agno 2.3.12__py3-none-any.whl → 2.3.14__py3-none-any.whl

agno/os/router.py

@@ -208,7 +208,6 @@ def get_base_router(
         return list(unique_models.values())
 
     # -- Database Migration routes ---
-
     @router.post(
         "/databases/{db_id}/migrate",
         tags=["Database"],

agno/os/routers/agents/router.py

@@ -18,7 +18,7 @@ from agno.agent.agent import Agent
 from agno.exceptions import InputCheckError, OutputCheckError
 from agno.media import Audio, Image, Video
 from agno.media import File as FileMedia
-from agno.os.auth import get_authentication_dependency
+from agno.os.auth import get_authentication_dependency, require_resource_access
 from agno.os.routers.agents.schema import AgentResponse
 from agno.os.schema import (
     BadRequestResponse,
@@ -187,6 +187,7 @@ def get_agent_router(
             400: {"description": "Invalid request or unsupported file type", "model": BadRequestResponse},
             404: {"description": "Agent not found", "model": NotFoundResponse},
         },
+        dependencies=[Depends(require_resource_access("agents", "run", "agent_id"))],
     )
     async def create_agent_run(
         agent_id: str,
@@ -372,6 +373,7 @@ def get_agent_router(
             404: {"description": "Agent not found", "model": NotFoundResponse},
             500: {"description": "Failed to cancel run", "model": InternalServerErrorResponse},
         },
+        dependencies=[Depends(require_resource_access("agents", "run", "agent_id"))],
     )
     async def cancel_agent_run(
         agent_id: str,
@@ -412,6 +414,7 @@ def get_agent_router(
             400: {"description": "Invalid JSON in tools field or invalid tool structure", "model": BadRequestResponse},
             404: {"description": "Agent not found", "model": NotFoundResponse},
         },
+        dependencies=[Depends(require_resource_access("agents", "run", "agent_id"))],
     )
     async def continue_agent_run(
         agent_id: str,
@@ -521,13 +524,27 @@ def get_agent_router(
             }
         },
     )
-    async def get_agents() -> List[AgentResponse]:
+    async def get_agents(request: Request) -> List[AgentResponse]:
         """Return the list of all Agents present in the contextual OS"""
         if os.agents is None:
             return []
 
+        # Filter agents based on user's scopes (only if authorization is enabled)
+        if getattr(request.state, "authorization_enabled", False):
+            from agno.os.auth import filter_resources_by_access, get_accessible_resources
+
+            # Check if user has any agent scopes at all
+            accessible_ids = get_accessible_resources(request, "agents")
+            if not accessible_ids:
+                raise HTTPException(status_code=403, detail="Insufficient permissions")
+
+            # Limit results based on the user's access/scopes
+            accessible_agents = filter_resources_by_access(request, os.agents, "agents")
+        else:
+            accessible_agents = os.agents
+
         agents = []
-        for agent in os.agents:
+        for agent in accessible_agents:
             agent_response = await AgentResponse.from_agent(agent=agent)
             agents.append(agent_response)
 
@@ -570,8 +587,9 @@ def get_agent_router(
             },
             404: {"description": "Agent not found", "model": NotFoundResponse},
         },
+        dependencies=[Depends(require_resource_access("agents", "read", "agent_id"))],
     )
-    async def get_agent(agent_id: str) -> AgentResponse:
+    async def get_agent(agent_id: str, request: Request) -> AgentResponse:
         agent = get_agent_by_id(agent_id, os.agents)
         if agent is None:
             raise HTTPException(status_code=404, detail="Agent not found")

agno/os/routers/agents/schema.py

@@ -215,11 +215,24 @@ class AgentResponse(BaseModel):
             "build_user_context": agent.build_user_context,
         }
 
+        # Handle output_schema name for both Pydantic models and JSON schemas
+        output_schema_name = None
+        if agent.output_schema is not None:
+            if isinstance(agent.output_schema, dict):
+                if "json_schema" in agent.output_schema:
+                    output_schema_name = agent.output_schema["json_schema"].get("name", "JSONSchema")
+                elif "schema" in agent.output_schema and isinstance(agent.output_schema["schema"], dict):
+                    output_schema_name = agent.output_schema["schema"].get("title", "JSONSchema")
+                else:
+                    output_schema_name = agent.output_schema.get("title", "JSONSchema")
+            elif hasattr(agent.output_schema, "__name__"):
+                output_schema_name = agent.output_schema.__name__
+
         response_settings_info: Dict[str, Any] = {
             "retries": agent.retries,
             "delay_between_retries": agent.delay_between_retries,
             "exponential_backoff": agent.exponential_backoff,
-            "output_schema_name": agent.output_schema.__name__ if agent.output_schema else None,
+            "output_schema_name": output_schema_name,
             "parser_model_prompt": agent.parser_model_prompt,
             "parse_response": agent.parse_response,
             "structured_outputs": agent.structured_outputs,

agno/os/routers/teams/router.py

@@ -16,7 +16,7 @@ from fastapi.responses import JSONResponse, StreamingResponse
 from agno.exceptions import InputCheckError, OutputCheckError
 from agno.media import Audio, Image, Video
 from agno.media import File as FileMedia
-from agno.os.auth import get_authentication_dependency
+from agno.os.auth import get_authentication_dependency, require_resource_access
 from agno.os.routers.teams.schema import TeamResponse
 from agno.os.schema import (
     BadRequestResponse,
@@ -142,6 +142,7 @@ def get_team_router(
             400: {"description": "Invalid request or unsupported file type", "model": BadRequestResponse},
             404: {"description": "Team not found", "model": NotFoundResponse},
         },
+        dependencies=[Depends(require_resource_access("teams", "run", "team_id"))],
     )
     async def create_team_run(
         team_id: str,
@@ -295,6 +296,7 @@ def get_team_router(
             404: {"description": "Team not found", "model": NotFoundResponse},
             500: {"description": "Failed to cancel team run", "model": InternalServerErrorResponse},
         },
+        dependencies=[Depends(require_resource_access("teams", "run", "team_id"))],
     )
     async def cancel_team_run(
         team_id: str,
@@ -390,13 +392,26 @@ def get_team_router(
             }
         },
     )
-    async def get_teams() -> List[TeamResponse]:
+    async def get_teams(request: Request) -> List[TeamResponse]:
         """Return the list of all Teams present in the contextual OS"""
         if os.teams is None:
             return []
 
+        # Filter teams based on user's scopes (only if authorization is enabled)
+        if getattr(request.state, "authorization_enabled", False):
+            from agno.os.auth import filter_resources_by_access, get_accessible_resources
+
+            # Check if user has any team scopes at all
+            accessible_ids = get_accessible_resources(request, "teams")
+            if not accessible_ids:
+                raise HTTPException(status_code=403, detail="Insufficient permissions")
+
+            accessible_teams = filter_resources_by_access(request, os.teams, "teams")
+        else:
+            accessible_teams = os.teams
+
         teams = []
-        for team in os.teams:
+        for team in accessible_teams:
             team_response = await TeamResponse.from_team(team=team)
             teams.append(team_response)
 
@@ -485,8 +500,9 @@ def get_team_router(
             },
             404: {"description": "Team not found", "model": NotFoundResponse},
         },
+        dependencies=[Depends(require_resource_access("teams", "read", "team_id"))],
     )
-    async def get_team(team_id: str) -> TeamResponse:
+    async def get_team(team_id: str, request: Request) -> TeamResponse:
         team = get_team_by_id(team_id, os.teams)
         if team is None:
             raise HTTPException(status_code=404, detail="Team not found")

agno/os/routers/teams/schema.py

@@ -197,8 +197,21 @@ class TeamResponse(BaseModel):
             "resolve_in_context": team.resolve_in_context,
         }
 
+        # Handle output_schema name for both Pydantic models and JSON schemas
+        output_schema_name = None
+        if team.output_schema is not None:
+            if isinstance(team.output_schema, dict):
+                if "json_schema" in team.output_schema:
+                    output_schema_name = team.output_schema["json_schema"].get("name", "JSONSchema")
+                elif "schema" in team.output_schema and isinstance(team.output_schema["schema"], dict):
+                    output_schema_name = team.output_schema["schema"].get("title", "JSONSchema")
+                else:
+                    output_schema_name = team.output_schema.get("title", "JSONSchema")
+            elif hasattr(team.output_schema, "__name__"):
+                output_schema_name = team.output_schema.__name__
+
         response_settings_info: Dict[str, Any] = {
-            "output_schema_name": team.output_schema.__name__ if team.output_schema else None,
+            "output_schema_name": output_schema_name,
             "parser_model_prompt": team.parser_model_prompt,
             "parse_response": team.parse_response,
             "use_json_mode": team.use_json_mode,

agno/os/routers/workflows/router.py

@@ -15,7 +15,7 @@ from fastapi.responses import JSONResponse, StreamingResponse
 from pydantic import BaseModel
 
 from agno.exceptions import InputCheckError, OutputCheckError
-from agno.os.auth import get_authentication_dependency, validate_websocket_token
+from agno.os.auth import get_authentication_dependency, require_resource_access, validate_websocket_token
 from agno.os.routers.workflows.schema import WorkflowResponse
 from agno.os.schema import (
     BadRequestResponse,
@@ -252,8 +252,21 @@ def get_websocket_router(
     settings: AgnoAPISettings = AgnoAPISettings(),
 ) -> APIRouter:
     """
-    Create WebSocket router without HTTP authentication dependencies.
+    Create WebSocket router with support for both legacy (os_security_key) and JWT authentication.
+
     WebSocket endpoints handle authentication internally via message-based auth.
+    Authentication methods (in order of precedence):
+    1. JWT tokens - if JWTMiddleware is configured (via app.state.jwt_middleware)
+    2. Legacy bearer token - if settings.os_security_key is set
+    3. No authentication - if neither is configured
+
+    The JWT middleware instance is accessed from app.state.jwt_middleware, which is set
+    by AgentOS when authorization is enabled. This allows reusing the same validation
+    logic and loaded keys as the HTTP middleware.
+
+    Args:
+        os: The AgentOS instance
+        settings: API settings (includes os_security_key for legacy auth)
     """
     ws_router = APIRouter()
 
@@ -263,9 +276,18 @@ def get_websocket_router(
     )
     async def workflow_websocket_endpoint(websocket: WebSocket):
         """WebSocket endpoint for receiving real-time workflow events"""
-        requires_auth = bool(settings.os_security_key)
+        # Check if JWT validator is configured (set by AgentOS when authorization=True)
+        jwt_validator = getattr(websocket.app.state, "jwt_validator", None)
+        jwt_auth_enabled = jwt_validator is not None
+
+        # Determine auth requirements - JWT takes precedence over legacy
+        requires_auth = jwt_auth_enabled or bool(settings.os_security_key)
+
         await websocket_manager.connect(websocket, requires_auth=requires_auth)
 
+        # Store user context from JWT auth
+        websocket_user_context: Dict[str, Any] = {}
+
         try:
             while True:
                 data = await websocket.receive_text()
@@ -279,19 +301,56 @@ def get_websocket_router(
                         await websocket.send_text(json.dumps({"event": "auth_error", "error": "Token is required"}))
                         continue
 
-                    if validate_websocket_token(token, settings):
+                    if jwt_auth_enabled and jwt_validator:
+                        # Use JWT validator for token validation
+                        try:
+                            payload = jwt_validator.validate_token(token)
+                            claims = jwt_validator.extract_claims(payload)
+                            await websocket_manager.authenticate_websocket(websocket)
+
+                            # Store user context from JWT
+                            websocket_user_context["user_id"] = claims["user_id"]
+                            websocket_user_context["scopes"] = claims["scopes"]
+                            websocket_user_context["payload"] = payload
+
+                            # Include user info in auth success message
+                            await websocket.send_text(
+                                json.dumps(
+                                    {
+                                        "event": "authenticated",
+                                        "message": "JWT authentication successful.",
+                                        "user_id": claims["user_id"],
+                                    }
+                                )
+                            )
+                        except Exception as e:
+                            error_msg = str(e) if str(e) else "Invalid token"
+                            error_type = "expired" if "expired" in error_msg.lower() else "invalid_token"
+                            await websocket.send_text(
+                                json.dumps(
+                                    {
+                                        "event": "auth_error",
+                                        "error": error_msg,
+                                        "error_type": error_type,
+                                    }
+                                )
+                            )
+                        continue
+                    elif validate_websocket_token(token, settings):
+                        # Legacy os_security_key authentication
                         await websocket_manager.authenticate_websocket(websocket)
                     else:
                         await websocket.send_text(json.dumps({"event": "auth_error", "error": "Invalid token"}))
-                        continue
+                    continue
 
                 # Check authentication for all other actions (only when required)
                 elif requires_auth and not websocket_manager.is_authenticated(websocket):
+                    auth_type = "JWT" if jwt_auth_enabled else "bearer token"
                     await websocket.send_text(
                         json.dumps(
                             {
                                 "event": "auth_required",
-                                "error": "Authentication required. Send authenticate action with valid token.",
+                                "error": f"Authentication required. Send authenticate action with valid {auth_type}.",
                             }
                         )
                     )
@@ -302,6 +361,10 @@ def get_websocket_router(
                     await websocket.send_text(json.dumps({"event": "pong"}))
 
                 elif action == "start-workflow":
+                    # Add user context to message if available from JWT auth
+                    if websocket_user_context:
+                        if "user_id" not in message and websocket_user_context.get("user_id"):
+                            message["user_id"] = websocket_user_context["user_id"]
                     # Handle workflow execution directly via WebSocket
                     await handle_workflow_via_websocket(websocket, message, os)
 
@@ -367,11 +430,24 @@ def get_workflow_router(
             }
         },
     )
-    async def get_workflows() -> List[WorkflowSummaryResponse]:
+    async def get_workflows(request: Request) -> List[WorkflowSummaryResponse]:
         if os.workflows is None:
             return []
 
-        return [WorkflowSummaryResponse.from_workflow(workflow) for workflow in os.workflows]
+        # Filter workflows based on user's scopes (only if authorization is enabled)
+        if getattr(request.state, "authorization_enabled", False):
+            from agno.os.auth import filter_resources_by_access, get_accessible_resources
+
+            # Check if user has any workflow scopes at all
+            accessible_ids = get_accessible_resources(request, "workflows")
+            if not accessible_ids:
+                raise HTTPException(status_code=403, detail="Insufficient permissions")
+
+            accessible_workflows = filter_resources_by_access(request, os.workflows, "workflows")
+        else:
+            accessible_workflows = os.workflows
+
+        return [WorkflowSummaryResponse.from_workflow(workflow) for workflow in accessible_workflows]
 
     @router.get(
         "/workflows/{workflow_id}",
@@ -397,8 +473,9 @@ def get_workflow_router(
             },
             404: {"description": "Workflow not found", "model": NotFoundResponse},
         },
+        dependencies=[Depends(require_resource_access("workflows", "read", "workflow_id"))],
     )
-    async def get_workflow(workflow_id: str) -> WorkflowResponse:
+    async def get_workflow(workflow_id: str, request: Request) -> WorkflowResponse:
         workflow = get_workflow_by_id(workflow_id, os.workflows)
         if workflow is None:
             raise HTTPException(status_code=404, detail="Workflow not found")
@@ -438,6 +515,7 @@ def get_workflow_router(
             404: {"description": "Workflow not found", "model": NotFoundResponse},
             500: {"description": "Workflow execution error", "model": InternalServerErrorResponse},
         },
+        dependencies=[Depends(require_resource_access("workflows", "run", "workflow_id"))],
     )
     async def create_workflow_run(
         workflow_id: str,
@@ -530,6 +608,7 @@ def get_workflow_router(
             404: {"description": "Workflow or run not found", "model": NotFoundResponse},
             500: {"description": "Failed to cancel workflow run", "model": InternalServerErrorResponse},
         },
+        dependencies=[Depends(require_resource_access("workflows", "run", "workflow_id"))],
     )
     async def cancel_workflow_run(workflow_id: str, run_id: str):
         workflow = get_workflow_by_id(workflow_id, os.workflows)