Skip to content

chore(deps): update all non-major dependencies#120

Merged
HugoRCD merged 1 commit intomainfrom
renovate/all-minor-patch
Feb 10, 2026
Merged

chore(deps): update all non-major dependencies#120
HugoRCD merged 1 commit intomainfrom
renovate/all-minor-patch

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Feb 9, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
@ai-sdk/mcp (source) ^1.0.18^1.0.19 age confidence
@iconify-json/lucide ^1.2.87^1.2.89 age confidence
@iconify-json/simple-icons ^1.2.69^1.2.70 age confidence
@modelcontextprotocol/sdk (source) ^1.25.3^1.26.0 age confidence
@nuxt/eslint-config (source) ^1.13.0^1.15.1 age confidence
agents (source) >=0.3.6>=0.4.0 age confidence
drizzle-kit (source) ^0.31.8^0.31.9 age confidence
motion-v ^1.10.2^1.10.3 age confidence
nuxt-studio ^1.3.0^1.3.1 age confidence
pnpm (source) 10.28.210.29.2 age confidence
pnpm (source) 10.28.210.29.2 age confidence
turbo (source) ^2.8.1^2.8.3 age confidence

Release Notes

vercel/ai (@​ai-sdk/mcp)

v1.0.19

Compare Source

Patch Changes
modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.26.0

Compare Source

Addresses "Sharing server/transport instances can leak cross-client response data" in this GHSA GHSA-345p-7cg4-v4c7

What's Changed

New Contributors

Full Changelog: modelcontextprotocol/typescript-sdk@v1.25.3...v1.26.0

nuxt/eslint (@​nuxt/eslint-config)

v1.15.1

   🐞 Bug Fixes
    View changes on GitHub

v1.15.0

Compare Source

   🚀 Features
    View changes on GitHub

v1.14.0

Compare Source

   🚀 Features
    View changes on GitHub
cloudflare/agents (agents)

v0.4.0

Compare Source

Minor Changes

  • #​848 a167344 Thanks @​mattzcarey! - Upgrade MCP SDK to 1.26.0 to prevent cross-client response leakage. Updated examples for stateless MCP Servers create new McpServer instance per request instead of sharing a single instance. A guard is added in this version of the MCP SDK which will prevent connection to a Server instance that has already been connected to a transport. Developers will need to modify their code if they declare their McpServer instance as a global variable.

  • #​298 27f4e3e Thanks @​jaredhanson! - Add createMcpOAuthProvider method to the Agent class, allowing subclasses to override the default OAuth provider used when connecting to MCP servers. This enables custom authentication strategies such as pre-registered client credentials or mTLS, beyond the built-in dynamic client registration.

  • #​610 f59f305 Thanks @​threepointone! - Deprecate onStateUpdate server-side hook in favor of onStateChanged

    • onStateChanged is a drop-in rename of onStateUpdate (same signature, same behavior)
    • onStateUpdate still works but emits a one-time console warning per class
    • Throws if a class overrides both hooks simultaneously
    • validateStateChange rejections now propagate a CF_AGENT_STATE_ERROR message back to the client

  • #​871 27f8f75 Thanks @​threepointone! - Migrate x402 MCP integration from legacy x402 package to @x402/core and @x402/evm v2

    Breaking changes for x402 users:

    • Peer dependencies changed: replace x402 with @x402/core and @x402/evm
    • PaymentRequirements type now uses v2 fields (e.g. amount instead of maxAmountRequired)
    • X402ClientConfig.account type changed from viem.Account to ClientEvmSigner (structurally compatible with privateKeyToAccount())

    Migration guide:

    1. Update dependencies:

      npm uninstall x402
npm install @​x402/core @​x402/evm

    2. Update network identifiers — both legacy names and CAIP-2 format are accepted:

      // Before
{
  network: "base-sepolia";
}
// After (either works)
{
  network: "base-sepolia";
} // legacy name, auto-converted
{
  network: "eip155:84532";
} // CAIP-2 format (preferred)

    3. If you access PaymentRequirements fields in callbacks, update to v2 field names (see @x402/core docs).

    4. The version field on X402Config and X402ClientConfig is now deprecated and ignored — the protocol version is determined automatically.

    Other changes:

    • X402ClientConfig.network is now optional — the client auto-selects from available payment requirements
    • Server-side lazy initialization: facilitator connection is deferred until the first paid tool invocation
    • Payment tokens support both v2 (PAYMENT-SIGNATURE) and v1 (X-PAYMENT) HTTP headers
    • Added normalizeNetwork export for converting legacy network names to CAIP-2 format
    • Re-exports PaymentRequirements, PaymentRequired, Network, FacilitatorConfig, and ClientEvmSigner from agents/x402
Patch Changes

  • #​610 f59f305 Thanks @​threepointone! - Add readonly connections: restrict WebSocket clients from modifying agent state

    • New hooks: shouldConnectionBeReadonly, setConnectionReadonly, isConnectionReadonly
    • Blocks both client-side setState() and mutating @callable() methods for readonly connections
    • Readonly flag stored in a namespaced connection attachment (_cf_readonly), surviving hibernation without extra SQL
    • Connection state wrapping hides the internal flag from user code and preserves it across connection.setState() calls
    • Client-side onStateUpdateError callback for handling rejected state updates

  • #​855 271a3cf Thanks @​threepointone! - Fix useAgent and AgentClient crashing when using basePath routing.

  • #​868 b3e2dc1 Thanks @​threepointone! - Fix MCP OAuth callback URL leaking instance name

    Add callbackPath option to addMcpServer to prevent instance name leakage in MCP OAuth callback URLs. When sendIdentityOnConnect is false, callbackPath is now required — the default callback URL would expose the instance name, undermining the security intent. Also fixes callback request detection to match via the state parameter instead of a loose /callback URL substring check, enabling custom callback paths.

  • #​872 de71f9e Thanks @​threepointone! - update dependencies

  • 8893fbe Thanks @​threepointone! - partykit releases

v0.3.10

Compare Source

Patch Changes

v0.3.9

Compare Source

Patch Changes

  • #​837 b11b9dd Thanks @​threepointone! - Fix AgentWorkflow run() method not being called in production

    The run() method wrapper was being set as an instance property in the constructor, but Cloudflare's RPC system invokes methods from the prototype chain. This caused the initialization wrapper to be bypassed in production, resulting in _initAgent never being called.

    Changed to wrap the subclass prototype's run method directly with proper safeguards:

    • Uses Object.hasOwn() to only wrap prototypes that define their own run method (prevents double-wrapping inherited methods)
    • Uses a WeakSet to track wrapped prototypes (prevents re-wrapping on subsequent instantiations)
    • Uses an instance-level __agentInitCalled flag to prevent double initialization if super.run() is called from a subclass

v0.3.8

Compare Source

Patch Changes

  • #​833 6c80022 Thanks @​tarushnagpal! - On invalid OAuth state, clear auth_url in storage and set the MCP connection state to FAILED ready for reconnection.

  • #​834 2b4aecd Thanks @​threepointone! - Fix AgentClient.close() to immediately reject pending RPC calls instead of waiting for WebSocket close handshake timeout.

    Previously, calling client.close() would not reject pending RPC calls until the WebSocket close handshake completed (which could take 15+ seconds in some environments). Now pending calls are rejected immediately when close() is called, providing faster feedback on intentional disconnects.

v0.3.7

Compare Source

This release introduces Cloudflare Workflows integration for durable multi-step processing, secure email reply routing with HMAC-SHA256 signatures, 15+ new documentation files, and significant improvements to state management, the callable RPC system, and scheduling.

Highlights

  • Workflows Integration - Seamless integration between Cloudflare Agents and Cloudflare Workflows for durable, multi-step background processing
  • Secure Email Routing - HMAC-SHA256 signed email headers prevent unauthorized routing of emails to agent instances
  • Comprehensive Documentation - 15+ new docs covering getting started, state, routing, HTTP/WebSocket lifecycle, callable methods, MCP, and scheduling
  • Synchronous setState() - State updates are now synchronous with a new validateStateChange() validation hook
  • scheduleEvery() Method - Fixed-interval recurring tasks with overlap prevention
  • Callable System Improvements - Client-side RPC timeouts, streaming error signaling, introspection API
  • 100+ New Tests - Comprehensive test coverage across state, routing, callable, and email utilities

Cloudflare Workflows Integration

Agents excel at real-time communication and state management. Workflows excel at durable execution. Together, they enable powerful patterns where Agents handle WebSocket connections while Workflows handle long-running tasks, retries, and human-in-the-loop flows.

AgentWorkflow Base Class

Extend AgentWorkflow instead of WorkflowEntrypoint to get typed access to the originating Agent:

import { AgentWorkflow } from "agents/workflows";

export class ProcessingWorkflow extends AgentWorkflow<MyAgent, TaskParams> {
  async run(event: AgentWorkflowEvent<TaskParams>, step: AgentWorkflowStep) {
    // Call Agent methods via RPC
    await this.agent.updateStatus(params.taskId, "processing");

    // Non-durable: progress reporting
    await this.reportProgress({ step: "process", percent: 0.5 });
    this.broadcastToClients({ type: "update", taskId: params.taskId });

    // Durable via step: idempotent, won't repeat on retry
    await step.mergeAgentState({ taskProgress: 0.5 });
    await step.reportComplete(result);

    return result;
  }
}
Agent Methods for Workflows
  • runWorkflow(workflowName, params, options?) - Start workflow with optional metadata
  • sendWorkflowEvent(workflowName, workflowId, event) - Send events to waiting workflows
  • getWorkflow(workflowId) / getWorkflows(criteria?) - Query workflows with cursor-based pagination
  • deleteWorkflow(workflowId) / deleteWorkflows(criteria?) - Delete workflows by ID or criteria
  • approveWorkflow(workflowId) / rejectWorkflow(workflowId) - Human-in-the-loop approval flows
  • terminateWorkflow(), pauseWorkflow(), resumeWorkflow(), restartWorkflow() - Workflow control
Lifecycle Callbacks
async onWorkflowProgress(workflowName, workflowId, progress) {}
async onWorkflowComplete(workflowName, workflowId, result?) {}
async onWorkflowError(workflowName, workflowId, error) {}
async onWorkflowEvent(workflowName, workflowId, event) {}

See docs/workflows.md for full documentation.

Secure Email Reply Routing

Prevents unauthorized routing of emails to arbitrary agent instances using HMAC-SHA256 signed headers.

New Resolver
import { createSecureReplyEmailResolver } from "agents/email";

const resolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {
  maxAge: 7 * 24 * 60 * 60, // Optional: 7 days (default: 30 days)
  onInvalidSignature: (email, reason) => {
    console.warn(`Invalid signature from ${email.from}: ${reason}`);
  },
});
Automatic Signing on Reply
await this.replyToEmail(email, {
  fromName: "My Agent",
  body: "Thanks!",
  secret: this.env.EMAIL_SECRET, // Signs headers for secure reply routing
});
Breaking Changes
  • Email utilities moved to agents/email subpath
  • createHeaderBasedEmailResolver removed (security vulnerability)
  • New onNoRoute callback for handling unmatched emails

New Documentation

Document Description
getting-started.md Quick start guide: installation, first agent, state basics, deployment
adding-to-existing-project.md Integrating agents into existing Workers, React apps, Hono
state.md State management, validateStateChange(), persistence, client sync
routing.md URL routing patterns, basePath, server-sent identity
http-websockets.md HTTP/WebSocket lifecycle hooks, connection management, hibernation
callable-methods.md @callable decorator, RPC over WebSocket, streaming responses
mcp-client.md Connecting to MCP servers, OAuth flows, transport options
scheduling.md One-time, recurring (scheduleEvery), and cron-based scheduling
workflows.md Complete Workflows integration guide

State Management Improvements

Synchronous setState()

setState() is now synchronous. Existing await this.setState(...) code continues to work.

// Preferred (new)
this.setState({ count: 1 });

// Still works (backward compatible)
await this.setState({ count: 1 });
validateStateChange() Hook

New synchronous validation hook that runs before state is persisted:

validateStateChange(nextState: State, source: Connection | "server") {
  if (nextState.count < 0) {
    throw new Error("Count cannot be negative");
  }
}
Execution Order
  1. validateStateChange(nextState, source) - validation (sync, gating)
  2. State persisted to SQLite
  3. State broadcast to connected clients
  4. onStateUpdate(nextState, source) - notifications (async via ctx.waitUntil, non-gating)

Scheduling: scheduleEvery()

Fixed-interval recurring tasks with overlap prevention and error resilience:

await this.scheduleEvery(60, "cleanup");
await this.scheduleEvery(300, "syncData", { source: "api" });
  • Validates interval doesn't exceed 30 days (DO alarm limit)
  • Overlap prevention with hung callback detection (configurable via hungScheduleTimeoutSeconds)

Callable System Improvements

Client-side RPC Timeout
await agent.call("method", [args], {
  timeout: 5000,
  stream: { onChunk, onDone, onError },
});
New Features
  • StreamingResponse.error(message) - Graceful stream error signaling
  • getCallableMethods() - Introspection API for callable methods
  • Connection close handling - Pending calls rejected on disconnect
  • crypto.randomUUID() for more robust RPC IDs
  • Streaming observability events and error logging

MCP Server API

Options-based addMcpServer() overload for cleaner configuration:

await this.addMcpServer("server", url, {
  callbackHost: "https://my-worker.workers.dev",
  transport: { headers: { Authorization: "Bearer ..." } },
});

Routing & Identity Enhancements

  • basePath - Bypass default URL construction for custom routing
  • Server-sent identity - Agents send name and agent type on connect
  • onIdentity / onIdentityChange callbacks on the client
  • static options = { sendIdentityOnConnect } for server-side control
const agent = useAgent({
  basePath: "user",
  onIdentity: (name, agentType) => console.log(`Connected to ${name}`),
});

Email Utilities

  • isAutoReplyEmail(headers) - Detect auto-reply emails using standard RFC headers

Bug Fixes

  • Fixed tool error content type in getAITools (#​781)
  • Fixed React useRef type error
  • Memory leak prevention with WeakMap for callable metadata
  • Connection cleanup - pending RPC calls rejected on WebSocket close
  • JSON parse error handling - graceful fallback to initialState on corrupted state
  • Fixed resumable streaming to avoid delivering live chunks before resume ACK (#​795)

Migration Notes

Email Imports
// Before
import { createAddressBasedEmailResolver, signAgentHeaders } from "agents";

// After
import {
  createAddressBasedEmailResolver,
  signAgentHeaders,
} from "agents/email";
Workflow Imports
import { AgentWorkflow } from "agents/workflows";
import type { AgentWorkflowStep, WorkflowInfo } from "agents/workflows";
OpenAI Provider Options

When using scheduleSchema with OpenAI models via the AI SDK, pass providerOptions:

await generateObject({
  // ... other options
  providerOptions: { openai: { strictJsonSchema: false } },
});
Patch Changes

  • #​825 0c3c9bb Thanks @​threepointone! - Add cursor-based pagination to getWorkflows(). Returns a WorkflowPage with workflows, total count, and cursor for next page. Default limit is 50 (max 100).

  • #​825 0c3c9bb Thanks @​threepointone! - Add workflow control methods: terminateWorkflow(), pauseWorkflow(), resumeWorkflow(), and restartWorkflow().

  • #​799 d1a0c2b Thanks @​threepointone! - feat: Add Cloudflare Workflows integration for Agents

    Adds seamless integration between Cloudflare Agents and Cloudflare Workflows for durable, multi-step background processing.

Why use Workflows with Agents?

Agents excel at real-time communication and state management, while Workflows excel at durable execution. Together:

  • Agents handle WebSocket connections and quick operations
  • Workflows handle long-running tasks, retries, and human-in-the-loop flows
AgentWorkflow Base Class

Extend AgentWorkflow instead of WorkflowEntrypoint to get typed access to the originating Agent:

export class ProcessingWorkflow extends AgentWorkflow<MyAgent, TaskParams> {
  async run(event: AgentWorkflowEvent<TaskParams>, step: AgentWorkflowStep) {
    const params = event.payload;

    // Call Agent methods via RPC
    await this.agent.updateStatus(params.taskId, "processing");

    // Non-durable: progress reporting (lightweight, for frequent updates)
    await this.reportProgress({
      step: "process",
      percent: 0.5,
      message: "Halfway done",
    });
    this.broadcastToClients({ type: "update", taskId: params.taskId });

    // Durable via step: idempotent, won't repeat on retry
    await step.mergeAgentState({ taskProgress: 0.5 });
    await step.reportComplete(result);

    return result;
  }
}
Agent Methods
  • runWorkflow(workflowName, params, options?) - Start workflow with optional metadata for querying
  • sendWorkflowEvent(workflowName, workflowId, event) - Send events to waiting workflows
  • getWorkflow(workflowId) - Get tracked workflow by ID
  • getWorkflows(criteria?) - Query by status, workflowName, or metadata with pagination
  • deleteWorkflow(workflowId) - Delete a workflow tracking record
  • deleteWorkflows(criteria?) - Delete workflows by criteria (status, workflowName, metadata, createdBefore)
  • approveWorkflow(workflowId, data?) - Approve a waiting workflow
  • rejectWorkflow(workflowId, data?) - Reject a waiting workflow
AgentWorkflow Methods

On this (non-durable, lightweight):

  • reportProgress(progress) - Report typed progress object to Agent
  • broadcastToClients(message) - Broadcast to WebSocket clients
  • waitForApproval(step, opts?) - Wait for approval (throws on rejection)

On step (durable, idempotent):

  • step.reportComplete(result?) - Report successful completion
  • step.reportError(error) - Report an error
  • step.sendEvent(event) - Send custom event to Agent
  • step.updateAgentState(state) - Replace Agent state (broadcasts to clients)
  • step.mergeAgentState(partial) - Merge into Agent state (broadcasts to clients)
  • step.resetAgentState() - Reset Agent state to initialState (broadcasts to clients)
Lifecycle Callbacks

Override these methods to handle workflow events (workflowName is first for easy differentiation):

async onWorkflowProgress(workflowName, workflowId, progress) {} // progress is typed object
async onWorkflowComplete(workflowName, workflowId, result?) {}
async onWorkflowError(workflowName, workflowId, error) {}
async onWorkflowEvent(workflowName, workflowId, event) {}
Workflow Tracking

Workflows are automatically tracked in cf_agents_workflows SQLite table:

  • Status, timestamps, errors
  • Optional metadata field for queryable key-value data
  • Params/output NOT stored by default (could be large)

See docs/workflows.md for full documentation.

1. Hung Callback Detection in scheduleEvery()

Fixed a deadlock where if an interval callback hung indefinitely, all future interval executions would be skipped forever.

Fix: Track execution start time and force reset after 30 seconds of inactivity. If a previous execution appears hung (started more than 30s ago), it is force-reset and re-executed.

// Now safe - hung callbacks won't block future executions
await this.scheduleEvery(60, "myCallback");

2. Corrupted State Recovery

Fixed a crash when the database contains malformed JSON state.

Fix: Wrapped JSON.parse in try-catch with fallback to initialState. If parsing fails, the agent logs an error and recovers gracefully.

// Agent now survives corrupted state
class MyAgent extends Agent {
  initialState = { count: 0 }; // Used as fallback if DB state is corrupted
}

3. getCallableMethods() Prototype Chain Traversal

Fixed getCallableMethods() to find @callable methods from parent classes, not just the immediate class.

Fix: Walk the full prototype chain using Object.getPrototypeOf() loop.

class BaseAgent extends Agent {
  @&#8203;callable()
  parentMethod() {
    return "parent";
  }
}

class ChildAgent extends BaseAgent {
  @&#8203;callable()
  childMethod() {
    return "child";
  }
}

// Now correctly returns both parentMethod and childMethod
const methods = childAgent.getCallableMethods();

  • #​812 6218541 Thanks @​threepointone! - # Callable System Improvements

    This release includes several improvements to the @callable decorator and RPC system:

New Features

Client-side RPC Timeout

You can now specify a timeout for RPC calls that will reject if the call doesn't complete in time:

await agent.call("slowMethod", [], { timeout: 5000 });
StreamingResponse.error()

New method to gracefully signal an error during streaming and close the stream:

@&#8203;callable({ streaming: true })
async processItems(stream: StreamingResponse, items: string[]) {
  for (const item of items) {
    try {
      const result = await this.process(item);
      stream.send(result);
    } catch (e) {
      stream.error(`Failed to process ${item}: ${e.message}`);
      return;
    }
  }
  stream.end();
}
getCallableMethods() API

New method on the Agent class to introspect all callable methods and their metadata:

const methods = agent.getCallableMethods();
// Returns Map<string, CallableMetadata>

for (const [name, meta] of methods) {
  console.log(`${name}: ${meta.description || "(no description)"}`);
}
Connection Close Handling

Pending RPC calls are now automatically rejected with a "Connection closed" error when the WebSocket connection closes unexpectedly.

Internal Improvements

  • WeakMap for metadata storage: Changed callableMetadata from Map to WeakMap to prevent memory leaks when function references are garbage collected.
  • UUID for RPC IDs: Replaced Math.random().toString(36) with crypto.randomUUID() for more robust and unique RPC call identifiers.
  • Streaming observability: Added observability events for streaming RPC calls.

API Enhancements

The agent.call() method now accepts a unified CallOptions object with timeout support:

// New format (preferred, supports timeout)
await agent.call("method", [args], {
  timeout: 5000,
  stream: { onChunk, onDone, onError },
});

// Legacy format (still fully supported for backward compatibility)
await agent.call("method", [args], { onChunk, onDone, onError });

Both formats work seamlessly - the client auto-detects which format you're using.

  • #​812 6218541 Thanks @​threepointone! - feat: Add scheduleEvery method for fixed-interval scheduling

    Adds a new scheduleEvery(intervalSeconds, callback, payload?) method to the Agent class for scheduling recurring tasks at fixed intervals.

Features
  • Fixed interval execution: Schedule a callback to run every N seconds
  • Overlap prevention: If a callback is still running when the next interval fires, the next execution is skipped
  • Error resilience: If a callback throws, the schedule persists and continues on the next interval
  • Cancellable: Use cancelSchedule(id) to stop the recurring schedule
Usage
class MyAgent extends Agent {
  async onStart() {
    // Run cleanup every 60 seconds
    await this.scheduleEvery(60, "cleanup");

    // With payload
    await this.scheduleEvery(300, "syncData", { source: "api" });
  }

  cleanup() {
    // Runs every 60 seconds
  }

  syncData(payload: { source: string }) {
    // Runs every 300 seconds with payload
  }
}
Querying interval schedules
// Get all interval schedules
const intervals = await this.getSchedules({ type: "interval" });
Schema changes

Adds intervalSeconds and running columns to cf_agents_schedules table (auto-migrated for existing agents).

  • #​812 6218541 Thanks @​threepointone! - Add isAutoReplyEmail() utility to detect auto-reply emails

    Detects auto-reply emails based on standard RFC 3834 headers (Auto-Submitted, X-Auto-Response-Suppress, Precedence). Use this to avoid mail loops when sending automated replies.

    import { isAutoReplyEmail } from "agents/email";
import PostalMime from "postal-mime";

async onEmail(email: AgentEmail) {
  const raw = await email.getRaw();
  const parsed = await PostalMime.parse(raw);

  // Detect and skip auto-reply emails
  if (isAutoReplyEmail(parsed.headers)) {
    console.log("Skipping auto-reply");
    return;
  }

  // Process the email...
}

  • #​781 fd79481 Thanks @​HueCodes! - fix: properly type tool error content in getAITools

  • #​812 6218541 Thanks @​threepointone! - fix: improve type inference for RPC methods returning custom interfaces

    Previously, RPCMethod used { [key: string]: SerializableValue } to check if return types were serializable. This didn't work with TypeScript interfaces that have named properties (like interface CoreState { counter: number; name: string; }), causing those methods to be incorrectly excluded from typed RPC calls.

    Now uses a recursive CanSerialize<T> type that checks if all properties of an object are serializable, properly supporting:

    • Custom interfaces with named properties
    • Nested object types
    • Arrays of objects
    • Optional and nullable properties
    • Union types

    Also expanded NonSerializable to explicitly exclude non-JSON-serializable types like Date, RegExp, Map, Set, Error, and typed arrays.

    // Before: these methods were NOT recognized as callable
interface MyState {
  counter: number;
  items: string[];
}

class MyAgent extends Agent<Env, MyState> {
  @&#8203;callable()
  getState(): MyState {
    return this.state;
  } // ❌ Not typed
}

// After: properly recognized and typed
const agent = useAgent<MyAgent, MyState>({ agent: "my-agent" });
agent.call("getState"); // ✅ Typed as Promise<MyState>

  • #​825 0c3c9bb Thanks @​threepointone! - Fix workflow tracking table not being updated by AgentWorkflow callbacks.

    Previously, when a workflow reported progress, completion, or errors via callbacks, the cf_agents_workflows tracking table was not updated. This caused getWorkflow() and getWorkflows() to return stale status (e.g., "queued" instead of "running" or "complete").

    Now, onWorkflowCallback() automatically updates the tracking table:

    • Progress callbacks set status to "running"
    • Complete callbacks set status to "complete" with completed_at timestamp
    • Error callbacks set status to "errored" with error details

    Fixes #​821.

  • #​812 6218541 Thanks @​threepointone! - feat: Add options-based API for addMcpServer

    Adds a cleaner options-based overload for addMcpServer() that avoids passing undefined for unused positional parameters.

Before (still works)
// Awkward when you only need transport options
await this.addMcpServer("server", url, undefined, undefined, {
  transport: { headers: { Authorization: "Bearer ..." } },
});
After (preferred)
// Clean options object
await this.addMcpServer("server", url, {
  transport: { headers: { Authorization: "Bearer ..." } },
});

// With callback host
await this.addMcpServer("server", url, {
  callbackHost: "https://my-worker.workers.dev",
  transport: { type: "sse" },
});
Options
type AddMcpServerOptions = {
  callbackHost?: string; // OAuth callback host (auto-derived if omitted)
  agentsPrefix?: string; // Routing prefix (default: "agents")
  client?: ClientOptions; // MCP client options
  transport?: {
    headers?: HeadersInit; // Custom headers for auth
    type?: "sse" | "streamable-http" | "auto";
  };
};

The legacy 5-parameter signature remains fully supported for backward compatibility.

Custom URL Routing with basePath

New basePath option bypasses default /agents/{agent}/{name} URL construction, enabling custom routing patterns:

// Client connects to /user instead of /agents/user-agent/...
const agent = useAgent({
  agent: "UserAgent",
  basePath: "user",
});

Server handles routing manually with getAgentByName:

export default {
  async fetch(request: Request, env: Env) {
    const url = new URL(request.url);

    if (url.pathname === "/user") {
      const session = await getSession(request);
      const agent = await getAgentByName(env.UserAgent, session.userId);
      return agent.fetch(request);
    }

    return (
      (await routeAgentRequest(request, env)) ??
      new Response("Not found", { status: 404 })
    );
  },
};

Server-Sent Identity

Agents now send their identity (name and agent class) to clients on connect:

  • onIdentity callback - called when server sends identity
  • agent.name and agent.agent are updated from server (authoritative)
const agent = useAgent({
  agent: "UserAgent",
  basePath: "user",
  onIdentity: (name, agentType) => {
    console.log(`Connected to ${agentType} instance: ${name}`);
  },
});

Identity State & Ready Promise

  • identified: boolean - whether identity has been received
  • ready: Promise<void> - resolves when identity is received
  • In React, name, agent, and identified are reactive state
// React - reactive rendering
return agent.identified ? `Connected to: ${agent.name}` : "Connecting...";

// Vanilla JS - await ready
await agent.ready;
console.log(agent.name);

Identity Change Detection

  • onIdentityChange callback - fires when identity differs on reconnect
  • Warns if identity changes without handler (helps catch session issues)
useAgent({
  basePath: "user",
  onIdentityChange: (oldName, newName, oldAgent, newAgent) => {
    console.log(`Session changed: ${oldName}${newName}`);
  },
});

Sub-Paths with path Option

Append additional path segments:

// /user/settings
useAgent({ basePath: "user", path: "settings" });

// /agents/my-agent/room/settings
useAgent({ agent: "MyAgent", name: "room", path: "settings" });

Server-Side Identity Control

Disable identity sending for security-sensitive instance names:

class SecureAgent extends Agent {
  static options = { sendIdentityOnConnect: false };
}

  • #​827 e20da53 Thanks @​threepointone! - Move workflow exports to agents/workflows subpath for better separation of concerns.

    import { AgentWorkflow } from "agents/workflows";
import type { AgentWorkflowStep, WorkflowInfo } from "agents/workflows";

  • #​811 f604008 Thanks @​threepointone! - ### Secure Email Reply Routing

    This release introduces secure email reply routing with HMAC-SHA256 signed headers, preventing unauthorized routing of emails to arbitrary agent instances.

Breaking Changes

Email utilities moved to agents/email subpath: Email-specific resolvers and utilities have been moved to a dedicated subpath for better organization.

// Before
import { createAddressBasedEmailResolver, signAgentHeaders } from "agents";

// After
import {
  createAddressBasedEmailResolver,
  signAgentHeaders,
} from "agents/email";

The following remain in root: routeAgentEmail, createHeaderBasedEmailResolver (deprecated).

createHeaderBasedEmailResolver removed: This function now throws an error with migration guidance. It was removed because it trusted attacker-controlled email headers for routing.

Migration:

  • For inbound mail: use createAddressBasedEmailResolver(agentName)
  • For reply flows: use createSecureReplyEmailResolver(secret) with signed headers

See https://github.com/cloudflare/agents/blob/main/docs/email.md for details.

EmailSendOptions type removed: This type was unused and has been removed.

New Features

createSecureReplyEmailResolver: A new resolver that verifies HMAC-SHA256 signatures on incoming emails before routing. Signatures include a timestamp and expire after 30 days by default.

const resolver = createSecureReplyEmailResolver(env.EMAIL_SECRET, {
  maxAge: 7 * 24 * 60 * 60, // Optional: 7 days (default: 30 days)
  onInvalidSignature: (email, reason) => {
    // Optional: log failures for debugging
    // reason: "missing_headers" | "expired" | "invalid" | "malformed_timestamp"
    console.warn(`Invalid signature from ${email.from}: ${reason}`);
  },
});

signAgentHeaders: Helper function to manually sign agent routing headers for use with external email services.

const headers = await signAgentHeaders(secret, agentName, agentId);
// Returns: { "X-Agent-Name", "X-Agent-ID", "X-Agent-Sig", "X-Agent-Sig-Ts" }

replyToEmail signing: The replyToEmail method now accepts a secret option to automatically sign outbound email headers.

await this.replyToEmail(email, {
  fromName: "My Agent",
  body: "Thanks!",
  secret: this.env.EMAIL_SECRET, // Signs headers for secure reply routing
});

If an email was routed via createSecureReplyEmailResolver, calling replyToEmail without a secret will throw an error (pass explicit null to opt-out).

onNoRoute callback: routeAgentEmail now accepts an onNoRoute callback for handling emails that don't match any routing rule.

await routeAgentEmail(message, env, {
  resolver,
  onNoRoute: (email) => {
    email.setReject("Unknown recipient");
  },
});

Breaking Changes

setState() returns void instead of Promise<void>
// Before (still works - awaiting a non-promise is harmless)
await this.setState({ count: 1 });

// After (preferred)
this.setState({ count: 1 });

Existing code that uses await this.setState(...) will continue to work without changes.

onStateUpdate() no longer gates state broadcasts

Previously, if onStateUpdate() threw an error, the state update would be aborted. Now, onStateUpdate() runs asynchronously via ctx.waitUntil() after the state is persisted and broadcast. Errors in onStateUpdate() are routed to onError() but do not prevent the state from being saved or broadcast.

If you were using onStateUpdate() for validation, migrate to validateStateChange().

New Features

validateStateChange() validation hook

A new synchronous hook that runs before state is persisted or broadcast. Use this for validation:

validateStateChange(nextState: State, source: Connection | "server") {
  if (nextState.count < 0) {
    throw new Error("Count cannot be negative");
  }
}
  • Runs synchronously before persistence and broadcast
  • Throwing aborts the state update entirely
  • Ideal for validation logic
Execution order
  1. validateStateChange(nextState, source) - validation (sync, gating)
  2. State persisted to SQLite
  3. State broadcast to connected clients
  4. onStateUpdate(nextState, source) - notifications (async via ctx.waitUntil, non-gating)

  • #​815 ded8d3e Thanks @​threepointone! - docs: add OpenAI provider options documentation to scheduleSchema

    When using scheduleSchema with OpenAI models via the AI SDK, users must now pass providerOptions: { openai: { strictJsonSchema: false } } to generateObject. This is documented in the JSDoc for scheduleSchema.

    This is required because @ai-sdk/openai now defaults strictJsonSchema to true, which requires all schema properties to be in the required array. The scheduleSchema uses optional fields which are not compatible with this strict mode.

  • Updated dependencies [7aebab3, 77be4f8, a54edf5, 7c74336, 99cbca0]:

0.3.6

Patch Changes

0.3.5

Patch Changes

0.3.4

Patch Changes

Configuration

📅 Schedule: Branch creation - "on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@vercel
Copy link
Copy Markdown
Contributor

vercel bot commented Feb 9, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nuxt-mcp-toolkit-docs Ready Ready Preview, Comment Feb 10, 2026 9:05am

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new bot commented Feb 9, 2026
edited
Loading 

npm i https://pkg.pr.new/@nuxtjs/mcp-toolkit@120

commit: 19e2d8f

@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 54f82bf to 3303ba5 Compare February 9, 2026 08:26
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 3303ba5 to e3bc736 Compare February 9, 2026 15:34
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from e3bc736 to 4288041 Compare February 9, 2026 17:27
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 4288041 to fe00bb7 Compare February 9, 2026 17:48
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from fe00bb7 to 0308f7f Compare February 9, 2026 22:33
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 0308f7f to 47a73e6 Compare February 10, 2026 03:52
@renovate renovate bot force-pushed the renovate/all-minor-patch branch from 47a73e6 to 19e2d8f Compare February 10, 2026 06:36
@HugoRCD HugoRCD merged commit b996443 into main Feb 10, 2026
12 checks passed
@HugoRCD HugoRCD deleted the renovate/all-minor-patch branch February 10, 2026 09:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HugoRCD