Merge branch 'feat/langchain-stdio-support'

Author: RadCod3

.github/workflows/release-docker.yml

@@ -23,6 +23,11 @@ on:
         description: "Human-readable image title for OCI labels (e.g., AFM Ballerina Interpreter)"
         required: true
         type: string
+      build_slim:
+        description: "Whether to build and push a slim image variant"
+        required: false
+        default: false
+        type: boolean
 
 jobs:
   docker:
@@ -85,6 +90,7 @@ jobs:
             index:org.opencontainers.image.licenses=Apache-2.0
 
       - name: Build and push slim image
+        if: ${{ inputs.build_slim }}
         uses: docker/build-push-action@v5
         with:
           context: ${{ inputs.context }}
@@ -102,18 +108,37 @@ jobs:
             index:org.opencontainers.image.source=https://github.com/${{ github.repository }}
             index:org.opencontainers.image.licenses=Apache-2.0
 
-      - name: Scan Docker image for vulnerabilities
+      - name: Scan full Docker image for vulnerabilities
         uses: aquasecurity/trivy-action@0.34.0
         with:
           image-ref: ${{ steps.docker-tags.outputs.FULL_IMAGE }}:v${{ inputs.version }}
           format: "sarif"
-          output: "trivy-results.sarif"
+          output: "trivy-results-full.sarif"
           severity: "CRITICAL,HIGH"
           limit-severities-for-sarif: true
           exit-code: "1"
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload full image Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v4
         if: always()
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: "trivy-results-full.sarif"
+          category: "trivy-full-${{ inputs.image_name }}"
+
+      - name: Scan slim Docker image for vulnerabilities
+        if: ${{ always() && inputs.build_slim }}
+        uses: aquasecurity/trivy-action@0.34.0
+        with:
+          image-ref: ${{ steps.docker-tags.outputs.FULL_IMAGE }}:v${{ inputs.version }}-slim
+          format: "sarif"
+          output: "trivy-results-slim.sarif"
+          severity: "CRITICAL,HIGH"
+          limit-severities-for-sarif: true
+          exit-code: "1"
+
+      - name: Upload slim image Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v4
+        if: ${{ always() && inputs.build_slim }}
+        with:
+          sarif_file: "trivy-results-slim.sarif"
+          category: "trivy-slim-${{ inputs.image_name }}"

.github/workflows/release-python.yml

@@ -4,16 +4,16 @@ on:
   workflow_dispatch:
     inputs:
       package:
-        description: 'Python package to release'
+        description: "Python package to release"
         required: true
         type: choice
         options:
           - afm-core
           - afm-langchain
       branch:
-        description: 'Branch to release from'
+        description: "Branch to release from"
         required: false
-        default: 'main'
+        default: "main"
         type: string
       skip_pypi:
         description: 'Skip PyPI publishing'
@@ -126,12 +126,11 @@ jobs:
   pypi-publish:
     needs: [validate, test, docker]
     if: >-
-          !cancelled()
-          && !inputs.skip_pypi
-          && needs.validate.result == 'success'
-          && needs.test.result == 'success'
-          && (needs.docker.result == 'success'
-            || needs.docker.result == 'skipped')
+      !cancelled()
+      && needs.validate.result == 'success'
+      && needs.test.result == 'success'
+      && (needs.docker.result == 'success'
+        || needs.docker.result == 'skipped')
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
@@ -187,19 +186,19 @@ jobs:
       version: ${{ needs.validate.outputs.release_version }}
       branch: ${{ inputs.branch }}
       image_title: AFM LangChain Interpreter
+      build_slim: false
     permissions:
       packages: write
       security-events: write
 
   finalize:
     needs: [validate, pypi-publish, docker]
     if: >-
-          !cancelled()
-          && needs.validate.result == 'success'
-          && (needs.pypi-publish.result == 'success'
-            || needs.pypi-publish.result == 'skipped')
-          && (needs.docker.result == 'success'
-            || needs.docker.result == 'skipped')
+      !cancelled()
+      && needs.validate.result == 'success'
+      && needs.pypi-publish.result == 'success'
+      && (needs.docker.result == 'success'
+        || needs.docker.result == 'skipped')
     uses: ./.github/workflows/release-finalize.yml
     with:
       tag: ${{ needs.validate.outputs.tag }}
@@ -214,9 +213,9 @@ jobs:
   bump-version:
     needs: [validate, finalize]
     if: >-
-          !cancelled()
-          && needs.validate.result == 'success'
-          && needs.finalize.result == 'success'
+      !cancelled()
+      && needs.validate.result == 'success'
+      && needs.finalize.result == 'success'
     runs-on: ubuntu-latest
     permissions:
       contents: write

ballerina-interpreter/Dependencies.toml

@@ -5,7 +5,7 @@
 
 [ballerina]
 dependencies-toml-version = "2"
-distribution-version = "2201.12.7"
+distribution-version = "2201.13.1"
 
 [[package]]
 org = "ballerina"
@@ -90,7 +90,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "data.xmldata"
-version = "1.5.2"
+version = "1.6.0"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"},
 	{org = "ballerina", name = "lang.object"}
@@ -121,7 +121,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.14.9"
+version = "2.15.4"
 dependencies = [
 	{org = "ballerina", name = "auth"},
 	{org = "ballerina", name = "cache"},
@@ -154,7 +154,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "io"
-version = "1.8.1"
+version = "1.8.0"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"},
 	{org = "ballerina", name = "lang.value"}
@@ -278,7 +278,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "log"
-version = "2.14.0"
+version = "2.17.0"
 dependencies = [
 	{org = "ballerina", name = "io"},
 	{org = "ballerina", name = "jballerina.java"},
@@ -318,7 +318,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "oauth2"
-version = "2.14.1"
+version = "2.15.0"
 dependencies = [
 	{org = "ballerina", name = "cache"},
 	{org = "ballerina", name = "crypto"},
@@ -331,7 +331,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "observe"
-version = "1.6.0"
+version = "1.7.0"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"}
 ]
@@ -375,7 +375,7 @@ modules = [
 [[package]]
 org = "ballerina"
 name = "time"
-version = "2.8.1"
+version = "2.8.0"
 dependencies = [
 	{org = "ballerina", name = "jballerina.java"}
 ]

ballerina-interpreter/agent.bal

@@ -31,9 +31,8 @@ function createAgent(AFMRecord afmRecord) returns ai:Agent|error {
     if mcpServers is MCPServer[] {
         foreach MCPServer mcpConn in mcpServers {
             Transport transport = mcpConn.transport;
-            if transport.'type != "http" {
-                log:printWarn(string `Unsupported transport type: ${transport.'type}, only 'http' is supported`);
-                continue;
+            if transport is StdioTransport {
+                return error("Stdio transport is not yet supported by the Ballerina interpreter");
             }
 
             string[]? filteredTools = getFilteredTools(mcpConn.tool_filter);

ballerina-interpreter/parser.bal

@@ -246,12 +246,38 @@ function validateHttpVariables(AFMRecord afmRecord) returns error? {
                 }
 
                 Transport transport = server.transport;
-                if containsHttpVariable(transport.url) {
-                    erroredKeys.push("tools.mcp.transport.url");
-                }
-
-                if authenticationContainsHttpVariable(transport.authentication) {
-                    erroredKeys.push("tools.mcp.transport.authentication");
+                if transport is HttpTransport {
+                    if containsHttpVariable(transport.url) {
+                        erroredKeys.push("tools.mcp.transport.url");
+                    }
+
+                    if authenticationContainsHttpVariable(transport.authentication) {
+                        erroredKeys.push("tools.mcp.transport.authentication");
+                    }
+                } else {
+                    if containsHttpVariable(transport.command) {
+                        erroredKeys.push("tools.mcp.transport.command");
+                    }
+
+                    string[]? args = transport.args;
+                    if args is string[] {
+                        foreach string arg in args {
+                            if containsHttpVariable(arg) {
+                                erroredKeys.push("tools.mcp.transport.args");
+                                break;
+                            }
+                        }
+                    }
+
+                    map<string>? env = transport.env;
+                    if env is map<string> {
+                        foreach string val in env {
+                            if containsHttpVariable(val) {
+                                erroredKeys.push("tools.mcp.transport.env");
+                                break;
+                            }
+                        }
+                    }
                 }
 
                 if toolFilterContainsHttpVariable(server.tool_filter) {

ballerina-interpreter/types.bal

@@ -27,15 +27,25 @@ type Model record {|
 |};
 
 enum TransportType {
-    http
+    http,
+    stdio
 }
 
-type Transport record {|
+type HttpTransport record {|
     http 'type = http;
     string url;
     ClientAuthentication authentication?;
 |};
 
+type StdioTransport record {|
+    stdio 'type = stdio;
+    string command;
+    string[] args?;
+    map<string> env?;
+|};
+
+type Transport HttpTransport|StdioTransport;
+
 type ClientAuthentication record {
     string 'type;
 };

python-interpreter/Dockerfile

@@ -35,7 +35,6 @@ ARG VARIANT=full
 
 RUN if [ "$VARIANT" = "full" ]; then \
         apk add --no-cache nodejs npm git && \
-        echo "Full variant: nodejs, npm, git installed"; \
     fi
 
 # Install uv and uvx for Python-based MCP server support (full variant only)

python-interpreter/packages/afm-langchain/src/afm_langchain/tools/mcp.py

@@ -19,10 +19,6 @@
 import logging
 
 import httpx
-from langchain_core.tools import BaseTool
-from langchain_mcp_adapters.client import MultiServerMCPClient
-from langchain_mcp_adapters.sessions import StdioConnection, StreamableHttpConnection
-
 from afm.exceptions import (
     MCPAuthenticationError,
     MCPConnectionError,
@@ -36,6 +32,9 @@
     StdioTransport,
     ToolFilter,
 )
+from langchain_core.tools import BaseTool
+from langchain_mcp_adapters.client import MultiServerMCPClient
+from langchain_mcp_adapters.sessions import StdioConnection, StreamableHttpConnection
 
 logger = logging.getLogger(__name__)
 
@@ -164,7 +163,6 @@ def _build_connection_config(self) -> StreamableHttpConnection | StdioConnection
             return config
 
         else:
-            # StdioTransport
             config: StdioConnection = {
                 "transport": "stdio",
                 "command": self.transport.command,