@inkeep/agents-manage-api 0.1.0

package/README.md

@@ -0,0 +1,176 @@
+# Inkeep Management API
+
+The Management API is responsible for entity management and CRUD operations for the Inkeep Agent Framework. It provides the administrative layer for creating, configuring, and managing agents, graphs, tools, and projects.
+
+## Overview
+
+This API handles the configuration and management layer:
+- **Entity Management**: CRUD operations for all framework entities
+- **Agent Configuration**: Agent creation, updates, and relationship management  
+- **Graph Management**: Agent graph definitions and topology
+- **Tool Management**: MCP tool registration and configuration
+- **Project Management**: Multi-tenant project organization
+
+## Architecture
+
+### Core Entities
+
+- **Projects**: Top-level organizational units with tenant scoping
+- **Agents**: Individual AI agents with instructions and capabilities
+- **Agent Graphs**: Collections of agents with defined relationships
+- **Agent Relations**: Transfer and delegation relationships between agents
+- **Tools**: MCP servers and hosted tool configurations
+- **Tasks**: Work units with hierarchical parent-child relationships
+
+## Development
+
+### Setup
+
+If you do not have the db setup:
+
+```bash
+cd packages/core
+pnpm db:push
+```
+
+Then:
+
+```bash
+cd inkeep-execution-api
+pnpm install
+```
+
+### Environment Variables
+```env
+ENVIRONMENT=development|production|test
+PORT=3002
+DB_FILE_NAME=path/to/sqlite.db
+LOG_LEVEL=debug|info|warn|error
+```
+
+### Development Commands
+```bash
+pnpm dev              # Start development server
+pnpm test             # Run test suite
+pnpm test:coverage    # Run tests with coverage
+pnpm build           # Build for production
+pnpm lint            # Run linting
+pnpm format          # Format code
+```
+
+### Database Operations
+```bash
+pnpm db:push         # Apply schema changes to SQLite
+pnpm db:studio       # Open Drizzle Studio for inspection
+pnpm db:generate     # Generate migration files
+```
+
+## Builder Patterns
+
+The API provides builder patterns for programmatic entity creation:
+
+### Agent Builder
+```typescript
+import { agent } from '@inkeep/agents-manage-api';
+
+const qaAgent = agent({
+  id: 'qa-agent',
+  name: 'QA Agent',
+  instructions: 'Answer questions about our product',
+  canTransferTo: () => [routerAgent],
+  canDelegateTo: () => [searchAgent],
+  tools: { search: searchTool }
+});
+```
+
+### Graph Builder
+```typescript
+import { agentGraph } from '@inkeep/agents-manage-api';
+
+const graph = agentGraph({
+  id: 'customer-support',
+  defaultAgent: routerAgent,
+  agents: [routerAgent, qaAgent, orderAgent]
+});
+
+await graph.init(); // Persist to database
+```
+
+### Tool Builder
+```typescript
+import { tool } from '@inkeep/agents-manage-api';
+
+const searchTool = tool({
+  id: 'search-tool',
+  name: 'Product Search',
+  type: 'mcp',
+  config: {
+    command: 'search-server',
+    args: ['--index', 'products']
+  }
+});
+```
+
+## Database Schema
+
+The API uses SQLite with Drizzle ORM:
+
+### Core Tables
+- `projects` - Multi-tenant project organization
+- `agents` - Agent definitions and instructions
+- `agent_graphs` - Graph collections with default agents
+- `agent_relations` - Transfer/delegation relationships
+- `tools` - MCP tool configurations
+- `tasks` - Execution history and hierarchy
+
+### Key Patterns
+- **Multi-tenancy**: All entities scoped by `tenant_id`
+- **Relationships**: Foreign keys with cascade deletes
+- **Timestamps**: `created_at`/`updated_at` on all entities
+- **JSON Columns**: Complex configurations stored as JSON
+
+## Validation
+
+All API endpoints use Zod schemas for request/response validation:
+
+```typescript
+const createAgentSchema = z.object({
+  id: z.string().min(1),
+  name: z.string().min(1), 
+  instructions: z.string().min(1),
+  tenantId: z.string(),
+  projectId: z.string()
+});
+```
+
+## Integration
+
+### With Execution API
+The Management API provides the configuration that the Execution API reads during runtime. Changes to agents, graphs, or tools are immediately available to the execution layer.
+
+### With CLI
+The Inkeep CLI uses the Management API for all `push` operations, creating and updating entities from configuration files.
+
+### With Agent Builder
+The Agent Builder UI provides a web interface for all Management API operations, offering visual agent and graph creation.
+
+## Error Handling
+
+- **Validation Errors**: Schema validation with detailed field errors
+- **Constraint Errors**: Database constraint violations with helpful messages
+- **Not Found Errors**: Resource-specific 404 responses
+- **Conflict Errors**: Duplicate key and relationship conflicts
+
+## Security
+
+- **Multi-tenant Isolation**: All queries scoped by tenant ID
+- **Input Validation**: Comprehensive request sanitization
+- **SQL Injection Prevention**: Parameterized queries via Drizzle ORM
+- **Authorization**: Configurable API key authentication
+
+## Performance
+
+- **Database Indexing**: Optimized indexes on frequently queried fields
+- **Connection Pooling**: Efficient database connection management
+- **Caching**: In-memory caching for frequently accessed entities
+- **Parallel Operations**: Concurrent database operations where safe

package/dist/ManagementServer.d.ts

@@ -0,0 +1,28 @@
+import { BaseServer } from '@inkeep/agents-core';
+import type { AgentFrameworkServerConfig } from '@inkeep/agents-core';
+export declare const MANAGEMENT_API_PORT = 3002;
+/**
+ * Management Server for CRUD operations, entity management, and OAuth
+ * Extends BaseServer with Management API specific functionality
+ */
+export declare class ManagementServer extends BaseServer {
+    constructor(config?: AgentFrameworkServerConfig);
+    /**
+     * Initialize the Management API application
+     */
+    protected initialize(): Promise<void>;
+    /**
+     * Get default server options for Management API
+     */
+    protected getServerOptions(): {
+        port: number;
+        keepAliveTimeout: number;
+        keepAlive: boolean;
+        requestTimeout: number;
+    };
+    /**
+     * Custom cleanup for Management API before shutdown
+     */
+    protected beforeShutdown(): Promise<void>;
+}
+//# sourceMappingURL=ManagementServer.d.ts.map

package/dist/ManagementServer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ManagementServer.d.ts","sourceRoot":"","sources":["../src/ManagementServer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AAGtE,eAAO,MAAM,mBAAmB,OAAO,CAAC;AACxC;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,UAAU;gBAClC,MAAM,GAAE,0BAA+B;IAInD;;OAEG;cACa,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAK3C;;OAEG;IACH,SAAS,CAAC,gBAAgB;;;;;;IAU1B;;OAEG;cACa,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC;CAQhD"}

package/dist/ManagementServer.js

@@ -0,0 +1,41 @@
+import { BaseServer } from '@inkeep/agents-core';
+import { getLogger } from './logger.js';
+import app from './app.js';
+export const MANAGEMENT_API_PORT = 3002;
+/**
+ * Management Server for CRUD operations, entity management, and OAuth
+ * Extends BaseServer with Management API specific functionality
+ */
+export class ManagementServer extends BaseServer {
+    constructor(config = {}) {
+        super(config, getLogger('ManagementServer'));
+    }
+    /**
+     * Initialize the Management API application
+     */
+    async initialize() {
+        this.app = app;
+        this.logger.info('Management API initialized');
+    }
+    /**
+     * Get default server options for Management API
+     */
+    getServerOptions() {
+        return {
+            port: this.config.port || MANAGEMENT_API_PORT,
+            keepAliveTimeout: 60000,
+            keepAlive: true,
+            requestTimeout: 60000,
+            ...this.config.serverOptions,
+        };
+    }
+    /**
+     * Custom cleanup for Management API before shutdown
+     */
+    async beforeShutdown() {
+        this.logger.info('Performing Management API cleanup...');
+        // Add any Management API specific cleanup here
+        // e.g., close database connections, cleanup OAuth sessions, etc.
+        await super.beforeShutdown();
+    }
+}

package/dist/__tests__/setup.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=setup.d.ts.map

package/dist/__tests__/setup.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"setup.d.ts","sourceRoot":"","sources":["../../src/__tests__/setup.ts"],"names":[],"mappings":""}

package/dist/__tests__/setup.js

@@ -0,0 +1,26 @@
+import { sql } from 'drizzle-orm';
+import { migrate } from 'drizzle-orm/libsql/migrator';
+import { afterAll, afterEach, beforeAll } from 'vitest';
+import dbClient from '../data/db/dbClient.js';
+import { getLogger } from '@inkeep/agents-core';
+// Initialize database schema for in-memory test databases using Drizzle migrations
+beforeAll(async () => {
+    const logger = getLogger('Test Setup');
+    try {
+        logger.debug({}, 'Applying database migrations to in-memory test database');
+        // Temporarily disable foreign key constraints for tests due to composite key issues
+        await dbClient.run(sql `PRAGMA foreign_keys = OFF`);
+        await migrate(dbClient, { migrationsFolder: '../packages/agents-core/drizzle' });
+        logger.debug({}, 'Database migrations applied successfully');
+    }
+    catch (error) {
+        logger.error({ error }, 'Failed to apply database migrations');
+        throw error;
+    }
+});
+afterEach(() => {
+    // Any cleanup if needed
+});
+afterAll(() => {
+    // Any final cleanup if needed
+});

package/dist/__tests__/utils/testProject.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Ensures a project exists for a given tenant ID.
+ * This is needed because of foreign key constraints in the database.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectId - The project ID (defaults to 'default')
+ * @returns Promise that resolves when the project is created
+ */
+export declare function ensureTestProject(tenantId: string, projectId?: string): Promise<void>;
+/**
+ * Creates multiple test projects for a tenant.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectIds - Array of project IDs to create
+ * @returns Promise that resolves when all projects are created
+ */
+export declare function ensureTestProjects(tenantId: string, projectIds: string[]): Promise<void>;
+//# sourceMappingURL=testProject.d.ts.map

package/dist/__tests__/utils/testProject.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testProject.d.ts","sourceRoot":"","sources":["../../../src/__tests__/utils/testProject.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,SAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CAK9F;AAED;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAE9F"}

package/dist/__tests__/utils/testProject.js

@@ -0,0 +1,26 @@
+import { sql } from 'drizzle-orm';
+import dbClient from '../../data/db/dbClient.js';
+/**
+ * Ensures a project exists for a given tenant ID.
+ * This is needed because of foreign key constraints in the database.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectId - The project ID (defaults to 'default')
+ * @returns Promise that resolves when the project is created
+ */
+export async function ensureTestProject(tenantId, projectId = 'default') {
+    await dbClient.run(sql `
+    INSERT OR IGNORE INTO projects (tenant_id, id, name, description, created_at, updated_at)
+    VALUES (${tenantId}, ${projectId}, ${`Test Project ${projectId}`}, ${`Test project for ${projectId}`}, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
+  `);
+}
+/**
+ * Creates multiple test projects for a tenant.
+ *
+ * @param tenantId - The tenant ID
+ * @param projectIds - Array of project IDs to create
+ * @returns Promise that resolves when all projects are created
+ */
+export async function ensureTestProjects(tenantId, projectIds) {
+    await Promise.all(projectIds.map((projectId) => ensureTestProject(tenantId, projectId)));
+}

package/dist/__tests__/utils/testRequest.d.ts

@@ -0,0 +1,2 @@
+export declare const makeRequest: (url: string, options?: RequestInit) => Promise<Response>;
+//# sourceMappingURL=testRequest.d.ts.map

package/dist/__tests__/utils/testRequest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testRequest.d.ts","sourceRoot":"","sources":["../../../src/__tests__/utils/testRequest.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,WAAW,GAAU,KAAK,MAAM,EAAE,UAAS,WAAgB,sBAQvE,CAAC"}

package/dist/__tests__/utils/testRequest.js

@@ -0,0 +1,11 @@
+import app from '../../app.js';
+// Helper function to make requests with JSON headers
+export const makeRequest = async (url, options = {}) => {
+    return app.request(url, {
+        ...options,
+        headers: {
+            'Content-Type': 'application/json',
+            ...options.headers,
+        },
+    });
+};

package/dist/__tests__/utils/testTenant.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Creates a unique tenant ID for test isolation.
+ *
+ * Each test run gets its own tenant to ensure parallel tests don't interfere with each other.
+ * The generated tenant ID follows the format: test-tenant-{prefix}-{uuid} or test-tenant-{uuid}
+ *
+ * @param prefix - Optional prefix to include in the tenant ID (e.g., test file name)
+ * @returns A unique tenant ID for test isolation
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantId } from './utils/testTenant.js';
+ *
+ * describe('My test suite', () => {
+ *   const tenantId = createTestTenantId('agents');
+ *
+ *   it('should work with isolated tenant', async () => {
+ *     // Your test code using the unique tenant ID
+ *     console.log(tenantId); // e.g., "test-tenant-agents-123e4567-e89b-12d3-a456-426614174000"
+ *   });
+ * });
+ * ```
+ */
+export declare function createTestTenantId(prefix?: string): string;
+/**
+ * Creates multiple unique tenant IDs for test isolation.
+ *
+ * Useful when you need multiple tenants in a single test.
+ *
+ * @param count - Number of tenant IDs to generate
+ * @param prefix - Optional prefix to include in all tenant IDs
+ * @returns Array of unique tenant IDs
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantIds } from './utils/testTenant.js';
+ *
+ * describe('Multi-tenant test suite', () => {
+ *   const [tenantA, tenantB] = createTestTenantIds(2, 'multi-tenant');
+ *
+ *   it('should handle cross-tenant operations', async () => {
+ *     // Test operations across different tenants
+ *   });
+ * });
+ * ```
+ */
+export declare function createTestTenantIds(count: number, prefix?: string): string[];
+/**
+ * Checks if a tenant ID is a test tenant.
+ *
+ * @param tenantId - The tenant ID to check
+ * @returns True if the tenant ID is a test tenant
+ *
+ * @example
+ * ```typescript
+ * import { isTestTenant } from './utils/testTenant.js';
+ *
+ * const tenantId = createTestTenantId();
+ * console.log(isTestTenant(tenantId)); // true
+ * console.log(isTestTenant('production-tenant')); // false
+ * ```
+ */
+export declare function isTestTenant(tenantId: string): boolean;
+//# sourceMappingURL=testTenant.d.ts.map

package/dist/__tests__/utils/testTenant.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"testTenant.d.ts","sourceRoot":"","sources":["../../../src/__tests__/utils/testTenant.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAG1D;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAE5E;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAEtD"}

package/dist/__tests__/utils/testTenant.js

@@ -0,0 +1,71 @@
+import { randomUUID } from 'node:crypto';
+/**
+ * Creates a unique tenant ID for test isolation.
+ *
+ * Each test run gets its own tenant to ensure parallel tests don't interfere with each other.
+ * The generated tenant ID follows the format: test-tenant-{prefix}-{uuid} or test-tenant-{uuid}
+ *
+ * @param prefix - Optional prefix to include in the tenant ID (e.g., test file name)
+ * @returns A unique tenant ID for test isolation
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantId } from './utils/testTenant.js';
+ *
+ * describe('My test suite', () => {
+ *   const tenantId = createTestTenantId('agents');
+ *
+ *   it('should work with isolated tenant', async () => {
+ *     // Your test code using the unique tenant ID
+ *     console.log(tenantId); // e.g., "test-tenant-agents-123e4567-e89b-12d3-a456-426614174000"
+ *   });
+ * });
+ * ```
+ */
+export function createTestTenantId(prefix) {
+    const uuid = randomUUID();
+    return prefix ? `test-tenant-${prefix}-${uuid}` : `test-tenant-${uuid}`;
+}
+/**
+ * Creates multiple unique tenant IDs for test isolation.
+ *
+ * Useful when you need multiple tenants in a single test.
+ *
+ * @param count - Number of tenant IDs to generate
+ * @param prefix - Optional prefix to include in all tenant IDs
+ * @returns Array of unique tenant IDs
+ *
+ * @example
+ * ```typescript
+ * import { createTestTenantIds } from './utils/testTenant.js';
+ *
+ * describe('Multi-tenant test suite', () => {
+ *   const [tenantA, tenantB] = createTestTenantIds(2, 'multi-tenant');
+ *
+ *   it('should handle cross-tenant operations', async () => {
+ *     // Test operations across different tenants
+ *   });
+ * });
+ * ```
+ */
+export function createTestTenantIds(count, prefix) {
+    return Array.from({ length: count }, () => createTestTenantId(prefix));
+}
+/**
+ * Checks if a tenant ID is a test tenant.
+ *
+ * @param tenantId - The tenant ID to check
+ * @returns True if the tenant ID is a test tenant
+ *
+ * @example
+ * ```typescript
+ * import { isTestTenant } from './utils/testTenant.js';
+ *
+ * const tenantId = createTestTenantId();
+ * console.log(isTestTenant(tenantId)); // true
+ * console.log(isTestTenant('production-tenant')); // false
+ * ```
+ */
+export function isTestTenant(tenantId) {
+    return tenantId.startsWith('test-tenant-');
+}

package/dist/app.d.ts

@@ -0,0 +1,4 @@
+import { OpenApiHonoWithExecutionContext } from '@inkeep/agents-core';
+declare const app: OpenApiHonoWithExecutionContext;
+export default app;
+//# sourceMappingURL=app.d.ts.map

package/dist/app.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app.d.ts","sourceRoot":"","sources":["../src/app.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,+BAA+B,EAAE,MAAM,qBAAqB,CAAC;AAatE,QAAA,MAAM,GAAG,iCAAwC,CAAC;AAwJlD,eAAe,GAAG,CAAC"}

package/dist/app.js

@@ -0,0 +1,140 @@
+import { createRoute } from '@hono/zod-openapi';
+import { OpenApiHonoWithExecutionContext } from '@inkeep/agents-core';
+import { cors } from 'hono/cors';
+import { HTTPException } from 'hono/http-exception';
+import { requestId } from 'hono/request-id';
+import { pinoLogger } from 'hono-pino';
+import { handleApiError } from '@inkeep/agents-core';
+import { getLogger } from './logger.js';
+import crudRoutes from './routes/index.js';
+import { apiKeyAuth } from './middleware/auth.js';
+import oauthRoutes from './routes/oauth.js';
+import { setupOpenAPIRoutes } from './openapi.js';
+const app = new OpenApiHonoWithExecutionContext();
+// Request ID middleware
+app.use('*', requestId());
+// Logging middleware
+app.use(pinoLogger({
+    pino: getLogger(),
+    http: {
+        onResLevel(c) {
+            if (c.res.status >= 500) {
+                return 'error';
+            }
+            return 'info';
+        },
+    },
+}));
+// Error handling
+app.onError(async (err, c) => {
+    const isExpectedError = err instanceof HTTPException;
+    const status = isExpectedError ? err.status : 500;
+    const requestId = c.get('requestId') || 'unknown';
+    // Zod validation error detection
+    let zodIssues;
+    if (err && typeof err === 'object') {
+        if (err.cause && Array.isArray(err.cause.issues)) {
+            zodIssues = err.cause.issues;
+        }
+        else if (Array.isArray(err.issues)) {
+            zodIssues = err.issues;
+        }
+    }
+    if (status === 400 && Array.isArray(zodIssues)) {
+        c.status(400);
+        c.header('Content-Type', 'application/problem+json');
+        c.header('X-Content-Type-Options', 'nosniff');
+        return c.json({
+            type: 'https://docs.inkeep.com/agents-api/errors#bad_request',
+            title: 'Validation Failed',
+            status: 400,
+            detail: 'Request validation failed',
+            errors: zodIssues.map((issue) => ({
+                detail: issue.message,
+                pointer: issue.path ? `/${issue.path.join('/')}` : undefined,
+                name: issue.path ? issue.path.join('.') : undefined,
+                reason: issue.message,
+            })),
+        });
+    }
+    if (status >= 500) {
+        if (!isExpectedError) {
+            const errorMessage = err instanceof Error ? err.message : String(err);
+            const errorStack = err instanceof Error ? err.stack : undefined;
+            getLogger().error({
+                error: err,
+                message: errorMessage,
+                stack: errorStack,
+                path: c.req.path,
+                requestId,
+            }, 'Unexpected server error occurred');
+        }
+        else {
+            getLogger().error({
+                error: err,
+                path: c.req.path,
+                requestId,
+                status,
+            }, 'Server error occurred');
+        }
+    }
+    if (isExpectedError) {
+        try {
+            const response = err.getResponse();
+            return response;
+        }
+        catch (responseError) {
+            getLogger().error({ error: responseError }, 'Error while handling HTTPException response');
+        }
+    }
+    const { status: respStatus, title, detail, instance } = await handleApiError(err, requestId);
+    c.status(respStatus);
+    c.header('Content-Type', 'application/problem+json');
+    c.header('X-Content-Type-Options', 'nosniff');
+    return c.json({
+        type: 'https://docs.inkeep.com/agents-api/errors#internal_server_error',
+        title,
+        status: respStatus,
+        detail,
+        ...(instance && { instance }),
+    });
+});
+// CORS middleware
+app.use('*', cors({
+    origin: (origin) => {
+        if (!origin)
+            return origin;
+        return origin.startsWith('http://localhost:') || origin.startsWith('https://localhost:')
+            ? origin
+            : null;
+    },
+    allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
+    allowHeaders: ['*'],
+    exposeHeaders: ['Content-Length'],
+    maxAge: 86400,
+    credentials: true,
+}));
+// Health check endpoint
+app.openapi(createRoute({
+    method: 'get',
+    path: '/health',
+    tags: ['health'],
+    summary: 'Health check',
+    description: 'Check if the management service is healthy',
+    responses: {
+        204: {
+            description: 'Service is healthy',
+        },
+    },
+}), (c) => {
+    return c.body(null, 204);
+});
+// API Key authentication middleware for protected routes
+app.use('/tenants/*', apiKeyAuth());
+// Mount CRUD routes for all entities
+app.route('/tenants/:tenantId/crud', crudRoutes);
+// Mount OAuth routes - global OAuth callback endpoint
+app.route('/oauth', oauthRoutes);
+// Setup OpenAPI documentation endpoints (/openapi.json and /docs)
+setupOpenAPIRoutes(app);
+export default app;