@inkeep/agents-manage-api 0.6.4 → 0.6.5

package/dist/index.cjs

@@ -2430,7 +2430,7 @@ app10.openapi(
   }),
   async (c) => {
     const { tenantId, projectId, id } = c.req.valid("param");
-    const credential = await agentsCore.getCredentialReferenceById(dbClient_default)({
+    const credential = await agentsCore.getCredentialReferenceWithTools(dbClient_default)({
       scopes: { tenantId, projectId },
       id
     });
@@ -3771,71 +3771,7 @@ var checkAllToolsHealth = async (tenantId, projectId, credentialStoreRegistry) =
   );
   return results;
 };
-
-// src/utils/auth-detection.ts
-var logger4 = agentsCore.getLogger("auth-detection");
-var getWellKnownUrls = (baseUrl) => [
-  `${baseUrl}/.well-known/oauth-authorization-server`,
-  `${baseUrl}/.well-known/openid-configuration`
-];
-var validateOAuthMetadata = (metadata) => {
-  return metadata.code_challenge_methods_supported?.includes("S256");
-};
-var buildOAuthConfig = (metadata) => ({
-  authorizationUrl: metadata.authorization_endpoint,
-  tokenUrl: metadata.token_endpoint,
-  registrationUrl: metadata.registration_endpoint,
-  supportsDynamicRegistration: !!metadata.registration_endpoint
-});
-var tryWellKnownEndpoints = async (baseUrl) => {
-  const wellKnownUrls = getWellKnownUrls(baseUrl);
-  for (const wellKnownUrl of wellKnownUrls) {
-    try {
-      const response = await fetch(wellKnownUrl);
-      if (response.ok) {
-        const metadata = await response.json();
-        if (validateOAuthMetadata(metadata)) {
-          logger4.debug({ baseUrl, wellKnownUrl }, "OAuth 2.1/PKCE support detected");
-          return buildOAuthConfig(metadata);
-        }
-      }
-    } catch (error) {
-      logger4.debug({ wellKnownUrl, error }, "OAuth endpoint check failed");
-    }
-  }
-  return null;
-};
-var discoverOAuthEndpoints = async (serverUrl) => {
-  try {
-    const response = await fetch(serverUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
-    if (response.status === 401) {
-      const wwwAuth = response.headers.get("WWW-Authenticate");
-      if (wwwAuth) {
-        const metadataMatch = wwwAuth.match(/as_uri="([^"]+)"/);
-        if (metadataMatch) {
-          const metadataResponse = await fetch(metadataMatch[1]);
-          if (metadataResponse.ok) {
-            const metadata = await metadataResponse.json();
-            if (metadata.authorization_servers?.length > 0) {
-              return await tryWellKnownEndpoints(metadata.authorization_servers[0]);
-            }
-          }
-        }
-      }
-    }
-  } catch (_error) {
-  }
-  const url = new URL(serverUrl);
-  const baseUrl = `${url.protocol}//${url.host}`;
-  return await tryWellKnownEndpoints(baseUrl);
-};
-
-// src/utils/oauth-service.ts
-var logger5 = agentsCore.getLogger("oauth-service");
+var logger4 = agentsCore.getLogger("oauth-service");
 var pkceStore = /* @__PURE__ */ new Map();
 function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId) {
   pkceStore.set(state, { codeVerifier, toolId, tenantId, projectId, clientId });
@@ -3870,7 +3806,7 @@ var OAuthService = class {
    */
   async initiateOAuthFlow(params) {
     const { tool, tenantId, projectId, toolId } = params;
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url);
+    const oAuthConfig = await agentsCore.discoverOAuthEndpoints(tool.config.mcp.server.url, logger4);
     if (!oAuthConfig) {
       throw new Error("OAuth not supported by this server");
     }
@@ -3893,7 +3829,7 @@ var OAuthService = class {
       resource: tool.config.mcp.server.url
     });
     storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId);
-    logger5.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
+    logger4.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
     return {
       redirectUrl: authUrl,
       state
@@ -3904,7 +3840,7 @@ var OAuthService = class {
    */
   async exchangeCodeForTokens(params) {
     const { code, codeVerifier, clientId, tool } = params;
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url);
+    const oAuthConfig = await agentsCore.discoverOAuthEndpoints(tool.config.mcp.server.url, logger4);
     if (!oAuthConfig?.tokenUrl) {
       throw new Error("Could not discover OAuth token endpoint");
     }
@@ -3918,9 +3854,9 @@ var OAuthService = class {
         codeVerifier,
         redirectUri
       });
-      logger5.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
+      logger4.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
     } catch (error) {
-      logger5.warn(
+      logger4.warn(
         { error: error instanceof Error ? error.message : error },
         "openid-client failed, falling back to manual token exchange"
       );
@@ -3931,7 +3867,7 @@ var OAuthService = class {
         codeVerifier,
         redirectUri
       });
-      logger5.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
+      logger4.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
     }
     return { tokens, oAuthConfig };
   }
@@ -3939,7 +3875,7 @@ var OAuthService = class {
    * Perform dynamic client registration
    */
   async performDynamicClientRegistration(registrationUrl, redirectUri) {
-    logger5.info({ registrationUrl }, "Attempting dynamic client registration");
+    logger4.info({ registrationUrl }, "Attempting dynamic client registration");
     try {
       const registrationResponse = await fetch(registrationUrl, {
         method: "POST",
@@ -3962,11 +3898,11 @@ var OAuthService = class {
       });
       if (registrationResponse.ok) {
         const registration = await registrationResponse.json();
-        logger5.info({ clientId: registration.client_id }, "Dynamic client registration successful");
+        logger4.info({ clientId: registration.client_id }, "Dynamic client registration successful");
         return registration.client_id;
       } else {
         const errorText = await registrationResponse.text();
-        logger5.warn(
+        logger4.warn(
           {
             status: registrationResponse.status,
             errorText
@@ -3975,7 +3911,7 @@ var OAuthService = class {
         );
       }
     } catch (regError) {
-      logger5.warn(
+      logger4.warn(
         { error: regError },
         "Dynamic client registration error, using default client_id"
       );
@@ -4005,7 +3941,7 @@ var OAuthService = class {
     const oauth = await import('openid-client');
     const tokenUrl = new URL(oAuthConfig.tokenUrl);
     const oauthServerUrl = `${tokenUrl.protocol}//${tokenUrl.host}`;
-    logger5.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
+    logger4.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
     const config = await oauth.discovery(
       new URL(oauthServerUrl),
       clientId,
@@ -4037,7 +3973,7 @@ var OAuthService = class {
    */
   async exchangeManually(params) {
     const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    logger5.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
+    logger4.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
     const tokenResponse = await fetch(oAuthConfig.tokenUrl, {
       method: "POST",
       headers: {
@@ -4055,7 +3991,7 @@ var OAuthService = class {
     });
     if (!tokenResponse.ok) {
       const errorText = await tokenResponse.text();
-      logger5.error(
+      logger4.error(
         {
           status: tokenResponse.status,
           statusText: tokenResponse.statusText,
@@ -4073,7 +4009,7 @@ var OAuthService = class {
 var oauthService = new OAuthService();
 
 // src/routes/tools.ts
-var logger6 = agentsCore.getLogger("tools");
+var logger5 = agentsCore.getLogger("tools");
 var app15 = new zodOpenapi.OpenAPIHono();
 app15.openapi(
   zodOpenapi.createRoute({
@@ -4196,7 +4132,7 @@ app15.openapi(
   async (c) => {
     const { tenantId, projectId } = c.req.valid("param");
     const body = c.req.valid("json");
-    logger6.info({ body }, "body");
+    logger5.info({ body }, "body");
     const id = body.id || nanoid.nanoid();
     const tool = await agentsCore.createTool(dbClient_default)({
       tenantId,
@@ -4634,7 +4570,7 @@ app15.openapi(
       });
       return c.redirect(redirectUrl, 302);
     } catch (error) {
-      logger6.error({ toolId: id, error }, "OAuth login failed");
+      logger5.error({ toolId: id, error }, "OAuth login failed");
       if (error && typeof error === "object" && "code" in error) {
         const apiError = error;
         return c.json({ error: apiError.message }, apiError.code === "not_found" ? 404 : 400);
@@ -4669,7 +4605,7 @@ app16.route("/projects/:projectId/api-keys", apiKeys_default);
 app16.route("/projects/:projectId/graph", graphFull_default);
 var routes_default = app16;
 var app17 = new zodOpenapi.OpenAPIHono();
-var logger7 = agentsCore.getLogger("oauth-callback");
+var logger6 = agentsCore.getLogger("oauth-callback");
 var OAuthCallbackQuerySchema = zodOpenapi.z.object({
   code: zodOpenapi.z.string().min(1, "Authorization code is required"),
   state: zodOpenapi.z.string().min(1, "State parameter is required"),
@@ -4712,15 +4648,15 @@ app17.openapi(
   async (c) => {
     try {
       const { code, state, error, error_description } = c.req.valid("query");
-      logger7.info({ state, hasCode: !!code }, "OAuth callback received");
+      logger6.info({ state, hasCode: !!code }, "OAuth callback received");
       if (error) {
-        logger7.error({ error, error_description }, "OAuth authorization failed");
+        logger6.error({ error, error_description }, "OAuth authorization failed");
         const errorMessage = "OAuth Authorization Failed. Please try again.";
         return c.text(errorMessage, 400);
       }
       const pkceData = retrievePKCEVerifier(state);
       if (!pkceData) {
-        logger7.error({ state }, "Invalid or expired OAuth state");
+        logger6.error({ state }, "Invalid or expired OAuth state");
         return c.text(
           "OAuth Session Expired: The OAuth session has expired or is invalid. Please try again.",
           400
@@ -4734,8 +4670,8 @@ app17.openapi(
       if (!tool) {
         throw new Error(`Tool ${toolId} not found`);
       }
-      logger7.info({ toolId, tenantId, projectId }, "Processing OAuth callback");
-      logger7.info({ toolId }, "Exchanging authorization code for access token");
+      logger6.info({ toolId, tenantId, projectId }, "Processing OAuth callback");
+      logger6.info({ toolId }, "Exchanging authorization code for access token");
       const mcpTool = agentsCore.dbResultToMcpTool(tool);
       const { tokens } = await oauthService.exchangeCodeForTokens({
         code,
@@ -4743,7 +4679,7 @@ app17.openapi(
         clientId,
         tool: mcpTool
       });
-      logger7.info(
+      logger6.info(
         { toolId, tokenType: tokens.token_type, hasRefresh: !!tokens.refresh_token },
         "Token exchange successful"
       );
@@ -4765,14 +4701,14 @@ app17.openapi(
       };
       let credential;
       if (existingCredential) {
-        logger7.info({ credentialId: existingCredential.id }, "Updating existing credential");
+        logger6.info({ credentialId: existingCredential.id }, "Updating existing credential");
         credential = await agentsCore.updateCredentialReference(dbClient_default)({
           scopes: { tenantId, projectId },
           id: existingCredential.id,
           data: credentialData
         });
       } else {
-        logger7.info({ credentialId }, "Creating new credential");
+        logger6.info({ credentialId }, "Creating new credential");
         credential = await agentsCore.createCredentialReference(dbClient_default)({
           tenantId,
           projectId,
@@ -4790,7 +4726,7 @@ app17.openapi(
           credentialReferenceId: credential.id
         }
       });
-      logger7.info({ toolId, credentialId: credential.id }, "OAuth flow completed successfully");
+      logger6.info({ toolId, credentialId: credential.id }, "OAuth flow completed successfully");
       const successPage = `
         <!DOCTYPE html>
         <html>
@@ -4832,14 +4768,14 @@ app17.openapi(
       `;
       return c.html(successPage);
     } catch (error) {
-      logger7.error({ error }, "OAuth callback processing failed");
+      logger6.error({ error }, "OAuth callback processing failed");
       const errorMessage = "OAuth Processing Failed. Please try again.";
       return c.text(errorMessage, 500);
     }
   }
 );
 var oauth_default = app17;
-var logger8 = agentsCore.getLogger("projectFull");
+var logger7 = agentsCore.getLogger("projectFull");
 var app18 = new zodOpenapi.OpenAPIHono();
 var ProjectIdParamsSchema = zod.z.object({
   tenantId: zod.z.string().openapi({
@@ -4900,7 +4836,7 @@ app18.openapi(
     const projectData = c.req.valid("json");
     const validatedProjectData = agentsCore.FullProjectDefinitionSchema.parse(projectData);
     try {
-      const createdProject = await agentsCore.createFullProjectServerSide(dbClient_default, logger8)(
+      const createdProject = await agentsCore.createFullProjectServerSide(dbClient_default, logger7)(
         { tenantId, projectId: validatedProjectData.id },
         validatedProjectData
       );
@@ -4944,7 +4880,7 @@ app18.openapi(
     try {
       const project = await agentsCore.getFullProject(
         dbClient_default,
-        logger8
+        logger7
       )({
         scopes: { tenantId, projectId }
       });
@@ -5020,15 +4956,15 @@ app18.openapi(
       }
       const existingProject = await agentsCore.getFullProject(
         dbClient_default,
-        logger8
+        logger7
       )({
         scopes: { tenantId, projectId }
       });
       const isCreate = !existingProject;
-      const updatedProject = isCreate ? await agentsCore.createFullProjectServerSide(dbClient_default, logger8)(
+      const updatedProject = isCreate ? await agentsCore.createFullProjectServerSide(dbClient_default, logger7)(
         { tenantId, projectId },
         validatedProjectData
-      ) : await agentsCore.updateFullProjectServerSide(dbClient_default, logger8)(
+      ) : await agentsCore.updateFullProjectServerSide(dbClient_default, logger7)(
         { tenantId, projectId },
         validatedProjectData
       );
@@ -5076,7 +5012,7 @@ app18.openapi(
     try {
       const deleted = await agentsCore.deleteFullProject(
         dbClient_default,
-        logger8
+        logger7
       )({
         scopes: { tenantId, projectId }
       });
@@ -5104,8 +5040,8 @@ app18.openapi(
 var projectFull_default = app18;
 
 // src/app.ts
-var logger9 = agentsCore.getLogger("agents-manage-api");
-logger9.info({ logger: logger9.getTransports() }, "Logger initialized");
+var logger8 = agentsCore.getLogger("agents-manage-api");
+logger8.info({ logger: logger8.getTransports() }, "Logger initialized");
 function createManagementHono(serverConfig, credentialStores) {
   const app20 = new zodOpenapi.OpenAPIHono();
   app20.use("*", requestId.requestId());
@@ -5160,7 +5096,7 @@ function createManagementHono(serverConfig, credentialStores) {
       if (!isExpectedError) {
         const errorMessage = err instanceof Error ? err.message : String(err);
         const errorStack = err instanceof Error ? err.stack : void 0;
-        logger9.error(
+        logger8.error(
           {
             error: err,
             message: errorMessage,
@@ -5171,7 +5107,7 @@ function createManagementHono(serverConfig, credentialStores) {
           "Unexpected server error occurred"
         );
       } else {
-        logger9.error(
+        logger8.error(
           {
             error: err,
             path: c.req.path,
@@ -5187,7 +5123,7 @@ function createManagementHono(serverConfig, credentialStores) {
         const response = err.getResponse();
         return response;
       } catch (responseError) {
-        logger9.error({ error: responseError }, "Error while handling HTTPException response");
+        logger8.error({ error: responseError }, "Error while handling HTTPException response");
       }
     }
     const { status: respStatus, title, detail, instance } = await agentsCore.handleApiError(err, requestId2);

package/dist/index.js

@@ -1,4 +1,4 @@
-import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, TenantProjectGraphParamsSchema, ArtifactComponentApiSelectSchema, getArtifactComponentsForAgent, getAgentsUsingArtifactComponent, ErrorResponseSchema, SingleResponseSchema, AgentArtifactComponentApiInsertSchema, AgentArtifactComponentApiSelectSchema, getAgentById, getArtifactComponentById, createApiError, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentApiSelectSchema, getDataComponentsForAgent, getAgentsUsingDataComponent, AgentDataComponentApiInsertSchema, AgentDataComponentApiSelectSchema, getDataComponent, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, ListResponseSchema, PaginationQueryParamsSchema, TenantProjectParamsSchema, AgentGraphApiSelectSchema, listAgentGraphs, IdParamsSchema, getAgentGraphById, getGraphAgentInfos, FullGraphDefinitionSchema, getFullGraphDefinition, AgentGraphApiInsertSchema, createAgentGraph, AgentGraphApiUpdateSchema, updateAgentGraph, deleteAgentGraph, AgentRelationApiSelectSchema, AgentRelationQuerySchema, getAgentRelationsBySource, getAgentRelationsByTarget, getExternalAgentRelations, listAgentRelations, TenantProjectGraphIdParamsSchema, getAgentRelationById, AgentRelationApiInsertSchema, validateExternalAgent, validateInternalAgent, createAgentRelation, AgentRelationApiUpdateSchema, updateAgentRelation, deleteAgentRelation, AgentApiSelectSchema, listAgentsPaginated, AgentApiInsertSchema, createAgent, AgentApiUpdateSchema, updateAgent, deleteAgent, AgentToolRelationApiSelectSchema, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, getAgentToolRelationById, getToolsForAgent, getAgentsForTool, AgentToolRelationApiInsertSchema, createAgentToolRelation, AgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, ApiKeyApiSelectSchema, listApiKeysPaginated, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, listArtifactComponentsPaginated, ArtifactComponentApiInsertSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigApiSelectSchema, listContextConfigsPaginated, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialReferenceApiSelectSchema, listCredentialReferencesPaginated, getCredentialReferenceById, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, listDataComponentsPaginated, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentApiSelectSchema, listExternalAgentsPaginated, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, createFullGraphServerSide, getFullGraph, updateFullGraphServerSide, deleteFullGraph, TenantParamsSchema, ProjectApiSelectSchema, listProjectsPaginated, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, McpToolSchema, ToolStatusSchema, listToolsByStatus, dbResultToMcpTool, listTools, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, getCredentialReference, CredentialStoreType, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, createDefaultCredentialStores, CredentialStoreRegistry, ContextResolver, CredentialStuffer, McpClient, detectAuthenticationRequired, handleApiError, MCPServerType, MCPTransportType } from '@inkeep/agents-core';
+import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, TenantProjectGraphParamsSchema, ArtifactComponentApiSelectSchema, getArtifactComponentsForAgent, getAgentsUsingArtifactComponent, ErrorResponseSchema, SingleResponseSchema, AgentArtifactComponentApiInsertSchema, AgentArtifactComponentApiSelectSchema, getAgentById, getArtifactComponentById, createApiError, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentApiSelectSchema, getDataComponentsForAgent, getAgentsUsingDataComponent, AgentDataComponentApiInsertSchema, AgentDataComponentApiSelectSchema, getDataComponent, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, ListResponseSchema, PaginationQueryParamsSchema, TenantProjectParamsSchema, AgentGraphApiSelectSchema, listAgentGraphs, IdParamsSchema, getAgentGraphById, getGraphAgentInfos, FullGraphDefinitionSchema, getFullGraphDefinition, AgentGraphApiInsertSchema, createAgentGraph, AgentGraphApiUpdateSchema, updateAgentGraph, deleteAgentGraph, AgentRelationApiSelectSchema, AgentRelationQuerySchema, getAgentRelationsBySource, getAgentRelationsByTarget, getExternalAgentRelations, listAgentRelations, TenantProjectGraphIdParamsSchema, getAgentRelationById, AgentRelationApiInsertSchema, validateExternalAgent, validateInternalAgent, createAgentRelation, AgentRelationApiUpdateSchema, updateAgentRelation, deleteAgentRelation, AgentApiSelectSchema, listAgentsPaginated, AgentApiInsertSchema, createAgent, AgentApiUpdateSchema, updateAgent, deleteAgent, AgentToolRelationApiSelectSchema, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, getAgentToolRelationById, getToolsForAgent, getAgentsForTool, AgentToolRelationApiInsertSchema, createAgentToolRelation, AgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, ApiKeyApiSelectSchema, listApiKeysPaginated, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, listArtifactComponentsPaginated, ArtifactComponentApiInsertSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigApiSelectSchema, listContextConfigsPaginated, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialReferenceApiSelectSchema, listCredentialReferencesPaginated, getCredentialReferenceWithTools, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialReferenceById, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, listDataComponentsPaginated, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentApiSelectSchema, listExternalAgentsPaginated, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, createFullGraphServerSide, getFullGraph, updateFullGraphServerSide, deleteFullGraph, TenantParamsSchema, ProjectApiSelectSchema, listProjectsPaginated, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, McpToolSchema, ToolStatusSchema, listToolsByStatus, dbResultToMcpTool, listTools, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, getCredentialReference, CredentialStoreType, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, createDefaultCredentialStores, CredentialStoreRegistry, discoverOAuthEndpoints, ContextResolver, CredentialStuffer, McpClient, detectAuthenticationRequired, handleApiError, MCPServerType, MCPTransportType } from '@inkeep/agents-core';
 import { OpenAPIHono, createRoute, z as z$1 } from '@hono/zod-openapi';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
@@ -2426,7 +2426,7 @@ app10.openapi(
   }),
   async (c) => {
     const { tenantId, projectId, id } = c.req.valid("param");
-    const credential = await getCredentialReferenceById(dbClient_default)({
+    const credential = await getCredentialReferenceWithTools(dbClient_default)({
       scopes: { tenantId, projectId },
       id
     });
@@ -3767,71 +3767,7 @@ var checkAllToolsHealth = async (tenantId, projectId, credentialStoreRegistry) =
   );
   return results;
 };
-
-// src/utils/auth-detection.ts
-var logger4 = getLogger("auth-detection");
-var getWellKnownUrls = (baseUrl) => [
-  `${baseUrl}/.well-known/oauth-authorization-server`,
-  `${baseUrl}/.well-known/openid-configuration`
-];
-var validateOAuthMetadata = (metadata) => {
-  return metadata.code_challenge_methods_supported?.includes("S256");
-};
-var buildOAuthConfig = (metadata) => ({
-  authorizationUrl: metadata.authorization_endpoint,
-  tokenUrl: metadata.token_endpoint,
-  registrationUrl: metadata.registration_endpoint,
-  supportsDynamicRegistration: !!metadata.registration_endpoint
-});
-var tryWellKnownEndpoints = async (baseUrl) => {
-  const wellKnownUrls = getWellKnownUrls(baseUrl);
-  for (const wellKnownUrl of wellKnownUrls) {
-    try {
-      const response = await fetch(wellKnownUrl);
-      if (response.ok) {
-        const metadata = await response.json();
-        if (validateOAuthMetadata(metadata)) {
-          logger4.debug({ baseUrl, wellKnownUrl }, "OAuth 2.1/PKCE support detected");
-          return buildOAuthConfig(metadata);
-        }
-      }
-    } catch (error) {
-      logger4.debug({ wellKnownUrl, error }, "OAuth endpoint check failed");
-    }
-  }
-  return null;
-};
-var discoverOAuthEndpoints = async (serverUrl) => {
-  try {
-    const response = await fetch(serverUrl, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({})
-    });
-    if (response.status === 401) {
-      const wwwAuth = response.headers.get("WWW-Authenticate");
-      if (wwwAuth) {
-        const metadataMatch = wwwAuth.match(/as_uri="([^"]+)"/);
-        if (metadataMatch) {
-          const metadataResponse = await fetch(metadataMatch[1]);
-          if (metadataResponse.ok) {
-            const metadata = await metadataResponse.json();
-            if (metadata.authorization_servers?.length > 0) {
-              return await tryWellKnownEndpoints(metadata.authorization_servers[0]);
-            }
-          }
-        }
-      }
-    }
-  } catch (_error) {
-  }
-  const url = new URL(serverUrl);
-  const baseUrl = `${url.protocol}//${url.host}`;
-  return await tryWellKnownEndpoints(baseUrl);
-};
-
-// src/utils/oauth-service.ts
-var logger5 = getLogger("oauth-service");
+var logger4 = getLogger("oauth-service");
 var pkceStore = /* @__PURE__ */ new Map();
 function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId) {
   pkceStore.set(state, { codeVerifier, toolId, tenantId, projectId, clientId });
@@ -3866,7 +3802,7 @@ var OAuthService = class {
    */
   async initiateOAuthFlow(params) {
     const { tool, tenantId, projectId, toolId } = params;
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url);
+    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger4);
     if (!oAuthConfig) {
       throw new Error("OAuth not supported by this server");
     }
@@ -3889,7 +3825,7 @@ var OAuthService = class {
       resource: tool.config.mcp.server.url
     });
     storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId);
-    logger5.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
+    logger4.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
     return {
       redirectUrl: authUrl,
       state
@@ -3900,7 +3836,7 @@ var OAuthService = class {
    */
   async exchangeCodeForTokens(params) {
     const { code, codeVerifier, clientId, tool } = params;
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url);
+    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger4);
     if (!oAuthConfig?.tokenUrl) {
       throw new Error("Could not discover OAuth token endpoint");
     }
@@ -3914,9 +3850,9 @@ var OAuthService = class {
         codeVerifier,
         redirectUri
       });
-      logger5.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
+      logger4.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
     } catch (error) {
-      logger5.warn(
+      logger4.warn(
         { error: error instanceof Error ? error.message : error },
         "openid-client failed, falling back to manual token exchange"
       );
@@ -3927,7 +3863,7 @@ var OAuthService = class {
         codeVerifier,
         redirectUri
       });
-      logger5.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
+      logger4.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
     }
     return { tokens, oAuthConfig };
   }
@@ -3935,7 +3871,7 @@ var OAuthService = class {
    * Perform dynamic client registration
    */
   async performDynamicClientRegistration(registrationUrl, redirectUri) {
-    logger5.info({ registrationUrl }, "Attempting dynamic client registration");
+    logger4.info({ registrationUrl }, "Attempting dynamic client registration");
     try {
       const registrationResponse = await fetch(registrationUrl, {
         method: "POST",
@@ -3958,11 +3894,11 @@ var OAuthService = class {
       });
       if (registrationResponse.ok) {
         const registration = await registrationResponse.json();
-        logger5.info({ clientId: registration.client_id }, "Dynamic client registration successful");
+        logger4.info({ clientId: registration.client_id }, "Dynamic client registration successful");
         return registration.client_id;
       } else {
         const errorText = await registrationResponse.text();
-        logger5.warn(
+        logger4.warn(
           {
             status: registrationResponse.status,
             errorText
@@ -3971,7 +3907,7 @@ var OAuthService = class {
         );
       }
     } catch (regError) {
-      logger5.warn(
+      logger4.warn(
         { error: regError },
         "Dynamic client registration error, using default client_id"
       );
@@ -4001,7 +3937,7 @@ var OAuthService = class {
     const oauth = await import('openid-client');
     const tokenUrl = new URL(oAuthConfig.tokenUrl);
     const oauthServerUrl = `${tokenUrl.protocol}//${tokenUrl.host}`;
-    logger5.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
+    logger4.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
     const config = await oauth.discovery(
       new URL(oauthServerUrl),
       clientId,
@@ -4033,7 +3969,7 @@ var OAuthService = class {
    */
   async exchangeManually(params) {
     const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    logger5.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
+    logger4.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
     const tokenResponse = await fetch(oAuthConfig.tokenUrl, {
       method: "POST",
       headers: {
@@ -4051,7 +3987,7 @@ var OAuthService = class {
     });
     if (!tokenResponse.ok) {
       const errorText = await tokenResponse.text();
-      logger5.error(
+      logger4.error(
         {
           status: tokenResponse.status,
           statusText: tokenResponse.statusText,
@@ -4069,7 +4005,7 @@ var OAuthService = class {
 var oauthService = new OAuthService();
 
 // src/routes/tools.ts
-var logger6 = getLogger("tools");
+var logger5 = getLogger("tools");
 var app15 = new OpenAPIHono();
 app15.openapi(
   createRoute({
@@ -4192,7 +4128,7 @@ app15.openapi(
   async (c) => {
     const { tenantId, projectId } = c.req.valid("param");
     const body = c.req.valid("json");
-    logger6.info({ body }, "body");
+    logger5.info({ body }, "body");
     const id = body.id || nanoid();
     const tool = await createTool(dbClient_default)({
       tenantId,
@@ -4630,7 +4566,7 @@ app15.openapi(
       });
       return c.redirect(redirectUrl, 302);
     } catch (error) {
-      logger6.error({ toolId: id, error }, "OAuth login failed");
+      logger5.error({ toolId: id, error }, "OAuth login failed");
       if (error && typeof error === "object" && "code" in error) {
         const apiError = error;
         return c.json({ error: apiError.message }, apiError.code === "not_found" ? 404 : 400);
@@ -4665,7 +4601,7 @@ app16.route("/projects/:projectId/api-keys", apiKeys_default);
 app16.route("/projects/:projectId/graph", graphFull_default);
 var routes_default = app16;
 var app17 = new OpenAPIHono();
-var logger7 = getLogger("oauth-callback");
+var logger6 = getLogger("oauth-callback");
 var OAuthCallbackQuerySchema = z$1.object({
   code: z$1.string().min(1, "Authorization code is required"),
   state: z$1.string().min(1, "State parameter is required"),
@@ -4708,15 +4644,15 @@ app17.openapi(
   async (c) => {
     try {
       const { code, state, error, error_description } = c.req.valid("query");
-      logger7.info({ state, hasCode: !!code }, "OAuth callback received");
+      logger6.info({ state, hasCode: !!code }, "OAuth callback received");
       if (error) {
-        logger7.error({ error, error_description }, "OAuth authorization failed");
+        logger6.error({ error, error_description }, "OAuth authorization failed");
         const errorMessage = "OAuth Authorization Failed. Please try again.";
         return c.text(errorMessage, 400);
       }
       const pkceData = retrievePKCEVerifier(state);
       if (!pkceData) {
-        logger7.error({ state }, "Invalid or expired OAuth state");
+        logger6.error({ state }, "Invalid or expired OAuth state");
         return c.text(
           "OAuth Session Expired: The OAuth session has expired or is invalid. Please try again.",
           400
@@ -4730,8 +4666,8 @@ app17.openapi(
       if (!tool) {
         throw new Error(`Tool ${toolId} not found`);
       }
-      logger7.info({ toolId, tenantId, projectId }, "Processing OAuth callback");
-      logger7.info({ toolId }, "Exchanging authorization code for access token");
+      logger6.info({ toolId, tenantId, projectId }, "Processing OAuth callback");
+      logger6.info({ toolId }, "Exchanging authorization code for access token");
       const mcpTool = dbResultToMcpTool(tool);
       const { tokens } = await oauthService.exchangeCodeForTokens({
         code,
@@ -4739,7 +4675,7 @@ app17.openapi(
         clientId,
         tool: mcpTool
       });
-      logger7.info(
+      logger6.info(
         { toolId, tokenType: tokens.token_type, hasRefresh: !!tokens.refresh_token },
         "Token exchange successful"
       );
@@ -4761,14 +4697,14 @@ app17.openapi(
       };
       let credential;
       if (existingCredential) {
-        logger7.info({ credentialId: existingCredential.id }, "Updating existing credential");
+        logger6.info({ credentialId: existingCredential.id }, "Updating existing credential");
         credential = await updateCredentialReference(dbClient_default)({
           scopes: { tenantId, projectId },
           id: existingCredential.id,
           data: credentialData
         });
       } else {
-        logger7.info({ credentialId }, "Creating new credential");
+        logger6.info({ credentialId }, "Creating new credential");
         credential = await createCredentialReference(dbClient_default)({
           tenantId,
           projectId,
@@ -4786,7 +4722,7 @@ app17.openapi(
           credentialReferenceId: credential.id
         }
       });
-      logger7.info({ toolId, credentialId: credential.id }, "OAuth flow completed successfully");
+      logger6.info({ toolId, credentialId: credential.id }, "OAuth flow completed successfully");
       const successPage = `
         <!DOCTYPE html>
         <html>
@@ -4828,14 +4764,14 @@ app17.openapi(
       `;
       return c.html(successPage);
     } catch (error) {
-      logger7.error({ error }, "OAuth callback processing failed");
+      logger6.error({ error }, "OAuth callback processing failed");
       const errorMessage = "OAuth Processing Failed. Please try again.";
       return c.text(errorMessage, 500);
     }
   }
 );
 var oauth_default = app17;
-var logger8 = getLogger("projectFull");
+var logger7 = getLogger("projectFull");
 var app18 = new OpenAPIHono();
 var ProjectIdParamsSchema = z.object({
   tenantId: z.string().openapi({
@@ -4896,7 +4832,7 @@ app18.openapi(
     const projectData = c.req.valid("json");
     const validatedProjectData = FullProjectDefinitionSchema.parse(projectData);
     try {
-      const createdProject = await createFullProjectServerSide(dbClient_default, logger8)(
+      const createdProject = await createFullProjectServerSide(dbClient_default, logger7)(
         { tenantId, projectId: validatedProjectData.id },
         validatedProjectData
       );
@@ -4940,7 +4876,7 @@ app18.openapi(
     try {
       const project = await getFullProject(
         dbClient_default,
-        logger8
+        logger7
       )({
         scopes: { tenantId, projectId }
       });
@@ -5016,15 +4952,15 @@ app18.openapi(
       }
       const existingProject = await getFullProject(
         dbClient_default,
-        logger8
+        logger7
       )({
         scopes: { tenantId, projectId }
       });
       const isCreate = !existingProject;
-      const updatedProject = isCreate ? await createFullProjectServerSide(dbClient_default, logger8)(
+      const updatedProject = isCreate ? await createFullProjectServerSide(dbClient_default, logger7)(
         { tenantId, projectId },
         validatedProjectData
-      ) : await updateFullProjectServerSide(dbClient_default, logger8)(
+      ) : await updateFullProjectServerSide(dbClient_default, logger7)(
         { tenantId, projectId },
         validatedProjectData
       );
@@ -5072,7 +5008,7 @@ app18.openapi(
     try {
       const deleted = await deleteFullProject(
         dbClient_default,
-        logger8
+        logger7
       )({
         scopes: { tenantId, projectId }
       });
@@ -5100,8 +5036,8 @@ app18.openapi(
 var projectFull_default = app18;
 
 // src/app.ts
-var logger9 = getLogger("agents-manage-api");
-logger9.info({ logger: logger9.getTransports() }, "Logger initialized");
+var logger8 = getLogger("agents-manage-api");
+logger8.info({ logger: logger8.getTransports() }, "Logger initialized");
 function createManagementHono(serverConfig, credentialStores) {
   const app20 = new OpenAPIHono();
   app20.use("*", requestId());
@@ -5156,7 +5092,7 @@ function createManagementHono(serverConfig, credentialStores) {
       if (!isExpectedError) {
         const errorMessage = err instanceof Error ? err.message : String(err);
         const errorStack = err instanceof Error ? err.stack : void 0;
-        logger9.error(
+        logger8.error(
           {
             error: err,
             message: errorMessage,
@@ -5167,7 +5103,7 @@ function createManagementHono(serverConfig, credentialStores) {
           "Unexpected server error occurred"
         );
       } else {
-        logger9.error(
+        logger8.error(
           {
             error: err,
             path: c.req.path,
@@ -5183,7 +5119,7 @@ function createManagementHono(serverConfig, credentialStores) {
         const response = err.getResponse();
         return response;
       } catch (responseError) {
-        logger9.error({ error: responseError }, "Error while handling HTTPException response");
+        logger8.error({ error: responseError }, "Error while handling HTTPException response");
       }
     }
     const { status: respStatus, title, detail, instance } = await handleApiError(err, requestId2);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-manage-api",
-  "version": "0.6.4",
+  "version": "0.6.5",
   "description": "Agents Manage API for Inkeep Agent Framework - handles CRUD operations and OAuth",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -24,7 +24,7 @@
     "openid-client": "^6.6.4",
     "pino": "^9.7.0",
     "zod": "^4.1.5",
-    "@inkeep/agents-core": "^0.6.4"
+    "@inkeep/agents-core": "^0.6.5"
   },
   "devDependencies": {
     "@hono/vite-dev-server": "^0.20.1",