Merge branch 'main' into docs/superlinked-sie

Author: zhujiale520

.github/workflows/pr-welcome-comment.yml

@@ -104,13 +104,18 @@ jobs:
 
             // --- Group by product, merging owners across files ---
             const productOwners = new Map();
+            let authorIsOwner = false;
             for (const file of files) {
               const owners = findOwners(file.filename);
+              const ownerNames = owners.map(o => o.replace(/^@/, ''));
+
+              if (ownerNames.some(o => o.toLowerCase() === author.toLowerCase())) {
+                authorIsOwner = true;
+              }
+
               const product = getProductName(file.filename);
               if (!product || owners.length === 0) continue;
 
-              const ownerNames = owners.map(o => o.replace(/^@/, ''));
-
               // Skip areas where the author is already an owner
               if (ownerNames.some(o => o.toLowerCase() === author.toLowerCase())) continue;
 
@@ -123,7 +128,8 @@ jobs:
             }
 
             if (productOwners.size === 0) {
-              if (author.toLowerCase() === 'lnhsingh') return;
+              // Skip fallback if author owns any of the changed files
+              if (authorIsOwner || author.toLowerCase() === 'lnhsingh') return;
               productOwners.set('General changes', new Set(['lnhsingh']));
             }
 

src/code-samples/deepagents/content-builder.py

@@ -140,7 +140,7 @@ def load_subagents(config_path: Path) -> list:
 def create_content_writer():
     """Create a content writer agent configured by filesystem files."""
     return create_deep_agent(
-        model="openai:gpt-5.4",
+        model="anthropic:claude-sonnet-4-6",
         memory=["./AGENTS.md"],
         skills=["./skills/"],
         tools=[generate_cover, generate_social_image],

src/docs.json

@@ -734,8 +734,8 @@
                   "group": "Deployment guides",
                   "pages": [
                     "langsmith/deploy-to-cloud",
-                    "langsmith/deploy-with-control-plane",
                     "langsmith/deploy-standalone-server",
+                    "langsmith/deploy-with-control-plane",
                     "langsmith/diagnostics-self-hosted"
                   ]
                 },
@@ -963,7 +963,7 @@
             {
               "group": "Configure",
               "pages": [
-                "langsmith/fleet/setup",
+                "langsmith/fleet/workspace-admin",
                 "langsmith/fleet/agent-identity",
                 "langsmith/fleet/manage-agent-settings"
               ]
@@ -978,7 +978,8 @@
                 "langsmith/fleet/slack-app",
                 "langsmith/fleet/teams-app",
                 "langsmith/fleet/remote-mcp-servers",
-                "langsmith/fleet/arcade"
+                "langsmith/fleet/arcade",
+                "langsmith/fleet/salesforce"
               ]
             },
             {
@@ -2036,7 +2037,7 @@
     },
     {
       "source": "/langsmith/agent-builder-setup",
-      "destination": "/langsmith/fleet/setup"
+      "destination": "/langsmith/fleet/workspace-admin"
     },
     {
       "source": "/langsmith/agent-builder-manage-agent-settings",
@@ -2681,6 +2682,14 @@
     {
       "source": "/oss/python/langchain/frontend/integrations",
       "destination": "/oss/python/langchain/frontend/integrations/overview"
+    },
+    {
+      "source": "/langsmith/fleet/setup",
+      "destination": "/langsmith/fleet/workspace-admin"
+    },
+    {
+      "source": "/langsmith/fleet/workspace-settings",
+      "destination": "/langsmith/fleet/workspace-admin"
     }
   ]
 }

src/langsmith/abac.mdx

@@ -104,6 +104,8 @@ Each condition group specifies:
 | `prompt` | `prompts:read`, `prompts:update`, `prompts:delete`, `prompts:share`, `prompts:tag` |
 | `dataset` | `datasets:read`, `datasets:update`, `datasets:delete`, `datasets:share` |
 | `deployment` | `deployments:read`, `deployments:update`, `deployments:delete` |
+| `mcp_server` | `mcp-servers:read`, `mcp-servers:invoke`, `mcp-servers:update`, `mcp-servers:delete`. See [Fleet tool access control](/langsmith/fleet/access-and-oversight#tool-access-control). |
+| `fleet_integration` | `mcp-servers:read`, `mcp-servers:invoke`. See [Fleet tool access control](/langsmith/fleet/access-and-oversight#tool-access-control). |
 
 <Note>
 Runs don't have their own tags. Run permissions (`runs:read`, `runs:create`, `runs:share`, `runs:delete`) are evaluated against the parent project's tags.

src/langsmith/configure-input-output-preview.mdx

@@ -35,7 +35,7 @@ alt="Runs table showing the Format button at the top to configure input and outp
 
 When you select a trace name, LangSmith loads a successful trace example and renders its structure as an expandable tree. Each node in the tree represents a field in your data, showing:
 
-- Field names (e.g., messages, output, metadata).
+- Field names (e.g., `messages` for LLM conversation history, `output`, `metadata`).
 - Array indices (e.g., [0], [1], [-1] for last item).
 - Item counts for arrays (e.g., (3) indicating 3 items).
 - Preview values for strings and numbers displayed inline.
@@ -99,6 +99,8 @@ For example, your trace input is this:
 }
 ```
 
+In this example, `messages` is an array of message objects, each with a `role` (such as `system` or `user`) and a `content` field.
+
 To display the user's question:
 
 1. Expand the **messages** node (shows array items).

src/langsmith/deploy-standalone-server.mdx

@@ -5,23 +5,10 @@ icon: "server"
 description: Deploy standalone Agent Servers using Docker, Docker Compose, or Kubernetes without the LangSmith control plane.
 ---
 
-This guide shows you how to deploy **standalone <Tooltip tip="The server that runs your LangGraph applications.">Agent Servers</Tooltip>** without the LangSmith UI or control plane. This is the most lightweight self-hosting option for running one or a few agents as independent services.
-
-<Warning>
-This deployment option provides flexibility but requires you to manage your own infrastructure and configuration.
-
-For production workloads, consider [self-hosting the full LangSmith platform](/langsmith/self-hosted) or [deploying with the control plane](/langsmith/deploy-with-control-plane), which offer standardized deployment patterns and UI-based management.
-</Warning>
+This guide shows you how to deploy **standalone <Tooltip tip="The server that runs your LangGraph applications.">Agent Servers</Tooltip>** directly, without using the [LangSmith control plane](/langsmith/deploy-with-control-plane). You can deploy the server independently and still use LangSmith separately for tracing and evaluation. Standalone servers are production-ready and provide the most lightweight self-hosting option for running agents.
 
 <Note>
-**This is the setup page for deploying Agent Servers directly without the LangSmith platform.**
-
-Review the [self-hosted options](/langsmith/self-hosted) to understand:
-- [Standalone Server](/langsmith/self-hosted#standalone-server): What this guide covers (no UI, just servers).
-- [LangSmith](/langsmith/self-hosted#langsmith): For the full LangSmith platform with UI.
-- [LangSmith Deployment](/langsmith/self-hosted#enable-langsmith-deployment): For UI-based deployment management.
-
-Before continuing, review the [standalone server overview](/langsmith/self-hosted#standalone-server).
+For an overview of self-hosted deployment options, see [self-hosted options](/langsmith/self-hosted).
 </Note>
 
 ## Prerequisites
@@ -54,12 +41,14 @@ Before continuing, review the [standalone server overview](/langsmith/self-hoste
 <a id="helm"></a>
 ## Kubernetes
 
-Use this [Helm chart](https://github.com/langchain-ai/helm/blob/main/charts/langgraph-cloud/README.md) to deploy an Agent Server to a Kubernetes cluster.
+Use this [Helm chart](https://github.com/langchain-ai/helm/blob/main/charts/langgraph-cloud/README.md) to deploy an Agent Server to a Kubernetes cluster. This is the recommended setup for production standalone server deployments.
 
 The Helm chart (v0.2.6+) supports MongoDB checkpointing with a bundled instance (dev/testing) or an external deployment (production). Set `mongo.enabled: true` in your values file. See [Configure checkpointer backend](/langsmith/configure-checkpointer#deploy-by-environment) for full configuration details.
 
 ## Docker
 
+This `docker` example is intended for local development and testing.
+
 Run the following `docker` command:
 
 ```shell
@@ -82,7 +71,9 @@ and you should provide appropriate values for `REDIS_URI`, `DATABASE_URI`, and `
 
 ## Docker Compose
 
-Docker Compose YAML file:
+This Docker Compose example is intended for local development and testing.
+
+Use the following Docker Compose file:
 
 ```yml
 volumes:

src/langsmith/fleet/access-and-oversight.mdx

@@ -30,6 +30,101 @@ This is configurable per agent, so you can choose the right model for each use c
 
 For setup instructions, see [Agent identity](/langsmith/fleet/agent-identity).
 
+## Tool access control
+
+Fleet provides layered access control for tools, covering both **custom MCP servers** (user-added, workspace-scoped) and **built-in integrations** (platform-provided, such as Gmail, Slack, and GitHub):
+
+- **[Role-based access control (RBAC)](#rbac-role-based-permissions)**: Controls access at the role level.
+- **[Attribute-based access control (ABAC)](#attribute-based-access-control)**: Adds per-resource granularity on top of RBAC.
+- **[Workspace integration policy](#workspace-integration-policy)**: Provides an admin-controlled enable/disable gate for built-in integrations.
+
+<Note>
+Tool access control is an Enterprise feature. If you are interested in this feature, [contact our sales team](https://www.langchain.com/contact-sales).
+</Note>
+
+### Role-based permissions
+
+Role-based access control (RBAC) grants or denies access to all MCP servers and integrations in a workspace based on a user's role. Configure roles in **Settings > Roles**.
+
+The following permissions are available for MCP servers and integrations:
+
+| Permission | Description |
+|------------|-------------|
+| `mcp-servers:read` | Discover and list MCP servers and integrations |
+| `mcp-servers:invoke` | Execute tools from MCP servers and integrations, including OAuth connect/disconnect |
+| `mcp-servers:create` | Create new MCP server configurations |
+| `mcp-servers:update` | Modify MCP server configurations |
+| `mcp-servers:delete` | Remove MCP server configurations |
+
+<Note>
+A role with `mcp-servers:read` and `mcp-servers:invoke` can see and use all MCP servers and integrations in the workspace.
+</Note>
+
+For more on RBAC, see [Role-based access control](/langsmith/rbac).
+
+#### Create a role with tool permissions
+
+<Steps>
+  <Step title="Open role settings">
+    Navigate to **Settings > Roles** and click **Create role**.
+  </Step>
+  <Step title="Configure MCP Servers permissions">
+    Expand the **MCP Servers** section and select the permissions to include. For example, grant `Read` and `Invoke` for users who need to use tools but not manage server configurations.
+  </Step>
+  <Step title="Assign the role">
+    Assign the role to users in the workspace in **Settings > Members**.
+  </Step>
+</Steps>
+
+### Attribute-based access control
+
+Attribute-based access control (ABAC) adds resource-level granularity on top of RBAC. Admins can tag individual MCP servers or integrations and create policies that grant or restrict access based on those tags.
+
+ABAC operates on two resource types for tools:
+
+| Resource type | Applies to |
+|---------------|-----------|
+| `mcp_server` | Custom MCP servers added to the workspace |
+| `fleet_integration` | Built-in integrations (Gmail, Slack, GitHub, etc.) |
+
+<Note>
+A role with no `mcp-servers:*` RBAC permissions can still be granted access to specific tagged resources (e.g. only Notion and Gmail) via an ABAC allow policy. Conversely, a role with broad RBAC access can be restricted from specific resources via an ABAC deny policy.
+</Note>
+
+For details on policy structure, operators, and managing policies via the API, see [Attribute-based access control](/langsmith/abac).
+
+### Workspace integration policy
+
+Built-in integrations have an additional control layer: a workspace-level enable/disable toggle managed from **Settings > Integrations > Access control**. This acts as an admin-controlled baseline that runs before per-user RBAC and ABAC.
+
+If an integration is disabled at the workspace level, no user can access it regardless of their role or ABAC policies.
+
+<Note>
+The Access control page is only visible to admin users (requires `workspaces:manage` permission).
+</Note>
+
+### Policy evaluation order
+
+The three layers evaluate in sequence. The evaluation order differs slightly between custom MCP servers and built-in integrations:
+
+**Custom MCP servers:**
+
+```
+ABAC deny → RBAC → ABAC allow
+```
+
+**Built-in integrations:**
+
+```
+Workspace policy gate → ABAC deny → RBAC → ABAC allow
+```
+
+At each step:
+1. **Workspace policy gate** (integrations only): If the integration is disabled, access is denied. No further evaluation.
+2. **ABAC deny**: If a deny policy matches, access is denied. Deny always wins.
+3. **RBAC**: If the user's role grants the required permission, access is allowed (unless step 4 is needed).
+4. **ABAC allow**: If RBAC does not grant access, an allow policy can still grant it for specific tagged resources.
+
 ## Observability and audit trail
 
 Agent actions in Fleet are captured in a structured [LangSmith trace](/langsmith/observability), including tool calls, decisions, and outputs. You can inspect, search, and export traces.

src/langsmith/fleet/agent-identity.mdx

@@ -3,7 +3,7 @@ title: Agent identity
 description: Choose whether your Fleet agent authenticates with its own credentials or with each user's credentials.
 ---
 
-Agent identity controls whose [credentials](/langsmith/fleet/setup) the agent uses when it interacts with apps and services.
+Agent identity controls whose [credentials](/langsmith/fleet/workspace-admin) the agent uses when it interacts with apps and services.
 
 <Warning>
 Once an agent identity is set, it cannot be changed.

src/langsmith/fleet/essentials.mdx

@@ -7,7 +7,7 @@ LangSmith Fleet essentials are the core features that make up the foundation of
 
 ## Agent identity
 
-Agent identity controls whose [credentials](/langsmith/fleet/setup) the agent uses when it interacts with apps and services.
+Agent identity controls whose [credentials](/langsmith/fleet/workspace-admin) the agent uses when it interacts with apps and services.
 
 See [Agent identity](/langsmith/fleet/agent-identity) for more information.
 
@@ -91,19 +91,26 @@ To edit instructions:
 You can also update instructions by prompting the agent directly in the chat. For example: "Update your instructions to always respond in bullet points."
 </Tip>
 
-## Memory and updates
+## Memory
 
-Agents remember important information from previous conversations and can update themselves to work better.
+Agents remember important information from previous conversations and can update themselves to work better. Fleet agents use two sources of memory:
 
-- **Memory**: Agents persist relevant details from past interactions by writing files to a **memories folder** (using `write_file` and `edit_file` tool calls). This lets them make better decisions in future conversations.
-- **Self-updates**: Agents can add new tools, remove ones they don't need, or adjust their instructions to improve how they work.
-- **What stays the same**: Agents can't change their name, description, or the channels that start them.
+- **Thread-scoped memory**: Context from the current conversation thread, including messages and actions in that thread.
+- **Long-term memory**: Persistent files in the agent workspace, such as `AGENTS.md`, `tools.json` (tool configuration), `subagents/*`, and `skills/*`. These are loaded at runtime and available from the start of each run. `AGENTS.md` is inserted into the system prompt automatically. Other long-term files are not added to the prompt automatically; the agent must read them on demand (for example, using the `read_file` tool).
+
+Agents persist relevant details from past interactions by writing files to a **memories folder** (using `write_file` and `edit_file` tool calls). This helps them make better decisions in future conversations.
 
 <Note>
-By default, agents require approval before saving to the memories folder. You can disable this in the agent's settings. For agents that run on automated schedules (such as [schedules](/langsmith/fleet/schedules#add-a-schedule)), disable the approval requirement so the agent can persist information without manual intervention. See [Update memory](/langsmith/fleet/manage-agent-settings#update-memory) for instructions.
+By default, agents require approval before saving to the memories folder. You can disable this in the agent's settings.
+
+For agents that run on automated [schedules](/langsmith/fleet/schedules#add-a-schedule), we recommend [disabling the approval requirement](/langsmith/fleet/manage-agent-settings#disable-required-approval-for-memory-updates) so the agent can persist information without manual intervention.
 </Note>
 
-For more information, see [How we built Agent Builder's memory system](https://www.langchain.com/conceptual-guides/how-we-built-agent-builders-memory).
+For more information, see [How we built the memory system for Fleet (formerly known as Agent Builder)](https://www.langchain.com/conceptual-guides/how-we-built-agent-builders-memory).
+
+## Self-updates
+
+Agents can update themselves: they can add new tools, remove ones they don't need, or adjust their instructions. However, agents can't change their name, description, or the channels that start them.
 
 ## Skills
 
@@ -173,7 +180,7 @@ Fleet traces all agent runs and stores them in LangSmith. LLM providers do not r
 
 ## Next steps
 
-- [Set up your workspace](/langsmith/fleet/setup)
+- [Set up your workspace](/langsmith/fleet/workspace-admin)
 - [Connect apps and services](/langsmith/fleet/tools)
 - [Use remote servers for tools](/langsmith/fleet/remote-mcp-servers)
 - [Choose between workspace and private agents](/langsmith/fleet/manage-agent-settings)

src/langsmith/fleet/index.mdx

@@ -68,7 +68,7 @@ Disclaimers:
 
 - [Essentials: connections, automation, memory, approvals](/langsmith/fleet/essentials)
 - [Create from a template](/langsmith/fleet/templates)
-- [Set up your workspace](/langsmith/fleet/setup)
+- [Set up your workspace](/langsmith/fleet/workspace-admin)
 - [Connect apps and services](/langsmith/fleet/tools) and [use remote connections](/langsmith/fleet/mcp-framework)
 - [Choose between workspace and private agents](/langsmith/fleet/manage-agent-settings)
 - [Authorize accounts when prompted](/langsmith/fleet/auth-format)