crewai-core 1.14.5__tar.gz

crewai_core-1.14.5/.gitignore

@@ -0,0 +1,33 @@
+.DS_Store
+.pytest_cache
+__pycache__
+dist/
+.env
+assets/*
+.idea
+test/
+docs_crew/
+chroma.sqlite3
+old_en.json
+db/
+test.py
+rc-tests/*
+*.pkl
+temp/*
+.vscode/*
+crew_tasks_output.json
+.codesight
+.mypy_cache
+.ruff_cache
+.venv
+test_flow.html
+crewairules.mdc
+plan.md
+conceptual_plan.md
+build_image
+chromadb-*.lock
+.claude
+.crewai/memory
+blogs/*
+secrets/*
+UNKNOWN.egg-info/

crewai_core-1.14.5/PKG-INFO

@@ -0,0 +1,31 @@
+Metadata-Version: 2.4
+Name: crewai-core
+Version: 1.14.5
+Summary: Shared utilities for CrewAI — version, paths, user-data, telemetry, printer.
+Project-URL: Homepage, https://crewai.com
+Project-URL: Documentation, https://docs.crewai.com
+Project-URL: Repository, https://github.com/crewAIInc/crewAI
+Author-email: "Greyson R. LaLonde" <greyson@crewai.com>
+Requires-Python: <3.14,>=3.10
+Requires-Dist: appdirs~=1.4.4
+Requires-Dist: cryptography>=42.0
+Requires-Dist: httpx~=0.28.1
+Requires-Dist: opentelemetry-api~=1.34.0
+Requires-Dist: opentelemetry-exporter-otlp-proto-http~=1.34.0
+Requires-Dist: opentelemetry-sdk~=1.34.0
+Requires-Dist: packaging>=23.0
+Requires-Dist: portalocker~=2.7.0
+Requires-Dist: pydantic<2.13,>=2.11.9
+Requires-Dist: pyjwt<3,>=2.9.0
+Requires-Dist: rich>=13.7.1
+Requires-Dist: tomli~=2.0.2
+Description-Content-Type: text/markdown
+
+# crewai-core
+
+Shared utilities used by both `crewai` and `crewai-cli`: version lookup, storage
+paths, user-data helpers, telemetry, and the printer.
+
+This package is a leaf — it has no dependency on the `crewai` framework — and is
+pulled in transitively by `crewai` and `crewai-cli`. End users do not normally
+install it directly.

crewai_core-1.14.5/README.md

@@ -0,0 +1,8 @@
+# crewai-core
+
+Shared utilities used by both `crewai` and `crewai-cli`: version lookup, storage
+paths, user-data helpers, telemetry, and the printer.
+
+This package is a leaf — it has no dependency on the `crewai` framework — and is
+pulled in transitively by `crewai` and `crewai-cli`. End users do not normally
+install it directly.

crewai_core-1.14.5/pyproject.toml

@@ -0,0 +1,38 @@
+[project]
+name = "crewai-core"
+dynamic = ["version"]
+description = "Shared utilities for CrewAI — version, paths, user-data, telemetry, printer."
+readme = "README.md"
+authors = [
+    { name = "Greyson R. LaLonde", email = "greyson@crewai.com" }
+]
+requires-python = ">=3.10, <3.14"
+dependencies = [
+    "appdirs~=1.4.4",
+    "cryptography>=42.0",
+    "httpx~=0.28.1",
+    "packaging>=23.0",
+    "portalocker~=2.7.0",
+    "pyjwt>=2.9.0,<3",
+    "pydantic>=2.11.9,<2.13",
+    "rich>=13.7.1",
+    "opentelemetry-api~=1.34.0",
+    "opentelemetry-sdk~=1.34.0",
+    "opentelemetry-exporter-otlp-proto-http~=1.34.0",
+    "tomli~=2.0.2",
+]
+
+[project.urls]
+Homepage = "https://crewai.com"
+Documentation = "https://docs.crewai.com"
+Repository = "https://github.com/crewAIInc/crewAI"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.version]
+path = "src/crewai_core/__init__.py"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/crewai_core"]

crewai_core-1.14.5/src/crewai_core/__init__.py

@@ -0,0 +1 @@
+__version__ = "1.14.5"

crewai_core-1.14.5/src/crewai_core/auth/__init__.py

@@ -0,0 +1,24 @@
+"""OAuth2 authentication primitives — shared by crewai and crewai-cli."""
+
+from __future__ import annotations
+
+from crewai_core.auth.oauth2 import (
+    AuthenticationCommand as AuthenticationCommand,
+    Oauth2Settings as Oauth2Settings,
+    ProviderFactory as ProviderFactory,
+)
+from crewai_core.auth.token import (
+    AuthError as AuthError,
+    get_auth_token as get_auth_token,
+)
+from crewai_core.auth.utils import validate_jwt_token as validate_jwt_token
+
+
+__all__ = [
+    "AuthError",
+    "AuthenticationCommand",
+    "Oauth2Settings",
+    "ProviderFactory",
+    "get_auth_token",
+    "validate_jwt_token",
+]

crewai_core-1.14.5/src/crewai_core/auth/constants.py

@@ -0,0 +1,8 @@
+"""Authentication constants."""
+
+from __future__ import annotations
+
+from typing import Final
+
+
+ALGORITHMS: Final[list[str]] = ["RS256"]

crewai_core-1.14.5/src/crewai_core/auth/oauth2.py

@@ -0,0 +1,186 @@
+"""OAuth2 device-flow authentication for the CrewAI platform."""
+
+from __future__ import annotations
+
+import time
+from typing import TYPE_CHECKING, Any, TypeVar, cast
+import webbrowser
+
+import httpx
+from pydantic import BaseModel, Field
+from rich.console import Console
+
+from crewai_core.auth.utils import validate_jwt_token
+from crewai_core.settings import Settings
+from crewai_core.token_manager import TokenManager
+
+
+console = Console()
+
+TOauth2Settings = TypeVar("TOauth2Settings", bound="Oauth2Settings")
+
+
+class Oauth2Settings(BaseModel):
+    """OAuth2 provider configuration."""
+
+    provider: str = Field(
+        description="OAuth2 provider used for authentication (e.g., workos, okta, auth0)."
+    )
+    client_id: str = Field(
+        description="OAuth2 client ID issued by the provider, used during authentication requests."
+    )
+    domain: str = Field(
+        description="OAuth2 provider's domain (e.g., your-org.auth0.com) used for issuing tokens."
+    )
+    audience: str | None = Field(
+        description="OAuth2 audience value, typically used to identify the target API or resource.",
+        default=None,
+    )
+    extra: dict[str, Any] = Field(
+        description="Extra configuration for the OAuth2 provider.",
+        default={},
+    )
+
+    @classmethod
+    def from_settings(cls: type[TOauth2Settings]) -> TOauth2Settings:
+        """Build an ``Oauth2Settings`` instance from the persisted CrewAI settings."""
+        settings = Settings()
+
+        return cls(
+            provider=settings.oauth2_provider,
+            domain=settings.oauth2_domain,
+            client_id=settings.oauth2_client_id,
+            audience=settings.oauth2_audience,
+            extra=settings.oauth2_extra,
+        )
+
+
+if TYPE_CHECKING:
+    from crewai_core.auth.providers.base_provider import BaseProvider
+
+
+class ProviderFactory:
+    """Factory for resolving the configured OAuth2 provider."""
+
+    @classmethod
+    def from_settings(
+        cls: type["ProviderFactory"],  # noqa: UP037
+        settings: Oauth2Settings | None = None,
+    ) -> "BaseProvider":  # noqa: UP037
+        """Create a provider instance from settings, importing the module dynamically."""
+        settings = settings or Oauth2Settings.from_settings()
+
+        import importlib
+
+        module = importlib.import_module(
+            f"crewai_core.auth.providers.{settings.provider.lower()}"
+        )
+        provider = getattr(
+            module,
+            f"{''.join(word.capitalize() for word in settings.provider.split('_'))}Provider",
+        )
+
+        return cast("BaseProvider", provider(settings))
+
+
+class AuthenticationCommand:
+    """Drives the OAuth2 device-flow login against the configured provider."""
+
+    def __init__(self) -> None:
+        self.token_manager = TokenManager()
+        self.oauth2_provider = ProviderFactory.from_settings()
+
+    def login(self) -> None:
+        """Sign in to the CrewAI platform via the OAuth2 device flow."""
+        console.print("Signing in to CrewAI AMP...\n", style="bold blue")
+
+        device_code_data = self._get_device_code()
+        self._display_auth_instructions(device_code_data)
+
+        return self._poll_for_token(device_code_data)
+
+    def _get_device_code(self) -> dict[str, Any]:
+        """Request a device code from the provider."""
+        device_code_payload = {
+            "client_id": self.oauth2_provider.get_client_id(),
+            "scope": " ".join(self.oauth2_provider.get_oauth_scopes()),
+            "audience": self.oauth2_provider.get_audience(),
+        }
+        response = httpx.post(
+            url=self.oauth2_provider.get_authorize_url(),
+            data=device_code_payload,
+            timeout=20,
+        )
+        response.raise_for_status()
+        return cast(dict[str, Any], response.json())
+
+    def _display_auth_instructions(self, device_code_data: dict[str, str]) -> None:
+        """Print and open the verification URL the user must visit."""
+        verification_uri = device_code_data.get(
+            "verification_uri_complete", device_code_data.get("verification_uri", "")
+        )
+
+        console.print("1. Navigate to: ", verification_uri)
+        console.print("2. Enter the following code: ", device_code_data["user_code"])
+        webbrowser.open(verification_uri)
+
+    def _poll_for_token(self, device_code_data: dict[str, Any]) -> None:
+        """Poll the token endpoint until authentication completes or times out."""
+        token_payload = {
+            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
+            "device_code": device_code_data["device_code"],
+            "client_id": self.oauth2_provider.get_client_id(),
+        }
+
+        console.print("\nWaiting for authentication... ", style="bold blue", end="")
+
+        attempts = 0
+        while True and attempts < 10:
+            response = httpx.post(
+                self.oauth2_provider.get_token_url(), data=token_payload, timeout=30
+            )
+            token_data = response.json()
+
+            if response.status_code == 200:
+                self._validate_and_save_token(token_data)
+
+                console.print(
+                    "Success!",
+                    style="bold green",
+                )
+
+                self._post_login()
+
+                console.print("\n[bold green]Welcome to CrewAI AMP![/bold green]\n")
+                return
+
+            if token_data["error"] not in ("authorization_pending", "slow_down"):
+                raise httpx.HTTPError(
+                    token_data.get("error_description") or token_data.get("error")
+                )
+
+            time.sleep(device_code_data["interval"])
+            attempts += 1
+
+        console.print(
+            "Timeout: Failed to get the token. Please try again.", style="bold red"
+        )
+
+    def _validate_and_save_token(self, token_data: dict[str, Any]) -> None:
+        """Validate the JWT and persist it via the token manager."""
+        jwt_token = token_data["access_token"]
+        issuer = self.oauth2_provider.get_issuer()
+        jwt_token_data = {
+            "jwt_token": jwt_token,
+            "jwks_url": self.oauth2_provider.get_jwks_url(),
+            "issuer": issuer,
+            "audience": self.oauth2_provider.get_audience(),
+        }
+
+        decoded_token = validate_jwt_token(**jwt_token_data)
+
+        expires_at = decoded_token.get("exp", 0)
+        self.token_manager.save_tokens(jwt_token, expires_at)
+
+    def _post_login(self) -> None:
+        """Hook called after a successful login. Override to extend behavior."""

crewai_core-1.14.5/src/crewai_core/auth/providers/__init__.py

@@ -0,0 +1 @@
+"""OAuth2 authentication providers."""

crewai_core-1.14.5/src/crewai_core/auth/providers/auth0.py

@@ -0,0 +1,40 @@
+"""Auth0 OAuth2 provider."""
+
+from __future__ import annotations
+
+from crewai_core.auth.providers.base_provider import BaseProvider
+
+
+class Auth0Provider(BaseProvider):
+    """Auth0 OAuth2 provider implementation."""
+
+    def get_authorize_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth/device/code"
+
+    def get_token_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth/token"
+
+    def get_jwks_url(self) -> str:
+        return f"https://{self._get_domain()}/.well-known/jwks.json"
+
+    def get_issuer(self) -> str:
+        return f"https://{self._get_domain()}/"
+
+    def get_audience(self) -> str:
+        if self.settings.audience is None:
+            raise ValueError(
+                "Audience is required. Please set it in the configuration."
+            )
+        return self.settings.audience
+
+    def get_client_id(self) -> str:
+        if self.settings.client_id is None:
+            raise ValueError(
+                "Client ID is required. Please set it in the configuration."
+            )
+        return self.settings.client_id
+
+    def _get_domain(self) -> str:
+        if self.settings.domain is None:
+            raise ValueError("Domain is required. Please set it in the configuration.")
+        return self.settings.domain

crewai_core-1.14.5/src/crewai_core/auth/providers/base_provider.py

@@ -0,0 +1,46 @@
+"""Base OAuth2 provider interface."""
+
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+
+from crewai_core.auth.oauth2 import Oauth2Settings
+
+
+class BaseProvider(ABC):
+    """Abstract base class for OAuth2 providers."""
+
+    def __init__(self, settings: Oauth2Settings):
+        self.settings = settings
+
+    @abstractmethod
+    def get_authorize_url(self) -> str:
+        """Return the authorization endpoint URL."""
+
+    @abstractmethod
+    def get_token_url(self) -> str:
+        """Return the token endpoint URL."""
+
+    @abstractmethod
+    def get_jwks_url(self) -> str:
+        """Return the JWKS endpoint URL."""
+
+    @abstractmethod
+    def get_issuer(self) -> str:
+        """Return the OAuth issuer identifier."""
+
+    @abstractmethod
+    def get_audience(self) -> str:
+        """Return the OAuth audience identifier."""
+
+    @abstractmethod
+    def get_client_id(self) -> str:
+        """Return the OAuth client identifier."""
+
+    def get_required_fields(self) -> list[str]:
+        """Return provider-specific keys required inside ``Oauth2Settings.extra``."""
+        return []
+
+    def get_oauth_scopes(self) -> list[str]:
+        """Return the OAuth scopes to request."""
+        return ["openid", "profile", "email"]

crewai_core-1.14.5/src/crewai_core/auth/providers/entra_id.py

@@ -0,0 +1,49 @@
+"""Entra ID (Azure AD) OAuth2 provider."""
+
+from __future__ import annotations
+
+from typing import cast
+
+from crewai_core.auth.providers.base_provider import BaseProvider
+
+
+class EntraIdProvider(BaseProvider):
+    """Entra ID (Azure AD) OAuth2 provider implementation."""
+
+    def get_authorize_url(self) -> str:
+        return f"{self._base_url()}/oauth2/v2.0/devicecode"
+
+    def get_token_url(self) -> str:
+        return f"{self._base_url()}/oauth2/v2.0/token"
+
+    def get_jwks_url(self) -> str:
+        return f"{self._base_url()}/discovery/v2.0/keys"
+
+    def get_issuer(self) -> str:
+        return f"{self._base_url()}/v2.0"
+
+    def get_audience(self) -> str:
+        if self.settings.audience is None:
+            raise ValueError(
+                "Audience is required. Please set it in the configuration."
+            )
+        return self.settings.audience
+
+    def get_client_id(self) -> str:
+        if self.settings.client_id is None:
+            raise ValueError(
+                "Client ID is required. Please set it in the configuration."
+            )
+        return self.settings.client_id
+
+    def get_oauth_scopes(self) -> list[str]:
+        return [
+            *super().get_oauth_scopes(),
+            *cast(str, self.settings.extra.get("scope", "")).split(),
+        ]
+
+    def get_required_fields(self) -> list[str]:
+        return ["scope"]
+
+    def _base_url(self) -> str:
+        return f"https://login.microsoftonline.com/{self.settings.domain}"

crewai_core-1.14.5/src/crewai_core/auth/providers/keycloak.py

@@ -0,0 +1,38 @@
+"""Keycloak OAuth2 provider."""
+
+from __future__ import annotations
+
+from crewai_core.auth.providers.base_provider import BaseProvider
+
+
+class KeycloakProvider(BaseProvider):
+    """Keycloak OAuth2 provider implementation."""
+
+    def get_authorize_url(self) -> str:
+        return f"{self._oauth2_base_url()}/realms/{self.settings.extra.get('realm')}/protocol/openid-connect/auth/device"
+
+    def get_token_url(self) -> str:
+        return f"{self._oauth2_base_url()}/realms/{self.settings.extra.get('realm')}/protocol/openid-connect/token"
+
+    def get_jwks_url(self) -> str:
+        return f"{self._oauth2_base_url()}/realms/{self.settings.extra.get('realm')}/protocol/openid-connect/certs"
+
+    def get_issuer(self) -> str:
+        return f"{self._oauth2_base_url()}/realms/{self.settings.extra.get('realm')}"
+
+    def get_audience(self) -> str:
+        return self.settings.audience or "no-audience-provided"
+
+    def get_client_id(self) -> str:
+        if self.settings.client_id is None:
+            raise ValueError(
+                "Client ID is required. Please set it in the configuration."
+            )
+        return self.settings.client_id
+
+    def get_required_fields(self) -> list[str]:
+        return ["realm"]
+
+    def _oauth2_base_url(self) -> str:
+        domain = self.settings.domain.removeprefix("https://").removeprefix("http://")
+        return f"https://{domain}"

crewai_core-1.14.5/src/crewai_core/auth/providers/okta.py

@@ -0,0 +1,48 @@
+"""Okta OAuth2 provider."""
+
+from __future__ import annotations
+
+from crewai_core.auth.providers.base_provider import BaseProvider
+
+
+class OktaProvider(BaseProvider):
+    """Okta OAuth2 provider implementation."""
+
+    def get_authorize_url(self) -> str:
+        return f"{self._oauth2_base_url()}/v1/device/authorize"
+
+    def get_token_url(self) -> str:
+        return f"{self._oauth2_base_url()}/v1/token"
+
+    def get_jwks_url(self) -> str:
+        return f"{self._oauth2_base_url()}/v1/keys"
+
+    def get_issuer(self) -> str:
+        return self._oauth2_base_url().removesuffix("/oauth2")
+
+    def get_audience(self) -> str:
+        if self.settings.audience is None:
+            raise ValueError(
+                "Audience is required. Please set it in the configuration."
+            )
+        return self.settings.audience
+
+    def get_client_id(self) -> str:
+        if self.settings.client_id is None:
+            raise ValueError(
+                "Client ID is required. Please set it in the configuration."
+            )
+        return self.settings.client_id
+
+    def get_required_fields(self) -> list[str]:
+        return ["authorization_server_name", "using_org_auth_server"]
+
+    def _oauth2_base_url(self) -> str:
+        using_org_auth_server = self.settings.extra.get("using_org_auth_server", False)
+
+        if using_org_auth_server:
+            base_url = f"https://{self.settings.domain}/oauth2"
+        else:
+            base_url = f"https://{self.settings.domain}/oauth2/{self.settings.extra.get('authorization_server_name', 'default')}"
+
+        return f"{base_url}"

crewai_core-1.14.5/src/crewai_core/auth/providers/workos.py

@@ -0,0 +1,36 @@
+"""WorkOS OAuth2 provider."""
+
+from __future__ import annotations
+
+from crewai_core.auth.providers.base_provider import BaseProvider
+
+
+class WorkosProvider(BaseProvider):
+    """WorkOS OAuth2 provider implementation."""
+
+    def get_authorize_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth2/device_authorization"
+
+    def get_token_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth2/token"
+
+    def get_jwks_url(self) -> str:
+        return f"https://{self._get_domain()}/oauth2/jwks"
+
+    def get_issuer(self) -> str:
+        return f"https://{self._get_domain()}"
+
+    def get_audience(self) -> str:
+        return self.settings.audience or ""
+
+    def get_client_id(self) -> str:
+        if self.settings.client_id is None:
+            raise ValueError(
+                "Client ID is required. Please set it in the configuration."
+            )
+        return self.settings.client_id
+
+    def _get_domain(self) -> str:
+        if self.settings.domain is None:
+            raise ValueError("Domain is required. Please set it in the configuration.")
+        return self.settings.domain

crewai_core-1.14.5/src/crewai_core/auth/token.py

@@ -0,0 +1,17 @@
+"""Authentication token retrieval."""
+
+from __future__ import annotations
+
+from crewai_core.token_manager import TokenManager
+
+
+class AuthError(Exception):
+    """Raised when authentication fails."""
+
+
+def get_auth_token() -> str:
+    """Return the saved authentication token; raise ``AuthError`` if missing."""
+    access_token = TokenManager().get_token()
+    if not access_token:
+        raise AuthError("No token found, make sure you are logged in")
+    return access_token