Merge branch 'main' into implement-token-caching

Author: prashantrakheja

.github/workflows/check-version-bump.yaml

@@ -5,6 +5,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   check-version-bump:
     name: Enforce version bump when src/ is modified

.github/workflows/commit-validation.yaml

@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   commit-validation:
     runs-on: ${{ contains(github.server_url, 'github.com') && 'ubuntu-latest' || fromJSON('["self-hosted"]') }}

.github/workflows/proto-verify.yaml

@@ -15,6 +15,9 @@ on:
       - 'src/sap_cloud_sdk/core/auditlog_ng/proto/**'
       - 'Makefile'
 
+permissions:
+  contents: read
+
 jobs:
   verify-proto:
     name: Verify generated proto code is up-to-date

.github/workflows/release-internal.yml

@@ -6,6 +6,9 @@ on:
       - main
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     name: Publish to Artifactory

.github/workflows/reuse.yaml

@@ -8,6 +8,9 @@ on:
     branches:
       - "main"
 
+permissions:
+  contents: read
+
 jobs:
   check-reuse-compliance:
     runs-on: ${{ contains(github.server_url, 'github.com') && 'ubuntu-latest' || fromJSON('["self-hosted"]') }}

.github/workflows/sync.yaml

@@ -5,6 +5,9 @@ on:
     - cron: '0 */3 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   sync:
     runs-on: ["self-hosted"]

README.md

@@ -11,11 +11,15 @@ The Python SDK offers a clean, type-safe API following Python best practices whi
 ### Key Features
 
 - **Agent Decorators**
+- **Agent Gateway**
+- **Agent Memory**
 - **AI Core Integration**
 - **Audit Log Service**
-- **Agent Memory Service**
+- **Audit Log NG**
 - **Destination Service**
 - **Document Management Service**
+- **Extensibility**
+- **IAS (Identity and Access Service)**
 - **ObjectStore Service**
 - **Secret Resolver**
 - **Telemetry & Observability**
@@ -60,10 +64,15 @@ The SDK automatically resolves configuration from multiple sources with the foll
 Each module has comprehensive usage guides:
 
 - [Agent Decorators](src/sap_cloud_sdk/agent_decorators/user-guide.md)
-- [AuditLog](src/sap_cloud_sdk/core/auditlog/user-guide.md)
+- [Agent Gateway](src/sap_cloud_sdk/agentgateway/user-guide.md)
 - [Agent Memory](src/sap_cloud_sdk/agent_memory/user-guide.md)
+- [AI Core](src/sap_cloud_sdk/aicore/user-guide.md)
+- [AuditLog](src/sap_cloud_sdk/core/auditlog/user-guide.md)
+- [AuditLog NG](src/sap_cloud_sdk/core/auditlog_ng/user-guide.md)
 - [Destination](src/sap_cloud_sdk/destination/user-guide.md)
 - [DMS](src/sap_cloud_sdk/dms/user-guide.md)
+- [Extensibility](src/sap_cloud_sdk/extensibility/user-guide.md)
+- [IAS](src/sap_cloud_sdk/ias/user-guide.md)
 - [ObjectStore](src/sap_cloud_sdk/objectstore/user-guide.md)
 - [Secret Resolver](src/sap_cloud_sdk/core/secret_resolver/user-guide.md)
 - [Telemetry](src/sap_cloud_sdk/core/telemetry/user-guide.md)

src/sap_cloud_sdk/agentgateway/__init__.py

@@ -53,6 +53,7 @@
 """
 
 from sap_cloud_sdk.agentgateway._models import MCPTool
+from sap_cloud_sdk.agentgateway.config import ClientConfig
 from sap_cloud_sdk.agentgateway.agw_client import create_client, AgentGatewayClient
 from sap_cloud_sdk.agentgateway.exceptions import (
     AgentGatewaySDKError,
@@ -65,6 +66,8 @@
     "create_client",
     # Client class
     "AgentGatewayClient",
+    # Configuration
+    "ClientConfig",
     # Data models
     "MCPTool",
     # Exceptions

src/sap_cloud_sdk/agentgateway/_customer.py

@@ -35,9 +35,6 @@
 # Default credential path for Kyma production deployments
 _CREDENTIALS_DEFAULT_PATH = "/etc/ums/credentials/credentials"
 
-# HTTP timeout for token requests and MCP server calls (seconds)
-_HTTP_TIMEOUT = 30.0
-
 # Resource URN for Agent Gateway token scope (hardcoded - production value)
 _AGW_RESOURCE_URN = "urn:sap:identity:application:provider:name:agent-gateway"
 
@@ -213,6 +210,7 @@ def _create_ssl_context(certificate: str, private_key: str) -> ssl.SSLContext:
 def _request_token_mtls(
     credentials: CustomerCredentials,
     grant_type: str,
+    timeout: float,
     app_tid: str | None = None,
     extra_data: dict | None = None,
 ) -> str:
@@ -255,7 +253,7 @@ def _request_token_mtls(
     try:
         with httpx.Client(
             verify=ssl_context,
-            timeout=_HTTP_TIMEOUT,
+            timeout=timeout,
         ) as client:
             response = client.post(
                 credentials.token_service_url,
@@ -293,6 +291,7 @@ def _request_token_mtls(
 
 def get_system_token_mtls(
     credentials: CustomerCredentials,
+    timeout: float,
     app_tid: str | None = None,
 ) -> str:
     """Get system-scoped token using mTLS client credentials flow.
@@ -301,6 +300,7 @@ def get_system_token_mtls(
 
     Args:
         credentials: Customer credentials.
+        timeout: HTTP timeout in seconds.
         app_tid: BTP Application Tenant ID of subscriber (optional).
 
     Returns:
@@ -310,6 +310,7 @@ def get_system_token_mtls(
     return _request_token_mtls(
         credentials,
         grant_type=_GRANT_TYPE_CLIENT_CREDENTIALS,
+        timeout=timeout,
         app_tid=app_tid,
         extra_data={"response_type": "token"},
     )
@@ -318,6 +319,7 @@ def get_system_token_mtls(
 def exchange_user_token(
     credentials: CustomerCredentials,
     user_token: str,
+    timeout: float,
     app_tid: str | None = None,
 ) -> str:
     """Exchange user token for AGW-scoped token using jwt-bearer grant.
@@ -328,6 +330,7 @@ def exchange_user_token(
     Args:
         credentials: Customer credentials.
         user_token: User's JWT token to exchange.
+        timeout: HTTP timeout in seconds.
         app_tid: BTP Application Tenant ID of subscriber (optional).
 
     Returns:
@@ -337,6 +340,7 @@ def exchange_user_token(
     return _request_token_mtls(
         credentials,
         grant_type=_GRANT_TYPE_JWT_BEARER,
+        timeout=timeout,
         app_tid=app_tid,
         extra_data={
             "assertion": user_token,
@@ -371,6 +375,7 @@ async def _list_server_tools(
     url: str,
     auth_token: str,
     dependency: IntegrationDependency,
+    timeout: float,
 ) -> list[MCPTool]:
     """List tools from a single MCP server.
 
@@ -390,7 +395,7 @@ async def _list_server_tools(
             "Authorization": f"Bearer {auth_token}",
             "x-correlation-id": str(uuid.uuid4()),
         },
-        timeout=_HTTP_TIMEOUT,
+        timeout=timeout,
     ) as http_client:
         async with streamable_http_client(url, http_client=http_client) as (
             read,
@@ -427,6 +432,7 @@ async def _list_server_tools(
 
 async def get_mcp_tools_customer(
     credentials: CustomerCredentials,
+    timeout: float,
     app_tid: str | None = None,
 ) -> list[MCPTool]:
     """List all MCP tools from servers defined in credentials.
@@ -456,7 +462,7 @@ async def get_mcp_tools_customer(
     # Get system token for discovery
     loop = asyncio.get_running_loop()
     system_token = await loop.run_in_executor(
-        None, get_system_token_mtls, credentials, app_tid
+        None, get_system_token_mtls, credentials, timeout, app_tid
     )
 
     tools: list[MCPTool] = []
@@ -471,7 +477,7 @@ async def get_mcp_tools_customer(
         )
 
         try:
-            server_tools = await _list_server_tools(url, system_token, dep)
+            server_tools = await _list_server_tools(url, system_token, dep, timeout)
             tools.extend(server_tools)
             logger.debug("Loaded %d tool(s) from %s", len(server_tools), dep.ord_id)
         except Exception:
@@ -487,6 +493,7 @@ async def call_mcp_tool_customer(
     credentials: CustomerCredentials,
     tool: MCPTool,
     user_token: str | None,
+    timeout: float,
     app_tid: str | None = None,
     **kwargs,
 ) -> str:
@@ -513,7 +520,7 @@ async def call_mcp_tool_customer(
     if user_token:
         # Exchange user token for AGW-scoped token (with principal propagation)
         agw_token = await loop.run_in_executor(
-            None, exchange_user_token, credentials, user_token, app_tid
+            None, exchange_user_token, credentials, user_token, timeout, app_tid
         )
     else:
         # TODO: IBD workaround - use system token when user_token is not available.
@@ -524,15 +531,15 @@ async def call_mcp_tool_customer(
             "Principal propagation will NOT work."
         )
         agw_token = await loop.run_in_executor(
-            None, get_system_token_mtls, credentials, app_tid
+            None, get_system_token_mtls, credentials, timeout, app_tid
         )
 
     async with httpx.AsyncClient(
         headers={
             "Authorization": f"Bearer {agw_token}",
             "x-correlation-id": str(uuid.uuid4()),
         },
-        timeout=_HTTP_TIMEOUT,
+        timeout=timeout,
     ) as http_client:
         async with streamable_http_client(tool.url, http_client=http_client) as (
             read,

src/sap_cloud_sdk/agentgateway/_lob.py

@@ -36,9 +36,6 @@
 
 _DESTINATION_INSTANCE = "default"
 
-# HTTP timeout for MCP server requests (seconds)
-_HTTP_TIMEOUT = 30.0
-
 
 def _ias_dest_name() -> str:
     """Get IAS destination name based on landscape.
@@ -227,7 +224,7 @@ def _fetch_user_auth_sync():
 
 
 async def list_server_tools(
-    dest_url: str, system_auth: str, fragment_name: str
+    dest_url: str, system_auth: str, fragment_name: str, timeout: float
 ) -> list[MCPTool]:
     """List tools from a single MCP server.
 
@@ -241,7 +238,7 @@ async def list_server_tools(
     """
     async with httpx.AsyncClient(
         headers={"Authorization": system_auth, "x-correlation-id": str(uuid.uuid4())},
-        timeout=_HTTP_TIMEOUT,
+        timeout=timeout,
     ) as http_client:
         async with streamable_http_client(dest_url, http_client=http_client) as (
             read,
@@ -273,6 +270,7 @@ async def list_server_tools(
 
 async def get_mcp_tools_lob(
     tenant_subdomain: str,
+    timeout: float,
 ) -> list[MCPTool]:
     """List all MCP tools using LoB flow (destination-based).
 
@@ -309,7 +307,9 @@ async def get_mcp_tools_lob(
 
         try:
             system_auth = await get_system_auth(tenant_subdomain)
-            server_tools = await list_server_tools(mcp_url, system_auth, fragment_name)
+            server_tools = await list_server_tools(
+                mcp_url, system_auth, fragment_name, timeout
+            )
             tools.extend(server_tools)
             logger.debug(
                 "Loaded %d tool(s) from fragment '%s'",
@@ -330,6 +330,7 @@ async def call_mcp_tool_lob(
     tool: MCPTool,
     user_token: str,
     tenant_subdomain: str,
+    timeout: float,
     **kwargs,
 ) -> str:
     """Invoke an MCP tool using LoB flow (destination-based).
@@ -357,7 +358,7 @@ async def call_mcp_tool_lob(
 
     async with httpx.AsyncClient(
         headers={"Authorization": user_auth, "x-correlation-id": str(uuid.uuid4())},
-        timeout=_HTTP_TIMEOUT,
+        timeout=timeout,
     ) as http_client:
         async with streamable_http_client(tool.url, http_client=http_client) as (
             read,