diff --git a/docs.json b/docs.json
index ddeff833..7648a712 100644
--- a/docs.json
+++ b/docs.json
@@ -280,7 +280,8 @@
"sdk/arch/llm",
"sdk/arch/skill",
"sdk/arch/condenser",
- "sdk/arch/security"
+ "sdk/arch/security",
+ "sdk/arch/agent-server"
]
}
]
diff --git a/sdk/arch/agent-server.mdx b/sdk/arch/agent-server.mdx
index 8ad7663c..65e76ea6 100644
--- a/sdk/arch/agent-server.mdx
+++ b/sdk/arch/agent-server.mdx
@@ -1,534 +1,247 @@
---
-title: Agent Server Package
-description: HTTP API server for remote agent execution with workspace isolation, container orchestration, and multi-user support.
+title: Agent Server
+description: HTTP API server for remote agent execution with conversation/event endpoints and WebSocket streaming.
---
-The Agent Server package (`openhands.agent_server`) provides an HTTP API server for remote agent execution. It enables building multi-user systems, SaaS products, and distributed agent platforms.
+The Agent Server (`openhands.agent_server`) provides an HTTP/WebSocket interface for running OpenHands conversations remotely. It is stateless with respect to agent logic; containerization is handled by workspace implementations (e.g., DockerWorkspace) that launch this server inside a sandbox when needed.
-**Source**: [`openhands/agent_server/`](https://github.com/OpenHands/software-agent-sdk/tree/main/openhands/agent_server)
+Source: [`openhands-agent-server/`](https://github.com/OpenHands/software-agent-sdk/tree/main/openhands-agent-server)
-## Purpose
+## Core Responsibilities
-The Agent Server enables:
-- **Remote execution**: Clients interact with agents via HTTP API
-- **Multi-user isolation**: Each user gets isolated workspace
-- **Container orchestration**: Manages Docker containers for workspaces
-- **Centralized management**: Monitor and control all agents
-- **Scalability**: Horizontal scaling with multiple servers
+The server provides:
-## Architecture Overview
+1. **Conversation lifecycle API** – Start, run, pause, delete conversations ([conversation_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/conversation_router.py))
+2. **Event access** – Search/get conversation events; WebSocket streaming ([event_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/event_router.py), [sockets.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/sockets.py))
+3. **Execution utilities** – Bash commands, file upload/download, simple Git ops ([bash_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/bash_router.py), [file_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/file_router.py), [git_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/git_router.py))
+4. **Tool registry** – List registered tools ([tool_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/tool_router.py))
+5. **Server details** – Health, uptime/idle info ([server_details_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/server_details_router.py))
-```mermaid
-graph TB
- Client[Web/Mobile Client] -->|HTTPS| API[FastAPI Server]
-
- API --> Auth[Authentication]
- API --> Router[API Router]
-
- Router --> WS[Workspace Manager]
- Router --> Conv[Conversation Handler]
-
- WS --> Docker[Docker Manager]
- Docker --> C1[Container 1
User A]
- Docker --> C2[Container 2
User B]
- Docker --> C3[Container 3
User C]
-
- Conv --> Agent[Software Agent SDK]
- Agent --> C1
- Agent --> C2
- Agent --> C3
-
- style Client fill:#e1f5fe
- style API fill:#fff3e0
- style WS fill:#e8f5e8
- style Docker fill:#f3e5f5
- style Agent fill:#fce4ec
-```
-
-### Key Components
-
-**1. FastAPI Server**
-- HTTP REST API endpoints
-- Authentication and authorization
-- Request validation
-- WebSocket support for streaming
-
-**2. Workspace Manager**
-- Creates and manages Docker containers
-- Isolates workspaces per user
-- Handles container lifecycle
-- Manages resource limits
-
-**3. Conversation Handler**
-- Routes requests to appropriate workspace
-- Manages conversation state
-- Handles concurrent requests
-- Supports streaming responses
-
-**4. Docker Manager**
-- Interfaces with Docker daemon
-- Builds and pulls images
-- Creates and destroys containers
-- Monitors container health
-
-## Design Decisions
-
-### Why HTTP API?
-
-Alternative approaches considered:
-- **gRPC**: More efficient but harder for web clients
-- **WebSockets only**: Good for streaming but not RESTful
-- **HTTP + WebSockets**: Best of both worlds
-
-**Decision**: HTTP REST for operations, WebSockets for streaming
-- ✅ Works from any client (web, mobile, CLI)
-- ✅ Easy to debug (curl, Postman)
-- ✅ Standard authentication (API keys, OAuth)
-- ✅ Streaming where needed
-
-### Why Container Per User?
-
-Alternative approaches:
-- **Shared container**: Multiple users in one container
-- **Container per session**: New container each conversation
-- **Container per user**: One container per user (chosen)
-
-**Decision**: Container per user
-- ✅ Strong isolation between users
-- ✅ Persistent workspace across sessions
-- ✅ Better resource management
-- ⚠️ More containers, but worth it for isolation
-
-### Why FastAPI?
-
-Alternative frameworks:
-- **Flask**: Simpler but less type-safe
-- **Django**: Too heavyweight
-- **FastAPI**: Modern, fast, type-safe (chosen)
-
-**Decision**: FastAPI
-- ✅ Automatic API documentation (OpenAPI)
-- ✅ Type validation with Pydantic
-- ✅ Async support for performance
-- ✅ WebSocket support built-in
-
-## API Design
-
-### Key Endpoints
-
-**Workspace Management**
-```
-POST /workspaces Create new workspace
-GET /workspaces/{id} Get workspace info
-DELETE /workspaces/{id} Delete workspace
-POST /workspaces/{id}/execute Execute command
-```
-
-**Conversation Management**
-```
-POST /conversations Create conversation
-GET /conversations/{id} Get conversation
-POST /conversations/{id}/messages Send message
-GET /conversations/{id}/stream Stream responses (WebSocket)
-```
-
-**Health & Monitoring**
-```
-GET /health Server health check
-GET /metrics Prometheus metrics
-```
-
-### Authentication
-
-**API Key Authentication**
-```bash
-curl -H "Authorization: Bearer YOUR_API_KEY" \
- https://agent-server.example.com/conversations
-```
-
-**Per-user workspace isolation**
-- API key → user ID mapping
-- Each user gets separate workspace
-- Users can't access each other's workspaces
-
-### Streaming Responses
-
-**WebSocket for real-time updates**
-```python
-async with websocket_connect(url) as ws:
- # Send message
- await ws.send_json({"message": "Hello"})
-
- # Receive events
- async for event in ws:
- if event["type"] == "message":
- print(event["content"])
-```
-
-**Why streaming?**
-- Real-time feedback to users
-- Show agent thinking process
-- Better UX for long-running tasks
-
-## Deployment Models
-
-### 1. Local Development
+## Architecture
-Run server locally for testing:
-```bash
-# Start server
-openhands-agent-server --port 8000
-
-# Or with Docker
-docker run -p 8000:8000 \
- -v /var/run/docker.sock:/var/run/docker.sock \
- ghcr.io/all-hands-ai/agent-server:latest
-```
-
-**Use case**: Development and testing
-
-### 2. Single-Server Deployment
-
-Deploy on one server (VPS, EC2, etc.):
-```bash
-# Install
-pip install openhands-agent-server
-
-# Run with systemd/supervisor
-openhands-agent-server \
- --host 0.0.0.0 \
- --port 8000 \
- --workers 4
-```
-
-**Use case**: Small deployments, prototypes, MVPs
+```mermaid
+%%{init: {"theme": "default", "flowchart": {"nodeSpacing": 28, "rankSpacing": 40}} }%%
+flowchart TB
+ Client[Client / SDK] -->|HTTP/WS| API[FastAPI App]
-### 3. Multi-Server Deployment
+ subgraph Routers["Routers (/api/*)"]
+ Conv[conversations]
+ Events[conversations/{id}/events]
+ Bash[bash]
+ File[file]
+ Git[git]
+ Tools[tools]
+ end
-Scale horizontally with load balancer:
-```
- Load Balancer
- |
- +-------------+-------------+
- | | |
- Server 1 Server 2 Server 3
- (Agents) (Agents) (Agents)
- | | |
- +-------------+-------------+
- |
- Shared State Store
- (Database, Redis, etc.)
-```
+ WS[/sockets/* (WebSocket)/]
-**Use case**: Production SaaS, high traffic, need redundancy
-
-### 4. Kubernetes Deployment
-
-Container orchestration with Kubernetes:
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: agent-server
-spec:
- replicas: 3
- template:
- spec:
- containers:
- - name: agent-server
- image: ghcr.io/all-hands-ai/agent-server:latest
- ports:
- - containerPort: 8000
-```
+ API --> Routers
+ API --> WS
-**Use case**: Enterprise deployments, auto-scaling, high availability
+ subgraph Services[Services]
+ ConvSvc[ConversationService]
+ EventSvc[EventService]
+ end
-## Resource Management
+ Routers --> ConvSvc
+ Routers --> EventSvc
+ WS --> EventSvc
-### Container Limits
+ classDef primary fill:#f3e8ff,stroke:#7c3aed,stroke-width:2px
+ classDef secondary fill:#e8f3ff,stroke:#2b6cb0,stroke-width:2px
+ classDef tertiary fill:#fff4df,stroke:#b7791f,stroke-width:2px
-Set per-workspace resource limits:
-```python
-# In server configuration
-WORKSPACE_CONFIG = {
- "resource_limits": {
- "memory": "2g", # 2GB RAM
- "cpus": "2", # 2 CPU cores
- "disk": "10g" # 10GB disk
- },
- "timeout": 300, # 5 min timeout
-}
+ class API primary
+ class Routers,WS secondary
+ class Services tertiary
```
-**Why limit resources?**
-- Prevent one user from consuming all resources
-- Fair usage across users
-- Protect server from runaway processes
-- Cost control
-
-### Cleanup & Garbage Collection
-
-**Container lifecycle**:
-- Containers created on first use
-- Kept alive between requests (warm)
-- Cleaned up after inactivity timeout
-- Force cleanup on server shutdown
-
-**Storage management**:
-- Old workspaces deleted automatically
-- Disk usage monitored
-- Alerts when approaching limits
-
-## Security Considerations
-
-### Multi-Tenant Isolation
-
-**Container isolation**:
-- Each user gets separate container
-- Containers can't communicate
-- Network isolation (optional)
-- File system isolation
+- App construction and route wiring happen in [api.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/api.py): a single `/api` router includes conversation, event, tool, bash, git, file, vscode, and desktop routers.
+- Event and VSCode/Desktop services are initialized in the lifespan context ([api.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/api.py)).
-**API isolation**:
-- API keys mapped to users
-- Users can only access their workspaces
-- Server validates all permissions
+## Endpoints (selected)
-### Input Validation
+Representative API surface under `/api`:
-**Server validates**:
-- API request schemas
-- Command injection attempts
-- Path traversal attempts
-- File size limits
+- Conversations ([conversation_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/conversation_router.py))
+ - `POST /api/conversations` – start conversation (StartConversationRequest)
+ - `POST /api/conversations/{conversation_id}/run` – run agent loop
+ - `POST /api/conversations/{conversation_id}/events` – send Message (optionally `run: true`)
-**Defense in depth**:
-- API validation
-- Container validation
-- Docker security features
-- OS-level security
+- Events ([event_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/event_router.py))
+ - `GET /api/conversations/{conversation_id}/events/search` – list events
+ - `GET /api/conversations/{conversation_id}/events/{event_id}` – get event
-### Network Security
+- Bash ([bash_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/bash_router.py))
+ - `POST /api/bash/start_bash_command` – start background command
+ - `GET /api/bash/bash_events/search` – list bash events
-**Best practices**:
-- HTTPS only (TLS certificates)
-- Firewall rules (only port 443/8000)
-- Rate limiting
-- DDoS protection
-
-**Container networking**:
-```python
-# Disable network for workspace
-WORKSPACE_CONFIG = {
- "network_mode": "none" # No network access
-}
-
-# Or allow specific hosts
-WORKSPACE_CONFIG = {
- "allowed_hosts": ["api.example.com"]
-}
-```
+- Files ([file_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/file_router.py))
+ - `POST /api/file/upload/{path}` – upload file (absolute path)
+ - `GET /api/file/download/{path}` – download file (absolute path)
-## Monitoring & Observability
+- Tools ([tool_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/tool_router.py))
+ - `GET /api/tools/` – list registered tools
-### Health Checks
+- Server details ([server_details_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/server_details_router.py))
+ - `GET /server_info` – uptime and idle_time
-```bash
-# Simple health check
-curl https://agent-server.example.com/health
+## Authentication
-# Response
-{
- "status": "healthy",
- "docker": "connected",
- "workspaces": 15,
- "uptime": 86400
-}
+```mermaid
+flowchart LR
+ Client -->|X-Session-API-Key| HTTP[HTTP /api/*]
+ Client -->|session_api_key| WS[/sockets/*]
```
-### Metrics
-
-**Prometheus metrics**:
-- Request count and latency
-- Active workspaces
-- Container resource usage
-- Error rates
-
-**Logging**:
-- Structured JSON logs
-- Per-request tracing
-- Workspace events
-- Error tracking
-
-### Alerting
-
-**Alert on**:
-- Server down
-- High error rate
-- Resource exhaustion
-- Container failures
+- HTTP requests: header `X-Session-API-Key` if configured ([dependencies.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/dependencies.py))
+- WebSocket: query parameter `session_api_key` ([dependencies.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/dependencies.py), [sockets.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/sockets.py))
+- Configuration: environment-driven `Config` ([config.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/config.py))
## Client SDK
-Python SDK for interacting with Agent Server:
+Python examples for interacting with Agent Server:
```python
-from openhands.client import AgentServerClient
-
-client = AgentServerClient(
- url="https://agent-server.example.com",
- api_key="your-api-key"
+# Minimal REST client using httpx (no SDK wrapper required)
+# Endpoints from conversation/event routers:
+# - POST /api/conversations/{conversation_id}/events (send message)
+# - GET /api/conversations/{conversation_id}/events/search (read events)
+# (source: event_router.py)
+# https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/event_router.py
+
+import httpx
+
+BASE_URL = "https://agent-server.example.com"
+API_KEY = "your-api-key"
+CONVERSATION_ID = "your-conversation-uuid"
+
+headers = {"X-Session-API-Key": API_KEY}
+
+# Send a user message and start the agent loop
+send = {
+ "role": "user",
+ "content": [{"type": "text", "text": "Hello, agent!"}],
+ "run": True,
+}
+r = httpx.post(
+ f"{BASE_URL}/api/conversations/{CONVERSATION_ID}/events",
+ json=send,
+ headers=headers,
)
+r.raise_for_status()
-# Create conversation
-conversation = client.create_conversation()
-
-# Send message
-response = client.send_message(
- conversation_id=conversation.id,
- message="Hello, agent!"
+# Poll recent events (use WebSockets for streaming if preferred)
+resp = httpx.get(
+ f"{BASE_URL}/api/conversations/{CONVERSATION_ID}/events/search",
+ headers=headers,
+ params={"limit": 50},
)
-
-# Stream responses
-for event in client.stream_conversation(conversation.id):
- if event.type == "message":
- print(event.content)
+resp.raise_for_status()
+for ev in resp.json().get("items", []):
+ print(ev.get("kind"), ev.get("source"))
```
-**Client handles**:
-- Authentication
-- Request/response serialization
-- Error handling
-- Streaming
-- Retries
-
-## Cost Considerations
-
-### Server Costs
-
-**Compute**: CPU and memory for containers
-- Each active workspace = 1 container
-- Typically 1-2 GB RAM per workspace
-- 0.5-1 CPU core per workspace
+
+To create a new conversation via REST, post a StartConversationRequest to `/api/conversations`.
+See the JSON example in
+[conversation_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/conversation_router.py)
+(START_CONVERSATION_EXAMPLES).
+
-**Storage**: Workspace files and conversation state
-- ~1-10 GB per workspace (depends on usage)
-- Conversation history in database
+### WebSocket streaming example (events)
-**Network**: API requests and responses
-- Minimal (mostly text)
-- Streaming adds bandwidth
-
-### Cost Optimization
-
-**1. Idle timeout**: Shutdown containers after inactivity
```python
-WORKSPACE_CONFIG = {
- "idle_timeout": 3600 # 1 hour
-}
-```
+# Stream conversation events over WebSocket
+# Endpoint: /sockets/events/{conversation_id}?session_api_key=...
+# (source: sockets.py)
+# https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/sockets.py
+
+import asyncio
+import json
+import websockets
+
+BASE_WS = "wss://agent-server.example.com"
+API_KEY = "your-api-key"
+CONVERSATION_ID = "your-conversation-uuid"
+
+async def stream_events():
+ ws_url = (
+ f"{BASE_WS}/sockets/events/{CONVERSATION_ID}"
+ f"?session_api_key={API_KEY}&resend_all=false"
+ )
+ async with websockets.connect(ws_url) as ws:
+ while True:
+ raw = await ws.recv()
+ event = json.loads(raw)
+ print(event.get("kind"), event.get("source"))
-**2. Resource limits**: Don't over-provision
-```python
-WORKSPACE_CONFIG = {
- "resource_limits": {
- "memory": "1g", # Smaller limit
- "cpus": "0.5" # Fractional CPU
- }
-}
+asyncio.run(stream_events())
```
-**3. Shared resources**: Use single server for multiple low-traffic apps
-
-**4. Auto-scaling**: Scale servers based on demand
-
-## When to Use Agent Server
-
-### Use Agent Server When:
-
-✅ **Multi-user system**: Web app with many users
-✅ **Remote clients**: Mobile app, web frontend
-✅ **Centralized management**: Need to monitor all agents
-✅ **Workspace isolation**: Users shouldn't interfere
-✅ **SaaS product**: Building agent-as-a-service
-✅ **Scaling**: Need to handle concurrent users
-
-**Examples**:
-- Chatbot platforms
-- Code assistant web apps
-- Agent marketplaces
-- Enterprise agent deployments
-
-### Use Standalone SDK When:
+
+WebSockets require passing the session key as a query parameter
+(`session_api_key`). See
+[sockets.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/sockets.py).
+
-✅ **Single-user**: Personal tool or script
-✅ **Local execution**: Running on your machine
-✅ **Full control**: Need programmatic access
-✅ **Simpler deployment**: No server management
-✅ **Lower latency**: No network overhead
+### WebSocket streaming example (bash-events)
-**Examples**:
-- CLI tools
-- Automation scripts
-- Local development
-- Desktop applications
-
-### Hybrid Approach
-
-Use SDK locally but RemoteAPIWorkspace for execution:
-- Agent logic in your Python code
-- Execution happens on remote server
-- Best of both worlds
+```python
+# Stream bash events over WebSocket
+# Endpoint: /sockets/bash-events?session_api_key=...
+# (source: sockets.py)
+# https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/sockets.py
-## Building Custom Agent Server
+import asyncio
+import json
+import websockets
-The server is extensible for custom needs:
+BASE_WS = "wss://agent-server.example.com"
+API_KEY = "your-api-key"
-**Custom authentication**:
-```python
-from openhands.agent_server import AgentServer
+async def stream_bash_events():
+ ws_url = f"{BASE_WS}/sockets/bash-events?session_api_key={API_KEY}&resend_all=false"
+ async with websockets.connect(ws_url) as ws:
+ while True:
+ raw = await ws.recv()
+ event = json.loads(raw)
+ print(event.get("kind"), event.get("timestamp"))
-class CustomAgentServer(AgentServer):
- async def authenticate(self, request):
- # Custom auth logic
- return await oauth_verify(request)
+asyncio.run(stream_bash_events())
```
-**Custom workspace configuration**:
-```python
-server = AgentServer(
- workspace_factory=lambda user: DockerWorkspace(
- image=f"custom-image-{user.tier}",
- resource_limits=user.resource_limits
- )
-)
-```
+
+Bash WebSocket events include BashCommand and BashOutput items. For filtering or paging
+via REST, see
+[bash_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/bash_router.py).
+
-**Custom middleware**:
-```python
-@server.middleware
-async def logging_middleware(request, call_next):
- # Custom logging
- response = await call_next(request)
- return response
-```
+## Design Notes
-## Next Steps
+- The server itself does not manage Docker containers. Containerization and lifecycle are handled by workspace implementations such as `DockerWorkspace` in the `openhands-workspace` package, which run this server inside the container and connect via HTTP ([docker/workspace.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-workspace/openhands/workspace/docker/workspace.py)).
+- Request/response models are Pydantic classes in `models.py` ([models.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/models.py)).
+- Security: schema-level API key checks, path validation for file ops (absolute path enforcement), and typed payloads ([dependencies.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/dependencies.py), [file_router.py](https://github.com/OpenHands/software-agent-sdk/blob/HEAD/openhands-agent-server/openhands/agent_server/file_router.py)).
-### For Usage Examples
+## Component Relationships
-- [Local Agent Server](/sdk/guides/agent-server/local-server) - Run locally
-- [Docker Sandboxed Server](/sdk/guides/agent-server/docker-sandbox) - Docker setup
-- [API Sandboxed Server](/sdk/guides/agent-server/api-sandbox) - Remote API
-- [Remote Agent Server Overview](/sdk/guides/agent-server/overview) - All options
+```mermaid
+%%{init: {"theme": "default", "flowchart": {"nodeSpacing": 30}} }%%
+flowchart LR
+ Server[Agent Server]
+ SDK[SDK RemoteWorkspace]
+ Docker[DockerWorkspace]
-### For Related Architecture
+ Docker -.->|launches server in container| Server
+ SDK -->|HTTP/WS| Server
-- [Workspace Architecture](/sdk/arch/workspace) - RemoteAPIWorkspace details
-- [SDK Architecture](/sdk/arch/sdk) - Core framework
-- [Architecture Overview](/sdk/arch/overview) - System design
+ classDef primary fill:#f3e8ff,stroke:#7c3aed,stroke-width:2px
+ classDef secondary fill:#e8f3ff,stroke:#2b6cb0,stroke-width:2px
-### For Implementation Details
+ class Server primary
+ class SDK,Docker secondary
+```
-- [`openhands/agent_server/`](https://github.com/OpenHands/software-agent-sdk/tree/main/openhands/agent_server) - Server source
-- [`examples/`](https://github.com/OpenHands/software-agent-sdk/tree/main/examples) - Working examples
+---
+Last updated: 2025-12-09 06:57 UTC
+Source commit (software-agent-sdk): `93d405c9`
diff --git a/sdk/arch/security.mdx b/sdk/arch/security.mdx
index c8118fe6..50493b9c 100644
--- a/sdk/arch/security.mdx
+++ b/sdk/arch/security.mdx
@@ -5,7 +5,7 @@ description: High-level architecture of action security analysis and validation
The **Security** system evaluates agent actions for potential risks before execution. It provides pluggable security analyzers that assess action risk levels and enforce confirmation policies based on security characteristics.
-**Source:** [`openhands-sdk/penhands/sdk/security/`](https://github.com/OpenHands/software-agent-sdk/tree/main/openhands-sdk/openhands/sdk/security)
+**Source:** [`openhands-sdk/openhands/sdk/security/`](https://github.com/OpenHands/software-agent-sdk/tree/main/openhands-sdk/openhands/sdk/security)
## Core Responsibilities
@@ -58,7 +58,7 @@ flowchart TB
Check --> Mode
Mode --> Decision
-
+
classDef primary fill:#f3e8ff,stroke:#7c3aed,stroke-width:2px
classDef secondary fill:#e8f3ff,stroke:#2b6cb0,stroke-width:2px
classDef tertiary fill:#fff4df,stroke:#b7791f,stroke-width:2px
@@ -102,7 +102,8 @@ flowchart TB
Analyze --> Medium
Analyze --> High
Analyze --> Unknown
-
+
+
style Low fill:#d1fae5,stroke:#10b981,stroke-width:2px
style Medium fill:#fef3c7,stroke:#f59e0b,stroke-width:2px
style High fill:#ffe8e8,stroke:#dc2626,stroke-width:2px
@@ -308,3 +309,8 @@ flowchart LR
- **[Agent Architecture](/sdk/arch/agent)** - How agents use security analyzers
- **[Tool System](/sdk/arch/tool-system)** - Tool annotations and metadata; includes MCP tool hints
- **[Security Guide](/sdk/guides/security)** - Configuring security policies
+
+---
+Last updated: 2025-12-09 06:57 UTC
+Source commit (software-agent-sdk): `93d405c9`
+