@poncho-ai/harness 0.34.1 → 0.35.0

package/dist/index.js

@@ -1450,6 +1450,112 @@ Available memory tools:
 - \`memory_main_write\` \u2014 overwrite the entire memory document
 - \`memory_main_edit\` \u2014 edit memory via exact string replacement (\`old_str\` / \`new_str\`)
 - \`conversation_recall\` \u2014 search past conversations
+
+## Multi-Tenancy
+
+Deploy one agent and let many users (tenants) use it, each with fully isolated data. Multi-tenancy is opt-in \u2014 it activates automatically when a valid tenant JWT is received. Existing single-user deployments work unchanged.
+
+### How it works
+
+1. **Builder creates a JWT** for each tenant, signed with \`PONCHO_AUTH_TOKEN\` (HS256).
+2. **Tenant accesses the agent** using \`?token=<jwt>\` in the web UI URL, or \`Authorization: Bearer <jwt>\` for API calls.
+3. **All data is scoped** \u2014 conversations, memory, reminders, and todos are isolated per tenant.
+
+### Creating tenant tokens
+
+Using the CLI (for development/testing):
+
+\`\`\`bash
+poncho auth create-token --tenant acme-corp --ttl 24h
+\`\`\`
+
+Using the client SDK (for your backend):
+
+\`\`\`typescript
+import { createTenantToken } from "@poncho-ai/client";
+
+const token = await createTenantToken({
+  signingKey: process.env.PONCHO_AUTH_TOKEN,
+  tenantId: "acme-corp",
+  expiresIn: "1h",
+  metadata: { plan: "pro" },  // optional, stored in JWT \`meta\` claim
+});
+
+// Give this URL to the tenant:
+const url = \`https://my-agent.example.com/?token=\${token}\`;
+\`\`\`
+
+Or use any HS256 JWT library in any language \u2014 set \`sub\` to the tenant ID.
+
+### Tenant-scoped API access
+
+\`\`\`typescript
+import { AgentClient, createTenantToken } from "@poncho-ai/client";
+
+const token = await createTenantToken({
+  signingKey: process.env.PONCHO_AUTH_TOKEN,
+  tenantId: "acme-corp",
+  expiresIn: "1h",
+});
+
+const client = new AgentClient({
+  url: "https://my-agent.example.com",
+  token,  // tenant-scoped access
+});
+
+const conversations = await client.listConversations(); // only acme-corp's
+\`\`\`
+
+### Per-tenant secrets
+
+Tenants can provide their own API keys for MCP integrations. Declare which env vars are tenant-managed in \`poncho.config.js\`:
+
+\`\`\`javascript
+export default {
+  tenantSecrets: {
+    LINEAR_API_KEY: "Linear API Key",
+    GITHUB_TOKEN: "GitHub Token",
+  },
+  mcp: [
+    { url: "https://mcp.linear.app/sse", auth: { type: "bearer", tokenEnv: "LINEAR_API_KEY" } },
+  ],
+};
+\`\`\`
+
+When a tenant sets their \`LINEAR_API_KEY\` through the web UI settings panel (or API), MCP tool calls for that tenant use their key. If the tenant hasn't set it, the agent falls back to \`process.env.LINEAR_API_KEY\`.
+
+Builders can also set secrets for tenants via CLI:
+
+\`\`\`bash
+poncho secrets set --tenant acme-corp LINEAR_API_KEY lk_acme_123
+poncho secrets list --tenant acme-corp
+poncho secrets delete --tenant acme-corp LINEAR_API_KEY
+\`\`\`
+
+Secrets are encrypted at rest (AES-256-GCM) using a key derived from \`PONCHO_AUTH_TOKEN\`.
+
+### Auth model
+
+| Access type | Token | Scope |
+|---|---|---|
+| **Builder** | \`Authorization: Bearer <PONCHO_AUTH_TOKEN>\` | Full admin access |
+| **Tenant** | \`Authorization: Bearer <JWT>\` or \`?token=<JWT>\` | Scoped to one tenant |
+| **Anonymous** | No token (when \`auth.required\` is false) | Legacy single-user mode |
+
+### What's isolated per tenant
+
+- Conversations and message history
+- Persistent memory
+- Reminders
+- Todos
+- Secrets (MCP auth tokens)
+- Subagent conversations
+
+### Limitations
+
+- **No tenant registry**: builders can't enumerate all tenants. Cron jobs and reminders run in agent scope, not per-tenant.
+- **No token revocation**: use short TTLs (1h recommended). Stateless JWTs can't be individually revoked.
+- **\`PONCHO_AUTH_TOKEN\` is immutable**: rotating it invalidates all tenant JWTs and encrypted secrets.
 `,
   "configuration": `# Configuration & Security
 
@@ -1532,6 +1638,14 @@ export default {
   // When auth.required is true:
   // - Web UI: users enter the passphrase (value of PONCHO_AUTH_TOKEN env var)
   // - API: clients include Authorization: Bearer <token> header
+  // - Tenants: use JWT tokens (see Multi-Tenancy in docs/features.md)
+
+  // Per-tenant secrets (optional). Tenants can set their own values for these
+  // env vars via the web UI settings panel or API. Used for MCP auth tokens.
+  // tenantSecrets: {
+  //   LINEAR_API_KEY: 'Linear API Key',
+  //   GITHUB_TOKEN: 'GitHub Token',
+  // },
 
   // Model provider API key env var overrides (optional)
   providers: {
@@ -2102,8 +2216,8 @@ var ponchoDocsTool = defineTool({
 
 // src/harness.ts
 import { randomUUID as randomUUID3 } from "crypto";
-import { readFile as readFile10 } from "fs/promises";
-import { resolve as resolve12 } from "path";
+import { readFile as readFile11 } from "fs/promises";
+import { resolve as resolve13 } from "path";
 import { defineTool as defineTool8, getTextContent as getTextContent2 } from "@poncho-ai/sdk";
 
 // src/upload-store.ts
@@ -2616,20 +2730,25 @@ var InMemoryMemoryStore = class {
 var FileMainMemoryStore = class {
   workingDir;
   filePath = "";
+  customRelPath;
   ttlMs;
   loaded = false;
   writing = Promise.resolve();
   mainMemory = { ...DEFAULT_MAIN_MEMORY };
-  constructor(workingDir, ttlSeconds) {
+  constructor(workingDir, ttlSeconds, customRelPath) {
     this.workingDir = workingDir;
     this.ttlMs = typeof ttlSeconds === "number" ? ttlSeconds * 1e3 : void 0;
+    this.customRelPath = customRelPath;
   }
   async ensureFilePath() {
     if (this.filePath) {
       return;
     }
     const identity = await ensureAgentIdentity(this.workingDir);
-    this.filePath = resolve6(getAgentStoreDirectory(identity), LOCAL_MEMORY_FILE);
+    this.filePath = resolve6(
+      getAgentStoreDirectory(identity),
+      this.customRelPath ?? LOCAL_MEMORY_FILE
+    );
   }
   isExpired(updatedAt) {
     return typeof this.ttlMs === "number" && Date.now() - updatedAt > this.ttlMs;
@@ -2725,7 +2844,15 @@ var createMemoryStore = (agentId, config, options) => {
   const provider = config?.provider ?? "local";
   const ttl = config?.ttl;
   const workingDir = options?.workingDir ?? process.cwd();
+  const tenantId = options?.tenantId;
   if (provider === "local") {
+    if (tenantId) {
+      return new FileMainMemoryStore(
+        workingDir,
+        ttl,
+        `tenants/${slugifyStorageComponent(tenantId)}/${LOCAL_MEMORY_FILE}`
+      );
+    }
     return new FileMainMemoryStore(workingDir, ttl);
   }
   if (provider === "memory") {
@@ -2733,7 +2860,8 @@ var createMemoryStore = (agentId, config, options) => {
   }
   const kv = createRawKVStore(config);
   if (kv) {
-    const storageKey = `poncho:${STORAGE_SCHEMA_VERSION}:${slugifyStorageComponent(agentId)}:memory:main`;
+    const base = `poncho:${STORAGE_SCHEMA_VERSION}:${slugifyStorageComponent(agentId)}`;
+    const storageKey = tenantId ? `${base}:t:${slugifyStorageComponent(tenantId)}:memory:main` : `${base}:memory:main`;
     return new KVBackedMemoryStore(kv, storageKey, ttl);
   }
   return new InMemoryMemoryStore(ttl);
@@ -2768,6 +2896,7 @@ var buildRecallSnippet = (content, query, maxChars = 360) => {
   return content.slice(start, end);
 };
 var createMemoryTools = (store, options) => {
+  const resolveStore = typeof store === "function" ? store : () => store;
   const maxRecallConversations = Math.max(1, options?.maxRecallConversations ?? 20);
   return [
     defineTool2({
@@ -2778,8 +2907,8 @@ var createMemoryTools = (store, options) => {
         properties: {},
         additionalProperties: false
       },
-      handler: async () => {
-        const memory = await store.getMainMemory();
+      handler: async (_input, context) => {
+        const memory = await resolveStore(context).getMainMemory();
         return { memory };
       }
     }),
@@ -2797,12 +2926,12 @@ var createMemoryTools = (store, options) => {
         required: ["content"],
         additionalProperties: false
       },
-      handler: async (input) => {
+      handler: async (input, context) => {
         const content = typeof input.content === "string" ? input.content.trim() : "";
         if (!content) {
           throw new Error("content is required");
         }
-        const memory = await store.updateMainMemory({ content });
+        const memory = await resolveStore(context).updateMainMemory({ content });
         return { ok: true, memory };
       }
     }),
@@ -2824,13 +2953,13 @@ var createMemoryTools = (store, options) => {
         required: ["old_str", "new_str"],
         additionalProperties: false
       },
-      handler: async (input) => {
+      handler: async (input, context) => {
         const oldStr = typeof input.old_str === "string" ? input.old_str : "";
         const newStr = typeof input.new_str === "string" ? input.new_str : "";
         if (!oldStr) {
           throw new Error("old_str must not be empty.");
         }
-        const current = await store.getMainMemory();
+        const current = await resolveStore(context).getMainMemory();
         const content = current.content;
         const first = content.indexOf(oldStr);
         if (first === -1) {
@@ -2845,7 +2974,7 @@ var createMemoryTools = (store, options) => {
           );
         }
         const newContent = content.slice(0, first) + newStr + content.slice(first + oldStr.length);
-        const memory = await store.updateMainMemory({ content: newContent });
+        const memory = await resolveStore(context).updateMainMemory({ content: newContent });
         return { ok: true, memory };
       }
     }),
@@ -3208,7 +3337,8 @@ var InMemoryReminderStore = class {
       status: "pending",
       createdAt: Date.now(),
       conversationId: input.conversationId,
-      ownerId: input.ownerId
+      ownerId: input.ownerId,
+      tenantId: input.tenantId
     };
     this.reminders = pruneStale(this.reminders);
     this.reminders.push(reminder);
@@ -3267,7 +3397,8 @@ var FileReminderStore = class {
       status: "pending",
       createdAt: Date.now(),
       conversationId: input.conversationId,
-      ownerId: input.ownerId
+      ownerId: input.ownerId,
+      tenantId: input.tenantId
     };
     let reminders = await this.readAll();
     reminders = pruneStale(reminders);
@@ -3393,6 +3524,171 @@ var createReminderStore = (agentId, config, options) => {
   return new InMemoryReminderStore();
 };
 
+// src/secrets-store.ts
+import { createCipheriv, createDecipheriv, randomBytes, createHash as createHash3 } from "crypto";
+import { mkdir as mkdir6, readFile as readFile8, writeFile as writeFile7 } from "fs/promises";
+import { dirname as dirname5, resolve as resolve9 } from "path";
+function deriveKey(signingKey) {
+  return createHash3("sha256").update("poncho-secrets-v1:" + signingKey).digest();
+}
+function encrypt(plaintext, key) {
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return {
+    iv: iv.toString("base64"),
+    ct: ct.toString("base64"),
+    tag: tag.toString("base64")
+  };
+}
+function decrypt(blob, key) {
+  const decipher = createDecipheriv(
+    "aes-256-gcm",
+    key,
+    Buffer.from(blob.iv, "base64")
+  );
+  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
+  return Buffer.concat([
+    decipher.update(Buffer.from(blob.ct, "base64")),
+    decipher.final()
+  ]).toString("utf8");
+}
+var FileSecretsStore = class {
+  workingDir;
+  encKey;
+  constructor(workingDir, signingKey) {
+    this.workingDir = workingDir;
+    this.encKey = deriveKey(signingKey);
+  }
+  async filePath(tenantId) {
+    const identity = await ensureAgentIdentity(this.workingDir);
+    const dir = resolve9(
+      getAgentStoreDirectory(identity),
+      "tenants",
+      slugifyStorageComponent(tenantId)
+    );
+    return resolve9(dir, "secrets.json");
+  }
+  async readAll(tenantId) {
+    try {
+      const raw = await readFile8(await this.filePath(tenantId), "utf8");
+      return JSON.parse(raw);
+    } catch {
+      return {};
+    }
+  }
+  async writeAll(tenantId, data) {
+    const fp = await this.filePath(tenantId);
+    await mkdir6(dirname5(fp), { recursive: true });
+    await writeFile7(fp, JSON.stringify(data, null, 2), "utf8");
+  }
+  async get(tenantId) {
+    const data = await this.readAll(tenantId);
+    const result = {};
+    for (const [k, blob] of Object.entries(data)) {
+      try {
+        result[k] = decrypt(blob, this.encKey);
+      } catch {
+      }
+    }
+    return result;
+  }
+  async set(tenantId, key, value) {
+    const data = await this.readAll(tenantId);
+    data[key] = encrypt(value, this.encKey);
+    await this.writeAll(tenantId, data);
+  }
+  async delete(tenantId, key) {
+    const data = await this.readAll(tenantId);
+    delete data[key];
+    await this.writeAll(tenantId, data);
+  }
+  async list(tenantId) {
+    const data = await this.readAll(tenantId);
+    return Object.keys(data);
+  }
+};
+var KVSecretsStore = class {
+  kv;
+  baseKey;
+  encKey;
+  ttl;
+  constructor(kv, baseKey, signingKey, ttl) {
+    this.kv = kv;
+    this.baseKey = baseKey;
+    this.encKey = deriveKey(signingKey);
+    this.ttl = ttl;
+  }
+  kvKey(tenantId) {
+    return `${this.baseKey}:t:${slugifyStorageComponent(tenantId)}:secrets`;
+  }
+  async readAll(tenantId) {
+    try {
+      const raw = await this.kv.get(this.kvKey(tenantId));
+      if (!raw) return {};
+      return JSON.parse(raw);
+    } catch {
+      return {};
+    }
+  }
+  async writeAll(tenantId, data) {
+    const key = this.kvKey(tenantId);
+    const value = JSON.stringify(data);
+    if (this.ttl) {
+      await this.kv.setWithTtl(key, value, this.ttl);
+    } else {
+      await this.kv.set(key, value);
+    }
+  }
+  async get(tenantId) {
+    const data = await this.readAll(tenantId);
+    const result = {};
+    for (const [k, blob] of Object.entries(data)) {
+      try {
+        result[k] = decrypt(blob, this.encKey);
+      } catch {
+      }
+    }
+    return result;
+  }
+  async set(tenantId, key, value) {
+    const data = await this.readAll(tenantId);
+    data[key] = encrypt(value, this.encKey);
+    await this.writeAll(tenantId, data);
+  }
+  async delete(tenantId, key) {
+    const data = await this.readAll(tenantId);
+    delete data[key];
+    await this.writeAll(tenantId, data);
+  }
+  async list(tenantId) {
+    const data = await this.readAll(tenantId);
+    return Object.keys(data);
+  }
+};
+var createSecretsStore = (agentId, signingKey, config, options) => {
+  const provider = config?.provider ?? "local";
+  const ttl = typeof config?.ttl === "number" ? config.ttl : void 0;
+  const workingDir = options?.workingDir ?? process.cwd();
+  if (provider === "local" || provider === "memory") {
+    return new FileSecretsStore(workingDir, signingKey);
+  }
+  const kv = createRawKVStore(config);
+  if (kv) {
+    const baseKey = `poncho:${STORAGE_SCHEMA_VERSION}:${slugifyStorageComponent(agentId)}`;
+    return new KVSecretsStore(kv, baseKey, signingKey, ttl);
+  }
+  return new FileSecretsStore(workingDir, signingKey);
+};
+async function resolveEnv(secretsStore, tenantId, envName) {
+  if (tenantId && secretsStore) {
+    const secrets = await secretsStore.get(tenantId);
+    if (secrets[envName]) return secrets[envName];
+  }
+  return process.env[envName];
+}
+
 // src/reminder-tools.ts
 import { defineTool as defineTool4 } from "@poncho-ai/sdk";
 var VALID_STATUSES2 = ["pending", "cancelled"];
@@ -3465,7 +3761,8 @@ var createReminderTools = (store) => [
         task,
         scheduledAt,
         timezone,
-        conversationId
+        conversationId,
+        tenantId: context.tenantId
       });
       return {
         ok: true,
@@ -3493,8 +3790,11 @@ var createReminderTools = (store) => [
       },
       additionalProperties: false
     },
-    handler: async (input) => {
+    handler: async (input, context) => {
       let reminders = await store.list();
+      if (context.tenantId) {
+        reminders = reminders.filter((r) => r.tenantId === context.tenantId);
+      }
       const status = typeof input.status === "string" ? input.status : void 0;
       if (status && VALID_STATUSES2.includes(status)) {
         reminders = reminders.filter((r) => r.status === status);
@@ -3526,9 +3826,16 @@ var createReminderTools = (store) => [
       required: ["id"],
       additionalProperties: false
     },
-    handler: async (input) => {
+    handler: async (input, context) => {
       const id = typeof input.id === "string" ? input.id.trim() : "";
       if (!id) throw new Error("id is required");
+      if (context.tenantId) {
+        const all = await store.list();
+        const target = all.find((r) => r.id === id);
+        if (target && target.tenantId !== context.tenantId) {
+          throw new Error("Reminder not found");
+        }
+      }
       const cancelled = await store.cancel(id);
       return {
         ok: true,
@@ -3751,6 +4058,14 @@ var LocalMcpBridge = class {
   toolCatalog = /* @__PURE__ */ new Map();
   unavailableServers = /* @__PURE__ */ new Map();
   authFailedServers = /* @__PURE__ */ new Set();
+  envResolver;
+  /**
+   * Set a resolver for per-tenant env vars (e.g. MCP auth tokens).
+   * Called by the harness after creating the secrets store.
+   */
+  setEnvResolver(resolver) {
+    this.envResolver = resolver;
+  }
   constructor(config) {
     this.remoteServers = (config?.mcp ?? []).filter(
       (entry) => typeof entry.url === "string"
@@ -3790,8 +4105,11 @@ var LocalMcpBridge = class {
     }
     console.info(`[poncho][mcp] ${line}`);
   }
+  /** Set of servers where discovery was deferred (no default token, has env resolver). */
+  deferredDiscoveryServers = /* @__PURE__ */ new Set();
   async discoverTools() {
     this.toolCatalog.clear();
+    this.deferredDiscoveryServers.clear();
     for (const remoteServer of this.remoteServers) {
       const name = this.getServerName(remoteServer);
       if (this.unavailableServers.has(name)) {
@@ -3812,6 +4130,11 @@ var LocalMcpBridge = class {
       } catch (error) {
         const message = error instanceof Error ? error.message : String(error);
         if (error instanceof McpHttpError && error.status === 401) {
+          if (this.envResolver && remoteServer.auth?.tokenEnv) {
+            this.deferredDiscoveryServers.add(name);
+            this.log("info", "catalog.deferred", { server: name, reason: "auth_deferred_to_tenant" });
+            continue;
+          }
           this.authFailedServers.add(name);
           this.log("warn", "auth.failed", {
             server: name,
@@ -3824,6 +4147,57 @@ var LocalMcpBridge = class {
       }
     }
   }
+  /**
+   * Run deferred discovery and return ToolDefinitions for all newly discovered tools.
+   * Call this during run() so the tools are available to the model immediately.
+   */
+  async discoverAndLoadDeferred(tenantId) {
+    if (this.deferredDiscoveryServers.size === 0) return [];
+    for (const server of this.remoteServers) {
+      await this.tryDeferredDiscovery(server, tenantId);
+    }
+    const tools = [];
+    for (const server of this.remoteServers) {
+      const name = this.getServerName(server);
+      if (!server.auth?.tokenEnv) continue;
+      const discovered = this.toolCatalog.get(name);
+      if (!discovered || discovered.length === 0) continue;
+      const client = this.rpcClients.get(name);
+      if (!client) continue;
+      tools.push(...this.toToolDefinitions(name, discovered, client, server));
+    }
+    return tools;
+  }
+  async tryDeferredDiscovery(server, tenantId) {
+    const name = this.getServerName(server);
+    if (!this.deferredDiscoveryServers.has(name)) return;
+    if (this.toolCatalog.has(name)) return;
+    const tokenEnv = server.auth?.tokenEnv;
+    if (!tokenEnv || !this.envResolver) return;
+    const token = await this.envResolver(tenantId, tokenEnv);
+    if (!token) return;
+    try {
+      const probeClient = new StreamableHttpMcpRpcClient(
+        server.url,
+        server.timeoutMs ?? 1e4,
+        token,
+        server.headers
+      );
+      const discovered = await probeClient.listTools();
+      this.toolCatalog.set(name, discovered);
+      this.deferredDiscoveryServers.delete(name);
+      this.log("info", "catalog.loaded", {
+        server: name,
+        discoveredCount: discovered.length,
+        via: "deferred_tenant_discovery"
+      });
+    } catch (error) {
+      this.log("warn", "catalog.deferred_failed", {
+        server: name,
+        error: error instanceof Error ? error.message : String(error)
+      });
+    }
+  }
   async startLocalServers() {
     this.unavailableServers.clear();
     for (const server of this.remoteServers) {
@@ -3832,15 +4206,21 @@ var LocalMcpBridge = class {
       if (tokenEnv) {
         const token = process.env[tokenEnv];
         if (!token || token.trim().length === 0) {
-          this.unavailableServers.set(
-            name,
-            `Missing bearer token value from env var ${tokenEnv}`
-          );
-          this.log("warn", "auth.token_missing", {
+          if (!this.envResolver) {
+            this.unavailableServers.set(
+              name,
+              `Missing bearer token value from env var ${tokenEnv}`
+            );
+            this.log("warn", "auth.token_missing", {
+              server: name,
+              tokenEnv
+            });
+            continue;
+          }
+          this.log("info", "auth.token_deferred", {
             server: name,
             tokenEnv
           });
-          continue;
         }
       }
       this.rpcClients.set(
@@ -3904,6 +4284,29 @@ var LocalMcpBridge = class {
     }
     return output.sort();
   }
+  hasDeferredServers() {
+    return this.deferredDiscoveryServers.size > 0;
+  }
+  /**
+   * Return ToolDefinitions for catalog tools not already registered in the dispatcher.
+   */
+  getUnregisteredTools(registeredNames) {
+    const tools = [];
+    for (const server of this.remoteServers) {
+      const name = this.getServerName(server);
+      const discovered = this.toolCatalog.get(name);
+      if (!discovered || discovered.length === 0) continue;
+      const client = this.rpcClients.get(name);
+      if (!client) continue;
+      const unregistered = discovered.filter(
+        (d) => !registeredNames.has(`${name}/${d.name}`)
+      );
+      if (unregistered.length > 0) {
+        tools.push(...this.toToolDefinitions(name, unregistered, client, server));
+      }
+    }
+    return tools;
+  }
   async loadTools(requestedPatterns) {
     for (const [index, pattern] of requestedPatterns.entries()) {
       validateMcpPattern(pattern, `requestedPatterns[${index}]`);
@@ -3935,7 +4338,7 @@ var LocalMcpBridge = class {
       const selectedDescriptors = discovered.filter(
         (descriptor) => selectedRawNames.has(descriptor.name)
       );
-      tools.push(...this.toToolDefinitions(serverName, selectedDescriptors, client));
+      tools.push(...this.toToolDefinitions(serverName, selectedDescriptors, client, server));
     }
     this.log("info", "tools.selected", {
       requestedPatternCount: requestedPatterns.length,
@@ -3945,7 +4348,7 @@ var LocalMcpBridge = class {
     });
     return tools;
   }
-  toToolDefinitions(serverName, tools, client) {
+  toToolDefinitions(serverName, tools, client, server) {
     return tools.map((tool) => ({
       name: `${serverName}/${tool.name}`,
       description: tool.description ?? `MCP tool ${tool.name} from ${serverName}`,
@@ -3953,9 +4356,23 @@ var LocalMcpBridge = class {
         type: "object",
         properties: {}
       },
-      handler: async (input) => {
+      handler: async (input, context) => {
         try {
-          return await client.callTool(tool.name, input);
+          const tokenEnv = server?.auth?.tokenEnv;
+          let callClient = client;
+          if (tokenEnv && this.envResolver && context?.tenantId) {
+            const tenantToken = await this.envResolver(context.tenantId, tokenEnv);
+            const defaultToken = process.env[tokenEnv];
+            if (tenantToken && tenantToken !== defaultToken) {
+              callClient = new StreamableHttpMcpRpcClient(
+                server.url,
+                server.timeoutMs ?? 1e4,
+                tenantToken,
+                server.headers
+              );
+            }
+          }
+          return await callClient.callTool(tool.name, input);
         } catch (error) {
           if (error instanceof McpHttpError && error.status === 401) {
             this.authFailedServers.add(serverName);
@@ -3986,8 +4403,8 @@ import { createAnthropic } from "@ai-sdk/anthropic";
 
 // src/openai-codex-auth.ts
 import { homedir as homedir3 } from "os";
-import { dirname as dirname5, resolve as resolve9 } from "path";
-import { mkdir as mkdir6, readFile as readFile8, chmod, writeFile as writeFile7, rm as rm3 } from "fs/promises";
+import { dirname as dirname6, resolve as resolve10 } from "path";
+import { mkdir as mkdir7, readFile as readFile9, chmod, writeFile as writeFile8, rm as rm3 } from "fs/promises";
 var OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
 var OPENAI_AUTH_ISSUER = "https://auth.openai.com";
 var REFRESH_TOKEN_GRACE_MS = 5 * 60 * 1e3;
@@ -4019,14 +4436,14 @@ var getOpenAICodexAuthFilePath = (config) => {
   const env = defaultedConfig(config);
   const fromEnv = process.env[env.authFilePathEnv];
   if (typeof fromEnv === "string" && fromEnv.trim().length > 0) {
-    return resolve9(fromEnv);
+    return resolve10(fromEnv);
   }
-  return resolve9(homedir3(), ".poncho", "auth", "openai-codex.json");
+  return resolve10(homedir3(), ".poncho", "auth", "openai-codex.json");
 };
 var readOpenAICodexSession = async (config) => {
   const filePath = getOpenAICodexAuthFilePath(config);
   try {
-    const content = await readFile8(filePath, "utf8");
+    const content = await readFile9(filePath, "utf8");
     const parsed = JSON.parse(content);
     if (typeof parsed.refreshToken !== "string" || parsed.refreshToken.length === 0) {
       return void 0;
@@ -4043,12 +4460,12 @@ var readOpenAICodexSession = async (config) => {
 };
 var writeOpenAICodexSession = async (session, config) => {
   const filePath = getOpenAICodexAuthFilePath(config);
-  await mkdir6(dirname5(filePath), { recursive: true });
+  await mkdir7(dirname6(filePath), { recursive: true });
   const payload = {
     ...session,
     updatedAt: (/* @__PURE__ */ new Date()).toISOString()
   };
-  await writeFile7(filePath, `${JSON.stringify(payload, null, 2)}
+  await writeFile8(filePath, `${JSON.stringify(payload, null, 2)}
 `, "utf8");
   await chmod(filePath, 384);
 };
@@ -4361,8 +4778,8 @@ var createModelProvider = (provider, config) => {
 };
 
 // src/skill-context.ts
-import { readFile as readFile9, readdir as readdir2, stat } from "fs/promises";
-import { dirname as dirname6, resolve as resolve10, normalize } from "path";
+import { readFile as readFile10, readdir as readdir2, stat } from "fs/promises";
+import { dirname as dirname7, resolve as resolve11, normalize } from "path";
 import YAML3 from "yaml";
 var DEFAULT_SKILL_DIRS = ["skills"];
 var resolveSkillDirs = (workingDir, extraPaths) => {
@@ -4374,7 +4791,7 @@ var resolveSkillDirs = (workingDir, extraPaths) => {
       }
     }
   }
-  return dirs.map((d) => resolve10(workingDir, d));
+  return dirs.map((d) => resolve11(workingDir, d));
 };
 var FRONTMATTER_PATTERN3 = /^---\s*\n([\s\S]*?)\n---\s*\n?([\s\S]*)$/;
 var asRecord2 = (value) => typeof value === "object" && value !== null ? value : {};
@@ -4443,7 +4860,7 @@ var collectSkillManifests = async (directory) => {
   const entries = await readdir2(directory, { withFileTypes: true });
   const files = [];
   for (const entry of entries) {
-    const fullPath = resolve10(directory, entry.name);
+    const fullPath = resolve11(directory, entry.name);
     let isDir = entry.isDirectory();
     let isFile = entry.isFile();
     if (entry.isSymbolicLink()) {
@@ -4478,13 +4895,13 @@ var loadSkillMetadata = async (workingDir, extraSkillPaths) => {
   const seen = /* @__PURE__ */ new Set();
   for (const manifest of allManifests) {
     try {
-      const content = await readFile9(manifest, "utf8");
+      const content = await readFile10(manifest, "utf8");
       const parsed = parseSkillFrontmatter(content);
       if (parsed && !seen.has(parsed.name)) {
         seen.add(parsed.name);
         skills.push({
           ...parsed,
-          skillDir: dirname6(manifest),
+          skillDir: dirname7(manifest),
           skillPath: manifest
         });
       }
@@ -4523,7 +4940,7 @@ ${xmlSkills}
 };
 var escapeXml = (value) => value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&apos;");
 var loadSkillInstructions = async (skill) => {
-  const content = await readFile9(skill.skillPath, "utf8");
+  const content = await readFile10(skill.skillPath, "utf8");
   const match = content.match(FRONTMATTER_PATTERN3);
   return match ? match[2].trim() : content.trim();
 };
@@ -4532,11 +4949,11 @@ var readSkillResource = async (skill, relativePath) => {
   if (normalized.startsWith("..") || normalized.startsWith("/")) {
     throw new Error("Path must be relative and within the skill directory");
   }
-  const fullPath = resolve10(skill.skillDir, normalized);
+  const fullPath = resolve11(skill.skillDir, normalized);
   if (!fullPath.startsWith(skill.skillDir)) {
     throw new Error("Path escapes the skill directory");
   }
-  return await readFile9(fullPath, "utf8");
+  return await readFile10(fullPath, "utf8");
 };
 var MAX_INSTRUCTIONS_PER_SKILL = 1200;
 var loadSkillContext = async (workingDir) => {
@@ -4655,7 +5072,7 @@ function convertSchema(schema) {
 // src/skill-tools.ts
 import { defineTool as defineTool5 } from "@poncho-ai/sdk";
 import { access as access2, readdir as readdir3, stat as stat2 } from "fs/promises";
-import { extname, normalize as normalize2, resolve as resolve11, sep as sep2 } from "path";
+import { extname, normalize as normalize2, resolve as resolve12, sep as sep2 } from "path";
 import { pathToFileURL } from "url";
 import { createJiti as createJiti2 } from "jiti";
 var createSkillTools = (skills, options) => {
@@ -4913,7 +5330,7 @@ var collectScriptFiles = async (directory) => {
     if (entry.name === "node_modules") {
       continue;
     }
-    const fullPath = resolve11(directory, entry.name);
+    const fullPath = resolve12(directory, entry.name);
     let isDir = entry.isDirectory();
     let isFile = entry.isFile();
     if (entry.isSymbolicLink()) {
@@ -4952,8 +5369,8 @@ var normalizeScriptPolicyPath = (relativePath) => {
 };
 var resolveScriptPath = (baseDir, relativePath, containmentDir) => {
   const normalized = normalizeScriptPolicyPath(relativePath);
-  const fullPath = resolve11(baseDir, normalized);
-  const boundary = resolve11(containmentDir ?? baseDir);
+  const fullPath = resolve12(baseDir, normalized);
+  const boundary = resolve12(containmentDir ?? baseDir);
   if (!fullPath.startsWith(`${boundary}${sep2}`) && fullPath !== boundary) {
     throw new Error("Script path must stay inside the allowed directory");
   }
@@ -5059,8 +5476,8 @@ function applyRateLimitCooldown(retryAfterHeader) {
 async function runWithSearchThrottle(fn) {
   const previous = searchQueue;
   let release;
-  searchQueue = new Promise((resolve14) => {
-    release = resolve14;
+  searchQueue = new Promise((resolve15) => {
+    release = resolve15;
   });
   await previous.catch(() => {
   });
@@ -5266,7 +5683,8 @@ var createSubagentTools = (manager) => [
       const { subagentId } = await manager.spawn({
         task: task.trim(),
         parentConversationId: conversationId,
-        ownerId
+        ownerId,
+        tenantId: context.tenantId
       });
       return { subagentId, status: "running" };
     }
@@ -5351,8 +5769,12 @@ import { OTLPTraceExporter } from "@opentelemetry/exporter-trace-otlp-http";
 
 // src/telemetry.ts
 var MAX_FIELD_LENGTH = 200;
+var OMIT_FROM_LOG = /* @__PURE__ */ new Set(["continuationMessages", "_harnessMessages", "messages", "compactedHistory"]);
 function sanitizeEventForLog(event) {
-  return JSON.stringify(event, (_key, value) => {
+  return JSON.stringify(event, (key, value) => {
+    if (OMIT_FROM_LOG.has(key) && Array.isArray(value)) {
+      return `[${value.length} messages]`;
+    }
     if (typeof value === "string" && value.length > MAX_FIELD_LENGTH) {
       return `${value.slice(0, 80)}...[${value.length} chars]`;
     }
@@ -6002,8 +6424,11 @@ var AgentHarness = class _AgentHarness {
   uploadStore;
   skillContextWindow = "";
   memoryStore;
+  tenantMemoryStores = /* @__PURE__ */ new Map();
+  memoryConfig;
   todoStore;
   reminderStore;
+  secretsStore;
   loadedConfig;
   loadedSkills = [];
   skillFingerprint = "";
@@ -6288,6 +6713,28 @@ var AgentHarness = class _AgentHarness {
     if (!this.todoStore) return [];
     return this.todoStore.get(conversationId);
   }
+  /**
+   * Get a memory store, optionally scoped to a tenant.
+   * Returns the default (agent-wide) store when tenantId is null/undefined.
+   */
+  getMemoryStore(tenantId) {
+    if (!this.memoryConfig?.enabled) return void 0;
+    if (!tenantId) return this.memoryStore;
+    let store = this.tenantMemoryStores.get(tenantId);
+    if (!store) {
+      const agentId = this.parsedAgent?.frontmatter.id ?? this.parsedAgent?.frontmatter.name ?? "unknown";
+      store = createMemoryStore(agentId, this.memoryConfig, {
+        workingDir: this.workingDir,
+        tenantId
+      });
+      this.tenantMemoryStores.set(tenantId, store);
+      if (this.tenantMemoryStores.size > 100) {
+        const oldest = this.tenantMemoryStores.keys().next().value;
+        if (oldest) this.tenantMemoryStores.delete(oldest);
+      }
+    }
+    return store;
+  }
   listActiveSkills() {
     return [...this.activeSkillNames].sort();
   }
@@ -6518,8 +6965,8 @@ var AgentHarness = class _AgentHarness {
       return false;
     }
     try {
-      const agentFilePath = resolve12(this.workingDir, "AGENT.md");
-      const rawContent = await readFile10(agentFilePath, "utf8");
+      const agentFilePath = resolve13(this.workingDir, "AGENT.md");
+      const rawContent = await readFile11(agentFilePath, "utf8");
       if (rawContent === this.agentFileFingerprint) {
         return false;
       }
@@ -6588,8 +7035,8 @@ var AgentHarness = class _AgentHarness {
     }
   }
   async initialize() {
-    const agentFilePath = resolve12(this.workingDir, "AGENT.md");
-    const agentRawContent = await readFile10(agentFilePath, "utf8");
+    const agentFilePath = resolve13(this.workingDir, "AGENT.md");
+    const agentRawContent = await readFile11(agentFilePath, "utf8");
     this.parsedAgent = parseAgentMarkdown(agentRawContent);
     this.agentFileFingerprint = agentRawContent;
     const identity = await ensureAgentIdentity(this.workingDir);
@@ -6613,6 +7060,7 @@ var AgentHarness = class _AgentHarness {
     this.skillFingerprint = this.buildSkillFingerprint(skillMetadata);
     this.registerSkillTools(skillMetadata);
     const agentId = this.parsedAgent.frontmatter.id ?? this.parsedAgent.frontmatter.name;
+    this.memoryConfig = memoryConfig ?? void 0;
     if (memoryConfig?.enabled) {
       this.memoryStore = createMemoryStore(
         agentId,
@@ -6620,9 +7068,10 @@ var AgentHarness = class _AgentHarness {
         { workingDir: this.workingDir }
       );
       this.dispatcher.registerMany(
-        createMemoryTools(this.memoryStore, {
-          maxRecallConversations: memoryConfig.maxRecallConversations
-        })
+        createMemoryTools(
+          (ctx) => this.getMemoryStore(ctx.tenantId) ?? this.memoryStore,
+          { maxRecallConversations: memoryConfig.maxRecallConversations }
+        )
       );
     }
     const stateConfig = resolveStateConfig(config);
@@ -6647,6 +7096,14 @@ var AgentHarness = class _AgentHarness {
         );
       });
     }
+    const authTokenEnv = config?.auth?.tokenEnv ?? "PONCHO_AUTH_TOKEN";
+    const authToken = process.env[authTokenEnv];
+    if (authToken) {
+      this.secretsStore = createSecretsStore(agentId, authToken, stateConfig, { workingDir: this.workingDir });
+      bridge.setEnvResolver(async (tenantId, envName) => {
+        return resolveEnv(this.secretsStore, tenantId, envName);
+      });
+    }
     await bridge.startLocalServers();
     await bridge.discoverTools();
     await this.refreshMcpTools("initialize");
@@ -6680,14 +7137,14 @@ var AgentHarness = class _AgentHarness {
       const filePath = pathResolve(stateDir, `${sessionId}.json`);
       return {
         async save(json) {
-          const { mkdir: mkdir8, writeFile: writeFile9 } = await import("fs/promises");
-          await mkdir8(stateDir, { recursive: true });
-          await writeFile9(filePath, json, "utf8");
+          const { mkdir: mkdir9, writeFile: writeFile10 } = await import("fs/promises");
+          await mkdir9(stateDir, { recursive: true });
+          await writeFile10(filePath, json, "utf8");
         },
         async load() {
-          const { readFile: readFile12 } = await import("fs/promises");
+          const { readFile: readFile13 } = await import("fs/promises");
           try {
-            return await readFile12(filePath, "utf8");
+            return await readFile13(filePath, "utf8");
           } catch {
             return void 0;
           }
@@ -6753,7 +7210,7 @@ var AgentHarness = class _AgentHarness {
     let browserMod;
     try {
       const { existsSync } = await import("fs");
-      const { join, dirname: dirname8 } = await import("path");
+      const { join, dirname: dirname9 } = await import("path");
       const { pathToFileURL: pathToFileURL2 } = await import("url");
       let searchDir = this.workingDir;
       let entryPath;
@@ -6763,7 +7220,7 @@ var AgentHarness = class _AgentHarness {
           entryPath = candidate;
           break;
         }
-        const parent = dirname8(searchDir);
+        const parent = dirname9(searchDir);
         if (parent === searchDir) break;
         searchDir = parent;
       }
@@ -6839,7 +7296,8 @@ var AgentHarness = class _AgentHarness {
         kind: SpanKind.INTERNAL,
         attributes: {
           "gen_ai.operation.name": "invoke_agent",
-          ...input.conversationId ? { "gen_ai.conversation.id": input.conversationId } : {}
+          ...input.conversationId ? { "gen_ai.conversation.id": input.conversationId } : {},
+          ...input.tenantId ? { "tenant.id": input.tenantId } : {}
         }
       });
       const spanContext = trace.setSpan(otelContext.active(), rootSpan);
@@ -6885,10 +7343,18 @@ var AgentHarness = class _AgentHarness {
     if (!this.parsedAgent) {
       await this.initialize();
     }
-    const memoryPromise = this.memoryStore ? this.memoryStore.getMainMemory() : void 0;
+    const activeMemoryStore = this.getMemoryStore(input.tenantId);
+    const memoryPromise = activeMemoryStore ? activeMemoryStore.getMainMemory() : void 0;
     const todosPromise = this.todoStore ? this.todoStore.get(input.conversationId ?? "__default__") : void 0;
     await this.refreshAgentIfChanged();
     await this.refreshSkillsIfChanged();
+    if (input.tenantId && this.mcpBridge?.hasDeferredServers()) {
+      const newTools = await this.mcpBridge.discoverAndLoadDeferred(input.tenantId);
+      for (const tool of newTools) {
+        this.dispatcher.register(tool);
+        this.registeredMcpToolNames.add(tool.name);
+      }
+    }
     let agent = this.parsedAgent;
     const runId = `run_${randomUUID3()}`;
     const start = now();
@@ -7445,8 +7911,8 @@ ${textContent}` };
               let timer;
               nextPart = await Promise.race([
                 fullStreamIterator.next(),
-                new Promise((resolve14) => {
-                  timer = setTimeout(() => resolve14(null), effectiveTimeout);
+                new Promise((resolve15) => {
+                  timer = setTimeout(() => resolve15(null), effectiveTimeout);
                 })
               ]);
               clearTimeout(timer);
@@ -7664,7 +8130,8 @@ ${textContent}` };
           workingDir: this.workingDir,
           parameters: input.parameters ?? {},
           abortSignal: input.abortSignal,
-          conversationId: input.conversationId
+          conversationId: input.conversationId,
+          tenantId: input.tenantId
         };
         const toolResultsForModel = [];
         const richToolResults = [];
@@ -7766,7 +8233,7 @@ ${textContent}` };
           const raced = await Promise.race([
             this.dispatcher.executeBatch(approvedCalls, toolContext),
             new Promise(
-              (resolve14) => setTimeout(() => resolve14(TOOL_DEADLINE_SENTINEL), toolDeadlineRemainingMs)
+              (resolve15) => setTimeout(() => resolve15(TOOL_DEADLINE_SENTINEL), toolDeadlineRemainingMs)
             )
           ]);
           if (raced === TOOL_DEADLINE_SENTINEL) {
@@ -8139,8 +8606,8 @@ ${this.skillFingerprint}`;
 
 // src/state.ts
 import { randomUUID as randomUUID4 } from "crypto";
-import { mkdir as mkdir7, readFile as readFile11, readdir as readdir4, rename as rename4, rm as rm4, writeFile as writeFile8 } from "fs/promises";
-import { dirname as dirname7, resolve as resolve13 } from "path";
+import { mkdir as mkdir8, readFile as readFile12, readdir as readdir4, rename as rename4, rm as rm4, writeFile as writeFile9 } from "fs/promises";
+import { dirname as dirname8, resolve as resolve14 } from "path";
 var DEFAULT_OWNER = "local-owner";
 var LOCAL_STATE_FILE = "state.json";
 var CONVERSATIONS_DIRECTORY = "conversations";
@@ -8156,9 +8623,9 @@ var toStoreIdentity = async ({
   return { name: ensured.name, id: agentId };
 };
 var writeJsonAtomic4 = async (filePath, payload) => {
-  await mkdir7(dirname7(filePath), { recursive: true });
+  await mkdir8(dirname8(filePath), { recursive: true });
   const tmpPath = `${filePath}.tmp`;
-  await writeFile8(tmpPath, JSON.stringify(payload, null, 2), "utf8");
+  await writeFile9(tmpPath, JSON.stringify(payload, null, 2), "utf8");
   await rename4(tmpPath, filePath);
 };
 var formatUtcTimestamp = (value) => new Date(value).toISOString().replace(/[-:]/g, "").replace(/\.\d{3}Z$/, "Z");
@@ -8254,18 +8721,19 @@ var InMemoryConversationStore = class {
       }
     }
   }
-  async list(ownerId) {
+  async list(ownerId, tenantId) {
     this.purgeExpired();
-    return Array.from(this.conversations.values()).filter((conversation) => !ownerId || conversation.ownerId === ownerId).sort((a, b) => b.updatedAt - a.updatedAt);
+    return Array.from(this.conversations.values()).filter((conversation) => !ownerId || conversation.ownerId === ownerId).filter((c) => tenantId === void 0 || c.tenantId === tenantId).sort((a, b) => b.updatedAt - a.updatedAt);
   }
-  async listSummaries(ownerId) {
+  async listSummaries(ownerId, tenantId) {
     this.purgeExpired();
-    return Array.from(this.conversations.values()).filter((c) => !ownerId || c.ownerId === ownerId).sort((a, b) => b.updatedAt - a.updatedAt).map((c) => ({
+    return Array.from(this.conversations.values()).filter((c) => !ownerId || c.ownerId === ownerId).filter((c) => tenantId === void 0 || c.tenantId === tenantId).sort((a, b) => b.updatedAt - a.updatedAt).map((c) => ({
       conversationId: c.conversationId,
       title: c.title,
       updatedAt: c.updatedAt,
       createdAt: c.createdAt,
       ownerId: c.ownerId,
+      tenantId: c.tenantId,
       parentConversationId: c.parentConversationId,
       messageCount: c.messages.length,
       hasPendingApprovals: Array.isArray(c.pendingApprovals) && c.pendingApprovals.length > 0,
@@ -8276,14 +8744,14 @@ var InMemoryConversationStore = class {
     this.purgeExpired();
     return this.conversations.get(conversationId);
   }
-  async create(ownerId = DEFAULT_OWNER, title) {
+  async create(ownerId = DEFAULT_OWNER, title, tenantId = null) {
     const now2 = Date.now();
     const conversation = {
       conversationId: globalThis.crypto?.randomUUID?.() ?? `${now2}-${Math.random()}`,
       title: normalizeTitle(title),
       messages: [],
       ownerId,
-      tenantId: null,
+      tenantId,
       createdAt: now2,
       updatedAt: now2
     };
@@ -8347,8 +8815,8 @@ var FileConversationStore = class {
       agentId: this.agentId
     });
     const agentDir = getAgentStoreDirectory(identity);
-    const conversationsDir = resolve13(agentDir, CONVERSATIONS_DIRECTORY);
-    const indexPath = resolve13(conversationsDir, LOCAL_CONVERSATION_INDEX_FILE);
+    const conversationsDir = resolve14(agentDir, CONVERSATIONS_DIRECTORY);
+    const indexPath = resolve14(conversationsDir, LOCAL_CONVERSATION_INDEX_FILE);
     this.paths = { conversationsDir, indexPath };
     return this.paths;
   }
@@ -8362,9 +8830,9 @@ var FileConversationStore = class {
   }
   async readConversationFile(fileName) {
     const { conversationsDir } = await this.resolvePaths();
-    const filePath = resolve13(conversationsDir, fileName);
+    const filePath = resolve14(conversationsDir, fileName);
     try {
-      const raw = await readFile11(filePath, "utf8");
+      const raw = await readFile12(filePath, "utf8");
       return JSON.parse(raw);
     } catch {
       return void 0;
@@ -8389,6 +8857,7 @@ var FileConversationStore = class {
           updatedAt: conversation.updatedAt,
           createdAt: conversation.createdAt,
           ownerId: conversation.ownerId,
+          tenantId: conversation.tenantId,
           fileName: entry.name,
           parentConversationId: conversation.parentConversationId,
           messageCount: conversation.messages.length,
@@ -8410,7 +8879,7 @@ var FileConversationStore = class {
     this.loaded = true;
     const { indexPath } = await this.resolvePaths();
     try {
-      const raw = await readFile11(indexPath, "utf8");
+      const raw = await readFile12(indexPath, "utf8");
       const parsed = JSON.parse(raw);
       for (const conversation of parsed.conversations ?? []) {
         this.conversations.set(conversation.conversationId, conversation);
@@ -8433,7 +8902,7 @@ var FileConversationStore = class {
     const { conversationsDir } = await this.resolvePaths();
     const existing = this.conversations.get(conversation.conversationId);
     const fileName = existing?.fileName ?? this.resolveConversationFileName(conversation);
-    const filePath = resolve13(conversationsDir, fileName);
+    const filePath = resolve14(conversationsDir, fileName);
     this.writing = this.writing.then(async () => {
       await writeJsonAtomic4(filePath, conversation);
       this.conversations.set(conversation.conversationId, {
@@ -8442,6 +8911,7 @@ var FileConversationStore = class {
         updatedAt: conversation.updatedAt,
         createdAt: conversation.createdAt,
         ownerId: conversation.ownerId,
+        tenantId: conversation.tenantId,
         fileName,
         parentConversationId: conversation.parentConversationId,
         messageCount: conversation.messages.length,
@@ -8452,9 +8922,9 @@ var FileConversationStore = class {
     });
     await this.writing;
   }
-  async list(ownerId) {
+  async list(ownerId, tenantId) {
     await this.ensureLoaded();
-    const summaries = Array.from(this.conversations.values()).filter((conversation) => !ownerId || conversation.ownerId === ownerId).sort((a, b) => b.updatedAt - a.updatedAt);
+    const summaries = Array.from(this.conversations.values()).filter((conversation) => !ownerId || conversation.ownerId === ownerId).filter((c) => tenantId === void 0 || (c.tenantId ?? null) === tenantId).sort((a, b) => b.updatedAt - a.updatedAt);
     const conversations = [];
     for (const summary of summaries) {
       const loaded = await this.readConversationFile(summary.fileName);
@@ -8464,14 +8934,15 @@ var FileConversationStore = class {
     }
     return conversations;
   }
-  async listSummaries(ownerId) {
+  async listSummaries(ownerId, tenantId) {
     await this.ensureLoaded();
-    return Array.from(this.conversations.values()).filter((c) => !ownerId || c.ownerId === ownerId).sort((a, b) => b.updatedAt - a.updatedAt).map((c) => ({
+    return Array.from(this.conversations.values()).filter((c) => !ownerId || c.ownerId === ownerId).filter((c) => tenantId === void 0 || (c.tenantId ?? null) === tenantId).sort((a, b) => b.updatedAt - a.updatedAt).map((c) => ({
       conversationId: c.conversationId,
       title: c.title,
       updatedAt: c.updatedAt,
       createdAt: c.createdAt,
       ownerId: c.ownerId,
+      tenantId: c.tenantId,
       parentConversationId: c.parentConversationId,
       messageCount: c.messageCount,
       hasPendingApprovals: c.hasPendingApprovals,
@@ -8486,7 +8957,7 @@ var FileConversationStore = class {
     }
     return await this.readConversationFile(summary.fileName);
   }
-  async create(ownerId = DEFAULT_OWNER, title) {
+  async create(ownerId = DEFAULT_OWNER, title, tenantId = null) {
     await this.ensureLoaded();
     const now2 = Date.now();
     const conversation = {
@@ -8494,7 +8965,7 @@ var FileConversationStore = class {
       title: normalizeTitle(title),
       messages: [],
       ownerId,
-      tenantId: null,
+      tenantId,
       createdAt: now2,
       updatedAt: now2
     };
@@ -8531,7 +9002,7 @@ var FileConversationStore = class {
     if (removed) {
       this.writing = this.writing.then(async () => {
         if (existing) {
-          await rm4(resolve13(conversationsDir, existing.fileName), { force: true });
+          await rm4(resolve14(conversationsDir, existing.fileName), { force: true });
         }
         await this.writeIndex();
       });
@@ -8553,7 +9024,7 @@ var FileConversationStore = class {
     const summary = this.conversations.get(conversationId);
     if (!summary) return void 0;
     const { conversationsDir } = await this.resolvePaths();
-    const filePath = resolve13(conversationsDir, summary.fileName);
+    const filePath = resolve14(conversationsDir, summary.fileName);
     let result;
     this.writing = this.writing.then(async () => {
       const conv = await this.readConversationFile(summary.fileName);
@@ -8592,7 +9063,7 @@ var FileStateStore = class {
       workingDir: this.workingDir,
       agentId: this.agentId
     });
-    this.filePath = resolve13(getAgentStoreDirectory(identity), LOCAL_STATE_FILE);
+    this.filePath = resolve14(getAgentStoreDirectory(identity), LOCAL_STATE_FILE);
   }
   isExpired(state) {
     return typeof this.ttlMs === "number" && Date.now() - state.updatedAt > this.ttlMs;
@@ -8604,7 +9075,7 @@ var FileStateStore = class {
     }
     this.loaded = true;
     try {
-      const raw = await readFile11(this.filePath, "utf8");
+      const raw = await readFile12(this.filePath, "utf8");
       const parsed = JSON.parse(raw);
       for (const state of parsed.states ?? []) {
         this.states.set(state.runId, state);
@@ -8737,10 +9208,10 @@ var KeyValueConversationStoreBase = class {
       return void 0;
     }
   }
-  async list(ownerId) {
+  async list(ownerId, tenantId) {
     const kv = await this.client();
     if (!kv) {
-      return await this.memoryFallback.list(ownerId);
+      return await this.memoryFallback.list(ownerId, tenantId);
     }
     if (!ownerId) {
       return [];
@@ -8753,16 +9224,19 @@ var KeyValueConversationStoreBase = class {
     for (const raw of rawValues) {
       if (!raw) continue;
       try {
-        conversations.push(JSON.parse(raw));
+        const conv = JSON.parse(raw);
+        if (tenantId === void 0 || conv.tenantId === tenantId) {
+          conversations.push(conv);
+        }
       } catch {
       }
     }
     return conversations.sort((a, b) => b.updatedAt - a.updatedAt);
   }
-  async listSummaries(ownerId) {
+  async listSummaries(ownerId, tenantId) {
     const kv = await this.client();
     if (!kv) {
-      return await this.memoryFallback.listSummaries(ownerId);
+      return await this.memoryFallback.listSummaries(ownerId, tenantId);
     }
     if (!ownerId) {
       return [];
@@ -8776,13 +9250,14 @@ var KeyValueConversationStoreBase = class {
       if (!raw) continue;
       try {
         const meta = JSON.parse(raw);
-        if (meta.ownerId === ownerId) {
+        if (meta.ownerId === ownerId && (tenantId === void 0 || (meta.tenantId ?? null) === tenantId)) {
           summaries.push({
             conversationId: meta.conversationId,
             title: meta.title,
             updatedAt: meta.updatedAt,
             createdAt: meta.createdAt,
             ownerId: meta.ownerId,
+            tenantId: meta.tenantId,
             parentConversationId: meta.parentConversationId,
             messageCount: meta.messageCount,
             hasPendingApprovals: meta.hasPendingApprovals,
@@ -8809,14 +9284,14 @@ var KeyValueConversationStoreBase = class {
       return void 0;
     }
   }
-  async create(ownerId = DEFAULT_OWNER, title) {
+  async create(ownerId = DEFAULT_OWNER, title, tenantId = null) {
     const now2 = Date.now();
     const conversation = {
       conversationId: globalThis.crypto?.randomUUID?.() ?? `${now2}-${Math.random()}`,
       title: normalizeTitle(title),
       messages: [],
       ownerId,
-      tenantId: null,
+      tenantId,
       createdAt: now2,
       updatedAt: now2
     };
@@ -8845,6 +9320,7 @@ var KeyValueConversationStoreBase = class {
         updatedAt: nextConversation.updatedAt,
         createdAt: nextConversation.createdAt,
         ownerId: nextConversation.ownerId,
+        tenantId: nextConversation.tenantId,
         parentConversationId: nextConversation.parentConversationId,
         messageCount: nextConversation.messages.length,
         hasPendingApprovals: Array.isArray(nextConversation.pendingApprovals) && nextConversation.pendingApprovals.length > 0,
@@ -9304,6 +9780,32 @@ var createConversationStore = (config, options) => {
   return new InMemoryConversationStore(ttl);
 };
 
+// src/tenant-token.ts
+import { jwtVerify } from "jose";
+async function verifyTenantToken(signingKey, token) {
+  try {
+    const secret = new TextEncoder().encode(signingKey);
+    const { payload } = await jwtVerify(token, secret, {
+      algorithms: ["HS256"]
+    });
+    const tenantId = payload.sub;
+    if (!tenantId || typeof tenantId !== "string") {
+      return void 0;
+    }
+    const metadata = extractMetadata(payload);
+    return { tenantId, metadata };
+  } catch {
+    return void 0;
+  }
+}
+function extractMetadata(payload) {
+  const meta = payload.meta;
+  if (meta && typeof meta === "object" && !Array.isArray(meta)) {
+    return meta;
+  }
+  return void 0;
+}
+
 // src/index.ts
 import { defineTool as defineTool9 } from "@poncho-ai/sdk";
 export {
@@ -9334,6 +9836,7 @@ export {
   createReminderStore,
   createReminderTools,
   createSearchTools,
+  createSecretsStore,
   createSkillTools,
   createStateStore,
   createSubagentTools,
@@ -9368,10 +9871,12 @@ export {
   renderAgentPrompt,
   resolveAgentIdentity,
   resolveCompactionConfig,
+  resolveEnv,
   resolveMemoryConfig,
   resolveSkillDirs,
   resolveStateConfig,
   slugifyStorageComponent,
   startOpenAICodexDeviceAuth,
+  verifyTenantToken,
   writeOpenAICodexSession
 };