llama-stack 0.4.4__py3-none-any.whl → 0.5.0rc1__py3-none-any.whl

llama_stack/core/routing_tables/shields.py

@@ -4,13 +4,19 @@
 # This source code is licensed under the terms described in the LICENSE file in
 # the root directory of this source tree.
 
-from typing import Any
-
 from llama_stack.core.datatypes import (
     ShieldWithOwner,
 )
 from llama_stack.log import get_logger
-from llama_stack_api import ListShieldsResponse, ResourceType, Shield, Shields
+from llama_stack_api import (
+    GetShieldRequest,
+    ListShieldsResponse,
+    RegisterShieldRequest,
+    ResourceType,
+    Shield,
+    Shields,
+    UnregisterShieldRequest,
+)
 
 from .common import CommonRoutingTableImpl
 
@@ -21,21 +27,17 @@ class ShieldsRoutingTable(CommonRoutingTableImpl, Shields):
     async def list_shields(self) -> ListShieldsResponse:
         return ListShieldsResponse(data=await self.get_all_with_type(ResourceType.shield.value))
 
-    async def get_shield(self, identifier: str) -> Shield:
-        shield = await self.get_object_by_identifier("shield", identifier)
+    async def get_shield(self, request: GetShieldRequest) -> Shield:
+        shield = await self.get_object_by_identifier("shield", request.identifier)
         if shield is None:
-            raise ValueError(f"Shield '{identifier}' not found")
+            raise ValueError(f"Shield '{request.identifier}' not found")
         return shield
 
-    async def register_shield(
-        self,
-        shield_id: str,
-        provider_shield_id: str | None = None,
-        provider_id: str | None = None,
-        params: dict[str, Any] | None = None,
-    ) -> Shield:
+    async def register_shield(self, request: RegisterShieldRequest) -> Shield:
+        provider_shield_id = request.provider_shield_id
         if provider_shield_id is None:
-            provider_shield_id = shield_id
+            provider_shield_id = request.shield_id
+        provider_id = request.provider_id
         if provider_id is None:
             # If provider_id not specified, use the only provider if it supports this shield type
             if len(self.impls_by_provider_id) == 1:
@@ -44,10 +46,11 @@ class ShieldsRoutingTable(CommonRoutingTableImpl, Shields):
                 raise ValueError(
                     "No provider specified and multiple providers available. Please specify a provider_id."
                 )
+        params = request.params
         if params is None:
             params = {}
         shield = ShieldWithOwner(
-            identifier=shield_id,
+            identifier=request.shield_id,
             provider_resource_id=provider_shield_id,
             provider_id=provider_id,
             params=params,
@@ -55,6 +58,6 @@ class ShieldsRoutingTable(CommonRoutingTableImpl, Shields):
         await self.register_object(shield)
         return shield
 
-    async def unregister_shield(self, identifier: str) -> None:
-        existing_shield = await self.get_shield(identifier)
+    async def unregister_shield(self, request: UnregisterShieldRequest) -> None:
+        existing_shield = await self.get_shield(GetShieldRequest(identifier=request.identifier))
         await self.unregister_object(existing_shield)

llama_stack/core/routing_tables/vector_stores.py

@@ -24,10 +24,13 @@ from llama_stack_api import (
     SearchRankingOptions,
     VectorStoreChunkingStrategy,
     VectorStoreDeleteResponse,
+    VectorStoreFileBatchObject,
     VectorStoreFileContentResponse,
     VectorStoreFileDeleteResponse,
     VectorStoreFileObject,
+    VectorStoreFilesListInBatchResponse,
     VectorStoreFileStatus,
+    VectorStoreListFilesResponse,
     VectorStoreObject,
     VectorStoreSearchResponsePage,
 )
@@ -205,7 +208,7 @@ class VectorStoresRoutingTable(CommonRoutingTableImpl):
         after: str | None = None,
         before: str | None = None,
         filter: VectorStoreFileStatus | None = None,
-    ) -> list[VectorStoreFileObject]:
+    ) -> VectorStoreListFilesResponse:
         await self.assert_action_allowed("read", "vector_store", vector_store_id)
         provider = await self.get_provider_impl(vector_store_id)
         return await provider.openai_list_files_in_vector_store(
@@ -276,7 +279,7 @@ class VectorStoresRoutingTable(CommonRoutingTableImpl):
         self,
         vector_store_id: str,
         params: OpenAICreateVectorStoreFileBatchRequestWithExtraBody,
-    ):
+    ) -> VectorStoreFileBatchObject:
         await self.assert_action_allowed("update", "vector_store", vector_store_id)
         provider = await self.get_provider_impl(vector_store_id)
         return await provider.openai_create_vector_store_file_batch(
@@ -288,7 +291,7 @@ class VectorStoresRoutingTable(CommonRoutingTableImpl):
         self,
         batch_id: str,
         vector_store_id: str,
-    ):
+    ) -> VectorStoreFileBatchObject:
         await self.assert_action_allowed("read", "vector_store", vector_store_id)
         provider = await self.get_provider_impl(vector_store_id)
         return await provider.openai_retrieve_vector_store_file_batch(
@@ -305,7 +308,7 @@ class VectorStoresRoutingTable(CommonRoutingTableImpl):
         filter: str | None = None,
         limit: int | None = 20,
         order: str | None = "desc",
-    ):
+    ) -> VectorStoreFilesListInBatchResponse:
         await self.assert_action_allowed("read", "vector_store", vector_store_id)
         provider = await self.get_provider_impl(vector_store_id)
         return await provider.openai_list_files_in_vector_store_file_batch(
@@ -322,7 +325,7 @@ class VectorStoresRoutingTable(CommonRoutingTableImpl):
         self,
         batch_id: str,
         vector_store_id: str,
-    ):
+    ) -> VectorStoreFileBatchObject:
         await self.assert_action_allowed("update", "vector_store", vector_store_id)
         provider = await self.get_provider_impl(vector_store_id)
         return await provider.openai_cancel_vector_store_file_batch(

llama_stack/core/server/auth.py

@@ -9,6 +9,8 @@ import json
 import httpx
 from aiohttp import hdrs
 
+from llama_stack.core.access_control.conditions import parse_conditions
+from llama_stack.core.access_control.datatypes import RouteAccessRule
 from llama_stack.core.datatypes import AuthenticationConfig, User
 from llama_stack.core.request_headers import user_from_scope
 from llama_stack.core.server.auth_providers import create_auth_provider
@@ -152,16 +154,6 @@ class AuthenticationMiddleware:
                 f"Authentication successful: {validation_result.principal} with {len(validation_result.attributes)} attributes"
             )
 
-            # Scope-based API access control
-            if webmethod and webmethod.required_scope:
-                user = user_from_scope(scope)
-                if not _has_required_scope(webmethod.required_scope, user):
-                    return await self._send_auth_error(
-                        send,
-                        f"Access denied: user does not have required scope: {webmethod.required_scope}",
-                        status=403,
-                    )
-
         return await self.app(scope, receive, send)
 
     async def _send_auth_error(self, send, message, status=401):
@@ -177,13 +169,196 @@ class AuthenticationMiddleware:
         await send({"type": "http.response.body", "body": error_msg})
 
 
-def _has_required_scope(required_scope: str, user: User | None) -> bool:
-    # if no user, assume auth is not enabled
-    if not user:
-        return True
+class RouteAuthorizationMiddleware:
+    """Middleware that enforces route-level access control.
+
+    This middleware runs after authentication and checks if the authenticated user
+    has permission to access the requested API route based on route_policy rules.
+
+    """
+
+    def __init__(self, app, route_policy: list[RouteAccessRule]):
+        self.app = app
+        self.route_policy = route_policy
+
+    async def __call__(self, scope, receive, send):
+        # Only process HTTP requests
+        if scope["type"] != "http":
+            return await self.app(scope, receive, send)
+
+        # If no route policy configured, allow all routes (backward compatible)
+        if not self.route_policy:
+            return await self.app(scope, receive, send)
+
+        route = scope.get("path", "")
+        # Normalize route: remove trailing slash (except for root "/")
+        if route != "/" and route.endswith("/"):
+            route = route.rstrip("/")
+
+        # Get authenticated user from scope (set by AuthenticationMiddleware if present)
+        user = user_from_scope(scope)
+
+        # Check if user has permission to access this route
+        if not self._is_route_allowed(route, user):
+            return await self._send_error(
+                send, f"Access denied: insufficient permissions for route {route}", status=403
+            )
+
+        return await self.app(scope, receive, send)
+
+    def _is_route_allowed(self, route: str, user: User | None) -> bool:
+        """Check if the user is allowed to access the given route.
+
+        Rules are evaluated in order. First matching rule determines access.
+        If no rule matches, access is denied.
+
+        Args:
+            route: The route being accessed
+            user: The authenticated user, or None if no authentication is configured
+        """
+        user_str = user.principal if user else "anonymous"
+
+        for index, rule in enumerate(self.route_policy):
+            if self._rule_matches(rule, route, user):
+                # Check if this is a permit or forbid rule
+                if rule.permit:
+                    decision = "APPROVED"
+                    reason = rule.description or ""
+                    logger.debug(
+                        f"ROUTE_AUTHZ,decision={decision},user={user_str},"
+                        f"route={route},rule_index={index},reason={reason!r}"
+                    )
+                    return True
+                else:  # forbid
+                    decision = "DENIED"
+                    reason = rule.description or ""
+                    logger.debug(
+                        f"ROUTE_AUTHZ,decision={decision},user={user_str},"
+                        f"route={route},rule_index={index},reason={reason!r}"
+                    )
+                    return False
+
+        # No matching rule found - deny by default
+        decision = "DENIED"
+        reason = "no matching rule"
+        logger.debug(f"ROUTE_AUTHZ,decision={decision},user={user_str},route={route},rule_index=-1,reason={reason!r}")
+        return False
+
+    def _rule_matches(self, rule: RouteAccessRule, route: str, user: User | None) -> bool:
+        """Check if a rule matches the given route and user.
+
+        Args:
+            rule: The rule to evaluate
+            route: The route being accessed
+            user: The authenticated user, or None if no authentication is configured
+        """
+        # Get the scope (permit or forbid)
+        scope = rule.permit if rule.permit else rule.forbid
+        if not scope:
+            return False
+
+        # Check if route matches
+        if not self._route_matches(route, scope.paths):
+            return False
+
+        # Evaluate conditions
+        return self._evaluate_conditions(rule, user)
+
+    def _route_matches(self, request_route: str, rule_patterns: str | list[str]) -> bool:
+        """Check if request route matches any of the rule patterns.
+
+        Supports:
+        - Exact match: "/v1/chat/completions"
+        - Prefix wildcard: "/v1/files*" matches "/v1/files", "/v1/files/upload", "/v1/files/list", etc.
+        - Full wildcard: "*" matches all routes
+        """
+        patterns = [rule_patterns] if isinstance(rule_patterns, str) else rule_patterns
+
+        for pattern in patterns:
+            if pattern == "*":
+                # Full wildcard matches everything
+                return True
+            elif pattern.endswith("*"):
+                # Prefix wildcard: check if request route starts with the prefix
+                prefix = pattern[:-1]  # Remove "*"
+                if request_route.startswith(prefix):
+                    return True
+            elif pattern == request_route:
+                # Exact match
+                return True
 
-    if not user.attributes:
         return False
 
-    user_scopes = user.attributes.get("scopes", [])
-    return required_scope in user_scopes
+    def _evaluate_conditions(self, rule: RouteAccessRule, user: User | None) -> bool:
+        """Evaluate when/unless conditions for the rule.
+
+        Reuses the existing condition parsing from access_control.conditions.
+
+        Args:
+            rule: The rule whose conditions to evaluate
+            user: The authenticated user, or None if no authentication is configured
+
+        Returns:
+            True if conditions are met (or no conditions exist), False otherwise
+        """
+        # If rule has conditions but no user is available, conditions cannot be met
+        if (rule.when or rule.unless) and not user:
+            return False
+
+        if rule.when:
+            # At this point, if rule.when exists and we got past the check above,
+            # user is guaranteed to be non-None
+            assert user is not None
+            conditions_list = rule.when if isinstance(rule.when, list) else [rule.when]
+            conditions = parse_conditions(conditions_list)
+            # For 'when', all conditions must match (AND logic)
+            # Note: Since we're checking route access, we don't have a resource,
+            # so we create a context object to satisfy the interface
+            route_context = _RouteContext()
+            for condition in conditions:
+                if not condition.matches(route_context, user):
+                    return False
+            return True
+
+        if rule.unless:
+            # At this point, if rule.unless exists and we got past the check above,
+            # user is guaranteed to be non-None
+            assert user is not None
+            conditions_list = rule.unless if isinstance(rule.unless, list) else [rule.unless]
+            conditions = parse_conditions(conditions_list)
+            # For 'unless', no conditions should match (NOT logic)
+            route_context = _RouteContext()
+            for condition in conditions:
+                if condition.matches(route_context, user):
+                    return False
+            return True
+
+        # No conditions specified - rule applies regardless of user
+        return True
+
+    async def _send_error(self, send, message: str, status: int = 403):
+        """Send an error response."""
+        await send(
+            {
+                "type": "http.response.start",
+                "status": status,
+                "headers": [[b"content-type", b"application/json"]],
+            }
+        )
+        error_key = "message" if status == 401 else "detail"
+        error_msg = json.dumps({"error": {error_key: message}}).encode()
+        await send({"type": "http.response.body", "body": error_msg})
+
+
+class _RouteContext:
+    """Placeholder resource for route-level condition evaluation.
+
+    Route rules don't operate on actual resources, so we use this context object
+    to satisfy the condition.matches() interface. Route conditions typically check
+    user attributes (e.g., "user with admin in roles") and don't require resource properties.
+    """
+
+    def __init__(self):
+        self.type = "route"
+        self.identifier = "route"
+        self.owner = None

llama_stack/core/server/fastapi_router_registry.py

@@ -16,20 +16,55 @@ from typing import Any, cast
 from fastapi import APIRouter
 from fastapi.routing import APIRoute
 
-from llama_stack_api import admin, batches, benchmarks, datasets, files, inspect_api, providers
+from llama_stack_api import (
+    admin,
+    agents,
+    batches,
+    benchmarks,
+    connectors,
+    conversations,
+    datasetio,
+    datasets,
+    eval,
+    files,
+    inference,
+    inspect_api,
+    models,
+    post_training,
+    prompts,
+    providers,
+    safety,
+    scoring,
+    scoring_functions,
+    shields,
+    vector_io,
+)
+from llama_stack_api.datatypes import Api
 
 # Router factories for APIs that have FastAPI routers
 # Add new APIs here as they are migrated to the router system
-from llama_stack_api.datatypes import Api
-
 _ROUTER_FACTORIES: dict[str, Callable[[Any], APIRouter]] = {
     "admin": admin.fastapi_routes.create_router,
+    "agents": agents.fastapi_routes.create_router,
     "batches": batches.fastapi_routes.create_router,
     "benchmarks": benchmarks.fastapi_routes.create_router,
+    "connectors": connectors.fastapi_routes.create_router,
+    "conversations": conversations.fastapi_routes.create_router,
+    "datasetio": datasetio.fastapi_routes.create_router,
     "datasets": datasets.fastapi_routes.create_router,
-    "providers": providers.fastapi_routes.create_router,
-    "inspect": inspect_api.fastapi_routes.create_router,
+    "eval": eval.fastapi_routes.create_router,
     "files": files.fastapi_routes.create_router,
+    "inference": inference.fastapi_routes.create_router,
+    "inspect": inspect_api.fastapi_routes.create_router,
+    "models": models.fastapi_routes.create_router,
+    "post_training": post_training.fastapi_routes.create_router,
+    "prompts": prompts.fastapi_routes.create_router,
+    "providers": providers.fastapi_routes.create_router,
+    "safety": safety.fastapi_routes.create_router,
+    "scoring": scoring.fastapi_routes.create_router,
+    "scoring_functions": scoring_functions.fastapi_routes.create_router,
+    "shields": shields.fastapi_routes.create_router,
+    "vector_io": vector_io.fastapi_routes.create_router,
 }
 
 

llama_stack/core/server/server.py

@@ -48,7 +48,7 @@ from llama_stack.core.server.fastapi_router_registry import build_fastapi_router
 from llama_stack.core.server.routes import get_all_api_routes
 from llama_stack.core.stack import (
     Stack,
-    cast_image_name_to_string,
+    cast_distro_name_to_string,
     replace_env_vars,
 )
 from llama_stack.core.utils.config import redact_sensitive_fields
@@ -57,7 +57,7 @@ from llama_stack.core.utils.context import preserve_contexts_async_generator
 from llama_stack.log import LoggingConfig, get_logger
 from llama_stack_api import Api, ConflictError, PaginatedResponse, ResourceNotFoundError
 
-from .auth import AuthenticationMiddleware
+from .auth import AuthenticationMiddleware, RouteAuthorizationMiddleware
 from .quota import QuotaMiddleware
 
 REPO_ROOT = Path(__file__).parent.parent.parent.parent
@@ -88,6 +88,13 @@ async def global_exception_handler(request: Request, exc: Exception):
     traceback.print_exception(type(exc), exc, exc.__traceback__)
     http_exc = translate_exception(exc)
 
+    # OpenAI-compat Vector Stores endpoints treat many "not found" conditions as 400s.
+    # Our core exceptions model these as ResourceNotFoundError (mapped to 404 by default),
+    # but integration tests (and OpenAI client behavior expectations in this repo)
+    # assert they surface as BadRequestError instead.
+    if isinstance(exc, ResourceNotFoundError) and request.url.path.startswith("/v1/vector_stores"):
+        http_exc = HTTPException(status_code=httpx.codes.BAD_REQUEST, detail=str(exc))
+
     return JSONResponse(status_code=http_exc.status_code, content={"error": {"detail": http_exc.detail}})
 
 
@@ -396,7 +403,7 @@ def create_app() -> StackApp:
         logger = get_logger(name=__name__, category="core::server", config=logger_config)
 
         config = replace_env_vars(config_contents)
-        config = StackConfig(**cast_image_name_to_string(config))
+        config = StackConfig(**cast_distro_name_to_string(config))
 
     _log_run_config(run_config=config)
 
@@ -416,8 +423,19 @@ def create_app() -> StackApp:
     impls = app.stack.impls
 
     if config.server.auth:
-        logger.info(f"Enabling authentication with provider: {config.server.auth.provider_config.type.value}")
-        app.add_middleware(AuthenticationMiddleware, auth_config=config.server.auth, impls=impls)
+        # Add route authorization middleware if route_policy is configured
+        # This can work independently of authentication
+        # NOTE: Add this FIRST because middleware wraps in reverse order (last added runs first)
+        # We want: Request → Auth → RouteAuth → App
+        if config.server.auth.route_policy:
+            logger.info(f"Enabling route-level authorization with {len(config.server.auth.route_policy)} rules")
+            app.add_middleware(RouteAuthorizationMiddleware, route_policy=config.server.auth.route_policy)
+
+        # Add authentication middleware only if provider is configured
+        # This runs FIRST in the middleware chain (last added = first to run)
+        if config.server.auth.provider_config:
+            logger.info(f"Enabling authentication with provider: {config.server.auth.provider_config.type.value}")
+            app.add_middleware(AuthenticationMiddleware, auth_config=config.server.auth, impls=impls)
     else:
         if config.server.quota:
             quota = config.server.quota
@@ -474,6 +492,7 @@ def create_app() -> StackApp:
     apis_to_serve.add("providers")
     apis_to_serve.add("prompts")
     apis_to_serve.add("conversations")
+    apis_to_serve.add("connectors")
 
     for api_str in apis_to_serve:
         api = Api(api_str)

llama_stack/core/stack.py

@@ -16,6 +16,7 @@ import yaml
 from pydantic import BaseModel
 
 from llama_stack.core.admin import AdminImpl, AdminImplConfig
+from llama_stack.core.connectors.connectors import ConnectorServiceConfig, ConnectorServiceImpl
 from llama_stack.core.conversations.conversations import ConversationServiceConfig, ConversationServiceImpl
 from llama_stack.core.datatypes import Provider, QualifiedModel, SafetyConfig, StackConfig, VectorStoresConfig
 from llama_stack.core.distribution import get_provider_registry
@@ -42,6 +43,7 @@ from llama_stack_api import (
     Api,
     Batches,
     Benchmarks,
+    Connectors,
     Conversations,
     DatasetIO,
     Datasets,
@@ -54,6 +56,9 @@ from llama_stack_api import (
     Prompts,
     Providers,
     RegisterBenchmarkRequest,
+    RegisterModelRequest,
+    RegisterScoringFunctionRequest,
+    RegisterShieldRequest,
     Safety,
     Scoring,
     ScoringFunctions,
@@ -89,6 +94,7 @@ class LlamaStack(
     Files,
     Prompts,
     Conversations,
+    Connectors,
 ):
     pass
 
@@ -96,15 +102,15 @@ class LlamaStack(
 # Resources to register based on configuration.
 # If a request class is specified, the configuration object will be converted to this class before invoking the registration method.
 RESOURCES = [
-    ("models", Api.models, "register_model", "list_models", None),
-    ("shields", Api.shields, "register_shield", "list_shields", None),
+    ("models", Api.models, "register_model", "list_models", RegisterModelRequest),
+    ("shields", Api.shields, "register_shield", "list_shields", RegisterShieldRequest),
     ("datasets", Api.datasets, "register_dataset", "list_datasets", RegisterDatasetRequest),
     (
         "scoring_fns",
         Api.scoring_functions,
         "register_scoring_function",
         "list_scoring_functions",
-        None,
+        RegisterScoringFunctionRequest,
     ),
     ("benchmarks", Api.benchmarks, "register_benchmark", "list_benchmarks", RegisterBenchmarkRequest),
     ("tool_groups", Api.tool_groups, "register_tool_group", "list_tool_groups", None),
@@ -242,6 +248,34 @@ async def register_resources(run_config: StackConfig, impls: dict[Api, Any]):
             )
 
 
+async def register_connectors(run_config: StackConfig, impls: dict[Api, Any]):
+    """Register connectors from config"""
+    if Api.connectors not in impls:
+        return
+
+    connectors_impl = impls[Api.connectors]
+
+    # Get connector IDs from config
+    config_connector_ids = {c.connector_id for c in run_config.connectors}
+
+    # Register/Update config connectors
+    for connector in run_config.connectors:
+        logger.debug(f"Registering connector: {connector.connector_id}")
+        await connectors_impl.register_connector(
+            connector_id=connector.connector_id,
+            connector_type=connector.connector_type,
+            url=connector.url,
+            server_label=connector.server_label,
+        )
+
+    # Remove connectors not in config (orphan cleanup)
+    existing_connectors = await connectors_impl.list_connectors()
+    for connector in existing_connectors.data:
+        if connector.connector_id not in config_connector_ids:
+            logger.info(f"Removing orphaned connector: {connector.connector_id}")
+            await connectors_impl.unregister_connector(connector.connector_id)
+
+
 async def validate_vector_stores_config(vector_stores_config: VectorStoresConfig | None, impls: dict[Api, Any]):
     """Validate vector stores configuration."""
     if vector_stores_config is None:
@@ -276,7 +310,8 @@ async def _validate_embedding_model(embedding_model: QualifiedModel, impls: dict
             f"Embedding model '{model_identifier}' not found. Available embedding models: {list(models_list.keys())}"
         )
 
-    embedding_dimension = model.metadata.get("embedding_dimension")
+    # if not in metadata, fetch from config default
+    embedding_dimension = model.metadata.get("embedding_dimension", embedding_model.embedding_dimensions)
     if embedding_dimension is None:
         raise ValueError(f"Embedding model '{model_identifier}' is missing 'embedding_dimension' in metadata")
 
@@ -489,10 +524,10 @@ def _convert_string_to_proper_type(value: str) -> Any:
     return value
 
 
-def cast_image_name_to_string(config_dict: dict[str, Any]) -> dict[str, Any]:
-    """Ensure that any value for a key 'image_name' in a config_dict is a string"""
-    if "image_name" in config_dict and config_dict["image_name"] is not None:
-        config_dict["image_name"] = str(config_dict["image_name"])
+def cast_distro_name_to_string(config_dict: dict[str, Any]) -> dict[str, Any]:
+    """Ensure that any value for a key 'distro_name' in a config_dict is a string"""
+    if "distro_name" in config_dict and config_dict["distro_name"] is not None:
+        config_dict["distro_name"] = str(config_dict["distro_name"])
     return config_dict
 
 
@@ -532,6 +567,11 @@ def add_internal_implementations(impls: dict[Api, Any], config: StackConfig) ->
     )
     impls[Api.conversations] = conversations_impl
 
+    connectors_impl = ConnectorServiceImpl(
+        ConnectorServiceConfig(config=config),
+    )
+    impls[Api.connectors] = connectors_impl
+
 
 def _initialize_storage(run_config: StackConfig):
     kv_backends: dict[str, StorageBackendConfig] = {}
@@ -574,7 +614,7 @@ class Stack:
         stores = self.run_config.storage.stores
         if not stores.metadata:
             raise ValueError("storage.stores.metadata must be configured with a kv_* backend")
-        dist_registry, _ = await create_dist_registry(stores.metadata, self.run_config.image_name)
+        dist_registry, _ = await create_dist_registry(stores.metadata, self.run_config.distro_name)
         policy = self.run_config.server.auth.access_policy if self.run_config.server.auth else []
 
         internal_impls = {}
@@ -592,8 +632,11 @@ class Stack:
             await impls[Api.prompts].initialize()
         if Api.conversations in impls:
             await impls[Api.conversations].initialize()
+        if Api.connectors in impls:
+            await impls[Api.connectors].initialize()
 
         await register_resources(self.run_config, impls)
+        await register_connectors(self.run_config, impls)
         await refresh_registry_once(impls)
         await validate_vector_stores_config(self.run_config.vector_stores, impls)
         await validate_safety_config(self.run_config.safety, impls)
@@ -727,7 +770,7 @@ def run_config_from_adhoc_config_spec(
             )
         ]
     config = StackConfig(
-        image_name="distro-test",
+        distro_name="distro-test",
         apis=list(provider_configs_by_api.keys()),
         providers=provider_configs_by_api,
         storage=StorageConfig(
@@ -740,6 +783,7 @@ def run_config_from_adhoc_config_spec(
                 inference=InferenceStoreReference(backend="sql_default", table_name="inference_store"),
                 conversations=SqlStoreReference(backend="sql_default", table_name="openai_conversations"),
                 prompts=KVStoreReference(backend="kv_default", namespace="prompts"),
+                connectors=KVStoreReference(backend="kv_default", namespace="connectors"),
             ),
         ),
     )

llama_stack/core/storage/datatypes.py

@@ -255,6 +255,11 @@ class InferenceStoreReference(SqlStoreReference):
 class ResponsesStoreReference(InferenceStoreReference):
     """Responses store configuration with queue tuning."""
 
+    table_name: str = Field(
+        default="openai_responses",
+        description="Name of the table to use for storing OpenAI responses",
+    )
+
 
 class ServerStoresConfig(BaseModel):
     metadata: KVStoreReference | None = Field(
@@ -286,6 +291,10 @@ class ServerStoresConfig(BaseModel):
         default=KVStoreReference(backend="kv_default", namespace="prompts"),
         description="Prompts store configuration (uses KV backend)",
     )
+    connectors: KVStoreReference | None = Field(
+        default=KVStoreReference(backend="kv_default", namespace="connectors"),
+        description="Connectors store configuration (uses KV backend)",
+    )
 
 
 class StorageConfig(BaseModel):