ci(workflow): Support intermediate steps output in Antigravity runner

- Adds secure command policy to the LocalAgentConfig in scripts/run_antigravity.py
  that denies unsafe command executions and checks for shell injection.
- Allows both `gh` and `git` commands to be executed by the agent runner.
- Adds custom `fetch_github_issue` and `fetch_github_pr` Python tools to the
  Antigravity agent runner configuration, using `curl` to enable direct JSON
  metadata fetches from GitHub without requiring a configured `gh` CLI environment.
- Introduces the --show-steps CLI flag to scripts/run_antigravity.py
  to output intermediate thoughts, tool calls, and tool results (default off).
- Updates .github/workflows/issue-analyze.yml to capture stdout from the
  runner script, run automatic triage for any user's opened issues, and post
  the report to the triggering GitHub issue as a comment via the `gh` CLI tool.
- Updates the adk-issue-analyze and adk-pr-triage skills to prefer using the
  custom `fetch_github_issue` Python tool over raw `gh` command lines, and
  strictly enforces that the issue-analyze skill is read-only and must not edit files.

Change-Id: I58a9c64f0680a56d07b9877cbcb9ffe027afeee2

Author: boyangsvl

.agents/skills/adk-issue-analyze/SKILL.md

@@ -8,18 +8,19 @@ description: Analyze and triage a GitHub issue for the adk-python repository. Us
 This skill provides a structured workflow for analyzing, verifying, and triaging GitHub issues from the `google/adk-python` repository. When instructed to analyze/triage an issue, follow this read-only workflow.
 
 > [!IMPORTANT]
-> This skill is strictly **read-only**: Do NOT modify any code, create new branches, or write any implementation during this phase.
+> **Strict Read-Only Constraint**:
+> This skill is strictly **read-only**. You MUST NOT modify any code, create new branches, or write any implementation. Your role is only to analyze the issue and output the report. Do NOT use file creation or editing tools (e.g. `write_to_file`, `replace_file_content`, `edit_file`, etc.).
+>
+> **Strict Tooling Constraint**:
+> Do NOT use `curl`, `wget`, or any HTTP requests to fetch issue/PR content. You MUST parse/extract the issue number and use strictly the custom `fetch_github_issue` / `fetch_github_pr` python tools (or the `gh` command).
 
 ## Step 1: Retrieve and Parse the Issue
 1. **Extract the issue number**: Parse the number from the link or prompt (e.g., `https://github.com/google/adk-python/issues/5882` -> `5882`).
-2. **Fetch issue details**: Use the `gh` CLI tool to fetch issue details in JSON format:
+2. **Fetch issue details**: Use the custom python tool `fetch_github_issue(issue_number=<number>)` to get the issue metadata. This is the preferred method as it avoids command execution policy issues.
+   *If the custom python tool is not available, fall back to running the gh command:*
    ```bash
    gh issue view <issue_number> --repo google/adk-python --json number,title,body,state,labels,comments,assignees,createdAt,closedAt
    ```
-   *If the `gh` CLI is not available or errors out, use `read_url_content` to fetch the public GitHub issue page:*
-   ```
-   https://github.com/google/adk-python/issues/<issue_number>
-   ```
 
 ---
 
@@ -108,6 +109,15 @@ Present your final analysis as a high-quality markdown response using the follow
 ---
 
 ## Tips & Best Practices
+> [!IMPORTANT]
+> **Command Sandbox Policy**:
+> When running commands via `run_command`, you MUST ONLY use `gh` or `git` commands. Commands like `curl`, `wget`, or direct HTTP network requests are strictly forbidden and will be automatically denied.
+> Furthermore, you MUST ONLY use simple commands without special characters (such as `;`, `&`, `|`, `$`, `` ` ``, `<`, `>`, `\n`, `\r`, `(`, `)`, `{`, `}`, `\`). The runner environment runs a security policy that automatically denies any commands containing these characters. Always run clean `gh` or `git` commands directly with arguments, without redirections, command chaining, or shell expansions.
+
+> [!IMPORTANT]
+> **Strict Read-Only Enforcement**:
+> When executing the `adk-issue-analyze` skill, you MUST NOT use any file modification or editing tools (such as `edit_file`, `replace_file_content`, `write_to_file`, `notebook_edit`, etc.). Your output must strictly be a text markdown report following the template provided, without editing any workspace files or writing/fixing code.
+
 > [!TIP]
 > Always use explicit repository qualifiers (`--repo google/adk-python`) when running `gh` commands to avoid failures due to custom internal or local git remotes.
 

.agents/skills/adk-pr-triage/SKILL.md

@@ -30,6 +30,9 @@ This skill guides AI assistants in conducting a highly professional, rigorous, a
 >    Wait for instructions before performing any branch creation or Gerrit push.
 ---
 ## Phase 1: Retrieve and Parse the PR & Linked Context (Read-Only)
+> [!IMPORTANT]
+> **Strict Tooling Constraint**: Do NOT use `curl`, `wget`, or any HTTP requests to fetch PR/issue content. You MUST parse/extract the numbers and use strictly the custom `fetch_github_issue` / `fetch_github_pr` python tools, the `gh` command, or the helper scripts provided.
+
 ### Step 1: Extract PR Identifier, Verify CLA Signature & PR Assignment (Mandatory Entry Gate)
 1. **Identify the PR identifier**: Parse the PR number or URL from the prompt (e.g., `https://github.com/google/adk-python/pull/5885` -> `5885`).
 2. **CRITICAL COMPLIANCE & ASSIGNMENT GATES - Run Verification Script**:
@@ -63,10 +66,11 @@ This skill guides AI assistants in conducting a highly professional, rigorous, a
        - **PR IS ALREADY ASSIGNED TO YOU**: Proceed directly with Step 1.3.
 3. **Parse PR Details from Script Output**: The verification script in Step 2 outputs the complete PR details JSON directly to standard output, wrapped in `[PR_METADATA_JSON]` and `[/PR_METADATA_JSON]` tags. Do NOT write to or read from local cache files, and do NOT make separate network commands to fetch PR details. Parse the JSON metadata directly from the command's stdout:
    * **Key JSON Attributes**: `number`, `title`, `body`, `state`, `url`, `author`, `additions`, `deletions`, `changedFiles`, `labels`, `assignees`, `closingIssuesReferences` (used to locate linked issues).
-4. **Locate and Fetch Linked Issue(s)**: Extract linked closing issues directly from the `closingIssuesReferences` array in the parsed JSON metadata from the script's stdout. If any closing issues are linked, fetch their details to understand the original problem statement:
-   ```bash
-   gh issue view <issue_number> --repo google/adk-python --json number,title,body,state
-   ```
+4. **Locate and Fetch Linked Issue(s)**: Extract linked closing issues directly from the `closingIssuesReferences` array in the parsed JSON metadata from the script's stdout. If any closing issues are linked, fetch their details using the custom python tool `fetch_github_issue(issue_number=<number>)`. This is preferred as it avoids command execution policy issues.
+    *If the custom python tool is not available, run the gh command:*
+    ```bash
+    gh issue view <issue_number> --repo google/adk-python --json number,title,body,state
+    ```
 ### Step 2: Retrieve the Complete Diff
 1. **Fetch pull request changes**: Run the `gh pr diff` command to view the actual line-by-line diff of the PR:
    ```bash
@@ -280,6 +284,11 @@ Please let me know if you have any questions on these suggestions, and let's wor
 ````
 ---
 ## Tips & Best Practices
+> [!IMPORTANT]
+> **Command Sandbox Policy**:
+> When running commands via `run_command`, you MUST ONLY use `gh` or `git` commands. Commands like `curl`, `wget`, or direct HTTP network requests are strictly forbidden and will be automatically denied.
+> Furthermore, you MUST ONLY use simple commands without special characters (such as `;`, `&`, `|`, `$`, `` ` ``, `<`, `>`, `\n`, `\r`, `(`, `)`, `{`, `}`, `\`). The runner environment runs a security policy that automatically denies any commands containing these characters. Always run clean `gh` or `git` commands directly with arguments, without redirections, command chaining, or shell expansions.
+
 > [!TIP]
 > Always verify the baseline behavior in your active workspace before claiming something is a bug or invalid. Reading the current source files using `view_file` gives you full context.
 > [!IMPORTANT]

.github/workflows/issue-analyze.yml

@@ -34,7 +34,11 @@ jobs:
         github.event_name == 'workflow_dispatch' ||
         (github.event_name == 'issue_comment' &&
          !github.event.issue.pull_request &&
-         startsWith(github.event.comment.body, '/adk-issue-analyze'))
+         startsWith(github.event.comment.body, '/adk-issue-analyze') && (
+           github.event.comment.author_association == 'OWNER' ||
+           github.event.comment.author_association == 'MEMBER' ||
+           github.event.comment.author_association == 'COLLABORATOR'
+         ))
       )
     runs-on: ubuntu-latest
     permissions:
@@ -63,4 +67,12 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.ADK_TRIAGE_AGENT }}
           GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
-        run: python scripts/run_antigravity.py "/adk-issue-analyze ${{ github.event.issue.html_url || inputs.issue_url }}"
+        run: |
+          python scripts/run_antigravity.py "/adk-issue-analyze ${{ github.event.issue.html_url || inputs.issue_url }}" > triage_report.md
+          cat triage_report.md
+
+      - name: Post Triage Report as Comment
+        env:
+          GITHUB_TOKEN: ${{ secrets.ADK_TRIAGE_AGENT }}
+        run: |
+          gh issue comment "${{ github.event.issue.html_url || inputs.issue_url }}" --body-file triage_report.md

scripts/run_antigravity.py

@@ -14,14 +14,22 @@
 
 """Runner script to execute prompts/commands via the Antigravity SDK."""
 
+import argparse
 import asyncio
 import os
+import shlex
 import sys
+from typing import Any
 
 try:
   from google.antigravity import Agent
   from google.antigravity import CapabilitiesConfig
   from google.antigravity import LocalAgentConfig
+  from google.antigravity.hooks import policy
+  from google.antigravity.types import Text
+  from google.antigravity.types import Thought
+  from google.antigravity.types import ToolCall
+  from google.antigravity.types import ToolResult
 except ImportError:
   print(
       "Error: google-antigravity package is not installed. Run 'pip install"
@@ -31,12 +39,125 @@
   sys.exit(1)
 
 
+def _is_safe_command(args: dict[str, Any]) -> bool:
+  """Validates if the command is a safe 'gh' or 'git' execution with no shell injections."""
+  cmd = (args.get("command_line") or args.get("CommandLine") or "").strip()
+  if not cmd:
+    return False
+
+  # Forbid shell metacharacters and control characters
+  forbidden_chars = {
+      ";",
+      "&",
+      "|",
+      "$",
+      "`",
+      "<",
+      ">",
+      "\n",
+      "\r",
+      "(",
+      ")",
+      "\\",
+      "{",
+      "}",
+  }
+  if any(char in cmd for char in forbidden_chars):
+    return False
+
+  try:
+    tokens = shlex.split(cmd)
+  except ValueError:
+    return False
+
+  if not tokens:
+    return False
+
+  return tokens[0] in {"gh", "git"}
+
+
+def fetch_github_issue(issue_number: int) -> str:
+  """Fetches the details of a GitHub issue from the google/adk-python repository.
+
+  Args:
+    issue_number: The issue number (e.g. 5949).
+  """
+  import subprocess
+
+  # Use curl to fetch the issue details.
+  # This supports running it outside of the gh CLI environment (e.g. without login/remotes setup).
+  cmd = [
+      "curl",
+      "-s",
+  ]
+  token = os.environ.get("GITHUB_TOKEN")
+  if token:
+    cmd.extend(["-H", f"Authorization: token {token}"])
+  cmd.append(
+      f"https://api.github.com/repos/google/adk-python/issues/{issue_number}"
+  )
+
+  try:
+    res = subprocess.run(cmd, capture_output=True, text=True, check=False)
+    if res.returncode != 0:
+      return (
+          f"Error: Failed to fetch issue {issue_number}: {res.stderr.strip()}"
+      )
+    return res.stdout.strip()
+  except Exception as e:
+    return f"Error: Failed to run curl command: {e}"
+
+
+def fetch_github_pr(pr_number: int) -> str:
+  """Fetches the details of a GitHub Pull Request from the google/adk-python repository.
+
+  Args:
+    pr_number: The PR number (e.g. 5956).
+  """
+  import subprocess
+
+  # Use curl to fetch the PR details.
+  # This supports running it outside of the gh CLI environment (e.g. without login/remotes setup).
+  cmd = [
+      "curl",
+      "-s",
+  ]
+  token = os.environ.get("GITHUB_TOKEN")
+  if token:
+    cmd.extend(["-H", f"Authorization: token {token}"])
+  cmd.append(
+      f"https://api.github.com/repos/google/adk-python/pulls/{pr_number}"
+  )
+
+  try:
+    res = subprocess.run(cmd, capture_output=True, text=True, check=False)
+    if res.returncode != 0:
+      return f"Error: Failed to fetch PR {pr_number}: {res.stderr.strip()}"
+    return res.stdout.strip()
+  except Exception as e:
+    return f"Error: Failed to run curl command: {e}"
+
+
 async def main():
-  if len(sys.argv) < 2:
-    print("Usage: python run_antigravity.py <prompt>", file=sys.stderr)
-    sys.exit(1)
+  parser = argparse.ArgumentParser(
+      description=(
+          "Runner script to execute prompts/commands via the Antigravity SDK."
+      )
+  )
+  parser.add_argument(
+      "--show-steps",
+      action="store_true",
+      help="Show intermediate thoughts, tool calls, and tool results.",
+  )
+  parser.add_argument(
+      "prompt",
+      nargs="+",
+      help="The prompt to send to the Antigravity Agent.",
+  )
+  parsed_args = parser.parse_args()
 
-  prompt = " ".join(sys.argv[1:])
+  show_steps = parsed_args.show_steps
+  prompt = " ".join(parsed_args.prompt)
 
   # Ensure GEMINI_API_KEY is set (using GOOGLE_API_KEY as fallback)
   if "GOOGLE_API_KEY" in os.environ and "GEMINI_API_KEY" not in os.environ:
@@ -49,16 +170,57 @@ async def main():
     )
     sys.exit(1)
 
+  skills_dir = os.path.abspath(
+      os.path.join(os.path.dirname(__file__), "..", ".agents", "skills")
+  )
   config = LocalAgentConfig(
       capabilities=CapabilitiesConfig(),
+      tools=[fetch_github_issue, fetch_github_pr],
+      policies=[
+          policy.deny(
+              "run_command",
+              when=lambda args: not _is_safe_command(args),
+              name="only_allow_gh_and_git",
+          ),
+      ],
+      skills_paths=[skills_dir],
   )
 
   try:
     async with Agent(config) as agent:
       response = await agent.chat(prompt)
-      async for token in response:
-        sys.stdout.write(token)
-        sys.stdout.flush()
+      if show_steps:
+        in_thinking = False
+        async for chunk in response.chunks:
+          if isinstance(chunk, Thought):
+            if not in_thinking:
+              sys.stdout.write("[Thinking...]\n")
+              in_thinking = True
+            sys.stdout.write(chunk.text)
+            sys.stdout.flush()
+          elif isinstance(chunk, ToolCall):
+            if in_thinking:
+              sys.stdout.write("\n[End of Thinking]\n")
+              in_thinking = False
+            print(
+                f"\n[Calling Tool: {chunk.name} with args: {chunk.args}]",
+                flush=True,
+            )
+          elif isinstance(chunk, ToolResult):
+            status = f"Error: {chunk.error}" if chunk.error else "Success"
+            print(f"\n[Tool {chunk.name} finished: {status}]", flush=True)
+          elif isinstance(chunk, Text):
+            if in_thinking:
+              sys.stdout.write("\n[End of Thinking]\n")
+              in_thinking = False
+            sys.stdout.write(chunk.text)
+            sys.stdout.flush()
+        if in_thinking:
+          sys.stdout.write("\n[End of Thinking]\n")
+      else:
+        async for token in response:
+          sys.stdout.write(token)
+          sys.stdout.flush()
       print()
   except Exception as e:  # pylint: disable=broad-exception-caught
     print(f"\nError running Antigravity Agent: {e}", file=sys.stderr)