style: fix ruff formatting in browser_toolkit.py

Co-Authored-By: João <joao@crewai.com>

.github/workflows/docs-broken-links.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Set up Node
         uses: actions/setup-node@v4
         with:
-          node-version: "22"
+          node-version: "latest"
 
       - name: Install Mintlify CLI
         run: npm i -g mintlify

docs/ar/changelog.mdx

@@ -4,63 +4,6 @@ description: "تحديثات المنتج والتحسينات وإصلاحات
 icon: "clock"
 mode: "wide"
 ---
-<Update label="27 مارس 2026">
-  ## v1.13.0rc1
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## ما الذي تغير
-
-  ### الوثائق
-  - تحديث سجل التغييرات والإصدار لـ v1.13.0a2
-
-  ## المساهمون
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 مارس 2026">
-  ## v1.13.0a2
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## ما الذي تغير
-
-  ### الميزات
-  - تحديث تلقائي لمستودع اختبار النشر أثناء الإصدار
-  - تحسين مرونة إصدار المؤسسات وتجربة المستخدم
-
-  ### الوثائق
-  - تحديث سجل التغييرات والإصدار للإصدار v1.13.0a1
-
-  ## المساهمون
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 مارس 2026">
-  ## v1.13.0a1
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## ما الذي تغير
-
-  ### إصلاحات الأخطاء
-  - إصلاح الروابط المعطلة في سير العمل الوثائقي عن طريق تثبيت Node على LTS 22
-  - مسح ذاكرة التخزين المؤقت لـ uv للحزم المنشورة حديثًا في الإصدار المؤسسي
-
-  ### الوثائق
-  - إضافة مصفوفة شاملة لأذونات RBAC ودليل النشر
-  - تحديث سجل التغييرات والإصدار للإصدار v1.12.2
-
-  ## المساهمون
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="25 مارس 2026">
   ## v1.12.2
 

docs/en/changelog.mdx

@@ -4,63 +4,6 @@ description: "Product updates, improvements, and bug fixes for CrewAI"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="Mar 27, 2026">
-  ## v1.13.0rc1
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## What's Changed
-
-  ### Documentation
-  - Update changelog and version for v1.13.0a2
-
-  ## Contributors
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="Mar 27, 2026">
-  ## v1.13.0a2
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## What's Changed
-
-  ### Features
-  - Auto-update deployment test repo during release
-  - Improve enterprise release resilience and UX
-
-  ### Documentation
-  - Update changelog and version for v1.13.0a1
-
-  ## Contributors
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="Mar 27, 2026">
-  ## v1.13.0a1
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## What's Changed
-
-  ### Bug Fixes
-  - Fix broken links in documentation workflow by pinning Node to LTS 22
-  - Bust the uv cache for freshly published packages in enterprise release
-
-  ### Documentation
-  - Add comprehensive RBAC permissions matrix and deployment guide
-  - Update changelog and version for v1.12.2
-
-  ## Contributors
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="Mar 25, 2026">
   ## v1.12.2
 

docs/en/concepts/files.mdx

@@ -134,10 +134,6 @@ result = flow.kickoff(
 )
 ```
 
-<Note type="info" title="CrewAI Platform Integration">
-When deployed on CrewAI Platform, `ImageFile`, `PDFFile`, and other file-typed fields in your flow state automatically get a file upload UI. Users can drag and drop files directly in the Platform interface. Files are stored securely and passed to agents using provider-specific optimizations (inline base64, file upload APIs, or URL references depending on the provider).
-</Note>
-
 ### With Standalone Agents
 
 Pass files directly to agent kickoff:

docs/en/concepts/flows.mdx

@@ -341,36 +341,6 @@ flow.kickoff()
 
 By providing both unstructured and structured state management options, CrewAI Flows empowers developers to build AI workflows that are both flexible and robust, catering to a wide range of application requirements.
 
-### File Inputs
-
-When using structured state, you can include file-typed fields using classes from `crewai-files`. This enables file uploads as part of your flow's input:
-
-```python
-from crewai.flow.flow import Flow, start
-from crewai_files import ImageFile, PDFFile
-from pydantic import BaseModel
-
-class OnboardingState(BaseModel):
-    document: PDFFile        # File upload
-    cover_image: ImageFile   # Image upload
-    title: str = ""          # Text input
-
-class OnboardingFlow(Flow[OnboardingState]):
-    @start()
-    def process_upload(self):
-        # Access files directly from state
-        print(f"Processing: {self.state.title}")
-        return self.state.document
-```
-
-When deployed on **CrewAI Platform**, file-typed fields automatically render as file upload dropzones in the UI. Users can drag and drop files, which are then passed to your flow.
-
-**Kicking off with files via API:**
-- **Multipart**: `POST /kickoff/multipart` with files embedded in the request
-- **Separate upload**: `POST /files` first to upload files, then `POST /kickoff` with the returned URLs
-
-API users can also pass URL strings directly to file-typed fields—Pydantic coerces them automatically.
-
 ## Flow Persistence
 
 The @persist decorator enables automatic state persistence in CrewAI Flows, allowing you to maintain flow state across restarts or different workflow executions. This decorator can be applied at either the class level or method level, providing flexibility in how you manage state persistence.

docs/en/enterprise/features/rbac.mdx

@@ -7,13 +7,11 @@ mode: "wide"
 
 ## Overview
 
-RBAC in CrewAI AMP enables secure, scalable access management through two layers:
-
-1. **Feature permissions** — control what each role can do across the platform (manage, read, or no access)
-2. **Entity-level permissions** — fine-grained access on individual automations, environment variables, LLM connections, and Git repositories
+RBAC in CrewAI AMP enables secure, scalable access management through a combination of organization‑level roles and automation‑level visibility controls.
 
 <Frame>
   <img src="/images/enterprise/users_and_roles.png" alt="RBAC overview in CrewAI AMP" />
+
 </Frame>
 
 ## Users and Roles
@@ -41,13 +39,6 @@ You can configure users and roles in Settings → Roles.
   </Step>
 </Steps>
 
-### Predefined Roles
-
-| Role       | Description                                                                 |
-| :--------- | :-------------------------------------------------------------------------- |
-| **Owner**  | Full access to all features and settings. Cannot be restricted.             |
-| **Member** | Read access to most features, manage access to Studio projects. Cannot modify organization or default settings. |
-
 ### Configuration summary
 
 | Area                  | Where to configure                 | Options                                 |
@@ -55,80 +46,23 @@ You can configure users and roles in Settings → Roles.
 | Users & Roles         | Settings → Roles                   | Predefined: Owner, Member; Custom roles |
 | Automation visibility | Automation → Settings → Visibility | Private; Whitelist users/roles          |
 
----
+## Automation‑level Access Control
 
-## Feature Permissions Matrix
+In addition to organization‑wide roles, CrewAI Automations support fine‑grained visibility settings that let you restrict access to specific automations by user or role.
 
-Every role has a permission level for each feature area. The three levels are:
-
-- **Manage** — full read/write access (create, edit, delete)
-- **Read** — view-only access
-- **No access** — feature is hidden/inaccessible
-
-| Feature                   | Owner   | Member (default) | Description                                                     |
-| :------------------------ | :------ | :--------------- | :-------------------------------------------------------------- |
-| `usage_dashboards`        | Manage  | Read             | View usage metrics and analytics                                |
-| `crews_dashboards`        | Manage  | Read             | View deployment dashboards, access automation details           |
-| `invitations`             | Manage  | Read             | Invite new members to the organization                          |
-| `training_ui`             | Manage  | Read             | Access training/fine-tuning interfaces                          |
-| `tools`                   | Manage  | Read             | Create and manage tools                                         |
-| `agents`                  | Manage  | Read             | Create and manage agents                                        |
-| `environment_variables`   | Manage  | Read             | Create and manage environment variables                         |
-| `llm_connections`         | Manage  | Read             | Configure LLM provider connections                              |
-| `default_settings`        | Manage  | No access        | Modify organization-wide default settings                       |
-| `organization_settings`   | Manage  | No access        | Manage billing, plans, and organization configuration           |
-| `studio_projects`         | Manage  | Manage           | Create and edit projects in Studio                              |
-
-<Tip>
-  When creating a custom role, you can set each feature independently to **Manage**, **Read**, or **No access** to match your team's needs.
-</Tip>
-
----
-
-## Deploying from GitHub or Zip
-
-One of the most common RBAC questions is: _"What permissions does a team member need to deploy?"_
-
-### Deploy from GitHub
-
-To deploy an automation from a GitHub repository, a user needs:
-
-1. **`crews_dashboards`**: at least `Read` — required to access the automations dashboard where deployments are created
-2. **Git repository access** (if entity-level RBAC for Git repositories is enabled): the user's role must be granted access to the specific Git repository via entity-level permissions
-3. **`studio_projects`: `Manage`** — if building the crew in Studio before deploying
-
-### Deploy from Zip
-
-To deploy an automation from a Zip file upload, a user needs:
-
-1. **`crews_dashboards`**: at least `Read` — required to access the automations dashboard
-2. **Zip deployments enabled**: the organization must not have disabled zip deployments in organization settings
-
-### Quick Reference: Minimum Permissions for Deployment
-
-| Action               | Required feature permissions          | Additional requirements                          |
-| :------------------- | :------------------------------------ | :----------------------------------------------- |
-| Deploy from GitHub   | `crews_dashboards: Read`              | Git repo entity access (if Git RBAC is enabled)  |
-| Deploy from Zip      | `crews_dashboards: Read`              | Zip deployments must be enabled at the org level |
-| Build in Studio      | `studio_projects: Manage`             | —                                                |
-| Configure LLM keys   | `llm_connections: Manage`             | —                                                |
-| Set environment vars  | `environment_variables: Manage`       | Entity-level access (if entity RBAC is enabled)  |
-
----
-
-## Automation‑level Access Control (Entity Permissions)
-
-In addition to organization‑wide roles, CrewAI supports fine‑grained entity-level permissions that restrict access to individual resources.
-
-### Automation Visibility
-
-Automations support visibility settings that restrict access by user or role. This is useful for:
+This is useful for:
 
 - Keeping sensitive or experimental automations private
 - Managing visibility across large teams or external collaborators
 - Testing automations in isolated contexts
 
-Deployments can be configured as private, meaning only whitelisted users and roles will be able to interact with them.
+Deployments can be configured as private, meaning only whitelisted users and roles will be able to:
+
+- View the deployment
+- Run it or interact with its API
+- Access its logs, metrics, and settings
+
+The organization owner always has access, regardless of visibility settings.
 
 You can configure automation‑level access control in Automation → Settings → Visibility tab.
 
@@ -165,92 +99,9 @@ You can configure automation‑level access control in Automation → Settings
 
 <Frame>
   <img src="/images/enterprise/visibility.png" alt="Automation Visibility settings in CrewAI AMP" />
+
 </Frame>
 
-### Deployment Permission Types
-
-When granting entity-level access to a specific automation, you can assign these permission types:
-
-| Permission           | What it allows                                      |
-| :------------------- | :-------------------------------------------------- |
-| `run`                | Execute the automation and use its API               |
-| `traces`             | View execution traces and logs                       |
-| `manage_settings`    | Edit, redeploy, rollback, or delete the automation   |
-| `human_in_the_loop`  | Respond to human-in-the-loop (HITL) requests         |
-| `full_access`        | All of the above                                     |
-
-### Entity-level RBAC for Other Resources
-
-When entity-level RBAC is enabled, access to these resources can also be controlled per user or role:
-
-| Resource               | Controlled by                    | Description                                           |
-| :--------------------- | :------------------------------- | :---------------------------------------------------- |
-| Environment variables  | Entity RBAC feature flag         | Restrict which roles/users can view or manage specific env vars |
-| LLM connections        | Entity RBAC feature flag         | Restrict access to specific LLM provider configurations |
-| Git repositories       | Git repositories RBAC org setting | Restrict which roles/users can access specific connected repos |
-
----
-
-## Common Role Patterns
-
-While CrewAI ships with Owner and Member roles, most teams benefit from creating custom roles. Here are common patterns:
-
-### Developer Role
-
-A role for team members who build and deploy automations but don't manage organization settings.
-
-| Feature                   | Permission |
-| :------------------------ | :--------- |
-| `usage_dashboards`        | Read       |
-| `crews_dashboards`        | Manage     |
-| `invitations`             | Read       |
-| `training_ui`             | Read       |
-| `tools`                   | Manage     |
-| `agents`                  | Manage     |
-| `environment_variables`   | Manage     |
-| `llm_connections`         | Read       |
-| `default_settings`        | No access  |
-| `organization_settings`   | No access  |
-| `studio_projects`         | Manage     |
-
-### Viewer / Stakeholder Role
-
-A role for non-technical stakeholders who need to monitor automations and view results.
-
-| Feature                   | Permission |
-| :------------------------ | :--------- |
-| `usage_dashboards`        | Read       |
-| `crews_dashboards`        | Read       |
-| `invitations`             | No access  |
-| `training_ui`             | Read       |
-| `tools`                   | Read       |
-| `agents`                  | Read       |
-| `environment_variables`   | No access  |
-| `llm_connections`         | No access  |
-| `default_settings`        | No access  |
-| `organization_settings`   | No access  |
-| `studio_projects`         | Read       |
-
-### Ops / Platform Admin Role
-
-A role for platform operators who manage infrastructure settings but may not build agents.
-
-| Feature                   | Permission |
-| :------------------------ | :--------- |
-| `usage_dashboards`        | Manage     |
-| `crews_dashboards`        | Manage     |
-| `invitations`             | Manage     |
-| `training_ui`             | Read       |
-| `tools`                   | Read       |
-| `agents`                  | Read       |
-| `environment_variables`   | Manage     |
-| `llm_connections`         | Manage     |
-| `default_settings`        | Manage     |
-| `organization_settings`   | Read       |
-| `studio_projects`         | Read       |
-
----
-
 <Card title="Need Help?" icon="headset" href="mailto:support@crewai.com">
   Contact our support team for assistance with RBAC questions.
 </Card>

docs/en/enterprise/features/sso.mdx

@@ -1,550 +0,0 @@
----
-title: Single Sign-On (SSO)
-icon: "key"
-description: Configure enterprise SSO authentication for CrewAI Platform — SaaS and Factory
----
-
-## Overview
-
-CrewAI Platform supports enterprise Single Sign-On (SSO) across both **SaaS (AMP)** and **Factory (self-hosted)** deployments. SSO enables your team to authenticate using your organization's existing identity provider, enforcing centralized access control, MFA policies, and user lifecycle management.
-
-### Supported Providers
-
-| Provider | SaaS | Factory | Protocol | CLI Support |
-|---|---|---|---|---|
-| **WorkOS** | ✅ (default) | ✅ | OAuth 2.0 / OIDC | ✅ |
-| **Microsoft Entra ID** (Azure AD) | ✅ (enterprise) | ✅ | OAuth 2.0 / SAML 2.0 | ✅ |
-| **Okta** | ✅ (enterprise) | ✅ | OAuth 2.0 / OIDC | ✅ |
-| **Auth0** | ✅ (enterprise) | ✅ | OAuth 2.0 / OIDC | ✅ |
-| **Keycloak** | — | ✅ | OAuth 2.0 / OIDC | ✅ |
-
-### Key Capabilities
-
-- **SAML 2.0 and OAuth 2.0 / OIDC** protocol support
-- **Device Authorization Grant** flow for CLI authentication
-- **Role-Based Access Control (RBAC)** with custom roles and per-resource permissions
-- **MFA enforcement** delegated to your identity provider
-- **User provisioning** through IdP assignment (users/groups)
-
----
-
-## SaaS SSO
-
-### Default Authentication
-
-CrewAI's managed SaaS platform (AMP) uses **WorkOS** as the default authentication provider. When you sign up at [app.crewai.com](https://app.crewai.com), authentication is handled through `login.crewai.com` — no additional SSO configuration is required.
-
-### Enterprise Custom SSO
-
-Enterprise SaaS customers can configure SSO with their own identity provider (Entra ID, Okta, Auth0). Contact your CrewAI account team to enable custom SSO for your organization. Once configured:
-
-1. Your team members authenticate through your organization's IdP
-2. Access control and MFA policies are enforced by your IdP
-3. The CrewAI CLI automatically detects your SSO configuration via `crewai enterprise configure`
-
-### CLI Defaults (SaaS)
-
-| Setting | Default Value |
-|---|---|
-| `enterprise_base_url` | `https://app.crewai.com` |
-| `oauth2_provider` | `workos` |
-| `oauth2_domain` | `login.crewai.com` |
-
----
-
-## Factory SSO Setup
-
-Factory (self-hosted) deployments require you to configure SSO by setting environment variables in your Helm `values.yaml` and registering an application in your identity provider.
-
-### Microsoft Entra ID (Azure AD)
-
-<Steps>
-  <Step title="Register an Application">
-    1. Go to [portal.azure.com](https://portal.azure.com) → **Microsoft Entra ID** → **App registrations** → **New registration**
-    2. Configure:
-       - **Name:** `CrewAI` (or your preferred name)
-       - **Supported account types:** Accounts in this organizational directory only
-       - **Redirect URI:** Select **Web**, enter `https://<your-domain>/auth/entra_id/callback`
-    3. Click **Register**
-  </Step>
-
-  <Step title="Collect Credentials">
-    From the app overview page, copy:
-    - **Application (client) ID** → `ENTRA_ID_CLIENT_ID`
-    - **Directory (tenant) ID** → `ENTRA_ID_TENANT_ID`
-  </Step>
-
-  <Step title="Create Client Secret">
-    1. Navigate to **Certificates & Secrets** → **New client secret**
-    2. Add a description and select expiration period
-    3. Copy the secret value immediately (it won't be shown again) → `ENTRA_ID_CLIENT_SECRET`
-  </Step>
-
-  <Step title="Grant Admin Consent">
-    1. Go to **Enterprise applications** → select your app
-    2. Under **Security** → **Permissions**, click **Grant admin consent**
-    3. Ensure **Microsoft Graph → User.Read** is granted
-  </Step>
-
-  <Step title="Configure App Roles (Recommended)">
-    Under **App registrations** → your app → **App roles**, create:
-
-    | Display Name | Value | Allowed Member Types |
-    |---|---|---|
-    | Member | `member` | Users/Groups |
-    | Factory Admin | `factory-admin` | Users/Groups |
-
-    <Note>
-      The `member` role grants login access. The `factory-admin` role grants admin panel access. Roles are included in the JWT automatically.
-    </Note>
-  </Step>
-
-  <Step title="Assign Users">
-    1. Under **Properties**, set **Assignment required?** to **Yes**
-    2. Under **Users and groups**, assign users/groups with the appropriate role
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "entra_id"
-
-    secrets:
-      ENTRA_ID_CLIENT_ID: "<Application (client) ID>"
-      ENTRA_ID_CLIENT_SECRET: "<Client Secret>"
-      ENTRA_ID_TENANT_ID: "<Directory (tenant) ID>"
-    ```
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    To allow `crewai login` via Device Authorization Grant:
-
-    1. Under **Authentication** → **Advanced settings**, enable **Allow public client flows**
-    2. Under **Expose an API**, add an Application ID URI (e.g., `api://crewai-cli`)
-    3. Add a scope (e.g., `read`) with **Admins and users** consent
-    4. Under **Manifest**, set `accessTokenAcceptedVersion` to `2`
-    5. Add environment variables:
-
-    ```yaml
-    secrets:
-      ENTRA_ID_DEVICE_AUTHORIZATION_CLIENT_ID: "<Application (client) ID>"
-      ENTRA_ID_CUSTOM_OPENID_SCOPE: "<scope URI, e.g. api://crewai-cli/read>"
-    ```
-  </Step>
-</Steps>
-
----
-
-### Okta
-
-<Steps>
-  <Step title="Create App Integration">
-    1. Open Okta Admin Console → **Applications** → **Create App Integration**
-    2. Select **OIDC - OpenID Connect** → **Web Application** → **Next**
-    3. Configure:
-       - **App integration name:** `CrewAI SSO`
-       - **Sign-in redirect URI:** `https://<your-domain>/auth/okta/callback`
-       - **Sign-out redirect URI:** `https://<your-domain>`
-       - **Assignments:** Choose who can access (everyone or specific groups)
-    4. Click **Save**
-  </Step>
-
-  <Step title="Collect Credentials">
-    From the app details page:
-    - **Client ID** → `OKTA_CLIENT_ID`
-    - **Client Secret** → `OKTA_CLIENT_SECRET`
-    - **Okta URL** (top-right corner, under your username) → `OKTA_SITE`
-  </Step>
-
-  <Step title="Configure Authorization Server">
-    1. Navigate to **Security** → **API**
-    2. Select your authorization server (default: `default`)
-    3. Under **Access Policies**, add a policy and rule:
-       - In the rule, under **Scopes requested**, select **The following scopes** → **OIDC default scopes**
-    4. Note the **Name** and **Audience** of the authorization server
-
-    <Warning>
-      The authorization server name and audience must match `OKTA_AUTHORIZATION_SERVER` and `OKTA_AUDIENCE` exactly. Mismatches cause `401 Unauthorized` or `Invalid token: Signature verification failed` errors.
-    </Warning>
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "okta"
-
-    secrets:
-      OKTA_CLIENT_ID: "<Okta app client ID>"
-      OKTA_CLIENT_SECRET: "<Okta client secret>"
-      OKTA_SITE: "https://your-domain.okta.com"
-      OKTA_AUTHORIZATION_SERVER: "default"
-      OKTA_AUDIENCE: "api://default"
-    ```
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    1. Create a **new** app integration: **OIDC** → **Native Application**
-    2. Enable **Device Authorization** and **Refresh Token** grant types
-    3. Allow everyone in your organization to access
-    4. Add environment variable:
-
-    ```yaml
-    secrets:
-      OKTA_DEVICE_AUTHORIZATION_CLIENT_ID: "<Native app client ID>"
-    ```
-
-    <Note>
-      Device Authorization requires a **Native Application** — it cannot use the Web Application created for browser-based SSO.
-    </Note>
-  </Step>
-</Steps>
-
----
-
-### Keycloak
-
-<Steps>
-  <Step title="Create a Client">
-    1. Open Keycloak Admin Console → navigate to your realm
-    2. **Clients** → **Create client**:
-       - **Client type:** OpenID Connect
-       - **Client ID:** `crewai-factory` (suggested)
-    3. Capability config:
-       - **Client authentication:** On
-       - **Standard flow:** Checked
-    4. Login settings:
-       - **Root URL:** `https://<your-domain>`
-       - **Valid redirect URIs:** `https://<your-domain>/auth/keycloak/callback`
-       - **Valid post logout redirect URIs:** `https://<your-domain>`
-    5. Click **Save**
-  </Step>
-
-  <Step title="Collect Credentials">
-    - **Client ID** → `KEYCLOAK_CLIENT_ID`
-    - Under **Credentials** tab: **Client secret** → `KEYCLOAK_CLIENT_SECRET`
-    - **Realm name** → `KEYCLOAK_REALM`
-    - **Keycloak server URL** → `KEYCLOAK_SITE`
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "keycloak"
-
-    secrets:
-      KEYCLOAK_CLIENT_ID: "<client ID>"
-      KEYCLOAK_CLIENT_SECRET: "<client secret>"
-      KEYCLOAK_SITE: "https://keycloak.yourdomain.com"
-      KEYCLOAK_REALM: "<realm name>"
-      KEYCLOAK_AUDIENCE: "account"
-      # Only set if using a custom base path (pre-v17 migrations):
-      # KEYCLOAK_BASE_URL: "/auth"
-    ```
-
-    <Note>
-      Keycloak includes `account` as the default audience in access tokens. For most installations, `KEYCLOAK_AUDIENCE=account` works without additional configuration. See [Keycloak audience documentation](https://www.keycloak.org/docs/latest/authorization_services/index.html) if you need a custom audience.
-    </Note>
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    1. Create a **second** client:
-       - **Client type:** OpenID Connect
-       - **Client ID:** `crewai-factory-cli` (suggested)
-       - **Client authentication:** Off (Device Authorization requires a public client)
-       - **Authentication flow:** Check **only** OAuth 2.0 Device Authorization Grant
-    2. Add environment variable:
-
-    ```yaml
-    secrets:
-      KEYCLOAK_DEVICE_AUTHORIZATION_CLIENT_ID: "<CLI client ID>"
-    ```
-  </Step>
-</Steps>
-
----
-
-### WorkOS
-
-<Steps>
-  <Step title="Configure in WorkOS Dashboard">
-    1. Create an application in the [WorkOS Dashboard](https://dashboard.workos.com)
-    2. Configure the redirect URI: `https://<your-domain>/auth/workos/callback`
-    3. Note the **Client ID** and **AuthKit domain**
-    4. Set up organizations in the WorkOS dashboard
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "workos"
-
-    secrets:
-      WORKOS_CLIENT_ID: "<WorkOS client ID>"
-      WORKOS_AUTHKIT_DOMAIN: "<your-authkit-domain.authkit.com>"
-    ```
-  </Step>
-</Steps>
-
----
-
-### Auth0
-
-<Steps>
-  <Step title="Create Application">
-    1. In the [Auth0 Dashboard](https://manage.auth0.com), create a new **Regular Web Application**
-    2. Configure:
-       - **Allowed Callback URLs:** `https://<your-domain>/auth/auth0/callback`
-       - **Allowed Logout URLs:** `https://<your-domain>`
-    3. Note the **Domain**, **Client ID**, and **Client Secret**
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "auth0"
-
-    secrets:
-      AUTH0_CLIENT_ID: "<Auth0 client ID>"
-      AUTH0_CLIENT_SECRET: "<Auth0 client secret>"
-      AUTH0_DOMAIN: "<your-tenant.auth0.com>"
-    ```
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    1. Create a **Native** application in Auth0 for Device Authorization
-    2. Enable the **Device Authorization** grant type under application settings
-    3. Configure the CLI with the appropriate audience and client ID
-  </Step>
-</Steps>
-
----
-
-## CLI Authentication
-
-The CrewAI CLI supports SSO authentication via the **Device Authorization Grant** flow. This allows developers to authenticate from their terminal without exposing credentials.
-
-### Quick Setup
-
-For Factory installations, the CLI can auto-configure all OAuth2 settings:
-
-```bash
-crewai enterprise configure https://your-factory-url.app
-```
-
-This command fetches the SSO configuration from your Factory instance and sets all required CLI parameters automatically.
-
-Then authenticate:
-
-```bash
-crewai login
-```
-
-<Note>
-  Requires CrewAI CLI version **1.6.0** or higher for Entra ID, **0.159.0** or higher for Okta, and **1.9.0** or higher for Keycloak.
-</Note>
-
-### Manual CLI Configuration
-
-If you need to configure the CLI manually, use `crewai config set`:
-
-```bash
-# Set the provider
-crewai config set oauth2_provider okta
-
-# Set provider-specific values
-crewai config set oauth2_domain your-domain.okta.com
-crewai config set oauth2_client_id your-client-id
-crewai config set oauth2_audience api://default
-
-# Set the enterprise base URL
-crewai config set enterprise_base_url https://your-factory-url.app
-```
-
-### CLI Configuration Reference
-
-| Setting | Description | Example |
-|---|---|---|
-| `enterprise_base_url` | Your CrewAI instance URL | `https://crewai.yourcompany.com` |
-| `oauth2_provider` | Provider name | `workos`, `okta`, `auth0`, `entra_id`, `keycloak` |
-| `oauth2_domain` | Provider domain | `your-domain.okta.com` |
-| `oauth2_client_id` | OAuth2 client ID | `0oaqnwji7pGW7VT6T697` |
-| `oauth2_audience` | API audience identifier | `api://default` |
-
-View current configuration:
-
-```bash
-crewai config list
-```
-
-### How Device Authorization Works
-
-1. Run `crewai login` — the CLI requests a device code from your IdP
-2. A verification URL and code are displayed in your terminal
-3. Your browser opens to the verification URL
-4. Enter the code and authenticate with your IdP credentials
-5. The CLI receives an access token and stores it locally
-
----
-
-## Role-Based Access Control (RBAC)
-
-CrewAI Platform provides granular RBAC that integrates with your SSO provider.
-
-### Permission Model
-
-| Permission | Description |
-|---|---|
-| **Read** | View resources (dashboards, automations, logs) |
-| **Write** | Create and modify resources |
-| **Manage** | Full control including deletion and configuration |
-
-### Resources
-
-Permissions can be scoped to individual resources:
-
-- **Usage Dashboard** — Platform usage metrics and analytics
-- **Automations Dashboard** — Crew and flow management
-- **Environment Variables** — Secret and configuration management
-- **Individual Automations** — Per-automation access control
-
-### Roles
-
-- **Predefined roles** come out of the box with standard permission sets
-- **Custom roles** can be created with any combination of permissions
-- **Per-resource assignment** — limit specific automations to individual users or roles
-
-### Factory Admin Access
-
-For Factory deployments using Entra ID, admin access is controlled via App Roles:
-
-- Assign the `factory-admin` role to users who need admin panel access
-- Assign the `member` role for standard platform access
-- Roles are communicated via JWT claims — no additional configuration needed after IdP setup
-
----
-
-## Troubleshooting
-
-### Invalid Redirect URI
-
-**Symptom:** Authentication fails with a redirect URI mismatch error.
-
-**Fix:** Ensure the redirect URI in your IdP exactly matches the expected callback URL:
-
-| Provider | Callback URL |
-|---|---|
-| Entra ID | `https://<domain>/auth/entra_id/callback` |
-| Okta | `https://<domain>/auth/okta/callback` |
-| Keycloak | `https://<domain>/auth/keycloak/callback` |
-| WorkOS | `https://<domain>/auth/workos/callback` |
-| Auth0 | `https://<domain>/auth/auth0/callback` |
-
-### CLI Login Fails (Device Authorization)
-
-**Symptom:** `crewai login` returns an error or times out.
-
-**Fix:**
-- Verify that Device Authorization Grant is enabled in your IdP
-- For Okta: ensure you have a **Native Application** (not Web) with Device Authorization grant
-- For Entra ID: ensure **Allow public client flows** is enabled
-- For Keycloak: ensure the CLI client has **Client authentication: Off** and only Device Authorization Grant enabled
-- Check that `*_DEVICE_AUTHORIZATION_CLIENT_ID` environment variable is set on the server
-
-### Token Validation Errors
-
-**Symptom:** `Invalid token: Signature verification failed` or `401 Unauthorized` after login.
-
-**Fix:**
-- **Okta:** Verify `OKTA_AUTHORIZATION_SERVER` and `OKTA_AUDIENCE` match the authorization server's Name and Audience exactly
-- **Entra ID:** Ensure `accessTokenAcceptedVersion` is set to `2` in the app manifest
-- **Keycloak:** Verify `KEYCLOAK_AUDIENCE` matches the audience in your access tokens (default: `account`)
-
-### Admin Consent Not Granted (Entra ID)
-
-**Symptom:** Users can't log in, see "needs admin approval" message.
-
-**Fix:** Go to **Enterprise applications** → your app → **Permissions** → **Grant admin consent**. Ensure `User.Read` is granted for Microsoft Graph.
-
-### 403 Forbidden After Login
-
-**Symptom:** User authenticates successfully but gets 403 errors.
-
-**Fix:**
-- Check that the user is assigned to the application in your IdP
-- For Entra ID with **Assignment required = Yes**: ensure the user has a role assignment (Member or Factory Admin)
-- For Okta: verify the user or their group is assigned under the app's **Assignments** tab
-
-### CLI Can't Reach Factory Instance
-
-**Symptom:** `crewai enterprise configure` fails to connect.
-
-**Fix:**
-- Verify the Factory URL is reachable from your machine
-- Check that `enterprise_base_url` is set correctly: `crewai config list`
-- Ensure TLS certificates are valid and trusted
-
----
-
-## Environment Variables Reference
-
-### Common
-
-| Variable | Description |
-|---|---|
-| `AUTH_PROVIDER` | Authentication provider: `entra_id`, `okta`, `workos`, `auth0`, `keycloak`, `local` |
-
-### Microsoft Entra ID
-
-| Variable | Required | Description |
-|---|---|---|
-| `ENTRA_ID_CLIENT_ID` | ✅ | Application (client) ID from Azure |
-| `ENTRA_ID_CLIENT_SECRET` | ✅ | Client secret from Azure |
-| `ENTRA_ID_TENANT_ID` | ✅ | Directory (tenant) ID from Azure |
-| `ENTRA_ID_DEVICE_AUTHORIZATION_CLIENT_ID` | CLI only | Client ID for Device Authorization Grant |
-| `ENTRA_ID_CUSTOM_OPENID_SCOPE` | CLI only | Custom scope from "Expose an API" (e.g., `api://crewai-cli/read`) |
-
-### Okta
-
-| Variable | Required | Description |
-|---|---|---|
-| `OKTA_CLIENT_ID` | ✅ | Okta application client ID |
-| `OKTA_CLIENT_SECRET` | ✅ | Okta client secret |
-| `OKTA_SITE` | ✅ | Okta organization URL (e.g., `https://your-domain.okta.com`) |
-| `OKTA_AUTHORIZATION_SERVER` | ✅ | Authorization server name (e.g., `default`) |
-| `OKTA_AUDIENCE` | ✅ | Authorization server audience (e.g., `api://default`) |
-| `OKTA_DEVICE_AUTHORIZATION_CLIENT_ID` | CLI only | Native app client ID for Device Authorization |
-
-### WorkOS
-
-| Variable | Required | Description |
-|---|---|---|
-| `WORKOS_CLIENT_ID` | ✅ | WorkOS application client ID |
-| `WORKOS_AUTHKIT_DOMAIN` | ✅ | AuthKit domain (e.g., `your-domain.authkit.com`) |
-
-### Auth0
-
-| Variable | Required | Description |
-|---|---|---|
-| `AUTH0_CLIENT_ID` | ✅ | Auth0 application client ID |
-| `AUTH0_CLIENT_SECRET` | ✅ | Auth0 client secret |
-| `AUTH0_DOMAIN` | ✅ | Auth0 tenant domain (e.g., `your-tenant.auth0.com`) |
-
-### Keycloak
-
-| Variable | Required | Description |
-|---|---|---|
-| `KEYCLOAK_CLIENT_ID` | ✅ | Keycloak client ID |
-| `KEYCLOAK_CLIENT_SECRET` | ✅ | Keycloak client secret |
-| `KEYCLOAK_SITE` | ✅ | Keycloak server URL |
-| `KEYCLOAK_REALM` | ✅ | Keycloak realm name |
-| `KEYCLOAK_AUDIENCE` | ✅ | Token audience (default: `account`) |
-| `KEYCLOAK_BASE_URL` | Optional | Base URL path (e.g., `/auth` for pre-v17 migrations) |
-| `KEYCLOAK_DEVICE_AUTHORIZATION_CLIENT_ID` | CLI only | Public client ID for Device Authorization |
-
----
-
-## Next Steps
-
-- [Installation Guide](/installation) — Get started with CrewAI
-- [Quickstart](/quickstart) — Build your first crew
-- [RBAC Setup](/enterprise/features/rbac) — Detailed role and permission management

docs/ko/changelog.mdx

@@ -4,63 +4,6 @@ description: "CrewAI의 제품 업데이트, 개선 사항 및 버그 수정"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="2026년 3월 27일">
-  ## v1.13.0rc1
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## 변경 사항
-
-  ### 문서
-  - v1.13.0a2의 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="2026년 3월 27일">
-  ## v1.13.0a2
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## 변경 사항
-
-  ### 기능
-  - 릴리스 중 자동 업데이트 배포 테스트 리포지토리
-  - 기업 릴리스의 복원력 및 사용자 경험 개선
-
-  ### 문서
-  - v1.13.0a1에 대한 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="2026년 3월 27일">
-  ## v1.13.0a1
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## 변경 사항
-
-  ### 버그 수정
-  - Node를 LTS 22로 고정하여 문서 작업 흐름의 끊어진 링크 수정
-  - 기업 릴리스에서 새로 게시된 패키지의 uv 캐시 초기화
-
-  ### 문서
-  - 포괄적인 RBAC 권한 매트릭스 및 배포 가이드 추가
-  - v1.12.2에 대한 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="2026년 3월 25일">
   ## v1.12.2
 

docs/pt-BR/changelog.mdx

@@ -4,63 +4,6 @@ description: "Atualizações de produto, melhorias e correções do CrewAI"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="27 mar 2026">
-  ## v1.13.0rc1
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## O que Mudou
-
-  ### Documentação
-  - Atualizar changelog e versão para v1.13.0a2
-
-  ## Contribuidores
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 mar 2026">
-  ## v1.13.0a2
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## O que Mudou
-
-  ### Recursos
-  - Repositório de teste de implantação de autoatualização durante o lançamento
-  - Melhorar a resiliência e a experiência do usuário na versão empresarial
-
-  ### Documentação
-  - Atualizar changelog e versão para v1.13.0a1
-
-  ## Contribuidores
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 mar 2026">
-  ## v1.13.0a1
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## O que Mudou
-
-  ### Correções de Bugs
-  - Corrigir links quebrados no fluxo de documentação fixando o Node na LTS 22
-  - Limpar o cache uv para pacotes recém-publicados na versão empresarial
-
-  ### Documentação
-  - Adicionar uma matriz abrangente de permissões RBAC e guia de implantação
-  - Atualizar o changelog e a versão para v1.12.2
-
-  ## Contributors
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="25 mar 2026">
   ## v1.12.2
 

lib/crewai-files/pyproject.toml

@@ -6,7 +6,7 @@ readme = "README.md"
 authors = [
     { name = "Greyson LaLonde", email = "greyson@crewai.com" }
 ]
-requires-python = ">=3.10, <3.14"
+requires-python = ">=3.10, <3.15"
 dependencies = [
     "Pillow~=12.1.1",
     "pypdf~=6.9.1",

lib/crewai-files/src/crewai_files/__init__.py

@@ -152,4 +152,4 @@ __all__ = [
     "wrap_file_source",
 ]
 
-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"

lib/crewai-tools/pyproject.toml

@@ -6,12 +6,12 @@ readme = "README.md"
 authors = [
     { name = "João Moura", email = "joaomdmoura@gmail.com" },
 ]
-requires-python = ">=3.10, <3.14"
+requires-python = ">=3.10, <3.15"
 dependencies = [
     "pytube~=15.0.0",
     "requests~=2.32.5",
     "docker~=7.1.0",
-    "crewai==1.13.0rc1",
+    "crewai==1.12.2",
     "tiktoken~=0.8.0",
     "beautifulsoup4~=4.13.4",
     "python-docx~=1.2.0",

lib/crewai-tools/src/crewai_tools/__init__.py

@@ -309,4 +309,4 @@ __all__ = [
     "ZapierActionTools",
 ]
 
-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"

lib/crewai-tools/src/crewai_tools/aws/bedrock/browser/browser_session_manager.py

@@ -47,7 +47,7 @@ class BrowserSessionManager:
         Returns:
             An async browser instance specific to the thread
         """
-        loop = asyncio.get_event_loop()
+        loop = asyncio.get_running_loop()
         while True:
             with self._lock:
                 if thread_id in self._async_sessions:

lib/crewai-tools/src/crewai_tools/aws/bedrock/browser/browser_toolkit.py

@@ -94,11 +94,9 @@ class BrowserBaseTool(BaseTool):
                 try:
                     import nest_asyncio  # type: ignore[import-untyped]
 
-                    loop = asyncio.get_event_loop()
+                    loop = asyncio.get_running_loop()
                     nest_asyncio.apply(loop)
-                    result: str = asyncio.get_event_loop().run_until_complete(
-                        self._arun(*args, **kwargs)
-                    )
+                    result: str = loop.run_until_complete(self._arun(*args, **kwargs))
                     return result
                 except Exception as e:
                     return f"Error in patched _run: {e!s}"
@@ -118,7 +116,7 @@ class BrowserBaseTool(BaseTool):
     def _is_in_asyncio_loop(self) -> bool:
         """Check if we're currently in an asyncio event loop."""
         try:
-            loop = asyncio.get_event_loop()
+            loop = asyncio.get_running_loop()
             return loop.is_running()
         except RuntimeError:
             return False
@@ -544,14 +542,13 @@ class BrowserToolkit:
     def _nest_current_loop(self) -> None:
         """Apply nest_asyncio if we're in an asyncio loop."""
         try:
-            loop = asyncio.get_event_loop()
-            if loop.is_running():
-                try:
-                    import nest_asyncio
+            loop = asyncio.get_running_loop()
+            try:
+                import nest_asyncio
 
-                    nest_asyncio.apply(loop)
-                except Exception as e:
-                    logger.warning(f"Failed to apply nest_asyncio: {e!s}")
+                nest_asyncio.apply(loop)
+            except Exception as e:
+                logger.warning(f"Failed to apply nest_asyncio: {e!s}")
         except RuntimeError:
             pass
 

lib/crewai-tools/src/crewai_tools/tools/snowflake_search_tool/snowflake_search_tool.py

@@ -168,7 +168,7 @@ class SnowflakeSearchTool(BaseTool):
         with self._pool_lock:
             if self._connection_pool:
                 return self._connection_pool.pop()
-        return await asyncio.get_event_loop().run_in_executor(
+        return await asyncio.get_running_loop().run_in_executor(
             self._thread_pool, self._create_connection
         )
 

lib/crewai/pyproject.toml

@@ -6,7 +6,7 @@ readme = "README.md"
 authors = [
     { name = "Joao Moura", email = "joao@crewai.com" }
 ]
-requires-python = ">=3.10, <3.14"
+requires-python = ">=3.10, <3.15"
 dependencies = [
     # Core Dependencies
     "pydantic~=2.11.9",
@@ -54,7 +54,7 @@ Repository = "https://github.com/crewAIInc/crewAI"
 
 [project.optional-dependencies]
 tools = [
-    "crewai-tools==1.13.0rc1",
+    "crewai-tools==1.12.2",
 ]
 embeddings = [
     "tiktoken~=0.8.0"

lib/crewai/src/crewai/__init__.py

@@ -42,7 +42,7 @@ def _suppress_pydantic_deprecation_warnings() -> None:
 
 _suppress_pydantic_deprecation_warnings()
 
-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
 _telemetry_submitted = False
 
 

lib/crewai/src/crewai/cli/memory_tui.py

@@ -362,7 +362,7 @@ class MemoryTUI(App[None]):
         panel.loading = True
         try:
             scope = self._selected_scope if self._selected_scope != "/" else None
-            loop = asyncio.get_event_loop()
+            loop = asyncio.get_running_loop()
             matches = await loop.run_in_executor(
                 None,
                 lambda: self._memory.recall(query, scope=scope, limit=10, depth="deep"),

lib/crewai/src/crewai/cli/templates/crew/pyproject.toml

@@ -5,7 +5,7 @@ description = "{{name}} using crewAI"
 authors = [{ name = "Your Name", email = "you@example.com" }]
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]
 
 [project.scripts]

lib/crewai/src/crewai/cli/templates/flow/pyproject.toml

@@ -5,7 +5,7 @@ description = "{{name}} using crewAI"
 authors = [{ name = "Your Name", email = "you@example.com" }]
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]
 
 [project.scripts]

lib/crewai/src/crewai/cli/templates/tool/pyproject.toml

@@ -5,7 +5,7 @@ description = "Power up your crews with {{folder_name}}"
 readme = "README.md"
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]
 
 [tool.crewai]

lib/crewai/src/crewai/rag/chromadb/client.py

@@ -86,7 +86,7 @@ class ChromaDBClient(BaseClient):
             yield
             return
         lock_cm = store_lock(self._lock_name)
-        loop = asyncio.get_event_loop()
+        loop = asyncio.get_running_loop()
         await loop.run_in_executor(None, lock_cm.__enter__)
         try:
             yield

lib/crewai/src/crewai/tools/structured_tool.py

@@ -266,7 +266,7 @@ class CrewStructuredTool:
             # Run sync functions in a thread pool
             import asyncio
 
-            return await asyncio.get_event_loop().run_in_executor(
+            return await asyncio.get_running_loop().run_in_executor(
                 None, lambda: self.func(**parsed_args, **kwargs)
             )
         except Exception:

lib/crewai/src/crewai/utilities/streaming.py

@@ -184,7 +184,7 @@ def create_streaming_state(
 
     if use_async:
         async_queue = asyncio.Queue()
-        loop = asyncio.get_event_loop()
+        loop = asyncio.get_running_loop()
 
     handler = _create_stream_handler(current_task_info, sync_queue, async_queue, loop)
     crewai_event_bus.register_handler(LLMStreamChunkEvent, handler)

lib/crewai/tests/test_python314_compat.py

@@ -0,0 +1,210 @@
+"""Tests for Python 3.14 compatibility.
+
+Python 3.14 changed asyncio.get_event_loop() to raise RuntimeError when no
+running event loop exists instead of creating one. All async code paths must
+use asyncio.get_running_loop() instead.
+
+See: https://github.com/crewAIInc/crewAI/issues/5109
+"""
+
+import asyncio
+from contextlib import asynccontextmanager
+from typing import Any
+from unittest.mock import AsyncMock, MagicMock, patch
+
+import pytest
+
+from crewai.tools.structured_tool import CrewStructuredTool
+from crewai.utilities.streaming import create_streaming_state
+
+
+class TestStructuredToolAsyncCompat:
+    """Test that CrewStructuredTool.ainvoke uses get_running_loop correctly."""
+
+    @pytest.mark.asyncio
+    async def test_ainvoke_sync_func_uses_running_loop(self) -> None:
+        """ainvoke() with a sync function must use the running event loop."""
+
+        def sync_func(x: int) -> int:
+            """A sync function."""
+            return x * 2
+
+        tool = CrewStructuredTool.from_function(
+            func=sync_func, name="double", description="Doubles a number"
+        )
+        result = await tool.ainvoke({"x": 5})
+        assert result == 10
+
+    @pytest.mark.asyncio
+    async def test_ainvoke_async_func(self) -> None:
+        """ainvoke() with an async function should call it directly."""
+
+        async def async_func(x: int) -> int:
+            """An async function."""
+            return x * 3
+
+        tool = CrewStructuredTool.from_function(
+            func=async_func, name="triple", description="Triples a number"
+        )
+        result = await tool.ainvoke({"x": 4})
+        assert result == 12
+
+    @pytest.mark.asyncio
+    async def test_ainvoke_sync_func_runs_in_executor(self) -> None:
+        """Verify ainvoke offloads sync functions to an executor via the running loop."""
+        import threading
+
+        call_thread_ids: list[int] = []
+
+        def sync_func(x: int) -> int:
+            """A sync function that records its thread."""
+            call_thread_ids.append(threading.current_thread().ident or 0)
+            return x + 1
+
+        tool = CrewStructuredTool.from_function(
+            func=sync_func, name="inc", description="Increment"
+        )
+
+        result = await tool.ainvoke({"x": 1})
+        assert result == 2
+        assert len(call_thread_ids) == 1
+        # Sync func should run in a different thread (executor)
+        assert call_thread_ids[0] != threading.current_thread().ident
+
+
+class TestStreamingStateAsyncCompat:
+    """Test that create_streaming_state uses get_running_loop correctly."""
+
+    @pytest.mark.asyncio
+    async def test_create_streaming_state_async_uses_running_loop(self) -> None:
+        """create_streaming_state(use_async=True) must use the running loop."""
+        task_info = {
+            "index": 0,
+            "name": "test",
+            "id": "test-id",
+            "agent_role": "tester",
+            "agent_id": "agent-id",
+        }
+        state = create_streaming_state(
+            current_task_info=task_info,
+            result_holder=[],
+            use_async=True,
+        )
+        assert state.loop is not None
+        assert state.async_queue is not None
+        assert state.loop is asyncio.get_running_loop()
+
+    def test_create_streaming_state_sync_no_loop_needed(self) -> None:
+        """create_streaming_state(use_async=False) should not require a loop."""
+        task_info = {
+            "index": 0,
+            "name": "test",
+            "id": "test-id",
+            "agent_role": "tester",
+            "agent_id": "agent-id",
+        }
+        state = create_streaming_state(
+            current_task_info=task_info,
+            result_holder=[],
+            use_async=False,
+        )
+        assert state.loop is None
+        assert state.async_queue is None
+
+    @pytest.mark.asyncio
+    async def test_create_streaming_state_async_uses_get_running_loop_not_get_event_loop(
+        self,
+    ) -> None:
+        """Verify create_streaming_state does not call asyncio.get_event_loop()."""
+        task_info = {
+            "index": 0,
+            "name": "test",
+            "id": "test-id",
+            "agent_role": "tester",
+            "agent_id": "agent-id",
+        }
+
+        with patch("crewai.utilities.streaming.asyncio") as mock_asyncio:
+            mock_asyncio.Queue = asyncio.Queue
+            mock_asyncio.get_running_loop.return_value = asyncio.get_running_loop()
+
+            create_streaming_state(
+                current_task_info=task_info,
+                result_holder=[],
+                use_async=True,
+            )
+
+            mock_asyncio.get_running_loop.assert_called_once()
+            mock_asyncio.get_event_loop.assert_not_called()
+
+
+class TestChromaDBClientAsyncCompat:
+    """Test that ChromaDBClient._alocked uses get_running_loop correctly."""
+
+    @pytest.mark.asyncio
+    async def test_alocked_without_lock_name(self) -> None:
+        """_alocked should yield immediately when no lock name is set."""
+        from crewai.rag.chromadb.client import ChromaDBClient
+
+        mock_client = MagicMock()
+        mock_ef = MagicMock()
+        client = ChromaDBClient(
+            client=mock_client,
+            embedding_function=mock_ef,
+            lock_name=None,
+        )
+
+        async with client._alocked():
+            pass  # Should not raise
+
+    @pytest.mark.asyncio
+    async def test_alocked_uses_get_running_loop_not_get_event_loop(self) -> None:
+        """Verify _alocked does not call asyncio.get_event_loop()."""
+        from crewai.rag.chromadb.client import ChromaDBClient
+
+        mock_client = MagicMock()
+        mock_ef = MagicMock()
+        client = ChromaDBClient(
+            client=mock_client,
+            embedding_function=mock_ef,
+            lock_name="test-lock",
+        )
+
+        with patch("crewai.rag.chromadb.client.asyncio") as mock_asyncio:
+            loop = asyncio.get_running_loop()
+            mock_asyncio.get_running_loop.return_value = loop
+
+            mock_cm = MagicMock()
+            with patch("crewai.rag.chromadb.client.store_lock", return_value=mock_cm):
+                async with client._alocked():
+                    pass
+
+            mock_asyncio.get_running_loop.assert_called()
+            mock_asyncio.get_event_loop.assert_not_called()
+
+
+class TestGetRunningLoopInAsyncContext:
+    """General tests ensuring get_running_loop works in async contexts."""
+
+    @pytest.mark.asyncio
+    async def test_get_running_loop_available_in_async_context(self) -> None:
+        """asyncio.get_running_loop() should work in an async context."""
+        loop = asyncio.get_running_loop()
+        assert loop is not None
+        assert loop.is_running()
+
+    @pytest.mark.asyncio
+    async def test_run_in_executor_with_running_loop(self) -> None:
+        """run_in_executor should work with get_running_loop()."""
+        loop = asyncio.get_running_loop()
+
+        def sync_work() -> str:
+            return "done"
+
+        result = await loop.run_in_executor(None, sync_work)
+        assert result == "done"
+
+    def test_get_running_loop_raises_outside_async(self) -> None:
+        """get_running_loop() should raise RuntimeError outside async context."""
+        with pytest.raises(RuntimeError):
+            asyncio.get_running_loop()

lib/crewai/tests/utilities/events/test_shutdown.py

@@ -271,7 +271,7 @@ async def test_mixed_sync_async_handler_execution():
                     timeout=5
                 )
 
-        await asyncio.get_event_loop().run_in_executor(None, wait_for_completion)
+        await asyncio.get_running_loop().run_in_executor(None, wait_for_completion)
 
         assert len(sync_executed) == 5
         assert len(async_executed) == 5

lib/devtools/src/crewai_devtools/__init__.py

@@ -1,3 +1,3 @@
 """CrewAI development tools."""
 
-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"

lib/devtools/src/crewai_devtools/cli.py

@@ -156,33 +156,6 @@ def update_version_in_file(file_path: Path, new_version: str) -> bool:
     return False
 
 
-def update_pyproject_version(file_path: Path, new_version: str) -> bool:
-    """Update the [project] version field in a pyproject.toml file.
-
-    Args:
-        file_path: Path to pyproject.toml file.
-        new_version: New version string.
-
-    Returns:
-        True if version was updated, False otherwise.
-    """
-    if not file_path.exists():
-        return False
-
-    content = file_path.read_text()
-    new_content = re.sub(
-        r'^(version\s*=\s*")[^"]+(")',
-        rf"\g<1>{new_version}\2",
-        content,
-        count=1,
-        flags=re.MULTILINE,
-    )
-    if new_content != content:
-        file_path.write_text(new_content)
-        return True
-    return False
-
-
 _DEFAULT_WORKSPACE_PACKAGES: Final[list[str]] = [
     "crewai",
     "crewai-tools",
@@ -1072,84 +1045,10 @@ def _update_enterprise_crewai_dep(pyproject_path: Path, version: str) -> bool:
     return False
 
 
-_DEPLOYMENT_TEST_REPO: Final[str] = "crewAIInc/crew_deployment_test"
-
 _PYPI_POLL_INTERVAL: Final[int] = 15
 _PYPI_POLL_TIMEOUT: Final[int] = 600
 
 
-def _update_deployment_test_repo(version: str, is_prerelease: bool) -> None:
-    """Update the deployment test repo to pin the new crewai version.
-
-    Clones the repo, updates the crewai[tools] pin in pyproject.toml,
-    regenerates the lockfile, commits, and pushes directly to main.
-
-    Args:
-        version: New crewai version string.
-        is_prerelease: Whether this is a pre-release version.
-    """
-    console.print(
-        f"\n[bold cyan]Updating {_DEPLOYMENT_TEST_REPO} to {version}[/bold cyan]"
-    )
-
-    with tempfile.TemporaryDirectory() as tmp:
-        repo_dir = Path(tmp) / "crew_deployment_test"
-        run_command(["gh", "repo", "clone", _DEPLOYMENT_TEST_REPO, str(repo_dir)])
-        console.print(f"[green]✓[/green] Cloned {_DEPLOYMENT_TEST_REPO}")
-
-        pyproject = repo_dir / "pyproject.toml"
-        content = pyproject.read_text()
-        new_content = re.sub(
-            r'"crewai\[tools\]==[^"]+"',
-            f'"crewai[tools]=={version}"',
-            content,
-        )
-        if new_content == content:
-            console.print(
-                "[yellow]Warning:[/yellow] No crewai[tools] pin found to update"
-            )
-            return
-        pyproject.write_text(new_content)
-        console.print(f"[green]✓[/green] Updated crewai[tools] pin to {version}")
-
-        lock_cmd = [
-            "uv",
-            "lock",
-            "--refresh-package",
-            "crewai",
-            "--refresh-package",
-            "crewai-tools",
-        ]
-        if is_prerelease:
-            lock_cmd.append("--prerelease=allow")
-
-        max_retries = 10
-        for attempt in range(1, max_retries + 1):
-            try:
-                run_command(lock_cmd, cwd=repo_dir)
-                break
-            except subprocess.CalledProcessError:
-                if attempt == max_retries:
-                    console.print(
-                        f"[red]Error:[/red] uv lock failed after {max_retries} attempts"
-                    )
-                    raise
-                console.print(
-                    f"[yellow]uv lock failed (attempt {attempt}/{max_retries}),"
-                    f" retrying in {_PYPI_POLL_INTERVAL}s...[/yellow]"
-                )
-                time.sleep(_PYPI_POLL_INTERVAL)
-        console.print("[green]✓[/green] Lockfile updated")
-
-        run_command(["git", "add", "pyproject.toml", "uv.lock"], cwd=repo_dir)
-        run_command(
-            ["git", "commit", "-m", f"chore: bump crewai to {version}"],
-            cwd=repo_dir,
-        )
-        run_command(["git", "push"], cwd=repo_dir)
-        console.print(f"[green]✓[/green] Pushed to {_DEPLOYMENT_TEST_REPO}")
-
-
 def _wait_for_pypi(package: str, version: str) -> None:
     """Poll PyPI until a specific package version is available.
 
@@ -1242,11 +1141,6 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
 
             pyproject = pkg_dir / "pyproject.toml"
             if pyproject.exists():
-                if update_pyproject_version(pyproject, version):
-                    console.print(
-                        f"[green]✓[/green] Updated version in: "
-                        f"{pyproject.relative_to(repo_dir)}"
-                    )
                 if update_pyproject_dependencies(
                     pyproject, version, extra_packages=list(_ENTERPRISE_EXTRA_PACKAGES)
                 ):
@@ -1265,35 +1159,7 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
         _wait_for_pypi("crewai", version)
 
         console.print("\nSyncing workspace...")
-        sync_cmd = [
-            "uv",
-            "sync",
-            "--refresh-package",
-            "crewai",
-            "--refresh-package",
-            "crewai-tools",
-            "--refresh-package",
-            "crewai-files",
-        ]
-        if is_prerelease:
-            sync_cmd.append("--prerelease=allow")
-
-        max_retries = 10
-        for attempt in range(1, max_retries + 1):
-            try:
-                run_command(sync_cmd, cwd=repo_dir)
-                break
-            except subprocess.CalledProcessError:
-                if attempt == max_retries:
-                    console.print(
-                        f"[red]Error:[/red] uv sync failed after {max_retries} attempts"
-                    )
-                    raise
-                console.print(
-                    f"[yellow]uv sync failed (attempt {attempt}/{max_retries}),"
-                    f" retrying in {_PYPI_POLL_INTERVAL}s...[/yellow]"
-                )
-                time.sleep(_PYPI_POLL_INTERVAL)
+        run_command(["uv", "sync"], cwd=repo_dir)
         console.print("[green]✓[/green] Workspace synced")
 
         # --- branch, commit, push, PR ---
@@ -1309,7 +1175,7 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
         run_command(["git", "push", "-u", "origin", branch_name], cwd=repo_dir)
         console.print("[green]✓[/green] Branch pushed")
 
-        pr_url = run_command(
+        run_command(
             [
                 "gh",
                 "pr",
@@ -1326,7 +1192,6 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
             cwd=repo_dir,
         )
         console.print("[green]✓[/green] Enterprise bump PR created")
-        console.print(f"[cyan]PR URL:[/cyan] {pr_url}")
 
         _poll_pr_until_merged(branch_name, "enterprise bump PR", repo=enterprise_repo)
 
@@ -1693,18 +1558,7 @@ def tag(dry_run: bool, no_edit: bool) -> None:
     is_flag=True,
     help="Skip the enterprise release phase",
 )
-@click.option(
-    "--skip-to-enterprise",
-    is_flag=True,
-    help="Skip phases 1 & 2, run only the enterprise release phase",
-)
-def release(
-    version: str,
-    dry_run: bool,
-    no_edit: bool,
-    skip_enterprise: bool,
-    skip_to_enterprise: bool,
-) -> None:
+def release(version: str, dry_run: bool, no_edit: bool, skip_enterprise: bool) -> None:
     """Full release: bump versions, tag, and publish a GitHub release.
 
     Combines bump and tag into a single workflow. Creates a version bump PR,
@@ -1717,19 +1571,11 @@ def release(
         dry_run: Show what would be done without making changes.
         no_edit: Skip editing release notes.
         skip_enterprise: Skip the enterprise release phase.
-        skip_to_enterprise: Skip phases 1 & 2, run only the enterprise release phase.
     """
     try:
         check_gh_installed()
 
-        if skip_enterprise and skip_to_enterprise:
-            console.print(
-                "[red]Error:[/red] Cannot use both --skip-enterprise "
-                "and --skip-to-enterprise"
-            )
-            sys.exit(1)
-
-        if not skip_enterprise or skip_to_enterprise:
+        if not skip_enterprise:
             missing: list[str] = []
             if not _ENTERPRISE_REPO:
                 missing.append("ENTERPRISE_REPO")
@@ -1748,15 +1594,6 @@ def release(
         cwd = Path.cwd()
         lib_dir = cwd / "lib"
 
-        is_prerelease = _is_prerelease(version)
-
-        if skip_to_enterprise:
-            _release_enterprise(version, is_prerelease, dry_run)
-            console.print(
-                f"\n[green]✓[/green] Enterprise release [bold]{version}[/bold] complete!"
-            )
-            return
-
         if not dry_run:
             console.print("Checking git status...")
             check_git_clean()
@@ -1850,8 +1687,7 @@ def release(
 
         if not dry_run:
             _create_tag_and_release(tag_name, release_notes, is_prerelease)
-            _trigger_pypi_publish(tag_name, wait=True)
-            _update_deployment_test_repo(version, is_prerelease)
+            _trigger_pypi_publish(tag_name, wait=not skip_enterprise)
 
         if not skip_enterprise:
             _release_enterprise(version, is_prerelease, dry_run)

pyproject.toml

@@ -1,7 +1,7 @@
 name = "crewai-workspace"
 description = "Cutting-edge framework for orchestrating role-playing, autonomous AI agents. By fostering collaborative intelligence, CrewAI empowers agents to work together seamlessly, tackling complex tasks."
 readme = "README.md"
-requires-python = ">=3.10,<3.14"
+requires-python = ">=3.10,<3.15"
 authors = [
     { name = "Joao Moura", email = "joao@crewai.com" }
 ]