@inkeep/agents-manage-api 0.39.4 → 0.40.0

package/dist/factory.js

@@ -1,4 +1,37 @@
-import { a as createManagementHono, i as initializeDefaultUser, n as createAuth0Provider, r as createOIDCProvider, t as createManagementApp } from "./factory2.js";
-import "./chunk-VBDAOXYI.js";
+import { env } from "./env.js";
+import dbClient_default from "./data/db/dbClient.js";
+import { createManagementHono } from "./create-app.js";
+import { initializeDefaultUser } from "./initialization.js";
+import { createAuth0Provider, createOIDCProvider } from "./sso-helpers.js";
+import { CredentialStoreRegistry, createDefaultCredentialStores } from "@inkeep/agents-core";
+import { createAuth } from "@inkeep/agents-core/auth";
 
+//#region src/factory.ts
+const defaultConfig = {
+	port: 3002,
+	serverOptions: {
+		requestTimeout: 6e4,
+		keepAliveTimeout: 6e4,
+		keepAlive: true
+	}
+};
+function createManagementAuth(userAuthConfig) {
+	if (env.DISABLE_AUTH) return null;
+	return createAuth({
+		baseURL: env.INKEEP_AGENTS_MANAGE_API_URL || "http://localhost:3002",
+		secret: env.BETTER_AUTH_SECRET || "development-secret-change-in-production",
+		dbClient: dbClient_default,
+		...userAuthConfig?.ssoProviders && { ssoProviders: userAuthConfig.ssoProviders },
+		...userAuthConfig?.socialProviders && { socialProviders: userAuthConfig.socialProviders }
+	});
+}
+function createManagementApp(config) {
+	const serverConfig = config?.serverConfig ?? defaultConfig;
+	const registry = new CredentialStoreRegistry(config?.credentialStores ?? createDefaultCredentialStores());
+	const auth$1 = createManagementAuth(config?.auth);
+	if (!config?.skipInitialization && env.ENVIRONMENT !== "test") initializeDefaultUser(auth$1);
+	return createManagementHono(serverConfig, registry, auth$1);
+}
+
+//#endregion
 export { createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, initializeDefaultUser };

package/dist/index.d.ts

@@ -1,4 +1,7 @@
-import { a as createOIDCProvider, i as createAuth0Provider, n as UserAuthConfig, o as initializeDefaultUser, r as createManagementApp, s as createManagementHono, t as SSOProviderConfig } from "./factory2.js";
+import { createManagementHono } from "./create-app.js";
+import { initializeDefaultUser } from "./initialization.js";
+import { createAuth0Provider, createOIDCProvider } from "./sso-helpers.js";
+import { SSOProviderConfig, UserAuthConfig, createManagementApp } from "./factory.js";
 import { Hono } from "hono";
 import * as better_auth0 from "better-auth";
 import * as better_auth_social_providers0 from "better-auth/social-providers";
@@ -19,7 +22,51 @@ declare const auth: better_auth0.Auth<{
     autoSignIn: true;
   };
   socialProviders: {
-    google: better_auth_social_providers0.GoogleOptions;
+    google: {
+      redirectURI?: string | undefined;
+      clientId: string;
+      accessType?: ("offline" | "online") | undefined;
+      display?: ("page" | "popup" | "touch" | "wap") | undefined;
+      hd?: string | undefined;
+      clientSecret?: string | undefined;
+      scope?: string[] | undefined;
+      disableDefaultScope?: boolean | undefined;
+      clientKey?: string | undefined;
+      disableIdTokenSignIn?: boolean | undefined;
+      verifyIdToken?: ((token: string, nonce?: string) => Promise<boolean>) | undefined;
+      getUserInfo?: ((token: better_auth0.OAuth2Tokens) => Promise<{
+        user: {
+          id: string;
+          name?: string;
+          email?: string | null;
+          image?: string;
+          emailVerified: boolean;
+          [key: string]: any;
+        };
+        data: any;
+      }>) | undefined;
+      refreshAccessToken?: ((refreshToken: string) => Promise<better_auth0.OAuth2Tokens>) | undefined;
+      mapProfileToUser?: ((profile: better_auth_social_providers0.GoogleProfile) => {
+        id?: string;
+        name?: string;
+        email?: string | null;
+        image?: string;
+        emailVerified?: boolean;
+        [key: string]: any;
+      } | Promise<{
+        id?: string;
+        name?: string;
+        email?: string | null;
+        image?: string;
+        emailVerified?: boolean;
+        [key: string]: any;
+      }>) | undefined;
+      disableImplicitSignUp?: boolean | undefined;
+      disableSignUp?: boolean | undefined;
+      prompt?: ("select_account" | "consent" | "login" | "none" | "select_account consent") | undefined;
+      responseMode?: ("query" | "form_post") | undefined;
+      overrideUserInfoOnSignIn?: boolean | undefined;
+    };
   } | undefined;
   session: {
     expiresIn: number;
@@ -660,6 +707,57 @@ declare const auth: better_auth0.Auth<{
         enabled: true;
       };
     };
+  }, {
+    id: "oauth-proxy";
+    options: better_auth_plugins0.OAuthProxyOptions | undefined;
+    endpoints: {
+      oAuthProxy: better_auth0.StrictEndpoint<"/oauth-proxy-callback", {
+        method: "GET";
+        operationId: string;
+        query: zod0.ZodObject<{
+          callbackURL: zod0.ZodString;
+          cookies: zod0.ZodString;
+        }, better_auth0.$strip>;
+        use: ((inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>)[];
+        metadata: {
+          openapi: {
+            operationId: string;
+            description: string;
+            parameters: {
+              in: "query";
+              name: string;
+              required: true;
+              description: string;
+            }[];
+            responses: {
+              302: {
+                description: string;
+                headers: {
+                  Location: {
+                    description: string;
+                    schema: {
+                      type: string;
+                    };
+                  };
+                };
+              };
+            };
+          };
+        };
+      } & {
+        use: any[];
+      }, never>;
+    };
+    hooks: {
+      before: {
+        matcher(context: better_auth0.HookEndpointContext): boolean;
+        handler: (inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>;
+      }[];
+      after: {
+        matcher(context: better_auth0.HookEndpointContext): boolean;
+        handler: (inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>;
+      }[];
+    };
   }, {
     id: "organization";
     endpoints: better_auth_plugins0.OrganizationEndpoints<{
@@ -667,25 +765,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -946,25 +1044,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -1327,5 +1425,4 @@ declare const auth: better_auth0.Auth<{
 }> | null;
 declare const app: Hono;
 //#endregion
-export { Hono, type SSOProviderConfig, type UserAuthConfig, auth, createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, app as default, initializeDefaultUser };
-//# sourceMappingURL=index.d.ts.map
+export { Hono, type SSOProviderConfig, type UserAuthConfig, auth, createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, app as default, initializeDefaultUser };

package/dist/index.js

@@ -1,8 +1,12 @@
-import { a as createManagementHono, i as initializeDefaultUser, n as createAuth0Provider, o as dbClient_default, r as createOIDCProvider, s as env, t as createManagementApp } from "./factory2.js";
-import "./chunk-VBDAOXYI.js";
+import { env } from "./env.js";
+import dbClient_default from "./data/db/dbClient.js";
+import { createManagementHono } from "./create-app.js";
+import { initializeDefaultUser } from "./initialization.js";
+import { createAuth0Provider, createOIDCProvider } from "./sso-helpers.js";
+import { createManagementApp } from "./factory.js";
+import { Hono } from "hono";
 import { CredentialStoreRegistry, createDefaultCredentialStores } from "@inkeep/agents-core";
 import { createAuth } from "@inkeep/agents-core/auth";
-import { Hono } from "hono";
 
 //#region src/index.ts
 const defaultConfig = {
@@ -44,5 +48,4 @@ if (env.ENVIRONMENT === "development") initializeDefaultUser(auth);
 var src_default = app;
 
 //#endregion
-export { Hono, auth, createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, src_default as default, initializeDefaultUser };
-//# sourceMappingURL=index.js.map
+export { Hono, auth, createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, src_default as default, initializeDefaultUser };

package/dist/initialization.d.ts

@@ -0,0 +1,6 @@
+import { createAuth } from "@inkeep/agents-core/auth";
+
+//#region src/initialization.d.ts
+declare function initializeDefaultUser(authInstance?: ReturnType<typeof createAuth> | null): Promise<void>;
+//#endregion
+export { initializeDefaultUser };

package/dist/initialization.js

@@ -0,0 +1,79 @@
+import { env } from "./env.js";
+import { getLogger as getLogger$1 } from "./logger.js";
+import dbClient_default from "./data/db/dbClient.js";
+import { generateId, getUserByEmail, member, organization } from "@inkeep/agents-core";
+import { and, eq } from "drizzle-orm";
+
+//#region src/initialization.ts
+const logger = getLogger$1("initialization");
+async function initializeDefaultUser(authInstance) {
+	const { INKEEP_AGENTS_MANAGE_UI_USERNAME, INKEEP_AGENTS_MANAGE_UI_PASSWORD, DISABLE_AUTH } = env;
+	const hasCredentials = INKEEP_AGENTS_MANAGE_UI_USERNAME && INKEEP_AGENTS_MANAGE_UI_PASSWORD;
+	const orgId = env.TENANT_ID;
+	if ((await dbClient_default.select().from(organization).where(eq(organization.id, orgId)).limit(1)).length === 0) {
+		await dbClient_default.insert(organization).values({
+			id: orgId,
+			name: env.TENANT_ID,
+			slug: env.TENANT_ID,
+			createdAt: /* @__PURE__ */ new Date(),
+			logo: null,
+			metadata: null
+		});
+		logger.info({ organizationId: orgId }, "Created default organization");
+	} else logger.info({ organizationId: orgId }, "Organization already exists");
+	if (!hasCredentials || DISABLE_AUTH || !authInstance) {
+		logger.info({ hasCredentials: false }, "Skipping default user creation");
+		return;
+	}
+	try {
+		let user = await getUserByEmail(dbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
+		if (user) logger.info({
+			email: INKEEP_AGENTS_MANAGE_UI_USERNAME,
+			userId: user.id
+		}, "Default user already exists");
+		else {
+			logger.info({ email: INKEEP_AGENTS_MANAGE_UI_USERNAME }, "Creating default user with Better Auth...");
+			if (!(await authInstance.api.signUpEmail({ body: {
+				email: INKEEP_AGENTS_MANAGE_UI_USERNAME,
+				password: INKEEP_AGENTS_MANAGE_UI_PASSWORD,
+				name: INKEEP_AGENTS_MANAGE_UI_USERNAME.split("@")[0]
+			} })).user) throw new Error("signUpEmail returned no user");
+			user = await getUserByEmail(dbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
+			if (!user) throw new Error("User was created but could not be retrieved from database");
+			logger.info({
+				email: user.email,
+				id: user.id
+			}, "Default user created from INKEEP_AGENTS_MANAGE_UI_USERNAME/INKEEP_AGENTS_MANAGE_UI_PASSWORD");
+		}
+		if ((await dbClient_default.select().from(member).where(and(eq(member.userId, user.id), eq(member.organizationId, orgId))).limit(1)).length === 0) {
+			await dbClient_default.insert(member).values({
+				id: generateId(),
+				userId: user.id,
+				organizationId: orgId,
+				role: "owner",
+				createdAt: /* @__PURE__ */ new Date()
+			});
+			logger.info({
+				userId: user.id,
+				organizationId: orgId
+			}, "Added user as organization owner");
+		} else logger.info({
+			userId: user.id,
+			organizationId: orgId
+		}, "User already a member of organization");
+		logger.info({
+			organizationId: orgId,
+			organizationSlug: env.TENANT_ID,
+			userId: user.id,
+			email: INKEEP_AGENTS_MANAGE_UI_USERNAME
+		}, "✅ Initialization complete - login with these credentials");
+	} catch (error) {
+		logger.error({
+			error,
+			email: INKEEP_AGENTS_MANAGE_UI_USERNAME
+		}, "❌ Failed to create default user");
+	}
+}
+
+//#endregion
+export { initializeDefaultUser };

package/dist/logger.d.ts

@@ -0,0 +1,2 @@
+import { getLogger } from "@inkeep/agents-core";
+export { getLogger };

package/dist/logger.js

@@ -0,0 +1,3 @@
+import { getLogger } from "@inkeep/agents-core";
+
+export { getLogger };

package/dist/middleware/auth.d.ts

@@ -0,0 +1,24 @@
+import * as hono2 from "hono";
+import { ExecutionContext } from "@inkeep/agents-core";
+import { createAuth } from "@inkeep/agents-core/auth";
+
+//#region src/middleware/auth.d.ts
+
+/**
+ * Middleware to authenticate API requests using Bearer token authentication
+ * Authentication priority:
+ * 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
+ * 2. Better-auth session token (from device authorization flow)
+ * 3. Database API key
+ */
+declare const apiKeyAuth: () => hono2.MiddlewareHandler<{
+  Variables: {
+    executionContext: ExecutionContext;
+    userId?: string;
+    userEmail?: string;
+    tenantId?: string;
+    auth: ReturnType<typeof createAuth> | null;
+  };
+}, string, {}, Response>;
+//#endregion
+export { apiKeyAuth };

package/dist/middleware/auth.js

@@ -0,0 +1,55 @@
+import { env } from "../env.js";
+import dbClient_default from "../data/db/dbClient.js";
+import { getLogger, validateAndGetApiKey } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+import { HTTPException } from "hono/http-exception";
+
+//#region src/middleware/auth.ts
+const logger = getLogger("env-key-auth");
+/**
+* Middleware to authenticate API requests using Bearer token authentication
+* Authentication priority:
+* 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
+* 2. Better-auth session token (from device authorization flow)
+* 3. Database API key
+*/
+const apiKeyAuth = () => createMiddleware(async (c, next) => {
+	const authHeader = c.req.header("Authorization");
+	if (!authHeader || !authHeader.startsWith("Bearer ")) throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
+	const token = authHeader.substring(7);
+	if (env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET && token === env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET) {
+		logger.info({}, "Bypass secret authenticated successfully");
+		c.set("userId", "system");
+		c.set("userEmail", "system@internal");
+		await next();
+		return;
+	}
+	const auth = c.get("auth");
+	if (auth) try {
+		const headers = new Headers();
+		headers.set("Authorization", authHeader);
+		const session = await auth.api.getSession({ headers });
+		if (session?.user) {
+			logger.info({ userId: session.user.id }, "Better-auth session authenticated successfully");
+			c.set("userId", session.user.id);
+			c.set("userEmail", session.user.email);
+			await next();
+			return;
+		}
+	} catch (error) {
+		logger.debug({ error }, "Better-auth session validation failed, trying API key");
+	}
+	const validatedKey = await validateAndGetApiKey(token, dbClient_default);
+	if (validatedKey) {
+		logger.info({ keyId: validatedKey.id }, "API key authenticated successfully");
+		c.set("userId", `apikey:${validatedKey.id}`);
+		c.set("userEmail", `apikey-${validatedKey.id}@internal`);
+		c.set("tenantId", validatedKey.tenantId);
+		await next();
+		return;
+	}
+	throw new HTTPException(401, { message: "Invalid Token" });
+});
+
+//#endregion
+export { apiKeyAuth };

package/dist/middleware/error-handler.d.ts

@@ -0,0 +1,12 @@
+import { Context } from "hono";
+
+//#region src/middleware/error-handler.d.ts
+
+/**
+ * Global error handler for the Hono application
+ * Handles Zod validation errors, HTTP exceptions, and unexpected errors
+ * Returns RFC 7807 Problem Details format
+ */
+declare function errorHandler(err: Error, c: Context): Promise<Response>;
+//#endregion
+export { errorHandler };

package/dist/middleware/error-handler.js

@@ -0,0 +1,88 @@
+import { getLogger as getLogger$1 } from "../logger.js";
+import { handleApiError } from "@inkeep/agents-core";
+import { HTTPException } from "hono/http-exception";
+
+//#region src/middleware/error-handler.ts
+const logger = getLogger$1("error-handler");
+/**
+* Extract Zod validation issues from an error object
+*/
+function extractZodIssues(err) {
+	if (err && typeof err === "object") {
+		if ("cause" in err && err.cause && typeof err.cause === "object" && "issues" in err.cause) {
+			const issues = err.cause.issues;
+			if (Array.isArray(issues)) return issues;
+		}
+		if ("issues" in err && Array.isArray(err.issues)) return err.issues;
+	}
+}
+/**
+* Format Zod validation errors into RFC 7807 problem detail format
+*/
+function formatZodValidationError(c, zodIssues) {
+	c.status(400);
+	c.header("Content-Type", "application/problem+json");
+	c.header("X-Content-Type-Options", "nosniff");
+	return c.json({
+		type: "https://docs.inkeep.com/agents-api/errors#bad_request",
+		title: "Validation Failed",
+		status: 400,
+		detail: "Request validation failed",
+		errors: zodIssues.map((issue) => ({
+			detail: issue.message,
+			pointer: issue.path ? `/${issue.path.join("/")}` : void 0,
+			name: issue.path ? issue.path.join(".") : void 0,
+			reason: issue.message
+		}))
+	});
+}
+/**
+* Log server errors with appropriate context
+*/
+function logServerError(err, path, requestId, status, isExpectedError) {
+	if (!isExpectedError) {
+		const errorMessage = err instanceof Error ? err.message : String(err);
+		const errorStack = err instanceof Error ? err.stack : void 0;
+		logger.error({
+			error: err,
+			message: errorMessage,
+			stack: errorStack,
+			path,
+			requestId
+		}, "Unexpected server error occurred");
+	} else logger.error({
+		error: err,
+		path,
+		requestId,
+		status
+	}, "Server error occurred");
+}
+/**
+* Global error handler for the Hono application
+* Handles Zod validation errors, HTTP exceptions, and unexpected errors
+* Returns RFC 7807 Problem Details format
+*/
+async function errorHandler(err, c) {
+	const isExpectedError = err instanceof HTTPException;
+	const status = isExpectedError ? err.status : 500;
+	const requestId = c.get("requestId") || "unknown";
+	const zodIssues = extractZodIssues(err);
+	if (status === 400 && zodIssues) return formatZodValidationError(c, zodIssues);
+	if (status >= 500) logServerError(err, c.req.path, requestId, status, isExpectedError);
+	const errorResponse = await handleApiError(err, requestId);
+	c.status(errorResponse.status);
+	const responseBody = {
+		...errorResponse.code && { code: errorResponse.code },
+		title: errorResponse.title,
+		status: errorResponse.status,
+		detail: errorResponse.detail,
+		...errorResponse.instance && { instance: errorResponse.instance },
+		...errorResponse.error && { error: errorResponse.error }
+	};
+	c.header("Content-Type", "application/problem+json");
+	c.header("X-Content-Type-Options", "nosniff");
+	return c.body(JSON.stringify(responseBody));
+}
+
+//#endregion
+export { errorHandler };

package/dist/middleware/require-permission.d.ts

@@ -0,0 +1,19 @@
+import * as hono4 from "hono";
+import { createAuth } from "@inkeep/agents-core/auth";
+
+//#region src/middleware/require-permission.d.ts
+type Permission = {
+  [resource: string]: string | string[];
+};
+type MinimalAuthVariables = {
+  Variables: {
+    auth: ReturnType<typeof createAuth> | null;
+    userId: string;
+    userEmail: string;
+    tenantId: string;
+    tenantRole: string;
+  };
+};
+declare const requirePermission: <Env$1 extends MinimalAuthVariables = MinimalAuthVariables>(permissions: Permission) => hono4.MiddlewareHandler<Env$1, string, {}, Response>;
+//#endregion
+export { requirePermission };