getstack 0.1.0__tar.gz → 0.3.0__tar.gz

getstack-0.3.0/.gitignore

@@ -0,0 +1,61 @@
+node_modules/
+dist/
+.turbo/
+*.tsbuildinfo
+__pycache__/
+*.pyc
+
+# Environment / secrets
+.env
+.env.*
+*.env
+.npmrc
+scripts/.env.cto
+
+# Strategy docs (not sensitive, but private)
+stack-claude-code-spec-v3.md
+stack-gtm-distribution.md
+stack-platform-spec-v2.md
+
+# IDE
+.vscode/settings.json
+.idea/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Next.js
+.next/
+out/
+
+# MCP publisher
+mcp-publisher.exe
+.mcpregistry_*
+
+# Fly.io deployment config (contains app names, regions)
+**/fly.toml
+!apps/*/fly.toml
+!**/fly.toml.example
+
+# Logs
+*.log
+npm-debug.log*
+
+# Claude Code edit audit log (per-machine paper trail of hook-logged mutations)
+.claude/audit/
+
+# Claude Code per-machine state (background scheduler)
+.claude/scheduled_tasks.lock
+
+# OpenAPI spec cache (regenerated by scripts/verify-intents-openapi.ts)
+scripts/.openapi-cache/
+
+# Local dev screenshots
+*-stripe.png
+
+# YC application session exports (founder voice + redacted creds — never commit)
+docs/yc-q18/
+docs/yc-application-session-preface.md
+*-YC.md
+*-yc.md

getstack-0.3.0/CLAUDE.md

@@ -0,0 +1,46 @@
+# getstack (Python SDK)
+
+Published to PyPI as `getstack`. Not a workspace member of the main monorepo
+(Python has its own tooling via `pyproject.toml` + its own tests).
+
+## Purpose
+
+- Python ergonomic equivalent of `@getstackrun/sdk`
+- `with stack.passports.mission(...) as m:` context manager that handles
+  checkpoints + checkout automatically
+- Same RESTful coverage: agents, passports, services, credentials, drop-offs,
+  skills, identity, audit, notifications, security-events, proxy
+
+## Where to look
+
+- Package metadata: `sdk-python/pyproject.toml`
+- Module entry: `sdk-python/src/getstack/`
+- User-facing quickstart + examples: `sdk-python/README.md`
+- License: `sdk-python/LICENSE`
+
+## Key divergence from JS SDK
+
+The Python SDK has a **mission context manager** the JS SDK doesn't have:
+
+```python
+with stack.passports.mission(
+    agent_id=agent.id,
+    intent="Process invoices from Slack",
+    services=["slack", "stripe"],
+    checkpoint_interval="5m",
+) as mission:
+    mission.log("slack", "read_channel", "#invoices")
+    mission.log("stripe", "create_invoice")
+    # Checkpoints submitted automatically on schedule
+# Checkout submitted automatically when the block exits
+```
+
+When the JS SDK adds an equivalent, align the shape (same keyword args,
+same method names) for cross-language familiarity.
+
+## Gotchas
+
+- **Not installed by `npm install` at monorepo root.** Python devs run `pip install -e sdk-python/` or `uv pip install -e sdk-python/`. The JS monorepo lockfile does not resolve Python deps.
+- **Published to PyPI separately.** There's no coordinated release between the JS + Python SDKs; they can (and sometimes do) drift in version numbers.
+- **Same authentication posture.** API keys, session JWTs, and the same `sk_live_*` prefix convention. Token type detection works identically to JS.
+- **Offline passport verification is also available** (mirrors `verify_passport_offline` from the JS SDK) — but confirm the exact function name in `sdk-python/src/getstack/` before citing.

{getstack-0.1.0 → getstack-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: getstack
-Version: 0.1.0
+Version: 0.3.0
 Summary: Python SDK for STACK — trust infrastructure for AI agents
 Project-URL: Homepage, https://getstack.run
 Project-URL: Documentation, https://getstack.run/docs/sdk
@@ -19,7 +19,9 @@ Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Topic :: Software Development :: Libraries
 Requires-Python: >=3.9
+Requires-Dist: cryptography>=42.0.0
 Requires-Dist: httpx>=0.25.0
+Requires-Dist: pyjwt>=2.8.0
 Description-Content-Type: text/markdown
 
 # getstack
@@ -34,16 +36,30 @@ pip install getstack
 
 ## Quick start
 
+Sign in once on your machine — the SDK reads credentials from `~/.stack/credentials.json` automatically:
+
+```bash
+npx -y @getstackrun/cli auth login
+```
+
 ```python
 from getstack import Stack
 
-stack = Stack(api_key="sk_live_...")
+# Zero-arg constructor reads ~/.stack/credentials.json (OAuth refresh token).
+# Falls back to STACK_API_KEY env var, then constructor api_key= for CI.
+stack = Stack()
 
-# Register an agent
+# 1. Register an agent (one-time)
 agent = stack.agents.register("my-agent", accountability_mode="enforced")
 
-# Run a mission with automatic checkpoints and checkout
-with stack.passports.mission(
+# 2. In your agent runtime, switch to per-agent keypair mode
+agent_stack = Stack(agent_id=agent.id)
+# First run: generates an Ed25519 keypair locally + enrolls the public
+# half via /v1/agents/<id>/enroll. Persisted at ~/.stack/agents/<id>.json
+# (mode 0600). Every subsequent call signs a fresh 60-second JWT.
+
+# 3. Run a mission with automatic checkpoints and checkout
+with agent_stack.passports.mission(
     agent_id=agent.id,
     intent="Process invoices from Slack",
     services=["slack", "stripe"],
@@ -57,22 +73,26 @@ with stack.passports.mission(
 
 ## Authentication
 
+Four sources, resolved in priority order:
+
 ```python
-# API key (most common)
-stack = Stack(api_key="sk_live_...")
+# 1. Explicit auth strategy
+stack = Stack.from_oauth(client_id="...", client_secret="", access_token="...", refresh_token="...")
+stack = Stack.from_session(session_token="...")
 
-# OAuth with auto-refresh
-stack = Stack.from_oauth(
-    client_id="...",
-    client_secret="...",
-    access_token="...",
-    refresh_token="...",
-)
+# 2. agent_id (Phase 2 — recommended for production runtimes)
+stack = Stack(agent_id="agt_xxx")
 
-# Session JWT (dashboard integrations)
-stack = Stack.from_session(session_token="...")
+# 3. api_key (legacy sk_live_*; for CI without a browser)
+stack = Stack(api_key="sk_live_...")
+# or set STACK_API_KEY in the environment
+
+# 4. ~/.stack/credentials.json (Phase 1 — `stack-cli auth login` writes it)
+stack = Stack()
 ```
 
+See [/docs/security/stack-auth](https://getstack.run/docs/security/stack-auth) for the full auth model and [/docs/security/agent-keys](https://getstack.run/docs/security/agent-keys) for the per-agent keypair story.
+
 ## Continuous missions (24/7 agents)
 
 ```python

{getstack-0.1.0 → getstack-0.3.0}/README.md

@@ -10,16 +10,30 @@ pip install getstack
 
 ## Quick start
 
+Sign in once on your machine — the SDK reads credentials from `~/.stack/credentials.json` automatically:
+
+```bash
+npx -y @getstackrun/cli auth login
+```
+
 ```python
 from getstack import Stack
 
-stack = Stack(api_key="sk_live_...")
+# Zero-arg constructor reads ~/.stack/credentials.json (OAuth refresh token).
+# Falls back to STACK_API_KEY env var, then constructor api_key= for CI.
+stack = Stack()
 
-# Register an agent
+# 1. Register an agent (one-time)
 agent = stack.agents.register("my-agent", accountability_mode="enforced")
 
-# Run a mission with automatic checkpoints and checkout
-with stack.passports.mission(
+# 2. In your agent runtime, switch to per-agent keypair mode
+agent_stack = Stack(agent_id=agent.id)
+# First run: generates an Ed25519 keypair locally + enrolls the public
+# half via /v1/agents/<id>/enroll. Persisted at ~/.stack/agents/<id>.json
+# (mode 0600). Every subsequent call signs a fresh 60-second JWT.
+
+# 3. Run a mission with automatic checkpoints and checkout
+with agent_stack.passports.mission(
     agent_id=agent.id,
     intent="Process invoices from Slack",
     services=["slack", "stripe"],
@@ -33,22 +47,26 @@ with stack.passports.mission(
 
 ## Authentication
 
+Four sources, resolved in priority order:
+
 ```python
-# API key (most common)
-stack = Stack(api_key="sk_live_...")
+# 1. Explicit auth strategy
+stack = Stack.from_oauth(client_id="...", client_secret="", access_token="...", refresh_token="...")
+stack = Stack.from_session(session_token="...")
 
-# OAuth with auto-refresh
-stack = Stack.from_oauth(
-    client_id="...",
-    client_secret="...",
-    access_token="...",
-    refresh_token="...",
-)
+# 2. agent_id (Phase 2 — recommended for production runtimes)
+stack = Stack(agent_id="agt_xxx")
 
-# Session JWT (dashboard integrations)
-stack = Stack.from_session(session_token="...")
+# 3. api_key (legacy sk_live_*; for CI without a browser)
+stack = Stack(api_key="sk_live_...")
+# or set STACK_API_KEY in the environment
+
+# 4. ~/.stack/credentials.json (Phase 1 — `stack-cli auth login` writes it)
+stack = Stack()
 ```
 
+See [/docs/security/stack-auth](https://getstack.run/docs/security/stack-auth) for the full auth model and [/docs/security/agent-keys](https://getstack.run/docs/security/agent-keys) for the per-agent keypair story.
+
 ## Continuous missions (24/7 agents)
 
 ```python

{getstack-0.1.0 → getstack-0.3.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "getstack"
-version = "0.1.0"
+version = "0.3.0"
 description = "Python SDK for STACK — trust infrastructure for AI agents"
 readme = "README.md"
 license = "MIT"
@@ -24,6 +24,14 @@ classifiers = [
 ]
 dependencies = [
     "httpx>=0.25.0",
+    # Phase 2 — agent-keypair runtime needs Ed25519 sign + verify and
+    # JWT mint. cryptography is the de-facto standalone Ed25519 lib in
+    # the Python ecosystem; ~10MB install. Pinned to a major to avoid
+    # surprise breakage but minor floats.
+    "cryptography>=42.0.0",
+    # PyJWT for agent JWT minting; pure-Python, tiny (~50KB), no native
+    # deps beyond cryptography (which we already need).
+    "pyjwt>=2.8.0",
 ]
 
 [project.urls]

{getstack-0.1.0 → getstack-0.3.0}/src/getstack/__init__.py

@@ -33,7 +33,10 @@ For async usage::
 
 from __future__ import annotations
 
-from .auth import ApiKeyAuth, SessionAuth, OAuthAuth
+import os
+
+from .auth import ApiKeyAuth, SessionAuth, OAuthAuth, CredentialsFileAuth
+from .agent_auth import AgentKeypairAuth
 from .client import HttpClient, AsyncHttpClient, DEFAULT_BASE_URL
 from .agents import AgentService
 from .passports import PassportService, Mission
@@ -43,6 +46,11 @@ from .dropoffs import DropoffService
 from .reviews import ReviewService
 from .notifications import NotificationService
 from .audit import AuditService
+from .proxy import ProxyService as ProxySvc, ProxyResponse
+from .scan import ScanService
+from .security_events import SecurityEventService as SecurityEventSvc
+from .skills import SkillService
+from .identity import IdentityService
 from .types import (
     Agent,
     Passport,
@@ -56,6 +64,13 @@ from .types import (
     Credential,
     NotificationChannel,
     ToolCall,
+    Skill,
+    SkillInvocation,
+    SkillRequest,
+    IdentityProvider,
+    IdentityClaim,
+    IdentitySettings,
+    VerificationSession,
 )
 from .errors import (
     StackError,
@@ -66,7 +81,30 @@ from .errors import (
     PassportBlockedError,
 )
 
-__version__ = "0.1.0"
+__version__ = "0.2.0"
+
+
+def _build_static_auth(
+    *,
+    api_key: str | None,
+    base_url: str,
+) -> ApiKeyAuth | CredentialsFileAuth:
+    """Phase 2 helper. Resolve a static-bearer auth strategy for the
+    one-time agent-enrollment dance — explicit api_key, STACK_API_KEY
+    env var, or ~/.stack/credentials.json (CLI-managed OAuth refresh).
+    """
+    if api_key:
+        return ApiKeyAuth(api_key)
+    env_key = os.environ.get("STACK_API_KEY")
+    if env_key:
+        return ApiKeyAuth(env_key)
+    try:
+        return CredentialsFileAuth(api_base_url=base_url)
+    except RuntimeError as e:
+        raise ValueError(
+            "Agent enrollment needs a static bearer (api_key=, "
+            "STACK_API_KEY, or `stack-cli auth login`) — none found."
+        ) from e
 
 __all__ = [
     "Stack",
@@ -86,6 +124,14 @@ __all__ = [
     "NotificationChannel",
     "Mission",
     "ToolCall",
+    "ProxyResponse",
+    "Skill",
+    "SkillInvocation",
+    "SkillRequest",
+    "IdentityProvider",
+    "IdentityClaim",
+    "IdentitySettings",
+    "VerificationSession",
     # Errors
     "StackError",
     "NotFoundError",
@@ -109,16 +155,37 @@ class Stack:
         self,
         api_key: str | None = None,
         *,
+        agent_id: str | None = None,
         base_url: str = DEFAULT_BASE_URL,
         timeout: float = 30.0,
-        _auth: ApiKeyAuth | SessionAuth | OAuthAuth | None = None,
+        _auth: ApiKeyAuth | SessionAuth | OAuthAuth | CredentialsFileAuth | AgentKeypairAuth | None = None,
     ):
+        # Four-source resolution, in priority order:
+        #   1. Explicit _auth (callers that pre-built a strategy).
+        #   2. agent_id (Phase 2 — agent-keypair runtime mode). Static
+        #      bearer is auto-resolved for enrollment via api_key/env/file.
+        #   3. api_key arg or STACK_API_KEY env var (legacy sk_live_*).
+        #   4. ~/.stack/credentials.json — OAuth refresh token written
+        #      by `stack-cli auth login`.
         if _auth:
-            auth = _auth
-        elif api_key:
-            auth = ApiKeyAuth(api_key)
+            auth: ApiKeyAuth | SessionAuth | OAuthAuth | CredentialsFileAuth | AgentKeypairAuth = _auth
+        elif agent_id:
+            static_auth = _build_static_auth(api_key=api_key, base_url=base_url)
+            auth = AgentKeypairAuth(
+                agent_id=agent_id,
+                api_base_url=base_url,
+                bearer_provider=lambda: static_auth.get_headers()["Authorization"].split(" ", 1)[1],
+            )
+        elif api_key or os.environ.get("STACK_API_KEY"):
+            auth = ApiKeyAuth(api_key or os.environ["STACK_API_KEY"])
         else:
-            raise ValueError("Either api_key or _auth must be provided")
+            try:
+                auth = CredentialsFileAuth(api_base_url=base_url)
+            except RuntimeError as e:
+                raise ValueError(
+                    "No STACK credentials found. Pass api_key=, set "
+                    "STACK_API_KEY, or run `stack-cli auth login`."
+                ) from e
 
         self._client = HttpClient(auth, base_url=base_url, timeout=timeout)
         self.agents = AgentService(self._client)
@@ -129,6 +196,11 @@ class Stack:
         self.reviews = ReviewService(self._client)
         self.notifications = NotificationService(self._client)
         self.audit = AuditService(self._client)
+        self.proxy = ProxySvc(self._client)
+        self.scan = ScanService(self._client)
+        self.security_events = SecurityEventSvc(self._client)
+        self.skills = SkillService(self._client)
+        self.identity = IdentityService(self._client)
 
     @classmethod
     def from_session(cls, session_token: str, **kwargs) -> Stack:
@@ -184,16 +256,31 @@ class AsyncStack:
         self,
         api_key: str | None = None,
         *,
+        agent_id: str | None = None,
         base_url: str = DEFAULT_BASE_URL,
         timeout: float = 30.0,
-        _auth: ApiKeyAuth | SessionAuth | OAuthAuth | None = None,
+        _auth: ApiKeyAuth | SessionAuth | OAuthAuth | CredentialsFileAuth | AgentKeypairAuth | None = None,
     ):
+        # Same four-source resolution as Stack — see Stack.__init__.
         if _auth:
-            auth = _auth
-        elif api_key:
-            auth = ApiKeyAuth(api_key)
+            auth: ApiKeyAuth | SessionAuth | OAuthAuth | CredentialsFileAuth | AgentKeypairAuth = _auth
+        elif agent_id:
+            static_auth = _build_static_auth(api_key=api_key, base_url=base_url)
+            auth = AgentKeypairAuth(
+                agent_id=agent_id,
+                api_base_url=base_url,
+                bearer_provider=lambda: static_auth.get_headers()["Authorization"].split(" ", 1)[1],
+            )
+        elif api_key or os.environ.get("STACK_API_KEY"):
+            auth = ApiKeyAuth(api_key or os.environ["STACK_API_KEY"])
         else:
-            raise ValueError("Either api_key or _auth must be provided")
+            try:
+                auth = CredentialsFileAuth(api_base_url=base_url)
+            except RuntimeError as e:
+                raise ValueError(
+                    "No STACK credentials found. Pass api_key=, set "
+                    "STACK_API_KEY, or run `stack-cli auth login`."
+                ) from e
 
         self._client = AsyncHttpClient(auth, base_url=base_url, timeout=timeout)
 

getstack-0.3.0/src/getstack/agent_auth.py

@@ -0,0 +1,189 @@
+"""Phase 2 — agent-keypair runtime auth (Python).
+
+Mirror of packages/sdk/src/agent-auth.ts. When ``Stack(agent_id=...)`` is
+constructed, the SDK enters agent-runtime mode: every request is signed
+with a fresh 60-second EdDSA JWT minted from the agent's local privkey
+at ~/.stack/agents/<agent_id>.json.
+
+First run: generate Ed25519 keypair, request enrollment challenge from
+the API, sign challenge with privkey, POST /enroll. Persist privkey
+locally (mode 0600). Subsequent runs read from disk.
+"""
+
+from __future__ import annotations
+
+import base64
+import json
+import os
+import time
+from pathlib import Path
+from typing import Callable
+
+import httpx
+import jwt
+from cryptography.hazmat.primitives.asymmetric.ed25519 import (
+    Ed25519PrivateKey,
+    Ed25519PublicKey,
+)
+from cryptography.hazmat.primitives.serialization import (
+    Encoding,
+    NoEncryption,
+    PrivateFormat,
+    PublicFormat,
+)
+
+from .auth import AuthStrategy
+
+AGENT_JWT_TTL = 60
+AGENT_JWT_ISSUER = "stack-sdk"
+AGENT_JWT_AUDIENCE = "stack:agent"
+
+
+def _b64url_no_pad(data: bytes) -> str:
+    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
+
+
+def _key_path(agent_id: str) -> Path:
+    return Path(os.path.expanduser("~")) / ".stack" / "agents" / f"{agent_id}.json"
+
+
+def _load_stored(agent_id: str) -> dict | None:
+    path = _key_path(agent_id)
+    if not path.exists():
+        return None
+    try:
+        return json.loads(path.read_text(encoding="utf8"))
+    except (OSError, json.JSONDecodeError):
+        return None
+
+
+def _persist_stored(agent_id: str, payload: dict) -> None:
+    path = _key_path(agent_id)
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(payload, indent=2), encoding="utf8")
+    try:
+        os.chmod(path, 0o600)
+    except OSError:
+        # Windows / unsupported FS — ignore.
+        pass
+
+
+def _generate_keypair() -> tuple[Ed25519PrivateKey, dict, dict]:
+    """Generate an Ed25519 keypair and return (privkey_obj, public_jwk,
+    private_jwk_with_d)."""
+    priv = Ed25519PrivateKey.generate()
+    pub = priv.public_key()
+    pub_raw = pub.public_bytes(Encoding.Raw, PublicFormat.Raw)
+    priv_raw = priv.private_bytes(Encoding.Raw, PrivateFormat.Raw, NoEncryption())
+    public_jwk = {"kty": "OKP", "crv": "Ed25519", "x": _b64url_no_pad(pub_raw)}
+    private_jwk = {**public_jwk, "d": _b64url_no_pad(priv_raw)}
+    return priv, public_jwk, private_jwk
+
+
+def _privkey_from_jwk(jwk: dict) -> Ed25519PrivateKey:
+    pad = "=" * (-len(jwk["d"]) % 4)
+    raw = base64.urlsafe_b64decode(jwk["d"] + pad)
+    return Ed25519PrivateKey.from_private_bytes(raw)
+
+
+def _enroll(
+    agent_id: str,
+    base_url: str,
+    bearer_provider: Callable[[], str],
+) -> dict:
+    """Run the proof-of-possession enrollment dance. Returns the stored
+    payload (with private JWK) ready to persist."""
+    bearer = bearer_provider()
+    base = base_url.rstrip("/")
+
+    # Step 1 — request challenge.
+    r = httpx.post(
+        f"{base}/v1/agents/{agent_id}/enrollment-challenge",
+        headers={"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"},
+        timeout=15.0,
+    )
+    r.raise_for_status()
+    challenge_body = r.json()
+    challenge: str = challenge_body["challenge"]
+    challenge_id: str = challenge_body["challenge_id"]
+
+    # Step 2 — generate keypair locally.
+    priv_obj, public_jwk, private_jwk = _generate_keypair()
+
+    # Step 3 — sign the challenge bytes.
+    sig = priv_obj.sign(challenge.encode("utf8"))
+    signed_challenge = _b64url_no_pad(sig)
+
+    # Step 4 — POST /enroll.
+    r2 = httpx.post(
+        f"{base}/v1/agents/{agent_id}/enroll",
+        headers={"Authorization": f"Bearer {bearer}", "Content-Type": "application/json"},
+        json={
+            "public_key": public_jwk,
+            "challenge_id": challenge_id,
+            "signed_challenge": signed_challenge,
+        },
+        timeout=15.0,
+    )
+    r2.raise_for_status()
+    enrolled = r2.json()
+
+    return {
+        "agent_id": agent_id,
+        "publicKey": public_jwk,
+        "privateKey": private_jwk,
+        "enrolled_at": enrolled.get("enrolled_at"),
+    }
+
+
+def _sign_agent_jwt(stored: dict, agent_id: str) -> str:
+    """Mint a fresh 60-second EdDSA JWT signed with the agent privkey."""
+    priv_obj = _privkey_from_jwk(stored["privateKey"])
+    now = int(time.time())
+    payload = {
+        "iss": AGENT_JWT_ISSUER,
+        "sub": agent_id,
+        "aud": AGENT_JWT_AUDIENCE,
+        "iat": now,
+        "nbf": now,
+        "exp": now + AGENT_JWT_TTL,
+        "jti": f"aj_{now}_{os.urandom(6).hex()}",
+    }
+    # PyJWT accepts a raw cryptography Ed25519 key when algorithm='EdDSA'.
+    return jwt.encode(payload, priv_obj, algorithm="EdDSA")
+
+
+class AgentKeypairAuth(AuthStrategy):
+    """Phase 2 agent-runtime auth strategy.
+
+    Constructed with an agent_id and a fallback bearer provider (used
+    only for the one-time enrollment dance). Once enrolled, every
+    request mints a fresh 60-second JWT signed by the locally-stored
+    privkey — the bearer provider is no longer consulted.
+    """
+
+    def __init__(
+        self,
+        agent_id: str,
+        api_base_url: str,
+        bearer_provider: Callable[[], str],
+    ):
+        self.agent_id = agent_id
+        self.api_base_url = api_base_url
+        self.bearer_provider = bearer_provider
+        self._stored: dict | None = None
+
+    def _ensure_stored(self) -> dict:
+        if self._stored is not None:
+            return self._stored
+        stored = _load_stored(self.agent_id)
+        if stored is None:
+            stored = _enroll(self.agent_id, self.api_base_url, self.bearer_provider)
+            _persist_stored(self.agent_id, stored)
+        self._stored = stored
+        return stored
+
+    def get_headers(self) -> dict[str, str]:
+        stored = self._ensure_stored()
+        token = _sign_agent_jwt(stored, self.agent_id)
+        return {"Authorization": f"Bearer {token}"}