chore(deps): bump the ag-ui group across 1 directory with 5 updates

[dependabot]

Bumps the ag-ui group with 4 updates in the / directory: @ag-ui/core, @ag-ui/client, @ag-ui/mastra and @mastra/client-js.

Updates @ag-ui/core from 0.0.44 to 0.0.47

Updates @ag-ui/client from 0.0.44 to 0.0.47

Updates @ag-ui/mastra from 1.0.0 to 1.0.1

Updates @mastra/client-js from 1.1.0 to 1.7.3

Release notes

Sourced from @​mastra/client-js's releases.

February 24, 2026

Highlights

Background Process Management in Workspaces & Sandboxes

Workspaces now support spawning and managing long-running background processes (via SandboxProcessManager / ProcessHandle), with new tools like execute_command (background: true), get_process_output, and kill_process plus improved streaming terminal-style UI.

Runtime Tool Configuration Updates via Workspace.setToolsConfig()

You can dynamically enable/disable tools at runtime on an existing workspace instance (including re-enabling all tools by passing undefined), enabling safer modes like plan/read-only without recreating the workspace.

Observational Memory Reliability & Introspection Improvements

Core adds Harness.getObservationalMemoryRecord() for public access to the full OM record for the current thread, while @mastra/memory fixes major OM stability issues (shared tokenizer to prevent OOM/memory leaks, plus PostgreSQL deadlock fixes and clearer errors when threadId is missing).

Changelog

@​mastra/core@​1.7.0

Minor Changes

• Added getObservationalMemoryRecord() method to the Harness class. Fixes #13392. (#13395)

  This provides public access to the full ObservationalMemoryRecord for the current thread, including activeObservations, generationCount, and observationTokenCount. Previously, accessing raw observation text required bypassing the Harness abstraction by reaching into private storage internals.

  const record = await harness.getObservationalMemoryRecord();
  if (record) {
    console.log(record.activeObservations);
  }

• Added Workspace.setToolsConfig() method for dynamically updating per-tool configuration at runtime without recreating the workspace instance. Passing undefined re-enables all tools. (#13439)

  const workspace = new Workspace({ filesystem, sandbox });
  // Disable write tools (e.g., in plan/read-only mode)
  workspace.setToolsConfig({
  mastra_workspace_write_file: { enabled: false },
  mastra_workspace_edit_file: { enabled: false },
  });
  // Re-enable all tools
  workspace.setToolsConfig(undefined);

• Added HarnessDisplayState so any UI can read a single state snapshot instead of handling 35+ individual events. (#13427)

  Why: Previously, every UI (TUI, web, desktop) had to subscribe to dozens of granular Harness events and independently reconstruct what to display. This led to duplicated state tracking and inconsistencies across UI implementations. Now the Harness maintains a single canonical display state that any UI can read.

  Before: UIs subscribed to raw events and built up display state locally:

... (truncated)

Changelog

Sourced from @​mastra/client-js's changelog.

1.7.3

Patch Changes

• Fix agent losing conversation context ("amnesia") when using client-side tools with stateless server deployments. Recursive calls after tool execution now include the full conversation history when no threadId is provided. (#11476)

• Updated dependencies [41e48c1, 82469d3, 33e2fd5, 7ef6e2c, b12d2a5, fa37d39, b12d2a5, 71c38bf, f993c38, f51849a, 9bf3a0d, cafa045, 1fd9ddb, 6135ef4, d9d228c, 5576507, 79d69c9, 94f44b8, 13187db, 2ae5311, 6135ef4]:

  • @​mastra/core@​1.10.0

1.7.3-alpha.0

Patch Changes

• Fix agent losing conversation context ("amnesia") when using client-side tools with stateless server deployments. Recursive calls after tool execution now include the full conversation history when no threadId is provided. (#11476)

• Updated dependencies [41e48c1, 82469d3, 33e2fd5, 7ef6e2c, b12d2a5, fa37d39, b12d2a5, 71c38bf, f993c38, f51849a, 9bf3a0d, cafa045, 1fd9ddb, 6135ef4, d9d228c, 5576507, 79d69c9, 94f44b8, 13187db, 2ae5311, 6135ef4]:

  • @​mastra/core@​1.10.0-alpha.0

1.7.2

Patch Changes

• Added getFullUrl helper method for constructing auth redirect URLs and exported the AuthCapabilities type. HTTP retries now skip 4xx client errors to avoid retrying authentication failures. (#13163)

• Fixed CMS features (Create an agent button, clone, edit, create scorer) not appearing in built output. The build command now writes package metadata so the studio can detect installed Mastra packages at runtime. (#13163)

• Updated dependencies [504fc8b, f9c150b, 88de7e8, edee4b3, 3790c75, e7a235b, d51d298, 6dbeeb9, d5f0d8d, 09c3b18, b896379, 85c84eb, a89272a, ee9c8df, 77b4a25, 276246e, 08ecfdb, d5f628c, 524c0f3, c18a0e9, 4bd21ea, 115a7a4, 22a48ae, 3c6ef79, 9311c17, 7edf78f, 1c4221c, d25b9ea, fe1ce5c, b03c0e0, 0a8366b, 85664e9, bc79650, 9257d01, 3a3a59e, 3108d4e, 0c33b2c, 191e5bd, f77cd94, e8135c7, daca48f, 257d14f, 352f25d, 93477d0, 31c78b3, 0bc0720, 36516ac, e947652, 3c6ef79, 9257d01, ec248f6]:

  • @​mastra/core@​1.9.0

1.7.2-alpha.0

Patch Changes

• Added getFullUrl helper method for constructing auth redirect URLs and exported the AuthCapabilities type. HTTP retries now skip 4xx client errors to avoid retrying authentication failures. (#13163)

• Fixed CMS features (Create an agent button, clone, edit, create scorer) not appearing in built output. The build command now writes package metadata so the studio can detect installed Mastra packages at runtime. (#13163)

• Updated dependencies [504fc8b, f9c150b, 88de7e8, edee4b3, 3790c75, e7a235b, d51d298, 6dbeeb9, d5f0d8d, 09c3b18, b896379, 85c84eb, a89272a, ee9c8df, 77b4a25, 276246e, 08ecfdb, d5f628c, 524c0f3, c18a0e9, 4bd21ea, 115a7a4, 22a48ae, 3c6ef79, 9311c17, 7edf78f, 1c4221c, d25b9ea, fe1ce5c, b03c0e0, 0a8366b, 85664e9, bc79650, 9257d01, 3a3a59e, 3108d4e, 0c33b2c, 191e5bd, f77cd94, e8135c7, daca48f, 257d14f, 352f25d, 93477d0, 31c78b3, 0bc0720, 36516ac, e947652, 3c6ef79, 9257d01, ec248f6]:

  • @​mastra/core@​1.9.0-alpha.0

1.7.1

Patch Changes

• Updated dependencies [df170fd, ae55343, c290cec, f03e794, aa4a5ae, de3f584, d3fb010, 702ee1c, f495051, e622f1d, 8d14a59, 861f111, 00f43e8, 1b6f651, 96a1702, cb9f921, 114e7c1, 1b6f651, 72df4a8]:
  • @​mastra/core@​1.8.0
  • @​mastra/schema-compat@​1.1.3

1.7.1-alpha.0

... (truncated)

Commits

• 63ef4a0 chore: version - exit prerelease mode
• 38a3349 chore: version packages (alpha) (#13766)
• d1e26f0 fix(client-js): preserve conversation history in recursive calls for stateles...
• 812a472 chore: version - exit prerelease mode
• edfda99 chore: version packages (alpha) (#13523)
• 6dbeeb9 feat: auth core, server RBAC, and adapter permission enforcement (#13163)
• aaede49 fix(client-js): add missing JSON-RPC 2.0 envelope to A2A client requests (#13...
• d1bc3b4 chore: version - exit prerelease mode
• 6302b3a chore: version packages (alpha) (#13455)
• ea69176 chore: version - exit prerelease mode
• Additional commits viewable in compare view

Updates @mastra/core from 1.1.0 to 1.10.0

Release notes

Sourced from @​mastra/core's releases.

March 5, 2026

Highlights

Tool inputExamples to improve model tool-call accuracy

Tool definitions can now include inputExamples, which are passed through to models that support them (e.g., Anthropic’s input_examples) to demonstrate valid inputs and reduce malformed tool calls.

MCP client fetch hooks now receive RequestContext (auth/cookie forwarding)

@mastra/mcp adds requestContext support to custom fetch functions for MCP HTTP server definitions, enabling request-scoped forwarding of cookies/bearer tokens during tool execution while remaining backward compatible with (url, init) fetch signatures.

Reliability + DX fixes for agents, streaming, and memory cleanup

Provider stream errors are now consistently surfaced from generate()/resumeGenerate(), AI SDK errors are routed through the Mastra logger with structured context, client-side tools no longer lose history in stateless deployments, and memory.deleteThread()/deleteMessages() now automatically cleans up orphaned vector embeddings across supported vector stores.

Changelog

@​mastra/core@​1.10.0

Minor Changes

• Add inputExamples support on tool definitions to show AI models what valid tool inputs look like. Models that support this (e.g., Anthropic's input_examples) will receive the examples alongside the tool schema, improving tool call accuracy. (#12932)

  • Added optional inputExamples field to ToolAction, CoreTool, and Tool class

  const weatherTool = createTool({
    id: "get-weather",
    description: "Get weather for a location",
    inputSchema: z.object({
      city: z.string(),
      units: z.enum(["celsius", "fahrenheit"])
    }),
    inputExamples: [{ input: { city: "New York", units: "fahrenheit" } }, { input: { city: "Tokyo", units: "celsius" } }],
    execute: async ({ city, units }) => {
      return await fetchWeather(city, units);
    }
  });

Patch Changes

• dependencies updates: (#13209)

  • Updated dependency p-map@^7.0.4 ↗︎ (from ^7.0.3, in dependencies)

• dependencies updates: (#13210)

  • Updated dependency p-retry@^7.1.1 ↗︎ (from ^7.1.0, in dependencies)

• Update provider registry and model documentation with latest models and providers (33e2fd5)

• Fixed execute_command tool timeout parameter to accept seconds instead of milliseconds, preventing agents from accidentally setting extremely short timeouts (#13799)

... (truncated)

Changelog

Sourced from @​mastra/core's changelog.

1.10.0

Minor Changes

• Added editor shorthand to MastraCompositeStore for routing all editor-related domains (agents, prompt blocks, scorer definitions, MCP clients, MCP servers, workspaces, skills) to a single storage backend. Priority: domains > editor > default. (#13727)

  import { MastraCompositeStore } from '@mastra/core/storage';
  new MastraCompositeStore({
  id: 'composite',
  default: postgresStore,
  editor: filesystemStore,
  });

  Improved code-agent editing so editor overrides can be applied and reverted without losing original dynamic values for fields like instructions, model, and tools.

• Added FilesystemStore, a file-based storage adapter for editor domains. Stores agent configurations, prompt blocks, scorer definitions, MCP clients, MCP servers, workspaces, and skills as JSON files in a local directory (default: .mastra-storage/). Only published snapshots are written to disk — version history is kept in memory. Use with MastraCompositeStore's editor shorthand to enable Git-friendly editor configurations. (#13727)

  import { FilesystemStore, MastraCompositeStore } from '@mastra/core/storage';
  import { PostgresStore } from '@mastra/pg';
  export const mastra = new Mastra({
  storage: new MastraCompositeStore({
  id: 'composite',
  default: new PostgresStore({ id: 'pg', connectionString: process.env.DATABASE_URL }),
  editor: new FilesystemStore({ dir: '.mastra-storage' }),
  }),
  });

  Added applyStoredOverrides to the editor agent namespace. When a stored configuration exists for a code-defined agent, the editor merges the stored instructions and tools on top of the code agent's values at runtime. Model, memory, workspace, and other code-defined fields are never overridden — they may contain SDK instances or dynamic functions that cannot be safely serialized. Original code-defined values are preserved via a WeakMap and restored if the stored override is deleted.

• Add inputExamples support on tool definitions to show AI models what valid tool inputs look like. Models that support this (e.g., Anthropic's input_examples) will receive the examples alongside the tool schema, improving tool call accuracy. (#12932)

  • Added optional inputExamples field to ToolAction, CoreTool, and Tool class

  const weatherTool = createTool({
    id: 'get-weather',
    description: 'Get weather for a location',
    inputSchema: z.object({
      city: z.string(),
      units: z.enum(['celsius', 'fahrenheit']),
    }),
    inputExamples: [
      { input: { city: 'New York', units: 'fahrenheit' } },
      { input: { city: 'Tokyo', units: 'celsius' } },
    ],

... (truncated)

Commits

• 63ef4a0 chore: version - exit prerelease mode
• 38a3349 chore: version packages (alpha) (#13766)
• fa37d39 fix: make skill tools stateless, consolidate, and update playground UI (#13744)
• 33e2fd5 chore: regenerate providers and docs [skip ci]
• 79d69c9 Fix RequestContext constructor crashing when constructed from a deserialized ...
• 94f44b8 fix(core): route LLM errors through Mastra logger (#13857)
• 2ae5311 feat(core): add inputExamples support to tool definitions (#12932)
• b8753cf fix(llm): give Mastra logger to loop() function (#12580)
• d9d228c fix: filter empty aiV5 llmPrompt messages from source-only assistant parts (#...
• f993c38 fix(harness): use mediaType instead of mimeType in sendMessage file parts (#1...
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
@mastra/client-js	[>= 0.16.a, < 0.17]
@mastra/core	[>= 0.24.a, < 0.25]
@mastra/core	[< 1, > 0.20.2]
@mastra/client-js	[>= 0.17.a, < 0.18]

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cloud	Error		Apr 20, 2026 11:22pm
showcase	Error		Apr 20, 2026 11:22pm
tambo-docs	Error		Apr 20, 2026 11:22pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​mastra/​core@​1.1.0 ⏵ 1.25.0	-17		+1
	@​radix-ui/​react-slot@​1.2.4
	@​radix-ui/​react-tabs@​1.1.13
	@​react-leaflet/​core@​2.1.0
	@​radix-ui/​react-radio-group@​1.3.8
	@​radix-ui/​react-tooltip@​1.2.8
	@​radix-ui/​react-toast@​1.2.15
	@​radix-ui/​react-scroll-area@​1.2.10
	@​radix-ui/​react-select@​2.2.6
	@​mastra/​client-js@​1.1.0 ⏵ 1.13.4					-19
	@​react-email/​components@​1.0.8
	@​ag-ui/​core@​0.0.46 ⏵ 0.0.52			+1	-1
	@​ag-ui/​client@​0.0.46 ⏵ 0.0.52			+1	-1

View full report

[pullfrog]

TL;DR — Bumps the AG-UI dependency group (@ag-ui/core, @ag-ui/client, @ag-ui/mastra, @mastra/client-js) across four packages, with the lockfile pulling in @mastra/core transitively.

Key changes

• @ag-ui/core — ^0.0.44 → ^0.0.50 in packages/client, packages/backend, and react-sdk
• @ag-ui/client — 0.0.44 → 0.0.50 in apps/api and packages/backend
• @ag-ui/mastra — ^1.0.0 → ^1.0.1 in packages/backend
• @mastra/client-js — ^1.1.0 → ^1.12.0 in packages/backend
• @mastra/core — transitive dependency updated via lockfile

_{Summary ｜ 5 files ｜ 1 commit ｜ base: main ← dependabot/npm_and_yarn/ag-ui-eef16a0722}

Before: AG-UI packages pinned at 0.0.44, @ag-ui/mastra at 1.0.0, and @mastra/client-js at 1.1.0.
After: AG-UI packages at 0.0.50, @ag-ui/mastra at 1.0.1, @mastra/client-js at 1.12.0, with @mastra/core updated transitively in the lockfile.

The @mastra/client-js jump (1.1.0 → 1.12.0) is the largest direct change — it includes fixes for agent conversation context loss in stateless deployments, getFullUrl auth redirect helpers, JSON-RPC 2.0 envelope corrections, and RBAC/auth core support. The AG-UI core/client updates (0.0.44 → 0.0.50) are minor patch-level bumps. The transitive @mastra/core bump adds inputExamples on tool definitions, FilesystemStore for editor domains, structured LLM error logging, HarnessDisplayState for unified UI state snapshots, Workspace.setToolsConfig() for runtime tool configuration, and MastraCompositeStore editor shorthand.

apps/api/package.json · packages/backend/package.json · packages/client/package.json · react-sdk/package.json · package-lock.json

  ^{｜ View workflow run ｜ Triggered by Pullfrog ｜ Using Claude Opus ｜ 𝕏}

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.