PyPI - kubiya-control-plane-api - Versions diffs - 0.9.15__py3-none-any.whl - Mend

kubiya-control-plane-api 0.9.15__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (479) hide show

control_plane_api/LICENSE +676 -0
control_plane_api/README.md +350 -0
control_plane_api/__init__.py +4 -0
control_plane_api/__version__.py +8 -0
control_plane_api/alembic/README +1 -0
control_plane_api/alembic/env.py +121 -0
control_plane_api/alembic/script.py.mako +28 -0
control_plane_api/alembic/versions/2613c65c3dbe_initial_database_setup.py +32 -0
control_plane_api/alembic/versions/2df520d4927d_merge_heads.py +28 -0
control_plane_api/alembic/versions/43abf98d6a01_add_paused_status_to_executions.py +73 -0
control_plane_api/alembic/versions/6289854264cb_merge_multiple_heads.py +28 -0
control_plane_api/alembic/versions/6a4d4dc3d8dc_generate_execution_transitions.py +50 -0
control_plane_api/alembic/versions/87d11cf0a783_add_disconnected_status_to_worker_.py +44 -0
control_plane_api/alembic/versions/add_ephemeral_queue_support.py +85 -0
control_plane_api/alembic/versions/add_model_type_to_llm_models.py +31 -0
control_plane_api/alembic/versions/add_plan_executions_table.py +114 -0
control_plane_api/alembic/versions/add_trace_span_tables.py +154 -0
control_plane_api/alembic/versions/add_user_info_to_traces.py +36 -0
control_plane_api/alembic/versions/adjusting_foreign_keys.py +32 -0
control_plane_api/alembic/versions/b4983d976db2_initial_tables.py +1128 -0
control_plane_api/alembic/versions/d181a3b40e71_rename_custom_metadata_to_metadata_in_.py +50 -0
control_plane_api/alembic/versions/df9117888e82_add_missing_columns.py +82 -0
control_plane_api/alembic/versions/f25de6ad895a_missing_migrations.py +34 -0
control_plane_api/alembic/versions/f71305fb69b9_fix_ephemeral_queue_deletion_foreign_key.py +54 -0
control_plane_api/alembic/versions/mark_local_exec_queues_as_ephemeral.py +68 -0
control_plane_api/alembic.ini +148 -0
control_plane_api/api/index.py +12 -0
control_plane_api/app/__init__.py +11 -0
control_plane_api/app/activities/__init__.py +20 -0
control_plane_api/app/activities/agent_activities.py +384 -0
control_plane_api/app/activities/plan_generation_activities.py +499 -0
control_plane_api/app/activities/team_activities.py +424 -0
control_plane_api/app/activities/temporal_cloud_activities.py +588 -0
control_plane_api/app/config/__init__.py +35 -0
control_plane_api/app/config/api_config.py +469 -0
control_plane_api/app/config/config_loader.py +224 -0
control_plane_api/app/config/model_pricing.py +323 -0
control_plane_api/app/config/storage_config.py +159 -0
control_plane_api/app/config.py +115 -0
control_plane_api/app/controllers/__init__.py +0 -0
control_plane_api/app/controllers/execution_environment_controller.py +1315 -0
control_plane_api/app/database.py +135 -0
control_plane_api/app/exceptions.py +408 -0
control_plane_api/app/lib/__init__.py +11 -0
control_plane_api/app/lib/environment.py +65 -0
control_plane_api/app/lib/event_bus/__init__.py +17 -0
control_plane_api/app/lib/event_bus/base.py +136 -0
control_plane_api/app/lib/event_bus/manager.py +335 -0
control_plane_api/app/lib/event_bus/providers/__init__.py +6 -0
control_plane_api/app/lib/event_bus/providers/http_provider.py +166 -0
control_plane_api/app/lib/event_bus/providers/nats_provider.py +324 -0
control_plane_api/app/lib/event_bus/providers/redis_provider.py +233 -0
control_plane_api/app/lib/event_bus/providers/websocket_provider.py +497 -0
control_plane_api/app/lib/job_executor.py +330 -0
control_plane_api/app/lib/kubiya_client.py +293 -0
control_plane_api/app/lib/litellm_pricing.py +166 -0
control_plane_api/app/lib/mcp_validation.py +163 -0
control_plane_api/app/lib/nats/__init__.py +13 -0
control_plane_api/app/lib/nats/credentials_manager.py +288 -0
control_plane_api/app/lib/nats/listener.py +374 -0
control_plane_api/app/lib/planning_prompt_builder.py +153 -0
control_plane_api/app/lib/planning_tools/__init__.py +41 -0
control_plane_api/app/lib/planning_tools/agents.py +409 -0
control_plane_api/app/lib/planning_tools/agno_toolkit.py +836 -0
control_plane_api/app/lib/planning_tools/base.py +119 -0
control_plane_api/app/lib/planning_tools/cognitive_memory_tools.py +403 -0
control_plane_api/app/lib/planning_tools/context_graph_tools.py +545 -0
control_plane_api/app/lib/planning_tools/environments.py +218 -0
control_plane_api/app/lib/planning_tools/knowledge.py +204 -0
control_plane_api/app/lib/planning_tools/models.py +93 -0
control_plane_api/app/lib/planning_tools/planning_service.py +646 -0
control_plane_api/app/lib/planning_tools/resources.py +242 -0
control_plane_api/app/lib/planning_tools/teams.py +334 -0
control_plane_api/app/lib/policy_enforcer_client.py +1016 -0
control_plane_api/app/lib/redis_client.py +803 -0
control_plane_api/app/lib/sqlalchemy_utils.py +486 -0
control_plane_api/app/lib/state_transition_tools/__init__.py +7 -0
control_plane_api/app/lib/state_transition_tools/execution_context.py +388 -0
control_plane_api/app/lib/storage/__init__.py +20 -0
control_plane_api/app/lib/storage/base_provider.py +274 -0
control_plane_api/app/lib/storage/provider_factory.py +157 -0
control_plane_api/app/lib/storage/vercel_blob_provider.py +468 -0
control_plane_api/app/lib/supabase.py +71 -0
control_plane_api/app/lib/supabase_utils.py +138 -0
control_plane_api/app/lib/task_planning/__init__.py +138 -0
control_plane_api/app/lib/task_planning/agent_factory.py +308 -0
control_plane_api/app/lib/task_planning/agents.py +389 -0
control_plane_api/app/lib/task_planning/cache.py +218 -0
control_plane_api/app/lib/task_planning/entity_resolver.py +273 -0
control_plane_api/app/lib/task_planning/helpers.py +293 -0
control_plane_api/app/lib/task_planning/hooks.py +474 -0
control_plane_api/app/lib/task_planning/models.py +503 -0
control_plane_api/app/lib/task_planning/plan_validator.py +166 -0
control_plane_api/app/lib/task_planning/planning_workflow.py +2911 -0
control_plane_api/app/lib/task_planning/runner.py +656 -0
control_plane_api/app/lib/task_planning/streaming_hook.py +213 -0
control_plane_api/app/lib/task_planning/workflow.py +424 -0
control_plane_api/app/lib/templating/__init__.py +88 -0
control_plane_api/app/lib/templating/compiler.py +278 -0
control_plane_api/app/lib/templating/engine.py +178 -0
control_plane_api/app/lib/templating/parsers/__init__.py +29 -0
control_plane_api/app/lib/templating/parsers/base.py +96 -0
control_plane_api/app/lib/templating/parsers/env.py +85 -0
control_plane_api/app/lib/templating/parsers/graph.py +112 -0
control_plane_api/app/lib/templating/parsers/secret.py +87 -0
control_plane_api/app/lib/templating/parsers/simple.py +81 -0
control_plane_api/app/lib/templating/resolver.py +366 -0
control_plane_api/app/lib/templating/types.py +214 -0
control_plane_api/app/lib/templating/validator.py +201 -0
control_plane_api/app/lib/temporal_client.py +232 -0
control_plane_api/app/lib/temporal_credentials_cache.py +178 -0
control_plane_api/app/lib/temporal_credentials_service.py +203 -0
control_plane_api/app/lib/validation/__init__.py +24 -0
control_plane_api/app/lib/validation/runtime_validation.py +388 -0
control_plane_api/app/main.py +531 -0
control_plane_api/app/middleware/__init__.py +10 -0
control_plane_api/app/middleware/auth.py +645 -0
control_plane_api/app/middleware/exception_handler.py +267 -0
control_plane_api/app/middleware/prometheus_middleware.py +173 -0
control_plane_api/app/middleware/rate_limiting.py +384 -0
control_plane_api/app/middleware/request_id.py +202 -0
control_plane_api/app/models/__init__.py +40 -0
control_plane_api/app/models/agent.py +90 -0
control_plane_api/app/models/analytics.py +206 -0
control_plane_api/app/models/associations.py +107 -0
control_plane_api/app/models/auth_user.py +73 -0
control_plane_api/app/models/context.py +161 -0
control_plane_api/app/models/custom_integration.py +99 -0
control_plane_api/app/models/environment.py +64 -0
control_plane_api/app/models/execution.py +125 -0
control_plane_api/app/models/execution_transition.py +50 -0
control_plane_api/app/models/job.py +159 -0
control_plane_api/app/models/llm_model.py +78 -0
control_plane_api/app/models/orchestration.py +66 -0
control_plane_api/app/models/plan_execution.py +102 -0
control_plane_api/app/models/presence.py +49 -0
control_plane_api/app/models/project.py +61 -0
control_plane_api/app/models/project_management.py +85 -0
control_plane_api/app/models/session.py +29 -0
control_plane_api/app/models/skill.py +155 -0
control_plane_api/app/models/system_tables.py +43 -0
control_plane_api/app/models/task_planning.py +372 -0
control_plane_api/app/models/team.py +86 -0
control_plane_api/app/models/trace.py +257 -0
control_plane_api/app/models/user_profile.py +54 -0
control_plane_api/app/models/worker.py +221 -0
control_plane_api/app/models/workflow.py +161 -0
control_plane_api/app/models/workspace.py +50 -0
control_plane_api/app/observability/__init__.py +177 -0
control_plane_api/app/observability/context_logging.py +475 -0
control_plane_api/app/observability/decorators.py +337 -0
control_plane_api/app/observability/local_span_processor.py +702 -0
control_plane_api/app/observability/metrics.py +303 -0
control_plane_api/app/observability/middleware.py +246 -0
control_plane_api/app/observability/optional.py +115 -0
control_plane_api/app/observability/tracing.py +382 -0
control_plane_api/app/policies/README.md +149 -0
control_plane_api/app/policies/approved_users.rego +62 -0
control_plane_api/app/policies/business_hours.rego +51 -0
control_plane_api/app/policies/rate_limiting.rego +100 -0
control_plane_api/app/policies/tool_enforcement/README.md +336 -0
control_plane_api/app/policies/tool_enforcement/bash_command_validation.rego +71 -0
control_plane_api/app/policies/tool_enforcement/business_hours_enforcement.rego +82 -0
control_plane_api/app/policies/tool_enforcement/mcp_tool_allowlist.rego +58 -0
control_plane_api/app/policies/tool_enforcement/production_safeguards.rego +80 -0
control_plane_api/app/policies/tool_enforcement/role_based_tool_access.rego +44 -0
control_plane_api/app/policies/tool_restrictions.rego +86 -0
control_plane_api/app/routers/__init__.py +4 -0
control_plane_api/app/routers/agents.py +382 -0
control_plane_api/app/routers/agents_v2.py +1598 -0
control_plane_api/app/routers/analytics.py +1310 -0
control_plane_api/app/routers/auth.py +59 -0
control_plane_api/app/routers/client_config.py +57 -0
control_plane_api/app/routers/context_graph.py +561 -0
control_plane_api/app/routers/context_manager.py +577 -0
control_plane_api/app/routers/custom_integrations.py +490 -0
control_plane_api/app/routers/enforcer.py +132 -0
control_plane_api/app/routers/environment_context.py +252 -0
control_plane_api/app/routers/environments.py +761 -0
control_plane_api/app/routers/execution_environment.py +847 -0
control_plane_api/app/routers/executions/__init__.py +28 -0
control_plane_api/app/routers/executions/router.py +286 -0
control_plane_api/app/routers/executions/services/__init__.py +22 -0
control_plane_api/app/routers/executions/services/demo_worker_health.py +156 -0
control_plane_api/app/routers/executions/services/status_service.py +420 -0
control_plane_api/app/routers/executions/services/test_worker_health.py +480 -0
control_plane_api/app/routers/executions/services/worker_health.py +514 -0
control_plane_api/app/routers/executions/streaming/__init__.py +22 -0
control_plane_api/app/routers/executions/streaming/deduplication.py +352 -0
control_plane_api/app/routers/executions/streaming/event_buffer.py +353 -0
control_plane_api/app/routers/executions/streaming/event_formatter.py +964 -0
control_plane_api/app/routers/executions/streaming/history_loader.py +588 -0
control_plane_api/app/routers/executions/streaming/live_source.py +693 -0
control_plane_api/app/routers/executions/streaming/streamer.py +849 -0
control_plane_api/app/routers/executions.py +4888 -0
control_plane_api/app/routers/health.py +165 -0
control_plane_api/app/routers/health_v2.py +394 -0
control_plane_api/app/routers/integration_templates.py +496 -0
control_plane_api/app/routers/integrations.py +287 -0
control_plane_api/app/routers/jobs.py +1809 -0
control_plane_api/app/routers/metrics.py +517 -0
control_plane_api/app/routers/models.py +82 -0
control_plane_api/app/routers/models_v2.py +628 -0
control_plane_api/app/routers/plan_executions.py +1481 -0
control_plane_api/app/routers/plan_generation_async.py +304 -0
control_plane_api/app/routers/policies.py +669 -0
control_plane_api/app/routers/presence.py +234 -0
control_plane_api/app/routers/projects.py +987 -0
control_plane_api/app/routers/runners.py +379 -0
control_plane_api/app/routers/runtimes.py +172 -0
control_plane_api/app/routers/secrets.py +171 -0
control_plane_api/app/routers/skills.py +1010 -0
control_plane_api/app/routers/skills_definitions.py +140 -0
control_plane_api/app/routers/storage.py +456 -0
control_plane_api/app/routers/task_planning.py +611 -0
control_plane_api/app/routers/task_queues.py +650 -0
control_plane_api/app/routers/team_context.py +274 -0
control_plane_api/app/routers/teams.py +1747 -0
control_plane_api/app/routers/templates.py +248 -0
control_plane_api/app/routers/traces.py +571 -0
control_plane_api/app/routers/websocket_client.py +479 -0
control_plane_api/app/routers/websocket_executions_status.py +437 -0
control_plane_api/app/routers/websocket_gateway.py +323 -0
control_plane_api/app/routers/websocket_traces.py +576 -0
control_plane_api/app/routers/worker_queues.py +2555 -0
control_plane_api/app/routers/worker_websocket.py +419 -0
control_plane_api/app/routers/workers.py +1004 -0
control_plane_api/app/routers/workflows.py +204 -0
control_plane_api/app/runtimes/__init__.py +6 -0
control_plane_api/app/runtimes/validation.py +344 -0
control_plane_api/app/schemas/__init__.py +1 -0
control_plane_api/app/schemas/job_schemas.py +302 -0
control_plane_api/app/schemas/mcp_schemas.py +311 -0
control_plane_api/app/schemas/template_schemas.py +133 -0
control_plane_api/app/schemas/trace_schemas.py +168 -0
control_plane_api/app/schemas/worker_queue_observability_schemas.py +165 -0
control_plane_api/app/services/__init__.py +1 -0
control_plane_api/app/services/agno_planning_strategy.py +233 -0
control_plane_api/app/services/agno_service.py +838 -0
control_plane_api/app/services/claude_code_planning_service.py +203 -0
control_plane_api/app/services/context_graph_client.py +224 -0
control_plane_api/app/services/custom_integration_service.py +415 -0
control_plane_api/app/services/integration_resolution_service.py +345 -0
control_plane_api/app/services/litellm_service.py +394 -0
control_plane_api/app/services/plan_generator.py +79 -0
control_plane_api/app/services/planning_strategy.py +66 -0
control_plane_api/app/services/planning_strategy_factory.py +118 -0
control_plane_api/app/services/policy_service.py +615 -0
control_plane_api/app/services/state_transition_service.py +755 -0
control_plane_api/app/services/storage_service.py +593 -0
control_plane_api/app/services/temporal_cloud_provisioning.py +150 -0
control_plane_api/app/services/toolsets/context_graph_skill.py +432 -0
control_plane_api/app/services/trace_retention.py +354 -0
control_plane_api/app/services/worker_queue_metrics_service.py +190 -0
control_plane_api/app/services/workflow_cancellation_manager.py +135 -0
control_plane_api/app/services/workflow_operations_service.py +611 -0
control_plane_api/app/skills/__init__.py +100 -0
control_plane_api/app/skills/base.py +239 -0
control_plane_api/app/skills/builtin/__init__.py +37 -0
control_plane_api/app/skills/builtin/agent_communication/__init__.py +8 -0
control_plane_api/app/skills/builtin/agent_communication/skill.py +246 -0
control_plane_api/app/skills/builtin/code_ingestion/__init__.py +4 -0
control_plane_api/app/skills/builtin/code_ingestion/skill.py +267 -0
control_plane_api/app/skills/builtin/cognitive_memory/__init__.py +4 -0
control_plane_api/app/skills/builtin/cognitive_memory/skill.py +174 -0
control_plane_api/app/skills/builtin/contextual_awareness/__init__.py +4 -0
control_plane_api/app/skills/builtin/contextual_awareness/skill.py +387 -0
control_plane_api/app/skills/builtin/data_visualization/__init__.py +4 -0
control_plane_api/app/skills/builtin/data_visualization/skill.py +154 -0
control_plane_api/app/skills/builtin/docker/__init__.py +4 -0
control_plane_api/app/skills/builtin/docker/skill.py +104 -0
control_plane_api/app/skills/builtin/file_generation/__init__.py +4 -0
control_plane_api/app/skills/builtin/file_generation/skill.py +94 -0
control_plane_api/app/skills/builtin/file_system/__init__.py +4 -0
control_plane_api/app/skills/builtin/file_system/skill.py +110 -0
control_plane_api/app/skills/builtin/knowledge_api/__init__.py +5 -0
control_plane_api/app/skills/builtin/knowledge_api/skill.py +124 -0
control_plane_api/app/skills/builtin/python/__init__.py +4 -0
control_plane_api/app/skills/builtin/python/skill.py +92 -0
control_plane_api/app/skills/builtin/remote_filesystem/__init__.py +5 -0
control_plane_api/app/skills/builtin/remote_filesystem/skill.py +170 -0
control_plane_api/app/skills/builtin/shell/__init__.py +4 -0
control_plane_api/app/skills/builtin/shell/skill.py +161 -0
control_plane_api/app/skills/builtin/slack/__init__.py +3 -0
control_plane_api/app/skills/builtin/slack/skill.py +302 -0
control_plane_api/app/skills/builtin/workflow_executor/__init__.py +4 -0
control_plane_api/app/skills/builtin/workflow_executor/skill.py +469 -0
control_plane_api/app/skills/business_intelligence.py +189 -0
control_plane_api/app/skills/config.py +63 -0
control_plane_api/app/skills/loaders/__init__.py +14 -0
control_plane_api/app/skills/loaders/base.py +73 -0
control_plane_api/app/skills/loaders/filesystem_loader.py +199 -0
control_plane_api/app/skills/registry.py +125 -0
control_plane_api/app/utils/helpers.py +12 -0
control_plane_api/app/utils/workflow_executor.py +354 -0
control_plane_api/app/workflows/__init__.py +11 -0
control_plane_api/app/workflows/agent_execution.py +520 -0
control_plane_api/app/workflows/agent_execution_with_skills.py +223 -0
control_plane_api/app/workflows/namespace_provisioning.py +326 -0
control_plane_api/app/workflows/plan_generation.py +254 -0
control_plane_api/app/workflows/team_execution.py +442 -0
control_plane_api/scripts/seed_models.py +240 -0
control_plane_api/scripts/validate_existing_tool_names.py +492 -0
control_plane_api/shared/__init__.py +8 -0
control_plane_api/shared/version.py +17 -0
control_plane_api/test_deduplication.py +274 -0
control_plane_api/test_executor_deduplication_e2e.py +309 -0
control_plane_api/test_job_execution_e2e.py +283 -0
control_plane_api/test_real_integration.py +193 -0
control_plane_api/version.py +38 -0
control_plane_api/worker/__init__.py +0 -0
control_plane_api/worker/activities/__init__.py +0 -0
control_plane_api/worker/activities/agent_activities.py +1585 -0
control_plane_api/worker/activities/approval_activities.py +234 -0
control_plane_api/worker/activities/job_activities.py +199 -0
control_plane_api/worker/activities/runtime_activities.py +1167 -0
control_plane_api/worker/activities/skill_activities.py +282 -0
control_plane_api/worker/activities/team_activities.py +479 -0
control_plane_api/worker/agent_runtime_server.py +370 -0
control_plane_api/worker/binary_manager.py +333 -0
control_plane_api/worker/config/__init__.py +31 -0
control_plane_api/worker/config/worker_config.py +273 -0
control_plane_api/worker/control_plane_client.py +1491 -0
control_plane_api/worker/examples/analytics_integration_example.py +362 -0
control_plane_api/worker/health_monitor.py +159 -0
control_plane_api/worker/metrics.py +237 -0
control_plane_api/worker/models/__init__.py +1 -0
control_plane_api/worker/models/error_events.py +105 -0
control_plane_api/worker/models/inputs.py +89 -0
control_plane_api/worker/runtimes/__init__.py +35 -0
control_plane_api/worker/runtimes/agent_runtime/runtime.py +485 -0
control_plane_api/worker/runtimes/agno/__init__.py +34 -0
control_plane_api/worker/runtimes/agno/config.py +248 -0
control_plane_api/worker/runtimes/agno/hooks.py +385 -0
control_plane_api/worker/runtimes/agno/mcp_builder.py +195 -0
control_plane_api/worker/runtimes/agno/runtime.py +1063 -0
control_plane_api/worker/runtimes/agno/utils.py +163 -0
control_plane_api/worker/runtimes/base.py +979 -0
control_plane_api/worker/runtimes/claude_code/__init__.py +38 -0
control_plane_api/worker/runtimes/claude_code/cleanup.py +184 -0
control_plane_api/worker/runtimes/claude_code/client_pool.py +529 -0
control_plane_api/worker/runtimes/claude_code/config.py +829 -0
control_plane_api/worker/runtimes/claude_code/hooks.py +482 -0
control_plane_api/worker/runtimes/claude_code/litellm_proxy.py +1702 -0
control_plane_api/worker/runtimes/claude_code/mcp_builder.py +467 -0
control_plane_api/worker/runtimes/claude_code/mcp_discovery.py +558 -0
control_plane_api/worker/runtimes/claude_code/runtime.py +1546 -0
control_plane_api/worker/runtimes/claude_code/tool_mapper.py +403 -0
control_plane_api/worker/runtimes/claude_code/utils.py +149 -0
control_plane_api/worker/runtimes/factory.py +173 -0
control_plane_api/worker/runtimes/model_utils.py +107 -0
control_plane_api/worker/runtimes/validation.py +93 -0
control_plane_api/worker/services/__init__.py +1 -0
control_plane_api/worker/services/agent_communication_tools.py +908 -0
control_plane_api/worker/services/agent_executor.py +485 -0
control_plane_api/worker/services/agent_executor_v2.py +793 -0
control_plane_api/worker/services/analytics_collector.py +457 -0
control_plane_api/worker/services/analytics_service.py +464 -0
control_plane_api/worker/services/approval_tools.py +310 -0
control_plane_api/worker/services/approval_tools_agno.py +207 -0
control_plane_api/worker/services/cancellation_manager.py +177 -0
control_plane_api/worker/services/code_ingestion_tools.py +465 -0
control_plane_api/worker/services/contextual_awareness_tools.py +405 -0
control_plane_api/worker/services/data_visualization.py +834 -0
control_plane_api/worker/services/event_publisher.py +531 -0
control_plane_api/worker/services/jira_tools.py +257 -0
control_plane_api/worker/services/remote_filesystem_tools.py +498 -0
control_plane_api/worker/services/runtime_analytics.py +328 -0
control_plane_api/worker/services/session_service.py +365 -0
control_plane_api/worker/services/skill_context_enhancement.py +181 -0
control_plane_api/worker/services/skill_factory.py +471 -0
control_plane_api/worker/services/system_prompt_enhancement.py +410 -0
control_plane_api/worker/services/team_executor.py +715 -0
control_plane_api/worker/services/team_executor_v2.py +1866 -0
control_plane_api/worker/services/tool_enforcement.py +254 -0
control_plane_api/worker/services/workflow_executor/__init__.py +52 -0
control_plane_api/worker/services/workflow_executor/event_processor.py +287 -0
control_plane_api/worker/services/workflow_executor/event_publisher.py +210 -0
control_plane_api/worker/services/workflow_executor/executors/__init__.py +15 -0
control_plane_api/worker/services/workflow_executor/executors/base.py +270 -0
control_plane_api/worker/services/workflow_executor/executors/json_executor.py +50 -0
control_plane_api/worker/services/workflow_executor/executors/python_executor.py +50 -0
control_plane_api/worker/services/workflow_executor/models.py +142 -0
control_plane_api/worker/services/workflow_executor_tools.py +1748 -0
control_plane_api/worker/skills/__init__.py +12 -0
control_plane_api/worker/skills/builtin/context_graph_search/README.md +213 -0
control_plane_api/worker/skills/builtin/context_graph_search/__init__.py +5 -0
control_plane_api/worker/skills/builtin/context_graph_search/agno_impl.py +808 -0
control_plane_api/worker/skills/builtin/context_graph_search/skill.yaml +67 -0
control_plane_api/worker/skills/builtin/contextual_awareness/__init__.py +4 -0
control_plane_api/worker/skills/builtin/contextual_awareness/agno_impl.py +62 -0
control_plane_api/worker/skills/builtin/data_visualization/agno_impl.py +18 -0
control_plane_api/worker/skills/builtin/data_visualization/skill.yaml +84 -0
control_plane_api/worker/skills/builtin/docker/agno_impl.py +65 -0
control_plane_api/worker/skills/builtin/docker/skill.yaml +60 -0
control_plane_api/worker/skills/builtin/file_generation/agno_impl.py +47 -0
control_plane_api/worker/skills/builtin/file_generation/skill.yaml +64 -0
control_plane_api/worker/skills/builtin/file_system/agno_impl.py +32 -0
control_plane_api/worker/skills/builtin/file_system/skill.yaml +54 -0
control_plane_api/worker/skills/builtin/knowledge_api/__init__.py +4 -0
control_plane_api/worker/skills/builtin/knowledge_api/agno_impl.py +50 -0
control_plane_api/worker/skills/builtin/knowledge_api/skill.yaml +66 -0
control_plane_api/worker/skills/builtin/python/agno_impl.py +25 -0
control_plane_api/worker/skills/builtin/python/skill.yaml +60 -0
control_plane_api/worker/skills/builtin/schema_fix_mixin.py +260 -0
control_plane_api/worker/skills/builtin/shell/agno_impl.py +31 -0
control_plane_api/worker/skills/builtin/shell/skill.yaml +60 -0
control_plane_api/worker/skills/builtin/slack/__init__.py +3 -0
control_plane_api/worker/skills/builtin/slack/agno_impl.py +1282 -0
control_plane_api/worker/skills/builtin/slack/skill.yaml +276 -0
control_plane_api/worker/skills/builtin/workflow_executor/agno_impl.py +62 -0
control_plane_api/worker/skills/builtin/workflow_executor/skill.yaml +79 -0
control_plane_api/worker/skills/loaders/__init__.py +5 -0
control_plane_api/worker/skills/loaders/base.py +23 -0
control_plane_api/worker/skills/loaders/filesystem_loader.py +357 -0
control_plane_api/worker/skills/registry.py +208 -0
control_plane_api/worker/tests/__init__.py +1 -0
control_plane_api/worker/tests/conftest.py +12 -0
control_plane_api/worker/tests/e2e/__init__.py +0 -0
control_plane_api/worker/tests/e2e/test_context_graph_real_api.py +338 -0
control_plane_api/worker/tests/e2e/test_context_graph_templates_e2e.py +523 -0
control_plane_api/worker/tests/e2e/test_enforcement_e2e.py +344 -0
control_plane_api/worker/tests/e2e/test_execution_flow.py +571 -0
control_plane_api/worker/tests/e2e/test_single_execution_mode.py +656 -0
control_plane_api/worker/tests/integration/__init__.py +0 -0
control_plane_api/worker/tests/integration/test_builtin_skills_fixes.py +245 -0
control_plane_api/worker/tests/integration/test_context_graph_search_integration.py +365 -0
control_plane_api/worker/tests/integration/test_control_plane_integration.py +308 -0
control_plane_api/worker/tests/integration/test_hook_enforcement_integration.py +579 -0
control_plane_api/worker/tests/integration/test_scheduled_job_workflow.py +237 -0
control_plane_api/worker/tests/integration/test_system_prompt_enhancement_integration.py +343 -0
control_plane_api/worker/tests/unit/__init__.py +0 -0
control_plane_api/worker/tests/unit/test_builtin_skill_autoload.py +396 -0
control_plane_api/worker/tests/unit/test_context_graph_search.py +450 -0
control_plane_api/worker/tests/unit/test_context_graph_templates.py +403 -0
control_plane_api/worker/tests/unit/test_control_plane_client.py +401 -0
control_plane_api/worker/tests/unit/test_control_plane_client_jobs.py +345 -0
control_plane_api/worker/tests/unit/test_job_activities.py +353 -0
control_plane_api/worker/tests/unit/test_skill_context_enhancement.py +321 -0
control_plane_api/worker/tests/unit/test_system_prompt_enhancement.py +415 -0
control_plane_api/worker/tests/unit/test_tool_enforcement.py +324 -0
control_plane_api/worker/utils/__init__.py +1 -0
control_plane_api/worker/utils/chunk_batcher.py +330 -0
control_plane_api/worker/utils/environment.py +65 -0
control_plane_api/worker/utils/error_publisher.py +260 -0
control_plane_api/worker/utils/event_batcher.py +256 -0
control_plane_api/worker/utils/logging_config.py +335 -0
control_plane_api/worker/utils/logging_helper.py +326 -0
control_plane_api/worker/utils/parameter_validator.py +120 -0
control_plane_api/worker/utils/retry_utils.py +60 -0
control_plane_api/worker/utils/streaming_utils.py +665 -0
control_plane_api/worker/utils/tool_validation.py +332 -0
control_plane_api/worker/utils/workspace_manager.py +163 -0
control_plane_api/worker/websocket_client.py +393 -0
control_plane_api/worker/worker.py +1297 -0
control_plane_api/worker/workflows/__init__.py +0 -0
control_plane_api/worker/workflows/agent_execution.py +909 -0
control_plane_api/worker/workflows/scheduled_job_wrapper.py +332 -0
control_plane_api/worker/workflows/team_execution.py +611 -0
kubiya_control_plane_api-0.9.15.dist-info/METADATA +354 -0
kubiya_control_plane_api-0.9.15.dist-info/RECORD +479 -0
kubiya_control_plane_api-0.9.15.dist-info/WHEEL +5 -0
kubiya_control_plane_api-0.9.15.dist-info/entry_points.txt +5 -0
kubiya_control_plane_api-0.9.15.dist-info/licenses/LICENSE +676 -0
kubiya_control_plane_api-0.9.15.dist-info/top_level.txt +3 -0
scripts/__init__.py +1 -0
scripts/migrations.py +39 -0
scripts/seed_worker_queues.py +128 -0
scripts/setup_agent_runtime.py +142 -0
worker_internal/__init__.py +1 -0
worker_internal/planner/__init__.py +1 -0
worker_internal/planner/activities.py +1499 -0
worker_internal/planner/agent_tools.py +197 -0
worker_internal/planner/event_models.py +148 -0
worker_internal/planner/event_publisher.py +67 -0
worker_internal/planner/models.py +199 -0
worker_internal/planner/retry_logic.py +134 -0
worker_internal/planner/worker.py +300 -0
worker_internal/planner/workflows.py +970 -0

control_plane_api/worker/runtimes/claude_code/config.py ADDED Viewed

@@ -0,0 +1,829 @@
+"""
+Configuration builder for Claude Code runtime.
+This module handles the construction of ClaudeAgentOptions from execution
+context, including LiteLLM integration, MCP servers, and session management.
+BUG FIX #4: Added session_id validation before use.
+"""
+from typing import Dict, Any, Tuple, Optional, Callable, Set, List
+import structlog
+import os
+import asyncio
+import hashlib
+import json
+import time
+from .tool_mapper import map_skills_to_tools, validate_tool_names
+from .mcp_builder import build_mcp_servers
+from .hooks import build_hooks
+from .mcp_discovery import discover_all_mcp_resources
+from control_plane_api.worker.services.system_prompt_enhancement import create_default_prompt_builder
+from .litellm_proxy import (
+    get_proxy_base_url,
+    set_execution_context,
+    clear_execution_context,
+)
+from control_plane_api.worker.runtimes.model_utils import get_effective_model, is_model_override_active
+logger = structlog.get_logger(__name__)
+# Module-level singleton for system prompt enhancement
+# NOTE: This is now created per-execution to support dynamic skill context
+# _prompt_builder = create_default_prompt_builder()
+# Note: Claude SDK handles MCP discovery automatically - we verify connection and log errors
+# MCP Discovery Cache - Reduces process spawning by 50%
+# Key: hash of MCP server configuration, Value: discovery results
+_mcp_discovery_cache: Dict[str, Dict[str, Any]] = {}
+# Options Cache - Reduces options rebuild overhead by ~80%
+# Key: hash of execution configuration, Value: (options, timestamp)
+# This cache stores built ClaudeAgentOptions to avoid rebuilding when config unchanged
+_options_cache: Dict[str, Tuple[Any, float]] = {}
+_options_cache_ttl = int(os.getenv("CLAUDE_CODE_OPTIONS_CACHE_TTL", "3600"))  # 1 hour default
+def _get_mcp_cache_key(mcp_servers: Dict[str, Any]) -> str:
+    """
+    Generate cache key for MCP server configuration.
+    Uses hash of server configs to detect when discovery needs to be re-run.
+    Only command/args/env matter for STDIO servers, URL for HTTP servers.
+    """
+    # Sort keys for consistent hashing
+    cache_input = {}
+    for server_name, server_config in sorted(mcp_servers.items()):
+        # Extract relevant fields for cache key
+        transport = server_config.get("transport", {})
+        transport_type = transport.get("type", "stdio")
+        if transport_type == "stdio":
+            # For stdio: command + args determine the process
+            cache_input[server_name] = {
+                "type": "stdio",
+                "command": transport.get("command", ""),
+                "args": transport.get("args", []),
+                "env": transport.get("env", {}),
+            }
+        elif transport_type in ["http", "sse"]:
+            # For HTTP/SSE: URL is what matters
+            cache_input[server_name] = {
+                "type": transport_type,
+                "url": transport.get("url", ""),
+            }
+    # Hash the configuration
+    config_json = json.dumps(cache_input, sort_keys=True)
+    return hashlib.sha256(config_json.encode()).hexdigest()[:16]  # Short hash
+def _get_options_cache_key(context: Any) -> str:
+    """
+    Generate cache key from execution context configuration.
+    This hash includes all configuration that affects options building:
+    - Model ID and system prompt
+    - Agent ID (affects permissions and config)
+    - Skills (determines tools and MCP servers)
+    - MCP servers configuration
+    Args:
+        context: RuntimeExecutionContext
+    Returns:
+        Cache key string (16-char hash)
+    """
+    # Extract skills as sorted list of names/types for consistent hashing
+    skill_identifiers = []
+    if hasattr(context, 'skills') and context.skills:
+        for skill in context.skills:
+            if isinstance(skill, dict):
+                skill_identifiers.append({
+                    "name": skill.get("name", ""),
+                    "type": skill.get("type", ""),
+                })
+            else:
+                # Toolkit object - use class name
+                skill_identifiers.append({"type": type(skill).__name__})
+    # Build cache input (only config that affects options)
+    cache_input = {
+        "model_id": context.model_id or "",
+        "system_prompt_length": len(context.system_prompt or ""),  # Use length to avoid huge strings
+        "agent_id": context.agent_id,
+        "skill_identifiers": sorted(skill_identifiers, key=lambda x: (x.get("type", ""), x.get("name", ""))),
+        "mcp_server_names": sorted((context.mcp_servers or {}).keys()) if hasattr(context, 'mcp_servers') else [],
+        # Don't include execution_id or session_id - those vary per execution but don't affect config
+    }
+    config_json = json.dumps(cache_input, sort_keys=True)
+    return hashlib.sha256(config_json.encode()).hexdigest()[:16]  # Short hash
+def build_mcp_permission_handler(
+    mcp_servers: Dict[str, Any], allowed_tools: List[str]
+) -> Callable:
+    """
+    Build permission handler for MCP tools.
+    IMPORTANT: The SDK discovers MCP tools automatically, but does NOT
+    automatically grant permission to use them. We need to handle permissions
+    separately using the canUseTool callback.
+    This handler:
+    1. Allows tools in the allowed_tools list (builtin tools)
+    2. Auto-allows tools matching mcp__<server_name>__* for configured servers
+    3. Denies everything else
+    Args:
+        mcp_servers: Dict of MCP server configurations
+        allowed_tools: List of allowed builtin tool names
+    Returns:
+        Async permission handler for canUseTool parameter
+    """
+    # Extract MCP server names for permission matching
+    mcp_server_names: Set[str] = set(mcp_servers.keys())
+    logger.info(
+        "building_mcp_permission_handler",
+        mcp_server_count=len(mcp_server_names),
+        mcp_server_names=list(mcp_server_names),
+        builtin_tools_count=len(allowed_tools),
+        note="SDK discovers tools, but we handle permissions via canUseTool"
+    )
+    async def permission_handler(
+        tool_name: str, input_data: dict, context: dict
+    ) -> Dict[str, Any]:
+        """
+        Permission handler that allows:
+        1. Builtin tools from allowed_tools list
+        2. MCP tools matching mcp__<server_name>__* pattern
+        Args:
+            tool_name: Tool being invoked
+            input_data: Tool input parameters
+            context: Execution context
+        Returns:
+            Permission decision: {"behavior": "allow"|"deny", "updatedInput": input_data}
+        """
+        # ALWAYS log permission checks for debugging
+        logger.info(
+            "permission_handler_called",
+            tool_name=tool_name,
+            is_builtin=tool_name in allowed_tools,
+            is_mcp=tool_name.startswith("mcp__"),
+            configured_servers=list(mcp_server_names),
+        )
+        # Allow builtin tools
+        if tool_name in allowed_tools:
+            logger.info("permission_granted_builtin", tool_name=tool_name)
+            return {"behavior": "allow", "updatedInput": input_data}
+        # Allow MCP tools from configured servers
+        # Pattern: mcp__<server_name>__<tool_name>
+        if tool_name.startswith("mcp__"):
+            parts = tool_name.split("__", 2)
+            if len(parts) >= 2:
+                server_name = parts[1]
+                logger.info(
+                    "checking_mcp_permission",
+                    tool_name=tool_name,
+                    extracted_server=server_name,
+                    configured_servers=list(mcp_server_names),
+                    matches=server_name in mcp_server_names,
+                )
+                if server_name in mcp_server_names:
+                    logger.info(
+                        "permission_granted_mcp",
+                        tool_name=tool_name,
+                        server_name=server_name,
+                    )
+                    return {"behavior": "allow", "updatedInput": input_data}
+        # Deny unrecognized tools
+        logger.warning(
+            "tool_permission_denied",
+            tool_name=tool_name,
+            reason="not_in_allowed_tools_or_mcp_servers",
+            available_mcp_servers=list(mcp_server_names),
+            available_builtin_count=len(allowed_tools),
+        )
+        return {
+            "behavior": "deny",
+            "updatedInput": input_data,
+            "message": f"Tool '{tool_name}' not permitted. Not in allowed tools or MCP servers."
+        }
+    return permission_handler
+def validate_session_id(session_id: Optional[str]) -> Optional[str]:
+    """
+    Validate session_id format before use.
+    BUG FIX #4: Ensures session_id is valid before storing for multi-turn.
+    Args:
+        session_id: Session ID to validate
+    Returns:
+        Valid session_id or None if invalid
+    """
+    if not session_id:
+        return None
+    if not isinstance(session_id, str) or len(session_id) < 10:
+        logger.warning(
+            "invalid_session_id_format",
+            session_id=session_id if isinstance(session_id, str) else None,
+            type=type(session_id).__name__,
+            length=len(session_id) if isinstance(session_id, str) else 0,
+        )
+        return None
+    return session_id
+async def build_claude_options(
+    context: Any,  # RuntimeExecutionContext
+    event_callback: Optional[Callable] = None,
+    runtime: Optional[Any] = None,  # ClaudeCodeRuntime instance for caching
+) -> Tuple[Any, Dict[str, str], Set[str], Set[str]]:
+    """
+    Build ClaudeAgentOptions from execution context.
+    Args:
+        context: RuntimeExecutionContext with prompt, history, config
+        event_callback: Optional event callback for hooks
+        runtime: Optional ClaudeCodeRuntime instance for MCP discovery caching
+    Returns:
+        Tuple of (ClaudeAgentOptions instance, active_tools dict, started_tools set, completed_tools set)
+    """
+    from claude_agent_sdk import ClaudeAgentOptions
+    # Extract configuration
+    agent_config = context.agent_config or {}
+    runtime_config = context.runtime_config or {}
+    # Get LiteLLM configuration (same as DefaultRuntime/Agno)
+    litellm_api_base = os.getenv("LITELLM_API_BASE", "https://llm-proxy.kubiya.ai")
+    litellm_api_key = os.getenv("LITELLM_API_KEY")
+    if not litellm_api_key:
+        raise ValueError("LITELLM_API_KEY environment variable not set")
+    # Determine model (use LiteLLM format) with override support
+    # Priority: KUBIYA_MODEL_OVERRIDE > context.model_id > LITELLM_DEFAULT_MODEL > default
+    model = get_effective_model(
+        context_model_id=context.model_id,
+        log_context={"execution_id": context.execution_id[:8] if context.execution_id else "unknown"},
+    )
+    # Map skills to Claude Code tool names (built-in tools only)
+    allowed_tools = map_skills_to_tools(context.skills)
+    # Build MCP servers (both from context and custom skills)
+    # SDK will discover tools automatically - we just provide configs
+    mcp_servers, _ = build_mcp_servers(
+        context.skills, context.mcp_servers
+    )
+    # Verify MCP server connections and discover tools (with caching)
+    # This helps us detect configuration errors early
+    # Cache reduces process spawning by 50% by reusing discovery results
+    mcp_discovery_results = {}
+    if mcp_servers:
+        try:
+            # Check cache first
+            cache_key = _get_mcp_cache_key(mcp_servers)
+            if cache_key in _mcp_discovery_cache:
+                mcp_discovery_results = _mcp_discovery_cache[cache_key]
+                logger.info(
+                    "using_cached_mcp_discovery",
+                    server_count=len(mcp_servers),
+                    server_names=list(mcp_servers.keys()),
+                    cache_key=cache_key,
+                    note="✅ Using cached MCP discovery results (no processes spawned)"
+                )
+            else:
+                logger.info(
+                    "verifying_mcp_server_connections",
+                    server_count=len(mcp_servers),
+                    server_names=list(mcp_servers.keys()),
+                    cache_key=cache_key,
+                    note="Attempting to connect and discover tools from all MCP servers"
+                )
+                mcp_discovery_results = await discover_all_mcp_resources(mcp_servers)
+                # Cache the results for future executions
+                _mcp_discovery_cache[cache_key] = mcp_discovery_results
+                logger.info(
+                    "cached_mcp_discovery_results",
+                    cache_key=cache_key,
+                    note="Discovery results cached for future executions"
+                )
+            # Log results for each server
+            failed_servers = []
+            successful_servers = []
+            skipped_servers = []
+            for server_name, result in mcp_discovery_results.items():
+                # Check if server was skipped (HTTP servers use native SDK discovery)
+                if result.get("skipped"):
+                    skipped_servers.append(server_name)
+                    logger.info(
+                        "mcp_server_skipped_native_discovery",
+                        server_name=server_name,
+                        status="⚡ HTTP - Using SDK native discovery",
+                        note="Pre-discovery skipped for HTTP servers (SDK handles them natively)"
+                    )
+                elif result["connected"]:
+                    tool_count = len(result["tools"])
+                    successful_servers.append(server_name)
+                    if tool_count == 0:
+                        logger.warning(
+                            "mcp_server_connected_but_no_tools",
+                            server_name=server_name,
+                            message=f"MCP server '{server_name}' connected successfully but discovered 0 tools",
+                            recommendation="Check server implementation - it may not be exposing any tools"
+                        )
+                    else:
+                        logger.info(
+                            "mcp_server_verified",
+                            server_name=server_name,
+                            tool_count=tool_count,
+                            tool_names=result["tools"][:5] if tool_count <= 5 else [t["name"] for t in result["tools"][:5]] + [f"... and {tool_count - 5} more"],
+                            status="✅ Connected and discovered tools"
+                        )
+                else:
+                    failed_servers.append(server_name)
+                    logger.error(
+                        "mcp_server_connection_failed",
+                        server_name=server_name,
+                        error=result.get("error", "Unknown error"),
+                        status="❌ Failed to connect",
+                        recommendation="Check server command, args, and environment variables in agent configuration"
+                    )
+            # Summary log
+            if failed_servers:
+                logger.error(
+                    "mcp_verification_summary",
+                    total_servers=len(mcp_servers),
+                    http_skipped=len(skipped_servers),
+                    successful=len(successful_servers),
+                    failed=len(failed_servers),
+                    failed_server_names=failed_servers,
+                    message=f"⚠️  {len(failed_servers)} MCP server(s) failed to connect - agent may not have access to expected tools"
+                )
+            else:
+                logger.info(
+                    "mcp_verification_summary",
+                    total_servers=len(mcp_servers),
+                    http_skipped=len(skipped_servers),
+                    successful=len(successful_servers),
+                    total_tools_discovered=sum(len(r["tools"]) for r in mcp_discovery_results.values() if not r.get("skipped")),
+                    message=f"✅ All MCP servers ready: {len(skipped_servers)} HTTP (native SDK) + {len(successful_servers)} pre-discovered"
+                )
+        except Exception as discovery_error:
+            logger.error(
+                "mcp_discovery_process_failed",
+                error=str(discovery_error),
+                error_type=type(discovery_error).__name__,
+                message="Failed to verify MCP server connections - will proceed but tools may not be available",
+                exc_info=True
+            )
+    # BUG FIX #6: Validate built-in tool names before using
+    allowed_tools, invalid_tools = validate_tool_names(allowed_tools)
+    # Build permission handler for MCP tools
+    # IMPORTANT: SDK discovers tools, but we must permit them via canUseTool
+    permission_handler = None
+    if mcp_servers:
+        permission_handler = build_mcp_permission_handler(mcp_servers, allowed_tools)
+        logger.info(
+            "mcp_permission_handler_configured",
+            mcp_servers=list(mcp_servers.keys()),
+            note="Will auto-allow tools matching mcp__<server_name>__* pattern"
+        )
+    logger.info(
+        "claude_code_tools_configured",
+        builtin_tools_count=len(allowed_tools),
+        mcp_servers_count=len(mcp_servers),
+        mcp_server_names=list(mcp_servers.keys()) if mcp_servers else [],
+        builtin_tools=allowed_tools[:20],  # Limit for readability
+        has_permission_handler=permission_handler is not None,
+        note="SDK discovers MCP tools automatically, we handle permissions via canUseTool"
+    )
+    # Create shared active_tools dict for tool name tracking
+    # This is populated in the stream when ToolUseBlock is received,
+    # and used in hooks to look up tool names
+    active_tools: Dict[str, str] = {}
+    # Create shared started_tools set for tracking published start events
+    # This prevents duplicate tool_start events from hooks
+    from typing import Set
+    started_tools: Set[str] = set()
+    # Create shared completed_tools set for tracking published completion events
+    # This prevents duplicate tool_complete events from hooks and ToolResultBlock
+    completed_tools: Set[str] = set()
+    # Initialize enforcement service for policy checks
+    enforcement_context = {
+        "organization_id": context.organization_id,
+        "user_email": context.user_email,
+        "user_id": context.user_id,
+        "user_roles": context.user_roles or [],
+        "team_id": context.team_id,
+        "team_name": context.team_name,
+        "agent_id": context.agent_id,
+        "environment": context.environment,
+        "model_id": context.model_id,
+    }
+    # Import enforcement dependencies
+    from control_plane_api.app.lib.policy_enforcer_client import create_policy_enforcer_client
+    from control_plane_api.worker.services.tool_enforcement import ToolEnforcementService
+    # Get enforcer client (using the same token as the control plane)
+    enforcer_client = None
+    enforcement_service = None
+    # Check if enforcement is enabled (opt-in via environment variable)
+    enforcement_enabled = os.environ.get("KUBIYA_ENFORCE_ENABLED", "").lower() in ("true", "1", "yes")
+    if not enforcement_enabled:
+        logger.info(
+            "policy_enforcement_disabled",
+            reason="KUBIYA_ENFORCE_ENABLED not set",
+            execution_id=context.execution_id[:8],
+            note="Set KUBIYA_ENFORCE_ENABLED=true to enable policy enforcement"
+        )
+    else:
+        try:
+            # Get API key from runtime (if available)
+            api_key = runtime.control_plane.api_key if runtime and hasattr(runtime, 'control_plane') else None
+            if api_key:
+                # Get enforcer URL - default to control plane enforcer proxy
+                enforcer_url = os.environ.get("ENFORCER_SERVICE_URL")
+                if not enforcer_url:
+                    # Use control plane's enforcer proxy as default
+                    control_plane_url = os.environ.get("CONTROL_PLANE_URL", "http://localhost:8000")
+                    enforcer_url = f"{control_plane_url.rstrip('/')}/api/v1/enforcer"
+                    logger.debug(
+                        "using_control_plane_enforcer_proxy",
+                        enforcer_url=enforcer_url,
+                        execution_id=context.execution_id[:8],
+                    )
+                # Use async context manager properly (we're in an async function)
+                enforcer_client_context = create_policy_enforcer_client(
+                    enforcer_url=enforcer_url,
+                    api_key=api_key,
+                    auth_type="UserKey"
+                )
+                enforcer_client = await enforcer_client_context.__aenter__()
+                if enforcer_client:
+                    enforcement_service = ToolEnforcementService(enforcer_client)
+                    logger.info(
+                        "policy_enforcement_enabled",
+                        enforcer_url=enforcer_url,
+                        execution_id=context.execution_id[:8],
+                    )
+            else:
+                logger.debug(
+                    "enforcement_service_skipped",
+                    reason="no_api_key_available",
+                    execution_id=context.execution_id[:8],
+                )
+        except Exception as e:
+            logger.warning(
+                "enforcement_service_init_failed",
+                error=str(e),
+                execution_id=context.execution_id[:8],
+            )
+    # Build hooks for tool execution monitoring with enforcement
+    hooks = (
+        build_hooks(
+            context.execution_id,
+            event_callback,
+            active_tools,
+            completed_tools,
+            started_tools,
+            enforcement_context=enforcement_context,
+            enforcement_service=enforcement_service,
+        )
+        if event_callback
+        else {}
+    )
+    # Build environment with LiteLLM configuration
+    env = runtime_config.get("env", {}).copy()
+    # Check if model override is active - if so, we'll bypass the internal proxy
+    model_override_active = is_model_override_active()
+    model_override_value = os.environ.get("KUBIYA_MODEL_OVERRIDE") if model_override_active else None
+    if model_override_active:
+        logger.info(
+            "model_override_detected_bypassing_internal_proxy",
+            model_override=model_override_value,
+            note="Internal LiteLLM proxy will be bypassed, using direct API configuration"
+        )
+    # Extract and validate secrets from skill configurations
+    # Skills may reference secrets (e.g., Slack skill with secret_name or secrets parameters)
+    # These secrets should be resolved and injected as environment variables by the execution environment controller
+    if context.skill_configs:
+        for skill_config in context.skill_configs:
+            config = skill_config.get("configuration", {})
+            skill_name = skill_config.get("name", "unknown")
+            # Check for secrets (list) or secret_name (single, deprecated)
+            secrets_list = []
+            if "secrets" in config:
+                secrets = config["secrets"]
+                if isinstance(secrets, list):
+                    secrets_list = secrets
+                elif isinstance(secrets, str):
+                    secrets_list = [s.strip() for s in secrets.split(",") if s.strip()]
+            elif "secret_name" in config and config["secret_name"]:
+                secrets_list = [config["secret_name"]]
+            # Validate that configured secrets are available in environment
+            for secret_name in secrets_list:
+                if secret_name not in env:
+                    logger.warning(
+                        "skill_secret_not_resolved",
+                        skill_name=skill_name,
+                        secret_name=secret_name,
+                        note=f"Secret '{secret_name}' configured in skill '{skill_name}' but not found in execution environment. "
+                             f"Ensure the secret is added to the execution environment's secrets list."
+                    )
+    # LOG WHAT ENV VARS WE RECEIVED FROM RUNTIME CONFIG
+    print(f"\n🔍 CLAUDE CODE CONFIG - ENV VARS RECEIVED:")
+    print(f"   Received from runtime_config: {len(env)} variables")
+    print(f"   Keys: {list(env.keys())}")
+    for key, value in env.items():
+        if any(s in key.upper() for s in ["TOKEN", "KEY", "SECRET", "PASSWORD"]):
+            masked = f"{value[:10]}...{value[-5:]}" if len(value) > 15 else "***"
+            print(f"   {key}: {masked} (length: {len(value)})")
+        else:
+            print(f"   {key}: {value}")
+    print()
+    # ALWAYS use internal proxy - it handles:
+    # 1. Model override (rewrites ALL model names including subagents)
+    # 2. Langfuse metadata injection
+    # 3. Request forwarding to real LiteLLM
+    try:
+        local_proxy_url = get_proxy_base_url()
+        logger.info(
+            "local_litellm_proxy_started",
+            proxy_url=local_proxy_url,
+            real_litellm_url=litellm_api_base,
+            execution_id=context.execution_id[:8],
+            model_override_active=model_override_active,
+            model_override=model_override_value if model_override_active else None,
+            note="Internal proxy handles model override for ALL requests including subagents"
+        )
+    except Exception as proxy_error:
+        logger.error(
+            "failed_to_start_local_proxy",
+            error=str(proxy_error),
+            execution_id=context.execution_id,
+            fallback="Using direct LiteLLM connection (no metadata injection or model override)",
+        )
+        # Fallback to direct connection if proxy fails
+        local_proxy_url = litellm_api_base
+    # Configure Claude Code SDK to use LOCAL proxy (which forwards to real LiteLLM)
+    env["ANTHROPIC_BASE_URL"] = local_proxy_url
+    env["ANTHROPIC_API_KEY"] = litellm_api_key
+    # Store execution context for metadata injection
+    execution_context = {}
+    if context.user_metadata:
+        user_id = context.user_metadata.get("user_email") or context.user_metadata.get("user_id")
+        session_id = context.user_metadata.get("session_id") or context.execution_id
+        execution_context = {
+            "user_id": user_id,
+            "session_id": session_id,
+            "organization_id": context.organization_id,
+            "agent_id": context.agent_id,
+            "agent_name": context.user_metadata.get("agent_name") or context.agent_id,
+            "model_id": model,
+            # Pass trace_name and generation_name from user_metadata to preserve plan grouping
+            "trace_name": context.user_metadata.get("trace_name"),
+            "generation_name": context.user_metadata.get("generation_name"),
+        }
+        # Store context for proxy to use
+        set_execution_context(context.execution_id, execution_context)
+        logger.info(
+            "execution_context_stored_for_proxy",
+            execution_id=context.execution_id[:8],
+            has_user_id=bool(user_id),
+            has_session_id=bool(session_id),
+            metadata_keys=list(execution_context.keys()),
+        )
+    # Pass Kubiya API credentials for workflow execution
+    kubiya_api_key = os.environ.get("KUBIYA_API_KEY")
+    if kubiya_api_key:
+        env["KUBIYA_API_KEY"] = kubiya_api_key
+        logger.debug("added_kubiya_api_key_to_environment")
+    kubiya_api_base = os.environ.get("KUBIYA_API_BASE")
+    if kubiya_api_base:
+        env["KUBIYA_API_BASE"] = kubiya_api_base
+        logger.debug(
+            "added_kubiya_api_base_to_environment", kubiya_api_base=kubiya_api_base
+        )
+    # Get session_id from previous turn for conversation continuity
+    # BUG FIX #4: Validate session_id format before use
+    previous_session_id = None
+    if context.user_metadata:
+        raw_session_id = context.user_metadata.get("claude_code_session_id")
+        previous_session_id = validate_session_id(raw_session_id)
+        if raw_session_id and not previous_session_id:
+            logger.warning(
+                "invalid_session_id_from_user_metadata",
+                raw_session_id=raw_session_id,
+            )
+    logger.info(
+        "building_claude_code_options",
+        has_user_metadata=bool(context.user_metadata),
+        has_session_id_in_metadata=bool(previous_session_id),
+        previous_session_id_prefix=(
+            previous_session_id[:16] if previous_session_id else None
+        ),
+        will_resume=bool(previous_session_id),
+    )
+    # NEW: Support native subagents for team execution
+    sdk_agents = None
+    agents_config = agent_config.get('runtime_config', {}).get('agents')
+    if agents_config:
+        from claude_agent_sdk import AgentDefinition
+        sdk_agents = {}
+        for agent_id, agent_data in agents_config.items():
+            sdk_agents[agent_id] = AgentDefinition(
+                description=agent_data.get('description', ''),
+                prompt=agent_data.get('prompt', ''),
+                tools=agent_data.get('tools'),
+                model=agent_data.get('model', 'inherit'),
+            )
+        logger.info(
+            "native_subagents_configured",
+            execution_id=context.execution_id[:8] if context.execution_id else "unknown",
+            subagent_count=len(sdk_agents),
+            subagent_ids=list(sdk_agents.keys()),
+            subagent_models=[agent_data.get('model', 'inherit') for agent_data in agents_config.values()],
+        )
+    # Log detailed MCP server configuration for debugging
+    if mcp_servers:
+        logger.info(
+            "mcp_servers_being_passed_to_sdk",
+            server_count=len(mcp_servers),
+            server_names=list(mcp_servers.keys()),
+            server_configs={
+                name: {
+                    "type": cfg.get("type", "stdio"),
+                    "url": cfg.get("url", "N/A")[:50] if cfg.get("url") else "N/A",
+                    "command": cfg.get("command", "N/A"),
+                    "args": cfg.get("args", []),  # Show args for debugging
+                    "has_env": bool(cfg.get("env"))
+                }
+                for name, cfg in mcp_servers.items()
+            },
+            note="SDK should discover tools from these servers"
+        )
+    # Build options - SDK discovers tools, we handle permissions
+    # Enhance system prompt with runtime-specific additions
+    # Create per-execution prompt builder to support dynamic skill context and user context
+    from control_plane_api.worker.services.skill_context_enhancement import (
+        SkillContextEnhancement,
+    )
+    # Create prompt builder with user context
+    prompt_builder = create_default_prompt_builder(
+        user_metadata=context.user_metadata,
+    )
+    # Add skill context enhancement if enabled and skills are configured
+    skill_context_enabled = os.getenv("ENABLE_SKILL_CONTEXT_ENHANCEMENT", "true").lower() == "true"
+    if skill_context_enabled and context.skill_configs:
+        skill_context_enhancement = SkillContextEnhancement(context.skill_configs)
+        prompt_builder.add_enhancement(skill_context_enhancement)
+        logger.info(
+            "skill_context_enhancement_enabled",
+            skill_count=len(context.skill_configs),
+            execution_id=context.execution_id[:8] if context.execution_id else "unknown",
+        )
+    enhanced_system_prompt = prompt_builder.build(
+        base_prompt=context.system_prompt,
+        runtime_type="claude_code",
+    )
+    # LOG FINAL ENV VARS BEING PASSED TO CLAUDE SDK
+    print(f"\n🔍 CLAUDE SDK OPTIONS - FINAL ENV VARS:")
+    print(f"   Total env vars for SDK: {len(env)} variables")
+    print(f"   Keys: {list(env.keys())}")
+    for key, value in env.items():
+        if any(s in key.upper() for s in ["TOKEN", "KEY", "SECRET", "PASSWORD"]):
+            masked = f"{value[:10]}...{value[-5:]}" if len(value) > 15 else "***"
+            print(f"   {key}: {masked} (length: {len(value)})")
+        else:
+            print(f"   {key}: {value}")
+    print()
+    # Determine working directory: user override > workspace > None (SDK default)
+    cwd_value = agent_config.get("cwd") or runtime_config.get("cwd")
+    if not cwd_value and context.workspace_directory:
+        cwd_value = context.workspace_directory
+        logger.info(
+            "claude_code_using_execution_workspace",
+            execution_id=context.execution_id[:8] if len(context.execution_id) >= 8 else context.execution_id,
+            workspace=cwd_value,
+        )
+    options_dict = {
+        "system_prompt": enhanced_system_prompt,
+        "allowed_tools": allowed_tools,
+        "mcp_servers": mcp_servers,  # SDK discovers tools automatically
+        "agents": sdk_agents,  # NEW: Native subagent support for teams
+        "permission_mode": runtime_config.get(
+            "permission_mode",
+            os.getenv("CLAUDE_CODE_PERMISSION_MODE", "bypassPermissions")
+        ),
+        "cwd": cwd_value,
+        "model": model,
+        "env": env,  # ← ENVIRONMENT VARIABLES PASSED HERE!
+        "max_turns": runtime_config.get("max_turns", 50),  # Default 50 turns to support complex multi-step workflows
+        "hooks": hooks,
+        "setting_sources": [],  # Explicit: don't load filesystem settings
+        "include_partial_messages": True,  # Enable character-by-character streaming
+        "resume": previous_session_id,  # Resume previous conversation if available
+    }
+    # Extended thinking support - enables thinking/reasoning streaming
+    # Can be configured via runtime_config or environment variable
+    max_thinking_tokens = runtime_config.get(
+        "max_thinking_tokens",
+        int(os.getenv("CLAUDE_CODE_MAX_THINKING_TOKENS", "0"))
+    )
+    if max_thinking_tokens > 0:
+        options_dict["max_thinking_tokens"] = max_thinking_tokens
+        logger.info(
+            "extended_thinking_enabled",
+            max_thinking_tokens=max_thinking_tokens,
+            note="Extended thinking will stream thinking_start/thinking_delta/thinking_complete events"
+        )
+    # Add permission handler if we have MCP servers
+    # CRITICAL: SDK discovers tools but doesn't auto-permit them
+    if permission_handler:
+        options_dict["can_use_tool"] = permission_handler
+    options = ClaudeAgentOptions(**options_dict)
+    logger.info(
+        "claude_code_options_configured",
+        include_partial_messages=getattr(options, "include_partial_messages", "NOT SET"),
+        permission_mode=options.permission_mode,
+        model=options.model,
+        mcp_servers_configured=len(mcp_servers) if mcp_servers else 0,
+        has_can_use_tool=permission_handler is not None,
+        note="SDK discovers tools, canUseTool handler permits mcp__<server>__* pattern"
+    )
+    # Return options, active_tools dict, started_tools set, and completed_tools set for tracking
+    return options, active_tools, started_tools, completed_tools