Release SDK updates

pyproject.toml

@@ -41,7 +41,10 @@ Homepage = "https://github.com/warpdotdev/oz-sdk-python"
 Repository = "https://github.com/warpdotdev/oz-sdk-python"
 
 [project.optional-dependencies]
-aiohttp = ["aiohttp>=3.13.5", "httpx_aiohttp>=0.1.9"]
+# Security pin: aiohttp<3.14.0 is vulnerable to multiple CVEs (CVE-2026-34993,
+# CVE-2026-47265, CVE-2026-54273 through CVE-2026-54280, CVE-2026-50269).
+# aiohttp 3.14.x dropped Python 3.9 support, so restrict to python_version >= '3.10'.
+aiohttp = ["aiohttp>=3.14.1; python_version >= '3.10'", "httpx_aiohttp>=0.1.9; python_version >= '3.10'"]
 
 [tool.uv]
 managed = true
@@ -50,7 +53,14 @@ required-version = ">=0.9"
 # declared above. Versions <3.15 are vulnerable to CVE-2026-45409
 # (GHSA-65pc-fj4g-8rjx), so constrain it without adding it as a direct
 # dependency. Sealed as custom code so it survives SDK regeneration.
-constraint-dependencies = ["idna>=3.15"]
+constraint-dependencies = [
+  "idna>=3.15",
+  # Security pin: pytest<9.0.3 is vulnerable to CVE-2025-71176 (tmpdir handling).
+  # pytest 9.0.3 requires Python>=3.10; pin only for compatible versions.
+  "pytest>=9.0.3; python_version >= '3.10'",
+  # Security pin: pygments<2.20.0 is vulnerable to CVE-2026-4539 (ReDoS).
+  "pygments>=2.20.0",
+]
 conflicts = [
     [
       { group = "pydantic-v1" },

requirements-dev.lock

@@ -1,5 +1,5 @@
 # This file was autogenerated by uv via the following command:
-#    uv export -o requirements-dev.lock --no-hashes
+#    uv export --group dev --no-hashes
 -e .
 annotated-types==0.7.0
     # via pydantic
@@ -32,7 +32,7 @@ httpx==0.28.1
     # via
     #   oz-agent-sdk
     #   respx
-idna==3.11
+idna==3.18
     # via
     #   anyio
     #   httpx
@@ -62,7 +62,7 @@ pydantic==2.12.5
     # via oz-agent-sdk
 pydantic-core==2.41.5
     # via pydantic
-pygments==2.19.2
+pygments==2.20.0
     # via
     #   pytest
     #   rich
@@ -71,7 +71,7 @@ pytest==8.4.2 ; python_full_version < '3.10'
     # via
     #   pytest-asyncio
     #   pytest-xdist
-pytest==9.0.2 ; python_full_version >= '3.10'
+pytest==9.1.1 ; python_full_version >= '3.10'
     # via
     #   pytest-asyncio
     #   pytest-xdist

src/oz_agent_sdk/_base_client.py

@@ -1397,7 +1397,7 @@ def __init__(self, **kwargs: Any) -> None:
 
 
 try:
-    import httpx_aiohttp
+    import httpx_aiohttp  # type: ignore[import]
 except ImportError:
 
     class _DefaultAioHttpClient(httpx.AsyncClient):
@@ -1411,7 +1411,7 @@ def __init__(self, **kwargs: Any) -> None:
             kwargs.setdefault("limits", DEFAULT_CONNECTION_LIMITS)
             kwargs.setdefault("follow_redirects", True)
 
-            super().__init__(**kwargs)
+            super().__init__(**kwargs)  # type: ignore[no-untyped-call]
 
 
 if TYPE_CHECKING:

src/oz_agent_sdk/resources/agent/agent_.py

@@ -58,7 +58,7 @@ def create(
         harness_auth_secrets: agent_create_params.HarnessAuthSecrets | Omit = omit,
         inference_providers: agent_create_params.InferenceProviders | Omit = omit,
         mcp_servers: Dict[str, McpServerConfigParam] | Omit = omit,
-        memory_stores: Iterable[agent_create_params.MemoryStore] | Omit = omit,
+        memory: agent_create_params.Memory | Omit = omit,
         prompt: Optional[str] | Omit = omit,
         secrets: Iterable[agent_create_params.Secret] | Omit = omit,
         skills: SequenceNotStr[str] | Omit = omit,
@@ -94,9 +94,7 @@ def create(
           mcp_servers: Optional map of MCP server configurations by name to attach to runs executed by
               this agent. Run-level MCP config takes precedence over this agent-level default.
 
-          memory_stores: Optional list of memory stores to attach to the agent. Each store must be
-              team-owned by the same team as the agent. Duplicate UIDs within a single request
-              are rejected.
+          memory: Memory settings for creating an agent.
 
           prompt: Optional base prompt for this agent
 
@@ -131,7 +129,7 @@ def create(
                     "harness_auth_secrets": harness_auth_secrets,
                     "inference_providers": inference_providers,
                     "mcp_servers": mcp_servers,
-                    "memory_stores": memory_stores,
+                    "memory": memory,
                     "prompt": prompt,
                     "secrets": secrets,
                     "skills": skills,
@@ -155,7 +153,7 @@ def update(
         harness_auth_secrets: Optional[agent_update_params.HarnessAuthSecrets] | Omit = omit,
         inference_providers: Optional[agent_update_params.InferenceProviders] | Omit = omit,
         mcp_servers: Dict[str, McpServerConfigParam] | Omit = omit,
-        memory_stores: Optional[Iterable[agent_update_params.MemoryStore]] | Omit = omit,
+        memory: Optional[agent_update_params.Memory] | Omit = omit,
         name: str | Omit = omit,
         prompt: Optional[str] | Omit = omit,
         secrets: Optional[Iterable[agent_update_params.Secret]] | Omit = omit,
@@ -193,8 +191,7 @@ def update(
               pass an empty object to clear, or pass a non-empty object to replace. Run-level
               MCP config takes precedence over this agent-level default.
 
-          memory_stores: Replacement list of memory stores. Omit to leave unchanged, pass an empty array
-              to clear, or pass a non-empty array to replace.
+          memory: Memory settings for updating an agent.
 
           name: The new name for the agent
 
@@ -228,7 +225,7 @@ def update(
                     "harness_auth_secrets": harness_auth_secrets,
                     "inference_providers": inference_providers,
                     "mcp_servers": mcp_servers,
-                    "memory_stores": memory_stores,
+                    "memory": memory,
                     "name": name,
                     "prompt": prompt,
                     "secrets": secrets,
@@ -370,7 +367,7 @@ async def create(
         harness_auth_secrets: agent_create_params.HarnessAuthSecrets | Omit = omit,
         inference_providers: agent_create_params.InferenceProviders | Omit = omit,
         mcp_servers: Dict[str, McpServerConfigParam] | Omit = omit,
-        memory_stores: Iterable[agent_create_params.MemoryStore] | Omit = omit,
+        memory: agent_create_params.Memory | Omit = omit,
         prompt: Optional[str] | Omit = omit,
         secrets: Iterable[agent_create_params.Secret] | Omit = omit,
         skills: SequenceNotStr[str] | Omit = omit,
@@ -406,9 +403,7 @@ async def create(
           mcp_servers: Optional map of MCP server configurations by name to attach to runs executed by
               this agent. Run-level MCP config takes precedence over this agent-level default.
 
-          memory_stores: Optional list of memory stores to attach to the agent. Each store must be
-              team-owned by the same team as the agent. Duplicate UIDs within a single request
-              are rejected.
+          memory: Memory settings for creating an agent.
 
           prompt: Optional base prompt for this agent
 
@@ -443,7 +438,7 @@ async def create(
                     "harness_auth_secrets": harness_auth_secrets,
                     "inference_providers": inference_providers,
                     "mcp_servers": mcp_servers,
-                    "memory_stores": memory_stores,
+                    "memory": memory,
                     "prompt": prompt,
                     "secrets": secrets,
                     "skills": skills,
@@ -467,7 +462,7 @@ async def update(
         harness_auth_secrets: Optional[agent_update_params.HarnessAuthSecrets] | Omit = omit,
         inference_providers: Optional[agent_update_params.InferenceProviders] | Omit = omit,
         mcp_servers: Dict[str, McpServerConfigParam] | Omit = omit,
-        memory_stores: Optional[Iterable[agent_update_params.MemoryStore]] | Omit = omit,
+        memory: Optional[agent_update_params.Memory] | Omit = omit,
         name: str | Omit = omit,
         prompt: Optional[str] | Omit = omit,
         secrets: Optional[Iterable[agent_update_params.Secret]] | Omit = omit,
@@ -505,8 +500,7 @@ async def update(
               pass an empty object to clear, or pass a non-empty object to replace. Run-level
               MCP config takes precedence over this agent-level default.
 
-          memory_stores: Replacement list of memory stores. Omit to leave unchanged, pass an empty array
-              to clear, or pass a non-empty array to replace.
+          memory: Memory settings for updating an agent.
 
           name: The new name for the agent
 
@@ -540,7 +534,7 @@ async def update(
                     "harness_auth_secrets": harness_auth_secrets,
                     "inference_providers": inference_providers,
                     "mcp_servers": mcp_servers,
-                    "memory_stores": memory_stores,
+                    "memory": memory,
                     "name": name,
                     "prompt": prompt,
                     "secrets": secrets,

src/oz_agent_sdk/types/agent/agent_create_params.py

@@ -13,7 +13,9 @@
     "HarnessAuthSecrets",
     "InferenceProviders",
     "InferenceProvidersAws",
-    "MemoryStore",
+    "Memory",
+    "MemoryAttachedStore",
+    "MemoryAutoMemory",
     "Secret",
 ]
 
@@ -52,12 +54,8 @@ class AgentCreateParams(TypedDict, total=False):
     this agent. Run-level MCP config takes precedence over this agent-level default.
     """
 
-    memory_stores: Iterable[MemoryStore]
-    """
-    Optional list of memory stores to attach to the agent. Each store must be
-    team-owned by the same team as the agent. Duplicate UIDs within a single request
-    are rejected.
-    """
+    memory: Memory
+    """Memory settings for creating an agent."""
 
     prompt: Optional[str]
     """Optional base prompt for this agent"""
@@ -123,7 +121,7 @@ class InferenceProviders(TypedDict, total=False):
     """Configures AWS Bedrock as the LLM inference provider for this agent or run."""
 
 
-class MemoryStore(TypedDict, total=False):
+class MemoryAttachedStore(TypedDict, total=False):
     """Reference to a memory store to attach to an agent."""
 
     access: Required[Literal["read_write", "read_only"]]
@@ -136,6 +134,29 @@ class MemoryStore(TypedDict, total=False):
     """UID of the memory store."""
 
 
+class MemoryAutoMemory(TypedDict, total=False):
+    """Auto-memory settings for creating an agent."""
+
+    enabled: bool
+    """
+    Whether to create and attach a default service-account-owned memory store for
+    this agent. Defaults to true when omitted.
+    """
+
+
+class Memory(TypedDict, total=False):
+    """Memory settings for creating an agent."""
+
+    attached_stores: Iterable[MemoryAttachedStore]
+    """
+    Existing team memory stores to attach to the agent. Duplicate UIDs within a
+    single request are rejected.
+    """
+
+    auto_memory: MemoryAutoMemory
+    """Auto-memory settings for creating an agent."""
+
+
 class Secret(TypedDict, total=False):
     """Reference to a managed secret by name."""
 

src/oz_agent_sdk/types/agent/agent_response.py

@@ -9,15 +9,18 @@
 
 __all__ = [
     "AgentResponse",
-    "MemoryStore",
+    "Memory",
+    "MemoryAttachedStore",
+    "MemoryAutoMemory",
+    "MemoryAutoMemoryStore",
     "Secret",
     "HarnessAuthSecrets",
     "InferenceProviders",
     "InferenceProvidersAws",
 ]
 
 
-class MemoryStore(BaseModel):
+class MemoryAttachedStore(BaseModel):
     """Reference to a memory store to attach to an agent."""
 
     access: Literal["read_write", "read_only"]
@@ -30,6 +33,48 @@ class MemoryStore(BaseModel):
     """UID of the memory store."""
 
 
+class MemoryAutoMemoryStore(BaseModel):
+    """Memory store attached to an agent."""
+
+    access: Literal["read_write", "read_only"]
+    """Access level for the store."""
+
+    instructions: str
+    """Instructions for how the agent should use this memory store."""
+
+    owner_type: Literal["user", "service_account", "team"]
+    """Public owner type."""
+
+    owner_uid: str
+    """Public UID of the user, service account, or team that owns the memory store."""
+
+    uid: str
+    """UID of the memory store."""
+
+    description: Optional[str] = None
+    """Optional description for the memory store."""
+
+
+class MemoryAutoMemory(BaseModel):
+    """Auto-memory state for an agent."""
+
+    enabled: bool
+    """Whether this agent has an agent-owned memory store."""
+
+    store: Optional[MemoryAutoMemoryStore] = None
+    """Memory store attached to an agent."""
+
+
+class Memory(BaseModel):
+    """Memory settings for an agent."""
+
+    attached_stores: List[MemoryAttachedStore]
+    """Team memory stores attached to the agent."""
+
+    auto_memory: MemoryAutoMemory
+    """Auto-memory state for an agent."""
+
+
 class Secret(BaseModel):
     """Reference to a managed secret by name."""
 
@@ -88,11 +133,8 @@ class AgentResponse(BaseModel):
     created_at: datetime
     """When the agent was created (RFC3339)"""
 
-    memory_stores: List[MemoryStore]
-    """
-    Memory stores attached to this agent. Always present; empty when no stores are
-    attached.
-    """
+    memory: Memory
+    """Memory settings for an agent."""
 
     name: str
     """Name of the agent"""

src/oz_agent_sdk/types/agent/agent_update_params.py

@@ -13,7 +13,8 @@
     "HarnessAuthSecrets",
     "InferenceProviders",
     "InferenceProvidersAws",
-    "MemoryStore",
+    "Memory",
+    "MemoryAttachedStore",
     "Secret",
 ]
 
@@ -60,12 +61,8 @@ class AgentUpdateParams(TypedDict, total=False):
     default.
     """
 
-    memory_stores: Optional[Iterable[MemoryStore]]
-    """Replacement list of memory stores.
-
-    Omit to leave unchanged, pass an empty array to clear, or pass a non-empty array
-    to replace.
-    """
+    memory: Optional[Memory]
+    """Memory settings for updating an agent."""
 
     name: str
     """The new name for the agent"""
@@ -135,7 +132,7 @@ class InferenceProviders(TypedDict, total=False):
     """Configures AWS Bedrock as the LLM inference provider for this agent or run."""
 
 
-class MemoryStore(TypedDict, total=False):
+class MemoryAttachedStore(TypedDict, total=False):
     """Reference to a memory store to attach to an agent."""
 
     access: Required[Literal["read_write", "read_only"]]
@@ -148,6 +145,17 @@ class MemoryStore(TypedDict, total=False):
     """UID of the memory store."""
 
 
+class Memory(TypedDict, total=False):
+    """Memory settings for updating an agent."""
+
+    attached_stores: Optional[Iterable[MemoryAttachedStore]]
+    """Replacement list of attached team memory stores.
+
+    Omit to leave unchanged, pass an empty array to clear, or pass a non-empty array
+    to replace.
+    """
+
+
 class Secret(TypedDict, total=False):
     """Reference to a managed secret by name."""