@mondaydotcomorg/atp-server 0.24.3 → 0.24.4

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@mondaydotcomorg/atp-server",
-	"version": "0.24.3",
+	"version": "0.24.4",
 	"description": "Server implementation for Agent Tool Protocol",
 	"type": "module",
 	"main": "./dist/index.cjs",

package/src/explorer/index.ts

@@ -81,8 +81,10 @@ export class ExplorerService {
 			context.allowedGroups.add(group.name);
 		}
 
-		for (const group of this.apiGroups) {
-			if (!context.allowedGroups.has(group.name)) continue;
+		// Iterate already-filtered `allowedGroups` so per-tool rules
+		// filter operations WITHIN an allowed group (matches the pattern
+		// in `SearchEngine.search`).
+		for (const group of allowedGroups) {
 			if (group.functions) {
 				for (const func of group.functions) {
 					context.allowedTools.add(`${group.name}:${func.name}`);

package/src/handlers/execute.handler.ts

@@ -122,7 +122,13 @@ export async function handleExecute(
 		provenanceHints: requestConfig.provenanceHints,
 		requestContext: {
 			...requestConfig.requestContext,
-			headers: ctx.headers,
+			// Merge caller-supplied headers with ctx.headers; ctx wins on
+			// conflicts so session auth takes precedence over app-layer keys.
+			headers: {
+				...(requestConfig.requestContext as { headers?: Record<string, string> } | undefined)
+					?.headers,
+				...ctx.headers,
+			},
 			path: ctx.path,
 			method: ctx.method,
 		},