docs: add top-level Security Policy page across all languages

Create a dedicated Security Policy page (docs/{en,pt-BR,ko,ar}/security.mdx) with vulnerability reporting instructions pointing to the Bugcrowd VDP (crewai-vdp-ess@submit.bugcrowd.com), consistent with the updated security policy from PR #5096. The page is added to the Documentation tab navigation (after Telemetry) across all versions and languages in docs.json. This is a top-level security page, not buried inside MCP docs.
2026-03-31 16:18:14 +00:00 · 2026-03-26 17:55:27 +00:00
44 changed files with 1066 additions and 2860 deletions
--- a/.github/workflows/docs-broken-links.yml
+++ b/.github/workflows/docs-broken-links.yml
@@ -23,7 +23,7 @@ jobs:
      - name: Set up Node
        uses: actions/setup-node@v4
        with:
-          node-version: "22"
+          node-version: "latest"

      - name: Install Mintlify CLI
        run: npm i -g mintlify
--- a/docs/ar/changelog.mdx
+++ b/docs/ar/changelog.mdx
@@ -4,63 +4,6 @@ description: "تحديثات المنتج والتحسينات وإصلاحات
 icon: "clock"
 mode: "wide"
 ---
-<Update label="27 مارس 2026">
-  ## v1.13.0rc1
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## ما الذي تغير
-
-  ### الوثائق
-  - تحديث سجل التغييرات والإصدار لـ v1.13.0a2
-
-  ## المساهمون
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 مارس 2026">
-  ## v1.13.0a2
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## ما الذي تغير
-
-  ### الميزات
-  - تحديث تلقائي لمستودع اختبار النشر أثناء الإصدار
-  - تحسين مرونة إصدار المؤسسات وتجربة المستخدم
-
-  ### الوثائق
-  - تحديث سجل التغييرات والإصدار للإصدار v1.13.0a1
-
-  ## المساهمون
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 مارس 2026">
-  ## v1.13.0a1
-
-  [عرض الإصدار على GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## ما الذي تغير
-
-  ### إصلاحات الأخطاء
-  - إصلاح الروابط المعطلة في سير العمل الوثائقي عن طريق تثبيت Node على LTS 22
-  - مسح ذاكرة التخزين المؤقت لـ uv للحزم المنشورة حديثًا في الإصدار المؤسسي
-
-  ### الوثائق
-  - إضافة مصفوفة شاملة لأذونات RBAC ودليل النشر
-  - تحديث سجل التغييرات والإصدار للإصدار v1.12.2
-
-  ## المساهمون
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="25 مارس 2026">
  ## v1.12.2

--- a/docs/ar/mcp/security.mdx
+++ b/docs/ar/mcp/security.mdx
@@ -139,7 +139,19 @@ mode: "wide"
 - **الالتزام بمواصفات ترخيص MCP**: إذا كنت تنفذ المصادقة والترخيص، اتبع بدقة [مواصفات ترخيص MCP](https://modelcontextprotocol.io/specification/draft/basic/authorization).
 - **تدقيقات أمنية منتظمة**: إذا كان خادم MCP يتعامل مع بيانات حساسة، فكر في إجراء تدقيقات أمنية دورية.

-## 5. قراءة إضافية
+## 5. الإبلاغ عن الثغرات الأمنية
+
+إذا اكتشفت ثغرة أمنية في CrewAI، يرجى الإبلاغ عنها بشكل مسؤول من خلال برنامج الكشف عن الثغرات (VDP) الخاص بنا على Bugcrowd:
+
+**أرسل التقارير إلى:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**لا تكشف** عن الثغرات عبر issues العامة على GitHub أو pull requests أو وسائل التواصل الاجتماعي. لن تتم مراجعة التقارير المقدمة عبر قنوات غير Bugcrowd.
+</Warning>
+
+لمزيد من التفاصيل، راجع [سياسة الأمان](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md) الخاصة بنا.
+
+## 6. قراءة إضافية

 لمزيد من المعلومات التفصيلية حول أمان MCP، راجع التوثيق الرسمي:
 - **[أمان نقل MCP](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/ar/security.mdx
+++ b/docs/ar/security.mdx
@@ -0,0 +1,22 @@
+---
+title: سياسة الأمان
+description: تعرف على كيفية الإبلاغ عن الثغرات الأمنية وممارسات الأمان في CrewAI.
+icon: shield
+mode: "wide"
+---
+
+## الإبلاغ عن الثغرات الأمنية
+
+إذا اكتشفت ثغرة أمنية في CrewAI، يرجى الإبلاغ عنها بشكل مسؤول من خلال برنامج الكشف عن الثغرات (VDP) الخاص بنا على Bugcrowd:
+
+**أرسل التقارير إلى:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**لا تكشف** عن الثغرات عبر issues العامة على GitHub أو pull requests أو وسائل التواصل الاجتماعي. لن تتم مراجعة التقارير المقدمة عبر قنوات غير Bugcrowd.
+</Warning>
+
+لمزيد من التفاصيل، راجع [سياسة الأمان على GitHub](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## موارد الأمان
+
+- **[اعتبارات أمان MCP](/mcp/security)** — أفضل الممارسات لدمج خوادم MCP بأمان مع وكلاء CrewAI، بما في ذلك أمان النقل ومخاطر حقن الأوامر ونصائح تنفيذ الخادم.
--- a/docs/docs.json
+++ b/docs/docs.json
--- a/docs/en/changelog.mdx
+++ b/docs/en/changelog.mdx
@@ -4,63 +4,6 @@ description: "Product updates, improvements, and bug fixes for CrewAI"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="Mar 27, 2026">
-  ## v1.13.0rc1
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## What's Changed
-
-  ### Documentation
-  - Update changelog and version for v1.13.0a2
-
-  ## Contributors
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="Mar 27, 2026">
-  ## v1.13.0a2
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## What's Changed
-
-  ### Features
-  - Auto-update deployment test repo during release
-  - Improve enterprise release resilience and UX
-
-  ### Documentation
-  - Update changelog and version for v1.13.0a1
-
-  ## Contributors
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="Mar 27, 2026">
-  ## v1.13.0a1
-
-  [View release on GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## What's Changed
-
-  ### Bug Fixes
-  - Fix broken links in documentation workflow by pinning Node to LTS 22
-  - Bust the uv cache for freshly published packages in enterprise release
-
-  ### Documentation
-  - Add comprehensive RBAC permissions matrix and deployment guide
-  - Update changelog and version for v1.12.2
-
-  ## Contributors
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="Mar 25, 2026">
  ## v1.12.2

--- a/docs/en/enterprise/features/sso.mdx
+++ b/docs/en/enterprise/features/sso.mdx
@@ -1,550 +0,0 @@
---
-title: Single Sign-On (SSO)
-icon: "key"
-description: Configure enterprise SSO authentication for CrewAI Platform — SaaS and Factory
---
-
-## Overview
-
-CrewAI Platform supports enterprise Single Sign-On (SSO) across both **SaaS (AMP)** and **Factory (self-hosted)** deployments. SSO enables your team to authenticate using your organization's existing identity provider, enforcing centralized access control, MFA policies, and user lifecycle management.
-
-### Supported Providers
-
-| Provider | SaaS | Factory | Protocol | CLI Support |
-|---|---|---|---|---|
-| **WorkOS** | ✅ (default) | ✅ | OAuth 2.0 / OIDC | ✅ |
-| **Microsoft Entra ID** (Azure AD) | ✅ (enterprise) | ✅ | OAuth 2.0 / SAML 2.0 | ✅ |
-| **Okta** | ✅ (enterprise) | ✅ | OAuth 2.0 / OIDC | ✅ |
-| **Auth0** | ✅ (enterprise) | ✅ | OAuth 2.0 / OIDC | ✅ |
-| **Keycloak** | — | ✅ | OAuth 2.0 / OIDC | ✅ |
-
-### Key Capabilities
-
- **SAML 2.0 and OAuth 2.0 / OIDC** protocol support
- **Device Authorization Grant** flow for CLI authentication
- **Role-Based Access Control (RBAC)** with custom roles and per-resource permissions
- **MFA enforcement** delegated to your identity provider
- **User provisioning** through IdP assignment (users/groups)
-
---
-
-## SaaS SSO
-
-### Default Authentication
-
-CrewAI's managed SaaS platform (AMP) uses **WorkOS** as the default authentication provider. When you sign up at [app.crewai.com](https://app.crewai.com), authentication is handled through `login.crewai.com` — no additional SSO configuration is required.
-
-### Enterprise Custom SSO
-
-Enterprise SaaS customers can configure SSO with their own identity provider (Entra ID, Okta, Auth0). Contact your CrewAI account team to enable custom SSO for your organization. Once configured:
-
-1. Your team members authenticate through your organization's IdP
-2. Access control and MFA policies are enforced by your IdP
-3. The CrewAI CLI automatically detects your SSO configuration via `crewai enterprise configure`
-
-### CLI Defaults (SaaS)
-
-| Setting | Default Value |
-|---|---|
-| `enterprise_base_url` | `https://app.crewai.com` |
-| `oauth2_provider` | `workos` |
-| `oauth2_domain` | `login.crewai.com` |
-
---
-
-## Factory SSO Setup
-
-Factory (self-hosted) deployments require you to configure SSO by setting environment variables in your Helm `values.yaml` and registering an application in your identity provider.
-
-### Microsoft Entra ID (Azure AD)
-
-<Steps>
-  <Step title="Register an Application">
-    1. Go to [portal.azure.com](https://portal.azure.com) → **Microsoft Entra ID** → **App registrations** → **New registration**
-    2. Configure:
-       - **Name:** `CrewAI` (or your preferred name)
-       - **Supported account types:** Accounts in this organizational directory only
-       - **Redirect URI:** Select **Web**, enter `https://<your-domain>/auth/entra_id/callback`
-    3. Click **Register**
-  </Step>
-
-  <Step title="Collect Credentials">
-    From the app overview page, copy:
-    - **Application (client) ID** → `ENTRA_ID_CLIENT_ID`
-    - **Directory (tenant) ID** → `ENTRA_ID_TENANT_ID`
-  </Step>
-
-  <Step title="Create Client Secret">
-    1. Navigate to **Certificates & Secrets** → **New client secret**
-    2. Add a description and select expiration period
-    3. Copy the secret value immediately (it won't be shown again) → `ENTRA_ID_CLIENT_SECRET`
-  </Step>
-
-  <Step title="Grant Admin Consent">
-    1. Go to **Enterprise applications** → select your app
-    2. Under **Security** → **Permissions**, click **Grant admin consent**
-    3. Ensure **Microsoft Graph → User.Read** is granted
-  </Step>
-
-  <Step title="Configure App Roles (Recommended)">
-    Under **App registrations** → your app → **App roles**, create:
-
-    | Display Name | Value | Allowed Member Types |
-    |---|---|---|
-    | Member | `member` | Users/Groups |
-    | Factory Admin | `factory-admin` | Users/Groups |
-
-    <Note>
-      The `member` role grants login access. The `factory-admin` role grants admin panel access. Roles are included in the JWT automatically.
-    </Note>
-  </Step>
-
-  <Step title="Assign Users">
-    1. Under **Properties**, set **Assignment required?** to **Yes**
-    2. Under **Users and groups**, assign users/groups with the appropriate role
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "entra_id"
-
-    secrets:
-      ENTRA_ID_CLIENT_ID: "<Application (client) ID>"
-      ENTRA_ID_CLIENT_SECRET: "<Client Secret>"
-      ENTRA_ID_TENANT_ID: "<Directory (tenant) ID>"
-    ```
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    To allow `crewai login` via Device Authorization Grant:
-
-    1. Under **Authentication** → **Advanced settings**, enable **Allow public client flows**
-    2. Under **Expose an API**, add an Application ID URI (e.g., `api://crewai-cli`)
-    3. Add a scope (e.g., `read`) with **Admins and users** consent
-    4. Under **Manifest**, set `accessTokenAcceptedVersion` to `2`
-    5. Add environment variables:
-
-    ```yaml
-    secrets:
-      ENTRA_ID_DEVICE_AUTHORIZATION_CLIENT_ID: "<Application (client) ID>"
-      ENTRA_ID_CUSTOM_OPENID_SCOPE: "<scope URI, e.g. api://crewai-cli/read>"
-    ```
-  </Step>
-</Steps>
-
---
-
-### Okta
-
-<Steps>
-  <Step title="Create App Integration">
-    1. Open Okta Admin Console → **Applications** → **Create App Integration**
-    2. Select **OIDC - OpenID Connect** → **Web Application** → **Next**
-    3. Configure:
-       - **App integration name:** `CrewAI SSO`
-       - **Sign-in redirect URI:** `https://<your-domain>/auth/okta/callback`
-       - **Sign-out redirect URI:** `https://<your-domain>`
-       - **Assignments:** Choose who can access (everyone or specific groups)
-    4. Click **Save**
-  </Step>
-
-  <Step title="Collect Credentials">
-    From the app details page:
-    - **Client ID** → `OKTA_CLIENT_ID`
-    - **Client Secret** → `OKTA_CLIENT_SECRET`
-    - **Okta URL** (top-right corner, under your username) → `OKTA_SITE`
-  </Step>
-
-  <Step title="Configure Authorization Server">
-    1. Navigate to **Security** → **API**
-    2. Select your authorization server (default: `default`)
-    3. Under **Access Policies**, add a policy and rule:
-       - In the rule, under **Scopes requested**, select **The following scopes** → **OIDC default scopes**
-    4. Note the **Name** and **Audience** of the authorization server
-
-    <Warning>
-      The authorization server name and audience must match `OKTA_AUTHORIZATION_SERVER` and `OKTA_AUDIENCE` exactly. Mismatches cause `401 Unauthorized` or `Invalid token: Signature verification failed` errors.
-    </Warning>
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "okta"
-
-    secrets:
-      OKTA_CLIENT_ID: "<Okta app client ID>"
-      OKTA_CLIENT_SECRET: "<Okta client secret>"
-      OKTA_SITE: "https://your-domain.okta.com"
-      OKTA_AUTHORIZATION_SERVER: "default"
-      OKTA_AUDIENCE: "api://default"
-    ```
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    1. Create a **new** app integration: **OIDC** → **Native Application**
-    2. Enable **Device Authorization** and **Refresh Token** grant types
-    3. Allow everyone in your organization to access
-    4. Add environment variable:
-
-    ```yaml
-    secrets:
-      OKTA_DEVICE_AUTHORIZATION_CLIENT_ID: "<Native app client ID>"
-    ```
-
-    <Note>
-      Device Authorization requires a **Native Application** — it cannot use the Web Application created for browser-based SSO.
-    </Note>
-  </Step>
-</Steps>
-
---
-
-### Keycloak
-
-<Steps>
-  <Step title="Create a Client">
-    1. Open Keycloak Admin Console → navigate to your realm
-    2. **Clients** → **Create client**:
-       - **Client type:** OpenID Connect
-       - **Client ID:** `crewai-factory` (suggested)
-    3. Capability config:
-       - **Client authentication:** On
-       - **Standard flow:** Checked
-    4. Login settings:
-       - **Root URL:** `https://<your-domain>`
-       - **Valid redirect URIs:** `https://<your-domain>/auth/keycloak/callback`
-       - **Valid post logout redirect URIs:** `https://<your-domain>`
-    5. Click **Save**
-  </Step>
-
-  <Step title="Collect Credentials">
-    - **Client ID** → `KEYCLOAK_CLIENT_ID`
-    - Under **Credentials** tab: **Client secret** → `KEYCLOAK_CLIENT_SECRET`
-    - **Realm name** → `KEYCLOAK_REALM`
-    - **Keycloak server URL** → `KEYCLOAK_SITE`
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "keycloak"
-
-    secrets:
-      KEYCLOAK_CLIENT_ID: "<client ID>"
-      KEYCLOAK_CLIENT_SECRET: "<client secret>"
-      KEYCLOAK_SITE: "https://keycloak.yourdomain.com"
-      KEYCLOAK_REALM: "<realm name>"
-      KEYCLOAK_AUDIENCE: "account"
-      # Only set if using a custom base path (pre-v17 migrations):
-      # KEYCLOAK_BASE_URL: "/auth"
-    ```
-
-    <Note>
-      Keycloak includes `account` as the default audience in access tokens. For most installations, `KEYCLOAK_AUDIENCE=account` works without additional configuration. See [Keycloak audience documentation](https://www.keycloak.org/docs/latest/authorization_services/index.html) if you need a custom audience.
-    </Note>
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    1. Create a **second** client:
-       - **Client type:** OpenID Connect
-       - **Client ID:** `crewai-factory-cli` (suggested)
-       - **Client authentication:** Off (Device Authorization requires a public client)
-       - **Authentication flow:** Check **only** OAuth 2.0 Device Authorization Grant
-    2. Add environment variable:
-
-    ```yaml
-    secrets:
-      KEYCLOAK_DEVICE_AUTHORIZATION_CLIENT_ID: "<CLI client ID>"
-    ```
-  </Step>
-</Steps>
-
---
-
-### WorkOS
-
-<Steps>
-  <Step title="Configure in WorkOS Dashboard">
-    1. Create an application in the [WorkOS Dashboard](https://dashboard.workos.com)
-    2. Configure the redirect URI: `https://<your-domain>/auth/workos/callback`
-    3. Note the **Client ID** and **AuthKit domain**
-    4. Set up organizations in the WorkOS dashboard
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "workos"
-
-    secrets:
-      WORKOS_CLIENT_ID: "<WorkOS client ID>"
-      WORKOS_AUTHKIT_DOMAIN: "<your-authkit-domain.authkit.com>"
-    ```
-  </Step>
-</Steps>
-
---
-
-### Auth0
-
-<Steps>
-  <Step title="Create Application">
-    1. In the [Auth0 Dashboard](https://manage.auth0.com), create a new **Regular Web Application**
-    2. Configure:
-       - **Allowed Callback URLs:** `https://<your-domain>/auth/auth0/callback`
-       - **Allowed Logout URLs:** `https://<your-domain>`
-    3. Note the **Domain**, **Client ID**, and **Client Secret**
-  </Step>
-
-  <Step title="Set Environment Variables">
-    ```yaml
-    envVars:
-      AUTH_PROVIDER: "auth0"
-
-    secrets:
-      AUTH0_CLIENT_ID: "<Auth0 client ID>"
-      AUTH0_CLIENT_SECRET: "<Auth0 client secret>"
-      AUTH0_DOMAIN: "<your-tenant.auth0.com>"
-    ```
-  </Step>
-
-  <Step title="Enable CLI Support (Optional)">
-    1. Create a **Native** application in Auth0 for Device Authorization
-    2. Enable the **Device Authorization** grant type under application settings
-    3. Configure the CLI with the appropriate audience and client ID
-  </Step>
-</Steps>
-
---
-
-## CLI Authentication
-
-The CrewAI CLI supports SSO authentication via the **Device Authorization Grant** flow. This allows developers to authenticate from their terminal without exposing credentials.
-
-### Quick Setup
-
-For Factory installations, the CLI can auto-configure all OAuth2 settings:
-
-```bash
-crewai enterprise configure https://your-factory-url.app
-```
-
-This command fetches the SSO configuration from your Factory instance and sets all required CLI parameters automatically.
-
-Then authenticate:
-
-```bash
-crewai login
-```
-
-<Note>
-  Requires CrewAI CLI version **1.6.0** or higher for Entra ID, **0.159.0** or higher for Okta, and **1.9.0** or higher for Keycloak.
-</Note>
-
-### Manual CLI Configuration
-
-If you need to configure the CLI manually, use `crewai config set`:
-
-```bash
-# Set the provider
-crewai config set oauth2_provider okta
-
-# Set provider-specific values
-crewai config set oauth2_domain your-domain.okta.com
-crewai config set oauth2_client_id your-client-id
-crewai config set oauth2_audience api://default
-
-# Set the enterprise base URL
-crewai config set enterprise_base_url https://your-factory-url.app
-```
-
-### CLI Configuration Reference
-
-| Setting | Description | Example |
-|---|---|---|
-| `enterprise_base_url` | Your CrewAI instance URL | `https://crewai.yourcompany.com` |
-| `oauth2_provider` | Provider name | `workos`, `okta`, `auth0`, `entra_id`, `keycloak` |
-| `oauth2_domain` | Provider domain | `your-domain.okta.com` |
-| `oauth2_client_id` | OAuth2 client ID | `0oaqnwji7pGW7VT6T697` |
-| `oauth2_audience` | API audience identifier | `api://default` |
-
-View current configuration:
-
-```bash
-crewai config list
-```
-
-### How Device Authorization Works
-
-1. Run `crewai login` — the CLI requests a device code from your IdP
-2. A verification URL and code are displayed in your terminal
-3. Your browser opens to the verification URL
-4. Enter the code and authenticate with your IdP credentials
-5. The CLI receives an access token and stores it locally
-
---
-
-## Role-Based Access Control (RBAC)
-
-CrewAI Platform provides granular RBAC that integrates with your SSO provider.
-
-### Permission Model
-
-| Permission | Description |
-|---|---|
-| **Read** | View resources (dashboards, automations, logs) |
-| **Write** | Create and modify resources |
-| **Manage** | Full control including deletion and configuration |
-
-### Resources
-
-Permissions can be scoped to individual resources:
-
- **Usage Dashboard** — Platform usage metrics and analytics
- **Automations Dashboard** — Crew and flow management
- **Environment Variables** — Secret and configuration management
- **Individual Automations** — Per-automation access control
-
-### Roles
-
- **Predefined roles** come out of the box with standard permission sets
- **Custom roles** can be created with any combination of permissions
- **Per-resource assignment** — limit specific automations to individual users or roles
-
-### Factory Admin Access
-
-For Factory deployments using Entra ID, admin access is controlled via App Roles:
-
- Assign the `factory-admin` role to users who need admin panel access
- Assign the `member` role for standard platform access
- Roles are communicated via JWT claims — no additional configuration needed after IdP setup
-
---
-
-## Troubleshooting
-
-### Invalid Redirect URI
-
-**Symptom:** Authentication fails with a redirect URI mismatch error.
-
-**Fix:** Ensure the redirect URI in your IdP exactly matches the expected callback URL:
-
-| Provider | Callback URL |
-|---|---|
-| Entra ID | `https://<domain>/auth/entra_id/callback` |
-| Okta | `https://<domain>/auth/okta/callback` |
-| Keycloak | `https://<domain>/auth/keycloak/callback` |
-| WorkOS | `https://<domain>/auth/workos/callback` |
-| Auth0 | `https://<domain>/auth/auth0/callback` |
-
-### CLI Login Fails (Device Authorization)
-
-**Symptom:** `crewai login` returns an error or times out.
-
-**Fix:**
- Verify that Device Authorization Grant is enabled in your IdP
- For Okta: ensure you have a **Native Application** (not Web) with Device Authorization grant
- For Entra ID: ensure **Allow public client flows** is enabled
- For Keycloak: ensure the CLI client has **Client authentication: Off** and only Device Authorization Grant enabled
- Check that `*_DEVICE_AUTHORIZATION_CLIENT_ID` environment variable is set on the server
-
-### Token Validation Errors
-
-**Symptom:** `Invalid token: Signature verification failed` or `401 Unauthorized` after login.
-
-**Fix:**
- **Okta:** Verify `OKTA_AUTHORIZATION_SERVER` and `OKTA_AUDIENCE` match the authorization server's Name and Audience exactly
- **Entra ID:** Ensure `accessTokenAcceptedVersion` is set to `2` in the app manifest
- **Keycloak:** Verify `KEYCLOAK_AUDIENCE` matches the audience in your access tokens (default: `account`)
-
-### Admin Consent Not Granted (Entra ID)
-
-**Symptom:** Users can't log in, see "needs admin approval" message.
-
-**Fix:** Go to **Enterprise applications** → your app → **Permissions** → **Grant admin consent**. Ensure `User.Read` is granted for Microsoft Graph.
-
-### 403 Forbidden After Login
-
-**Symptom:** User authenticates successfully but gets 403 errors.
-
-**Fix:**
- Check that the user is assigned to the application in your IdP
- For Entra ID with **Assignment required = Yes**: ensure the user has a role assignment (Member or Factory Admin)
- For Okta: verify the user or their group is assigned under the app's **Assignments** tab
-
-### CLI Can't Reach Factory Instance
-
-**Symptom:** `crewai enterprise configure` fails to connect.
-
-**Fix:**
- Verify the Factory URL is reachable from your machine
- Check that `enterprise_base_url` is set correctly: `crewai config list`
- Ensure TLS certificates are valid and trusted
-
---
-
-## Environment Variables Reference
-
-### Common
-
-| Variable | Description |
-|---|---|
-| `AUTH_PROVIDER` | Authentication provider: `entra_id`, `okta`, `workos`, `auth0`, `keycloak`, `local` |
-
-### Microsoft Entra ID
-
-| Variable | Required | Description |
-|---|---|---|
-| `ENTRA_ID_CLIENT_ID` | ✅ | Application (client) ID from Azure |
-| `ENTRA_ID_CLIENT_SECRET` | ✅ | Client secret from Azure |
-| `ENTRA_ID_TENANT_ID` | ✅ | Directory (tenant) ID from Azure |
-| `ENTRA_ID_DEVICE_AUTHORIZATION_CLIENT_ID` | CLI only | Client ID for Device Authorization Grant |
-| `ENTRA_ID_CUSTOM_OPENID_SCOPE` | CLI only | Custom scope from "Expose an API" (e.g., `api://crewai-cli/read`) |
-
-### Okta
-
-| Variable | Required | Description |
-|---|---|---|
-| `OKTA_CLIENT_ID` | ✅ | Okta application client ID |
-| `OKTA_CLIENT_SECRET` | ✅ | Okta client secret |
-| `OKTA_SITE` | ✅ | Okta organization URL (e.g., `https://your-domain.okta.com`) |
-| `OKTA_AUTHORIZATION_SERVER` | ✅ | Authorization server name (e.g., `default`) |
-| `OKTA_AUDIENCE` | ✅ | Authorization server audience (e.g., `api://default`) |
-| `OKTA_DEVICE_AUTHORIZATION_CLIENT_ID` | CLI only | Native app client ID for Device Authorization |
-
-### WorkOS
-
-| Variable | Required | Description |
-|---|---|---|
-| `WORKOS_CLIENT_ID` | ✅ | WorkOS application client ID |
-| `WORKOS_AUTHKIT_DOMAIN` | ✅ | AuthKit domain (e.g., `your-domain.authkit.com`) |
-
-### Auth0
-
-| Variable | Required | Description |
-|---|---|---|
-| `AUTH0_CLIENT_ID` | ✅ | Auth0 application client ID |
-| `AUTH0_CLIENT_SECRET` | ✅ | Auth0 client secret |
-| `AUTH0_DOMAIN` | ✅ | Auth0 tenant domain (e.g., `your-tenant.auth0.com`) |
-
-### Keycloak
-
-| Variable | Required | Description |
-|---|---|---|
-| `KEYCLOAK_CLIENT_ID` | ✅ | Keycloak client ID |
-| `KEYCLOAK_CLIENT_SECRET` | ✅ | Keycloak client secret |
-| `KEYCLOAK_SITE` | ✅ | Keycloak server URL |
-| `KEYCLOAK_REALM` | ✅ | Keycloak realm name |
-| `KEYCLOAK_AUDIENCE` | ✅ | Token audience (default: `account`) |
-| `KEYCLOAK_BASE_URL` | Optional | Base URL path (e.g., `/auth` for pre-v17 migrations) |
-| `KEYCLOAK_DEVICE_AUTHORIZATION_CLIENT_ID` | CLI only | Public client ID for Device Authorization |
-
---
-
-## Next Steps
-
- [Installation Guide](/installation) — Get started with CrewAI
- [Quickstart](/quickstart) — Build your first crew
- [RBAC Setup](/enterprise/features/rbac) — Detailed role and permission management
--- a/docs/en/mcp/security.mdx
+++ b/docs/en/mcp/security.mdx
@@ -156,7 +156,19 @@ If you are developing an MCP server that CrewAI agents might connect to, conside
 - **Adherence to MCP Authorization Spec**: If implementing authentication and authorization, strictly follow the [MCP Authorization specification](https://modelcontextprotocol.io/specification/draft/basic/authorization) and relevant [OAuth 2.0 security best practices](https://datatracker.ietf.org/doc/html/rfc9700).
 - **Regular Security Audits**: If your MCP server handles sensitive data, performs critical operations, or is publicly exposed, consider periodic security audits by qualified professionals.

-## 5. Further Reading
+## 5. Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in CrewAI, please report it responsibly through our Bugcrowd Vulnerability Disclosure Program (VDP):
+
+**Submit reports to:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Do not** disclose vulnerabilities via public GitHub issues, pull requests, or social media. Reports submitted via channels other than Bugcrowd will not be reviewed.
+</Warning>
+
+For full details, see our [Security Policy](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## 6. Further Reading

 For more detailed information on MCP security, refer to the official documentation:
 - **[MCP Transport Security](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/en/security.mdx
+++ b/docs/en/security.mdx
@@ -0,0 +1,22 @@
+---
+title: Security Policy
+description: Learn how to report security vulnerabilities and about CrewAI's security practices.
+icon: shield
+mode: "wide"
+---
+
+## Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in CrewAI, please report it responsibly through our Bugcrowd Vulnerability Disclosure Program (VDP):
+
+**Submit reports to:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Do not** disclose vulnerabilities via public GitHub issues, pull requests, or social media. Reports submitted via channels other than Bugcrowd will not be reviewed.
+</Warning>
+
+For full details, see our [Security Policy on GitHub](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## Security Resources
+
+- **[MCP Security Considerations](/mcp/security)** — Best practices for securely integrating MCP servers with your CrewAI agents, including transport security, prompt injection risks, and server implementation advice.
--- a/docs/ko/changelog.mdx
+++ b/docs/ko/changelog.mdx
@@ -4,63 +4,6 @@ description: "CrewAI의 제품 업데이트, 개선 사항 및 버그 수정"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="2026년 3월 27일">
-  ## v1.13.0rc1
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## 변경 사항
-
-  ### 문서
-  - v1.13.0a2의 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="2026년 3월 27일">
-  ## v1.13.0a2
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## 변경 사항
-
-  ### 기능
-  - 릴리스 중 자동 업데이트 배포 테스트 리포지토리
-  - 기업 릴리스의 복원력 및 사용자 경험 개선
-
-  ### 문서
-  - v1.13.0a1에 대한 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="2026년 3월 27일">
-  ## v1.13.0a1
-
-  [GitHub 릴리스 보기](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## 변경 사항
-
-  ### 버그 수정
-  - Node를 LTS 22로 고정하여 문서 작업 흐름의 끊어진 링크 수정
-  - 기업 릴리스에서 새로 게시된 패키지의 uv 캐시 초기화
-
-  ### 문서
-  - 포괄적인 RBAC 권한 매트릭스 및 배포 가이드 추가
-  - v1.12.2에 대한 변경 로그 및 버전 업데이트
-
-  ## 기여자
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="2026년 3월 25일">
  ## v1.12.2

--- a/docs/ko/mcp/security.mdx
+++ b/docs/ko/mcp/security.mdx
@@ -156,7 +156,19 @@ CrewAI 에이전트가 연결할 수 있는 MCP 서버를 개발하고 있다면
 - **MCP 인증 사양 준수**: 인증 및 권한 부여를 구현할 경우, [MCP Authorization specification](https://modelcontextprotocol.io/specification/draft/basic/authorization) 및 관련 [OAuth 2.0 security best practices](https://datatracker.ietf.org/doc/html/rfc9700)를 엄격히 준수하세요.
 - **정기적인 보안 감사**: MCP 서버가 민감한 데이터를 처리하거나, 중요한 작업을 수행하거나, 대외적으로 노출된 경우 자격을 갖춘 전문가의 정기적인 보안 감사를 고려하세요.

-## 5. 추가 참고 자료
+## 5. 보안 취약점 보고
+
+CrewAI에서 보안 취약점을 발견하셨다면, Bugcrowd 취약점 공개 프로그램(VDP)을 통해 책임감 있게 보고해 주세요:
+
+**보고서 제출:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+공개 GitHub 이슈, 풀 리퀘스트 또는 소셜 미디어를 통해 취약점을 공개하지 **마세요**. Bugcrowd 이외의 채널로 제출된 보고서는 검토되지 않습니다.
+</Warning>
+
+자세한 내용은 [보안 정책](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md)을 참조하세요.
+
+## 6. 추가 참고 자료

 MCP 보안에 대한 자세한 내용은 공식 문서를 참고하세요:
 - **[MCP 전송 보안](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/ko/security.mdx
+++ b/docs/ko/security.mdx
@@ -0,0 +1,22 @@
+---
+title: 보안 정책
+description: CrewAI의 보안 취약점 보고 방법과 보안 관행에 대해 알아보세요.
+icon: shield
+mode: "wide"
+---
+
+## 보안 취약점 보고
+
+CrewAI에서 보안 취약점을 발견하셨다면, Bugcrowd 취약점 공개 프로그램(VDP)을 통해 책임감 있게 보고해 주세요:
+
+**보고서 제출:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+공개 GitHub 이슈, 풀 리퀘스트 또는 소셜 미디어를 통해 취약점을 공개하지 **마세요**. Bugcrowd 이외의 채널로 제출된 보고서는 검토되지 않습니다.
+</Warning>
+
+자세한 내용은 [GitHub 보안 정책](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md)을 참조하세요.
+
+## 보안 리소스
+
+- **[MCP 보안 고려사항](/mcp/security)** — MCP 서버를 CrewAI 에이전트와 안전하게 통합하기 위한 모범 사례로, 전송 보안, 프롬프트 인젝션 위험 및 서버 구현 권장 사항을 포함합니다.
--- a/docs/pt-BR/changelog.mdx
+++ b/docs/pt-BR/changelog.mdx
@@ -4,63 +4,6 @@ description: "Atualizações de produto, melhorias e correções do CrewAI"
 icon: "clock"
 mode: "wide"
 ---
-<Update label="27 mar 2026">
-  ## v1.13.0rc1
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0rc1)
-
-  ## O que Mudou
-
-  ### Documentação
-  - Atualizar changelog e versão para v1.13.0a2
-
-  ## Contribuidores
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 mar 2026">
-  ## v1.13.0a2
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a2)
-
-  ## O que Mudou
-
-  ### Recursos
-  - Repositório de teste de implantação de autoatualização durante o lançamento
-  - Melhorar a resiliência e a experiência do usuário na versão empresarial
-
-  ### Documentação
-  - Atualizar changelog e versão para v1.13.0a1
-
-  ## Contribuidores
-
-  @greysonlalonde
-
-</Update>
-
-<Update label="27 mar 2026">
-  ## v1.13.0a1
-
-  [Ver release no GitHub](https://github.com/crewAIInc/crewAI/releases/tag/1.13.0a1)
-
-  ## O que Mudou
-
-  ### Correções de Bugs
-  - Corrigir links quebrados no fluxo de documentação fixando o Node na LTS 22
-  - Limpar o cache uv para pacotes recém-publicados na versão empresarial
-
-  ### Documentação
-  - Adicionar uma matriz abrangente de permissões RBAC e guia de implantação
-  - Atualizar o changelog e a versão para v1.12.2
-
-  ## Contributors
-
-  @greysonlalonde, @iris-clawd, @joaomdmoura
-
-</Update>
-
 <Update label="25 mar 2026">
  ## v1.12.2

--- a/docs/pt-BR/mcp/security.mdx
+++ b/docs/pt-BR/mcp/security.mdx
@@ -156,7 +156,19 @@ Se você está desenvolvendo um servidor MCP ao qual agentes CrewAI possam se co
 - **Aderência à Especificação de Autorização MCP**: Caso implemente autenticação e autorização, siga estritamente a [especificação de autorização MCP](https://modelcontextprotocol.io/specification/draft/basic/authorization) e as [melhores práticas de segurança OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc9700) relevantes.
 - **Auditorias de Segurança Regulares**: Caso seu servidor MCP manipule dados sensíveis, realize operações críticas ou seja exposto publicamente, considere auditorias de segurança periódicas conduzidas por profissionais qualificados.

-## 5. Leituras Adicionais
+## 5. Reportando Vulnerabilidades de Segurança
+
+Se você descobrir uma vulnerabilidade de segurança no CrewAI, por favor reporte de forma responsável através do nosso Programa de Divulgação de Vulnerabilidades (VDP) no Bugcrowd:
+
+**Envie relatórios para:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Não** divulgue vulnerabilidades por meio de issues públicas no GitHub, pull requests ou redes sociais. Relatórios enviados por outros canais que não o Bugcrowd não serão analisados.
+</Warning>
+
+Para mais detalhes, consulte nossa [Política de Segurança](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## 6. Leituras Adicionais

 Para informações mais detalhadas sobre segurança MCP, consulte a documentação oficial:
 - **[Segurança de Transporte MCP](https://modelcontextprotocol.io/docs/concepts/transports#security-considerations)**
--- a/docs/pt-BR/security.mdx
+++ b/docs/pt-BR/security.mdx
@@ -0,0 +1,22 @@
+---
+title: Política de Segurança
+description: Saiba como reportar vulnerabilidades de segurança e sobre as práticas de segurança do CrewAI.
+icon: shield
+mode: "wide"
+---
+
+## Reportando Vulnerabilidades de Segurança
+
+Se você descobrir uma vulnerabilidade de segurança no CrewAI, por favor reporte de forma responsável através do nosso Programa de Divulgação de Vulnerabilidades (VDP) no Bugcrowd:
+
+**Envie relatórios para:** [crewai-vdp-ess@submit.bugcrowd.com](mailto:crewai-vdp-ess@submit.bugcrowd.com)
+
+<Warning>
+**Não** divulgue vulnerabilidades por meio de issues públicas no GitHub, pull requests ou redes sociais. Relatórios enviados por outros canais que não o Bugcrowd não serão analisados.
+</Warning>
+
+Para mais detalhes, consulte nossa [Política de Segurança no GitHub](https://github.com/crewAIInc/crewAI/blob/main/.github/security.md).
+
+## Recursos de Segurança
+
+- **[Considerações de Segurança MCP](/mcp/security)** — Melhores práticas para integrar servidores MCP com segurança aos seus agentes CrewAI, incluindo segurança de transporte, riscos de injeção de prompt e conselhos de implementação de servidor.
--- a/lib/crewai-files/src/crewai_files/init.py
+++ b/lib/crewai-files/src/crewai_files/init.py
@@ -152,4 +152,4 @@ __all__ = [
    "wrap_file_source",
 ]

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
--- a/lib/crewai-tools/pyproject.toml
+++ b/lib/crewai-tools/pyproject.toml
@@ -11,7 +11,7 @@ dependencies = [
    "pytube~=15.0.0",
    "requests~=2.32.5",
    "docker~=7.1.0",
-    "crewai==1.13.0rc1",
+    "crewai==1.12.2",
    "tiktoken~=0.8.0",
    "beautifulsoup4~=4.13.4",
    "python-docx~=1.2.0",
--- a/lib/crewai-tools/src/crewai_tools/init.py
+++ b/lib/crewai-tools/src/crewai_tools/init.py
@@ -309,4 +309,4 @@ __all__ = [
    "ZapierActionTools",
 ]

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
--- a/lib/crewai/pyproject.toml
+++ b/lib/crewai/pyproject.toml
@@ -54,7 +54,7 @@ Repository = "https://github.com/crewAIInc/crewAI"

 [project.optional-dependencies]
 tools = [
-    "crewai-tools==1.13.0rc1",
+    "crewai-tools==1.12.2",
 ]
 embeddings = [
    "tiktoken~=0.8.0"
--- a/lib/crewai/src/crewai/init.py
+++ b/lib/crewai/src/crewai/init.py
@@ -42,7 +42,7 @@ def _suppress_pydantic_deprecation_warnings() -> None:

 _suppress_pydantic_deprecation_warnings()

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
 _telemetry_submitted = False


--- a/lib/crewai/src/crewai/cli/plus_api.py
+++ b/lib/crewai/src/crewai/cli/plus_api.py
@@ -73,7 +73,6 @@ class PlusAPI:
        description: str | None,
        encoded_file: str,
        available_exports: list[dict[str, Any]] | None = None,
-        tools_metadata: list[dict[str, Any]] | None = None,
    ) -> httpx.Response:
        params = {
            "handle": handle,
@@ -82,9 +81,6 @@ class PlusAPI:
            "file": encoded_file,
            "description": description,
            "available_exports": available_exports,
-            "tools_metadata": {"package": handle, "tools": tools_metadata}
-            if tools_metadata is not None
-            else None,
        }
        return self._make_request("POST", f"{self.TOOLS_RESOURCE}", json=params)

--- a/lib/crewai/src/crewai/cli/templates/crew/pyproject.toml
+++ b/lib/crewai/src/crewai/cli/templates/crew/pyproject.toml
@@ -5,7 +5,7 @@ description = "{{name}} using crewAI"
 authors = [{ name = "Your Name", email = "you@example.com" }]
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]

 [project.scripts]
--- a/lib/crewai/src/crewai/cli/templates/flow/pyproject.toml
+++ b/lib/crewai/src/crewai/cli/templates/flow/pyproject.toml
@@ -5,7 +5,7 @@ description = "{{name}} using crewAI"
 authors = [{ name = "Your Name", email = "you@example.com" }]
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]

 [project.scripts]
--- a/lib/crewai/src/crewai/cli/templates/tool/pyproject.toml
+++ b/lib/crewai/src/crewai/cli/templates/tool/pyproject.toml
@@ -5,7 +5,7 @@ description = "Power up your crews with {{folder_name}}"
 readme = "README.md"
 requires-python = ">=3.10,<3.14"
 dependencies = [
-    "crewai[tools]==1.13.0rc1"
+    "crewai[tools]==1.12.2"
 ]

 [tool.crewai]
--- a/lib/crewai/src/crewai/cli/tools/main.py
+++ b/lib/crewai/src/crewai/cli/tools/main.py
@@ -17,7 +17,6 @@ from crewai.cli.constants import DEFAULT_CREWAI_ENTERPRISE_URL
 from crewai.cli.utils import (
    build_env_with_tool_repository_credentials,
    extract_available_exports,
-    extract_tools_metadata,
    get_project_description,
    get_project_name,
    get_project_version,
@@ -102,18 +101,6 @@ class ToolCommand(BaseCommand, PlusAPIMixin):
            console.print(
                f"[green]Found these tools to publish: {', '.join([e['name'] for e in available_exports])}[/green]"
            )
-
-        console.print("[bold blue]Extracting tool metadata...[/bold blue]")
-        try:
-            tools_metadata = extract_tools_metadata()
-        except Exception as e:
-            console.print(
-                f"[yellow]Warning: Could not extract tool metadata: {e}[/yellow]\n"
-                f"Publishing will continue without detailed metadata."
-            )
-            tools_metadata = []
-
-        self._print_tools_preview(tools_metadata)
        self._print_current_organization()

        with tempfile.TemporaryDirectory() as temp_build_dir:
@@ -131,7 +118,7 @@ class ToolCommand(BaseCommand, PlusAPIMixin):
                    "Project build failed. Please ensure that the command `uv build --sdist` completes successfully.",
                    style="bold red",
                )
-                raise SystemExit(1)
+                raise SystemExit

            tarball_path = os.path.join(temp_build_dir, tarball_filename)
            with open(tarball_path, "rb") as file:
@@ -147,7 +134,6 @@ class ToolCommand(BaseCommand, PlusAPIMixin):
            description=project_description,
            encoded_file=f"data:application/x-gzip;base64,{encoded_tarball}",
            available_exports=available_exports,
-            tools_metadata=tools_metadata,
        )

        self._validate_response(publish_response)
@@ -260,55 +246,6 @@ class ToolCommand(BaseCommand, PlusAPIMixin):
            )
            raise SystemExit

-    def _print_tools_preview(self, tools_metadata: list[dict[str, Any]]) -> None:
-        if not tools_metadata:
-            console.print("[yellow]No tool metadata extracted.[/yellow]")
-            return
-
-        console.print(
-            f"\n[bold]Tools to be published ({len(tools_metadata)}):[/bold]\n"
-        )
-
-        for tool in tools_metadata:
-            console.print(f"  [bold cyan]{tool.get('name', 'Unknown')}[/bold cyan]")
-            if tool.get("module"):
-                console.print(f"    Module: {tool.get('module')}")
-            console.print(f"    Name: {tool.get('humanized_name', 'N/A')}")
-            console.print(
-                f"    Description: {tool.get('description', 'N/A')[:80]}{'...' if len(tool.get('description', '')) > 80 else ''}"
-            )
-
-            init_params = tool.get("init_params_schema", {}).get("properties", {})
-            if init_params:
-                required = tool.get("init_params_schema", {}).get("required", [])
-                console.print("    Init parameters:")
-                for param_name, param_info in init_params.items():
-                    param_type = param_info.get("type", "any")
-                    is_required = param_name in required
-                    req_marker = "[red]*[/red]" if is_required else ""
-                    default = (
-                        f" = {param_info['default']}" if "default" in param_info else ""
-                    )
-                    console.print(
-                        f"      - {param_name}: {param_type}{default} {req_marker}"
-                    )
-
-            env_vars = tool.get("env_vars", [])
-            if env_vars:
-                console.print("    Environment variables:")
-                for env_var in env_vars:
-                    req_marker = "[red]*[/red]" if env_var.get("required") else ""
-                    default = (
-                        f" (default: {env_var['default']})"
-                        if env_var.get("default")
-                        else ""
-                    )
-                    console.print(
-                        f"      - {env_var['name']}: {env_var.get('description', 'N/A')}{default} {req_marker}"
-                    )
-
-            console.print()
-
    def _print_current_organization(self) -> None:
        settings = Settings()
        if settings.org_uuid:
--- a/lib/crewai/src/crewai/cli/utils.py
+++ b/lib/crewai/src/crewai/cli/utils.py
@@ -1,15 +1,10 @@
-from collections.abc import Generator, Mapping
-from contextlib import contextmanager
-from functools import lru_cache, reduce
-import hashlib
+from functools import reduce
 import importlib.util
-import inspect
 from inspect import getmro, isclass, isfunction, ismethod
 import os
 from pathlib import Path
 import shutil
 import sys
-import types
 from typing import Any, cast, get_type_hints

 import click
@@ -549,62 +544,43 @@ def build_env_with_tool_repository_credentials(
    return env


-@contextmanager
-def _load_module_from_file(
-    init_file: Path, module_name: str | None = None
-) -> Generator[types.ModuleType | None, None, None]:
-    """
-    Context manager for loading a module from file with automatic cleanup.
-
-    Yields the loaded module or None if loading fails.
-    """
-    if module_name is None:
-        module_name = (
-            f"temp_module_{hashlib.sha256(str(init_file).encode()).hexdigest()[:8]}"
-        )
-
-    spec = importlib.util.spec_from_file_location(module_name, init_file)
-    if not spec or not spec.loader:
-        yield None
-        return
-
-    module = importlib.util.module_from_spec(spec)
-    sys.modules[module_name] = module
-
-    try:
-        spec.loader.exec_module(module)
-        yield module
-    finally:
-        sys.modules.pop(module_name, None)
-
-
 def _load_tools_from_init(init_file: Path) -> list[dict[str, Any]]:
    """
    Load and validate tools from a given __init__.py file.
    """
+    spec = importlib.util.spec_from_file_location("temp_module", init_file)
+
+    if not spec or not spec.loader:
+        return []
+
+    module = importlib.util.module_from_spec(spec)
+    sys.modules["temp_module"] = module
+
    try:
-        with _load_module_from_file(init_file) as module:
-            if module is None:
-                return []
+        spec.loader.exec_module(module)

-            if not hasattr(module, "__all__"):
-                console.print(
-                    f"Warning: No __all__ defined in {init_file}",
-                    style="bold yellow",
-                )
-                raise SystemExit(1)
+        if not hasattr(module, "__all__"):
+            console.print(
+                f"Warning: No __all__ defined in {init_file}",
+                style="bold yellow",
+            )
+            raise SystemExit(1)
+
+        return [
+            {
+                "name": name,
+            }
+            for name in module.__all__
+            if hasattr(module, name) and is_valid_tool(getattr(module, name))
+        ]

-            return [
-                {"name": name}
-                for name in module.__all__
-                if hasattr(module, name) and is_valid_tool(getattr(module, name))
-            ]
-    except SystemExit:
-        raise
    except Exception as e:
        console.print(f"[red]Warning: Could not load {init_file}: {e!s}[/red]")
        raise SystemExit(1) from e

+    finally:
+        sys.modules.pop("temp_module", None)
+

 def _print_no_tools_warning() -> None:
    """
@@ -634,242 +610,3 @@ def _print_no_tools_warning() -> None:
        "    # ... implementation\n"
        "    return result\n"
    )
-
-
-def extract_tools_metadata(dir_path: str = "src") -> list[dict[str, Any]]:
-    """
-    Extract rich metadata from tool classes in the project.
-
-    Returns a list of tool metadata dictionaries containing:
-    - name: Class name
-    - humanized_name: From name field default
-    - description: From description field default
-    - run_params_schema: JSON Schema for _run() params (from args_schema)
-    - init_params_schema: JSON Schema for __init__ params (filtered)
-    - env_vars: List of environment variable dicts
-    """
-    tools_metadata: list[dict[str, Any]] = []
-
-    for init_file in Path(dir_path).glob("**/__init__.py"):
-        tools = _extract_tool_metadata_from_init(init_file)
-        tools_metadata.extend(tools)
-
-    return tools_metadata
-
-
-def _extract_tool_metadata_from_init(init_file: Path) -> list[dict[str, Any]]:
-    """
-    Load module from init file and extract metadata from valid tool classes.
-    """
-    from crewai.tools.base_tool import BaseTool
-
-    try:
-        with _load_module_from_file(init_file) as module:
-            if module is None:
-                return []
-
-            exported_names = getattr(module, "__all__", None)
-            if not exported_names:
-                return []
-
-            tools_metadata = []
-            for name in exported_names:
-                obj = getattr(module, name, None)
-                if obj is None or not (
-                    inspect.isclass(obj) and issubclass(obj, BaseTool)
-                ):
-                    continue
-                if tool_info := _extract_single_tool_metadata(obj):
-                    tools_metadata.append(tool_info)
-
-            return tools_metadata
-    except Exception as e:
-        console.print(
-            f"[yellow]Warning: Could not extract metadata from {init_file}: {e}[/yellow]"
-        )
-        return []
-
-
-def _extract_single_tool_metadata(tool_class: type) -> dict[str, Any] | None:
-    """
-    Extract metadata from a single tool class.
-    """
-    try:
-        core_schema = cast(Any, tool_class).__pydantic_core_schema__
-        if not core_schema:
-            return None
-
-        schema = _unwrap_schema(core_schema)
-        fields = schema.get("schema", {}).get("fields", {})
-
-        try:
-            file_path = inspect.getfile(tool_class)
-            relative_path = Path(file_path).relative_to(Path.cwd())
-            module_path = relative_path.with_suffix("")
-            if module_path.parts[0] == "src":
-                module_path = Path(*module_path.parts[1:])
-            if module_path.name == "__init__":
-                module_path = module_path.parent
-            module = ".".join(module_path.parts)
-        except (TypeError, ValueError):
-            module = tool_class.__module__
-
-        return {
-            "name": tool_class.__name__,
-            "module": module,
-            "humanized_name": _extract_field_default(
-                fields.get("name"), fallback=tool_class.__name__
-            ),
-            "description": str(
-                _extract_field_default(fields.get("description"))
-            ).strip(),
-            "run_params_schema": _extract_run_params_schema(fields.get("args_schema")),
-            "init_params_schema": _extract_init_params_schema(tool_class),
-            "env_vars": _extract_env_vars(fields.get("env_vars")),
-        }
-
-    except Exception:
-        return None
-
-
-def _unwrap_schema(schema: Mapping[str, Any] | dict[str, Any]) -> dict[str, Any]:
-    """
-    Unwrap nested schema structures to get to the actual schema definition.
-    """
-    result: dict[str, Any] = dict(schema)
-    while (
-        result.get("type")
-        in {"function-after", "function-before", "function-wrap", "default"}
-        and "schema" in result
-    ):
-        result = dict(result["schema"])
-    if result.get("type") == "definitions" and "schema" in result:
-        result = dict(result["schema"])
-    return result
-
-
-def _extract_field_default(
-    field: dict[str, Any] | None, fallback: str | list[Any] = ""
-) -> str | list[Any] | int:
-    """
-    Extract the default value from a field schema.
-    """
-    if not field:
-        return fallback
-
-    schema = field.get("schema", {})
-    default = schema.get("default")
-    return default if isinstance(default, (list, str, int)) else fallback
-
-
-@lru_cache(maxsize=1)
-def _get_schema_generator() -> type:
-    """Get a SchemaGenerator that omits non-serializable defaults."""
-    from pydantic.json_schema import GenerateJsonSchema
-    from pydantic_core import PydanticOmit
-
-    class SchemaGenerator(GenerateJsonSchema):
-        def handle_invalid_for_json_schema(
-            self, schema: Any, error_info: Any
-        ) -> dict[str, Any]:
-            raise PydanticOmit
-
-    return SchemaGenerator
-
-
-def _extract_run_params_schema(
-    args_schema_field: dict[str, Any] | None,
-) -> dict[str, Any]:
-    """
-    Extract JSON Schema for the tool's run parameters from args_schema field.
-    """
-    from pydantic import BaseModel
-
-    if not args_schema_field:
-        return {}
-
-    args_schema_class = args_schema_field.get("schema", {}).get("default")
-    if not (
-        inspect.isclass(args_schema_class) and issubclass(args_schema_class, BaseModel)
-    ):
-        return {}
-
-    try:
-        return args_schema_class.model_json_schema(
-            schema_generator=_get_schema_generator()
-        )
-    except Exception:
-        return {}
-
-
-_IGNORED_INIT_PARAMS = frozenset(
-    {
-        "name",
-        "description",
-        "env_vars",
-        "args_schema",
-        "description_updated",
-        "cache_function",
-        "result_as_answer",
-        "max_usage_count",
-        "current_usage_count",
-        "package_dependencies",
-    }
-)
-
-
-def _extract_init_params_schema(tool_class: type) -> dict[str, Any]:
-    """
-    Extract JSON Schema for the tool's __init__ parameters, filtering out base fields.
-    """
-    try:
-        json_schema: dict[str, Any] = cast(Any, tool_class).model_json_schema(
-            schema_generator=_get_schema_generator(), mode="serialization"
-        )
-        filtered_properties = {
-            key: value
-            for key, value in json_schema.get("properties", {}).items()
-            if key not in _IGNORED_INIT_PARAMS
-        }
-        json_schema["properties"] = filtered_properties
-        if "required" in json_schema:
-            json_schema["required"] = [
-                key for key in json_schema["required"] if key in filtered_properties
-            ]
-        return json_schema
-    except Exception:
-        return {}
-
-
-def _extract_env_vars(env_vars_field: dict[str, Any] | None) -> list[dict[str, Any]]:
-    """
-    Extract environment variable definitions from env_vars field.
-    """
-    from crewai.tools.base_tool import EnvVar
-
-    if not env_vars_field:
-        return []
-
-    schema = env_vars_field.get("schema", {})
-    default = schema.get("default")
-    if default is None:
-        default_factory = schema.get("default_factory")
-        if callable(default_factory):
-            try:
-                default = default_factory()
-            except Exception:
-                default = []
-
-    if not isinstance(default, list):
-        return []
-
-    return [
-        {
-            "name": env_var.name,
-            "description": env_var.description,
-            "required": env_var.required,
-            "default": env_var.default,
-        }
-        for env_var in default
-        if isinstance(env_var, EnvVar)
-    ]
--- a/lib/crewai/src/crewai/experimental/agent_executor.py
+++ b/lib/crewai/src/crewai/experimental/agent_executor.py
@@ -1966,6 +1966,37 @@ class AgentExecutor(Flow[AgentExecutorState], CrewAgentExecutorMixin):
            "original_tool": original_tool,
        }

+    def _extract_tool_name(self, tool_call: Any) -> str:
+        """Extract tool name from various tool call formats."""
+        if hasattr(tool_call, "function"):
+            return sanitize_tool_name(tool_call.function.name)
+        if hasattr(tool_call, "function_call") and tool_call.function_call:
+            return sanitize_tool_name(tool_call.function_call.name)
+        if hasattr(tool_call, "name"):
+            return sanitize_tool_name(tool_call.name)
+        if isinstance(tool_call, dict):
+            func_info = tool_call.get("function", {})
+            return sanitize_tool_name(
+                func_info.get("name", "") or tool_call.get("name", "unknown")
+            )
+        return "unknown"
+
+    @router(execute_native_tool)
+    def check_native_todo_completion(
+        self,
+    ) -> Literal["todo_satisfied", "todo_not_satisfied"]:
+        """Check if the native tool execution satisfied the active todo.
+
+        Similar to check_todo_completion but for native tool execution path.
+        """
+        current_todo = self.state.todos.current_todo
+
+        if not current_todo:
+            return "todo_not_satisfied"
+
+        # For native tools, any tool execution satisfies the todo
+        return "todo_satisfied"
+
    @listen("initialized")
    def continue_iteration(self) -> Literal["check_iteration"]:
        """Bridge listener that connects iteration loop back to iteration check."""
--- a/lib/crewai/src/crewai/llm.py
+++ b/lib/crewai/src/crewai/llm.py
@@ -753,7 +753,7 @@ class LLM(BaseLLM):
            "temperature": self.temperature,
            "top_p": self.top_p,
            "n": self.n,
-            "stop": (self.stop or None) if self.supports_stop_words() else None,
+            "stop": self.stop or None,
            "max_tokens": self.max_tokens or self.max_completion_tokens,
            "presence_penalty": self.presence_penalty,
            "frequency_penalty": self.frequency_penalty,
@@ -1825,11 +1825,9 @@ class LLM(BaseLLM):
                    # whether to summarize the content or abort based on the respect_context_window flag
                    raise
                except Exception as e:
-                    error_str = str(e)
-                    unsupported_stop = "'stop'" in error_str and (
-                        "Unsupported parameter" in error_str
-                        or "does not support parameters" in error_str
-                    )
+                    unsupported_stop = "Unsupported parameter" in str(
+                        e
+                    ) and "'stop'" in str(e)

                    if unsupported_stop:
                        if (
@@ -1963,11 +1961,9 @@ class LLM(BaseLLM):
                except LLMContextLengthExceededError:
                    raise
                except Exception as e:
-                    error_str = str(e)
-                    unsupported_stop = "'stop'" in error_str and (
-                        "Unsupported parameter" in error_str
-                        or "does not support parameters" in error_str
-                    )
+                    unsupported_stop = "Unsupported parameter" in str(
+                        e
+                    ) and "'stop'" in str(e)

                    if unsupported_stop:
                        if (
@@ -2267,10 +2263,6 @@ class LLM(BaseLLM):
        Note: This method is only used by the litellm fallback path.
        Native providers override this method with their own implementation.
        """
-        model_lower = self.model.lower() if self.model else ""
-        if "gpt-5" in model_lower:
-            return False
-
        if not LITELLM_AVAILABLE or get_supported_openai_params is None:
            # When litellm is not available, assume stop words are supported
            return True
--- a/lib/crewai/src/crewai/llms/providers/openai/completion.py
+++ b/lib/crewai/src/crewai/llms/providers/openai/completion.py
@@ -2245,9 +2245,6 @@ class OpenAICompletion(BaseLLM):

    def supports_stop_words(self) -> bool:
        """Check if the model supports stop words."""
-        model_lower = self.model.lower() if self.model else ""
-        if "gpt-5" in model_lower:
-            return False
        return not self.is_o1_model

    def get_context_window_size(self) -> int:
--- a/lib/crewai/src/crewai/mcp/config.py
+++ b/lib/crewai/src/crewai/mcp/config.py
@@ -7,7 +7,6 @@ various transport types, similar to OpenAI's Agents SDK.
 from pydantic import BaseModel, Field

 from crewai.mcp.filters import ToolFilter
-from crewai.mcp.transports.stdio import DEFAULT_ALLOWED_COMMANDS


 class MCPServerStdio(BaseModel):
@@ -45,14 +44,6 @@ class MCPServerStdio(BaseModel):
        default=None,
        description="Optional tool filter for filtering available tools.",
    )
-    allowed_commands: frozenset[str] | None = Field(
-        default=DEFAULT_ALLOWED_COMMANDS,
-        description=(
-            "Optional frozenset of allowed command basenames for security validation. "
-            "Defaults to common runtimes (python, node, npx, uvx, uv, deno, docker). "
-            "Set to None to disable the allowlist check."
-        ),
-    )
    cache_tools_list: bool = Field(
        default=False,
        description="Whether to cache the tool list for faster subsequent access.",
--- a/lib/crewai/src/crewai/mcp/tool_resolver.py
+++ b/lib/crewai/src/crewai/mcp/tool_resolver.py
@@ -292,7 +292,6 @@ class MCPToolResolver:
                command=mcp_config.command,
                args=mcp_config.args,
                env=mcp_config.env,
-                allowed_commands=mcp_config.allowed_commands,
            )
            server_name = f"{mcp_config.command}_{'_'.join(mcp_config.args)}"
        elif isinstance(mcp_config, MCPServerHTTP):
--- a/lib/crewai/src/crewai/mcp/transports/init.py
+++ b/lib/crewai/src/crewai/mcp/transports/init.py
@@ -3,12 +3,11 @@
 from crewai.mcp.transports.base import BaseTransport, TransportType
 from crewai.mcp.transports.http import HTTPTransport
 from crewai.mcp.transports.sse import SSETransport
-from crewai.mcp.transports.stdio import DEFAULT_ALLOWED_COMMANDS, StdioTransport
+from crewai.mcp.transports.stdio import StdioTransport


 __all__ = [
    "BaseTransport",
-    "DEFAULT_ALLOWED_COMMANDS",
    "HTTPTransport",
    "SSETransport",
    "StdioTransport",
--- a/lib/crewai/src/crewai/mcp/transports/stdio.py
+++ b/lib/crewai/src/crewai/mcp/transports/stdio.py
@@ -9,22 +9,6 @@ from typing_extensions import Self

 from crewai.mcp.transports.base import BaseTransport, TransportType

-# Default allowlist for common MCP server runtimes.
-# Covers the vast majority of MCP server launch commands.
-# Pass ``allowed_commands=None`` to disable validation entirely.
-DEFAULT_ALLOWED_COMMANDS: frozenset[str] = frozenset(
-    {
-        "python",
-        "python3",
-        "node",
-        "npx",
-        "uvx",
-        "uv",
-        "deno",
-        "docker",
-    }
-)
-

 class StdioTransport(BaseTransport):
    """Stdio transport for connecting to local MCP servers.
@@ -50,7 +34,6 @@ class StdioTransport(BaseTransport):
        command: str,
        args: list[str] | None = None,
        env: dict[str, str] | None = None,
-        allowed_commands: frozenset[str] | None = DEFAULT_ALLOWED_COMMANDS,
        **kwargs: Any,
    ) -> None:
        """Initialize stdio transport.
@@ -59,24 +42,9 @@ class StdioTransport(BaseTransport):
            command: Command to execute (e.g., "python", "node", "npx").
            args: Command arguments (e.g., ["server.py"] or ["-y", "@mcp/server"]).
            env: Environment variables to pass to the process.
-            allowed_commands: Optional frozenset of allowed command basenames.
-                Defaults to ``DEFAULT_ALLOWED_COMMANDS`` which includes common
-                runtimes (python, node, npx, uvx, uv, deno, docker).  Pass
-                ``None`` to disable the check entirely.
            **kwargs: Additional transport options.
        """
        super().__init__(**kwargs)
-
-        if allowed_commands is not None:
-            base_command = os.path.basename(command)
-            if base_command not in allowed_commands:
-                raise ValueError(
-                    f"Command '{command}' is not in the allowed commands list: "
-                    f"{sorted(allowed_commands)}. "
-                    f"To allow this command, add it to allowed_commands or pass "
-                    f"allowed_commands=None to disable this check."
-                )
-
        self.command = command
        self.args = args or []
        self.env = env or {}
--- a/lib/crewai/tests/agents/test_agent_executor.py
+++ b/lib/crewai/tests/agents/test_agent_executor.py
@@ -879,6 +879,30 @@ class TestNativeToolExecution:
        assert len(tool_messages) == 1
        assert tool_messages[0]["tool_call_id"] == "call_1"

+    def test_check_native_todo_completion_requires_current_todo(
+        self, mock_dependencies
+    ):
+        from crewai.utilities.planning_types import TodoList
+
+        executor = AgentExecutor(**mock_dependencies)
+
+        # No current todo → not satisfied
+        executor.state.todos = TodoList(items=[])
+        assert executor.check_native_todo_completion() == "todo_not_satisfied"
+
+        # With a current todo that has tool_to_use → satisfied
+        running = TodoItem(
+            step_number=1,
+            description="Use the expected tool",
+            tool_to_use="expected_tool",
+            status="running",
+        )
+        executor.state.todos = TodoList(items=[running])
+        assert executor.check_native_todo_completion() == "todo_satisfied"
+
+        # With a current todo without tool_to_use → still satisfied
+        running.tool_to_use = None
+        assert executor.check_native_todo_completion() == "todo_satisfied"


 class TestPlannerObserver:
--- a/lib/crewai/tests/cassettes/test_litellm_gpt5_call_succeeds_without_stop_error.yaml
+++ b/lib/crewai/tests/cassettes/test_litellm_gpt5_call_succeeds_without_stop_error.yaml
@@ -1,110 +0,0 @@
-interactions:
- request:
-    body: '{"messages":[{"role":"user","content":"What is the capital of France?"}],"model":"gpt-5"}'
-    headers:
-      User-Agent:
-      - X-USER-AGENT-XXX
-      accept:
-      - application/json
-      accept-encoding:
-      - ACCEPT-ENCODING-XXX
-      authorization:
-      - AUTHORIZATION-XXX
-      connection:
-      - keep-alive
-      content-length:
-      - '89'
-      content-type:
-      - application/json
-      host:
-      - api.openai.com
-      x-stainless-arch:
-      - X-STAINLESS-ARCH-XXX
-      x-stainless-async:
-      - 'false'
-      x-stainless-lang:
-      - python
-      x-stainless-os:
-      - X-STAINLESS-OS-XXX
-      x-stainless-package-version:
-      - 1.83.0
-      x-stainless-raw-response:
-      - 'true'
-      x-stainless-read-timeout:
-      - X-STAINLESS-READ-TIMEOUT-XXX
-      x-stainless-retry-count:
-      - '0'
-      x-stainless-runtime:
-      - CPython
-      x-stainless-runtime-version:
-      - 3.13.2
-    method: POST
-    uri: https://api.openai.com/v1/chat/completions
-  response:
-    body:
-      string: "{\n  \"id\": \"chatcmpl-DO4LcSpy72yIXCYSIVOQEXWNXydgn\",\n  \"object\":
-        \"chat.completion\",\n  \"created\": 1774628956,\n  \"model\": \"gpt-5-2025-08-07\",\n
-        \ \"choices\": [\n    {\n      \"index\": 0,\n      \"message\": {\n        \"role\":
-        \"assistant\",\n        \"content\": \"Paris.\",\n        \"refusal\": null,\n
-        \       \"annotations\": []\n      },\n      \"finish_reason\": \"stop\"\n
-        \   }\n  ],\n  \"usage\": {\n    \"prompt_tokens\": 13,\n    \"completion_tokens\":
-        11,\n    \"total_tokens\": 24,\n    \"prompt_tokens_details\": {\n      \"cached_tokens\":
-        0,\n      \"audio_tokens\": 0\n    },\n    \"completion_tokens_details\":
-        {\n      \"reasoning_tokens\": 0,\n      \"audio_tokens\": 0,\n      \"accepted_prediction_tokens\":
-        0,\n      \"rejected_prediction_tokens\": 0\n    }\n  },\n  \"service_tier\":
-        \"default\",\n  \"system_fingerprint\": null\n}\n"
-    headers:
-      CF-Cache-Status:
-      - DYNAMIC
-      CF-Ray:
-      - 9e2fc5dce85582fb-GIG
-      Connection:
-      - keep-alive
-      Content-Type:
-      - application/json
-      Date:
-      - Fri, 27 Mar 2026 16:29:17 GMT
-      Server:
-      - cloudflare
-      Strict-Transport-Security:
-      - STS-XXX
-      Transfer-Encoding:
-      - chunked
-      X-Content-Type-Options:
-      - X-CONTENT-TYPE-XXX
-      access-control-expose-headers:
-      - ACCESS-CONTROL-XXX
-      alt-svc:
-      - h3=":443"; ma=86400
-      content-length:
-      - '772'
-      openai-organization:
-      - OPENAI-ORG-XXX
-      openai-processing-ms:
-      - '1343'
-      openai-project:
-      - OPENAI-PROJECT-XXX
-      openai-version:
-      - '2020-10-01'
-      set-cookie:
-      - SET-COOKIE-XXX
-      x-openai-proxy-wasm:
-      - v0.1
-      x-ratelimit-limit-requests:
-      - X-RATELIMIT-LIMIT-REQUESTS-XXX
-      x-ratelimit-limit-tokens:
-      - X-RATELIMIT-LIMIT-TOKENS-XXX
-      x-ratelimit-remaining-requests:
-      - X-RATELIMIT-REMAINING-REQUESTS-XXX
-      x-ratelimit-remaining-tokens:
-      - X-RATELIMIT-REMAINING-TOKENS-XXX
-      x-ratelimit-reset-requests:
-      - X-RATELIMIT-RESET-REQUESTS-XXX
-      x-ratelimit-reset-tokens:
-      - X-RATELIMIT-RESET-TOKENS-XXX
-      x-request-id:
-      - X-REQUEST-ID-XXX
-    status:
-      code: 200
-      message: OK
-version: 1
--- a/lib/crewai/tests/cli/test_plus_api.py
+++ b/lib/crewai/tests/cli/test_plus_api.py
@@ -136,7 +136,6 @@ class TestPlusAPI(unittest.TestCase):
            "file": encoded_file,
            "description": description,
            "available_exports": None,
-            "tools_metadata": None,
        }
        mock_make_request.assert_called_once_with(
            "POST", "/crewai_plus/api/v1/tools", json=params
@@ -174,7 +173,6 @@ class TestPlusAPI(unittest.TestCase):
            "file": encoded_file,
            "description": description,
            "available_exports": None,
-            "tools_metadata": None,
        }

        self.assert_request_with_org_id(
@@ -203,48 +201,6 @@ class TestPlusAPI(unittest.TestCase):
            "file": encoded_file,
            "description": description,
            "available_exports": None,
-            "tools_metadata": None,
-        }
-        mock_make_request.assert_called_once_with(
-            "POST", "/crewai_plus/api/v1/tools", json=params
-        )
-        self.assertEqual(response, mock_response)
-
-    @patch("crewai.cli.plus_api.PlusAPI._make_request")
-    def test_publish_tool_with_tools_metadata(self, mock_make_request):
-        mock_response = MagicMock()
-        mock_make_request.return_value = mock_response
-        handle = "test_tool_handle"
-        public = True
-        version = "1.0.0"
-        description = "Test tool description"
-        encoded_file = "encoded_test_file"
-        available_exports = [{"name": "MyTool"}]
-        tools_metadata = [
-            {
-                "name": "MyTool",
-                "humanized_name": "my_tool",
-                "description": "A test tool",
-                "run_params_schema": {"type": "object", "properties": {}},
-                "init_params_schema": {"type": "object", "properties": {}},
-                "env_vars": [{"name": "API_KEY", "description": "API key", "required": True, "default": None}],
-            }
-        ]
-
-        response = self.api.publish_tool(
-            handle, public, version, description, encoded_file,
-            available_exports=available_exports,
-            tools_metadata=tools_metadata,
-        )
-
-        params = {
-            "handle": handle,
-            "public": public,
-            "version": version,
-            "file": encoded_file,
-            "description": description,
-            "available_exports": available_exports,
-            "tools_metadata": {"package": handle, "tools": tools_metadata},
        }
        mock_make_request.assert_called_once_with(
            "POST", "/crewai_plus/api/v1/tools", json=params
--- a/lib/crewai/tests/cli/test_utils.py
+++ b/lib/crewai/tests/cli/test_utils.py
@@ -363,290 +363,3 @@ def test_get_crews_ignores_template_directories(
    utils.get_crews()

    assert not template_crew_detected
-
-
-# Tests for extract_tools_metadata
-
-
-def test_extract_tools_metadata_empty_project(temp_project_dir):
-    """Test that extract_tools_metadata returns empty list for empty project."""
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert metadata == []
-
-
-def test_extract_tools_metadata_no_init_file(temp_project_dir):
-    """Test that extract_tools_metadata returns empty list when no __init__.py exists."""
-    (temp_project_dir / "some_file.py").write_text("print('hello')")
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert metadata == []
-
-
-def test_extract_tools_metadata_empty_init_file(temp_project_dir):
-    """Test that extract_tools_metadata returns empty list for empty __init__.py."""
-    create_init_file(temp_project_dir, "")
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert metadata == []
-
-
-def test_extract_tools_metadata_no_all_variable(temp_project_dir):
-    """Test that extract_tools_metadata returns empty list when __all__ is not defined."""
-    create_init_file(
-        temp_project_dir,
-        "from crewai.tools import BaseTool\n\nclass MyTool(BaseTool):\n    pass",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert metadata == []
-
-
-def test_extract_tools_metadata_valid_base_tool_class(temp_project_dir):
-    """Test that extract_tools_metadata extracts metadata from a valid BaseTool class."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-
-class MyTool(BaseTool):
-    name: str = "my_tool"
-    description: str = "A test tool"
-
-__all__ = ['MyTool']
-""",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 1
-    assert metadata[0]["name"] == "MyTool"
-    assert metadata[0]["humanized_name"] == "my_tool"
-    assert metadata[0]["description"] == "A test tool"
-
-
-def test_extract_tools_metadata_with_args_schema(temp_project_dir):
-    """Test that extract_tools_metadata extracts run_params_schema from args_schema."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-from pydantic import BaseModel
-
-class MyToolInput(BaseModel):
-    query: str
-    limit: int = 10
-
-class MyTool(BaseTool):
-    name: str = "my_tool"
-    description: str = "A test tool"
-    args_schema: type[BaseModel] = MyToolInput
-
-__all__ = ['MyTool']
-""",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 1
-    assert metadata[0]["name"] == "MyTool"
-    run_params = metadata[0]["run_params_schema"]
-    assert "properties" in run_params
-    assert "query" in run_params["properties"]
-    assert "limit" in run_params["properties"]
-
-
-def test_extract_tools_metadata_with_env_vars(temp_project_dir):
-    """Test that extract_tools_metadata extracts env_vars."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-from crewai.tools.base_tool import EnvVar
-
-class MyTool(BaseTool):
-    name: str = "my_tool"
-    description: str = "A test tool"
-    env_vars: list[EnvVar] = [
-        EnvVar(name="MY_API_KEY", description="API key for service", required=True),
-        EnvVar(name="MY_OPTIONAL_VAR", description="Optional var", required=False, default="default_value"),
-    ]
-
-__all__ = ['MyTool']
-""",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 1
-    env_vars = metadata[0]["env_vars"]
-    assert len(env_vars) == 2
-    assert env_vars[0]["name"] == "MY_API_KEY"
-    assert env_vars[0]["description"] == "API key for service"
-    assert env_vars[0]["required"] is True
-    assert env_vars[1]["name"] == "MY_OPTIONAL_VAR"
-    assert env_vars[1]["required"] is False
-    assert env_vars[1]["default"] == "default_value"
-
-
-def test_extract_tools_metadata_with_env_vars_field_default_factory(temp_project_dir):
-    """Test that extract_tools_metadata extracts env_vars declared with Field(default_factory=...)."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-from crewai.tools.base_tool import EnvVar
-from pydantic import Field
-
-class MyTool(BaseTool):
-    name: str = "my_tool"
-    description: str = "A test tool"
-    env_vars: list[EnvVar] = Field(
-        default_factory=lambda: [
-            EnvVar(name="MY_TOOL_API", description="API token for my tool", required=True),
-        ]
-    )
-
-__all__ = ['MyTool']
-""",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 1
-    env_vars = metadata[0]["env_vars"]
-    assert len(env_vars) == 1
-    assert env_vars[0]["name"] == "MY_TOOL_API"
-    assert env_vars[0]["description"] == "API token for my tool"
-    assert env_vars[0]["required"] is True
-
-
-def test_extract_tools_metadata_with_custom_init_params(temp_project_dir):
-    """Test that extract_tools_metadata extracts init_params_schema with custom params."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-
-class MyTool(BaseTool):
-    name: str = "my_tool"
-    description: str = "A test tool"
-    api_endpoint: str = "https://api.example.com"
-    timeout: int = 30
-
-__all__ = ['MyTool']
-""",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 1
-    init_params = metadata[0]["init_params_schema"]
-    assert "properties" in init_params
-    # Custom params should be included
-    assert "api_endpoint" in init_params["properties"]
-    assert "timeout" in init_params["properties"]
-    # Base params should be filtered out
-    assert "name" not in init_params["properties"]
-    assert "description" not in init_params["properties"]
-
-
-def test_extract_tools_metadata_multiple_tools(temp_project_dir):
-    """Test that extract_tools_metadata extracts metadata from multiple tools."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-
-class FirstTool(BaseTool):
-    name: str = "first_tool"
-    description: str = "First test tool"
-
-class SecondTool(BaseTool):
-    name: str = "second_tool"
-    description: str = "Second test tool"
-
-__all__ = ['FirstTool', 'SecondTool']
-""",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 2
-    names = [m["name"] for m in metadata]
-    assert "FirstTool" in names
-    assert "SecondTool" in names
-
-
-def test_extract_tools_metadata_multiple_init_files(temp_project_dir):
-    """Test that extract_tools_metadata extracts metadata from multiple __init__.py files."""
-    # Create tool in root __init__.py
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-
-class RootTool(BaseTool):
-    name: str = "root_tool"
-    description: str = "Root tool"
-
-__all__ = ['RootTool']
-""",
-    )
-
-    # Create nested package with another tool
-    nested_dir = temp_project_dir / "nested"
-    nested_dir.mkdir()
-    create_init_file(
-        nested_dir,
-        """from crewai.tools import BaseTool
-
-class NestedTool(BaseTool):
-    name: str = "nested_tool"
-    description: str = "Nested tool"
-
-__all__ = ['NestedTool']
-""",
-    )
-
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 2
-    names = [m["name"] for m in metadata]
-    assert "RootTool" in names
-    assert "NestedTool" in names
-
-
-def test_extract_tools_metadata_ignores_non_tool_exports(temp_project_dir):
-    """Test that extract_tools_metadata ignores non-BaseTool exports."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-
-class MyTool(BaseTool):
-    name: str = "my_tool"
-    description: str = "A test tool"
-
-def not_a_tool():
-    pass
-
-SOME_CONSTANT = "value"
-
-__all__ = ['MyTool', 'not_a_tool', 'SOME_CONSTANT']
-""",
-    )
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert len(metadata) == 1
-    assert metadata[0]["name"] == "MyTool"
-
-
-def test_extract_tools_metadata_import_error_returns_empty(temp_project_dir):
-    """Test that extract_tools_metadata returns empty list on import error."""
-    create_init_file(
-        temp_project_dir,
-        """from nonexistent_module import something
-
-class MyTool(BaseTool):
-    pass
-
-__all__ = ['MyTool']
-""",
-    )
-    # Should not raise, just return empty list
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert metadata == []
-
-
-def test_extract_tools_metadata_syntax_error_returns_empty(temp_project_dir):
-    """Test that extract_tools_metadata returns empty list on syntax error."""
-    create_init_file(
-        temp_project_dir,
-        """from crewai.tools import BaseTool
-
-class MyTool(BaseTool):
-    # Missing closing parenthesis
-    def __init__(self, name:
-        pass
-
-__all__ = ['MyTool']
-""",
-    )
-    # Should not raise, just return empty list
-    metadata = utils.extract_tools_metadata(dir_path=str(temp_project_dir))
-    assert metadata == []
--- a/lib/crewai/tests/cli/tools/test_main.py
+++ b/lib/crewai/tests/cli/tools/test_main.py
@@ -185,14 +185,9 @@ def test_publish_when_not_in_sync(mock_is_synced, capsys, tool_command):
    "crewai.cli.tools.main.extract_available_exports",
    return_value=[{"name": "SampleTool"}],
 )
-@patch(
-    "crewai.cli.tools.main.extract_tools_metadata",
-    return_value=[{"name": "SampleTool", "humanized_name": "sample_tool", "description": "A sample tool", "run_params_schema": {}, "init_params_schema": {}, "env_vars": []}],
-)
@patch("crewai.cli.tools.main.ToolCommand._print_current_organization")
 def test_publish_when_not_in_sync_and_force(
    mock_print_org,
-    mock_tools_metadata,
    mock_available_exports,
    mock_is_synced,
    mock_publish,
@@ -227,7 +222,6 @@ def test_publish_when_not_in_sync_and_force(
        description="A sample tool",
        encoded_file=unittest.mock.ANY,
        available_exports=[{"name": "SampleTool"}],
-        tools_metadata=[{"name": "SampleTool", "humanized_name": "sample_tool", "description": "A sample tool", "run_params_schema": {}, "init_params_schema": {}, "env_vars": []}],
    )
    mock_print_org.assert_called_once()

@@ -248,12 +242,7 @@ def test_publish_when_not_in_sync_and_force(
    "crewai.cli.tools.main.extract_available_exports",
    return_value=[{"name": "SampleTool"}],
 )
-@patch(
-    "crewai.cli.tools.main.extract_tools_metadata",
-    return_value=[{"name": "SampleTool", "humanized_name": "sample_tool", "description": "A sample tool", "run_params_schema": {}, "init_params_schema": {}, "env_vars": []}],
-)
 def test_publish_success(
-    mock_tools_metadata,
    mock_available_exports,
    mock_is_synced,
    mock_publish,
@@ -288,7 +277,6 @@ def test_publish_success(
        description="A sample tool",
        encoded_file=unittest.mock.ANY,
        available_exports=[{"name": "SampleTool"}],
-        tools_metadata=[{"name": "SampleTool", "humanized_name": "sample_tool", "description": "A sample tool", "run_params_schema": {}, "init_params_schema": {}, "env_vars": []}],
    )


@@ -307,12 +295,7 @@ def test_publish_success(
    "crewai.cli.tools.main.extract_available_exports",
    return_value=[{"name": "SampleTool"}],
 )
-@patch(
-    "crewai.cli.tools.main.extract_tools_metadata",
-    return_value=[{"name": "SampleTool", "humanized_name": "sample_tool", "description": "A sample tool", "run_params_schema": {}, "init_params_schema": {}, "env_vars": []}],
-)
 def test_publish_failure(
-    mock_tools_metadata,
    mock_available_exports,
    mock_publish,
    mock_open,
@@ -353,12 +336,7 @@ def test_publish_failure(
    "crewai.cli.tools.main.extract_available_exports",
    return_value=[{"name": "SampleTool"}],
 )
-@patch(
-    "crewai.cli.tools.main.extract_tools_metadata",
-    return_value=[{"name": "SampleTool", "humanized_name": "sample_tool", "description": "A sample tool", "run_params_schema": {}, "init_params_schema": {}, "env_vars": []}],
-)
 def test_publish_api_error(
-    mock_tools_metadata,
    mock_available_exports,
    mock_publish,
    mock_open,
@@ -384,63 +362,6 @@ def test_publish_api_error(
    mock_publish.assert_called_once()


-@patch("crewai.cli.tools.main.get_project_name", return_value="sample-tool")
-@patch("crewai.cli.tools.main.get_project_version", return_value="1.0.0")
-@patch("crewai.cli.tools.main.get_project_description", return_value="A sample tool")
-@patch("crewai.cli.tools.main.subprocess.run")
-@patch("crewai.cli.tools.main.os.listdir", return_value=["sample-tool-1.0.0.tar.gz"])
-@patch(
-    "crewai.cli.tools.main.open",
-    new_callable=unittest.mock.mock_open,
-    read_data=b"sample tarball content",
-)
-@patch("crewai.cli.plus_api.PlusAPI.publish_tool")
-@patch("crewai.cli.tools.main.git.Repository.is_synced", return_value=True)
-@patch(
-    "crewai.cli.tools.main.extract_available_exports",
-    return_value=[{"name": "SampleTool"}],
-)
-@patch(
-    "crewai.cli.tools.main.extract_tools_metadata",
-    side_effect=Exception("Failed to extract metadata"),
-)
-def test_publish_metadata_extraction_failure_continues_with_warning(
-    mock_tools_metadata,
-    mock_available_exports,
-    mock_is_synced,
-    mock_publish,
-    mock_open,
-    mock_listdir,
-    mock_subprocess_run,
-    mock_get_project_description,
-    mock_get_project_version,
-    mock_get_project_name,
-    capsys,
-    tool_command,
-):
-    """Test that metadata extraction failure shows warning but continues publishing."""
-    mock_publish_response = MagicMock()
-    mock_publish_response.status_code = 200
-    mock_publish_response.json.return_value = {"handle": "sample-tool"}
-    mock_publish.return_value = mock_publish_response
-
-    tool_command.publish(is_public=True)
-
-    output = capsys.readouterr().out
-    assert "Warning: Could not extract tool metadata" in output
-    assert "Publishing will continue without detailed metadata" in output
-    assert "No tool metadata extracted" in output
-    mock_publish.assert_called_once_with(
-        handle="sample-tool",
-        is_public=True,
-        version="1.0.0",
-        description="A sample tool",
-        encoded_file=unittest.mock.ANY,
-        available_exports=[{"name": "SampleTool"}],
-        tools_metadata=[],
-    )
-
-
@patch("crewai.cli.tools.main.Settings")
 def test_print_current_organization_with_org(mock_settings, capsys, tool_command):
    mock_settings_instance = MagicMock()
--- a/lib/crewai/tests/llms/openai/test_openai.py
+++ b/lib/crewai/tests/llms/openai/test_openai.py
@@ -1523,69 +1523,6 @@ def test_openai_stop_words_not_applied_to_structured_output():
    assert "Observation:" in result.observation


-def test_openai_gpt5_models_do_not_support_stop_words():
-    """
-    Test that GPT-5 family models do not support stop words via the API.
-    GPT-5 models reject the 'stop' parameter, so stop words must be
-    applied client-side only.
-    """
-    gpt5_models = [
-        "gpt-5",
-        "gpt-5-mini",
-        "gpt-5-nano",
-        "gpt-5-pro",
-        "gpt-5.1",
-        "gpt-5.1-chat",
-        "gpt-5.2",
-        "gpt-5.2-chat",
-    ]
-
-    for model_name in gpt5_models:
-        llm = OpenAICompletion(model=model_name)
-        assert llm.supports_stop_words() == False, (
-            f"Expected {model_name} to NOT support stop words"
-        )
-
-
-def test_openai_non_gpt5_models_support_stop_words():
-    """
-    Test that non-GPT-5 models still support stop words normally.
-    """
-    supported_models = [
-        "gpt-4o",
-        "gpt-4o-mini",
-        "gpt-4.1",
-        "gpt-4.1-mini",
-        "gpt-4-turbo",
-    ]
-
-    for model_name in supported_models:
-        llm = OpenAICompletion(model=model_name)
-        assert llm.supports_stop_words() == True, (
-            f"Expected {model_name} to support stop words"
-        )
-
-
-def test_openai_gpt5_still_applies_stop_words_client_side():
-    """
-    Test that GPT-5 models still truncate responses at stop words client-side
-    via _apply_stop_words(), even though they don't send 'stop' to the API.
-    """
-    llm = OpenAICompletion(
-        model="gpt-5.2",
-        stop=["Observation:", "Final Answer:"],
-    )
-
-    assert llm.supports_stop_words() == False
-
-    response = "I need to search.\n\nAction: search\nObservation: Found results"
-    result = llm._apply_stop_words(response)
-
-    assert "Observation:" not in result
-    assert "Found results" not in result
-    assert "I need to search" in result
-
-
 def test_openai_stop_words_still_applied_to_regular_responses():
    """
    Test that stop words ARE still applied for regular (non-structured) responses.
--- a/lib/crewai/tests/mcp/test_stdio_config.py
+++ b/lib/crewai/tests/mcp/test_stdio_config.py
@@ -1,30 +0,0 @@
-"""Tests for MCPServerStdio allowed_commands config integration."""
-
-import pytest
-
-from crewai.mcp.config import MCPServerStdio
-from crewai.mcp.transports.stdio import DEFAULT_ALLOWED_COMMANDS
-
-
-class TestMCPServerStdioConfig:
-    """Tests for the allowed_commands field on MCPServerStdio."""
-
-    def test_default_allowed_commands(self):
-        """MCPServerStdio should default to DEFAULT_ALLOWED_COMMANDS."""
-        config = MCPServerStdio(command="python", args=["server.py"])
-        assert config.allowed_commands == DEFAULT_ALLOWED_COMMANDS
-
-    def test_custom_allowed_commands(self):
-        """Users can override allowed_commands in config."""
-        custom = frozenset({"my-runtime"})
-        config = MCPServerStdio(
-            command="my-runtime", args=[], allowed_commands=custom
-        )
-        assert config.allowed_commands == custom
-
-    def test_none_allowed_commands(self):
-        """Users can disable the allowlist via config."""
-        config = MCPServerStdio(
-            command="anything", args=[], allowed_commands=None
-        )
-        assert config.allowed_commands is None
--- a/lib/crewai/tests/mcp/test_stdio_transport.py
+++ b/lib/crewai/tests/mcp/test_stdio_transport.py
@@ -1,93 +0,0 @@
-"""Tests for StdioTransport command allowlist validation."""
-
-import pytest
-
-from crewai.mcp.transports.stdio import DEFAULT_ALLOWED_COMMANDS, StdioTransport
-
-
-class TestStdioTransportAllowlist:
-    """Tests for the command allowlist feature."""
-
-    def test_default_allowed_commands_contains_common_runtimes(self):
-        """DEFAULT_ALLOWED_COMMANDS should include all common MCP server runtimes."""
-        expected = {"python", "python3", "node", "npx", "uvx", "uv", "deno", "docker"}
-        assert expected == DEFAULT_ALLOWED_COMMANDS
-
-    def test_allowed_command_passes_validation(self):
-        """Commands in the default allowlist should be accepted."""
-        for cmd in DEFAULT_ALLOWED_COMMANDS:
-            transport = StdioTransport(command=cmd, args=["server.py"])
-            assert transport.command == cmd
-
-    def test_allowed_command_with_full_path(self):
-        """Full paths to allowed commands should pass (basename is checked)."""
-        transport = StdioTransport(command="/usr/bin/python3", args=["server.py"])
-        assert transport.command == "/usr/bin/python3"
-
-    def test_disallowed_command_raises_value_error(self):
-        """Commands not in the allowlist should raise ValueError."""
-        with pytest.raises(ValueError, match="not in the allowed commands list"):
-            StdioTransport(command="malicious-binary", args=["--evil"])
-
-    def test_disallowed_command_with_full_path_raises(self):
-        """Full paths to disallowed commands should also be rejected."""
-        with pytest.raises(ValueError, match="not in the allowed commands list"):
-            StdioTransport(command="/tmp/evil/script", args=[])
-
-    def test_allowed_commands_none_disables_validation(self):
-        """Setting allowed_commands=None should disable the check entirely."""
-        transport = StdioTransport(
-            command="any-custom-binary",
-            args=["--flag"],
-            allowed_commands=None,
-        )
-        assert transport.command == "any-custom-binary"
-
-    def test_custom_allowlist(self):
-        """Users should be able to pass a custom allowlist."""
-        custom = frozenset({"my-server", "python"})
-
-        # Allowed
-        transport = StdioTransport(
-            command="my-server", args=[], allowed_commands=custom
-        )
-        assert transport.command == "my-server"
-
-        # Not allowed
-        with pytest.raises(ValueError, match="not in the allowed commands list"):
-            StdioTransport(command="node", args=[], allowed_commands=custom)
-
-    def test_extended_allowlist(self):
-        """Users should be able to extend the default allowlist."""
-        extended = DEFAULT_ALLOWED_COMMANDS | frozenset({"my-custom-runtime"})
-
-        transport = StdioTransport(
-            command="my-custom-runtime", args=[], allowed_commands=extended
-        )
-        assert transport.command == "my-custom-runtime"
-
-        # Original defaults still work
-        transport2 = StdioTransport(
-            command="python", args=["server.py"], allowed_commands=extended
-        )
-        assert transport2.command == "python"
-
-    def test_error_message_includes_sorted_allowed_commands(self):
-        """The error message should list the allowed commands for discoverability."""
-        with pytest.raises(ValueError) as exc_info:
-            StdioTransport(command="bad-cmd", args=[])
-
-        error_msg = str(exc_info.value)
-        assert "bad-cmd" in error_msg
-        assert "allowed_commands=None" in error_msg
-
-    def test_args_and_env_still_work(self):
-        """Existing args and env functionality should be unaffected."""
-        transport = StdioTransport(
-            command="python",
-            args=["server.py", "--port", "8080"],
-            env={"API_KEY": "test123"},
-        )
-        assert transport.command == "python"
-        assert transport.args == ["server.py", "--port", "8080"]
-        assert transport.env == {"API_KEY": "test123"}
--- a/lib/crewai/tests/test_llm.py
+++ b/lib/crewai/tests/test_llm.py
@@ -682,126 +682,6 @@ def test_llm_call_when_stop_is_unsupported_when_additional_drop_params_is_provid
    assert "Paris" in result


-@pytest.mark.vcr()
-def test_litellm_gpt5_call_succeeds_without_stop_error():
-    """
-    Integration test: GPT-5 call succeeds when stop words are configured,
-    because stop is omitted from API params and applied client-side.
-    """
-    llm = LLM(model="gpt-5", stop=["Observation:"], is_litellm=True)
-    result = llm.call("What is the capital of France?")
-    assert isinstance(result, str)
-    assert len(result) > 0
-
-
-def test_litellm_gpt5_does_not_send_stop_in_params():
-    """
-    Test that the LiteLLM fallback path does not include 'stop' in API params
-    for GPT-5.x models, since they reject it at the API level.
-    """
-    llm = LLM(model="openai/gpt-5.2", stop=["Observation:"], is_litellm=True)
-
-    params = llm._prepare_completion_params(
-        messages=[{"role": "user", "content": "Hello"}]
-    )
-
-    assert params.get("stop") is None, (
-        "GPT-5.x models should not have 'stop' in API params"
-    )
-
-
-def test_litellm_non_gpt5_sends_stop_in_params():
-    """
-    Test that the LiteLLM fallback path still includes 'stop' in API params
-    for models that support it.
-    """
-    llm = LLM(model="gpt-4o", stop=["Observation:"], is_litellm=True)
-
-    params = llm._prepare_completion_params(
-        messages=[{"role": "user", "content": "Hello"}]
-    )
-
-    assert params.get("stop") == ["Observation:"], (
-        "Non-GPT-5 models should have 'stop' in API params"
-    )
-
-
-def test_litellm_retry_catches_litellm_unsupported_params_error(caplog):
-    """
-    Test that the retry logic catches LiteLLM's UnsupportedParamsError format
-    ("does not support parameters") in addition to the OpenAI API format.
-    """
-    llm = LLM(model="openai/gpt-5.2", stop=["Observation:"], is_litellm=True)
-
-    litellm_error = Exception(
-        "litellm.UnsupportedParamsError: openai does not support parameters: "
-        "['stop'], for model=openai/gpt-5.2."
-    )
-
-    call_count = 0
-
-    try:
-        import litellm
-    except ImportError:
-        pytest.skip("litellm is not installed; skipping LiteLLM retry test")
-
-    def mock_completion(*args, **kwargs):
-        nonlocal call_count
-        call_count += 1
-        if call_count == 1:
-            raise litellm_error
-        return MagicMock(
-            choices=[MagicMock(message=MagicMock(content="Paris", tool_calls=None))],
-            usage=MagicMock(
-                prompt_tokens=10,
-                completion_tokens=5,
-                total_tokens=15,
-            ),
-        )
-
-    with patch("litellm.completion", side_effect=mock_completion):
-        with caplog.at_level(logging.INFO):
-            result = llm.call("What is the capital of France?")
-
-    assert "Retrying LLM call without the unsupported 'stop'" in caplog.text
-    assert "stop" in llm.additional_params.get("additional_drop_params", [])
-
-
-def test_litellm_retry_catches_openai_api_stop_error(caplog):
-    """
-    Test that the retry logic still catches the OpenAI API error format
-    ("Unsupported parameter: 'stop'").
-    """
-    llm = LLM(model="openai/gpt-5.2", stop=["Observation:"], is_litellm=True)
-
-    api_error = Exception(
-        "Unsupported parameter: 'stop' is not supported with this model."
-    )
-
-    call_count = 0
-
-    def mock_completion(*args, **kwargs):
-        nonlocal call_count
-        call_count += 1
-        if call_count == 1:
-            raise api_error
-        return MagicMock(
-            choices=[MagicMock(message=MagicMock(content="Paris", tool_calls=None))],
-            usage=MagicMock(
-                prompt_tokens=10,
-                completion_tokens=5,
-                total_tokens=15,
-            ),
-        )
-
-    with patch("litellm.completion", side_effect=mock_completion):
-        with caplog.at_level(logging.INFO):
-            llm.call("What is the capital of France?")
-
-    assert "Retrying LLM call without the unsupported 'stop'" in caplog.text
-    assert "stop" in llm.additional_params.get("additional_drop_params", [])
-
-
@pytest.fixture
 def ollama_llm():
    return LLM(model="ollama/llama3.2:3b", is_litellm=True)
--- a/lib/devtools/src/crewai_devtools/init.py
+++ b/lib/devtools/src/crewai_devtools/init.py
@@ -1,3 +1,3 @@
 """CrewAI development tools."""

-__version__ = "1.13.0rc1"
+__version__ = "1.12.2"
--- a/lib/devtools/src/crewai_devtools/cli.py
+++ b/lib/devtools/src/crewai_devtools/cli.py
@@ -156,33 +156,6 @@ def update_version_in_file(file_path: Path, new_version: str) -> bool:
    return False


-def update_pyproject_version(file_path: Path, new_version: str) -> bool:
-    """Update the [project] version field in a pyproject.toml file.
-
-    Args:
-        file_path: Path to pyproject.toml file.
-        new_version: New version string.
-
-    Returns:
-        True if version was updated, False otherwise.
-    """
-    if not file_path.exists():
-        return False
-
-    content = file_path.read_text()
-    new_content = re.sub(
-        r'^(version\s*=\s*")[^"]+(")',
-        rf"\g<1>{new_version}\2",
-        content,
-        count=1,
-        flags=re.MULTILINE,
-    )
-    if new_content != content:
-        file_path.write_text(new_content)
-        return True
-    return False
-
-
 _DEFAULT_WORKSPACE_PACKAGES: Final[list[str]] = [
    "crewai",
    "crewai-tools",
@@ -1072,84 +1045,10 @@ def _update_enterprise_crewai_dep(pyproject_path: Path, version: str) -> bool:
    return False


-_DEPLOYMENT_TEST_REPO: Final[str] = "crewAIInc/crew_deployment_test"
-
 _PYPI_POLL_INTERVAL: Final[int] = 15
 _PYPI_POLL_TIMEOUT: Final[int] = 600


-def _update_deployment_test_repo(version: str, is_prerelease: bool) -> None:
-    """Update the deployment test repo to pin the new crewai version.
-
-    Clones the repo, updates the crewai[tools] pin in pyproject.toml,
-    regenerates the lockfile, commits, and pushes directly to main.
-
-    Args:
-        version: New crewai version string.
-        is_prerelease: Whether this is a pre-release version.
-    """
-    console.print(
-        f"\n[bold cyan]Updating {_DEPLOYMENT_TEST_REPO} to {version}[/bold cyan]"
-    )
-
-    with tempfile.TemporaryDirectory() as tmp:
-        repo_dir = Path(tmp) / "crew_deployment_test"
-        run_command(["gh", "repo", "clone", _DEPLOYMENT_TEST_REPO, str(repo_dir)])
-        console.print(f"[green]✓[/green] Cloned {_DEPLOYMENT_TEST_REPO}")
-
-        pyproject = repo_dir / "pyproject.toml"
-        content = pyproject.read_text()
-        new_content = re.sub(
-            r'"crewai\[tools\]==[^"]+"',
-            f'"crewai[tools]=={version}"',
-            content,
-        )
-        if new_content == content:
-            console.print(
-                "[yellow]Warning:[/yellow] No crewai[tools] pin found to update"
-            )
-            return
-        pyproject.write_text(new_content)
-        console.print(f"[green]✓[/green] Updated crewai[tools] pin to {version}")
-
-        lock_cmd = [
-            "uv",
-            "lock",
-            "--refresh-package",
-            "crewai",
-            "--refresh-package",
-            "crewai-tools",
-        ]
-        if is_prerelease:
-            lock_cmd.append("--prerelease=allow")
-
-        max_retries = 10
-        for attempt in range(1, max_retries + 1):
-            try:
-                run_command(lock_cmd, cwd=repo_dir)
-                break
-            except subprocess.CalledProcessError:
-                if attempt == max_retries:
-                    console.print(
-                        f"[red]Error:[/red] uv lock failed after {max_retries} attempts"
-                    )
-                    raise
-                console.print(
-                    f"[yellow]uv lock failed (attempt {attempt}/{max_retries}),"
-                    f" retrying in {_PYPI_POLL_INTERVAL}s...[/yellow]"
-                )
-                time.sleep(_PYPI_POLL_INTERVAL)
-        console.print("[green]✓[/green] Lockfile updated")
-
-        run_command(["git", "add", "pyproject.toml", "uv.lock"], cwd=repo_dir)
-        run_command(
-            ["git", "commit", "-m", f"chore: bump crewai to {version}"],
-            cwd=repo_dir,
-        )
-        run_command(["git", "push"], cwd=repo_dir)
-        console.print(f"[green]✓[/green] Pushed to {_DEPLOYMENT_TEST_REPO}")
-
-
 def _wait_for_pypi(package: str, version: str) -> None:
    """Poll PyPI until a specific package version is available.

@@ -1242,11 +1141,6 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non

            pyproject = pkg_dir / "pyproject.toml"
            if pyproject.exists():
-                if update_pyproject_version(pyproject, version):
-                    console.print(
-                        f"[green]✓[/green] Updated version in: "
-                        f"{pyproject.relative_to(repo_dir)}"
-                    )
                if update_pyproject_dependencies(
                    pyproject, version, extra_packages=list(_ENTERPRISE_EXTRA_PACKAGES)
                ):
@@ -1265,35 +1159,7 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
        _wait_for_pypi("crewai", version)

        console.print("\nSyncing workspace...")
-        sync_cmd = [
-            "uv",
-            "sync",
-            "--refresh-package",
-            "crewai",
-            "--refresh-package",
-            "crewai-tools",
-            "--refresh-package",
-            "crewai-files",
-        ]
-        if is_prerelease:
-            sync_cmd.append("--prerelease=allow")
-
-        max_retries = 10
-        for attempt in range(1, max_retries + 1):
-            try:
-                run_command(sync_cmd, cwd=repo_dir)
-                break
-            except subprocess.CalledProcessError:
-                if attempt == max_retries:
-                    console.print(
-                        f"[red]Error:[/red] uv sync failed after {max_retries} attempts"
-                    )
-                    raise
-                console.print(
-                    f"[yellow]uv sync failed (attempt {attempt}/{max_retries}),"
-                    f" retrying in {_PYPI_POLL_INTERVAL}s...[/yellow]"
-                )
-                time.sleep(_PYPI_POLL_INTERVAL)
+        run_command(["uv", "sync"], cwd=repo_dir)
        console.print("[green]✓[/green] Workspace synced")

        # --- branch, commit, push, PR ---
@@ -1309,7 +1175,7 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
        run_command(["git", "push", "-u", "origin", branch_name], cwd=repo_dir)
        console.print("[green]✓[/green] Branch pushed")

-        pr_url = run_command(
+        run_command(
            [
                "gh",
                "pr",
@@ -1326,7 +1192,6 @@ def _release_enterprise(version: str, is_prerelease: bool, dry_run: bool) -> Non
            cwd=repo_dir,
        )
        console.print("[green]✓[/green] Enterprise bump PR created")
-        console.print(f"[cyan]PR URL:[/cyan] {pr_url}")

        _poll_pr_until_merged(branch_name, "enterprise bump PR", repo=enterprise_repo)

@@ -1693,18 +1558,7 @@ def tag(dry_run: bool, no_edit: bool) -> None:
    is_flag=True,
    help="Skip the enterprise release phase",
 )
-@click.option(
-    "--skip-to-enterprise",
-    is_flag=True,
-    help="Skip phases 1 & 2, run only the enterprise release phase",
-)
-def release(
-    version: str,
-    dry_run: bool,
-    no_edit: bool,
-    skip_enterprise: bool,
-    skip_to_enterprise: bool,
-) -> None:
+def release(version: str, dry_run: bool, no_edit: bool, skip_enterprise: bool) -> None:
    """Full release: bump versions, tag, and publish a GitHub release.

    Combines bump and tag into a single workflow. Creates a version bump PR,
@@ -1717,19 +1571,11 @@ def release(
        dry_run: Show what would be done without making changes.
        no_edit: Skip editing release notes.
        skip_enterprise: Skip the enterprise release phase.
-        skip_to_enterprise: Skip phases 1 & 2, run only the enterprise release phase.
    """
    try:
        check_gh_installed()

-        if skip_enterprise and skip_to_enterprise:
-            console.print(
-                "[red]Error:[/red] Cannot use both --skip-enterprise "
-                "and --skip-to-enterprise"
-            )
-            sys.exit(1)
-
-        if not skip_enterprise or skip_to_enterprise:
+        if not skip_enterprise:
            missing: list[str] = []
            if not _ENTERPRISE_REPO:
                missing.append("ENTERPRISE_REPO")
@@ -1748,15 +1594,6 @@ def release(
        cwd = Path.cwd()
        lib_dir = cwd / "lib"

-        is_prerelease = _is_prerelease(version)
-
-        if skip_to_enterprise:
-            _release_enterprise(version, is_prerelease, dry_run)
-            console.print(
-                f"\n[green]✓[/green] Enterprise release [bold]{version}[/bold] complete!"
-            )
-            return
-
        if not dry_run:
            console.print("Checking git status...")
            check_git_clean()
@@ -1850,8 +1687,7 @@ def release(

        if not dry_run:
            _create_tag_and_release(tag_name, release_notes, is_prerelease)
-            _trigger_pypi_publish(tag_name, wait=True)
-            _update_deployment_test_repo(version, is_prerelease)
+            _trigger_pypi_publish(tag_name, wait=not skip_enterprise)

        if not skip_enterprise:
            _release_enterprise(version, is_prerelease, dry_run)