Merge upstream/main into vzgpt-core

Author: lwangverizon

.agents/skills/adk-issue-analyze/SKILL.md

@@ -8,18 +8,19 @@ description: Analyze and triage a GitHub issue for the adk-python repository. Us
 This skill provides a structured workflow for analyzing, verifying, and triaging GitHub issues from the `google/adk-python` repository. When instructed to analyze/triage an issue, follow this read-only workflow.
 
 > [!IMPORTANT]
-> This skill is strictly **read-only**: Do NOT modify any code, create new branches, or write any implementation during this phase.
+> **Strict Read-Only Constraint**:
+> This skill is strictly **read-only**. You MUST NOT modify any code, create new branches, or write any implementation. Your role is only to analyze the issue and output the report. Do NOT use file creation or editing tools (e.g. `write_to_file`, `replace_file_content`, `edit_file`, etc.).
+>
+> **Strict Tooling Constraint**:
+> Do NOT use `curl`, `wget`, or any HTTP requests to fetch issue/PR content. You MUST parse/extract the issue number and use strictly the custom `fetch_github_issue` / `fetch_github_pr` python tools (or the `gh` command).
 
 ## Step 1: Retrieve and Parse the Issue
 1. **Extract the issue number**: Parse the number from the link or prompt (e.g., `https://github.com/google/adk-python/issues/5882` -> `5882`).
-2. **Fetch issue details**: Use the `gh` CLI tool to fetch issue details in JSON format:
+2. **Fetch issue details**: Use the custom python tool `fetch_github_issue(issue_number=<number>)` to get the issue metadata. This is the preferred method as it avoids command execution policy issues.
+   *If the custom python tool is not available, fall back to running the gh command:*
    ```bash
    gh issue view <issue_number> --repo google/adk-python --json number,title,body,state,labels,comments,assignees,createdAt,closedAt
    ```
-   *If the `gh` CLI is not available or errors out, use `read_url_content` to fetch the public GitHub issue page:*
-   ```
-   https://github.com/google/adk-python/issues/<issue_number>
-   ```
 
 ---
 
@@ -63,7 +64,6 @@ Search for any existing pull requests that attempt to resolve the issue:
   ```
 - **Analyze progress**: Check if the PR is open, merged, or closed, and if it successfully fixes the issue according to the repository's testing patterns.
 - **Present the structured report**: Format and present your findings structured as a premium report following the **Report Template** below.
-- **Offer to create a fix**: If no existing PR is found, you MUST explicitly ask the user: "Would you like me to create and implement a fix for this issue in the workspace? (Note: The changes and tests will be created in a new branch but NOT committed, so you can review and iterate on them.)"
 
 ---
 
@@ -109,6 +109,15 @@ Present your final analysis as a high-quality markdown response using the follow
 ---
 
 ## Tips & Best Practices
+> [!IMPORTANT]
+> **Command Sandbox Policy**:
+> When running commands via `run_command`, you MUST ONLY use `gh` or `git` commands. Commands like `curl`, `wget`, or direct HTTP network requests are strictly forbidden and will be automatically denied.
+> Furthermore, you MUST ONLY use simple commands without special characters (such as `;`, `&`, `|`, `$`, `` ` ``, `<`, `>`, `\n`, `\r`, `(`, `)`, `{`, `}`, `\`). The runner environment runs a security policy that automatically denies any commands containing these characters. Always run clean `gh` or `git` commands directly with arguments, without redirections, command chaining, or shell expansions.
+
+> [!IMPORTANT]
+> **Strict Read-Only Enforcement**:
+> When executing the `adk-issue-analyze` skill, you MUST NOT use any file modification or editing tools (such as `edit_file`, `replace_file_content`, `write_to_file`, `notebook_edit`, etc.). Your output must strictly be a text markdown report following the template provided, without editing any workspace files or writing/fixing code.
+
 > [!TIP]
 > Always use explicit repository qualifiers (`--repo google/adk-python`) when running `gh` commands to avoid failures due to custom internal or local git remotes.
 

.agents/skills/adk-pr-triage/SKILL.md

@@ -30,6 +30,9 @@ This skill guides AI assistants in conducting a highly professional, rigorous, a
 >    Wait for instructions before performing any branch creation or Gerrit push.
 ---
 ## Phase 1: Retrieve and Parse the PR & Linked Context (Read-Only)
+> [!IMPORTANT]
+> **Strict Tooling Constraint**: Do NOT use `curl`, `wget`, or any HTTP requests to fetch PR/issue content. You MUST parse/extract the numbers and use strictly the custom `fetch_github_issue` / `fetch_github_pr` python tools, the `gh` command, or the helper scripts provided.
+
 ### Step 1: Extract PR Identifier, Verify CLA Signature & PR Assignment (Mandatory Entry Gate)
 1. **Identify the PR identifier**: Parse the PR number or URL from the prompt (e.g., `https://github.com/google/adk-python/pull/5885` -> `5885`).
 2. **CRITICAL COMPLIANCE & ASSIGNMENT GATES - Run Verification Script**:
@@ -63,10 +66,11 @@ This skill guides AI assistants in conducting a highly professional, rigorous, a
        - **PR IS ALREADY ASSIGNED TO YOU**: Proceed directly with Step 1.3.
 3. **Parse PR Details from Script Output**: The verification script in Step 2 outputs the complete PR details JSON directly to standard output, wrapped in `[PR_METADATA_JSON]` and `[/PR_METADATA_JSON]` tags. Do NOT write to or read from local cache files, and do NOT make separate network commands to fetch PR details. Parse the JSON metadata directly from the command's stdout:
    * **Key JSON Attributes**: `number`, `title`, `body`, `state`, `url`, `author`, `additions`, `deletions`, `changedFiles`, `labels`, `assignees`, `closingIssuesReferences` (used to locate linked issues).
-4. **Locate and Fetch Linked Issue(s)**: Extract linked closing issues directly from the `closingIssuesReferences` array in the parsed JSON metadata from the script's stdout. If any closing issues are linked, fetch their details to understand the original problem statement:
-   ```bash
-   gh issue view <issue_number> --repo google/adk-python --json number,title,body,state
-   ```
+4. **Locate and Fetch Linked Issue(s)**: Extract linked closing issues directly from the `closingIssuesReferences` array in the parsed JSON metadata from the script's stdout. If any closing issues are linked, fetch their details using the custom python tool `fetch_github_issue(issue_number=<number>)`. This is preferred as it avoids command execution policy issues.
+    *If the custom python tool is not available, run the gh command:*
+    ```bash
+    gh issue view <issue_number> --repo google/adk-python --json number,title,body,state
+    ```
 ### Step 2: Retrieve the Complete Diff
 1. **Fetch pull request changes**: Run the `gh pr diff` command to view the actual line-by-line diff of the PR:
    ```bash
@@ -280,6 +284,11 @@ Please let me know if you have any questions on these suggestions, and let's wor
 ````
 ---
 ## Tips & Best Practices
+> [!IMPORTANT]
+> **Command Sandbox Policy**:
+> When running commands via `run_command`, you MUST ONLY use `gh` or `git` commands. Commands like `curl`, `wget`, or direct HTTP network requests are strictly forbidden and will be automatically denied.
+> Furthermore, you MUST ONLY use simple commands without special characters (such as `;`, `&`, `|`, `$`, `` ` ``, `<`, `>`, `\n`, `\r`, `(`, `)`, `{`, `}`, `\`). The runner environment runs a security policy that automatically denies any commands containing these characters. Always run clean `gh` or `git` commands directly with arguments, without redirections, command chaining, or shell expansions.
+
 > [!TIP]
 > Always verify the baseline behavior in your active workspace before claiming something is a bug or invalid. Reading the current source files using `view_file` gives you full context.
 > [!IMPORTANT]

.github/workflows/issue-analyze.yml

@@ -0,0 +1,78 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: ADK Issue Triage & Analysis
+
+on:
+  issues:
+    types: [opened]
+  issue_comment:
+    types: [created]
+  workflow_dispatch:
+    inputs:
+      issue_url:
+        description: 'The URL of the GitHub issue to analyze'
+        required: true
+        type: string
+
+jobs:
+  issue-analyze:
+    if: >-
+      github.repository == 'google/adk-python' && (
+        github.event_name == 'issues' ||
+        github.event_name == 'workflow_dispatch' ||
+        (github.event_name == 'issue_comment' &&
+         !github.event.issue.pull_request &&
+         startsWith(github.event.comment.body, '/adk-issue-analyze') && (
+           github.event.comment.author_association == 'OWNER' ||
+           github.event.comment.author_association == 'MEMBER' ||
+           github.event.comment.author_association == 'COLLABORATOR'
+         ))
+      )
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: '3.11'
+
+      - name: Authenticate to Google Cloud
+        id: auth
+        uses: 'google-github-actions/auth@v3'
+        with:
+          credentials_json: '${{ secrets.ADK_GCP_SA_KEY }}'
+
+      - name: Install Google Antigravity SDK
+        run: pip install google-antigravity
+
+      - name: Run Antigravity Triage
+        env:
+          GITHUB_TOKEN: ${{ secrets.ADK_TRIAGE_AGENT }}
+          GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
+        run: |
+          python scripts/run_antigravity.py "/adk-issue-analyze ${{ github.event.issue.html_url || inputs.issue_url }}" > triage_report.md
+          cat triage_report.md
+
+      - name: Post Triage Report as Comment
+        env:
+          GITHUB_TOKEN: ${{ secrets.ADK_TRIAGE_AGENT }}
+        run: |
+          gh issue comment "${{ github.event.issue.html_url || inputs.issue_url }}" --body-file triage_report.md

scripts/run_antigravity.py

@@ -0,0 +1,231 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Runner script to execute prompts/commands via the Antigravity SDK."""
+
+import argparse
+import asyncio
+import os
+import shlex
+import sys
+from typing import Any
+
+try:
+  from google.antigravity import Agent
+  from google.antigravity import CapabilitiesConfig
+  from google.antigravity import LocalAgentConfig
+  from google.antigravity.hooks import policy
+  from google.antigravity.types import Text
+  from google.antigravity.types import Thought
+  from google.antigravity.types import ToolCall
+  from google.antigravity.types import ToolResult
+except ImportError:
+  print(
+      "Error: google-antigravity package is not installed. Run 'pip install"
+      " google-antigravity'",
+      file=sys.stderr,
+  )
+  sys.exit(1)
+
+
+def _is_safe_command(args: dict[str, Any]) -> bool:
+  """Validates if the command is a safe 'gh' or 'git' execution with no shell injections."""
+  cmd = (args.get("command_line") or args.get("CommandLine") or "").strip()
+  if not cmd:
+    return False
+
+  # Forbid shell metacharacters and control characters
+  forbidden_chars = {
+      ";",
+      "&",
+      "|",
+      "$",
+      "`",
+      "<",
+      ">",
+      "\n",
+      "\r",
+      "(",
+      ")",
+      "\\",
+      "{",
+      "}",
+  }
+  if any(char in cmd for char in forbidden_chars):
+    return False
+
+  try:
+    tokens = shlex.split(cmd)
+  except ValueError:
+    return False
+
+  if not tokens:
+    return False
+
+  return tokens[0] in {"gh", "git"}
+
+
+def fetch_github_issue(issue_number: int) -> str:
+  """Fetches the details of a GitHub issue from the google/adk-python repository.
+
+  Args:
+    issue_number: The issue number (e.g. 5949).
+  """
+  import subprocess
+
+  # Use curl to fetch the issue details.
+  # This supports running it outside of the gh CLI environment (e.g. without login/remotes setup).
+  cmd = [
+      "curl",
+      "-s",
+  ]
+  token = os.environ.get("GITHUB_TOKEN")
+  if token:
+    cmd.extend(["-H", f"Authorization: token {token}"])
+  cmd.append(
+      f"https://api.github.com/repos/google/adk-python/issues/{issue_number}"
+  )
+
+  try:
+    res = subprocess.run(cmd, capture_output=True, text=True, check=False)
+    if res.returncode != 0:
+      return (
+          f"Error: Failed to fetch issue {issue_number}: {res.stderr.strip()}"
+      )
+    return res.stdout.strip()
+  except Exception as e:
+    return f"Error: Failed to run curl command: {e}"
+
+
+def fetch_github_pr(pr_number: int) -> str:
+  """Fetches the details of a GitHub Pull Request from the google/adk-python repository.
+
+  Args:
+    pr_number: The PR number (e.g. 5956).
+  """
+  import subprocess
+
+  # Use curl to fetch the PR details.
+  # This supports running it outside of the gh CLI environment (e.g. without login/remotes setup).
+  cmd = [
+      "curl",
+      "-s",
+  ]
+  token = os.environ.get("GITHUB_TOKEN")
+  if token:
+    cmd.extend(["-H", f"Authorization: token {token}"])
+  cmd.append(
+      f"https://api.github.com/repos/google/adk-python/pulls/{pr_number}"
+  )
+
+  try:
+    res = subprocess.run(cmd, capture_output=True, text=True, check=False)
+    if res.returncode != 0:
+      return f"Error: Failed to fetch PR {pr_number}: {res.stderr.strip()}"
+    return res.stdout.strip()
+  except Exception as e:
+    return f"Error: Failed to run curl command: {e}"
+
+
+async def main():
+  parser = argparse.ArgumentParser(
+      description=(
+          "Runner script to execute prompts/commands via the Antigravity SDK."
+      )
+  )
+  parser.add_argument(
+      "--show-steps",
+      action="store_true",
+      help="Show intermediate thoughts, tool calls, and tool results.",
+  )
+  parser.add_argument(
+      "prompt",
+      nargs="+",
+      help="The prompt to send to the Antigravity Agent.",
+  )
+  parsed_args = parser.parse_args()
+
+  show_steps = parsed_args.show_steps
+  prompt = " ".join(parsed_args.prompt)
+
+  # Ensure GEMINI_API_KEY is set (using GOOGLE_API_KEY as fallback)
+  if "GOOGLE_API_KEY" in os.environ and "GEMINI_API_KEY" not in os.environ:
+    os.environ["GEMINI_API_KEY"] = os.environ["GOOGLE_API_KEY"]
+
+  if "GEMINI_API_KEY" not in os.environ:
+    print(
+        "Error: GEMINI_API_KEY environment variable is not set.",
+        file=sys.stderr,
+    )
+    sys.exit(1)
+
+  skills_dir = os.path.abspath(
+      os.path.join(os.path.dirname(__file__), "..", ".agents", "skills")
+  )
+  config = LocalAgentConfig(
+      capabilities=CapabilitiesConfig(),
+      tools=[fetch_github_issue, fetch_github_pr],
+      policies=[
+          policy.deny(
+              "run_command",
+              when=lambda args: not _is_safe_command(args),
+              name="only_allow_gh_and_git",
+          ),
+      ],
+      skills_paths=[skills_dir],
+  )
+
+  try:
+    async with Agent(config) as agent:
+      response = await agent.chat(prompt)
+      if show_steps:
+        in_thinking = False
+        async for chunk in response.chunks:
+          if isinstance(chunk, Thought):
+            if not in_thinking:
+              sys.stdout.write("[Thinking...]\n")
+              in_thinking = True
+            sys.stdout.write(chunk.text)
+            sys.stdout.flush()
+          elif isinstance(chunk, ToolCall):
+            if in_thinking:
+              sys.stdout.write("\n[End of Thinking]\n")
+              in_thinking = False
+            print(
+                f"\n[Calling Tool: {chunk.name} with args: {chunk.args}]",
+                flush=True,
+            )
+          elif isinstance(chunk, ToolResult):
+            status = f"Error: {chunk.error}" if chunk.error else "Success"
+            print(f"\n[Tool {chunk.name} finished: {status}]", flush=True)
+          elif isinstance(chunk, Text):
+            if in_thinking:
+              sys.stdout.write("\n[End of Thinking]\n")
+              in_thinking = False
+            sys.stdout.write(chunk.text)
+            sys.stdout.flush()
+        if in_thinking:
+          sys.stdout.write("\n[End of Thinking]\n")
+      else:
+        async for token in response:
+          sys.stdout.write(token)
+          sys.stdout.flush()
+      print()
+  except Exception as e:  # pylint: disable=broad-exception-caught
+    print(f"\nError running Antigravity Agent: {e}", file=sys.stderr)
+    sys.exit(1)
+
+
+if __name__ == "__main__":
+  asyncio.run(main())