@inkeep/agents-manage-api 0.0.0-dev-20260113172432 → 0.0.0-dev-20260115183047

package/README.md

@@ -41,7 +41,8 @@ pnpm db:migrate
 ```env
 ENVIRONMENT=development|production|test
 PORT=3002
-DATABASE_URL=pg_db_url
+INKEEP_AGENTS_RUN_DATABASE_URL=pg_db_url
+INKEEP_AGENTS_MANAGE_DATABASE_URL=dolt_db_url
 LOG_LEVEL=debug|info|warn|error
 ```
 

package/dist/create-app.d.ts

@@ -1,13 +1,13 @@
+import * as _inkeep_agents_core0 from "@inkeep/agents-core";
+import { CredentialStoreRegistry, ServerConfig } from "@inkeep/agents-core";
 import { Hono } from "hono";
-import { ServerConfig } from "@inkeep/agents-core";
 import { auth, createAuth } from "@inkeep/agents-core/auth";
 import * as hono_types0 from "hono/types";
-import { CredentialStoreRegistry as CredentialStoreRegistry$1 } from "@inkeep/agents-core/credential-stores";
 
 //#region src/create-app.d.ts
 type AppVariables = {
   serverConfig: ServerConfig;
-  credentialStores: CredentialStoreRegistry$1;
+  credentialStores: CredentialStoreRegistry;
   auth: ReturnType<typeof createAuth> | null;
   user: typeof auth.$Infer.Session.user | null;
   session: typeof auth.$Infer.Session.session | null;
@@ -15,7 +15,9 @@ type AppVariables = {
   userEmail?: string;
   tenantId?: string;
   tenantRole?: string;
+  isInternalService?: boolean;
+  internalServicePayload?: _inkeep_agents_core0.InternalServiceTokenPayload;
 };
-declare function createManagementHono(serverConfig: ServerConfig, credentialStores: CredentialStoreRegistry$1, auth: ReturnType<typeof createAuth> | null): Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
+declare function createManagementHono(serverConfig: ServerConfig, credentialStores: CredentialStoreRegistry, auth: ReturnType<typeof createAuth> | null): Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
 //#endregion
 export { AppVariables, createManagementHono };

package/dist/create-app.js

@@ -1,11 +1,14 @@
 import { env } from "./env.js";
-import { getLogger } from "./logger.js";
+import { getLogger as getLogger$1 } from "./logger.js";
 import { apiKeyAuth } from "./middleware/auth.js";
+import { branchScopedDbMiddleware } from "./middleware/branch-scoped-db.js";
 import { errorHandler } from "./middleware/error-handler.js";
+import { refMiddleware, writeProtectionMiddleware } from "./middleware/ref.js";
 import { sessionAuth } from "./middleware/session-auth.js";
 import { requireTenantAccess } from "./middleware/tenant-access.js";
 import { setupOpenAPIRoutes } from "./openapi.js";
 import cliAuth_default from "./routes/cliAuth.js";
+import evals_default from "./routes/evals/index.js";
 import routes_default from "./routes/index.js";
 import invitations_default from "./routes/invitations.js";
 import mcp_default from "./routes/mcp.js";
@@ -16,13 +19,14 @@ import signoz_default from "./routes/signoz.js";
 import userOrganizations_default from "./routes/userOrganizations.js";
 import { authCorsConfig, defaultCorsConfig, isOriginAllowed, playgroundCorsConfig } from "./utils/cors.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
+import { handleApiError } from "@inkeep/agents-core";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { requestId } from "hono/request-id";
 import { pinoLogger } from "hono-pino";
 
 //#region src/create-app.ts
-const logger = getLogger("agents-manage-api");
+const logger = getLogger$1("agents-manage-api");
 logger.info({ logger: logger.getTransports() }, "Logger initialized");
 const isTestEnvironment = () => process.env.ENVIRONMENT === "test";
 function createManagementHono(serverConfig, credentialStores, auth) {
@@ -35,7 +39,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
 		return next();
 	});
 	app.use(pinoLogger({
-		pino: getLogger("agents-manage-api").getPinoInstance(),
+		pino: getLogger$1("agents-manage-api").getPinoInstance(),
 		http: { onResLevel(c) {
 			if (c.res.status >= 500) return "error";
 			return "info";
@@ -125,6 +129,9 @@ function createManagementHono(serverConfig, credentialStores, auth) {
 		await next();
 	});
 	else app.use("/tenants/:tenantId/*", requireTenantAccess());
+	app.use("/tenants/*", async (c, next) => refMiddleware(c, next));
+	app.use("/tenants/*", (c, next) => writeProtectionMiddleware(c, next));
+	app.use("/tenants/*", async (c, next) => branchScopedDbMiddleware(c, next));
 	app.route("/api/users/:userId/organizations", userOrganizations_default);
 	app.route("/api/cli", cliAuth_default);
 	app.route("/api/invitations", invitations_default);
@@ -132,6 +139,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
 	app.route("/tenants/:tenantId/playground/token", playgroundToken_default);
 	app.route("/tenants/:tenantId/signoz", signoz_default);
 	app.route("/tenants/:tenantId", projectFull_default);
+	app.route("/tenants/:tenantId/projects/:projectId/evals", evals_default);
 	app.route("/oauth", oauth_default);
 	app.route("/mcp", mcp_default);
 	setupOpenAPIRoutes(app);

package/dist/data/db/dbClient.d.ts

@@ -1,6 +1,6 @@
-import { DatabaseClient } from "@inkeep/agents-core";
+import * as _inkeep_agents_core0 from "@inkeep/agents-core";
 
 //#region src/data/db/dbClient.d.ts
-declare let dbClient: DatabaseClient;
+declare const manageDbClient: _inkeep_agents_core0.AgentsManageDatabaseClient;
 //#endregion
-export { dbClient as default };
+export { manageDbClient as default };

package/dist/data/db/dbClient.js

@@ -1,17 +1,9 @@
 import { env } from "../../env.js";
-import { createDatabaseClient } from "@inkeep/agents-core";
-import { PGlite } from "@electric-sql/pglite";
-import * as schema from "@inkeep/agents-core/db/schema";
-import { drizzle } from "drizzle-orm/pglite";
+import { createAgentsManageDatabaseClient } from "@inkeep/agents-core";
 
 //#region src/data/db/dbClient.ts
-let dbClient;
-if (env.ENVIRONMENT === "test") dbClient = drizzle({
-	client: new PGlite(),
-	schema
-});
-else dbClient = createDatabaseClient({ connectionString: env.DATABASE_URL });
-var dbClient_default = dbClient;
+const manageDbClient = createAgentsManageDatabaseClient({ connectionString: env.INKEEP_AGENTS_MANAGE_DATABASE_URL });
+var dbClient_default = manageDbClient;
 
 //#endregion
 export { dbClient_default as default };

package/dist/data/db/runDbClient.d.ts

@@ -0,0 +1,6 @@
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
+
+//#region src/data/db/runDbClient.d.ts
+declare const runDbClient: _inkeep_agents_core1.AgentsRunDatabaseClient;
+//#endregion
+export { runDbClient as default };

package/dist/data/db/runDbClient.js

@@ -0,0 +1,9 @@
+import { env } from "../../env.js";
+import { createAgentsRunDatabaseClient } from "@inkeep/agents-core";
+
+//#region src/data/db/runDbClient.ts
+const runDbClient = createAgentsRunDatabaseClient({ connectionString: env.INKEEP_AGENTS_RUN_DATABASE_URL });
+var runDbClient_default = runDbClient;
+
+//#endregion
+export { runDbClient_default as default };

package/dist/env.d.ts

@@ -15,7 +15,9 @@ declare const envSchema: z.ZodObject<{
   }>>;
   INKEEP_AGENTS_MANAGE_API_URL: z.ZodDefault<z.ZodOptional<z.ZodString>>;
   INKEEP_AGENTS_MANAGE_UI_URL: z.ZodDefault<z.ZodOptional<z.ZodString>>;
-  DATABASE_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_EVAL_API_URL: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+  INKEEP_AGENTS_MANAGE_DATABASE_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_RUN_DATABASE_URL: z.ZodOptional<z.ZodString>;
   LOG_LEVEL: z.ZodDefault<z.ZodOptional<z.ZodEnum<{
     trace: "trace";
     debug: "debug";
@@ -39,13 +41,15 @@ declare const envSchema: z.ZodObject<{
 declare const env: {
   INKEEP_AGENTS_MANAGE_API_URL: string;
   INKEEP_AGENTS_MANAGE_UI_URL: string;
+  INKEEP_AGENTS_EVAL_API_URL: string;
   LOG_LEVEL: "trace" | "debug" | "info" | "warn" | "error";
   NANGO_SERVER_URL: string;
   TENANT_ID: string;
   DISABLE_AUTH: boolean;
   NODE_ENV?: "development" | "production" | "test" | undefined;
   ENVIRONMENT?: "development" | "production" | "test" | "pentest" | undefined;
-  DATABASE_URL?: string | undefined;
+  INKEEP_AGENTS_MANAGE_DATABASE_URL?: string | undefined;
+  INKEEP_AGENTS_RUN_DATABASE_URL?: string | undefined;
   NANGO_SECRET_KEY?: string | undefined;
   INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET?: string | undefined;
   BETTER_AUTH_SECRET?: string | undefined;

package/dist/env.js

@@ -17,7 +17,9 @@ const envSchema = z.object({
 	]).optional(),
 	INKEEP_AGENTS_MANAGE_API_URL: z.string().optional().default("http://localhost:3002"),
 	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional().default("http://localhost:3000"),
-	DATABASE_URL: z.string().optional(),
+	INKEEP_AGENTS_EVAL_API_URL: z.string().optional().default("http://localhost:3005"),
+	INKEEP_AGENTS_MANAGE_DATABASE_URL: z.string().optional(),
+	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().optional(),
 	LOG_LEVEL: z.enum([
 		"trace",
 		"debug",

package/dist/factory.d.ts

@@ -1,8 +1,8 @@
 import { createManagementHono } from "./create-app.js";
 import { initializeDefaultUser } from "./initialization.js";
 import { createAuth0Provider, createOIDCProvider } from "./sso-helpers.js";
-import * as hono0 from "hono";
 import { CredentialStore, ServerConfig } from "@inkeep/agents-core";
+import * as hono0 from "hono";
 import { SSOProviderConfig, UserAuthConfig } from "@inkeep/agents-core/auth";
 import * as hono_types1 from "hono/types";
 

package/dist/factory.js

@@ -1,5 +1,5 @@
 import { env } from "./env.js";
-import dbClient_default from "./data/db/dbClient.js";
+import runDbClient_default from "./data/db/runDbClient.js";
 import { createManagementHono } from "./create-app.js";
 import { initializeDefaultUser } from "./initialization.js";
 import { createAuth0Provider, createOIDCProvider } from "./sso-helpers.js";
@@ -20,7 +20,7 @@ function createManagementAuth(userAuthConfig) {
 	return createAuth({
 		baseURL: env.INKEEP_AGENTS_MANAGE_API_URL || "http://localhost:3002",
 		secret: env.BETTER_AUTH_SECRET || "development-secret-change-in-production",
-		dbClient: dbClient_default,
+		dbClient: runDbClient_default,
 		...userAuthConfig?.ssoProviders && { ssoProviders: userAuthConfig.ssoProviders },
 		...userAuthConfig?.socialProviders && { socialProviders: userAuthConfig.socialProviders }
 	});

package/dist/index.d.ts

@@ -785,25 +785,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -1064,25 +1064,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "invitation" | "member" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "invitation" | "member" | "organization" | "ac" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;

package/dist/index.js

@@ -1,11 +1,11 @@
 import { env } from "./env.js";
-import dbClient_default from "./data/db/dbClient.js";
+import runDbClient_default from "./data/db/runDbClient.js";
 import { createManagementHono } from "./create-app.js";
 import { initializeDefaultUser } from "./initialization.js";
 import { createAuth0Provider, createOIDCProvider } from "./sso-helpers.js";
 import { createManagementApp } from "./factory.js";
-import { Hono } from "hono";
 import { CredentialStoreRegistry, createDefaultCredentialStores } from "@inkeep/agents-core";
+import { Hono } from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/index.ts
@@ -23,7 +23,7 @@ function createManagementAuth(userAuthConfig) {
 	return createAuth({
 		baseURL: env.INKEEP_AGENTS_MANAGE_API_URL || "http://localhost:3002",
 		secret: env.BETTER_AUTH_SECRET || "development-secret-change-in-production",
-		dbClient: dbClient_default,
+		dbClient: runDbClient_default,
 		...userAuthConfig?.ssoProviders && { ssoProviders: userAuthConfig.ssoProviders },
 		...userAuthConfig?.socialProviders && { socialProviders: userAuthConfig.socialProviders }
 	});

package/dist/initialization.js

@@ -1,6 +1,6 @@
 import { env } from "./env.js";
 import { getLogger as getLogger$1 } from "./logger.js";
-import dbClient_default from "./data/db/dbClient.js";
+import runDbClient_default from "./data/db/runDbClient.js";
 import { generateId, getUserByEmail, member, organization } from "@inkeep/agents-core";
 import { and, eq } from "drizzle-orm";
 
@@ -10,8 +10,8 @@ async function initializeDefaultUser(authInstance) {
 	const { INKEEP_AGENTS_MANAGE_UI_USERNAME, INKEEP_AGENTS_MANAGE_UI_PASSWORD, DISABLE_AUTH } = env;
 	const hasCredentials = INKEEP_AGENTS_MANAGE_UI_USERNAME && INKEEP_AGENTS_MANAGE_UI_PASSWORD;
 	const orgId = env.TENANT_ID;
-	if ((await dbClient_default.select().from(organization).where(eq(organization.id, orgId)).limit(1)).length === 0) {
-		await dbClient_default.insert(organization).values({
+	if ((await runDbClient_default.select().from(organization).where(eq(organization.id, orgId)).limit(1)).length === 0) {
+		await runDbClient_default.insert(organization).values({
 			id: orgId,
 			name: env.TENANT_ID,
 			slug: env.TENANT_ID,
@@ -26,7 +26,7 @@ async function initializeDefaultUser(authInstance) {
 		return;
 	}
 	try {
-		let user = await getUserByEmail(dbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
+		let user = await getUserByEmail(runDbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
 		if (user) logger.info({
 			email: INKEEP_AGENTS_MANAGE_UI_USERNAME,
 			userId: user.id
@@ -38,15 +38,15 @@ async function initializeDefaultUser(authInstance) {
 				password: INKEEP_AGENTS_MANAGE_UI_PASSWORD,
 				name: INKEEP_AGENTS_MANAGE_UI_USERNAME.split("@")[0]
 			} })).user) throw new Error("signUpEmail returned no user");
-			user = await getUserByEmail(dbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
+			user = await getUserByEmail(runDbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
 			if (!user) throw new Error("User was created but could not be retrieved from database");
 			logger.info({
 				email: user.email,
 				id: user.id
 			}, "Default user created from INKEEP_AGENTS_MANAGE_UI_USERNAME/INKEEP_AGENTS_MANAGE_UI_PASSWORD");
 		}
-		if ((await dbClient_default.select().from(member).where(and(eq(member.userId, user.id), eq(member.organizationId, orgId))).limit(1)).length === 0) {
-			await dbClient_default.insert(member).values({
+		if ((await runDbClient_default.select().from(member).where(and(eq(member.userId, user.id), eq(member.organizationId, orgId))).limit(1)).length === 0) {
+			await runDbClient_default.insert(member).values({
 				id: generateId(),
 				userId: user.id,
 				organizationId: orgId,

package/dist/middleware/auth.d.ts

@@ -1,5 +1,5 @@
-import * as hono0 from "hono";
-import { ExecutionContext } from "@inkeep/agents-core";
+import { BaseExecutionContext } from "@inkeep/agents-core";
+import * as hono6 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/auth.d.ts
@@ -10,10 +10,11 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
  * 2. Better-auth session token (from device authorization flow)
  * 3. Database API key
+ * 4. Internal service token
  */
-declare const apiKeyAuth: () => hono0.MiddlewareHandler<{
+declare const apiKeyAuth: () => hono6.MiddlewareHandler<{
   Variables: {
-    executionContext: ExecutionContext;
+    executionContext: BaseExecutionContext;
     userId?: string;
     userEmail?: string;
     tenantId?: string;

package/dist/middleware/auth.js

@@ -1,6 +1,6 @@
 import { env } from "../env.js";
-import dbClient_default from "../data/db/dbClient.js";
-import { getLogger, validateAndGetApiKey } from "@inkeep/agents-core";
+import runDbClient_default from "../data/db/runDbClient.js";
+import { getLogger, isInternalServiceToken, validateAndGetApiKey, verifyInternalServiceAuthHeader } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -12,6 +12,7 @@ const logger = getLogger("env-key-auth");
 * 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
 * 2. Better-auth session token (from device authorization flow)
 * 3. Database API key
+* 4. Internal service token
 */
 const apiKeyAuth = () => createMiddleware(async (c, next) => {
 	const authHeader = c.req.header("Authorization");
@@ -48,7 +49,7 @@ const apiKeyAuth = () => createMiddleware(async (c, next) => {
 	} catch (error) {
 		logger.debug({ error }, "Better-auth session validation failed, trying API key");
 	}
-	const validatedKey = await validateAndGetApiKey(token, dbClient_default);
+	const validatedKey = await validateAndGetApiKey(token, runDbClient_default);
 	if (validatedKey) {
 		logger.info({ keyId: validatedKey.id }, "API key authenticated successfully");
 		c.set("userId", `apikey:${validatedKey.id}`);
@@ -57,6 +58,21 @@ const apiKeyAuth = () => createMiddleware(async (c, next) => {
 		await next();
 		return;
 	}
+	if (isInternalServiceToken(token)) {
+		const result = await verifyInternalServiceAuthHeader(authHeader);
+		if (!result.valid || !result.payload) throw new HTTPException(401, { message: result.error || "Invalid internal service token" });
+		logger.info({
+			serviceId: result.payload.sub,
+			tenantId: result.payload.tenantId,
+			projectId: result.payload.projectId,
+			userId: result.payload.userId
+		}, "Internal service authenticated");
+		c.set("userId", result.payload.userId || `system`);
+		c.set("userEmail", `${result.payload.sub}@internal.inkeep`);
+		if (result.payload.tenantId) c.set("tenantId", result.payload.tenantId);
+		await next();
+		return;
+	}
 	throw new HTTPException(401, { message: "Invalid Token" });
 });
 

package/dist/middleware/branch-scoped-db.d.ts

@@ -0,0 +1,31 @@
+import { AgentsManageDatabaseClient } from "@inkeep/agents-core";
+import { Context, Next } from "hono";
+import { Pool } from "pg";
+
+//#region src/middleware/branch-scoped-db.d.ts
+declare function isProjectDeleteOperation(path: string, method: string): boolean;
+/**
+ * Get the underlying connection pool from a Drizzle database client
+ */
+declare function getPoolFromClient(client: AgentsManageDatabaseClient): Pool | null;
+/**
+ * Middleware that provides branch-scoped database connections
+ *
+ * Flow:
+ * 1. Get a dedicated connection from the pool
+ * 2. If ref is specified, checkout that branch/tag/commit on this connection
+ * 3. Create a Drizzle client wrapping this specific connection
+ * 4. Inject into context as 'db' (request-scoped database client)
+ * 5. Execute the route handler
+ * 6. For write operations on branches: auto-commit changes
+ * 7. Always cleanup: checkout main and release connection
+ *
+ * This ensures:
+ * - All operations in a request use the same connection (correct)
+ * - Only one checkout per request (performant)
+ * - Automatic commits for successful writes on branches
+ * - Proper connection cleanup
+ */
+declare const branchScopedDbMiddleware: (c: Context, next: Next) => Promise<void>;
+//#endregion
+export { branchScopedDbMiddleware, getPoolFromClient, isProjectDeleteOperation };