@inkeep/agents-manage-api 0.39.4 → 0.40.0

package/dist/sso-helpers.js

@@ -0,0 +1,51 @@
+import * as client from "openid-client";
+
+//#region src/sso-helpers.ts
+async function createOIDCProvider(options) {
+	try {
+		const issuerUrl = new URL(`https://${options.domain}`);
+		const metadata = (await client.discovery(issuerUrl, client.randomPKCECodeVerifier())).serverMetadata();
+		if (!metadata.issuer || !metadata.authorization_endpoint || !metadata.token_endpoint || !metadata.userinfo_endpoint || !metadata.jwks_uri) console.log("Some OIDC configuration endpoints are missing, which might cause issues with SSO");
+		const oidcConfig = {
+			clientId: options.clientId,
+			clientSecret: options.clientSecret,
+			discoveryEndpoint: `https://${options.domain}/.well-known/openid-configuration`,
+			authorizationEndpoint: metadata.authorization_endpoint,
+			tokenEndpoint: metadata.token_endpoint,
+			userinfoEndpoint: metadata.userinfo_endpoint,
+			jwksEndpoint: metadata.jwks_uri,
+			scopes: options.scopes || [
+				"openid",
+				"email",
+				"profile"
+			],
+			pkce: options.pkce !== false,
+			mapping: {
+				id: "sub",
+				email: "email",
+				emailVerified: "email_verified",
+				name: "name",
+				image: "picture"
+			}
+		};
+		return {
+			providerId: options.providerId,
+			issuer: metadata.issuer,
+			domain: options.domain,
+			organizationId: options.organizationId,
+			oidcConfig
+		};
+	} catch (error) {
+		console.error(`Error discovering OIDC configuration for ${options.domain}:`, error);
+		return null;
+	}
+}
+async function createAuth0Provider(options) {
+	return await createOIDCProvider({
+		...options,
+		providerId: "auth0"
+	});
+}
+
+//#endregion
+export { createAuth0Provider, createOIDCProvider };

package/dist/types/app.d.ts

@@ -0,0 +1,47 @@
+import { CredentialStoreRegistry, ServerConfig } from "@inkeep/agents-core";
+import { createAuth } from "@inkeep/agents-core/auth";
+
+//#region src/types/app.d.ts
+
+/**
+ * Base authentication variables set by session middleware
+ * Available in all authenticated routes
+ */
+type BaseAppVariables = {
+  auth: ReturnType<typeof createAuth> | null;
+  userId: string;
+  userEmail: string;
+  tenantId: string;
+  tenantRole: string;
+};
+/**
+ * Extended app variables with credential store support
+ * Used in routes that need credential management
+ */
+type AppVariablesWithCredentials = BaseAppVariables & {
+  credentialStores: CredentialStoreRegistry;
+};
+/**
+ * Extended app variables with server config and credential stores
+ * Used in routes that need full server configuration
+ */
+type AppVariablesWithServerConfig = BaseAppVariables & {
+  serverConfig: ServerConfig;
+  credentialStores: CredentialStoreRegistry;
+};
+/**
+ * Minimal app variables for public/OAuth routes
+ * Does not include authentication variables
+ */
+type PublicAppVariables = {
+  credentialStores: CredentialStoreRegistry;
+};
+/**
+ * Minimal app variables for OAuth routes with server config
+ */
+type PublicAppVariablesWithServerConfig = {
+  serverConfig: ServerConfig;
+  credentialStores: CredentialStoreRegistry;
+};
+//#endregion
+export { AppVariablesWithCredentials, AppVariablesWithServerConfig, BaseAppVariables, PublicAppVariables, PublicAppVariablesWithServerConfig };

package/dist/types/app.js

@@ -0,0 +1 @@
+export {  };

package/dist/utils/cors.d.ts

@@ -0,0 +1,33 @@
+import { cors } from "hono/cors";
+
+//#region src/utils/cors.d.ts
+type CorsOptions = Parameters<typeof cors>[0];
+/**
+ * Extract the base domain from a hostname (e.g., 'app.preview.inkeep.com' -> 'preview.inkeep.com')
+ * For hostnames with 3+ parts, returns the last 3 parts (subdomain.domain.tld)
+ * For hostnames with 2 parts, returns as-is (domain.tld)
+ */
+declare function getBaseDomain(hostname: string): string;
+/**
+ * Check if a request origin is allowed for CORS
+ *
+ * Development: Allow any localhost origin
+ * Production/Preview: Allow the specific UI URL, or any subdomain of the same base domain
+ *
+ * @returns true if origin is allowed (also narrows type to string)
+ */
+declare function isOriginAllowed(origin: string | undefined): origin is string;
+/**
+ * CORS configuration for auth routes (Better Auth, session endpoints)
+ */
+declare const authCorsConfig: CorsOptions;
+/**
+ * CORS configuration for playground routes
+ */
+declare const playgroundCorsConfig: CorsOptions;
+/**
+ * CORS configuration for default API routes
+ */
+declare const defaultCorsConfig: CorsOptions;
+//#endregion
+export { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig };

package/dist/utils/cors.js

@@ -0,0 +1,98 @@
+import { env } from "../env.js";
+
+//#region src/utils/cors.ts
+/**
+* Extract the base domain from a hostname (e.g., 'app.preview.inkeep.com' -> 'preview.inkeep.com')
+* For hostnames with 3+ parts, returns the last 3 parts (subdomain.domain.tld)
+* For hostnames with 2 parts, returns as-is (domain.tld)
+*/
+function getBaseDomain(hostname) {
+	const parts = hostname.split(".");
+	if (parts.length >= 3) return parts.slice(-3).join(".");
+	return hostname;
+}
+/**
+* Check if a request origin is allowed for CORS
+*
+* Development: Allow any localhost origin
+* Production/Preview: Allow the specific UI URL, or any subdomain of the same base domain
+*
+* @returns true if origin is allowed (also narrows type to string)
+*/
+function isOriginAllowed(origin) {
+	if (!origin) return false;
+	try {
+		const requestUrl = new URL(origin);
+		const apiUrl = new URL(env.INKEEP_AGENTS_MANAGE_API_URL || "http://localhost:3002");
+		const uiUrl = env.INKEEP_AGENTS_MANAGE_UI_URL ? new URL(env.INKEEP_AGENTS_MANAGE_UI_URL) : null;
+		if (apiUrl.hostname === "localhost" || apiUrl.hostname === "127.0.0.1") return requestUrl.hostname === "localhost" || requestUrl.hostname === "127.0.0.1";
+		if (uiUrl && requestUrl.hostname === uiUrl.hostname) return true;
+		if (getBaseDomain(requestUrl.hostname) === getBaseDomain(apiUrl.hostname)) return true;
+		return false;
+	} catch {
+		return false;
+	}
+}
+/**
+* Origin handler for CORS middleware
+*/
+const originHandler = (origin) => isOriginAllowed(origin) ? origin : null;
+/**
+* CORS configuration for auth routes (Better Auth, session endpoints)
+*/
+const authCorsConfig = {
+	origin: originHandler,
+	allowHeaders: [
+		"content-type",
+		"Content-Type",
+		"authorization",
+		"Authorization",
+		"User-Agent"
+	],
+	allowMethods: [
+		"POST",
+		"GET",
+		"OPTIONS"
+	],
+	exposeHeaders: ["Content-Length"],
+	maxAge: 600,
+	credentials: true
+};
+/**
+* CORS configuration for playground routes
+*/
+const playgroundCorsConfig = {
+	origin: originHandler,
+	allowHeaders: [
+		"content-type",
+		"Content-Type",
+		"authorization",
+		"Authorization",
+		"User-Agent"
+	],
+	allowMethods: ["POST", "OPTIONS"],
+	exposeHeaders: ["Content-Length"],
+	maxAge: 600,
+	credentials: true
+};
+/**
+* CORS configuration for default API routes
+*/
+const defaultCorsConfig = {
+	origin: originHandler,
+	allowMethods: [
+		"GET",
+		"POST",
+		"PUT",
+		"DELETE",
+		"OPTIONS",
+		"PATCH"
+	],
+	allowHeaders: ["*"],
+	exposeHeaders: ["Content-Length"],
+	maxAge: 86400,
+	credentials: true
+};
+
+//#endregion
+export { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig };

package/dist/utils/oauth-service.d.ts

@@ -0,0 +1,71 @@
+import { McpTokenExchangeResult } from "@inkeep/agents-core";
+
+//#region src/utils/oauth-service.d.ts
+
+/**
+ * Retrieve and remove PKCE verifier
+ */
+declare function retrievePKCEVerifier(state: string): {
+  codeVerifier: string;
+  toolId: string;
+  tenantId: string;
+  projectId: string;
+  clientInformation: any;
+  metadata: any;
+  resourceUrl?: string;
+} | null;
+/**
+ * OAuth client configuration
+ */
+interface OAuthClientConfig {
+  defaultClientId?: string;
+  clientName?: string;
+  clientUri?: string;
+  logoUri?: string;
+  redirectBaseUrl?: string;
+}
+/**
+ * OAuth flow initiation result
+ */
+interface OAuthInitiationResult {
+  redirectUrl: string;
+  state: string;
+}
+/**
+ * Token exchange result
+ */
+interface TokenExchangeResult {
+  tokens: McpTokenExchangeResult;
+}
+/**
+ * OAuth service class that handles the complete OAuth flow
+ */
+declare class OAuthService {
+  private defaultConfig;
+  constructor(config?: OAuthClientConfig);
+  /**
+   * Initiate OAuth flow for an MCP tool using MCP SDK
+   */
+  initiateOAuthFlow(params: {
+    tenantId: string;
+    projectId: string;
+    toolId: string;
+    mcpServerUrl: string;
+    baseUrl?: string;
+  }): Promise<OAuthInitiationResult>;
+  /**
+   * Exchange authorization code for access tokens using MCP SDK with stored metadata
+   */
+  exchangeCodeForTokens(params: {
+    code: string;
+    codeVerifier: string;
+    clientInformation: any;
+    metadata: any;
+    resourceUrl?: string;
+    mcpServerUrl: string;
+    baseUrl?: string;
+  }): Promise<TokenExchangeResult>;
+}
+declare const oauthService: OAuthService;
+//#endregion
+export { oauthService, retrievePKCEVerifier };

package/dist/utils/oauth-service.js

@@ -0,0 +1,106 @@
+import { env } from "../env.js";
+import { getLogger as getLogger$1 } from "../logger.js";
+import { exchangeMcpAuthorizationCode, initiateMcpOAuthFlow } from "@inkeep/agents-core";
+
+//#region src/utils/oauth-service.ts
+const logger = getLogger$1("oauth-service");
+const pkceStore = /* @__PURE__ */ new Map();
+/**
+* Store PKCE verifier and OAuth metadata for later use in token exchange
+*/
+function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientInformation, metadata, resourceUrl) {
+	pkceStore.set(state, {
+		codeVerifier,
+		toolId,
+		tenantId,
+		projectId,
+		clientInformation,
+		metadata,
+		resourceUrl
+	});
+	setTimeout(() => {
+		pkceStore.delete(state);
+	}, 600 * 1e3);
+}
+/**
+* Retrieve and remove PKCE verifier
+*/
+function retrievePKCEVerifier(state) {
+	const data = pkceStore.get(state);
+	if (data) {
+		pkceStore.delete(state);
+		return data;
+	}
+	return null;
+}
+/**
+* OAuth service class that handles the complete OAuth flow
+*/
+var OAuthService = class {
+	defaultConfig;
+	constructor(config = {}) {
+		this.defaultConfig = {
+			defaultClientId: config.defaultClientId || process.env.DEFAULT_OAUTH_CLIENT_ID || "mcp-client",
+			clientName: config.clientName || process.env.OAUTH_CLIENT_NAME || "Inkeep Agent Framework",
+			clientUri: config.clientUri || process.env.OAUTH_CLIENT_URI || "https://inkeep.com",
+			logoUri: config.logoUri || process.env.OAUTH_CLIENT_LOGO_URI || "https://inkeep.com/images/logos/inkeep-logo-blue.svg",
+			redirectBaseUrl: config.redirectBaseUrl || env.INKEEP_AGENTS_MANAGE_API_URL
+		};
+	}
+	/**
+	* Initiate OAuth flow for an MCP tool using MCP SDK
+	*/
+	async initiateOAuthFlow(params) {
+		const { tenantId, projectId, toolId, mcpServerUrl, baseUrl } = params;
+		const redirectUri = `${baseUrl || this.defaultConfig.redirectBaseUrl}/oauth/callback`;
+		const state = `tool_${toolId}`;
+		const authResult = await initiateMcpOAuthFlow({
+			mcpServerUrl,
+			redirectUri,
+			state,
+			clientName: this.defaultConfig.clientName,
+			clientUri: this.defaultConfig.clientUri,
+			logoUri: this.defaultConfig.logoUri,
+			defaultClientId: this.defaultConfig.defaultClientId,
+			logger
+		});
+		storePKCEVerifier(state, authResult.codeVerifier, toolId, tenantId, projectId, authResult.clientInformation, authResult.metadata, authResult.resourceUrl);
+		logger.info({
+			toolId,
+			authorizationUrl: authResult.authorizationUrl,
+			tenantId,
+			projectId,
+			scopes: authResult.scopes
+		}, "MCP OAuth flow initiated successfully");
+		return {
+			redirectUrl: authResult.authorizationUrl,
+			state
+		};
+	}
+	/**
+	* Exchange authorization code for access tokens using MCP SDK with stored metadata
+	*/
+	async exchangeCodeForTokens(params) {
+		const { code, codeVerifier, clientInformation, metadata, resourceUrl, mcpServerUrl, baseUrl } = params;
+		const tokens = await exchangeMcpAuthorizationCode({
+			mcpServerUrl,
+			metadata,
+			clientInformation,
+			authorizationCode: code,
+			codeVerifier,
+			redirectUri: `${baseUrl || this.defaultConfig.redirectBaseUrl}/oauth/callback`,
+			resourceUrl,
+			logger
+		});
+		logger.info({
+			tokenType: tokens.token_type,
+			hasRefreshToken: !!tokens.refresh_token,
+			clientId: clientInformation.client_id
+		}, "MCP token exchange successful");
+		return { tokens };
+	}
+};
+const oauthService = new OAuthService();
+
+//#endregion
+export { oauthService, retrievePKCEVerifier };

package/dist/utils/signoz-helpers.d.ts

@@ -0,0 +1,9 @@
+//#region src/utils/signoz-helpers.d.ts
+/**
+ * Helper function to enforce projectId filter on SigNoz queries.
+ * This modifies the query payload to ensure all builder queries include
+ * a server-side project.id filter, preventing client-side filter bypass.
+ */
+declare function enforceProjectFilter(payload: any, projectId: string): any;
+//#endregion
+export { enforceProjectFilter };

package/dist/utils/signoz-helpers.js

@@ -0,0 +1,33 @@
+//#region src/utils/signoz-helpers.ts
+/**
+* Helper function to enforce projectId filter on SigNoz queries.
+* This modifies the query payload to ensure all builder queries include
+* a server-side project.id filter, preventing client-side filter bypass.
+*/
+function enforceProjectFilter(payload, projectId) {
+	const modifiedPayload = JSON.parse(JSON.stringify(payload));
+	if (modifiedPayload.compositeQuery?.builderQueries) for (const queryKey in modifiedPayload.compositeQuery.builderQueries) {
+		const query = modifiedPayload.compositeQuery.builderQueries[queryKey];
+		if (!query.filters) query.filters = {
+			op: "AND",
+			items: []
+		};
+		query.filters.items = query.filters.items.filter((item) => item.key?.key !== "project.id");
+		query.filters.items.push({
+			key: {
+				key: "project.id",
+				dataType: "string",
+				type: "tag",
+				isColumn: false,
+				isJSON: false,
+				id: "false"
+			},
+			op: "=",
+			value: projectId
+		});
+	}
+	return modifiedPayload;
+}
+
+//#endregion
+export { enforceProjectFilter };

package/dist/utils/temp-api-keys.d.ts

@@ -0,0 +1,17 @@
+import { DatabaseClient } from "@inkeep/agents-core";
+
+//#region src/utils/temp-api-keys.d.ts
+interface CreateTempApiKeyParams {
+  tenantId: string;
+  projectId: string;
+  agentId: string;
+  userId: string;
+  expiryHours?: number;
+}
+interface TempApiKeyResult {
+  apiKey: string;
+  expiresAt: string;
+}
+declare function createTempApiKey(db: DatabaseClient, params: CreateTempApiKeyParams): Promise<TempApiKeyResult>;
+//#endregion
+export { CreateTempApiKeyParams, TempApiKeyResult, createTempApiKey };

package/dist/utils/temp-api-keys.js

@@ -0,0 +1,26 @@
+import { createApiKey, generateApiKey } from "@inkeep/agents-core";
+
+//#region src/utils/temp-api-keys.ts
+async function createTempApiKey(db, params) {
+	const expiryHours = params.expiryHours || 1;
+	const expiresAt = new Date(Date.now() + expiryHours * 60 * 60 * 1e3);
+	const keyData = await generateApiKey();
+	await createApiKey(db)({
+		id: keyData.id,
+		publicId: keyData.publicId,
+		keyHash: keyData.keyHash,
+		keyPrefix: keyData.keyPrefix,
+		name: `playground-temp-${params.userId}`,
+		tenantId: params.tenantId,
+		projectId: params.projectId,
+		agentId: params.agentId,
+		expiresAt: expiresAt.toISOString()
+	});
+	return {
+		apiKey: keyData.key,
+		expiresAt: expiresAt.toISOString()
+	};
+}
+
+//#endregion
+export { createTempApiKey };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-manage-api",
-  "version": "0.39.4",
+  "version": "0.40.0",
   "description": "Agents Manage API for Inkeep Agent Framework - handles CRUD operations and OAuth",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -17,24 +17,19 @@
   },
   "type": "module",
   "dependencies": {
+    "@electric-sql/pglite": "^0.3.13",
     "@hono/mcp": "^0.1.5",
-    "@composio/core": "^0.2.4",
-    "@hono/node-server": "^1.14.3",
     "@hono/swagger-ui": "^0.5.1",
-    "@modelcontextprotocol/sdk": "^1.17.0",
-    "@nangohq/node": "^0.69.5",
-    "@nangohq/types": "^0.69.5",
+    "@modelcontextprotocol/sdk": "1.24.3",
     "axios": "^1.7.9",
-    "dotenv": "^17.2.1",
     "drizzle-orm": "^0.44.4",
     "hono": "^4.10.4",
     "hono-pino": "^0.10.1",
-    "jose": "^6.1.0",
     "nanoid": "^5.1.5",
     "openid-client": "^6.6.4",
     "pino": "^9.7.0",
-    "@inkeep/agents-core": "^0.39.4",
-    "@inkeep/agents-manage-mcp": "^0.39.4"
+    "@inkeep/agents-core": "^0.40.0",
+    "@inkeep/agents-manage-mcp": "^0.40.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",
@@ -44,12 +39,9 @@
     "keytar": "^7.9.0"
   },
   "devDependencies": {
-    "@electric-sql/pglite": "^0.3.13",
     "@hono/vite-dev-server": "^0.20.1",
     "@types/node": "^20.11.24",
     "@vitest/coverage-v8": "^3.2.4",
-    "nodemon": "^3.1.0",
-    "pino-pretty": "^13.0.0",
     "tsx": "^4.7.1",
     "typescript": "^5.3.3",
     "vite": "^7.1.11",
@@ -72,6 +64,7 @@
     "directory": "agents-manage-api"
   },
   "scripts": {
+    "knip": "knip --directory .. --workspace agents-manage-api --dependencies",
     "dev": "vite",
     "build": "tsdown",
     "start": "node dist/index.js",