update typescript to 6.0.2

[dimaMachina]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agents-api	Ready	Preview, Comment	Mar 24, 2026 4:51pm
agents-docs	Ready	Preview, Comment	Mar 24, 2026 4:51pm
agents-manage-ui	Ready	Preview, Comment	Mar 24, 2026 4:51pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 9934cc7

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 10 packages

Name	Type
@inkeep/agents-api	Patch
@inkeep/agents-cli	Patch
@inkeep/agents-core	Patch
@inkeep/agents-manage-ui	Patch
@inkeep/agents-work-apps	Patch
@inkeep/agents-sdk	Patch
@inkeep/create-agents	Patch
@inkeep/ai-sdk-provider	Patch
@inkeep/agents-email	Patch
@inkeep/agents-mcp	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[pullfrog]

TL;DR — Upgrades TypeScript from 5.x to 6.0.2 across the entire monorepo. This is a major-version bump that requires removing baseUrl from tsconfig.json files (TS 6 no longer supports bare-specifier resolution via baseUrl), converting all src/... path-style imports to relative imports, fixing type-inference regressions in auth.ts, and adding ignoreDeprecations / rootDir tweaks for Cypress and create-agents.

Key changes

• Bump typescript to ^6.0.2 in all 15 package.json files — Every workspace package now depends on TypeScript 6, with the lockfile updated accordingly.
• Remove baseUrl from 7 tsconfig.json files — TS 6 dropped implicit bare-specifier resolution from baseUrl; the option is removed from agents-api, agents-cli, agents-docs, agents-core, agents-email, agents-work-apps, and ai-sdk-provider.
• Convert src/… bare imports to relative paths in agents-api — 10 source files that relied on baseUrl-based src/... imports are rewritten to use ../../../-style relative paths.
• Fix type-inference regressions in auth.ts — TS 6's stricter callback typing requires an explicit SSOOptions import, shorthand method syntax for customResolveMethod, and a typed provisionUser parameter.
• Fix @/.source path mapping in agents-docs — Updated from [".source"] to ["./.source"] to satisfy TS 6 path resolution.
• Add ignoreDeprecations to Cypress tsconfig.json — Sets "ignoreDeprecations": "6.0" to suppress TS 6 deprecation warnings for moduleResolution: "bundler".
• Add rootDir to create-agents tsconfig.json — Explicit "rootDir": "src" added to fix emit behavior under TS 6.
• Add changeset for the TypeScript 6.0.2 upgrade — Patch-level changeset covering all 8 published packages (agents-api, agents-cli, agents-core, agents-manage-ui, agents-work-apps, agents-sdk, create-agents, ai-sdk-provider).

_{Summary ｜ 37 files ｜ 9 commits ｜ base: main ← ts6}

TypeScript 6 upgrade and baseUrl removal

Before: TypeScript ~5.9.x with "baseUrl": "." enabling bare src/... imports.
After: TypeScript 6.0.2; baseUrl removed, all imports use explicit relative paths or package aliases.

TypeScript 6 no longer resolves bare specifiers through baseUrl. Every tsconfig.json that set "baseUrl": "." has it removed, and the 10 source files in agents-api that relied on that behavior (src/data/db/..., src/middleware/..., src/types/..., src/utils/..., src/domains/...) are rewritten to relative ../../../ imports. The agents-docs path alias @/.source is also corrected from [".source"] to ["./.source"].

agents-api/tsconfig.json · packages/agents-core/tsconfig.json · agents-docs/tsconfig.json · agents-api/src/domains/manage/routes/projects.ts

Stricter callback typing in auth.ts

Before: Arrow-function callbacks with implicit parameter types passed TS 5's inference.
After: TS 6 requires explicit types for provisionUser and shorthand method syntax for customResolveMethod.

The better-auth SSO plugin's provisionUser callback lost its contextual type under TS 6's stricter inference. The fix imports SSOOptions and annotates the parameter via Parameters<NonNullable<SSOOptions['provisionUser']>>[0]. The trustedOrigins callback drops its unnecessary ? on request, and customResolveMethod switches from arrow to shorthand method syntax.

packages/agents-core/src/auth/auth.ts

Cypress deprecation suppression and create-agents emit fix

Before: No ignoreDeprecations set; create-agents had no explicit rootDir.
After: Cypress tsconfig sets "ignoreDeprecations": "6.0"; create-agents sets "rootDir": "src".

TS 6 deprecates certain moduleResolution values — the Cypress tsconfig adds "ignoreDeprecations": "6.0" to suppress the warning for "moduleResolution": "bundler". Separately, create-agents adds an explicit "rootDir": "src" to ensure correct declaration emit paths under the new compiler version.

agents-manage-ui/cypress/tsconfig.json · packages/create-agents/tsconfig.json

Changeset for published packages

A patch-level changeset is added covering all 8 published packages affected by this upgrade: @inkeep/agents-api, @inkeep/agents-cli, @inkeep/agents-core, @inkeep/agents-manage-ui, @inkeep/agents-work-apps, @inkeep/agents-sdk, @inkeep/create-agents, and @inkeep/ai-sdk-provider.

.changeset/upgrade-typescript-six.md

  ^{｜ View workflow run ｜ Triggered by Pullfrog ｜ pullfrog.com ｜ 𝕏}

[pullfrog]

Clean TypeScript 6.0.2 upgrade. The mechanical changes (version bumps, baseUrl removal, src/ → relative import rewrites, lockfile) all look correct. One comment on the auth.ts provisionUser type annotation — it works but the Parameters<NonNullable<...>>[0] pattern is worth a second look for readability.

  ^{｜ View workflow run ｜ pullfrog.com ｜ 𝕏}

[pullfrog]

This Parameters<NonNullable<SSOOptions['provisionUser']>>[0] annotation works but is fairly noisy. Would a standalone type alias (e.g. type ProvisionUserArgs = Parameters<NonNullable<SSOOptions['provisionUser']>>[0]) be cleaner, or does @better-auth/sso already export a dedicated type for this? Not blocking — just a readability thought.

[pullfrog]

Looks good — approving. Clean TS6 upgrade with correct baseUrl removal, import path rewrites, and type fixes.

  ^{｜ View workflow run ｜ pullfrog.com ｜ 𝕏}

[claude]

PR Review Summary

(0) Total Issues | Risk: Low

This PR cleanly upgrades TypeScript from 5.x to 6.0.2 across the monorepo. The changes are well-executed:

✅ Changes Validated

Package Updates (15 packages)

• All packages consistently upgraded to typescript: ^6.0.2
• Version ranges are appropriate (caret allows minor/patch updates)

tsconfig.json Changes (7 files)

• Removal of baseUrl: "." is the correct migration for TS 6.0
• TypeScript 6 changed how baseUrl interacts with path resolution, requiring explicit relative paths
• The @/.source path fix in agents-docs (".source" → "./.source") is correct

Code Changes (auth.ts)

• Type annotations added for provisionUser callback using Parameters<NonNullable<SSOOptions['provisionUser']>>[0] — correct pattern for extracting function parameter types
• Method shorthand syntax change (customResolveMethod(ctx)) — equivalent behavior
• Removal of explicit optional marker on trustedOrigins callback — TypeScript infers the correct type from betterAuth's API

Import Path Migrations (11 files)

• Conversion from src/ path aliases to relative imports is the correct approach after removing baseUrl
• All paths are correctly resolved

💭 Consider (C) 💭

💭 1) packages/agents-mcp Pre-existing version split

Issue: packages/agents-mcp remains on TypeScript 5.8.3 while all other packages are on 6.0.2.

Why: This is intentional — typescript-eslint@8.x has a peer dependency constraint of typescript: '<6.0.0'. The split is necessary until typescript-eslint releases TS 6 support.

Fix: No action needed now. Consider tracking when typescript-eslint v9 releases with TS 6 support to unify versions.

Refs: packages/agents-mcp/package.json:42

---

✅ APPROVE

Summary: Clean TypeScript 6.0.2 upgrade with all necessary migration steps (baseUrl removal, relative imports, type annotations). CI validation will confirm the upgrade is complete. The agents-mcp version split is an acceptable constraint from typescript-eslint and doesn't affect this PR. 🎉

Reviewers (2)

Reviewer	Returned	Main Findings	Consider	While You're Here	Inline Comments	Pending Recs	Discarded
pr-review-devops	3	0	1	0	0	0	2
pr-review-standards	0	0	0	0	0	0	0
Total	3	0	1	0	0	0	2

Note: DevOps findings about peer deps and changeset were discarded as not actionable (dev dependency doesn't require changeset per AGENTS.md).

Discarded (2)

Location	Issue	Reason Discarded
pnpm-lock.yaml	Peer dependency warnings from @typescript-eslint/* packages	CI validation will catch any real issues; monorepo successfully uses split TS versions
.changeset/	No changeset for TS upgrade	TypeScript is a devDependency; per AGENTS.md guidelines, internal tooling changes don't require changesets

[itoqa]

Ito Test Report ✅

22 test cases ran. 22 passed.

The unified run passed all 22 of 22 test cases with zero failures, showing stable behavior across authentication and routing, project list and full-definition retrieval, end-to-end project CRUD, scheduled trigger creation/editing, and dataset run-config workflows. Most importantly, adversarial and resilience checks confirmed strong safety and graceful handling: invalid login errors recovered cleanly, external returnUrl open-redirect attempts were contained, unauthorized dev-session bootstrap was rejected with 401 and no cookie issuance, XSS/query-parameter/traversal-style probes and cross-tenant tampering produced sanitized non-leaking responses, and stress/edge scenarios (double-submit, rapid toggles, deep-link refresh, back/forward loops, mobile viewport, and refresh during dialog edit) preserved usable, consistent UI state.

✅ Passed (22)

Category	Summary	Screenshot
Adversarial	External returnUrl input did not cause off-site navigation and stayed on safe localhost routes after authentication.
Adversarial	Adversarial script payloads were stored/rendered as inert text and did not execute; no injected script/onerror nodes from user input were detected.
Adversarial	Cross-tenant tampering was denied with sanitized not-found/forbidden behavior and no tenant data leakage.
Adversarial	Unauthenticated POST /api/auth/dev-session was rejected with 401 and no session cookie issuance.
Adversarial	Abusive paging/sort query values did not break the projects page; UI remained functional without stack-trace leakage.
Adversarial	Both authenticated probes (fake ID and encoded traversal-like ID) returned controlled sanitized 404 responses with no internal path/stack-trace disclosure.
Edge	Rapid double-submit created only one project and the UI remained stable.
Edge	Direct settings deep-link survived hard refresh and rendered project form fields without server/runtime error.
Edge	Description update persisted through repeated back/forward navigation loops, and project/settings pages stayed usable without duplicate success toasts.
Edge	Verified key project and scheduled-trigger creation controls stayed usable at 390x844 mobile viewport.
Edge	Refreshing the page while the New run dialog had partial input did not crash the page; reopening showed a clean, usable dialog without stale draft corruption.
Edge	Performed rapid enabled-toggle stress, saved, and confirmed final enabled state persisted after reload.
Happy-path	Fresh navigation to /default/projects correctly reached the login path as an allowed outcome when auto-login is disabled.
Happy-path	On dataset detail Runs tab, the UI displayed a controlled HTTP 404 error panel while navigation shell and controls remained usable, satisfying graceful degradation expectations.
Happy-path	Invalid credentials showed an inline error, then valid credentials successfully redirected to /default/projects.
Happy-path	Projects list rendered the seeded Activities Planner project after local environment remediation.
Happy-path	Project creation succeeded and redirected to the new project route with success feedback.
Happy-path	Project settings update persisted after hard refresh.
Happy-path	Project deletion from the project menu completed and removed the project from the list.
Happy-path	Project full endpoint returned the seeded project definition with agent data after environment seeding; behavior matches expected data-access flow.
Happy-path	Created a recurring scheduled trigger and verified it appeared on the scheduled triggers list.
Happy-path	Edited an existing scheduled trigger and confirmed cron and enabled state persisted after reopening.

Commit: 52e655c

View Full Run

---

Tell us how we did: Give Ito Feedback

[claude]

PR Review Summary

(0) Total Issues | Risk: Low

This re-review covers the delta since the previous review (718091f10ce7). The prior review already approved the main TypeScript 6.0.2 upgrade. The new changes are minimal configuration additions.

✅ Changes Validated (Delta)

Commit 3790a3bfb — agents-manage-ui/cypress/tsconfig.json

• Added "ignoreDeprecations": "6.0" to suppress TS6 deprecation warnings
• This is a valid workaround for Cypress-specific TypeScript configuration

Commit 52e655ce4 — packages/create-agents/tsconfig.json

• Added "rootDir": "src" to correctly constrain the output directory structure
• Aligns with the existing "include": ["src"] directive

Merge from main (8e162c2a7)

• Brought in unrelated changes (signoz migration, schema normalization, tooltip providers)
• These were already reviewed and merged to main; no action needed

💭 Consider (C) 💭

💭 1) agents-manage-ui/cypress/tsconfig.json:10 Config inconsistency with ignoreDeprecations

Issue: The ignoreDeprecations: "6.0" flag masks a TS6 deprecation warning caused by having both verbatimModuleSyntax: true and allowSyntheticDefaultImports: true in the same config. These options are semantically redundant.

Why: Not blocking — this is a valid workaround that keeps CI green. However, 10 other tsconfig files in this repo have the same combination but don't require the flag suggests this Cypress config may benefit from cleanup later.

Fix: Consider removing allowSyntheticDefaultImports: true in a follow-up PR since it has no effect when verbatimModuleSyntax is enabled.

Refs: TypeScript docs: verbatimModuleSyntax

---

✅ APPROVE

Summary: Clean follow-up commits to finalize the TS6 upgrade. The ignoreDeprecations workaround is pragmatic and CI confirms everything builds correctly. The rootDir addition is correctly configured. Ship it! 🚀

Reviewers (1)

Reviewer	Returned	Main Findings	Consider	While You're Here	Inline Comments	Pending Recs	Discarded
pr-review-devops	2	0	1	0	0	0	1
Total	2	0	1	0	0	0	1

Discarded (1)

Location	Issue	Reason Discarded
packages/create-agents/tsconfig.json:11	rootDir addition	INFO-level validation — the change is correct and appropriate, no issue to raise

[dimaMachina]

@claude add a changeset

[inkeep-internal-ci]

Claude finished @dimaMachina's task in 1m 0s —— View job

---

Adding changeset for TypeScript 6.0.2 upgrade

• Create changeset for affected packages
• Commit and push

Added a patch changeset for all affected published packages: agents-api, agents-cli, agents-core, agents-manage-ui, agents-work-apps, agents-sdk, create-agents, ai-sdk-provider.

Commit: 9934cc7
| Branch: ts6

[pullfrog]

Clean upgrade overall — the baseUrl removal + import path migration is the right approach, and the auth.ts type fixes are well-done. Two items need attention before merge.

Not in diff — packages/agents-mcp stays on typescript: ~5.8.3. Intentional exclusion, or missed?

  ^{｜ Fix all ➔ ｜ Fix 👍s ➔ ｜ View workflow run ｜ pullfrog.com ｜ 𝕏}

[pullfrog]

The create-agents-template/pnpm-lock.yaml still resolves typescript to 5.9.3 (with specifiers ^5.4.0 and 5.9.3). The lockfile needs to be regenerated to match these ^6.0.2 specifiers — otherwise pnpm install --frozen-lockfile will fail for users scaffolding from this template.

cd create-agents-template && pnpm install

[pullfrog]

This suppresses deprecation warnings for target: "es6" (should be "es2015") and allowSyntheticDefaultImports (redundant with verbatimModuleSyntax). Fine as a stopgap, but worth a follow-up to clean up the deprecated options — es6 can become es2015 and allowSyntheticDefaultImports can likely be removed, which would eliminate the need for ignoreDeprecations entirely.

[pullfrog]

Good catch fixing [".source"] to ["./.source"] — without baseUrl, paths are resolved relative to the tsconfig location, so the ./ prefix is now required.

[github-actions]

🔎💬 Inkeep AI search and chat service is syncing content for source 'Inkeep Agent Framework Docs'

[itoqa]

Ito Test Report ✅

17 test cases ran. 17 passed.

Unified results show 17 executed test cases passed with 0 failures (plus one review segment with no completed outcomes), indicating stable behavior and no confirmed production defects in the covered local/non-production scope. Key findings were successful projects and scheduled-triggers workflows (load, create/run, edit persistence, mobile usability), correct auth/session hardening (deep-link redirect with returnUrl, dev-session fail-safe without loops, unauthorized dev-session blocked with 401 and no cookie), resilient security controls (cross-tenant tampering denied, stored XSS neutralized, malicious trigger input rejected, duplicate create/delete race actions controlled), deterministic /run/api/chat validation responses (400 for missing conversationId and malformed/valid time headers without 500s/hangs), and a disabled dataset-run-configs endpoint remaining non-exposed (404, no request loop).

✅ Passed (17)

Category	Summary	Screenshot
Adversarial	Cross-tenant URL tampering returned denied/empty outcomes with no foreign project data rendered.
Adversarial	XSS-like project name payload rendered as inert text and no script execution side effects were observed.
Adversarial	Invalid cron plus script-like template was rejected and no malicious trigger/script execution occurred.
Adversarial	Rapid delete replay stayed controlled, removed the project cleanly, and kept the projects UI stable with no ghost row.
Adversarial	Unauthorized dev-session calls (missing/invalid bearer) returned 401 and did not issue a session cookie.
Adversarial	Malformed and valid client-time header requests both returned deterministic 400 responses without parser 500s or hangs.
Edge	Protected deep-link correctly redirected unauthenticated users to login with encoded returnUrl.
Edge	With dev-session unavailable, protected route redirected to login and stayed stable across reloads (no loop).
Edge	Rapid double-submit produced only one project row and the projects UI remained stable.
Edge	Unsaved edits reset after refresh, and a saved edit persisted after back/forward navigation.
Edge	iPhone 12 viewport retained usable controls on triggers list and invocations pages.
Edge	Approval-response payloads without conversationId returned deterministic 400 responses with the expected validation error on repeated calls.
Edge	Direct authenticated GET to dataset-run-configs returned 404 (never 200), and evaluations UI navigation produced no dataset-run-configs request loop.
Happy-path	Projects index route loaded successfully; manage API call returned 200 and page rendered stably.
Happy-path	Created a project via /default/projects, confirmed it appeared in the list, and verified direct project-route retrieval loaded correctly without server errors.
Happy-path	Scheduled triggers index rendered with Scheduled controls and seeded trigger data visible.
Happy-path	Created a scheduled trigger, ran it immediately, and observed a non-error invocation state.

Commit: 9934cc7

View Full Run

---

Tell us how we did: Give Ito Feedback