Release 2.0.1: Azure Foundry v1 API, credentials CLI improvements

- Azure Foundry: use ChatOpenAI + base_url for cognitiveservices.azure.com/openai/v1
- Strip provider prefix (azure:gpt-5-mini -> gpt-5-mini) when calling API
- credentials set: optional inline value and stdin; only mask api_key/token
- .env.example: document correct Azure endpoint (openai/v1 not openai/responses)

Made-with: Cursor

Author: rithulkamesh

.env.example

@@ -9,9 +9,12 @@ GOOGLE_API_KEY=
 
 # --- Azure OpenAI (GPT: gpt-4o, gpt-5-mini on same endpoint) ---
 # When set, GPT models use Azure; deployment name = model name (e.g. gpt-4o, gpt-5-mini).
-# AZURE_OPENAI_ENDPOINT=https://your-resource.services.ai.azure.com/...
+# Use the CHAT COMPLETIONS base URL, not the Responses API URL:
+#   - Correct (Azure Foundry): https://your-resource.cognitiveservices.azure.com/openai/v1
+#   - Wrong:  .../openai/responses (Responses API; causes 404 DeploymentNotFound)
+# AZURE_OPENAI_ENDPOINT=https://your-resource.cognitiveservices.azure.com/openai/v1
 # AZURE_OPENAI_API_KEY=
-# AZURE_OPENAI_API_VERSION=2024-05-01-preview
+# AZURE_OPENAI_API_VERSION=2025-04-01-preview
 # Optional default deployment if not passing model name: AZURE_OPENAI_DEPLOYMENT_NAME=gpt-5-mini
 
 # --- Azure Anthropic (Claude: e.g. claude-opus-4-6-2) ---

CHANGELOG.md

@@ -7,6 +7,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.0.1] — 2026-03-10
+
+### Added
+
+- **Azure Foundry (v1 API) support** — When `AZURE_OPENAI_ENDPOINT` points to Azure Foundry (URL contains `cognitiveservices.azure.com` or `/openai/v1`), the provider uses the v1 chat-completions API via `ChatOpenAI` with `base_url` instead of the legacy deployment-path API, fixing 404s on Foundry resources.
+- **Credentials `set` inline and stdin** — `hivemind credentials set <provider> <key> [value]` accepts an optional value; if omitted and stdin is not a TTY, reads value from stdin (e.g. `echo "https://..." | hivemind credentials set azure endpoint`).
+
+### Changed
+
+- **Credentials input masking** — Only sensitive keys (`api_key`, `token`) use hidden input; endpoint, deployment, and api_version prompts show typed input.
+- **Azure model spec** — Provider strips `provider:` prefix (e.g. `azure:gpt-5-mini` → `gpt-5-mini`) before sending to the API so deployment name is correct.
+- **.env.example** — Documents correct Azure Foundry endpoint (`.../openai/v1` for chat completions; avoid `.../openai/responses`).
+
+## [2.0.0] — 2026-03-10
+
+### Breaking Changes
+
+- Provider config schema updated: existing provider strings unchanged, new backends require new config sections
+- Agent execution now routed through AgentSandbox by default (disable with `sandbox.enabled = false`)
+- Memory storage now redacts PII by default if `compliance.pii_redaction = true`
+
+### Added
+
+- Abstract LLM router with Ollama, vLLM, and custom OpenAI-compatible endpoint backends
+- Provider fallback chains: automatic failover across backends
+- Agent sandboxing: resource quotas, tool category restrictions, per-role sandbox profiles
+- Audit logging: append-only JSONL with chain integrity verification
+- PII redaction: regex + optional spaCy NER, configurable PII types
+- GDPR/CCPA compliance config section
+- Decision tree and rationale generation for every agent action
+- Simulation mode: dry-run planning without LLM calls or tool execution
+- `hivemind explain`, `hivemind simulate`, `hivemind audit` CLI commands
+- PROVIDER_FALLBACK event type
+
+### Migration from 1.x
+
+See docs/migration/v2.md
+
 ## [1.10.5] - 2026-03-10
 
 ### Added

hivemind/cli/main.py

@@ -534,9 +534,9 @@ def _run_doctor() -> int:
 
 
 def _run_mcp_list() -> int:
-    """List all registered MCP servers and their tool counts."""
+    """List configured MCP servers and their tool counts (from live discovery)."""
     from hivemind.config import get_config
-    from hivemind.tools.registry import list_tools
+    from hivemind.tools.mcp import discover_mcp_tools
     cfg = get_config()
     servers = getattr(getattr(cfg, "mcp", None), "servers", None) or []
     try:
@@ -547,17 +547,14 @@ def _run_mcp_list() -> int:
         table.add_column("Name", style="cyan")
         table.add_column("Transport", style="dim")
         table.add_column("Tools", justify="right")
-        all_tools = list_tools()
-        mcp_tools = [t for t in all_tools if getattr(t, "category", "") == "mcp"]
-        by_server: dict[str, int] = {}
-        for t in mcp_tools:
-            name = getattr(t, "name", "")
-            if "." in name:
-                srv = name.split(".", 1)[0]
-                by_server[srv] = by_server.get(srv, 0) + 1
         for s in servers:
             sname = getattr(s, "name", "?")
-            table.add_row(sname, getattr(s, "transport", "?"), str(by_server.get(sname, 0)))
+            try:
+                adapters = discover_mcp_tools(s)
+                count = len(adapters)
+            except Exception:
+                count = "—"
+            table.add_row(sname, getattr(s, "transport", "?"), str(count))
         if not servers:
             console.print("No MCP servers configured. Add [[mcp.servers]] to hivemind.toml or use [cyan]hivemind mcp add[/].")
         else:
@@ -1277,6 +1274,124 @@ def _run_checkpoint_restore(run_id: str) -> int:
     return 0
 
 
+def _run_audit_dispatch(args: object) -> int:
+    """Audit: print table, export, or verify."""
+    from hivemind.config import get_config
+    from hivemind.audit.logger import AuditLogger
+    cmd = getattr(args, "audit_cmd", None)
+    run_id = getattr(args, "run_id", None)
+    export_fmt = getattr(args, "export", None)
+    if cmd == "verify":
+        run_id = getattr(args, "run_id", run_id)
+        if not run_id:
+            print("Error: run_id required for verify", file=sys.stderr)
+            return 1
+        cfg = get_config()
+        ok, msg = AuditLogger.verify(run_id, cfg.data_dir)
+        print(msg)
+        return 0 if ok else 1
+    if not run_id:
+        print("Error: run_id required (e.g. hivemind audit events_2025-03-10...)", file=sys.stderr)
+        return 1
+    cfg = get_config()
+    logger = AuditLogger(cfg.data_dir, run_id=run_id)
+    if export_fmt:
+        out = logger.export(run_id, format=export_fmt)
+        print(out)
+        return 0
+    out = logger.export(run_id, format="jsonl")
+    if not out:
+        print(f"No audit log for run_id={run_id}", file=sys.stderr)
+        return 1
+    try:
+        from rich.console import Console
+        from rich.table import Table
+        console = Console()
+        table = Table(title=f"Audit log: {run_id}")
+        table.add_column("timestamp")
+        table.add_column("event_type")
+        table.add_column("task_id")
+        table.add_column("resource")
+        table.add_column("success")
+        for line in out.strip().split("\n"):
+            if not line:
+                continue
+            import json
+            r = json.loads(line)
+            table.add_row(
+                r.get("timestamp", "")[:19],
+                r.get("event_type", ""),
+                r.get("task_id", ""),
+                r.get("resource", ""),
+                str(r.get("success", "")),
+            )
+        console.print(table)
+    except Exception:
+        print(out)
+    return 0
+
+
+def _run_explain(args: object) -> int:
+    """Explain: decision records for run or task."""
+    run_id = getattr(args, "run_id", None)
+    task_id = getattr(args, "task_id", None)
+    if not run_id:
+        print("Error: run_id required", file=sys.stderr)
+        return 1
+    try:
+        from hivemind.explainability.decision_tree import DecisionTreeBuilder
+        from hivemind.config import get_config
+        cfg = get_config()
+        events_dir = cfg.events_dir
+        builder = DecisionTreeBuilder()
+        records = builder.build_from_events(run_id, events_dir)
+        if not records:
+            print(f"No decision records for run_id={run_id}", file=sys.stderr)
+            return 1
+        if task_id:
+            records = [r for r in records if r.task_id == task_id]
+            if not records:
+                print(f"No task {task_id} in run {run_id}", file=sys.stderr)
+                return 1
+        for r in records:
+            print(f"--- {r.task_id} ---")
+            print(f"  strategy: {r.strategy_selected}")
+            print(f"  model: {r.model_selected} ({r.model_tier})")
+            print(f"  tools: {r.tools_selected}")
+            print(f"  confidence: {r.confidence:.0%}")
+            print(f"  rationale: {r.rationale[:300]}..." if len(r.rationale or "") > 300 else f"  rationale: {r.rationale}")
+        return 0
+    except Exception as e:
+        print(f"Error: {e}", file=sys.stderr)
+        return 1
+
+
+def _run_simulate(args: object) -> int:
+    """Simulate: dry-run planning, no LLM or tools."""
+    import asyncio
+    task = getattr(args, "task", "")
+    cost_only = getattr(args, "cost_only", False) or getattr(args, "cost", False)
+    if not task:
+        print("Error: task required (e.g. hivemind simulate \"Summarize X\")", file=sys.stderr)
+        return 1
+    try:
+        from hivemind.explainability.simulation import SimulationMode
+        sim = SimulationMode()
+        report = asyncio.run(sim.simulate(task))
+        if cost_only:
+            print(f"Estimated cost: {getattr(report, 'estimated_cost', 'N/A')}")
+            return 0
+        print(f"Tasks: {len(report.task_list)}")
+        for t in report.task_list:
+            print(f"  - {t}")
+        print(f"Estimated cost: {getattr(report, 'estimated_cost', 'N/A')}")
+        print(f"Estimated duration: {getattr(report, 'estimated_duration', 'N/A')}")
+        return 0
+    except Exception as e:
+        print(f"Error: {e}", file=sys.stderr)
+        return 1
+
+
 def _run_health(args: object) -> int:
     """Run health checks. Exit 0 if healthy, 1 otherwise. Print ✓/✗ per check."""
     import asyncio
@@ -1867,6 +1982,7 @@ def main() -> int:
         epilog="""
 Examples:
   hivemind credentials set openai api_key
+  hivemind credentials set azure endpoint \"https://.../openai/v1\"
   hivemind credentials list
   hivemind credentials migrate
   hivemind credentials export azure    # print env KEY=value for sourcing
@@ -1890,6 +2006,11 @@ def main() -> int:
         nargs="?",
         help="Key name (e.g. api_key)",
     )
+    credentials_parser.add_argument(
+        "value",
+        nargs="?",
+        help="Value (for set only). Omit to be prompted, or pipe: echo 'val' | hivemind credentials set azure endpoint",
+    )
     credentials_parser.set_defaults(func=lambda a: _run_credentials(a))
 
     completion_parser = subparsers.add_parser(
@@ -1965,6 +2086,37 @@ def main() -> int:
     checkpoint_restore_p.set_defaults(func=_run_checkpoint_dispatch)
     checkpoint_parser.set_defaults(checkpoint_cmd="list", func=_run_checkpoint_dispatch)
 
+    audit_parser = subparsers.add_parser(
+        "audit",
+        help="View or export audit log for a run",
+        description="Print audit log as table, export to CSV/JSONL, or verify chain integrity.",
+    )
+    audit_parser.add_argument("run_id", nargs="?", default=None, help="Run ID (e.g. events_...)")
+    audit_parser.add_argument("--export", choices=["jsonl", "csv", "siem"], default=None, help="Export format")
+    audit_sub = audit_parser.add_subparsers(dest="audit_cmd", help="Subcommand")
+    audit_verify_p = audit_sub.add_parser("verify", help="Verify audit log chain integrity")
+    audit_verify_p.add_argument("run_id", help="Run ID to verify")
+    audit_verify_p.set_defaults(audit_cmd="verify")
+    audit_parser.set_defaults(func=_run_audit_dispatch)
+
+    explain_parser = subparsers.add_parser(
+        "explain",
+        help="Show decision records for a run or task",
+        description="Print decision tree and rationale for agent actions.",
+    )
+    explain_parser.add_argument("run_id", help="Run ID")
+    explain_parser.add_argument("task_id", nargs="?", default=None, help="Optional task ID for single task")
+    explain_parser.set_defaults(func=_run_explain)
+
+    simulate_parser = subparsers.add_parser(
+        "simulate",
+        help="Dry-run planning without LLM or tool execution",
+        description="Run planner and scheduler only; output task list and cost estimate.",
+    )
+    simulate_parser.add_argument("task", help="Root task description")
+    simulate_parser.add_argument("--cost", action="store_true", help="Print cost estimate only")
+    simulate_parser.set_defaults(func=_run_simulate)
+
     health_parser = subparsers.add_parser(
         "health",
         help="Health and readiness check",

hivemind/credentials/cli.py

@@ -24,6 +24,9 @@
     "azure_anthropic": ["endpoint", "api_key", "deployment"],
 }
 
+# Keys that must never be shown in list (only "(stored)"); all others can show value
+SENSITIVE_KEYS = {"api_key", "token"}
+
 # (provider, key) -> env var name for export
 PROVIDER_KEY_TO_ENV: dict[tuple[str, str], str] = {
     ("openai", "api_key"): "OPENAI_API_KEY",
@@ -66,20 +69,37 @@ def _run_credentials_export(provider: str) -> int:
     return 0
 
 
-def _run_credentials_set(provider: str, key: str) -> int:
-    """Prompt for value and store credential."""
+def _run_credentials_set(provider: str, key: str, value: str | None = None) -> int:
+    """Store credential. Value can be passed inline, read from stdin, or prompted interactively."""
     if provider not in KNOWN_CREDENTIALS:
         print(f"Unknown provider: {provider}", file=sys.stderr)
         return 1
     if key not in KNOWN_CREDENTIALS[provider]:
         print(f"Unknown key for {provider}: {key}", file=sys.stderr)
         return 1
-    try:
-        value = getpass.getpass(f"Enter value for {provider}/{key}: ")
-    except (KeyboardInterrupt, EOFError):
-        print("\nCancelled.", file=sys.stderr)
-        return 130
-    if not value.strip():
+
+    if value is not None and value.strip():
+        # Inline value from CLI
+        pass
+    elif not sys.stdin.isatty():
+        # Piped input: echo "val" | hivemind credentials set ...
+        try:
+            value = sys.stdin.read().strip()
+        except (KeyboardInterrupt, EOFError):
+            print("\nCancelled.", file=sys.stderr)
+            return 130
+    else:
+        # Interactive prompt
+        try:
+            if key in SENSITIVE_KEYS:
+                value = getpass.getpass(f"Enter value for {provider}/{key}: ")
+            else:
+                value = input(f"Enter value for {provider}/{key}: ")
+        except (KeyboardInterrupt, EOFError):
+            print("\nCancelled.", file=sys.stderr)
+            return 130
+
+    if not value or not value.strip():
         print("Empty value, not stored.", file=sys.stderr)
         return 1
     set_credential(provider, key, value.strip())
@@ -88,16 +108,23 @@ def _run_credentials_set(provider: str, key: str) -> int:
 
 
 def _run_credentials_list() -> int:
-    """List credentials as table (provider, key). Never shows values."""
+    """List credentials as table (provider, key, value). Secret keys show '(stored)', others show value."""
     creds = list_credentials()
     if not creds:
         print("No credentials stored.")
         return 0
     table = Table(title="Stored credentials")
     table.add_column("Provider", style="cyan")
     table.add_column("Key", style="green")
+    table.add_column("Value", style="dim")
     for c in creds:
-        table.add_row(c["provider"], c["key"])
+        p, k = c["provider"], c["key"]
+        if k in SENSITIVE_KEYS:
+            value = "(stored)"
+        else:
+            val = get_credential(p, k)
+            value = (val[:60] + "…") if val and len(val) > 60 else (val or "")
+        table.add_row(p, k, value)
     console = Console()
     console.print(table)
     return 0
@@ -147,9 +174,10 @@ def run_credentials(args: object) -> int:
 
     if sub == "set":
         if not provider or not key:
-            print("Usage: hivemind credentials set <provider> <key>", file=sys.stderr)
+            print("Usage: hivemind credentials set <provider> <key> [value]", file=sys.stderr)
             return 1
-        return _run_credentials_set(provider, key)
+        value = getattr(args, "value", None)
+        return _run_credentials_set(provider, key, value)
     if sub == "list":
         return _run_credentials_list()
     if sub == "delete":