@inkeep/agents-work-apps 0.47.5 → 0.48.1

package/dist/env.d.ts

@@ -14,11 +14,11 @@ declare const envSchema: z.ZodObject<{
     pentest: "pentest";
   }>>;
   LOG_LEVEL: z.ZodDefault<z.ZodEnum<{
-    error: "error";
     trace: "trace";
     debug: "debug";
     info: "info";
     warn: "warn";
+    error: "error";
   }>>;
   INKEEP_AGENTS_RUN_DATABASE_URL: z.ZodString;
   INKEEP_AGENTS_MANAGE_UI_URL: z.ZodOptional<z.ZodString>;
@@ -28,11 +28,22 @@ declare const envSchema: z.ZodObject<{
   GITHUB_STATE_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
   GITHUB_APP_NAME: z.ZodOptional<z.ZodString>;
   GITHUB_MCP_API_KEY: z.ZodOptional<z.ZodString>;
+  SLACK_CLIENT_ID: z.ZodOptional<z.ZodString>;
+  SLACK_CLIENT_SECRET: z.ZodOptional<z.ZodString>;
+  SLACK_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
+  SLACK_BOT_TOKEN: z.ZodOptional<z.ZodString>;
+  SLACK_APP_URL: z.ZodOptional<z.ZodString>;
+  NANGO_SECRET_KEY: z.ZodOptional<z.ZodString>;
+  NANGO_SLACK_SECRET_KEY: z.ZodOptional<z.ZodString>;
+  NANGO_SLACK_INTEGRATION_ID: z.ZodOptional<z.ZodString>;
+  NANGO_SERVER_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_JWT_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_API_URL: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const env: {
   NODE_ENV: "development" | "production" | "test";
   ENVIRONMENT: "development" | "production" | "test" | "pentest";
-  LOG_LEVEL: "error" | "trace" | "debug" | "info" | "warn";
+  LOG_LEVEL: "trace" | "debug" | "info" | "warn" | "error";
   INKEEP_AGENTS_RUN_DATABASE_URL: string;
   INKEEP_AGENTS_MANAGE_UI_URL?: string | undefined;
   GITHUB_APP_ID?: string | undefined;
@@ -41,6 +52,17 @@ declare const env: {
   GITHUB_STATE_SIGNING_SECRET?: string | undefined;
   GITHUB_APP_NAME?: string | undefined;
   GITHUB_MCP_API_KEY?: string | undefined;
+  SLACK_CLIENT_ID?: string | undefined;
+  SLACK_CLIENT_SECRET?: string | undefined;
+  SLACK_SIGNING_SECRET?: string | undefined;
+  SLACK_BOT_TOKEN?: string | undefined;
+  SLACK_APP_URL?: string | undefined;
+  NANGO_SECRET_KEY?: string | undefined;
+  NANGO_SLACK_SECRET_KEY?: string | undefined;
+  NANGO_SLACK_INTEGRATION_ID?: string | undefined;
+  NANGO_SERVER_URL?: string | undefined;
+  INKEEP_AGENTS_JWT_SIGNING_SECRET?: string | undefined;
+  INKEEP_AGENTS_API_URL?: string | undefined;
 };
 type Env = z.infer<typeof envSchema>;
 //#endregion

package/dist/env.js

@@ -22,14 +22,25 @@ const envSchema = z.object({
 		"warn",
 		"error"
 	]).default("info").describe("Logging verbosity level"),
-	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().describe("PostgreSQL connection URL for the runtime database (Doltgres with Git version control)"),
+	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().describe("PostgreSQL connection URL for the runtime database"),
 	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional().describe("URL where the management UI is hosted"),
 	GITHUB_APP_ID: z.string().optional().describe("GitHub App ID for GitHub integration"),
 	GITHUB_APP_PRIVATE_KEY: z.string().optional().describe("GitHub App private key for authentication"),
 	GITHUB_WEBHOOK_SECRET: z.string().optional().describe("Secret for validating GitHub webhook payloads"),
 	GITHUB_STATE_SIGNING_SECRET: z.string().min(32, "GITHUB_STATE_SIGNING_SECRET must be at least 32 characters").optional().describe("Secret for signing GitHub OAuth state (minimum 32 characters)"),
 	GITHUB_APP_NAME: z.string().optional().describe("Name of the GitHub App"),
-	GITHUB_MCP_API_KEY: z.string().optional().describe("API key for the GitHub MCP")
+	GITHUB_MCP_API_KEY: z.string().optional().describe("API key for the GitHub MCP"),
+	SLACK_CLIENT_ID: z.string().optional().describe("Slack App Client ID"),
+	SLACK_CLIENT_SECRET: z.string().optional().describe("Slack App Client Secret"),
+	SLACK_SIGNING_SECRET: z.string().optional().describe("Slack App Signing Secret"),
+	SLACK_BOT_TOKEN: z.string().optional().describe("Slack Bot Token (for testing)"),
+	SLACK_APP_URL: z.string().optional().describe("Slack App Install URL"),
+	NANGO_SECRET_KEY: z.string().optional().describe("Nango Secret Key"),
+	NANGO_SLACK_SECRET_KEY: z.string().optional().describe("Nango Slack-specific Secret Key"),
+	NANGO_SLACK_INTEGRATION_ID: z.string().optional().describe("Nango Slack Integration ID"),
+	NANGO_SERVER_URL: z.string().optional().describe("Nango Server URL"),
+	INKEEP_AGENTS_JWT_SIGNING_SECRET: z.string().optional().describe("JWT signing secret shared with agents-api. Required in production (min 32 chars). Used for Slack user tokens and link tokens."),
+	INKEEP_AGENTS_API_URL: z.string().optional().describe("Inkeep Agents API URL")
 });
 const parseEnv = () => {
 	try {

package/dist/github/mcp/index.d.ts

@@ -1,11 +1,11 @@
 import { Hono } from "hono";
-import * as hono_types3 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/github/mcp/index.d.ts
 declare const app: Hono<{
   Variables: {
     toolId: string;
   };
-}, hono_types3.BlankSchema, "/">;
+}, hono_types5.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/mcp/index.js

@@ -108,8 +108,9 @@ const getServer = async (toolId) => {
 		owner: z.string().describe("Repository owner name"),
 		repo: z.string().describe("Repository name"),
 		file_path: z.string().describe("Path to the file. the path is relative to the root of the repository"),
-		branch_name: z.string().optional().describe("The name of the branch to get the file content for (defaults to master/main branch). If you are analyzing a pr you created, you should use the branch name from the pr.")
-	}, async ({ owner, repo, file_path, branch_name }) => {
+		branch_name: z.string().optional().describe("The name of the branch to get the file content for (defaults to master/main branch). If you are analyzing a pr you created, you should use the branch name from the pr."),
+		include_line_numbers: z.boolean().optional().describe("Whether to include line numbers in the response (defaults to false)")
+	}, async ({ owner, repo, file_path, branch_name, include_line_numbers = false }) => {
 		try {
 			let githubClient;
 			try {
@@ -130,14 +131,20 @@ const getServer = async (toolId) => {
 				ref: branch_name
 			});
 			if ("content" in response.data && !Array.isArray(response.data)) {
-				const fileData = response.data;
-				const output_mapping = Buffer.from(fileData.content, "base64").toString("utf-8").split("\n").map((line, index) => ({
-					line: index + 1,
-					content: line
-				}));
+				if (include_line_numbers) {
+					const fileData = response.data;
+					const output_mapping = Buffer.from(fileData.content, "base64").toString("utf-8").split("\n").map((line, index) => ({
+						line: index + 1,
+						content: line
+					}));
+					return { content: [{
+						type: "text",
+						text: JSON.stringify(output_mapping)
+					}] };
+				}
 				return { content: [{
 					type: "text",
-					text: JSON.stringify(output_mapping)
+					text: Buffer.from(response.data.content, "base64").toString("utf-8")
 				}] };
 			}
 			return {
@@ -665,40 +672,22 @@ const getServer = async (toolId) => {
 	});
 	return server;
 };
-const SERVER_CACHE_TTL_MS = 300 * 1e3;
-const SERVER_CACHE_MAX_SIZE = 100;
-const serverCache = /* @__PURE__ */ new Map();
-const getCachedServer = async (toolId) => {
-	const cached = serverCache.get(toolId);
-	if (cached && cached.expiresAt > Date.now()) {
-		serverCache.delete(toolId);
-		serverCache.set(toolId, cached);
-		return cached.server;
-	}
-	serverCache.delete(toolId);
-	const server = await getServer(toolId);
-	serverCache.set(toolId, {
-		server,
-		expiresAt: Date.now() + SERVER_CACHE_TTL_MS
-	});
-	if (serverCache.size > SERVER_CACHE_MAX_SIZE) {
-		const firstKey = serverCache.keys().next().value;
-		if (firstKey !== void 0) serverCache.delete(firstKey);
-	}
-	return server;
-};
 const app = new Hono();
 app.use("/", githubMcpAuth());
 app.post("/", async (c) => {
 	if (!process.env.GITHUB_APP_ID || !process.env.GITHUB_APP_PRIVATE_KEY) return c.json({ error: "GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY must be set" }, 500);
 	const toolId = c.get("toolId");
 	const body = await c.req.json();
-	const server = await getCachedServer(toolId);
+	const server = await getServer(toolId);
 	const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: void 0 });
-	server.connect(transport);
+	await server.connect(transport);
 	const { req, res } = toReqRes(c.req.raw);
-	await transport.handleRequest(req, res, body);
-	return toFetchResponse(res);
+	try {
+		await transport.handleRequest(req, res, body);
+		return toFetchResponse(res);
+	} finally {
+		await server.close();
+	}
 });
 app.delete("/", async (c) => {
 	return c.json({

package/dist/github/routes/setup.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types4 from "hono/types";
+import * as hono_types6 from "hono/types";
 
 //#region src/github/routes/setup.d.ts
-declare const app: Hono<hono_types4.BlankEnv, hono_types4.BlankSchema, "/">;
+declare const app: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/github/routes/webhooks.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import * as hono_types6 from "hono/types";
+import * as hono_types3 from "hono/types";
 
 //#region src/github/routes/webhooks.d.ts
 interface WebhookVerificationResult {
@@ -7,6 +7,6 @@ interface WebhookVerificationResult {
   error?: string;
 }
 declare function verifyWebhookSignature(payload: string, signature: string | undefined, secret: string): WebhookVerificationResult;
-declare const app: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
+declare const app: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
 //#endregion
 export { WebhookVerificationResult, app as default, verifyWebhookSignature };

package/dist/slack/i18n/index.d.ts

@@ -0,0 +1,2 @@
+import { SlackStrings, SlackStringsType } from "./strings.js";
+export { SlackStrings, type SlackStringsType };

package/dist/slack/i18n/index.js

@@ -0,0 +1,3 @@
+import { SlackStrings } from "./strings.js";
+
+export { SlackStrings };

package/dist/slack/i18n/strings.d.ts

@@ -0,0 +1,73 @@
+//#region src/slack/i18n/strings.d.ts
+/**
+ * Slack UI/UX Internationalization Strings
+ *
+ * Centralized strings for all Slack-facing UI text.
+ * Update this file to change text across the entire Slack integration.
+ */
+declare const SlackStrings: {
+  readonly buttons: {
+    readonly triggerAgent: "Trigger Agent";
+    readonly send: "Send";
+    readonly followUp: "Follow Up";
+    readonly cancel: "Cancel";
+    readonly openDashboard: "⚙️ Open Dashboard";
+  };
+  readonly modals: {
+    readonly triggerAgent: "Trigger Agent";
+    readonly triggerAgentThread: "Trigger Agent (Thread)";
+    readonly askAboutMessage: "Ask About Message";
+    readonly followUp: "Follow Up";
+  };
+  readonly labels: {
+    readonly project: "Project";
+    readonly agent: "Agent";
+    readonly prompt: "Prompt";
+    readonly additionalInstructions: "Additional Instructions";
+    readonly context: "Context";
+  };
+  readonly placeholders: {
+    readonly selectProject: "Select a project...";
+    readonly selectAgent: "Select an agent...";
+    readonly enterPrompt: "Enter your prompt or question...";
+    readonly additionalInstructionsOptional: "Additional instructions (optional)...";
+    readonly additionalInstructionsMessage: "Additional instructions or question about this message...";
+  };
+  readonly visibility: {
+    readonly includeThreadContext: "Include thread context";
+  };
+  readonly context: {
+    readonly poweredBy: (agentName: string) => string;
+    readonly privateResponse: "_Private response_";
+  };
+  readonly usage: {
+    readonly mentionEmpty: string;
+  };
+  readonly status: {
+    readonly thinking: (agentName: string) => string;
+    readonly noAgentsAvailable: "No agents available";
+    readonly noProjectsConfigured: "⚙️ No projects configured. Please set up projects in the dashboard.";
+  };
+  readonly errors: {
+    readonly generic: "Sorry, something went wrong. Please try again.";
+    readonly failedToOpenSelector: "❌ Failed to open agent selector. Please try again.";
+  };
+  readonly help: {
+    readonly title: "Inkeep — How to Use";
+    readonly publicSection: string;
+    readonly privateSection: string;
+    readonly otherCommands: string;
+  };
+  readonly agentList: {
+    readonly title: "🤖 Available Agents";
+    readonly usage: "Usage:";
+    readonly runUsage: "`/inkeep run \"agent name\" question` - Run a specific agent";
+    readonly andMore: (count: number) => string;
+  };
+  readonly messageContext: {
+    readonly label: "Message:";
+  };
+};
+type SlackStringsType = typeof SlackStrings;
+//#endregion
+export { SlackStrings, SlackStringsType };

package/dist/slack/i18n/strings.js

@@ -0,0 +1,67 @@
+//#region src/slack/i18n/strings.ts
+/**
+* Slack UI/UX Internationalization Strings
+*
+* Centralized strings for all Slack-facing UI text.
+* Update this file to change text across the entire Slack integration.
+*/
+const SlackStrings = {
+	buttons: {
+		triggerAgent: "Trigger Agent",
+		send: "Send",
+		followUp: "Follow Up",
+		cancel: "Cancel",
+		openDashboard: "⚙️ Open Dashboard"
+	},
+	modals: {
+		triggerAgent: "Trigger Agent",
+		triggerAgentThread: "Trigger Agent (Thread)",
+		askAboutMessage: "Ask About Message",
+		followUp: "Follow Up"
+	},
+	labels: {
+		project: "Project",
+		agent: "Agent",
+		prompt: "Prompt",
+		additionalInstructions: "Additional Instructions",
+		context: "Context"
+	},
+	placeholders: {
+		selectProject: "Select a project...",
+		selectAgent: "Select an agent...",
+		enterPrompt: "Enter your prompt or question...",
+		additionalInstructionsOptional: "Additional instructions (optional)...",
+		additionalInstructionsMessage: "Additional instructions or question about this message..."
+	},
+	visibility: { includeThreadContext: "Include thread context" },
+	context: {
+		poweredBy: (agentName) => `Powered by *${agentName}* via Inkeep`,
+		privateResponse: "_Private response_"
+	},
+	usage: { mentionEmpty: "*To use your Inkeep agent, include a message:*\n\n• `@Inkeep <message>` — Send a message to your agent (reply appears in a thread)\n• `@Inkeep <message>` in a thread — Includes the thread as context for your agent\n• `@Inkeep` in a thread — Triggers your agent using the full thread as context\n\n💡 Use `/inkeep help` for all available commands." },
+	status: {
+		thinking: (agentName) => `_${agentName} is thinking..._`,
+		noAgentsAvailable: "No agents available",
+		noProjectsConfigured: "⚙️ No projects configured. Please set up projects in the dashboard."
+	},
+	errors: {
+		generic: "Sorry, something went wrong. Please try again.",
+		failedToOpenSelector: "❌ Failed to open agent selector. Please try again."
+	},
+	help: {
+		title: "Inkeep — How to Use",
+		publicSection: "🔊 *Public* — everyone in the channel can see the response\n\n• `@Inkeep <message>` — Send a message to your agent\n• `@Inkeep <message>` in a thread — Includes thread as context\n• `@Inkeep` in a thread — Uses the full thread as context",
+		privateSection: "🔒 *Private* — only you can see the response\n\n• `/inkeep <message>` — Send a message to your agent\n• `/inkeep` — Open the agent picker to choose an agent and prompt",
+		otherCommands: "⚙️ *Other Commands*\n\n• `/inkeep run \"agent name\" <message>` — Use a specific agent\n• `/inkeep list` — List available agents\n• `/inkeep status` — Check your connection and agent config\n• `/inkeep link` / `/inkeep unlink` — Manage account connection\n• `/inkeep help` — Show this message"
+	},
+	agentList: {
+		title: "🤖 Available Agents",
+		usage: "Usage:",
+		runUsage: "`/inkeep run \"agent name\" question` - Run a specific agent",
+		andMore: (count) => `...and ${count} more`
+	},
+	messageContext: { label: "Message:" }
+};
+
+//#endregion
+export { SlackStrings };

package/dist/slack/index.d.ts

@@ -0,0 +1,18 @@
+import { ManageAppVariables, WorkAppsVariables } from "./types.js";
+import { DefaultAgentConfig, SlackWorkspaceConnection, WorkspaceInstallData, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setWorkspaceDefaultAgent, storeWorkspaceInstallation, updateConnectionMetadata } from "./services/nango.js";
+import { getChannelAgentConfig, getWorkspaceDefaultAgent } from "./services/events/utils.js";
+import "./services/events/index.js";
+import { getBotTokenForTeam, setBotTokenForTeam } from "./services/workspace-tokens.js";
+import "./routes/oauth.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/slack/index.d.ts
+
+declare function createSlackRoutes(): OpenAPIHono<{
+  Variables: WorkAppsVariables;
+}, {}, "/">;
+declare const slackRoutes: OpenAPIHono<{
+  Variables: WorkAppsVariables;
+}, {}, "/">;
+//#endregion
+export { DefaultAgentConfig, ManageAppVariables, SlackWorkspaceConnection, WorkAppsVariables, WorkspaceInstallData, clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, createSlackRoutes, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setBotTokenForTeam, setWorkspaceDefaultAgent, slackRoutes, storeWorkspaceInstallation, updateConnectionMetadata };

package/dist/slack/index.js

@@ -0,0 +1,28 @@
+import { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setWorkspaceDefaultAgent, storeWorkspaceInstallation, updateConnectionMetadata } from "./services/nango.js";
+import { getChannelAgentConfig, getWorkspaceDefaultAgent } from "./services/events/utils.js";
+import { getBotTokenForTeam, setBotTokenForTeam } from "./services/workspace-tokens.js";
+import "./services/events/index.js";
+import "./routes/oauth.js";
+import routes_default from "./routes/index.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/slack/index.ts
+/**
+* Slack Work App
+*
+* Provides Slack integration for Inkeep Agents including:
+* - OAuth-based workspace installation
+* - User account linking via JWT tokens
+* - Slash commands for agent interaction
+* - @mention support for workspace-wide agent access
+* - Channel-specific agent configuration
+*/
+function createSlackRoutes() {
+	const app = new OpenAPIHono();
+	app.route("/", routes_default);
+	return app;
+}
+const slackRoutes = createSlackRoutes();
+
+//#endregion
+export { clearWorkspaceConnectionCache, computeWorkspaceConnectionId, createConnectSession, createSlackRoutes, deleteWorkspaceInstallation, findWorkspaceConnectionByTeamId, getBotTokenForTeam, getChannelAgentConfig, getConnectionAccessToken, getSlackIntegrationId, getSlackNango, getWorkspaceDefaultAgent, getWorkspaceDefaultAgentFromNango, listWorkspaceInstallations, setBotTokenForTeam, setWorkspaceDefaultAgent, slackRoutes, storeWorkspaceInstallation, updateConnectionMetadata };

package/dist/slack/middleware/permissions.d.ts

@@ -0,0 +1,31 @@
+import { ManageAppVariables } from "../types.js";
+import * as hono0 from "hono";
+
+//#region src/slack/middleware/permissions.d.ts
+/**
+ * Check if user has admin role (owner or admin)
+ */
+declare function isOrgAdmin(tenantRole: string | undefined): boolean;
+/**
+ * Middleware that requires Inkeep org admin/owner role.
+ * Use for workspace-level settings that only Inkeep organization admins can modify.
+ */
+declare const requireWorkspaceAdmin: <Env extends {
+  Variables: ManageAppVariables;
+} = {
+  Variables: ManageAppVariables;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
+/**
+ * Middleware that requires either:
+ * 1. Org admin/owner role (can modify any channel), OR
+ * 2. Member role AND membership in the specific Slack channel
+ *
+ * Use for channel-level settings where members can configure their own channels.
+ */
+declare const requireChannelMemberOrAdmin: <Env extends {
+  Variables: ManageAppVariables;
+} = {
+  Variables: ManageAppVariables;
+}>() => hono0.MiddlewareHandler<Env, string, {}, Response>;
+//#endregion
+export { isOrgAdmin, requireChannelMemberOrAdmin, requireWorkspaceAdmin };

package/dist/slack/middleware/permissions.js

@@ -0,0 +1,167 @@
+import { getLogger } from "../../logger.js";
+import runDbClient_default from "../../db/runDbClient.js";
+import { findWorkspaceConnectionByTeamId } from "../services/nango.js";
+import { checkUserIsChannelMember, getSlackClient } from "../services/client.js";
+import { OrgRoles, createApiError, findWorkAppSlackUserMappingByInkeepUserId, getUserOrganizationsFromDb } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+
+//#region src/slack/middleware/permissions.ts
+const logger = getLogger("slack-permissions");
+/**
+* Check if user has admin role (owner or admin)
+*/
+function isOrgAdmin(tenantRole) {
+	return tenantRole === OrgRoles.OWNER || tenantRole === OrgRoles.ADMIN;
+}
+/**
+* Resolve tenantId and tenantRole from a Slack teamId.
+* Looks up the workspace connection to find the owning tenant,
+* then checks the user's org membership to determine their role.
+*
+* This is needed because /work-apps/* routes don't go through requireTenantAccess
+* middleware (which normally sets tenantRole on /manage/* routes).
+*/
+async function resolveWorkAppTenantContext(c, teamId, userId) {
+	const workspace = await findWorkspaceConnectionByTeamId(teamId);
+	if (!workspace?.tenantId) throw createApiError({
+		code: "not_found",
+		message: "Slack workspace not found or not associated with a tenant",
+		instance: c.req.path
+	});
+	const orgAccess = (await getUserOrganizationsFromDb(runDbClient_default)(userId)).find((org) => org.organizationId === workspace.tenantId);
+	if (!orgAccess) throw createApiError({
+		code: "forbidden",
+		message: "Access denied to this organization",
+		instance: c.req.path
+	});
+	c.set("tenantId", workspace.tenantId);
+	c.set("tenantRole", orgAccess.role);
+}
+/**
+* Middleware that requires Inkeep org admin/owner role.
+* Use for workspace-level settings that only Inkeep organization admins can modify.
+*/
+const requireWorkspaceAdmin = () => createMiddleware(async (c, next) => {
+	if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
+		await next();
+		return;
+	}
+	const userId = c.get("userId");
+	if (!userId) throw createApiError({
+		code: "unauthorized",
+		message: "User context not found",
+		instance: c.req.path
+	});
+	if (userId === "system" || userId.startsWith("apikey:")) {
+		await next();
+		return;
+	}
+	const teamId = c.req.param("teamId") || c.req.param("workspaceId");
+	if (teamId && !c.get("tenantRole")) await resolveWorkAppTenantContext(c, teamId, userId);
+	const tenantId = c.get("tenantId");
+	const tenantRole = c.get("tenantRole");
+	if (!tenantId) throw createApiError({
+		code: "unauthorized",
+		message: "Organization context not found",
+		instance: c.req.path
+	});
+	if (!isOrgAdmin(tenantRole)) {
+		logger.warn({
+			userId,
+			tenantId,
+			tenantRole,
+			path: c.req.path
+		}, "User does not have admin role for workspace operation");
+		throw createApiError({
+			code: "forbidden",
+			message: "Only organization administrators can modify workspace settings",
+			instance: c.req.path,
+			extensions: {
+				requiredRole: "admin or owner",
+				currentRole: tenantRole
+			}
+		});
+	}
+	await next();
+});
+/**
+* Middleware that requires either:
+* 1. Org admin/owner role (can modify any channel), OR
+* 2. Member role AND membership in the specific Slack channel
+*
+* Use for channel-level settings where members can configure their own channels.
+*/
+const requireChannelMemberOrAdmin = () => createMiddleware(async (c, next) => {
+	if (process.env.ENVIRONMENT === "test" && c.req.header("x-test-bypass-auth") === "true") {
+		await next();
+		return;
+	}
+	const userId = c.get("userId");
+	if (!userId) throw createApiError({
+		code: "unauthorized",
+		message: "User context not found",
+		instance: c.req.path
+	});
+	if (userId === "system" || userId.startsWith("apikey:")) {
+		await next();
+		return;
+	}
+	const teamId = c.req.param("teamId");
+	if (teamId && !c.get("tenantRole")) await resolveWorkAppTenantContext(c, teamId, userId);
+	const tenantId = c.get("tenantId");
+	const tenantRole = c.get("tenantRole");
+	if (!tenantId) throw createApiError({
+		code: "unauthorized",
+		message: "Organization context not found",
+		instance: c.req.path
+	});
+	if (isOrgAdmin(tenantRole)) {
+		await next();
+		return;
+	}
+	const channelId = c.req.param("channelId");
+	if (!teamId || !channelId) throw createApiError({
+		code: "bad_request",
+		message: "Team ID and Channel ID are required",
+		instance: c.req.path
+	});
+	const userMapping = (await findWorkAppSlackUserMappingByInkeepUserId(runDbClient_default)(userId)).find((m) => m.tenantId === tenantId && m.slackTeamId === teamId);
+	if (!userMapping) throw createApiError({
+		code: "forbidden",
+		message: "You must link your Slack account to modify channel settings. Use /inkeep link in Slack.",
+		instance: c.req.path
+	});
+	const workspace = await findWorkspaceConnectionByTeamId(teamId);
+	if (!workspace?.botToken) throw createApiError({
+		code: "not_found",
+		message: "Slack workspace not found or not properly configured",
+		instance: c.req.path
+	});
+	if (!await checkUserIsChannelMember(getSlackClient(workspace.botToken), channelId, userMapping.slackUserId)) {
+		logger.info({
+			userId,
+			slackUserId: userMapping.slackUserId,
+			channelId,
+			teamId
+		}, "User is not a member of the channel");
+		throw createApiError({
+			code: "forbidden",
+			message: "You can only configure channels you are a member of",
+			instance: c.req.path,
+			extensions: {
+				channelId,
+				reason: "not_channel_member"
+			}
+		});
+	}
+	logger.debug({
+		userId,
+		slackUserId: userMapping.slackUserId,
+		channelId,
+		teamId
+	}, "User verified as channel member");
+	await next();
+});
+
+//#endregion
+export { isOrgAdmin, requireChannelMemberOrAdmin, requireWorkspaceAdmin };

package/dist/slack/routes/events.d.ts

@@ -0,0 +1,10 @@
+import { WorkAppsVariables } from "../types.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/slack/routes/events.d.ts
+
+declare const app: OpenAPIHono<{
+  Variables: WorkAppsVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };