warpdotdev · warpmachineuser · Jun 4, 2026 · Jun 8, 2026 · Jun 11, 2026 · Jun 11, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,7 +18,7 @@
   lint:
     timeout-minutes: 10
     name: lint
-    runs-on: ${{ github.repository == 'stainless-sdks/warp-api-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
+    runs-on: ubuntu-latest
     if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -41,7 +41,7 @@
     permissions:
       contents: read
       id-token: write
-    runs-on: ${{ github.repository == 'stainless-sdks/warp-api-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -56,40 +56,21 @@
       - name: Run build
         run: uv build
 
-      - name: Get GitHub OIDC Token
-        if: |-
-          github.repository == 'stainless-sdks/warp-api-python' &&
-          !startsWith(github.ref, 'refs/heads/stl/')
-        id: github-oidc
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: core.setOutput('github_token', await core.getIDToken());
-
-      - name: Upload tarball
-        if: |-
-          github.repository == 'stainless-sdks/warp-api-python' &&
-          !startsWith(github.ref, 'refs/heads/stl/')
-        env:
-          URL: https://pkg.stainless.com/s
-          AUTH: ${{ steps.github-oidc.outputs.github_token }}
-          SHA: ${{ github.sha }}
-        run: ./scripts/utils/upload-artifact.sh
-
   test:
+    if: (github.event_name == 'push' || github.event.pull_request.head.repo.fork) && (github.event_name != 'push' || github.event.head_commit.message != 'codegen metadata')
     timeout-minutes: 10
     name: test
-    runs-on: ${{ github.repository == 'stainless-sdks/warp-api-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
      - name: Install uv
        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2
        with:
          version: '0.10.2'

      - name: Bootstrap
        run: ./scripts/bootstrap

      - name: Run tests
        run: ./scripts/test
diff --git a/.github/workflows/promote_sdk.yml b/.github/workflows/promote_sdk.yml
@@ -0,0 +1,26 @@
+# Promote SDK updates from this staging repository to the corresponding
+# production repository.
+
+name: Promote SDK
+
+on:
+  workflow_dispatch:
+
+jobs:
+  promote:
+    name: promote
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ github.event.repository.default_branch }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Promote SDK to production
+        uses: warpdotdev/warp-github-actions/.github/actions/promote_sdk@main
+        with:
+          production_repo_token: ${{ secrets.STAINLESS_SDK_PROD_WRITE_TOKEN }}
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -1,13 +1,9 @@
-# This workflow is triggered when a GitHub release is created.
-# It can also be run manually to re-publish to PyPI in case it failed for some reason.
-# You can run this workflow by navigating to https://www.github.com/warpdotdev/oz-sdk-python/actions/workflows/publish-pypi.yml
+# workflow for re-running publishing to PyPI in case it fails for some reason
+# you can run this workflow by navigating to https://www.github.com/warpdotdev/oz-sdk-python/actions/workflows/publish-pypi.yml
 name: Publish PyPI
 on:
   workflow_dispatch:
 
-  release:
-    types: [published]
-
 jobs:
   publish:
     name: publish

diff --git a/.github/workflows/release-doctor.yml b/.github/workflows/release-doctor.yml
@@ -17,3 +17,5 @@ jobs:
       - name: Check release environment
         run: |
           bash ./bin/check-release-environment
+        env:
+          RELEASE_PLEASE_TOKEN: ${{ secrets.RELEASE_PLEASE_TOKEN }}
diff --git a/.stats.yml b/.stats.yml
@@ -1,4 +1 @@
 configured_endpoints: 23
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/warp-bnavetta/warp-api-964f646a32c318735de7673531a12788aede1840f7ab4893f2efa31c83440837.yml
-openapi_spec_hash: 30f07ff0bfb491efb11cd88fce79968a
-config_hash: 236823a4936c76818117c16aa5c188df
diff --git a/bin/check-release-environment b/bin/check-release-environment
@@ -2,6 +2,10 @@
 
 errors=()
 
+if [ -z "${RELEASE_PLEASE_TOKEN}" ]; then
+  errors+=("The RELEASE_PLEASE_TOKEN secret has not been set. Create a fine-grained GitHub PAT and add it as a repository secret.")
+fi
+
 lenErrors=${#errors[@]}
 
 if [[ lenErrors -gt 0 ]]; then

diff --git a/pyproject.toml b/pyproject.toml
@@ -41,11 +41,26 @@ Homepage = "https://github.com/warpdotdev/oz-sdk-python"
 Repository = "https://github.com/warpdotdev/oz-sdk-python"
 
 [project.optional-dependencies]
-aiohttp = ["aiohttp", "httpx_aiohttp>=0.1.9"]
+# Security pin: aiohttp<3.14.0 is vulnerable to multiple CVEs (CVE-2026-34993,
+# CVE-2026-47265, CVE-2026-54273 through CVE-2026-54280, CVE-2026-50269).
+# aiohttp 3.14.x dropped Python 3.9 support, so restrict to python_version >= '3.10'.
+aiohttp = ["aiohttp>=3.14.1; python_version >= '3.10'", "httpx_aiohttp>=0.1.9; python_version >= '3.10'"]
 
 [tool.uv]
 managed = true
 required-version = ">=0.9"
+# Security pin: idna is a transitive dependency (via httpx + anyio) and is not
+# declared above. Versions <3.15 are vulnerable to CVE-2026-45409
+# (GHSA-65pc-fj4g-8rjx), so constrain it without adding it as a direct
+# dependency. Sealed as custom code so it survives SDK regeneration.
+constraint-dependencies = [
+  "idna>=3.15",
+  # Security pin: pytest<9.0.3 is vulnerable to CVE-2025-71176 (tmpdir handling).
+  # pytest 9.0.3 requires Python>=3.10; pin only for compatible versions.
+  "pytest>=9.0.3; python_version >= '3.10'",
+  # Security pin: pygments<2.20.0 is vulnerable to CVE-2026-4539 (ReDoS).
+  "pygments>=2.20.0",
+]
 conflicts = [
     [
       { group = "pydantic-v1" },

diff --git a/release-please-config.json b/release-please-config.json
@@ -2,7 +2,7 @@
   "packages": {
     ".": {}
   },
-  "$schema": "https://raw.githubusercontent.com/stainless-api/release-please/main/schemas/config.json",
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
   "include-v-in-tag": true,
   "include-component-in-tag": false,
   "versioning": "prerelease",

diff --git a/requirements-dev.lock b/requirements-dev.lock
@@ -1,5 +1,5 @@
 # This file was autogenerated by uv via the following command:
-#    uv export -o requirements-dev.lock --no-hashes
+#    uv export --group dev --no-hashes
 -e .
 annotated-types==0.7.0
     # via pydantic
@@ -32,7 +32,7 @@ httpx==0.28.1
     # via
     #   oz-agent-sdk
     #   respx
-idna==3.11
+idna==3.18
     # via
     #   anyio
     #   httpx
@@ -62,7 +62,7 @@ pydantic==2.12.5
     # via oz-agent-sdk
 pydantic-core==2.41.5
     # via pydantic
-pygments==2.19.2
+pygments==2.20.0
     # via
     #   pytest
     #   rich
@@ -71,7 +71,7 @@ pytest==8.4.2 ; python_full_version < '3.10'
     # via
     #   pytest-asyncio
     #   pytest-xdist
-pytest==9.0.2 ; python_full_version >= '3.10'
+pytest==9.1.1 ; python_full_version >= '3.10'
     # via
     #   pytest-asyncio
     #   pytest-xdist

diff --git a/scripts/utils/upload-artifact.sh b/scripts/utils/upload-artifact.sh
@@ -20,7 +20,7 @@ UPLOAD_RESPONSE=$(curl -v -X PUT \
 
 if echo "$UPLOAD_RESPONSE" | grep -q "HTTP/[0-9.]* 200"; then
   echo -e "\033[32mUploaded build to Stainless storage.\033[0m"
-  echo -e "\033[32mInstallation: pip install 'https://pkg.stainless.com/s/warp-api-python/$SHA/$FILENAME'\033[0m"
+  echo -e "\033[32mInstallation: pip install 'https://pkg.stainless.com/s/oz-sdk-python-staging/$SHA/$FILENAME'\033[0m"
 else
   echo -e "\033[31mFailed to upload artifact.\033[0m"
   exit 1

diff --git a/src/oz_agent_sdk/_base_client.py b/src/oz_agent_sdk/_base_client.py
@@ -1397,7 +1397,7 @@ def __init__(self, **kwargs: Any) -> None:
 
 
 try:
-    import httpx_aiohttp
+    import httpx_aiohttp  # type: ignore[import]
 except ImportError:
 
     class _DefaultAioHttpClient(httpx.AsyncClient):
@@ -1411,7 +1411,7 @@ def __init__(self, **kwargs: Any) -> None:
             kwargs.setdefault("limits", DEFAULT_CONNECTION_LIMITS)
             kwargs.setdefault("follow_redirects", True)
 
-            super().__init__(**kwargs)
+            super().__init__(**kwargs)  # type: ignore[no-untyped-call]
 
 
 if TYPE_CHECKING:

diff --git a/src/oz_agent_sdk/resources/agent/agent.py b/src/oz_agent_sdk/resources/agent/agent.py
@@ -275,10 +275,10 @@ def run(
         extra_body: Body | None = None,
         timeout: float | httpx.Timeout | None | NotGiven = not_given,
     ) -> AgentRunResponse:
-        """Alias for POST /agent/run.
+        """Spawn a cloud agent with a prompt and optional configuration.
 
-        This is the preferred endpoint for creating new agent
-        runs. Behavior is identical to POST /agent/run.
+        The agent will be
+        queued for execution and assigned a unique run ID.
 
         Args:
           agent_identity_uid: Optional agent identity UID to use as the execution principal for the run. This
@@ -302,7 +302,8 @@ def run(
               hierarchies.
 
           prompt: The prompt/instruction for the agent to execute. Required unless a skill is
-              specified via the skill field, config.skill_spec, or config.skills.
+              specified via the skill field, config.skill_spec, or config.skills. Handoff
+              requests may omit prompt when conversation_id is set.
 
           skill:
               Skill specification to use as the base prompt for the agent. Supported formats:
@@ -566,10 +567,10 @@ async def run(
         extra_body: Body | None = None,
         timeout: float | httpx.Timeout | None | NotGiven = not_given,
     ) -> AgentRunResponse:
-        """Alias for POST /agent/run.
+        """Spawn a cloud agent with a prompt and optional configuration.
 
-        This is the preferred endpoint for creating new agent
-        runs. Behavior is identical to POST /agent/run.
+        The agent will be
+        queued for execution and assigned a unique run ID.
 
         Args:
           agent_identity_uid: Optional agent identity UID to use as the execution principal for the run. This
@@ -593,7 +594,8 @@ async def run(
               hierarchies.
 
           prompt: The prompt/instruction for the agent to execute. Required unless a skill is
-              specified via the skill field, config.skill_spec, or config.skills.
+              specified via the skill field, config.skill_spec, or config.skills. Handoff
+              requests may omit prompt when conversation_id is set.
 
           skill:
               Skill specification to use as the base prompt for the agent. Supported formats: