@inkeep/agents-work-apps 0.0.0-dev-20260219033751 → 0.0.0-dev-20260219045007

package/dist/github/index.d.ts

@@ -4,10 +4,10 @@ import "./routes/setup.js";
 import "./routes/tokenExchange.js";
 import { WebhookVerificationResult, verifyWebhookSignature } from "./routes/webhooks.js";
 import { Hono } from "hono";
-import * as hono_types1 from "hono/types";
+import * as hono_types0 from "hono/types";
 
 //#region src/github/index.d.ts
-declare function createGithubRoutes(): Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
-declare const githubRoutes: Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
+declare function createGithubRoutes(): Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
+declare const githubRoutes: Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
 //#endregion
 export { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, GitHubAppConfig, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, WebhookVerificationResult, clearConfigCache, createAppJwt, createGithubRoutes, determineStatus, fetchInstallationDetails, fetchInstallationRepositories, generateInstallationAccessToken, getGitHubAppConfig, getGitHubAppName, getStateSigningSecret, getWebhookSecret, githubRoutes, isGitHubAppConfigured, isGitHubAppNameConfigured, isStateSigningConfigured, isWebhookConfigured, lookupInstallationForRepo, validateGitHubAppConfigOnStartup, validateGitHubInstallFlowConfigOnStartup, validateGitHubWebhookConfigOnStartup, verifyWebhookSignature };

package/dist/github/mcp/index.d.ts

@@ -1,11 +1,11 @@
 import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
+import * as hono_types9 from "hono/types";
 
 //#region src/github/mcp/index.d.ts
 declare const app: Hono<{
   Variables: {
     toolId: string;
   };
-}, hono_types5.BlankSchema, "/">;
+}, hono_types9.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/mcp/schemas.d.ts

@@ -76,8 +76,8 @@ declare const ChangedFileSchema: z.ZodObject<{
   path: z.ZodString;
   status: z.ZodEnum<{
     added: "added";
-    removed: "removed";
     modified: "modified";
+    removed: "removed";
     renamed: "renamed";
     copied: "copied";
     changed: "changed";

package/dist/github/routes/setup.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types0 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/github/routes/setup.d.ts
-declare const app: Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
+declare const app: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/tokenExchange.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types6 from "hono/types";
+import * as hono_types7 from "hono/types";
 
 //#region src/github/routes/tokenExchange.d.ts
-declare const app: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
+declare const app: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/webhooks.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types8 from "hono/types";
+import * as hono_types3 from "hono/types";
 
 //#region src/github/routes/webhooks.d.ts
 interface WebhookVerificationResult {
@@ -7,6 +7,6 @@ interface WebhookVerificationResult {
   error?: string;
 }
 declare function verifyWebhookSignature(payload: string, signature: string | undefined, secret: string): WebhookVerificationResult;
-declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
+declare const app: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
 //#endregion
 export { WebhookVerificationResult, app as default, verifyWebhookSignature };

package/dist/slack/middleware/permissions.js

@@ -4,6 +4,7 @@ import { findWorkspaceConnectionByTeamId } from "../services/nango.js";
 import { checkUserIsChannelMember, getSlackClient } from "../services/client.js";
 import { OrgRoles, createApiError, findWorkAppSlackUserMappingByInkeepUserId, getUserOrganizationsFromDb } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
+import { registerAuthzMeta } from "@inkeep/agents-core/middleware";
 
 //#region src/slack/middleware/permissions.ts
 const logger = getLogger("slack-permissions");
@@ -41,49 +42,57 @@ async function resolveWorkAppTenantContext(c, teamId, userId) {
 * Middleware that requires Inkeep org admin/owner role.
 * Use for workspace-level settings that only Inkeep organization admins can modify.
 */
-const requireWorkspaceAdmin = () => createMiddleware(async (c, next) => {
-	if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
+const requireWorkspaceAdmin = () => {
+	const mw = createMiddleware(async (c, next) => {
+		if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
+			await next();
+			return;
+		}
+		const userId = c.get("userId");
+		if (!userId) throw createApiError({
+			code: "unauthorized",
+			message: "User context not found",
+			instance: c.req.path
+		});
+		if (userId === "system" || userId.startsWith("apikey:")) {
+			await next();
+			return;
+		}
+		const teamId = c.req.param("teamId") || c.req.param("workspaceId");
+		if (teamId && !c.get("tenantRole")) await resolveWorkAppTenantContext(c, teamId, userId);
+		const tenantId = c.get("tenantId");
+		const tenantRole = c.get("tenantRole");
+		if (!tenantId) throw createApiError({
+			code: "unauthorized",
+			message: "Organization context not found",
+			instance: c.req.path
+		});
+		if (!isOrgAdmin(tenantRole)) {
+			logger.warn({
+				userId,
+				tenantId,
+				tenantRole,
+				path: c.req.path
+			}, "User does not have admin role for workspace operation");
+			throw createApiError({
+				code: "forbidden",
+				message: "Only organization administrators can modify workspace settings",
+				instance: c.req.path,
+				extensions: {
+					requiredRole: "admin or owner",
+					currentRole: tenantRole
+				}
+			});
+		}
 		await next();
-		return;
-	}
-	const userId = c.get("userId");
-	if (!userId) throw createApiError({
-		code: "unauthorized",
-		message: "User context not found",
-		instance: c.req.path
 	});
-	if (userId === "system" || userId.startsWith("apikey:")) {
-		await next();
-		return;
-	}
-	const teamId = c.req.param("teamId") || c.req.param("workspaceId");
-	if (teamId && !c.get("tenantRole")) await resolveWorkAppTenantContext(c, teamId, userId);
-	const tenantId = c.get("tenantId");
-	const tenantRole = c.get("tenantRole");
-	if (!tenantId) throw createApiError({
-		code: "unauthorized",
-		message: "Organization context not found",
-		instance: c.req.path
+	registerAuthzMeta(mw, {
+		resource: "organization",
+		permission: "admin",
+		description: "Requires Inkeep org admin/owner role to modify workspace settings"
 	});
-	if (!isOrgAdmin(tenantRole)) {
-		logger.warn({
-			userId,
-			tenantId,
-			tenantRole,
-			path: c.req.path
-		}, "User does not have admin role for workspace operation");
-		throw createApiError({
-			code: "forbidden",
-			message: "Only organization administrators can modify workspace settings",
-			instance: c.req.path,
-			extensions: {
-				requiredRole: "admin or owner",
-				currentRole: tenantRole
-			}
-		});
-	}
-	await next();
-});
+	return mw;
+};
 /**
 * Middleware that requires either:
 * 1. Org admin/owner role (can modify any channel), OR
@@ -91,77 +100,81 @@ const requireWorkspaceAdmin = () => createMiddleware(async (c, next) => {
 *
 * Use for channel-level settings where members can configure their own channels.
 */
-const requireChannelMemberOrAdmin = () => createMiddleware(async (c, next) => {
-	if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
-		await next();
-		return;
-	}
-	const userId = c.get("userId");
-	if (!userId) throw createApiError({
-		code: "unauthorized",
-		message: "User context not found",
-		instance: c.req.path
-	});
-	if (userId === "system" || userId.startsWith("apikey:")) {
-		await next();
-		return;
-	}
-	const teamId = c.req.param("teamId");
-	if (teamId && !c.get("tenantRole")) await resolveWorkAppTenantContext(c, teamId, userId);
-	const tenantId = c.get("tenantId");
-	const tenantRole = c.get("tenantRole");
-	if (!tenantId) throw createApiError({
-		code: "unauthorized",
-		message: "Organization context not found",
-		instance: c.req.path
-	});
-	if (isOrgAdmin(tenantRole)) {
-		await next();
-		return;
-	}
-	const channelId = c.req.param("channelId");
-	if (!teamId || !channelId) throw createApiError({
-		code: "bad_request",
-		message: "Team ID and Channel ID are required",
-		instance: c.req.path
-	});
-	const userMapping = (await findWorkAppSlackUserMappingByInkeepUserId(runDbClient_default)(userId)).find((m) => m.tenantId === tenantId && m.slackTeamId === teamId);
-	if (!userMapping) throw createApiError({
-		code: "forbidden",
-		message: "You must link your Slack account to modify channel settings. Use /inkeep link in Slack.",
-		instance: c.req.path
-	});
-	const workspace = await findWorkspaceConnectionByTeamId(teamId);
-	if (!workspace?.botToken) throw createApiError({
-		code: "not_found",
-		message: "Slack workspace not found or not properly configured",
-		instance: c.req.path
-	});
-	if (!await checkUserIsChannelMember(getSlackClient(workspace.botToken), channelId, userMapping.slackUserId)) {
-		logger.info({
+const requireChannelMemberOrAdmin = () => {
+	const mw = createMiddleware(async (c, next) => {
+		if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
+			await next();
+			return;
+		}
+		const userId = c.get("userId");
+		if (!userId) throw createApiError({
+			code: "unauthorized",
+			message: "User context not found",
+			instance: c.req.path
+		});
+		if (userId === "system" || userId.startsWith("apikey:")) {
+			await next();
+			return;
+		}
+		const teamId = c.req.param("teamId");
+		if (teamId && !c.get("tenantRole")) await resolveWorkAppTenantContext(c, teamId, userId);
+		const tenantId = c.get("tenantId");
+		const tenantRole = c.get("tenantRole");
+		if (!tenantId) throw createApiError({
+			code: "unauthorized",
+			message: "Organization context not found",
+			instance: c.req.path
+		});
+		if (isOrgAdmin(tenantRole)) {
+			await next();
+			return;
+		}
+		const channelId = c.req.param("channelId");
+		if (!teamId || !channelId) throw createApiError({
+			code: "bad_request",
+			message: "Team ID and Channel ID are required",
+			instance: c.req.path
+		});
+		const userMapping = (await findWorkAppSlackUserMappingByInkeepUserId(runDbClient_default)(userId)).find((m) => m.tenantId === tenantId && m.slackTeamId === teamId);
+		if (!userMapping) throw createApiError({
+			code: "forbidden",
+			message: "You must link your Slack account to modify channel settings. Use /inkeep link in Slack.",
+			instance: c.req.path
+		});
+		const workspace = await findWorkspaceConnectionByTeamId(teamId);
+		if (!workspace?.botToken) throw createApiError({
+			code: "not_found",
+			message: "Slack workspace not found or not properly configured",
+			instance: c.req.path
+		});
+		if (!await checkUserIsChannelMember(getSlackClient(workspace.botToken), channelId, userMapping.slackUserId)) {
+			logger.info({
+				userId,
+				slackUserId: userMapping.slackUserId,
+				channelId,
+				teamId
+			}, "User is not a member of the channel");
+			throw createApiError({
+				code: "forbidden",
+				message: "You can only configure channels you are a member of",
+				instance: c.req.path,
+				extensions: {
+					channelId,
+					reason: "not_channel_member"
+				}
+			});
+		}
+		logger.debug({
 			userId,
 			slackUserId: userMapping.slackUserId,
 			channelId,
 			teamId
-		}, "User is not a member of the channel");
-		throw createApiError({
-			code: "forbidden",
-			message: "You can only configure channels you are a member of",
-			instance: c.req.path,
-			extensions: {
-				channelId,
-				reason: "not_channel_member"
-			}
-		});
-	}
-	logger.debug({
-		userId,
-		slackUserId: userMapping.slackUserId,
-		channelId,
-		teamId
-	}, "User verified as channel member");
-	await next();
-});
+		}, "User verified as channel member");
+		await next();
+	});
+	registerAuthzMeta(mw, { description: "Requires Inkeep organization admin role, or Slack channel membership to modify channel settings" });
+	return mw;
+};
 
 //#endregion
 export { isOrgAdmin, requireChannelMemberOrAdmin, requireWorkspaceAdmin };

package/dist/slack/routes/oauth.js

@@ -5,9 +5,10 @@ import { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, deleteWork
 import { getSlackClient, getSlackTeamInfo, getSlackUserInfo } from "../services/client.js";
 import { getBotTokenForTeam, setBotTokenForTeam } from "../services/workspace-tokens.js";
 import "../services/index.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { createWorkAppSlackWorkspace } from "@inkeep/agents-core";
 import * as crypto$1 from "node:crypto";
+import { createProtectedRoute, noAuth } from "@inkeep/agents-core/middleware";
 
 //#region src/slack/routes/oauth.ts
 /**
@@ -70,7 +71,7 @@ function parseOAuthState(stateStr) {
 	}
 }
 const app = new OpenAPIHono();
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/install",
 	summary: "Install Slack App",
@@ -81,6 +82,7 @@ app.openapi(createRoute({
 		"Slack",
 		"OAuth"
 	],
+	permission: noAuth(),
 	request: { query: z.object({ tenant_id: z.string().optional() }) },
 	responses: { 302: { description: "Redirect to Slack OAuth" } }
 }), (c) => {
@@ -115,7 +117,7 @@ app.openapi(createRoute({
 	}, "Redirecting to Slack OAuth");
 	return c.redirect(slackAuthUrl.toString());
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/oauth_redirect",
 	summary: "Slack OAuth Callback",
@@ -126,6 +128,7 @@ app.openapi(createRoute({
 		"Slack",
 		"OAuth"
 	],
+	permission: noAuth(),
 	request: { query: z.object({
 		code: z.string().optional(),
 		error: z.string().optional(),

package/dist/slack/routes/users.js

@@ -2,8 +2,9 @@ import { getLogger } from "../../logger.js";
 import runDbClient_default from "../../db/runDbClient.js";
 import { createConnectSession } from "../services/nango.js";
 import "../services/index.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { createWorkAppSlackUserMapping, deleteWorkAppSlackUserMapping, findWorkAppSlackUserMapping, findWorkAppSlackUserMappingByInkeepUserId, verifySlackLinkToken } from "@inkeep/agents-core";
+import { createProtectedRoute, inheritedWorkAppsAuth } from "@inkeep/agents-core/middleware";
 
 //#region src/slack/routes/users.ts
 /**
@@ -29,7 +30,7 @@ function isAuthorizedForUser(c, requestedUserId) {
 	return false;
 }
 const app = new OpenAPIHono();
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/link-status",
 	summary: "Check Link Status",
@@ -40,6 +41,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Users"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { query: z.object({
 		slackUserId: z.string(),
 		slackTeamId: z.string(),
@@ -67,7 +69,7 @@ app.openapi(createRoute({
 	});
 	return c.json({ linked: false });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/link/verify-token",
 	summary: "Verify Link Token",
@@ -78,6 +80,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Users"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { body: { content: { "application/json": { schema: z.object({
 		token: z.string().min(1),
 		userId: z.string().min(1),
@@ -171,7 +174,7 @@ app.openapi(createRoute({
 		return c.json({ error: "Failed to verify link. Please try again." }, 500);
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/connect",
 	summary: "Create Nango Connect Session",
@@ -182,6 +185,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Users"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { body: { content: { "application/json": { schema: z.object({
 		userId: z.string().describe("Inkeep user ID"),
 		userEmail: z.string().optional().describe("User email"),
@@ -217,7 +221,7 @@ app.openapi(createRoute({
 	if (!session) return c.json({ error: "Failed to create session" }, 500);
 	return c.json(session);
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/disconnect",
 	summary: "Disconnect User",
@@ -228,6 +232,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Users"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { body: { content: { "application/json": { schema: z.object({
 		userId: z.string().optional().describe("Inkeep user ID"),
 		slackUserId: z.string().optional().describe("Slack user ID"),
@@ -285,7 +290,7 @@ app.openapi(createRoute({
 		return c.json({ error: "Failed to disconnect" }, 500);
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/status",
 	summary: "Get Connection Status",
@@ -296,6 +301,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Users"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { query: z.object({ userId: z.string().describe("Inkeep user ID") }) },
 	responses: {
 		200: {

package/dist/slack/routes/workspaces.js

@@ -4,8 +4,9 @@ import { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, deleteWork
 import { getSlackChannels, getSlackClient, revokeSlackToken } from "../services/client.js";
 import "../services/index.js";
 import { requireChannelMemberOrAdmin, requireWorkspaceAdmin } from "../middleware/permissions.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { deleteAllWorkAppSlackChannelAgentConfigsByTeam, deleteAllWorkAppSlackUserMappingsByTeam, deleteWorkAppSlackChannelAgentConfig, deleteWorkAppSlackWorkspaceByNangoConnectionId, findWorkAppSlackChannelAgentConfig, listWorkAppSlackChannelAgentConfigsByTeam, listWorkAppSlackUserMappingsByTeam, upsertWorkAppSlackChannelAgentConfig } from "@inkeep/agents-core";
+import { createProtectedRoute, inheritedWorkAppsAuth } from "@inkeep/agents-core/middleware";
 
 //#region src/slack/routes/workspaces.ts
 /**
@@ -39,22 +40,6 @@ function verifyTenantOwnership(c, workspaceTenantId) {
 	return sessionTenantId === workspaceTenantId;
 }
 const app = new OpenAPIHono();
-app.use("/:teamId/settings", async (c, next) => {
-	if (c.req.method === "PUT") return requireWorkspaceAdmin()(c, next);
-	return next();
-});
-app.use("/:teamId", async (c, next) => {
-	if (c.req.method === "DELETE") return requireWorkspaceAdmin()(c, next);
-	return next();
-});
-app.use("/:teamId/channels/:channelId/settings", async (c, next) => {
-	if (c.req.method === "PUT" || c.req.method === "DELETE") return requireChannelMemberOrAdmin()(c, next);
-	return next();
-});
-app.use("/:teamId/test-message", async (c, next) => {
-	if (c.req.method === "POST") return requireWorkspaceAdmin()(c, next);
-	return next();
-});
 const ChannelAgentConfigSchema = z.object({
 	projectId: z.string(),
 	agentId: z.string(),
@@ -62,7 +47,7 @@ const ChannelAgentConfigSchema = z.object({
 	projectName: z.string().optional()
 });
 const WorkspaceSettingsSchema = z.object({ defaultAgent: ChannelAgentConfigSchema.optional() });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/",
 	summary: "List Workspaces",
@@ -73,6 +58,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Workspaces"
 	],
+	permission: inheritedWorkAppsAuth(),
 	responses: { 200: {
 		description: "List of workspaces",
 		content: { "application/json": { schema: z.object({ workspaces: z.array(z.object({
@@ -111,7 +97,7 @@ app.openapi(createRoute({
 		return c.json({ workspaces: [] });
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{teamId}",
 	summary: "Get Workspace",
@@ -122,6 +108,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Workspaces"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { params: z.object({ teamId: z.string() }) },
 	responses: {
 		200: {
@@ -155,7 +142,7 @@ app.openapi(createRoute({
 		defaultAgent
 	});
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{teamId}/settings",
 	summary: "Get Workspace Settings",
@@ -166,6 +153,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Workspaces"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { params: z.object({ teamId: z.string() }) },
 	responses: { 200: {
 		description: "Workspace settings",
@@ -188,7 +176,7 @@ app.openapi(createRoute({
 	};
 	return c.json({ defaultAgent });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "put",
 	path: "/{teamId}/settings",
 	summary: "Update Workspace Settings",
@@ -199,6 +187,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Workspaces"
 	],
+	permission: requireWorkspaceAdmin(),
 	request: {
 		params: z.object({ teamId: z.string() }),
 		body: { content: { "application/json": { schema: WorkspaceSettingsSchema } } }
@@ -232,7 +221,7 @@ app.openapi(createRoute({
 	}
 	return c.json({ success: true });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "delete",
 	path: "/{teamId}",
 	summary: "Uninstall Workspace",
@@ -243,6 +232,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Workspaces"
 	],
+	permission: requireWorkspaceAdmin(),
 	request: { params: z.object({ teamId: z.string() }) },
 	responses: {
 		200: {
@@ -301,7 +291,7 @@ app.openapi(createRoute({
 		return c.json({ error: "Failed to uninstall workspace" }, 500);
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{teamId}/channels",
 	summary: "List Channels",
@@ -312,6 +302,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Channels"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: {
 		params: z.object({ teamId: z.string() }),
 		query: z.object({
@@ -385,7 +376,7 @@ app.openapi(createRoute({
 		return c.json({ error: "Failed to list channels" }, 500);
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{teamId}/channels/{channelId}/settings",
 	summary: "Get Channel Settings",
@@ -396,6 +387,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Channels"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { params: z.object({
 		teamId: z.string(),
 		channelId: z.string()
@@ -428,7 +420,7 @@ app.openapi(createRoute({
 		} : void 0
 	});
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "put",
 	path: "/{teamId}/channels/{channelId}/settings",
 	summary: "Set Channel Default Agent",
@@ -439,6 +431,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Channels"
 	],
+	permission: requireChannelMemberOrAdmin(),
 	request: {
 		params: z.object({
 			teamId: z.string(),
@@ -490,11 +483,7 @@ app.openapi(createRoute({
 		configId: config.id
 	});
 });
-app.use("/:teamId/channels/bulk", async (c, next) => {
-	if (c.req.method === "PUT" || c.req.method === "DELETE") return requireWorkspaceAdmin()(c, next);
-	return next();
-});
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "put",
 	path: "/{teamId}/channels/bulk",
 	summary: "Bulk Set Channel Agents",
@@ -505,6 +494,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Channels"
 	],
+	permission: requireWorkspaceAdmin(),
 	request: {
 		params: z.object({ teamId: z.string() }),
 		body: { content: { "application/json": { schema: z.object({
@@ -591,7 +581,7 @@ app.openapi(createRoute({
 		errors: errors.length > 0 ? errors : void 0
 	});
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "delete",
 	path: "/{teamId}/channels/bulk",
 	summary: "Bulk Remove Channel Configs",
@@ -602,6 +592,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Channels"
 	],
+	permission: requireWorkspaceAdmin(),
 	request: {
 		params: z.object({ teamId: z.string() }),
 		body: { content: { "application/json": { schema: z.object({ channelIds: z.array(z.string()).min(1) }) } } }
@@ -638,7 +629,7 @@ app.openapi(createRoute({
 		removed
 	});
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "delete",
 	path: "/{teamId}/channels/{channelId}/settings",
 	summary: "Remove Channel Config",
@@ -649,6 +640,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Channels"
 	],
+	permission: requireChannelMemberOrAdmin(),
 	request: { params: z.object({
 		teamId: z.string(),
 		channelId: z.string()
@@ -673,7 +665,7 @@ app.openapi(createRoute({
 	}, "Removed channel agent config");
 	return c.json({ success: deleted });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{teamId}/users",
 	summary: "List Linked Users",
@@ -684,6 +676,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Users"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { params: z.object({ teamId: z.string() }) },
 	responses: { 200: {
 		description: "List of linked users",
@@ -723,7 +716,7 @@ app.openapi(createRoute({
 		lastUsedAt: link.lastUsedAt || void 0
 	})) });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{teamId}/health",
 	summary: "Check Workspace Health",
@@ -734,6 +727,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Workspaces"
 	],
+	permission: inheritedWorkAppsAuth(),
 	request: { params: z.object({ teamId: z.string() }) },
 	responses: {
 		200: {
@@ -819,7 +813,7 @@ app.openapi(createRoute({
 		});
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/{teamId}/test-message",
 	summary: "Send Test Message",
@@ -830,6 +824,7 @@ app.openapi(createRoute({
 		"Slack",
 		"Workspaces"
 	],
+	permission: requireWorkspaceAdmin(),
 	request: {
 		params: z.object({ teamId: z.string() }),
 		body: { content: { "application/json": { schema: z.object({

package/dist/slack/services/events/utils.d.ts

@@ -8,9 +8,9 @@ import { AgentOption } from "../modals.js";
  * Called on every @mention and /inkeep command — caching avoids redundant DB queries.
  */
 declare function findCachedUserMapping(tenantId: string, slackUserId: string, teamId: string, clientId?: string): Promise<{
-  id: string;
   createdAt: string;
   updatedAt: string;
+  id: string;
   tenantId: string;
   clientId: string;
   slackUserId: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-work-apps",
-  "version": "0.0.0-dev-20260219033751",
+  "version": "0.0.0-dev-20260219045007",
   "description": "First party integrations for Inkeep Agents",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",
@@ -33,7 +33,7 @@
     "jose": "^6.1.0",
     "minimatch": "^10.1.1",
     "slack-block-builder": "^2.8.0",
-    "@inkeep/agents-core": "0.0.0-dev-20260219033751"
+    "@inkeep/agents-core": "0.0.0-dev-20260219045007"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",