letta-nightly 0.11.7.dev20250916104104__py3-none-any.whl → 0.11.7.dev20250918104055__py3-none-any.whl

letta/schemas/secret.py

@@ -0,0 +1,378 @@
+import json
+from typing import Any, Dict, Optional
+
+from pydantic import BaseModel, ConfigDict, PrivateAttr
+
+from letta.helpers.crypto_utils import CryptoUtils
+from letta.log import get_logger
+
+logger = get_logger(__name__)
+
+
+class Secret(BaseModel):
+    """
+    A wrapper class for encrypted credentials that keeps values encrypted in memory.
+
+    This class ensures that sensitive data remains encrypted as much as possible
+    while passing through the codebase, only decrypting when absolutely necessary.
+
+    TODO: Once we deprecate plaintext columns in the database:
+    - Remove the dual-write logic in to_dict()
+    - Remove the from_db() method's plaintext_value parameter
+    - Remove the _was_encrypted flag (no longer needed for migration)
+    - Simplify get_plaintext() to only handle encrypted values
+    """
+
+    # Store the encrypted value
+    _encrypted_value: Optional[str] = PrivateAttr(default=None)
+    # Cache the decrypted value to avoid repeated decryption
+    _plaintext_cache: Optional[str] = PrivateAttr(default=None)
+    # Flag to indicate if the value was originally encrypted
+    _was_encrypted: bool = PrivateAttr(default=False)
+
+    model_config = ConfigDict(frozen=True)
+
+    @classmethod
+    def from_plaintext(cls, value: Optional[str]) -> "Secret":
+        """
+        Create a Secret from a plaintext value, encrypting it if possible.
+
+        Args:
+            value: The plaintext value to encrypt
+
+        Returns:
+            A Secret instance with the encrypted value, or plaintext if encryption unavailable
+        """
+        if value is None:
+            instance = cls()
+            instance._encrypted_value = None
+            instance._was_encrypted = False
+            return instance
+
+        # Try to encrypt, but fall back to plaintext if no encryption key
+        try:
+            encrypted = CryptoUtils.encrypt(value)
+            instance = cls()
+            instance._encrypted_value = encrypted
+            instance._was_encrypted = False
+            return instance
+        except ValueError as e:
+            # No encryption key available, store as plaintext
+            if "No encryption key configured" in str(e):
+                logger.warning(
+                    "No encryption key configured. Storing Secret value as plaintext. "
+                    "Set LETTA_ENCRYPTION_KEY environment variable to enable encryption."
+                )
+                instance = cls()
+                instance._encrypted_value = value  # Store plaintext
+                instance._plaintext_cache = value  # Cache it
+                instance._was_encrypted = False
+                return instance
+            raise  # Re-raise if it's a different error
+
+    @classmethod
+    def from_encrypted(cls, encrypted_value: Optional[str]) -> "Secret":
+        """
+        Create a Secret from an already encrypted value.
+
+        Args:
+            encrypted_value: The encrypted value
+
+        Returns:
+            A Secret instance
+        """
+        instance = cls()
+        instance._encrypted_value = encrypted_value
+        instance._was_encrypted = True
+        return instance
+
+    @classmethod
+    def from_db(cls, encrypted_value: Optional[str], plaintext_value: Optional[str]) -> "Secret":
+        """
+        Create a Secret from database values during migration phase.
+
+        Prefers encrypted value if available, falls back to plaintext.
+
+        Args:
+            encrypted_value: The encrypted value from the database
+            plaintext_value: The plaintext value from the database
+
+        Returns:
+            A Secret instance
+        """
+        if encrypted_value is not None:
+            return cls.from_encrypted(encrypted_value)
+        elif plaintext_value is not None:
+            return cls.from_plaintext(plaintext_value)
+        else:
+            return cls.from_plaintext(None)
+
+    def get_encrypted(self) -> Optional[str]:
+        """
+        Get the encrypted value.
+
+        Returns:
+            The encrypted value, or None if the secret is empty
+        """
+        return self._encrypted_value
+
+    def get_plaintext(self) -> Optional[str]:
+        """
+        Get the decrypted plaintext value.
+
+        This should only be called when the plaintext is actually needed,
+        such as when making an external API call.
+
+        Returns:
+            The decrypted plaintext value
+        """
+        if self._encrypted_value is None:
+            return None
+
+        # Use cached value if available, but only if it looks like plaintext
+        # or we're confident we can decrypt it
+        if self._plaintext_cache is not None:
+            # If we have a cache but the stored value looks encrypted and we have no key,
+            # we should not use the cache
+            if CryptoUtils.is_encrypted(self._encrypted_value) and not CryptoUtils.is_encryption_available():
+                self._plaintext_cache = None  # Clear invalid cache
+            else:
+                return self._plaintext_cache
+
+        # Decrypt and cache
+        try:
+            plaintext = CryptoUtils.decrypt(self._encrypted_value)
+            # Cache the decrypted value (PrivateAttr fields can be mutated even with frozen=True)
+            self._plaintext_cache = plaintext
+            return plaintext
+        except ValueError as e:
+            error_msg = str(e)
+
+            # Handle missing encryption key
+            if "No encryption key configured" in error_msg:
+                # Check if the value looks encrypted
+                if CryptoUtils.is_encrypted(self._encrypted_value):
+                    # Value was encrypted, but now we have no key - can't decrypt
+                    logger.warning(
+                        "Cannot decrypt Secret value - no encryption key configured. "
+                        "The value was encrypted and requires the original key to decrypt."
+                    )
+                    # Return None to indicate we can't get the plaintext
+                    return None
+                else:
+                    # Value is plaintext (stored when no key was available)
+                    logger.debug("Secret value is plaintext (stored without encryption)")
+                    self._plaintext_cache = self._encrypted_value
+                    return self._encrypted_value
+
+            # Handle decryption failure (might be plaintext stored as such)
+            elif "Failed to decrypt data" in error_msg:
+                # Check if it might be plaintext
+                if not CryptoUtils.is_encrypted(self._encrypted_value):
+                    # It's plaintext that was stored when no key was available
+                    logger.debug("Secret value appears to be plaintext (stored without encryption)")
+                    self._plaintext_cache = self._encrypted_value
+                    return self._encrypted_value
+                # Otherwise, it's corrupted or wrong key
+                logger.error("Failed to decrypt Secret value - data may be corrupted or wrong key")
+                raise
+
+            # Migration case: handle legacy plaintext
+            elif not self._was_encrypted:
+                if self._encrypted_value and not CryptoUtils.is_encrypted(self._encrypted_value):
+                    self._plaintext_cache = self._encrypted_value
+                    return self._encrypted_value
+                return None
+
+            # Re-raise for other errors
+            raise
+
+    def is_empty(self) -> bool:
+        """Check if the secret is empty/None."""
+        return self._encrypted_value is None
+
+    def __str__(self) -> str:
+        """String representation that doesn't expose the actual value."""
+        if self.is_empty():
+            return "<Secret: empty>"
+        return "<Secret: ****>"
+
+    def __repr__(self) -> str:
+        """Representation that doesn't expose the actual value."""
+        return self.__str__()
+
+    def to_dict(self) -> Dict[str, Any]:
+        """
+        Convert to dictionary for database storage.
+
+        Returns both encrypted and plaintext values for dual-write during migration.
+        """
+        return {"encrypted": self.get_encrypted(), "plaintext": self.get_plaintext() if not self._was_encrypted else None}
+
+    def __eq__(self, other: Any) -> bool:
+        """
+        Compare two secrets by their plaintext values.
+
+        Note: This decrypts both values, so use sparingly.
+        """
+        if not isinstance(other, Secret):
+            return False
+        return self.get_plaintext() == other.get_plaintext()
+
+
+class SecretDict(BaseModel):
+    """
+    A wrapper for dictionaries containing sensitive key-value pairs.
+
+    Used for custom headers and other key-value configurations.
+
+    TODO: Once we deprecate plaintext columns in the database:
+    - Remove the dual-write logic in to_dict()
+    - Remove the from_db() method's plaintext_value parameter
+    - Remove the _was_encrypted flag (no longer needed for migration)
+    - Simplify get_plaintext() to only handle encrypted JSON values
+    """
+
+    _encrypted_value: Optional[str] = PrivateAttr(default=None)
+    _plaintext_cache: Optional[Dict[str, str]] = PrivateAttr(default=None)
+    _was_encrypted: bool = PrivateAttr(default=False)
+
+    model_config = ConfigDict(frozen=True)
+
+    @classmethod
+    def from_plaintext(cls, value: Optional[Dict[str, str]]) -> "SecretDict":
+        """Create a SecretDict from a plaintext dictionary."""
+        if value is None:
+            instance = cls()
+            instance._encrypted_value = None
+            instance._was_encrypted = False
+            return instance
+
+        # Serialize to JSON then try to encrypt
+        json_str = json.dumps(value)
+        try:
+            encrypted = CryptoUtils.encrypt(json_str)
+            instance = cls()
+            instance._encrypted_value = encrypted
+            instance._was_encrypted = False
+            return instance
+        except ValueError as e:
+            # No encryption key available, store as plaintext JSON
+            if "No encryption key configured" in str(e):
+                logger.warning(
+                    "No encryption key configured. Storing SecretDict value as plaintext JSON. "
+                    "Set LETTA_ENCRYPTION_KEY environment variable to enable encryption."
+                )
+                instance = cls()
+                instance._encrypted_value = json_str  # Store JSON string
+                instance._plaintext_cache = value  # Cache the dict
+                instance._was_encrypted = False
+                return instance
+            raise  # Re-raise if it's a different error
+
+    @classmethod
+    def from_encrypted(cls, encrypted_value: Optional[str]) -> "SecretDict":
+        """Create a SecretDict from an encrypted value."""
+        instance = cls()
+        instance._encrypted_value = encrypted_value
+        instance._was_encrypted = True
+        return instance
+
+    @classmethod
+    def from_db(cls, encrypted_value: Optional[str], plaintext_value: Optional[Dict[str, str]]) -> "SecretDict":
+        """Create a SecretDict from database values during migration phase."""
+        if encrypted_value is not None:
+            return cls.from_encrypted(encrypted_value)
+        elif plaintext_value is not None:
+            return cls.from_plaintext(plaintext_value)
+        else:
+            return cls.from_plaintext(None)
+
+    def get_encrypted(self) -> Optional[str]:
+        """Get the encrypted value."""
+        return self._encrypted_value
+
+    def get_plaintext(self) -> Optional[Dict[str, str]]:
+        """Get the decrypted dictionary."""
+        if self._encrypted_value is None:
+            return None
+
+        # Use cached value if available, but only if it looks like plaintext
+        # or we're confident we can decrypt it
+        if self._plaintext_cache is not None:
+            # If we have a cache but the stored value looks encrypted and we have no key,
+            # we should not use the cache
+            if CryptoUtils.is_encrypted(self._encrypted_value) and not CryptoUtils.is_encryption_available():
+                self._plaintext_cache = None  # Clear invalid cache
+            else:
+                return self._plaintext_cache
+
+        try:
+            decrypted_json = CryptoUtils.decrypt(self._encrypted_value)
+            plaintext_dict = json.loads(decrypted_json)
+            # Cache the decrypted value (PrivateAttr fields can be mutated even with frozen=True)
+            self._plaintext_cache = plaintext_dict
+            return plaintext_dict
+        except ValueError as e:
+            error_msg = str(e)
+
+            # Handle missing encryption key
+            if "No encryption key configured" in error_msg:
+                # Check if the value looks encrypted
+                if CryptoUtils.is_encrypted(self._encrypted_value):
+                    # Value was encrypted, but now we have no key - can't decrypt
+                    logger.warning(
+                        "Cannot decrypt SecretDict value - no encryption key configured. "
+                        "The value was encrypted and requires the original key to decrypt."
+                    )
+                    # Return None to indicate we can't get the plaintext
+                    return None
+                else:
+                    # Value is plaintext JSON (stored when no key was available)
+                    logger.debug("SecretDict value is plaintext JSON (stored without encryption)")
+                    try:
+                        plaintext_dict = json.loads(self._encrypted_value)
+                        self._plaintext_cache = plaintext_dict
+                        return plaintext_dict
+                    except json.JSONDecodeError:
+                        logger.error("Failed to parse SecretDict plaintext as JSON")
+                        return None
+
+            # Handle decryption failure (might be plaintext JSON)
+            elif "Failed to decrypt data" in error_msg:
+                # Check if it might be plaintext JSON
+                if not CryptoUtils.is_encrypted(self._encrypted_value):
+                    # It's plaintext JSON that was stored when no key was available
+                    logger.debug("SecretDict value appears to be plaintext JSON (stored without encryption)")
+                    try:
+                        plaintext_dict = json.loads(self._encrypted_value)
+                        self._plaintext_cache = plaintext_dict
+                        return plaintext_dict
+                    except json.JSONDecodeError:
+                        logger.error("Failed to parse SecretDict plaintext as JSON")
+                        return None
+                # Otherwise, it's corrupted or wrong key
+                logger.error("Failed to decrypt SecretDict value - data may be corrupted or wrong key")
+                raise
+
+            # Migration case: handle legacy plaintext
+            elif not self._was_encrypted:
+                if self._encrypted_value:
+                    try:
+                        plaintext_dict = json.loads(self._encrypted_value)
+                        self._plaintext_cache = plaintext_dict
+                        return plaintext_dict
+                    except json.JSONDecodeError:
+                        pass
+                return None
+
+            # Re-raise for other errors
+            raise
+
+    def is_empty(self) -> bool:
+        """Check if the secret dict is empty/None."""
+        return self._encrypted_value is None
+
+    def to_dict(self) -> Dict[str, Any]:
+        """Convert to dictionary for database storage."""
+        return {"encrypted": self.get_encrypted(), "plaintext": self.get_plaintext() if not self._was_encrypted else None}

letta/schemas/step.py

@@ -35,7 +35,11 @@ class Step(StepBase):
     tags: List[str] = Field([], description="Metadata tags.")
     tid: Optional[str] = Field(None, description="The unique identifier of the transaction that processed this step.")
     trace_id: Optional[str] = Field(None, description="The trace id of the agent step.")
-    messages: List[Message] = Field([], description="The messages generated during this step.")
+    messages: List[Message] = Field(
+        [],
+        description="The messages generated during this step. Deprecated: use `GET /v1/steps/{step_id}/messages` endpoint instead",
+        deprecated=True,
+    )
     feedback: Optional[Literal["positive", "negative"]] = Field(
         None, description="The feedback for this step. Must be either 'positive' or 'negative'."
     )

letta/schemas/tool_rule.py

@@ -2,7 +2,6 @@ import json
 import logging
 from typing import Annotated, Any, Dict, List, Literal, Optional, Set, Union
 
-from jinja2 import Template
 from pydantic import Field, field_validator
 
 from letta.schemas.enums import ToolRuleType
@@ -17,7 +16,7 @@ class BaseToolRule(LettaBase):
     type: ToolRuleType = Field(..., description="The type of the message.")
     prompt_template: Optional[str] = Field(
         None,
-        description="Optional Jinja2 template for generating agent prompt about this tool rule. Template can use variables like 'tool_name' and rule-specific attributes.",
+        description="Optional template string (ignored). Rendering uses fast built-in formatting for performance.",
     )
 
     def __hash__(self):
@@ -34,22 +33,8 @@ class BaseToolRule(LettaBase):
         raise NotImplementedError
 
     def render_prompt(self) -> str | None:
-        """Render the prompt template with this rule's attributes."""
-        if not self.prompt_template:
-            return None
-
-        try:
-            template = Template(self.prompt_template)
-            return template.render(**self.model_dump())
-        except Exception as e:
-            logger.warning(
-                "Failed to render prompt template for tool rule '%s' (type: %s). Template: '%s'. Error: %s",
-                self.tool_name,
-                self.type,
-                self.prompt_template,
-                e,
-            )
-            return None
+        """Default implementation returns None. Subclasses provide optimized strings."""
+        return None
 
 
 class ChildToolRule(BaseToolRule):
@@ -60,8 +45,8 @@ class ChildToolRule(BaseToolRule):
     type: Literal[ToolRuleType.constrain_child_tools] = ToolRuleType.constrain_child_tools
     children: List[str] = Field(..., description="The children tools that can be invoked.")
     prompt_template: Optional[str] = Field(
-        default="<tool_rule>\nAfter using {{ tool_name }}, you must use one of these tools: {{ children | join(', ') }}\n</tool_rule>",
-        description="Optional Jinja2 template for generating agent prompt about this tool rule.",
+        default=None,
+        description="Optional template string (ignored).",
     )
 
     def __hash__(self):
@@ -78,6 +63,10 @@ class ChildToolRule(BaseToolRule):
         last_tool = tool_call_history[-1] if tool_call_history else None
         return set(self.children) if last_tool == self.tool_name else available_tools
 
+    def render_prompt(self) -> str | None:
+        children_str = ", ".join(self.children)
+        return f"<tool_rule>\nAfter using {self.tool_name}, you must use one of these tools: {children_str}\n</tool_rule>"
+
 
 class ParentToolRule(BaseToolRule):
     """
@@ -86,10 +75,7 @@ class ParentToolRule(BaseToolRule):
 
     type: Literal[ToolRuleType.parent_last_tool] = ToolRuleType.parent_last_tool
     children: List[str] = Field(..., description="The children tools that can be invoked.")
-    prompt_template: Optional[str] = Field(
-        default="<tool_rule>\n{{ children | join(', ') }} can only be used after {{ tool_name }}\n</tool_rule>",
-        description="Optional Jinja2 template for generating agent prompt about this tool rule.",
-    )
+    prompt_template: Optional[str] = Field(default=None, description="Optional template string (ignored).")
 
     def __hash__(self):
         """Hash including children list (sorted for consistency)."""
@@ -105,6 +91,10 @@ class ParentToolRule(BaseToolRule):
         last_tool = tool_call_history[-1] if tool_call_history else None
         return set(self.children) if last_tool == self.tool_name else available_tools - set(self.children)
 
+    def render_prompt(self) -> str | None:
+        children_str = ", ".join(self.children)
+        return f"<tool_rule>\n{children_str} can only be used after {self.tool_name}\n</tool_rule>"
+
 
 class ConditionalToolRule(BaseToolRule):
     """
@@ -115,10 +105,7 @@ class ConditionalToolRule(BaseToolRule):
     default_child: Optional[str] = Field(None, description="The default child tool to be called. If None, any tool can be called.")
     child_output_mapping: Dict[Any, str] = Field(..., description="The output case to check for mapping")
     require_output_mapping: bool = Field(default=False, description="Whether to throw an error when output doesn't match any case")
-    prompt_template: Optional[str] = Field(
-        default="<tool_rule>\n{{ tool_name }} will determine which tool to use next based on its output\n</tool_rule>",
-        description="Optional Jinja2 template for generating agent prompt about this tool rule.",
-    )
+    prompt_template: Optional[str] = Field(default=None, description="Optional template string (ignored).")
 
     def __hash__(self):
         """Hash including all configuration fields."""
@@ -165,6 +152,9 @@ class ConditionalToolRule(BaseToolRule):
 
         return {self.default_child} if self.default_child else available_tools
 
+    def render_prompt(self) -> str | None:
+        return f"<tool_rule>\n{self.tool_name} will determine which tool to use next based on its output\n</tool_rule>"
+
     @field_validator("child_output_mapping")
     @classmethod
     def validate_child_output_mapping(cls, v):
@@ -205,10 +195,10 @@ class TerminalToolRule(BaseToolRule):
     """
 
     type: Literal[ToolRuleType.exit_loop] = ToolRuleType.exit_loop
-    prompt_template: Optional[str] = Field(
-        default="<tool_rule>\n{{ tool_name }} ends your response (yields control) when called\n</tool_rule>",
-        description="Optional Jinja2 template for generating agent prompt about this tool rule.",
-    )
+    prompt_template: Optional[str] = Field(default=None, description="Optional template string (ignored).")
+
+    def render_prompt(self) -> str | None:
+        return f"<tool_rule>\n{self.tool_name} ends your response (yields control) when called\n</tool_rule>"
 
 
 class ContinueToolRule(BaseToolRule):
@@ -217,10 +207,10 @@ class ContinueToolRule(BaseToolRule):
     """
 
     type: Literal[ToolRuleType.continue_loop] = ToolRuleType.continue_loop
-    prompt_template: Optional[str] = Field(
-        default="<tool_rule>\n{{ tool_name }} requires continuing your response when called\n</tool_rule>",
-        description="Optional Jinja2 template for generating agent prompt about this tool rule.",
-    )
+    prompt_template: Optional[str] = Field(default=None, description="Optional template string (ignored).")
+
+    def render_prompt(self) -> str | None:
+        return f"<tool_rule>\n{self.tool_name} requires continuing your response when called\n</tool_rule>"
 
 
 class RequiredBeforeExitToolRule(BaseToolRule):
@@ -229,15 +219,15 @@ class RequiredBeforeExitToolRule(BaseToolRule):
     """
 
     type: Literal[ToolRuleType.required_before_exit] = ToolRuleType.required_before_exit
-    prompt_template: Optional[str] = Field(
-        default="<tool_rule>{{ tool_name }} must be called before ending the conversation</tool_rule>",
-        description="Optional Jinja2 template for generating agent prompt about this tool rule.",
-    )
+    prompt_template: Optional[str] = Field(default=None, description="Optional template string (ignored).")
 
     def get_valid_tools(self, tool_call_history: List[str], available_tools: Set[str], last_function_response: Optional[str]) -> Set[str]:
         """Returns all available tools - the logic for preventing exit is handled elsewhere."""
         return available_tools
 
+    def render_prompt(self) -> str | None:
+        return f"<tool_rule>{self.tool_name} must be called before ending the conversation</tool_rule>"
+
 
 class MaxCountPerStepToolRule(BaseToolRule):
     """
@@ -246,10 +236,7 @@ class MaxCountPerStepToolRule(BaseToolRule):
 
     type: Literal[ToolRuleType.max_count_per_step] = ToolRuleType.max_count_per_step
     max_count_limit: int = Field(..., description="The max limit for the total number of times this tool can be invoked in a single step.")
-    prompt_template: Optional[str] = Field(
-        default="<tool_rule>\n{{ tool_name }}: at most {{ max_count_limit }} use(s) per response\n</tool_rule>",
-        description="Optional Jinja2 template for generating agent prompt about this tool rule.",
-    )
+    prompt_template: Optional[str] = Field(default=None, description="Optional template string (ignored).")
 
     def __hash__(self):
         """Hash including max_count_limit."""
@@ -271,6 +258,9 @@ class MaxCountPerStepToolRule(BaseToolRule):
 
         return available_tools
 
+    def render_prompt(self) -> str | None:
+        return f"<tool_rule>\n{self.tool_name}: at most {self.max_count_limit} use(s) per response\n</tool_rule>"
+
 
 class RequiresApprovalToolRule(BaseToolRule):
     """

letta/serialize_schemas/marshmallow_agent.py

@@ -40,6 +40,7 @@ class MarshmallowAgentSchema(BaseSchema):
     core_memory = fields.List(fields.Nested(SerializedBlockSchema))
     tools = fields.List(fields.Nested(SerializedToolSchema))
     tool_exec_environment_variables = fields.List(fields.Nested(SerializedAgentEnvironmentVariableSchema))
+    secrets = fields.List(fields.Nested(SerializedAgentEnvironmentVariableSchema))
     tags = fields.List(fields.Nested(SerializedAgentTagSchema))
 
     def __init__(self, *args, session: sessionmaker, actor: User, max_steps: Optional[int] = None, **kwargs):
@@ -214,6 +215,9 @@ class MarshmallowAgentSchema(BaseSchema):
         for env_var in data.get("tool_exec_environment_variables", []):
             # need to be re-set at load time
             env_var["value"] = ""
+        for env_var in data.get("secrets", []):
+            # need to be re-set at load time
+            env_var["value"] = ""
         return data
 
     @pre_load

letta/server/rest_api/routers/v1/__init__.py

@@ -1,4 +1,5 @@
 from letta.server.rest_api.routers.v1.agents import router as agents_router
+from letta.server.rest_api.routers.v1.archives import router as archives_router
 from letta.server.rest_api.routers.v1.blocks import router as blocks_router
 from letta.server.rest_api.routers.v1.embeddings import router as embeddings_router
 from letta.server.rest_api.routers.v1.folders import router as folders_router
@@ -20,6 +21,7 @@ from letta.server.rest_api.routers.v1.tools import router as tools_router
 from letta.server.rest_api.routers.v1.voice import router as voice_router
 
 ROUTERS = [
+    archives_router,
     tools_router,
     sources_router,
     folders_router,

letta/server/rest_api/routers/v1/agents.py

@@ -38,6 +38,7 @@ from letta.schemas.job import JobStatus, JobUpdate, LettaRequestConfig
 from letta.schemas.letta_message import LettaMessageUnion, LettaMessageUpdateUnion, MessageType
 from letta.schemas.letta_request import LettaAsyncRequest, LettaRequest, LettaStreamingRequest
 from letta.schemas.letta_response import LettaResponse
+from letta.schemas.letta_stop_reason import StopReasonType
 from letta.schemas.memory import (
     ArchivalMemorySearchResponse,
     ArchivalMemorySearchResult,
@@ -1192,6 +1193,7 @@ async def send_message(
     await redis_client.set(f"{REDIS_RUN_ID_PREFIX}:{agent_id}", run.id if run else None)
 
     try:
+        result = None
         if agent_eligible and model_compatible:
             agent_loop = AgentLoop.load(agent_state=agent, actor=actor)
             result = await agent_loop.step(
@@ -1229,11 +1231,17 @@ async def send_message(
         raise
     finally:
         if settings.track_agent_run:
+            if result:
+                stop_reason = result.stop_reason.stop_reason
+            else:
+                # NOTE: we could also consider this an error?
+                stop_reason = None
             await server.job_manager.safe_update_job_status_async(
                 job_id=run.id,
                 new_status=job_status,
                 actor=actor,
                 metadata=job_update_metadata,
+                stop_reason=stop_reason,
             )
 
 
@@ -1440,10 +1448,7 @@ async def send_message_streaming(
     finally:
         if settings.track_agent_run:
             await server.job_manager.safe_update_job_status_async(
-                job_id=run.id,
-                new_status=job_status,
-                actor=actor,
-                metadata=job_update_metadata,
+                job_id=run.id, new_status=job_status, actor=actor, metadata=job_update_metadata
             )