feat(mastracode): support external tool injection and auth storage init

.changeset/huge-boxes-travel.md

@@ -0,0 +1,18 @@
+---
+'@mastra/core': patch
+'mastracode': patch
+---
+
+Renamed `images` to `files` in `harness.sendMessage(...)` to align with the AI SDK `FilePart` shape.
+
+**Migration**
+
+Before:
+```ts
+await harness.sendMessage({ content: "Hi", images: [{ data, mimeType }] });
+```
+
+After:
+```ts
+await harness.sendMessage({ content: "Hi", files: [{ data, mediaType, filename }] });
+```

.changeset/real-wolves-thank.md

@@ -0,0 +1,17 @@
+---
+'mastracode': minor
+'@mastra/core': patch
+---
+
+Added pre/post hook wrapping for tool execution via `HookManager` and exported `createAuthStorage` for standalone auth provider initialization.
+
+`@mastra/core` receives a patch bump as a peer dependency of `mastracode`.
+
+**New API: `createAuthStorage`**
+
+```ts
+import { createAuthStorage } from 'mastracode';
+
+const authStorage = createAuthStorage();
+// authStorage is now wired into Claude Max and OpenAI Codex providers
+```

.changeset/thin-walls-bet.md

@@ -0,0 +1,5 @@
+---
+---
+
+Added a daily GitHub Action workflow for forks to sync the default branch from `mastra-ai/mastra`.
+This is an infrastructure-only change and does not modify published packages.

.github/workflows/sync-upstream-fork.yml

@@ -0,0 +1,52 @@
+name: Sync Fork With Upstream
+
+permissions:
+  contents: write
+
+on:
+  schedule:
+    - cron: '0 6 * * *'
+  workflow_dispatch:
+
+jobs:
+  sync-upstream:
+    # Run only on forks. Upstream repository does not need this job.
+    if: ${{ github.repository != 'mastra-ai/mastra' }}
+    runs-on: ubuntu-latest
+    env:
+      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+      UPSTREAM_REPO: mastra-ai/mastra
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git user
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Sync default branch from upstream
+        run: |
+          set -euo pipefail
+
+          if git remote get-url upstream >/dev/null 2>&1; then
+            git remote set-url upstream "https://github.com/${UPSTREAM_REPO}.git"
+          else
+            git remote add upstream "https://github.com/${UPSTREAM_REPO}.git"
+          fi
+
+          git fetch origin "${DEFAULT_BRANCH}"
+          git fetch upstream "${DEFAULT_BRANCH}"
+
+          git checkout -B "${DEFAULT_BRANCH}" "origin/${DEFAULT_BRANCH}"
+
+          UPSTREAM_NEW_COMMITS="$(git rev-list --count "origin/${DEFAULT_BRANCH}..upstream/${DEFAULT_BRANCH}")"
+          if [ "${UPSTREAM_NEW_COMMITS}" -eq 0 ]; then
+            echo "No upstream changes to sync."
+            exit 0
+          fi
+
+          git merge --no-edit "upstream/${DEFAULT_BRANCH}"
+          git push origin "${DEFAULT_BRANCH}"

README.md

@@ -62,6 +62,8 @@ If you are a developer and would like to contribute with code, please open an is
 
 Information about the project setup can be found in the [development documentation](./DEVELOPMENT.md)
 
+For fork maintainers: this repository includes a daily GitHub Action at `.github/workflows/sync-upstream-fork.yml` that syncs your fork's default branch from `mastra-ai/mastra`.
+
 ## Support
 
 We have an [open community Discord](https://discord.gg/BTYqqHKUrf). Come and say hello and let us know if you have any questions or need any help getting things running.

mastracode/src/__tests__/create-auth-storage.test.ts

@@ -0,0 +1,18 @@
+import { afterEach, describe, expect, it } from 'vitest';
+import { createAuthStorage } from '../index.js';
+import { getAuthStorage as getClaudeAuthStorage, setAuthStorage as setClaudeAuthStorage } from '../providers/claude-max.js';
+import { getAuthStorage as getOpenAIAuthStorage, setAuthStorage as setOpenAIAuthStorage } from '../providers/openai-codex.js';
+
+describe('createAuthStorage', () => {
+  afterEach(() => {
+    setClaudeAuthStorage(undefined as any);
+    setOpenAIAuthStorage(undefined as any);
+  });
+
+  it('wires a shared auth storage instance to provider modules', () => {
+    const authStorage = createAuthStorage();
+
+    expect(getClaudeAuthStorage()).toBe(authStorage);
+    expect(getOpenAIAuthStorage()).toBe(authStorage);
+  });
+});

mastracode/src/agents/__tests__/extra-tools.test.ts

@@ -183,6 +183,38 @@ describe('createDynamicTools – denied tool filtering', () => {
   });
 });
 
+describe('createDynamicTools – disabledTools filtering', () => {
+  it('should omit disabled built-in tools', () => {
+    const getDynamicTools = createDynamicTools(undefined, undefined, undefined, [
+      'request_sandbox_access',
+      'execute_command',
+    ]);
+
+    const tools = getDynamicTools({ requestContext: makeRequestContext() });
+    expect(tools).not.toHaveProperty('request_sandbox_access');
+    expect(tools).not.toHaveProperty('execute_command');
+    expect(tools).toHaveProperty('view');
+  });
+
+  it('should omit disabled extraTools', () => {
+    const myTool = createTool({
+      id: 'my_tool',
+      description: 'A custom tool',
+      inputSchema: z.object({}),
+      execute: async () => ({ result: 'custom' }),
+    });
+
+    const getDynamicTools = createDynamicTools(
+      undefined,
+      { my_tool: myTool },
+      undefined,
+      ['my_tool'],
+    );
+    const tools = getDynamicTools({ requestContext: makeRequestContext() });
+    expect(tools).not.toHaveProperty('my_tool');
+  });
+});
+
 describe('buildToolGuidance – denied tool filtering', () => {
   it('should omit guidance for denied tools', () => {
     const guidance = buildToolGuidance('build', {

mastracode/src/agents/__tests__/model.test.ts

@@ -39,6 +39,17 @@ vi.mock('@ai-sdk/anthropic', () => ({
   }),
 }));
 
+// Mock @ai-sdk/openai
+vi.mock('@ai-sdk/openai', () => ({
+  createOpenAI: vi.fn((_opts: Record<string, unknown>) => {
+    const openai = ((modelId: string) => ({ __provider: 'openai-direct', modelId })) as unknown as {
+      responses: (modelId: string) => Record<string, unknown>;
+    };
+    openai.responses = (modelId: string) => ({ __provider: 'openai-direct', modelId });
+    return openai;
+  }),
+}));
+
 // Mock ai SDK's wrapLanguageModel to pass through with a marker
 vi.mock('ai', () => ({
   wrapLanguageModel: vi.fn(({ model }: { model: Record<string, unknown> }) => ({
@@ -56,7 +67,8 @@ vi.mock('@mastra/core/llm', () => ({
 }));
 
 import { opencodeClaudeMaxProvider } from '../../providers/claude-max.js';
-import { resolveModel, getAnthropicApiKey } from '../model.js';
+import { openaiCodexProvider } from '../../providers/openai-codex.js';
+import { resolveModel, getAnthropicApiKey, getOpenAIApiKey } from '../model.js';
 
 describe('resolveModel', () => {
   const originalEnv = { ...process.env };
@@ -72,18 +84,22 @@ describe('resolveModel', () => {
   });
 
   describe('anthropic/* models', () => {
-    it('prefers Claude Max OAuth when logged in, even if API key is present', () => {
-      process.env.ANTHROPIC_API_KEY = 'sk-test-key-123';
-      mockAuthStorageInstance.isLoggedIn.mockImplementation((p: string) => p === 'anthropic');
+    it('prefers Claude Max OAuth when stored OAuth credential exists', () => {
+      mockAuthStorageInstance.get.mockReturnValue({
+        type: 'oauth',
+        access: 'oauth-access-token',
+        refresh: 'oauth-refresh-token',
+        expires: Date.now() + 60_000,
+      });
 
       resolveModel('anthropic/claude-sonnet-4-20250514');
 
       expect(opencodeClaudeMaxProvider).toHaveBeenCalledWith('claude-sonnet-4-20250514');
     });
 
-    it('falls back to API key when not logged in via OAuth', () => {
-      process.env.ANTHROPIC_API_KEY = 'sk-test-key-123';
-      mockAuthStorageInstance.isLoggedIn.mockReturnValue(false);
+    it('uses API key when stored credential is api_key, even if isLoggedIn reports true', () => {
+      mockAuthStorageInstance.isLoggedIn.mockImplementation((p: string) => p === 'anthropic');
+      mockAuthStorageInstance.get.mockReturnValue({ type: 'api_key', key: 'sk-stored-key-456' });
 
       const result = resolveModel('anthropic/claude-sonnet-4-20250514') as Record<string, unknown>;
 
@@ -93,6 +109,16 @@ describe('resolveModel', () => {
       expect(opencodeClaudeMaxProvider).not.toHaveBeenCalled();
     });
 
+    it('does not use env API key when no stored Anthropic credential exists', () => {
+      process.env.ANTHROPIC_API_KEY = 'sk-test-key-123';
+      mockAuthStorageInstance.get.mockReturnValue(undefined);
+
+      const result = resolveModel('anthropic/claude-sonnet-4-20250514') as Record<string, unknown>;
+
+      expect(result.__provider).toBe('claude-max-oauth');
+      expect(opencodeClaudeMaxProvider).toHaveBeenCalledWith('claude-sonnet-4-20250514');
+    });
+
     it('uses stored API key credential when not logged in via OAuth', () => {
       mockAuthStorageInstance.isLoggedIn.mockReturnValue(false);
       mockAuthStorageInstance.get.mockReturnValue({ type: 'api_key', key: 'sk-stored-key-456' });
@@ -106,7 +132,6 @@ describe('resolveModel', () => {
     });
 
     it('falls back to OAuth provider when no auth is configured (to prompt login)', () => {
-      mockAuthStorageInstance.isLoggedIn.mockReturnValue(false);
       mockAuthStorageInstance.get.mockReturnValue(undefined);
 
       resolveModel('anthropic/claude-sonnet-4-20250514');
@@ -122,14 +147,28 @@ describe('resolveModel', () => {
   });
 
   describe('openai/* models', () => {
-    it('uses codex provider when logged in via OAuth', () => {
-      mockAuthStorageInstance.isLoggedIn.mockReturnValue(true);
+    it('uses codex provider when stored OAuth credential exists', () => {
+      mockAuthStorageInstance.get.mockReturnValue({
+        type: 'oauth',
+        access: 'openai-oauth-access-token',
+        refresh: 'openai-oauth-refresh-token',
+        expires: Date.now() + 60_000,
+      });
       const result = resolveModel('openai/gpt-4o') as Record<string, unknown>;
       expect(result.__provider).toBe('openai-codex');
+      expect(openaiCodexProvider).toHaveBeenCalled();
     });
 
-    it('uses model router when not logged in via OAuth', () => {
-      mockAuthStorageInstance.isLoggedIn.mockReturnValue(false);
+    it('uses direct OpenAI API key provider when stored API key credential exists', () => {
+      mockAuthStorageInstance.get.mockReturnValue({ type: 'api_key', key: 'sk-openai-key' });
+      const result = resolveModel('openai/gpt-4o') as Record<string, unknown>;
+      expect(result.__provider).toBe('openai-direct');
+      expect(result.__wrapped).toBe(true);
+      expect(result.modelId).toBe('gpt-4o');
+    });
+
+    it('uses model router when no OpenAI auth is configured', () => {
+      mockAuthStorageInstance.get.mockReturnValue(undefined);
       const result = resolveModel('openai/gpt-4o') as Record<string, unknown>;
       expect(result.__provider).toBe('model-router');
     });
@@ -155,12 +194,7 @@ describe('getAnthropicApiKey', () => {
     process.env = { ...originalEnv };
   });
 
-  it('returns env var when ANTHROPIC_API_KEY is set', () => {
-    process.env.ANTHROPIC_API_KEY = 'sk-env-key';
-    expect(getAnthropicApiKey()).toBe('sk-env-key');
-  });
-
-  it('returns stored API key when no env var is set', () => {
+  it('returns stored API key when set', () => {
     mockAuthStorageInstance.get.mockReturnValue({ type: 'api_key', key: 'sk-stored-key' });
     expect(getAnthropicApiKey()).toBe('sk-stored-key');
   });
@@ -175,9 +209,26 @@ describe('getAnthropicApiKey', () => {
     expect(getAnthropicApiKey()).toBeUndefined();
   });
 
-  it('prefers env var over stored credential', () => {
+  it('ignores env var when no stored credential exists', () => {
     process.env.ANTHROPIC_API_KEY = 'sk-env-key';
-    mockAuthStorageInstance.get.mockReturnValue({ type: 'api_key', key: 'sk-stored-key' });
-    expect(getAnthropicApiKey()).toBe('sk-env-key');
+    mockAuthStorageInstance.get.mockReturnValue(undefined);
+    expect(getAnthropicApiKey()).toBeUndefined();
+  });
+});
+
+describe('getOpenAIApiKey', () => {
+  it('returns stored API key when set', () => {
+    mockAuthStorageInstance.get.mockReturnValue({ type: 'api_key', key: 'sk-openai-key' });
+    expect(getOpenAIApiKey()).toBe('sk-openai-key');
+  });
+
+  it('returns undefined when no API key is available', () => {
+    mockAuthStorageInstance.get.mockReturnValue(undefined);
+    expect(getOpenAIApiKey()).toBeUndefined();
+  });
+
+  it('returns undefined when stored credential is OAuth type', () => {
+    mockAuthStorageInstance.get.mockReturnValue({ type: 'oauth', access: 'token', refresh: 'r', expires: 0 });
+    expect(getOpenAIApiKey()).toBeUndefined();
   });
 });