yeet migrations that we don't need anymore (left over from conflict resolution on marketplace DB layer cleanup)

.claude/skills/backend-check/SKILL.md

@@ -0,0 +1,17 @@
+---
+name: backend-check
+description: Run the full backend formatting, linting, and test suite. Ensures code quality before commits and PRs. TRIGGER when backend Python code has been modified and needs validation.
+user-invocable: true
+metadata:
+  author: autogpt-team
+  version: "1.0.0"
+---
+
+# Backend Check
+
+## Steps
+
+1. **Format**: `poetry run format` — runs formatting AND linting. NEVER run ruff/black/isort individually
+2. **Fix** any remaining errors manually, re-run until clean
+3. **Test**: `poetry run test` (runs DB setup + pytest). For specific files: `poetry run pytest -s -vvv <test_files>`
+4. **Snapshots** (if needed): `poetry run pytest path/to/test.py --snapshot-update` — review with `git diff`

.claude/skills/code-style/SKILL.md

@@ -0,0 +1,35 @@
+---
+name: code-style
+description: Python code style preferences for the AutoGPT backend. Apply when writing or reviewing Python code. TRIGGER when writing new Python code, reviewing PRs, or refactoring backend code.
+user-invocable: false
+metadata:
+  author: autogpt-team
+  version: "1.0.0"
+---
+
+# Code Style
+
+## Imports
+
+- **Top-level only** — no local/inner imports. Move all imports to the top of the file.
+
+## Typing
+
+- **No duck typing** — avoid `hasattr`, `getattr`, `isinstance` for type dispatch. Use proper typed interfaces, unions, or protocols.
+- **Pydantic models** over dataclass, namedtuple, or raw dict for structured data.
+- **No linter suppressors** — avoid `# type: ignore`, `# noqa`, `# pyright: ignore` etc. 99% of the time the right fix is fixing the type/code, not silencing the tool.
+
+## Code Structure
+
+- **List comprehensions** over manual loop-and-append.
+- **Early return** — guard clauses first, avoid deep nesting.
+- **Flatten inline** — prefer short, concise expressions. Reduce `if/else` chains with direct returns or ternaries when readable.
+- **Modular functions** — break complex logic into small, focused functions rather than long blocks with nested conditionals.
+
+## Review Checklist
+
+Before finishing, always ask:
+- Can any function be split into smaller pieces?
+- Is there unnecessary nesting that an early return would eliminate?
+- Can any loop be a comprehension?
+- Is there a simpler way to express this logic?

.claude/skills/frontend-check/SKILL.md

@@ -0,0 +1,16 @@
+---
+name: frontend-check
+description: Run the full frontend formatting, linting, and type checking suite. Ensures code quality before commits and PRs. TRIGGER when frontend TypeScript/React code has been modified and needs validation.
+user-invocable: true
+metadata:
+  author: autogpt-team
+  version: "1.0.0"
+---
+
+# Frontend Check
+
+## Steps (in order)
+
+1. **Format**: `pnpm format` — NEVER run individual formatters
+2. **Lint**: `pnpm lint` — fix errors, re-run until clean
+3. **Types**: `pnpm types` — if it keeps failing after multiple attempts, stop and ask the user

.claude/skills/new-block/SKILL.md

@@ -0,0 +1,29 @@
+---
+name: new-block
+description: Create a new backend block following the Block SDK Guide. Guides through provider configuration, schema definition, authentication, and testing. TRIGGER when user asks to create a new block, add a new integration, or build a new node for the graph editor.
+user-invocable: true
+metadata:
+  author: autogpt-team
+  version: "1.0.0"
+---
+
+# New Block Creation
+
+Read `docs/platform/block-sdk-guide.md` first for the full guide.
+
+## Steps
+
+1. **Provider config** (if external service): create `_config.py` with `ProviderBuilder`
+2. **Block file** in `backend/blocks/` (from `autogpt_platform/backend/`):
+   - Generate a UUID once with `uuid.uuid4()`, then **hard-code that string** as `id` (IDs must be stable across imports)
+   - `Input(BlockSchema)` and `Output(BlockSchema)` classes
+   - `async def run` that `yield`s output fields
+3. **Files**: use `store_media_file()` with `"for_block_output"` for outputs
+4. **Test**: `poetry run pytest 'backend/blocks/test/test_block.py::test_available_blocks[MyBlock]' -xvs`
+5. **Format**: `poetry run format`
+
+## Rules
+
+- Analyze interfaces: do inputs/outputs connect well with other blocks in a graph?
+- Use top-level imports, avoid duck typing
+- Always use `for_block_output` for block outputs

.claude/skills/openapi-regen/SKILL.md

@@ -0,0 +1,28 @@
+---
+name: openapi-regen
+description: Regenerate the OpenAPI spec and frontend API client. Starts the backend REST server, fetches the spec, and regenerates the typed frontend hooks. TRIGGER when API routes change, new endpoints are added, or frontend API types are stale.
+user-invocable: true
+metadata:
+  author: autogpt-team
+  version: "1.0.0"
+---
+
+# OpenAPI Spec Regeneration
+
+## Steps
+
+1. **Run end-to-end** in a single shell block (so `REST_PID` persists):
+   ```bash
+   cd autogpt_platform/backend && poetry run rest &
+   REST_PID=$!
+   WAIT=0; until curl -sf http://localhost:8006/health > /dev/null 2>&1; do sleep 1; WAIT=$((WAIT+1)); [ $WAIT -ge 60 ] && echo "Timed out" && kill $REST_PID && exit 1; done
+   cd ../frontend && pnpm generate:api:force
+   kill $REST_PID
+   pnpm types && pnpm lint && pnpm format
+   ```
+
+## Rules
+
+- Always use `pnpm generate:api:force` (not `pnpm generate:api`)
+- Don't manually edit files in `src/app/api/__generated__/`
+- Generated hooks follow: `use{Method}{Version}{OperationName}`

.claude/skills/pr-address/SKILL.md

@@ -1,79 +0,0 @@
----
-name: pr-address
-description: Address PR review comments and loop until CI green and all comments resolved. TRIGGER when user asks to address comments, fix PR feedback, respond to reviewers, or babysit/monitor a PR.
-user-invocable: true
-args: "[PR number or URL] — if omitted, finds PR for current branch."
-metadata:
-  author: autogpt-team
-  version: "1.0.0"
----
-
-# PR Address
-
-## Find the PR
-
-```bash
-gh pr list --head $(git branch --show-current) --repo Significant-Gravitas/AutoGPT
-gh pr view {N}
-```
-
-## Fetch comments (all sources)
-
-```bash
-gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/reviews       # top-level reviews
-gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/comments      # inline review comments
-gh api repos/Significant-Gravitas/AutoGPT/issues/{N}/comments     # PR conversation comments
-```
-
-**Bots to watch for:**
-- `autogpt-reviewer` — posts "Blockers", "Should Fix", "Nice to Have". Address ALL of them.
-- `sentry[bot]` — bug predictions. Fix real bugs, explain false positives.
-- `coderabbitai[bot]` — automated review. Address actionable items.
-
-## For each unaddressed comment
-
-Address comments **one at a time**: fix → commit → push → inline reply → next.
-
-1. Read the referenced code, make the fix (or reply explaining why it's not needed)
-2. Commit and push the fix
-3. Reply **inline** (not as a new top-level comment) referencing the fixing commit — this is what resolves the conversation for bot reviewers (coderabbitai, sentry):
-
-| Comment type | How to reply |
-|---|---|
-| Inline review (`pulls/{N}/comments`) | `gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/comments/{ID}/replies -f body="Fixed in <commit-sha>: <description>"` |
-| Conversation (`issues/{N}/comments`) | `gh api repos/Significant-Gravitas/AutoGPT/issues/{N}/comments -f body="Fixed in <commit-sha>: <description>"` |
-
-## Format and commit
-
-After fixing, format the changed code:
-
-- **Backend** (from `autogpt_platform/backend/`): `poetry run format`
-- **Frontend** (from `autogpt_platform/frontend/`): `pnpm format && pnpm lint && pnpm types`
-
-If API routes changed, regenerate the frontend client:
-```bash
-cd autogpt_platform/backend && poetry run rest &
-REST_PID=$!
-trap "kill $REST_PID 2>/dev/null" EXIT
-WAIT=0; until curl -sf http://localhost:8006/health > /dev/null 2>&1; do sleep 1; WAIT=$((WAIT+1)); [ $WAIT -ge 60 ] && echo "Timed out" && exit 1; done
-cd ../frontend && pnpm generate:api:force
-kill $REST_PID 2>/dev/null; trap - EXIT
-```
-Never manually edit files in `src/app/api/__generated__/`.
-
-Then commit and **push immediately** — never batch commits without pushing.
-
-For backend commits in worktrees: `poetry run git commit` (pre-commit hooks).
-
-## The loop
-
-```text
-address comments → format → commit → push
-→ re-check comments → fix new ones → push
-→ wait for CI → re-check comments after CI settles
-→ repeat until: all comments addressed AND CI green AND no new comments arriving
-```
-
-While CI runs, stay productive: run local tests, address remaining comments.
-
-**The loop ends when:** CI fully green + all comments addressed + no new comments since CI settled.

.claude/skills/pr-create/SKILL.md

@@ -0,0 +1,31 @@
+---
+name: pr-create
+description: Create a pull request for the current branch. TRIGGER when user asks to create a PR, open a pull request, push changes for review, or submit work for merging.
+user-invocable: true
+metadata:
+  author: autogpt-team
+  version: "1.0.0"
+---
+
+# Create Pull Request
+
+## Steps
+
+1. **Check for existing PR**: `gh pr view --json url -q .url 2>/dev/null` — if a PR already exists, output its URL and stop
+2. **Understand changes**: `git status`, `git diff dev...HEAD`, `git log dev..HEAD --oneline`
+3. **Read PR template**: `.github/PULL_REQUEST_TEMPLATE.md`
+4. **Draft PR title**: Use conventional commits format (see CLAUDE.md for types and scopes)
+5. **Fill out PR template** as the body — be thorough in the Changes section
+6. **Format first** (if relevant changes exist):
+   - Backend: `cd autogpt_platform/backend && poetry run format`
+   - Frontend: `cd autogpt_platform/frontend && pnpm format`
+   - Fix any lint errors, then commit formatting changes before pushing
+7. **Push**: `git push -u origin HEAD`
+8. **Create PR**: `gh pr create --base dev`
+9. **Output** the PR URL
+
+## Rules
+
+- Always target `dev` branch
+- Do NOT run tests — CI will handle that
+- Use the PR template from `.github/PULL_REQUEST_TEMPLATE.md`

.claude/skills/pr-review/SKILL.md

@@ -1,74 +1,51 @@
 ---
 name: pr-review
-description: Review a PR for correctness, security, code quality, and testing issues. TRIGGER when user asks to review a PR, check PR quality, or give feedback on a PR.
+description: Address all open PR review comments systematically. Fetches comments, addresses each one, reacts +1/-1, and replies when clarification is needed. Keeps iterating until all comments are addressed and CI is green. TRIGGER when user shares a PR URL, asks to address review comments, fix PR feedback, or respond to reviewer comments.
 user-invocable: true
-args: "[PR number or URL] — if omitted, finds PR for current branch."
 metadata:
   author: autogpt-team
   version: "1.0.0"
 ---
 
-# PR Review
+# PR Review Comment Workflow
 
-## Find the PR
+## Steps
 
-```bash
-gh pr list --head $(git branch --show-current) --repo Significant-Gravitas/AutoGPT
-gh pr view {N}
-```
+1. **Find PR**: `gh pr list --head $(git branch --show-current) --repo Significant-Gravitas/AutoGPT`
+2. **Fetch comments** (all three sources):
+   - `gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/reviews` (top-level reviews)
+   - `gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/comments` (inline review comments)
+   - `gh api repos/Significant-Gravitas/AutoGPT/issues/{N}/comments` (PR conversation comments)
+3. **Skip** comments already reacted to by PR author
+4. **For each unreacted comment**:
+   - Read referenced code, make the fix (or reply if you disagree/need info)
+   - **Inline review comments** (`pulls/{N}/comments`):
+     - React: `gh api repos/.../pulls/comments/{ID}/reactions -f content="+1"` (or `-1`)
+     - Reply: `gh api repos/.../pulls/{N}/comments/{ID}/replies -f body="..."`
+   - **PR conversation comments** (`issues/{N}/comments`):
+     - React: `gh api repos/.../issues/comments/{ID}/reactions -f content="+1"` (or `-1`)
+     - No threaded replies — post a new issue comment if needed
+   - **Top-level reviews**: no reaction API — address in code, reply via issue comment if needed
+5. **Include autogpt-reviewer bot fixes** too
+6. **Format**: `cd autogpt_platform/backend && poetry run format`, `cd autogpt_platform/frontend && pnpm format`
+7. **Commit & push**
+8. **Re-fetch comments** immediately — address any new unreacted ones before waiting on CI
+9. **Stay productive while CI runs** — don't idle. In priority order:
+   - Run any pending local tests (`poetry run pytest`, e2e, etc.) and fix failures
+   - Address any remaining comments
+   - Only poll `gh pr checks {N}` as the last resort when there's truly nothing left to do
+10. **If CI fails** — fix, go back to step 6
+11. **Re-fetch comments again** after CI is green — address anything that appeared while CI was running
+12. **Done** only when: all comments reacted AND CI is green.
 
-## Read the diff
+## CRITICAL: Do Not Stop
 
-```bash
-gh pr diff {N}
-```
+**Loop is: address → format → commit → push → re-check comments → run local tests → wait CI → re-check comments → repeat.**
 
-## Fetch existing review comments
+Never idle. If CI is running and you have nothing to address, run local tests. Waiting on CI is the last resort.
 
-Before posting anything, fetch existing inline comments to avoid duplicates:
+## Rules
 
-```bash
-gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/comments
-gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/reviews
-```
-
-## What to check
-
-**Correctness:** logic errors, off-by-one, missing edge cases, race conditions (TOCTOU in file access, credit charging), error handling gaps, async correctness (missing `await`, unclosed resources).
-
-**Security:** input validation at boundaries, no injection (command, XSS, SQL), secrets not logged, file paths sanitized (`os.path.basename()` in error messages).
-
-**Code quality:** apply rules from backend/frontend CLAUDE.md files.
-
-**Architecture:** DRY, single responsibility, modular functions. `Security()` vs `Depends()` for FastAPI auth. `data:` for SSE events, `: comment` for heartbeats. `transaction=True` for Redis pipelines.
-
-**Testing:** edge cases covered, colocated `*_test.py` (backend) / `__tests__/` (frontend), mocks target where symbol is **used** not defined, `AsyncMock` for async.
-
-## Output format
-
-Every comment **must** be prefixed with `🤖` and a criticality badge:
-
-| Tier | Badge | Meaning |
-|---|---|---|
-| Blocker | `🔴 **Blocker**` | Must fix before merge |
-| Should Fix | `🟠 **Should Fix**` | Important improvement |
-| Nice to Have | `🟡 **Nice to Have**` | Minor suggestion |
-| Nit | `🔵 **Nit**` | Style / wording |
-
-Example: `🤖 🔴 **Blocker**: Missing error handling for X — suggest wrapping in try/except.`
-
-## Post inline comments
-
-For each finding, post an inline comment on the PR (do not just write a local report):
-
-```bash
-# Get the latest commit SHA for the PR
-COMMIT_SHA=$(gh api repos/Significant-Gravitas/AutoGPT/pulls/{N} --jq '.head.sha')
-
-# Post an inline comment on a specific file/line
-gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/comments \
-  -f body="🤖 🔴 **Blocker**: <description>" \
-  -f commit_id="$COMMIT_SHA" \
-  -f path="<file path>" \
-  -F line=<line number>
-```
+- One todo per comment
+- For inline review comments: reply on existing threads. For PR conversation comments: post a new issue comment (API doesn't support threaded replies)
+- React to every comment: +1 addressed, -1 disagreed (with explanation)

.claude/skills/worktree-setup/SKILL.md

@@ -0,0 +1,45 @@
+---
+name: worktree-setup
+description: Set up a new git worktree for parallel development. Creates the worktree, copies .env files, installs dependencies, generates Prisma client, and optionally starts the app (with port conflict resolution) or runs tests. TRIGGER when user asks to set up a worktree, work on a branch in isolation, or needs a separate environment for a branch or PR.
+user-invocable: true
+metadata:
+  author: autogpt-team
+  version: "1.0.0"
+---
+
+# Worktree Setup
+
+## Preferred: Use Branchlet
+
+The repo has a `.branchlet.json` config — it handles env file copying, dependency installation, and Prisma generation automatically.
+
+```bash
+npm install -g branchlet                                      # install once
+branchlet create -n <name> -s <source-branch> -b <new-branch>
+branchlet list --json   # list all worktrees
+```
+
+## Manual Fallback
+
+If branchlet isn't available:
+
+1. `git worktree add ../<RepoName><N> <branch-name>`
+2. Copy `.env` files: `backend/.env`, `frontend/.env`, `autogpt_platform/.env`, `db/docker/.env`
+3. Install deps:
+   - `cd autogpt_platform/backend && poetry install && poetry run prisma generate`
+   - `cd autogpt_platform/frontend && pnpm install`
+
+## Running the App
+
+Free ports first — backend uses: 8001, 8002, 8003, 8005, 8006, 8007, 8008.
+
+```bash
+for port in 8001 8002 8003 8005 8006 8007 8008; do
+  lsof -ti :$port | xargs kill -9 2>/dev/null || true
+done
+cd <worktree>/autogpt_platform/backend && poetry run app
+```
+
+## CoPilot Testing Gotcha
+
+SDK mode spawns a Claude subprocess — **won't work inside Claude Code**. Set `CHAT_USE_CLAUDE_AGENT_SDK=false` in `backend/.env` to use baseline mode.

.claude/skills/worktree/SKILL.md

@@ -1,85 +0,0 @@
----
-name: worktree
-description: Set up a new git worktree for parallel development. Creates the worktree, copies .env files, installs dependencies, and generates Prisma client. TRIGGER when user asks to set up a worktree, work on a branch in isolation, or needs a separate environment for a branch or PR.
-user-invocable: true
-args: "[name] — optional worktree name (e.g., 'AutoGPT7'). If omitted, uses next available AutoGPT<N>."
-metadata:
-  author: autogpt-team
-  version: "3.0.0"
----
-
-# Worktree Setup
-
-## Create the worktree
-
-Derive paths from the git toplevel. If a name is provided as argument, use it. Otherwise, check `git worktree list` and pick the next `AutoGPT<N>`.
-
-```bash
-ROOT=$(git rev-parse --show-toplevel)
-PARENT=$(dirname "$ROOT")
-
-# From an existing branch
-git worktree add "$PARENT/<NAME>" <branch-name>
-
-# From a new branch off dev
-git worktree add -b <new-branch> "$PARENT/<NAME>" dev
-```
-
-## Copy environment files
-
-Copy `.env` from the root worktree. Falls back to `.env.default` if `.env` doesn't exist.
-
-```bash
-ROOT=$(git rev-parse --show-toplevel)
-TARGET="$(dirname "$ROOT")/<NAME>"
-
-for envpath in autogpt_platform/backend autogpt_platform/frontend autogpt_platform; do
-  if [ -f "$ROOT/$envpath/.env" ]; then
-    cp "$ROOT/$envpath/.env" "$TARGET/$envpath/.env"
-  elif [ -f "$ROOT/$envpath/.env.default" ]; then
-    cp "$ROOT/$envpath/.env.default" "$TARGET/$envpath/.env"
-  fi
-done
-```
-
-## Install dependencies
-
-```bash
-TARGET="$(dirname "$(git rev-parse --show-toplevel)")/<NAME>"
-cd "$TARGET/autogpt_platform/autogpt_libs" && poetry install
-cd "$TARGET/autogpt_platform/backend" && poetry install && poetry run prisma generate
-cd "$TARGET/autogpt_platform/frontend" && pnpm install
-```
-
-Replace `<NAME>` with the actual worktree name (e.g., `AutoGPT7`).
-
-## Running the app (optional)
-
-Backend uses ports: 8001, 8002, 8003, 8005, 8006, 8007, 8008. Free them first if needed:
-
-```bash
-TARGET="$(dirname "$(git rev-parse --show-toplevel)")/<NAME>"
-for port in 8001 8002 8003 8005 8006 8007 8008; do
-  lsof -ti :$port | xargs kill -9 2>/dev/null || true
-done
-cd "$TARGET/autogpt_platform/backend" && poetry run app
-```
-
-## CoPilot testing
-
-SDK mode spawns a Claude subprocess — won't work inside Claude Code. Set `CHAT_USE_CLAUDE_AGENT_SDK=false` in `backend/.env` to use baseline mode.
-
-## Cleanup
-
-```bash
-# Replace <NAME> with the actual worktree name (e.g., AutoGPT7)
-git worktree remove "$(dirname "$(git rev-parse --show-toplevel)")/<NAME>"
-```
-
-## Alternative: Branchlet (optional)
-
-If [branchlet](https://www.npmjs.com/package/branchlet) is installed:
-
-```bash
-branchlet create -n <name> -s <source-branch> -b <new-branch>
-```

.pre-commit-config.yaml

@@ -27,6 +27,103 @@ repos:
         exclude: pnpm-lock\.yaml$
         stages: [pre-push]
 
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.7.2
+    hooks:
+      - id: ruff
+        name: Lint (Ruff) - AutoGPT Platform - Backend
+        alias: ruff-lint-platform-backend
+        files: ^autogpt_platform/backend/
+        args: [--fix]
+
+      - id: ruff
+        name: Lint (Ruff) - AutoGPT Platform - Libs
+        alias: ruff-lint-platform-libs
+        files: ^autogpt_platform/autogpt_libs/
+        args: [--fix]
+
+      - id: ruff-format
+        name: Format (Ruff) - AutoGPT Platform - Libs
+        alias: ruff-lint-platform-libs
+        files: ^autogpt_platform/autogpt_libs/
+
+  - repo: local
+    # isort needs the context of which packages are installed to function, so we
+    # can't use a vendored isort pre-commit hook (which runs in its own isolated venv).
+    hooks:
+      - id: isort
+        name: Lint (isort) - AutoGPT Platform - Backend
+        alias: isort-platform-backend
+        entry: poetry -P autogpt_platform/backend run isort -p backend
+        files: ^autogpt_platform/backend/
+        types: [file, python]
+        language: system
+
+      - id: isort
+        name: Lint (isort) - Classic - AutoGPT
+        alias: isort-classic-autogpt
+        entry: poetry -P classic/original_autogpt run isort -p autogpt
+        files: ^classic/original_autogpt/
+        types: [file, python]
+        language: system
+
+      - id: isort
+        name: Lint (isort) - Classic - Forge
+        alias: isort-classic-forge
+        entry: poetry -P classic/forge run isort -p forge
+        files: ^classic/forge/
+        types: [file, python]
+        language: system
+
+      - id: isort
+        name: Lint (isort) - Classic - Benchmark
+        alias: isort-classic-benchmark
+        entry: poetry -P classic/benchmark run isort -p agbenchmark
+        files: ^classic/benchmark/
+        types: [file, python]
+        language: system
+
+  - repo: https://github.com/psf/black
+    rev: 24.10.0
+    # Black has sensible defaults, doesn't need package context, and ignores
+    # everything in .gitignore, so it works fine without any config or arguments.
+    hooks:
+      - id: black
+        name: Format (Black)
+
+  - repo: https://github.com/PyCQA/flake8
+    rev: 7.0.0
+    # To have flake8 load the config of the individual subprojects, we have to call
+    # them separately.
+    hooks:
+      - id: flake8
+        name: Lint (Flake8) - Classic - AutoGPT
+        alias: flake8-classic-autogpt
+        files: ^classic/original_autogpt/(autogpt|scripts|tests)/
+        args: [--config=classic/original_autogpt/.flake8]
+
+      - id: flake8
+        name: Lint (Flake8) - Classic - Forge
+        alias: flake8-classic-forge
+        files: ^classic/forge/(forge|tests)/
+        args: [--config=classic/forge/.flake8]
+
+      - id: flake8
+        name: Lint (Flake8) - Classic - Benchmark
+        alias: flake8-classic-benchmark
+        files: ^classic/benchmark/(agbenchmark|tests)/((?!reports).)*[/.]
+        args: [--config=classic/benchmark/.flake8]
+
+  - repo: local
+    hooks:
+      - id: prettier
+        name: Format (Prettier) - AutoGPT Platform - Frontend
+        alias: format-platform-frontend
+        entry: bash -c 'cd autogpt_platform/frontend && npx prettier --write $(echo "$@" | sed "s|autogpt_platform/frontend/||g")' --
+        files: ^autogpt_platform/frontend/
+        types: [file]
+        language: system
+
   - repo: local
     # For proper type checking, all dependencies need to be up-to-date.
     # It's also a good idea to check that poetry.lock is consistent with pyproject.toml.
@@ -164,7 +261,7 @@ repos:
         entry: >
           bash -c '
           cd autogpt_platform/backend
-          && poetry run export-api-schema --output ../frontend/src/app/api/openapi.json
+          && poetry run export-api-schema --api internal --output ../frontend/src/app/api/openapi.json
           && cd ../frontend
           && pnpm prettier --write ./src/app/api/openapi.json
           '
@@ -190,103 +287,6 @@ repos:
         pass_filenames: false
         stages: [pre-commit, post-checkout]
 
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.7.2
-    hooks:
-      - id: ruff
-        name: Lint (Ruff) - AutoGPT Platform - Backend
-        alias: ruff-lint-platform-backend
-        files: ^autogpt_platform/backend/
-        args: [--fix]
-
-      - id: ruff
-        name: Lint (Ruff) - AutoGPT Platform - Libs
-        alias: ruff-lint-platform-libs
-        files: ^autogpt_platform/autogpt_libs/
-        args: [--fix]
-
-      - id: ruff-format
-        name: Format (Ruff) - AutoGPT Platform - Libs
-        alias: ruff-lint-platform-libs
-        files: ^autogpt_platform/autogpt_libs/
-
-  - repo: local
-    # isort needs the context of which packages are installed to function, so we
-    # can't use a vendored isort pre-commit hook (which runs in its own isolated venv).
-    hooks:
-      - id: isort
-        name: Lint (isort) - AutoGPT Platform - Backend
-        alias: isort-platform-backend
-        entry: poetry -P autogpt_platform/backend run isort -p backend
-        files: ^autogpt_platform/backend/
-        types: [file, python]
-        language: system
-
-      - id: isort
-        name: Lint (isort) - Classic - AutoGPT
-        alias: isort-classic-autogpt
-        entry: poetry -P classic/original_autogpt run isort -p autogpt
-        files: ^classic/original_autogpt/
-        types: [file, python]
-        language: system
-
-      - id: isort
-        name: Lint (isort) - Classic - Forge
-        alias: isort-classic-forge
-        entry: poetry -P classic/forge run isort -p forge
-        files: ^classic/forge/
-        types: [file, python]
-        language: system
-
-      - id: isort
-        name: Lint (isort) - Classic - Benchmark
-        alias: isort-classic-benchmark
-        entry: poetry -P classic/benchmark run isort -p agbenchmark
-        files: ^classic/benchmark/
-        types: [file, python]
-        language: system
-
-  - repo: https://github.com/psf/black
-    rev: 24.10.0
-    # Black has sensible defaults, doesn't need package context, and ignores
-    # everything in .gitignore, so it works fine without any config or arguments.
-    hooks:
-      - id: black
-        name: Format (Black)
-
-  - repo: https://github.com/PyCQA/flake8
-    rev: 7.0.0
-    # To have flake8 load the config of the individual subprojects, we have to call
-    # them separately.
-    hooks:
-      - id: flake8
-        name: Lint (Flake8) - Classic - AutoGPT
-        alias: flake8-classic-autogpt
-        files: ^classic/original_autogpt/(autogpt|scripts|tests)/
-        args: [--config=classic/original_autogpt/.flake8]
-
-      - id: flake8
-        name: Lint (Flake8) - Classic - Forge
-        alias: flake8-classic-forge
-        files: ^classic/forge/(forge|tests)/
-        args: [--config=classic/forge/.flake8]
-
-      - id: flake8
-        name: Lint (Flake8) - Classic - Benchmark
-        alias: flake8-classic-benchmark
-        files: ^classic/benchmark/(agbenchmark|tests)/((?!reports).)*[/.]
-        args: [--config=classic/benchmark/.flake8]
-
-  - repo: local
-    hooks:
-      - id: prettier
-        name: Format (Prettier) - AutoGPT Platform - Frontend
-        alias: format-platform-frontend
-        entry: bash -c 'cd autogpt_platform/frontend && npx prettier --write $(echo "$@" | sed "s|autogpt_platform/frontend/||g")' --
-        files: ^autogpt_platform/frontend/
-        types: [file]
-        language: system
-
   - repo: local
     # To have watertight type checking, we check *all* the files in an affected
     # project. To trigger on poetry.lock we also reset the file `types` filter.

autogpt_platform/CLAUDE.md

@@ -60,12 +60,9 @@ AutoGPT Platform is a monorepo containing:
 
 ### Reviewing/Revising Pull Requests
 
-Use `/pr-review` to review a PR or `/pr-address` to address comments.
-
-When fetching comments manually:
-- `gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/reviews` — top-level reviews
-- `gh api repos/Significant-Gravitas/AutoGPT/pulls/{N}/comments` — inline review comments
-- `gh api repos/Significant-Gravitas/AutoGPT/issues/{N}/comments` — PR conversation comments
+- When the user runs /pr-comments or tries to fetch them, also run gh api /repos/Significant-Gravitas/AutoGPT/pulls/[issuenum]/reviews to get the reviews
+- Use gh api /repos/Significant-Gravitas/AutoGPT/pulls/[issuenum]/reviews/[review_id]/comments to get the review contents
+- Use gh api /repos/Significant-Gravitas/AutoGPT/issues/9924/comments to get the pr specific comments
 
 ### Conventional Commits
 

autogpt_platform/analytics/queries/auth_activities.sql

@@ -1,40 +0,0 @@
--- =============================================================
--- View: analytics.auth_activities
--- Looker source alias: ds49  |  Charts: 1
--- =============================================================
--- DESCRIPTION
---   Tracks authentication events (login, logout, SSO, password
---   reset, etc.) from Supabase's internal audit log.
---   Useful for monitoring sign-in patterns and detecting anomalies.
---
--- SOURCE TABLES
---   auth.audit_log_entries  — Supabase internal auth event log
---
--- OUTPUT COLUMNS
---   created_at      TIMESTAMPTZ  When the auth event occurred
---   actor_id        TEXT         User ID who triggered the event
---   actor_via_sso   TEXT         Whether the action was via SSO ('true'/'false')
---   action          TEXT         Event type (e.g. 'login', 'logout', 'token_refreshed')
---
--- WINDOW
---   Rolling 90 days from current date
---
--- EXAMPLE QUERIES
---   -- Daily login counts
---   SELECT DATE_TRUNC('day', created_at) AS day, COUNT(*) AS logins
---   FROM analytics.auth_activities
---   WHERE action = 'login'
---   GROUP BY 1 ORDER BY 1;
---
---   -- SSO vs password login breakdown
---   SELECT actor_via_sso, COUNT(*) FROM analytics.auth_activities
---   WHERE action = 'login' GROUP BY 1;
--- =============================================================
-
-SELECT
-    created_at,
-    payload->>'actor_id'      AS actor_id,
-    payload->>'actor_via_sso' AS actor_via_sso,
-    payload->>'action'        AS action
-FROM auth.audit_log_entries
-WHERE created_at >= NOW() - INTERVAL '90 days'

autogpt_platform/analytics/queries/graph_execution.sql

@@ -1,105 +0,0 @@
--- =============================================================
--- View: analytics.graph_execution
--- Looker source alias: ds16  |  Charts: 21
--- =============================================================
--- DESCRIPTION
---   One row per agent graph execution (last 90 days).
---   Unpacks the JSONB stats column into individual numeric columns
---   and normalises the executionStatus — runs that failed due to
---   insufficient credits are reclassified as 'NO_CREDITS' for
---   easier filtering.  Error messages are scrubbed of IDs and URLs
---   to allow safe grouping.
---
--- SOURCE TABLES
---   platform.AgentGraphExecution  — Execution records
---   platform.AgentGraph           — Agent graph metadata (for name)
---   platform.LibraryAgent         — To flag possibly-AI (safe-mode) agents
---
--- OUTPUT COLUMNS
---   id                TEXT         Execution UUID
---   agentGraphId      TEXT         Agent graph UUID
---   agentGraphVersion INT          Graph version number
---   executionStatus   TEXT         COMPLETED | FAILED | NO_CREDITS | RUNNING | QUEUED | TERMINATED
---   createdAt         TIMESTAMPTZ  When the execution was queued
---   updatedAt         TIMESTAMPTZ  Last status update time
---   userId            TEXT         Owner user UUID
---   agentGraphName    TEXT         Human-readable agent name
---   cputime           DECIMAL      Total CPU seconds consumed
---   walltime          DECIMAL      Total wall-clock seconds
---   node_count        DECIMAL      Number of nodes in the graph
---   nodes_cputime     DECIMAL      CPU time across all nodes
---   nodes_walltime    DECIMAL      Wall time across all nodes
---   execution_cost    DECIMAL      Credit cost of this execution
---   correctness_score FLOAT        AI correctness score (if available)
---   possibly_ai       BOOLEAN      True if agent has sensitive_action_safe_mode enabled
---   groupedErrorMessage TEXT       Scrubbed error string (IDs/URLs replaced with wildcards)
---
--- WINDOW
---   Rolling 90 days (createdAt > CURRENT_DATE - 90 days)
---
--- EXAMPLE QUERIES
---   -- Daily execution counts by status
---   SELECT DATE_TRUNC('day', "createdAt") AS day, "executionStatus", COUNT(*)
---   FROM analytics.graph_execution
---   GROUP BY 1, 2 ORDER BY 1;
---
---   -- Average cost per execution by agent
---   SELECT "agentGraphName", AVG("execution_cost") AS avg_cost, COUNT(*) AS runs
---   FROM analytics.graph_execution
---   WHERE "executionStatus" = 'COMPLETED'
---   GROUP BY 1 ORDER BY avg_cost DESC;
---
---   -- Top error messages
---   SELECT "groupedErrorMessage", COUNT(*) AS occurrences
---   FROM analytics.graph_execution
---   WHERE "executionStatus" = 'FAILED'
---   GROUP BY 1 ORDER BY 2 DESC LIMIT 20;
--- =============================================================
-
-SELECT
-    ge."id"                                                        AS id,
-    ge."agentGraphId"                                              AS agentGraphId,
-    ge."agentGraphVersion"                                         AS agentGraphVersion,
-    CASE
-        WHEN jsonb_exists(ge."stats"::jsonb, 'error')
-         AND (
-               (ge."stats"::jsonb->>'error') ILIKE '%insufficient balance%'
-            OR (ge."stats"::jsonb->>'error') ILIKE '%you have no credits left%'
-             )
-        THEN 'NO_CREDITS'
-        ELSE CAST(ge."executionStatus" AS TEXT)
-    END                                                            AS executionStatus,
-    ge."createdAt"                                                 AS createdAt,
-    ge."updatedAt"                                                 AS updatedAt,
-    ge."userId"                                                    AS userId,
-    g."name"                                                       AS agentGraphName,
-    (ge."stats"::jsonb->>'cputime')::decimal                       AS cputime,
-    (ge."stats"::jsonb->>'walltime')::decimal                      AS walltime,
-    (ge."stats"::jsonb->>'node_count')::decimal                    AS node_count,
-    (ge."stats"::jsonb->>'nodes_cputime')::decimal                 AS nodes_cputime,
-    (ge."stats"::jsonb->>'nodes_walltime')::decimal                AS nodes_walltime,
-    (ge."stats"::jsonb->>'cost')::decimal                          AS execution_cost,
-    (ge."stats"::jsonb->>'correctness_score')::float               AS correctness_score,
-    COALESCE(la.possibly_ai, FALSE)                                AS possibly_ai,
-    REGEXP_REPLACE(
-        REGEXP_REPLACE(
-            TRIM(BOTH '"' FROM ge."stats"::jsonb->>'error'),
-            '(https?://)([A-Za-z0-9.-]+)(:[0-9]+)?(/[^\s]*)?',
-            '\1\2/...', 'gi'
-        ),
-        '[a-zA-Z0-9_:-]*\d[a-zA-Z0-9_:-]*', '*', 'g'
-    )                                                              AS groupedErrorMessage
-FROM platform."AgentGraphExecution" ge
-LEFT JOIN platform."AgentGraph" g
-       ON ge."agentGraphId" = g."id"
-      AND ge."agentGraphVersion" = g."version"
-LEFT JOIN (
-    SELECT DISTINCT ON ("userId", "agentGraphId")
-           "userId", "agentGraphId",
-           ("settings"::jsonb->>'sensitive_action_safe_mode')::boolean AS possibly_ai
-    FROM platform."LibraryAgent"
-    WHERE "isDeleted"  = FALSE
-      AND "isArchived" = FALSE
-    ORDER BY "userId", "agentGraphId", "agentGraphVersion" DESC
-) la ON la."userId" = ge."userId" AND la."agentGraphId" = ge."agentGraphId"
-WHERE ge."createdAt" > CURRENT_DATE - INTERVAL '90 days'

autogpt_platform/analytics/queries/node_block_execution.sql

@@ -1,101 +0,0 @@
--- =============================================================
--- View: analytics.node_block_execution
--- Looker source alias: ds14  |  Charts: 11
--- =============================================================
--- DESCRIPTION
---   One row per node (block) execution (last 90 days).
---   Unpacks stats JSONB and joins to identify which block type
---   was run.  For failed nodes, joins the error output and
---   scrubs it for safe grouping.
---
--- SOURCE TABLES
---   platform.AgentNodeExecution              — Node execution records
---   platform.AgentNode                       — Node → block mapping
---   platform.AgentBlock                      — Block name/ID
---   platform.AgentNodeExecutionInputOutput   — Error output values
---
--- OUTPUT COLUMNS
---   id                    TEXT         Node execution UUID
---   agentGraphExecutionId TEXT         Parent graph execution UUID
---   agentNodeId           TEXT         Node UUID within the graph
---   executionStatus       TEXT         COMPLETED | FAILED | QUEUED | RUNNING | TERMINATED
---   addedTime             TIMESTAMPTZ  When the node was queued
---   queuedTime            TIMESTAMPTZ  When it entered the queue
---   startedTime           TIMESTAMPTZ  When execution started
---   endedTime             TIMESTAMPTZ  When execution finished
---   inputSize             BIGINT       Input payload size in bytes
---   outputSize            BIGINT       Output payload size in bytes
---   walltime              NUMERIC      Wall-clock seconds for this node
---   cputime               NUMERIC      CPU seconds for this node
---   llmRetryCount         INT          Number of LLM retries
---   llmCallCount          INT          Number of LLM API calls made
---   inputTokenCount       BIGINT       LLM input tokens consumed
---   outputTokenCount      BIGINT       LLM output tokens produced
---   blockName             TEXT         Human-readable block name (e.g. 'OpenAIBlock')
---   blockId               TEXT         Block UUID
---   groupedErrorMessage   TEXT         Scrubbed error (IDs/URLs wildcarded)
---   errorMessage          TEXT         Raw error output (only set when FAILED)
---
--- WINDOW
---   Rolling 90 days (addedTime > CURRENT_DATE - 90 days)
---
--- EXAMPLE QUERIES
---   -- Most-used blocks by execution count
---   SELECT "blockName", COUNT(*) AS executions,
---          COUNT(*) FILTER (WHERE "executionStatus"='FAILED') AS failures
---   FROM analytics.node_block_execution
---   GROUP BY 1 ORDER BY executions DESC LIMIT 20;
---
---   -- Average LLM token usage per block
---   SELECT "blockName",
---          AVG("inputTokenCount") AS avg_input_tokens,
---          AVG("outputTokenCount") AS avg_output_tokens
---   FROM analytics.node_block_execution
---   WHERE "llmCallCount" > 0
---   GROUP BY 1 ORDER BY avg_input_tokens DESC;
---
---   -- Top failure reasons
---   SELECT "blockName", "groupedErrorMessage", COUNT(*) AS count
---   FROM analytics.node_block_execution
---   WHERE "executionStatus" = 'FAILED'
---   GROUP BY 1, 2 ORDER BY count DESC LIMIT 20;
--- =============================================================
-
-SELECT
-    ne."id"                                                            AS id,
-    ne."agentGraphExecutionId"                                         AS agentGraphExecutionId,
-    ne."agentNodeId"                                                   AS agentNodeId,
-    CAST(ne."executionStatus" AS TEXT)                                 AS executionStatus,
-    ne."addedTime"                                                     AS addedTime,
-    ne."queuedTime"                                                    AS queuedTime,
-    ne."startedTime"                                                   AS startedTime,
-    ne."endedTime"                                                     AS endedTime,
-    (ne."stats"::jsonb->>'input_size')::bigint                         AS inputSize,
-    (ne."stats"::jsonb->>'output_size')::bigint                        AS outputSize,
-    (ne."stats"::jsonb->>'walltime')::numeric                          AS walltime,
-    (ne."stats"::jsonb->>'cputime')::numeric                           AS cputime,
-    (ne."stats"::jsonb->>'llm_retry_count')::int                       AS llmRetryCount,
-    (ne."stats"::jsonb->>'llm_call_count')::int                        AS llmCallCount,
-    (ne."stats"::jsonb->>'input_token_count')::bigint                  AS inputTokenCount,
-    (ne."stats"::jsonb->>'output_token_count')::bigint                 AS outputTokenCount,
-    b."name"                                                           AS blockName,
-    b."id"                                                             AS blockId,
-    REGEXP_REPLACE(
-        REGEXP_REPLACE(
-            TRIM(BOTH '"' FROM eio."data"::text),
-            '(https?://)([A-Za-z0-9.-]+)(:[0-9]+)?(/[^\s]*)?',
-            '\1\2/...', 'gi'
-        ),
-        '[a-zA-Z0-9_:-]*\d[a-zA-Z0-9_:-]*', '*', 'g'
-    )                                                                  AS groupedErrorMessage,
-    eio."data"                                                         AS errorMessage
-FROM platform."AgentNodeExecution" ne
-LEFT JOIN platform."AgentNode" nd
-       ON ne."agentNodeId" = nd."id"
-LEFT JOIN platform."AgentBlock" b
-       ON nd."agentBlockId" = b."id"
-LEFT JOIN platform."AgentNodeExecutionInputOutput" eio
-       ON eio."referencedByOutputExecId" = ne."id"
-      AND eio."name" = 'error'
-      AND ne."executionStatus" = 'FAILED'
-WHERE ne."addedTime" > CURRENT_DATE - INTERVAL '90 days'

autogpt_platform/analytics/queries/retention_agent.sql

@@ -1,97 +0,0 @@
--- =============================================================
--- View: analytics.retention_agent
--- Looker source alias: ds35  |  Charts: 2
--- =============================================================
--- DESCRIPTION
---   Weekly cohort retention broken down per individual agent.
---   Cohort = week of a user's first use of THAT specific agent.
---   Tells you which agents keep users coming back vs. one-shot
---   use. Only includes cohorts from the last 180 days.
---
--- SOURCE TABLES
---   platform.AgentGraphExecution  — Execution records (user × agent × time)
---   platform.AgentGraph           — Agent names
---
--- OUTPUT COLUMNS
---   agent_id            TEXT   Agent graph UUID
---   agent_label         TEXT   'AgentName [first8chars]'
---   agent_label_n       TEXT   'AgentName [first8chars] (n=total_users)'
---   cohort_week_start   DATE   Week users first ran this agent
---   cohort_label        TEXT   ISO week label
---   cohort_label_n      TEXT   ISO week label with cohort size
---   user_lifetime_week  INT    Weeks since first use of this agent
---   cohort_users        BIGINT Users in this cohort for this agent
---   active_users        BIGINT Users who ran the agent again in week k
---   retention_rate      FLOAT  active_users / cohort_users
---   cohort_users_w0     BIGINT cohort_users only at week 0 (safe to SUM)
---   agent_total_users   BIGINT Total users across all cohorts for this agent
---
--- EXAMPLE QUERIES
---   -- Best-retained agents at week 2
---   SELECT agent_label, AVG(retention_rate) AS w2_retention
---   FROM analytics.retention_agent
---   WHERE user_lifetime_week = 2 AND cohort_users >= 10
---   GROUP BY 1 ORDER BY w2_retention DESC LIMIT 10;
---
---   -- Agents with most unique users
---   SELECT DISTINCT agent_label, agent_total_users
---   FROM analytics.retention_agent
---   ORDER BY agent_total_users DESC LIMIT 20;
--- =============================================================
-
-WITH params AS (SELECT 12::int AS max_weeks, (CURRENT_DATE - INTERVAL '180 days') AS cohort_start),
-events AS (
-  SELECT e."userId"::text AS user_id, e."agentGraphId" AS agent_id,
-         e."createdAt"::timestamptz AS created_at,
-         DATE_TRUNC('week', e."createdAt")::date AS week_start
-  FROM platform."AgentGraphExecution" e
-),
-first_use AS (
-  SELECT user_id, agent_id, MIN(created_at) AS first_use_at,
-         DATE_TRUNC('week', MIN(created_at))::date AS cohort_week_start
-  FROM events GROUP BY 1,2
-  HAVING MIN(created_at) >= (SELECT cohort_start FROM params)
-),
-activity_weeks AS (SELECT DISTINCT user_id, agent_id, week_start FROM events),
-user_week_age AS (
-  SELECT aw.user_id, aw.agent_id, fu.cohort_week_start,
-         ((aw.week_start - DATE_TRUNC('week',fu.first_use_at)::date)/7)::int AS user_lifetime_week
-  FROM activity_weeks aw JOIN first_use fu USING (user_id, agent_id)
-  WHERE aw.week_start >= DATE_TRUNC('week',fu.first_use_at)::date
-),
-active_counts AS (
-  SELECT agent_id, cohort_week_start, user_lifetime_week, COUNT(DISTINCT user_id) AS active_users
-  FROM user_week_age WHERE user_lifetime_week >= 0 GROUP BY 1,2,3
-),
-cohort_sizes AS (
-  SELECT agent_id, cohort_week_start, COUNT(DISTINCT user_id) AS cohort_users FROM first_use GROUP BY 1,2
-),
-cohort_caps AS (
-  SELECT cs.agent_id, cs.cohort_week_start, cs.cohort_users,
-         LEAST((SELECT max_weeks FROM params),
-               GREATEST(0,((DATE_TRUNC('week',CURRENT_DATE)::date-cs.cohort_week_start)/7)::int)) AS cap_weeks
-  FROM cohort_sizes cs
-),
-grid AS (
-  SELECT cc.agent_id, cc.cohort_week_start, gs AS user_lifetime_week, cc.cohort_users
-  FROM cohort_caps cc CROSS JOIN LATERAL generate_series(0, cc.cap_weeks) gs
-),
-agent_names AS (SELECT DISTINCT ON (g."id") g."id" AS agent_id, g."name" AS agent_name FROM platform."AgentGraph" g ORDER BY g."id", g."version" DESC),
-agent_total_users AS (SELECT agent_id, SUM(cohort_users) AS agent_total_users FROM cohort_sizes GROUP BY 1)
-SELECT
-  g.agent_id,
-  COALESCE(an.agent_name,'(unnamed)')||' ['||LEFT(g.agent_id::text,8)||']'  AS agent_label,
-  COALESCE(an.agent_name,'(unnamed)')||' ['||LEFT(g.agent_id::text,8)||'] (n='||COALESCE(atu.agent_total_users,0)||')' AS agent_label_n,
-  g.cohort_week_start,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')                               AS cohort_label,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')||' (n='||g.cohort_users||')'  AS cohort_label_n,
-  g.user_lifetime_week, g.cohort_users,
-  COALESCE(ac.active_users,0)                                              AS active_users,
-  COALESCE(ac.active_users,0)::float / NULLIF(g.cohort_users,0)           AS retention_rate,
-  CASE WHEN g.user_lifetime_week=0 THEN g.cohort_users ELSE 0 END         AS cohort_users_w0,
-  COALESCE(atu.agent_total_users,0)                                        AS agent_total_users
-FROM grid g
-LEFT JOIN active_counts     ac  ON ac.agent_id=g.agent_id AND ac.cohort_week_start=g.cohort_week_start AND ac.user_lifetime_week=g.user_lifetime_week
-LEFT JOIN agent_names       an  ON an.agent_id=g.agent_id
-LEFT JOIN agent_total_users atu ON atu.agent_id=g.agent_id
-ORDER BY agent_label, g.cohort_week_start, g.user_lifetime_week;

autogpt_platform/analytics/queries/retention_execution_daily.sql

@@ -1,81 +0,0 @@
--- =============================================================
--- View: analytics.retention_execution_daily
--- Looker source alias: ds111  |  Charts: 1
--- =============================================================
--- DESCRIPTION
---   Daily cohort retention based on agent executions.
---   Cohort anchor = day of user's FIRST ever execution.
---   Only includes cohorts from the last 90 days, up to day 30.
---   Great for early engagement analysis (did users run another
---   agent the next day?).
---
--- SOURCE TABLES
---   platform.AgentGraphExecution  — Execution records
---
--- OUTPUT COLUMNS
---   Same pattern as retention_login_daily.
---   cohort_day_start = day of first execution (not first login)
---
--- EXAMPLE QUERIES
---   -- Day-3 execution retention
---   SELECT cohort_label, retention_rate_bounded AS d3_retention
---   FROM analytics.retention_execution_daily
---   WHERE user_lifetime_day = 3 ORDER BY cohort_day_start;
--- =============================================================
-
-WITH params AS (SELECT 30::int AS max_days, (CURRENT_DATE - INTERVAL '90 days') AS cohort_start),
-events AS (
-  SELECT e."userId"::text AS user_id, e."createdAt"::timestamptz AS created_at,
-         DATE_TRUNC('day', e."createdAt")::date AS day_start
-  FROM platform."AgentGraphExecution" e WHERE e."userId" IS NOT NULL
-),
-first_exec AS (
-  SELECT user_id, MIN(created_at) AS first_exec_at,
-         DATE_TRUNC('day', MIN(created_at))::date AS cohort_day_start
-  FROM events GROUP BY 1
-  HAVING MIN(created_at) >= (SELECT cohort_start FROM params)
-),
-activity_days AS (SELECT DISTINCT user_id, day_start FROM events),
-user_day_age AS (
-  SELECT ad.user_id, fe.cohort_day_start,
-         (ad.day_start - DATE_TRUNC('day',fe.first_exec_at)::date)::int AS user_lifetime_day
-  FROM activity_days ad JOIN first_exec fe USING (user_id)
-  WHERE ad.day_start >= DATE_TRUNC('day',fe.first_exec_at)::date
-),
-bounded_counts AS (
-  SELECT cohort_day_start, user_lifetime_day, COUNT(DISTINCT user_id) AS active_users_bounded
-  FROM user_day_age WHERE user_lifetime_day >= 0 GROUP BY 1,2
-),
-last_active AS (
-  SELECT cohort_day_start, user_id, MAX(user_lifetime_day) AS last_active_day FROM user_day_age GROUP BY 1,2
-),
-unbounded_counts AS (
-  SELECT la.cohort_day_start, gs AS user_lifetime_day, COUNT(*) AS retained_users_unbounded
-  FROM last_active la
-  CROSS JOIN LATERAL generate_series(0, LEAST(la.last_active_day,(SELECT max_days FROM params))) gs
-  GROUP BY 1,2
-),
-cohort_sizes AS (SELECT cohort_day_start, COUNT(DISTINCT user_id) AS cohort_users FROM first_exec GROUP BY 1),
-cohort_caps AS (
-  SELECT cs.cohort_day_start, cs.cohort_users,
-         LEAST((SELECT max_days FROM params), GREATEST(0,(CURRENT_DATE-cs.cohort_day_start)::int)) AS cap_days
-  FROM cohort_sizes cs
-),
-grid AS (
-  SELECT cc.cohort_day_start, gs AS user_lifetime_day, cc.cohort_users
-  FROM cohort_caps cc CROSS JOIN LATERAL generate_series(0, cc.cap_days) gs
-)
-SELECT
-  g.cohort_day_start,
-  TO_CHAR(g.cohort_day_start,'YYYY-MM-DD')                                AS cohort_label,
-  TO_CHAR(g.cohort_day_start,'YYYY-MM-DD')||' (n='||g.cohort_users||')'   AS cohort_label_n,
-  g.user_lifetime_day, g.cohort_users,
-  COALESCE(b.active_users_bounded,0)     AS active_users_bounded,
-  COALESCE(u.retained_users_unbounded,0) AS retained_users_unbounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(b.active_users_bounded,0)::float/g.cohort_users END    AS retention_rate_bounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(u.retained_users_unbounded,0)::float/g.cohort_users END AS retention_rate_unbounded,
-  CASE WHEN g.user_lifetime_day=0 THEN g.cohort_users ELSE 0 END          AS cohort_users_d0
-FROM grid g
-LEFT JOIN bounded_counts   b ON b.cohort_day_start=g.cohort_day_start AND b.user_lifetime_day=g.user_lifetime_day
-LEFT JOIN unbounded_counts u ON u.cohort_day_start=g.cohort_day_start AND u.user_lifetime_day=g.user_lifetime_day
-ORDER BY g.cohort_day_start, g.user_lifetime_day;

autogpt_platform/analytics/queries/retention_execution_weekly.sql

@@ -1,81 +0,0 @@
--- =============================================================
--- View: analytics.retention_execution_weekly
--- Looker source alias: ds92  |  Charts: 2
--- =============================================================
--- DESCRIPTION
---   Weekly cohort retention based on agent executions.
---   Cohort anchor = week of user's FIRST ever agent execution
---   (not first login). Only includes cohorts from the last 180 days.
---   Useful when you care about product engagement, not just visits.
---
--- SOURCE TABLES
---   platform.AgentGraphExecution  — Execution records
---
--- OUTPUT COLUMNS
---   Same pattern as retention_login_weekly.
---   cohort_week_start = week of first execution (not first login)
---
--- EXAMPLE QUERIES
---   -- Week-2 execution retention
---   SELECT cohort_label, retention_rate_bounded
---   FROM analytics.retention_execution_weekly
---   WHERE user_lifetime_week = 2 ORDER BY cohort_week_start;
--- =============================================================
-
-WITH params AS (SELECT 12::int AS max_weeks, (CURRENT_DATE - INTERVAL '180 days') AS cohort_start),
-events AS (
-  SELECT e."userId"::text AS user_id, e."createdAt"::timestamptz AS created_at,
-         DATE_TRUNC('week', e."createdAt")::date AS week_start
-  FROM platform."AgentGraphExecution" e WHERE e."userId" IS NOT NULL
-),
-first_exec AS (
-  SELECT user_id, MIN(created_at) AS first_exec_at,
-         DATE_TRUNC('week', MIN(created_at))::date AS cohort_week_start
-  FROM events GROUP BY 1
-  HAVING MIN(created_at) >= (SELECT cohort_start FROM params)
-),
-activity_weeks AS (SELECT DISTINCT user_id, week_start FROM events),
-user_week_age AS (
-  SELECT aw.user_id, fe.cohort_week_start,
-         ((aw.week_start - DATE_TRUNC('week',fe.first_exec_at)::date)/7)::int AS user_lifetime_week
-  FROM activity_weeks aw JOIN first_exec fe USING (user_id)
-  WHERE aw.week_start >= DATE_TRUNC('week',fe.first_exec_at)::date
-),
-bounded_counts AS (
-  SELECT cohort_week_start, user_lifetime_week, COUNT(DISTINCT user_id) AS active_users_bounded
-  FROM user_week_age WHERE user_lifetime_week >= 0 GROUP BY 1,2
-),
-last_active AS (
-  SELECT cohort_week_start, user_id, MAX(user_lifetime_week) AS last_active_week FROM user_week_age GROUP BY 1,2
-),
-unbounded_counts AS (
-  SELECT la.cohort_week_start, gs AS user_lifetime_week, COUNT(*) AS retained_users_unbounded
-  FROM last_active la
-  CROSS JOIN LATERAL generate_series(0, LEAST(la.last_active_week,(SELECT max_weeks FROM params))) gs
-  GROUP BY 1,2
-),
-cohort_sizes AS (SELECT cohort_week_start, COUNT(DISTINCT user_id) AS cohort_users FROM first_exec GROUP BY 1),
-cohort_caps AS (
-  SELECT cs.cohort_week_start, cs.cohort_users,
-         LEAST((SELECT max_weeks FROM params),
-               GREATEST(0,((DATE_TRUNC('week',CURRENT_DATE)::date-cs.cohort_week_start)/7)::int)) AS cap_weeks
-  FROM cohort_sizes cs
-),
-grid AS (
-  SELECT cc.cohort_week_start, gs AS user_lifetime_week, cc.cohort_users
-  FROM cohort_caps cc CROSS JOIN LATERAL generate_series(0, cc.cap_weeks) gs
-)
-SELECT
-  g.cohort_week_start,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')                               AS cohort_label,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')||' (n='||g.cohort_users||')'  AS cohort_label_n,
-  g.user_lifetime_week, g.cohort_users,
-  COALESCE(b.active_users_bounded,0)     AS active_users_bounded,
-  COALESCE(u.retained_users_unbounded,0) AS retained_users_unbounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(b.active_users_bounded,0)::float/g.cohort_users END    AS retention_rate_bounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(u.retained_users_unbounded,0)::float/g.cohort_users END AS retention_rate_unbounded,
-  CASE WHEN g.user_lifetime_week=0 THEN g.cohort_users ELSE 0 END         AS cohort_users_w0
-FROM grid g
-LEFT JOIN bounded_counts   b ON b.cohort_week_start=g.cohort_week_start AND b.user_lifetime_week=g.user_lifetime_week
-LEFT JOIN unbounded_counts u ON u.cohort_week_start=g.cohort_week_start AND u.user_lifetime_week=g.user_lifetime_week
-ORDER BY g.cohort_week_start, g.user_lifetime_week;

autogpt_platform/analytics/queries/retention_login_daily.sql

@@ -1,94 +0,0 @@
--- =============================================================
--- View: analytics.retention_login_daily
--- Looker source alias: ds112  |  Charts: 1
--- =============================================================
--- DESCRIPTION
---   Daily cohort retention based on login sessions.
---   Same logic as retention_login_weekly but at day granularity,
---   showing up to day 30 for cohorts from the last 90 days.
---   Useful for analysing early activation (days 1-7) in detail.
---
--- SOURCE TABLES
---   auth.sessions  — Login session records
---
--- OUTPUT COLUMNS (same pattern as retention_login_weekly)
---   cohort_day_start          DATE     First day the cohort logged in
---   cohort_label              TEXT     Date string (e.g. '2025-03-01')
---   cohort_label_n            TEXT     Date + cohort size (e.g. '2025-03-01 (n=12)')
---   user_lifetime_day         INT      Days since first login (0 = signup day)
---   cohort_users              BIGINT   Total users in cohort
---   active_users_bounded      BIGINT   Users active on exactly day k
---   retained_users_unbounded  BIGINT   Users active any time on/after day k
---   retention_rate_bounded    FLOAT    bounded / cohort_users
---   retention_rate_unbounded  FLOAT    unbounded / cohort_users
---   cohort_users_d0           BIGINT   cohort_users only at day 0, else 0 (safe to SUM)
---
--- EXAMPLE QUERIES
---   -- Day-1 retention rate (came back next day)
---   SELECT cohort_label, retention_rate_bounded AS d1_retention
---   FROM analytics.retention_login_daily
---   WHERE user_lifetime_day = 1 ORDER BY cohort_day_start;
---
---   -- Average retention curve across all cohorts
---   SELECT user_lifetime_day,
---          SUM(active_users_bounded)::float / NULLIF(SUM(cohort_users_d0), 0) AS avg_retention
---   FROM analytics.retention_login_daily
---   GROUP BY 1 ORDER BY 1;
--- =============================================================
-
-WITH params AS (SELECT 30::int AS max_days, (CURRENT_DATE - INTERVAL '90 days')::date AS cohort_start),
-events AS (
-  SELECT s.user_id::text AS user_id, s.created_at::timestamptz AS created_at,
-         DATE_TRUNC('day', s.created_at)::date AS day_start
-  FROM auth.sessions s WHERE s.user_id IS NOT NULL
-),
-first_login AS (
-  SELECT user_id, MIN(created_at) AS first_login_time,
-         DATE_TRUNC('day', MIN(created_at))::date AS cohort_day_start
-  FROM events GROUP BY 1
-  HAVING MIN(created_at) >= (SELECT cohort_start FROM params)
-),
-activity_days AS (SELECT DISTINCT user_id, day_start FROM events),
-user_day_age AS (
-  SELECT ad.user_id, fl.cohort_day_start,
-         (ad.day_start - DATE_TRUNC('day', fl.first_login_time)::date)::int AS user_lifetime_day
-  FROM activity_days ad JOIN first_login fl USING (user_id)
-  WHERE ad.day_start >= DATE_TRUNC('day', fl.first_login_time)::date
-),
-bounded_counts AS (
-  SELECT cohort_day_start, user_lifetime_day, COUNT(DISTINCT user_id) AS active_users_bounded
-  FROM user_day_age WHERE user_lifetime_day >= 0 GROUP BY 1,2
-),
-last_active AS (
-  SELECT cohort_day_start, user_id, MAX(user_lifetime_day) AS last_active_day FROM user_day_age GROUP BY 1,2
-),
-unbounded_counts AS (
-  SELECT la.cohort_day_start, gs AS user_lifetime_day, COUNT(*) AS retained_users_unbounded
-  FROM last_active la
-  CROSS JOIN LATERAL generate_series(0, LEAST(la.last_active_day,(SELECT max_days FROM params))) gs
-  GROUP BY 1,2
-),
-cohort_sizes AS (SELECT cohort_day_start, COUNT(DISTINCT user_id) AS cohort_users FROM first_login GROUP BY 1),
-cohort_caps AS (
-  SELECT cs.cohort_day_start, cs.cohort_users,
-         LEAST((SELECT max_days FROM params), GREATEST(0,(CURRENT_DATE-cs.cohort_day_start)::int)) AS cap_days
-  FROM cohort_sizes cs
-),
-grid AS (
-  SELECT cc.cohort_day_start, gs AS user_lifetime_day, cc.cohort_users
-  FROM cohort_caps cc CROSS JOIN LATERAL generate_series(0, cc.cap_days) gs
-)
-SELECT
-  g.cohort_day_start,
-  TO_CHAR(g.cohort_day_start,'YYYY-MM-DD')                                  AS cohort_label,
-  TO_CHAR(g.cohort_day_start,'YYYY-MM-DD')||' (n='||g.cohort_users||')'     AS cohort_label_n,
-  g.user_lifetime_day, g.cohort_users,
-  COALESCE(b.active_users_bounded,0)     AS active_users_bounded,
-  COALESCE(u.retained_users_unbounded,0) AS retained_users_unbounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(b.active_users_bounded,0)::float/g.cohort_users END    AS retention_rate_bounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(u.retained_users_unbounded,0)::float/g.cohort_users END AS retention_rate_unbounded,
-  CASE WHEN g.user_lifetime_day=0 THEN g.cohort_users ELSE 0 END            AS cohort_users_d0
-FROM grid g
-LEFT JOIN bounded_counts   b ON b.cohort_day_start=g.cohort_day_start AND b.user_lifetime_day=g.user_lifetime_day
-LEFT JOIN unbounded_counts u ON u.cohort_day_start=g.cohort_day_start AND u.user_lifetime_day=g.user_lifetime_day
-ORDER BY g.cohort_day_start, g.user_lifetime_day;

autogpt_platform/analytics/queries/retention_login_onboarded_weekly.sql

@@ -1,96 +0,0 @@
--- =============================================================
--- View: analytics.retention_login_onboarded_weekly
--- Looker source alias: ds101  |  Charts: 2
--- =============================================================
--- DESCRIPTION
---   Weekly cohort retention from login sessions, restricted to
---   users who "onboarded" — defined as running at least one
---   agent within 365 days of their first login.
---   Filters out users who signed up but never activated,
---   giving a cleaner view of engaged-user retention.
---
--- SOURCE TABLES
---   auth.sessions                  — Login session records
---   platform.AgentGraphExecution   — Used to identify onboarders
---
--- OUTPUT COLUMNS
---   Same as retention_login_weekly (cohort_week_start, user_lifetime_week,
---   retention_rate_bounded, retention_rate_unbounded, etc.)
---   Only difference: cohort is filtered to onboarded users only.
---
--- EXAMPLE QUERIES
---   -- Compare week-4 retention: all users vs onboarded only
---   SELECT 'all_users' AS segment, AVG(retention_rate_bounded) AS w4_retention
---   FROM analytics.retention_login_weekly WHERE user_lifetime_week = 4
---   UNION ALL
---   SELECT 'onboarded', AVG(retention_rate_bounded)
---   FROM analytics.retention_login_onboarded_weekly WHERE user_lifetime_week = 4;
--- =============================================================
-
-WITH params AS (SELECT 12::int AS max_weeks, 365::int AS onboarding_window_days),
-events AS (
-  SELECT s.user_id::text AS user_id, s.created_at::timestamptz AS created_at,
-         DATE_TRUNC('week', s.created_at)::date AS week_start
-  FROM auth.sessions s WHERE s.user_id IS NOT NULL
-),
-first_login_all AS (
-  SELECT user_id, MIN(created_at) AS first_login_time,
-         DATE_TRUNC('week', MIN(created_at))::date AS cohort_week_start
-  FROM events GROUP BY 1
-),
-onboarders AS (
-  SELECT fl.user_id FROM first_login_all fl
-  WHERE EXISTS (
-    SELECT 1 FROM platform."AgentGraphExecution" e
-    WHERE e."userId"::text = fl.user_id
-      AND e."createdAt" >= fl.first_login_time
-      AND e."createdAt" < fl.first_login_time
-          + make_interval(days => (SELECT onboarding_window_days FROM params))
-  )
-),
-first_login AS (SELECT * FROM first_login_all WHERE user_id IN (SELECT user_id FROM onboarders)),
-activity_weeks AS (SELECT DISTINCT user_id, week_start FROM events),
-user_week_age AS (
-  SELECT aw.user_id, fl.cohort_week_start,
-         ((aw.week_start - DATE_TRUNC('week',fl.first_login_time)::date)/7)::int AS user_lifetime_week
-  FROM activity_weeks aw JOIN first_login fl USING (user_id)
-  WHERE aw.week_start >= DATE_TRUNC('week',fl.first_login_time)::date
-),
-bounded_counts AS (
-  SELECT cohort_week_start, user_lifetime_week, COUNT(DISTINCT user_id) AS active_users_bounded
-  FROM user_week_age WHERE user_lifetime_week >= 0 GROUP BY 1,2
-),
-last_active AS (
-  SELECT cohort_week_start, user_id, MAX(user_lifetime_week) AS last_active_week FROM user_week_age GROUP BY 1,2
-),
-unbounded_counts AS (
-  SELECT la.cohort_week_start, gs AS user_lifetime_week, COUNT(*) AS retained_users_unbounded
-  FROM last_active la
-  CROSS JOIN LATERAL generate_series(0, LEAST(la.last_active_week,(SELECT max_weeks FROM params))) gs
-  GROUP BY 1,2
-),
-cohort_sizes AS (SELECT cohort_week_start, COUNT(DISTINCT user_id) AS cohort_users FROM first_login GROUP BY 1),
-cohort_caps AS (
-  SELECT cs.cohort_week_start, cs.cohort_users,
-         LEAST((SELECT max_weeks FROM params),
-               GREATEST(0,((DATE_TRUNC('week',CURRENT_DATE)::date-cs.cohort_week_start)/7)::int)) AS cap_weeks
-  FROM cohort_sizes cs
-),
-grid AS (
-  SELECT cc.cohort_week_start, gs AS user_lifetime_week, cc.cohort_users
-  FROM cohort_caps cc CROSS JOIN LATERAL generate_series(0, cc.cap_weeks) gs
-)
-SELECT
-  g.cohort_week_start,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')                               AS cohort_label,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')||' (n='||g.cohort_users||')'  AS cohort_label_n,
-  g.user_lifetime_week, g.cohort_users,
-  COALESCE(b.active_users_bounded,0)     AS active_users_bounded,
-  COALESCE(u.retained_users_unbounded,0) AS retained_users_unbounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(b.active_users_bounded,0)::float/g.cohort_users END    AS retention_rate_bounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(u.retained_users_unbounded,0)::float/g.cohort_users END AS retention_rate_unbounded,
-  CASE WHEN g.user_lifetime_week=0 THEN g.cohort_users ELSE 0 END         AS cohort_users_w0
-FROM grid g
-LEFT JOIN bounded_counts   b ON b.cohort_week_start=g.cohort_week_start AND b.user_lifetime_week=g.user_lifetime_week
-LEFT JOIN unbounded_counts u ON u.cohort_week_start=g.cohort_week_start AND u.user_lifetime_week=g.user_lifetime_week
-ORDER BY g.cohort_week_start, g.user_lifetime_week;

autogpt_platform/analytics/queries/retention_login_weekly.sql

@@ -1,103 +0,0 @@
--- =============================================================
--- View: analytics.retention_login_weekly
--- Looker source alias: ds83  |  Charts: 2
--- =============================================================
--- DESCRIPTION
---   Weekly cohort retention based on login sessions.
---   Users are grouped by the ISO week of their first ever login.
---   For each cohort × lifetime-week combination, outputs both:
---     - bounded rate: % active in exactly that week
---     - unbounded rate: % who were ever active on or after that week
---   Weeks are capped to the cohort's actual age (no future data points).
---
--- SOURCE TABLES
---   auth.sessions  — Login session records
---
--- HOW TO READ THE OUTPUT
---   cohort_week_start   The Monday of the week users first logged in
---   user_lifetime_week  0 = signup week, 1 = one week later, etc.
---   retention_rate_bounded   = active_users_bounded / cohort_users
---   retention_rate_unbounded = retained_users_unbounded / cohort_users
---
--- OUTPUT COLUMNS
---   cohort_week_start         DATE     First day of the cohort's signup week
---   cohort_label              TEXT     ISO week label (e.g. '2025-W01')
---   cohort_label_n            TEXT     ISO week label with cohort size (e.g. '2025-W01 (n=42)')
---   user_lifetime_week        INT      Weeks since first login (0 = signup week)
---   cohort_users              BIGINT   Total users in this cohort (denominator)
---   active_users_bounded      BIGINT   Users active in exactly week k
---   retained_users_unbounded  BIGINT   Users active any time on/after week k
---   retention_rate_bounded    FLOAT    bounded active / cohort_users
---   retention_rate_unbounded  FLOAT    unbounded retained / cohort_users
---   cohort_users_w0           BIGINT   cohort_users only at week 0, else 0 (safe to SUM in pivot tables)
---
--- EXAMPLE QUERIES
---   -- Week-1 retention rate per cohort
---   SELECT cohort_label, retention_rate_bounded AS w1_retention
---   FROM analytics.retention_login_weekly
---   WHERE user_lifetime_week = 1
---   ORDER BY cohort_week_start;
---
---   -- Overall average retention curve (all cohorts combined)
---   SELECT user_lifetime_week,
---          SUM(active_users_bounded)::float / NULLIF(SUM(cohort_users_w0), 0) AS avg_retention
---   FROM analytics.retention_login_weekly
---   GROUP BY 1 ORDER BY 1;
--- =============================================================
-
-WITH params AS (SELECT 12::int AS max_weeks),
-events AS (
-  SELECT s.user_id::text AS user_id, s.created_at::timestamptz AS created_at,
-         DATE_TRUNC('week', s.created_at)::date AS week_start
-  FROM auth.sessions s WHERE s.user_id IS NOT NULL
-),
-first_login AS (
-  SELECT user_id, MIN(created_at) AS first_login_time,
-         DATE_TRUNC('week', MIN(created_at))::date AS cohort_week_start
-  FROM events GROUP BY 1
-),
-activity_weeks AS (SELECT DISTINCT user_id, week_start FROM events),
-user_week_age AS (
-  SELECT aw.user_id, fl.cohort_week_start,
-         ((aw.week_start - DATE_TRUNC('week', fl.first_login_time)::date) / 7)::int AS user_lifetime_week
-  FROM activity_weeks aw JOIN first_login fl USING (user_id)
-  WHERE aw.week_start >= DATE_TRUNC('week', fl.first_login_time)::date
-),
-bounded_counts AS (
-  SELECT cohort_week_start, user_lifetime_week, COUNT(DISTINCT user_id) AS active_users_bounded
-  FROM user_week_age WHERE user_lifetime_week >= 0 GROUP BY 1,2
-),
-last_active AS (
-  SELECT cohort_week_start, user_id, MAX(user_lifetime_week) AS last_active_week FROM user_week_age GROUP BY 1,2
-),
-unbounded_counts AS (
-  SELECT la.cohort_week_start, gs AS user_lifetime_week, COUNT(*) AS retained_users_unbounded
-  FROM last_active la
-  CROSS JOIN LATERAL generate_series(0, LEAST(la.last_active_week,(SELECT max_weeks FROM params))) gs
-  GROUP BY 1,2
-),
-cohort_sizes AS (SELECT cohort_week_start, COUNT(DISTINCT user_id) AS cohort_users FROM first_login GROUP BY 1),
-cohort_caps AS (
-  SELECT cs.cohort_week_start, cs.cohort_users,
-         LEAST((SELECT max_weeks FROM params),
-               GREATEST(0,((DATE_TRUNC('week',CURRENT_DATE)::date - cs.cohort_week_start)/7)::int)) AS cap_weeks
-  FROM cohort_sizes cs
-),
-grid AS (
-  SELECT cc.cohort_week_start, gs AS user_lifetime_week, cc.cohort_users
-  FROM cohort_caps cc CROSS JOIN LATERAL generate_series(0, cc.cap_weeks) gs
-)
-SELECT
-  g.cohort_week_start,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')                                    AS cohort_label,
-  TO_CHAR(g.cohort_week_start,'IYYY-"W"IW')||' (n='||g.cohort_users||')'       AS cohort_label_n,
-  g.user_lifetime_week, g.cohort_users,
-  COALESCE(b.active_users_bounded,0)     AS active_users_bounded,
-  COALESCE(u.retained_users_unbounded,0) AS retained_users_unbounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(b.active_users_bounded,0)::float/g.cohort_users END    AS retention_rate_bounded,
-  CASE WHEN g.cohort_users>0 THEN COALESCE(u.retained_users_unbounded,0)::float/g.cohort_users END AS retention_rate_unbounded,
-  CASE WHEN g.user_lifetime_week=0 THEN g.cohort_users ELSE 0 END               AS cohort_users_w0
-FROM grid g
-LEFT JOIN bounded_counts   b ON b.cohort_week_start=g.cohort_week_start AND b.user_lifetime_week=g.user_lifetime_week
-LEFT JOIN unbounded_counts u ON u.cohort_week_start=g.cohort_week_start AND u.user_lifetime_week=g.user_lifetime_week
-ORDER BY g.cohort_week_start, g.user_lifetime_week

autogpt_platform/analytics/queries/user_block_spending.sql

@@ -1,71 +0,0 @@
--- =============================================================
--- View: analytics.user_block_spending
--- Looker source alias: ds6  |  Charts: 5
--- =============================================================
--- DESCRIPTION
---   One row per credit transaction (last 90 days).
---   Shows how users spend credits broken down by block type,
---   LLM provider and model.  Joins node execution stats for
---   token-level detail.
---
--- SOURCE TABLES
---   platform.CreditTransaction   — Credit debit/credit records
---   platform.AgentNodeExecution  — Node execution stats (for token counts)
---
--- OUTPUT COLUMNS
---   transactionKey        TEXT         Unique transaction identifier
---   userId                TEXT         User who was charged
---   amount                DECIMAL      Credit amount (positive = credit, negative = debit)
---   negativeAmount        DECIMAL      amount * -1 (convenience for spend charts)
---   transactionType       TEXT         Transaction type (e.g. 'USAGE', 'REFUND', 'TOP_UP')
---   transactionTime       TIMESTAMPTZ  When the transaction was recorded
---   blockId               TEXT         Block UUID that triggered the spend
---   blockName             TEXT         Human-readable block name
---   llm_provider          TEXT         LLM provider (e.g. 'openai', 'anthropic')
---   llm_model             TEXT         Model name (e.g. 'gpt-4o', 'claude-3-5-sonnet')
---   node_exec_id          TEXT         Linked node execution UUID
---   llm_call_count        INT          LLM API calls made in that execution
---   llm_retry_count       INT          LLM retries in that execution
---   llm_input_token_count INT          Input tokens consumed
---   llm_output_token_count INT         Output tokens produced
---
--- WINDOW
---   Rolling 90 days (createdAt > CURRENT_DATE - 90 days)
---
--- EXAMPLE QUERIES
---   -- Total spend per user (last 90 days)
---   SELECT "userId", SUM("negativeAmount") AS total_spent
---   FROM analytics.user_block_spending
---   WHERE "transactionType" = 'USAGE'
---   GROUP BY 1 ORDER BY total_spent DESC;
---
---   -- Spend by LLM provider + model
---   SELECT "llm_provider", "llm_model",
---          SUM("negativeAmount") AS total_cost,
---          SUM("llm_input_token_count") AS input_tokens,
---          SUM("llm_output_token_count") AS output_tokens
---   FROM analytics.user_block_spending
---   WHERE "llm_provider" IS NOT NULL
---   GROUP BY 1, 2 ORDER BY total_cost DESC;
--- =============================================================
-
-SELECT
-    c."transactionKey"                                        AS transactionKey,
-    c."userId"                                                AS userId,
-    c."amount"                                                AS amount,
-    c."amount" * -1                                           AS negativeAmount,
-    c."type"                                                  AS transactionType,
-    c."createdAt"                                             AS transactionTime,
-    c.metadata->>'block_id'                                   AS blockId,
-    c.metadata->>'block'                                      AS blockName,
-    c.metadata->'input'->'credentials'->>'provider'           AS llm_provider,
-    c.metadata->'input'->>'model'                             AS llm_model,
-    c.metadata->>'node_exec_id'                               AS node_exec_id,
-    (ne."stats"->>'llm_call_count')::int                       AS llm_call_count,
-    (ne."stats"->>'llm_retry_count')::int                      AS llm_retry_count,
-    (ne."stats"->>'input_token_count')::int                    AS llm_input_token_count,
-    (ne."stats"->>'output_token_count')::int                   AS llm_output_token_count
-FROM platform."CreditTransaction" c
-LEFT JOIN platform."AgentNodeExecution" ne
-       ON (c.metadata->>'node_exec_id') = ne."id"::text
-WHERE c."createdAt" > CURRENT_DATE - INTERVAL '90 days'

autogpt_platform/analytics/queries/user_onboarding.sql

@@ -1,45 +0,0 @@
--- =============================================================
--- View: analytics.user_onboarding
--- Looker source alias: ds68  |  Charts: 3
--- =============================================================
--- DESCRIPTION
---   One row per user onboarding record.  Contains the user's
---   stated usage reason, selected integrations, completed
---   onboarding steps and optional first agent selection.
---   Full history (no date filter) since onboarding happens
---   once per user.
---
--- SOURCE TABLES
---   platform.UserOnboarding  — Onboarding state per user
---
--- OUTPUT COLUMNS
---   id                            TEXT         Onboarding record UUID
---   createdAt                     TIMESTAMPTZ  When onboarding started
---   updatedAt                     TIMESTAMPTZ  Last update to onboarding state
---   usageReason                   TEXT         Why user signed up (e.g. 'work', 'personal')
---   integrations                  TEXT[]       Array of integration names the user selected
---   userId                        TEXT         User UUID
---   completedSteps                TEXT[]       Array of onboarding step enums completed
---   selectedStoreListingVersionId TEXT         First marketplace agent the user chose (if any)
---
--- EXAMPLE QUERIES
---   -- Usage reason breakdown
---   SELECT "usageReason", COUNT(*) FROM analytics.user_onboarding GROUP BY 1;
---
---   -- Completion rate per step
---   SELECT step, COUNT(*) AS users_completed
---   FROM analytics.user_onboarding
---   CROSS JOIN LATERAL UNNEST("completedSteps") AS step
---   GROUP BY 1 ORDER BY users_completed DESC;
--- =============================================================
-
-SELECT
-    id,
-    "createdAt",
-    "updatedAt",
-    "usageReason",
-    integrations,
-    "userId",
-    "completedSteps",
-    "selectedStoreListingVersionId"
-FROM platform."UserOnboarding"

autogpt_platform/analytics/queries/user_onboarding_funnel.sql

@@ -1,100 +0,0 @@
--- =============================================================
--- View: analytics.user_onboarding_funnel
--- Looker source alias: ds74  |  Charts: 1
--- =============================================================
--- DESCRIPTION
---   Pre-aggregated onboarding funnel showing how many users
---   completed each step and the drop-off percentage from the
---   previous step.  One row per onboarding step (all 22 steps
---   always present, even with 0 completions — prevents sparse
---   gaps from making LAG compare the wrong predecessors).
---
--- SOURCE TABLES
---   platform.UserOnboarding  — Onboarding records with completedSteps array
---
--- OUTPUT COLUMNS
---   step             TEXT     Onboarding step enum name (e.g. 'WELCOME', 'CONGRATS')
---   step_order       INT      Numeric position in the funnel (1=first, 22=last)
---   users_completed  BIGINT   Distinct users who completed this step
---   pct_from_prev    NUMERIC  % of users from the previous step who reached this one
---
--- STEP ORDER
---   1  WELCOME               9  MARKETPLACE_VISIT     17  SCHEDULE_AGENT
---   2  USAGE_REASON         10  MARKETPLACE_ADD_AGENT  18  RUN_AGENTS
---   3  INTEGRATIONS         11  MARKETPLACE_RUN_AGENT  19  RUN_3_DAYS
---   4  AGENT_CHOICE         12  BUILDER_OPEN           20  TRIGGER_WEBHOOK
---   5  AGENT_NEW_RUN        13  BUILDER_SAVE_AGENT     21  RUN_14_DAYS
---   6  AGENT_INPUT          14  BUILDER_RUN_AGENT      22  RUN_AGENTS_100
---   7  CONGRATS             15  VISIT_COPILOT
---   8  GET_RESULTS          16  RE_RUN_AGENT
---
--- WINDOW
---   Users who started onboarding in the last 90 days
---
--- EXAMPLE QUERIES
---   -- Full funnel
---   SELECT * FROM analytics.user_onboarding_funnel ORDER BY step_order;
---
---   -- Biggest drop-off point
---   SELECT step, pct_from_prev FROM analytics.user_onboarding_funnel
---   ORDER BY pct_from_prev ASC LIMIT 3;
--- =============================================================
-
-WITH all_steps AS (
-  -- Complete ordered grid of all 22 steps so zero-completion steps
-  -- are always present, keeping LAG comparisons correct.
-  SELECT step_name, step_order
-  FROM (VALUES
-    ('WELCOME',               1),
-    ('USAGE_REASON',          2),
-    ('INTEGRATIONS',          3),
-    ('AGENT_CHOICE',          4),
-    ('AGENT_NEW_RUN',         5),
-    ('AGENT_INPUT',           6),
-    ('CONGRATS',              7),
-    ('GET_RESULTS',           8),
-    ('MARKETPLACE_VISIT',     9),
-    ('MARKETPLACE_ADD_AGENT', 10),
-    ('MARKETPLACE_RUN_AGENT', 11),
-    ('BUILDER_OPEN',          12),
-    ('BUILDER_SAVE_AGENT',    13),
-    ('BUILDER_RUN_AGENT',     14),
-    ('VISIT_COPILOT',         15),
-    ('RE_RUN_AGENT',          16),
-    ('SCHEDULE_AGENT',        17),
-    ('RUN_AGENTS',            18),
-    ('RUN_3_DAYS',            19),
-    ('TRIGGER_WEBHOOK',       20),
-    ('RUN_14_DAYS',           21),
-    ('RUN_AGENTS_100',        22)
-  ) AS t(step_name, step_order)
-),
-raw AS (
-  SELECT
-      u."userId",
-      step_txt::text AS step
-  FROM platform."UserOnboarding" u
-  CROSS JOIN LATERAL UNNEST(u."completedSteps") AS step_txt
-  WHERE u."createdAt" >= CURRENT_DATE - INTERVAL '90 days'
-),
-step_counts AS (
-  SELECT step, COUNT(DISTINCT "userId") AS users_completed
-  FROM raw GROUP BY step
-),
-funnel AS (
-  SELECT
-      a.step_name                          AS step,
-      a.step_order,
-      COALESCE(sc.users_completed, 0)      AS users_completed,
-      ROUND(
-        100.0 * COALESCE(sc.users_completed, 0)
-        / NULLIF(
-            LAG(COALESCE(sc.users_completed, 0)) OVER (ORDER BY a.step_order),
-            0
-          ),
-        2
-      )                                    AS pct_from_prev
-  FROM all_steps a
-  LEFT JOIN step_counts sc ON sc.step = a.step_name
-)
-SELECT * FROM funnel ORDER BY step_order

autogpt_platform/analytics/queries/user_onboarding_integration.sql

@@ -1,41 +0,0 @@
--- =============================================================
--- View: analytics.user_onboarding_integration
--- Looker source alias: ds75  |  Charts: 1
--- =============================================================
--- DESCRIPTION
---   Pre-aggregated count of users who selected each integration
---   during onboarding.  One row per integration type, sorted
---   by popularity.
---
--- SOURCE TABLES
---   platform.UserOnboarding  — integrations array column
---
--- OUTPUT COLUMNS
---   integration            TEXT    Integration name (e.g. 'github', 'slack', 'notion')
---   users_with_integration BIGINT  Distinct users who selected this integration
---
--- WINDOW
---   Users who started onboarding in the last 90 days
---
--- EXAMPLE QUERIES
---   -- Full integration popularity ranking
---   SELECT * FROM analytics.user_onboarding_integration;
---
---   -- Top 5 integrations
---   SELECT * FROM analytics.user_onboarding_integration LIMIT 5;
--- =============================================================
-
-WITH exploded AS (
-  SELECT
-      u."userId" AS user_id,
-      UNNEST(u."integrations") AS integration
-  FROM platform."UserOnboarding" u
-  WHERE u."createdAt" >= CURRENT_DATE - INTERVAL '90 days'
-)
-SELECT
-    integration,
-    COUNT(DISTINCT user_id) AS users_with_integration
-FROM exploded
-WHERE integration IS NOT NULL AND integration <> ''
-GROUP BY integration
-ORDER BY users_with_integration DESC

autogpt_platform/analytics/queries/users_activities.sql

@@ -1,145 +0,0 @@
--- =============================================================
--- View: analytics.users_activities
--- Looker source alias: ds56  |  Charts: 5
--- =============================================================
--- DESCRIPTION
---   One row per user with lifetime activity summary.
---   Joins login sessions with agent graphs, executions and
---   node-level runs to give a full picture of how engaged
---   each user is.  Includes a convenience flag for 7-day
---   activation (did the user return at least 7 days after
---   their first login?).
---
--- SOURCE TABLES
---   auth.sessions                    — Login/session records
---   platform.AgentGraph              — Graphs (agents) built by the user
---   platform.AgentGraphExecution     — Agent run history
---   platform.AgentNodeExecution      — Individual block execution history
---
--- PERFORMANCE NOTE
---   Each CTE aggregates its own table independently by userId.
---   This avoids the fan-out that occurs when driving every join
---   from user_logins across the two largest tables
---   (AgentGraphExecution and AgentNodeExecution).
---
--- OUTPUT COLUMNS
---   user_id                   TEXT         Supabase user UUID
---   first_login_time          TIMESTAMPTZ  First ever session created_at
---   last_login_time           TIMESTAMPTZ  Most recent session created_at
---   last_visit_time           TIMESTAMPTZ  Max of last refresh or login
---   last_agent_save_time      TIMESTAMPTZ  Last time user saved an agent graph
---   agent_count               BIGINT       Number of distinct active graphs built (0 if none)
---   first_agent_run_time      TIMESTAMPTZ  First ever graph execution
---   last_agent_run_time       TIMESTAMPTZ  Most recent graph execution
---   unique_agent_runs         BIGINT       Distinct agent graphs ever run (0 if none)
---   agent_runs                BIGINT       Total graph execution count (0 if none)
---   node_execution_count      BIGINT       Total node executions across all runs
---   node_execution_failed     BIGINT       Node executions with FAILED status
---   node_execution_completed  BIGINT       Node executions with COMPLETED status
---   node_execution_terminated BIGINT       Node executions with TERMINATED status
---   node_execution_queued     BIGINT       Node executions with QUEUED status
---   node_execution_running    BIGINT       Node executions with RUNNING status
---   is_active_after_7d        INT          1=returned after day 7, 0=did not, NULL=too early to tell
---   node_execution_incomplete BIGINT       Node executions with INCOMPLETE status
---   node_execution_review     BIGINT       Node executions with REVIEW status
---
--- EXAMPLE QUERIES
---   -- Users who ran at least one agent and returned after 7 days
---   SELECT COUNT(*) FROM analytics.users_activities
---   WHERE agent_runs > 0 AND is_active_after_7d = 1;
---
---   -- Top 10 most active users by agent runs
---   SELECT user_id, agent_runs, node_execution_count
---   FROM analytics.users_activities
---   ORDER BY agent_runs DESC LIMIT 10;
---
---   -- 7-day activation rate
---   SELECT
---     SUM(CASE WHEN is_active_after_7d = 1 THEN 1 ELSE 0 END)::float
---     / NULLIF(COUNT(CASE WHEN is_active_after_7d IS NOT NULL THEN 1 END), 0)
---     AS activation_rate
---   FROM analytics.users_activities;
--- =============================================================
-
-WITH user_logins AS (
-  SELECT
-    user_id::text                                    AS user_id,
-    MIN(created_at)                                  AS first_login_time,
-    MAX(created_at)                                  AS last_login_time,
-    GREATEST(
-      MAX(refreshed_at)::timestamptz,
-      MAX(created_at)::timestamptz
-    )                                                AS last_visit_time
-  FROM auth.sessions
-  GROUP BY user_id
-),
-user_agents AS (
-  -- Aggregate AgentGraph directly by userId (no fan-out from user_logins)
-  SELECT
-    "userId"::text                AS user_id,
-    MAX("updatedAt")              AS last_agent_save_time,
-    COUNT(DISTINCT "id")          AS agent_count
-  FROM platform."AgentGraph"
-  WHERE "isActive"
-  GROUP BY "userId"
-),
-user_graph_runs AS (
-  -- Aggregate AgentGraphExecution directly by userId
-  SELECT
-    "userId"::text                        AS user_id,
-    MIN("createdAt")                      AS first_agent_run_time,
-    MAX("createdAt")                      AS last_agent_run_time,
-    COUNT(DISTINCT "agentGraphId")        AS unique_agent_runs,
-    COUNT("id")                           AS agent_runs
-  FROM platform."AgentGraphExecution"
-  GROUP BY "userId"
-),
-user_node_runs AS (
-  -- Aggregate AgentNodeExecution directly; resolve userId via a
-  -- single join to AgentGraphExecution instead of fanning out from
-  -- user_logins through both large tables.
-  SELECT
-    g."userId"::text                                                   AS user_id,
-    COUNT(*)                                                           AS node_execution_count,
-    COUNT(*) FILTER (WHERE n."executionStatus" = 'FAILED')             AS node_execution_failed,
-    COUNT(*) FILTER (WHERE n."executionStatus" = 'COMPLETED')          AS node_execution_completed,
-    COUNT(*) FILTER (WHERE n."executionStatus" = 'TERMINATED')         AS node_execution_terminated,
-    COUNT(*) FILTER (WHERE n."executionStatus" = 'QUEUED')             AS node_execution_queued,
-    COUNT(*) FILTER (WHERE n."executionStatus" = 'RUNNING')            AS node_execution_running,
-    COUNT(*) FILTER (WHERE n."executionStatus" = 'INCOMPLETE')         AS node_execution_incomplete,
-    COUNT(*) FILTER (WHERE n."executionStatus" = 'REVIEW')             AS node_execution_review
-  FROM platform."AgentNodeExecution" n
-  JOIN platform."AgentGraphExecution" g
-    ON g."id" = n."agentGraphExecutionId"
-  GROUP BY g."userId"
-)
-SELECT
-  ul.user_id,
-  ul.first_login_time,
-  ul.last_login_time,
-  ul.last_visit_time,
-  ua.last_agent_save_time,
-  COALESCE(ua.agent_count, 0)             AS agent_count,
-  gr.first_agent_run_time,
-  gr.last_agent_run_time,
-  COALESCE(gr.unique_agent_runs, 0)       AS unique_agent_runs,
-  COALESCE(gr.agent_runs, 0)              AS agent_runs,
-  COALESCE(nr.node_execution_count, 0)      AS node_execution_count,
-  COALESCE(nr.node_execution_failed, 0)     AS node_execution_failed,
-  COALESCE(nr.node_execution_completed, 0)  AS node_execution_completed,
-  COALESCE(nr.node_execution_terminated, 0) AS node_execution_terminated,
-  COALESCE(nr.node_execution_queued, 0)     AS node_execution_queued,
-  COALESCE(nr.node_execution_running, 0)    AS node_execution_running,
-  CASE
-    WHEN ul.first_login_time < NOW() - INTERVAL '7 days'
-     AND ul.last_visit_time  >= ul.first_login_time + INTERVAL '7 days' THEN 1
-    WHEN ul.first_login_time < NOW() - INTERVAL '7 days'
-     AND ul.last_visit_time  <  ul.first_login_time + INTERVAL '7 days' THEN 0
-    ELSE NULL
-  END AS is_active_after_7d,
-  COALESCE(nr.node_execution_incomplete, 0) AS node_execution_incomplete,
-  COALESCE(nr.node_execution_review, 0)     AS node_execution_review
-FROM user_logins ul
-LEFT JOIN user_agents     ua ON ul.user_id = ua.user_id
-LEFT JOIN user_graph_runs gr ON ul.user_id = gr.user_id
-LEFT JOIN user_node_runs  nr ON ul.user_id = nr.user_id

autogpt_platform/autogpt_libs/autogpt_libs/auth/__init__.py

@@ -5,7 +5,7 @@ from .dependencies import (
     requires_admin_user,
     requires_user,
 )
-from .helpers import add_auth_responses_to_openapi
+from .jwt_utils import add_auth_responses_to_openapi
 from .models import User
 
 __all__ = [

autogpt_platform/autogpt_libs/autogpt_libs/auth/helpers.py

@@ -1,9 +1,9 @@
 from fastapi import FastAPI
 
-from .jwt_utils import bearer_jwt_auth
 
-
-def add_auth_responses_to_openapi(app: FastAPI) -> None:
+def add_auth_responses_to_openapi(
+    app: FastAPI, supported_auth_schemes: list[str]
+) -> None:
     """
     Patch a FastAPI instance's `openapi()` method to add 401 responses
     to all authenticated endpoints.
@@ -29,7 +29,7 @@ def add_auth_responses_to_openapi(app: FastAPI) -> None:
                     for auth_option in details.get("security", [])
                     for schema in auth_option.keys()
                 ]
-                if bearer_jwt_auth.scheme_name not in security_schemas:
+                if not any(s in security_schemas for s in supported_auth_schemes):
                     continue
 
                 if "responses" not in details:

autogpt_platform/autogpt_libs/autogpt_libs/auth/helpers_test.py

@@ -8,8 +8,7 @@ from unittest import mock
 from fastapi import FastAPI
 from fastapi.openapi.utils import get_openapi
 
-from autogpt_libs.auth.helpers import add_auth_responses_to_openapi
-from autogpt_libs.auth.jwt_utils import bearer_jwt_auth
+from autogpt_libs.auth.jwt_utils import add_auth_responses_to_openapi, bearer_jwt_auth
 
 
 def test_add_auth_responses_to_openapi_basic():

autogpt_platform/autogpt_libs/autogpt_libs/auth/jwt_utils.py

@@ -2,7 +2,7 @@ import logging
 from typing import Any
 
 import jwt
-from fastapi import HTTPException, Security
+from fastapi import FastAPI, HTTPException, Security
 from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
 
 from .config import get_settings
@@ -78,3 +78,12 @@ def verify_user(jwt_payload: dict | None, admin_only: bool) -> User:
         raise HTTPException(status_code=403, detail="Admin access required")
 
     return User.from_payload(jwt_payload)
+
+
+def add_auth_responses_to_openapi(app: FastAPI) -> None:
+    """
+    Add 401 responses to all endpoints that use the bearer JWT authentication scheme.
+    """
+    from .helpers import add_auth_responses_to_openapi
+
+    add_auth_responses_to_openapi(app, [bearer_jwt_auth.scheme_name])

autogpt_platform/backend/.env.default

@@ -37,10 +37,6 @@ JWT_VERIFY_KEY=your-super-secret-jwt-token-with-at-least-32-characters-long
 ENCRYPTION_KEY=dvziYgz0KSK8FENhju0ZYi8-fRTfAdlz6YLhdB_jhNw=
 UNSUBSCRIBE_SECRET_KEY=HlP8ivStJjmbf6NKi78m_3FnOogut0t5ckzjsIqeaio=
 
-## ===== SIGNUP / INVITE GATE ===== ##
-# Set to true to require an invite before users can sign up
-ENABLE_INVITE_GATE=false
-
 ## ===== IMPORTANT OPTIONAL CONFIGURATION ===== ##
 # Platform URLs (set these for webhooks and OAuth to work)
 PLATFORM_BASE_URL=http://localhost:8000

autogpt_platform/backend/CLAUDE.md

@@ -58,31 +58,10 @@ poetry run pytest path/to/test.py --snapshot-update
 - **Authentication**: JWT-based with Supabase integration
 - **Security**: Cache protection middleware prevents sensitive data caching in browsers/proxies
 
-## Code Style
-
-- **Top-level imports only** — no local/inner imports (lazy imports only for heavy optional deps like `openpyxl`)
-- **No duck typing** — no `hasattr`/`getattr`/`isinstance` for type dispatch; use typed interfaces/unions/protocols
-- **Pydantic models** over dataclass/namedtuple/dict for structured data
-- **No linter suppressors** — no `# type: ignore`, `# noqa`, `# pyright: ignore`; fix the type/code
-- **List comprehensions** over manual loop-and-append
-- **Early return** — guard clauses first, avoid deep nesting
-- **Lazy `%s` logging** — `logger.info("Processing %s items", count)` not `logger.info(f"Processing {count} items")`
-- **Sanitize error paths** — `os.path.basename()` in error messages to avoid leaking directory structure
-- **TOCTOU awareness** — avoid check-then-act patterns for file access and credit charging
-- **`Security()` vs `Depends()`** — use `Security()` for auth deps to get proper OpenAPI security spec
-- **Redis pipelines** — `transaction=True` for atomicity on multi-step operations
-- **`max(0, value)` guards** — for computed values that should never be negative
-- **SSE protocol** — `data:` lines for frontend-parsed events (must match Zod schema), `: comment` lines for heartbeats/status
-- **File length** — keep files under ~300 lines; if a file grows beyond this, split by responsibility (e.g. extract helpers, models, or a sub-module into a new file). Never keep appending to a long file.
-- **Function length** — keep functions under ~40 lines; extract named helpers when a function grows longer. Long functions are a sign of mixed concerns, not complexity.
-
 ## Testing Approach
 
 - Uses pytest with snapshot testing for API responses
 - Test files are colocated with source files (`*_test.py`)
-- Mock at boundaries — mock where the symbol is **used**, not where it's **defined**
-- After refactoring, update mock targets to match new module paths
-- Use `AsyncMock` for async functions (`from unittest.mock import AsyncMock`)
 
 ## Database Schema
 

autogpt_platform/backend/backend/api/external/fastapi_app.py

@@ -1,21 +1,57 @@
-from fastapi import FastAPI
+"""
+External API Application
+
+This module defines the main FastAPI application for the external API,
+which mounts the v1 and v2 sub-applications.
+"""
+
+from fastapi import FastAPI
+from fastapi.responses import RedirectResponse
 
-from backend.api.middleware.security import SecurityHeadersMiddleware
 from backend.monitoring.instrumentation import instrument_fastapi
 
-from .v1.routes import v1_router
+from .v1.app import v1_app
+from .v2.app import v2_app
+
+DESCRIPTION = """
+The external API provides programmatic access to the AutoGPT Platform for building
+integrations, automations, and custom applications.
+
+### API Versions
+
+| Version             | End of Life | Path                   | Documentation |
+|---------------------|-------------|------------------------|---------------|
+| **v2**              |             | `/external-api/v2/...` | [v2 docs](v2/docs) |
+| **v1** (deprecated) | 2025-05-01  | `/external-api/v1/...` | [v1 docs](v1/docs) |
+
+**Recommendation**: New integrations should use v2.
+
+For authentication details and usage examples, see the
+[API Integration Guide](https://docs.agpt.co/platform/integrating/api-guide/).
+"""
 
 external_api = FastAPI(
-    title="AutoGPT External API",
-    description="External API for AutoGPT integrations",
+    title="AutoGPT Platform API",
+    summary="External API for AutoGPT Platform integrations",
+    description=DESCRIPTION,
+    version="2.0.0",
     docs_url="/docs",
-    version="1.0",
+    redoc_url="/redoc",
 )
 
-external_api.add_middleware(SecurityHeadersMiddleware)
-external_api.include_router(v1_router, prefix="/v1")
 
-# Add Prometheus instrumentation
+@external_api.get("/", include_in_schema=False)
+async def root_redirect() -> RedirectResponse:
+    """Redirect root to API documentation."""
+    return RedirectResponse(url="/docs")
+
+
+# Mount versioned sub-applications
+# Each sub-app has its own /docs page at /v1/docs and /v2/docs
+external_api.mount("/v1", v1_app)
+external_api.mount("/v2", v2_app)
+
+# Add Prometheus instrumentation to the main app
 instrument_fastapi(
     external_api,
     service_name="external-api",

autogpt_platform/backend/backend/api/external/middleware.py

@@ -1,4 +1,4 @@
-from fastapi import HTTPException, Security, status
+from fastapi import FastAPI, HTTPException, Security, status
 from fastapi.security import APIKeyHeader, HTTPAuthorizationCredentials, HTTPBearer
 from prisma.enums import APIKeyPermission
 
@@ -96,7 +96,9 @@ def require_permission(*permissions: APIKeyPermission):
     """
 
     async def check_permissions(
-        auth: APIAuthorizationInfo = Security(require_auth),
+        auth: APIAuthorizationInfo = Security(
+            require_auth, scopes=[p.value for p in permissions]
+        ),
     ) -> APIAuthorizationInfo:
         missing = [p for p in permissions if p not in auth.scopes]
         if missing:
@@ -108,3 +110,15 @@ def require_permission(*permissions: APIKeyPermission):
         return auth
 
     return check_permissions
+
+
+def add_auth_responses_to_openapi(app: FastAPI) -> None:
+    """
+    Add 401 responses to all endpoints secured with `require_auth`,
+    `require_api_key`, or `require_access_token` middleware.
+    """
+    from autogpt_libs.auth.helpers import add_auth_responses_to_openapi
+
+    add_auth_responses_to_openapi(
+        app, [api_key_header.scheme_name, bearer_auth.scheme_name]
+    )

autogpt_platform/backend/backend/api/external/v1/app.py

@@ -0,0 +1,50 @@
+"""
+V1 External API Application
+
+This module defines the FastAPI application for the v1 external API.
+"""
+
+from fastapi import FastAPI
+
+from backend.api.external.middleware import add_auth_responses_to_openapi
+from backend.api.middleware.security import SecurityHeadersMiddleware
+from backend.api.utils.exceptions import add_exception_handlers
+from backend.api.utils.openapi import sort_openapi
+
+from .routes import v1_router
+
+DESCRIPTION = """
+The v1 API provides access to core AutoGPT functionality for external integrations.
+
+For authentication details and usage examples, see the
+[API Integration Guide](https://docs.agpt.co/platform/integrating/api-guide/).
+"""
+
+v1_app = FastAPI(
+    title="AutoGPT Platform API",
+    summary="External API for AutoGPT Platform integrations (v1)",
+    description=DESCRIPTION,
+    version="1.0.0",
+    docs_url="/docs",
+    redoc_url="/redoc",
+    openapi_url="/openapi.json",
+    openapi_tags=[
+        {"name": "user", "description": "User information"},
+        {"name": "blocks", "description": "Block operations"},
+        {"name": "graphs", "description": "Graph execution"},
+        {"name": "store", "description": "Marketplace agents and creators"},
+        {"name": "integrations", "description": "OAuth credential management"},
+        {"name": "tools", "description": "AI assistant tools"},
+    ],
+)
+
+v1_app.add_middleware(SecurityHeadersMiddleware)
+v1_app.include_router(v1_router)
+
+# Mounted sub-apps do NOT inherit exception handlers from the parent app.
+add_exception_handlers(v1_app)
+
+# Add 401 responses to authenticated endpoints in OpenAPI spec
+add_auth_responses_to_openapi(v1_app)
+# Sort OpenAPI schema to eliminate diff on refactors
+sort_openapi(v1_app)

autogpt_platform/backend/backend/api/external/v2/__init__.py

@@ -0,0 +1,9 @@
+"""
+V2 External API
+
+This module provides the v2 external API for programmatic access to the AutoGPT Platform.
+"""
+
+from .routes import v2_router
+
+__all__ = ["v2_router"]

autogpt_platform/backend/backend/api/external/v2/app.py

@@ -0,0 +1,112 @@
+"""
+V2 External API Application
+
+This module defines the FastAPI application for the v2 external API.
+"""
+
+from fastapi import FastAPI
+
+from backend.api.external.middleware import add_auth_responses_to_openapi
+from backend.api.middleware.security import SecurityHeadersMiddleware
+from backend.api.utils.exceptions import add_exception_handlers
+from backend.api.utils.openapi import sort_openapi
+
+from .mcp_server import create_mcp_app
+from .routes import v2_router
+
+DESCRIPTION = """
+The v2 API provides comprehensive access to the AutoGPT Platform for building
+integrations, automations, and custom applications.
+
+### Key Improvements over v1
+
+- **Consistent naming**: Uses `graph_id`/`graph_version` consistently
+- **Better pagination**: All list endpoints support pagination
+- **Comprehensive coverage**: Access to library, runs, schedules, credits, and more
+- **Human-in-the-loop**: Review and approve agent decisions via the API
+
+For authentication details and usage examples, see the
+[API Integration Guide](https://docs.agpt.co/platform/integrating/api-guide/).
+
+### Pagination
+
+List endpoints return paginated responses. Use `page` and `page_size` query
+parameters to navigate results. Maximum page size is 100 items.
+""".strip()
+
+v2_app = FastAPI(
+    title="AutoGPT Platform External API",
+    summary="External API for AutoGPT Platform integrations (v2)",
+    description=DESCRIPTION,
+    version="2.0.0",
+    docs_url="/docs",
+    redoc_url="/redoc",
+    openapi_url="/openapi.json",
+    openapi_tags=[
+        {
+            "name": "graphs",
+            "description": "Create, update, and manage agent graphs",
+        },
+        {
+            "name": "schedules",
+            "description": "Manage scheduled graph executions",
+        },
+        {
+            "name": "blocks",
+            "description": "Discover available building blocks",
+        },
+        {
+            "name": "search",
+            "description": "Cross-domain hybrid search across agents, blocks, and docs",
+        },
+        {
+            "name": "marketplace",
+            "description": "Browse agents and creators, manage submissions",
+        },
+        {
+            "name": "library",
+            "description": (
+                "Manage your agent library (agents and presets), "
+                "execute agents, organize with folders"
+            ),
+        },
+        {
+            "name": "presets",
+            "description": "Agent execution presets with webhook triggers",
+        },
+        {
+            "name": "runs",
+            "description": (
+                "Monitor, stop, delete, and share agent runs; "
+                "manage human-in-the-loop reviews"
+            ),
+        },
+        {
+            "name": "credits",
+            "description": "Check balance and view transaction history",
+        },
+        {
+            "name": "integrations",
+            "description": "List, create, and delete integration credentials",
+        },
+        {
+            "name": "files",
+            "description": "Upload, list, download, and delete workspace files",
+        },
+    ],
+)
+
+v2_app.add_middleware(SecurityHeadersMiddleware)
+v2_app.include_router(v2_router)
+
+# Mounted sub-apps do NOT inherit exception handlers from the parent app,
+# so we must register them here for the v2 API specifically.
+add_exception_handlers(v2_app)
+
+# Mount MCP server (Copilot tools via Streamable HTTP)
+v2_app.mount("/mcp", create_mcp_app())
+
+# Add 401 responses to authenticated endpoints in OpenAPI spec
+add_auth_responses_to_openapi(v2_app)
+# Sort OpenAPI schema to eliminate diff on refactors
+sort_openapi(v2_app)

autogpt_platform/backend/backend/api/external/v2/app_test.py

@@ -0,0 +1,276 @@
+"""
+Tests for v2 API error handling behavior.
+
+The v2 app registers its own exception handlers (since mounted sub-apps don't
+inherit handlers from the parent app). These tests verify that exceptions from
+the DB/service layer are correctly mapped to HTTP status codes.
+
+We construct a lightweight test app rather than importing the full v2_app,
+because the latter eagerly loads the MCP server, block registry, and other
+heavy dependencies that are irrelevant for error handling tests.
+"""
+
+import json
+from datetime import datetime, timezone
+from unittest.mock import AsyncMock
+
+import fastapi
+import fastapi.testclient
+import pytest
+import pytest_mock
+from prisma.enums import APIKeyPermission
+from pytest_snapshot.plugin import Snapshot
+
+from backend.api.external.middleware import require_auth
+from backend.api.utils.exceptions import add_exception_handlers
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.util.exceptions import DatabaseError, NotFoundError
+
+from .library.agents import agents_router
+from .marketplace import marketplace_router
+
+TEST_USER_ID = "test-user-id"
+
+_mock_auth = APIAuthorizationInfo(
+    user_id=TEST_USER_ID,
+    scopes=list(APIKeyPermission),
+    type="api_key",
+    created_at=datetime.now(tz=timezone.utc),
+)
+
+# ---------------------------------------------------------------------------
+# Build a lightweight test app with the shared exception handlers
+# but only the routers we need for testing.
+# ---------------------------------------------------------------------------
+
+app = fastapi.FastAPI()
+app.include_router(agents_router, prefix="/library")
+app.include_router(marketplace_router, prefix="/marketplace")
+add_exception_handlers(app)
+
+
+@pytest.fixture(autouse=True)
+def _override_auth():
+    """Bypass API key / OAuth auth for all tests in this module."""
+
+    async def fake_auth() -> APIAuthorizationInfo:
+        return _mock_auth
+
+    app.dependency_overrides[require_auth] = fake_auth
+    yield
+    app.dependency_overrides.clear()
+
+
+client = fastapi.testclient.TestClient(app, raise_server_exceptions=False)
+
+
+# ============================================================================
+# NotFoundError → 404
+# ============================================================================
+
+
+def test_not_found_error_returns_404(
+    mocker: pytest_mock.MockFixture,
+    snapshot: Snapshot,
+) -> None:
+    """NotFoundError raised by the DB layer should become a 404 response."""
+    mocker.patch(
+        "backend.api.features.library.db.get_library_agent",
+        new_callable=AsyncMock,
+        side_effect=NotFoundError("Agent #nonexistent not found"),
+    )
+
+    response = client.get("/library/agents/nonexistent")
+
+    assert response.status_code == 404
+    body = response.json()
+    assert body["detail"] == "Agent #nonexistent not found"
+    assert "message" in body
+    assert body["hint"] == "Adjust the request and retry."
+
+    snapshot.snapshot_dir = "snapshots"
+    snapshot.assert_match(
+        json.dumps(body, indent=2, sort_keys=True),
+        "v2_not_found_error_404",
+    )
+
+
+def test_not_found_error_on_delete_returns_404(
+    mocker: pytest_mock.MockFixture,
+) -> None:
+    """NotFoundError on DELETE should return 404, not 204 or 500."""
+    mocker.patch(
+        "backend.api.features.library.db.delete_library_agent",
+        new_callable=AsyncMock,
+        side_effect=NotFoundError("Agent #gone not found"),
+    )
+
+    response = client.delete("/library/agents/gone")
+
+    assert response.status_code == 404
+    assert response.json()["detail"] == "Agent #gone not found"
+    assert "message" in response.json()
+
+
+def test_not_found_error_on_marketplace_returns_404(
+    mocker: pytest_mock.MockFixture,
+) -> None:
+    """NotFoundError from store DB layer should become a 404."""
+    mocker.patch(
+        "backend.api.features.store.db.get_store_agent_by_version_id",
+        new_callable=AsyncMock,
+        side_effect=NotFoundError("Store listing not found"),
+    )
+
+    response = client.get("/marketplace/agents/by-version/nonexistent")
+
+    assert response.status_code == 404
+    assert response.json()["detail"] == "Store listing not found"
+    assert "message" in response.json()
+
+
+# ============================================================================
+# ValueError → 400
+# ============================================================================
+
+
+def test_value_error_returns_400(
+    mocker: pytest_mock.MockFixture,
+    snapshot: Snapshot,
+) -> None:
+    """ValueError raised by the service layer should become a 400 response."""
+    mocker.patch(
+        "backend.api.features.library.db.update_library_agent",
+        new_callable=AsyncMock,
+        side_effect=ValueError("Invalid graph version: -1"),
+    )
+
+    response = client.patch(
+        "/library/agents/some-id",
+        json={"graph_version": -1},
+    )
+
+    assert response.status_code == 400
+    body = response.json()
+    assert body["detail"] == "Invalid graph version: -1"
+    assert "message" in body
+    assert body["hint"] == "Adjust the request and retry."
+
+    snapshot.snapshot_dir = "snapshots"
+    snapshot.assert_match(
+        json.dumps(body, indent=2, sort_keys=True),
+        "v2_value_error_400",
+    )
+
+
+# ============================================================================
+# NotFoundError is a ValueError subclass — verify specificity wins
+# ============================================================================
+
+
+def test_not_found_error_takes_precedence_over_value_error(
+    mocker: pytest_mock.MockFixture,
+) -> None:
+    """
+    NotFoundError(ValueError) should match the NotFoundError handler (404),
+    not the ValueError handler (400).
+    """
+    mocker.patch(
+        "backend.api.features.library.db.get_library_agent",
+        new_callable=AsyncMock,
+        side_effect=NotFoundError("Specific not found"),
+    )
+
+    response = client.get("/library/agents/test-id")
+
+    # Must be 404, not 400
+    assert response.status_code == 404
+
+
+# ============================================================================
+# Unhandled Exception → 500
+# ============================================================================
+
+
+def test_unhandled_exception_returns_500(
+    mocker: pytest_mock.MockFixture,
+    snapshot: Snapshot,
+) -> None:
+    """
+    Unexpected exceptions should return a generic 500 without leaking
+    internal details.
+    """
+    mocker.patch(
+        "backend.api.features.library.db.get_library_agent",
+        new_callable=AsyncMock,
+        side_effect=DatabaseError("connection refused"),
+    )
+
+    response = client.get("/library/agents/some-id")
+
+    assert response.status_code == 500
+    body = response.json()
+    assert "message" in body
+    assert "detail" in body
+    assert body["hint"] == "Check server logs and dependent services."
+
+    snapshot.snapshot_dir = "snapshots"
+    snapshot.assert_match(
+        json.dumps(body, indent=2, sort_keys=True),
+        "v2_unhandled_exception_500",
+    )
+
+
+def test_runtime_error_returns_500(
+    mocker: pytest_mock.MockFixture,
+) -> None:
+    """RuntimeError (not ValueError) should hit the catch-all 500 handler."""
+    mocker.patch(
+        "backend.api.features.library.db.delete_library_agent",
+        new_callable=AsyncMock,
+        side_effect=RuntimeError("something broke"),
+    )
+
+    response = client.delete("/library/agents/some-id")
+
+    assert response.status_code == 500
+    assert "detail" in response.json()
+    assert response.json()["hint"] == "Check server logs and dependent services."
+
+
+# ============================================================================
+# Response format consistency
+# ============================================================================
+
+
+def test_all_error_responses_have_consistent_format(
+    mocker: pytest_mock.MockFixture,
+) -> None:
+    """All error responses should use {"message": ..., "detail": ..., "hint": ...} format."""
+    cases = [
+        (NotFoundError("not found"), 404),
+        (ValueError("bad value"), 400),
+        (RuntimeError("boom"), 500),
+    ]
+
+    for exc, expected_status in cases:
+        mocker.patch(
+            "backend.api.features.library.db.get_library_agent",
+            new_callable=AsyncMock,
+            side_effect=exc,
+        )
+
+        response = client.get("/library/agents/test-id")
+
+        assert response.status_code == expected_status, (
+            f"Expected {expected_status} for {type(exc).__name__}, "
+            f"got {response.status_code}"
+        )
+        body = response.json()
+        assert (
+            "message" in body
+        ), f"Missing 'message' key for {type(exc).__name__}: {body}"
+        assert (
+            "detail" in body
+        ), f"Missing 'detail' key for {type(exc).__name__}: {body}"
+        assert "hint" in body, f"Missing 'hint' key for {type(exc).__name__}: {body}"

autogpt_platform/backend/backend/api/external/v2/blocks.py

@@ -0,0 +1,68 @@
+"""
+V2 External API - Blocks Endpoints
+
+Provides read-only access to available building blocks.
+"""
+
+import logging
+
+from fastapi import APIRouter, Security
+from fastapi.concurrency import run_in_threadpool
+from prisma.enums import APIKeyPermission
+
+from backend.api.external.middleware import require_permission
+from backend.blocks import get_blocks
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.util.cache import cached
+
+from .models import BlockInfo
+
+logger = logging.getLogger(__name__)
+
+blocks_router = APIRouter(tags=["blocks"])
+
+
+# ============================================================================
+# Internal Functions
+# ============================================================================
+
+
+def _compute_blocks_sync() -> list[BlockInfo]:
+    """
+    Synchronous function to compute blocks data.
+    This does the heavy lifting: instantiate 226+ blocks, compute costs, serialize.
+    """
+    return [
+        BlockInfo.from_internal(block)
+        for block_class in get_blocks().values()
+        if not (block := block_class()).disabled
+    ]
+
+
+@cached(ttl_seconds=3600)
+async def _get_cached_blocks() -> list[BlockInfo]:
+    """
+    Async cached function with thundering herd protection.
+    On cache miss: runs heavy work in thread pool
+    On cache hit: returns cached list immediately
+    """
+    return await run_in_threadpool(_compute_blocks_sync)
+
+
+# ============================================================================
+# Endpoints
+# ============================================================================
+
+
+@blocks_router.get(
+    path="",
+    summary="List available blocks",
+    operation_id="listAvailableBlocks",
+)
+async def list_available_blocks(
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_BLOCK)
+    ),
+) -> list[BlockInfo]:
+    """List all available blocks with their input/output schemas and cost information."""
+    return await _get_cached_blocks()

autogpt_platform/backend/backend/api/external/v2/common.py

@@ -0,0 +1,7 @@
+"""
+Common utilities for V2 External API
+"""
+
+# Constants for pagination
+MAX_PAGE_SIZE = 100
+DEFAULT_PAGE_SIZE = 20

autogpt_platform/backend/backend/api/external/v2/credits.py

@@ -0,0 +1,90 @@
+"""
+V2 External API - Credits Endpoints
+
+Provides access to credit balance and transaction history.
+"""
+
+import logging
+from typing import Optional
+
+from fastapi import APIRouter, Query, Security
+from prisma.enums import APIKeyPermission
+
+from backend.api.external.middleware import require_permission
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.data.credit import get_user_credit_model
+
+from .common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from .models import CreditBalance, CreditTransaction, CreditTransactionsResponse
+
+logger = logging.getLogger(__name__)
+
+credits_router = APIRouter(tags=["credits"])
+
+
+# ============================================================================
+# Endpoints
+# ============================================================================
+
+
+@credits_router.get(
+    path="",
+    summary="Get credit balance",
+    operation_id="getCreditBalance",
+)
+async def get_balance(
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_CREDITS)
+    ),
+) -> CreditBalance:
+    """Get the current credit balance for the authenticated user."""
+    user_credit_model = await get_user_credit_model(auth.user_id)
+    balance = await user_credit_model.get_credits(auth.user_id)
+
+    return CreditBalance(balance=balance)
+
+
+@credits_router.get(
+    path="/transactions",
+    summary="Get credit transaction history",
+    operation_id="listCreditTransactions",
+)
+async def get_transactions(
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    transaction_type: Optional[str] = Query(
+        default=None,
+        description="Filter by transaction type (TOP_UP, USAGE, GRANT, REFUND)",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_CREDITS)
+    ),
+) -> CreditTransactionsResponse:
+    """Get credit transaction history for the authenticated user."""
+    user_credit_model = await get_user_credit_model(auth.user_id)
+
+    history = await user_credit_model.get_transaction_history(
+        user_id=auth.user_id,
+        transaction_count_limit=page_size,
+        transaction_type=transaction_type,
+    )
+
+    transactions = [CreditTransaction.from_internal(t) for t in history.transactions]
+
+    # Note: The current credit module doesn't support true pagination,
+    # so we're returning what we have
+    total_count = len(transactions)
+    total_pages = 1  # Without true pagination support
+
+    return CreditTransactionsResponse(
+        transactions=transactions,
+        page=page,
+        page_size=page_size,
+        total_count=total_count,
+        total_pages=total_pages,
+    )

autogpt_platform/backend/backend/api/external/v2/files.py

@@ -0,0 +1,341 @@
+"""
+V2 External API - Files Endpoints
+
+Provides file upload, download, listing, metadata, and deletion functionality.
+"""
+
+import base64
+import logging
+import re
+from urllib.parse import quote
+
+from fastapi import APIRouter, File, HTTPException, Query, Security, UploadFile
+from fastapi.responses import RedirectResponse, Response
+from prisma.enums import APIKeyPermission
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.data.workspace import (
+    count_workspace_files,
+    get_workspace,
+    get_workspace_file,
+    list_workspace_files,
+    soft_delete_workspace_file,
+)
+from backend.util.cloud_storage import get_cloud_storage_handler
+from backend.util.settings import Settings
+from backend.util.virus_scanner import scan_content_safe
+from backend.util.workspace_storage import get_workspace_storage
+
+from .common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from .models import (
+    UploadWorkspaceFileResponse,
+    WorkspaceFileInfo,
+    WorkspaceFileListResponse,
+)
+from .rate_limit import file_upload_limiter
+
+logger = logging.getLogger(__name__)
+settings = Settings()
+
+file_workspace_router = APIRouter(tags=["files"])
+
+
+# ============================================================================
+# Endpoints
+# ============================================================================
+
+
+@file_workspace_router.get(
+    path="",
+    summary="List workspace files",
+    operation_id="listWorkspaceFiles",
+)
+async def list_files(
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_FILES)
+    ),
+) -> WorkspaceFileListResponse:
+    """List files in the user's workspace."""
+    workspace = await get_workspace(auth.user_id)
+    if workspace is None:
+        return WorkspaceFileListResponse(
+            files=[], page=page, page_size=page_size, total_count=0, total_pages=0
+        )
+
+    total_count = await count_workspace_files(workspace.id)
+    total_pages = (total_count + page_size - 1) // page_size if total_count > 0 else 0
+    offset = (page - 1) * page_size
+
+    files = await list_workspace_files(
+        workspace_id=workspace.id,
+        limit=page_size,
+        offset=offset,
+    )
+
+    return WorkspaceFileListResponse(
+        files=[
+            WorkspaceFileInfo(
+                id=f.id,
+                name=f.name,
+                path=f.path,
+                mime_type=f.mime_type,
+                size_bytes=f.size_bytes,
+                created_at=f.created_at,
+                updated_at=f.updated_at,
+            )
+            for f in files
+        ],
+        page=page,
+        page_size=page_size,
+        total_count=total_count,
+        total_pages=total_pages,
+    )
+
+
+@file_workspace_router.get(
+    path="/{file_id}",
+    summary="Get workspace file metadata",
+    operation_id="getWorkspaceFileInfo",
+)
+async def get_file(
+    file_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_FILES)
+    ),
+) -> WorkspaceFileInfo:
+    """Get metadata for a specific file in the user's workspace."""
+    workspace = await get_workspace(auth.user_id)
+    if workspace is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Workspace not found",
+        )
+
+    file = await get_workspace_file(file_id, workspace.id)
+    if file is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"File #{file_id} not found",
+        )
+
+    return WorkspaceFileInfo(
+        id=file.id,
+        name=file.name,
+        path=file.path,
+        mime_type=file.mime_type,
+        size_bytes=file.size_bytes,
+        created_at=file.created_at,
+        updated_at=file.updated_at,
+    )
+
+
+@file_workspace_router.delete(
+    path="/{file_id}",
+    summary="Delete file from workspace",
+    operation_id="deleteWorkspaceFile",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+async def delete_file(
+    file_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_FILES)
+    ),
+) -> None:
+    """Soft-delete a file from the user's workspace."""
+    workspace = await get_workspace(auth.user_id)
+    if workspace is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Workspace not found",
+        )
+
+    result = await soft_delete_workspace_file(file_id, workspace.id)
+    if result is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"File #{file_id} not found",
+        )
+
+
+def _create_file_size_error(size_bytes: int, max_size_mb: int) -> HTTPException:
+    """Create standardized file size error response."""
+    return HTTPException(
+        status_code=status.HTTP_400_BAD_REQUEST,
+        detail=(
+            f"File size ({size_bytes} bytes) exceeds "
+            f"the maximum allowed size of {max_size_mb}MB"
+        ),
+    )
+
+
+@file_workspace_router.post(
+    path="/upload",
+    summary="Upload file to workspace",
+    operation_id="uploadWorkspaceFile",
+)
+async def upload_file(
+    file: UploadFile = File(...),
+    expiration_hours: int = Query(
+        default=24, ge=1, le=48, description="Hours until file expires (1-48)"
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_FILES)
+    ),
+) -> UploadWorkspaceFileResponse:
+    """
+    Upload a file to cloud storage for use with agents.
+
+    Returns a `file_uri` that can be passed to agent graph/node file inputs.
+    Uploaded files are virus-scanned before storage.
+    """
+    file_upload_limiter.check(auth.user_id)
+
+    # Check file size limit
+    max_size_mb = settings.config.upload_file_size_limit_mb
+    max_size_bytes = max_size_mb * 1024 * 1024
+
+    # Try to get file size from headers first
+    if hasattr(file, "size") and file.size is not None and file.size > max_size_bytes:
+        raise _create_file_size_error(file.size, max_size_mb)
+
+    # Read file content
+    content = await file.read()
+    content_size = len(content)
+
+    # Double-check file size after reading
+    if content_size > max_size_bytes:
+        raise _create_file_size_error(content_size, max_size_mb)
+
+    # Extract file info
+    file_name = file.filename or "uploaded_file"
+    content_type = file.content_type or "application/octet-stream"
+
+    # Virus scan the content
+    await scan_content_safe(content, filename=file_name)
+
+    # Check if cloud storage is configured
+    cloud_storage = await get_cloud_storage_handler()
+    if not cloud_storage.config.gcs_bucket_name:
+        # Fallback to base64 data URI when GCS is not configured
+        base64_content = base64.b64encode(content).decode("utf-8")
+        data_uri = f"data:{content_type};base64,{base64_content}"
+
+        return UploadWorkspaceFileResponse(
+            file_uri=data_uri,
+            file_name=file_name,
+            size=content_size,
+            content_type=content_type,
+            expires_in_hours=expiration_hours,
+        )
+
+    # Store in cloud storage
+    storage_path = await cloud_storage.store_file(
+        content=content,
+        filename=file_name,
+        expiration_hours=expiration_hours,
+        user_id=auth.user_id,
+    )
+
+    return UploadWorkspaceFileResponse(
+        file_uri=storage_path,
+        file_name=file_name,
+        size=content_size,
+        content_type=content_type,
+        expires_in_hours=expiration_hours,
+    )
+
+
+# ============================================================================
+# Endpoints - Download
+# ============================================================================
+
+
+def _sanitize_filename_for_header(filename: str) -> str:
+    """Sanitize filename for Content-Disposition header."""
+    sanitized = re.sub(r"[\r\n\x00]", "", filename)
+    sanitized = sanitized.replace('"', '\\"')
+    try:
+        sanitized.encode("ascii")
+        return f'attachment; filename="{sanitized}"'
+    except UnicodeEncodeError:
+        encoded = quote(sanitized, safe="")
+        return f"attachment; filename*=UTF-8''{encoded}"
+
+
+@file_workspace_router.get(
+    path="/{file_id}/download",
+    summary="Download file from workspace",
+    operation_id="getWorkspaceFileDownload",
+)
+async def download_file(
+    file_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_FILES)
+    ),
+) -> Response:
+    """Download a file from the user's workspace."""
+    workspace = await get_workspace(auth.user_id)
+    if workspace is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Workspace not found",
+        )
+
+    file = await get_workspace_file(file_id, workspace.id)
+    if file is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"File #{file_id} not found",
+        )
+
+    storage = await get_workspace_storage()
+
+    # For local storage, stream directly
+    if file.storage_path.startswith("local://"):
+        content = await storage.retrieve(file.storage_path)
+        return Response(
+            content=content,
+            media_type=file.mime_type,
+            headers={
+                "Content-Disposition": _sanitize_filename_for_header(file.name),
+                "Content-Length": str(len(content)),
+            },
+        )
+
+    # For cloud storage, try signed URL redirect, fall back to streaming
+    try:
+        url = await storage.get_download_url(file.storage_path, expires_in=300)
+        if url.startswith("/api/"):
+            content = await storage.retrieve(file.storage_path)
+            return Response(
+                content=content,
+                media_type=file.mime_type,
+                headers={
+                    "Content-Disposition": _sanitize_filename_for_header(file.name),
+                    "Content-Length": str(len(content)),
+                },
+            )
+        return RedirectResponse(url=url, status_code=302)
+    except Exception:
+        logger.error(
+            f"Failed to get download URL for file {file.id}, falling back to stream",
+            exc_info=True,
+        )
+        content = await storage.retrieve(file.storage_path)
+        return Response(
+            content=content,
+            media_type=file.mime_type,
+            headers={
+                "Content-Disposition": _sanitize_filename_for_header(file.name),
+                "Content-Length": str(len(content)),
+            },
+        )

autogpt_platform/backend/backend/api/external/v2/graphs.py

@@ -0,0 +1,458 @@
+"""
+V2 External API - Graphs Endpoints
+
+Provides endpoints for managing agent graphs (CRUD operations).
+"""
+
+import logging
+from typing import Optional
+from uuid import uuid4
+
+from fastapi import APIRouter, HTTPException, Query, Security
+from prisma.enums import APIKeyPermission
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.api.features.library import db as library_db
+from backend.data import graph as graph_db
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.integrations.webhooks.graph_lifecycle_hooks import (
+    on_graph_activate,
+    on_graph_deactivate,
+)
+
+from .common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from .integrations.helpers import get_credential_requirements
+from .models import (
+    BlockInfo,
+    CredentialRequirementsResponse,
+    Graph,
+    GraphCreateRequest,
+    GraphListResponse,
+    GraphMeta,
+    GraphSetActiveVersionRequest,
+    GraphSettings,
+    LibraryAgent,
+    MarketplaceAgentDetails,
+)
+
+logger = logging.getLogger(__name__)
+
+graphs_router = APIRouter(tags=["graphs"])
+
+
+@graphs_router.get(
+    path="",
+    summary="List graphs",
+    operation_id="listGraphs",
+)
+async def list_graphs(
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_GRAPH)
+    ),
+) -> GraphListResponse:
+    """List all graphs owned by the authenticated user."""
+    graphs, pagination_info = await graph_db.list_graphs_paginated(
+        user_id=auth.user_id,
+        page=page,
+        page_size=page_size,
+        filter_by="active",
+    )
+    return GraphListResponse(
+        graphs=[GraphMeta.from_internal(g) for g in graphs],
+        page=pagination_info.current_page,
+        page_size=pagination_info.page_size,
+        total_count=pagination_info.total_items,
+        total_pages=pagination_info.total_pages,
+    )
+
+
+@graphs_router.get(
+    path="/{graph_id}",
+    summary="Get graph details",
+    operation_id="getGraphDetails",
+)
+async def get_graph(
+    graph_id: str,
+    version: Optional[int] = Query(
+        default=None,
+        description="Specific version to retrieve (default: active version)",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_GRAPH)
+    ),
+) -> Graph:
+    """
+    Get detailed information about a specific graph.
+
+    Returns the active version by default. Pass `version` to retrieve
+    a specific version instead.
+    """
+    graph = await graph_db.get_graph(
+        graph_id,
+        version,
+        user_id=auth.user_id,
+        include_subgraphs=True,
+    )
+    if not graph:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Graph #{graph_id} not found.",
+        )
+    return Graph.from_internal(graph)
+
+
+@graphs_router.post(
+    path="",
+    summary="Create graph",
+    operation_id="createGraph",
+)
+async def create_graph(
+    create_graph: GraphCreateRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_GRAPH)
+    ),
+) -> Graph:
+    """Create a new agent graph."""
+    from backend.api.features.library import db as library_db
+
+    internal_graph = create_graph.to_internal(id=str(uuid4()), version=1)
+
+    graph = graph_db.make_graph_model(internal_graph, auth.user_id)
+    graph.reassign_ids(user_id=auth.user_id, reassign_graph_id=True)
+    graph.validate_graph(for_run=False)
+
+    await graph_db.create_graph(graph, user_id=auth.user_id)
+    await library_db.create_library_agent(graph, user_id=auth.user_id)
+    activated_graph = await on_graph_activate(graph, user_id=auth.user_id)
+
+    return Graph.from_internal(activated_graph)
+
+
+@graphs_router.put(
+    path="/{graph_id}",
+    summary="Update graph by creating a new version",
+    operation_id="updateGraphCreateVersion",
+)
+async def update_graph(
+    graph_id: str,
+    update_graph: GraphCreateRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_GRAPH)
+    ),
+) -> Graph:
+    """
+    Update a graph by creating a new version.
+
+    This does not modify existing versions; it creates a new version
+    with the provided graph definition.
+    """
+    from backend.api.features.library import db as library_db
+
+    existing_versions = await graph_db.get_graph_all_versions(
+        graph_id, user_id=auth.user_id
+    )
+    if not existing_versions:
+        raise HTTPException(
+            status.HTTP_404_NOT_FOUND, detail=f"Graph #{graph_id} not found"
+        )
+
+    latest_version_number = max(g.version for g in existing_versions)
+
+    internal_graph = update_graph.to_internal(
+        id=graph_id, version=latest_version_number + 1
+    )
+
+    current_active_version = next((v for v in existing_versions if v.is_active), None)
+    graph = graph_db.make_graph_model(internal_graph, auth.user_id)
+    graph.reassign_ids(user_id=auth.user_id, reassign_graph_id=False)
+    graph.validate_graph(for_run=False)
+
+    new_graph_version = await graph_db.create_graph(graph, user_id=auth.user_id)
+
+    if new_graph_version.is_active:
+        await library_db.update_agent_version_in_library(
+            auth.user_id, new_graph_version.id, new_graph_version.version
+        )
+        new_graph_version = await on_graph_activate(
+            new_graph_version, user_id=auth.user_id
+        )
+        await graph_db.set_graph_active_version(
+            graph_id=graph_id, version=new_graph_version.version, user_id=auth.user_id
+        )
+        if current_active_version:
+            await on_graph_deactivate(current_active_version, user_id=auth.user_id)
+
+    new_graph_version_with_subgraphs = await graph_db.get_graph(
+        graph_id,
+        new_graph_version.version,
+        user_id=auth.user_id,
+        include_subgraphs=True,
+    )
+    assert new_graph_version_with_subgraphs
+    return Graph.from_internal(new_graph_version_with_subgraphs)
+
+
+# NOTE: we don't expose graph deletion in the UI, so this is commented for now
+# @graphs_router.delete(
+#     path="/{graph_id}",
+#     summary="Delete graph permanently",
+#     status_code=status.HTTP_204_NO_CONTENT,
+# )
+# async def delete_graph(
+#     graph_id: str,
+#     auth: APIAuthorizationInfo = Security(
+#         require_permission(APIKeyPermission.WRITE_GRAPH)
+#     ),
+# ) -> None:
+#     """
+#     Permanently delete a graph and all its versions.
+
+#     This action cannot be undone. All associated executions will remain
+#     but will reference a deleted graph.
+#     """
+#     if active_version := await graph_db.get_graph(
+#         graph_id=graph_id, version=None, user_id=auth.user_id
+#     ):
+#         await on_graph_deactivate(active_version, user_id=auth.user_id)
+
+#     # FIXME: maybe only expose delete for library agents?
+#     deleted_count = await graph_db.delete_graph(graph_id, user_id=auth.user_id)
+#     if deleted_count == 0:
+#         raise HTTPException(
+#             status_code=status.HTTP_404_NOT_FOUND, detail=f"Graph {graph_id} not found"
+#         )
+
+
+@graphs_router.get(
+    path="/{graph_id}/versions",
+    summary="List graph versions",
+    operation_id="listGraphVersions",
+)
+async def list_graph_versions(
+    graph_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_GRAPH)
+    ),
+) -> list[Graph]:
+    """Get all versions of a specific graph."""
+    graphs = await graph_db.get_graph_all_versions(graph_id, user_id=auth.user_id)
+    if not graphs:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Graph #{graph_id} not found.",
+        )
+    return [Graph.from_internal(g) for g in graphs]
+
+
+@graphs_router.put(
+    path="/{graph_id}/versions/active",
+    summary="Set active graph version",
+    operation_id="updateGraphSetActiveVersion",
+)
+async def set_active_version(
+    graph_id: str,
+    request_body: GraphSetActiveVersionRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_GRAPH)
+    ),
+) -> None:
+    """
+    Set which version of a graph is the active version.
+
+    The active version is the one used when executing the graph
+    and what is shown to users in the UI.
+    """
+    from backend.api.features.library import db as library_db
+
+    new_active_version = request_body.active_graph_version
+    new_active_graph = await graph_db.get_graph(
+        graph_id, new_active_version, user_id=auth.user_id
+    )
+    if not new_active_graph:
+        raise HTTPException(
+            status.HTTP_404_NOT_FOUND,
+            f"Graph #{graph_id} v{new_active_version} not found",
+        )
+
+    current_active_graph = await graph_db.get_graph(
+        graph_id=graph_id,
+        version=None,
+        user_id=auth.user_id,
+    )
+
+    await on_graph_activate(new_active_graph, user_id=auth.user_id)
+    await graph_db.set_graph_active_version(
+        graph_id=graph_id,
+        version=new_active_version,
+        user_id=auth.user_id,
+    )
+
+    await library_db.update_agent_version_in_library(
+        auth.user_id, new_active_graph.id, new_active_graph.version
+    )
+
+    if current_active_graph and current_active_graph.version != new_active_version:
+        await on_graph_deactivate(current_active_graph, user_id=auth.user_id)
+
+
+@graphs_router.patch(
+    path="/{graph_id}/settings",
+    summary="Update graph settings",
+    operation_id="updateGraphSettings",
+)
+async def update_graph_settings(
+    graph_id: str,
+    settings: GraphSettings,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_GRAPH)
+    ),
+) -> GraphSettings:
+    """Update settings for a graph."""
+    from backend.api.features.library import db as library_db
+
+    library_agent = await library_db.get_library_agent_by_graph_id(
+        graph_id=graph_id, user_id=auth.user_id
+    )
+    if not library_agent:
+        raise HTTPException(
+            status.HTTP_404_NOT_FOUND, f"Graph #{graph_id} not found in user's library"
+        )
+
+    updated_agent = await library_db.update_library_agent(
+        user_id=auth.user_id,
+        library_agent_id=library_agent.id,
+        settings=settings.to_internal(),
+    )
+
+    return GraphSettings(
+        human_in_the_loop_safe_mode=updated_agent.settings.human_in_the_loop_safe_mode
+    )
+
+
+@graphs_router.get(
+    path="/{graph_id}/library-agent",
+    summary="Get library agent for graph",
+    operation_id="getLibraryAgentForGraph",
+)
+async def get_library_agent_by_graph(
+    graph_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> LibraryAgent:
+    """Get the library agent associated with a specific graph."""
+    agent = await library_db.get_library_agent_by_graph_id(
+        graph_id=graph_id,
+        user_id=auth.user_id,
+    )
+    if not agent:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"No library agent found for graph #{graph_id}",
+        )
+    return LibraryAgent.from_internal(agent)
+
+
+@graphs_router.get(
+    path="/{graph_id}/blocks",
+    summary="List blocks used in a graph",
+    operation_id="listBlocksInGraph",
+)
+async def list_graph_blocks(
+    graph_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_GRAPH)
+    ),
+) -> list[BlockInfo]:
+    """List the unique blocks used by a graph."""
+    from backend.blocks import get_block
+
+    graph = await graph_db.get_graph(
+        graph_id,
+        version=None,
+        user_id=auth.user_id,
+        include_subgraphs=True,
+    )
+    if not graph:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Graph #{graph_id} not found.",
+        )
+
+    seen_block_ids: set[str] = set()
+    blocks: list[BlockInfo] = []
+
+    for node in graph.nodes:
+        if node.block_id in seen_block_ids:
+            continue
+        seen_block_ids.add(node.block_id)
+
+        block = get_block(node.block_id)
+        if block and not block.disabled:
+            blocks.append(BlockInfo.from_internal(block))
+
+    return blocks
+
+
+@graphs_router.get(
+    path="/{graph_id}/credentials",
+    summary="Get graph credentials",
+    operation_id="getCredentialRequirementsForGraph",
+)
+async def list_graph_credential_requirements(
+    graph_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_INTEGRATIONS)
+    ),
+) -> CredentialRequirementsResponse:
+    """List credential requirements for a graph and matching user credentials."""
+    graph = await graph_db.get_graph(
+        graph_id=graph_id,
+        version=None,
+        user_id=auth.user_id,
+        include_subgraphs=True,
+    )
+    if not graph:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail=f"Graph #{graph_id} not found"
+        )
+
+    requirements = await get_credential_requirements(
+        graph.credentials_input_schema, auth.user_id
+    )
+    return CredentialRequirementsResponse(requirements=requirements)
+
+
+@graphs_router.get(
+    path="/{graph_id}/marketplace-listing",
+    summary="Get marketplace listing for graph",
+    operation_id="getMarketplaceListingForGraph",
+)
+async def get_marketplace_listing_for_graph(
+    graph_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_STORE)
+    ),
+) -> MarketplaceAgentDetails:
+    """Get the marketplace listing for a given graph, if one exists."""
+    import prisma.models
+
+    from backend.api.features.store.model import StoreAgentDetails
+
+    agent = await prisma.models.StoreAgent.prisma().find_first(
+        where={"graph_id": graph_id}
+    )
+    if not agent:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"No marketplace listing found for graph {graph_id}",
+        )
+    return MarketplaceAgentDetails.from_internal(StoreAgentDetails.from_db(agent))

autogpt_platform/backend/backend/api/external/v2/integrations/__init__.py

@@ -0,0 +1,13 @@
+"""
+V2 External API - Integrations Package
+
+Aggregates all integration-related sub-routers.
+"""
+
+from fastapi import APIRouter
+
+from .credentials import credentials_router
+
+integrations_router = APIRouter(tags=["integrations"])
+
+integrations_router.include_router(credentials_router)

autogpt_platform/backend/backend/api/external/v2/integrations/credentials.py

@@ -0,0 +1,131 @@
+"""
+V2 External API - Credential CRUD Endpoints
+
+Provides endpoints for managing integration credentials.
+"""
+
+import logging
+from typing import Annotated, Optional
+from uuid import uuid4
+
+from fastapi import APIRouter, Body, HTTPException, Query, Security
+from prisma.enums import APIKeyPermission
+from pydantic import SecretStr
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.data.model import (
+    APIKeyCredentials,
+    HostScopedCredentials,
+    UserPasswordCredentials,
+)
+
+from ..models import CredentialCreateRequest, CredentialInfo, CredentialListResponse
+from .helpers import creds_manager
+
+logger = logging.getLogger(__name__)
+
+credentials_router = APIRouter()
+
+
+@credentials_router.get(
+    path="/credentials",
+    summary="List integration credentials",
+    operation_id="listIntegrationCredentials",
+)
+async def list_credentials(
+    provider: Optional[str] = Query(
+        default=None,
+        description="Filter by provider name (e.g., 'github', 'google')",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_INTEGRATIONS)
+    ),
+) -> CredentialListResponse:
+    """List integration credentials for the authenticated user."""
+    credentials = await creds_manager.store.get_all_creds(auth.user_id)
+
+    if provider:
+        credentials = [c for c in credentials if c.provider.lower() == provider.lower()]
+
+    return CredentialListResponse(
+        credentials=[CredentialInfo.from_internal(c) for c in credentials]
+    )
+
+
+@credentials_router.post(
+    path="/credentials",
+    summary="Create integration credential",
+    operation_id="createIntegrationCredential",
+    status_code=status.HTTP_201_CREATED,
+)
+async def create_credential(
+    request: Annotated[CredentialCreateRequest, Body(discriminator="type")],
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.MANAGE_INTEGRATIONS)
+    ),
+) -> CredentialInfo:
+    """
+    Create a new integration credential.
+
+    Supports `api_key`, `user_password`, and `host_scoped` credential types.
+    OAuth credentials must be set up through the web UI.
+    """
+    cred_id = str(uuid4())
+
+    if request.type == "api_key":
+        credentials = APIKeyCredentials(
+            id=cred_id,
+            provider=request.provider,
+            title=request.title,
+            api_key=SecretStr(request.api_key),
+        )
+    elif request.type == "user_password":
+        credentials = UserPasswordCredentials(
+            id=cred_id,
+            provider=request.provider,
+            title=request.title,
+            username=SecretStr(request.username),
+            password=SecretStr(request.password),
+        )
+    else:
+        credentials = HostScopedCredentials(
+            id=cred_id,
+            provider=request.provider,
+            title=request.title,
+            host=request.host,
+            headers={k: SecretStr(v) for k, v in request.headers.items()},
+        )
+
+    await creds_manager.create(auth.user_id, credentials)
+    return CredentialInfo.from_internal(credentials)
+
+
+@credentials_router.delete(
+    path="/credentials/{credential_id}",
+    summary="Delete integration credential",
+    operation_id="deleteIntegrationCredential",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+async def delete_credential(
+    credential_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.DELETE_INTEGRATIONS)
+    ),
+) -> None:
+    """
+    Delete an integration credential.
+
+    Any agents using this credential will fail on their next run.
+    """
+    existing = await creds_manager.store.get_creds_by_id(
+        user_id=auth.user_id, credentials_id=credential_id
+    )
+    if not existing:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Credential #{credential_id} not found",
+        )
+
+    await creds_manager.delete(auth.user_id, credential_id)

autogpt_platform/backend/backend/api/external/v2/integrations/helpers.py

@@ -0,0 +1,49 @@
+"""
+V2 External API - Integration Helpers
+
+Shared logic for credential-related operations.
+"""
+
+from backend.integrations.creds_manager import IntegrationCredentialsManager
+
+from ..models import CredentialInfo, CredentialRequirement
+
+creds_manager = IntegrationCredentialsManager()
+
+
+async def get_credential_requirements(
+    creds_schema: dict,
+    user_id: str,
+) -> list[CredentialRequirement]:
+    """
+    Extract credential requirements from a graph's credentials input schema
+    and match them against the user's existing credentials.
+    """
+    all_credentials = await creds_manager.store.get_all_creds(user_id)
+
+    requirements = []
+    for field_name, field_schema in creds_schema.get("properties", {}).items():
+        providers: list[str] = []
+        if "anyOf" in field_schema:
+            for option in field_schema["anyOf"]:
+                if "provider" in option:
+                    providers.append(option["provider"])
+        elif "provider" in field_schema:
+            providers.append(field_schema["provider"])
+
+        for provider in providers:
+            matching = [
+                CredentialInfo.from_internal(c)
+                for c in all_credentials
+                if c.provider.lower() == provider.lower()
+            ]
+
+            requirements.append(
+                CredentialRequirement(
+                    provider=provider,
+                    required_scopes=[],
+                    matching_credentials=matching,
+                )
+            )
+
+    return requirements

autogpt_platform/backend/backend/api/external/v2/library/__init__.py

@@ -0,0 +1,17 @@
+"""
+V2 External API - Library Package
+
+Aggregates all library-related sub-routers (agents, folders, presets).
+"""
+
+from fastapi import APIRouter
+
+from .agents import agents_router
+from .folders import folders_router
+from .presets import presets_router
+
+library_router = APIRouter()
+
+library_router.include_router(agents_router)
+library_router.include_router(folders_router)
+library_router.include_router(presets_router)

autogpt_platform/backend/backend/api/external/v2/library/agents.py

@@ -0,0 +1,239 @@
+"""V2 External API - Library Agent Endpoints"""
+
+import logging
+from typing import Optional
+
+from fastapi import APIRouter, HTTPException, Query, Security
+from prisma.enums import APIKeyPermission
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.api.features.library import db as library_db
+from backend.data import graph as graph_db
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.data.credit import get_user_credit_model
+from backend.executor import utils as execution_utils
+
+from ..common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from ..integrations.helpers import get_credential_requirements
+from ..models import (
+    AgentGraphRun,
+    AgentRunRequest,
+    CredentialRequirementsResponse,
+    LibraryAgent,
+    LibraryAgentListResponse,
+    LibraryAgentUpdateRequest,
+)
+from ..rate_limit import execute_limiter
+
+logger = logging.getLogger(__name__)
+
+agents_router = APIRouter(tags=["library"])
+
+
+# ============================================================================
+# Endpoints
+# ============================================================================
+
+
+@agents_router.get(
+    path="/agents",
+    summary="List library agents",
+    operation_id="listLibraryAgents",
+)
+async def list_library_agents(
+    published: Optional[bool] = Query(
+        default=None,
+        description="Filter by marketplace publish status",
+    ),
+    favorite: Optional[bool] = Query(
+        default=None,
+        description="Filter by `isFavorite` attribute",
+    ),
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> LibraryAgentListResponse:
+    """List agents in the user's library."""
+    result = await library_db.list_library_agents(
+        user_id=auth.user_id,
+        page=page,
+        page_size=page_size,
+        published=published,
+        favorite=favorite,
+    )
+
+    return LibraryAgentListResponse(
+        agents=[LibraryAgent.from_internal(a) for a in result.agents],
+        page=result.pagination.current_page,
+        page_size=result.pagination.page_size,
+        total_count=result.pagination.total_items,
+        total_pages=result.pagination.total_pages,
+    )
+
+
+@agents_router.get(
+    path="/agents/{agent_id}",
+    summary="Get library agent",
+    operation_id="getLibraryAgent",
+)
+async def get_library_agent(
+    agent_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> LibraryAgent:
+    """Get detailed information about a specific agent in the user's library."""
+    agent = await library_db.get_library_agent(
+        id=agent_id,
+        user_id=auth.user_id,
+    )
+    return LibraryAgent.from_internal(agent)
+
+
+@agents_router.patch(
+    path="/agents/{agent_id}",
+    summary="Update library agent",
+    operation_id="updateLibraryAgent",
+)
+async def update_library_agent(
+    request: LibraryAgentUpdateRequest,
+    agent_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> LibraryAgent:
+    """Update properties of a library agent."""
+    updated = await library_db.update_library_agent(
+        library_agent_id=agent_id,
+        user_id=auth.user_id,
+        auto_update_version=request.auto_update_version,
+        graph_version=request.graph_version,
+        is_favorite=request.is_favorite,
+        is_archived=request.is_archived,
+        folder_id=request.folder_id,
+    )
+    return LibraryAgent.from_internal(updated)
+
+
+@agents_router.delete(
+    path="/agents/{agent_id}",
+    summary="Delete library agent",
+    operation_id="deleteLibraryAgent",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+async def delete_library_agent(
+    agent_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> None:
+    """Remove an agent from the user's library."""
+    await library_db.delete_library_agent(
+        library_agent_id=agent_id,
+        user_id=auth.user_id,
+    )
+
+
+@agents_router.post(
+    path="/agents/{agent_id}/fork",
+    summary="Fork library agent",
+    operation_id="forkLibraryAgent",
+    status_code=status.HTTP_201_CREATED,
+)
+async def fork_library_agent(
+    agent_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> LibraryAgent:
+    """Fork (clone) a library agent.
+
+    Creates a deep copy of the agent's underlying graph and all its nodes,
+    assigning new IDs. The cloned graph is added to the user's library as
+    an independent agent that can be modified without affecting the original.
+    """
+    forked = await library_db.fork_library_agent(
+        library_agent_id=agent_id,
+        user_id=auth.user_id,
+    )
+    return LibraryAgent.from_internal(forked)
+
+
+@agents_router.post(
+    path="/agents/{agent_id}/runs",
+    summary="Execute library agent",
+    operation_id="executeLibraryAgent",
+)
+async def execute_agent(
+    request: AgentRunRequest,
+    agent_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.RUN_AGENT)
+    ),
+) -> AgentGraphRun:
+    """Execute an agent from the library."""
+    execute_limiter.check(auth.user_id)
+
+    # Check credit balance
+    user_credit_model = await get_user_credit_model(auth.user_id)
+    current_balance = await user_credit_model.get_credits(auth.user_id)
+    if current_balance <= 0:
+        raise HTTPException(
+            status_code=status.HTTP_402_PAYMENT_REQUIRED,
+            detail="Insufficient balance to execute the agent. Please top up your account.",
+        )
+
+    # Get the library agent to find the graph ID and version
+    library_agent = await library_db.get_library_agent(
+        id=agent_id,
+        user_id=auth.user_id,
+    )
+
+    result = await execution_utils.add_graph_execution(
+        graph_id=library_agent.graph_id,
+        user_id=auth.user_id,
+        inputs=request.inputs,
+        graph_version=library_agent.graph_version,
+        graph_credentials_inputs=request.credentials_inputs,
+    )
+    return AgentGraphRun.from_internal(result)
+
+
+@agents_router.get(
+    path="/agents/{agent_id}/credentials",
+    summary="Get library agent credential requirements",
+    operation_id="getCredentialRequirementsForLibraryAgent",
+)
+async def list_agent_credential_requirements(
+    agent_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_INTEGRATIONS)
+    ),
+) -> CredentialRequirementsResponse:
+    """List credential requirements and matching user credentials for a library agent."""
+    library_agent = await library_db.get_library_agent(agent_id, user_id=auth.user_id)
+
+    graph = await graph_db.get_graph(
+        graph_id=library_agent.graph_id,
+        version=library_agent.graph_version,
+        user_id=auth.user_id,
+        include_subgraphs=True,
+    )
+    if not graph:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Graph for agent #{agent_id} not found",
+        )
+
+    requirements = await get_credential_requirements(
+        graph.credentials_input_schema, auth.user_id
+    )
+    return CredentialRequirementsResponse(requirements=requirements)

autogpt_platform/backend/backend/api/external/v2/library/folders.py

@@ -0,0 +1,175 @@
+"""V2 External API - Library Folder Endpoints"""
+
+import logging
+from typing import Optional
+
+from fastapi import APIRouter, Query, Security
+from prisma.enums import APIKeyPermission
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.api.features.library import db as library_db
+from backend.data.auth.base import APIAuthorizationInfo
+
+from ..models import (
+    LibraryFolder,
+    LibraryFolderCreateRequest,
+    LibraryFolderListResponse,
+    LibraryFolderMoveRequest,
+    LibraryFolderTree,
+    LibraryFolderTreeResponse,
+    LibraryFolderUpdateRequest,
+)
+
+logger = logging.getLogger(__name__)
+
+folders_router = APIRouter(tags=["library"])
+
+
+@folders_router.get(
+    path="/folders",
+    summary="List folders in library",
+    operation_id="listLibraryFolders",
+)
+async def list_folders(
+    parent_id: Optional[str] = Query(
+        default=None, description="Filter by parent folder ID. Omit for root folders."
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> LibraryFolderListResponse:
+    """List folders in the user's library."""
+    folders = await library_db.list_folders(
+        user_id=auth.user_id,
+        parent_id=parent_id,
+    )
+
+    return LibraryFolderListResponse(
+        folders=[LibraryFolder.from_internal(f) for f in folders],
+    )
+
+
+@folders_router.get(
+    path="/folders/tree",
+    summary="Get library folder tree",
+    operation_id="getLibraryFolderTree",
+)
+async def get_folder_tree(
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> LibraryFolderTreeResponse:
+    """Get the full folder tree for the user's library."""
+    tree = await library_db.get_folder_tree(user_id=auth.user_id)
+
+    return LibraryFolderTreeResponse(
+        tree=[LibraryFolderTree.from_internal(f) for f in tree],
+    )
+
+
+@folders_router.get(
+    path="/folders/{folder_id}",
+    summary="Get folder in library",
+    operation_id="getLibraryFolder",
+)
+async def get_folder(
+    folder_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> LibraryFolder:
+    """Get details of a specific folder."""
+    folder = await library_db.get_folder(
+        folder_id=folder_id,
+        user_id=auth.user_id,
+    )
+    return LibraryFolder.from_internal(folder)
+
+
+@folders_router.post(
+    path="/folders",
+    summary="Create folder in library",
+    operation_id="createLibraryFolder",
+    status_code=status.HTTP_201_CREATED,
+)
+async def create_folder(
+    request: LibraryFolderCreateRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> LibraryFolder:
+    """Create a new folder in the user's library."""
+    folder = await library_db.create_folder(
+        user_id=auth.user_id,
+        name=request.name,
+        parent_id=request.parent_id,
+        icon=request.icon,
+        color=request.color,
+    )
+    return LibraryFolder.from_internal(folder)
+
+
+@folders_router.patch(
+    path="/folders/{folder_id}",
+    summary="Update folder in library",
+    operation_id="updateLibraryFolder",
+)
+async def update_folder(
+    request: LibraryFolderUpdateRequest,
+    folder_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> LibraryFolder:
+    """Update properties of a folder."""
+    folder = await library_db.update_folder(
+        folder_id=folder_id,
+        user_id=auth.user_id,
+        name=request.name,
+        icon=request.icon,
+        color=request.color,
+    )
+    return LibraryFolder.from_internal(folder)
+
+
+@folders_router.post(
+    path="/folders/{folder_id}/move",
+    summary="Move folder in library",
+    operation_id="moveLibraryFolder",
+)
+async def move_folder(
+    request: LibraryFolderMoveRequest,
+    folder_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> LibraryFolder:
+    """Move a folder to a new parent. Set target_parent_id to null to move to root."""
+    folder = await library_db.move_folder(
+        folder_id=folder_id,
+        user_id=auth.user_id,
+        target_parent_id=request.target_parent_id,
+    )
+    return LibraryFolder.from_internal(folder)
+
+
+@folders_router.delete(
+    path="/folders/{folder_id}",
+    summary="Delete folder in library",
+    operation_id="deleteLibraryFolder",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+async def delete_folder(
+    folder_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> None:
+    """
+    Delete a folder and its subfolders. Agents in this folder will be moved to root.
+    """
+    await library_db.delete_folder(
+        folder_id=folder_id,
+        user_id=auth.user_id,
+    )

autogpt_platform/backend/backend/api/external/v2/library/presets.py

@@ -0,0 +1,262 @@
+"""
+V2 External API - Library Preset Endpoints
+
+Provides endpoints for managing agent presets (saved run configurations).
+"""
+
+import logging
+from typing import Optional
+
+from fastapi import APIRouter, HTTPException, Query, Security
+from prisma.enums import APIKeyPermission
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.api.features.library import db as library_db
+from backend.api.features.library.model import LibraryAgentPresetCreatable
+from backend.api.features.library.model import (
+    TriggeredPresetSetupRequest as _TriggeredPresetSetupRequest,
+)
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.data.credit import get_user_credit_model
+from backend.executor import utils as execution_utils
+
+from ..common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from ..models import (
+    AgentGraphRun,
+    AgentPreset,
+    AgentPresetCreateRequest,
+    AgentPresetListResponse,
+    AgentPresetRunRequest,
+    AgentPresetUpdateRequest,
+    AgentTriggerSetupRequest,
+)
+from ..rate_limit import execute_limiter
+
+logger = logging.getLogger(__name__)
+
+presets_router = APIRouter(tags=["library", "presets"])
+
+
+@presets_router.get(
+    path="/presets",
+    summary="List agent execution presets",
+    operation_id="listAgentRunPresets",
+)
+async def list_presets(
+    graph_id: Optional[str] = Query(default=None, description="Filter by graph ID"),
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> AgentPresetListResponse:
+    """List presets in the user's library, optionally filtered by graph ID."""
+    result = await library_db.list_presets(
+        user_id=auth.user_id,
+        page=page,
+        page_size=page_size,
+        graph_id=graph_id,
+    )
+
+    return AgentPresetListResponse(
+        presets=[AgentPreset.from_internal(p) for p in result.presets],
+        page=result.pagination.current_page,
+        page_size=result.pagination.page_size,
+        total_count=result.pagination.total_items,
+        total_pages=result.pagination.total_pages,
+    )
+
+
+@presets_router.get(
+    path="/presets/{preset_id}",
+    summary="Get agent execution preset",
+    operation_id="getAgentRunPreset",
+)
+async def get_preset(
+    preset_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_LIBRARY)
+    ),
+) -> AgentPreset:
+    """Get details of a specific preset."""
+    preset = await library_db.get_preset(
+        user_id=auth.user_id,
+        preset_id=preset_id,
+    )
+    if not preset:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Preset #{preset_id} not found",
+        )
+
+    return AgentPreset.from_internal(preset)
+
+
+@presets_router.post(
+    path="/presets",
+    summary="Create agent execution preset",
+    operation_id="createAgentRunPreset",
+    status_code=status.HTTP_201_CREATED,
+)
+async def create_preset(
+    request: AgentPresetCreateRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> AgentPreset:
+    """Create a new preset with saved inputs and credentials for an agent."""
+    creatable = LibraryAgentPresetCreatable(
+        graph_id=request.graph_id,
+        graph_version=request.graph_version,
+        name=request.name,
+        description=request.description,
+        inputs=request.inputs,
+        credentials=request.credentials,
+        is_active=request.is_active,
+    )
+
+    preset = await library_db.create_preset(
+        user_id=auth.user_id,
+        preset=creatable,
+    )
+    return AgentPreset.from_internal(preset)
+
+
+@presets_router.post(
+    path="/presets/setup-trigger",
+    summary="Setup triggered preset",
+    operation_id="setupAgentRunTrigger",
+    status_code=status.HTTP_201_CREATED,
+)
+async def setup_trigger(
+    request: AgentTriggerSetupRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> AgentPreset:
+    """
+    Create a preset with a webhook trigger for automatic execution.
+
+    The agent's `trigger_setup_info` describes the required trigger configuration
+    schema and credentials. Use it to populate `trigger_config` and
+    `agent_credentials`.
+    """
+    # Use internal trigger setup endpoint to avoid logic duplication:
+    from backend.api.features.library.routes.presets import (
+        setup_trigger as _internal_setup_trigger,
+    )
+
+    internal_request = _TriggeredPresetSetupRequest(
+        name=request.name,
+        description=request.description,
+        graph_id=request.graph_id,
+        graph_version=request.graph_version,
+        trigger_config=request.trigger_config,
+        agent_credentials=request.agent_credentials,
+    )
+
+    preset = await _internal_setup_trigger(
+        params=internal_request,
+        user_id=auth.user_id,
+    )
+    return AgentPreset.from_internal(preset)
+
+
+@presets_router.patch(
+    path="/presets/{preset_id}",
+    operation_id="updateAgentRunPreset",
+    summary="Update agent execution preset",
+)
+async def update_preset(
+    request: AgentPresetUpdateRequest,
+    preset_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> AgentPreset:
+    """Update properties of a preset. Only provided fields will be updated."""
+    preset = await library_db.update_preset(
+        user_id=auth.user_id,
+        preset_id=preset_id,
+        name=request.name,
+        description=request.description,
+        inputs=request.inputs,
+        credentials=request.credentials,
+        is_active=request.is_active,
+    )
+    return AgentPreset.from_internal(preset)
+
+
+@presets_router.delete(
+    path="/presets/{preset_id}",
+    summary="Delete agent execution preset",
+    operation_id="deleteAgentRunPreset",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+async def delete_preset(
+    preset_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> None:
+    """Delete a preset."""
+    await library_db.delete_preset(
+        user_id=auth.user_id,
+        preset_id=preset_id,
+    )
+
+
+@presets_router.post(
+    path="/presets/{preset_id}/execute",
+    summary="Execute agent preset",
+    operation_id="executeAgentRunPreset",
+)
+async def execute_preset(
+    preset_id: str,
+    request: AgentPresetRunRequest = AgentPresetRunRequest(),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.RUN_AGENT)
+    ),
+) -> AgentGraphRun:
+    """Execute a preset, optionally overriding saved inputs and credentials."""
+    execute_limiter.check(auth.user_id)
+
+    # Check credit balance
+    user_credit_model = await get_user_credit_model(auth.user_id)
+    current_balance = await user_credit_model.get_credits(auth.user_id)
+    if current_balance <= 0:
+        raise HTTPException(
+            status_code=status.HTTP_402_PAYMENT_REQUIRED,
+            detail="Insufficient balance to execute the agent. Please top up your account.",
+        )
+
+    # Fetch preset
+    preset = await library_db.get_preset(
+        user_id=auth.user_id,
+        preset_id=preset_id,
+    )
+    if not preset:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Preset #{preset_id} not found",
+        )
+
+    # Merge preset inputs with overrides
+    merged_inputs = {**preset.inputs, **request.inputs}
+    merged_credentials = {**preset.credentials, **request.credentials_inputs}
+
+    result = await execution_utils.add_graph_execution(
+        graph_id=preset.graph_id,
+        user_id=auth.user_id,
+        inputs=merged_inputs,
+        graph_version=preset.graph_version,
+        graph_credentials_inputs=merged_credentials,
+        preset_id=preset_id,
+    )
+    return AgentGraphRun.from_internal(result)

autogpt_platform/backend/backend/api/external/v2/marketplace.py

@@ -0,0 +1,443 @@
+"""
+V2 External API - Marketplace Endpoints
+
+Provides access to the agent marketplace (store).
+"""
+
+import logging
+import urllib.parse
+from typing import Literal, Optional
+
+from fastapi import APIRouter, File, HTTPException, Path, Query, Security, UploadFile
+from prisma.enums import APIKeyPermission
+from starlette import status
+
+from backend.api.external.middleware import require_auth, require_permission
+from backend.api.features.store import cache as store_cache
+from backend.api.features.store import db as store_db
+from backend.api.features.store import media as store_media
+from backend.api.features.store.db import (
+    StoreAgentsSortOptions,
+    StoreCreatorsSortOptions,
+)
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.util.virus_scanner import scan_content_safe
+
+from .common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from .models import (
+    LibraryAgent,
+    MarketplaceAgent,
+    MarketplaceAgentDetails,
+    MarketplaceAgentListResponse,
+    MarketplaceAgentSubmission,
+    MarketplaceAgentSubmissionCreateRequest,
+    MarketplaceAgentSubmissionEditRequest,
+    MarketplaceAgentSubmissionsListResponse,
+    MarketplaceCreatorDetails,
+    MarketplaceCreatorsResponse,
+    MarketplaceMediaUploadResponse,
+    MarketplaceUserProfile,
+    MarketplaceUserProfileUpdateRequest,
+)
+from .rate_limit import media_upload_limiter
+
+logger = logging.getLogger(__name__)
+
+marketplace_router = APIRouter(tags=["marketplace"])
+
+
+# ============================================================================
+# Agents
+# ============================================================================
+
+
+@marketplace_router.get(
+    path="/agents",
+    summary="List or search marketplace agents",
+    operation_id="listMarketplaceAgents",
+)
+async def list_agents(
+    featured: bool = Query(
+        default=False, description="Filter to only show featured agents"
+    ),
+    creator: Optional[str] = Query(
+        default=None, description="Filter by creator username"
+    ),
+    category: Optional[str] = Query(default=None, description="Filter by category"),
+    search_query: Optional[str] = Query(
+        default=None, description="Literal + semantic search on names and descriptions"
+    ),
+    sorted_by: Optional[Literal["rating", "runs", "name", "updated_at"]] = Query(
+        default=None,
+        description="Property to sort results by. Ignored if search_query is provided.",
+    ),
+    page: int = Query(ge=1, default=1),
+    page_size: int = Query(ge=1, le=MAX_PAGE_SIZE, default=DEFAULT_PAGE_SIZE),
+    # This data is public, but we still require auth for access tracking and rate limits
+    auth: APIAuthorizationInfo = Security(require_auth),
+) -> MarketplaceAgentListResponse:
+    """List agents available in the marketplace, with optional filtering and sorting."""
+    result = await store_cache._get_cached_store_agents(
+        featured=featured,
+        creator=creator,
+        sorted_by=StoreAgentsSortOptions(sorted_by) if sorted_by else None,
+        search_query=search_query,
+        category=category,
+        page=page,
+        page_size=page_size,
+    )
+
+    return MarketplaceAgentListResponse(
+        agents=[MarketplaceAgent.from_internal(a) for a in result.agents],
+        page=result.pagination.current_page,
+        page_size=result.pagination.page_size,
+        total_count=result.pagination.total_items,
+        total_pages=result.pagination.total_pages,
+    )
+
+
+@marketplace_router.get(
+    path="/agents/by-version/{version_id}",
+    summary="Get marketplace agent by version ID",
+    operation_id="getMarketplaceAgentByListingVersion",
+)
+async def get_agent_by_version(
+    version_id: str,
+    # This data is public, but we still require auth for access tracking and rate limits
+    auth: APIAuthorizationInfo = Security(require_auth),
+) -> MarketplaceAgentDetails:
+    """Get details of a marketplace agent by its store listing version ID."""
+    agent = await store_db.get_store_agent_by_version_id(version_id)
+    return MarketplaceAgentDetails.from_internal(agent)
+
+
+@marketplace_router.get(
+    path="/agents/{username}/{agent_name}",
+    summary="Get marketplace agent details",
+    operation_id="getMarketplaceAgent",
+)
+async def get_agent_details(
+    username: str,
+    agent_name: str,
+    # This data is public, but we still require auth for access tracking and rate limits
+    auth: APIAuthorizationInfo = Security(require_auth),
+) -> MarketplaceAgentDetails:
+    """Get details of a specific marketplace agent."""
+    username = urllib.parse.unquote(username).lower()
+    agent_name = urllib.parse.unquote(agent_name).lower()
+
+    agent = await store_cache._get_cached_agent_details(
+        username=username, agent_name=agent_name
+    )
+
+    return MarketplaceAgentDetails.from_internal(agent)
+
+
+@marketplace_router.post(
+    path="/agents/{username}/{agent_name}/add-to-library",
+    summary="Add marketplace agent to library",
+    operation_id="addMarketplaceAgentToLibrary",
+    status_code=status.HTTP_201_CREATED,
+)
+async def add_agent_to_library(
+    username: str,
+    agent_name: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_LIBRARY)
+    ),
+) -> LibraryAgent:
+    """Add a marketplace agent to the authenticated user's library."""
+    from backend.api.features.library import db as library_db
+
+    username = urllib.parse.unquote(username).lower()
+    agent_name = urllib.parse.unquote(agent_name).lower()
+
+    agent_details = await store_cache._get_cached_agent_details(
+        username=username, agent_name=agent_name
+    )
+
+    agent = await library_db.add_store_agent_to_library(
+        store_listing_version_id=agent_details.store_listing_version_id,
+        user_id=auth.user_id,
+    )
+
+    return LibraryAgent.from_internal(agent)
+
+
+# ============================================================================
+# Creators
+# ============================================================================
+
+
+@marketplace_router.get(
+    path="/creators",
+    summary="List marketplace creators",
+    operation_id="listMarketplaceCreators",
+)
+async def list_creators(
+    featured: bool = Query(
+        default=False, description="Filter to featured creators only"
+    ),
+    search_query: Optional[str] = Query(
+        default=None, description="Literal + semantic search on names and descriptions"
+    ),
+    sorted_by: Optional[Literal["agent_rating", "agent_runs", "num_agents"]] = Query(
+        default=None, description="Sort field"
+    ),
+    page: int = Query(ge=1, default=1),
+    page_size: int = Query(ge=1, le=MAX_PAGE_SIZE, default=DEFAULT_PAGE_SIZE),
+    # This data is public, but we still require auth for access tracking and rate limits
+    auth: APIAuthorizationInfo = Security(require_auth),
+) -> MarketplaceCreatorsResponse:
+    """List or search marketplace creators."""
+    result = await store_cache._get_cached_store_creators(
+        featured=featured,
+        search_query=search_query,
+        sorted_by=StoreCreatorsSortOptions(sorted_by) if sorted_by else None,
+        page=page,
+        page_size=page_size,
+    )
+
+    return MarketplaceCreatorsResponse(
+        creators=[MarketplaceCreatorDetails.from_internal(c) for c in result.creators],
+        page=result.pagination.current_page,
+        page_size=result.pagination.page_size,
+        total_count=result.pagination.total_items,
+        total_pages=result.pagination.total_pages,
+    )
+
+
+@marketplace_router.get(
+    path="/creators/{username}",
+    summary="Get marketplace creator details",
+    operation_id="getMarketplaceCreator",
+)
+async def get_creator_details(
+    username: str,
+    # This data is public, but we still require auth for access tracking and rate limits
+    auth: APIAuthorizationInfo = Security(require_auth),
+) -> MarketplaceCreatorDetails:
+    """Get a marketplace creator's profile w/ stats."""
+    username = urllib.parse.unquote(username).lower()
+    creator = await store_cache._get_cached_creator_details(username=username)
+    return MarketplaceCreatorDetails.from_internal(creator)
+
+
+# ============================================================================
+# Profile
+# ============================================================================
+
+
+@marketplace_router.get(
+    path="/profile",
+    summary="Get my marketplace profile",
+    operation_id="getMarketplaceMyProfile",
+)
+async def get_profile(
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_STORE)
+    ),
+) -> MarketplaceCreatorDetails:
+    """Get the authenticated user's marketplace profile w/ creator stats."""
+    profile = await store_db.get_user_profile(auth.user_id)
+    if not profile:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Profile not found",
+        )
+
+    creator = await store_cache._get_cached_creator_details(username=profile.username)
+    return MarketplaceCreatorDetails.from_internal(creator)
+
+
+@marketplace_router.patch(
+    path="/profile",
+    summary="Update my marketplace profile",
+    operation_id="updateMarketplaceMyProfile",
+)
+async def update_profile(
+    request: MarketplaceUserProfileUpdateRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_STORE)
+    ),
+) -> MarketplaceUserProfile:
+    """Update the authenticated user's marketplace profile."""
+    from backend.api.features.store.model import ProfileUpdateRequest
+
+    profile = ProfileUpdateRequest(
+        name=request.name,
+        username=request.username,
+        description=request.description,
+        links=request.links,
+        avatar_url=request.avatar_url,
+    )
+
+    updated_profile = await store_db.update_profile(auth.user_id, profile)
+    return MarketplaceUserProfile.from_internal(updated_profile)
+
+
+# ============================================================================
+# Submissions
+# ============================================================================
+
+
+@marketplace_router.get(
+    path="/submissions",
+    summary="List my marketplace submissions",
+    operation_id="listMarketplaceSubmissions",
+)
+async def list_submissions(
+    page: int = Query(ge=1, default=1),
+    page_size: int = Query(ge=1, le=MAX_PAGE_SIZE, default=DEFAULT_PAGE_SIZE),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_STORE)
+    ),
+) -> MarketplaceAgentSubmissionsListResponse:
+    """List the authenticated user's marketplace listing submissions."""
+    result = await store_db.get_store_submissions(
+        user_id=auth.user_id,
+        page=page,
+        page_size=page_size,
+    )
+
+    return MarketplaceAgentSubmissionsListResponse(
+        submissions=[
+            MarketplaceAgentSubmission.from_internal(s) for s in result.submissions
+        ],
+        page=result.pagination.current_page,
+        page_size=result.pagination.page_size,
+        total_count=result.pagination.total_items,
+        total_pages=result.pagination.total_pages,
+    )
+
+
+@marketplace_router.post(
+    path="/submissions",
+    summary="Create marketplace submission",
+    operation_id="createMarketplaceSubmission",
+)
+async def create_submission(
+    request: MarketplaceAgentSubmissionCreateRequest,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_STORE)
+    ),
+) -> MarketplaceAgentSubmission:
+    """Submit a new marketplace listing for review."""
+    submission = await store_db.create_store_submission(
+        user_id=auth.user_id,
+        graph_id=request.graph_id,
+        graph_version=request.graph_version,
+        slug=request.slug,
+        name=request.name,
+        sub_heading=request.sub_heading,
+        description=request.description,
+        instructions=request.instructions,
+        categories=request.categories,
+        image_urls=request.image_urls,
+        video_url=request.video_url,
+        agent_output_demo_url=request.agent_output_demo_url,
+        changes_summary=request.changes_summary or "Initial Submission",
+        recommended_schedule_cron=request.recommended_schedule_cron,
+    )
+
+    return MarketplaceAgentSubmission.from_internal(submission)
+
+
+@marketplace_router.put(
+    path="/submissions/{version_id}",
+    summary="Edit marketplace submission",
+    operation_id="updateMarketplaceSubmission",
+)
+async def edit_submission(
+    request: MarketplaceAgentSubmissionEditRequest,
+    version_id: str = Path(description="Store listing version ID"),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_STORE)
+    ),
+) -> MarketplaceAgentSubmission:
+    """Update a pending marketplace listing submission."""
+    try:
+        submission = await store_db.edit_store_submission(
+            user_id=auth.user_id,
+            store_listing_version_id=version_id,
+            name=request.name,
+            sub_heading=request.sub_heading,
+            description=request.description,
+            image_urls=request.image_urls,
+            video_url=request.video_url,
+            agent_output_demo_url=request.agent_output_demo_url,
+            categories=request.categories,
+            changes_summary=request.changes_summary,
+            recommended_schedule_cron=request.recommended_schedule_cron,
+            instructions=request.instructions,
+        )
+    except Exception as e:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+
+    return MarketplaceAgentSubmission.from_internal(submission)
+
+
+@marketplace_router.delete(
+    path="/submissions/{version_id}",
+    summary="Delete marketplace submission",
+    operation_id="deleteMarketplaceSubmission",
+)
+async def delete_submission(
+    version_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_STORE)
+    ),
+) -> None:
+    """Delete a marketplace listing submission. Approved listings can not be deleted."""
+    success = await store_db.delete_store_submission(
+        user_id=auth.user_id,
+        store_listing_version_id=version_id,
+    )
+
+    if not success:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Submission #{version_id} not found",
+        )
+
+
+# ============================================================================
+# Submission Media
+# ============================================================================
+
+
+@marketplace_router.post(
+    path="/submissions/media",
+    summary="Upload marketplace submission media",
+    operation_id="uploadMarketplaceSubmissionMedia",
+)
+async def upload_submission_media(
+    file: UploadFile = File(...),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_STORE)
+    ),
+) -> MarketplaceMediaUploadResponse:
+    """Upload an image or video for a marketplace submission. Max size: 10MB."""
+    media_upload_limiter.check(auth.user_id)
+
+    max_size = 10 * 1024 * 1024  # 10MB limit for external API
+
+    content = await file.read()
+    if len(content) > max_size:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"File size ({len(content)} bytes) exceeds the 10MB limit",
+        )
+
+    # Virus scan
+    await scan_content_safe(content, filename=file.filename or "upload")
+
+    # Reset file position for store_media to read
+    await file.seek(0)
+
+    url = await store_media.upload_media(
+        user_id=auth.user_id,
+        file=file,
+    )
+
+    return MarketplaceMediaUploadResponse(url=url)

autogpt_platform/backend/backend/api/external/v2/mcp_server.py

@@ -0,0 +1,197 @@
+"""
+V2 External API - MCP Server Endpoint
+
+Exposes the platform's Copilot tools as an MCP (Model Context Protocol) server,
+allowing external MCP clients (Claude Desktop, Cursor, etc.) to interact with
+agents, runs, library, and other platform features programmatically.
+
+Uses Streamable HTTP transport with stateless sessions, authenticated via the
+same API key / OAuth bearer token mechanism as the rest of the external API.
+"""
+
+import logging
+from typing import Any, Sequence
+
+import pydantic
+from mcp.server.auth.middleware.auth_context import get_access_token
+from mcp.server.auth.provider import AccessToken, TokenVerifier
+from mcp.server.auth.settings import AuthSettings
+from mcp.server.fastmcp import FastMCP
+from mcp.server.fastmcp.server import Context
+from mcp.server.fastmcp.tools.base import Tool as MCPTool
+from mcp.server.fastmcp.utilities.func_metadata import ArgModelBase, FuncMetadata
+from prisma.enums import APIKeyPermission
+from pydantic import AnyHttpUrl
+from starlette.applications import Starlette
+
+from backend.copilot.model import ChatSession
+from backend.copilot.sdk.tool_adapter import _build_input_schema, _execute_tool_sync
+from backend.copilot.tools import TOOL_REGISTRY
+from backend.copilot.tools.base import BaseTool
+from backend.data.auth.api_key import validate_api_key
+from backend.data.auth.oauth import (
+    InvalidClientError,
+    InvalidTokenError,
+    validate_access_token,
+)
+from backend.util.settings import Settings
+
+logger = logging.getLogger(__name__)
+
+
+# ---------------------------------------------------------------------------
+# Server factory
+# ---------------------------------------------------------------------------
+
+
+def create_mcp_server() -> FastMCP:
+    """Create the MCP server with all eligible Copilot tools registered."""
+    settings = Settings()
+    base_url = settings.config.platform_base_url or "https://platform.agpt.co"
+
+    server = FastMCP(
+        name="autogpt-platform",
+        instructions=(
+            "AutoGPT Platform MCP Server. "
+            "Use these tools to find, create, run, and manage AI agents."
+        ),
+        token_verifier=ExternalAPITokenVerifier(),
+        auth=AuthSettings(
+            issuer_url=AnyHttpUrl(base_url),
+            resource_server_url=AnyHttpUrl(f"{base_url}/external-api/v2/mcp"),
+        ),
+        stateless_http=True,
+        streamable_http_path="/",
+    )
+
+    registered: list[str] = []
+    for tool in TOOL_REGISTRY.values():
+        allowed, required_perms = tool.allow_external_use
+        if not allowed or required_perms is None:
+            logger.debug(f"Skipping MCP tool {tool.name} (not allowed externally)")
+            continue
+        _register_tool(server, tool, required_perms)
+        registered.append(tool.name)
+
+    logger.info(f"MCP server created with {len(registered)} tools: {registered}")
+    return server
+
+
+def create_mcp_app() -> Starlette:
+    """Create the Starlette ASGI app for the MCP server."""
+    server = create_mcp_server()
+    return server.streamable_http_app()
+
+
+# ---------------------------------------------------------------------------
+# Token verification — reuses existing external API auth infrastructure
+# ---------------------------------------------------------------------------
+
+
+class ExternalAPITokenVerifier(TokenVerifier):
+    """Validates API keys and OAuth tokens via external API auth."""
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        # Try API key first
+        api_key_info = await validate_api_key(token)
+        if api_key_info:
+            return AccessToken(
+                token=token,
+                client_id=api_key_info.user_id,
+                scopes=[s.value for s in api_key_info.scopes],
+            )
+
+        # Try OAuth bearer token
+        try:
+            token_info, _ = await validate_access_token(token)
+            return AccessToken(
+                token=token,
+                client_id=token_info.user_id,
+                scopes=[s.value for s in token_info.scopes],
+            )
+        except (InvalidClientError, InvalidTokenError):
+            return None
+
+
+# ---------------------------------------------------------------------------
+# Tool registration
+# ---------------------------------------------------------------------------
+
+
+def _create_tool_handler(
+    tool: BaseTool,
+    required_scopes: Sequence[str],
+):
+    """Create an async MCP tool handler that wraps a BaseTool subclass.
+
+    The handler checks that the caller's API key / OAuth token
+    has all `required_scopes` before executing the tool.
+    """
+
+    async def handler(ctx: Context, **kwargs: Any) -> str:
+        access_token = get_access_token()
+        if not access_token:
+            return "Authentication required"
+
+        # Enforce per-tool permission scopes
+        if required_scopes:
+            missing = [s for s in required_scopes if s not in access_token.scopes]
+            if missing:
+                return f"Missing required permission(s): " f"{', '.join(missing)}"
+
+        user_id = access_token.client_id
+        session = ChatSession.new(user_id)
+
+        result = await _execute_tool_sync(tool, user_id, session, kwargs)
+
+        parts = []
+        for block in result.get("content", []):
+            if block.get("type") == "text":
+                parts.append(block["text"])
+        return "\n".join(parts) if parts else ""
+
+    return handler
+
+
+def _register_tool(
+    server: FastMCP, tool: BaseTool, required_perms: Sequence[APIKeyPermission]
+) -> None:
+    """Register a Copilot tool on the MCP server."""
+    required_scopes = [p.value for p in required_perms]
+    handler = _create_tool_handler(tool, required_scopes)
+
+    mcp_tool = MCPTool(
+        fn=handler,
+        name=tool.name,
+        title=None,
+        description=tool.description,
+        parameters=_build_input_schema(tool),
+        fn_metadata=_PASSTHROUGH_META,
+        is_async=True,
+        context_kwarg="ctx",
+        annotations=None,
+    )
+    server._tool_manager._tools[tool.name] = mcp_tool
+
+
+# ---------------------------------------------------------------------------
+# Passthrough arg model — lets us specify JSON Schema directly instead of
+# having FastMCP introspect the handler function's signature.
+# ---------------------------------------------------------------------------
+
+
+class _PassthroughArgs(ArgModelBase):
+    """Accepts any fields and passes them through as kwargs."""
+
+    model_config = pydantic.ConfigDict(extra="allow")
+
+    def model_dump_one_level(self, **_kwargs: Any) -> dict[str, Any]:
+        return dict(self.__pydantic_extra__ or {})
+
+
+_PASSTHROUGH_META = FuncMetadata(
+    arg_model=_PassthroughArgs,
+    output_schema=None,
+    output_model=None,
+    wrap_output=False,
+)

autogpt_platform/backend/backend/api/external/v2/rate_limit.py

@@ -0,0 +1,43 @@
+"""
+V2 External API - Rate Limiting
+
+Simple in-memory sliding window rate limiter per user.
+"""
+
+import time
+from collections import defaultdict
+
+from fastapi import HTTPException
+
+
+class RateLimiter:
+    """Sliding window rate limiter."""
+
+    def __init__(self, max_requests: int, window_seconds: int):
+        self.max_requests = max_requests
+        self.window_seconds = window_seconds
+        self._requests: dict[str, list[float]] = defaultdict(list)
+
+    def check(self, key: str) -> None:
+        """Check if the request is within rate limits. Raises 429 if exceeded."""
+        now = time.monotonic()
+        cutoff = now - self.window_seconds
+
+        # Remove expired timestamps
+        timestamps = self._requests[key]
+        self._requests[key] = [t for t in timestamps if t > cutoff]
+
+        if len(self._requests[key]) >= self.max_requests:
+            raise HTTPException(
+                status_code=429,
+                detail=f"Rate limit exceeded. Max {self.max_requests} requests per {self.window_seconds}s.",
+            )
+
+        self._requests[key].append(now)
+
+
+# Pre-configured rate limiters for specific endpoints
+media_upload_limiter = RateLimiter(max_requests=10, window_seconds=300)  # 10 / 5min
+search_limiter = RateLimiter(max_requests=30, window_seconds=60)  # 30 / min
+execute_limiter = RateLimiter(max_requests=60, window_seconds=60)  # 60 / min
+file_upload_limiter = RateLimiter(max_requests=20, window_seconds=300)  # 20 / 5min

autogpt_platform/backend/backend/api/external/v2/routes.py

@@ -0,0 +1,33 @@
+"""
+V2 External API Routes
+
+This module defines the main v2 router that aggregates all v2 API endpoints.
+"""
+
+from fastapi import APIRouter
+
+from .blocks import blocks_router
+from .credits import credits_router
+from .files import file_workspace_router
+from .graphs import graphs_router
+from .integrations import integrations_router
+from .library import library_router
+from .marketplace import marketplace_router
+from .runs import runs_router
+from .schedules import graph_schedules_router, schedules_router
+from .search import search_router
+
+v2_router = APIRouter()
+
+# Include all sub-routers
+v2_router.include_router(blocks_router, prefix="/blocks")
+v2_router.include_router(credits_router, prefix="/credits")
+v2_router.include_router(file_workspace_router, prefix="/files")
+v2_router.include_router(graph_schedules_router, prefix="/graphs")
+v2_router.include_router(graphs_router, prefix="/graphs")
+v2_router.include_router(integrations_router, prefix="/integrations")
+v2_router.include_router(library_router, prefix="/library")
+v2_router.include_router(marketplace_router, prefix="/marketplace")
+v2_router.include_router(runs_router, prefix="/runs")
+v2_router.include_router(schedules_router, prefix="/schedules")
+v2_router.include_router(search_router, prefix="/search")

autogpt_platform/backend/backend/api/external/v2/runs.py

@@ -0,0 +1,345 @@
+"""
+V2 External API - Runs Endpoints
+
+Provides access to agent runs and human-in-the-loop reviews.
+"""
+
+import logging
+import uuid
+from datetime import datetime, timezone
+from typing import Optional
+
+from fastapi import APIRouter, HTTPException, Path, Query, Security
+from prisma.enums import APIKeyPermission, ReviewStatus
+from pydantic import JsonValue
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.data import execution as execution_db
+from backend.data import human_review as review_db
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.executor import utils as execution_utils
+from backend.util.settings import Settings
+
+from .common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from .models import (
+    AgentGraphRun,
+    AgentGraphRunDetails,
+    AgentRunListResponse,
+    AgentRunReview,
+    AgentRunReviewsResponse,
+    AgentRunReviewsSubmitRequest,
+    AgentRunReviewsSubmitResponse,
+    AgentRunShareResponse,
+)
+
+logger = logging.getLogger(__name__)
+settings = Settings()
+
+runs_router = APIRouter(tags=["runs"])
+
+
+# ============================================================================
+# Endpoints - Runs
+# ============================================================================
+
+
+@runs_router.get(
+    path="",
+    summary="List agent runs",
+    operation_id="listAgentRuns",
+)
+async def list_runs(
+    graph_id: Optional[str] = Query(default=None, description="Filter by graph ID"),
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_RUN)
+    ),
+) -> AgentRunListResponse:
+    """List agent runs, optionally filtered by graph ID."""
+    result = await execution_db.get_graph_executions_paginated(
+        user_id=auth.user_id,
+        graph_id=graph_id,
+        page=page,
+        page_size=page_size,
+    )
+
+    return AgentRunListResponse(
+        runs=[AgentGraphRun.from_internal(e) for e in result.executions],
+        page=result.pagination.current_page,
+        page_size=result.pagination.page_size,
+        total_count=result.pagination.total_items,
+        total_pages=result.pagination.total_pages,
+    )
+
+
+@runs_router.get(
+    path="/{run_id}",
+    summary="Get agent run details",
+    operation_id="getAgentRunDetails",
+)
+async def get_run(
+    run_id: str = Path(description="Graph Execution ID"),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_RUN)
+    ),
+) -> AgentGraphRunDetails:
+    """Get detailed information about a specific run."""
+    result = await execution_db.get_graph_execution(
+        user_id=auth.user_id,
+        execution_id=run_id,
+        include_node_executions=True,
+    )
+
+    if not result:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Run #{run_id} not found",
+        )
+
+    return AgentGraphRunDetails.from_internal(result)
+
+
+@runs_router.post(
+    path="/{run_id}/stop",
+    summary="Stop agent run",
+    operation_id="stopAgentRun",
+)
+async def stop_run(
+    run_id: str = Path(description="Graph Execution ID"),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_RUN)
+    ),
+) -> AgentGraphRun:
+    """
+    Stop a running execution.
+
+    Only runs with status QUEUED or RUNNING can be stopped.
+    """
+    # Verify the run exists and belongs to the user
+    exec = await execution_db.get_graph_execution(
+        user_id=auth.user_id,
+        execution_id=run_id,
+    )
+    if not exec:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Run #{run_id} not found",
+        )
+
+    # Stop the execution
+    await execution_utils.stop_graph_execution(
+        graph_exec_id=run_id,
+        user_id=auth.user_id,
+    )
+
+    # Fetch updated execution
+    updated_exec = await execution_db.get_graph_execution(
+        user_id=auth.user_id,
+        execution_id=run_id,
+    )
+
+    if not updated_exec:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Run #{run_id} not found",
+        )
+
+    return AgentGraphRun.from_internal(updated_exec)
+
+
+@runs_router.delete(
+    path="/{run_id}",
+    summary="Delete agent run",
+    operation_id="deleteAgentRun",
+)
+async def delete_run(
+    run_id: str = Path(description="Graph Execution ID"),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_RUN)
+    ),
+) -> None:
+    """Delete an agent run."""
+    await execution_db.delete_graph_execution(
+        graph_exec_id=run_id,
+        user_id=auth.user_id,
+    )
+
+
+# ============================================================================
+# Endpoints - Sharing
+# ============================================================================
+
+
+@runs_router.post(
+    path="/{run_id}/share",
+    summary="Enable sharing for an agent run",
+    operation_id="enableAgentRunShare",
+)
+async def enable_sharing(
+    run_id: str = Path(description="Graph Execution ID"),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_RUN, APIKeyPermission.SHARE_RUN)
+    ),
+) -> AgentRunShareResponse:
+    """Enable public sharing for a run."""
+    execution = await execution_db.get_graph_execution(
+        user_id=auth.user_id,
+        execution_id=run_id,
+    )
+    if not execution:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Run #{run_id} not found",
+        )
+
+    share_token = str(uuid.uuid4())
+
+    await execution_db.update_graph_execution_share_status(
+        execution_id=run_id,
+        user_id=auth.user_id,
+        is_shared=True,
+        share_token=share_token,
+        shared_at=datetime.now(timezone.utc),
+    )
+
+    frontend_url = settings.config.frontend_base_url or "http://localhost:3000"
+    share_url = f"{frontend_url}/share/{share_token}"
+
+    return AgentRunShareResponse(share_url=share_url, share_token=share_token)
+
+
+@runs_router.delete(
+    path="/{run_id}/share",
+    summary="Disable sharing for an agent run",
+    operation_id="disableAgentRunShare",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+async def disable_sharing(
+    run_id: str = Path(description="Graph Execution ID"),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.SHARE_RUN)
+    ),
+) -> None:
+    """Disable public sharing for a run."""
+    execution = await execution_db.get_graph_execution(
+        user_id=auth.user_id,
+        execution_id=run_id,
+    )
+    if not execution:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Run #{run_id} not found",
+        )
+
+    await execution_db.update_graph_execution_share_status(
+        execution_id=run_id,
+        user_id=auth.user_id,
+        is_shared=False,
+        share_token=None,
+        shared_at=None,
+    )
+
+
+# ============================================================================
+# Endpoints - Reviews (Human-in-the-loop)
+# ============================================================================
+
+
+@runs_router.get(
+    path="/reviews",
+    summary="List agent run human-in-the-loop reviews",
+    operation_id="listAgentRunReviews",
+)
+async def list_reviews(
+    run_id: Optional[str] = Query(
+        default=None, description="Filter by graph execution ID"
+    ),
+    status: Optional[ReviewStatus] = Query(
+        description="Filter by review status",
+    ),
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_RUN_REVIEW)
+    ),
+) -> AgentRunReviewsResponse:
+    """
+    List human-in-the-loop reviews for agent runs.
+
+    Returns reviews with status WAITING if no status filter is given.
+    """
+    reviews, pagination = await review_db.get_reviews(
+        user_id=auth.user_id,
+        graph_exec_id=run_id,
+        status=status,
+        page=page,
+        page_size=page_size,
+    )
+
+    return AgentRunReviewsResponse(
+        reviews=[AgentRunReview.from_internal(r) for r in reviews],
+        page=pagination.current_page,
+        page_size=pagination.page_size,
+        total_count=pagination.total_items,
+        total_pages=pagination.total_pages,
+    )
+
+
+@runs_router.post(
+    path="/{run_id}/reviews",
+    summary="Submit agent run human-in-the-loop reviews",
+    operation_id="submitAgentRunReviews",
+)
+async def submit_reviews(
+    request: AgentRunReviewsSubmitRequest,
+    run_id: str = Path(description="Graph Execution ID"),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_RUN_REVIEW)
+    ),
+) -> AgentRunReviewsSubmitResponse:
+    """
+    Submit responses to all pending human-in-the-loop reviews for a run.
+
+    All pending reviews for the run must be included in the request.
+    Approving a review continues execution; rejecting terminates that branch.
+    """
+    # Build review decisions dict for process_all_reviews_for_execution
+    review_decisions: dict[str, tuple[ReviewStatus, JsonValue | None, str | None]] = {}
+
+    for decision in request.reviews:
+        status = ReviewStatus.APPROVED if decision.approved else ReviewStatus.REJECTED
+        review_decisions[decision.node_exec_id] = (
+            status,
+            decision.edited_payload,
+            decision.message,
+        )
+
+    results = await review_db.process_all_reviews_for_execution(
+        user_id=auth.user_id,
+        review_decisions=review_decisions,
+    )
+
+    approved_count = sum(
+        1 for r in results.values() if r.status == ReviewStatus.APPROVED
+    )
+    rejected_count = sum(
+        1 for r in results.values() if r.status == ReviewStatus.REJECTED
+    )
+
+    return AgentRunReviewsSubmitResponse(
+        run_id=run_id,
+        approved_count=approved_count,
+        rejected_count=rejected_count,
+    )

autogpt_platform/backend/backend/api/external/v2/schedules.py

@@ -0,0 +1,155 @@
+"""
+V2 External API - Schedules Endpoints
+
+Provides endpoints for managing execution schedules.
+"""
+
+import logging
+from typing import Optional
+
+from fastapi import APIRouter, HTTPException, Query, Security
+from prisma.enums import APIKeyPermission
+from starlette import status
+
+from backend.api.external.middleware import require_permission
+from backend.data import graph as graph_db
+from backend.data.auth.base import APIAuthorizationInfo
+from backend.data.user import get_user_by_id
+from backend.util.clients import get_scheduler_client
+from backend.util.timezone_utils import get_user_timezone_or_utc
+
+from .common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from .models import (
+    AgentRunSchedule,
+    AgentRunScheduleCreateRequest,
+    AgentRunScheduleListResponse,
+)
+
+logger = logging.getLogger(__name__)
+
+schedules_router = APIRouter(tags=["graphs", "schedules"])
+
+
+# ============================================================================
+# Endpoints
+# ============================================================================
+
+
+@schedules_router.get(
+    path="",
+    summary="List run schedules",
+    operation_id="listGraphRunSchedules",
+)
+async def list_all_schedules(
+    graph_id: Optional[str] = Query(default=None, description="Filter by graph ID"),
+    page: int = Query(default=1, ge=1, description="Page number (1-indexed)"),
+    page_size: int = Query(
+        default=DEFAULT_PAGE_SIZE,
+        ge=1,
+        le=MAX_PAGE_SIZE,
+        description=f"Items per page (max {MAX_PAGE_SIZE})",
+    ),
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.READ_SCHEDULE)
+    ),
+) -> AgentRunScheduleListResponse:
+    """List schedules for the authenticated user."""
+    schedules = await get_scheduler_client().get_execution_schedules(
+        user_id=auth.user_id,
+        graph_id=graph_id,
+    )
+    converted = [AgentRunSchedule.from_internal(s) for s in schedules]
+
+    # Manual pagination (scheduler doesn't support pagination natively)
+    total_count = len(converted)
+    total_pages = (total_count + page_size - 1) // page_size if total_count > 0 else 1
+    start = (page - 1) * page_size
+    end = start + page_size
+    paginated = converted[start:end]
+
+    return AgentRunScheduleListResponse(
+        schedules=paginated,
+        page=page,
+        page_size=page_size,
+        total_count=total_count,
+        total_pages=total_pages,
+    )
+
+
+@schedules_router.delete(
+    path="/{schedule_id}",
+    summary="Delete run schedule",
+    operation_id="deleteGraphRunSchedule",
+)
+async def delete_schedule(
+    schedule_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_SCHEDULE)
+    ),
+) -> None:
+    """Delete an execution schedule."""
+    try:
+        await get_scheduler_client().delete_schedule(
+            schedule_id=schedule_id,
+            user_id=auth.user_id,
+        )
+    except Exception as e:
+        if "not found" in str(e).lower():
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=f"Schedule #{schedule_id} not found",
+            )
+        raise
+
+
+# ============================================================================
+# Graph-specific Schedule Endpoints (nested under /graphs)
+# These are included in the graphs router via include_router
+# ============================================================================
+
+graph_schedules_router = APIRouter(tags=["graphs"])
+
+
+@graph_schedules_router.post(
+    path="/{graph_id}/schedules",
+    summary="Create run schedule",
+    operation_id="createGraphRunSchedule",
+)
+async def create_graph_schedule(
+    request: AgentRunScheduleCreateRequest,
+    graph_id: str,
+    auth: APIAuthorizationInfo = Security(
+        require_permission(APIKeyPermission.WRITE_SCHEDULE)
+    ),
+) -> AgentRunSchedule:
+    """Create a new execution schedule for a graph."""
+    graph = await graph_db.get_graph(
+        graph_id=graph_id,
+        version=request.graph_version,
+        user_id=auth.user_id,
+    )
+    if not graph:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Graph #{graph_id} v{request.graph_version} not found.",
+        )
+
+    # Determine timezone
+    if request.timezone:
+        user_timezone = request.timezone
+    else:
+        user = await get_user_by_id(auth.user_id)
+        user_timezone = get_user_timezone_or_utc(user.timezone if user else None)
+
+    result = await get_scheduler_client().add_execution_schedule(
+        user_id=auth.user_id,
+        graph_id=graph_id,
+        graph_version=graph.version,
+        name=request.name,
+        cron=request.cron,
+        input_data=request.input_data,
+        input_credentials=request.credentials_inputs,
+        user_timezone=user_timezone,
+    )
+
+    return AgentRunSchedule.from_internal(result)

autogpt_platform/backend/backend/api/external/v2/search.py

@@ -0,0 +1,76 @@
+"""
+V2 External API - Search Endpoints
+
+Cross-domain hybrid search across agents, blocks, and documentation.
+"""
+
+import logging
+from typing import Optional
+
+from fastapi import APIRouter, Query, Security
+from prisma.enums import ContentType as SearchContentType
+
+from backend.api.external.middleware import require_auth
+from backend.api.features.store.hybrid_search import unified_hybrid_search
+from backend.data.auth.base import APIAuthorizationInfo
+
+from .common import DEFAULT_PAGE_SIZE, MAX_PAGE_SIZE
+from .models import MarketplaceSearchResponse, MarketplaceSearchResult
+from .rate_limit import search_limiter
+
+logger = logging.getLogger(__name__)
+
+search_router = APIRouter(tags=["search"])
+
+
+@search_router.get(
+    path="",
+    summary="Search content and capabilities of the platform",
+    operation_id="search",
+)
+async def search(
+    query: str = Query(description="Search query"),
+    content_types: Optional[list[SearchContentType]] = Query(
+        default=None, description="Content types to filter by"
+    ),
+    category: Optional[str] = Query(default=None, description="Filter by category"),
+    page: int = Query(ge=1, default=1),
+    page_size: int = Query(ge=1, le=MAX_PAGE_SIZE, default=DEFAULT_PAGE_SIZE),
+    auth: APIAuthorizationInfo = Security(require_auth),
+) -> MarketplaceSearchResponse:
+    """
+    Search the platform's content and capabilities (hybrid search: literal + semantic).
+
+    Searches across agents, blocks, and documentation. Results are ranked
+    by a combination of keyword matching and semantic similarity.
+    """
+    search_limiter.check(auth.user_id)
+
+    results, total_count = await unified_hybrid_search(
+        query=query,
+        content_types=content_types,
+        category=category,
+        page=page,
+        page_size=page_size,
+        user_id=auth.user_id,
+    )
+
+    total_pages = max(1, (total_count + page_size - 1) // page_size)
+
+    return MarketplaceSearchResponse(
+        results=[
+            MarketplaceSearchResult(
+                content_type=r.get("content_type", ""),
+                content_id=r.get("content_id", ""),
+                searchable_text=r.get("searchable_text", ""),
+                metadata=r.get("metadata"),
+                updated_at=r.get("updated_at"),
+                combined_score=r.get("combined_score"),
+            )
+            for r in results
+        ],
+        page=page,
+        page_size=page_size,
+        total_count=total_count,
+        total_pages=total_pages,
+    )

autogpt_platform/backend/backend/api/features/admin/model.py

@@ -1,17 +1,8 @@
-from __future__ import annotations
-
-from datetime import datetime
-from typing import TYPE_CHECKING, Any, Literal, Optional
-
-import prisma.enums
-from pydantic import BaseModel, EmailStr
+from pydantic import BaseModel
 
 from backend.data.model import UserTransaction
 from backend.util.models import Pagination
 
-if TYPE_CHECKING:
-    from backend.data.invited_user import BulkInvitedUsersResult, InvitedUserRecord
-
 
 class UserHistoryResponse(BaseModel):
     """Response model for listings with version history"""
@@ -23,70 +14,3 @@ class UserHistoryResponse(BaseModel):
 class AddUserCreditsResponse(BaseModel):
     new_balance: int
     transaction_key: str
-
-
-class CreateInvitedUserRequest(BaseModel):
-    email: EmailStr
-    name: Optional[str] = None
-
-
-class InvitedUserResponse(BaseModel):
-    id: str
-    email: str
-    status: prisma.enums.InvitedUserStatus
-    auth_user_id: Optional[str] = None
-    name: Optional[str] = None
-    tally_understanding: Optional[dict[str, Any]] = None
-    tally_status: prisma.enums.TallyComputationStatus
-    tally_computed_at: Optional[datetime] = None
-    tally_error: Optional[str] = None
-    created_at: datetime
-    updated_at: datetime
-
-    @classmethod
-    def from_record(cls, record: InvitedUserRecord) -> InvitedUserResponse:
-        return cls.model_validate(record.model_dump())
-
-
-class InvitedUsersResponse(BaseModel):
-    invited_users: list[InvitedUserResponse]
-    pagination: Pagination
-
-
-class BulkInvitedUserRowResponse(BaseModel):
-    row_number: int
-    email: Optional[str] = None
-    name: Optional[str] = None
-    status: Literal["CREATED", "SKIPPED", "ERROR"]
-    message: str
-    invited_user: Optional[InvitedUserResponse] = None
-
-
-class BulkInvitedUsersResponse(BaseModel):
-    created_count: int
-    skipped_count: int
-    error_count: int
-    results: list[BulkInvitedUserRowResponse]
-
-    @classmethod
-    def from_result(cls, result: BulkInvitedUsersResult) -> BulkInvitedUsersResponse:
-        return cls(
-            created_count=result.created_count,
-            skipped_count=result.skipped_count,
-            error_count=result.error_count,
-            results=[
-                BulkInvitedUserRowResponse(
-                    row_number=row.row_number,
-                    email=row.email,
-                    name=row.name,
-                    status=row.status,
-                    message=row.message,
-                    invited_user=(
-                        InvitedUserResponse.from_record(row.invited_user)
-                        if row.invited_user is not None
-                        else None
-                    ),
-                )
-                for row in result.results
-            ],
-        )

autogpt_platform/backend/backend/api/features/admin/user_admin_routes.py

@@ -1,137 +0,0 @@
-import logging
-import math
-
-from autogpt_libs.auth import get_user_id, requires_admin_user
-from fastapi import APIRouter, File, Query, Security, UploadFile
-
-from backend.data.invited_user import (
-    bulk_create_invited_users_from_file,
-    create_invited_user,
-    list_invited_users,
-    retry_invited_user_tally,
-    revoke_invited_user,
-)
-from backend.data.tally import mask_email
-from backend.util.models import Pagination
-
-from .model import (
-    BulkInvitedUsersResponse,
-    CreateInvitedUserRequest,
-    InvitedUserResponse,
-    InvitedUsersResponse,
-)
-
-logger = logging.getLogger(__name__)
-
-
-router = APIRouter(
-    prefix="/admin",
-    tags=["users", "admin"],
-    dependencies=[Security(requires_admin_user)],
-)
-
-
-@router.get(
-    "/invited-users",
-    response_model=InvitedUsersResponse,
-    summary="List Invited Users",
-)
-async def get_invited_users(
-    admin_user_id: str = Security(get_user_id),
-    page: int = Query(1, ge=1),
-    page_size: int = Query(50, ge=1, le=200),
-) -> InvitedUsersResponse:
-    logger.info("Admin user %s requested invited users", admin_user_id)
-    invited_users, total = await list_invited_users(page=page, page_size=page_size)
-    return InvitedUsersResponse(
-        invited_users=[InvitedUserResponse.from_record(iu) for iu in invited_users],
-        pagination=Pagination(
-            total_items=total,
-            total_pages=max(1, math.ceil(total / page_size)),
-            current_page=page,
-            page_size=page_size,
-        ),
-    )
-
-
-@router.post(
-    "/invited-users",
-    response_model=InvitedUserResponse,
-    summary="Create Invited User",
-)
-async def create_invited_user_route(
-    request: CreateInvitedUserRequest,
-    admin_user_id: str = Security(get_user_id),
-) -> InvitedUserResponse:
-    logger.info(
-        "Admin user %s creating invited user for %s",
-        admin_user_id,
-        mask_email(request.email),
-    )
-    invited_user = await create_invited_user(request.email, request.name)
-    logger.info(
-        "Admin user %s created invited user %s",
-        admin_user_id,
-        invited_user.id,
-    )
-    return InvitedUserResponse.from_record(invited_user)
-
-
-@router.post(
-    "/invited-users/bulk",
-    response_model=BulkInvitedUsersResponse,
-    summary="Bulk Create Invited Users",
-    operation_id="postV2BulkCreateInvitedUsers",
-)
-async def bulk_create_invited_users_route(
-    file: UploadFile = File(...),
-    admin_user_id: str = Security(get_user_id),
-) -> BulkInvitedUsersResponse:
-    logger.info(
-        "Admin user %s bulk invited users from %s",
-        admin_user_id,
-        file.filename or "<unnamed>",
-    )
-    content = await file.read()
-    result = await bulk_create_invited_users_from_file(file.filename, content)
-    return BulkInvitedUsersResponse.from_result(result)
-
-
-@router.post(
-    "/invited-users/{invited_user_id}/revoke",
-    response_model=InvitedUserResponse,
-    summary="Revoke Invited User",
-)
-async def revoke_invited_user_route(
-    invited_user_id: str,
-    admin_user_id: str = Security(get_user_id),
-) -> InvitedUserResponse:
-    logger.info(
-        "Admin user %s revoking invited user %s", admin_user_id, invited_user_id
-    )
-    invited_user = await revoke_invited_user(invited_user_id)
-    logger.info("Admin user %s revoked invited user %s", admin_user_id, invited_user_id)
-    return InvitedUserResponse.from_record(invited_user)
-
-
-@router.post(
-    "/invited-users/{invited_user_id}/retry-tally",
-    response_model=InvitedUserResponse,
-    summary="Retry Invited User Tally",
-)
-async def retry_invited_user_tally_route(
-    invited_user_id: str,
-    admin_user_id: str = Security(get_user_id),
-) -> InvitedUserResponse:
-    logger.info(
-        "Admin user %s retrying Tally seed for invited user %s",
-        admin_user_id,
-        invited_user_id,
-    )
-    invited_user = await retry_invited_user_tally(invited_user_id)
-    logger.info(
-        "Admin user %s retried Tally seed for invited user %s",
-        admin_user_id,
-        invited_user_id,
-    )
-    return InvitedUserResponse.from_record(invited_user)

autogpt_platform/backend/backend/api/features/admin/user_admin_routes_test.py

@@ -1,168 +0,0 @@
-from datetime import datetime, timezone
-from unittest.mock import AsyncMock
-
-import fastapi
-import fastapi.testclient
-import prisma.enums
-import pytest
-import pytest_mock
-from autogpt_libs.auth.jwt_utils import get_jwt_payload
-
-from backend.data.invited_user import (
-    BulkInvitedUserRowResult,
-    BulkInvitedUsersResult,
-    InvitedUserRecord,
-)
-
-from .user_admin_routes import router as user_admin_router
-
-app = fastapi.FastAPI()
-app.include_router(user_admin_router)
-
-client = fastapi.testclient.TestClient(app)
-
-
-@pytest.fixture(autouse=True)
-def setup_app_admin_auth(mock_jwt_admin):
-    app.dependency_overrides[get_jwt_payload] = mock_jwt_admin["get_jwt_payload"]
-    yield
-    app.dependency_overrides.clear()
-
-
-def _sample_invited_user() -> InvitedUserRecord:
-    now = datetime.now(timezone.utc)
-    return InvitedUserRecord(
-        id="invite-1",
-        email="invited@example.com",
-        status=prisma.enums.InvitedUserStatus.INVITED,
-        auth_user_id=None,
-        name="Invited User",
-        tally_understanding=None,
-        tally_status=prisma.enums.TallyComputationStatus.PENDING,
-        tally_computed_at=None,
-        tally_error=None,
-        created_at=now,
-        updated_at=now,
-    )
-
-
-def _sample_bulk_invited_users_result() -> BulkInvitedUsersResult:
-    return BulkInvitedUsersResult(
-        created_count=1,
-        skipped_count=1,
-        error_count=0,
-        results=[
-            BulkInvitedUserRowResult(
-                row_number=1,
-                email="invited@example.com",
-                name=None,
-                status="CREATED",
-                message="Invite created",
-                invited_user=_sample_invited_user(),
-            ),
-            BulkInvitedUserRowResult(
-                row_number=2,
-                email="duplicate@example.com",
-                name=None,
-                status="SKIPPED",
-                message="An invited user with this email already exists",
-                invited_user=None,
-            ),
-        ],
-    )
-
-
-def test_get_invited_users(
-    mocker: pytest_mock.MockerFixture,
-) -> None:
-    mocker.patch(
-        "backend.api.features.admin.user_admin_routes.list_invited_users",
-        AsyncMock(return_value=([_sample_invited_user()], 1)),
-    )
-
-    response = client.get("/admin/invited-users")
-
-    assert response.status_code == 200
-    data = response.json()
-    assert len(data["invited_users"]) == 1
-    assert data["invited_users"][0]["email"] == "invited@example.com"
-    assert data["invited_users"][0]["status"] == "INVITED"
-    assert data["pagination"]["total_items"] == 1
-    assert data["pagination"]["current_page"] == 1
-    assert data["pagination"]["page_size"] == 50
-
-
-def test_create_invited_user(
-    mocker: pytest_mock.MockerFixture,
-) -> None:
-    mocker.patch(
-        "backend.api.features.admin.user_admin_routes.create_invited_user",
-        AsyncMock(return_value=_sample_invited_user()),
-    )
-
-    response = client.post(
-        "/admin/invited-users",
-        json={"email": "invited@example.com", "name": "Invited User"},
-    )
-
-    assert response.status_code == 200
-    data = response.json()
-    assert data["email"] == "invited@example.com"
-    assert data["name"] == "Invited User"
-
-
-def test_bulk_create_invited_users(
-    mocker: pytest_mock.MockerFixture,
-) -> None:
-    mocker.patch(
-        "backend.api.features.admin.user_admin_routes.bulk_create_invited_users_from_file",
-        AsyncMock(return_value=_sample_bulk_invited_users_result()),
-    )
-
-    response = client.post(
-        "/admin/invited-users/bulk",
-        files={
-            "file": ("invites.txt", b"invited@example.com\nduplicate@example.com\n")
-        },
-    )
-
-    assert response.status_code == 200
-    data = response.json()
-    assert data["created_count"] == 1
-    assert data["skipped_count"] == 1
-    assert data["results"][0]["status"] == "CREATED"
-    assert data["results"][1]["status"] == "SKIPPED"
-
-
-def test_revoke_invited_user(
-    mocker: pytest_mock.MockerFixture,
-) -> None:
-    revoked = _sample_invited_user().model_copy(
-        update={"status": prisma.enums.InvitedUserStatus.REVOKED}
-    )
-    mocker.patch(
-        "backend.api.features.admin.user_admin_routes.revoke_invited_user",
-        AsyncMock(return_value=revoked),
-    )
-
-    response = client.post("/admin/invited-users/invite-1/revoke")
-
-    assert response.status_code == 200
-    assert response.json()["status"] == "REVOKED"
-
-
-def test_retry_invited_user_tally(
-    mocker: pytest_mock.MockerFixture,
-) -> None:
-    retried = _sample_invited_user().model_copy(
-        update={"tally_status": prisma.enums.TallyComputationStatus.RUNNING}
-    )
-    mocker.patch(
-        "backend.api.features.admin.user_admin_routes.retry_invited_user_tally",
-        AsyncMock(return_value=retried),
-    )
-
-    response = client.post("/admin/invited-users/invite-1/retry-tally")
-
-    assert response.status_code == 200
-    assert response.json()["tally_status"] == "RUNNING"

autogpt_platform/backend/backend/api/features/chat/routes.py

@@ -53,8 +53,6 @@ from backend.copilot.tools.models import (
     UnderstandingUpdatedResponse,
 )
 from backend.copilot.tracking import track_user_message
-from backend.data.redis_client import get_redis_async
-from backend.data.understanding import get_business_understanding
 from backend.data.workspace import get_or_create_workspace
 from backend.util.exceptions import NotFoundError
 
@@ -129,7 +127,6 @@ class SessionSummaryResponse(BaseModel):
     created_at: str
     updated_at: str
     title: str | None = None
-    is_processing: bool
 
 
 class ListSessionsResponse(BaseModel):
@@ -188,28 +185,6 @@ async def list_sessions(
     """
     sessions, total_count = await get_user_sessions(user_id, limit, offset)
 
-    # Batch-check Redis for active stream status on each session
-    processing_set: set[str] = set()
-    if sessions:
-        try:
-            redis = await get_redis_async()
-            pipe = redis.pipeline(transaction=False)
-            for session in sessions:
-                pipe.hget(
-                    f"{config.session_meta_prefix}{session.session_id}",
-                    "status",
-                )
-            statuses = await pipe.execute()
-            processing_set = {
-                session.session_id
-                for session, st in zip(sessions, statuses)
-                if st == "running"
-            }
-        except Exception:
-            logger.warning(
-                "Failed to fetch processing status from Redis; " "defaulting to empty"
-            )
-
     return ListSessionsResponse(
         sessions=[
             SessionSummaryResponse(
@@ -217,7 +192,6 @@ async def list_sessions(
                 created_at=session.started_at.isoformat(),
                 updated_at=session.updated_at.isoformat(),
                 title=session.title,
-                is_processing=session.session_id in processing_set,
             )
             for session in sessions
         ],
@@ -854,36 +828,6 @@ async def session_assign_user(
     return {"status": "ok"}
 
 
-# ========== Suggested Prompts ==========
-
-
-class SuggestedPromptsResponse(BaseModel):
-    """Response model for user-specific suggested prompts."""
-
-    prompts: list[str]
-
-
-@router.get(
-    "/suggested-prompts",
-    dependencies=[Security(auth.requires_user)],
-)
-async def get_suggested_prompts(
-    user_id: Annotated[str, Security(auth.get_user_id)],
-) -> SuggestedPromptsResponse:
-    """
-    Get LLM-generated suggested prompts for the authenticated user.
-
-    Returns personalized quick-action prompts based on the user's
-    business understanding. Returns an empty list if no custom prompts
-    are available.
-    """
-    understanding = await get_business_understanding(user_id)
-    if understanding is None:
-        return SuggestedPromptsResponse(prompts=[])
-
-    return SuggestedPromptsResponse(prompts=understanding.suggested_prompts)
-
-
 # ========== Configuration ==========
 
 

autogpt_platform/backend/backend/api/features/chat/routes_test.py

@@ -1,6 +1,6 @@
-"""Tests for chat API routes: session title update, file attachment validation, and suggested prompts."""
+"""Tests for chat API routes: session title update and file attachment validation."""
 
-from unittest.mock import AsyncMock, MagicMock
+from unittest.mock import AsyncMock
 
 import fastapi
 import fastapi.testclient
@@ -249,62 +249,3 @@ def test_file_ids_scoped_to_workspace(mocker: pytest_mock.MockFixture):
     call_kwargs = mock_prisma.find_many.call_args[1]
     assert call_kwargs["where"]["workspaceId"] == "my-workspace-id"
     assert call_kwargs["where"]["isDeleted"] is False
-
-
-# ─── Suggested prompts endpoint ──────────────────────────────────────
-
-
-def _mock_get_business_understanding(
-    mocker: pytest_mock.MockerFixture,
-    *,
-    return_value=None,
-):
-    """Mock get_business_understanding."""
-    return mocker.patch(
-        "backend.api.features.chat.routes.get_business_understanding",
-        new_callable=AsyncMock,
-        return_value=return_value,
-    )
-
-
-def test_suggested_prompts_returns_prompts(
-    mocker: pytest_mock.MockerFixture,
-    test_user_id: str,
-) -> None:
-    """User with understanding and prompts gets them back."""
-    mock_understanding = MagicMock()
-    mock_understanding.suggested_prompts = ["Do X", "Do Y", "Do Z"]
-    _mock_get_business_understanding(mocker, return_value=mock_understanding)
-
-    response = client.get("/suggested-prompts")
-
-    assert response.status_code == 200
-    assert response.json() == {"prompts": ["Do X", "Do Y", "Do Z"]}
-
-
-def test_suggested_prompts_no_understanding(
-    mocker: pytest_mock.MockerFixture,
-    test_user_id: str,
-) -> None:
-    """User with no understanding gets empty list."""
-    _mock_get_business_understanding(mocker, return_value=None)
-
-    response = client.get("/suggested-prompts")
-
-    assert response.status_code == 200
-    assert response.json() == {"prompts": []}
-
-
-def test_suggested_prompts_empty_prompts(
-    mocker: pytest_mock.MockerFixture,
-    test_user_id: str,
-) -> None:
-    """User with understanding but no prompts gets empty list."""
-    mock_understanding = MagicMock()
-    mock_understanding.suggested_prompts = []
-    _mock_get_business_understanding(mocker, return_value=mock_understanding)
-
-    response = client.get("/suggested-prompts")
-
-    assert response.status_code == 200
-    assert response.json() == {"prompts": []}

autogpt_platform/backend/backend/api/features/library/db.py

@@ -4,9 +4,11 @@ import logging
 from typing import Literal, Optional
 
 import fastapi
+import prisma.enums
 import prisma.errors
 import prisma.models
 import prisma.types
+from prisma.enums import SubmissionStatus
 
 import backend.api.features.store.image_gen as store_image_gen
 import backend.api.features.store.media as store_media
@@ -46,6 +48,8 @@ integration_creds_manager = IntegrationCredentialsManager()
 async def list_library_agents(
     user_id: str,
     search_term: Optional[str] = None,
+    published: Optional[bool] = None,
+    favorite: Optional[bool] = None,
     sort_by: library_model.LibraryAgentSort = library_model.LibraryAgentSort.UPDATED_AT,
     page: int = 1,
     page_size: int = 50,
@@ -59,6 +63,8 @@ async def list_library_agents(
     Args:
         user_id: The ID of the user whose LibraryAgents we want to retrieve.
         search_term: Optional string to filter agents by name/description.
+        published: Allows filtering by marketplace publish status;
+            `True` -> only published agents, `False` -> only unpublished agents.
         sort_by: Sorting field (createdAt, updatedAt, isFavorite, isCreatedByUser).
         page: Current page (1-indexed).
         page_size: Number of items per page.
@@ -117,6 +123,28 @@ async def list_library_agents(
             },
         ]
 
+    # Filter by marketplace publish status
+    if published is not None:
+        active_listing_filter: prisma.types.StoreListingVersionWhereInput = {
+            "isAvailable": True,
+            "isDeleted": False,
+            "submissionStatus": prisma.enums.SubmissionStatus.APPROVED,
+            "StoreListing": {"is": {"isDeleted": False}},
+        }
+        where_clause["AgentGraph"] = {
+            "is": {
+                "StoreListingVersions": (
+                    {"some": active_listing_filter}
+                    if published
+                    else {"none": active_listing_filter}
+                )
+            }
+        }
+
+    # Filter by favorite status
+    if favorite is not None:
+        where_clause["isFavorite"] = favorite
+
     order_by: prisma.types.LibraryAgentOrderByInput | None = None
 
     if sort_by == library_model.LibraryAgentSort.CREATED_AT:
@@ -259,32 +287,12 @@ async def get_library_agent(id: str, user_id: str) -> library_model.LibraryAgent
             "userId": user_id,
             "isDeleted": False,
         },
-        include=library_agent_include(user_id),
+        include=library_agent_include(user_id, include_store_listing=True),
     )
 
     if not library_agent:
         raise NotFoundError(f"Library agent #{id} not found")
 
-    # Fetch marketplace listing if the agent has been published
-    store_listing = None
-    profile = None
-    if library_agent.AgentGraph:
-        store_listing = await prisma.models.StoreListing.prisma().find_first(
-            where={
-                "agentGraphId": library_agent.AgentGraph.id,
-                "isDeleted": False,
-                "hasApprovedVersion": True,
-            },
-            include={
-                "ActiveVersion": True,
-            },
-        )
-        if store_listing and store_listing.ActiveVersion and store_listing.owningUserId:
-            # Fetch Profile separately since User doesn't have a direct Profile relation
-            profile = await prisma.models.Profile.prisma().find_first(
-                where={"userId": store_listing.owningUserId}
-            )
-
     return library_model.LibraryAgent.from_db(
         library_agent,
         sub_graphs=(
@@ -292,8 +300,6 @@ async def get_library_agent(id: str, user_id: str) -> library_model.LibraryAgent
             if library_agent.AgentGraph
             else None
         ),
-        store_listing=store_listing,
-        profile=profile,
     )
 
 
@@ -447,9 +453,8 @@ async def create_library_agent(
                             }
                         },
                         settings=SafeJson(
-                            GraphSettings.from_graph(
-                                graph_entry,
-                                hitl_safe_mode=hitl_safe_mode,
+                            GraphSettings(
+                                human_in_the_loop_safe_mode=hitl_safe_mode,
                                 sensitive_action_safe_mode=sensitive_action_safe_mode,
                             ).model_dump()
                         ),
@@ -586,8 +591,8 @@ async def update_graph_in_library(
     if not library_agent:
         raise NotFoundError(f"Library agent not found for graph {created_graph.id}")
 
-    library_agent = await update_library_agent_version_and_settings(
-        user_id, created_graph
+    library_agent = await update_agent_version_in_library(
+        user_id, created_graph.id, created_graph.version
     )
 
     if created_graph.is_active:
@@ -603,27 +608,6 @@ async def update_graph_in_library(
     return created_graph, library_agent
 
 
-async def update_library_agent_version_and_settings(
-    user_id: str, agent_graph: graph_db.GraphModel
-) -> library_model.LibraryAgent:
-    """Update library agent to point to new graph version and sync settings."""
-    library = await update_agent_version_in_library(
-        user_id, agent_graph.id, agent_graph.version
-    )
-    updated_settings = GraphSettings.from_graph(
-        graph=agent_graph,
-        hitl_safe_mode=library.settings.human_in_the_loop_safe_mode,
-        sensitive_action_safe_mode=library.settings.sensitive_action_safe_mode,
-    )
-    if updated_settings != library.settings:
-        library = await update_library_agent(
-            library_agent_id=library.id,
-            user_id=user_id,
-            settings=updated_settings,
-        )
-    return library
-
-
 async def update_library_agent(
     library_agent_id: str,
     user_id: str,
@@ -823,7 +807,7 @@ async def add_store_agent_to_library(
 
     Args:
         store_listing_version_id: The ID of the store listing version containing the agent.
-        user_id: The user’s library to which the agent is being added.
+        user_id: The user's library to which the agent is being added.
 
     Returns:
         The newly created LibraryAgent if successfully added, the existing corresponding one if any.
@@ -837,34 +821,30 @@ async def add_store_agent_to_library(
         f"to library for user #{user_id}"
     )
 
-    store_listing_version = (
-        await prisma.models.StoreListingVersion.prisma().find_unique(
-            where={"id": store_listing_version_id}, include={"AgentGraph": True}
-        )
+    listing_version = await prisma.models.StoreListingVersion.prisma().find_unique(
+        where={"id": store_listing_version_id}
     )
-    if not store_listing_version or not store_listing_version.AgentGraph:
-        logger.warning(f"Store listing version not found: {store_listing_version_id}")
+    if (
+        not listing_version
+        or not listing_version.AgentGraph
+        or listing_version.submissionStatus != SubmissionStatus.APPROVED
+        or listing_version.isDeleted
+    ):
+        logger.warning(
+            "Store listing version not found or not available: "
+            f"{store_listing_version_id}"
+        )
         raise NotFoundError(
-            f"Store listing version {store_listing_version_id} not found or invalid"
+            f"Store listing version {store_listing_version_id} not found "
+            "or not available"
         )
 
-    graph = store_listing_version.AgentGraph
-
-    # Convert to GraphModel to check for HITL blocks
-    graph_model = await graph_db.get_graph(
-        graph_id=graph.id,
-        version=graph.version,
-        user_id=user_id,
-        include_subgraphs=False,
-    )
-    if not graph_model:
-        raise NotFoundError(
-            f"Graph #{graph.id} v{graph.version} not found or accessible"
-        )
+    graph_id = listing_version.agentGraphId
+    graph_version = listing_version.agentGraphVersion
 
     # Check if user already has this agent (non-deleted)
     if existing := await get_library_agent_by_graph_id(
-        user_id, graph.id, graph.version
+        user_id, graph_id, graph_version
     ):
         return existing
 
@@ -873,8 +853,8 @@ async def add_store_agent_to_library(
         where={
             "userId_agentGraphId_agentGraphVersion": {
                 "userId": user_id,
-                "agentGraphId": graph.id,
-                "agentGraphVersion": graph.version,
+                "agentGraphId": graph_id,
+                "agentGraphVersion": graph_version,
             }
         },
     )
@@ -887,20 +867,20 @@ async def add_store_agent_to_library(
             "User": {"connect": {"id": user_id}},
             "AgentGraph": {
                 "connect": {
-                    "graphVersionId": {"id": graph.id, "version": graph.version}
+                    "graphVersionId": {"id": graph_id, "version": graph_version}
                 }
             },
             "isCreatedByUser": False,
             "useGraphIsActiveVersion": False,
-            "settings": SafeJson(GraphSettings.from_graph(graph_model).model_dump()),
+            "settings": SafeJson(GraphSettings().model_dump()),
         },
         include=library_agent_include(
             user_id, include_nodes=False, include_executions=False
         ),
     )
     logger.debug(
-        f"Added graph #{graph.id} v{graph.version}"
-        f"for store listing version #{store_listing_version.id} "
+        f"Added graph #{graph_id} v{graph_version}"
+        f"for store listing version #{listing_version.id} "
         f"to library for user #{user_id}"
     )
     return library_model.LibraryAgent.from_db(added_agent)
@@ -911,37 +891,6 @@ async def add_store_agent_to_library(
 ##############################################
 
 
-async def _fetch_user_folders(
-    user_id: str,
-    extra_where: Optional[prisma.types.LibraryFolderWhereInput] = None,
-    include_relations: bool = True,
-) -> list[prisma.models.LibraryFolder]:
-    """
-    Shared helper to fetch folders for a user with consistent query params.
-
-    Args:
-        user_id: The ID of the user.
-        extra_where: Additional where-clause filters to merge in.
-        include_relations: Whether to include LibraryAgents and Children relations
-            (used to derive counts via len(); Prisma Python has no _count include).
-
-    Returns:
-        A list of raw Prisma LibraryFolder records.
-    """
-    where_clause: prisma.types.LibraryFolderWhereInput = {
-        "userId": user_id,
-        "isDeleted": False,
-    }
-    if extra_where:
-        where_clause.update(extra_where)
-
-    return await prisma.models.LibraryFolder.prisma().find_many(
-        where=where_clause,
-        order={"createdAt": "asc"},
-        include=LIBRARY_FOLDER_INCLUDE if include_relations else None,
-    )
-
-
 async def list_folders(
     user_id: str,
     parent_id: Optional[str] = None,
@@ -1019,6 +968,37 @@ async def get_folder_tree(
     return root_folders
 
 
+async def _fetch_user_folders(
+    user_id: str,
+    extra_where: Optional[prisma.types.LibraryFolderWhereInput] = None,
+    include_relations: bool = True,
+) -> list[prisma.models.LibraryFolder]:
+    """
+    Shared helper to fetch folders for a user with consistent query params.
+
+    Args:
+        user_id: The ID of the user.
+        extra_where: Additional where-clause filters to merge in.
+        include_relations: Whether to include LibraryAgents and Children relations
+            (used to derive counts via len(); Prisma Python has no _count include).
+
+    Returns:
+        A list of raw Prisma LibraryFolder records.
+    """
+    where_clause: prisma.types.LibraryFolderWhereInput = {
+        "userId": user_id,
+        "isDeleted": False,
+    }
+    if extra_where:
+        where_clause.update(extra_where)
+
+    return await prisma.models.LibraryFolder.prisma().find_many(
+        where=where_clause,
+        order={"createdAt": "asc"},
+        include=LIBRARY_FOLDER_INCLUDE if include_relations else None,
+    )
+
+
 async def get_folder(
     folder_id: str,
     user_id: str,
@@ -1055,43 +1035,6 @@ async def get_folder(
     )
 
 
-async def _is_descendant_of(
-    folder_id: str,
-    potential_ancestor_id: str,
-    user_id: str,
-) -> bool:
-    """
-    Check if folder_id is a descendant of (or equal to) potential_ancestor_id.
-
-    Fetches all user folders in a single query and walks the parent chain
-    in memory to avoid N database round-trips.
-
-    Args:
-        folder_id: The ID of the folder to check.
-        potential_ancestor_id: The ID of the potential ancestor.
-        user_id: The ID of the user.
-
-    Returns:
-        True if folder_id is a descendant of (or equal to) potential_ancestor_id.
-    """
-    all_folders = await prisma.models.LibraryFolder.prisma().find_many(
-        where={"userId": user_id, "isDeleted": False},
-    )
-    parent_map = {f.id: f.parentId for f in all_folders}
-
-    visited: set[str] = set()
-    current_id: str | None = folder_id
-    while current_id:
-        if current_id == potential_ancestor_id:
-            return True
-        if current_id in visited:
-            break  # cycle detected
-        visited.add(current_id)
-        current_id = parent_map.get(current_id)
-
-    return False
-
-
 async def create_folder(
     user_id: str,
     name: str,
@@ -1303,6 +1246,43 @@ async def move_folder(
     )
 
 
+async def _is_descendant_of(
+    folder_id: str,
+    potential_ancestor_id: str,
+    user_id: str,
+) -> bool:
+    """
+    Check if folder_id is a descendant of (or equal to) potential_ancestor_id.
+
+    Fetches all user folders in a single query and walks the parent chain
+    in memory to avoid N database round-trips.
+
+    Args:
+        folder_id: The ID of the folder to check.
+        potential_ancestor_id: The ID of the potential ancestor.
+        user_id: The ID of the user.
+
+    Returns:
+        True if folder_id is a descendant of (or equal to) potential_ancestor_id.
+    """
+    all_folders = await prisma.models.LibraryFolder.prisma().find_many(
+        where={"userId": user_id, "isDeleted": False},
+    )
+    parent_map = {f.id: f.parentId for f in all_folders}
+
+    visited: set[str] = set()
+    current_id: str | None = folder_id
+    while current_id:
+        if current_id == potential_ancestor_id:
+            return True
+        if current_id in visited:
+            break  # cycle detected
+        visited.add(current_id)
+        current_id = parent_map.get(current_id)
+
+    return False
+
+
 async def delete_folder(
     folder_id: str,
     user_id: str,

autogpt_platform/backend/backend/api/features/library/model.py

@@ -165,6 +165,7 @@ class LibraryAgent(pydantic.BaseModel):
     id: str
     graph_id: str
     graph_version: int
+    owner_user_id: str
 
     image_url: str | None
 
@@ -205,9 +206,7 @@ class LibraryAgent(pydantic.BaseModel):
         default_factory=list,
         description="List of recent executions with status, score, and summary",
     )
-    can_access_graph: bool = pydantic.Field(
-        description="Indicates whether the same user owns the corresponding graph"
-    )
+    can_access_graph: bool
     is_latest_version: bool
     is_favorite: bool
     folder_id: str | None = None
@@ -221,8 +220,6 @@ class LibraryAgent(pydantic.BaseModel):
     def from_db(
         agent: prisma.models.LibraryAgent,
         sub_graphs: Optional[list[prisma.models.AgentGraph]] = None,
-        store_listing: Optional[prisma.models.StoreListing] = None,
-        profile: Optional[prisma.models.Profile] = None,
     ) -> "LibraryAgent":
         """
         Factory method that constructs a LibraryAgent from a Prisma LibraryAgent
@@ -307,24 +304,39 @@ class LibraryAgent(pydantic.BaseModel):
         can_access_graph = agent.AgentGraph.userId == agent.userId
         is_latest_version = True
 
-        marketplace_listing_data = None
-        if store_listing and store_listing.ActiveVersion and profile:
-            creator_data = MarketplaceListingCreator(
-                name=profile.name,
-                id=profile.id,
-                slug=profile.username,
-            )
-            marketplace_listing_data = MarketplaceListing(
+        # NOTE: this access pattern is designed for use with
+        # `library_agent_include(..., include_store_listing=True)`
+        active_listing = (
+            agent.AgentGraph.StoreListingVersions[0]
+            if agent.AgentGraph.StoreListingVersions
+            else None
+        )
+        store_listing = active_listing.StoreListing if active_listing else None
+        active_listing = store_listing.ActiveVersion if store_listing else None
+        creator_profile = store_listing.CreatorProfile if store_listing else None
+        marketplace_listing_info = (
+            MarketplaceListing(
                 id=store_listing.id,
-                name=store_listing.ActiveVersion.name,
+                name=active_listing.name,
                 slug=store_listing.slug,
-                creator=creator_data,
+                creator=MarketplaceListingCreator(
+                    name=creator_profile.name,
+                    id=creator_profile.id,
+                    slug=creator_profile.username,
+                ),
             )
+            if store_listing
+            and active_listing
+            and creator_profile
+            and not store_listing.isDeleted
+            else None
+        )
 
         return LibraryAgent(
             id=agent.id,
             graph_id=agent.agentGraphId,
             graph_version=agent.agentGraphVersion,
+            owner_user_id=agent.userId,
             image_url=agent.imageUrl,
             creator_name=creator_name,
             creator_image_url=creator_image_url,
@@ -355,7 +367,7 @@ class LibraryAgent(pydantic.BaseModel):
             folder_name=agent.Folder.name if agent.Folder else None,
             recommended_schedule_cron=agent.AgentGraph.recommendedScheduleCron,
             settings=_parse_settings(agent.settings),
-            marketplace_listing=marketplace_listing_data,
+            marketplace_listing=marketplace_listing_info,
         )
 
 

autogpt_platform/backend/backend/api/features/library/routes_test.py

@@ -42,6 +42,7 @@ async def test_get_library_agents_success(
                 id="test-agent-1",
                 graph_id="test-agent-1",
                 graph_version=1,
+                owner_user_id=test_user_id,
                 name="Test Agent 1",
                 description="Test Description 1",
                 image_url=None,
@@ -66,6 +67,7 @@ async def test_get_library_agents_success(
                 id="test-agent-2",
                 graph_id="test-agent-2",
                 graph_version=1,
+                owner_user_id=test_user_id,
                 name="Test Agent 2",
                 description="Test Description 2",
                 image_url=None,
@@ -129,6 +131,7 @@ async def test_get_favorite_library_agents_success(
                 id="test-agent-1",
                 graph_id="test-agent-1",
                 graph_version=1,
+                owner_user_id=test_user_id,
                 name="Favorite Agent 1",
                 description="Test Favorite Description 1",
                 image_url=None,
@@ -181,6 +184,7 @@ def test_add_agent_to_library_success(
         id="test-library-agent-id",
         graph_id="test-agent-1",
         graph_version=1,
+        owner_user_id=test_user_id,
         name="Test Agent 1",
         description="Test Description 1",
         image_url=None,

autogpt_platform/backend/backend/api/features/mcp/test_routes.py

@@ -282,7 +282,7 @@ class TestOAuthLogin:
             )
             mock_register.return_value = {
                 "client_id": "registered-client-id",
-                "client_secret": "registered-secret",
+                "client_secret": "registered-secret",  # pragma: allowlist secret
             }
             mock_cm.store.store_state_token = AsyncMock(
                 return_value=("state-token-123", "code-challenge-abc")
@@ -383,7 +383,7 @@ class TestOAuthCallback:
                 "authorize_url": "https://auth.sentry.io/authorize",
                 "token_url": "https://auth.sentry.io/token",
                 "client_id": "test-client-id",
-                "client_secret": "test-secret",
+                "client_secret": "test-secret",  # pragma: allowlist secret
                 "server_url": "https://mcp.sentry.dev/mcp",
             }
             mock_state.scopes = ["openid"]

autogpt_platform/backend/backend/api/features/store/db.py

@@ -518,22 +518,22 @@ async def get_store_submissions(
 
 async def delete_store_submission(
     user_id: str,
-    submission_id: str,
+    store_listing_version_id: str,
 ) -> bool:
     """
     Delete a store submission version as the submitting user.
 
     Args:
         user_id: ID of the authenticated user
-        submission_id: StoreListingVersion ID to delete
+        store_listing_version_id: StoreListingVersion ID to delete
 
     Returns:
         bool: True if successfully deleted
     """
     try:
         # Find the submission version with ownership check
-        version = await prisma.models.StoreListingVersion.prisma().find_first(
-            where={"id": submission_id}, include={"StoreListing": True}
+        version = await prisma.models.StoreListingVersion.prisma().find_unique(
+            where={"id": store_listing_version_id}, include={"StoreListing": True}
         )
 
         if (
@@ -546,7 +546,7 @@ async def delete_store_submission(
         # Prevent deletion of approved submissions
         if version.submissionStatus == prisma.enums.SubmissionStatus.APPROVED:
             raise store_exceptions.InvalidOperationError(
-                "Cannot delete approved submissions"
+                "Cannot delete approved store listings"
             )
 
         # Delete the version
@@ -916,7 +916,7 @@ async def get_user_profile(
 
 
 async def update_profile(
-    user_id: str, profile: store_model.Profile
+    user_id: str, profile: store_model.ProfileUpdateRequest
 ) -> store_model.ProfileDetails:
     """
     Update the store profile for a user or create a new one if it doesn't exist.
@@ -930,11 +930,6 @@ async def update_profile(
     """
     logger.info(f"Updating profile for user {user_id} with data: {profile}")
     try:
-        # Sanitize username to allow only letters, numbers, and hyphens
-        username = "".join(
-            c if c.isalpha() or c == "-" or c.isnumeric() else ""
-            for c in profile.username
-        ).lower()
         # Check if profile exists for the given user_id
         existing_profile = await prisma.models.Profile.prisma().find_first(
             where={"userId": user_id}
@@ -957,17 +952,26 @@ async def update_profile(
 
         logger.debug(f"Updating existing profile for user {user_id}")
         # Prepare update data, only including non-None values
-        update_data = {}
+        update_data: prisma.types.ProfileUpdateInput = {}
         if profile.name is not None:
-            update_data["name"] = profile.name
+            update_data["name"] = profile.name.strip()
         if profile.username is not None:
-            update_data["username"] = username
+            # Sanitize username to allow only letters, numbers, and hyphens
+            update_data["username"] = "".join(
+                c if c.isalpha() or c == "-" or c.isnumeric() else ""
+                for c in profile.username
+            ).lower()
         if profile.description is not None:
-            update_data["description"] = profile.description
+            update_data["description"] = profile.description.strip()
         if profile.links is not None:
-            update_data["links"] = profile.links
+            update_data["links"] = [
+                # Filter out empty links
+                link
+                for _link in profile.links
+                if (link := _link.strip())
+            ]
         if profile.avatar_url is not None:
-            update_data["avatarUrl"] = profile.avatar_url
+            update_data["avatarUrl"] = profile.avatar_url.strip() or None
 
         # Update the existing profile
         updated_profile = await prisma.models.Profile.prisma().update(
@@ -996,12 +1000,13 @@ async def get_my_agents(
     try:
         search_filter: prisma.types.LibraryAgentWhereInput = {
             "userId": user_id,
-            # Filter for unpublished agents only:
+            # Filter for unsubmitted agents only:
             "AgentGraph": {
                 "is": {
                     "StoreListingVersions": {
                         "none": {
                             "isAvailable": True,
+                            "isDeleted": False,
                             "StoreListing": {"is": {"isDeleted": False}},
                         }
                     }

autogpt_platform/backend/backend/api/features/store/db_test.py

@@ -7,7 +7,7 @@ import pytest
 from prisma import Prisma
 
 from . import db
-from .model import Profile
+from .model import ProfileUpdateRequest
 
 
 @pytest.fixture(autouse=True)
@@ -297,7 +297,7 @@ async def test_update_profile(mocker):
     mock_profile_db.return_value.update = mocker.AsyncMock(return_value=mock_profile)
 
     # Test data
-    profile = Profile(
+    profile = ProfileUpdateRequest(
         name="Test Creator",
         username="creator",
         description="Test description",

autogpt_platform/backend/backend/api/features/store/model.py

@@ -117,19 +117,24 @@ class StoreAgentDetails(pydantic.BaseModel):
         )
 
 
-class Profile(pydantic.BaseModel):
+class ProfileUpdateRequest(pydantic.BaseModel):
     """Marketplace user profile (only attributes that the user can update)"""
 
+    username: str | None = None
+    name: str | None = None
+    description: str | None = None
+    avatar_url: str | None = None
+    links: list[str] | None = None
+
+
+class ProfileDetails(pydantic.BaseModel):
+    """Marketplace user profile (including read-only fields)"""
+
     username: str
     name: str
     description: str
     avatar_url: str | None
     links: list[str]
-
-
-class ProfileDetails(Profile):
-    """Marketplace user profile (including read-only fields)"""
-
     is_featured: bool
 
     @classmethod

autogpt_platform/backend/backend/api/features/store/routes.py

@@ -54,7 +54,7 @@ async def get_profile(
     dependencies=[Security(autogpt_libs.auth.requires_user)],
 )
 async def update_or_create_profile(
-    profile: store_model.Profile,
+    profile: store_model.ProfileUpdateRequest,
     user_id: str = Security(autogpt_libs.auth.get_user_id),
 ) -> store_model.ProfileDetails:
     """Update the store profile for the authenticated user."""
@@ -354,7 +354,7 @@ async def delete_submission(
     """Delete a marketplace listing submission"""
     result = await store_db.delete_store_submission(
         user_id=user_id,
-        submission_id=submission_id,
+        store_listing_version_id=submission_id,
     )
     return result
 

autogpt_platform/backend/backend/api/features/v1.py

@@ -55,7 +55,6 @@ from backend.data.credit import (
     set_auto_top_up,
 )
 from backend.data.graph import GraphSettings
-from backend.data.invited_user import get_or_activate_user
 from backend.data.model import CredentialsMetaInput, UserOnboarding
 from backend.data.notifications import NotificationPreference, NotificationPreferenceDTO
 from backend.data.onboarding import (
@@ -71,6 +70,7 @@ from backend.data.onboarding import (
     update_user_onboarding,
 )
 from backend.data.user import (
+    get_or_create_user,
     get_user_by_id,
     get_user_notification_preference,
     update_user_email,
@@ -136,10 +136,12 @@ _tally_background_tasks: set[asyncio.Task] = set()
     dependencies=[Security(requires_user)],
 )
 async def get_or_create_user_route(user_data: dict = Security(get_jwt_payload)):
-    user = await get_or_activate_user(user_data)
+    user = await get_or_create_user(user_data)
 
-    # Fire-and-forget: backfill Tally understanding when invite pre-seeding did
-    # not produce a stored result before first activation.
+    # Fire-and-forget: populate business understanding from Tally form.
+    # We use created_at proximity instead of an is_new flag because
+    # get_or_create_user is cached — a separate is_new return value would be
+    # unreliable on repeated calls within the cache TTL.
     age_seconds = (datetime.now(timezone.utc) - user.created_at).total_seconds()
     if age_seconds < 30:
         try:
@@ -163,8 +165,7 @@ async def get_or_create_user_route(user_data: dict = Security(get_jwt_payload)):
     dependencies=[Security(requires_user)],
 )
 async def update_user_email_route(
-    user_id: Annotated[str, Security(get_user_id)],
-    email: str = Body(...),
+    user_id: Annotated[str, Security(get_user_id)], email: str = Body(...)
 ) -> dict[str, str]:
     await update_user_email(user_id, email)
 
@@ -178,16 +179,10 @@ async def update_user_email_route(
     dependencies=[Security(requires_user)],
 )
 async def get_user_timezone_route(
-    user_id: Annotated[str, Security(get_user_id)],
+    user_data: dict = Security(get_jwt_payload),
 ) -> TimezoneResponse:
     """Get user timezone setting."""
-    try:
-        user = await get_user_by_id(user_id)
-    except ValueError:
-        raise HTTPException(
-            status_code=HTTP_404_NOT_FOUND,
-            detail="User not found. Please complete activation via /auth/user first.",
-        )
+    user = await get_or_create_user(user_data)
     return TimezoneResponse(timezone=user.timezone)
 
 
@@ -198,8 +193,7 @@ async def get_user_timezone_route(
     dependencies=[Security(requires_user)],
 )
 async def update_user_timezone_route(
-    user_id: Annotated[str, Security(get_user_id)],
-    request: UpdateTimezoneRequest,
+    user_id: Annotated[str, Security(get_user_id)], request: UpdateTimezoneRequest
 ) -> TimezoneResponse:
     """Update user timezone. The timezone should be a valid IANA timezone identifier."""
     user = await update_user_timezone(user_id, str(request.timezone))
@@ -742,13 +736,13 @@ class DeleteGraphResponse(TypedDict):
 async def list_graphs(
     user_id: Annotated[str, Security(get_user_id)],
 ) -> Sequence[graph_db.GraphMeta]:
-    paginated_result = await graph_db.list_graphs_paginated(
+    graphs, _ = await graph_db.list_graphs_paginated(
         user_id=user_id,
         page=1,
         page_size=250,
         filter_by="active",
     )
-    return paginated_result.graphs
+    return graphs
 
 
 @v1_router.get(
@@ -865,8 +859,8 @@ async def update_graph(
     new_graph_version = await graph_db.create_graph(graph, user_id=user_id)
 
     if new_graph_version.is_active:
-        await library_db.update_library_agent_version_and_settings(
-            user_id, new_graph_version
+        await library_db.update_agent_version_in_library(
+            user_id, new_graph_version.id, new_graph_version.version
         )
         new_graph_version = await on_graph_activate(new_graph_version, user_id=user_id)
         await graph_db.set_graph_active_version(
@@ -919,8 +913,8 @@ async def set_graph_active_version(
     )
 
     # Keep the library agent up to date with the new active version
-    await library_db.update_library_agent_version_and_settings(
-        user_id, new_active_graph
+    await library_db.update_agent_version_in_library(
+        user_id, new_active_graph.id, new_active_graph.version
     )
 
     if current_active_graph and current_active_graph.version != new_active_version:

autogpt_platform/backend/backend/api/features/v1_test.py

@@ -51,7 +51,7 @@ def test_get_or_create_user_route(
     }
 
     mocker.patch(
-        "backend.api.features.v1.get_or_activate_user",
+        "backend.api.features.v1.get_or_create_user",
         return_value=mock_user,
     )
 

autogpt_platform/backend/backend/api/model.py

@@ -94,8 +94,3 @@ class NotificationPayload(pydantic.BaseModel):
 
 class OnboardingNotificationPayload(NotificationPayload):
     step: OnboardingStep | None
-
-
-class CopilotCompletionPayload(NotificationPayload):
-    session_id: str
-    status: Literal["completed", "failed"]

autogpt_platform/backend/backend/api/rest_api.py

@@ -5,21 +5,16 @@ from enum import Enum
 from typing import Any, Optional
 
 import fastapi
-import fastapi.responses
-import pydantic
 import starlette.middleware.cors
 import uvicorn
 from autogpt_libs.auth import add_auth_responses_to_openapi
 from autogpt_libs.auth import verify_settings as verify_auth_settings
-from fastapi.exceptions import RequestValidationError
 from fastapi.middleware.gzip import GZipMiddleware
 from fastapi.routing import APIRoute
-from prisma.errors import PrismaError
 
 import backend.api.features.admin.credit_admin_routes
 import backend.api.features.admin.execution_analytics_routes
 import backend.api.features.admin.store_admin_routes
-import backend.api.features.admin.user_admin_routes
 import backend.api.features.builder
 import backend.api.features.builder.routes
 import backend.api.features.chat.routes as chat_routes
@@ -42,22 +37,12 @@ import backend.data.user
 import backend.integrations.webhooks.utils
 import backend.util.service
 import backend.util.settings
-from backend.api.features.library.exceptions import (
-    FolderAlreadyExistsError,
-    FolderValidationError,
-)
+from backend.api.utils.exceptions import add_exception_handlers
 from backend.blocks.llm import DEFAULT_LLM_MODEL
 from backend.data.model import Credentials
 from backend.integrations.providers import ProviderName
 from backend.monitoring.instrumentation import instrument_fastapi
-from backend.util import json
 from backend.util.cloud_storage import shutdown_cloud_storage_handler
-from backend.util.exceptions import (
-    MissingConfigError,
-    NotAuthorizedError,
-    NotFoundError,
-    PreconditionFailed,
-)
 from backend.util.feature_flag import initialize_launchdarkly, shutdown_launchdarkly
 from backend.util.service import UnhealthyServiceError
 from backend.util.workspace_storage import shutdown_workspace_storage
@@ -208,77 +193,7 @@ instrument_fastapi(
 )
 
 
-def handle_internal_http_error(status_code: int = 500, log_error: bool = True):
-    def handler(request: fastapi.Request, exc: Exception):
-        if log_error:
-            logger.exception(
-                "%s %s failed. Investigate and resolve the underlying issue: %s",
-                request.method,
-                request.url.path,
-                exc,
-                exc_info=exc,
-            )
-
-        hint = (
-            "Adjust the request and retry."
-            if status_code < 500
-            else "Check server logs and dependent services."
-        )
-        return fastapi.responses.JSONResponse(
-            content={
-                "message": f"Failed to process {request.method} {request.url.path}",
-                "detail": str(exc),
-                "hint": hint,
-            },
-            status_code=status_code,
-        )
-
-    return handler
-
-
-async def validation_error_handler(
-    request: fastapi.Request, exc: Exception
-) -> fastapi.responses.Response:
-    logger.error(
-        "Validation failed for %s %s: %s. Fix the request payload and try again.",
-        request.method,
-        request.url.path,
-        exc,
-    )
-    errors: list | str
-    if hasattr(exc, "errors"):
-        errors = exc.errors()  # type: ignore[call-arg]
-    else:
-        errors = str(exc)
-
-    response_content = {
-        "message": f"Invalid data for {request.method} {request.url.path}",
-        "detail": errors,
-        "hint": "Ensure the request matches the API schema.",
-    }
-
-    content_json = json.dumps(response_content)
-
-    return fastapi.responses.Response(
-        content=content_json,
-        status_code=422,
-        media_type="application/json",
-    )
-
-
-app.add_exception_handler(PrismaError, handle_internal_http_error(500))
-app.add_exception_handler(
-    FolderAlreadyExistsError, handle_internal_http_error(409, False)
-)
-app.add_exception_handler(FolderValidationError, handle_internal_http_error(400, False))
-app.add_exception_handler(NotFoundError, handle_internal_http_error(404, False))
-app.add_exception_handler(NotAuthorizedError, handle_internal_http_error(403, False))
-app.add_exception_handler(RequestValidationError, validation_error_handler)
-app.add_exception_handler(pydantic.ValidationError, validation_error_handler)
-app.add_exception_handler(MissingConfigError, handle_internal_http_error(503))
-app.add_exception_handler(ValueError, handle_internal_http_error(400))
-app.add_exception_handler(PreconditionFailed, handle_internal_http_error(428))
-app.add_exception_handler(Exception, handle_internal_http_error(500))
+add_exception_handlers(app)
 
 app.include_router(backend.api.features.v1.v1_router, tags=["v1"], prefix="/api")
 app.include_router(
@@ -312,11 +227,6 @@ app.include_router(
     tags=["v2", "admin"],
     prefix="/api/executions",
 )
-app.include_router(
-    backend.api.features.admin.user_admin_routes.router,
-    tags=["v2", "admin"],
-    prefix="/api/users",
-)
 app.include_router(
     backend.api.features.executions.review.routes.router,
     tags=["v2", "executions", "review"],

autogpt_platform/backend/backend/api/utils/exceptions.py

@@ -0,0 +1,119 @@
+"""
+Shared exception handlers for FastAPI applications.
+
+Provides a single `add_exception_handlers` function that registers a consistent
+set of exception-to-HTTP-status mappings on any FastAPI app instance. This
+ensures that all mounted sub-apps (v1, v2, main) handle errors uniformly.
+"""
+
+import json
+import logging
+
+import fastapi
+import fastapi.responses
+import pydantic
+from fastapi.exceptions import RequestValidationError
+from prisma.errors import PrismaError
+from prisma.errors import RecordNotFoundError as PrismaRecordNotFoundError
+from starlette import status
+
+from backend.api.features.library.exceptions import (
+    FolderAlreadyExistsError,
+    FolderValidationError,
+)
+from backend.util.exceptions import (
+    MissingConfigError,
+    NotAuthorizedError,
+    NotFoundError,
+    PreconditionFailed,
+)
+
+logger = logging.getLogger(__name__)
+
+
+def add_exception_handlers(app: fastapi.FastAPI) -> None:
+    """
+    Register standard exception handlers on the given FastAPI app.
+
+    Mounted sub-apps do NOT inherit exception handlers from the parent app,
+    so each app instance must register its own handlers.
+    """
+    for exception, handler in {
+        # It's the client's problem: HTTP 4XX
+        NotFoundError: _handle_error(status.HTTP_404_NOT_FOUND, log_error=False),
+        NotAuthorizedError: _handle_error(status.HTTP_403_FORBIDDEN, log_error=False),
+        PreconditionFailed: _handle_error(status.HTTP_428_PRECONDITION_REQUIRED),
+        RequestValidationError: _handle_validation_error,
+        pydantic.ValidationError: _handle_validation_error,
+        PrismaRecordNotFoundError: _handle_error(status.HTTP_404_NOT_FOUND),
+        FolderAlreadyExistsError: _handle_error(
+            status.HTTP_409_CONFLICT, log_error=False
+        ),
+        FolderValidationError: _handle_error(
+            status.HTTP_400_BAD_REQUEST, log_error=False
+        ),
+        ValueError: _handle_error(status.HTTP_400_BAD_REQUEST),
+        # It's the backend's problem: HTTP 5XX
+        MissingConfigError: _handle_error(status.HTTP_503_SERVICE_UNAVAILABLE),
+        PrismaError: _handle_error(status.HTTP_500_INTERNAL_SERVER_ERROR),
+        Exception: _handle_error(status.HTTP_500_INTERNAL_SERVER_ERROR),
+    }.items():
+        app.add_exception_handler(exception, handler)
+
+
+def _handle_error(status_code: int = 500, log_error: bool = True):
+    def handler(request: fastapi.Request, exc: Exception):
+        if log_error:
+            logger.exception(
+                "%s %s failed. Investigate and resolve the underlying issue: %s",
+                request.method,
+                request.url.path,
+                exc,
+                exc_info=exc,
+            )
+
+        hint = (
+            "Adjust the request and retry."
+            if status_code < 500
+            else "Check server logs and dependent services."
+        )
+        return fastapi.responses.JSONResponse(
+            content={
+                "message": f"Failed to process {request.method} {request.url.path}",
+                "detail": str(exc),
+                "hint": hint,
+            },
+            status_code=status_code,
+        )
+
+    return handler
+
+
+async def _handle_validation_error(
+    request: fastapi.Request, exc: Exception
+) -> fastapi.responses.Response:
+    logger.error(
+        "Validation failed for %s %s: %s. Fix the request payload and try again.",
+        request.method,
+        request.url.path,
+        exc,
+    )
+    errors: list | str
+    if hasattr(exc, "errors"):
+        errors = exc.errors()  # type: ignore[call-arg]
+    else:
+        errors = str(exc)
+
+    response_content = {
+        "message": f"Invalid data for {request.method} {request.url.path}",
+        "detail": errors,
+        "hint": "Ensure the request matches the API schema.",
+    }
+
+    content_json = json.dumps(response_content)
+
+    return fastapi.responses.Response(
+        content=content_json,
+        status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+        media_type="application/json",
+    )

autogpt_platform/backend/backend/blocks/github/commits.py

@@ -11,10 +11,7 @@ from backend.blocks._base import (
     BlockSchemaInput,
     BlockSchemaOutput,
 )
-from backend.data.execution import ExecutionContext
 from backend.data.model import SchemaField
-from backend.util.file import parse_data_uri, resolve_media_content
-from backend.util.type import MediaFileType
 
 from ._api import get_api
 from ._auth import (
@@ -181,8 +178,7 @@ class FileOperation(StrEnum):
 
 class FileOperationInput(TypedDict):
     path: str
-    # MediaFileType is a str NewType — no runtime breakage for existing callers.
-    content: MediaFileType
+    content: str
     operation: FileOperation
 
 
@@ -279,11 +275,11 @@ class GithubMultiFileCommitBlock(Block):
         base_tree_sha = commit_data["tree"]["sha"]
 
         # 3. Build tree entries for each file operation (blobs created concurrently)
-        async def _create_blob(content: str, encoding: str = "utf-8") -> str:
+        async def _create_blob(content: str) -> str:
             blob_url = repo_url + "/git/blobs"
             blob_response = await api.post(
                 blob_url,
-                json={"content": content, "encoding": encoding},
+                json={"content": content, "encoding": "utf-8"},
             )
             return blob_response.json()["sha"]
 
@@ -305,19 +301,10 @@ class GithubMultiFileCommitBlock(Block):
             else:
                 upsert_files.append((path, file_op.get("content", "")))
 
-        # Create all blobs concurrently. Data URIs (from store_media_file)
-        # are sent as base64 blobs to preserve binary content.
+        # Create all blobs concurrently
         if upsert_files:
-
-            async def _make_blob(content: str) -> str:
-                parsed = parse_data_uri(content)
-                if parsed is not None:
-                    _, b64_payload = parsed
-                    return await _create_blob(b64_payload, encoding="base64")
-                return await _create_blob(content)
-
             blob_shas = await asyncio.gather(
-                *[_make_blob(content) for _, content in upsert_files]
+                *[_create_blob(content) for _, content in upsert_files]
             )
             for (path, _), blob_sha in zip(upsert_files, blob_shas):
                 tree_entries.append(
@@ -371,36 +358,15 @@ class GithubMultiFileCommitBlock(Block):
         input_data: Input,
         *,
         credentials: GithubCredentials,
-        execution_context: ExecutionContext,
         **kwargs,
     ) -> BlockOutput:
         try:
-            # Resolve media references (workspace://, data:, URLs) to data
-            # URIs so _make_blob can send binary content correctly.
-            resolved_files: list[FileOperationInput] = []
-            for file_op in input_data.files:
-                content = file_op.get("content", "")
-                operation = FileOperation(file_op.get("operation", "upsert"))
-                if operation != FileOperation.DELETE:
-                    content = await resolve_media_content(
-                        MediaFileType(content),
-                        execution_context,
-                        return_format="for_external_api",
-                    )
-                resolved_files.append(
-                    FileOperationInput(
-                        path=file_op["path"],
-                        content=MediaFileType(content),
-                        operation=operation,
-                    )
-                )
-
             sha, url = await self.multi_file_commit(
                 credentials,
                 input_data.repo_url,
                 input_data.branch,
                 input_data.commit_message,
-                resolved_files,
+                input_data.files,
             )
             yield "sha", sha
             yield "url", url

autogpt_platform/backend/backend/blocks/github/test_github_blocks.py

@@ -8,7 +8,6 @@ from backend.blocks.github.pull_requests import (
     GithubMergePullRequestBlock,
     prepare_pr_api_url,
 )
-from backend.data.execution import ExecutionContext
 from backend.util.exceptions import BlockExecutionError
 
 # ── prepare_pr_api_url tests ──
@@ -98,11 +97,7 @@ async def test_multi_file_commit_error_path():
         "credentials": TEST_CREDENTIALS_INPUT,
     }
     with pytest.raises(BlockExecutionError, match="ref update failed"):
-        async for _ in block.execute(
-            input_data,
-            credentials=TEST_CREDENTIALS,
-            execution_context=ExecutionContext(),
-        ):
+        async for _ in block.execute(input_data, credentials=TEST_CREDENTIALS):
             pass
 
 

autogpt_platform/backend/backend/blocks/llm.py

@@ -156,15 +156,10 @@ class LlmModel(str, Enum, metaclass=LlmModelMeta):
     CODESTRAL = "mistralai/codestral-2508"
     COHERE_COMMAND_R_08_2024 = "cohere/command-r-08-2024"
     COHERE_COMMAND_R_PLUS_08_2024 = "cohere/command-r-plus-08-2024"
-    COHERE_COMMAND_A_03_2025 = "cohere/command-a-03-2025"
-    COHERE_COMMAND_A_TRANSLATE_08_2025 = "cohere/command-a-translate-08-2025"
-    COHERE_COMMAND_A_REASONING_08_2025 = "cohere/command-a-reasoning-08-2025"
-    COHERE_COMMAND_A_VISION_07_2025 = "cohere/command-a-vision-07-2025"
     DEEPSEEK_CHAT = "deepseek/deepseek-chat"  # Actually: DeepSeek V3
     DEEPSEEK_R1_0528 = "deepseek/deepseek-r1-0528"
     PERPLEXITY_SONAR = "perplexity/sonar"
     PERPLEXITY_SONAR_PRO = "perplexity/sonar-pro"
-    PERPLEXITY_SONAR_REASONING_PRO = "perplexity/sonar-reasoning-pro"
     PERPLEXITY_SONAR_DEEP_RESEARCH = "perplexity/sonar-deep-research"
     NOUSRESEARCH_HERMES_3_LLAMA_3_1_405B = "nousresearch/hermes-3-llama-3.1-405b"
     NOUSRESEARCH_HERMES_3_LLAMA_3_1_70B = "nousresearch/hermes-3-llama-3.1-70b"
@@ -172,11 +167,9 @@ class LlmModel(str, Enum, metaclass=LlmModelMeta):
     AMAZON_NOVA_MICRO_V1 = "amazon/nova-micro-v1"
     AMAZON_NOVA_PRO_V1 = "amazon/nova-pro-v1"
     MICROSOFT_WIZARDLM_2_8X22B = "microsoft/wizardlm-2-8x22b"
-    MICROSOFT_PHI_4 = "microsoft/phi-4"
     GRYPHE_MYTHOMAX_L2_13B = "gryphe/mythomax-l2-13b"
     META_LLAMA_4_SCOUT = "meta-llama/llama-4-scout"
     META_LLAMA_4_MAVERICK = "meta-llama/llama-4-maverick"
-    GROK_3 = "x-ai/grok-3"
     GROK_4 = "x-ai/grok-4"
     GROK_4_FAST = "x-ai/grok-4-fast"
     GROK_4_1_FAST = "x-ai/grok-4.1-fast"
@@ -468,36 +461,6 @@ MODEL_METADATA = {
     LlmModel.COHERE_COMMAND_R_PLUS_08_2024: ModelMetadata(
         "open_router", 128000, 4096, "Command R Plus 08.2024", "OpenRouter", "Cohere", 2
     ),
-    LlmModel.COHERE_COMMAND_A_03_2025: ModelMetadata(
-        "open_router", 256000, 8192, "Command A 03.2025", "OpenRouter", "Cohere", 2
-    ),
-    LlmModel.COHERE_COMMAND_A_TRANSLATE_08_2025: ModelMetadata(
-        "open_router",
-        128000,
-        8192,
-        "Command A Translate 08.2025",
-        "OpenRouter",
-        "Cohere",
-        2,
-    ),
-    LlmModel.COHERE_COMMAND_A_REASONING_08_2025: ModelMetadata(
-        "open_router",
-        256000,
-        32768,
-        "Command A Reasoning 08.2025",
-        "OpenRouter",
-        "Cohere",
-        3,
-    ),
-    LlmModel.COHERE_COMMAND_A_VISION_07_2025: ModelMetadata(
-        "open_router",
-        128000,
-        8192,
-        "Command A Vision 07.2025",
-        "OpenRouter",
-        "Cohere",
-        2,
-    ),
     LlmModel.DEEPSEEK_CHAT: ModelMetadata(
         "open_router", 64000, 2048, "DeepSeek Chat", "OpenRouter", "DeepSeek", 1
     ),
@@ -510,15 +473,6 @@ MODEL_METADATA = {
     LlmModel.PERPLEXITY_SONAR_PRO: ModelMetadata(
         "open_router", 200000, 8000, "Sonar Pro", "OpenRouter", "Perplexity", 2
     ),
-    LlmModel.PERPLEXITY_SONAR_REASONING_PRO: ModelMetadata(
-        "open_router",
-        128000,
-        8000,
-        "Sonar Reasoning Pro",
-        "OpenRouter",
-        "Perplexity",
-        2,
-    ),
     LlmModel.PERPLEXITY_SONAR_DEEP_RESEARCH: ModelMetadata(
         "open_router",
         128000,
@@ -564,9 +518,6 @@ MODEL_METADATA = {
     LlmModel.MICROSOFT_WIZARDLM_2_8X22B: ModelMetadata(
         "open_router", 65536, 4096, "WizardLM 2 8x22B", "OpenRouter", "Microsoft", 1
     ),
-    LlmModel.MICROSOFT_PHI_4: ModelMetadata(
-        "open_router", 16384, 16384, "Phi-4", "OpenRouter", "Microsoft", 1
-    ),
     LlmModel.GRYPHE_MYTHOMAX_L2_13B: ModelMetadata(
         "open_router", 4096, 4096, "MythoMax L2 13B", "OpenRouter", "Gryphe", 1
     ),
@@ -576,15 +527,6 @@ MODEL_METADATA = {
     LlmModel.META_LLAMA_4_MAVERICK: ModelMetadata(
         "open_router", 1048576, 1000000, "Llama 4 Maverick", "OpenRouter", "Meta", 1
     ),
-    LlmModel.GROK_3: ModelMetadata(
-        "open_router",
-        131072,
-        131072,
-        "Grok 3",
-        "OpenRouter",
-        "xAI",
-        2,
-    ),
     LlmModel.GROK_4: ModelMetadata(
         "open_router", 256000, 256000, "Grok 4", "OpenRouter", "xAI", 3
     ),

autogpt_platform/backend/backend/blocks/mcp/test_helpers.py

@@ -43,7 +43,12 @@ def test_server_host_standard_url():
 
 def test_server_host_strips_credentials():
     """hostname must not expose user:pass."""
-    assert server_host("https://user:secret@mcp.example.com/mcp") == "mcp.example.com"
+    assert (
+        server_host(
+            "https://user:secret@mcp.example.com/mcp"  # pragma: allowlist secret
+        )
+        == "mcp.example.com"
+    )
 
 
 def test_server_host_with_port():

autogpt_platform/backend/backend/blocks/perplexity.py

@@ -4,7 +4,7 @@ from enum import Enum
 from typing import Any, Literal
 
 import openai
-from pydantic import SecretStr, field_validator
+from pydantic import SecretStr
 
 from backend.blocks._base import (
     Block,
@@ -13,7 +13,6 @@ from backend.blocks._base import (
     BlockSchemaInput,
     BlockSchemaOutput,
 )
-from backend.data.block import BlockInput
 from backend.data.model import (
     APIKeyCredentials,
     CredentialsField,
@@ -36,20 +35,6 @@ class PerplexityModel(str, Enum):
     SONAR_DEEP_RESEARCH = "perplexity/sonar-deep-research"
 
 
-def _sanitize_perplexity_model(value: Any) -> PerplexityModel:
-    """Return a valid PerplexityModel, falling back to SONAR for invalid values."""
-    if isinstance(value, PerplexityModel):
-        return value
-    try:
-        return PerplexityModel(value)
-    except ValueError:
-        logger.warning(
-            f"Invalid PerplexityModel '{value}', "
-            f"falling back to {PerplexityModel.SONAR.value}"
-        )
-        return PerplexityModel.SONAR
-
-
 PerplexityCredentials = CredentialsMetaInput[
     Literal[ProviderName.OPEN_ROUTER], Literal["api_key"]
 ]
@@ -88,25 +73,6 @@ class PerplexityBlock(Block):
             advanced=False,
         )
         credentials: PerplexityCredentials = PerplexityCredentialsField()
-
-        @field_validator("model", mode="before")
-        @classmethod
-        def fallback_invalid_model(cls, v: Any) -> PerplexityModel:
-            """Fall back to SONAR if the model value is not a valid
-            PerplexityModel (e.g. an OpenAI model ID set by the agent
-            generator)."""
-            return _sanitize_perplexity_model(v)
-
-        @classmethod
-        def validate_data(cls, data: BlockInput) -> str | None:
-            """Sanitize the model field before JSON schema validation so that
-            invalid values are replaced with the default instead of raising a
-            BlockInputError."""
-            model_value = data.get("model")
-            if model_value is not None:
-                data["model"] = _sanitize_perplexity_model(model_value).value
-            return super().validate_data(data)
-
         system_prompt: str = SchemaField(
             title="System Prompt",
             default="",

autogpt_platform/backend/backend/blocks/test/test_perplexity.py

@@ -1,81 +0,0 @@
-"""Unit tests for PerplexityBlock model fallback behavior."""
-
-import pytest
-
-from backend.blocks.perplexity import (
-    TEST_CREDENTIALS_INPUT,
-    PerplexityBlock,
-    PerplexityModel,
-)
-
-
-def _make_input(**overrides) -> dict:
-    defaults = {
-        "prompt": "test query",
-        "credentials": TEST_CREDENTIALS_INPUT,
-    }
-    defaults.update(overrides)
-    return defaults
-
-
-class TestPerplexityModelFallback:
-    """Tests for fallback_invalid_model field_validator."""
-
-    def test_invalid_model_falls_back_to_sonar(self):
-        inp = PerplexityBlock.Input(**_make_input(model="gpt-5.2-2025-12-11"))
-        assert inp.model == PerplexityModel.SONAR
-
-    def test_another_invalid_model_falls_back_to_sonar(self):
-        inp = PerplexityBlock.Input(**_make_input(model="gpt-4o"))
-        assert inp.model == PerplexityModel.SONAR
-
-    def test_valid_model_string_is_kept(self):
-        inp = PerplexityBlock.Input(**_make_input(model="perplexity/sonar-pro"))
-        assert inp.model == PerplexityModel.SONAR_PRO
-
-    def test_valid_enum_value_is_kept(self):
-        inp = PerplexityBlock.Input(
-            **_make_input(model=PerplexityModel.SONAR_DEEP_RESEARCH)
-        )
-        assert inp.model == PerplexityModel.SONAR_DEEP_RESEARCH
-
-    def test_default_model_when_omitted(self):
-        inp = PerplexityBlock.Input(**_make_input())
-        assert inp.model == PerplexityModel.SONAR
-
-    @pytest.mark.parametrize(
-        "model_value",
-        [
-            "perplexity/sonar",
-            "perplexity/sonar-pro",
-            "perplexity/sonar-deep-research",
-        ],
-    )
-    def test_all_valid_models_accepted(self, model_value: str):
-        inp = PerplexityBlock.Input(**_make_input(model=model_value))
-        assert inp.model.value == model_value
-
-
-class TestPerplexityValidateData:
-    """Tests for validate_data which runs during block execution (before
-    Pydantic instantiation). Invalid models must be sanitized here so
-    JSON schema validation does not reject them."""
-
-    def test_invalid_model_sanitized_before_schema_validation(self):
-        data = _make_input(model="gpt-5.2-2025-12-11")
-        error = PerplexityBlock.Input.validate_data(data)
-        assert error is None
-        assert data["model"] == PerplexityModel.SONAR.value
-
-    def test_valid_model_unchanged_by_validate_data(self):
-        data = _make_input(model="perplexity/sonar-pro")
-        error = PerplexityBlock.Input.validate_data(data)
-        assert error is None
-        assert data["model"] == "perplexity/sonar-pro"
-
-    def test_missing_model_uses_default(self):
-        data = _make_input()  # no model key
-        error = PerplexityBlock.Input.validate_data(data)
-        assert error is None
-        inp = PerplexityBlock.Input(**data)
-        assert inp.model == PerplexityModel.SONAR

autogpt_platform/backend/backend/check_db.py

@@ -160,7 +160,6 @@ async def add_test_data(db):
                 data={
                     "slug": f"test-agent-{graph.id[:8]}",
                     "agentGraphId": graph.id,
-                    "agentGraphVersion": graph.version,
                     "hasApprovedVersion": True,
                     "owningUserId": graph.userId,
                 }

autogpt_platform/backend/backend/cli/generate_openapi_json.py

@@ -6,9 +6,9 @@ This script imports the FastAPI app from backend.api.rest_api and outputs
 the OpenAPI specification as JSON to stdout or a specified file.
 
 Usage:
-  `poetry run python generate_openapi_json.py`
-  `poetry run python generate_openapi_json.py --output openapi.json`
-  `poetry run python generate_openapi_json.py --indent 4 --output openapi.json`
+  `poetry run export-api-schema`
+  `poetry run export-api-schema --output openapi.json`
+  `poetry run export-api-schema --api v2 --output openapi.json`
 """
 
 import json
@@ -17,8 +17,16 @@ from pathlib import Path
 
 import click
 
+API_CHOICES = ["internal", "v1", "v2"]
+
 
 @click.command()
+@click.option(
+    "--api",
+    type=click.Choice(API_CHOICES),
+    default="internal",
+    help="Which API schema to export (default: internal)",
+)
 @click.option(
     "--output",
     type=click.Path(dir_okay=False, path_type=Path),
@@ -26,13 +34,12 @@ import click
 )
 @click.option(
     "--pretty",
-    type=click.BOOL,
-    default=False,
+    is_flag=True,
     help="Pretty-print JSON output (indented 2 spaces)",
 )
-def main(output: Path, pretty: bool):
+def main(api: str, output: Path, pretty: bool):
     """Generate and output the OpenAPI JSON specification."""
-    openapi_schema = get_openapi_schema()
+    openapi_schema = get_openapi_schema(api)
 
     json_output = json.dumps(
         openapi_schema, indent=2 if pretty else None, ensure_ascii=False
@@ -46,11 +53,22 @@ def main(output: Path, pretty: bool):
         print(json_output)
 
 
-def get_openapi_schema():
-    """Get the OpenAPI schema from the FastAPI app"""
-    from backend.api.rest_api import app
+def get_openapi_schema(api: str = "internal"):
+    """Get the OpenAPI schema from the specified FastAPI app."""
+    if api == "internal":
+        from backend.api.rest_api import app
 
-    return app.openapi()
+        return app.openapi()
+    elif api == "v1":
+        from backend.api.external.v1.app import v1_app
+
+        return v1_app.openapi()
+    elif api == "v2":
+        from backend.api.external.v2.app import v2_app
+
+        return v2_app.openapi()
+    else:
+        raise click.BadParameter(f"Unknown API: {api}. Choose from {API_CHOICES}")
 
 
 if __name__ == "__main__":

autogpt_platform/backend/backend/copilot/config.py

@@ -115,7 +115,7 @@ class ChatConfig(BaseSettings):
         description="E2B sandbox template to use for copilot sessions.",
     )
     e2b_sandbox_timeout: int = Field(
-        default=300,  # 5 min safety net — explicit per-turn pause is the primary mechanism
+        default=10800,  # 3 hours — wall-clock timeout, not idle; explicit pause is primary
         description="E2B sandbox running-time timeout (seconds). "
         "E2B timeout is wall-clock (not idle). Explicit per-turn pause is the primary "
         "mechanism; this is the safety net.",

autogpt_platform/backend/backend/copilot/context.py

@@ -11,8 +11,6 @@ from contextvars import ContextVar
 from typing import TYPE_CHECKING
 
 from backend.copilot.model import ChatSession
-from backend.data.db_accessors import workspace_db
-from backend.util.workspace import WorkspaceManager
 
 if TYPE_CHECKING:
     from e2b import AsyncSandbox
@@ -84,17 +82,6 @@ def resolve_sandbox_path(path: str) -> str:
     return normalized
 
 
-async def get_workspace_manager(user_id: str, session_id: str) -> WorkspaceManager:
-    """Create a session-scoped :class:`WorkspaceManager`.
-
-    Placed here (rather than in ``tools/workspace_files``) so that modules
-    like ``sdk/file_ref`` can import it without triggering the heavy
-    ``tools/__init__`` import chain.
-    """
-    workspace = await workspace_db().get_or_create_workspace(user_id)
-    return WorkspaceManager(user_id, workspace.id, session_id)
-
-
 def is_allowed_local_path(path: str, sdk_cwd: str | None = None) -> bool:
     """Return True if *path* is within an allowed host-filesystem location.
 

autogpt_platform/backend/backend/copilot/integration_creds.py

@@ -1,162 +0,0 @@
-"""Integration credential lookup with per-process TTL cache.
-
-Provides token retrieval for connected integrations so that copilot tools
-(e.g. bash_exec) can inject auth tokens into the execution environment without
-hitting the database on every command.
-
-Cache semantics (handled automatically by TTLCache):
-- Token found → cached for _TOKEN_CACHE_TTL (5 min).  Avoids repeated DB hits
-  for users who have credentials and are running many bash commands.
-- No credentials found → cached for _NULL_CACHE_TTL (60 s).  Avoids a DB hit
-  on every E2B command for users who haven't connected an account yet, while
-  still picking up a newly-connected account within one minute.
-
-Both caches are bounded to _CACHE_MAX_SIZE entries; cachetools evicts the
-least-recently-used entry when the limit is reached.
-
-Multi-worker note: both caches are in-process only.  Each worker/replica
-maintains its own independent cache, so a credential fetch may be duplicated
-across processes.  This is acceptable for the current goal (reduce DB hits per
-session per-process), but if cache efficiency across replicas becomes important
-a shared cache (e.g. Redis) should be used instead.
-"""
-
-import logging
-from typing import cast
-
-from cachetools import TTLCache
-
-from backend.data.model import APIKeyCredentials, OAuth2Credentials
-from backend.integrations.creds_manager import (
-    IntegrationCredentialsManager,
-    register_creds_changed_hook,
-)
-
-logger = logging.getLogger(__name__)
-
-# Maps provider slug → env var names to inject when the provider is connected.
-# Add new providers here when adding integration support.
-# NOTE: keep in sync with connect_integration._PROVIDER_INFO — both registries
-# must be updated when adding a new provider.
-PROVIDER_ENV_VARS: dict[str, list[str]] = {
-    "github": ["GH_TOKEN", "GITHUB_TOKEN"],
-}
-
-_TOKEN_CACHE_TTL = 300.0  # seconds — for found tokens
-_NULL_CACHE_TTL = 60.0  # seconds — for "not connected" results
-_CACHE_MAX_SIZE = 10_000
-
-# (user_id, provider) → token string.  TTLCache handles expiry + eviction.
-# Thread-safety note: TTLCache is NOT thread-safe, but that is acceptable here
-# because all callers (get_provider_token, invalidate_user_provider_cache) run
-# exclusively on the asyncio event loop.  There are no await points between a
-# cache read and its corresponding write within any function, so no concurrent
-# coroutine can interleave.  If ThreadPoolExecutor workers are ever added to
-# this path, a threading.RLock should be wrapped around these caches.
-_token_cache: TTLCache[tuple[str, str], str] = TTLCache(
-    maxsize=_CACHE_MAX_SIZE, ttl=_TOKEN_CACHE_TTL
-)
-# Separate cache for "no credentials" results with a shorter TTL.
-_null_cache: TTLCache[tuple[str, str], bool] = TTLCache(
-    maxsize=_CACHE_MAX_SIZE, ttl=_NULL_CACHE_TTL
-)
-
-
-def invalidate_user_provider_cache(user_id: str, provider: str) -> None:
-    """Remove the cached entry for *user_id*/*provider* from both caches.
-
-    Call this after storing new credentials so that the next
-    ``get_provider_token()`` call performs a fresh DB lookup instead of
-    serving a stale TTL-cached result.
-    """
-    key = (user_id, provider)
-    _token_cache.pop(key, None)
-    _null_cache.pop(key, None)
-
-
-# Register this module's cache-bust function with the credentials manager so
-# that any create/update/delete operation immediately evicts stale cache
-# entries.  This avoids a lazy import inside creds_manager and eliminates the
-# circular-import risk.
-register_creds_changed_hook(invalidate_user_provider_cache)
-
-# Module-level singleton to avoid re-instantiating IntegrationCredentialsManager
-# on every cache-miss call to get_provider_token().
-_manager = IntegrationCredentialsManager()
-
-
-async def get_provider_token(user_id: str, provider: str) -> str | None:
-    """Return the user's access token for *provider*, or ``None`` if not connected.
-
-    OAuth2 tokens are preferred (refreshed if needed); API keys are the fallback.
-    Found tokens are cached for _TOKEN_CACHE_TTL (5 min).  "Not connected" results
-    are cached for _NULL_CACHE_TTL (60 s) to avoid a DB hit on every bash_exec
-    command for users who haven't connected yet, while still picking up a
-    newly-connected account within one minute.
-    """
-    cache_key = (user_id, provider)
-
-    if cache_key in _null_cache:
-        return None
-    if cached := _token_cache.get(cache_key):
-        return cached
-
-    manager = _manager
-    try:
-        creds_list = await manager.store.get_creds_by_provider(user_id, provider)
-    except Exception:
-        logger.debug("Failed to fetch %s credentials for user %s", provider, user_id)
-        return None
-
-    # Pass 1: prefer OAuth2 (carry scope info, refreshable via token endpoint).
-    # Sort so broader-scoped tokens come first: a token with "repo" scope covers
-    # full git access, while a public-data-only token lacks push/pull permission.
-    # lock=False — background injection; not worth a distributed lock acquisition.
-    oauth2_creds = sorted(
-        [c for c in creds_list if c.type == "oauth2"],
-        key=lambda c: 0 if "repo" in (cast(OAuth2Credentials, c).scopes or []) else 1,
-    )
-    for creds in oauth2_creds:
-        if creds.type == "oauth2":
-            try:
-                fresh = await manager.refresh_if_needed(
-                    user_id, cast(OAuth2Credentials, creds), lock=False
-                )
-                token = fresh.access_token.get_secret_value()
-            except Exception:
-                logger.warning(
-                    "Failed to refresh %s OAuth token for user %s; "
-                    "falling back to potentially stale token",
-                    provider,
-                    user_id,
-                )
-                token = cast(OAuth2Credentials, creds).access_token.get_secret_value()
-            _token_cache[cache_key] = token
-            return token
-
-    # Pass 2: fall back to API key (no expiry, no refresh needed).
-    for creds in creds_list:
-        if creds.type == "api_key":
-            token = cast(APIKeyCredentials, creds).api_key.get_secret_value()
-            _token_cache[cache_key] = token
-            return token
-
-    # No credentials found — cache to avoid repeated DB hits.
-    _null_cache[cache_key] = True
-    return None
-
-
-async def get_integration_env_vars(user_id: str) -> dict[str, str]:
-    """Return env vars for all providers the user has connected.
-
-    Iterates :data:`PROVIDER_ENV_VARS`, fetches each token, and builds a flat
-    ``{env_var: token}`` dict ready to pass to a subprocess or E2B sandbox.
-    Only providers with a stored credential contribute entries.
-    """
-    env: dict[str, str] = {}
-    for provider, var_names in PROVIDER_ENV_VARS.items():
-        token = await get_provider_token(user_id, provider)
-        if token:
-            for var in var_names:
-                env[var] = token
-    return env

autogpt_platform/backend/backend/copilot/integration_creds_test.py

@@ -1,193 +0,0 @@
-"""Tests for integration_creds — TTL cache and token lookup paths."""
-
-from unittest.mock import AsyncMock, MagicMock, patch
-
-import pytest
-from pydantic import SecretStr
-
-from backend.copilot.integration_creds import (
-    _NULL_CACHE_TTL,
-    _TOKEN_CACHE_TTL,
-    PROVIDER_ENV_VARS,
-    _null_cache,
-    _token_cache,
-    get_integration_env_vars,
-    get_provider_token,
-    invalidate_user_provider_cache,
-)
-from backend.data.model import APIKeyCredentials, OAuth2Credentials
-
-_USER = "user-integration-creds-test"
-_PROVIDER = "github"
-
-
-def _make_api_key_creds(key: str = "test-api-key") -> APIKeyCredentials:
-    return APIKeyCredentials(
-        id="creds-api-key",
-        provider=_PROVIDER,
-        api_key=SecretStr(key),
-        title="Test API Key",
-        expires_at=None,
-    )
-
-
-def _make_oauth2_creds(token: str = "test-oauth-token") -> OAuth2Credentials:
-    return OAuth2Credentials(
-        id="creds-oauth2",
-        provider=_PROVIDER,
-        title="Test OAuth",
-        access_token=SecretStr(token),
-        refresh_token=SecretStr("test-refresh"),
-        access_token_expires_at=None,
-        refresh_token_expires_at=None,
-        scopes=[],
-    )
-
-
-@pytest.fixture(autouse=True)
-def clear_caches():
-    """Ensure clean caches before and after every test."""
-    _token_cache.clear()
-    _null_cache.clear()
-    yield
-    _token_cache.clear()
-    _null_cache.clear()
-
-
-class TestInvalidateUserProviderCache:
-    def test_removes_token_entry(self):
-        key = (_USER, _PROVIDER)
-        _token_cache[key] = "tok"
-        invalidate_user_provider_cache(_USER, _PROVIDER)
-        assert key not in _token_cache
-
-    def test_removes_null_entry(self):
-        key = (_USER, _PROVIDER)
-        _null_cache[key] = True
-        invalidate_user_provider_cache(_USER, _PROVIDER)
-        assert key not in _null_cache
-
-    def test_noop_when_key_not_cached(self):
-        # Should not raise even when there is no cache entry.
-        invalidate_user_provider_cache("no-such-user", _PROVIDER)
-
-    def test_only_removes_targeted_key(self):
-        other_key = ("other-user", _PROVIDER)
-        _token_cache[other_key] = "other-tok"
-        invalidate_user_provider_cache(_USER, _PROVIDER)
-        assert other_key in _token_cache
-
-
-class TestGetProviderToken:
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_returns_cached_token_without_db_hit(self):
-        _token_cache[(_USER, _PROVIDER)] = "cached-tok"
-
-        mock_manager = MagicMock()
-        with patch("backend.copilot.integration_creds._manager", mock_manager):
-            result = await get_provider_token(_USER, _PROVIDER)
-
-        assert result == "cached-tok"
-        mock_manager.store.get_creds_by_provider.assert_not_called()
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_returns_none_for_null_cached_provider(self):
-        _null_cache[(_USER, _PROVIDER)] = True
-
-        mock_manager = MagicMock()
-        with patch("backend.copilot.integration_creds._manager", mock_manager):
-            result = await get_provider_token(_USER, _PROVIDER)
-
-        assert result is None
-        mock_manager.store.get_creds_by_provider.assert_not_called()
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_api_key_creds_returned_and_cached(self):
-        api_creds = _make_api_key_creds("my-api-key")
-        mock_manager = MagicMock()
-        mock_manager.store.get_creds_by_provider = AsyncMock(return_value=[api_creds])
-
-        with patch("backend.copilot.integration_creds._manager", mock_manager):
-            result = await get_provider_token(_USER, _PROVIDER)
-
-        assert result == "my-api-key"
-        assert _token_cache.get((_USER, _PROVIDER)) == "my-api-key"
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_oauth2_preferred_over_api_key(self):
-        oauth_creds = _make_oauth2_creds("oauth-tok")
-        api_creds = _make_api_key_creds("api-tok")
-        mock_manager = MagicMock()
-        mock_manager.store.get_creds_by_provider = AsyncMock(
-            return_value=[api_creds, oauth_creds]
-        )
-        mock_manager.refresh_if_needed = AsyncMock(return_value=oauth_creds)
-
-        with patch("backend.copilot.integration_creds._manager", mock_manager):
-            result = await get_provider_token(_USER, _PROVIDER)
-
-        assert result == "oauth-tok"
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_oauth2_refresh_failure_falls_back_to_stale_token(self):
-        oauth_creds = _make_oauth2_creds("stale-oauth-tok")
-        mock_manager = MagicMock()
-        mock_manager.store.get_creds_by_provider = AsyncMock(return_value=[oauth_creds])
-        mock_manager.refresh_if_needed = AsyncMock(side_effect=RuntimeError("network"))
-
-        with patch("backend.copilot.integration_creds._manager", mock_manager):
-            result = await get_provider_token(_USER, _PROVIDER)
-
-        assert result == "stale-oauth-tok"
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_no_credentials_caches_null_entry(self):
-        mock_manager = MagicMock()
-        mock_manager.store.get_creds_by_provider = AsyncMock(return_value=[])
-
-        with patch("backend.copilot.integration_creds._manager", mock_manager):
-            result = await get_provider_token(_USER, _PROVIDER)
-
-        assert result is None
-        assert _null_cache.get((_USER, _PROVIDER)) is True
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_db_exception_returns_none_without_caching(self):
-        mock_manager = MagicMock()
-        mock_manager.store.get_creds_by_provider = AsyncMock(
-            side_effect=RuntimeError("db down")
-        )
-
-        with patch("backend.copilot.integration_creds._manager", mock_manager):
-            result = await get_provider_token(_USER, _PROVIDER)
-
-        assert result is None
-        # DB errors are not cached — next call will retry
-        assert (_USER, _PROVIDER) not in _token_cache
-        assert (_USER, _PROVIDER) not in _null_cache
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_null_cache_has_shorter_ttl_than_token_cache(self):
-        """Verify the TTL constants are set correctly for each cache."""
-        assert _null_cache.ttl == _NULL_CACHE_TTL
-        assert _token_cache.ttl == _TOKEN_CACHE_TTL
-        assert _NULL_CACHE_TTL < _TOKEN_CACHE_TTL
-
-
-class TestGetIntegrationEnvVars:
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_injects_all_env_vars_for_provider(self):
-        _token_cache[(_USER, "github")] = "gh-tok"
-
-        result = await get_integration_env_vars(_USER)
-
-        for var in PROVIDER_ENV_VARS["github"]:
-            assert result[var] == "gh-tok"
-
-    @pytest.mark.asyncio(loop_scope="session")
-    async def test_empty_dict_when_no_credentials(self):
-        _null_cache[(_USER, "github")] = True
-
-        result = await get_integration_env_vars(_USER)
-
-        assert result == {}

autogpt_platform/backend/backend/copilot/prompting.py

@@ -52,68 +52,12 @@ Examples:
 You can embed a reference inside any string argument, or use it as the entire
 value.  Multiple references in one argument are all expanded.
 
-**Structured data**: When the **entire** argument value is a single file
-reference (no surrounding text), the platform automatically parses the file
-content based on its extension or MIME type.  Supported formats: JSON, JSONL,
-CSV, TSV, YAML, TOML, Parquet, and Excel (.xlsx — first sheet only).
-For example, pass `@@agptfile:workspace://<id>` where the file is a `.csv` and
-the rows will be parsed into `list[list[str]]` automatically.  If the format is
-unrecognised or parsing fails, the content is returned as a plain string.
-Legacy `.xls` files are **not** supported — only the modern `.xlsx` format.
-
-**Type coercion**: The platform also coerces expanded values to match the
-block's expected input types.  For example, if a block expects `list[list[str]]`
-and the expanded value is a JSON string, it will be parsed into the correct type.
-
-### Media file inputs (format: "file")
-Some block inputs accept media files — their schema shows `"format": "file"`.
-These fields accept:
-- **`workspace://<file_id>`** or **`workspace://<file_id>#<mime>`** — preferred
-  for large files (images, videos, PDFs). The platform passes the reference
-  directly to the block without reading the content into memory.
-- **`data:<mime>;base64,<payload>`** — inline base64 data URI, suitable for
-  small files only.
-
-When a block input has `format: "file"`, **pass the `workspace://` URI
-directly as the value** (do NOT wrap it in `@@agptfile:`). This avoids large
-payloads in tool arguments and preserves binary content (images, videos)
-that would be corrupted by text encoding.
-
-Example — committing an image file to GitHub:
-```json
-{
-  "files": [{
-    "path": "docs/hero.png",
-    "content": "workspace://abc123#image/png",
-    "operation": "upsert"
-  }]
-}
-```
 
 ### Sub-agent tasks
 - When using the Task tool, NEVER set `run_in_background` to true.
   All tasks must run in the foreground.
 """
 
-# E2B-only notes — E2B has full internet access so gh CLI works there.
-# Not shown in local (bubblewrap) mode: --unshare-net blocks all network.
-_E2B_TOOL_NOTES = """
-### GitHub CLI (`gh`) and git
-- If the user has connected their GitHub account, both `gh` and `git` are
-  pre-authenticated — use them directly without any manual login step.
-  `git` HTTPS operations (clone, push, pull) work automatically.
-- If the token changes mid-session (e.g. user reconnects with a new token),
-  run `gh auth setup-git` to re-register the credential helper.
-- If `gh` or `git` fails with an authentication error (e.g. "authentication
-  required", "could not read Username", or exit code 128), call
-  `connect_integration(provider="github")` to surface the GitHub credentials
-  setup card so the user can connect their account. Once connected, retry
-  the operation.
-- For operations that need broader access (e.g. private org repos, GitHub
-  Actions), pass the required scopes: e.g.
-  `connect_integration(provider="github", scopes=["repo", "read:org"])`.
-"""
-
 
 # Environment-specific supplement templates
 def _build_storage_supplement(
@@ -124,7 +68,6 @@ def _build_storage_supplement(
     storage_system_1_persistence: list[str],
     file_move_name_1_to_2: str,
     file_move_name_2_to_1: str,
-    extra_notes: str = "",
 ) -> str:
     """Build storage/filesystem supplement for a specific environment.
 
@@ -139,7 +82,6 @@ def _build_storage_supplement(
         storage_system_1_persistence: List of persistence behavior descriptions
         file_move_name_1_to_2: Direction label for primary→persistent
         file_move_name_2_to_1: Direction label for persistent→primary
-        extra_notes: Environment-specific notes appended after shared notes
     """
     # Format lists as bullet points with proper indentation
     characteristics = "\n".join(f"   - {c}" for c in storage_system_1_characteristics)
@@ -173,16 +115,12 @@ def _build_storage_supplement(
 
 ### File persistence
 Important files (code, configs, outputs) should be saved to workspace to ensure they persist.
-{_SHARED_TOOL_NOTES}{extra_notes}"""
+{_SHARED_TOOL_NOTES}"""
 
 
 # Pre-built supplements for common environments
 def _get_local_storage_supplement(cwd: str) -> str:
-    """Local ephemeral storage (files lost between turns).
-
-    Network is isolated (bubblewrap --unshare-net), so internet-dependent CLIs
-    like gh will not work — no integration env-var notes are included.
-    """
+    """Local ephemeral storage (files lost between turns)."""
     return _build_storage_supplement(
         working_dir=cwd,
         sandbox_type="in a network-isolated sandbox",
@@ -200,11 +138,7 @@ def _get_local_storage_supplement(cwd: str) -> str:
 
 
 def _get_cloud_sandbox_supplement() -> str:
-    """Cloud persistent sandbox (files survive across turns in session).
-
-    E2B has full internet access, so integration tokens (GH_TOKEN etc.) are
-    injected per command in bash_exec — include the CLI guidance notes.
-    """
+    """Cloud persistent sandbox (files survive across turns in session)."""
     return _build_storage_supplement(
         working_dir="/home/user",
         sandbox_type="in a cloud sandbox with full internet access",
@@ -219,7 +153,6 @@ def _get_cloud_sandbox_supplement() -> str:
         ],
         file_move_name_1_to_2="Sandbox → Persistent",
         file_move_name_2_to_1="Persistent → Sandbox",
-        extra_notes=_E2B_TOOL_NOTES,
     )
 
 

autogpt_platform/backend/backend/copilot/sdk/__init__.py

@@ -3,45 +3,12 @@
 This module provides the integration layer between the Claude Agent SDK
 and the existing CoPilot tool system, enabling drop-in replacement of
 the current LLM orchestration with the battle-tested Claude Agent SDK.
-
-Submodule imports are deferred via PEP 562 ``__getattr__`` to break a
-circular import cycle::
-
-    sdk/__init__ → tool_adapter → copilot.tools (TOOL_REGISTRY)
-    copilot.tools → run_block → sdk.file_ref  (no cycle here, but…)
-    sdk/__init__ → service → copilot.prompting → copilot.tools  (cycle!)
-
-``tool_adapter`` uses ``TOOL_REGISTRY`` at **module level** to build the
-static ``COPILOT_TOOL_NAMES`` list, so the import cannot be deferred to
-function scope without a larger refactor (moving tool-name registration
-to a separate lightweight module).  The lazy-import pattern here is the
-least invasive way to break the cycle while keeping module-level constants
-intact.
 """
 
-from typing import Any
+from .service import stream_chat_completion_sdk
+from .tool_adapter import create_copilot_mcp_server
 
 __all__ = [
     "stream_chat_completion_sdk",
     "create_copilot_mcp_server",
 ]
-
-# Dispatch table for PEP 562 lazy imports.  Each entry is a (module, attr)
-# pair so new exports can be added without touching __getattr__ itself.
-_LAZY_IMPORTS: dict[str, tuple[str, str]] = {
-    "stream_chat_completion_sdk": (".service", "stream_chat_completion_sdk"),
-    "create_copilot_mcp_server": (".tool_adapter", "create_copilot_mcp_server"),
-}
-
-
-def __getattr__(name: str) -> Any:
-    entry = _LAZY_IMPORTS.get(name)
-    if entry is not None:
-        module_path, attr = entry
-        import importlib
-
-        module = importlib.import_module(module_path, package=__name__)
-        value = getattr(module, attr)
-        globals()[name] = value
-        return value
-    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")

autogpt_platform/backend/backend/copilot/sdk/compaction.py

@@ -11,7 +11,7 @@ persistence, and the ``CompactionTracker`` state machine.
 import asyncio
 import logging
 import uuid
-from dataclasses import dataclass, field
+from collections.abc import Callable
 
 from ..constants import COMPACTION_DONE_MSG, COMPACTION_TOOL_NAME
 from ..model import ChatMessage, ChatSession
@@ -27,19 +27,6 @@ from ..response_model import (
 logger = logging.getLogger(__name__)
 
 
-@dataclass
-class CompactionResult:
-    """Result of emit_end_if_ready — bundles events with compaction metadata.
-
-    Eliminates the need for separate ``compaction_just_ended`` checks,
-    preventing TOCTOU races between the emit call and the flag read.
-    """
-
-    events: list[StreamBaseResponse] = field(default_factory=list)
-    just_ended: bool = False
-    transcript_path: str = ""
-
-
 # ---------------------------------------------------------------------------
 # Event builders (private — use CompactionTracker or compaction_events)
 # ---------------------------------------------------------------------------
@@ -190,22 +177,11 @@ class CompactionTracker:
         self._start_emitted = False
         self._done = False
         self._tool_call_id = ""
-        self._transcript_path: str = ""
 
-    def on_compact(self, transcript_path: str = "") -> None:
-        """Callback for the PreCompact hook. Stores transcript_path."""
-        if (
-            self._transcript_path
-            and transcript_path
-            and self._transcript_path != transcript_path
-        ):
-            logger.warning(
-                "[Compaction] Overwriting transcript_path %s -> %s",
-                self._transcript_path,
-                transcript_path,
-            )
-        self._transcript_path = transcript_path
-        self._compact_start.set()
+    @property
+    def on_compact(self) -> Callable[[], None]:
+        """Callback for the PreCompact hook."""
+        return self._compact_start.set
 
     # ------------------------------------------------------------------
     # Pre-query compaction
@@ -225,7 +201,6 @@ class CompactionTracker:
         self._done = False
         self._start_emitted = False
         self._tool_call_id = ""
-        self._transcript_path = ""
 
     def emit_start_if_ready(self) -> list[StreamBaseResponse]:
         """If the PreCompact hook fired, emit start events (spinning tool)."""
@@ -236,20 +211,15 @@ class CompactionTracker:
             return _start_events(self._tool_call_id)
         return []
 
-    async def emit_end_if_ready(self, session: ChatSession) -> CompactionResult:
-        """If compaction is in progress, emit end events and persist.
-
-        Returns a ``CompactionResult`` with ``just_ended=True`` and the
-        captured ``transcript_path`` when a compaction cycle completes.
-        This avoids a separate flag check (TOCTOU-safe).
-        """
+    async def emit_end_if_ready(self, session: ChatSession) -> list[StreamBaseResponse]:
+        """If compaction is in progress, emit end events and persist."""
         # Yield so pending hook tasks can set compact_start
         await asyncio.sleep(0)
 
         if self._done:
-            return CompactionResult()
+            return []
         if not self._start_emitted and not self._compact_start.is_set():
-            return CompactionResult()
+            return []
 
         if self._start_emitted:
             # Close the open spinner
@@ -262,12 +232,8 @@ class CompactionTracker:
                 COMPACTION_DONE_MSG, tool_call_id=persist_id
             )
 
-        transcript_path = self._transcript_path
         self._compact_start.clear()
         self._start_emitted = False
         self._done = True
-        self._transcript_path = ""
         _persist(session, persist_id, COMPACTION_DONE_MSG)
-        return CompactionResult(
-            events=done_events, just_ended=True, transcript_path=transcript_path
-        )
+        return done_events

autogpt_platform/backend/backend/copilot/sdk/compaction_test.py

@@ -195,11 +195,10 @@ class TestCompactionTracker:
         session = _make_session()
         tracker.on_compact()
         tracker.emit_start_if_ready()
-        result = await tracker.emit_end_if_ready(session)
-        assert result.just_ended is True
-        assert len(result.events) == 2
-        assert isinstance(result.events[0], StreamToolOutputAvailable)
-        assert isinstance(result.events[1], StreamFinishStep)
+        evts = await tracker.emit_end_if_ready(session)
+        assert len(evts) == 2
+        assert isinstance(evts[0], StreamToolOutputAvailable)
+        assert isinstance(evts[1], StreamFinishStep)
         # Should persist
         assert len(session.messages) == 2
 
@@ -211,32 +210,28 @@ class TestCompactionTracker:
         session = _make_session()
         tracker.on_compact()
         # Don't call emit_start_if_ready
-        result = await tracker.emit_end_if_ready(session)
-        assert result.just_ended is True
-        assert len(result.events) == 5  # Full self-contained event
-        assert isinstance(result.events[0], StreamStartStep)
+        evts = await tracker.emit_end_if_ready(session)
+        assert len(evts) == 5  # Full self-contained event
+        assert isinstance(evts[0], StreamStartStep)
         assert len(session.messages) == 2
 
     @pytest.mark.asyncio
-    async def test_emit_end_no_op_when_no_new_compaction(self):
+    async def test_emit_end_no_op_when_done(self):
         tracker = CompactionTracker()
         session = _make_session()
         tracker.on_compact()
         tracker.emit_start_if_ready()
-        result1 = await tracker.emit_end_if_ready(session)
-        assert result1.just_ended is True
-        # Second call should be no-op (no new on_compact)
-        result2 = await tracker.emit_end_if_ready(session)
-        assert result2.just_ended is False
-        assert result2.events == []
+        await tracker.emit_end_if_ready(session)
+        # Second call should be no-op
+        evts = await tracker.emit_end_if_ready(session)
+        assert evts == []
 
     @pytest.mark.asyncio
     async def test_emit_end_no_op_when_nothing_happened(self):
         tracker = CompactionTracker()
         session = _make_session()
-        result = await tracker.emit_end_if_ready(session)
-        assert result.just_ended is False
-        assert result.events == []
+        evts = await tracker.emit_end_if_ready(session)
+        assert evts == []
 
     def test_emit_pre_query(self):
         tracker = CompactionTracker()
@@ -251,29 +246,20 @@ class TestCompactionTracker:
         tracker._done = True
         tracker._start_emitted = True
         tracker._tool_call_id = "old"
-        tracker._transcript_path = "/some/path"
         tracker.reset_for_query()
         assert tracker._done is False
         assert tracker._start_emitted is False
         assert tracker._tool_call_id == ""
-        assert tracker._transcript_path == ""
 
     @pytest.mark.asyncio
-    async def test_pre_query_blocks_sdk_compaction_until_reset(self):
-        """After pre-query compaction, SDK compaction is blocked until
-        reset_for_query is called."""
+    async def test_pre_query_blocks_sdk_compaction(self):
+        """After pre-query compaction, SDK compaction events are suppressed."""
         tracker = CompactionTracker()
         session = _make_session()
         tracker.emit_pre_query(session)
         tracker.on_compact()
-        # _done is True so emit_start_if_ready is blocked
         evts = tracker.emit_start_if_ready()
-        assert evts == []
-        # Reset clears _done, allowing subsequent compaction
-        tracker.reset_for_query()
-        tracker.on_compact()
-        evts = tracker.emit_start_if_ready()
-        assert len(evts) == 3
+        assert evts == []  # _done blocks it
 
     @pytest.mark.asyncio
     async def test_reset_allows_new_compaction(self):
@@ -293,9 +279,9 @@ class TestCompactionTracker:
         session = _make_session()
         tracker.on_compact()
         start_evts = tracker.emit_start_if_ready()
-        result = await tracker.emit_end_if_ready(session)
+        end_evts = await tracker.emit_end_if_ready(session)
         start_evt = start_evts[1]
-        end_evt = result.events[0]
+        end_evt = end_evts[0]
         assert isinstance(start_evt, StreamToolInputStart)
         assert isinstance(end_evt, StreamToolOutputAvailable)
         assert start_evt.toolCallId == end_evt.toolCallId
@@ -303,105 +289,3 @@ class TestCompactionTracker:
         tool_calls = session.messages[0].tool_calls
         assert tool_calls is not None
         assert tool_calls[0]["id"] == start_evt.toolCallId
-
-    @pytest.mark.asyncio
-    async def test_multiple_compactions_within_query(self):
-        """Two mid-stream compactions within a single query both trigger."""
-        tracker = CompactionTracker()
-        session = _make_session()
-
-        # First compaction cycle
-        tracker.on_compact("/path/1")
-        tracker.emit_start_if_ready()
-        result1 = await tracker.emit_end_if_ready(session)
-        assert result1.just_ended is True
-        assert len(result1.events) == 2
-        assert result1.transcript_path == "/path/1"
-
-        # Second compaction cycle (should NOT be blocked — _done resets
-        # because emit_end_if_ready sets it True, but the next on_compact
-        # + emit_start_if_ready checks !_done which IS True now.
-        # So we need reset_for_query between queries, but within a single
-        # query multiple compactions work because _done blocks emit_start
-        # until the next message arrives, at which point emit_end detects it)
-        #
-        # Actually: _done=True blocks emit_start_if_ready, so we need
-        # the stream loop to reset. In practice service.py doesn't call
-        # reset between compactions within the same query — let's verify
-        # the actual behavior.
-        tracker.on_compact("/path/2")
-        # _done is True from first compaction, so start is blocked
-        start_evts = tracker.emit_start_if_ready()
-        assert start_evts == []
-        # But emit_end returns no-op because _done is True
-        result2 = await tracker.emit_end_if_ready(session)
-        assert result2.just_ended is False
-
-    @pytest.mark.asyncio
-    async def test_multiple_compactions_with_intervening_message(self):
-        """Multiple compactions work when the stream loop processes messages between them.
-
-        In the real service.py flow:
-        1. PreCompact fires → on_compact()
-        2. emit_start shows spinner
-        3. Next message arrives → emit_end completes compaction (_done=True)
-        4. Stream continues processing messages...
-        5. If a second PreCompact fires, _done=True blocks emit_start
-        6. But the next message triggers emit_end, which sees _done=True → no-op
-        7. The stream loop needs to detect this and handle accordingly
-
-        The actual flow for multiple compactions within a query requires
-        _done to be cleared between them. The service.py code uses
-        CompactionResult.just_ended to trigger replace_entries, and _done
-        stays True until reset_for_query.
-        """
-        tracker = CompactionTracker()
-        session = _make_session()
-
-        # First compaction
-        tracker.on_compact("/path/1")
-        tracker.emit_start_if_ready()
-        result1 = await tracker.emit_end_if_ready(session)
-        assert result1.just_ended is True
-        assert result1.transcript_path == "/path/1"
-
-        # Simulate reset between queries
-        tracker.reset_for_query()
-
-        # Second compaction in new query
-        tracker.on_compact("/path/2")
-        start_evts = tracker.emit_start_if_ready()
-        assert len(start_evts) == 3
-        result2 = await tracker.emit_end_if_ready(session)
-        assert result2.just_ended is True
-        assert result2.transcript_path == "/path/2"
-
-    def test_on_compact_stores_transcript_path(self):
-        tracker = CompactionTracker()
-        tracker.on_compact("/some/path.jsonl")
-        assert tracker._transcript_path == "/some/path.jsonl"
-
-    @pytest.mark.asyncio
-    async def test_emit_end_returns_transcript_path(self):
-        """CompactionResult includes the transcript_path from on_compact."""
-        tracker = CompactionTracker()
-        session = _make_session()
-        tracker.on_compact("/my/session.jsonl")
-        tracker.emit_start_if_ready()
-        result = await tracker.emit_end_if_ready(session)
-        assert result.just_ended is True
-        assert result.transcript_path == "/my/session.jsonl"
-        # transcript_path is cleared after emit_end
-        assert tracker._transcript_path == ""
-
-    @pytest.mark.asyncio
-    async def test_emit_end_clears_transcript_path(self):
-        """After emit_end, _transcript_path is reset so it doesn't leak to
-        subsequent non-compaction emit_end calls."""
-        tracker = CompactionTracker()
-        session = _make_session()
-        tracker.on_compact("/first/path.jsonl")
-        tracker.emit_start_if_ready()
-        await tracker.emit_end_if_ready(session)
-        # After compaction, _transcript_path is cleared
-        assert tracker._transcript_path == ""

autogpt_platform/backend/backend/copilot/sdk/e2e_compaction_test.py

@@ -1,531 +0,0 @@
-"""End-to-end compaction flow test.
-
-Simulates the full service.py compaction lifecycle using real-format
-JSONL session files — no SDK subprocess needed. Exercises:
-
-  1. TranscriptBuilder loads a "downloaded" transcript
-  2. User query appended, assistant response streamed
-  3. PreCompact hook fires → CompactionTracker.on_compact()
-  4. Next message → emit_start_if_ready() yields spinner events
-  5. Message after that → emit_end_if_ready() returns CompactionResult
-  6. read_compacted_entries() reads the CLI session file
-  7. TranscriptBuilder.replace_entries() syncs state
-  8. More messages appended post-compaction
-  9. to_jsonl() exports full state for upload
-  10. Fresh builder loads the export — roundtrip verified
-"""
-
-import asyncio
-
-from backend.copilot.model import ChatSession
-from backend.copilot.response_model import (
-    StreamFinishStep,
-    StreamStartStep,
-    StreamToolInputAvailable,
-    StreamToolInputStart,
-    StreamToolOutputAvailable,
-)
-from backend.copilot.sdk.compaction import CompactionTracker
-from backend.copilot.sdk.transcript import (
-    read_compacted_entries,
-    strip_progress_entries,
-)
-from backend.copilot.sdk.transcript_builder import TranscriptBuilder
-from backend.util import json
-
-
-def _make_jsonl(*entries: dict) -> str:
-    return "\n".join(json.dumps(e) for e in entries) + "\n"
-
-
-def _run(coro):
-    """Run an async coroutine synchronously."""
-    return asyncio.run(coro)
-
-
-# ---------------------------------------------------------------------------
-# Fixtures: realistic CLI session file content
-# ---------------------------------------------------------------------------
-
-# Pre-compaction conversation
-USER_1 = {
-    "type": "user",
-    "uuid": "u1",
-    "message": {"role": "user", "content": "What files are in this project?"},
-}
-ASST_1_THINKING = {
-    "type": "assistant",
-    "uuid": "a1-think",
-    "parentUuid": "u1",
-    "message": {
-        "role": "assistant",
-        "id": "msg_sdk_aaa",
-        "type": "message",
-        "content": [{"type": "thinking", "thinking": "Let me look at the files..."}],
-        "stop_reason": None,
-        "stop_sequence": None,
-    },
-}
-ASST_1_TOOL = {
-    "type": "assistant",
-    "uuid": "a1-tool",
-    "parentUuid": "u1",
-    "message": {
-        "role": "assistant",
-        "id": "msg_sdk_aaa",
-        "type": "message",
-        "content": [
-            {
-                "type": "tool_use",
-                "id": "tu1",
-                "name": "Bash",
-                "input": {"command": "ls"},
-            }
-        ],
-        "stop_reason": "tool_use",
-        "stop_sequence": None,
-    },
-}
-TOOL_RESULT_1 = {
-    "type": "user",
-    "uuid": "tr1",
-    "parentUuid": "a1-tool",
-    "message": {
-        "role": "user",
-        "content": [
-            {
-                "type": "tool_result",
-                "tool_use_id": "tu1",
-                "content": "file1.py\nfile2.py",
-            }
-        ],
-    },
-}
-ASST_1_TEXT = {
-    "type": "assistant",
-    "uuid": "a1-text",
-    "parentUuid": "tr1",
-    "message": {
-        "role": "assistant",
-        "id": "msg_sdk_bbb",
-        "type": "message",
-        "content": [{"type": "text", "text": "I found file1.py and file2.py."}],
-        "stop_reason": "end_turn",
-        "stop_sequence": None,
-    },
-}
-# Progress entries (should be stripped during upload)
-PROGRESS_1 = {
-    "type": "progress",
-    "uuid": "prog1",
-    "parentUuid": "a1-tool",
-    "data": {"type": "bash_progress", "stdout": "running ls..."},
-}
-# Second user message
-USER_2 = {
-    "type": "user",
-    "uuid": "u2",
-    "parentUuid": "a1-text",
-    "message": {"role": "user", "content": "Show me file1.py"},
-}
-ASST_2 = {
-    "type": "assistant",
-    "uuid": "a2",
-    "parentUuid": "u2",
-    "message": {
-        "role": "assistant",
-        "id": "msg_sdk_ccc",
-        "type": "message",
-        "content": [{"type": "text", "text": "Here is file1.py content..."}],
-        "stop_reason": "end_turn",
-        "stop_sequence": None,
-    },
-}
-
-# --- Compaction summary (written by CLI after context compaction) ---
-COMPACT_SUMMARY = {
-    "type": "summary",
-    "uuid": "cs1",
-    "isCompactSummary": True,
-    "message": {
-        "role": "user",
-        "content": (
-            "Summary: User asked about project files. Found file1.py and file2.py. "
-            "User then asked to see file1.py."
-        ),
-    },
-}
-
-# Post-compaction assistant response
-POST_COMPACT_ASST = {
-    "type": "assistant",
-    "uuid": "a3",
-    "parentUuid": "cs1",
-    "message": {
-        "role": "assistant",
-        "id": "msg_sdk_ddd",
-        "type": "message",
-        "content": [{"type": "text", "text": "Here is the content of file1.py..."}],
-        "stop_reason": "end_turn",
-        "stop_sequence": None,
-    },
-}
-
-# Post-compaction user follow-up
-USER_3 = {
-    "type": "user",
-    "uuid": "u3",
-    "parentUuid": "a3",
-    "message": {"role": "user", "content": "Now show file2.py"},
-}
-ASST_3 = {
-    "type": "assistant",
-    "uuid": "a4",
-    "parentUuid": "u3",
-    "message": {
-        "role": "assistant",
-        "id": "msg_sdk_eee",
-        "type": "message",
-        "content": [{"type": "text", "text": "Here is file2.py..."}],
-        "stop_reason": "end_turn",
-        "stop_sequence": None,
-    },
-}
-
-
-# ---------------------------------------------------------------------------
-# E2E test
-# ---------------------------------------------------------------------------
-
-
-class TestCompactionE2E:
-    def _write_session_file(self, session_dir, entries):
-        """Write a CLI session JSONL file."""
-        path = session_dir / "session.jsonl"
-        path.write_text(_make_jsonl(*entries))
-        return path
-
-    def test_full_compaction_lifecycle(self, tmp_path, monkeypatch):
-        """Simulate the complete service.py compaction flow.
-
-        Timeline:
-        1. Previous turn uploaded transcript with [USER_1, ASST_1, USER_2, ASST_2]
-        2. Current turn: download → load_previous
-        3. User sends "Now show file2.py" → append_user
-        4. SDK starts streaming response
-        5. Mid-stream: PreCompact hook fires (context too large)
-        6. CLI writes compaction summary to session file
-        7. Next SDK message → emit_start (spinner)
-        8. Following message → emit_end (CompactionResult)
-        9. read_compacted_entries reads the session file
-        10. replace_entries syncs TranscriptBuilder
-        11. More assistant messages appended
-        12. Export → upload → next turn downloads it
-        """
-        # --- Setup CLI projects directory ---
-        config_dir = tmp_path / "config"
-        projects_dir = config_dir / "projects"
-        session_dir = projects_dir / "proj"
-        session_dir.mkdir(parents=True)
-        monkeypatch.setenv("CLAUDE_CONFIG_DIR", str(config_dir))
-
-        # --- Step 1-2: Load "downloaded" transcript from previous turn ---
-        previous_transcript = _make_jsonl(
-            USER_1,
-            ASST_1_THINKING,
-            ASST_1_TOOL,
-            TOOL_RESULT_1,
-            ASST_1_TEXT,
-            USER_2,
-            ASST_2,
-        )
-        builder = TranscriptBuilder()
-        builder.load_previous(previous_transcript)
-        assert builder.entry_count == 7
-
-        # --- Step 3: User sends new query ---
-        builder.append_user("Now show file2.py")
-        assert builder.entry_count == 8
-
-        # --- Step 4: SDK starts streaming ---
-        builder.append_assistant(
-            [{"type": "thinking", "thinking": "Let me read file2.py..."}],
-            model="claude-sonnet-4-20250514",
-        )
-        assert builder.entry_count == 9
-
-        # --- Step 5-6: PreCompact fires, CLI writes session file ---
-        session_file = self._write_session_file(
-            session_dir,
-            [
-                USER_1,
-                ASST_1_THINKING,
-                ASST_1_TOOL,
-                PROGRESS_1,
-                TOOL_RESULT_1,
-                ASST_1_TEXT,
-                USER_2,
-                ASST_2,
-                COMPACT_SUMMARY,
-                POST_COMPACT_ASST,
-                USER_3,
-                ASST_3,
-            ],
-        )
-
-        # --- Step 7: CompactionTracker receives PreCompact hook ---
-        tracker = CompactionTracker()
-        session = ChatSession.new(user_id="test-user")
-        tracker.on_compact(str(session_file))
-
-        # --- Step 8: Next SDK message arrives → emit_start ---
-        start_events = tracker.emit_start_if_ready()
-        assert len(start_events) == 3
-        assert isinstance(start_events[0], StreamStartStep)
-        assert isinstance(start_events[1], StreamToolInputStart)
-        assert isinstance(start_events[2], StreamToolInputAvailable)
-
-        # Verify tool_call_id is set
-        tool_call_id = start_events[1].toolCallId
-        assert tool_call_id.startswith("compaction-")
-
-        # --- Step 9: Following message → emit_end ---
-        result = _run(tracker.emit_end_if_ready(session))
-        assert result.just_ended is True
-        assert result.transcript_path == str(session_file)
-        assert len(result.events) == 2
-        assert isinstance(result.events[0], StreamToolOutputAvailable)
-        assert isinstance(result.events[1], StreamFinishStep)
-        # Verify same tool_call_id
-        assert result.events[0].toolCallId == tool_call_id
-
-        # Session should have compaction messages persisted
-        assert len(session.messages) == 2
-        assert session.messages[0].role == "assistant"
-        assert session.messages[1].role == "tool"
-
-        # --- Step 10: read_compacted_entries + replace_entries ---
-        compacted = read_compacted_entries(str(session_file))
-        assert compacted is not None
-        # Should have: COMPACT_SUMMARY + POST_COMPACT_ASST + USER_3 + ASST_3
-        assert len(compacted) == 4
-        assert compacted[0]["uuid"] == "cs1"
-        assert compacted[0]["isCompactSummary"] is True
-
-        # Replace builder state with compacted entries
-        old_count = builder.entry_count
-        builder.replace_entries(compacted)
-        assert builder.entry_count == 4  # Only compacted entries
-        assert builder.entry_count < old_count  # Compaction reduced entries
-
-        # --- Step 11: More assistant messages after compaction ---
-        builder.append_assistant(
-            [{"type": "text", "text": "Here is file2.py:\n\ndef hello():\n    pass"}],
-            model="claude-sonnet-4-20250514",
-            stop_reason="end_turn",
-        )
-        assert builder.entry_count == 5
-
-        # --- Step 12: Export for upload ---
-        output = builder.to_jsonl()
-        assert output  # Not empty
-        output_entries = [json.loads(line) for line in output.strip().split("\n")]
-        assert len(output_entries) == 5
-
-        # Verify structure:
-        # [COMPACT_SUMMARY, POST_COMPACT_ASST, USER_3, ASST_3, new_assistant]
-        assert output_entries[0]["type"] == "summary"
-        assert output_entries[0].get("isCompactSummary") is True
-        assert output_entries[0]["uuid"] == "cs1"
-        assert output_entries[1]["uuid"] == "a3"
-        assert output_entries[2]["uuid"] == "u3"
-        assert output_entries[3]["uuid"] == "a4"
-        assert output_entries[4]["type"] == "assistant"
-
-        # Verify parent chain is intact
-        assert output_entries[1]["parentUuid"] == "cs1"  # a3 → cs1
-        assert output_entries[2]["parentUuid"] == "a3"  # u3 → a3
-        assert output_entries[3]["parentUuid"] == "u3"  # a4 → u3
-        assert output_entries[4]["parentUuid"] == "a4"  # new → a4
-
-        # --- Step 13: Roundtrip — next turn loads this export ---
-        builder2 = TranscriptBuilder()
-        builder2.load_previous(output)
-        assert builder2.entry_count == 5
-
-        # isCompactSummary survives roundtrip
-        output2 = builder2.to_jsonl()
-        first_entry = json.loads(output2.strip().split("\n")[0])
-        assert first_entry.get("isCompactSummary") is True
-
-        # Can append more messages
-        builder2.append_user("What about file3.py?")
-        assert builder2.entry_count == 6
-        final_output = builder2.to_jsonl()
-        last_entry = json.loads(final_output.strip().split("\n")[-1])
-        assert last_entry["type"] == "user"
-        # Parented to the last entry from previous turn
-        assert last_entry["parentUuid"] == output_entries[-1]["uuid"]
-
-    def test_double_compaction_within_session(self, tmp_path, monkeypatch):
-        """Two compactions in the same session (across reset_for_query)."""
-        config_dir = tmp_path / "config"
-        projects_dir = config_dir / "projects"
-        session_dir = projects_dir / "proj"
-        session_dir.mkdir(parents=True)
-        monkeypatch.setenv("CLAUDE_CONFIG_DIR", str(config_dir))
-
-        tracker = CompactionTracker()
-        session = ChatSession.new(user_id="test")
-        builder = TranscriptBuilder()
-
-        # --- First query with compaction ---
-        builder.append_user("first question")
-        builder.append_assistant([{"type": "text", "text": "first answer"}])
-
-        # Write session file for first compaction
-        first_summary = {
-            "type": "summary",
-            "uuid": "cs-first",
-            "isCompactSummary": True,
-            "message": {"role": "user", "content": "First compaction summary"},
-        }
-        first_post = {
-            "type": "assistant",
-            "uuid": "a-first",
-            "parentUuid": "cs-first",
-            "message": {"role": "assistant", "content": "first post-compact"},
-        }
-        file1 = session_dir / "session1.jsonl"
-        file1.write_text(_make_jsonl(first_summary, first_post))
-
-        tracker.on_compact(str(file1))
-        tracker.emit_start_if_ready()
-        result1 = _run(tracker.emit_end_if_ready(session))
-        assert result1.just_ended is True
-
-        compacted1 = read_compacted_entries(str(file1))
-        assert compacted1 is not None
-        builder.replace_entries(compacted1)
-        assert builder.entry_count == 2
-
-        # --- Reset for second query ---
-        tracker.reset_for_query()
-
-        # --- Second query with compaction ---
-        builder.append_user("second question")
-        builder.append_assistant([{"type": "text", "text": "second answer"}])
-
-        second_summary = {
-            "type": "summary",
-            "uuid": "cs-second",
-            "isCompactSummary": True,
-            "message": {"role": "user", "content": "Second compaction summary"},
-        }
-        second_post = {
-            "type": "assistant",
-            "uuid": "a-second",
-            "parentUuid": "cs-second",
-            "message": {"role": "assistant", "content": "second post-compact"},
-        }
-        file2 = session_dir / "session2.jsonl"
-        file2.write_text(_make_jsonl(second_summary, second_post))
-
-        tracker.on_compact(str(file2))
-        tracker.emit_start_if_ready()
-        result2 = _run(tracker.emit_end_if_ready(session))
-        assert result2.just_ended is True
-
-        compacted2 = read_compacted_entries(str(file2))
-        assert compacted2 is not None
-        builder.replace_entries(compacted2)
-        assert builder.entry_count == 2  # Only second compaction entries
-
-        # Export and verify
-        output = builder.to_jsonl()
-        entries = [json.loads(line) for line in output.strip().split("\n")]
-        assert entries[0]["uuid"] == "cs-second"
-        assert entries[0].get("isCompactSummary") is True
-
-    def test_strip_progress_then_load_then_compact_roundtrip(
-        self, tmp_path, monkeypatch
-    ):
-        """Full pipeline: strip → load → compact → replace → export → reload.
-
-        This tests the exact sequence that happens across two turns:
-        Turn 1: SDK produces transcript with progress entries
-        Upload: strip_progress_entries removes progress, upload to cloud
-        Turn 2: Download → load_previous → compaction fires → replace → export
-        Turn 3: Download the Turn 2 export → load_previous (roundtrip)
-        """
-        config_dir = tmp_path / "config"
-        projects_dir = config_dir / "projects"
-        session_dir = projects_dir / "proj"
-        session_dir.mkdir(parents=True)
-        monkeypatch.setenv("CLAUDE_CONFIG_DIR", str(config_dir))
-
-        # --- Turn 1: SDK produces raw transcript ---
-        raw_content = _make_jsonl(
-            USER_1,
-            ASST_1_THINKING,
-            ASST_1_TOOL,
-            PROGRESS_1,
-            TOOL_RESULT_1,
-            ASST_1_TEXT,
-            USER_2,
-            ASST_2,
-        )
-
-        # Strip progress for upload
-        stripped = strip_progress_entries(raw_content)
-        stripped_entries = [
-            json.loads(line) for line in stripped.strip().split("\n") if line.strip()
-        ]
-        # Progress should be gone
-        assert not any(e.get("type") == "progress" for e in stripped_entries)
-        assert len(stripped_entries) == 7  # 8 - 1 progress
-
-        # --- Turn 2: Download stripped, load, compaction happens ---
-        builder = TranscriptBuilder()
-        builder.load_previous(stripped)
-        assert builder.entry_count == 7
-
-        builder.append_user("Now show file2.py")
-        builder.append_assistant(
-            [{"type": "text", "text": "Reading file2.py..."}],
-            model="claude-sonnet-4-20250514",
-        )
-
-        # CLI writes session file with compaction
-        session_file = self._write_session_file(
-            session_dir,
-            [
-                USER_1,
-                ASST_1_TOOL,
-                TOOL_RESULT_1,
-                ASST_1_TEXT,
-                USER_2,
-                ASST_2,
-                COMPACT_SUMMARY,
-                POST_COMPACT_ASST,
-            ],
-        )
-
-        compacted = read_compacted_entries(str(session_file))
-        assert compacted is not None
-        builder.replace_entries(compacted)
-
-        # Append post-compaction message
-        builder.append_user("Thanks!")
-        output = builder.to_jsonl()
-
-        # --- Turn 3: Fresh load of Turn 2 export ---
-        builder3 = TranscriptBuilder()
-        builder3.load_previous(output)
-        # Should have: compact_summary + post_compact_asst + "Thanks!"
-        assert builder3.entry_count == 3
-
-        # Compact summary survived the full pipeline
-        first = json.loads(builder3.to_jsonl().strip().split("\n")[0])
-        assert first.get("isCompactSummary") is True
-        assert first["type"] == "summary"

autogpt_platform/backend/backend/copilot/sdk/file_ref.py

@@ -41,20 +41,12 @@ from typing import Any
 from backend.copilot.context import (
     get_current_sandbox,
     get_sdk_cwd,
-    get_workspace_manager,
     is_allowed_local_path,
     resolve_sandbox_path,
 )
 from backend.copilot.model import ChatSession
+from backend.copilot.tools.workspace_files import get_manager
 from backend.util.file import parse_workspace_uri
-from backend.util.file_content_parser import (
-    BINARY_FORMATS,
-    MIME_TO_FORMAT,
-    PARSE_EXCEPTIONS,
-    infer_format_from_uri,
-    parse_file_content,
-)
-from backend.util.type import MediaFileType
 
 
 class FileRefExpansionError(Exception):
@@ -82,8 +74,6 @@ _FILE_REF_RE = re.compile(
 _MAX_EXPAND_CHARS = 200_000
 # Maximum total characters across all @@agptfile: expansions in one string.
 _MAX_TOTAL_EXPAND_CHARS = 1_000_000
-# Maximum raw byte size for bare ref structured parsing (10 MB).
-_MAX_BARE_REF_BYTES = 10_000_000
 
 
 @dataclass
@@ -93,11 +83,6 @@ class FileRef:
     end_line: int | None  # 1-indexed, inclusive
 
 
-# ---------------------------------------------------------------------------
-# Public API  (top-down: main functions first, helpers below)
-# ---------------------------------------------------------------------------
-
-
 def parse_file_ref(text: str) -> FileRef | None:
     """Return a :class:`FileRef` if *text* is a bare file reference token.
 
@@ -119,6 +104,17 @@ def parse_file_ref(text: str) -> FileRef | None:
     return FileRef(uri=m.group(1), start_line=start, end_line=end)
 
 
+def _apply_line_range(text: str, start: int | None, end: int | None) -> str:
+    """Slice *text* to the requested 1-indexed line range (inclusive)."""
+    if start is None and end is None:
+        return text
+    lines = text.splitlines(keepends=True)
+    s = (start - 1) if start is not None else 0
+    e = end if end is not None else len(lines)
+    selected = list(itertools.islice(lines, s, e))
+    return "".join(selected)
+
+
 async def read_file_bytes(
     uri: str,
     user_id: str | None,
@@ -134,47 +130,27 @@ async def read_file_bytes(
     if plain.startswith("workspace://"):
         if not user_id:
             raise ValueError("workspace:// file references require authentication")
-        manager = await get_workspace_manager(user_id, session.session_id)
+        manager = await get_manager(user_id, session.session_id)
         ws = parse_workspace_uri(plain)
         try:
-            data = await (
+            return await (
                 manager.read_file(ws.file_ref)
                 if ws.is_path
                 else manager.read_file_by_id(ws.file_ref)
             )
         except FileNotFoundError:
             raise ValueError(f"File not found: {plain}")
-        except (PermissionError, OSError) as exc:
+        except Exception as exc:
             raise ValueError(f"Failed to read {plain}: {exc}") from exc
-        except (AttributeError, TypeError, RuntimeError) as exc:
-            # AttributeError/TypeError: workspace manager returned an
-            # unexpected type or interface; RuntimeError: async runtime issues.
-            logger.warning("Unexpected error reading %s: %s", plain, exc)
-            raise ValueError(f"Failed to read {plain}: {exc}") from exc
-        # NOTE: Workspace API does not support pre-read size checks;
-        # the full file is loaded before the size guard below.
-        if len(data) > _MAX_BARE_REF_BYTES:
-            raise ValueError(
-                f"File too large ({len(data)} bytes, limit {_MAX_BARE_REF_BYTES})"
-            )
-        return data
 
     if is_allowed_local_path(plain, get_sdk_cwd()):
         resolved = os.path.realpath(os.path.expanduser(plain))
         try:
-            # Read with a one-byte overshoot to detect files that exceed the limit
-            # without a separate os.path.getsize call (avoids TOCTOU race).
             with open(resolved, "rb") as fh:
-                data = fh.read(_MAX_BARE_REF_BYTES + 1)
-            if len(data) > _MAX_BARE_REF_BYTES:
-                raise ValueError(
-                    f"File too large (>{_MAX_BARE_REF_BYTES} bytes, "
-                    f"limit {_MAX_BARE_REF_BYTES})"
-                )
-            return data
+                return fh.read()
         except FileNotFoundError:
             raise ValueError(f"File not found: {plain}")
-        except OSError as exc:
+        except Exception as exc:
             raise ValueError(f"Failed to read {plain}: {exc}") from exc
 
     sandbox = get_current_sandbox()
@@ -186,33 +162,9 @@ async def read_file_bytes(
                 f"Path is not allowed (not in workspace, sdk_cwd, or sandbox): {plain}"
             ) from exc
         try:
-            data = bytes(await sandbox.files.read(remote, format="bytes"))
-        except (FileNotFoundError, OSError, UnicodeDecodeError) as exc:
-            raise ValueError(f"Failed to read from sandbox: {plain}: {exc}") from exc
+            return bytes(await sandbox.files.read(remote, format="bytes"))
         except Exception as exc:
-            # E2B SDK raises SandboxException subclasses (NotFoundException,
-            # TimeoutException, NotEnoughSpaceException, etc.) which don't
-            # inherit from standard exceptions.  Import lazily to avoid a
-            # hard dependency on e2b at module level.
-            try:
-                from e2b.exceptions import SandboxException  # noqa: PLC0415
-
-                if isinstance(exc, SandboxException):
-                    raise ValueError(
-                        f"Failed to read from sandbox: {plain}: {exc}"
-                    ) from exc
-            except ImportError:
-                pass
-            # Re-raise unexpected exceptions (TypeError, AttributeError, etc.)
-            # so they surface as real bugs rather than being silently masked.
-            raise
-        # NOTE: E2B sandbox API does not support pre-read size checks;
-        # the full file is loaded before the size guard below.
-        if len(data) > _MAX_BARE_REF_BYTES:
-            raise ValueError(
-                f"File too large ({len(data)} bytes, limit {_MAX_BARE_REF_BYTES})"
-            )
-        return data
+            raise ValueError(f"Failed to read from sandbox: {plain}: {exc}") from exc
 
     raise ValueError(
         f"Path is not allowed (not in workspace, sdk_cwd, or sandbox): {plain}"
@@ -226,13 +178,15 @@ async def resolve_file_ref(
 ) -> str:
     """Resolve a :class:`FileRef` to its text content."""
     raw = await read_file_bytes(ref.uri, user_id, session)
-    return _apply_line_range(_to_str(raw), ref.start_line, ref.end_line)
+    return _apply_line_range(
+        raw.decode("utf-8", errors="replace"), ref.start_line, ref.end_line
+    )
 
 
 async def expand_file_refs_in_string(
     text: str,
     user_id: str | None,
-    session: ChatSession,
+    session: "ChatSession",
     *,
     raise_on_error: bool = False,
 ) -> str:
@@ -278,9 +232,6 @@ async def expand_file_refs_in_string(
             if len(content) > _MAX_EXPAND_CHARS:
                 content = content[:_MAX_EXPAND_CHARS] + "\n... [truncated]"
             remaining = _MAX_TOTAL_EXPAND_CHARS - total_chars
-            # remaining == 0 means the budget was exactly exhausted by the
-            # previous ref.  The elif below (len > remaining) won't catch
-            # this since 0 > 0 is false, so we need the <= 0 check.
             if remaining <= 0:
                 content = "[file-ref budget exhausted: total expansion limit reached]"
             elif len(content) > remaining:
@@ -301,31 +252,13 @@ async def expand_file_refs_in_string(
 async def expand_file_refs_in_args(
     args: dict[str, Any],
     user_id: str | None,
-    session: ChatSession,
-    *,
-    input_schema: dict[str, Any] | None = None,
+    session: "ChatSession",
 ) -> dict[str, Any]:
     """Recursively expand ``@@agptfile:...`` references in tool call arguments.
 
     String values are expanded in-place.  Nested dicts and lists are
     traversed.  Non-string scalars are returned unchanged.
 
-    **Bare references** (the entire argument value is a single
-    ``@@agptfile:...`` token with no surrounding text) are resolved and then
-    parsed according to the file's extension or MIME type.  See
-    :mod:`backend.util.file_content_parser` for the full list of supported
-    formats (JSON, JSONL, CSV, TSV, YAML, TOML, Parquet, Excel).
-
-    When *input_schema* is provided and the target property has
-    ``"type": "string"``, structured parsing is skipped — the raw file content
-    is returned as a plain string so blocks receive the original text.
-
-    If the format is unrecognised or parsing fails, the content is returned as
-    a plain string (the fallback).
-
-    **Embedded references** (``@@agptfile:`` mixed with other text) always
-    produce a plain string — structured parsing only applies to bare refs.
-
     Raises :class:`FileRefExpansionError` if any reference fails to resolve,
     so the tool is *not* executed with an error string as its input.  The
     caller (the MCP tool wrapper) should convert this into an MCP error
@@ -334,382 +267,15 @@ async def expand_file_refs_in_args(
     if not args:
         return args
 
-    properties = (input_schema or {}).get("properties", {})
-
-    async def _expand(
-        value: Any,
-        *,
-        prop_schema: dict[str, Any] | None = None,
-    ) -> Any:
-        """Recursively expand a single argument value.
-
-        Strings are checked for ``@@agptfile:`` references and expanded
-        (bare refs get structured parsing; embedded refs get inline
-        substitution).  Dicts and lists are traversed recursively,
-        threading the corresponding sub-schema from *prop_schema* so
-        that nested fields also receive correct type-aware expansion.
-        Non-string scalars pass through unchanged.
-        """
+    async def _expand(value: Any) -> Any:
         if isinstance(value, str):
-            ref = parse_file_ref(value)
-            if ref is not None:
-                # MediaFileType fields: return the raw URI immediately —
-                # no file reading, no format inference, no content parsing.
-                if _is_media_file_field(prop_schema):
-                    return ref.uri
-
-                fmt = infer_format_from_uri(ref.uri)
-                # Workspace URIs by ID (workspace://abc123) have no extension.
-                # When the MIME fragment is also missing, fall back to the
-                # workspace file manager's metadata for format detection.
-                if fmt is None and ref.uri.startswith("workspace://"):
-                    fmt = await _infer_format_from_workspace(ref.uri, user_id, session)
-                return await _expand_bare_ref(ref, fmt, user_id, session, prop_schema)
-
-            # Not a bare ref — do normal inline expansion.
             return await expand_file_refs_in_string(
                 value, user_id, session, raise_on_error=True
             )
         if isinstance(value, dict):
-            # When the schema says this is an object but doesn't define
-            # inner properties, skip expansion — the caller (e.g.
-            # RunBlockTool) will expand with the actual nested schema.
-            if (
-                prop_schema is not None
-                and prop_schema.get("type") == "object"
-                and "properties" not in prop_schema
-            ):
-                return value
-            nested_props = (prop_schema or {}).get("properties", {})
-            return {
-                k: await _expand(v, prop_schema=nested_props.get(k))
-                for k, v in value.items()
-            }
+            return {k: await _expand(v) for k, v in value.items()}
         if isinstance(value, list):
-            items_schema = (prop_schema or {}).get("items")
-            return [await _expand(item, prop_schema=items_schema) for item in value]
+            return [await _expand(item) for item in value]
         return value
 
-    return {k: await _expand(v, prop_schema=properties.get(k)) for k, v in args.items()}
-
-
-# ---------------------------------------------------------------------------
-# Private helpers  (used by the public functions above)
-# ---------------------------------------------------------------------------
-
-
-def _apply_line_range(text: str, start: int | None, end: int | None) -> str:
-    """Slice *text* to the requested 1-indexed line range (inclusive).
-
-    When the requested range extends beyond the file, a note is appended
-    so the LLM knows it received the entire remaining content.
-    """
-    if start is None and end is None:
-        return text
-    lines = text.splitlines(keepends=True)
-    total = len(lines)
-    s = (start - 1) if start is not None else 0
-    e = end if end is not None else total
-    selected = list(itertools.islice(lines, s, e))
-    result = "".join(selected)
-    if end is not None and end > total:
-        result += f"\n[Note: file has only {total} lines]\n"
-    return result
-
-
-def _to_str(content: str | bytes) -> str:
-    """Decode *content* to a string if it is bytes, otherwise return as-is."""
-    if isinstance(content, str):
-        return content
-    return content.decode("utf-8", errors="replace")
-
-
-def _check_content_size(content: str | bytes) -> None:
-    """Raise :class:`ValueError` if *content* exceeds the byte limit.
-
-    Raises ``ValueError`` (not ``FileRefExpansionError``) so that the caller
-    (``_expand_bare_ref``) can unify all resolution errors into a single
-    ``except ValueError`` → ``FileRefExpansionError`` handler, keeping the
-    error-flow consistent with ``read_file_bytes`` and ``resolve_file_ref``.
-
-    For ``bytes``, the length is the byte count directly.  For ``str``,
-    we encode to UTF-8 first because multi-byte characters (e.g. emoji)
-    mean the byte size can be up to 4x the character count.
-    """
-    if isinstance(content, bytes):
-        size = len(content)
-    else:
-        char_len = len(content)
-        # Fast lower bound: UTF-8 byte count >= char count.
-        # If char count already exceeds the limit, reject immediately
-        # without allocating an encoded copy.
-        if char_len > _MAX_BARE_REF_BYTES:
-            size = char_len  # real byte size is even larger
-        # Fast upper bound: each char is at most 4 UTF-8 bytes.
-        # If worst-case is still under the limit, skip encoding entirely.
-        elif char_len * 4 <= _MAX_BARE_REF_BYTES:
-            return
-        else:
-            # Edge case: char count is under limit but multibyte chars
-            # might push byte count over. Encode to get exact size.
-            size = len(content.encode("utf-8"))
-    if size > _MAX_BARE_REF_BYTES:
-        raise ValueError(
-            f"File too large for structured parsing "
-            f"({size} bytes, limit {_MAX_BARE_REF_BYTES})"
-        )
-
-
-async def _infer_format_from_workspace(
-    uri: str,
-    user_id: str | None,
-    session: ChatSession,
-) -> str | None:
-    """Look up workspace file metadata to infer the format.
-
-    Workspace URIs by ID (``workspace://abc123``) have no file extension.
-    When the MIME fragment is also absent, we query the workspace file
-    manager for the file's stored MIME type and original filename.
-    """
-    if not user_id:
-        return None
-    try:
-        ws = parse_workspace_uri(uri)
-        manager = await get_workspace_manager(user_id, session.session_id)
-        info = await (
-            manager.get_file_info(ws.file_ref)
-            if not ws.is_path
-            else manager.get_file_info_by_path(ws.file_ref)
-        )
-        if info is None:
-            return None
-        # Try MIME type first, then filename extension.
-        mime = (info.mime_type or "").split(";", 1)[0].strip().lower()
-        return MIME_TO_FORMAT.get(mime) or infer_format_from_uri(info.name)
-    except (
-        ValueError,
-        FileNotFoundError,
-        OSError,
-        PermissionError,
-        AttributeError,
-        TypeError,
-    ):
-        # Expected failures: bad URI, missing file, permission denied, or
-        # workspace manager returning unexpected types.  Propagate anything
-        # else (e.g. programming errors) so they don't get silently swallowed.
-        logger.debug("workspace metadata lookup failed for %s", uri, exc_info=True)
-        return None
-
-
-def _is_media_file_field(prop_schema: dict[str, Any] | None) -> bool:
-    """Return True if *prop_schema* describes a MediaFileType field (format: file)."""
-    if prop_schema is None:
-        return False
-    return (
-        prop_schema.get("type") == "string"
-        and prop_schema.get("format") == MediaFileType.string_format
-    )
-
-
-async def _expand_bare_ref(
-    ref: FileRef,
-    fmt: str | None,
-    user_id: str | None,
-    session: ChatSession,
-    prop_schema: dict[str, Any] | None,
-) -> Any:
-    """Resolve and parse a bare ``@@agptfile:`` reference.
-
-    This is the structured-parsing path: the file is read, optionally parsed
-    according to *fmt*, and adapted to the target *prop_schema*.
-
-    Raises :class:`FileRefExpansionError` on resolution or parsing failure.
-
-    Note: MediaFileType fields (format: "file") are handled earlier in
-    ``_expand`` to avoid unnecessary format inference and file I/O.
-    """
-    try:
-        if fmt is not None and fmt in BINARY_FORMATS:
-            # Binary formats need raw bytes, not UTF-8 text.
-            # Line ranges are meaningless for binary formats (parquet/xlsx)
-            # — ignore them and parse full bytes.  Warn so the caller/model
-            # knows the range was silently dropped.
-            if ref.start_line is not None or ref.end_line is not None:
-                logger.warning(
-                    "Line range [%s-%s] ignored for binary format %s (%s); "
-                    "binary formats are always parsed in full.",
-                    ref.start_line,
-                    ref.end_line,
-                    fmt,
-                    ref.uri,
-                )
-            content: str | bytes = await read_file_bytes(ref.uri, user_id, session)
-        else:
-            content = await resolve_file_ref(ref, user_id, session)
-    except ValueError as exc:
-        raise FileRefExpansionError(str(exc)) from exc
-
-    # For known formats this rejects files >10 MB before parsing.
-    # For unknown formats _MAX_EXPAND_CHARS (200K chars) below is stricter,
-    # but this check still guards the parsing path which has no char limit.
-    # _check_content_size raises ValueError, which we unify here just like
-    # resolution errors above.
-    try:
-        _check_content_size(content)
-    except ValueError as exc:
-        raise FileRefExpansionError(str(exc)) from exc
-
-    # When the schema declares this parameter as "string",
-    # return raw file content — don't parse into a structured
-    # type that would need json.dumps() serialisation.
-    expect_string = (prop_schema or {}).get("type") == "string"
-    if expect_string:
-        if isinstance(content, bytes):
-            raise FileRefExpansionError(
-                f"Cannot use {fmt} file as text input: "
-                f"binary formats (parquet, xlsx) must be passed "
-                f"to a block that accepts structured data (list/object), "
-                f"not a string-typed parameter."
-            )
-        return content
-
-    if fmt is not None:
-        # Use strict mode for binary formats so we surface the
-        # actual error (e.g. missing pyarrow/openpyxl, corrupt
-        # file) instead of silently returning garbled bytes.
-        strict = fmt in BINARY_FORMATS
-        try:
-            parsed = parse_file_content(content, fmt, strict=strict)
-        except PARSE_EXCEPTIONS as exc:
-            raise FileRefExpansionError(f"Failed to parse {fmt} file: {exc}") from exc
-        # Normalize bytes fallback to str so tools never
-        # receive raw bytes when parsing fails.
-        if isinstance(parsed, bytes):
-            parsed = _to_str(parsed)
-        return _adapt_to_schema(parsed, prop_schema)
-
-    # Unknown format — return as plain string, but apply
-    # the same per-ref character limit used by inline refs
-    # to prevent injecting unexpectedly large content.
-    text = _to_str(content)
-    if len(text) > _MAX_EXPAND_CHARS:
-        text = text[:_MAX_EXPAND_CHARS] + "\n... [truncated]"
-    return text
-
-
-def _adapt_to_schema(parsed: Any, prop_schema: dict[str, Any] | None) -> Any:
-    """Adapt a parsed file value to better fit the target schema type.
-
-    When the parser returns a natural type (e.g. dict from YAML, list from CSV)
-    that doesn't match the block's expected type, this function converts it to
-    a more useful representation instead of relying on pydantic's generic
-    coercion (which can produce awkward results like flattened dicts → lists).
-
-    Returns *parsed* unchanged when no adaptation is needed.
-    """
-    if prop_schema is None:
-        return parsed
-
-    target_type = prop_schema.get("type")
-
-    # Dict → array: delegate to helper.
-    if isinstance(parsed, dict) and target_type == "array":
-        return _adapt_dict_to_array(parsed, prop_schema)
-
-    # List → object: delegate to helper (raises for non-tabular lists).
-    if isinstance(parsed, list) and target_type == "object":
-        return _adapt_list_to_object(parsed)
-
-    # Tabular list → Any (no type): convert to list of dicts.
-    # Blocks like FindInDictionaryBlock have `input: Any` which produces
-    # a schema with no "type" key.  Tabular [[header],[rows]] is unusable
-    # for key lookup, but [{col: val}, ...] works with FindInDict's
-    # list-of-dicts branch (line 195-199 in data_manipulation.py).
-    if isinstance(parsed, list) and target_type is None and _is_tabular(parsed):
-        return _tabular_to_list_of_dicts(parsed)
-
-    return parsed
-
-
-def _adapt_dict_to_array(parsed: dict, prop_schema: dict[str, Any]) -> Any:
-    """Adapt a parsed dict to an array-typed field.
-
-    Extracts list-valued entries when the target item type is ``array``,
-    passes through unchanged when item type is ``string`` (lets pydantic error),
-    or wraps in ``[parsed]`` as a fallback.
-    """
-    items_type = (prop_schema.get("items") or {}).get("type")
-    if items_type == "array":
-        # Target is List[List[Any]] — extract list-typed values from the
-        # dict as inner lists.  E.g. YAML {"fruits": [{...},...]}} with
-        # ConcatenateLists (List[List[Any]]) → [[{...},...]].
-        list_values = [v for v in parsed.values() if isinstance(v, list)]
-        if list_values:
-            return list_values
-    if items_type == "string":
-        # Target is List[str] — wrapping a dict would give [dict]
-        # which can't coerce to strings.  Return unchanged and let
-        # pydantic surface a clear validation error.
-        return parsed
-    # Fallback: wrap in a single-element list so the block gets [dict]
-    # instead of pydantic flattening keys/values into a flat list.
-    return [parsed]
-
-
-def _adapt_list_to_object(parsed: list) -> Any:
-    """Adapt a parsed list to an object-typed field.
-
-    Converts tabular lists to column-dicts; raises for non-tabular lists.
-    """
-    if _is_tabular(parsed):
-        return _tabular_to_column_dict(parsed)
-    # Non-tabular list (e.g. a plain Python list from a YAML file) cannot
-    # be meaningfully coerced to an object.  Raise explicitly so callers
-    # get a clear error rather than pydantic silently wrapping the list.
-    raise FileRefExpansionError(
-        "Cannot adapt a non-tabular list to an object-typed field. "
-        "Expected a tabular structure ([[header], [row1], ...]) or a dict."
-    )
-
-
-def _is_tabular(parsed: Any) -> bool:
-    """Check if parsed data is in tabular format: [[header], [row1], ...].
-
-    Uses isinstance checks because this is a structural type guard on
-    opaque parser output (Any), not duck typing.  A Protocol wouldn't
-    help here — we need to verify exact list-of-lists shape.
-    """
-    if not isinstance(parsed, list) or len(parsed) < 2:
-        return False
-    header = parsed[0]
-    if not isinstance(header, list) or not header:
-        return False
-    if not all(isinstance(h, str) for h in header):
-        return False
-    return all(isinstance(row, list) for row in parsed[1:])
-
-
-def _tabular_to_list_of_dicts(parsed: list) -> list[dict[str, Any]]:
-    """Convert [[header], [row1], ...] → [{header[0]: row[0], ...}, ...].
-
-    Ragged rows (fewer columns than the header) get None for missing values.
-    Extra values beyond the header length are silently dropped.
-    """
-    header = parsed[0]
-    return [
-        dict(itertools.zip_longest(header, row[: len(header)], fillvalue=None))
-        for row in parsed[1:]
-    ]
-
-
-def _tabular_to_column_dict(parsed: list) -> dict[str, list]:
-    """Convert [[header], [row1], ...] → {"col1": [val1, ...], ...}.
-
-    Ragged rows (fewer columns than the header) get None for missing values,
-    ensuring all columns have equal length.
-    """
-    header = parsed[0]
-    return {
-        col: [row[i] if i < len(row) else None for row in parsed[1:]]
-        for i, col in enumerate(header)
-    }
+    return {k: await _expand(v) for k, v in args.items()}

autogpt_platform/backend/backend/copilot/sdk/file_ref_integration_test.py

@@ -175,199 +175,6 @@ async def test_expand_args_replaces_file_ref_in_nested_dict():
         assert result["count"] == 42
 
 
-# ---------------------------------------------------------------------------
-# expand_file_refs_in_args — bare ref structured parsing
-# ---------------------------------------------------------------------------
-
-
-@pytest.mark.asyncio
-async def test_bare_ref_json_returns_parsed_dict():
-    """Bare ref to a .json file returns parsed dict, not raw string."""
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        json_file = os.path.join(sdk_cwd, "data.json")
-        with open(json_file, "w") as f:
-            f.write('{"key": "value", "count": 42}')
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            result = await expand_file_refs_in_args(
-                {"data": f"@@agptfile:{json_file}"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        assert result["data"] == {"key": "value", "count": 42}
-
-
-@pytest.mark.asyncio
-async def test_bare_ref_csv_returns_parsed_table():
-    """Bare ref to a .csv file returns list[list[str]] table."""
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        csv_file = os.path.join(sdk_cwd, "data.csv")
-        with open(csv_file, "w") as f:
-            f.write("Name,Score\nAlice,90\nBob,85")
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            result = await expand_file_refs_in_args(
-                {"input": f"@@agptfile:{csv_file}"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        assert result["input"] == [
-            ["Name", "Score"],
-            ["Alice", "90"],
-            ["Bob", "85"],
-        ]
-
-
-@pytest.mark.asyncio
-async def test_bare_ref_unknown_extension_returns_string():
-    """Bare ref to a file with unknown extension returns plain string."""
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        txt_file = os.path.join(sdk_cwd, "readme.txt")
-        with open(txt_file, "w") as f:
-            f.write("plain text content")
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            result = await expand_file_refs_in_args(
-                {"data": f"@@agptfile:{txt_file}"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        assert result["data"] == "plain text content"
-        assert isinstance(result["data"], str)
-
-
-@pytest.mark.asyncio
-async def test_bare_ref_invalid_json_falls_back_to_string():
-    """Bare ref to a .json file with invalid JSON falls back to string."""
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        json_file = os.path.join(sdk_cwd, "bad.json")
-        with open(json_file, "w") as f:
-            f.write("not valid json {{{")
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            result = await expand_file_refs_in_args(
-                {"data": f"@@agptfile:{json_file}"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        assert result["data"] == "not valid json {{{"
-        assert isinstance(result["data"], str)
-
-
-@pytest.mark.asyncio
-async def test_embedded_ref_always_returns_string_even_for_json():
-    """Embedded ref (text around it) returns plain string, not parsed JSON."""
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        json_file = os.path.join(sdk_cwd, "data.json")
-        with open(json_file, "w") as f:
-            f.write('{"key": "value"}')
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            result = await expand_file_refs_in_args(
-                {"data": f"prefix @@agptfile:{json_file} suffix"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        assert isinstance(result["data"], str)
-        assert result["data"].startswith("prefix ")
-        assert result["data"].endswith(" suffix")
-
-
-@pytest.mark.asyncio
-async def test_bare_ref_yaml_returns_parsed_dict():
-    """Bare ref to a .yaml file returns parsed dict."""
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        yaml_file = os.path.join(sdk_cwd, "config.yaml")
-        with open(yaml_file, "w") as f:
-            f.write("name: test\ncount: 42\n")
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            result = await expand_file_refs_in_args(
-                {"config": f"@@agptfile:{yaml_file}"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        assert result["config"] == {"name": "test", "count": 42}
-
-
-@pytest.mark.asyncio
-async def test_bare_ref_binary_with_line_range_ignores_range():
-    """Bare ref to a binary file (.parquet) with line range parses the full file.
-
-    Binary formats (parquet, xlsx) ignore line ranges — the full content is
-    parsed and the range is silently dropped with a log warning.
-    """
-    try:
-        import pandas as pd
-    except ImportError:
-        pytest.skip("pandas not installed")
-    try:
-        import pyarrow  # noqa: F401  # pyright: ignore[reportMissingImports]
-    except ImportError:
-        pytest.skip("pyarrow not installed")
-
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        parquet_file = os.path.join(sdk_cwd, "data.parquet")
-        import io as _io
-
-        df = pd.DataFrame({"A": [1, 2, 3], "B": [4, 5, 6]})
-        buf = _io.BytesIO()
-        df.to_parquet(buf, index=False)
-        with open(parquet_file, "wb") as f:
-            f.write(buf.getvalue())
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            # Line range [1-2] should be silently ignored for binary formats.
-            result = await expand_file_refs_in_args(
-                {"data": f"@@agptfile:{parquet_file}[1-2]"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        # Full file is returned despite the line range.
-        assert result["data"] == [["A", "B"], [1, 4], [2, 5], [3, 6]]
-
-
-@pytest.mark.asyncio
-async def test_bare_ref_toml_returns_parsed_dict():
-    """Bare ref to a .toml file returns parsed dict."""
-    with tempfile.TemporaryDirectory() as sdk_cwd:
-        toml_file = os.path.join(sdk_cwd, "config.toml")
-        with open(toml_file, "w") as f:
-            f.write('name = "test"\ncount = 42\n')
-
-        with patch("backend.copilot.context._current_sdk_cwd") as mock_cwd_var:
-            mock_cwd_var.get.return_value = sdk_cwd
-
-            result = await expand_file_refs_in_args(
-                {"config": f"@@agptfile:{toml_file}"},
-                user_id="u1",
-                session=_make_session(),
-            )
-
-        assert result["config"] == {"name": "test", "count": 42}
-
-
 # ---------------------------------------------------------------------------
 # _read_file_handler — extended to accept workspace:// and local paths
 # ---------------------------------------------------------------------------
@@ -412,7 +219,7 @@ async def test_read_file_handler_workspace_uri():
         "backend.copilot.sdk.tool_adapter.get_execution_context",
         return_value=("user-1", mock_session),
     ), patch(
-        "backend.copilot.sdk.file_ref.get_workspace_manager",
+        "backend.copilot.sdk.file_ref.get_manager",
         new=AsyncMock(return_value=mock_manager),
     ):
         result = await _read_file_handler(
@@ -469,7 +276,7 @@ async def test_read_file_bytes_workspace_virtual_path():
     mock_manager.read_file.return_value = b"virtual path content"
 
     with patch(
-        "backend.copilot.sdk.file_ref.get_workspace_manager",
+        "backend.copilot.sdk.file_ref.get_manager",
         new=AsyncMock(return_value=mock_manager),
     ):
         result = await read_file_bytes("workspace:///reports/q1.md", "user-1", session)

autogpt_platform/backend/backend/copilot/sdk/mcp_tool_guide.md

@@ -20,40 +20,9 @@ Use these URLs directly without asking the user:
 | Cloudflare | `https://mcp.cloudflare.com/mcp` |
 | Atlassian / Jira | `https://mcp.atlassian.com/mcp` |
 
-For other services, search the MCP registry API:
-```http
-GET https://registry.modelcontextprotocol.io/v0/servers?q=<search_term>
-```
-Each result includes a `remotes` array with the exact server URL to use.
-
-### Important: Check blocks first
-
-Before using `run_mcp_tool`, always check if the platform already has blocks for the service
-using `find_block`. The platform has hundreds of built-in blocks (Google Sheets, Google Docs,
-Google Calendar, Gmail, etc.) that work without MCP setup.
-
-Only use `run_mcp_tool` when:
-- The service is in the known hosted MCP servers list above, OR
-- You searched `find_block` first and found no matching blocks
-
-**Never guess or construct MCP server URLs.** Only use URLs from the known servers list above
-or from the `remotes[].url` field in MCP registry search results.
+For other services, search the MCP registry at https://registry.modelcontextprotocol.io/.
 
 ### Authentication
 
 If the server requires credentials, a `SetupRequirementsResponse` is returned with an OAuth
 login prompt. Once the user completes the flow and confirms, retry the same call immediately.
-
-### Communication style
-
-Avoid technical jargon like "MCP server", "OAuth", or "credentials" when talking to the user.
-Use plain, friendly language instead:
-
-| Instead of… | Say… |
-|---|---|
-| "Let me connect to Sentry's MCP server and discover what tools are available." | "I can connect to Sentry and help identify important issues." |
-| "Let me connect to Sentry's MCP server now." | "Next, I'll connect to Sentry." |
-| "The MCP server at mcp.sentry.dev requires authentication. Please connect your credentials to continue." | "To continue, sign in to Sentry and approve access." |
-| "Sentry's MCP server needs OAuth authentication. You should see a prompt to connect your Sentry account…" | "You should see a prompt to sign in to Sentry. Once connected, I can help surface critical issues right away." |
-
-Use **"connect to [Service]"** or **"sign in to [Service]"** — never "MCP server", "OAuth", or "credentials".

autogpt_platform/backend/backend/copilot/sdk/otel_setup_test.py

@@ -36,7 +36,7 @@ class TestSetupLangfuseOtel:
         """OTEL env vars should be set when Langfuse credentials exist."""
         mock_settings = MagicMock()
         mock_settings.secrets.langfuse_public_key = "pk-test-123"
-        mock_settings.secrets.langfuse_secret_key = "sk-test-456"
+        mock_settings.secrets.langfuse_secret_key = "sk-test-456"  # pragma: allowlist secret  # noqa: E501; fmt: skip
         mock_settings.secrets.langfuse_host = "https://langfuse.example.com"
         mock_settings.secrets.langfuse_tracing_environment = "test"
 
@@ -91,7 +91,7 @@ class TestSetupLangfuseOtel:
         """Explicit env-var overrides should not be clobbered."""
         mock_settings = MagicMock()
         mock_settings.secrets.langfuse_public_key = "pk-test"
-        mock_settings.secrets.langfuse_secret_key = "sk-test"
+        mock_settings.secrets.langfuse_secret_key = "sk-test"  # pragma: allowlist secret  # noqa: E501; fmt: skip
         mock_settings.secrets.langfuse_host = "https://langfuse.example.com"
 
         with (

autogpt_platform/backend/backend/copilot/sdk/security_hooks.py

@@ -127,7 +127,7 @@ def create_security_hooks(
     user_id: str | None,
     sdk_cwd: str | None = None,
     max_subtasks: int = 3,
-    on_compact: Callable[[str], None] | None = None,
+    on_compact: Callable[[], None] | None = None,
 ) -> dict[str, Any]:
     """Create the security hooks configuration for Claude Agent SDK.
 
@@ -142,7 +142,6 @@ def create_security_hooks(
         sdk_cwd: SDK working directory for workspace-scoped tool validation
         max_subtasks: Maximum concurrent Task (sub-agent) spawns allowed per session
         on_compact: Callback invoked when SDK starts compacting context.
-            Receives the transcript_path from the hook input.
 
     Returns:
         Hooks configuration dict for ClaudeAgentOptions
@@ -302,21 +301,11 @@ def create_security_hooks(
             """
             _ = context, tool_use_id
             trigger = input_data.get("trigger", "auto")
-            # Sanitize untrusted input before logging to prevent log injection
-            transcript_path = (
-                str(input_data.get("transcript_path", ""))
-                .replace("\n", "")
-                .replace("\r", "")
-            )
             logger.info(
-                "[SDK] Context compaction triggered: %s, user=%s, "
-                "transcript_path=%s",
-                trigger,
-                user_id,
-                transcript_path,
+                f"[SDK] Context compaction triggered: {trigger}, user={user_id}"
             )
             if on_compact is not None:
-                on_compact(transcript_path)
+                on_compact()
             return cast(SyncHookJSONOutput, {})
 
         hooks: dict[str, Any] = {

autogpt_platform/backend/backend/copilot/sdk/service.py

@@ -29,7 +29,6 @@ from langfuse import propagate_attributes
 from langsmith.integrations.claude_agent_sdk import configure_claude_agent_sdk
 from pydantic import BaseModel
 
-from backend.copilot.context import get_workspace_manager
 from backend.data.redis_client import get_redis_async
 from backend.executor.cluster_lock import AsyncClusterLock
 from backend.util.exceptions import NotFoundError
@@ -63,6 +62,7 @@ from ..service import (
 )
 from ..tools.e2b_sandbox import get_or_create_sandbox, pause_sandbox_direct
 from ..tools.sandbox import WORKSPACE_PREFIX, make_session_path
+from ..tools.workspace_files import get_manager
 from ..tracking import track_user_message
 from .compaction import CompactionTracker, filter_compaction_messages
 from .response_adapter import SDKResponseAdapter
@@ -77,7 +77,6 @@ from .tool_adapter import (
 from .transcript import (
     cleanup_cli_project_dir,
     download_transcript,
-    read_compacted_entries,
     upload_transcript,
     validate_transcript,
     write_transcript_to_tempfile,
@@ -565,7 +564,7 @@ async def _prepare_file_attachments(
         return empty
 
     try:
-        manager = await get_workspace_manager(user_id, session_id)
+        manager = await get_manager(user_id, session_id)
     except Exception:
         logger.warning(
             "Failed to create workspace manager for file attachments",
@@ -769,7 +768,7 @@ async def stream_chat_completion_sdk(
                     )
                 return None
             try:
-                sandbox = await get_or_create_sandbox(
+                return await get_or_create_sandbox(
                     session_id,
                     api_key=e2b_api_key,
                     template=config.e2b_sandbox_template,
@@ -783,9 +782,7 @@ async def stream_chat_completion_sdk(
                     e2b_err,
                     exc_info=True,
                 )
-                return None
-
-            return sandbox
+            return None
 
         async def _fetch_transcript():
             """Download transcript for --resume if applicable."""
@@ -1048,7 +1045,6 @@ async def stream_chat_completion_sdk(
                             exc_info=True,
                         )
                         ended_with_stream_error = True
-
                         yield StreamError(
                             errorText=f"SDK stream error: {stream_err}",
                             code="sdk_stream_error",
@@ -1133,26 +1129,9 @@ async def stream_chat_completion_sdk(
                                 sdk_msg.result or "(no error message provided)",
                             )
 
-                    # Emit compaction end if SDK finished compacting.
-                    # When compaction ends, sync TranscriptBuilder with the
-                    # CLI's active context so they stay identical.
-                    compact_result = await compaction.emit_end_if_ready(session)
-                    for ev in compact_result.events:
+                    # Emit compaction end if SDK finished compacting
+                    for ev in await compaction.emit_end_if_ready(session):
                         yield ev
-                    # After replace_entries, skip append_assistant for this
-                    # sdk_msg — the CLI session file already contains it,
-                    # so appending again would create a duplicate.
-                    entries_replaced = False
-                    if compact_result.just_ended:
-                        compacted = await asyncio.to_thread(
-                            read_compacted_entries,
-                            compact_result.transcript_path,
-                        )
-                        if compacted is not None:
-                            transcript_builder.replace_entries(
-                                compacted, log_prefix=log_prefix
-                            )
-                            entries_replaced = True
 
                     for response in adapter.convert_message(sdk_msg):
                         if isinstance(response, StreamStart):
@@ -1239,11 +1218,10 @@ async def stream_chat_completion_sdk(
                                     tool_call_id=response.toolCallId,
                                 )
                             )
-                            if not entries_replaced:
-                                transcript_builder.append_tool_result(
-                                    tool_use_id=response.toolCallId,
-                                    content=content,
-                                )
+                            transcript_builder.append_tool_result(
+                                tool_use_id=response.toolCallId,
+                                content=content,
+                            )
                             has_tool_results = True
 
                         elif isinstance(response, StreamFinish):
@@ -1253,9 +1231,7 @@ async def stream_chat_completion_sdk(
                     # any stashed tool results from the previous turn are
                     # recorded first, preserving the required API order:
                     # assistant(tool_use) → tool_result → assistant(text).
-                    # Skip if replace_entries just ran — the CLI session
-                    # file already contains this message.
-                    if isinstance(sdk_msg, AssistantMessage) and not entries_replaced:
+                    if isinstance(sdk_msg, AssistantMessage):
                         transcript_builder.append_assistant(
                             content_blocks=_format_sdk_content_blocks(sdk_msg.content),
                             model=sdk_msg.model,
@@ -1446,13 +1422,13 @@ async def stream_chat_completion_sdk(
             task.add_done_callback(_background_tasks.discard)
 
         # --- Upload transcript for next-turn --resume ---
-        # TranscriptBuilder is the single source of truth.  It mirrors the
-        # CLI's active context: on compaction, replace_entries() syncs it
-        # with the compacted session file.  No CLI file read needed here.
+        # This MUST run in finally so the transcript is uploaded even when
+        # the streaming loop raises an exception.
+        # The transcript represents the COMPLETE active context (atomic).
         if config.claude_agent_use_resume and user_id and session is not None:
             try:
+                # Build complete transcript from captured SDK messages
                 transcript_content = transcript_builder.to_jsonl()
-                entry_count = transcript_builder.entry_count
 
                 if not transcript_content:
                     logger.warning(
@@ -1462,15 +1438,18 @@ async def stream_chat_completion_sdk(
                     logger.warning(
                         "%s Transcript invalid, skipping upload (entries=%d)",
                         log_prefix,
-                        entry_count,
+                        transcript_builder.entry_count,
                     )
                 else:
                     logger.info(
-                        "%s Uploading transcript (entries=%d, bytes=%d)",
+                        "%s Uploading complete transcript (entries=%d, bytes=%d)",
                         log_prefix,
-                        entry_count,
+                        transcript_builder.entry_count,
                         len(transcript_content),
                     )
+                    # Shield upload from cancellation - let it complete even if
+                    # the finally block is interrupted. No timeout to avoid race
+                    # conditions where backgrounded uploads overwrite newer transcripts.
                     await asyncio.shield(
                         upload_transcript(
                             user_id=user_id,