okta-agent 0.1.0__tar.gz

okta_agent-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Advanced Agentic Coding
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

okta_agent-0.1.0/MANIFEST.in

@@ -0,0 +1,4 @@
+include LICENSE
+include README.md
+include requirements.txt
+recursive-include okta_agent *.py *.json

okta_agent-0.1.0/PKG-INFO

@@ -0,0 +1,243 @@
+Metadata-Version: 2.4
+Name: okta-agent
+Version: 0.1.0
+Summary: Okta CIAM/SSO MCP Server and Agent for Agentic AI!
+Author-email: Audel Rouhi <knucklessg1@gmail.com>
+License: MIT
+Classifier: Development Status :: 4 - Beta
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Environment :: Console
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python :: 3
+Requires-Python: <3.15,>=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: agent-utilities>=0.47.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: PyJWT[crypto]>=2.8.0
+Provides-Extra: mcp
+Requires-Dist: agent-utilities[mcp]>=0.47.0; extra == "mcp"
+Provides-Extra: agent
+Requires-Dist: agent-utilities[agent,logfire]>=0.47.0; extra == "agent"
+Provides-Extra: all
+Requires-Dist: okta-agent[agent,logfire,mcp]>=0.1.0; extra == "all"
+Provides-Extra: test
+Requires-Dist: pytest-xdist>=3.6.0; extra == "test"
+Requires-Dist: pytest; extra == "test"
+Requires-Dist: pytest-asyncio; extra == "test"
+Requires-Dist: pytest-cov; extra == "test"
+Dynamic: license-file
+
+# Okta Agent
+## CLI or API | MCP | Agent
+
+![PyPI - Version](https://img.shields.io/pypi/v/okta-agent)
+![MCP Server](https://badge.mcpx.dev?type=server 'MCP Server')
+![PyPI - Downloads](https://img.shields.io/pypi/dd/okta-agent)
+![GitHub Repo stars](https://img.shields.io/github/stars/Knuckles-Team/okta-agent)
+![PyPI - License](https://img.shields.io/pypi/l/okta-agent)
+![GitHub last commit (by committer)](https://img.shields.io/github/last-commit/Knuckles-Team/okta-agent)
+![PyPI - Wheel](https://img.shields.io/pypi/wheel/okta-agent)
+
+*Version: 0.1.0*
+
+> **Documentation** — Installation, deployment, usage across the API, CLI, and MCP
+> server live on the docs site:
+> <https://knuckles-team.github.io/okta-agent/>
+
+## Table of Contents
+
+- [Overview](#overview)
+- [Architecture](#architecture)
+- [Installation](#installation)
+- [Configure](#configure)
+- [Environment Variables](#environment-variables)
+- [Quick Start](#quick-start)
+- [Run](#run)
+- [MCP Tools](#mcp-tools)
+- [Deployment](#deployment)
+- [Keycloak Parity](#keycloak-parity)
+- [Development](#development)
+
+## Overview
+
+Enterprise CIAM/SSO connector for the agent fleet: a production-grade MCP
+server and Pydantic AI agent over the **Okta Management API** — users, groups,
+applications, policies, and the system log. Complements `keycloak-agent`
+(open-source IdP) with the commercial-IdP side of the house, mirroring its
+verb taxonomy so agents can switch IdPs with familiar verbs.
+
+- Raw `httpx` client — no Okta SDK; every method documents the endpoint it calls.
+- Two auth modes: **SSWS API token** and **OAuth2 private-key-JWT** (org
+  authorization server, Okta API scopes).
+- Rate-limit aware: every response envelope carries the latest
+  `X-Rate-Limit-*` snapshot; HTTP 429 triggers capped automatic backoff.
+- Cursor pagination via `Link: rel="next"` headers (Okta's `after` cursor),
+  with hard item caps and resumable `next_cursor`s.
+- Safety: destructive operations (deactivate / delete / clear sessions /
+  password ops) are blocked unless explicitly allowed; credential material is
+  redacted from logs and error envelopes.
+
+## Architecture
+
+```mermaid
+graph TD
+    User([User/A2A]) --> Server[A2A Server / okta-agent]
+    Server --> Agent[Pydantic AI Agent]
+    Agent --> MCP[MCP Server / okta-mcp]
+    MCP --> Client[Api facade / httpx]
+    Client --> ExternalAPI([Okta Management API])
+```
+
+## Installation
+
+```bash
+pip install okta-agent            # core API client
+pip install okta-agent[mcp]       # + MCP server
+pip install okta-agent[agent]     # + Pydantic AI agent server
+```
+
+## Configure
+
+```bash
+export OKTA_ORG_URL="https://acme.okta.com"
+
+# Mode 1 — SSWS API token (takes precedence)
+export OKTA_API_TOKEN="<api token>"
+
+# Mode 2 — OAuth2 private-key-JWT (service app, Okta API scopes)
+export OKTA_CLIENT_ID="0oa..."
+export OKTA_PRIVATE_KEY_FILE="/path/to/key.pem"   # or OKTA_PRIVATE_KEY inline
+export OKTA_SCOPES="okta.users.read okta.groups.manage"
+```
+
+See `.env.example` for every knob (`OKTA_SSL_VERIFY`, `OKTA_MAX_RETRIES`,
+`OKTA_BACKOFF_CAP_SECONDS`, `OKTA_ALLOW_DESTRUCTIVE`, per-tool switches).
+
+## Environment Variables
+
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `OKTA_ORG_URL` | — | Okta org URL, no trailing slash (`OKTA_AGENT_BASE_URL` accepted as fallback) |
+| `OKTA_API_TOKEN` | — | SSWS API token (auth mode 1, takes precedence) |
+| `OKTA_CLIENT_ID` | — | Service-app client id (private-key-JWT) |
+| `OKTA_PRIVATE_KEY` / `OKTA_PRIVATE_KEY_FILE` | — | PEM private key inline or path |
+| `OKTA_KEY_ID` | — | Optional JWKS key id for the client assertion |
+| `OKTA_SCOPES` | read scopes | Space-separated Okta API scopes |
+| `OKTA_SSL_VERIFY` | `True` | TLS verification toward the org |
+| `OKTA_MAX_RETRIES` | `2` | 429 retry attempts |
+| `OKTA_BACKOFF_CAP_SECONDS` | `60` | 429 backoff cap |
+| `OKTA_ALLOW_DESTRUCTIVE` | `False` | Org-wide default for destructive tool actions |
+| `HOST` / `PORT` / `TRANSPORT` | `0.0.0.0` / `8000` / `stdio` | MCP server bind + transport |
+| `USERSTOOL` / `GROUPSTOOL` / `APPSTOOL` / `POLICIESTOOL` / `SYSTEMTOOL` | `True` | Per-domain tool toggles |
+| `ENABLE_OTEL` / `OTEL_EXPORTER_OTLP_*` | — | Telemetry (OTEL / Langfuse) |
+| `EUNOMIA_TYPE` / `EUNOMIA_POLICY_FILE` / `EUNOMIA_REMOTE_URL` | `none` | MCP authorization middleware |
+| `AUTH_TYPE` | `none` | MCP server auth mode (Docker) |
+| `DEFAULT_AGENT_NAME` / `AGENT_DESCRIPTION` / `AGENT_SYSTEM_PROMPT` | identity files | A2A agent identity overrides |
+
+## Quick Start
+
+```python
+from okta_agent import Api
+from okta_agent.api.credentials import SswsToken
+from okta_agent.okta_input_models import SearchInput, FilterCondition
+
+api = Api(org_url="https://acme.okta.com", credential=SswsToken("<token>"))
+
+active = api.search_users(
+    conditions=[{"field": "status", "op": "eq", "value": "ACTIVE"}],
+)
+print(active["data"], active["rate_limit"])
+
+# Or build typed tool params for the MCP surface:
+params = SearchInput(
+    conditions=[FilterCondition(field="status", op="eq", value="ACTIVE")]
+).model_dump_json(exclude_none=True)
+```
+
+## Run
+
+```bash
+okta-mcp                                  # stdio MCP server
+okta-mcp --transport streamable-http --host 0.0.0.0 --port 8000
+okta-agent                                # A2A agent server
+```
+
+## MCP Tools
+
+Five consolidated, action-routed tools. Each takes `action`, `params_json`,
+and (where applicable) `allow_destructive`.
+
+| Tool | Actions | Destructive (gated) |
+|------|---------|---------------------|
+| `okta_users` | list, search, get, create, update, activate, deactivate, suspend, unsuspend, unlock, expire_password, reset_password, list_groups, list_apps, list_factors, clear_sessions | deactivate, suspend, expire_password, reset_password, clear_sessions |
+| `okta_groups` | list, search, get, create, update, delete, list_members, add_member, remove_member, list_rules, create_rule, activate_rule, deactivate_rule | delete, remove_member, deactivate_rule |
+| `okta_apps` | list, get, create (oidc/saml/bookmark templates), update, activate, deactivate, list_users, assign_user, unassign_user, list_groups, assign_group, unassign_group | deactivate, unassign_user, unassign_group |
+| `okta_policies` | list (okta_sign_on/password/mfa_enroll/access_policy), get, list_rules, activate, deactivate, activate_rule, deactivate_rule — *policy/rule create+update intentionally out of scope in this release* | deactivate, deactivate_rule |
+| `okta_system` | org, list_authorization_servers, logs (since/until/filter/q, capped at 1000 events, resumable cursor), list_authenticators, list_factors, list_zones | — |
+
+### Examples
+
+```json
+{"action": "search", "params_json": "{\"conditions\": [{\"field\": \"status\", \"op\": \"eq\", \"value\": \"ACTIVE\"}, {\"field\": \"profile.department\", \"op\": \"eq\", \"value\": \"Engineering\"}]}"}
+```
+
+```json
+{"action": "create", "params_json": "{\"template\": \"oidc\", \"label\": \"My App\", \"settings\": {\"redirect_uris\": [\"https://app.example.com/cb\"]}}"}
+```
+
+```json
+{"action": "deactivate", "params_json": "{\"user_id\": \"00u1\"}", "allow_destructive": true}
+```
+
+Every successful response is an envelope:
+
+```json
+{"data": [...], "rate_limit": {"limit": 600, "remaining": 599, "reset": 1700000000}, "count": 5, "truncated": false, "next_cursor": null}
+```
+
+Errors map Okta's envelope: `{"error": {"status", "error_code", "error_summary", "error_id", "error_causes", "rate_limit"}}`.
+
+## Deployment
+
+```bash
+# MCP server only (port 8000, streamable-http, /health)
+docker compose -f docker/mcp.compose.yml up -d
+
+# MCP server + A2A agent server (agent on port 9021, AG-UI web interface)
+docker compose -f docker/agent.compose.yml up -d
+```
+
+The A2A agent server (`okta-agent` console script, `agent_server.py`) reads
+`MCP_URL`, `PROVIDER`, and `MODEL_ID` from the environment. Prebuilt image:
+`knucklessg1/okta-agent:latest`. See [docs/deployment.md](docs/deployment.md)
+for transports, reverse proxy, and DNS guidance.
+
+## Keycloak parity
+
+Verbs intentionally mirror `keycloak-agent` where the concepts overlap, so an
+agent fluent in one IdP connector can drive the other:
+
+| Concept | keycloak-agent | okta-agent |
+|---------|----------------|------------|
+| Users CRUD | `keycloak_agent_users` list/get/create/update | `okta_users` list/get/create/update |
+| Password reset | `reset_password` | `reset_password` (plus expire_password) |
+| User's groups | `list_users_by_user_id_groups` | `list_groups` |
+| Groups CRUD + members | `keycloak_agent_groups` | `okta_groups` (+ Okta group rules) |
+| OAuth/SAML clients | `keycloak_agent_clients` | `okta_apps` (Keycloak "clients" = Okta "apps") |
+| Auth policies/flows | `keycloak_agent_authentication` | `okta_policies` (read + lifecycle) |
+| Server/org info & events | `keycloak_agent_info` / attack detection | `okta_system` (org + system log) |
+
+Okta-only surface: lifecycle states (suspend/unlock), group rules, app
+assignment profiles, network zones, Okta API scopes via private-key-JWT.
+
+## Development
+
+```bash
+pip install -e .[mcp,test]
+pytest -v
+pre-commit run --all-files
+```
+
+API references are cited in every client docstring
+(https://developer.okta.com/docs/api/).

okta_agent-0.1.0/README.md

@@ -0,0 +1,213 @@
+# Okta Agent
+## CLI or API | MCP | Agent
+
+![PyPI - Version](https://img.shields.io/pypi/v/okta-agent)
+![MCP Server](https://badge.mcpx.dev?type=server 'MCP Server')
+![PyPI - Downloads](https://img.shields.io/pypi/dd/okta-agent)
+![GitHub Repo stars](https://img.shields.io/github/stars/Knuckles-Team/okta-agent)
+![PyPI - License](https://img.shields.io/pypi/l/okta-agent)
+![GitHub last commit (by committer)](https://img.shields.io/github/last-commit/Knuckles-Team/okta-agent)
+![PyPI - Wheel](https://img.shields.io/pypi/wheel/okta-agent)
+
+*Version: 0.1.0*
+
+> **Documentation** — Installation, deployment, usage across the API, CLI, and MCP
+> server live on the docs site:
+> <https://knuckles-team.github.io/okta-agent/>
+
+## Table of Contents
+
+- [Overview](#overview)
+- [Architecture](#architecture)
+- [Installation](#installation)
+- [Configure](#configure)
+- [Environment Variables](#environment-variables)
+- [Quick Start](#quick-start)
+- [Run](#run)
+- [MCP Tools](#mcp-tools)
+- [Deployment](#deployment)
+- [Keycloak Parity](#keycloak-parity)
+- [Development](#development)
+
+## Overview
+
+Enterprise CIAM/SSO connector for the agent fleet: a production-grade MCP
+server and Pydantic AI agent over the **Okta Management API** — users, groups,
+applications, policies, and the system log. Complements `keycloak-agent`
+(open-source IdP) with the commercial-IdP side of the house, mirroring its
+verb taxonomy so agents can switch IdPs with familiar verbs.
+
+- Raw `httpx` client — no Okta SDK; every method documents the endpoint it calls.
+- Two auth modes: **SSWS API token** and **OAuth2 private-key-JWT** (org
+  authorization server, Okta API scopes).
+- Rate-limit aware: every response envelope carries the latest
+  `X-Rate-Limit-*` snapshot; HTTP 429 triggers capped automatic backoff.
+- Cursor pagination via `Link: rel="next"` headers (Okta's `after` cursor),
+  with hard item caps and resumable `next_cursor`s.
+- Safety: destructive operations (deactivate / delete / clear sessions /
+  password ops) are blocked unless explicitly allowed; credential material is
+  redacted from logs and error envelopes.
+
+## Architecture
+
+```mermaid
+graph TD
+    User([User/A2A]) --> Server[A2A Server / okta-agent]
+    Server --> Agent[Pydantic AI Agent]
+    Agent --> MCP[MCP Server / okta-mcp]
+    MCP --> Client[Api facade / httpx]
+    Client --> ExternalAPI([Okta Management API])
+```
+
+## Installation
+
+```bash
+pip install okta-agent            # core API client
+pip install okta-agent[mcp]       # + MCP server
+pip install okta-agent[agent]     # + Pydantic AI agent server
+```
+
+## Configure
+
+```bash
+export OKTA_ORG_URL="https://acme.okta.com"
+
+# Mode 1 — SSWS API token (takes precedence)
+export OKTA_API_TOKEN="<api token>"
+
+# Mode 2 — OAuth2 private-key-JWT (service app, Okta API scopes)
+export OKTA_CLIENT_ID="0oa..."
+export OKTA_PRIVATE_KEY_FILE="/path/to/key.pem"   # or OKTA_PRIVATE_KEY inline
+export OKTA_SCOPES="okta.users.read okta.groups.manage"
+```
+
+See `.env.example` for every knob (`OKTA_SSL_VERIFY`, `OKTA_MAX_RETRIES`,
+`OKTA_BACKOFF_CAP_SECONDS`, `OKTA_ALLOW_DESTRUCTIVE`, per-tool switches).
+
+## Environment Variables
+
+| Variable | Default | Purpose |
+|----------|---------|---------|
+| `OKTA_ORG_URL` | — | Okta org URL, no trailing slash (`OKTA_AGENT_BASE_URL` accepted as fallback) |
+| `OKTA_API_TOKEN` | — | SSWS API token (auth mode 1, takes precedence) |
+| `OKTA_CLIENT_ID` | — | Service-app client id (private-key-JWT) |
+| `OKTA_PRIVATE_KEY` / `OKTA_PRIVATE_KEY_FILE` | — | PEM private key inline or path |
+| `OKTA_KEY_ID` | — | Optional JWKS key id for the client assertion |
+| `OKTA_SCOPES` | read scopes | Space-separated Okta API scopes |
+| `OKTA_SSL_VERIFY` | `True` | TLS verification toward the org |
+| `OKTA_MAX_RETRIES` | `2` | 429 retry attempts |
+| `OKTA_BACKOFF_CAP_SECONDS` | `60` | 429 backoff cap |
+| `OKTA_ALLOW_DESTRUCTIVE` | `False` | Org-wide default for destructive tool actions |
+| `HOST` / `PORT` / `TRANSPORT` | `0.0.0.0` / `8000` / `stdio` | MCP server bind + transport |
+| `USERSTOOL` / `GROUPSTOOL` / `APPSTOOL` / `POLICIESTOOL` / `SYSTEMTOOL` | `True` | Per-domain tool toggles |
+| `ENABLE_OTEL` / `OTEL_EXPORTER_OTLP_*` | — | Telemetry (OTEL / Langfuse) |
+| `EUNOMIA_TYPE` / `EUNOMIA_POLICY_FILE` / `EUNOMIA_REMOTE_URL` | `none` | MCP authorization middleware |
+| `AUTH_TYPE` | `none` | MCP server auth mode (Docker) |
+| `DEFAULT_AGENT_NAME` / `AGENT_DESCRIPTION` / `AGENT_SYSTEM_PROMPT` | identity files | A2A agent identity overrides |
+
+## Quick Start
+
+```python
+from okta_agent import Api
+from okta_agent.api.credentials import SswsToken
+from okta_agent.okta_input_models import SearchInput, FilterCondition
+
+api = Api(org_url="https://acme.okta.com", credential=SswsToken("<token>"))
+
+active = api.search_users(
+    conditions=[{"field": "status", "op": "eq", "value": "ACTIVE"}],
+)
+print(active["data"], active["rate_limit"])
+
+# Or build typed tool params for the MCP surface:
+params = SearchInput(
+    conditions=[FilterCondition(field="status", op="eq", value="ACTIVE")]
+).model_dump_json(exclude_none=True)
+```
+
+## Run
+
+```bash
+okta-mcp                                  # stdio MCP server
+okta-mcp --transport streamable-http --host 0.0.0.0 --port 8000
+okta-agent                                # A2A agent server
+```
+
+## MCP Tools
+
+Five consolidated, action-routed tools. Each takes `action`, `params_json`,
+and (where applicable) `allow_destructive`.
+
+| Tool | Actions | Destructive (gated) |
+|------|---------|---------------------|
+| `okta_users` | list, search, get, create, update, activate, deactivate, suspend, unsuspend, unlock, expire_password, reset_password, list_groups, list_apps, list_factors, clear_sessions | deactivate, suspend, expire_password, reset_password, clear_sessions |
+| `okta_groups` | list, search, get, create, update, delete, list_members, add_member, remove_member, list_rules, create_rule, activate_rule, deactivate_rule | delete, remove_member, deactivate_rule |
+| `okta_apps` | list, get, create (oidc/saml/bookmark templates), update, activate, deactivate, list_users, assign_user, unassign_user, list_groups, assign_group, unassign_group | deactivate, unassign_user, unassign_group |
+| `okta_policies` | list (okta_sign_on/password/mfa_enroll/access_policy), get, list_rules, activate, deactivate, activate_rule, deactivate_rule — *policy/rule create+update intentionally out of scope in this release* | deactivate, deactivate_rule |
+| `okta_system` | org, list_authorization_servers, logs (since/until/filter/q, capped at 1000 events, resumable cursor), list_authenticators, list_factors, list_zones | — |
+
+### Examples
+
+```json
+{"action": "search", "params_json": "{\"conditions\": [{\"field\": \"status\", \"op\": \"eq\", \"value\": \"ACTIVE\"}, {\"field\": \"profile.department\", \"op\": \"eq\", \"value\": \"Engineering\"}]}"}
+```
+
+```json
+{"action": "create", "params_json": "{\"template\": \"oidc\", \"label\": \"My App\", \"settings\": {\"redirect_uris\": [\"https://app.example.com/cb\"]}}"}
+```
+
+```json
+{"action": "deactivate", "params_json": "{\"user_id\": \"00u1\"}", "allow_destructive": true}
+```
+
+Every successful response is an envelope:
+
+```json
+{"data": [...], "rate_limit": {"limit": 600, "remaining": 599, "reset": 1700000000}, "count": 5, "truncated": false, "next_cursor": null}
+```
+
+Errors map Okta's envelope: `{"error": {"status", "error_code", "error_summary", "error_id", "error_causes", "rate_limit"}}`.
+
+## Deployment
+
+```bash
+# MCP server only (port 8000, streamable-http, /health)
+docker compose -f docker/mcp.compose.yml up -d
+
+# MCP server + A2A agent server (agent on port 9021, AG-UI web interface)
+docker compose -f docker/agent.compose.yml up -d
+```
+
+The A2A agent server (`okta-agent` console script, `agent_server.py`) reads
+`MCP_URL`, `PROVIDER`, and `MODEL_ID` from the environment. Prebuilt image:
+`knucklessg1/okta-agent:latest`. See [docs/deployment.md](docs/deployment.md)
+for transports, reverse proxy, and DNS guidance.
+
+## Keycloak parity
+
+Verbs intentionally mirror `keycloak-agent` where the concepts overlap, so an
+agent fluent in one IdP connector can drive the other:
+
+| Concept | keycloak-agent | okta-agent |
+|---------|----------------|------------|
+| Users CRUD | `keycloak_agent_users` list/get/create/update | `okta_users` list/get/create/update |
+| Password reset | `reset_password` | `reset_password` (plus expire_password) |
+| User's groups | `list_users_by_user_id_groups` | `list_groups` |
+| Groups CRUD + members | `keycloak_agent_groups` | `okta_groups` (+ Okta group rules) |
+| OAuth/SAML clients | `keycloak_agent_clients` | `okta_apps` (Keycloak "clients" = Okta "apps") |
+| Auth policies/flows | `keycloak_agent_authentication` | `okta_policies` (read + lifecycle) |
+| Server/org info & events | `keycloak_agent_info` / attack detection | `okta_system` (org + system log) |
+
+Okta-only surface: lifecycle states (suspend/unlock), group rules, app
+assignment profiles, network zones, Okta API scopes via private-key-JWT.
+
+## Development
+
+```bash
+pip install -e .[mcp,test]
+pytest -v
+pre-commit run --all-files
+```
+
+API references are cited in every client docstring
+(https://developer.okta.com/docs/api/).

okta_agent-0.1.0/okta_agent/__init__.py

@@ -0,0 +1,68 @@
+"""CONCEPT:ECO-4.0 okta-agent: Okta Management API + MCP Server + A2A Server."""
+
+import importlib
+import inspect
+from typing import Any
+
+__version__ = "0.1.0"
+__all__: list[str] = []
+
+CORE_MODULES = [
+    "okta_agent.okta_input_models",
+    "okta_agent.okta_response_models",
+    "okta_agent.api_client",
+]
+OPTIONAL_MODULES = {
+    "okta_agent.agent_server": "agent",
+    "okta_agent.mcp_server": "mcp",
+}
+
+
+def _expose_members(module):
+    for name, obj in inspect.getmembers(module):
+        if (inspect.isclass(obj) or inspect.isfunction(obj)) and not name.startswith(
+            "_"
+        ):
+            globals()[name] = obj
+            if name not in __all__:
+                __all__.append(name)
+
+
+for module_name in CORE_MODULES:
+    module = importlib.import_module(module_name)
+    _expose_members(module)
+
+_loaded_optional_modules: dict[str, Any] = {}
+
+
+def _import_module_safely(module_name: str):
+    try:
+        return importlib.import_module(module_name)
+    except ImportError:
+        return None
+
+
+def __getattr__(name: str) -> Any:
+    if name == "_MCP_AVAILABLE":
+        mcp_key = next((k for k in OPTIONAL_MODULES if "mcp_server" in k), None)
+        return _import_module_safely(mcp_key) is not None if mcp_key else False
+    if name == "_AGENT_AVAILABLE":
+        agent_key = next((k for k in OPTIONAL_MODULES if "agent_server" in k), None)
+        return _import_module_safely(agent_key) is not None if agent_key else False
+
+    for module_name in OPTIONAL_MODULES:
+        if module_name not in _loaded_optional_modules:
+            module = _import_module_safely(module_name)
+            if module is not None:
+                _loaded_optional_modules[module_name] = module
+                _expose_members(module)
+
+        module = _loaded_optional_modules.get(module_name)
+        if module is not None and hasattr(module, name):
+            return getattr(module, name)
+
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
+
+
+def __dir__() -> list[str]:
+    return sorted(list(globals().keys()) + __all__)

okta_agent-0.1.0/okta_agent/__main__.py

@@ -0,0 +1,4 @@
+from okta_agent.agent_server import agent_server
+
+if __name__ == "__main__":
+    agent_server()

okta_agent-0.1.0/okta_agent/agent_server.py

@@ -0,0 +1,71 @@
+"""Pydantic AI agent server entry point for the Okta connector."""
+
+import logging
+import os
+import sys
+import warnings
+
+__version__ = "0.1.0"
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
+)
+logger = logging.getLogger(__name__)
+
+DEFAULT_AGENT_NAME = None
+DEFAULT_AGENT_DESCRIPTION = None
+DEFAULT_AGENT_SYSTEM_PROMPT = None
+
+
+def agent_server():
+    """Start the graph-based Pydantic AI agent server."""
+    from agent_utilities import (
+        build_system_prompt_from_workspace,
+        create_agent_parser,
+        create_agent_server,
+        initialize_workspace,
+        load_identity,
+    )
+
+    global DEFAULT_AGENT_NAME, DEFAULT_AGENT_DESCRIPTION, DEFAULT_AGENT_SYSTEM_PROMPT
+    initialize_workspace()
+    meta = load_identity()
+    DEFAULT_AGENT_NAME = os.getenv("DEFAULT_AGENT_NAME", meta.get("name", "Okta Agent"))
+    DEFAULT_AGENT_DESCRIPTION = os.getenv(
+        "AGENT_DESCRIPTION",
+        meta.get("description", "AI agent for Okta CIAM/SSO operations."),
+    )
+    DEFAULT_AGENT_SYSTEM_PROMPT = os.getenv(
+        "AGENT_SYSTEM_PROMPT",
+        meta.get("content") or build_system_prompt_from_workspace(),
+    )
+
+    warnings.filterwarnings("ignore", message=".*urllib3.*")
+    warnings.filterwarnings("ignore", category=DeprecationWarning, module="fastmcp")
+
+    print(f"{DEFAULT_AGENT_NAME} v{__version__}", file=sys.stderr)
+    parser = create_agent_parser()
+    args = parser.parse_args()
+
+    create_agent_server(
+        mcp_url=args.mcp_url,
+        mcp_config=args.mcp_config or "mcp_config.json",
+        host=args.host,
+        port=args.port,
+        provider=args.provider,
+        model_id=args.model_id,
+        router_model=args.model_id,
+        agent_model=args.model_id,
+        base_url=args.base_url,
+        api_key=args.api_key,
+        custom_skills_directory=args.custom_skills_directory,
+        enable_web_ui=args.web,
+        enable_otel=args.otel,
+        otel_endpoint=args.otel_endpoint,
+        otel_headers=args.otel_headers,
+        otel_public_key=args.otel_public_key,
+        otel_secret_key=args.otel_secret_key,
+        otel_protocol=args.otel_protocol,
+        debug=args.debug,
+    )

okta_agent-0.1.0/okta_agent/api/__init__.py

@@ -0,0 +1 @@
+"""Okta Management API client modules (raw httpx, no Okta SDK)."""