chore(deps): bump the ag-ui group with 4 updates

[dependabot]

Bumps the ag-ui group with 4 updates: @ag-ui/core, @ag-ui/client, @mastra/client-js and @mastra/core.

Updates @ag-ui/core from 0.0.44 to 0.0.45

Updates @ag-ui/client from 0.0.44 to 0.0.45

Updates @mastra/client-js from 1.1.0 to 1.5.0

Release notes

Sourced from @​mastra/client-js's releases.

February 19, 2026

Highlights

Core Harness: A Reusable Orchestration Layer for Agent Apps

A new generic Harness in @mastra/core provides a foundation for building agent-powered applications with modes, state management, built-in tools (ask_user, submit_plan), subagent support, Observational Memory integration, model discovery, permission-aware tool approval, and event-driven/thread/heartbeat management.

Workspace Capability Upgrades (Security, Discovery, and Search)

Workspaces gain least-privilege filesystem access via LocalFilesystem.allowedPaths (plus runtime updates with setAllowedPaths()), expanded glob-based configuration for file listing/indexing/skill discovery, and a new regex search tool mastra_workspace_grep to complement semantic search.

Better Tool I/O and Streaming Behavior in the Agent Loop

Tools can now define toModelOutput to transform tool results into model-friendly content while preserving raw outputs in storage, and workspace tools now return raw text (moving structured metadata to data-workspace-metadata stream chunks) to reduce token usage. Streaming reliability also improves (correct chunk types for tool errors, onChunk receives raw Mastra chunks, agent loop continues after tool errors).

Changelog

@​mastra/core@​1.5.0

Minor Changes

• Added allowedPaths option to LocalFilesystem for granting agents access to specific directories outside basePath without disabling containment. (#13054)

  const workspace = new Workspace({
    filesystem: new LocalFilesystem({
      basePath: './workspace',
      allowedPaths: ['/home/user/.config', '/home/user/documents'],
    }),
  });

  Allowed paths can be updated at runtime using setAllowedPaths():

  workspace.filesystem.setAllowedPaths(prev => [...prev, '/home/user/new-dir']);

  This is the recommended approach for least-privilege access — agents can only reach the specific directories you allow, while containment stays enabled for everything else.

• Added generic Harness class for orchestrating agents with modes, state management, built-in tools (ask_user, submit_plan), subagent support, Observational Memory integration, model discovery, and permission-aware tool approval. The Harness provides a reusable foundation for building agent-powered applications with features like thread management, heartbeat monitoring, and event-driven architecture. (#13245)

• Added glob pattern support for workspace configuration. The list_files tool now accepts a pattern parameter for filtering files (e.g., **/*.ts, src/**/*.test.ts). autoIndexPaths accepts glob patterns like ./docs/**/*.md to selectively index files for BM25 search. Skills paths support globs like ./**/skills to discover skill directories at any depth, including dot-directories like .agents/skills. (#13023)

  list_files tool with pattern:

  // Agent can now use glob patterns to filter files
  const result = await workspace.tools.workspace_list_files({
    path: '/',

... (truncated)

Changelog

Sourced from @​mastra/client-js's changelog.

1.5.0

Minor Changes

• Added scorer version management and CMS draft/publish flow for scorers. (#13194)
  • Added scorer version methods to the client SDK: listVersions, createVersion, getVersion, activateVersion, restoreVersion, deleteVersion, compareVersions.
  • Added ScorerVersionCombobox for navigating scorer versions with Published/Draft labels.
  • Scorer edit page now supports Save (draft) and Publish workflows with an "Unpublished changes" indicator.
  • Storage list methods for agents and scorers no longer default to filtering only published entities, allowing drafts to appear in the playground.

Patch Changes

• Fixed schema form to apply changes only on Save click instead of every keystroke. Removed AgentPromptExperimentProvider in favor of inline prompt rendering. Switched hooks to use merged request context for proper request-scoped data fetching. (#13034)

• Fixed conditional rules not being persisted for workflows, agents, and scorers when creating or updating agents in the CMS. Rules configured on these entities are now correctly saved to storage. (#13044)

• Added requestContext support to listScorers for request-scoped scorer resolution (#13034)

• Dataset schemas now appear in the Edit Dataset dialog. Previously the inputSchema and groundTruthSchema fields were not passed to the dialog, so editing a dataset always showed empty schemas. (#13175)

  Schema edits in the JSON editor no longer cause the cursor to jump to the top of the field. Typing {"type": "object"} in the schema editor now behaves like a normal text input instead of resetting on every keystroke.

  Validation errors are now surfaced when updating a dataset schema that conflicts with existing items. For example, adding a required: ["name"] constraint when existing items lack a name field now shows "2 existing item(s) fail validation" in the dialog instead of silently dropping the error.

  Disabling a dataset schema from the Studio UI now correctly clears it. Previously the server converted null (disable) to undefined (no change), so the old schema persisted and validation continued.

  Workflow schemas fetched via client.getWorkflow().getSchema() are now correctly parsed. The server serializes schemas with superjson, but the client was using plain JSON.parse, yielding a {json: {...}} wrapper instead of the actual JSON Schema object.

• CMS draft support with status badges for agents. (#13194)

  • Agent list now resolves the latest (draft) version for each stored agent, showing current edits rather than the last published state.
  • Added hasDraft and activeVersionId fields to the agent list API response.
  • Agent list badges: "Published" (green) when a published version exists, "Draft" (colored when unpublished changes exist, grayed out otherwise).
  • Added resolvedVersionId to all StorageResolved*Type types so the server can detect whether the latest version differs from the active version.
  • Added status option to GetByIdOptions to allow resolving draft vs published versions through the editor layer.
  • Fixed editor cache not being cleared on version activate, restore, and delete — all four versioned domains (agents, scorers, prompt-blocks, mcp-clients) now clear the cache after version mutations.
  • Added ALTER TABLE migration for mastra_agent_versions in libsql and pg to add newer columns (mcpClients, requestContextSchema, workspace, skills, skillsFormat).

• Updated dependencies [252580a, f8e819f, 5c75261, e27d832, e37ef84, 6fdd3d4, 10cf521, efdb682, 0dee7a0, 04c2c8e, 02dc07a, bb7262b, 1415bcd, cf1c6e7, 5ffadfe, 1e1339c, d03df73, 79b8f45, 9bbf08e, 0a25952, ffa5468, 3264a04, 6fdd3d4, 088d9ba, 74fbebd, aea6217, b6a855e, ae408ea, 17e942e, 2015cf9, 7ef454e, 2be1d99, 2708fa1, ba74aef, ba74aef, ec53e89, 9b5a8cb, 607e66b, a215d06, 6909c74, 192438f]:

  • @​mastra/core@​1.5.0
  • @​mastra/schema-compat@​1.1.1

1.5.0-alpha.1

Patch Changes

• Updated dependencies [1415bcd]:
  • @​mastra/schema-compat@​1.1.1-alpha.0
  • @​mastra/core@​1.5.0-alpha.1

1.5.0-alpha.0

... (truncated)

Commits

• 0d9efb4 feat(editor): processor providers and stored processor graphs (#13219)
• 355b9ae chore: version - exit prerelease mode
• f090302 chore: version packages (alpha) (#13252)
• a0b5df2 chore: version packages (alpha) (#13037)
• ae408ea fix: dataset schema validation and display in Studio (#13175)
• ba74aef feat(playground): CMS draft support with status badges and scorer versioning ...
• 5ffadfe fix(playground): persist conditional rules for workflows, agents, and scorers...
• 55a0ab1 fix(playground): use merged request context and apply schema form on submit (...
• 230f5a6 chore: version - exit prerelease mode
• 78f020a chore: version packages (alpha) (#12946)
• Additional commits viewable in compare view

Updates @mastra/core from 1.1.0 to 1.5.0

Release notes

Sourced from @​mastra/core's releases.

February 19, 2026

Highlights

Core Harness: A Reusable Orchestration Layer for Agent Apps

A new generic Harness in @mastra/core provides a foundation for building agent-powered applications with modes, state management, built-in tools (ask_user, submit_plan), subagent support, Observational Memory integration, model discovery, permission-aware tool approval, and event-driven/thread/heartbeat management.

Workspace Capability Upgrades (Security, Discovery, and Search)

Workspaces gain least-privilege filesystem access via LocalFilesystem.allowedPaths (plus runtime updates with setAllowedPaths()), expanded glob-based configuration for file listing/indexing/skill discovery, and a new regex search tool mastra_workspace_grep to complement semantic search.

Better Tool I/O and Streaming Behavior in the Agent Loop

Tools can now define toModelOutput to transform tool results into model-friendly content while preserving raw outputs in storage, and workspace tools now return raw text (moving structured metadata to data-workspace-metadata stream chunks) to reduce token usage. Streaming reliability also improves (correct chunk types for tool errors, onChunk receives raw Mastra chunks, agent loop continues after tool errors).

Changelog

@​mastra/core@​1.5.0

Minor Changes

• Added allowedPaths option to LocalFilesystem for granting agents access to specific directories outside basePath without disabling containment. (#13054)

  const workspace = new Workspace({
    filesystem: new LocalFilesystem({
      basePath: './workspace',
      allowedPaths: ['/home/user/.config', '/home/user/documents'],
    }),
  });

  Allowed paths can be updated at runtime using setAllowedPaths():

  workspace.filesystem.setAllowedPaths(prev => [...prev, '/home/user/new-dir']);

  This is the recommended approach for least-privilege access — agents can only reach the specific directories you allow, while containment stays enabled for everything else.

• Added generic Harness class for orchestrating agents with modes, state management, built-in tools (ask_user, submit_plan), subagent support, Observational Memory integration, model discovery, and permission-aware tool approval. The Harness provides a reusable foundation for building agent-powered applications with features like thread management, heartbeat monitoring, and event-driven architecture. (#13245)

• Added glob pattern support for workspace configuration. The list_files tool now accepts a pattern parameter for filtering files (e.g., **/*.ts, src/**/*.test.ts). autoIndexPaths accepts glob patterns like ./docs/**/*.md to selectively index files for BM25 search. Skills paths support globs like ./**/skills to discover skill directories at any depth, including dot-directories like .agents/skills. (#13023)

  list_files tool with pattern:

  // Agent can now use glob patterns to filter files
  const result = await workspace.tools.workspace_list_files({
    path: '/',

... (truncated)

Changelog

Sourced from @​mastra/core's changelog.

1.5.0

Minor Changes

• Added allowedPaths option to LocalFilesystem for granting agents access to specific directories outside basePath without disabling containment. (#13054)

  const workspace = new Workspace({
    filesystem: new LocalFilesystem({
      basePath: './workspace',
      allowedPaths: ['/home/user/.config', '/home/user/documents'],
    }),
  });

  Allowed paths can be updated at runtime using setAllowedPaths():

  workspace.filesystem.setAllowedPaths(prev => [...prev, '/home/user/new-dir']);

  This is the recommended approach for least-privilege access — agents can only reach the specific directories you allow, while containment stays enabled for everything else.

• Added generic Harness class to @​mastra/core for orchestrating agents with modes, state management, built-in tools (ask_user, submit_plan), subagent support, Observational Memory integration, model discovery, and permission-aware tool approval. The Harness provides a reusable foundation for building agent-powered applications with features like thread management, heartbeat monitoring, and event-driven architecture. (#13245)

• Added glob pattern support for workspace configuration. The list_files tool now accepts a pattern parameter for filtering files (e.g., **/*.ts, src/**/*.test.ts). autoIndexPaths accepts glob patterns like ./docs/**/*.md to selectively index files for BM25 search. Skills paths support globs like ./**/skills to discover skill directories at any depth, including dot-directories like .agents/skills. (#13023)

  list_files tool with pattern:

  // Agent can now use glob patterns to filter files
  const result = await workspace.tools.workspace_list_files({
    path: '/',
    pattern: '**/*.test.ts',
  });

  autoIndexPaths with globs:

  const workspace = new Workspace({
    filesystem: new LocalFilesystem({ basePath: './project' }),
    bm25: true,
    // Only index markdown files under ./docs
    autoIndexPaths: ['./docs/**/*.md'],
  });

  Skills paths with globs:

... (truncated)

Commits

• b260123 fix(memory): improve OM activation chunk selection and safeguards (#13305)
• 940163f feat(core): add workspace AST edit tool (COR-523) (#13233)
• d84e52d fix(editor): agent publish flow and recursive processor graph schema (#13292)
• 5caa13d chore(core): remove redundant vercel PROVIDER_OVERRIDES entry (#13291)
• 47892c8 fix(core): stop overriding Vercel AI Gateway base URL in model router (#13287)
• 0d9efb4 feat(editor): processor providers and stored processor graphs (#13219)
• dff79a4 feat(workflows): shared test suite for workflow engines (#12568)
• 4ada5f9 test(core): move real-API tests to e2e files and fix failing unit tests (#13193)
• 355b9ae chore: version - exit prerelease mode
• f090302 chore: version packages (alpha) (#13252)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
@mastra/client-js	[>= 0.16.a, < 0.17]
@mastra/core	[>= 0.24.a, < 0.25]
@mastra/core	[< 1, > 0.20.2]
@mastra/client-js	[>= 0.17.a, < 0.18]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cloud	Error		Feb 27, 2026 10:21pm
showcase	Error		Feb 27, 2026 10:21pm
tambo-docs	Error		Feb 27, 2026 10:21pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​mastra/​core@​1.1.0 ⏵ 1.6.0	-11
	@​ag-ui/​core@​0.0.44 ⏵ 0.0.45			+1	+1
	@​ag-ui/​client@​0.0.44 ⏵ 0.0.45			+1	+1
	@​mastra/​client-js@​1.1.0 ⏵ 1.6.0

View full report