@inkeep/agents-run-api 0.36.1 → 0.37.0

package/dist/{chunk-H2IQDFCM.js → chunk-2LBNQ773.js}

@@ -1,4 +1,4 @@
-import { env } from './chunk-UZXC6MEO.js';
+import { env } from './chunk-HUZGFAUJ.js';
 import { getLogger } from './chunk-A2S7GSHL.js';
 import { getNodeAutoInstrumentations } from '@opentelemetry/auto-instrumentations-node';
 import { BaggageSpanProcessor, ALLOW_ALL_BAGGAGE_KEYS } from '@opentelemetry/baggage-span-processor';

package/dist/{chunk-CWFQPSTI.js → chunk-D3AB2AZW.js}

@@ -1,4 +1,4 @@
-import { env } from './chunk-UZXC6MEO.js';
+import { env } from './chunk-HUZGFAUJ.js';
 import { F, u, R, x, T, h, U, L, or, C, Vr, ce, ur, P } from './chunk-SBJLXGYG.js';
 import { createDatabaseClient } from '@inkeep/agents-core';
 import * as schema from '@inkeep/agents-core/db/schema';

package/dist/{chunk-UZXC6MEO.js → chunk-HUZGFAUJ.js}

@@ -16,6 +16,7 @@ var envSchema = z.object({
   GOOGLE_GENERATIVE_AI_API_KEY: z.string().optional(),
   INKEEP_AGENTS_RUN_API_BYPASS_SECRET: z.string().optional(),
   INKEEP_AGENTS_JWT_SIGNING_SECRET: z.string().optional(),
+  INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY: z.string().optional(),
   OTEL_BSP_SCHEDULE_DELAY: z.coerce.number().optional().default(500),
   OTEL_BSP_MAX_EXPORT_BATCH_SIZE: z.coerce.number().optional().default(64)
 });

package/dist/{chunk-7C3GUAQD.js → chunk-OAAX46OE.js}

@@ -1,4 +1,4 @@
-import { dbClient_default } from './chunk-CWFQPSTI.js';
+import { dbClient_default } from './chunk-D3AB2AZW.js';
 import { CONVERSATION_HISTORY_DEFAULT_LIMIT } from './chunk-IVALDC72.js';
 import { CONVERSATION_HISTORY_MAX_OUTPUT_TOKENS_DEFAULT, createMessage, generateId, getConversationHistory } from '@inkeep/agents-core';
 
@@ -208,7 +208,7 @@ async function getConversationScopedArtifacts(params) {
       return [];
     }
     const { getLedgerArtifacts } = await import('@inkeep/agents-core');
-    const dbClient = (await import('./dbClient-XO7KFTE7.js')).default;
+    const dbClient = (await import('./dbClient-XK4IR7QF.js')).default;
     const visibleTaskIds = visibleMessages.map((msg) => msg.taskId).filter((taskId) => Boolean(taskId));
     const referenceArtifacts = [];
     for (const taskId of visibleTaskIds) {

package/dist/{conversations-ZCZG5434.js → conversations-YFQ52RQB.js}

@@ -1 +1 @@
-export { createDefaultConversationHistoryConfig, getConversationScopedArtifacts, getFormattedConversationHistory, getFullConversationContext, getScopedHistory, getUserFacingHistory, saveA2AMessageResponse } from './chunk-7C3GUAQD.js';
+export { createDefaultConversationHistoryConfig, getConversationScopedArtifacts, getFormattedConversationHistory, getFullConversationContext, getScopedHistory, getUserFacingHistory, saveA2AMessageResponse } from './chunk-OAAX46OE.js';

package/dist/dbClient-XK4IR7QF.js

@@ -0,0 +1 @@
+export { dbClient_default as default } from './chunk-D3AB2AZW.js';

package/dist/index.cjs

@@ -103,6 +103,7 @@ var init_env = __esm({
       GOOGLE_GENERATIVE_AI_API_KEY: z8.z.string().optional(),
       INKEEP_AGENTS_RUN_API_BYPASS_SECRET: z8.z.string().optional(),
       INKEEP_AGENTS_JWT_SIGNING_SECRET: z8.z.string().optional(),
+      INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY: z8.z.string().optional(),
       OTEL_BSP_SCHEDULE_DELAY: z8.z.coerce.number().optional().default(500),
       OTEL_BSP_MAX_EXPORT_BATCH_SIZE: z8.z.coerce.number().optional().default(64)
     });
@@ -7643,6 +7644,31 @@ function createExecutionContext(params) {
 
 // src/middleware/api-key-auth.ts
 var logger2 = agentsCore.getLogger("env-key-auth");
+async function tryAuthenticateWithTempJwt(apiKey, baseUrl, subAgentId) {
+  if (!apiKey.startsWith("eyJ") || !env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY) {
+    return null;
+  }
+  try {
+    const publicKeyPem = Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY, "base64").toString(
+      "utf-8"
+    );
+    const payload = await agentsCore.verifyTempToken(publicKeyPem, apiKey);
+    logger2.info({}, "JWT temp token authenticated successfully");
+    return createExecutionContext({
+      apiKey,
+      tenantId: payload.tenantId,
+      projectId: payload.projectId,
+      agentId: payload.agentId,
+      apiKeyId: "temp-jwt",
+      baseUrl,
+      subAgentId,
+      metadata: { initiatedBy: payload.initiatedBy }
+    });
+  } catch (error) {
+    logger2.debug({ error }, "JWT verification failed");
+    return null;
+  }
+}
 var apiKeyAuth = () => factory.createMiddleware(async (c2, next) => {
   if (c2.req.method === "OPTIONS") {
     await next();
@@ -7663,6 +7689,12 @@ var apiKeyAuth = () => factory.createMiddleware(async (c2, next) => {
     let executionContext;
     if (authHeader?.startsWith("Bearer ")) {
       const apiKey2 = authHeader.substring(7);
+      const jwtContext2 = await tryAuthenticateWithTempJwt(apiKey2, baseUrl, subAgentId);
+      if (jwtContext2) {
+        c2.set("executionContext", jwtContext2);
+        await next();
+        return;
+      }
       try {
         executionContext = await extractContextFromApiKey(apiKey2, baseUrl);
         if (subAgentId) {
@@ -7715,6 +7747,12 @@ var apiKeyAuth = () => factory.createMiddleware(async (c2, next) => {
     });
   }
   const apiKey = authHeader.substring(7);
+  const jwtContext = await tryAuthenticateWithTempJwt(apiKey, baseUrl, subAgentId);
+  if (jwtContext) {
+    c2.set("executionContext", jwtContext);
+    await next();
+    return;
+  }
   if (env.INKEEP_AGENTS_RUN_API_BYPASS_SECRET) {
     if (apiKey === env.INKEEP_AGENTS_RUN_API_BYPASS_SECRET) {
       if (!tenantId || !projectId || !agentId) {
@@ -7735,7 +7773,8 @@ var apiKeyAuth = () => factory.createMiddleware(async (c2, next) => {
       logger2.info({}, "Bypass secret authenticated successfully");
       await next();
       return;
-    } else if (apiKey) {
+    }
+    if (apiKey) {
       try {
         const executionContext = await extractContextFromApiKey(apiKey, baseUrl);
         if (subAgentId) {
@@ -7753,11 +7792,10 @@ var apiKeyAuth = () => factory.createMiddleware(async (c2, next) => {
       }
       await next();
       return;
-    } else {
-      throw new httpException.HTTPException(401, {
-        message: "Invalid Token"
-      });
     }
+    throw new httpException.HTTPException(401, {
+      message: "Invalid Token"
+    });
   }
   if (!apiKey || apiKey.length < 16) {
     throw new httpException.HTTPException(401, {
@@ -7906,6 +7944,19 @@ function setupOpenAPIRoutes(app6) {
           }
         ]
       });
+      document2.components = {
+        ...document2.components,
+        securitySchemes: {
+          ...document2.components?.securitySchemes || {},
+          bearerAuth: {
+            type: "http",
+            scheme: "bearer",
+            bearerFormat: "API Key",
+            description: 'API key authentication. All endpoints require a valid API key in the Authorization header as "Bearer <api-key>". API keys can be created in the management UI.'
+          }
+        }
+      };
+      document2.security = [{ bearerAuth: [] }];
       return c2.json(document2);
     } catch (error) {
       console.error("OpenAPI document generation failed:", error);
@@ -19137,7 +19188,15 @@ app3.openapi(chatDataStreamRoute, async (c2) => {
       );
     });
   } catch (error) {
-    logger26.error({ error }, "chatDataStream error");
+    logger26.error(
+      {
+        error,
+        errorMessage: error instanceof Error ? error.message : String(error),
+        errorStack: error instanceof Error ? error.stack : void 0,
+        errorType: error?.constructor?.name
+      },
+      "chatDataStream error - DETAILED"
+    );
     throw agentsCore.createApiError({
       code: "internal_server_error",
       message: "Failed to process chat completion"

package/dist/index.js

@@ -1,10 +1,10 @@
-import { flushBatchProcessor } from './chunk-H2IQDFCM.js';
-import { getFormattedConversationHistory, createDefaultConversationHistoryConfig, saveA2AMessageResponse } from './chunk-7C3GUAQD.js';
-import { dbClient_default } from './chunk-CWFQPSTI.js';
-import { env } from './chunk-UZXC6MEO.js';
+import { flushBatchProcessor } from './chunk-2LBNQ773.js';
+import { getFormattedConversationHistory, createDefaultConversationHistoryConfig, saveA2AMessageResponse } from './chunk-OAAX46OE.js';
+import { dbClient_default } from './chunk-D3AB2AZW.js';
+import { env } from './chunk-HUZGFAUJ.js';
 import { getLogger } from './chunk-A2S7GSHL.js';
 import { SESSION_CLEANUP_INTERVAL_MS, AGENT_EXECUTION_MAX_CONSECUTIVE_ERRORS, SESSION_TOOL_RESULT_CACHE_TIMEOUT_MS, STREAM_MAX_LIFETIME_MS, STREAM_BUFFER_MAX_SIZE_BYTES, STREAM_TEXT_GAP_THRESHOLD_MS, ARTIFACT_GENERATION_MAX_RETRIES, ARTIFACT_SESSION_MAX_PENDING, STATUS_UPDATE_DEFAULT_INTERVAL_SECONDS, STATUS_UPDATE_DEFAULT_NUM_EVENTS, ARTIFACT_SESSION_MAX_PREVIOUS_SUMMARIES, AGENT_EXECUTION_MAX_GENERATION_STEPS, FUNCTION_TOOL_SANDBOX_VCPUS_DEFAULT, FUNCTION_TOOL_EXECUTION_TIMEOUT_MS_DEFAULT, LLM_GENERATION_MAX_ALLOWED_TIMEOUT_MS, ARTIFACT_GENERATION_BACKOFF_INITIAL_MS, ARTIFACT_GENERATION_BACKOFF_MAX_MS, LLM_GENERATION_FIRST_CALL_TIMEOUT_MS_STREAMING, LLM_GENERATION_FIRST_CALL_TIMEOUT_MS_NON_STREAMING, LLM_GENERATION_SUBSEQUENT_CALL_TIMEOUT_MS, DELEGATION_TOOL_BACKOFF_MAX_ELAPSED_TIME_MS, DELEGATION_TOOL_BACKOFF_EXPONENT, DELEGATION_TOOL_BACKOFF_MAX_INTERVAL_MS, DELEGATION_TOOL_BACKOFF_INITIAL_INTERVAL_MS, STREAM_PARSER_MAX_SNAPSHOT_SIZE, STREAM_PARSER_MAX_STREAMED_SIZE, STREAM_PARSER_MAX_COLLECTED_PARTS } from './chunk-IVALDC72.js';
-import { getTracer, HeadersScopeSchema, getRequestExecutionContext, createApiError, getAgentWithDefaultSubAgent, contextValidationMiddleware, getConversationId, getFullAgent, createOrGetConversation, getActiveAgentForConversation, setActiveAgentForConversation, getSubAgentById, handleContextResolution, createMessage, generateId, commonGetErrorResponses, loggerFactory, createDefaultCredentialStores, CredentialStoreRegistry, createTask, getTask, updateTask, setSpanWithError, AGENT_EXECUTION_TRANSFER_COUNT_DEFAULT, updateConversation, handleApiError, TaskState, getAgentById, getProject, setActiveAgentForThread, getConversation, getRelatedAgentsForAgent, getExternalAgentsForSubAgent, getTeamAgentsForSubAgent, getToolsForAgent, getDataComponentsForAgent, getArtifactComponentsForAgent, dbResultToMcpTool, CONVERSATION_HISTORY_MAX_OUTPUT_TOKENS_DEFAULT, CONVERSATION_HISTORY_DEFAULT_LIMIT, validateAndGetApiKey, verifyServiceToken, validateTargetAgent, ContextResolver, CredentialStuffer, MCPServerType, getCredentialReference, McpClient, getFunctionToolsForSubAgent, getFunction, getContextConfigById, getFullAgentDefinition, TemplateEngine, listTaskIdsByContextId, getLedgerArtifacts, agentHasArtifactComponents, upsertLedgerArtifact, MCPTransportType, SPAN_KEYS, headers, generateServiceToken } from '@inkeep/agents-core';
+import { getTracer, HeadersScopeSchema, getRequestExecutionContext, createApiError, getAgentWithDefaultSubAgent, contextValidationMiddleware, getConversationId, getFullAgent, createOrGetConversation, getActiveAgentForConversation, setActiveAgentForConversation, getSubAgentById, handleContextResolution, createMessage, generateId, commonGetErrorResponses, loggerFactory, createDefaultCredentialStores, CredentialStoreRegistry, createTask, getTask, updateTask, setSpanWithError, AGENT_EXECUTION_TRANSFER_COUNT_DEFAULT, updateConversation, handleApiError, TaskState, getAgentById, getProject, setActiveAgentForThread, getConversation, getRelatedAgentsForAgent, getExternalAgentsForSubAgent, getTeamAgentsForSubAgent, getToolsForAgent, getDataComponentsForAgent, getArtifactComponentsForAgent, dbResultToMcpTool, CONVERSATION_HISTORY_MAX_OUTPUT_TOKENS_DEFAULT, CONVERSATION_HISTORY_DEFAULT_LIMIT, verifyTempToken, validateAndGetApiKey, verifyServiceToken, validateTargetAgent, ContextResolver, CredentialStuffer, MCPServerType, getCredentialReference, McpClient, getFunctionToolsForSubAgent, getFunction, getContextConfigById, getFullAgentDefinition, TemplateEngine, listTaskIdsByContextId, getLedgerArtifacts, agentHasArtifactComponents, upsertLedgerArtifact, MCPTransportType, SPAN_KEYS, headers, generateServiceToken } from '@inkeep/agents-core';
 import { otel } from '@hono/otel';
 import { OpenAPIHono, createRoute, z as z$1 } from '@hono/zod-openapi';
 import { trace, propagation, context, SpanStatusCode } from '@opentelemetry/api';
@@ -47,6 +47,31 @@ function createExecutionContext(params) {
 
 // src/middleware/api-key-auth.ts
 var logger = getLogger("env-key-auth");
+async function tryAuthenticateWithTempJwt(apiKey, baseUrl, subAgentId) {
+  if (!apiKey.startsWith("eyJ") || !env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY) {
+    return null;
+  }
+  try {
+    const publicKeyPem = Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY, "base64").toString(
+      "utf-8"
+    );
+    const payload = await verifyTempToken(publicKeyPem, apiKey);
+    logger.info({}, "JWT temp token authenticated successfully");
+    return createExecutionContext({
+      apiKey,
+      tenantId: payload.tenantId,
+      projectId: payload.projectId,
+      agentId: payload.agentId,
+      apiKeyId: "temp-jwt",
+      baseUrl,
+      subAgentId,
+      metadata: { initiatedBy: payload.initiatedBy }
+    });
+  } catch (error) {
+    logger.debug({ error }, "JWT verification failed");
+    return null;
+  }
+}
 var apiKeyAuth = () => createMiddleware(async (c, next) => {
   if (c.req.method === "OPTIONS") {
     await next();
@@ -67,6 +92,12 @@ var apiKeyAuth = () => createMiddleware(async (c, next) => {
     let executionContext;
     if (authHeader?.startsWith("Bearer ")) {
       const apiKey2 = authHeader.substring(7);
+      const jwtContext2 = await tryAuthenticateWithTempJwt(apiKey2, baseUrl, subAgentId);
+      if (jwtContext2) {
+        c.set("executionContext", jwtContext2);
+        await next();
+        return;
+      }
       try {
         executionContext = await extractContextFromApiKey(apiKey2, baseUrl);
         if (subAgentId) {
@@ -119,6 +150,12 @@ var apiKeyAuth = () => createMiddleware(async (c, next) => {
     });
   }
   const apiKey = authHeader.substring(7);
+  const jwtContext = await tryAuthenticateWithTempJwt(apiKey, baseUrl, subAgentId);
+  if (jwtContext) {
+    c.set("executionContext", jwtContext);
+    await next();
+    return;
+  }
   if (env.INKEEP_AGENTS_RUN_API_BYPASS_SECRET) {
     if (apiKey === env.INKEEP_AGENTS_RUN_API_BYPASS_SECRET) {
       if (!tenantId || !projectId || !agentId) {
@@ -139,7 +176,8 @@ var apiKeyAuth = () => createMiddleware(async (c, next) => {
       logger.info({}, "Bypass secret authenticated successfully");
       await next();
       return;
-    } else if (apiKey) {
+    }
+    if (apiKey) {
       try {
         const executionContext = await extractContextFromApiKey(apiKey, baseUrl);
         if (subAgentId) {
@@ -157,11 +195,10 @@ var apiKeyAuth = () => createMiddleware(async (c, next) => {
       }
       await next();
       return;
-    } else {
-      throw new HTTPException(401, {
-        message: "Invalid Token"
-      });
     }
+    throw new HTTPException(401, {
+      message: "Invalid Token"
+    });
   }
   if (!apiKey || apiKey.length < 16) {
     throw new HTTPException(401, {
@@ -307,6 +344,19 @@ function setupOpenAPIRoutes(app6) {
           }
         ]
       });
+      document.components = {
+        ...document.components,
+        securitySchemes: {
+          ...document.components?.securitySchemes || {},
+          bearerAuth: {
+            type: "http",
+            scheme: "bearer",
+            bearerFormat: "API Key",
+            description: 'API key authentication. All endpoints require a valid API key in the Authorization header as "Bearer <api-key>". API keys can be created in the management UI.'
+          }
+        }
+      };
+      document.security = [{ bearerAuth: [] }];
       return c.json(document);
     } catch (error) {
       console.error("OpenAPI document generation failed:", error);
@@ -7900,7 +7950,7 @@ var Agent = class {
       inputSchema: tool3.inputSchema || tool3.parameters || {},
       usageGuidelines: name.startsWith("transfer_to_") || name.startsWith("delegate_to_") ? `Use this tool to ${name.startsWith("transfer_to_") ? "transfer" : "delegate"} to another agent when appropriate.` : "Use this tool when appropriate for the task at hand."
     }));
-    const { getConversationScopedArtifacts } = await import('./conversations-ZCZG5434.js');
+    const { getConversationScopedArtifacts } = await import('./conversations-YFQ52RQB.js');
     const historyConfig = this.config.conversationHistoryConfig ?? createDefaultConversationHistoryConfig();
     const referenceArtifacts = await getConversationScopedArtifacts({
       tenantId: this.config.tenantId,
@@ -11459,7 +11509,15 @@ app3.openapi(chatDataStreamRoute, async (c) => {
       );
     });
   } catch (error) {
-    logger22.error({ error }, "chatDataStream error");
+    logger22.error(
+      {
+        error,
+        errorMessage: error instanceof Error ? error.message : String(error),
+        errorStack: error instanceof Error ? error.stack : void 0,
+        errorType: error?.constructor?.name
+      },
+      "chatDataStream error - DETAILED"
+    );
     throw createApiError({
       code: "internal_server_error",
       message: "Failed to process chat completion"

package/dist/instrumentation.cjs

@@ -27,6 +27,7 @@ var envSchema = zod.z.object({
   GOOGLE_GENERATIVE_AI_API_KEY: zod.z.string().optional(),
   INKEEP_AGENTS_RUN_API_BYPASS_SECRET: zod.z.string().optional(),
   INKEEP_AGENTS_JWT_SIGNING_SECRET: zod.z.string().optional(),
+  INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY: zod.z.string().optional(),
   OTEL_BSP_SCHEDULE_DELAY: zod.z.coerce.number().optional().default(500),
   OTEL_BSP_MAX_EXPORT_BATCH_SIZE: zod.z.coerce.number().optional().default(64)
 });

package/dist/instrumentation.js

@@ -1 +1 @@
-export { defaultBatchProcessor, defaultContextManager, defaultInstrumentations, defaultResource, defaultSDK, defaultSpanProcessors, defaultTextMapPropagator, flushBatchProcessor } from './chunk-H2IQDFCM.js';
+export { defaultBatchProcessor, defaultContextManager, defaultInstrumentations, defaultResource, defaultSDK, defaultSpanProcessors, defaultTextMapPropagator, flushBatchProcessor } from './chunk-2LBNQ773.js';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-run-api",
-  "version": "0.36.1",
+  "version": "0.37.0",
   "description": "Agents Run API for Inkeep Agent Framework - handles chat, agent execution, and streaming",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -48,18 +48,20 @@
     "fetch-to-node": "^2.1.0",
     "hono": "^4.10.4",
     "jmespath": "^0.16.0",
+    "jose": "^6.1.0",
     "json-schema-to-zod": "^2.6.1",
     "nanoid": "^5.1.5",
     "pino": "^9.11.0",
     "traverse": "^0.6.11",
     "ts-pattern": "^5.7.1",
     "zod": "4.1.5",
-    "@inkeep/agents-core": "^0.36.1"
+    "@inkeep/agents-core": "^0.37.0"
   },
   "optionalDependencies": {
     "keytar": "^7.9.0"
   },
   "devDependencies": {
+    "@electric-sql/pglite": "^0.3.13",
     "@hono/vite-dev-server": "^0.20.1",
     "@opentelemetry/exporter-trace-otlp-proto": "^0.203.0",
     "@opentelemetry/sdk-metrics": "^2.1.0",
@@ -73,8 +75,7 @@
     "typescript": "^5.3.3",
     "vite": "^7.1.11",
     "vite-tsconfig-paths": "^5.1.4",
-    "vitest": "^3.2.4",
-    "@electric-sql/pglite": "^0.3.13"
+    "vitest": "^3.2.4"
   },
   "engines": {
     "node": ">=22.0.0"

package/dist/dbClient-XO7KFTE7.js

@@ -1 +0,0 @@
-export { dbClient_default as default } from './chunk-CWFQPSTI.js';