agno 2.3.21__py3-none-any.whl → 2.3.22__py3-none-any.whl

agno/os/middleware/jwt.py

@@ -5,7 +5,7 @@ import json
 import re
 from enum import Enum
 from os import getenv
-from typing import Any, Dict, List, Optional
+from typing import Any, Dict, Iterable, List, Optional, Union
 
 import jwt
 from fastapi import Request, Response
@@ -168,7 +168,9 @@ class JWTValidator:
             except Exception as e:
                 log_warning(f"Failed to parse JWKS key: {e}")
 
-    def validate_token(self, token: str, expected_audience: Optional[str] = None) -> Dict[str, Any]:
+    def validate_token(
+        self, token: str, expected_audience: Optional[Union[str, Iterable[str]]] = None
+    ) -> Dict[str, Any]:
         """
         Validate JWT token and extract claims.
 
@@ -191,10 +193,9 @@ class JWTValidator:
         }
 
         # Configure audience verification
-        if expected_audience:
-            decode_kwargs["audience"] = expected_audience
-        else:
-            decode_options["verify_aud"] = False
+        # We'll decode without audience verification and if we need to verify the audience,
+        # we'll manually verify the audience to provide better error messages
+        decode_options["verify_aud"] = False
 
         # If validation is disabled, decode without signature verification
         if not self.validate:
@@ -206,6 +207,7 @@ class JWTValidator:
             decode_kwargs["options"] = decode_options
 
         last_exception: Optional[Exception] = None
+        payload: Optional[Dict[str, Any]] = None
 
         # Try JWKS keys first if configured
         if self.jwks_keys:
@@ -222,9 +224,7 @@ class JWTValidator:
                     jwk = self.jwks_keys["_default"]
 
                 if jwk:
-                    return jwt.decode(token, jwk.key, **decode_kwargs)
-            except jwt.InvalidAudienceError:
-                raise
+                    payload = jwt.decode(token, jwk.key, **decode_kwargs)
             except jwt.ExpiredSignatureError:
                 raise
             except jwt.InvalidTokenError as e:
@@ -233,20 +233,54 @@ class JWTValidator:
                 last_exception = e
 
         # Try each static verification key until one succeeds
-        for key in self.verification_keys:
-            try:
-                return jwt.decode(token, key, **decode_kwargs)
-            except jwt.InvalidAudienceError:
-                raise
-            except jwt.ExpiredSignatureError:
-                raise
-            except jwt.InvalidTokenError as e:
-                last_exception = e
-                continue
+        if payload is None:
+            for key in self.verification_keys:
+                try:
+                    payload = jwt.decode(token, key, **decode_kwargs)
+                    break
+                except jwt.ExpiredSignatureError:
+                    raise
+                except jwt.InvalidTokenError as e:
+                    last_exception = e
+                    continue
 
-        if last_exception:
-            raise last_exception
-        raise jwt.InvalidTokenError("No verification keys configured")
+        if payload is None:
+            if last_exception:
+                raise last_exception
+            raise jwt.InvalidTokenError("No verification keys configured")
+
+        # Manually verify audience if expected_audience was provided
+        if expected_audience:
+            token_audience = payload.get(self.audience_claim)
+            if token_audience is None:
+                raise jwt.InvalidTokenError(
+                    f'Token is missing the "{self.audience_claim}" claim. '
+                    f"Audience verification requires this claim to be present in the token."
+                )
+
+            # Normalize expected_audience to a list
+            if isinstance(expected_audience, str):
+                expected_audiences = [expected_audience]
+            elif isinstance(expected_audience, Iterable):
+                expected_audiences = list(expected_audience)
+            else:
+                expected_audiences = []
+
+            # Normalize token_audience to a list
+            if isinstance(token_audience, str):
+                token_audiences = [token_audience]
+            elif isinstance(token_audience, list):
+                token_audiences = token_audience
+            else:
+                token_audiences = [token_audience] if token_audience else []
+
+            # Check if any token audience matches any expected audience
+            if not any(aud in expected_audiences for aud in token_audiences):
+                raise jwt.InvalidAudienceError(
+                    f"Invalid audience. Expected one of: {expected_audiences}, got: {token_audiences}"
+                )
+
+        return payload
 
     def extract_claims(self, payload: Dict[str, Any]) -> Dict[str, Any]:
         """
@@ -364,6 +398,7 @@ class JWTMiddleware(BaseHTTPMiddleware):
         user_id_claim: str = "sub",
         session_id_claim: str = "session_id",
         audience_claim: str = "aud",
+        audience: Optional[Union[str, Iterable[str]]] = None,
         verify_audience: bool = False,
         dependencies_claims: Optional[List[str]] = None,
         session_state_claims: Optional[List[str]] = None,
@@ -400,7 +435,8 @@ class JWTMiddleware(BaseHTTPMiddleware):
             user_id_claim: JWT claim name for user ID (default: "sub")
             session_id_claim: JWT claim name for session ID (default: "session_id")
             audience_claim: JWT claim name for audience/OS ID (default: "aud")
-            verify_audience: Whether to verify the audience claim matches AgentOS ID (default: False)
+            audience: Optional expected audience claim to validate against the token's audience claim (default: AgentOS ID)
+            verify_audience: Whether to verify the token's audience claim matches the expected audience claim (default: False)
             dependencies_claims: A list of claims to extract from the JWT token for dependencies
             session_state_claims: A list of claims to extract from the JWT token for session state
             scope_mappings: Optional dictionary mapping route patterns to required scopes.
@@ -453,6 +489,8 @@ class JWTMiddleware(BaseHTTPMiddleware):
         self.dependencies_claims: List[str] = dependencies_claims or []
         self.session_state_claims: List[str] = session_state_claims or []
 
+        self.audience = audience
+
         # RBAC configuration (opt-in via scope_mappings)
         self.authorization = authorization
 
@@ -648,7 +686,9 @@ class JWTMiddleware(BaseHTTPMiddleware):
 
         try:
             # Validate token and extract claims (with audience verification if configured)
-            expected_audience = agent_os_id if self.verify_audience else None
+            expected_audience = None
+            if self.verify_audience:
+                expected_audience = self.audience or agent_os_id
             payload: Dict[str, Any] = self.validator.validate_token(token, expected_audience)  # type: ignore
 
             # Extract standard claims and store in request.state
@@ -755,11 +795,10 @@ class JWTMiddleware(BaseHTTPMiddleware):
             request.state.authenticated = True
 
         except jwt.InvalidAudienceError:
-            log_warning(f"Invalid audience - expected: {agent_os_id}")
+            log_warning(f"Invalid token audience - expected: {expected_audience}")
             return self._create_error_response(
-                401, "Invalid audience - token not valid for this AgentOS instance", origin, cors_allowed_origins
+                401, "Invalid token audience - token not valid for this AgentOS instance", origin, cors_allowed_origins
             )
-
         except jwt.ExpiredSignatureError as e:
             if self.validate:
                 log_warning(f"Token has expired: {str(e)}")

agno/os/routers/agents/router.py

@@ -220,11 +220,11 @@ def get_agent_router(
         kwargs = await get_request_kwargs(request, create_agent_run)
 
         if hasattr(request.state, "user_id") and request.state.user_id is not None:
-            if user_id:
+            if user_id and user_id != request.state.user_id:
                 log_warning("User ID parameter passed in both request state and kwargs, using request state")
             user_id = request.state.user_id
         if hasattr(request.state, "session_id") and request.state.session_id is not None:
-            if session_id:
+            if session_id and session_id != request.state.session_id:
                 log_warning("Session ID parameter passed in both request state and kwargs, using request state")
             session_id = request.state.session_id
         if hasattr(request.state, "session_state") and request.state.session_state is not None:

agno/os/routers/knowledge/knowledge.py

@@ -297,7 +297,7 @@ def attach_routes(router: APIRouter, knowledge_instances: List[Union[Knowledge,
             else:
                 raise HTTPException(status_code=400, detail=f"Invalid reader_id: {update_data.reader_id}")
 
-        updated_content_dict = knowledge.patch_content(content)
+        updated_content_dict = await knowledge.apatch_content(content)
         if not updated_content_dict:
             raise HTTPException(status_code=404, detail=f"Content not found: {content_id}")
 
@@ -1029,13 +1029,13 @@ def attach_routes(router: APIRouter, knowledge_instances: List[Union[Knowledge,
                     search_types=search_types,
                 )
             )
-
+        filters = await knowledge.async_get_valid_filters()
         return ConfigResponseSchema(
             readers=reader_schemas,
             vector_dbs=vector_dbs,
             readersForType=types_of_readers,
             chunkers=chunkers_dict,
-            filters=knowledge.get_valid_filters(),
+            filters=filters,
         )
 
     return router

agno/os/routers/teams/router.py

@@ -169,11 +169,11 @@ def get_team_router(
         kwargs = await get_request_kwargs(request, create_team_run)
 
         if hasattr(request.state, "user_id") and request.state.user_id is not None:
-            if user_id:
+            if user_id and user_id != request.state.user_id:
                 log_warning("User ID parameter passed in both request state and kwargs, using request state")
             user_id = request.state.user_id
         if hasattr(request.state, "session_id") and request.state.session_id is not None:
-            if session_id:
+            if session_id and session_id != request.state.session_id:
                 log_warning("Session ID parameter passed in both request state and kwargs, using request state")
             session_id = request.state.session_id
         if hasattr(request.state, "session_state") and request.state.session_state is not None:

agno/os/routers/workflows/router.py

@@ -626,11 +626,11 @@ def get_workflow_router(
         kwargs = await get_request_kwargs(request, create_workflow_run)
 
         if hasattr(request.state, "user_id") and request.state.user_id is not None:
-            if user_id:
+            if user_id and user_id != request.state.user_id:
                 log_warning("User ID parameter passed in both request state and kwargs, using request state")
             user_id = request.state.user_id
         if hasattr(request.state, "session_id") and request.state.session_id is not None:
-            if session_id:
+            if session_id and session_id != request.state.session_id:
                 log_warning("Session ID parameter passed in both request state and kwargs, using request state")
             session_id = request.state.session_id
         if hasattr(request.state, "session_state") and request.state.session_state is not None:

agno/reasoning/deepseek.py

@@ -8,7 +8,17 @@ from agno.utils.log import logger
 
 
 def is_deepseek_reasoning_model(reasoning_model: Model) -> bool:
-    return reasoning_model.__class__.__name__ == "DeepSeek" and reasoning_model.id.lower() == "deepseek-reasoner"
+    """Check if the model is a DeepSeek reasoning model.
+
+    Matches:
+    - deepseek-reasoner
+    - deepseek-r1 and variants (deepseek-r1-distill-*, etc.)
+    """
+    if reasoning_model.__class__.__name__ != "DeepSeek":
+        return False
+
+    model_id = reasoning_model.id.lower()
+    return "reasoner" in model_id or "r1" in model_id
 
 
 def get_deepseek_reasoning(reasoning_agent: "Agent", messages: List[Message]) -> Optional[Message]:  # type: ignore  # noqa: F821

agno/reasoning/gemini.py

@@ -13,9 +13,13 @@ def is_gemini_reasoning_model(reasoning_model: Model) -> bool:
     if not is_gemini_class:
         return False
 
-    # Check if it's a Gemini 2.5+ model (supports thinking)
+    # Check if it's a Gemini model with thinking support
+    # - Gemini 2.5+ models support thinking
+    # - Gemini 3+ models support thinking (including DeepThink variants)
     model_id = reasoning_model.id.lower()
-    has_thinking_support = "2.5" in model_id
+    has_thinking_support = (
+        "2.5" in model_id or "3.0" in model_id or "3.5" in model_id or "deepthink" in model_id or "gemini-3" in model_id
+    )
 
     # Also check if thinking parameters are set
     # Note: thinking_budget=0 explicitly disables thinking mode per Google's API docs

agno/reasoning/groq.py

@@ -8,7 +8,12 @@ from agno.utils.log import logger
 
 
 def is_groq_reasoning_model(reasoning_model: Model) -> bool:
-    return reasoning_model.__class__.__name__ == "Groq" and "deepseek" in reasoning_model.id.lower()
+    return reasoning_model.__class__.__name__ == "Groq" and (
+        "deepseek" in reasoning_model.id.lower()
+        or "openai/gpt-oss-20b" in reasoning_model.id.lower()
+        or "openai/gpt-oss-120b" in reasoning_model.id.lower()
+        or "qwen/qwen3-32b" in reasoning_model.id.lower()
+    )
 
 
 def get_groq_reasoning(reasoning_agent: "Agent", messages: List[Message]) -> Optional[Message]:  # type: ignore  # noqa: F821
@@ -95,7 +100,7 @@ def get_groq_reasoning_stream(
     reasoning_content: str = ""
 
     try:
-        for event in reasoning_agent.run(input=messages, stream=True, stream_intermediate_steps=True):
+        for event in reasoning_agent.run(input=messages, stream=True, stream_events=True):
             if hasattr(event, "event"):
                 if event.event == RunEvent.run_content:
                     # Check for reasoning_content attribute first (native reasoning)
@@ -146,7 +151,7 @@ async def aget_groq_reasoning_stream(
     reasoning_content: str = ""
 
     try:
-        async for event in reasoning_agent.arun(input=messages, stream=True, stream_intermediate_steps=True):
+        async for event in reasoning_agent.arun(input=messages, stream=True, stream_events=True):
             if hasattr(event, "event"):
                 if event.event == RunEvent.run_content:
                     # Check for reasoning_content attribute first (native reasoning)

agno/reasoning/openai.py

@@ -21,6 +21,8 @@ def is_openai_reasoning_model(reasoning_model: Model) -> bool:
             or ("o1" in reasoning_model.id)
             or ("4.1" in reasoning_model.id)
             or ("4.5" in reasoning_model.id)
+            or ("5.1" in reasoning_model.id)
+            or ("5.2" in reasoning_model.id)
         )
     ) or (isinstance(reasoning_model, OpenAILike) and "deepseek-r1" in reasoning_model.id.lower())
 

agno/remote/base.py

@@ -2,7 +2,7 @@ import time
 from abc import abstractmethod
 from dataclasses import dataclass, field
 from datetime import date
-from typing import TYPE_CHECKING, Any, AsyncIterator, Dict, List, Optional, Sequence, Tuple, Union
+from typing import TYPE_CHECKING, Any, AsyncIterator, Dict, List, Literal, Optional, Sequence, Tuple, Union
 
 from pydantic import BaseModel
 
@@ -18,6 +18,8 @@ if TYPE_CHECKING:
     from fastapi import UploadFile
 
     from agno.client import AgentOSClient
+    from agno.client.a2a import A2AClient
+    from agno.client.a2a.schemas import AgentCard
     from agno.os.routers.evals.schemas import EvalSchema
     from agno.os.routers.knowledge.schemas import (
         ConfigResponseSchema,
@@ -64,7 +66,7 @@ class RemoteDb:
         """Create a RemoteDb instance from an AgentResponse/TeamResponse/WorkflowResponse and ConfigResponse.
 
         Args:
-            response: The agent, team, or workflow response containing the db_id.
+            db_id (str): The id of the remote database
             client: The AgentOSClient for remote operations.
             config: The ConfigResponse containing database table information.
 
@@ -344,31 +346,52 @@ class RemoteKnowledge:
 class BaseRemote:
     # Private cache for OS config with TTL: (config, timestamp)
     _cached_config: Optional[Tuple["ConfigResponse", float]] = field(default=None, init=False, repr=False)
+    # Private cache for agent card with TTL: (agent_card, timestamp)
+    _cached_agent_card: Optional[Tuple[Optional["AgentCard"], float]] = field(default=None, init=False, repr=False)
 
     def __init__(
         self,
         base_url: str,
         timeout: float = 60.0,
+        protocol: Literal["agentos", "a2a"] = "agentos",
+        a2a_protocol: Literal["json-rpc", "rest"] = "rest",
         config_ttl: float = 300.0,
     ):
         """Initialize BaseRemote for remote execution.
 
+        Supports two protocols:
+        - "agentos": Agno's proprietary AgentOS REST API (default)
+        - "a2a": A2A (Agent-to-Agent) protocol for cross-framework communication
+
         For local execution, provide agent/team/workflow instances.
         For remote execution, provide base_url.
 
         Args:
             base_url: Base URL for remote instance (e.g., "http://localhost:7777")
             timeout: Request timeout in seconds (default: 60)
+            protocol: Communication protocol - "agentos" (default) or "a2a"
+            a2a_protocol: For A2A protocol only - Whether to use JSON-RPC or REST protocol.
             config_ttl: Time-to-live for cached config in seconds (default: 300)
         """
         self.base_url = base_url.rstrip("/")
         self.timeout: float = timeout
+        self.protocol = protocol
+        self.a2a_protocol = a2a_protocol
         self.config_ttl: float = config_ttl
         self._cached_config = None
+        self._cached_agent_card = None
+
+        self.agentos_client = None
+        self.a2a_client = None
 
-        self.client = self.get_client()
+        if protocol == "agentos":
+            self.agentos_client = self.get_os_client()
+        elif protocol == "a2a":
+            self.a2a_client = self.get_a2a_client()
+        else:
+            raise ValueError(f"Invalid protocol: {protocol}")
 
-    def get_client(self) -> "AgentOSClient":
+    def get_os_client(self) -> "AgentOSClient":
         """Get an AgentOSClient for fetching remote configuration.
 
         This is used internally by AgentOS to fetch configuration from remote
@@ -384,11 +407,31 @@ class BaseRemote:
             timeout=self.timeout,
         )
 
+    def get_a2a_client(self) -> "A2AClient":
+        """Get an A2AClient for A2A protocol communication.
+
+        Returns cached client if available, otherwise creates a new one.
+        This method provides lazy initialization of the A2A client.
+
+        Returns:
+            A2AClient: Client configured for A2A protocol communication
+        """
+        from agno.client.a2a import A2AClient
+
+        return A2AClient(
+            base_url=self.base_url,
+            timeout=int(self.timeout),
+            protocol=self.a2a_protocol,
+        )
+
     @property
-    def _config(self) -> "ConfigResponse":
+    def _config(self) -> Optional["ConfigResponse"]:
         """Get the OS config from remote, cached with TTL."""
         from agno.os.schema import ConfigResponse
 
+        if self.protocol == "a2a":
+            return None
+
         current_time = time.time()
 
         # Check if cache is valid
@@ -398,15 +441,15 @@ class BaseRemote:
                 return config
 
         # Fetch fresh config
-        config: ConfigResponse = self.client.get_config()  # type: ignore
+        config: ConfigResponse = self.agentos_client.get_config()  # type: ignore
         self._cached_config = (config, current_time)
         return config
 
-    def refresh_os_config(self) -> "ConfigResponse":
+    async def refresh_os_config(self) -> "ConfigResponse":
         """Force refresh the cached OS config."""
         from agno.os.schema import ConfigResponse
 
-        config: ConfigResponse = self.client.get_config()
+        config: ConfigResponse = await self.agentos_client.aget_config()  # type: ignore
         self._cached_config = (config, time.time())
         return config
 
@@ -437,6 +480,60 @@ class BaseRemote:
             return {"Authorization": f"Bearer {auth_token}"}
         return None
 
+    def get_agent_card(self) -> Optional["AgentCard"]:
+        """Get agent card for A2A protocol agents, cached with TTL.
+
+        Fetches the agent card from the standard /.well-known/agent.json endpoint
+        to populate agent metadata (name, description, etc.) for A2A agents.
+
+        Returns None for non-A2A protocols or if the server doesn't support agent cards.
+        """
+        if self.protocol != "a2a":
+            return None
+
+        current_time = time.time()
+
+        # Check if cache is valid
+        if self._cached_agent_card is not None:
+            agent_card, cached_at = self._cached_agent_card
+            if current_time - cached_at < self.config_ttl:
+                return agent_card
+
+        try:
+            agent_card = self.a2a_client.get_agent_card()  # type: ignore
+            self._cached_agent_card = (agent_card, current_time)
+            return agent_card
+        except Exception:
+            self._cached_agent_card = (None, current_time)
+            return None
+
+    async def aget_agent_card(self) -> Optional["AgentCard"]:
+        """Get agent card for A2A protocol agents, cached with TTL.
+
+        Fetches the agent card from the standard /.well-known/agent.json endpoint
+        to populate agent metadata (name, description, etc.) for A2A agents.
+
+        Returns None for non-A2A protocols or if the server doesn't support agent cards.
+        """
+        if self.protocol != "a2a":
+            return None
+
+        current_time = time.time()
+
+        # Check if cache is valid
+        if self._cached_agent_card is not None:
+            agent_card, cached_at = self._cached_agent_card
+            if current_time - cached_at < self.config_ttl:
+                return agent_card
+
+        try:
+            agent_card = await self.a2a_client.aget_agent_card()  # type: ignore
+            self._cached_agent_card = (agent_card, current_time)
+            return agent_card
+        except Exception:
+            self._cached_agent_card = (None, current_time)
+            return None
+
     @abstractmethod
     def arun(  # type: ignore
         self,

agno/skills/__init__.py

@@ -0,0 +1,17 @@
+from agno.skills.agent_skills import Skills
+from agno.skills.errors import SkillError, SkillParseError, SkillValidationError
+from agno.skills.loaders import LocalSkills, SkillLoader
+from agno.skills.skill import Skill
+from agno.skills.validator import validate_metadata, validate_skill_directory
+
+__all__ = [
+    "Skills",
+    "LocalSkills",
+    "SkillLoader",
+    "Skill",
+    "SkillError",
+    "SkillParseError",
+    "SkillValidationError",
+    "validate_metadata",
+    "validate_skill_directory",
+]