agno 2.3.12__py3-none-any.whl → 2.3.14__py3-none-any.whl

agno/eval/__init__.py

@@ -1,12 +1,4 @@
-from agno.eval.accuracy import AccuracyAgentResponse, AccuracyEval, AccuracyEvaluation, AccuracyResult
-from agno.eval.agent_as_judge import (
-    AgentAsJudgeEval,
-    AgentAsJudgeEvaluation,
-    AgentAsJudgeResult,
-)
 from agno.eval.base import BaseEval
-from agno.eval.performance import PerformanceEval, PerformanceResult
-from agno.eval.reliability import ReliabilityEval, ReliabilityResult
 
 __all__ = [
     "AccuracyAgentResponse",
@@ -22,3 +14,24 @@ __all__ = [
     "ReliabilityEval",
     "ReliabilityResult",
 ]
+
+
+def __getattr__(name: str):
+    """Lazy import for eval implementations to avoid circular imports with Agent."""
+    if name in ("AccuracyAgentResponse", "AccuracyEval", "AccuracyEvaluation", "AccuracyResult"):
+        from agno.eval import accuracy
+
+        return getattr(accuracy, name)
+    elif name in ("AgentAsJudgeEval", "AgentAsJudgeEvaluation", "AgentAsJudgeResult"):
+        from agno.eval import agent_as_judge
+
+        return getattr(agent_as_judge, name)
+    elif name in ("PerformanceEval", "PerformanceResult"):
+        from agno.eval import performance
+
+        return getattr(performance, name)
+    elif name in ("ReliabilityEval", "ReliabilityResult"):
+        from agno.eval import reliability
+
+        return getattr(reliability, name)
+    raise AttributeError(f"module '{__name__}' has no attribute '{name}'")

agno/knowledge/embedder/azure_openai.py

@@ -18,7 +18,6 @@ except ImportError:
 @dataclass
 class AzureOpenAIEmbedder(Embedder):
     id: str = "text-embedding-3-small"  # This has to match the model that you deployed at the provided URL
-
     dimensions: int = 1536
     encoding_format: Literal["float", "base64"] = "float"
     user: Optional[str] = None

agno/knowledge/embedder/google.py

@@ -15,7 +15,7 @@ except ImportError:
 
 @dataclass
 class GeminiEmbedder(Embedder):
-    id: str = "gemini-embedding-exp-03-07"
+    id: str = "gemini-embedding-001"
     task_type: str = "RETRIEVAL_QUERY"
     title: Optional[str] = None
     dimensions: Optional[int] = 1536

agno/models/anthropic/claude.py

@@ -320,8 +320,11 @@ class Claude(Model):
 
             return {"type": "json_schema", "schema": schema}
 
-        # Handle dict format (already in correct structure)
+        # Handle dict format
         elif isinstance(response_format, dict):
+            # Claude only supports json_schema, not json_object
+            if response_format.get("type") == "json_object":
+                return None
             return response_format
 
         return None

agno/models/azure/openai_chat.py

@@ -65,11 +65,17 @@ class AzureOpenAI(OpenAILike):
         self.azure_endpoint = self.azure_endpoint or getenv("AZURE_OPENAI_ENDPOINT")
         self.azure_deployment = self.azure_deployment or getenv("AZURE_OPENAI_DEPLOYMENT")
 
-        if not self.api_key:
-            raise ModelAuthenticationError(
-                message="AZURE_OPENAI_API_KEY not set. Please set the AZURE_OPENAI_API_KEY environment variable.",
-                model_name=self.name,
-            )
+        if not (self.api_key or self.azure_ad_token):
+            if not self.api_key:
+                raise ModelAuthenticationError(
+                    message="AZURE_OPENAI_API_KEY not set. Please set the AZURE_OPENAI_API_KEY environment variable.",
+                    model_name=self.name,
+                )
+            if not self.azure_ad_token:
+                raise ModelAuthenticationError(
+                    message="AZURE_AD_TOKEN not set. Please set the AZURE_AD_TOKEN environment variable.",
+                    model_name=self.name,
+                )
 
         params_mapping = {
             "api_key": self.api_key,

agno/models/base.py

@@ -196,7 +196,8 @@ class Model(ABC):
                     )
                     sleep(delay)
                 else:
-                    log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
+                    if self.retries > 0:
+                        log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
             except RetryableModelProviderError as e:
                 current_count = retries_with_guidance_count
                 if current_count >= self.retry_with_guidance_limit:
@@ -238,7 +239,8 @@ class Model(ABC):
                     )
                     await asyncio.sleep(delay)
                 else:
-                    log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
+                    if self.retries > 0:
+                        log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
             except RetryableModelProviderError as e:
                 current_count = retries_with_guidance_count
                 if current_count >= self.retry_with_guidance_limit:
@@ -283,7 +285,8 @@ class Model(ABC):
                     )
                     sleep(delay)
                 else:
-                    log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
+                    if self.retries > 0:
+                        log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
             except RetryableModelProviderError as e:
                 current_count = retries_with_guidance_count
                 if current_count >= self.retry_with_guidance_limit:
@@ -330,7 +333,8 @@ class Model(ABC):
                     )
                     await asyncio.sleep(delay)
                 else:
-                    log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
+                    if self.retries > 0:
+                        log_error(f"Model provider error after {self.retries + 1} attempts: {e}")
             except RetryableModelProviderError as e:
                 current_count = retries_with_guidance_count
                 if current_count >= self.retry_with_guidance_limit:

agno/models/openai/chat.py

@@ -768,7 +768,6 @@ class OpenAIChat(Model):
         # Add role
         if response_message.role is not None:
             model_response.role = response_message.role
-
         # Add content
         if response_message.content is not None:
             model_response.content = response_message.content
@@ -846,7 +845,6 @@ class OpenAIChat(Model):
 
         if response_delta.choices and len(response_delta.choices) > 0:
             choice_delta: ChoiceDelta = response_delta.choices[0].delta
-
             if choice_delta:
                 # Add content
                 if choice_delta.content is not None:

agno/models/openai/responses.py

@@ -234,8 +234,8 @@ class OpenAIResponses(Model):
                     "strict": self.strict_output,
                 }
             else:
-                # JSON mode
-                text_params["format"] = {"type": "json_object"}
+                # Pass through directly, user handles everything
+                text_params["format"] = response_format
 
         # Add text parameter if there are any text-level params
         if text_params:

agno/os/app.py

@@ -16,6 +16,7 @@ from agno.db.base import AsyncBaseDb, BaseDb
 from agno.knowledge.knowledge import Knowledge
 from agno.os.config import (
     AgentOSConfig,
+    AuthorizationConfig,
     DatabaseConfig,
     EvalsConfig,
     EvalsDomainConfig,
@@ -49,11 +50,12 @@ from agno.os.utils import (
     collect_mcp_tools_from_workflow,
     find_conflicting_routes,
     load_yaml_config,
+    resolve_origins,
     setup_tracing_for_os,
     update_cors_middleware,
 )
 from agno.team.team import Team
-from agno.utils.log import log_debug, log_error, log_warning
+from agno.utils.log import log_debug, log_error, log_info, log_warning
 from agno.utils.string import generate_id, generate_id_from_name
 from agno.workflow.workflow import Workflow
 
@@ -118,17 +120,20 @@ class AgentOS:
         knowledge: Optional[List[Knowledge]] = None,
         interfaces: Optional[List[BaseInterface]] = None,
         a2a_interface: bool = False,
+        authorization: bool = False,
+        authorization_config: Optional[AuthorizationConfig] = None,
+        cors_allowed_origins: Optional[List[str]] = None,
         config: Optional[Union[str, AgentOSConfig]] = None,
         settings: Optional[AgnoAPISettings] = None,
         lifespan: Optional[Any] = None,
         enable_mcp_server: bool = False,
         base_app: Optional[FastAPI] = None,
         on_route_conflict: Literal["preserve_agentos", "preserve_base_app", "error"] = "preserve_agentos",
-        telemetry: bool = True,
         tracing: bool = False,
         tracing_db: Optional[Union[BaseDb, AsyncBaseDb]] = None,
         auto_provision_dbs: bool = True,
         run_hooks_in_background: bool = False,
+        telemetry: bool = True,
     ):
         """Initialize AgentOS.
 
@@ -149,11 +154,15 @@ class AgentOS:
             enable_mcp_server: Whether to enable MCP (Model Context Protocol)
             base_app: Optional base FastAPI app to use for the AgentOS. All routes and middleware will be added to this app.
             on_route_conflict: What to do when a route conflict is detected in case a custom base_app is provided.
-            telemetry: Whether to enable telemetry
+            auto_provision_dbs: Whether to automatically provision databases
+            authorization: Whether to enable authorization
+            authorization_config: Configuration for the authorization middleware
+            cors_allowed_origins: List of allowed CORS origins (will be merged with default Agno domains)
             tracing: If True, enables OpenTelemetry tracing for all agents and teams in the OS
             tracing_db: Dedicated database for storing and reading traces. Recommended for multi-db setups.
                        If not provided and tracing=True, the first available db from agents/teams/workflows is used.
             run_hooks_in_background: If True, run agent/team pre/post hooks as FastAPI background tasks (non-blocking)
+            telemetry: Whether to enable telemetry
 
         """
         if not agents and not workflows and not teams and not knowledge:
@@ -198,6 +207,13 @@ class AgentOS:
         self.enable_mcp_server = enable_mcp_server
         self.lifespan = lifespan
 
+        # RBAC
+        self.authorization = authorization
+        self.authorization_config = authorization_config
+
+        # CORS configuration - merge user-provided origins with defaults from settings
+        self.cors_allowed_origins = resolve_origins(cors_allowed_origins, self.settings.cors_origin_list)
+
         # If True, run agent/team hooks as FastAPI background tasks
         self.run_hooks_in_background = run_hooks_in_background
 
@@ -209,6 +225,9 @@ class AgentOS:
         self._initialize_teams()
         self._initialize_workflows()
 
+        # Check for duplicate IDs
+        self._raise_if_duplicate_ids()
+
         if self.tracing:
             self._setup_tracing()
 
@@ -250,6 +269,9 @@ class AgentOS:
         self._initialize_agents()
         self._initialize_teams()
         self._initialize_workflows()
+
+        # Check for duplicate IDs
+        self._raise_if_duplicate_ids()
         self._auto_discover_databases()
         self._auto_discover_knowledge_instances()
 
@@ -318,6 +340,31 @@ class AgentOS:
             self.interfaces.append(a2a_interface)
             self._add_router(app, a2a_interface.get_router())
 
+    def _raise_if_duplicate_ids(self) -> None:
+        """Check for duplicate IDs within each entity type.
+
+        Raises:
+            ValueError: If duplicate IDs are found within the same entity type
+        """
+        duplicate_ids: List[str] = []
+
+        for entities in [self.agents, self.teams, self.workflows]:
+            if not entities:
+                continue
+            seen_ids: set[str] = set()
+            for entity in entities:
+                entity_id = entity.id
+                if entity_id is None:
+                    continue
+                if entity_id in seen_ids:
+                    if entity_id not in duplicate_ids:
+                        duplicate_ids.append(entity_id)
+                else:
+                    seen_ids.add(entity_id)
+
+        if duplicate_ids:
+            raise ValueError(f"Duplicate IDs found in AgentOS: {', '.join(repr(id_) for id_ in duplicate_ids)}")
+
     def _make_app(self, lifespan: Optional[Any] = None) -> FastAPI:
         # Adjust the FastAPI app lifespan to handle MCP connections if relevant
         app_lifespan = lifespan
@@ -558,10 +605,53 @@ class AgentOS:
                 )
 
         # Update CORS middleware
-        update_cors_middleware(fastapi_app, self.settings.cors_origin_list)  # type: ignore
+        update_cors_middleware(fastapi_app, self.cors_allowed_origins)  # type: ignore
+
+        # Set agent_os_id and cors_allowed_origins on app state
+        # This allows middleware (like JWT) to access these values
+        fastapi_app.state.agent_os_id = self.id
+        fastapi_app.state.cors_allowed_origins = self.cors_allowed_origins
+
+        # Add JWT middleware if authorization is enabled
+        if self.authorization:
+            self._add_jwt_middleware(fastapi_app)
 
         return fastapi_app
 
+    def _add_jwt_middleware(self, fastapi_app: FastAPI) -> None:
+        from agno.os.middleware.jwt import JWTMiddleware, JWTValidator
+
+        verify_audience = False
+        jwks_file = None
+        verification_keys = None
+        algorithm = "RS256"
+
+        if self.authorization_config:
+            algorithm = self.authorization_config.algorithm or "RS256"
+            verification_keys = self.authorization_config.verification_keys
+            jwks_file = self.authorization_config.jwks_file
+            verify_audience = self.authorization_config.verify_audience or False
+
+        log_info(f"Adding JWT middleware for authorization (algorithm: {algorithm})")
+
+        # Create validator and store on app.state for WebSocket access
+        jwt_validator = JWTValidator(
+            verification_keys=verification_keys,
+            jwks_file=jwks_file,
+            algorithm=algorithm,
+        )
+        fastapi_app.state.jwt_validator = jwt_validator
+
+        # Add middleware to stack
+        fastapi_app.add_middleware(
+            JWTMiddleware,
+            verification_keys=verification_keys,
+            jwks_file=jwks_file,
+            algorithm=algorithm,
+            authorization=self.authorization,
+            verify_audience=verify_audience,
+        )
+
     def get_routes(self) -> List[Any]:
         """Retrieve all routes from the FastAPI app.
 
@@ -922,6 +1012,8 @@ class AgentOS:
         host: str = "localhost",
         port: int = 7777,
         reload: bool = False,
+        reload_includes: Optional[List[str]] = None,
+        reload_excludes: Optional[List[str]] = None,
         workers: Optional[int] = None,
         access_log: bool = False,
         **kwargs,
@@ -956,4 +1048,19 @@ class AgentOS:
             )
         )
 
-        uvicorn.run(app=app, host=host, port=port, reload=reload, workers=workers, access_log=access_log, **kwargs)
+        # Adding *.yaml to reload_includes to reload the app when the yaml config file changes.
+        if reload and reload_includes is not None:
+            reload_includes = ["*.yaml", "*.yml"]
+
+        uvicorn.run(
+            app=app,
+            host=host,
+            port=port,
+            reload=reload,
+            reload_includes=reload_includes,
+            reload_excludes=reload_excludes,
+            workers=workers,
+            access_log=access_log,
+            lifespan="on",
+            **kwargs,
+        )

agno/os/auth.py

@@ -1,6 +1,9 @@
-from fastapi import Depends, HTTPException
+from typing import List, Set
+
+from fastapi import Depends, HTTPException, Request
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 
+from agno.os.scopes import get_accessible_resource_ids
 from agno.os.settings import AgnoAPISettings
 
 # Create a global HTTPBearer instance
@@ -18,7 +21,7 @@ def get_authentication_dependency(settings: AgnoAPISettings):
         A dependency function that can be used with FastAPI's Depends()
     """
 
-    def auth_dependency(credentials: HTTPAuthorizationCredentials = Depends(security)) -> bool:
+    async def auth_dependency(credentials: HTTPAuthorizationCredentials = Depends(security)) -> bool:
         # If no security key is set, skip authentication entirely
         if not settings or not settings.os_security_key:
             return True
@@ -40,7 +43,7 @@ def get_authentication_dependency(settings: AgnoAPISettings):
 
 def validate_websocket_token(token: str, settings: AgnoAPISettings) -> bool:
     """
-    Validate a bearer token for WebSocket authentication.
+    Validate a bearer token for WebSocket authentication (legacy os_security_key method).
 
     Args:
         token: The bearer token to validate
@@ -55,3 +58,187 @@ def validate_websocket_token(token: str, settings: AgnoAPISettings) -> bool:
 
     # Verify the token matches the configured security key
     return token == settings.os_security_key
+
+
+def get_accessible_resources(request: Request, resource_type: str) -> Set[str]:
+    """
+    Get the set of resource IDs the user has access to based on their scopes.
+
+    This function is used to filter lists of resources (agents, teams, workflows)
+    based on the user's scopes from their JWT token.
+
+    Args:
+        request: The FastAPI request object (contains request.state.scopes)
+        resource_type: Type of resource ("agents", "teams", "workflows")
+
+    Returns:
+        Set of resource IDs the user can access. Returns {"*"} for wildcard access.
+
+    Usage:
+        accessible_ids = get_accessible_resources(request, "agents")
+        if "*" not in accessible_ids:
+            agents = [a for a in agents if a.id in accessible_ids]
+
+    Examples:
+        >>> # User with specific agent access
+        >>> # Token scopes: ["agent-os:my-os:agents:my-agent:read"]
+        >>> get_accessible_resources(request, "agents")
+        {'my-agent'}
+
+        >>> # User with wildcard access
+        >>> # Token scopes: ["agent-os:my-os:agents:*:read"] or ["admin"]
+        >>> get_accessible_resources(request, "agents")
+        {'*'}
+
+        >>> # User with agent-os level access (global resource scope)
+        >>> # Token scopes: ["agent-os:my-os:agents:read"]
+        >>> get_accessible_resources(request, "agents")
+        {'*'}
+    """
+    # Check if accessible_resource_ids is already cached in request state (set by JWT middleware)
+    # This happens when user doesn't have global scope but has specific resource scopes
+    cached_ids = getattr(request.state, "accessible_resource_ids", None)
+    if cached_ids is not None:
+        return cached_ids
+
+    # Get user's scopes from request state (set by JWT middleware)
+    user_scopes = getattr(request.state, "scopes", [])
+
+    # Get accessible resource IDs
+    accessible_ids = get_accessible_resource_ids(user_scopes=user_scopes, resource_type=resource_type)
+
+    return accessible_ids
+
+
+def filter_resources_by_access(request: Request, resources: List, resource_type: str) -> List:
+    """
+    Filter a list of resources based on user's access permissions.
+
+    Args:
+        request: The FastAPI request object
+        resources: List of resource objects (agents, teams, or workflows) with 'id' attribute
+        resource_type: Type of resource ("agents", "teams", "workflows")
+
+    Returns:
+        Filtered list of resources the user has access to
+
+    Usage:
+        agents = filter_resources_by_access(request, all_agents, "agents")
+        teams = filter_resources_by_access(request, all_teams, "teams")
+        workflows = filter_resources_by_access(request, all_workflows, "workflows")
+
+    Examples:
+        >>> # User with specific access
+        >>> agents = [Agent(id="agent-1"), Agent(id="agent-2"), Agent(id="agent-3")]
+        >>> # Token scopes: ["agent-os:my-os:agents:agent-1:read", "agent-os:my-os:agents:agent-2:read"]
+        >>> filter_resources_by_access(request, agents, "agents")
+        [Agent(id="agent-1"), Agent(id="agent-2")]
+
+        >>> # User with wildcard access
+        >>> # Token scopes: ["admin"]
+        >>> filter_resources_by_access(request, agents, "agents")
+        [Agent(id="agent-1"), Agent(id="agent-2"), Agent(id="agent-3")]
+    """
+    accessible_ids = get_accessible_resources(request, resource_type)
+
+    # Wildcard access - return all resources
+    if "*" in accessible_ids:
+        return resources
+
+    # Filter to only accessible resources
+    return [r for r in resources if r.id in accessible_ids]
+
+
+def check_resource_access(request: Request, resource_id: str, resource_type: str, action: str = "read") -> bool:
+    """
+    Check if user has access to a specific resource.
+
+    Args:
+        request: The FastAPI request object
+        resource_id: ID of the resource to check
+        resource_type: Type of resource ("agents", "teams", "workflows")
+        action: Action to check ("read", "run", etc.)
+
+    Returns:
+        True if user has access, False otherwise
+
+    Usage:
+        if not check_resource_access(request, agent_id, "agents", "run"):
+            raise HTTPException(status_code=403, detail="Access denied")
+
+    Examples:
+        >>> # Token scopes: ["agent-os:my-os:agents:my-agent:read", "agent-os:my-os:agents:my-agent:run"]
+        >>> check_resource_access(request, "my-agent", "agents", "run")
+        True
+
+        >>> check_resource_access(request, "other-agent", "agents", "run")
+        False
+    """
+    accessible_ids = get_accessible_resources(request, resource_type)
+
+    # Wildcard access grants all permissions
+    if "*" in accessible_ids:
+        return True
+
+    # Check if user has access to this specific resource
+    return resource_id in accessible_ids
+
+
+def require_resource_access(resource_type: str, action: str, resource_id_param: str):
+    """
+    Create a dependency that checks if the user has access to a specific resource.
+
+    This dependency factory creates a FastAPI dependency that automatically checks
+    authorization when authorization is enabled. It extracts the resource ID from
+    the path parameters and verifies the user has the required access.
+
+    Args:
+        resource_type: Type of resource ("agents", "teams", "workflows")
+        action: Action to check ("read", "run")
+        resource_id_param: Name of the path parameter containing the resource ID
+
+    Returns:
+        A dependency function for use with FastAPI's Depends()
+
+    Usage:
+        @router.post("/agents/{agent_id}/runs")
+        async def create_agent_run(
+            agent_id: str,
+            request: Request,
+            _: None = Depends(require_resource_access("agents", "run", "agent_id")),
+        ):
+            ...
+
+        @router.get("/agents/{agent_id}")
+        async def get_agent(
+            agent_id: str,
+            request: Request,
+            _: None = Depends(require_resource_access("agents", "read", "agent_id")),
+        ):
+            ...
+
+    Examples:
+        >>> # Creates dependency for checking agent run access
+        >>> dep = require_resource_access("agents", "run", "agent_id")
+
+        >>> # Creates dependency for checking team read access
+        >>> dep = require_resource_access("teams", "read", "team_id")
+    """
+    # Map resource_type to singular form for error messages
+    resource_singular = {
+        "agents": "agent",
+        "teams": "team",
+        "workflows": "workflow",
+    }.get(resource_type, resource_type.rstrip("s"))
+
+    async def dependency(request: Request):
+        # Only check authorization if it's enabled
+        if not getattr(request.state, "authorization_enabled", False):
+            return
+
+        # Get the resource_id from path parameters
+        resource_id = request.path_params.get(resource_id_param)
+        if resource_id and not check_resource_access(request, resource_id, resource_type, action):
+            raise HTTPException(status_code=403, detail=f"Access denied to {action} this {resource_singular}")
+
+    return dependency

agno/os/config.py

@@ -5,6 +5,15 @@ from typing import Generic, List, Optional, TypeVar
 from pydantic import BaseModel, field_validator
 
 
+class AuthorizationConfig(BaseModel):
+    """Configuration for the JWT middleware"""
+
+    verification_keys: Optional[List[str]] = None
+    jwks_file: Optional[str] = None
+    algorithm: Optional[str] = None
+    verify_audience: Optional[bool] = None
+
+
 class EvalsDomainConfig(BaseModel):
     """Configuration for the Evals domain of the AgentOS"""