nvidia-nat 1.4.0a20251028__py3-none-any.whl → 1.4.0a20251030__py3-none-any.whl

nat/authentication/api_key/api_key_auth_provider.py

@@ -15,8 +15,6 @@
 
 import logging
 
-from pydantic import SecretStr
-
 from nat.authentication.api_key.api_key_auth_provider_config import APIKeyAuthProviderConfig
 from nat.authentication.interfaces import AuthProviderBase
 from nat.data_models.authentication import AuthResult
@@ -29,11 +27,10 @@ logger = logging.getLogger(__name__)
 class APIKeyAuthProvider(AuthProviderBase[APIKeyAuthProviderConfig]):
 
     # fmt: off
-    def __init__(self,
-                 config: APIKeyAuthProviderConfig,
-                 config_name: str | None = None) -> None:
+    def __init__(self, config: APIKeyAuthProviderConfig, config_name: str | None = None) -> None:
         assert isinstance(config, APIKeyAuthProviderConfig), ("Config is not APIKeyAuthProviderConfig")
         super().__init__(config)
+
     # fmt: on
 
     async def _construct_authentication_header(self) -> BearerTokenCred:
@@ -58,14 +55,12 @@ class APIKeyAuthProvider(AuthProviderBase[APIKeyAuthProviderConfig]):
         header_auth_scheme = config.auth_scheme
 
         if header_auth_scheme == HeaderAuthScheme.BEARER:
-            return BearerTokenCred(token=SecretStr(f"{config.raw_key}"),
+            return BearerTokenCred(token=config.raw_key,
                                    scheme=HeaderAuthScheme.BEARER.value,
                                    header_name=AUTHORIZATION_HEADER)
 
         if header_auth_scheme == HeaderAuthScheme.X_API_KEY:
-            return BearerTokenCred(token=SecretStr(f"{config.raw_key}"),
-                                   scheme=HeaderAuthScheme.X_API_KEY.value,
-                                   header_name='')
+            return BearerTokenCred(token=config.raw_key, scheme=HeaderAuthScheme.X_API_KEY.value, header_name='')
 
         if header_auth_scheme == HeaderAuthScheme.CUSTOM:
             if not config.custom_header_name:
@@ -74,7 +69,7 @@ class APIKeyAuthProvider(AuthProviderBase[APIKeyAuthProviderConfig]):
             if not config.custom_header_prefix:
                 raise ValueError('custom_header_prefix required when using header_auth_scheme=CUSTOM')
 
-            return BearerTokenCred(token=SecretStr(f"{config.raw_key}"),
+            return BearerTokenCred(token=config.raw_key,
                                    scheme=config.custom_header_prefix,
                                    header_name=config.custom_header_name)
 

nat/authentication/api_key/api_key_auth_provider_config.py

@@ -25,6 +25,7 @@ from nat.authentication.exceptions.api_key_exceptions import HeaderNameFieldErro
 from nat.authentication.exceptions.api_key_exceptions import HeaderPrefixFieldError
 from nat.data_models.authentication import AuthProviderBaseConfig
 from nat.data_models.authentication import HeaderAuthScheme
+from nat.data_models.common import SerializableSecretStr
 
 logger = logging.getLogger(__name__)
 
@@ -37,8 +38,9 @@ class APIKeyAuthProviderConfig(AuthProviderBaseConfig, name="api_key"):
     API Key authentication configuration model.
     """
 
-    raw_key: str = Field(description=("Raw API token or credential to be injected into the request parameter. "
-                                      "Used for 'bearer','x-api-key','custom', and other schemes. "))
+    raw_key: SerializableSecretStr = Field(
+        description=("Raw API token or credential to be injected into the request parameter. "
+                     "Used for 'bearer','x-api-key','custom', and other schemes. "))
 
     auth_scheme: HeaderAuthScheme = Field(default=HeaderAuthScheme.BEARER,
                                           description=("The HTTP authentication scheme to use. "
@@ -53,7 +55,7 @@ class APIKeyAuthProviderConfig(AuthProviderBaseConfig, name="api_key"):
 
     @field_validator('raw_key')
     @classmethod
-    def validate_raw_key(cls, value: str) -> str:
+    def validate_raw_key(cls, value: SerializableSecretStr) -> SerializableSecretStr:
         if not value:
             raise APIKeyFieldError('value_missing', 'raw_key field value is required.')
 
@@ -63,11 +65,12 @@ class APIKeyAuthProviderConfig(AuthProviderBaseConfig, name="api_key"):
                 'raw_key field value must be at least 8 characters long for security. '
                 f'Got: {len(value)} characters.')
 
-        if len(value.strip()) != len(value):
+        str_value = value.get_secret_value()
+        if len(str_value.strip()) != len(value):
             raise APIKeyFieldError('whitespace_found',
                                    'raw_key field value cannot have leading or trailing whitespace.')
 
-        if any(c in string.whitespace for c in value):
+        if any(c in string.whitespace for c in str_value):
             raise APIKeyFieldError('contains_whitespace', 'raw_key must not contain any '
                                    'whitespace characters.')
 

nat/authentication/oauth2/oauth2_auth_code_flow_provider_config.py

@@ -16,12 +16,13 @@
 from pydantic import Field
 
 from nat.data_models.authentication import AuthProviderBaseConfig
+from nat.data_models.common import SerializableSecretStr
 
 
 class OAuth2AuthCodeFlowProviderConfig(AuthProviderBaseConfig, name="oauth2_auth_code_flow"):
 
     client_id: str = Field(description="The client ID for OAuth 2.0 authentication.")
-    client_secret: str = Field(description="The secret associated with the client_id.")
+    client_secret: SerializableSecretStr = Field(description="The secret associated with the client_id.")
     authorization_url: str = Field(description="The authorization URL for OAuth 2.0 authentication.")
     token_url: str = Field(description="The token URL for OAuth 2.0 authentication.")
     token_endpoint_auth_method: str | None = Field(

nat/authentication/oauth2/oauth2_resource_server_config.py

@@ -20,6 +20,7 @@ from pydantic import field_validator
 from pydantic import model_validator
 
 from nat.data_models.authentication import AuthProviderBaseConfig
+from nat.data_models.common import OptionalSecretStr
 
 
 class OAuth2ResourceServerConfig(AuthProviderBaseConfig, name="oauth2_resource_server"):
@@ -66,7 +67,7 @@ class OAuth2ResourceServerConfig(AuthProviderBaseConfig, name="oauth2_resource_s
         default=None,
         description="OAuth2 client ID for authenticating to the introspection endpoint (opaque token validation).",
     )
-    client_secret: str | None = Field(
+    client_secret: OptionalSecretStr = Field(
         default=None,
         description="OAuth2 client secret for authenticating to the introspection endpoint (opaque token validation).",
     )

nat/data_models/api_server.py

@@ -31,6 +31,7 @@ from pydantic import field_validator
 from pydantic import model_validator
 from pydantic_core.core_schema import ValidationInfo
 
+from nat.data_models.common import SerializableSecretStr
 from nat.data_models.interactive import HumanPrompt
 from nat.utils.type_converter import GlobalTypeConverter
 
@@ -109,8 +110,8 @@ class TextContent(BaseModel):
 class Security(BaseModel):
     model_config = ConfigDict(extra="forbid")
 
-    api_key: str = "default"
-    token: str = "default"
+    api_key: SerializableSecretStr = Field(default="default")
+    token: SerializableSecretStr = Field(default="default")
 
 
 UserContent = typing.Annotated[TextContent | ImageContent | AudioContent, Discriminator("type")]

nat/data_models/common.py

@@ -14,6 +14,7 @@
 # limitations under the License.
 
 import inspect
+import os
 import sys
 import typing
 from hashlib import sha512
@@ -21,6 +22,8 @@ from hashlib import sha512
 from pydantic import AliasChoices
 from pydantic import BaseModel
 from pydantic import Field
+from pydantic import PlainSerializer
+from pydantic import SecretStr
 from pydantic.json_schema import GenerateJsonSchema
 from pydantic.json_schema import JsonSchemaMode
 
@@ -169,3 +172,47 @@ class TypedBaseModel(BaseModel):
 
 
 TypedBaseModelT = typing.TypeVar("TypedBaseModelT", bound=TypedBaseModel)
+
+
+def get_secret_value(v: SecretStr | None) -> str | None:
+    """
+    Extract the secret value from a SecretStr or return None.
+
+    Parameters
+    ----------
+    v: SecretStr or None.
+        A field defined as OptionalSecretStr, which is either a SecretStr or None.
+
+    Returns
+    -------
+    str | None
+        The secret value as a plain string, or None if v is None.
+    """
+    if v is None:
+        return None
+    return v.get_secret_value()
+
+
+def set_secret_from_env(model: BaseModel, field_name: str, env_var: str):
+    """
+    Set a SecretStr field in a Pydantic model from an environment variable, but only if the environment variable is set.
+
+    Parameters
+    ----------
+    model: BaseModel
+        The Pydantic model instance containing the field to set.
+    field_name: str
+        The name of the field in the model to set.
+    env_var: str
+        The name of the environment variable to read the secret value from.
+    """
+    env_value = os.getenv(env_var)
+    if env_value is not None:
+        setattr(model, field_name, SecretStr(env_value))
+
+
+# A SecretStr that serializes to plain string
+SerializableSecretStr = typing.Annotated[SecretStr, PlainSerializer(get_secret_value)]
+
+# A SecretStr or None that serializes to plain string
+OptionalSecretStr = typing.Annotated[SecretStr | None, PlainSerializer(get_secret_value)]

nat/data_models/dataset_handler.py

@@ -26,6 +26,7 @@ from pydantic import FilePath
 from pydantic import Tag
 
 from nat.data_models.common import BaseModelRegistryTag
+from nat.data_models.common import SerializableSecretStr
 from nat.data_models.common import TypedBaseModel
 
 
@@ -34,8 +35,8 @@ class EvalS3Config(BaseModel):
     endpoint_url: str | None = None
     region_name: str | None = None
     bucket: str
-    access_key: str
-    secret_key: str
+    access_key: SerializableSecretStr
+    secret_key: SerializableSecretStr
 
 
 class EvalFilterEntryConfig(BaseModel):

nat/embedder/azure_openai_embedder.py

@@ -20,6 +20,7 @@ from pydantic import Field
 from nat.builder.builder import Builder
 from nat.builder.embedder import EmbedderProviderInfo
 from nat.cli.register_workflow import register_embedder_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.embedder import EmbedderBaseConfig
 from nat.data_models.retry_mixin import RetryMixin
 
@@ -29,7 +30,7 @@ class AzureOpenAIEmbedderModelConfig(EmbedderBaseConfig, RetryMixin, name="azure
 
     model_config = ConfigDict(protected_namespaces=(), extra="allow")
 
-    api_key: str | None = Field(default=None, description="Azure OpenAI API key to interact with hosted model.")
+    api_key: OptionalSecretStr = Field(default=None, description="Azure OpenAI API key to interact with hosted model.")
     api_version: str = Field(default="2025-04-01-preview", description="Azure OpenAI API version.")
     azure_endpoint: str | None = Field(validation_alias=AliasChoices("azure_endpoint", "base_url"),
                                        serialization_alias="azure_endpoint",

nat/embedder/nim_embedder.py

@@ -23,6 +23,7 @@ from pydantic import Field
 from nat.builder.builder import Builder
 from nat.builder.embedder import EmbedderProviderInfo
 from nat.cli.register_workflow import register_embedder_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.embedder import EmbedderBaseConfig
 from nat.data_models.retry_mixin import RetryMixin
 
@@ -41,7 +42,7 @@ TruncationOption = typing.Annotated[str, AfterValidator(option_in_allowed_values
 class NIMEmbedderModelConfig(EmbedderBaseConfig, RetryMixin, name="nim"):
     """A NVIDIA Inference Microservice (NIM) embedder provider to be used with an embedder client."""
 
-    api_key: str | None = Field(default=None, description="NVIDIA API key to interact with hosted NIM.")
+    api_key: OptionalSecretStr = Field(default=None, description="NVIDIA API key to interact with hosted NIM.")
     base_url: str | None = Field(default=None, description="Base url to the hosted NIM.")
     model_name: str = Field(validation_alias=AliasChoices("model_name", "model"),
                             serialization_alias="model",

nat/embedder/openai_embedder.py

@@ -20,6 +20,7 @@ from pydantic import Field
 from nat.builder.builder import Builder
 from nat.builder.embedder import EmbedderProviderInfo
 from nat.cli.register_workflow import register_embedder_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.embedder import EmbedderBaseConfig
 from nat.data_models.retry_mixin import RetryMixin
 
@@ -29,7 +30,7 @@ class OpenAIEmbedderModelConfig(EmbedderBaseConfig, RetryMixin, name="openai"):
 
     model_config = ConfigDict(protected_namespaces=(), extra="allow")
 
-    api_key: str | None = Field(default=None, description="OpenAI API key to interact with hosted model.")
+    api_key: OptionalSecretStr = Field(default=None, description="OpenAI API key to interact with hosted model.")
     base_url: str | None = Field(default=None, description="Base url to the hosted model.")
     model_name: str = Field(validation_alias=AliasChoices("model_name", "model"),
                             serialization_alias="model",

nat/eval/dataset_handler/dataset_downloader.py

@@ -19,6 +19,7 @@ import boto3
 import requests
 from botocore.exceptions import NoCredentialsError
 
+from nat.data_models.common import get_secret_value
 from nat.data_models.dataset_handler import EvalDatasetConfig
 
 logger = logging.getLogger(__name__)
@@ -46,8 +47,8 @@ class DatasetDownloader:
             try:
                 self._s3_client = boto3.client("s3",
                                                endpoint_url=self.s3_config.endpoint_url,
-                                               aws_access_key_id=self.s3_config.access_key,
-                                               aws_secret_access_key=self.s3_config.secret_key)
+                                               aws_access_key_id=get_secret_value(self.s3_config.access_key),
+                                               aws_secret_access_key=get_secret_value(self.s3_config.secret_key))
             except NoCredentialsError as e:
                 logger.error("AWS credentials not available: %s", e)
                 raise

nat/eval/utils/output_uploader.py

@@ -24,6 +24,7 @@ import aioboto3
 from botocore.exceptions import NoCredentialsError
 from tqdm import tqdm
 
+from nat.data_models.common import get_secret_value
 from nat.data_models.evaluate import EvalOutputConfig
 
 logger = logging.getLogger(__name__)
@@ -90,8 +91,8 @@ class OutputUploader:
                     "s3",
                     endpoint_url=endpoint_url,
                     region_name=region_name,
-                    aws_access_key_id=self.s3_config.access_key,
-                    aws_secret_access_key=self.s3_config.secret_key,
+                    aws_access_key_id=get_secret_value(self.s3_config.access_key),
+                    aws_secret_access_key=get_secret_value(self.s3_config.secret_key),
             ) as s3_client:
                 with tqdm(total=len(file_entries), desc="Uploading files to S3") as pbar:
                     upload_tasks = [

nat/front_ends/console/authentication_flow_handler.py

@@ -95,7 +95,7 @@ class ConsoleAuthenticationFlowHandler(FlowHandlerBase):
         try:
             client = AsyncOAuth2Client(
                 client_id=cfg.client_id,
-                client_secret=cfg.client_secret,
+                client_secret=cfg.client_secret.get_secret_value(),
                 redirect_uri=cfg.redirect_uri,
                 scope=" ".join(cfg.scopes) if cfg.scopes else None,
                 token_endpoint=cfg.token_url,

nat/front_ends/mcp/mcp_front_end_config.py

@@ -17,6 +17,7 @@ import logging
 from typing import Literal
 
 from pydantic import Field
+from pydantic import field_validator
 from pydantic import model_validator
 
 from nat.authentication.oauth2.oauth2_resource_server_config import OAuth2ResourceServerConfig
@@ -47,10 +48,25 @@ class MCPFrontEndConfig(FrontEndBaseConfig, name="mcp"):
         description="Transport type for the MCP server (default: streamable-http, backwards compatible with sse)")
     runner_class: str | None = Field(
         default=None, description="Custom worker class for handling MCP routes (default: built-in worker)")
+    base_path: str | None = Field(default=None,
+                                  description="Base path to mount the MCP server at (e.g., '/api/v1'). "
+                                  "If specified, the server will be accessible at http://host:port{base_path}/mcp. "
+                                  "If None, server runs at root path /mcp.")
 
     server_auth: OAuth2ResourceServerConfig | None = Field(
         default=None, description=("OAuth 2.0 Resource Server configuration for token verification."))
 
+    @field_validator('base_path')
+    @classmethod
+    def validate_base_path(cls, v: str | None) -> str | None:
+        """Validate that base_path starts with '/' and doesn't end with '/'."""
+        if v is not None:
+            if not v.startswith('/'):
+                raise ValueError("base_path must start with '/'")
+            if v.endswith('/'):
+                raise ValueError("base_path must not end with '/'")
+        return v
+
     # Memory profiling configuration
     enable_memory_profiling: bool = Field(default=False,
                                           description="Enable memory profiling and diagnostics (default: False)")

nat/front_ends/mcp/mcp_front_end_plugin.py

@@ -16,12 +16,14 @@
 import logging
 import typing
 
-from nat.authentication.oauth2.oauth2_resource_server_config import OAuth2ResourceServerConfig
 from nat.builder.front_end import FrontEndBase
 from nat.builder.workflow_builder import WorkflowBuilder
 from nat.front_ends.mcp.mcp_front_end_config import MCPFrontEndConfig
 from nat.front_ends.mcp.mcp_front_end_plugin_worker import MCPFrontEndPluginWorkerBase
 
+if typing.TYPE_CHECKING:
+    from mcp.server.fastmcp import FastMCP
+
 logger = logging.getLogger(__name__)
 
 
@@ -43,7 +45,7 @@ class MCPFrontEndPlugin(FrontEndBase[MCPFrontEndConfig]):
         worker_class = self.get_worker_class()
         return f"{worker_class.__module__}.{worker_class.__qualname__}"
 
-    def _get_worker_instance(self) -> MCPFrontEndPluginWorkerBase:
+    def _get_worker_instance(self):
         """Get an instance of the worker class."""
         # Import the worker class dynamically if specified in config
         if self.front_end_config.runner_class:
@@ -56,61 +58,94 @@ class MCPFrontEndPlugin(FrontEndBase[MCPFrontEndConfig]):
 
         return worker_class(self.full_config)
 
-    async def _create_token_verifier(self, token_verifier_config: OAuth2ResourceServerConfig):
-        """Create a token verifier based on configuration."""
-        from nat.front_ends.mcp.introspection_token_verifier import IntrospectionTokenVerifier
-
-        if not self.front_end_config.server_auth:
-            return None
-
-        return IntrospectionTokenVerifier(token_verifier_config)
-
     async def run(self) -> None:
         """Run the MCP server."""
-        # Import FastMCP
-        from mcp.server.fastmcp import FastMCP
-
-        # Create auth settings and token verifier if auth is required
-        auth_settings = None
-        token_verifier = None
-
         # Build the workflow and add routes using the worker
         async with WorkflowBuilder.from_config(config=self.full_config) as builder:
 
-            if self.front_end_config.server_auth:
-                from mcp.server.auth.settings import AuthSettings
-                from pydantic import AnyHttpUrl
-
-                server_url = f"http://{self.front_end_config.host}:{self.front_end_config.port}"
-
-                auth_settings = AuthSettings(issuer_url=AnyHttpUrl(self.front_end_config.server_auth.issuer_url),
-                                             required_scopes=self.front_end_config.server_auth.scopes,
-                                             resource_server_url=AnyHttpUrl(server_url))
-
-                token_verifier = await self._create_token_verifier(self.front_end_config.server_auth)
-
-            # Create an MCP server with the configured parameters
-            mcp = FastMCP(name=self.front_end_config.name,
-                          host=self.front_end_config.host,
-                          port=self.front_end_config.port,
-                          debug=self.front_end_config.debug,
-                          auth=auth_settings,
-                          token_verifier=token_verifier)
-
-            # Get the worker instance and set up routes
+            # Get the worker instance
             worker = self._get_worker_instance()
 
+            # Let the worker create the MCP server (allows plugins to customize)
+            mcp = await worker.create_mcp_server()
+
             # Add routes through the worker (includes health endpoint and function registration)
             await worker.add_routes(mcp, builder)
 
             # Start the MCP server with configurable transport
             # streamable-http is the default, but users can choose sse if preferred
             try:
-                if self.front_end_config.transport == "sse":
+                # If base_path is configured, mount server at sub-path using FastAPI wrapper
+                if self.front_end_config.base_path:
+                    if self.front_end_config.transport == "sse":
+                        logger.warning(
+                            "base_path is configured but SSE transport does not support mounting at sub-paths. "
+                            "Use streamable-http transport for base_path support.")
+                        logger.info("Starting MCP server with SSE endpoint at /sse")
+                        await mcp.run_sse_async()
+                    else:
+                        full_url = f"http://{self.front_end_config.host}:{self.front_end_config.port}{self.front_end_config.base_path}/mcp"
+                        logger.info(
+                            "Mounting MCP server at %s/mcp on %s:%s",
+                            self.front_end_config.base_path,
+                            self.front_end_config.host,
+                            self.front_end_config.port,
+                        )
+                        logger.info("MCP server URL: %s", full_url)
+                        await self._run_with_mount(mcp)
+                # Standard behavior - run at root path
+                elif self.front_end_config.transport == "sse":
                     logger.info("Starting MCP server with SSE endpoint at /sse")
                     await mcp.run_sse_async()
                 else:  # streamable-http
-                    logger.info("Starting MCP server with streamable-http endpoint at /mcp/")
+                    full_url = f"http://{self.front_end_config.host}:{self.front_end_config.port}/mcp"
+                    logger.info("MCP server URL: %s", full_url)
                     await mcp.run_streamable_http_async()
             except KeyboardInterrupt:
                 logger.info("MCP server shutdown requested (Ctrl+C). Shutting down gracefully.")
+
+    async def _run_with_mount(self, mcp: "FastMCP") -> None:
+        """Run MCP server mounted at configured base_path using FastAPI wrapper.
+
+        Args:
+            mcp: The FastMCP server instance to mount
+        """
+        import contextlib
+
+        import uvicorn
+        from fastapi import FastAPI
+
+        @contextlib.asynccontextmanager
+        async def lifespan(_app: FastAPI):
+            """Manage MCP server session lifecycle."""
+            logger.info("Starting MCP server session manager...")
+            async with contextlib.AsyncExitStack() as stack:
+                try:
+                    # Initialize the MCP server's session manager
+                    await stack.enter_async_context(mcp.session_manager.run())
+                    logger.info("MCP server session manager started successfully")
+                    yield
+                except Exception as e:
+                    logger.error("Failed to start MCP server session manager: %s", e)
+                    raise
+            logger.info("MCP server session manager stopped")
+
+        # Create a FastAPI wrapper app with lifespan management
+        app = FastAPI(
+            title=self.front_end_config.name,
+            description="MCP server mounted at custom base path",
+            lifespan=lifespan,
+        )
+
+        # Mount the MCP server's ASGI app at the configured base_path
+        app.mount(self.front_end_config.base_path, mcp.streamable_http_app())
+
+        # Configure and start uvicorn server
+        config = uvicorn.Config(
+            app,
+            host=self.front_end_config.host,
+            port=self.front_end_config.port,
+            log_level=self.front_end_config.log_level.lower(),
+        )
+        server = uvicorn.Server(config)
+        await server.serve()

nat/front_ends/mcp/mcp_front_end_plugin_worker.py

@@ -35,7 +35,12 @@ logger = logging.getLogger(__name__)
 
 
 class MCPFrontEndPluginWorkerBase(ABC):
-    """Base class for MCP front end plugin workers."""
+    """Base class for MCP front end plugin workers.
+
+    This abstract base class provides shared utilities and defines the contract
+    for MCP worker implementations. Most users should inherit from
+    MCPFrontEndPluginWorker instead of this class directly.
+    """
 
     def __init__(self, config: Config):
         """Initialize the MCP worker with configuration.
@@ -83,15 +88,86 @@ class MCPFrontEndPluginWorkerBase(ABC):
                 },
                                     status_code=503)
 
+    @abstractmethod
+    async def create_mcp_server(self) -> FastMCP:
+        """Create and configure the MCP server instance.
+
+        This is the main extension point. Plugins can return FastMCP or any subclass
+        to customize server behavior (for example, add authentication, custom transports).
+
+        Returns:
+            FastMCP instance or a subclass with custom behavior
+        """
+        ...
+
     @abstractmethod
     async def add_routes(self, mcp: FastMCP, builder: WorkflowBuilder):
         """Add routes to the MCP server.
 
+        Plugins must implement this method. Most plugins can call
+        _default_add_routes() for standard behavior and then add
+        custom enhancements.
+
+        Args:
+            mcp: The FastMCP server instance
+            builder: The workflow builder instance
+        """
+        ...
+
+    async def _default_add_routes(self, mcp: FastMCP, builder: WorkflowBuilder):
+        """Default route registration logic - reusable by subclasses.
+
+        This is a protected helper method that plugins can call to get
+        standard route registration behavior. Plugins typically call this
+        from their add_routes() implementation and then add custom features.
+
+        This method:
+        - Sets up the health endpoint
+        - Builds the workflow and extracts all functions
+        - Filters functions based on tool_names config
+        - Registers each function as an MCP tool
+        - Sets up debug endpoints for tool introspection
+
         Args:
             mcp: The FastMCP server instance
-            builder (WorkflowBuilder): The workflow builder instance
+            builder: The workflow builder instance
         """
-        pass
+        from nat.front_ends.mcp.tool_converter import register_function_with_mcp
+
+        # Set up the health endpoint
+        self._setup_health_endpoint(mcp)
+
+        # Build the workflow and register all functions with MCP
+        workflow = await builder.build()
+
+        # Get all functions from the workflow
+        functions = await self._get_all_functions(workflow)
+
+        # Filter functions based on tool_names if provided
+        if self.front_end_config.tool_names:
+            logger.info("Filtering functions based on tool_names: %s", self.front_end_config.tool_names)
+            filtered_functions: dict[str, Function] = {}
+            for function_name, function in functions.items():
+                if function_name in self.front_end_config.tool_names:
+                    # Treat current tool_names as function names, so check if the function name is in the list
+                    filtered_functions[function_name] = function
+                elif any(function_name.startswith(f"{group_name}.") for group_name in self.front_end_config.tool_names):
+                    # Treat tool_names as function group names, so check if the function name starts with the group name
+                    filtered_functions[function_name] = function
+                else:
+                    logger.debug("Skipping function %s as it's not in tool_names", function_name)
+            functions = filtered_functions
+
+        # Register each function with MCP, passing workflow context for observability
+        for function_name, function in functions.items():
+            register_function_with_mcp(mcp, function_name, function, workflow, self.memory_profiler)
+
+        # Add a simple fallback function if no functions were found
+        if not functions:
+            raise RuntimeError("No functions found in workflow. Please check your configuration.")
+
+        # After registration, expose debug endpoints for tool/schema inspection
+        self._setup_debug_endpoints(mcp, functions)
 
     async def _get_all_functions(self, workflow: Workflow) -> dict[str, Function]:
         """Get all functions from the workflow.
@@ -225,48 +301,62 @@ class MCPFrontEndPluginWorkerBase(ABC):
 
 
 class MCPFrontEndPluginWorker(MCPFrontEndPluginWorkerBase):
-    """Default MCP front end plugin worker implementation."""
+    """Default MCP server worker implementation.
 
-    async def add_routes(self, mcp: FastMCP, builder: WorkflowBuilder):
-        """Add default routes to the MCP server.
+    Inherit from this class to create custom MCP workers that extend or modify
+    server behavior. Override create_mcp_server() to use a different server type,
+    and override add_routes() to add custom functionality.
 
-        Args:
-            mcp: The FastMCP server instance
-            builder (WorkflowBuilder): The workflow builder instance
+    Example:
+        class CustomWorker(MCPFrontEndPluginWorker):
+            async def create_mcp_server(self):
+                # Return custom MCP server instance
+                return MyCustomFastMCP(...)
+
+            async def add_routes(self, mcp, builder):
+                # Get default routes
+                await super().add_routes(mcp, builder)
+                # Add custom features
+                self._add_my_custom_features(mcp)
+    """
+
+    async def create_mcp_server(self) -> FastMCP:
+        """Create default MCP server with optional authentication.
+
+        Returns:
+            FastMCP instance configured with settings from NAT config
         """
-        from nat.front_ends.mcp.tool_converter import register_function_with_mcp
+        # Handle auth if configured
+        auth_settings = None
+        token_verifier = None
 
-        # Set up the health endpoint
-        self._setup_health_endpoint(mcp)
+        if self.front_end_config.server_auth:
+            from mcp.server.auth.settings import AuthSettings
+            from pydantic import AnyHttpUrl
 
-        # Build the workflow and register all functions with MCP
-        workflow = await builder.build()
+            server_url = f"http://{self.front_end_config.host}:{self.front_end_config.port}"
+            auth_settings = AuthSettings(issuer_url=AnyHttpUrl(self.front_end_config.server_auth.issuer_url),
+                                         required_scopes=self.front_end_config.server_auth.scopes,
+                                         resource_server_url=AnyHttpUrl(server_url))
 
-        # Get all functions from the workflow
-        functions = await self._get_all_functions(workflow)
+            # Create token verifier
+            from nat.front_ends.mcp.introspection_token_verifier import IntrospectionTokenVerifier
 
-        # Filter functions based on tool_names if provided
-        if self.front_end_config.tool_names:
-            logger.info("Filtering functions based on tool_names: %s", self.front_end_config.tool_names)
-            filtered_functions: dict[str, Function] = {}
-            for function_name, function in functions.items():
-                if function_name in self.front_end_config.tool_names:
-                    # Treat current tool_names as function names, so check if the function name is in the list
-                    filtered_functions[function_name] = function
-                elif any(function_name.startswith(f"{group_name}.") for group_name in self.front_end_config.tool_names):
-                    # Treat tool_names as function group names, so check if the function name starts with the group name
-                    filtered_functions[function_name] = function
-                else:
-                    logger.debug("Skipping function %s as it's not in tool_names", function_name)
-            functions = filtered_functions
+            token_verifier = IntrospectionTokenVerifier(self.front_end_config.server_auth)
 
-        # Register each function with MCP, passing workflow context for observability
-        for function_name, function in functions.items():
-            register_function_with_mcp(mcp, function_name, function, workflow, self.memory_profiler)
+        return FastMCP(name=self.front_end_config.name,
+                       host=self.front_end_config.host,
+                       port=self.front_end_config.port,
+                       debug=self.front_end_config.debug,
+                       auth=auth_settings,
+                       token_verifier=token_verifier)
 
-        # Add a simple fallback function if no functions were found
-        if not functions:
-            raise RuntimeError("No functions found in workflow. Please check your configuration.")
+    async def add_routes(self, mcp: FastMCP, builder: WorkflowBuilder):
+        """Add default routes to the MCP server.
 
-        # After registration, expose debug endpoints for tool/schema inspection
-        self._setup_debug_endpoints(mcp, functions)
+        Args:
+            mcp: The FastMCP server instance
+            builder: The workflow builder instance
+        """
+        # Use the default implementation from base class to add the tools to the MCP server
+        await self._default_add_routes(mcp, builder)

nat/front_ends/mcp/tool_converter.py

@@ -18,9 +18,12 @@ import logging
 from inspect import Parameter
 from inspect import Signature
 from typing import TYPE_CHECKING
+from typing import Any
 
 from mcp.server.fastmcp import FastMCP
 from pydantic import BaseModel
+from pydantic.fields import FieldInfo
+from pydantic_core import PydanticUndefined
 
 from nat.builder.context import ContextState
 from nat.builder.function import Function
@@ -32,6 +35,41 @@ if TYPE_CHECKING:
 
 logger = logging.getLogger(__name__)
 
+# Sentinel: marks "optional; let Pydantic supply default/factory"
+_USE_PYDANTIC_DEFAULT = object()
+
+
+def is_field_optional(field: FieldInfo) -> tuple[bool, Any]:
+    """Determine if a Pydantic field is optional and extract its default value for MCP signatures.
+
+    For MCP tool signatures, we need to distinguish:
+    - Required fields: marked with Parameter.empty
+    - Optional with concrete default: use that default
+    - Optional with factory: use sentinel so Pydantic can apply the factory later
+
+    Args:
+        field: The Pydantic FieldInfo to check
+
+    Returns:
+        A tuple of (is_optional, default_value):
+        - (False, Parameter.empty) for required fields
+        - (True, actual_default) for optional fields with explicit defaults
+        - (True, _USE_PYDANTIC_DEFAULT) for optional fields with default_factory
+    """
+    if field.is_required():
+        return False, Parameter.empty
+
+    # Field is optional - has either default or factory
+    if field.default is not PydanticUndefined:
+        return True, field.default
+
+    # Factory case: mark optional in signature but don't fabricate a value
+    if field.default_factory is not None:
+        return True, _USE_PYDANTIC_DEFAULT
+
+    # Rare corner case: non-required yet no default surfaced
+    return True, _USE_PYDANTIC_DEFAULT
+
 
 def create_function_wrapper(
     function_name: str,
@@ -79,12 +117,15 @@ def create_function_wrapper(
             # Get the field type and convert to appropriate Python type
             field_type = field.annotation
 
+            # Check if field is optional and get its default value
+            _is_optional, param_default = is_field_optional(field)
+
             # Add the parameter to our list
             parameters.append(
                 Parameter(
                     name=name,
                     kind=Parameter.KEYWORD_ONLY,
-                    default=Parameter.empty if field.is_required else None,
+                    default=param_default,
                     annotation=field_type,
                 ))
 
@@ -143,33 +184,23 @@ def create_function_wrapper(
                         result = await call_with_observability(lambda: function.ainvoke(chat_request, to_type=str))
                 else:
                     # Regular handling
-                    # Handle complex input schema - if we extracted fields from a nested schema,
-                    # we need to reconstruct the input
-                    if len(schema.model_fields) == 1 and len(parameters) > 1:
-                        # Get the field name from the original schema
-                        field_name = next(iter(schema.model_fields.keys()))
-                        field_type = schema.model_fields[field_name].annotation
-
-                        # If it's a pydantic model, we need to create an instance
-                        if field_type and hasattr(field_type, "model_validate"):
-                            # Create the nested object
-                            nested_obj = field_type.model_validate(kwargs)
-                            # Call with the nested object
-                            kwargs = {field_name: nested_obj}
+                    # Strip sentinel values so Pydantic can apply defaults/factories
+                    cleaned_kwargs = {k: v for k, v in kwargs.items() if v is not _USE_PYDANTIC_DEFAULT}
+
+                    # Always validate with the declared schema
+                    # This handles defaults, factories, nested models, validators, etc.
+                    model_input = schema.model_validate(cleaned_kwargs)
 
                     # Call the NAT function with the parameters - special handling for Workflow
                     if is_workflow:
-                        # For workflow with regular input, we'll assume the first parameter is the input
-                        input_value = list(kwargs.values())[0] if kwargs else ""
-
-                        # Workflows have a run method that is an async context manager
-                        # that returns a Runner
-                        async with function.run(input_value) as runner:
+                        # Workflows expect the model instance directly
+                        async with function.run(model_input) as runner:
                             # Get the result from the runner
                             result = await runner.result(to_type=str)
                     else:
-                        # Regular function call
-                        result = await call_with_observability(lambda: function.acall_invoke(**kwargs))
+                        # Regular function call - unpack the validated model
+                        result = await call_with_observability(lambda: function.acall_invoke(**model_input.model_dump())
+                                                               )
 
                 # Report completion
                 if ctx:

nat/llm/azure_openai_llm.py

@@ -20,6 +20,7 @@ from pydantic import Field
 from nat.builder.builder import Builder
 from nat.builder.llm import LLMProviderInfo
 from nat.cli.register_workflow import register_llm_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.llm import LLMBaseConfig
 from nat.data_models.retry_mixin import RetryMixin
 from nat.data_models.temperature_mixin import TemperatureMixin
@@ -39,7 +40,7 @@ class AzureOpenAIModelConfig(
 
     model_config = ConfigDict(protected_namespaces=(), extra="allow")
 
-    api_key: str | None = Field(default=None, description="Azure OpenAI API key to interact with hosted model.")
+    api_key: OptionalSecretStr = Field(default=None, description="Azure OpenAI API key to interact with hosted model.")
     api_version: str = Field(default="2025-04-01-preview", description="Azure OpenAI API version.")
     azure_endpoint: str | None = Field(validation_alias=AliasChoices("azure_endpoint", "base_url"),
                                        serialization_alias="azure_endpoint",

nat/llm/litellm_llm.py

@@ -22,6 +22,7 @@ from pydantic import Field
 from nat.builder.builder import Builder
 from nat.builder.llm import LLMProviderInfo
 from nat.cli.register_workflow import register_llm_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.llm import LLMBaseConfig
 from nat.data_models.optimizable import OptimizableField
 from nat.data_models.optimizable import OptimizableMixin
@@ -44,7 +45,7 @@ class LiteLlmModelConfig(
 
     model_config = ConfigDict(protected_namespaces=(), extra="allow")
 
-    api_key: str | None = Field(default=None, description="API key to interact with hosted model.")
+    api_key: OptionalSecretStr = Field(default=None, description="API key to interact with hosted model.")
     base_url: str | None = Field(default=None,
                                  description="Base url to the hosted model.",
                                  validation_alias=AliasChoices("base_url", "api_base"),

nat/llm/nim_llm.py

@@ -21,6 +21,7 @@ from pydantic import PositiveInt
 from nat.builder.builder import Builder
 from nat.builder.llm import LLMProviderInfo
 from nat.cli.register_workflow import register_llm_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.llm import LLMBaseConfig
 from nat.data_models.optimizable import OptimizableField
 from nat.data_models.optimizable import OptimizableMixin
@@ -42,7 +43,7 @@ class NIMModelConfig(LLMBaseConfig,
 
     model_config = ConfigDict(protected_namespaces=(), extra="allow")
 
-    api_key: str | None = Field(default=None, description="NVIDIA API key to interact with hosted NIM.")
+    api_key: OptionalSecretStr = Field(default=None, description="NVIDIA API key to interact with hosted NIM.")
     base_url: str | None = Field(default=None, description="Base url to the hosted NIM.")
     model_name: str = OptimizableField(validation_alias=AliasChoices("model_name", "model"),
                                        serialization_alias="model",

nat/llm/openai_llm.py

@@ -20,6 +20,7 @@ from pydantic import Field
 from nat.builder.builder import Builder
 from nat.builder.llm import LLMProviderInfo
 from nat.cli.register_workflow import register_llm_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.llm import LLMBaseConfig
 from nat.data_models.optimizable import OptimizableField
 from nat.data_models.optimizable import OptimizableMixin
@@ -40,7 +41,7 @@ class OpenAIModelConfig(LLMBaseConfig,
 
     model_config = ConfigDict(protected_namespaces=(), extra="allow")
 
-    api_key: str | None = Field(default=None, description="OpenAI API key to interact with hosted model.")
+    api_key: OptionalSecretStr = Field(default=None, description="OpenAI API key to interact with hosted model.")
     base_url: str | None = Field(default=None, description="Base url to the hosted model.")
     model_name: str = OptimizableField(validation_alias=AliasChoices("model_name", "model"),
                                        serialization_alias="model",

nat/registry_handlers/pypi/register_pypi.py

@@ -16,6 +16,8 @@
 from pydantic import Field
 
 from nat.cli.register_workflow import register_registry_handler
+from nat.data_models.common import OptionalSecretStr
+from nat.data_models.common import get_secret_value
 from nat.data_models.registry_handler import RegistryHandlerBaseConfig
 
 
@@ -23,8 +25,8 @@ class PypiRegistryHandlerConfig(RegistryHandlerBaseConfig, name="pypi"):
     """Registry handler for interacting with a remote PyPI registry index."""
 
     endpoint: str = Field(description="A string representing the remote endpoint.")
-    token: str | None = Field(default=None,
-                              description="The authentication token to use when interacting with the registry.")
+    token: OptionalSecretStr = Field(default=None,
+                                     description="The authentication token to use when interacting with the registry.")
     publish_route: str = Field(description="The route to the NAT publish service.")
     pull_route: str = Field(description="The route to the NAT pull service.")
     search_route: str = Field(default="simple", description="The route to the NAT search service.")
@@ -35,6 +37,6 @@ async def pypi_publish_registry_handler(config: PypiRegistryHandlerConfig):
 
     from nat.registry_handlers.pypi.pypi_handler import PypiRegistryHandler
 
-    registry_handler = PypiRegistryHandler(endpoint=config.endpoint, token=config.token)
+    registry_handler = PypiRegistryHandler(endpoint=config.endpoint, token=get_secret_value(config.token))
 
     yield registry_handler

nat/registry_handlers/rest/register_rest.py

@@ -18,6 +18,8 @@ import os
 from pydantic import Field
 
 from nat.cli.register_workflow import register_registry_handler
+from nat.data_models.common import OptionalSecretStr
+from nat.data_models.common import get_secret_value
 from nat.data_models.registry_handler import RegistryHandlerBaseConfig
 
 
@@ -25,8 +27,8 @@ class RestRegistryHandlerConfig(RegistryHandlerBaseConfig, name="rest"):
     """Registry handler for interacting with a remote REST registry."""
 
     endpoint: str = Field(description="A string representing the remote endpoint.")
-    token: str | None = Field(default=None,
-                              description="The authentication token to use when interacting with the registry.")
+    token: OptionalSecretStr = Field(default=None,
+                                     description="The authentication token to use when interacting with the registry.")
     publish_route: str = Field(default="", description="The route to the NAT publish service.")
     pull_route: str = Field(default="", description="The route to the NAT pull service.")
     search_route: str = Field(default="", description="The route to the NAT search service")
@@ -44,7 +46,7 @@ async def rest_search_handler(config: RestRegistryHandlerConfig):
         if (registry_token is None):
             raise ValueError("Please supply registry token.")
     else:
-        registry_token = config.token
+        registry_token = get_secret_value(config.token)
 
     registry_handler = RestRegistryHandler(token=registry_token,
                                            endpoint=config.endpoint,

nat/retriever/nemo_retriever/register.py

@@ -20,6 +20,7 @@ from nat.builder.builder import Builder
 from nat.builder.retriever import RetrieverProviderInfo
 from nat.cli.register_workflow import register_retriever_client
 from nat.cli.register_workflow import register_retriever_provider
+from nat.data_models.common import OptionalSecretStr
 from nat.data_models.retriever import RetrieverBaseConfig
 
 
@@ -34,7 +35,7 @@ class NemoRetrieverConfig(RetrieverBaseConfig, name="nemo_retriever"):
         default=None,
         description="A list of fields to return from the datastore. If 'None', all fields but the vector are returned.")
     timeout: int = Field(default=60, description="Maximum time to wait for results to be returned from the service.")
-    nvidia_api_key: str | None = Field(
+    nvidia_api_key: OptionalSecretStr = Field(
         description="API key used to authenticate with the service. If 'None', will use ENV Variable 'NVIDIA_API_KEY'",
         default=None,
     )

{nvidia_nat-1.4.0a20251028.dist-info → nvidia_nat-1.4.0a20251030.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: nvidia-nat
-Version: 1.4.0a20251028
+Version: 1.4.0a20251030
 Summary: NVIDIA NeMo Agent toolkit
 Author: NVIDIA Corporation
 Maintainer: NVIDIA Corporation
@@ -22,7 +22,7 @@ Requires-Dist: click~=8.1
 Requires-Dist: colorama~=0.4.6
 Requires-Dist: datasets~=4.0
 Requires-Dist: expandvars~=1.0
-Requires-Dist: fastapi~=0.115.5
+Requires-Dist: fastapi~=0.120.1
 Requires-Dist: httpx~=0.27
 Requires-Dist: jinja2~=3.1
 Requires-Dist: jsonpath-ng~=1.7

{nvidia_nat-1.4.0a20251028.dist-info → nvidia_nat-1.4.0a20251030.dist-info}/RECORD

@@ -26,8 +26,8 @@ nat/authentication/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7
 nat/authentication/interfaces.py,sha256=1J2CWEJ_n6CLA3_HD3XV28CSbyfxrPAHzr7Q4kKDFdc,3511
 nat/authentication/register.py,sha256=lFhswYUk9iZ53mq33fClR9UfjJPdjGIivGGNHQeWiYo,915
 nat/authentication/api_key/__init__.py,sha256=GUJrgGtpvyMUCjUBvR3faAdv-tZzbU9W-izgx9aMEQg,680
-nat/authentication/api_key/api_key_auth_provider.py,sha256=QGRZZilD2GryhRJoODfKqypH54IwQp0I-Cck40Dc7dM,4032
-nat/authentication/api_key/api_key_auth_provider_config.py,sha256=zfkxH3yvUSKKldRf1K4PPm0rJLXGH0GDH8xj7anPYGQ,5472
+nat/authentication/api_key/api_key_auth_provider.py,sha256=J6WNarzdLIT1dRLM0wbYlcgypddNNGhgo9ExfQodM1I,3849
+nat/authentication/api_key/api_key_auth_provider_config.py,sha256=RLywkXGxfQlKnTW0Rz3a5qGgqyHV1B8ec8w2_nv3Dl8,5628
 nat/authentication/api_key/register.py,sha256=Mhv3WyZ9H7C2JN8VuPvwlsJEZrwXJCLXCIokkN9RrP0,1147
 nat/authentication/credential_validator/__init__.py,sha256=GUJrgGtpvyMUCjUBvR3faAdv-tZzbU9W-izgx9aMEQg,680
 nat/authentication/credential_validator/bearer_token_validator.py,sha256=cwGENd_bp-u2Y_JCRbEPxFkulk_vREpLog5c83h1nRU,21250
@@ -38,8 +38,8 @@ nat/authentication/http_basic_auth/http_basic_auth_provider.py,sha256=OXr5TV87Si
 nat/authentication/http_basic_auth/register.py,sha256=N2VD0vw7cYABsLxsGXl5yw0htc8adkrB0Y_EMxKwFfk,1235
 nat/authentication/oauth2/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
 nat/authentication/oauth2/oauth2_auth_code_flow_provider.py,sha256=NXsVATFxQ10Gg_nrW7Ljft2VXlAj460TeoXL-ww4WZc,5804
-nat/authentication/oauth2/oauth2_auth_code_flow_provider_config.py,sha256=e165ysd2pX2WTbV3_FQKEjEaa4TAXkJ7B98WUGbqnGE,2204
-nat/authentication/oauth2/oauth2_resource_server_config.py,sha256=ltcNp8Dwb2Q4tlwMN5Cl0B5pouTLtXRoV-QopfqV45M,5314
+nat/authentication/oauth2/oauth2_auth_code_flow_provider_config.py,sha256=R261a2QU2ZUiyY2GjMc3xJpPYqPzydSKVSGhgyj7Do0,2279
+nat/authentication/oauth2/oauth2_resource_server_config.py,sha256=WtqFMsJ-FzIjP7tjqs-tdYN4Pck0wxvdSyKIObNtU_8,5374
 nat/authentication/oauth2/register.py,sha256=7rXhf-ilgSS_bUJsd9pOOCotL1FM8dKUt3ke1TllKkQ,1228
 nat/builder/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nat/builder/builder.py,sha256=okI3Y101hwF63AwazzxiahQx-W9eFZ_SNdFXzDuoftU,11608
@@ -114,13 +114,13 @@ nat/control_flow/router_agent/prompt.py,sha256=fIAiNsAs1zXRAatButR76zSpHJNxSkXXK
 nat/control_flow/router_agent/register.py,sha256=4RGmS9sy-QtIMmvh8mfMcR1VqxFPLpG4RckWCIExh40,4144
 nat/data_models/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
 nat/data_models/agent.py,sha256=IwDyb9Zc3R4Zd5rFeqt7q0EQswczAl5focxV9KozIzs,1625
-nat/data_models/api_server.py,sha256=oQtSiP7jpkHIZ75g21A_lTiidNsQo54pq3qy2StIJcs,30652
+nat/data_models/api_server.py,sha256=sX_faprmycij1Zy_PQqEMtAcbvGD8PG1kWKLAyNQx6M,30775
 nat/data_models/authentication.py,sha256=XPu9W8nh4XRSuxPv3HxO-FMQ_JtTEoK6Y02JwnzDwTg,8457
-nat/data_models/common.py,sha256=nXXfGrjpxebzBUa55mLdmzePLt7VFHvTAc6Znj3yEv0,5875
+nat/data_models/common.py,sha256=dOtZI6g9AvFplu40nTsUDnahafVa9c2VITq19V_cb50,7302
 nat/data_models/component.py,sha256=b_hXOA8Gm5UNvlFkAhsR6kEvf33ST50MKtr5kWf75Ao,1894
 nat/data_models/component_ref.py,sha256=KFDWFVCcvJCfBBcXTh9f3R802EVHBtHXh9OdbRqFmdM,4747
 nat/data_models/config.py,sha256=P0JJmjqvUHUkpZ3Yc0IrMPoA2qP8HkmOjl7CwNq-nQQ,18833
-nat/data_models/dataset_handler.py,sha256=bFPahRkmPtSmA4DVSUwKg-NJRHP7TGQDSRJiSv5UhZY,5518
+nat/data_models/dataset_handler.py,sha256=1zz0456WGcGdLA9bodbMd1EMtQC8pns8TpvjNkk27No,5611
 nat/data_models/discovery_metadata.py,sha256=_l97iQsqp_ihba8CbMBQ73mH1sipTQ19GiJDdzQYQGY,13432
 nat/data_models/embedder.py,sha256=nPhthEQDtzAMGd8gFRB1ZfJpN5M9DJvv0h28ohHnTmI,1002
 nat/data_models/evaluate.py,sha256=L0GdNh_c8jii-MiK8oHW9sUUsGO3l1FMsprr-UazT5c,4836
@@ -153,9 +153,9 @@ nat/data_models/thinking_mixin.py,sha256=VRDUJZ8XP_Vv0gW2FRZUf8O9-kVgNEdZCEZ8oEm
 nat/data_models/top_p_mixin.py,sha256=mu0DLnCAiwNzpSFR8FOW4kQBUpodSrvUR4MsLrNtbgA,1599
 nat/data_models/ttc_strategy.py,sha256=tAkKWcyEBmBOOYtHMtQTgeCbHxFTk5SEkmFunNVnfyE,1114
 nat/embedder/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-nat/embedder/azure_openai_embedder.py,sha256=8OM54DCVCmWuQ8eZ5lXxsKYQktRmHMoIelRHZmKurUk,2381
-nat/embedder/nim_embedder.py,sha256=4DLcweOajXi67ZpLq_QvK0ZihFsntpsSF27FEvhF1ZQ,2532
-nat/embedder/openai_embedder.py,sha256=uASGh8KEmJg6_km8YNaenpPC92v-WbFpsvq-l4R38pY,1937
+nat/embedder/azure_openai_embedder.py,sha256=yMHOA6lWZl15Pvd9Gpp_rHy5q2qmBiRjbFesFBGuC_U,2441
+nat/embedder/nim_embedder.py,sha256=BDwqixfzToXoOg4vkHcLAhoCGzwfJjixcDAGYGM8Sok,2592
+nat/embedder/openai_embedder.py,sha256=To7aCg8UyWPwSoA0MAHanH_MAKFDi3EcZxgLU1xYE9M,1997
 nat/embedder/register.py,sha256=TM_LKuSlJr3tEceNVuHfAx_yrCzf1sryD5Ycep5rNGo,883
 nat/eval/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
 nat/eval/config.py,sha256=G0LE4JpZaQy3PvERldVATFpQCiDQcVJGUFChgorqzNo,2377
@@ -166,7 +166,7 @@ nat/eval/remote_workflow.py,sha256=JAAbD0s753AOjo9baT4OqcB5dVEDmN34jPe0Uk13LcU,6
 nat/eval/runtime_event_subscriber.py,sha256=9MVgZLKvpnThHINaPbszPYDWnJ61sntS09YZtDhIRE4,1900
 nat/eval/usage_stats.py,sha256=r8Zr3bIy2qXU1BgVKXr_4mr7bG0hte3BPNQLSgZvg8M,1376
 nat/eval/dataset_handler/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-nat/eval/dataset_handler/dataset_downloader.py,sha256=w5Kjj7Dn2gQ14ekgt3rtGT8EPGJtXXXlckbtby9rJ2k,4553
+nat/eval/dataset_handler/dataset_downloader.py,sha256=ZaNohbRSvoHPWIj0C_FqyJnhQKoTBk_uZF7ijjfk6vE,4641
 nat/eval/dataset_handler/dataset_filter.py,sha256=HrK0m3SQnPX6zOcKwJwYMrD9O-f6aOw8Vo3j9RKszqE,2115
 nat/eval/dataset_handler/dataset_handler.py,sha256=my28rKvQiiRN_h2TJz6fdKeMOjP3LC3_e2aJNnPPYhE,18159
 nat/eval/evaluator/__init__.py,sha256=GUJrgGtpvyMUCjUBvR3faAdv-tZzbU9W-izgx9aMEQg,680
@@ -192,7 +192,7 @@ nat/eval/tunable_rag_evaluator/evaluate.py,sha256=SzZYwE0juuNv6o9Pbddxi4edxRXlo8
 nat/eval/tunable_rag_evaluator/register.py,sha256=jYhPz8Xwsxyb7E0xpkAcQFT20xjSoYd_4qOJ7ltvUzU,2558
 nat/eval/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nat/eval/utils/eval_trace_ctx.py,sha256=hN0YZ0wMOPzh9I-iSav-cGdxY3RWQWoE_tk5BxUf1mc,3264
-nat/eval/utils/output_uploader.py,sha256=27-aKIejV-6DGNErR6iTioNE5rN_lEeiNoBTS1qIVVM,5579
+nat/eval/utils/output_uploader.py,sha256=wtAaxvrJrjQPFt8mTLSz31sWDs09KmLkmyelMQOLDws,5667
 nat/eval/utils/tqdm_position_registry.py,sha256=9CtpCk1wtYCSyieHPaSp8nlZu6EcNUOaUz2RTqfekrA,1286
 nat/eval/utils/weave_eval.py,sha256=fma5x9JbWpWrfQbfMHcjMovlRVR0v35yfNt1Avt6Vro,7719
 nat/experimental/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -235,7 +235,7 @@ nat/experimental/test_time_compute/selection/threshold_selector.py,sha256=9E__TM
 nat/front_ends/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
 nat/front_ends/register.py,sha256=_C6AFpsQ8hUXavKHaBMy0g137fOcLfEjyU0EAuYqtao,857
 nat/front_ends/console/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
-nat/front_ends/console/authentication_flow_handler.py,sha256=iv8sm7i1mtVT60lfXwwqDrlQfNZ1bl1bPfWkaH5oaLA,12147
+nat/front_ends/console/authentication_flow_handler.py,sha256=ikZdzQH4uLJ_eWLDHcCAcXhOk_2gmnjVTjykuISeVQE,12166
 nat/front_ends/console/console_front_end_config.py,sha256=wkMXk-RCdlEj3303kB1gh47UKJnubX2R-vzBzhedpS4,1318
 nat/front_ends/console/console_front_end_plugin.py,sha256=rlh8rL8iJCczVJngBFMckNFB7ERqJGtX1QJr-iNKGyA,4670
 nat/front_ends/console/register.py,sha256=2Kf6Mthx6jzWzU8YdhYIR1iABmZDvs1UXM_20npXWXs,1153
@@ -262,20 +262,20 @@ nat/front_ends/fastapi/html_snippets/__init__.py,sha256=GUJrgGtpvyMUCjUBvR3faAdv
 nat/front_ends/fastapi/html_snippets/auth_code_grant_success.py,sha256=BNpWwzmA58UM0GK4kZXG4PHJy_5K9ihaVHu8SgCs5JA,1131
 nat/front_ends/mcp/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
 nat/front_ends/mcp/introspection_token_verifier.py,sha256=s7Q4Q6rWZJ0ZVujSxxpvVI6Bnhkg1LJQ3RLkvhzFIGE,2836
-nat/front_ends/mcp/mcp_front_end_config.py,sha256=dnNsf487XZtoipU3DcmCAZ9eqtyF5a2p_1huQ_4uwPI,4919
-nat/front_ends/mcp/mcp_front_end_plugin.py,sha256=4u_kpen_T-_Uh62V5M7dfW9KyzbqXI7tGBG4AxJXWm0,5231
-nat/front_ends/mcp/mcp_front_end_plugin_worker.py,sha256=IuwCcrBYmN6hyVra5vnwVVEjCuj2YO9ZUs-mhJnNNSQ,11626
+nat/front_ends/mcp/mcp_front_end_config.py,sha256=QHmz0OdB6pdUU9TH65NjLk7JsAnR-F6xisel5Bv2Po4,5744
+nat/front_ends/mcp/mcp_front_end_plugin.py,sha256=MVYJBCOhZAzUPlnXest6CYP3Gf0Ef1lbURaezgHpoyg,6701
+nat/front_ends/mcp/mcp_front_end_plugin_worker.py,sha256=qoRbYLC_HWqSH_jSNb-w7R_qwOmLyXaUA5JK0SX33GA,15362
 nat/front_ends/mcp/memory_profiler.py,sha256=OpcpLBAGCdQwYSFZbtAqdfncrnGYVjDcMpWydB71hjY,12811
 nat/front_ends/mcp/register.py,sha256=3aJtgG5VaiqujoeU1-Eq7Hl5pWslIlIwGFU2ASLTXgM,1173
-nat/front_ends/mcp/tool_converter.py,sha256=14NweQN3cPFBw7ZNiGyUHO4VhMGHrtfLGgvu4_H38oU,12426
+nat/front_ends/mcp/tool_converter.py,sha256=IOHb8UoW_TVvRoiML2yi6nlbx13KgcmUsuYOGS3xYe0,13349
 nat/front_ends/simple_base/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
 nat/front_ends/simple_base/simple_front_end_plugin_base.py,sha256=py_yA9XAw-yHfK5cQJLM8ElnubEEM2ac8M0bvz-ScWs,1801
 nat/llm/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nat/llm/aws_bedrock_llm.py,sha256=Qo6-7MUrh4qGzUQMsEPTyKEBp5D7DwU6e8LHoHwzQIs,3252
-nat/llm/azure_openai_llm.py,sha256=30JWbNyscHhuRjFdWF2yLAEcKurY0q2BSMVFTdtSv9g,2649
-nat/llm/litellm_llm.py,sha256=3txXuGXd5i3IAhzuI87jB4VGM3DeNfmvnkpZuTk0MPs,2943
-nat/llm/nim_llm.py,sha256=bKPNgK1c6n9TWbtltY5Jz9nRzWBKjk2S1-ClF1ngtNY,2729
-nat/llm/openai_llm.py,sha256=gUZ0AkQ25PrO9wWUzXvAMmrBMn5bqz9uU0Mv-54sxIE,2577
+nat/llm/azure_openai_llm.py,sha256=IJ_o6W_NtR2rzaCowznyJUA8-5F4CG0scy3Nw2egoPs,2709
+nat/llm/litellm_llm.py,sha256=060odQkgTR087LmFrgnpy_yP0nvUoHI25DahS5VUbgA,3003
+nat/llm/nim_llm.py,sha256=2v5QC16Fk-Nczx2p9OP7hfPM7CsylbAEZlkJrkvLgKI,2789
+nat/llm/openai_llm.py,sha256=vg4K05IUamsRz9SVs1GUJrabr38cs8JNa_jd52048cw,2637
 nat/llm/register.py,sha256=7xDYdK4w4opAwIjzDM5x7moJXT3QeEGaGGc_nDfY0i4,1090
 nat/llm/utils/__init__.py,sha256=GUJrgGtpvyMUCjUBvR3faAdv-tZzbU9W-izgx9aMEQg,680
 nat/llm/utils/env_config_value.py,sha256=kBVsv0pEokIAfDQx5omR7_FevFv_5fTPswcbnvhVT2c,3548
@@ -386,9 +386,9 @@ nat/registry_handlers/local/local_handler.py,sha256=Dz-jRccF3NbSM9ddEzI7qckD-Ngj
 nat/registry_handlers/local/register_local.py,sha256=EMcQ3tvDDic4YeViz3jNIQyrUiD0foriP11CuuEmrr0,1341
 nat/registry_handlers/pypi/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nat/registry_handlers/pypi/pypi_handler.py,sha256=ec6oJjMO4msWTqahpP0L72O-iVckOFvrgcnpZuUlrw4,10070
-nat/registry_handlers/pypi/register_pypi.py,sha256=iFoZeAQjO_dZfzCsgp-5SmqwFDQ9y8QReVHZ0iGFoow,1840
+nat/registry_handlers/pypi/register_pypi.py,sha256=4TY6RLab99yIeQvfysZKFdsCWzTU81Dkxyb0yMONys0,1977
 nat/registry_handlers/rest/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-nat/registry_handlers/rest/register_rest.py,sha256=We_WtZ0KPSgCjsORRA1QNAgljEAGLeUi92mYRJ3nVQU,2529
+nat/registry_handlers/rest/register_rest.py,sha256=anIc20Tkupnm0T7wFfo5g_9tvJwBJjtaCo3nfhZUAmI,2666
 nat/registry_handlers/rest/rest_handler.py,sha256=Ez-seJyUqVYrR_kLrDFrA1kuzWIKeiJYY0GTrV9-qnA,9371
 nat/registry_handlers/schemas/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nat/registry_handlers/schemas/headers.py,sha256=LnVfCMNc3vRr-lRdFB8Cuv9Db5Ct-ACTapjWLaRg2os,1549
@@ -406,7 +406,7 @@ nat/retriever/milvus/__init__.py,sha256=GUJrgGtpvyMUCjUBvR3faAdv-tZzbU9W-izgx9aM
 nat/retriever/milvus/register.py,sha256=FaWvUFj4rU6qcui-G459Z-bQV-QAVR3PNONT1qu7jxs,4027
 nat/retriever/milvus/retriever.py,sha256=wfWi-Ck17ZXbrCJE3MiEVD4DuVeeAkgifdAkoISqNa0,9485
 nat/retriever/nemo_retriever/__init__.py,sha256=GUJrgGtpvyMUCjUBvR3faAdv-tZzbU9W-izgx9aMEQg,680
-nat/retriever/nemo_retriever/register.py,sha256=3XdrvEJzX2Zc8wpdm__4YYlEWBW-FK3tl_BwOWtn-4w,2893
+nat/retriever/nemo_retriever/register.py,sha256=j0K5wz4jS9LbSXMknKUjkZ5bnqLGqrkcKGKTQNSg0ro,2953
 nat/retriever/nemo_retriever/retriever.py,sha256=gi3_qJFqE-iqRh3of_cmJg-SwzaQ3z24zA9LwY_MSLY,6930
 nat/runtime/__init__.py,sha256=Xs1JQ16L9btwreh4pdGKwskffAw1YFO48jKrU4ib_7c,685
 nat/runtime/loader.py,sha256=obUdAgZVYCPGC0R8u3wcoKFJzzSPQgJvrbU4OWygtog,7953
@@ -475,10 +475,10 @@ nat/utils/reactive/base/observer_base.py,sha256=6BiQfx26EMumotJ3KoVcdmFBYR_fnAss
 nat/utils/reactive/base/subject_base.py,sha256=UQOxlkZTIeeyYmG5qLtDpNf_63Y7p-doEeUA08_R8ME,2521
 nat/utils/settings/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 nat/utils/settings/global_settings.py,sha256=9JaO6pxKT_Pjw6rxJRsRlFCXdVKCl_xUKU2QHZQWWNM,7294
-nvidia_nat-1.4.0a20251028.dist-info/licenses/LICENSE-3rd-party.txt,sha256=fOk5jMmCX9YoKWyYzTtfgl-SUy477audFC5hNY4oP7Q,284609
-nvidia_nat-1.4.0a20251028.dist-info/licenses/LICENSE.md,sha256=QwcOLU5TJoTeUhuIXzhdCEEDDvorGiC6-3YTOl4TecE,11356
-nvidia_nat-1.4.0a20251028.dist-info/METADATA,sha256=6E0nFJWcfW8aO-1e4hi1UaxEdQvZ73jfFtMCE7n-5Gk,10248
-nvidia_nat-1.4.0a20251028.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
-nvidia_nat-1.4.0a20251028.dist-info/entry_points.txt,sha256=4jCqjyETMpyoWbCBf4GalZU8I_wbstpzwQNezdAVbbo,698
-nvidia_nat-1.4.0a20251028.dist-info/top_level.txt,sha256=lgJWLkigiVZuZ_O1nxVnD_ziYBwgpE2OStdaCduMEGc,8
-nvidia_nat-1.4.0a20251028.dist-info/RECORD,,
+nvidia_nat-1.4.0a20251030.dist-info/licenses/LICENSE-3rd-party.txt,sha256=fOk5jMmCX9YoKWyYzTtfgl-SUy477audFC5hNY4oP7Q,284609
+nvidia_nat-1.4.0a20251030.dist-info/licenses/LICENSE.md,sha256=QwcOLU5TJoTeUhuIXzhdCEEDDvorGiC6-3YTOl4TecE,11356
+nvidia_nat-1.4.0a20251030.dist-info/METADATA,sha256=EWbdokoCV8bvnCxqEIw-AssdqH85mzpC4KkEy8gC_3s,10248
+nvidia_nat-1.4.0a20251030.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+nvidia_nat-1.4.0a20251030.dist-info/entry_points.txt,sha256=4jCqjyETMpyoWbCBf4GalZU8I_wbstpzwQNezdAVbbo,698
+nvidia_nat-1.4.0a20251030.dist-info/top_level.txt,sha256=lgJWLkigiVZuZ_O1nxVnD_ziYBwgpE2OStdaCduMEGc,8
+nvidia_nat-1.4.0a20251030.dist-info/RECORD,,