@inkeep/agents-manage-api 0.9.0 → 0.10.2

package/dist/index.js

@@ -1,4 +1,4 @@
-import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, TenantProjectGraphParamsSchema, ArtifactComponentApiSelectSchema, getArtifactComponentsForAgent, getAgentsUsingArtifactComponent, ErrorResponseSchema, SingleResponseSchema, AgentArtifactComponentApiInsertSchema, AgentArtifactComponentApiSelectSchema, getAgentById, getArtifactComponentById, createApiError, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentApiSelectSchema, getDataComponentsForAgent, getAgentsUsingDataComponent, AgentDataComponentApiInsertSchema, AgentDataComponentApiSelectSchema, getDataComponent, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, ListResponseSchema, PaginationQueryParamsSchema, TenantProjectParamsSchema, AgentGraphApiSelectSchema, listAgentGraphs, IdParamsSchema, getAgentGraphById, getGraphAgentInfos, FullGraphDefinitionSchema, getFullGraphDefinition, AgentGraphApiInsertSchema, createAgentGraph, AgentGraphApiUpdateSchema, updateAgentGraph, deleteAgentGraph, AgentRelationApiSelectSchema, AgentRelationQuerySchema, getAgentRelationsBySource, getAgentRelationsByTarget, getExternalAgentRelations, listAgentRelations, TenantProjectGraphIdParamsSchema, getAgentRelationById, AgentRelationApiInsertSchema, validateExternalAgent, validateInternalAgent, createAgentRelation, AgentRelationApiUpdateSchema, updateAgentRelation, deleteAgentRelation, AgentApiSelectSchema, listAgentsPaginated, AgentApiInsertSchema, createAgent, AgentApiUpdateSchema, updateAgent, deleteAgent, AgentToolRelationApiSelectSchema, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, getAgentToolRelationById, getAgentsForTool, AgentToolRelationApiInsertSchema, createAgentToolRelation, AgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, ApiKeyApiSelectSchema, listApiKeysPaginated, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, listArtifactComponentsPaginated, ArtifactComponentApiInsertSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigApiSelectSchema, listContextConfigsPaginated, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialReferenceApiSelectSchema, listCredentialReferencesPaginated, getCredentialReferenceWithTools, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialReferenceById, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, listDataComponentsPaginated, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentApiSelectSchema, listExternalAgentsPaginated, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, createFullGraphServerSide, getFullGraph, updateFullGraphServerSide, deleteFullGraph, TenantParamsSchema, ProjectApiSelectSchema, listProjectsPaginated, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, McpToolSchema, ToolStatusSchema, listTools, dbResultToMcpTool, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, getCredentialReference, CredentialStoreType, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, createDefaultCredentialStores, CredentialStoreRegistry, discoverOAuthEndpoints, handleApiError } from '@inkeep/agents-core';
+import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, TenantProjectGraphParamsSchema, ArtifactComponentApiSelectSchema, getArtifactComponentsForAgent, getAgentsUsingArtifactComponent, ErrorResponseSchema, SingleResponseSchema, AgentArtifactComponentApiInsertSchema, AgentArtifactComponentApiSelectSchema, getAgentById, getArtifactComponentById, createApiError, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentApiSelectSchema, getDataComponentsForAgent, getAgentsUsingDataComponent, AgentDataComponentApiInsertSchema, AgentDataComponentApiSelectSchema, getDataComponent, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, ListResponseSchema, PaginationQueryParamsSchema, TenantProjectParamsSchema, AgentGraphApiSelectSchema, listAgentGraphs, IdParamsSchema, getAgentGraphById, getGraphAgentInfos, FullGraphDefinitionSchema, getFullGraphDefinition, AgentGraphApiInsertSchema, createAgentGraph, AgentGraphApiUpdateSchema, updateAgentGraph, deleteAgentGraph, AgentRelationApiSelectSchema, AgentRelationQuerySchema, getAgentRelationsBySource, getAgentRelationsByTarget, getExternalAgentRelations, listAgentRelations, TenantProjectGraphIdParamsSchema, getAgentRelationById, AgentRelationApiInsertSchema, validateExternalAgent, validateInternalAgent, createAgentRelation, AgentRelationApiUpdateSchema, updateAgentRelation, deleteAgentRelation, AgentApiSelectSchema, listAgentsPaginated, AgentApiInsertSchema, createAgent, AgentApiUpdateSchema, updateAgent, deleteAgent, AgentToolRelationApiSelectSchema, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, getAgentToolRelationById, getAgentsForTool, AgentToolRelationApiInsertSchema, createAgentToolRelation, AgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, ApiKeyApiSelectSchema, listApiKeysPaginated, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, listArtifactComponentsPaginated, ArtifactComponentApiInsertSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigApiSelectSchema, listContextConfigsPaginated, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialReferenceApiSelectSchema, listCredentialReferencesPaginated, getCredentialReferenceWithTools, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialReferenceById, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, listDataComponentsPaginated, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentApiSelectSchema, listExternalAgentsPaginated, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, createFullGraphServerSide, getFullGraph, updateFullGraphServerSide, deleteFullGraph, TenantParamsSchema, ProjectApiSelectSchema, listProjectsPaginated, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, McpToolSchema, ToolStatusSchema, listTools, dbResultToMcpTool, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, CredentialStoreType, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, createDefaultCredentialStores, CredentialStoreRegistry, discoverOAuthEndpoints, handleApiError } from '@inkeep/agents-core';
 import { OpenAPIHono, createRoute, z as z$1 } from '@hono/zod-openapi';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
@@ -3476,245 +3476,7 @@ app14.openapi(
   }
 );
 var projects_default = app14;
-var logger3 = getLogger("oauth-service");
-var pkceStore = /* @__PURE__ */ new Map();
-function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId) {
-  pkceStore.set(state, { codeVerifier, toolId, tenantId, projectId, clientId });
-  setTimeout(
-    () => {
-      pkceStore.delete(state);
-    },
-    10 * 60 * 1e3
-  );
-}
-function retrievePKCEVerifier(state) {
-  const data = pkceStore.get(state);
-  if (data) {
-    pkceStore.delete(state);
-    return data;
-  }
-  return null;
-}
-var OAuthService = class {
-  constructor(config = {}) {
-    __publicField(this, "defaultConfig");
-    this.defaultConfig = {
-      defaultClientId: config.defaultClientId || process.env.DEFAULT_OAUTH_CLIENT_ID || "mcp-client",
-      clientName: config.clientName || process.env.OAUTH_CLIENT_NAME || "Inkeep Agent Framework",
-      clientUri: config.clientUri || process.env.OAUTH_CLIENT_URI || "https://inkeep.com",
-      logoUri: config.logoUri || process.env.OAUTH_CLIENT_LOGO_URI || "https://inkeep.com/images/logos/inkeep-logo-blue.svg",
-      redirectBaseUrl: config.redirectBaseUrl || process.env.OAUTH_REDIRECT_BASE_URL || "http://localhost:3002"
-    };
-  }
-  /**
-   * Initiate OAuth flow for an MCP tool
-   */
-  async initiateOAuthFlow(params) {
-    const { tool, tenantId, projectId, toolId } = params;
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger3);
-    if (!oAuthConfig) {
-      throw new Error("OAuth not supported by this server");
-    }
-    const { codeVerifier, codeChallenge } = await this.generatePKCEInternal();
-    const redirectUri = `${this.defaultConfig.redirectBaseUrl}/oauth/callback`;
-    let clientId = this.defaultConfig.defaultClientId;
-    if (oAuthConfig.supportsDynamicRegistration && oAuthConfig.registrationUrl) {
-      clientId = await this.performDynamicClientRegistration(
-        oAuthConfig.registrationUrl,
-        redirectUri
-      );
-    }
-    const state = `tool_${toolId}`;
-    const authUrl = this.buildAuthorizationUrl({
-      oAuthConfig,
-      clientId,
-      redirectUri,
-      state,
-      codeChallenge,
-      resource: tool.config.mcp.server.url
-    });
-    storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId);
-    logger3.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
-    return {
-      redirectUrl: authUrl,
-      state
-    };
-  }
-  /**
-   * Exchange authorization code for access tokens
-   */
-  async exchangeCodeForTokens(params) {
-    const { code, codeVerifier, clientId, tool } = params;
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger3);
-    if (!oAuthConfig?.tokenUrl) {
-      throw new Error("Could not discover OAuth token endpoint");
-    }
-    const redirectUri = `${this.defaultConfig.redirectBaseUrl}/oauth/callback`;
-    let tokens;
-    try {
-      tokens = await this.exchangeWithOpenIdClient({
-        oAuthConfig,
-        clientId,
-        code,
-        codeVerifier,
-        redirectUri
-      });
-      logger3.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
-    } catch (error) {
-      logger3.warn(
-        { error: error instanceof Error ? error.message : error },
-        "openid-client failed, falling back to manual token exchange"
-      );
-      tokens = await this.exchangeManually({
-        oAuthConfig,
-        clientId,
-        code,
-        codeVerifier,
-        redirectUri
-      });
-      logger3.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
-    }
-    return { tokens, oAuthConfig };
-  }
-  /**
-   * Perform dynamic client registration
-   */
-  async performDynamicClientRegistration(registrationUrl, redirectUri) {
-    logger3.info({ registrationUrl }, "Attempting dynamic client registration");
-    try {
-      const registrationResponse = await fetch(registrationUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Accept: "application/json"
-        },
-        body: JSON.stringify({
-          client_name: this.defaultConfig.clientName,
-          client_uri: this.defaultConfig.clientUri,
-          logo_uri: this.defaultConfig.logoUri,
-          redirect_uris: [redirectUri],
-          grant_types: ["authorization_code"],
-          response_types: ["code"],
-          token_endpoint_auth_method: "none",
-          // PKCE only, no client secret
-          application_type: "native"
-          // For PKCE flows
-        })
-      });
-      if (registrationResponse.ok) {
-        const registration = await registrationResponse.json();
-        logger3.info({ clientId: registration.client_id }, "Dynamic client registration successful");
-        return registration.client_id;
-      } else {
-        const errorText = await registrationResponse.text();
-        logger3.warn(
-          {
-            status: registrationResponse.status,
-            errorText
-          },
-          "Dynamic client registration failed, using default client_id"
-        );
-      }
-    } catch (regError) {
-      logger3.warn(
-        { error: regError },
-        "Dynamic client registration error, using default client_id"
-      );
-    }
-    return this.defaultConfig.defaultClientId;
-  }
-  /**
-   * Build authorization URL
-   */
-  buildAuthorizationUrl(params) {
-    const { oAuthConfig, clientId, redirectUri, state, codeChallenge, resource } = params;
-    const authUrl = new URL(oAuthConfig.authorizationUrl);
-    authUrl.searchParams.set("response_type", "code");
-    authUrl.searchParams.set("client_id", clientId);
-    authUrl.searchParams.set("redirect_uri", redirectUri);
-    authUrl.searchParams.set("state", state);
-    authUrl.searchParams.set("code_challenge", codeChallenge);
-    authUrl.searchParams.set("code_challenge_method", "S256");
-    authUrl.searchParams.set("resource", resource);
-    return authUrl.toString();
-  }
-  /**
-   * Exchange code using openid-client library
-   */
-  async exchangeWithOpenIdClient(params) {
-    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    const oauth = await import('openid-client');
-    const tokenUrl = new URL(oAuthConfig.tokenUrl);
-    const oauthServerUrl = `${tokenUrl.protocol}//${tokenUrl.host}`;
-    logger3.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
-    const config = await oauth.discovery(
-      new URL(oauthServerUrl),
-      clientId,
-      void 0
-      // No client secret for PKCE
-    );
-    const callbackUrl = new URL(
-      `${redirectUri}?${new URLSearchParams({ code, state: "unused" }).toString()}`
-    );
-    return await oauth.authorizationCodeGrant(config, callbackUrl, {
-      pkceCodeVerifier: codeVerifier
-    });
-  }
-  /**
-   * Internal PKCE generation
-   */
-  async generatePKCEInternal() {
-    const codeVerifier = Buffer.from(
-      Array.from(crypto.getRandomValues(new Uint8Array(32)))
-    ).toString("base64url");
-    const encoder = new TextEncoder();
-    const data = encoder.encode(codeVerifier);
-    const hash = await crypto.subtle.digest("SHA-256", data);
-    const codeChallenge = Buffer.from(hash).toString("base64url");
-    return { codeVerifier, codeChallenge };
-  }
-  /**
-   * Manual token exchange fallback
-   */
-  async exchangeManually(params) {
-    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    logger3.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
-    const tokenResponse = await fetch(oAuthConfig.tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
-      },
-      body: new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        redirect_uri: redirectUri,
-        client_id: clientId,
-        code_verifier: codeVerifier
-        // PKCE verification
-      })
-    });
-    if (!tokenResponse.ok) {
-      const errorText = await tokenResponse.text();
-      logger3.error(
-        {
-          status: tokenResponse.status,
-          statusText: tokenResponse.statusText,
-          ...process.env.NODE_ENV === "development" && { errorText },
-          clientId,
-          tokenUrl: oAuthConfig.tokenUrl
-        },
-        "Token exchange failed"
-      );
-      throw new Error("Authentication failed. Please try again or contact support.");
-    }
-    return await tokenResponse.json();
-  }
-};
-var oauthService = new OAuthService();
-
-// src/routes/tools.ts
-var logger4 = getLogger("tools");
+var logger3 = getLogger("tools");
 var app15 = new OpenAPIHono();
 app15.openapi(
   createRoute({
@@ -3846,7 +3608,7 @@ app15.openapi(
     const { tenantId, projectId } = c.req.valid("param");
     const body = c.req.valid("json");
     const credentialStores = c.get("credentialStores");
-    logger4.info({ body }, "body");
+    logger3.info({ body }, "body");
     const id = body.id || nanoid();
     const tool = await createTool(dbClient_default)({
       tenantId,
@@ -3963,109 +3725,375 @@ app15.openapi(
     return c.body(null, 204);
   }
 );
-app15.openapi(
-  createRoute({
-    method: "get",
-    path: "/{id}/oauth-login",
-    summary: "Initiate OAuth login for MCP tool",
-    description: "Detects OAuth requirements and redirects to authorization server",
-    operationId: "initiate-oauth-login",
-    tags: ["Tools"],
-    request: {
-      params: TenantProjectParamsSchema.merge(IdParamsSchema)
+var tools_default = app15;
+
+// src/routes/index.ts
+var app16 = new OpenAPIHono();
+app16.route("/projects", projects_default);
+app16.route("/projects/:projectId/graphs/:graphId/agents", agents_default);
+app16.route("/projects/:projectId/graphs/:graphId/agent-relations", agentRelations_default);
+app16.route("/projects/:projectId/agent-graphs", agentGraph_default);
+app16.route("/projects/:projectId/graphs/:graphId/agent-tool-relations", agentToolRelations_default);
+app16.route("/projects/:projectId/graphs/:graphId/agent-artifact-components", agentArtifactComponents_default);
+app16.route("/projects/:projectId/graphs/:graphId/agent-data-components", agentDataComponents_default);
+app16.route("/projects/:projectId/artifact-components", artifactComponents_default);
+app16.route("/projects/:projectId/context-configs", contextConfigs_default);
+app16.route("/projects/:projectId/credentials", credentials_default);
+app16.route("/projects/:projectId/data-components", dataComponents_default);
+app16.route("/projects/:projectId/graphs/:graphId/external-agents", externalAgents_default);
+app16.route("/projects/:projectId/tools", tools_default);
+app16.route("/projects/:projectId/api-keys", apiKeys_default);
+app16.route("/projects/:projectId/graph", graphFull_default);
+var routes_default = app16;
+var logger4 = getLogger("oauth-service");
+var pkceStore = /* @__PURE__ */ new Map();
+function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId) {
+  pkceStore.set(state, { codeVerifier, toolId, tenantId, projectId, clientId });
+  setTimeout(
+    () => {
+      pkceStore.delete(state);
     },
-    responses: {
-      302: {
-        description: "Redirect to OAuth authorization server"
-      },
-      400: {
+    10 * 60 * 1e3
+  );
+}
+function retrievePKCEVerifier(state) {
+  const data = pkceStore.get(state);
+  if (data) {
+    pkceStore.delete(state);
+    return data;
+  }
+  return null;
+}
+var OAuthService = class {
+  constructor(config = {}) {
+    __publicField(this, "defaultConfig");
+    this.defaultConfig = {
+      defaultClientId: config.defaultClientId || process.env.DEFAULT_OAUTH_CLIENT_ID || "mcp-client",
+      clientName: config.clientName || process.env.OAUTH_CLIENT_NAME || "Inkeep Agent Framework",
+      clientUri: config.clientUri || process.env.OAUTH_CLIENT_URI || "https://inkeep.com",
+      logoUri: config.logoUri || process.env.OAUTH_CLIENT_LOGO_URI || "https://inkeep.com/images/logos/inkeep-logo-blue.svg",
+      redirectBaseUrl: config.redirectBaseUrl || env.AGENTS_MANAGE_API_URL
+    };
+  }
+  /**
+   * Initiate OAuth flow for an MCP tool
+   */
+  async initiateOAuthFlow(params) {
+    const { tool, tenantId, projectId, toolId, baseUrl } = params;
+    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger4);
+    if (!oAuthConfig) {
+      throw new Error("OAuth not supported by this server");
+    }
+    const { codeVerifier, codeChallenge } = await this.generatePKCEInternal();
+    const redirectBaseUrl = baseUrl || this.defaultConfig.redirectBaseUrl;
+    const redirectUri = `${redirectBaseUrl}/oauth/callback`;
+    let clientId = this.defaultConfig.defaultClientId;
+    if (oAuthConfig.supportsDynamicRegistration && oAuthConfig.registrationUrl) {
+      clientId = await this.performDynamicClientRegistration(
+        oAuthConfig.registrationUrl,
+        redirectUri
+      );
+    }
+    const state = `tool_${toolId}`;
+    const authUrl = this.buildAuthorizationUrl({
+      oAuthConfig,
+      clientId,
+      redirectUri,
+      state,
+      codeChallenge,
+      resource: tool.config.mcp.server.url
+    });
+    storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId);
+    logger4.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
+    return {
+      redirectUrl: authUrl,
+      state
+    };
+  }
+  /**
+   * Exchange authorization code for access tokens
+   */
+  async exchangeCodeForTokens(params) {
+    const { code, codeVerifier, clientId, tool, baseUrl } = params;
+    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger4);
+    if (!oAuthConfig?.tokenUrl) {
+      throw new Error("Could not discover OAuth token endpoint");
+    }
+    const redirectBaseUrl = baseUrl || this.defaultConfig.redirectBaseUrl;
+    const redirectUri = `${redirectBaseUrl}/oauth/callback`;
+    let tokens;
+    try {
+      tokens = await this.exchangeWithOpenIdClient({
+        oAuthConfig,
+        clientId,
+        code,
+        codeVerifier,
+        redirectUri
+      });
+      logger4.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
+    } catch (error) {
+      logger4.warn(
+        { error: error instanceof Error ? error.message : error },
+        "openid-client failed, falling back to manual token exchange"
+      );
+      tokens = await this.exchangeManually({
+        oAuthConfig,
+        clientId,
+        code,
+        codeVerifier,
+        redirectUri
+      });
+      logger4.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
+    }
+    return { tokens, oAuthConfig };
+  }
+  /**
+   * Perform dynamic client registration
+   */
+  async performDynamicClientRegistration(registrationUrl, redirectUri) {
+    logger4.info({ registrationUrl }, "Attempting dynamic client registration");
+    try {
+      const registrationResponse = await fetch(registrationUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json"
+        },
+        body: JSON.stringify({
+          client_name: this.defaultConfig.clientName,
+          client_uri: this.defaultConfig.clientUri,
+          logo_uri: this.defaultConfig.logoUri,
+          redirect_uris: [redirectUri],
+          grant_types: ["authorization_code"],
+          response_types: ["code"],
+          token_endpoint_auth_method: "none",
+          // PKCE only, no client secret
+          application_type: "native"
+          // For PKCE flows
+        })
+      });
+      if (registrationResponse.ok) {
+        const registration = await registrationResponse.json();
+        logger4.info({ clientId: registration.client_id }, "Dynamic client registration successful");
+        return registration.client_id;
+      } else {
+        const errorText = await registrationResponse.text();
+        logger4.warn(
+          {
+            status: registrationResponse.status,
+            errorText
+          },
+          "Dynamic client registration failed, using default client_id"
+        );
+      }
+    } catch (regError) {
+      logger4.warn(
+        { error: regError },
+        "Dynamic client registration error, using default client_id"
+      );
+    }
+    return this.defaultConfig.defaultClientId;
+  }
+  /**
+   * Build authorization URL
+   */
+  buildAuthorizationUrl(params) {
+    const { oAuthConfig, clientId, redirectUri, state, codeChallenge, resource } = params;
+    const authUrl = new URL(oAuthConfig.authorizationUrl);
+    authUrl.searchParams.set("response_type", "code");
+    authUrl.searchParams.set("client_id", clientId);
+    authUrl.searchParams.set("redirect_uri", redirectUri);
+    authUrl.searchParams.set("state", state);
+    authUrl.searchParams.set("code_challenge", codeChallenge);
+    authUrl.searchParams.set("code_challenge_method", "S256");
+    authUrl.searchParams.set("resource", resource);
+    return authUrl.toString();
+  }
+  /**
+   * Exchange code using openid-client library
+   */
+  async exchangeWithOpenIdClient(params) {
+    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
+    const oauth = await import('openid-client');
+    const tokenUrl = new URL(oAuthConfig.tokenUrl);
+    const oauthServerUrl = `${tokenUrl.protocol}//${tokenUrl.host}`;
+    logger4.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
+    const config = await oauth.discovery(
+      new URL(oauthServerUrl),
+      clientId,
+      void 0
+      // No client secret for PKCE
+    );
+    const callbackUrl = new URL(
+      `${redirectUri}?${new URLSearchParams({ code, state: "unused" }).toString()}`
+    );
+    return await oauth.authorizationCodeGrant(config, callbackUrl, {
+      pkceCodeVerifier: codeVerifier
+    });
+  }
+  /**
+   * Internal PKCE generation
+   */
+  async generatePKCEInternal() {
+    const codeVerifier = Buffer.from(
+      Array.from(crypto.getRandomValues(new Uint8Array(32)))
+    ).toString("base64url");
+    const encoder = new TextEncoder();
+    const data = encoder.encode(codeVerifier);
+    const hash = await crypto.subtle.digest("SHA-256", data);
+    const codeChallenge = Buffer.from(hash).toString("base64url");
+    return { codeVerifier, codeChallenge };
+  }
+  /**
+   * Manual token exchange fallback
+   */
+  async exchangeManually(params) {
+    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
+    logger4.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
+    const tokenResponse = await fetch(oAuthConfig.tokenUrl, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Accept: "application/json"
+      },
+      body: new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: redirectUri,
+        client_id: clientId,
+        code_verifier: codeVerifier
+        // PKCE verification
+      })
+    });
+    if (!tokenResponse.ok) {
+      const errorText = await tokenResponse.text();
+      logger4.error(
+        {
+          status: tokenResponse.status,
+          statusText: tokenResponse.statusText,
+          ...process.env.NODE_ENV === "development" && { errorText },
+          clientId,
+          tokenUrl: oAuthConfig.tokenUrl
+        },
+        "Token exchange failed"
+      );
+      throw new Error("Authentication failed. Please try again or contact support.");
+    }
+    return await tokenResponse.json();
+  }
+};
+var oauthService = new OAuthService();
+
+// src/routes/oauth.ts
+async function findOrCreateCredential(tenantId, projectId, credentialData) {
+  try {
+    const existingCredential = await getCredentialReferenceWithTools(dbClient_default)({
+      scopes: { tenantId, projectId },
+      id: credentialData.id
+    });
+    if (existingCredential) {
+      const validatedCredential = CredentialReferenceApiSelectSchema.parse(existingCredential);
+      return validatedCredential;
+    }
+  } catch {
+  }
+  try {
+    const credential = await createCredentialReference(dbClient_default)({
+      ...credentialData,
+      tenantId,
+      projectId
+    });
+    const validatedCredential = CredentialReferenceApiSelectSchema.parse(credential);
+    return validatedCredential;
+  } catch (error) {
+    console.error("Failed to save credential to database:", error);
+    throw new Error(`Failed to save credential '${credentialData.id}' to database`);
+  }
+}
+var app17 = new OpenAPIHono();
+var logger5 = getLogger("oauth-callback");
+function getBaseUrlFromRequest(c) {
+  const url = new URL(c.req.url);
+  return `${url.protocol}//${url.host}`;
+}
+var OAuthLoginQuerySchema = z$1.object({
+  tenantId: z$1.string().min(1, "Tenant ID is required"),
+  projectId: z$1.string().min(1, "Project ID is required"),
+  toolId: z$1.string().min(1, "Tool ID is required")
+});
+var OAuthCallbackQuerySchema = z$1.object({
+  code: z$1.string().min(1, "Authorization code is required"),
+  state: z$1.string().min(1, "State parameter is required"),
+  error: z$1.string().optional(),
+  error_description: z$1.string().optional()
+});
+app17.openapi(
+  createRoute({
+    method: "get",
+    path: "/login",
+    summary: "Initiate OAuth login for MCP tool",
+    description: "Detects OAuth requirements and redirects to authorization server (public endpoint)",
+    operationId: "initiate-oauth-login-public",
+    tags: ["OAuth"],
+    request: {
+      query: OAuthLoginQuerySchema
+    },
+    responses: {
+      302: {
+        description: "Redirect to OAuth authorization server"
+      },
+      400: {
         description: "OAuth not supported or configuration error",
         content: {
-          "application/json": {
-            schema: ErrorResponseSchema
+          "text/html": {
+            schema: z$1.string()
           }
         }
       },
       404: {
         description: "Tool not found",
         content: {
-          "application/json": {
-            schema: ErrorResponseSchema
+          "text/html": {
+            schema: z$1.string()
           }
         }
       },
       500: {
         description: "Internal server error",
         content: {
-          "application/json": {
-            schema: ErrorResponseSchema
+          "text/html": {
+            schema: z$1.string()
           }
         }
       }
     }
   }),
   async (c) => {
-    const { tenantId, projectId, id } = c.req.valid("param");
+    const { tenantId, projectId, toolId } = c.req.valid("query");
     try {
-      const tool = await getToolById(dbClient_default)({ scopes: { tenantId, projectId }, toolId: id });
+      const tool = await getToolById(dbClient_default)({ scopes: { tenantId, projectId }, toolId });
       if (!tool) {
-        throw createApiError({
-          code: "not_found",
-          message: "Tool not found"
-        });
+        logger5.error({ toolId, tenantId, projectId }, "Tool not found for OAuth login");
+        return c.text("Tool not found", 404);
       }
       const credentialStores = c.get("credentialStores");
       const mcpTool = await dbResultToMcpTool(tool, dbClient_default, credentialStores);
+      const baseUrl = getBaseUrlFromRequest(c);
       const { redirectUrl } = await oauthService.initiateOAuthFlow({
         tool: mcpTool,
         tenantId,
         projectId,
-        toolId: id
+        toolId,
+        baseUrl
       });
       return c.redirect(redirectUrl, 302);
     } catch (error) {
-      logger4.error({ toolId: id, error }, "OAuth login failed");
-      if (error && typeof error === "object" && "code" in error) {
-        const apiError = error;
-        return c.json({ error: apiError.message }, apiError.code === "not_found" ? 404 : 400);
-      }
-      return c.json(
-        {
-          error: "Failed to initiate OAuth login"
-        },
-        500
-      );
+      logger5.error({ toolId, tenantId, projectId, error }, "OAuth login failed");
+      const errorMessage = error instanceof Error ? error.message : "Failed to initiate OAuth login";
+      return c.text(`OAuth Error: ${errorMessage}`, 500);
     }
   }
 );
-var tools_default = app15;
-
-// src/routes/index.ts
-var app16 = new OpenAPIHono();
-app16.route("/projects", projects_default);
-app16.route("/projects/:projectId/graphs/:graphId/agents", agents_default);
-app16.route("/projects/:projectId/graphs/:graphId/agent-relations", agentRelations_default);
-app16.route("/projects/:projectId/agent-graphs", agentGraph_default);
-app16.route("/projects/:projectId/graphs/:graphId/agent-tool-relations", agentToolRelations_default);
-app16.route("/projects/:projectId/graphs/:graphId/agent-artifact-components", agentArtifactComponents_default);
-app16.route("/projects/:projectId/graphs/:graphId/agent-data-components", agentDataComponents_default);
-app16.route("/projects/:projectId/artifact-components", artifactComponents_default);
-app16.route("/projects/:projectId/context-configs", contextConfigs_default);
-app16.route("/projects/:projectId/credentials", credentials_default);
-app16.route("/projects/:projectId/data-components", dataComponents_default);
-app16.route("/projects/:projectId/graphs/:graphId/external-agents", externalAgents_default);
-app16.route("/projects/:projectId/tools", tools_default);
-app16.route("/projects/:projectId/api-keys", apiKeys_default);
-app16.route("/projects/:projectId/graph", graphFull_default);
-var routes_default = app16;
-var app17 = new OpenAPIHono();
-var logger5 = getLogger("oauth-callback");
-var OAuthCallbackQuerySchema = z$1.object({
-  code: z$1.string().min(1, "Authorization code is required"),
-  state: z$1.string().min(1, "State parameter is required"),
-  error: z$1.string().optional(),
-  error_description: z$1.string().optional()
-});
 app17.openapi(
   createRoute({
     method: "get",
@@ -4128,59 +4156,62 @@ app17.openapi(
       logger5.info({ toolId }, "Exchanging authorization code for access token");
       const credentialStores = c.get("credentialStores");
       const mcpTool = await dbResultToMcpTool(tool, dbClient_default, credentialStores);
+      const baseUrl = getBaseUrlFromRequest(c);
       const { tokens } = await oauthService.exchangeCodeForTokens({
         code,
         codeVerifier,
         clientId,
-        tool: mcpTool
+        tool: mcpTool,
+        baseUrl
       });
       logger5.info(
         { toolId, tokenType: tokens.token_type, hasRefresh: !!tokens.refresh_token },
         "Token exchange successful"
       );
+      const credentialTokenKey = `oauth_token_${toolId}`;
+      let newCredentialData;
       const keychainStore = credentialStores.get("keychain-default");
-      const keychainKey = `oauth_token_${toolId}`;
-      await keychainStore?.set(keychainKey, JSON.stringify(tokens));
-      const credentialId = tool.name;
-      const existingCredential = await getCredentialReference(dbClient_default)({
-        scopes: { tenantId, projectId },
-        id: credentialId
-      });
-      const credentialData = {
-        type: CredentialStoreType.keychain,
-        credentialStoreId: "keychain-default",
-        retrievalParams: {
-          key: keychainKey
+      if (keychainStore) {
+        try {
+          await keychainStore.set(credentialTokenKey, JSON.stringify(tokens));
+          newCredentialData = {
+            id: mcpTool.name,
+            type: CredentialStoreType.keychain,
+            credentialStoreId: "keychain-default",
+            retrievalParams: {
+              key: credentialTokenKey
+            }
+          };
+        } catch {
         }
-      };
-      let credential;
-      if (existingCredential) {
-        logger5.info({ credentialId: existingCredential.id }, "Updating existing credential");
-        credential = await updateCredentialReference(dbClient_default)({
-          scopes: { tenantId, projectId },
-          id: existingCredential.id,
-          data: credentialData
-        });
-      } else {
-        logger5.info({ credentialId }, "Creating new credential");
-        credential = await createCredentialReference(dbClient_default)({
-          tenantId,
-          projectId,
-          id: credentialId,
-          ...credentialData
-        });
       }
-      if (!credential) {
-        throw new Error("Failed to create or update credential");
+      if (!newCredentialData && process.env.NANGO_SECRET_KEY) {
+        const nangoStore = credentialStores.get("nango-default");
+        await nangoStore?.set(credentialTokenKey, JSON.stringify(tokens));
+        newCredentialData = {
+          id: mcpTool.name,
+          type: CredentialStoreType.nango,
+          credentialStoreId: "nango-default",
+          retrievalParams: {
+            connectionId: credentialTokenKey,
+            providerConfigKey: credentialTokenKey,
+            provider: "private-api-bearer",
+            authMode: "API_KEY"
+          }
+        };
+      }
+      if (!newCredentialData) {
+        throw new Error("No credential store found");
       }
+      const newCredential = await findOrCreateCredential(tenantId, projectId, newCredentialData);
       await updateTool(dbClient_default)({
         scopes: { tenantId, projectId },
         toolId,
         data: {
-          credentialReferenceId: credential.id
+          credentialReferenceId: newCredential.id
         }
       });
-      logger5.info({ toolId, credentialId: credential.id }, "OAuth flow completed successfully");
+      logger5.info({ toolId, credentialId: newCredential.id }, "OAuth flow completed successfully");
       const successPage = `
         <!DOCTYPE html>
         <html>