@inkeep/agents-manage-api 0.36.0 → 0.37.0

package/dist/{chunk-7YBMBKBI.js → chunk-6E4QM6FE.js}

@@ -1,5 +1,5 @@
 import { F, u, R, x, T, h, U, L, or, C, Vr, ce, ur, P } from './chunk-SBJLXGYG.js';
-import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, AgentListResponse, PaginationQueryParamsSchema, TenantProjectParamsSchema, listAgents, AgentResponse, TenantProjectIdParamsSchema, getAgentById, createApiError, RelatedAgentInfoListResponse, TenantProjectAgentSubAgentParamsSchema, getAgentSubAgentInfos, AgentWithinContextOfProjectResponse, TenantProjectAgentParamsSchema, getFullAgentDefinition, AgentApiInsertSchema, createAgent, generateId, AgentApiUpdateSchema, updateAgent, ErrorResponseSchema, deleteAgent, AgentWithinContextOfProjectSchema, createFullAgentServerSide, getFullAgent, updateFullAgentServerSide, deleteFullAgent, ApiKeyListResponse, listApiKeysPaginated, ApiKeyResponse, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, ArtifactComponentListResponse, listArtifactComponentsPaginated, ArtifactComponentResponse, getArtifactComponentById, ArtifactComponentApiInsertSchema, validatePropsAsJsonSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigListResponse, listContextConfigsPaginated, ContextConfigResponse, TenantProjectAgentIdParamsSchema, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialStoreListResponseSchema, CreateCredentialInStoreResponseSchema, CreateCredentialInStoreRequestSchema, CredentialReferenceListResponse, listCredentialReferencesPaginated, ListResponseSchema, CredentialReferenceApiSelectSchema, CredentialReferenceResponse, getCredentialReferenceWithResources, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialReferenceById, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, DataComponentListResponse, listDataComponentsPaginated, DataComponentResponse, getDataComponent, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentListResponse, listExternalAgentsPaginated, ExternalAgentResponse, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, FunctionListResponse, listFunctions, FunctionResponse, getFunction, FunctionApiInsertSchema, upsertFunction, FunctionApiUpdateSchema, deleteFunction, FunctionToolListResponse, listFunctionTools, FunctionToolResponse, getFunctionToolById, FunctionToolApiInsertSchema, createFunctionTool, FunctionToolApiUpdateSchema, updateFunctionTool, deleteFunctionTool, MCPCatalogListResponse, fetchComposioServers, MCPTransportType, ProjectListResponse, TenantParamsSchema, listProjectsPaginated, ProjectResponse, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, ArtifactComponentArrayResponse, getArtifactComponentsForAgent, ComponentAssociationListResponse, getAgentsUsingArtifactComponent, SubAgentArtifactComponentResponse, SubAgentArtifactComponentApiInsertSchema, getSubAgentById, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentArrayResponse, getDataComponentsForAgent, getAgentsUsingDataComponent, SubAgentDataComponentResponse, SubAgentDataComponentApiInsertSchema, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, SubAgentExternalAgentRelationListResponse, listSubAgentExternalAgentRelations, SubAgentExternalAgentRelationResponse, TenantProjectAgentSubAgentIdParamsSchema, getSubAgentExternalAgentRelationById, SubAgentExternalAgentRelationApiInsertSchema, createSubAgentExternalAgentRelation, SubAgentExternalAgentRelationApiUpdateSchema, updateSubAgentExternalAgentRelation, deleteSubAgentExternalAgentRelation, SubAgentRelationListResponse, SubAgentRelationQuerySchema, getAgentRelationsBySource, getSubAgentRelationsByTarget, listAgentRelations, SubAgentRelationResponse, getAgentRelationById, SubAgentRelationApiInsertSchema, validateSubAgent, createSubAgentRelation, SubAgentRelationApiUpdateSchema, updateAgentRelation, deleteSubAgentRelation, SubAgentListResponse, listSubAgentsPaginated, SubAgentResponse, SubAgentApiInsertSchema, createSubAgent, SubAgentApiUpdateSchema, updateSubAgent, deleteSubAgent, SubAgentTeamAgentRelationListResponse, listSubAgentTeamAgentRelations, SubAgentTeamAgentRelationResponse, getSubAgentTeamAgentRelationById, SubAgentTeamAgentRelationApiInsertSchema, createSubAgentTeamAgentRelation, SubAgentTeamAgentRelationApiUpdateSchema, updateSubAgentTeamAgentRelation, deleteSubAgentTeamAgentRelation, SubAgentToolRelationListResponse, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, SubAgentToolRelationResponse, getAgentToolRelationById, getAgentsForTool, SubAgentToolRelationApiInsertSchema, createAgentToolRelation, SubAgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, ThirdPartyMCPServerResponse, fetchSingleComposioServer, McpToolListResponse, ToolStatusSchema, listTools, dbResultToMcpTool, McpToolResponse, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, getPendingInvitationsByEmail, OAuthLoginQuerySchema, OAuthCallbackQuerySchema, CredentialStoreType, FullProjectDefinitionResponse, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, getUserOrganizations, addUserToOrganization, initiateMcpOAuthFlow, exchangeMcpAuthorizationCode, handleApiError, organization, getUserByEmail, member, createDefaultCredentialStores, CredentialStoreRegistry } from '@inkeep/agents-core';
+import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, AgentListResponse, PaginationQueryParamsSchema, TenantProjectParamsSchema, listAgents, AgentResponse, TenantProjectIdParamsSchema, getAgentById, createApiError, RelatedAgentInfoListResponse, TenantProjectAgentSubAgentParamsSchema, getAgentSubAgentInfos, AgentWithinContextOfProjectResponse, TenantProjectAgentParamsSchema, getFullAgentDefinition, AgentApiInsertSchema, createAgent, generateId, AgentApiUpdateSchema, updateAgent, ErrorResponseSchema, deleteAgent, AgentWithinContextOfProjectSchema, createFullAgentServerSide, getFullAgent, updateFullAgentServerSide, deleteFullAgent, ApiKeyListResponse, listApiKeysPaginated, ApiKeyResponse, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, ArtifactComponentListResponse, listArtifactComponentsPaginated, ArtifactComponentResponse, getArtifactComponentById, ArtifactComponentApiInsertSchema, validatePropsAsJsonSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigListResponse, listContextConfigsPaginated, ContextConfigResponse, TenantProjectAgentIdParamsSchema, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialStoreListResponseSchema, CreateCredentialInStoreResponseSchema, CreateCredentialInStoreRequestSchema, CredentialReferenceListResponse, listCredentialReferencesPaginated, ListResponseSchema, CredentialReferenceApiSelectSchema, CredentialReferenceResponse, getCredentialReferenceWithResources, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialReferenceById, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, DataComponentListResponse, listDataComponentsPaginated, DataComponentResponse, getDataComponent, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentListResponse, listExternalAgentsPaginated, ExternalAgentResponse, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, FunctionListResponse, listFunctions, FunctionResponse, getFunction, FunctionApiInsertSchema, upsertFunction, FunctionApiUpdateSchema, deleteFunction, FunctionToolListResponse, listFunctionTools, FunctionToolResponse, getFunctionToolById, FunctionToolApiInsertSchema, createFunctionTool, FunctionToolApiUpdateSchema, updateFunctionTool, deleteFunctionTool, MCPCatalogListResponse, fetchComposioServers, MCPTransportType, ProjectListResponse, TenantParamsSchema, listProjectsPaginated, ProjectResponse, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, ArtifactComponentArrayResponse, getArtifactComponentsForAgent, ComponentAssociationListResponse, getAgentsUsingArtifactComponent, SubAgentArtifactComponentResponse, SubAgentArtifactComponentApiInsertSchema, getSubAgentById, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentArrayResponse, getDataComponentsForAgent, getAgentsUsingDataComponent, SubAgentDataComponentResponse, SubAgentDataComponentApiInsertSchema, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, SubAgentExternalAgentRelationListResponse, listSubAgentExternalAgentRelations, SubAgentExternalAgentRelationResponse, TenantProjectAgentSubAgentIdParamsSchema, getSubAgentExternalAgentRelationById, SubAgentExternalAgentRelationApiInsertSchema, createSubAgentExternalAgentRelation, SubAgentExternalAgentRelationApiUpdateSchema, updateSubAgentExternalAgentRelation, deleteSubAgentExternalAgentRelation, SubAgentRelationListResponse, SubAgentRelationQuerySchema, getAgentRelationsBySource, getSubAgentRelationsByTarget, listAgentRelations, SubAgentRelationResponse, getAgentRelationById, SubAgentRelationApiInsertSchema, validateSubAgent, createSubAgentRelation, SubAgentRelationApiUpdateSchema, updateAgentRelation, deleteSubAgentRelation, SubAgentListResponse, listSubAgentsPaginated, SubAgentResponse, SubAgentApiInsertSchema, createSubAgent, SubAgentApiUpdateSchema, updateSubAgent, deleteSubAgent, SubAgentTeamAgentRelationListResponse, listSubAgentTeamAgentRelations, SubAgentTeamAgentRelationResponse, getSubAgentTeamAgentRelationById, SubAgentTeamAgentRelationApiInsertSchema, createSubAgentTeamAgentRelation, SubAgentTeamAgentRelationApiUpdateSchema, updateSubAgentTeamAgentRelation, deleteSubAgentTeamAgentRelation, SubAgentToolRelationListResponse, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, SubAgentToolRelationResponse, getAgentToolRelationById, getAgentsForTool, SubAgentToolRelationApiInsertSchema, createAgentToolRelation, SubAgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, ThirdPartyMCPServerResponse, fetchSingleComposioServer, McpToolListResponse, ToolStatusSchema, listTools, dbResultToMcpTool, McpToolResponse, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, getPendingInvitationsByEmail, OAuthLoginQuerySchema, OAuthCallbackQuerySchema, CredentialStoreType, projectExists, signTempToken, FullProjectDefinitionResponse, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, getUserOrganizations, addUserToOrganization, initiateMcpOAuthFlow, exchangeMcpAuthorizationCode, handleApiError, organization, getUserByEmail, member, createDefaultCredentialStores, CredentialStoreRegistry } from '@inkeep/agents-core';
 import { createAuth } from '@inkeep/agents-core/auth';
 import { OpenAPIHono, createRoute, z as z$1 } from '@hono/zod-openapi';
 import { Hono } from 'hono';
@@ -22,6 +22,7 @@ var envSchema = z.object({
   NODE_ENV: z.enum(["development", "production", "test"]).optional(),
   ENVIRONMENT: z.enum(["development", "production", "pentest", "test"]).optional(),
   INKEEP_AGENTS_MANAGE_API_URL: z.string().optional().default("http://localhost:3002"),
+  INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional().default("http://localhost:3000"),
   DATABASE_URL: z.string().optional(),
   LOG_LEVEL: z.enum(["trace", "debug", "info", "warn", "error"]).optional().default("debug"),
   NANGO_SERVER_URL: z.string().optional().default("https://api.nango.dev"),
@@ -35,7 +36,8 @@ var envSchema = z.object({
   INKEEP_AGENTS_MANAGE_UI_PASSWORD: z.string().optional().refine((val) => !val || val.length >= 8, {
     message: "Password must be at least 8 characters"
   }),
-  DISABLE_AUTH: z.string().optional().default("false").transform((val) => val === "true")
+  DISABLE_AUTH: z.string().optional().default("false").transform((val) => val === "true"),
+  INKEEP_AGENTS_TEMP_JWT_PRIVATE_KEY: z.string().optional()
 });
 var parseEnv = () => {
   try {
@@ -79,8 +81,9 @@ var sessionAuth = () => createMiddleware(async (c, next) => {
   try {
     const user = c.get("user");
     if (!user) {
-      throw new HTTPException(401, {
-        message: "Unauthorized - Please log in"
+      throw createApiError({
+        code: "unauthorized",
+        message: "Please log in to access this resource"
       });
     }
     c.set("userId", user.id);
@@ -90,7 +93,8 @@ var sessionAuth = () => createMiddleware(async (c, next) => {
     if (error instanceof HTTPException) {
       throw error;
     }
-    throw new HTTPException(401, {
+    throw createApiError({
+      code: "unauthorized",
       message: "Authentication failed"
     });
   }
@@ -5164,22 +5168,23 @@ var requireTenantAccess = () => createMiddleware(async (c, next) => {
   const userId = c.get("userId");
   const tenantId = c.req.param("tenantId");
   if (!userId) {
-    throw new HTTPException(401, {
-      message: "Unauthorized - User ID not found"
+    throw createApiError({
+      code: "unauthorized",
+      message: "User ID not found"
     });
   }
   if (!tenantId) {
-    throw new HTTPException(400, {
-      message: "Bad Request - Organization ID is required"
+    throw createApiError({
+      code: "bad_request",
+      message: "Organization ID is required"
     });
   }
   try {
     const userOrganizations = await getUserOrganizations(dbClient_default)(userId);
-    const organizationAccess = userOrganizations.find(
-      (org) => org.organizationId === tenantId
-    );
+    const organizationAccess = userOrganizations.find((org) => org.organizationId === tenantId);
     if (!organizationAccess) {
-      throw new HTTPException(403, {
+      throw createApiError({
+        code: "forbidden",
         message: "Access denied to this organization"
       });
     }
@@ -5190,16 +5195,17 @@ var requireTenantAccess = () => createMiddleware(async (c, next) => {
     if (error instanceof HTTPException) {
       throw error;
     }
-    throw new HTTPException(500, {
+    throw createApiError({
+      code: "internal_server_error",
       message: "Failed to verify organization access"
     });
   }
 });
-function setupOpenAPIRoutes(app26) {
-  app26.get("/openapi.json", (c) => {
+function setupOpenAPIRoutes(app27) {
+  app27.get("/openapi.json", (c) => {
     try {
       const serverUrl = process.env.VERCEL_ENV === "production" && process.env.VERCEL_PROJECT_PRODUCTION_URL ? `https://${process.env.VERCEL_PROJECT_PRODUCTION_URL}` : process.env.VERCEL_ENV === "preview" && process.env.VERCEL_URL ? `https://${process.env.VERCEL_URL}` : env.INKEEP_AGENTS_MANAGE_API_URL;
-      const document2 = app26.getOpenAPIDocument({
+      const document2 = app27.getOpenAPIDocument({
         openapi: "3.0.0",
         info: {
           title: "Inkeep Agents Manage API",
@@ -5307,6 +5313,30 @@ function setupOpenAPIRoutes(app26) {
           }
         ]
       });
+      document2.components = {
+        ...document2.components,
+        securitySchemes: {
+          ...document2.components?.securitySchemes || {},
+          cookieAuth: {
+            type: "apiKey",
+            in: "cookie",
+            name: "better-auth.session_token",
+            description: 'Session-based authentication using HTTP-only cookies. Cookies are automatically sent by browsers. For server-side requests, include cookies with names starting with "better-auth." in the Cookie header.'
+          },
+          bearerAuth: {
+            type: "http",
+            scheme: "bearer",
+            bearerFormat: "Token",
+            description: 'Bearer token authentication. Use this for API clients and service-to-service communication. Set the Authorization header to "Bearer <token>".'
+          }
+        }
+      };
+      document2.security = [
+        {
+          cookieAuth: [],
+          bearerAuth: []
+        }
+      ];
       return c.json(document2);
     } catch (error) {
       console.error("OpenAPI document generation failed:", error);
@@ -5314,7 +5344,7 @@ function setupOpenAPIRoutes(app26) {
       return c.json({ error: "Failed to generate OpenAPI document", details: errorDetails }, 500);
     }
   });
-  app26.get(
+  app27.get(
     "/docs",
     swaggerUI({
       url: "/openapi.json",
@@ -11294,15 +11324,118 @@ app24.openapi(
   }
 );
 var oauth_default = app24;
-var logger8 = getLogger("projectFull");
+var logger8 = getLogger("playgroundToken");
 var app25 = new OpenAPIHono();
-app25.use("/project-full", async (c, next) => {
+app25.use("/", requirePermission({ agent: ["create"] }));
+var PlaygroundTokenRequestSchema = z$1.object({
+  projectId: z$1.string(),
+  agentId: z$1.string()
+});
+var PlaygroundTokenResponseSchema = z$1.object({
+  apiKey: z$1.string().describe("Temporary API key for playground use"),
+  expiresAt: z$1.string().describe("ISO 8601 timestamp when the key expires")
+});
+app25.openapi(
+  createRoute({
+    method: "post",
+    path: "/",
+    summary: "Generate temporary API key for playground",
+    operationId: "create-playground-token",
+    tags: ["Playground"],
+    description: "Generates a short-lived API key (1 hour expiry) for authenticated users to access the run-api from the playground",
+    security: [{ cookieAuth: [] }],
+    request: {
+      body: {
+        content: {
+          "application/json": {
+            schema: PlaygroundTokenRequestSchema
+          }
+        }
+      }
+    },
+    responses: {
+      200: {
+        description: "Temporary API key generated successfully",
+        content: {
+          "application/json": {
+            schema: PlaygroundTokenResponseSchema
+          }
+        }
+      },
+      401: {
+        description: "Unauthorized - session required",
+        content: {
+          "application/json": {
+            schema: ErrorResponseSchema
+          }
+        }
+      }
+    }
+  }),
+  async (c) => {
+    const userId = c.get("userId");
+    const tenantId = c.get("tenantId");
+    const { projectId, agentId } = c.req.valid("json");
+    logger8.info(
+      { userId, tenantId, projectId, agentId },
+      "Generating temporary JWT token for playground"
+    );
+    const projectExistsCheck = await projectExists(dbClient_default)({ tenantId, projectId });
+    if (!projectExistsCheck) {
+      logger8.warn({ userId, tenantId, projectId }, "Project not found or access denied");
+      throw createApiError({
+        code: "not_found",
+        message: "Project not found"
+      });
+    }
+    const agent = await getAgentById(dbClient_default)({ scopes: { tenantId, projectId, agentId } });
+    if (!agent) {
+      logger8.warn({ userId, tenantId, projectId, agentId }, "Agent not found or access denied");
+      throw createApiError({
+        code: "not_found",
+        message: "Agent not found"
+      });
+    }
+    if (!env.INKEEP_AGENTS_TEMP_JWT_PRIVATE_KEY) {
+      throw createApiError({
+        code: "internal_server_error",
+        message: "Temporary token signing not configured"
+      });
+    }
+    const privateKeyPem = Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PRIVATE_KEY, "base64").toString(
+      "utf-8"
+    );
+    const result = await signTempToken(
+      privateKeyPem,
+      {
+        tenantId,
+        projectId,
+        agentId,
+        type: "temporary",
+        initiatedBy: { type: "user", id: userId }
+      },
+      userId
+    );
+    logger8.info({ userId, expiresAt: result.expiresAt }, "Temporary JWT token generated");
+    return c.json(
+      {
+        apiKey: result.token,
+        expiresAt: result.expiresAt
+      },
+      200
+    );
+  }
+);
+var playgroundToken_default = app25;
+var logger9 = getLogger("projectFull");
+var app26 = new OpenAPIHono();
+app26.use("/project-full", async (c, next) => {
   if (c.req.method === "POST") {
     return requirePermission({ project: ["create"] })(c, next);
   }
   return next();
 });
-app25.use("/project-full/:projectId", async (c, next) => {
+app26.use("/project-full/:projectId", async (c, next) => {
   if (c.req.method === "PUT") {
     return requirePermission({ project: ["update"] })(c, next);
   }
@@ -11311,7 +11444,7 @@ app25.use("/project-full/:projectId", async (c, next) => {
   }
   return next();
 });
-app25.openapi(
+app26.openapi(
   createRoute({
     method: "post",
     path: "/project-full",
@@ -11354,13 +11487,13 @@ app25.openapi(
     const projectData = c.req.valid("json");
     const validatedProjectData = FullProjectDefinitionSchema.parse(projectData);
     try {
-      const createdProject = await createFullProjectServerSide(dbClient_default, logger8)(
+      const createdProject = await createFullProjectServerSide(dbClient_default, logger9)(
         { tenantId, projectId: validatedProjectData.id },
         validatedProjectData
       );
       return c.json({ data: createdProject }, 201);
     } catch (error) {
-      logger8.error({ error }, "Error creating project");
+      logger9.error({ error }, "Error creating project");
       if (error?.cause?.code === "23505") {
         throw createApiError({
           code: "conflict",
@@ -11371,7 +11504,7 @@ app25.openapi(
     }
   }
 );
-app25.openapi(
+app26.openapi(
   createRoute({
     method: "get",
     path: "/project-full/{projectId}",
@@ -11399,7 +11532,7 @@ app25.openapi(
     try {
       const project = await getFullProject(
         dbClient_default,
-        logger8
+        logger9
       )({
         scopes: { tenantId, projectId }
       });
@@ -11424,7 +11557,7 @@ app25.openapi(
     }
   }
 );
-app25.openapi(
+app26.openapi(
   createRoute({
     method: "put",
     path: "/project-full/{projectId}",
@@ -11475,15 +11608,15 @@ app25.openapi(
       }
       const existingProject = await getFullProject(
         dbClient_default,
-        logger8
+        logger9
       )({
         scopes: { tenantId, projectId }
       });
       const isCreate = !existingProject;
-      const updatedProject = isCreate ? await createFullProjectServerSide(dbClient_default, logger8)(
+      const updatedProject = isCreate ? await createFullProjectServerSide(dbClient_default, logger9)(
         { tenantId, projectId },
         validatedProjectData
-      ) : await updateFullProjectServerSide(dbClient_default, logger8)(
+      ) : await updateFullProjectServerSide(dbClient_default, logger9)(
         { tenantId, projectId },
         validatedProjectData
       );
@@ -11508,7 +11641,7 @@ app25.openapi(
     }
   }
 );
-app25.openapi(
+app26.openapi(
   createRoute({
     method: "delete",
     path: "/project-full/{projectId}",
@@ -11531,7 +11664,7 @@ app25.openapi(
     try {
       const deleted = await deleteFullProject(
         dbClient_default,
-        logger8
+        logger9
       )({
         scopes: { tenantId, projectId }
       });
@@ -11556,7 +11689,7 @@ app25.openapi(
     }
   }
 );
-var projectFull_default = app25;
+var projectFull_default = app26;
 var userOrganizationsRoutes = new OpenAPIHono();
 userOrganizationsRoutes.openapi(
   createRoute({
@@ -11631,35 +11764,35 @@ userOrganizationsRoutes.openapi(
 var userOrganizations_default = userOrganizationsRoutes;
 
 // src/app.ts
-var logger9 = getLogger("agents-manage-api");
-logger9.info({ logger: logger9.getTransports() }, "Logger initialized");
+var logger10 = getLogger("agents-manage-api");
+logger10.info({ logger: logger10.getTransports() }, "Logger initialized");
 function isOriginAllowed(origin) {
   if (!origin) return false;
   try {
     const requestUrl = new URL(origin);
     const authUrl = new URL(env.INKEEP_AGENTS_MANAGE_API_URL || "http://localhost:3002");
+    const uiUrl = env.INKEEP_AGENTS_MANAGE_UI_URL ? new URL(env.INKEEP_AGENTS_MANAGE_UI_URL) : null;
     if (authUrl.hostname === "localhost" || authUrl.hostname === "127.0.0.1") {
       return requestUrl.hostname === "localhost" || requestUrl.hostname === "127.0.0.1";
     }
-    if (requestUrl.hostname.endsWith(".vercel.app")) {
+    if (uiUrl && requestUrl.hostname === uiUrl.hostname) {
       return true;
     }
-    const baseDomain = authUrl.hostname.replace(/^api\./, "");
-    return requestUrl.hostname === baseDomain || requestUrl.hostname.endsWith(`.${baseDomain}`);
+    return false;
   } catch {
     return false;
   }
 }
 function createManagementHono(serverConfig, credentialStores, auth) {
-  const app26 = new OpenAPIHono();
-  app26.use("*", requestId());
-  app26.use("*", async (c, next) => {
+  const app27 = new OpenAPIHono();
+  app27.use("*", requestId());
+  app27.use("*", async (c, next) => {
     c.set("serverConfig", serverConfig);
     c.set("credentialStores", credentialStores);
     c.set("auth", auth);
     return next();
   });
-  app26.use(
+  app27.use(
     pinoLogger({
       pino: getLogger("agents-manage-api").getPinoInstance(),
       http: {
@@ -11672,7 +11805,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
       }
     })
   );
-  app26.onError(async (err2, c) => {
+  app27.onError(async (err2, c) => {
     const isExpectedError = err2 instanceof HTTPException;
     const status = isExpectedError ? err2.status : 500;
     const requestId2 = c.get("requestId") || "unknown";
@@ -11705,7 +11838,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
       if (!isExpectedError) {
         const errorMessage = err2 instanceof Error ? err2.message : String(err2);
         const errorStack = err2 instanceof Error ? err2.stack : void 0;
-        logger9.error(
+        logger10.error(
           {
             error: err2,
             message: errorMessage,
@@ -11716,7 +11849,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
           "Unexpected server error occurred"
         );
       } else {
-        logger9.error(
+        logger10.error(
           {
             error: err2,
             path: c.req.path,
@@ -11742,7 +11875,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
     return c.body(JSON.stringify(responseBody));
   });
   if (auth) {
-    app26.use(
+    app27.use(
       "/api/auth/*",
       cors({
         origin: (origin) => {
@@ -11755,14 +11888,30 @@ function createManagementHono(serverConfig, credentialStores, auth) {
         credentials: true
       })
     );
-    app26.on(["POST", "GET"], "/api/auth/*", (c) => {
+    app27.on(["POST", "GET"], "/api/auth/*", (c) => {
       return auth.handler(c.req.raw);
     });
   }
-  app26.use("*", async (c, next) => {
+  app27.use(
+    "/tenants/*/playground/token",
+    cors({
+      origin: (origin) => {
+        return isOriginAllowed(origin) ? origin : null;
+      },
+      allowHeaders: ["content-type", "Content-Type", "authorization", "Authorization"],
+      allowMethods: ["POST", "OPTIONS"],
+      exposeHeaders: ["Content-Length"],
+      maxAge: 600,
+      credentials: true
+    })
+  );
+  app27.use("*", async (c, next) => {
     if (auth && c.req.path.startsWith("/api/auth/")) {
       return next();
     }
+    if (c.req.path.includes("/playground/token")) {
+      return next();
+    }
     return cors({
       origin: (origin) => {
         return isOriginAllowed(origin) ? origin : null;
@@ -11774,7 +11923,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
       credentials: true
     })(c, next);
   });
-  app26.use("*", async (c, next) => {
+  app27.use("*", async (c, next) => {
     if (env.DISABLE_AUTH || !auth) {
       c.set("user", null);
       c.set("session", null);
@@ -11792,7 +11941,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
     c.set("session", session.session);
     await next();
   });
-  app26.openapi(
+  app27.openapi(
     createRoute({
       method: "get",
       path: "/health",
@@ -11809,7 +11958,7 @@ function createManagementHono(serverConfig, credentialStores, auth) {
       return c.body(null, 204);
     }
   );
-  app26.use("/tenants/*", async (c, next) => {
+  app27.use("/tenants/*", async (c, next) => {
     const isTestEnvironment = process.env.ENVIRONMENT === "test";
     if (env.DISABLE_AUTH || isTestEnvironment) {
       await next();
@@ -11823,19 +11972,20 @@ function createManagementHono(serverConfig, credentialStores, auth) {
   });
   const isTestEnv = process.env.ENVIRONMENT === "test";
   if (!env.DISABLE_AUTH && !isTestEnv) {
-    app26.use("/tenants/:tenantId/*", requireTenantAccess());
-  }
-  app26.route("/api/users/:userId/organizations", userOrganizations_default);
-  app26.route("/api/invitations", invitations_default);
-  app26.route("/tenants/:tenantId", routes_default);
-  app26.route("/tenants/:tenantId", projectFull_default);
-  app26.route("/oauth", oauth_default);
-  setupOpenAPIRoutes(app26);
+    app27.use("/tenants/:tenantId/*", requireTenantAccess());
+  }
+  app27.route("/api/users/:userId/organizations", userOrganizations_default);
+  app27.route("/api/invitations", invitations_default);
+  app27.route("/tenants/:tenantId", routes_default);
+  app27.route("/tenants/:tenantId/playground/token", playgroundToken_default);
+  app27.route("/tenants/:tenantId", projectFull_default);
+  app27.route("/oauth", oauth_default);
+  setupOpenAPIRoutes(app27);
   const baseApp = new Hono();
-  baseApp.route("/", app26);
+  baseApp.route("/", app27);
   return baseApp;
 }
-var logger10 = getLogger("initialization");
+var logger11 = getLogger("initialization");
 async function initializeDefaultUser(authInstance) {
   const { INKEEP_AGENTS_MANAGE_UI_USERNAME, INKEEP_AGENTS_MANAGE_UI_PASSWORD, DISABLE_AUTH } = env;
   const hasCredentials = INKEEP_AGENTS_MANAGE_UI_USERNAME && INKEEP_AGENTS_MANAGE_UI_PASSWORD;
@@ -11850,23 +12000,23 @@ async function initializeDefaultUser(authInstance) {
       logo: null,
       metadata: null
     });
-    logger10.info({ organizationId: orgId }, "Created default organization");
+    logger11.info({ organizationId: orgId }, "Created default organization");
   } else {
-    logger10.info({ organizationId: orgId }, "Organization already exists");
+    logger11.info({ organizationId: orgId }, "Organization already exists");
   }
   if (!hasCredentials || DISABLE_AUTH || !authInstance) {
-    logger10.info({ hasCredentials: false }, "Skipping default user creation");
+    logger11.info({ hasCredentials: false }, "Skipping default user creation");
     return;
   }
   try {
     let user = await getUserByEmail(dbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
     if (user) {
-      logger10.info(
+      logger11.info(
         { email: INKEEP_AGENTS_MANAGE_UI_USERNAME, userId: user.id },
         "Default user already exists"
       );
     } else {
-      logger10.info(
+      logger11.info(
         { email: INKEEP_AGENTS_MANAGE_UI_USERNAME },
         "Creating default user with Better Auth..."
       );
@@ -11885,7 +12035,7 @@ async function initializeDefaultUser(authInstance) {
       if (!user) {
         throw new Error("User was created but could not be retrieved from database");
       }
-      logger10.info(
+      logger11.info(
         {
           email: user.email,
           id: user.id
@@ -11902,14 +12052,14 @@ async function initializeDefaultUser(authInstance) {
         role: "owner",
         createdAt: /* @__PURE__ */ new Date()
       });
-      logger10.info({ userId: user.id, organizationId: orgId }, "Added user as organization owner");
+      logger11.info({ userId: user.id, organizationId: orgId }, "Added user as organization owner");
     } else {
-      logger10.info(
+      logger11.info(
         { userId: user.id, organizationId: orgId },
         "User already a member of organization"
       );
     }
-    logger10.info(
+    logger11.info(
       {
         organizationId: orgId,
         organizationSlug: env.TENANT_ID,
@@ -11919,7 +12069,7 @@ async function initializeDefaultUser(authInstance) {
       "\u2705 Initialization complete - login with these credentials"
     );
   } catch (error) {
-    logger10.error(
+    logger11.error(
       { error, email: INKEEP_AGENTS_MANAGE_UI_USERNAME },
       "\u274C Failed to create default user"
     );

package/dist/factory.js

@@ -1 +1 @@
-export { createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, initializeDefaultUser } from './chunk-7YBMBKBI.js';
+export { createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, initializeDefaultUser } from './chunk-6E4QM6FE.js';

package/dist/index.d.ts

@@ -30,9 +30,31 @@ declare const auth: better_auth.Auth<{
         updateAge: number;
     };
     advanced: {
+        ipAddress?: {
+            ipAddressHeaders?: string[];
+            disableIpTracking?: boolean;
+        } | undefined;
+        useSecureCookies?: boolean | undefined;
+        disableCSRFCheck?: boolean | undefined;
+        disableOriginCheck?: boolean | undefined;
         crossSubDomainCookies: {
-            enabled: true;
+            enabled: boolean;
+            additionalCookies?: string[];
+            domain?: string;
         };
+        cookies?: {
+            [key: string]: {
+                name?: string;
+                attributes?: better_auth.CookieOptions;
+            };
+        } | undefined;
+        defaultCookieAttributes?: better_auth.CookieOptions | undefined;
+        cookiePrefix?: string | undefined;
+        database?: {
+            defaultFindManyLimit?: number;
+            useNumberId?: boolean;
+            generateId?: better_auth.GenerateIdFn | false | "serial" | "uuid";
+        } | undefined;
     };
     trustedOrigins: string[];
     plugins: [{

package/dist/index.js

@@ -1,5 +1,5 @@
-import { createAuth0Provider, createManagementHono, env, initializeDefaultUser, dbClient_default } from './chunk-7YBMBKBI.js';
-export { createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, initializeDefaultUser } from './chunk-7YBMBKBI.js';
+import { createAuth0Provider, createManagementHono, env, initializeDefaultUser, dbClient_default } from './chunk-6E4QM6FE.js';
+export { createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, initializeDefaultUser } from './chunk-6E4QM6FE.js';
 import { createDefaultCredentialStores, CredentialStoreRegistry } from '@inkeep/agents-core';
 import { createAuth } from '@inkeep/agents-core/auth';
 export { Hono } from 'hono';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-manage-api",
-  "version": "0.36.0",
+  "version": "0.37.0",
   "description": "Agents Manage API for Inkeep Agent Framework - handles CRUD operations and OAuth",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -27,11 +27,12 @@
     "drizzle-orm": "^0.44.4",
     "hono": "^4.10.4",
     "hono-pino": "^0.10.1",
+    "jose": "^6.1.0",
     "nanoid": "^5.1.5",
     "openid-client": "^6.6.4",
     "pino": "^9.7.0",
     "zod": "^4.1.11",
-    "@inkeep/agents-core": "^0.36.0"
+    "@inkeep/agents-core": "^0.37.0"
   },
   "optionalDependencies": {
     "keytar": "^7.9.0"