@inkeep/agents-manage-api 0.0.0-dev-20250910232631

package/LICENSE.md

@@ -0,0 +1,49 @@
+# Inkeep SDK – Elastic License 2.0 with Supplemental Terms
+
+NOTE: The Inkeep SDK is licensed under the Elastic License 2.0 (ELv2), subject to Supplemental Terms included in [SUPPLEMENTAL_TERMS.md](SUPPLEMENTAL_TERMS.md). In the event of conflict, the Supplemental Terms control.
+
+# Elastic License 2.0
+
+## Acceptance  
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below.
+
+## Limitations
+You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law.
+
+## Patents
+The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company.
+
+## Notices
+You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software.
+
+## No Other Rights
+These terms do not imply any licenses other than those expressly granted in these terms.
+
+## Termination
+If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently.
+
+## No Liability
+***As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim.***
+
+## Definitions
+The **licensor** is the entity offering these terms, and the **software** is the software the licensor makes available under these terms, including any portion of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. **control** means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect.
+
+**your licenses** are all the licenses granted to you for the software under these terms.
+
+**use** means anything you do with the software requiring one of your licenses.
+
+**trademark** means trademarks, service marks, and similar rights.
+

package/README.md

@@ -0,0 +1,176 @@
+# Inkeep Management API
+
+The Management API is responsible for entity management and CRUD operations for the Inkeep Agent Framework. It provides the administrative layer for creating, configuring, and managing agents, graphs, tools, and projects.
+
+## Overview
+
+This API handles the configuration and management layer:
+- **Entity Management**: CRUD operations for all framework entities
+- **Agent Configuration**: Agent creation, updates, and relationship management  
+- **Graph Management**: Agent graph definitions and topology
+- **Tool Management**: MCP tool registration and configuration
+- **Project Management**: Multi-tenant project organization
+
+## Architecture
+
+### Core Entities
+
+- **Projects**: Top-level organizational units with tenant scoping
+- **Agents**: Individual AI agents with instructions and capabilities
+- **Agent Graphs**: Collections of agents with defined relationships
+- **Agent Relations**: Transfer and delegation relationships between agents
+- **Tools**: MCP servers and hosted tool configurations
+- **Tasks**: Work units with hierarchical parent-child relationships
+
+## Development
+
+### Setup
+
+If you do not have the db setup:
+
+```bash
+cd packages/core
+pnpm db:push
+```
+
+Then:
+
+```bash
+cd agents-run-api
+pnpm install
+```
+
+### Environment Variables
+```env
+ENVIRONMENT=development|production|test
+PORT=3002
+DB_FILE_NAME=path/to/sqlite.db
+LOG_LEVEL=debug|info|warn|error
+```
+
+### Development Commands
+```bash
+pnpm dev              # Start development server
+pnpm test             # Run test suite
+pnpm test:coverage    # Run tests with coverage
+pnpm build           # Build for production
+pnpm lint            # Run linting
+pnpm format          # Format code
+```
+
+### Database Operations
+```bash
+pnpm db:push         # Apply schema changes to SQLite
+pnpm db:studio       # Open Drizzle Studio for inspection
+pnpm db:generate     # Generate migration files
+```
+
+## Builder Patterns
+
+The API provides builder patterns for programmatic entity creation:
+
+### Agent Builder
+```typescript
+import { agent } from '@inkeep/agents-manage-api';
+
+const qaAgent = agent({
+  id: 'qa-agent',
+  name: 'QA Agent',
+  instructions: 'Answer questions about our product',
+  canTransferTo: () => [routerAgent],
+  canDelegateTo: () => [searchAgent],
+  tools: { search: searchTool }
+});
+```
+
+### Graph Builder
+```typescript
+import { agentGraph } from '@inkeep/agents-manage-api';
+
+const graph = agentGraph({
+  id: 'customer-support',
+  defaultAgent: routerAgent,
+  agents: [routerAgent, qaAgent, orderAgent]
+});
+
+await graph.init(); // Persist to database
+```
+
+### Tool Builder
+```typescript
+import { tool } from '@inkeep/agents-manage-api';
+
+const searchTool = tool({
+  id: 'search-tool',
+  name: 'Product Search',
+  type: 'mcp',
+  config: {
+    command: 'search-server',
+    args: ['--index', 'products']
+  }
+});
+```
+
+## Database Schema
+
+The API uses SQLite with Drizzle ORM:
+
+### Core Tables
+- `projects` - Multi-tenant project organization
+- `agents` - Agent definitions and instructions
+- `agent_graphs` - Graph collections with default agents
+- `agent_relations` - Transfer/delegation relationships
+- `tools` - MCP tool configurations
+- `tasks` - Execution history and hierarchy
+
+### Key Patterns
+- **Multi-tenancy**: All entities scoped by `tenant_id`
+- **Relationships**: Foreign keys with cascade deletes
+- **Timestamps**: `created_at`/`updated_at` on all entities
+- **JSON Columns**: Complex configurations stored as JSON
+
+## Validation
+
+All API endpoints use Zod schemas for request/response validation:
+
+```typescript
+const createAgentSchema = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1), 
+  instructions: z.string().min(1),
+  tenantId: z.string(),
+  projectId: z.string()
+});
+```
+
+## Integration
+
+### With Execution API
+The Management API provides the configuration that the Execution API reads during runtime. Changes to agents, graphs, or tools are immediately available to the execution layer.
+
+### With CLI
+The Inkeep CLI uses the Management API for all `push` operations, creating and updating entities from configuration files.
+
+### With Agent Builder
+The Agent Builder UI provides a web interface for all Management API operations, offering visual agent and graph creation.
+
+## Error Handling
+
+- **Validation Errors**: Schema validation with detailed field errors
+- **Constraint Errors**: Database constraint violations with helpful messages
+- **Not Found Errors**: Resource-specific 404 responses
+- **Conflict Errors**: Duplicate key and relationship conflicts
+
+## Security
+
+- **Multi-tenant Isolation**: All queries scoped by tenant ID
+- **Input Validation**: Comprehensive request sanitization
+- **SQL Injection Prevention**: Parameterized queries via Drizzle ORM
+- **Authorization**: Configurable API key authentication
+
+## Performance
+
+- **Database Indexing**: Optimized indexes on frequently queried fields
+- **Connection Pooling**: Efficient database connection management
+- **Caching**: In-memory caching for frequently accessed entities
+- **Parallel Operations**: Concurrent database operations where safe

package/dist/__tests__/setup.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=setup.d.ts.map

package/dist/__tests__/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/__tests__/setup.ts"],"names":[],"mappings":""}

package/dist/__tests__/setup.js

@@ -0,0 +1,26 @@
+import { getLogger } from '@inkeep/agents-core';
+import { sql } from 'drizzle-orm';
+import { migrate } from 'drizzle-orm/libsql/migrator';
+import { afterAll, afterEach, beforeAll } from 'vitest';
+import dbClient from '../data/db/dbClient';
+// Initialize database schema for in-memory test databases using Drizzle migrations
+beforeAll(async () => {
+    const logger = getLogger('Test Setup');
+    try {
+        logger.debug({}, 'Applying database migrations to in-memory test database');
+        // Temporarily disable foreign key constraints for tests due to composite key issues
+        await dbClient.run(sql `PRAGMA foreign_keys = OFF`);
+        await migrate(dbClient, { migrationsFolder: '../packages/agents-core/drizzle' });
+        logger.debug({}, 'Database migrations applied successfully');
+    }
+    catch (error) {
+        logger.error({ error }, 'Failed to apply database migrations');
+        throw error;
+    }
+});
+afterEach(() => {
+    // Any cleanup if needed
+});
+afterAll(() => {
+    // Any final cleanup if needed
+});

package/dist/__tests__/utils/testProject.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Ensures a project exists for a given tenant ID.
+ * This is needed because of foreign key constraints in the database.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectId - The project ID (defaults to 'default')
+ * @returns Promise that resolves when the project is created
+ */
+export declare function ensureTestProject(tenantId: string, projectId?: string): Promise<void>;
+/**
+ * Creates multiple test projects for a tenant.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectIds - Array of project IDs to create
+ * @returns Promise that resolves when all projects are created
+ */
+export declare function ensureTestProjects(tenantId: string, projectIds: string[]): Promise<void>;
+//# sourceMappingURL=testProject.d.ts.map

package/dist/__tests__/utils/testProject.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testProject.d.ts","sourceRoot":"","sources":["../../../src/__tests__/utils/testProject.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,SAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAK9F;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAE9F"}

package/dist/__tests__/utils/testProject.js

@@ -0,0 +1,26 @@
+import { sql } from 'drizzle-orm';
+import dbClient from '../../data/db/dbClient';
+/**
+ * Ensures a project exists for a given tenant ID.
+ * This is needed because of foreign key constraints in the database.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectId - The project ID (defaults to 'default')
+ * @returns Promise that resolves when the project is created
+ */
+export async function ensureTestProject(tenantId, projectId = 'default') {
+    await dbClient.run(sql `
+    INSERT OR IGNORE INTO projects (tenant_id, id, name, description, created_at, updated_at)
+    VALUES (${tenantId}, ${projectId}, ${`Test Project ${projectId}`}, ${`Test project for ${projectId}`}, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
+  `);
+}
+/**
+ * Creates multiple test projects for a tenant.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectIds - Array of project IDs to create
+ * @returns Promise that resolves when all projects are created
+ */
+export async function ensureTestProjects(tenantId, projectIds) {
+    await Promise.all(projectIds.map((projectId) => ensureTestProject(tenantId, projectId)));
+}

package/dist/__tests__/utils/testRequest.d.ts

@@ -0,0 +1,2 @@
+export declare const makeRequest: (url: string, options?: RequestInit) => Promise<Response>;
+//# sourceMappingURL=testRequest.d.ts.map

package/dist/__tests__/utils/testRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testRequest.d.ts","sourceRoot":"","sources":["../../../src/__tests__/utils/testRequest.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,WAAW,GAAU,KAAK,MAAM,EAAE,UAAS,WAAgB,sBAQvE,CAAC"}

package/dist/__tests__/utils/testRequest.js

@@ -0,0 +1,11 @@
+import app from '../../index';
+// Helper function to make requests with JSON headers
+export const makeRequest = async (url, options = {}) => {
+    return app.request(url, {
+        ...options,
+        headers: {
+            'Content-Type': 'application/json',
+            ...options.headers,
+        },
+    });
+};

package/dist/__tests__/utils/testTenant.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Creates a unique tenant ID for test isolation.
+ *
+ * Each test run gets its own tenant to ensure parallel tests don't interfere with each other.
+ * The generated tenant ID follows the format: test-tenant-{prefix}-{uuid} or test-tenant-{uuid}
+ *
+ * @param prefix - Optional prefix to include in the tenant ID (e.g., test file name)
+ * @returns A unique tenant ID for test isolation
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantId } from './utils/testTenant';
+ *
+ * describe('My test suite', () => {
+ *   const tenantId = createTestTenantId('agents');
+ *
+ *   it('should work with isolated tenant', async () => {
+ *     // Your test code using the unique tenant ID
+ *     console.log(tenantId); // e.g., "test-tenant-agents-123e4567-e89b-12d3-a456-426614174000"
+ *   });
+ * });
+ * ```
+ */
+export declare function createTestTenantId(prefix?: string): string;
+/**
+ * Creates multiple unique tenant IDs for test isolation.
+ *
+ * Useful when you need multiple tenants in a single test.
+ *
+ * @param count - Number of tenant IDs to generate
+ * @param prefix - Optional prefix to include in all tenant IDs
+ * @returns Array of unique tenant IDs
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantIds } from './utils/testTenant';
+ *
+ * describe('Multi-tenant test suite', () => {
+ *   const [tenantA, tenantB] = createTestTenantIds(2, 'multi-tenant');
+ *
+ *   it('should handle cross-tenant operations', async () => {
+ *     // Test operations across different tenants
+ *   });
+ * });
+ * ```
+ */
+export declare function createTestTenantIds(count: number, prefix?: string): string[];
+/**
+ * Checks if a tenant ID is a test tenant.
+ *
+ * @param tenantId - The tenant ID to check
+ * @returns True if the tenant ID is a test tenant
+ *
+ * @example
+ * ```typescript
+ * import { isTestTenant } from './utils/testTenant';
+ *
+ * const tenantId = createTestTenantId();
+ * console.log(isTestTenant(tenantId)); // true
+ * console.log(isTestTenant('production-tenant')); // false
+ * ```
+ */
+export declare function isTestTenant(tenantId: string): boolean;
+//# sourceMappingURL=testTenant.d.ts.map

package/dist/__tests__/utils/testTenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testTenant.d.ts","sourceRoot":"","sources":["../../../src/__tests__/utils/testTenant.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAG1D;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAE5E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEtD"}

package/dist/__tests__/utils/testTenant.js

@@ -0,0 +1,71 @@
+import { randomUUID } from 'node:crypto';
+/**
+ * Creates a unique tenant ID for test isolation.
+ *
+ * Each test run gets its own tenant to ensure parallel tests don't interfere with each other.
+ * The generated tenant ID follows the format: test-tenant-{prefix}-{uuid} or test-tenant-{uuid}
+ *
+ * @param prefix - Optional prefix to include in the tenant ID (e.g., test file name)
+ * @returns A unique tenant ID for test isolation
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantId } from './utils/testTenant';
+ *
+ * describe('My test suite', () => {
+ *   const tenantId = createTestTenantId('agents');
+ *
+ *   it('should work with isolated tenant', async () => {
+ *     // Your test code using the unique tenant ID
+ *     console.log(tenantId); // e.g., "test-tenant-agents-123e4567-e89b-12d3-a456-426614174000"
+ *   });
+ * });
+ * ```
+ */
+export function createTestTenantId(prefix) {
+    const uuid = randomUUID();
+    return prefix ? `test-tenant-${prefix}-${uuid}` : `test-tenant-${uuid}`;
+}
+/**
+ * Creates multiple unique tenant IDs for test isolation.
+ *
+ * Useful when you need multiple tenants in a single test.
+ *
+ * @param count - Number of tenant IDs to generate
+ * @param prefix - Optional prefix to include in all tenant IDs
+ * @returns Array of unique tenant IDs
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantIds } from './utils/testTenant';
+ *
+ * describe('Multi-tenant test suite', () => {
+ *   const [tenantA, tenantB] = createTestTenantIds(2, 'multi-tenant');
+ *
+ *   it('should handle cross-tenant operations', async () => {
+ *     // Test operations across different tenants
+ *   });
+ * });
+ * ```
+ */
+export function createTestTenantIds(count, prefix) {
+    return Array.from({ length: count }, () => createTestTenantId(prefix));
+}
+/**
+ * Checks if a tenant ID is a test tenant.
+ *
+ * @param tenantId - The tenant ID to check
+ * @returns True if the tenant ID is a test tenant
+ *
+ * @example
+ * ```typescript
+ * import { isTestTenant } from './utils/testTenant';
+ *
+ * const tenantId = createTestTenantId();
+ * console.log(isTestTenant(tenantId)); // true
+ * console.log(isTestTenant('production-tenant')); // false
+ * ```
+ */
+export function isTestTenant(tenantId) {
+    return tenantId.startsWith('test-tenant-');
+}

package/dist/app.d.ts

@@ -0,0 +1,5 @@
+import { Hono } from 'hono';
+import type { CredentialStoreRegistry, ServerConfig } from '@inkeep/agents-core';
+declare function createManagementHono(serverConfig: ServerConfig, credentialStores: CredentialStoreRegistry): Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;
+export { createManagementHono };
+//# sourceMappingURL=app.d.ts.map

package/dist/app.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAE5B,OAAO,KAAK,EAAE,uBAAuB,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAkBjF,iBAAS,oBAAoB,CAC3B,YAAY,EAAE,YAAY,EAC1B,gBAAgB,EAAE,uBAAuB,8EAqK1C;AAED,OAAO,EAAE,oBAAoB,EAAE,CAAC"}

package/dist/app.js

@@ -0,0 +1,151 @@
+import { Hono } from 'hono';
+import { createRoute, OpenAPIHono } from '@hono/zod-openapi';
+import { handleApiError } from '@inkeep/agents-core';
+import { cors } from 'hono/cors';
+import { HTTPException } from 'hono/http-exception';
+import { requestId } from 'hono/request-id';
+import { pinoLogger } from 'hono-pino';
+import { getLogger } from './logger';
+import { apiKeyAuth } from './middleware/auth';
+import { setupOpenAPIRoutes } from './openapi';
+import crudRoutes from './routes/index';
+import oauthRoutes from './routes/oauth';
+function createManagementHono(serverConfig, credentialStores) {
+    const app = new OpenAPIHono();
+    // Request ID middleware
+    app.use('*', requestId());
+    // Server config and credential stores middleware
+    app.use('*', async (c, next) => {
+        c.set('serverConfig', serverConfig);
+        c.set('credentialStores', credentialStores);
+        return next();
+    });
+    // Logging middleware
+    app.use(pinoLogger({
+        pino: getLogger(),
+        http: {
+            onResLevel(c) {
+                if (c.res.status >= 500) {
+                    return 'error';
+                }
+                return 'info';
+            },
+        },
+    }));
+    // Error handling
+    app.onError(async (err, c) => {
+        const isExpectedError = err instanceof HTTPException;
+        const status = isExpectedError ? err.status : 500;
+        const requestId = c.get('requestId') || 'unknown';
+        // Zod validation error detection
+        let zodIssues;
+        if (err && typeof err === 'object') {
+            if (err.cause && Array.isArray(err.cause.issues)) {
+                zodIssues = err.cause.issues;
+            }
+            else if (Array.isArray(err.issues)) {
+                zodIssues = err.issues;
+            }
+        }
+        if (status === 400 && Array.isArray(zodIssues)) {
+            c.status(400);
+            c.header('Content-Type', 'application/problem+json');
+            c.header('X-Content-Type-Options', 'nosniff');
+            return c.json({
+                type: 'https://docs.inkeep.com/agents-api/errors#bad_request',
+                title: 'Validation Failed',
+                status: 400,
+                detail: 'Request validation failed',
+                errors: zodIssues.map((issue) => ({
+                    detail: issue.message,
+                    pointer: issue.path ? `/${issue.path.join('/')}` : undefined,
+                    name: issue.path ? issue.path.join('.') : undefined,
+                    reason: issue.message,
+                })),
+            });
+        }
+        if (status >= 500) {
+            if (!isExpectedError) {
+                const errorMessage = err instanceof Error ? err.message : String(err);
+                const errorStack = err instanceof Error ? err.stack : undefined;
+                getLogger().error({
+                    error: err,
+                    message: errorMessage,
+                    stack: errorStack,
+                    path: c.req.path,
+                    requestId,
+                }, 'Unexpected server error occurred');
+            }
+            else {
+                getLogger().error({
+                    error: err,
+                    path: c.req.path,
+                    requestId,
+                    status,
+                }, 'Server error occurred');
+            }
+        }
+        if (isExpectedError) {
+            try {
+                const response = err.getResponse();
+                return response;
+            }
+            catch (responseError) {
+                getLogger().error({ error: responseError }, 'Error while handling HTTPException response');
+            }
+        }
+        const { status: respStatus, title, detail, instance } = await handleApiError(err, requestId);
+        c.status(respStatus);
+        c.header('Content-Type', 'application/problem+json');
+        c.header('X-Content-Type-Options', 'nosniff');
+        return c.json({
+            type: 'https://docs.inkeep.com/agents-api/errors#internal_server_error',
+            title,
+            status: respStatus,
+            detail,
+            ...(instance && { instance }),
+        });
+    });
+    // CORS middleware
+    app.use('*', cors({
+        origin: (origin) => {
+            if (!origin)
+                return origin;
+            return origin.startsWith('http://localhost:') || origin.startsWith('https://localhost:')
+                ? origin
+                : null;
+        },
+        allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
+        allowHeaders: ['*'],
+        exposeHeaders: ['Content-Length'],
+        maxAge: 86400,
+        credentials: true,
+    }));
+    // Health check endpoint
+    app.openapi(createRoute({
+        method: 'get',
+        path: '/health',
+        tags: ['health'],
+        summary: 'Health check',
+        description: 'Check if the management service is healthy',
+        responses: {
+            204: {
+                description: 'Service is healthy',
+            },
+        },
+    }), (c) => {
+        return c.body(null, 204);
+    });
+    // API Key authentication middleware for protected routes
+    app.use('/tenants/*', apiKeyAuth());
+    // Mount CRUD routes for all entities
+    app.route('/tenants/:tenantId/crud', crudRoutes);
+    // Mount OAuth routes - global OAuth callback endpoint
+    app.route('/oauth', oauthRoutes);
+    // Setup OpenAPI documentation endpoints (/openapi.json and /docs)
+    setupOpenAPIRoutes(app);
+    const baseApp = new Hono();
+    baseApp.route('/', app);
+    return baseApp;
+}
+export { createManagementHono };