Further enhancements

Key Changes:

New Services & Features:
*   **Prompt Guard Service:** Created `services/prompt_guard_service` to offload prompt injection detection models from the orchestrator and agents.
*   **CI/CD Pipeline:** Added `.github/workflows/ci.yml` to automate linting (`ruff`), testing (`pytest` with coverage), and security scanning (`bandit`, `pip-audit`).

Refactoring & Improvements:
*   **Vector DB Service:** Removed local `SentenceTransformer` fallback. The service now strictly relies on `EMBEDDING_SERVICE_URL` and uses gRPC (port 6334) for `QdrantClient` performance.
*   **Prompt Injection Guard:** Refactored `common/prompt_injection/guard.py` to function as a lightweight client for the new `prompt-guard-service`.
*   **Orchestrator:** optimized `reserve_agent_waiting_if_needed` logic and adjusted wait intervals.
*   **Dependencies:** Cleaned up `requirements.txt` by moving heavy ML libraries (torch, transformers) to their specific service Dockerfiles.

Infrastructure & Configuration:
*   **Cloud Build:** Updated `cloudbuild.yaml` to include the new prompt-guard service and granular deployment logic.
*   **Linting:** Added `ruff.toml` for consistent code styling.

BREAKING CHANGES:
*   `PROMPT_GUARD_SERVICE_URL` env var is now required if prompt injection checks are enabled.
*   `EMBEDDING_SERVICE_URL` env var is now mandatory; local embedding fallback has been removed.
*   `QDRANT_GRPC_PORT` defaults to 6334.

Author: partarstu

.github/workflows/ci.yml

@@ -0,0 +1,149 @@
+# SPDX-FileCopyrightText: 2025 Taras Paruta (partarstu@gmail.com)
+#
+# SPDX-License-Identifier: Apache-2.0
+
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.14"
+          cache: "pip"
+
+      - name: Install ruff
+        run: pip install ruff
+
+      - name: Run ruff linter
+        run: ruff check . --output-format=github
+
+  test:
+    name: Test (Python ${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.14"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+          cache: "pip"
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libmagic1
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+          pip install ruff
+
+      - name: Run tests with coverage
+        run: |
+          pytest tests/ \
+            --cov=. \
+            --cov-report=xml \
+            --cov-report=term-missing \
+            --junitxml=test-results.xml \
+            -v
+
+      - name: Upload coverage report
+        uses: codecov/codecov-action@v4
+        if: matrix.python-version == '3.14'
+        with:
+          files: ./coverage.xml
+          fail_ci_if_error: false
+          verbose: true
+        continue-on-error: true
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: test-results-${{ matrix.python-version }}
+          path: |
+            test-results.xml
+            coverage.xml
+          retention-days: 30
+
+  security:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.14"
+          cache: "pip"
+
+      - name: Install bandit
+        run: pip install bandit
+
+      - name: Run bandit security scan
+        run: bandit -r . -x ./tests,./orchestrator/ui,./.venv -f json -o bandit-report.json || true
+
+      - name: Upload bandit report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: bandit-security-report
+          path: bandit-report.json
+          retention-days: 30
+
+  dependency-check:
+    name: Dependency Vulnerability Check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.14"
+          cache: "pip"
+
+      - name: Install pip-audit
+        run: pip install pip-audit
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Run pip-audit
+        run: pip-audit --strict --desc || true
+        continue-on-error: true

Dockerfile.base

@@ -16,12 +16,5 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Create local_models directory for pre-downloaded models
 RUN mkdir -p /app/local_models
 
-# Copy and run scripts to pre-download the models
-COPY config.py /app/config.py
-COPY scripts/download_prompt_guard_model.py /app/scripts/download_prompt_guard_model.py
-
-# Download prompt injection detection model (if enabled)
-RUN python /app/scripts/download_prompt_guard_model.py
-
 # Keep the image clean
-RUN rm -rf /var/lib/apt/lists/*
+RUN rm -rf /var/lib/apt/lists/*

GEMINI.md

@@ -16,8 +16,13 @@ expertise in working with agentic systems.
   solution.
 * Every time you work with OS-specific commands, check the OS version and type in order to know which commands are
   correct.
-* Write code that is clear, readable, and follows the principles of [PEP 8](https://peps.python.org/pep-0008/).
-  Prioritize clarity over cleverness; avoid overly complex one-liners or list comprehensions.
+* Never reformat the code which you haven't modified!
+* Before implementing anything, always let the user know what you plan to do and ask the user to confirm it.
+* Never duplicate existing functionality. If you've noticed any existing logic or functionality which you need for your implementation, 
+  always reuse it. If reusing it directly can't be done, always extract it so that it's accessible (inheritance or composition) and then 
+  reuse it.
+* Never commit changes you've made into git unless explicitly asked by the user.
+* Write code that is clear and readable. Prioritize clarity over cleverness; avoid overly complex one-liners or list comprehensions.
 * Strictly adhere to PEP 8 naming conventions: `snake_case` for functions, methods, variables, and modules; `PascalCase`
   for classes; and `SCREAMING_SNAKE_CASE` for constants.
 * Use type hints for all function signatures (arguments and return values) to improve code clarity, enable static
@@ -36,9 +41,7 @@ expertise in working with agentic systems.
   code.
 * Avoid bare `except:` blocks. Always catch specific exceptions. Never let exceptions pass silently; at a minimum, log
   the exception to ensure errors are not ignored.
-* Write docstrings for all public modules, classes, and functions, following
-  the [PEP 257](https://peps.python.org/pep-0257/) conventions. Use comments to explain the *why*, not the *what*, of
-  non-obvious code.
+* Write docstrings for all public modules, classes, and functions, following the PEP 257 conventions. Use comments to explain the *why*, not the *what*, of non-obvious code.
 * Use `asyncio` for high-level, I/O-bound tasks, such as network requests or database interactions, to achieve high
   concurrency with a single thread.
 * Use `threading` for I/O-bound tasks where `asyncio` is not suitable or when integrating with blocking libraries.

README.md

@@ -24,6 +24,7 @@ Watch a demo of QuAIA™ in action:
     * UI & API Test Execution (separate project)    
     * Incident Report Creation
     * Jira Ticket RAG
+* **Dedicated Prompt Guard Service:** A dedicated microservice for detecting prompt injection attacks using the ProtectAI model.
 * **Web UI Monitoring Dashboard:** Real-time monitoring interface for:
     * Agent status visualization (AVAILABLE, BUSY, BROKEN states)
     * Task history with execution details and duration
@@ -101,7 +102,7 @@ For a visual representation of the system's architecture and data flow, please r
 
 ### Prerequisites
 
-* Python 3.13+
+* Python 3.14+
 * Docker
 * `pip` (Python package installer)
 * `virtualenv` (or `conda` for environment management)
@@ -200,13 +201,14 @@ TEMPERATURE=0.0 # Default: 0.0. Temperature parameter for models.
 # Qdrant Vector Database (for RAG and semantic search)
 QDRANT_URL=http://localhost # Default: http://localhost. URL of the Qdrant server.
 QDRANT_PORT=6333 # Default: 6333. Port of the Qdrant server.
+QDRANT_GRPC_PORT=6334 # Default: 6334. gRPC Port of the Qdrant server.
 QDRANT_API_KEY= # Optional. API key for Qdrant authentication.
 QDRANT_COLLECTION_NAME=jira_issues # Default: jira_issues. Name of the main collection for Jira issues.
 QDRANT_METADATA_COLLECTION_NAME=rag_metadata # Default: rag_metadata. Name of the collection for RAG metadata.
 RAG_MIN_SIMILARITY_SCORE=0.7 # Default: 0.7. Minimum similarity score for vector search results.
 RAG_MAX_RESULTS=5 # Default: 5. Maximum number of results to return from vector search.
 RAG_EMBEDDING_MODEL=Qwen/Qwen3-Embedding-0.6B # Default: Qwen/Qwen3-Embedding-0.6B. SentenceTransformer model for embeddings.
-EMBEDDING_SERVICE_URL= # Optional. URL of the embedding service for remote embedding generation.
+EMBEDDING_SERVICE_URL= # Required for agents using Vector DB. URL of the embedding service for remote embedding generation.
 EMBEDDING_SERVICE_TIMEOUT_SECONDS=60.0 # Default: 60.0. Timeout for embedding service requests.
 
 # Incident Creation Agent Configuration
@@ -217,6 +219,7 @@ ISSUE_SEVERITY_FIELD_NAME=customfield_10124 # Default: customfield_10124. Jira c
 # Prompt Injection Detection
 PROMPT_INJECTION_CHECK_ENABLED=False # Default: False. Set to "True" to enable prompt injection detection.
 PROMPT_GUARD_PROVIDER=protect_ai # Default: protect_ai. The provider for prompt injection detection.
+PROMPT_GUARD_SERVICE_URL= # Required if PROMPT_INJECTION_CHECK_ENABLED is True. URL of the prompt guard service.
 PROMPT_INJECTION_MIN_SCORE=0.8 # Default: 0.8. The minimum score for a prompt to be considered an injection.
 PROMPT_INJECTION_MODEL_NAME=ProtectAI/deberta-v3-base-prompt-injection-v2 # Default: ProtectAI/deberta-v3-base-prompt-injection-v2. The name of the model used for prompt injection detection.
 
@@ -291,7 +294,13 @@ To run the Jira MCP server, you will need Docker installed.
    python services/embedding_service/main.py
    ```
 
-3. **Start Individual Agents:**
+3. **Start the Prompt Guard Service (optional):**
+   Required if prompt injection checks are enabled.
+   ```bash
+   python services/prompt_guard_service/main.py
+   ```
+
+4. **Start Individual Agents:**
    Open separate terminal windows for each agent you want to run:
 
     * **Requirements Review Agent:**
@@ -319,7 +328,7 @@ To run the Jira MCP server, you will need Docker installed.
       python agents/jira_rag/main.py
       ```
 
-4. **Start the Orchestrator:**
+5. **Start the Orchestrator:**
    ```bash
    python orchestrator/main.py
    ```
@@ -418,11 +427,11 @@ you run any of the commands below.
 After having all preconditions fulfilled, you can execute the following command:
 
 ```bash
-gcloud builds submit --config 'path/to/your/cloudbuild.yaml' --substitutions "^;^_BUCKET_NAME=YOUR_GCS_BUCKET_NAME;_ALLURE_REPORTS_BUCKET=YOUR_ALLURE_REPORTS_BUCKET_NAME;_REQUIREMENTS_REVIEW_AGENT_BASE_URL=YOUR_REQUIREMENTS_REVIEW_AGENT_URL;_TEST_CASE_GENERATION_AGENT_BASE_URL=YOUR_TEST_CASE_GENERATION_AGENT_URL;_TEST_CASE_CLASSIFICATION_AGENT_BASE_URL=YOUR_TEST_CASE_CLASSIFICATION_AGENT_URL;_TEST_CASE_REVIEW_AGENT_BASE_URL=YOUR_TEST_CASE_REVIEW_AGENT_URL;_REMOTE_EXECUTION_AGENT_HOSTS=YOUR_COMMA_SEPARATED_AGENT_HOSTS" .
+gcloud builds submit --config 'path/to/your/cloudbuild.yaml' --substitutions "^;^_BUCKET_NAME=YOUR_GCS_BUCKET_NAME;_ALLURE_REPORTS_BUCKET=YOUR_ALLURE_REPORTS_BUCKET_NAME;_REQUIREMENTS_REVIEW_AGENT_BASE_URL=YOUR_REQUIREMENTS_REVIEW_AGENT_URL;_TEST_CASE_GENERATION_AGENT_BASE_URL=YOUR_TEST_CASE_GENERATION_AGENT_URL;_TEST_CASE_CLASSIFICATION_AGENT_BASE_URL=YOUR_TEST_CASE_CLASSIFICATION_AGENT_URL;_TEST_CASE_REVIEW_AGENT_BASE_URL=YOUR_TEST_CASE_REVIEW_AGENT_URL;_INCIDENT_CREATION_AGENT_BASE_URL=YOUR_INCIDENT_CREATION_AGENT_URL;_JIRA_RAG_UPDATE_AGENT_BASE_URL=YOUR_JIRA_RAG_UPDATE_AGENT_URL;_REMOTE_EXECUTION_AGENT_HOSTS=YOUR_COMMA_SEPARATED_AGENT_HOSTS;_PROMPT_GUARD_SERVICE_URL=YOUR_PROMPT_GUARD_SERVICE_URL;_DEPLOY_ALL_SERVICES=true" .
 ```
 
 ```powershell
-gcloud builds submit --config 'path/to/your/cloudbuild.yaml' --substitutions "`^;`^_BUCKET_NAME=YOUR_GCS_BUCKET_NAME;_ALLURE_REPORTS_BUCKET=YOUR_ALLURE_REPORTS_BUCKET_NAME;_REQUIREMENTS_REVIEW_AGENT_BASE_URL=YOUR_REQUIREMENTS_REVIEW_AGENT_URL;_TEST_CASE_GENERATION_AGENT_BASE_URL=YOUR_TEST_CASE_GENERATION_AGENT_URL;_TEST_CASE_CLASSIFICATION_AGENT_BASE_URL=YOUR_TEST_CASE_CLASSIFICATION_AGENT_URL;_TEST_CASE_REVIEW_AGENT_BASE_URL=YOUR_TEST_CASE_REVIEW_AGENT_URL;_REMOTE_EXECUTION_AGENT_HOSTS=YOUR_COMMA_SEPARATED_AGENT_HOSTS" .
+gcloud builds submit --config 'path/to/your/cloudbuild.yaml' --substitutions "`^;`^_BUCKET_NAME=YOUR_GCS_BUCKET_NAME;_ALLURE_REPORTS_BUCKET=YOUR_ALLURE_REPORTS_BUCKET_NAME;_REQUIREMENTS_REVIEW_AGENT_BASE_URL=YOUR_REQUIREMENTS_REVIEW_AGENT_URL;_TEST_CASE_GENERATION_AGENT_BASE_URL=YOUR_TEST_CASE_GENERATION_AGENT_URL;_TEST_CASE_CLASSIFICATION_AGENT_BASE_URL=YOUR_TEST_CASE_CLASSIFICATION_AGENT_URL;_TEST_CASE_REVIEW_AGENT_BASE_URL=YOUR_TEST_CASE_REVIEW_AGENT_URL;_INCIDENT_CREATION_AGENT_BASE_URL=YOUR_INCIDENT_CREATION_AGENT_URL;_JIRA_RAG_UPDATE_AGENT_BASE_URL=YOUR_JIRA_RAG_UPDATE_AGENT_URL;_REMOTE_EXECUTION_AGENT_HOSTS=YOUR_COMMA_SEPARATED_AGENT_HOSTS;_PROMPT_GUARD_SERVICE_URL=YOUR_PROMPT_GUARD_SERVICE_URL;_DEPLOY_ALL_SERVICES=true" .
 ```
 
 **Substitution Variables:**
@@ -439,6 +448,8 @@ gcloud builds submit --config 'path/to/your/cloudbuild.yaml' --substitutions "`^
 * `_JIRA_RAG_UPDATE_AGENT_BASE_URL`: The URL of the deployed Jira RAG Update Agent.
 * `_REMOTE_EXECUTION_AGENT_HOSTS`: A comma-separated list of URLs for all deployed agents that the orchestrator will
   interact with.
+* `_PROMPT_GUARD_SERVICE_URL`: The URL of the deployed Prompt Guard Service.
+* `_DEPLOY_ALL_SERVICES`: Set to `true` to deploy all services. Individual service flags (e.g., `_DEPLOY_JIRA_MCP`) are available for granular deployment.
 
 **Important**: Before the initial deployment of the framework into Google Cloud Run it's quite hard to know which URL
 will be assigned to each agent and orchestrator. That's why most probably you'll have to run the deployment command

agents/incident_creation/main.py

@@ -6,22 +6,21 @@
 import json
 import os
 import uuid
-from typing import List
 
 from a2a.types import FilePart, FileWithBytes
 from pydantic_ai import Agent
-from qdrant_client import models as qdrant_models
 from pydantic_ai.mcp import MCPServerSSE
+from qdrant_client import models as qdrant_models
 
 import config
-from agents.incident_creation.prompt import IncidentCreationPrompt, DuplicateDetectionPrompt
+from agents.incident_creation.prompt import DuplicateDetectionPrompt, IncidentCreationPrompt
 from common import utils
 from common.agent_base import AgentBase
 from common.custom_llm_wrapper import CustomLlmWrapper
 from common.models import (
+    DuplicateDetectionResult,
     IncidentCreationInput,
     IncidentCreationResult,
-    DuplicateDetectionResult,
     JiraIssue,
 )
 from common.services.test_management_system_client_provider import get_test_management_client
@@ -130,7 +129,7 @@ async def _search_duplicate_candidates_in_rag(self, incident_description: str) -
         return candidates
 
     @staticmethod
-    async def _get_linked_issues(test_case_key: str) -> List[str]:
+    async def _get_linked_issues(test_case_key: str) -> list[str]:
         """Fetches all Jira issues linked to the test case.
 
         Args:
@@ -150,7 +149,7 @@ async def _get_linked_issues(test_case_key: str) -> List[str]:
 
     def _save_artifacts(self) -> list[str]:
         """Saves all received file artifacts into the file system and returns their paths.
-        
+
         Files are saved to the local/host path (ATTACHMENTS_LOCAL_DESTINATION_FOLDER_PATH) but
         the returned paths use the MCP server's container path (MCP_SERVER_ATTACHMENTS_FOLDER_PATH)
         since the Jira MCP server runs in Docker and expects paths relative to its filesystem.
@@ -185,7 +184,7 @@ def _save_artifacts(self) -> list[str]:
                         saved_paths.append(mcp_file_path)
                         logger.info(f"Saved artifact '{original_name}' to {local_file_path} (MCP path: {mcp_file_path})")
                     except Exception:
-                        logger.exception(f"Failed to save artifact.")
+                        logger.exception("Failed to save artifact.")
 
         if saved_paths:
             logger.info(f"Saved {len(saved_paths)} artifacts so that they could be used by MCP server.")
@@ -211,7 +210,7 @@ async def _check_if_duplicate(self, input_data: IncidentCreationInput, candidate
     @staticmethod
     async def _link_issue_to_test_case(test_case_key: str, issue_id: int, link_type: str) -> str:
         """Links a bug issue to the test case using the test management system.
-        
+
         Args:
             test_case_key: The key of the test case (e.g., 'PROJ-T123').
             issue_id: The numeric ID of the created bug issue (not the key, but the ID).

agents/incident_creation/prompt.py

@@ -3,9 +3,10 @@
 # SPDX-License-Identifier: Apache-2.0
 
 from pathlib import Path
-from common.prompt_base import PromptBase
-from common import utils
+
 import config
+from common import utils
+from common.prompt_base import PromptBase
 
 logger = utils.get_logger("incident_creation_agent")