@mondaydotcomorg/atp-server 0.24.3 → 0.25.0

package/dist/index.js

@@ -10864,8 +10864,7 @@ var ExplorerService = class {
       }
       context.allowedGroups.add(group.name);
     }
-    for (const group of this.apiGroups) {
-      if (!context.allowedGroups.has(group.name)) continue;
+    for (const group of allowedGroups) {
       if (group.functions) {
         for (const func of group.functions) {
           context.allowedTools.add(`${group.name}:${func.name}`);
@@ -11451,10 +11450,10 @@ async function handleSearchQuery(ctx, searchEngine, config) {
 __name(handleSearchQuery, "handleSearchQuery");
 
 // src/handlers/explorer.handler.ts
-async function handleExplore(ctx, explorerService) {
+async function handleExplore(ctx, explorerService, toolRulesProvider) {
   const body = ctx.body;
   const path = body.path || "/";
-  const { toolRules } = body;
+  const effectiveToolRules = body.toolRules ?? (toolRulesProvider ? toolRulesProvider(ctx) : void 0);
   const executeExplore = /* @__PURE__ */ __name(() => {
     const result = explorerService.explore(path);
     if (!result) {
@@ -11462,9 +11461,9 @@ async function handleExplore(ctx, explorerService) {
     }
     return result;
   }, "executeExplore");
-  if (toolRules && !getRequestScope()?.toolRules) {
+  if (effectiveToolRules && !getRequestScope()?.toolRules) {
     return runInRequestScope({
-      toolRules
+      toolRules: effectiveToolRules
     }, executeExplore);
   }
   return executeExplore();
@@ -11634,7 +11633,7 @@ function cleanProvenanceIds(value) {
   return cleaned;
 }
 __name(cleanProvenanceIds, "cleanProvenanceIds");
-async function handleExecute(ctx, executor, stateManager, config, auditSink, sessionManager) {
+async function handleExecute(ctx, executor, stateManager, config, auditSink, sessionManager, toolRulesProvider) {
   const request = ctx.body;
   const code = request.code || "";
   const requestConfig = request.config || request.options || {};
@@ -11702,13 +11701,21 @@ async function handleExecute(ctx, executor, stateManager, config, auditSink, ses
     provenanceHints: requestConfig.provenanceHints,
     requestContext: {
       ...requestConfig.requestContext,
-      headers: ctx.headers,
+      // Merge caller-supplied headers with ctx.headers; ctx wins on
+      // conflicts so session auth takes precedence over app-layer keys.
+      headers: {
+        ...requestConfig.requestContext?.headers,
+        ...ctx.headers
+      },
       path: ctx.path,
       method: ctx.method
     },
     onToolCall,
     eventCallback: requestConfig.eventCallback,
-    toolRules: requestConfig.toolRules
+    // Rule source precedence: explicit requestConfig.toolRules first, then
+    // server-level provider (e.g. reads a header). Lets in-process callers
+    // and HTTP callers converge on the same provider mechanism.
+    toolRules: requestConfig.toolRules ?? toolRulesProvider?.(ctx)
   };
   let hintMap;
   const prelimExecutionId = crypto.randomUUID();
@@ -22162,13 +22169,13 @@ var AgentToolProtocolServer = class {
   }
   async handleExplore(ctx) {
     if (!this.explorerService) ctx.throw(503, "Explorer not initialized");
-    return await handleExplore(ctx, this.explorerService);
+    return await handleExplore(ctx, this.explorerService, this.toolRulesProvider);
   }
   async handleExecute(ctx) {
     if (!this.executor || !this.validator || !this.stateManager) {
       ctx.throw(503, "Execution not initialized");
     }
-    return await handleExecute(ctx, this.executor, this.stateManager, this.config, this.auditSink, this.sessionManager);
+    return await handleExecute(ctx, this.executor, this.stateManager, this.config, this.auditSink, this.sessionManager, this.toolRulesProvider);
   }
   async handleResume(ctx, executionId) {
     if (!this.executor || !this.stateManager) {