Skip to content

feat(evals): add local report command and developer documentation#28369

Open
ved015 wants to merge 1 commit into
google-gemini:mainfrom
Gsoc26:feat/eval-reporting-docs
Open

feat(evals): add local report command and developer documentation#28369
ved015 wants to merge 1 commit into
google-gemini:mainfrom
Gsoc26:feat/eval-reporting-docs

Conversation

@ved015

@ved015 ved015 commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a local evaluation report summary utility and a developer guide for behavioral evaluations. Developers can run npm run eval:report to aggregate pass rates by model from Vitest report.json files and map results back to their inventory policies, correctly supporting duplicate test names across different files via compound keys. Also adds a comprehensive contributor guide covering the EDK commands, validation rules, and CI setup.

Details

  • scripts/utils/eval-report.ts — recursive file scanner, model-path parser, pass rate aggregator (using compound file + title keys), and JSON/human summary formatters
  • scripts/eval-report-cli.ts — CLI wrapper for the report aggregator supporting positional paths, --json, and --root
  • scripts/tests/eval-report.test.ts — 11 unit tests covering model extraction, file scanning, formatting schemas, and duplicate test name non-collision checks
  • package.json — wired the "eval:report" command script
  • docs/behavioral-evals.md — comprehensive developer guide for EDK commands, validation rules, PR checklists, and CI steps
  • docs/sidebar.json — linked the guide under the Development sidebar section

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

@ved015 ved015 requested review from a team as code owners July 12, 2026 21:35
@github-actions github-actions Bot added the size/l A large sized PR label Jul 12, 2026
@github-actions

Copy link
Copy Markdown

📊 PR Size: size/L

  • Lines changed: 873
  • Additions: +873
  • Deletions: -0
  • Files changed: 6

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the evaluation development kit (EDK) by adding tooling to analyze and report on behavioral evaluation results. It enables developers to easily aggregate pass rates across different models and provides clear documentation to streamline the contributor workflow for writing and maintaining behavioral evaluations.

Highlights

  • Local Evaluation Reporting: Added a new CLI utility npm run eval:report to aggregate and summarize Vitest report.json files, providing pass rate metrics per model.
  • Developer Documentation: Introduced a comprehensive guide for behavioral evaluations, covering EDK commands, validation rules, and CI integration.
  • Test Coverage: Added unit tests for the reporting utility to ensure accurate model extraction, report scanning, and handling of duplicate test names.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces the Eval Development Kit (EDK) reporting tool, which includes a new CLI command (npm run eval:report), utility functions to parse and summarize Vitest test reports, comprehensive unit tests, and documentation for behavioral evaluations. The review feedback highlights critical security and robustness improvements, specifically recommending that file path inputs and parsed JSON properties be validated and sanitized to prevent path traversal vulnerabilities, null byte injections, and potential runtime TypeErrors.

Comment on lines +38 to +42
export function findReportFiles(dir: string): string[] {
const reports: string[] = [];
if (!fs.existsSync(dir)) return reports;

const entries = fs.readdirSync(dir, { withFileTypes: true });

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Utility functions that perform file system operations, such as findReportFiles, should validate their path inputs internally to prevent path traversal vulnerabilities, rather than relying solely on callers to perform validation. Additionally, if dir is a file rather than a directory, fs.readdirSync will throw an ENOTDIR error. We should gracefully handle cases where a user passes a direct file path or an invalid path type, while ensuring the path is validated.

Suggested change
export function findReportFiles(dir: string): string[] {
const reports: string[] = [];
if (!fs.existsSync(dir)) return reports;
const entries = fs.readdirSync(dir, { withFileTypes: true });
export function findReportFiles(dir: string): string[] {
const reports: string[] = [];
if (!dir || dir.includes('\0') || dir.includes('..')) {
return reports;
}
if (!fs.existsSync(dir)) return reports;
try {
const stat = fs.statSync(dir);
if (stat.isFile()) {
if (path.basename(dir) === 'report.json') {
return [dir];
}
return reports;
}
} catch {
return reports;
}
const entries = fs.readdirSync(dir, { withFileTypes: true });
References
  1. Utility functions that perform file system operations should validate their path inputs internally to prevent path traversal vulnerabilities, rather than relying solely on callers to perform validation.

Comment on lines +96 to +101
for (const fileResult of data.testResults) {
const filePath = fileResult.name;
const normalizedPath = path.resolve(filePath).replace(/\\/g, '/');
if (Array.isArray(fileResult.assertionResults)) {
for (const assertion of fileResult.assertionResults) {
const testName = assertion.title;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

The properties fileResult.name and assertion.title are parsed from untrusted JSON. If either is missing or null, path.resolve(filePath) or accessing assertion.title will throw a TypeError. Furthermore, since fileResult.name is extracted from an untrusted source, we must sanitize the file path to prevent path traversal (..), null byte injection (\0), and other vulnerabilities.

Suggested change
for (const fileResult of data.testResults) {
const filePath = fileResult.name;
const normalizedPath = path.resolve(filePath).replace(/\\/g, '/');
if (Array.isArray(fileResult.assertionResults)) {
for (const assertion of fileResult.assertionResults) {
const testName = assertion.title;
for (const fileResult of data.testResults) {
if (!fileResult || typeof fileResult.name !== 'string') {
continue;
}
const filePath = fileResult.name;
if (filePath.includes('\0') || filePath.includes('..')) {
continue;
}
const normalizedPath = path.resolve(filePath).replace(/\\/g, '/');
if (Array.isArray(fileResult.assertionResults)) {
for (const assertion of fileResult.assertionResults) {
if (!assertion || typeof assertion.title !== 'string') {
continue;
}
const testName = assertion.title;
References
  1. Sanitize file paths extracted from untrusted sources, such as command output, to prevent path traversal (..), null byte injection (\0), and other vulnerabilities.

@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/l A large sized PR status/need-issue Pull requests that need to have an associated issue.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant