@slashfi/agents-sdk 0.89.0 → 0.89.2

package/src/call-agent-schema.ts

@@ -119,6 +119,22 @@ const callAgentBaseSchema = z.object({
   callerId: z.string().optional().describe("Caller ID for access control"),
   callerType: callerTypeSchema.optional().describe("Caller type"),
   metadata: z.object({}).passthrough().optional().describe("Additional metadata"),
+  maxResultTokens: z
+    .number()
+    .int()
+    .min(1)
+    .nullable()
+    .optional()
+    .describe(
+      "Maximum token count for the call result. If null, result limiting is disabled. If omitted, the registry default applies.",
+    ),
+  overflow: z
+    .enum(["error", "truncate"])
+    .nullable()
+    .optional()
+    .describe(
+      'What to do when the result exceeds maxResultTokens. "error" returns an error, "truncate" returns a partial result.',
+    ),
 });
 
 // ─────────────────────────────────────────────────────────────────────────────

package/src/config-store.test.ts

@@ -583,6 +583,99 @@ describe("ADK ref.call() full auto-refresh flow", () => {
     expect(cache.refs.math.authFields).toEqual({});
   });
 
+  test("ref.authStatus maps form security to required access_token authFields", async () => {
+    // Form security (e.g. databases) asks the user for structured
+    // connection fields, but the ADK call path stores the encoded form
+    // payload under `config.access_token` and forwards it to registry
+    // executors as `params.accessToken`. The cached authFields shape must
+    // therefore require `access_token`; otherwise host-side
+    // `isRefAuthComplete` / `isRefConnected` checks treat empty form refs
+    // as connected because there are no required fields to satisfy.
+    const fs = createMemoryFs();
+    const fetch: typeof globalThis.fetch = async () =>
+      Response.json({
+        jsonrpc: "2.0",
+        id: "call-1",
+        result: {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                success: true,
+                toolSummaries: [{ name: "query", description: "Execute SQL" }],
+                description: "Form auth agent",
+                security: {
+                  type: "form",
+                  fields: [
+                    { name: "host", type: "string", required: true },
+                    { name: "password", type: "password", required: true },
+                  ],
+                },
+              }),
+            },
+          ],
+        },
+      });
+    const adk = createAdk(fs, {
+      encryptionKey: "test-key-32-chars-long-enough!!",
+      fetch,
+    });
+
+    await adk.registry.add({
+      name: "form-reg",
+      url: "http://registry.test",
+    });
+    const initialConfig = await adk.readConfig();
+    await adk.writeConfig({
+      ...initialConfig,
+      refs: [
+        ...(initialConfig.refs ?? []),
+        {
+          ref: "form-api",
+          name: "form-api-unauthed",
+          scheme: "registry",
+          sourceRegistry: {
+            url: "http://registry.test",
+            agentPath: "form-api",
+          },
+        },
+      ],
+    });
+
+    const status = await adk.ref.authStatus("form-api-unauthed");
+    expect(status.complete).toBe(false);
+    expect(status.fields?.access_token).toEqual({
+      required: true,
+      automated: false,
+      present: false,
+      resolvable: false,
+    });
+
+    const cacheRaw = await fs.readFile("registry-cache.json");
+    expect(cacheRaw).not.toBeNull();
+    if (!cacheRaw) throw new Error("registry-cache.json missing");
+    const cache = JSON.parse(cacheRaw) as {
+      refs: Record<string, { authFields?: Record<string, unknown> }>;
+    };
+    expect(cache.refs["form-api-unauthed"].authFields).toEqual({
+      access_token: { required: true, automated: false },
+    });
+
+    const config = await adk.readConfig();
+    await adk.writeConfig({
+      ...config,
+      refs: config.refs?.map((r) =>
+        r.name === "form-api-unauthed"
+          ? { ...r, config: { ...r.config, access_token: "encoded-form" } }
+          : r,
+      ),
+    });
+
+    const authedStatus = await adk.ref.authStatus("form-api-unauthed");
+    expect(authedStatus.complete).toBe(true);
+    expect(authedStatus.fields?.access_token?.present).toBe(true);
+  });
+
   test("ref.authStatus does NOT persist authFields when inspect fails (registry unreachable)", async () => {
     // Sibling guard: if the registry inspect call throws / returns null
     // (network error, registry doesn't host the ref, etc.), we must NOT

package/src/config-store.ts

@@ -214,6 +214,17 @@ export interface AdkOptions {
   encryptionKey?: string;
   /** Bearer token for authenticated registries */
   token?: string;
+  /**
+   * Default result token limit to pass through for `ref.call` registry requests.
+   * Use `null` to explicitly disable remote result limiting for in-process
+   * scripting boundaries like `adk run`; omit to use the registry default.
+   */
+  refCallMaxResultTokens?: number | null;
+  /**
+   * Default overflow behavior to pass through for `ref.call` registry requests.
+   * Only applies when the remote registry enforces a result limit.
+   */
+  refCallOverflow?: "error" | "truncate" | null;
   /**
    * OAuth callback URL. Defaults to http://localhost:8919/callback.
    * Set this to your server's callback endpoint in non-local environments
@@ -2200,6 +2211,12 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
           action: "execute_tool",
           path: entry.sourceRegistry?.agentPath ?? entry.ref,
           tool,
+          ...("refCallMaxResultTokens" in options && {
+            maxResultTokens: options.refCallMaxResultTokens,
+          }),
+          ...("refCallOverflow" in options && {
+            overflow: options.refCallOverflow,
+          }),
           params: {
             ...(params ?? {}),
             ...(token && { accessToken: token }),
@@ -2425,6 +2442,21 @@ export function createAdk(fs: FsStore, options: AdkOptions = {}): Adk {
           present: configKeys.includes("token"),
           resolvable: await canResolve("token"),
         };
+      } else if (security.type === "form") {
+        // Form-based refs collect structured user input at connect time
+        // (for example database host/user/password), then store the encoded
+        // form payload in the canonical credential slot that `ref.call`
+        // already reads and forwards to registry executors as
+        // `params.accessToken`. Cache that derived credential requirement
+        // instead of the individual form fields so host-side connected checks
+        // answer the same question as the call path: "does this ref carry
+        // the opaque credential blob needed to invoke it?"
+        fields.access_token = {
+          required: true,
+          automated: false,
+          present: configKeys.includes("access_token"),
+          resolvable: await canResolve("access_token"),
+        };
       }
 
       const complete = Object.values(fields).every(

package/src/index.ts

@@ -85,6 +85,7 @@ export type {
   ToolSelectionContext,
   IntegrationConfig,
   ApiKeySecurityScheme,
+  FormSecurityScheme,
   HttpSecurityScheme,
   NoneSecurityScheme,
   OAuth2SecurityScheme,

package/src/types.ts

@@ -243,6 +243,17 @@ export interface HttpSecurityScheme {
   scheme: "bearer" | "basic";
 }
 
+/**
+ * Form-based authentication. Consumers collect arbitrary structured fields
+ * (for example database connection settings), then store the encoded form
+ * payload in the ref's `access_token` credential slot. At call time ADK
+ * forwards that value as `params.accessToken` to the registry executor.
+ */
+export interface FormSecurityScheme {
+  type: "form";
+  [key: string]: unknown;
+}
+
 /**
  * No authentication required.
  */
@@ -285,6 +296,7 @@ export type SecurityScheme =
   | OAuth2SecurityScheme
   | ApiKeySecurityScheme
   | HttpSecurityScheme
+  | FormSecurityScheme
   | NoneSecurityScheme;
 
 /**