release: 0.55.0

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ${{ github.repository == 'stainless-sdks/kernel-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Rye
         run: |
@@ -46,7 +46,7 @@ jobs:
       id-token: write
     runs-on: ${{ github.repository == 'stainless-sdks/kernel-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Rye
         run: |
@@ -67,7 +67,7 @@ jobs:
           github.repository == 'stainless-sdks/kernel-python' &&
           !startsWith(github.ref, 'refs/heads/stl/')
         id: github-oidc
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: core.setOutput('github_token', await core.getIDToken());
 
@@ -87,7 +87,7 @@ jobs:
     runs-on: ${{ github.repository == 'stainless-sdks/kernel-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Rye
         run: |

.github/workflows/publish-pypi.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Rye
         run: |

.github/workflows/release-doctor.yml

@@ -12,7 +12,7 @@ jobs:
     if: github.repository == 'kernel/kernel-python-sdk' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch' || startsWith(github.head_ref, 'release-please') || github.head_ref == 'next')
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check release environment
         run: |

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.53.0"
+  ".": "0.55.0"
 }

.stats.yml

@@ -1,4 +1,4 @@
 configured_endpoints: 112
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel/kernel-a33e59aa1758ba51f13538838ecd70b0a23ed69739b3022e8c2ce0622e42b904.yml
-openapi_spec_hash: c042d2f6880c927be09aa9fa79d7241e
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/kernel/kernel-b7a19ff1fbd93322c8cffcd0b397ce2536ca8bff91594e0081bd030d4bec879f.yml
+openapi_spec_hash: 9dd204b37a357b19032aea9eb4496645
 config_hash: 08d55086449943a8fec212b870061a3f

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 0.55.0 (2026-05-15)
+
+Full Changelog: [v0.53.0...v0.55.0](https://github.com/kernel/kernel-python-sdk/compare/v0.53.0...v0.55.0)
+
+### Features
+
+* Add health check and auto-reauth controls for managed auth connections ([9a0655e](https://github.com/kernel/kernel-python-sdk/commit/9a0655efbeef25e4929397b04f492644339f839e))
+* Polish start URL OpenAPI descriptions ([4f16fb0](https://github.com/kernel/kernel-python-sdk/commit/4f16fb073e0d295fd962e8a8aabd55bdf3144e00))
+
 ## 0.53.0 (2026-05-12)
 
 Full Changelog: [v0.52.0...v0.53.0](https://github.com/kernel/kernel-python-sdk/compare/v0.52.0...v0.53.0)

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "kernel"
-version = "0.53.0"
+version = "0.55.0"
 description = "The official Python library for the kernel API"
 dynamic = ["readme"]
 license = "Apache-2.0"

src/kernel/_version.py

@@ -1,4 +1,4 @@
 # File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
 
 __title__ = "kernel"
-__version__ = "0.53.0"  # x-release-please-version
+__version__ = "0.55.0"  # x-release-please-version

src/kernel/resources/auth/connections.py

@@ -62,8 +62,10 @@ def create(
         domain: str,
         profile_name: str,
         allowed_domains: SequenceNotStr[str] | Omit = omit,
+        auto_reauth: bool | Omit = omit,
         credential: connection_create_params.Credential | Omit = omit,
         health_check_interval: int | Omit = omit,
+        health_checks: bool | Omit = omit,
         login_url: str | Omit = omit,
         proxy: connection_create_params.Proxy | Omit = omit,
         record_session: bool | Omit = omit,
@@ -105,6 +107,15 @@ def create(
               - OneLogin: \\**.onelogin.com
               - Ping Identity: _.pingone.com, _.pingidentity.com
 
+          auto_reauth: Whether to permit automatic re-authentication when a scheduled health check
+              detects an expired session. This is an opt-in flag only — it does not check
+              whether re-auth is actually feasible. Even when true, re-auth only runs when the
+              system has what it needs to perform it (for example, saved credentials for the
+              required login fields), and only after a scheduled health check detects an
+              expired session — so this flag has no effect when `health_checks` is false. When
+              false, expired sessions are marked as `NEEDS_AUTH` instead of attempting
+              re-auth. Defaults to true.
+
           credential:
               Reference to credentials for the auth connection. Use one of:
 
@@ -118,6 +129,11 @@ def create(
               depends on your plan: Enterprise: 300 (5 minutes), Startup: 1200 (20 minutes),
               Hobbyist: 3600 (1 hour).
 
+          health_checks: Whether to enable periodic health checks. When false, the system will not
+              automatically verify authentication status, and `auto_reauth` has no effect on
+              the automatic flow (since re-auth is only triggered by a failed scheduled health
+              check). Defaults to true.
+
           login_url: Optional login page URL to skip discovery
 
           proxy: Proxy selection. Provide either id or name. The proxy must belong to the
@@ -144,8 +160,10 @@ def create(
                     "domain": domain,
                     "profile_name": profile_name,
                     "allowed_domains": allowed_domains,
+                    "auto_reauth": auto_reauth,
                     "credential": credential,
                     "health_check_interval": health_check_interval,
+                    "health_checks": health_checks,
                     "login_url": login_url,
                     "proxy": proxy,
                     "record_session": record_session,
@@ -199,8 +217,10 @@ def update(
         id: str,
         *,
         allowed_domains: SequenceNotStr[str] | Omit = omit,
+        auto_reauth: bool | Omit = omit,
         credential: connection_update_params.Credential | Omit = omit,
         health_check_interval: int | Omit = omit,
+        health_checks: bool | Omit = omit,
         login_url: str | Omit = omit,
         proxy: connection_update_params.Proxy | Omit = omit,
         record_session: bool | Omit = omit,
@@ -220,6 +240,14 @@ def update(
         Args:
           allowed_domains: Additional domains valid for this auth flow (replaces existing list)
 
+          auto_reauth: Whether automatic re-authentication is permitted for this connection. This is an
+              opt-in flag only — it does not check whether re-auth is actually feasible. Even
+              when true, re-auth only runs when the system has what it needs to perform it
+              (for example, saved credentials for the required login fields), and only after a
+              scheduled health check detects an expired session — so this flag has no effect
+              when `health_checks` is false. When false, expired sessions detected by a health
+              check are marked as `NEEDS_AUTH` instead of attempting re-auth.
+
           credential:
               Reference to credentials for the auth connection. Use one of:
 
@@ -229,6 +257,11 @@ def update(
 
           health_check_interval: Interval in seconds between automatic health checks
 
+          health_checks: Whether periodic health checks are enabled. When set to false, the system will
+              not automatically verify authentication status, and `auto_reauth` has no effect
+              on the automatic flow (since re-auth is only triggered by a failed scheduled
+              health check).
+
           login_url: Login page URL. Set to empty string to clear.
 
           proxy: Proxy selection. Provide either id or name. The proxy must belong to the
@@ -253,8 +286,10 @@ def update(
             body=maybe_transform(
                 {
                     "allowed_domains": allowed_domains,
+                    "auto_reauth": auto_reauth,
                     "credential": credential,
                     "health_check_interval": health_check_interval,
+                    "health_checks": health_checks,
                     "login_url": login_url,
                     "proxy": proxy,
                     "record_session": record_session,
@@ -544,8 +579,10 @@ async def create(
         domain: str,
         profile_name: str,
         allowed_domains: SequenceNotStr[str] | Omit = omit,
+        auto_reauth: bool | Omit = omit,
         credential: connection_create_params.Credential | Omit = omit,
         health_check_interval: int | Omit = omit,
+        health_checks: bool | Omit = omit,
         login_url: str | Omit = omit,
         proxy: connection_create_params.Proxy | Omit = omit,
         record_session: bool | Omit = omit,
@@ -587,6 +624,15 @@ async def create(
               - OneLogin: \\**.onelogin.com
               - Ping Identity: _.pingone.com, _.pingidentity.com
 
+          auto_reauth: Whether to permit automatic re-authentication when a scheduled health check
+              detects an expired session. This is an opt-in flag only — it does not check
+              whether re-auth is actually feasible. Even when true, re-auth only runs when the
+              system has what it needs to perform it (for example, saved credentials for the
+              required login fields), and only after a scheduled health check detects an
+              expired session — so this flag has no effect when `health_checks` is false. When
+              false, expired sessions are marked as `NEEDS_AUTH` instead of attempting
+              re-auth. Defaults to true.
+
           credential:
               Reference to credentials for the auth connection. Use one of:
 
@@ -600,6 +646,11 @@ async def create(
               depends on your plan: Enterprise: 300 (5 minutes), Startup: 1200 (20 minutes),
               Hobbyist: 3600 (1 hour).
 
+          health_checks: Whether to enable periodic health checks. When false, the system will not
+              automatically verify authentication status, and `auto_reauth` has no effect on
+              the automatic flow (since re-auth is only triggered by a failed scheduled health
+              check). Defaults to true.
+
           login_url: Optional login page URL to skip discovery
 
           proxy: Proxy selection. Provide either id or name. The proxy must belong to the
@@ -626,8 +677,10 @@ async def create(
                     "domain": domain,
                     "profile_name": profile_name,
                     "allowed_domains": allowed_domains,
+                    "auto_reauth": auto_reauth,
                     "credential": credential,
                     "health_check_interval": health_check_interval,
+                    "health_checks": health_checks,
                     "login_url": login_url,
                     "proxy": proxy,
                     "record_session": record_session,
@@ -681,8 +734,10 @@ async def update(
         id: str,
         *,
         allowed_domains: SequenceNotStr[str] | Omit = omit,
+        auto_reauth: bool | Omit = omit,
         credential: connection_update_params.Credential | Omit = omit,
         health_check_interval: int | Omit = omit,
+        health_checks: bool | Omit = omit,
         login_url: str | Omit = omit,
         proxy: connection_update_params.Proxy | Omit = omit,
         record_session: bool | Omit = omit,
@@ -702,6 +757,14 @@ async def update(
         Args:
           allowed_domains: Additional domains valid for this auth flow (replaces existing list)
 
+          auto_reauth: Whether automatic re-authentication is permitted for this connection. This is an
+              opt-in flag only — it does not check whether re-auth is actually feasible. Even
+              when true, re-auth only runs when the system has what it needs to perform it
+              (for example, saved credentials for the required login fields), and only after a
+              scheduled health check detects an expired session — so this flag has no effect
+              when `health_checks` is false. When false, expired sessions detected by a health
+              check are marked as `NEEDS_AUTH` instead of attempting re-auth.
+
           credential:
               Reference to credentials for the auth connection. Use one of:
 
@@ -711,6 +774,11 @@ async def update(
 
           health_check_interval: Interval in seconds between automatic health checks
 
+          health_checks: Whether periodic health checks are enabled. When set to false, the system will
+              not automatically verify authentication status, and `auto_reauth` has no effect
+              on the automatic flow (since re-auth is only triggered by a failed scheduled
+              health check).
+
           login_url: Login page URL. Set to empty string to clear.
 
           proxy: Proxy selection. Provide either id or name. The proxy must belong to the
@@ -735,8 +803,10 @@ async def update(
             body=await async_maybe_transform(
                 {
                     "allowed_domains": allowed_domains,
+                    "auto_reauth": auto_reauth,
                     "credential": credential,
                     "health_check_interval": health_check_interval,
+                    "health_checks": health_checks,
                     "login_url": login_url,
                     "proxy": proxy,
                     "record_session": record_session,

src/kernel/resources/browser_pools.py

@@ -110,11 +110,9 @@ def create(
           proxy_id: Optional proxy to associate to the browser session. Must reference a proxy
               belonging to the caller's org.
 
-          start_url: Optional URL to navigate to when a new browser is warmed into the pool.
-              Best-effort: failures to navigate do not fail pool fill. Only applied to
-              newly-warmed browsers — browsers reused via release/acquire keep whatever URL
-              the previous lease left them on. Accepts any URL Chromium can resolve, including
-              chrome:// pages.
+          start_url: Optional URL to open when a browser is created for the pool. Navigation is
+              best-effort, so navigation failures do not prevent the pool from filling. Reused
+              browsers keep the page left by the previous lease.
 
           stealth: If true, launches the browser in stealth mode to reduce detection by anti-bot
               mechanisms.
@@ -261,11 +259,9 @@ def update(
           proxy_id: Optional proxy to associate to the browser session. Must reference a proxy
               belonging to the caller's org.
 
-          start_url: Optional URL to navigate to when a new browser is warmed into the pool.
-              Best-effort: failures to navigate do not fail pool fill. Only applied to
-              newly-warmed browsers — browsers reused via release/acquire keep whatever URL
-              the previous lease left them on. Accepts any URL Chromium can resolve, including
-              chrome:// pages.
+          start_url: Optional URL to open when a browser is created for the pool. Navigation is
+              best-effort, so navigation failures do not prevent the pool from filling. Reused
+              browsers keep the page left by the previous lease.
 
           stealth: If true, launches the browser in stealth mode to reduce detection by anti-bot
               mechanisms.
@@ -588,11 +584,9 @@ async def create(
           proxy_id: Optional proxy to associate to the browser session. Must reference a proxy
               belonging to the caller's org.
 
-          start_url: Optional URL to navigate to when a new browser is warmed into the pool.
-              Best-effort: failures to navigate do not fail pool fill. Only applied to
-              newly-warmed browsers — browsers reused via release/acquire keep whatever URL
-              the previous lease left them on. Accepts any URL Chromium can resolve, including
-              chrome:// pages.
+          start_url: Optional URL to open when a browser is created for the pool. Navigation is
+              best-effort, so navigation failures do not prevent the pool from filling. Reused
+              browsers keep the page left by the previous lease.
 
           stealth: If true, launches the browser in stealth mode to reduce detection by anti-bot
               mechanisms.
@@ -739,11 +733,9 @@ async def update(
           proxy_id: Optional proxy to associate to the browser session. Must reference a proxy
               belonging to the caller's org.
 
-          start_url: Optional URL to navigate to when a new browser is warmed into the pool.
-              Best-effort: failures to navigate do not fail pool fill. Only applied to
-              newly-warmed browsers — browsers reused via release/acquire keep whatever URL
-              the previous lease left them on. Accepts any URL Chromium can resolve, including
-              chrome:// pages.
+          start_url: Optional URL to open when a browser is created for the pool. Navigation is
+              best-effort, so navigation failures do not prevent the pool from filling. Reused
+              browsers keep the page left by the previous lease.
 
           stealth: If true, launches the browser in stealth mode to reduce detection by anti-bot
               mechanisms.

src/kernel/resources/browsers/browsers.py

@@ -197,11 +197,9 @@ def create(
           proxy_id: Optional proxy to associate to the browser session. Must reference a proxy
               belonging to the caller's org.
 
-          start_url: Optional URL to navigate to immediately after the browser is created.
-              Best-effort: failures to navigate do not fail browser creation. Any pre-existing
-              tabs are reduced to a single tab which is then navigated. Accepts any URL
-              Chromium can resolve, including chrome:// pages. Ignored when reusing an
-              existing persistent session.
+          start_url: Optional URL to open when the browser session is created. Navigation is
+              best-effort, so navigation failures do not prevent the session from being
+              created.
 
           stealth: If true, launches the browser in stealth mode to reduce detection by anti-bot
               mechanisms.
@@ -763,11 +761,9 @@ async def create(
           proxy_id: Optional proxy to associate to the browser session. Must reference a proxy
               belonging to the caller's org.
 
-          start_url: Optional URL to navigate to immediately after the browser is created.
-              Best-effort: failures to navigate do not fail browser creation. Any pre-existing
-              tabs are reduced to a single tab which is then navigated. Accepts any URL
-              Chromium can resolve, including chrome:// pages. Ignored when reusing an
-              existing persistent session.
+          start_url: Optional URL to open when the browser session is created. Navigation is
+              best-effort, so navigation failures do not prevent the session from being
+              created.
 
           stealth: If true, launches the browser in stealth mode to reduce detection by anti-bot
               mechanisms.