letta-nightly 0.11.7.dev20250915104130__py3-none-any.whl → 0.11.7.dev20250917104122__py3-none-any.whl

letta/schemas/agent.py

@@ -86,6 +86,11 @@ class AgentState(OrmMetadataBase, validate_assignment=True):
     sources: List[Source] = Field(..., description="The sources used by the agent.")
     tags: List[str] = Field(..., description="The tags associated with the agent.")
     tool_exec_environment_variables: List[AgentEnvironmentVariable] = Field(
+        default_factory=list,
+        description="Deprecated: use `secrets` field instead.",
+        deprecated=True,
+    )
+    secrets: List[AgentEnvironmentVariable] = Field(
         default_factory=list, description="The environment variables for tool execution specific to this agent."
     )
     project_id: Optional[str] = Field(None, description="The id of the project the agent belongs to.")
@@ -133,7 +138,7 @@ class AgentState(OrmMetadataBase, validate_assignment=True):
     def get_agent_env_vars_as_dict(self) -> Dict[str, str]:
         # Get environment variables for this agent specifically
         per_agent_env_vars = {}
-        for agent_env_var_obj in self.tool_exec_environment_variables:
+        for agent_env_var_obj in self.secrets:
             per_agent_env_vars[agent_env_var_obj.key] = agent_env_var_obj.value
         return per_agent_env_vars
 
@@ -222,9 +227,8 @@ class CreateAgent(BaseModel, validate_assignment=True):  #
         deprecated=True,
         description="Deprecated: Project should now be passed via the X-Project header instead of in the request body. If using the sdk, this can be done via the new x_project field below.",
     )
-    tool_exec_environment_variables: Optional[Dict[str, str]] = Field(
-        None, description="The environment variables for tool execution specific to this agent."
-    )
+    tool_exec_environment_variables: Optional[Dict[str, str]] = Field(None, description="Deprecated: use `secrets` field instead.")
+    secrets: Optional[Dict[str, str]] = Field(None, description="The environment variables for tool execution specific to this agent.")
     memory_variables: Optional[Dict[str, str]] = Field(None, description="The variables that should be set for the agent.")
     project_id: Optional[str] = Field(None, description="The id of the project the agent belongs to.")
     template_id: Optional[str] = Field(None, description="The id of the template the agent belongs to.")
@@ -328,9 +332,8 @@ class UpdateAgent(BaseModel):
     message_ids: Optional[List[str]] = Field(None, description="The ids of the messages in the agent's in-context memory.")
     description: Optional[str] = Field(None, description="The description of the agent.")
     metadata: Optional[Dict] = Field(None, description="The metadata of the agent.")
-    tool_exec_environment_variables: Optional[Dict[str, str]] = Field(
-        None, description="The environment variables for tool execution specific to this agent."
-    )
+    tool_exec_environment_variables: Optional[Dict[str, str]] = Field(None, description="Deprecated: use `secrets` field instead")
+    secrets: Optional[Dict[str, str]] = Field(None, description="The environment variables for tool execution specific to this agent.")
     project_id: Optional[str] = Field(None, description="The id of the project the agent belongs to.")
     template_id: Optional[str] = Field(None, description="The id of the template the agent belongs to.")
     base_template_id: Optional[str] = Field(None, description="The base template id of the agent.")

letta/schemas/job.py

@@ -8,16 +8,26 @@ from letta.helpers.datetime_helpers import get_utc_time
 from letta.schemas.enums import JobStatus, JobType
 from letta.schemas.letta_base import OrmMetadataBase
 from letta.schemas.letta_message import MessageType
+from letta.schemas.letta_stop_reason import StopReasonType
 
 
 class JobBase(OrmMetadataBase):
     __id_prefix__ = "job"
     status: JobStatus = Field(default=JobStatus.created, description="The status of the job.")
     created_at: datetime = Field(default_factory=get_utc_time, description="The unix timestamp of when the job was created.")
+
+    # completion related
     completed_at: Optional[datetime] = Field(None, description="The unix timestamp of when the job was completed.")
+    stop_reason: Optional[StopReasonType] = Field(None, description="The reason why the job was stopped.")
+
+    # metadata
     metadata: Optional[dict] = Field(None, validation_alias="metadata_", description="The metadata of the job.")
     job_type: JobType = Field(default=JobType.JOB, description="The type of the job.")
 
+    ## TODO: Run-specific fields
+    # background: Optional[bool] = Field(None, description="Whether the job was created in background mode.")
+    # agent_id: Optional[str] = Field(None, description="The agent associated with this job/run.")
+
     callback_url: Optional[str] = Field(None, description="If set, POST to this URL when the job completes.")
     callback_sent_at: Optional[datetime] = Field(None, description="Timestamp when the callback was last attempted.")
     callback_status_code: Optional[int] = Field(None, description="HTTP status code returned by the callback endpoint.")

letta/schemas/mcp.py

@@ -13,6 +13,8 @@ from letta.functions.mcp_client.types import (
 )
 from letta.orm.mcp_oauth import OAuthSessionStatus
 from letta.schemas.letta_base import LettaBase
+from letta.schemas.secret import Secret, SecretDict
+from letta.settings import settings
 
 
 class BaseMCPServer(LettaBase):
@@ -29,6 +31,9 @@ class MCPServer(BaseMCPServer):
     token: Optional[str] = Field(None, description="The access token or API key for the MCP server (used for authentication)")
     custom_headers: Optional[Dict[str, str]] = Field(None, description="Custom authentication headers as key-value pairs")
 
+    token_enc: Optional[str] = Field(None, description="Encrypted token")
+    custom_headers_enc: Optional[str] = Field(None, description="Encrypted custom headers")
+
     # stdio config
     stdio_config: Optional[StdioServerConfig] = Field(
         None, description="The configuration for the server (MCP 'local' client will run this command)"
@@ -41,18 +46,76 @@ class MCPServer(BaseMCPServer):
     last_updated_by_id: Optional[str] = Field(None, description="The id of the user that made this Tool.")
     metadata_: Optional[Dict[str, Any]] = Field(default_factory=dict, description="A dictionary of additional metadata for the tool.")
 
+    def get_token_secret(self) -> Secret:
+        """Get the token as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.token_enc, self.token)
+
+    def get_custom_headers_secret(self) -> SecretDict:
+        """Get custom headers as a SecretDict object, preferring encrypted over plaintext."""
+        return SecretDict.from_db(self.custom_headers_enc, self.custom_headers)
+
+    def set_token_secret(self, secret: Secret) -> None:
+        """Set token from a Secret object, updating both encrypted and plaintext fields."""
+        secret_dict = secret.to_dict()
+        self.token_enc = secret_dict["encrypted"]
+        # Only set plaintext during migration phase
+        if not secret._was_encrypted:
+            self.token = secret_dict["plaintext"]
+        else:
+            self.token = None
+
+    def set_custom_headers_secret(self, secret: SecretDict) -> None:
+        """Set custom headers from a SecretDict object, updating both fields."""
+        secret_dict = secret.to_dict()
+        self.custom_headers_enc = secret_dict["encrypted"]
+        # Only set plaintext during migration phase
+        if not secret._was_encrypted:
+            self.custom_headers = secret_dict["plaintext"]
+        else:
+            self.custom_headers = None
+
+    def model_dump(self, to_orm: bool = False, **kwargs):
+        """Override model_dump to handle encryption when saving to database."""
+        data = super().model_dump(to_orm=to_orm, **kwargs)
+
+        if to_orm and settings.encryption_key:
+            # Encrypt token if present
+            if self.token is not None:
+                token_secret = Secret.from_plaintext(self.token)
+                secret_dict = token_secret.to_dict()
+                data["token_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["token"] = secret_dict["plaintext"]
+
+            # Encrypt custom headers if present
+            if self.custom_headers is not None:
+                headers_secret = SecretDict.from_plaintext(self.custom_headers)
+                secret_dict = headers_secret.to_dict()
+                data["custom_headers_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["custom_headers"] = secret_dict["plaintext"]
+
+        return data
+
     def to_config(
         self,
         environment_variables: Optional[Dict[str, str]] = None,
         resolve_variables: bool = True,
     ) -> Union[SSEServerConfig, StdioServerConfig, StreamableHTTPServerConfig]:
+        # Get decrypted values for use in config
+        token_secret = self.get_token_secret()
+        token_plaintext = token_secret.get_plaintext()
+
+        headers_secret = self.get_custom_headers_secret()
+        headers_plaintext = headers_secret.get_plaintext()
+
         if self.server_type == MCPServerType.SSE:
             config = SSEServerConfig(
                 server_name=self.server_name,
                 server_url=self.server_url,
-                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if self.token and not self.custom_headers else None,
-                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {self.token}" if self.token and not self.custom_headers else None,
-                custom_headers=self.custom_headers,
+                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if token_plaintext and not headers_plaintext else None,
+                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {token_plaintext}" if token_plaintext and not headers_plaintext else None,
+                custom_headers=headers_plaintext,
             )
             if resolve_variables:
                 config.resolve_environment_variables(environment_variables)
@@ -70,9 +133,9 @@ class MCPServer(BaseMCPServer):
             config = StreamableHTTPServerConfig(
                 server_name=self.server_name,
                 server_url=self.server_url,
-                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if self.token and not self.custom_headers else None,
-                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {self.token}" if self.token and not self.custom_headers else None,
-                custom_headers=self.custom_headers,
+                auth_header=MCP_AUTH_HEADER_AUTHORIZATION if token_plaintext and not headers_plaintext else None,
+                auth_token=f"{MCP_AUTH_TOKEN_BEARER_PREFIX} {token_plaintext}" if token_plaintext and not headers_plaintext else None,
+                custom_headers=headers_plaintext,
             )
             if resolve_variables:
                 config.resolve_environment_variables(environment_variables)
@@ -138,11 +201,18 @@ class MCPOAuthSession(BaseMCPOAuth):
     expires_at: Optional[datetime] = Field(None, description="Token expiry time")
     scope: Optional[str] = Field(None, description="OAuth scope")
 
+    # Encrypted token fields (for internal use)
+    access_token_enc: Optional[str] = Field(None, description="Encrypted OAuth access token")
+    refresh_token_enc: Optional[str] = Field(None, description="Encrypted OAuth refresh token")
+
     # Client configuration
     client_id: Optional[str] = Field(None, description="OAuth client ID")
     client_secret: Optional[str] = Field(None, description="OAuth client secret")
     redirect_uri: Optional[str] = Field(None, description="OAuth redirect URI")
 
+    # Encrypted client secret (for internal use)
+    client_secret_enc: Optional[str] = Field(None, description="Encrypted OAuth client secret")
+
     # Session state
     status: OAuthSessionStatus = Field(default=OAuthSessionStatus.PENDING, description="Session status")
 
@@ -150,6 +220,76 @@ class MCPOAuthSession(BaseMCPOAuth):
     created_at: datetime = Field(default_factory=datetime.now, description="Session creation time")
     updated_at: datetime = Field(default_factory=datetime.now, description="Last update time")
 
+    def get_access_token_secret(self) -> Secret:
+        """Get the access token as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.access_token_enc, self.access_token)
+
+    def get_refresh_token_secret(self) -> Secret:
+        """Get the refresh token as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.refresh_token_enc, self.refresh_token)
+
+    def get_client_secret_secret(self) -> Secret:
+        """Get the client secret as a Secret object, preferring encrypted over plaintext."""
+        return Secret.from_db(self.client_secret_enc, self.client_secret)
+
+    def set_access_token_secret(self, secret: Secret) -> None:
+        """Set access token from a Secret object."""
+        secret_dict = secret.to_dict()
+        self.access_token_enc = secret_dict["encrypted"]
+        if not secret._was_encrypted:
+            self.access_token = secret_dict["plaintext"]
+        else:
+            self.access_token = None
+
+    def set_refresh_token_secret(self, secret: Secret) -> None:
+        """Set refresh token from a Secret object."""
+        secret_dict = secret.to_dict()
+        self.refresh_token_enc = secret_dict["encrypted"]
+        if not secret._was_encrypted:
+            self.refresh_token = secret_dict["plaintext"]
+        else:
+            self.refresh_token = None
+
+    def set_client_secret_secret(self, secret: Secret) -> None:
+        """Set client secret from a Secret object."""
+        secret_dict = secret.to_dict()
+        self.client_secret_enc = secret_dict["encrypted"]
+        if not secret._was_encrypted:
+            self.client_secret = secret_dict["plaintext"]
+        else:
+            self.client_secret = None
+
+    def model_dump(self, to_orm: bool = False, **kwargs):
+        """Override model_dump to handle encryption when saving to database."""
+        data = super().model_dump(to_orm=to_orm, **kwargs)
+
+        if to_orm and settings.encryption_key:
+            # Encrypt access token if present
+            if self.access_token is not None:
+                token_secret = Secret.from_plaintext(self.access_token)
+                secret_dict = token_secret.to_dict()
+                data["access_token_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["access_token"] = secret_dict["plaintext"]
+
+            # Encrypt refresh token if present
+            if self.refresh_token is not None:
+                token_secret = Secret.from_plaintext(self.refresh_token)
+                secret_dict = token_secret.to_dict()
+                data["refresh_token_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["refresh_token"] = secret_dict["plaintext"]
+
+            # Encrypt client secret if present
+            if self.client_secret is not None:
+                secret = Secret.from_plaintext(self.client_secret)
+                secret_dict = secret.to_dict()
+                data["client_secret_enc"] = secret_dict["encrypted"]
+                # Keep plaintext for dual-write during migration
+                data["client_secret"] = secret_dict["plaintext"]
+
+        return data
+
 
 class MCPOAuthSessionCreate(BaseMCPOAuth):
     """Create a new OAuth session."""

letta/schemas/provider_trace.py

@@ -19,7 +19,6 @@ class ProviderTraceCreate(BaseModel):
     request_json: dict[str, Any] = Field(..., description="JSON content of the provider request")
     response_json: dict[str, Any] = Field(..., description="JSON content of the provider response")
     step_id: str = Field(None, description="ID of the step that this trace is associated with")
-    organization_id: str = Field(..., description="The unique identifier of the organization.")
 
 
 class ProviderTrace(BaseProviderTrace):
@@ -39,5 +38,4 @@ class ProviderTrace(BaseProviderTrace):
     request_json: Dict[str, Any] = Field(..., description="JSON content of the provider request")
     response_json: Dict[str, Any] = Field(..., description="JSON content of the provider response")
     step_id: Optional[str] = Field(None, description="ID of the step that this trace is associated with")
-    organization_id: str = Field(..., description="The unique identifier of the organization.")
     created_at: datetime = Field(default_factory=get_utc_time, description="The timestamp when the object was created.")

letta/schemas/run.py

@@ -4,6 +4,7 @@ from pydantic import Field
 
 from letta.schemas.enums import JobType
 from letta.schemas.job import Job, JobBase, LettaRequestConfig
+from letta.schemas.letta_stop_reason import StopReasonType
 
 
 class RunBase(JobBase):
@@ -29,6 +30,7 @@ class Run(RunBase):
     id: str = RunBase.generate_id_field()
     user_id: Optional[str] = Field(None, description="The unique identifier of the user associated with the run.")
     request_config: Optional[LettaRequestConfig] = Field(None, description="The request configuration for the run.")
+    stop_reason: Optional[StopReasonType] = Field(None, description="The reason why the run was stopped.")
 
     @classmethod
     def from_job(cls, job: Job) -> "Run":