@inkeep/agents-manage-api 0.39.4 → 0.40.0

package/dist/routes/oauth.js

@@ -0,0 +1,314 @@
+import { getLogger as getLogger$1 } from "../logger.js";
+import dbClient_default from "../data/db/dbClient.js";
+import { oauthService, retrievePKCEVerifier } from "../utils/oauth-service.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { CredentialReferenceApiSelectSchema, CredentialStoreType, OAuthCallbackQuerySchema, OAuthLoginQuerySchema, createCredentialReference, generateId, getCredentialReferenceWithResources, getToolById, updateTool } from "@inkeep/agents-core";
+
+//#region src/routes/oauth.ts
+/**
+* OAuth Callback Handler
+*
+* Handles OAuth 2.1 authorization code flows for MCP tools:
+* - Processes authorization codes from OAuth providers
+* - Exchanges codes for access tokens using PKCE
+* - Stores credentials in Keychain
+* - Updates MCP tool status
+* - Redirects users back to frontend
+*/
+/**
+* Find existing credential or create a new one (idempotent operation)
+*/
+async function findOrCreateCredential(tenantId, projectId, credentialData) {
+	try {
+		const existingCredential = await getCredentialReferenceWithResources(dbClient_default)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			id: credentialData.id
+		});
+		if (existingCredential) return CredentialReferenceApiSelectSchema.parse(existingCredential);
+	} catch {}
+	try {
+		const credential = await createCredentialReference(dbClient_default)({
+			...credentialData,
+			tenantId,
+			projectId
+		});
+		return CredentialReferenceApiSelectSchema.parse(credential);
+	} catch (error) {
+		console.error("Failed to save credential to database:", error);
+		throw new Error(`Failed to save credential '${credentialData.id}' to database`);
+	}
+}
+const app = new OpenAPIHono();
+const logger = getLogger$1("oauth-callback");
+/**
+* Extract base URL from request context
+*/
+function getBaseUrlFromRequest(c) {
+	const url = new URL(c.req.url);
+	return `${url.protocol}//${url.host}`;
+}
+/**
+* Generate OAuth callback HTML page
+*/
+function generateOAuthCallbackPage(params) {
+	const { title, message, isSuccess } = params;
+	return `
+    <!DOCTYPE html>
+    <html>
+    <head>
+      <title>${title}</title>
+      <meta charset="utf-8">
+      <style>
+        body {
+          background-color: #000;
+          color: #fff;
+          font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+          display: flex;
+          align-items: center;
+          justify-content: center;
+          height: 100vh;
+          margin: 0;
+          text-align: center;
+        }
+        .container {
+          max-width: 400px;
+          padding: 2rem;
+        }
+        .title {
+          font-size: 1.2rem;
+          margin-bottom: 1rem;
+        }
+        .message {
+          color: #ccc;
+          line-height: 1.5;
+        }
+        .countdown {
+          margin-top: 1rem;
+          font-size: 0.9rem;
+        }
+      </style>
+    </head>
+    <body>
+      <div class="container">
+        <div class="title">${title}</div>
+        <div class="message">${message}</div>
+        <div class="message countdown">
+          ${isSuccess ? "Closing automatically..." : ""}
+        </div>
+      </div>
+      <script>
+        ${isSuccess && `
+        // Success: Send PostMessage then auto-close
+        if (window.opener) {
+          try {
+            window.opener.postMessage({
+              type: 'oauth-success',
+              timestamp: Date.now()
+            }, '*');
+          } catch (error) {
+            console.error('PostMessage failed:', error);
+          }
+        }
+        
+        // Auto-close after brief delay
+        setTimeout(() => {
+          window.close();
+        }, 1000);
+          `}
+      <\/script>
+    </body>
+    </html>
+  `;
+}
+app.openapi(createRoute({
+	method: "get",
+	path: "/login",
+	summary: "Initiate OAuth login for MCP tool",
+	description: "Detects OAuth requirements and redirects to authorization server (public endpoint)",
+	operationId: "initiate-oauth-login-public",
+	tags: ["OAuth"],
+	request: { query: OAuthLoginQuerySchema },
+	responses: {
+		302: { description: "Redirect to OAuth authorization server" },
+		400: {
+			description: "OAuth not supported or configuration error",
+			content: { "text/html": { schema: z.string() } }
+		},
+		404: {
+			description: "Tool not found",
+			content: { "text/html": { schema: z.string() } }
+		},
+		500: {
+			description: "Internal server error",
+			content: { "text/html": { schema: z.string() } }
+		}
+	}
+}), async (c) => {
+	const { tenantId, projectId, toolId } = c.req.valid("query");
+	try {
+		const tool = await getToolById(dbClient_default)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			toolId
+		});
+		if (!tool) {
+			logger.error({
+				toolId,
+				tenantId,
+				projectId
+			}, "Tool not found for OAuth login");
+			return c.text("Tool not found", 404);
+		}
+		const baseUrl = getBaseUrlFromRequest(c);
+		const { redirectUrl } = await oauthService.initiateOAuthFlow({
+			tenantId,
+			projectId,
+			toolId,
+			mcpServerUrl: tool.config.mcp.server.url,
+			baseUrl
+		});
+		return c.redirect(redirectUrl, 302);
+	} catch (error) {
+		logger.error({
+			toolId,
+			tenantId,
+			projectId,
+			error
+		}, "OAuth login failed");
+		const errorMessage = error instanceof Error ? error.message : "Failed to initiate OAuth login";
+		return c.text(`OAuth Error: ${errorMessage}`, 500);
+	}
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/callback",
+	summary: "MCP OAuth authorization callback",
+	description: "Handles OAuth authorization codes for MCP tools and completes the authentication flow",
+	operationId: "mcp-oauth-callback",
+	tags: ["OAuth"],
+	request: { query: OAuthCallbackQuerySchema },
+	responses: {
+		302: { description: "Redirect to frontend after successful OAuth" },
+		400: {
+			description: "OAuth error or invalid request",
+			content: { "text/html": { schema: z.string() } }
+		},
+		500: {
+			description: "Internal server error",
+			content: { "text/html": { schema: z.string() } }
+		}
+	}
+}), async (c) => {
+	try {
+		const { code, state, error, error_description } = c.req.valid("query");
+		logger.info({
+			state,
+			hasCode: !!code
+		}, "OAuth callback received");
+		if (error) {
+			logger.error({
+				error,
+				error_description
+			}, "OAuth authorization failed");
+			const errorPage = generateOAuthCallbackPage({
+				title: "Authentication Failed",
+				message: error_description || error || "OAuth Authorization Failed. Please try again.",
+				isSuccess: false
+			});
+			return c.html(errorPage);
+		}
+		const pkceData = retrievePKCEVerifier(state);
+		if (!pkceData) {
+			logger.error({ state }, "Invalid or expired OAuth state");
+			const expiredPage = generateOAuthCallbackPage({
+				title: "Session Expired",
+				message: "OAuth Session Expired: The OAuth session has expired or is invalid. Please try again.",
+				isSuccess: false
+			});
+			return c.html(expiredPage);
+		}
+		const { codeVerifier, toolId, tenantId, projectId, clientInformation, metadata, resourceUrl } = pkceData;
+		const tool = await getToolById(dbClient_default)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			toolId
+		});
+		if (!tool) throw new Error(`Tool ${toolId} not found`);
+		logger.info({
+			toolId,
+			tenantId,
+			projectId
+		}, "Processing OAuth callback");
+		logger.info({ toolId }, "Exchanging authorization code for access token");
+		const credentialStores = c.get("credentialStores");
+		const baseUrl = getBaseUrlFromRequest(c);
+		const { tokens } = await oauthService.exchangeCodeForTokens({
+			code,
+			codeVerifier,
+			clientInformation,
+			metadata,
+			resourceUrl,
+			mcpServerUrl: tool.config.mcp.server.url,
+			baseUrl
+		});
+		logger.info({
+			toolId,
+			tokenType: tokens.token_type,
+			hasRefresh: !!tokens.refresh_token
+		}, "Token exchange successful");
+		const credentialTokenKey = `oauth_token_${toolId}`;
+		let newCredentialData;
+		const keychainStore = credentialStores.get("keychain-default");
+		if (keychainStore) try {
+			await keychainStore.set(credentialTokenKey, JSON.stringify(tokens));
+			newCredentialData = {
+				id: generateId(),
+				name: tool.name,
+				type: CredentialStoreType.keychain,
+				credentialStoreId: "keychain-default",
+				retrievalParams: { key: credentialTokenKey }
+			};
+		} catch (error$1) {
+			logger.info({ error: error$1 instanceof Error ? error$1.message : error$1 }, "Keychain store not available.");
+		}
+		if (!newCredentialData) throw new Error("No credential store found");
+		const newCredential = await findOrCreateCredential(tenantId, projectId, newCredentialData);
+		await updateTool(dbClient_default)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			toolId,
+			data: { credentialReferenceId: newCredential.id }
+		});
+		logger.info({
+			toolId,
+			credentialId: newCredential.id
+		}, "OAuth flow completed successfully");
+		const successPage = generateOAuthCallbackPage({
+			title: "Authentication Complete",
+			message: "You have been successfully authenticated.",
+			isSuccess: true
+		});
+		return c.html(successPage);
+	} catch (error) {
+		logger.error({ error }, "OAuth callback processing failed");
+		const errorPage = generateOAuthCallbackPage({
+			title: "Processing Failed",
+			message: "OAuth Processing Failed. Please try again.",
+			isSuccess: false
+		});
+		return c.html(errorPage);
+	}
+});
+var oauth_default = app;
+
+//#endregion
+export { oauth_default as default };

package/dist/routes/playgroundToken.d.ts

@@ -0,0 +1,9 @@
+import { BaseAppVariables } from "../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/routes/playgroundToken.d.ts
+declare const app: OpenAPIHono<{
+  Variables: BaseAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/routes/playgroundToken.js

@@ -0,0 +1,108 @@
+import { env } from "../env.js";
+import { getLogger as getLogger$1 } from "../logger.js";
+import dbClient_default from "../data/db/dbClient.js";
+import { requirePermission } from "../middleware/require-permission.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { ErrorResponseSchema, TenantParamsSchema, createApiError, getAgentById, projectExists, signTempToken } from "@inkeep/agents-core";
+
+//#region src/routes/playgroundToken.ts
+const logger = getLogger$1("playgroundToken");
+const app = new OpenAPIHono();
+app.use("/", requirePermission({ agent: ["create"] }));
+const PlaygroundTokenRequestSchema = z.object({
+	projectId: z.string(),
+	agentId: z.string()
+});
+const PlaygroundTokenResponseSchema = z.object({
+	apiKey: z.string().describe("Temporary API key for playground use"),
+	expiresAt: z.string().describe("ISO 8601 timestamp when the key expires")
+});
+app.openapi(createRoute({
+	method: "post",
+	path: "/",
+	summary: "Generate temporary API key for playground",
+	operationId: "create-playground-token",
+	tags: ["Playground"],
+	description: "Generates a short-lived API key (1 hour expiry) for authenticated users to access the run-api from the playground",
+	security: [{ cookieAuth: [] }],
+	request: {
+		params: TenantParamsSchema,
+		body: { content: { "application/json": { schema: PlaygroundTokenRequestSchema } } }
+	},
+	responses: {
+		200: {
+			description: "Temporary API key generated successfully",
+			content: { "application/json": { schema: PlaygroundTokenResponseSchema } }
+		},
+		401: {
+			description: "Unauthorized - session required",
+			content: { "application/json": { schema: ErrorResponseSchema } }
+		}
+	}
+}), async (c) => {
+	const userId = c.get("userId");
+	const tenantId = c.get("tenantId");
+	const { projectId, agentId } = c.req.valid("json");
+	logger.info({
+		userId,
+		tenantId,
+		projectId,
+		agentId
+	}, "Generating temporary JWT token for playground");
+	if (!await projectExists(dbClient_default)({
+		tenantId,
+		projectId
+	})) {
+		logger.warn({
+			userId,
+			tenantId,
+			projectId
+		}, "Project not found or access denied");
+		throw createApiError({
+			code: "not_found",
+			message: "Project not found"
+		});
+	}
+	if (!await getAgentById(dbClient_default)({ scopes: {
+		tenantId,
+		projectId,
+		agentId
+	} })) {
+		logger.warn({
+			userId,
+			tenantId,
+			projectId,
+			agentId
+		}, "Agent not found or access denied");
+		throw createApiError({
+			code: "not_found",
+			message: "Agent not found"
+		});
+	}
+	if (!env.INKEEP_AGENTS_TEMP_JWT_PRIVATE_KEY) throw createApiError({
+		code: "internal_server_error",
+		message: "Temporary token signing not configured"
+	});
+	const result = await signTempToken(Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PRIVATE_KEY, "base64").toString("utf-8"), {
+		tenantId,
+		projectId,
+		agentId,
+		type: "temporary",
+		initiatedBy: {
+			type: "user",
+			id: userId
+		}
+	}, userId);
+	logger.info({
+		userId,
+		expiresAt: result.expiresAt
+	}, "Temporary JWT token generated");
+	return c.json({
+		apiKey: result.token,
+		expiresAt: result.expiresAt
+	}, 200);
+});
+var playgroundToken_default = app;
+
+//#endregion
+export { playgroundToken_default as default };

package/dist/routes/projectFull.d.ts

@@ -0,0 +1,9 @@
+import { BaseAppVariables } from "../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/routes/projectFull.d.ts
+declare const app: OpenAPIHono<{
+  Variables: BaseAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/routes/projectFull.js

@@ -0,0 +1,193 @@
+import { getLogger as getLogger$1 } from "../logger.js";
+import dbClient_default from "../data/db/dbClient.js";
+import { requirePermission } from "../middleware/require-permission.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { ErrorResponseSchema, FullProjectDefinitionResponse, FullProjectDefinitionSchema, TenantParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createFullProjectServerSide, deleteFullProject, getFullProject, updateFullProjectServerSide } from "@inkeep/agents-core";
+
+//#region src/routes/projectFull.ts
+const logger = getLogger$1("projectFull");
+const app = new OpenAPIHono();
+app.use("/project-full", async (c, next) => {
+	if (c.req.method === "POST") return requirePermission({ project: ["create"] })(c, next);
+	return next();
+});
+app.use("/project-full/:projectId", async (c, next) => {
+	if (c.req.method === "PUT") return requirePermission({ project: ["update"] })(c, next);
+	if (c.req.method === "DELETE") return requirePermission({ project: ["delete"] })(c, next);
+	return next();
+});
+app.openapi(createRoute({
+	method: "post",
+	path: "/project-full",
+	summary: "Create Full Project",
+	operationId: "create-full-project",
+	tags: ["Full Project"],
+	description: "Create a complete project with all Agents, Sub Agents, tools, and relationships from JSON definition",
+	request: {
+		params: TenantParamsSchema,
+		body: { content: { "application/json": { schema: FullProjectDefinitionSchema } } }
+	},
+	responses: {
+		201: {
+			description: "Full project created successfully",
+			content: { "application/json": { schema: FullProjectDefinitionResponse } }
+		},
+		409: {
+			description: "Project already exists",
+			content: { "application/json": { schema: ErrorResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId } = c.req.valid("param");
+	const projectData = c.req.valid("json");
+	const validatedProjectData = FullProjectDefinitionSchema.parse(projectData);
+	try {
+		const createdProject = await createFullProjectServerSide(dbClient_default, logger)({
+			tenantId,
+			projectId: validatedProjectData.id
+		}, validatedProjectData);
+		return c.json({ data: createdProject }, 201);
+	} catch (error) {
+		logger.error({ error }, "Error creating project");
+		if (error?.cause?.code === "23505") throw createApiError({
+			code: "conflict",
+			message: `Project with ID '${projectData.id}' already exists`
+		});
+		throw error;
+	}
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/project-full/{projectId}",
+	summary: "Get Full Project",
+	operationId: "get-full-project",
+	tags: ["Full Project"],
+	description: "Retrieve a complete project definition with all Agents, Sub Agents, tools, and relationships",
+	request: { params: TenantProjectParamsSchema },
+	responses: {
+		200: {
+			description: "Full project found",
+			content: { "application/json": { schema: FullProjectDefinitionResponse } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId } = c.req.valid("param");
+	try {
+		const project = await getFullProject(dbClient_default, logger)({ scopes: {
+			tenantId,
+			projectId
+		} });
+		if (!project) throw createApiError({
+			code: "not_found",
+			message: "Project not found"
+		});
+		return c.json({ data: project });
+	} catch (error) {
+		if (error instanceof Error && error.message.includes("not found")) throw createApiError({
+			code: "not_found",
+			message: "Project not found"
+		});
+		throw createApiError({
+			code: "internal_server_error",
+			message: error instanceof Error ? error.message : "Failed to retrieve project"
+		});
+	}
+});
+app.openapi(createRoute({
+	method: "put",
+	path: "/project-full/{projectId}",
+	summary: "Update Full Project",
+	operationId: "update-full-project",
+	tags: ["Full Project"],
+	description: "Update or create a complete project with all Agents, Sub Agents, tools, and relationships from JSON definition",
+	request: {
+		params: TenantProjectParamsSchema,
+		body: { content: { "application/json": { schema: FullProjectDefinitionSchema } } }
+	},
+	responses: {
+		200: {
+			description: "Full project updated successfully",
+			content: { "application/json": { schema: FullProjectDefinitionResponse } }
+		},
+		201: {
+			description: "Full project created successfully",
+			content: { "application/json": { schema: FullProjectDefinitionResponse } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId } = c.req.valid("param");
+	const projectData = c.req.valid("json");
+	try {
+		const validatedProjectData = FullProjectDefinitionSchema.parse(projectData);
+		if (projectId !== validatedProjectData.id) throw createApiError({
+			code: "bad_request",
+			message: `Project ID mismatch: expected ${projectId}, got ${validatedProjectData.id}`
+		});
+		const isCreate = !await getFullProject(dbClient_default, logger)({ scopes: {
+			tenantId,
+			projectId
+		} });
+		const updatedProject = isCreate ? await createFullProjectServerSide(dbClient_default, logger)({
+			tenantId,
+			projectId
+		}, validatedProjectData) : await updateFullProjectServerSide(dbClient_default, logger)({
+			tenantId,
+			projectId
+		}, validatedProjectData);
+		return c.json({ data: updatedProject }, isCreate ? 201 : 200);
+	} catch (error) {
+		if (error instanceof z.ZodError) throw createApiError({
+			code: "bad_request",
+			message: "Invalid project definition"
+		});
+		if (error instanceof Error && error.message.includes("ID mismatch")) throw createApiError({
+			code: "bad_request",
+			message: error.message
+		});
+		throw createApiError({
+			code: "internal_server_error",
+			message: error instanceof Error ? error.message : "Failed to update project"
+		});
+	}
+});
+app.openapi(createRoute({
+	method: "delete",
+	path: "/project-full/{projectId}",
+	summary: "Delete Full Project",
+	operationId: "delete-full-project",
+	tags: ["Full Project"],
+	description: "Delete a complete project and cascade to all related entities (Agents, Sub Agents, tools, relationships)",
+	request: { params: TenantProjectParamsSchema },
+	responses: {
+		204: { description: "Project deleted successfully" },
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId } = c.req.valid("param");
+	try {
+		if (!await deleteFullProject(dbClient_default, logger)({ scopes: {
+			tenantId,
+			projectId
+		} })) throw createApiError({
+			code: "not_found",
+			message: "Project not found"
+		});
+		return c.body(null, 204);
+	} catch (error) {
+		if (error instanceof Error && error.message.includes("not found")) throw createApiError({
+			code: "not_found",
+			message: "Project not found"
+		});
+		throw createApiError({
+			code: "internal_server_error",
+			message: error instanceof Error ? error.message : "Failed to delete project"
+		});
+	}
+});
+var projectFull_default = app;
+
+//#endregion
+export { projectFull_default as default };

package/dist/routes/projects.d.ts

@@ -0,0 +1,9 @@
+import { BaseAppVariables } from "../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/routes/projects.d.ts
+declare const app: OpenAPIHono<{
+  Variables: BaseAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };