Merge branch 'main' into add-generate-card-command

Author: guillaumeblaquiere

.github/workflows/mypy-new-errors.yml

@@ -0,0 +1,74 @@
+name: Mypy New Error Check
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+
+jobs:
+  mypy-diff:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.10', '3.11', '3.12', '3.13',]
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Generate Baseline (Main)
+        run: |
+          # Switch to main branch to generate baseline
+          git checkout origin/main
+
+          git checkout ${{ github.sha }} -- pyproject.toml
+          
+          # Install dependencies for main
+          uv venv .venv
+          source .venv/bin/activate
+          uv sync --all-extras
+          
+          # Run mypy, filter for errors only, remove line numbers (file:123: -> file::), and sort
+          # We ignore exit code (|| true) because we expect errors on main
+          uv run mypy . | grep "error:" | sed 's/:\([0-9]\+\):/::/g' | sort > main_errors.txt || true
+          
+          echo "Found $(wc -l < main_errors.txt) errors on main."
+
+      - name: Check PR Branch
+        run: |
+          # Switch back to the PR commit
+          git checkout ${{ github.sha }}
+          
+          # Re-sync dependencies in case the PR changed them
+          source .venv/bin/activate
+          uv sync --all-extras
+          
+          # Run mypy on PR code, apply same processing
+          uv run mypy . | grep "error:" | sed 's/:\([0-9]\+\):/::/g' | sort > pr_errors.txt || true
+          
+          echo "Found $(wc -l < pr_errors.txt) errors on PR branch."
+
+      - name: Compare and Fail on New Errors
+        run: |
+          # 'comm -13' suppresses unique lines in file1 (main) and common lines, 
+          # leaving only lines unique to file2 (PR) -> The new errors.
+          comm -13 main_errors.txt pr_errors.txt > new_errors.txt
+          
+          if [ -s new_errors.txt ]; then
+            echo "::error::The following NEW mypy errors were introduced:"
+            cat new_errors.txt
+            exit 1
+          else
+            echo "Great job! No new mypy errors introduced."
+          fi

.github/workflows/mypy.yml

@@ -0,0 +1,32 @@
+name: Mypy Type Check
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  mypy:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ['3.10', '3.11', '3.12', '3.13',]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v1
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: uv sync --all-extras
+
+      - name: Run mypy
+
+        run: uv run mypy . --strict

contributing/samples/adk_documentation/adk_release_analyzer/agent.py

@@ -57,8 +57,25 @@
 from google.adk.agents.loop_agent import LoopAgent
 from google.adk.agents.readonly_context import ReadonlyContext
 from google.adk.agents.sequential_agent import SequentialAgent
+from google.adk.models import Gemini
 from google.adk.tools.exit_loop_tool import exit_loop
 from google.adk.tools.tool_context import ToolContext
+from google.genai import types
+
+# Retry configuration for handling API rate limits and overload
+_RETRY_OPTIONS = types.HttpRetryOptions(
+    initial_delay=10,
+    attempts=8,
+    exp_base=2,
+    max_delay=300,
+    http_status_codes=[429, 503],
+)
+
+# Use gemini-3-pro-preview for planning and summary (better quality)
+GEMINI_PRO_WITH_RETRY = Gemini(
+    model="gemini-3-pro-preview",
+    retry_options=_RETRY_OPTIONS,
+)
 
 # Maximum number of files per analysis group to avoid context overflow
 MAX_FILES_PER_GROUP = 5
@@ -249,7 +266,7 @@ def get_release_context(tool_context: ToolContext) -> dict[str, Any]:
 # =============================================================================
 
 planner_agent = Agent(
-    model="gemini-2.5-pro",
+    model=GEMINI_PRO_WITH_RETRY,
     name="release_planner",
     description=(
         "Plans the analysis by fetching release info and organizing files into"
@@ -272,12 +289,12 @@ def get_release_context(tool_context: ToolContext) -> dict[str, Any]:
 
 3. Call `get_changed_files_summary` to get the list of changed files WITHOUT
    the full patches (to save context space).
-   - **IMPORTANT**: Pass `local_repo_path="{LOCAL_REPOS_DIR_PATH}/{CODE_REPO}"`
-     to use local git and avoid GitHub API's 300-file limit.
+   - **IMPORTANT**: Pass these parameters:
+     - `local_repo_path="{LOCAL_REPOS_DIR_PATH}/{CODE_REPO}"` to avoid 300-file limit
+     - `path_filter="src/google/adk/"` to only get ADK source files (reduces token usage)
 
-4. Filter and organize the files:
-   - **INCLUDE** only files in `src/google/adk/` directory
-   - **EXCLUDE** test files, `__init__.py`, and files outside src/
+4. Further filter the returned files:
+   - **EXCLUDE** test files and `__init__.py` files
    - **IMPORTANT**: Do NOT exclude any file just because it has few changes.
      Even single-line changes to public APIs need documentation updates.
    - **PRIORITIZE** by importance:
@@ -423,7 +440,7 @@ def file_analyzer_instruction(readonly_context: ReadonlyContext) -> str:
 
 
 file_group_analyzer = Agent(
-    model="gemini-2.5-pro",
+    model=GEMINI_PRO_WITH_RETRY,
     name="file_group_analyzer",
     description=(
         "Analyzes a group of changed files and generates recommendations."
@@ -507,7 +524,7 @@ def summary_instruction(readonly_context: ReadonlyContext) -> str:
 
 
 summary_agent = Agent(
-    model="gemini-2.5-pro",
+    model=GEMINI_PRO_WITH_RETRY,
     name="summary_agent",
     description="Compiles recommendations and creates the GitHub issue.",
     instruction=summary_instruction,
@@ -542,7 +559,7 @@ def summary_instruction(readonly_context: ReadonlyContext) -> str:
 # =============================================================================
 
 root_agent = Agent(
-    model="gemini-2.5-pro",
+    model=GEMINI_PRO_WITH_RETRY,
     name="adk_release_analyzer",
     description=(
         "Analyzes ADK Python releases and generates documentation update"

contributing/samples/adk_documentation/tools.py

@@ -605,6 +605,7 @@ def get_changed_files_summary(
     start_tag: str,
     end_tag: str,
     local_repo_path: Optional[str] = None,
+    path_filter: Optional[str] = None,
 ) -> Dict[str, Any]:
   """Gets a summary of changed files between two releases without patches.
 
@@ -620,14 +621,17 @@ def get_changed_files_summary(
       local_repo_path: Optional absolute path to local git repo. If provided
           and valid, uses git diff instead of GitHub API to get complete
           file list (avoids 300-file limit).
+      path_filter: Optional path prefix to filter files. Only files whose
+          path starts with this prefix will be included. Example:
+          "src/google/adk/" to only include ADK source files.
 
   Returns:
       A dictionary containing the status and a summary of changed files.
   """
   # Use local git if valid path is provided (avoids GitHub API 300-file limit)
   if local_repo_path and os.path.isdir(os.path.join(local_repo_path, ".git")):
     return _get_changed_files_from_local_git(
-        local_repo_path, start_tag, end_tag, repo_owner, repo_name
+        local_repo_path, start_tag, end_tag, repo_owner, repo_name, path_filter
     )
 
   # Fall back to GitHub API (limited to 300 files)
@@ -689,6 +693,7 @@ def _get_changed_files_from_local_git(
     end_tag: str,
     repo_owner: str,
     repo_name: str,
+    path_filter: Optional[str] = None,
 ) -> Dict[str, Any]:
   """Gets changed files using local git commands (no file limit).
 
@@ -698,6 +703,7 @@ def _get_changed_files_from_local_git(
       end_tag: The newer tag (head) for the comparison.
       repo_owner: Repository owner for compare URL.
       repo_name: Repository name for compare URL.
+      path_filter: Optional path prefix to filter files.
 
   Returns:
       A dictionary containing the status and a summary of changed files.
@@ -766,6 +772,10 @@ def _get_changed_files_from_local_git(
         status_code = parts[0][0]  # First char is the status
         filename = parts[-1]  # Last part is filename (handles renames)
 
+        # Apply path filter if specified
+        if path_filter and not filename.startswith(path_filter):
+          continue
+
         stats = file_stats.get(
             filename,
             {

contributing/samples/mcp_toolset_auth/README.md

@@ -0,0 +1,47 @@
+# MCP Toolset OAuth Authentication Sample
+
+This sample demonstrates the toolset authentication feature where OAuth credentials are required for both tool listing and tool calling.
+
+## Overview
+
+The toolset authentication flow works in two phases:
+
+1. **Phase 1**: When the agent tries to get tools from the MCP server without credentials, the toolset signals "authentication required" and returns an auth request event.
+
+2. **Phase 2**: After the user provides OAuth credentials, the agent can successfully list and call tools.
+
+## Files
+
+- `oauth_mcp_server.py` - MCP server that requires Bearer token authentication
+- `agent.py` - Agent configuration with OAuth-protected MCP toolset
+- `main.py` - Test script demonstrating the two-phase auth flow
+
+## Running the Sample
+
+1. Start the MCP server in one terminal:
+
+```bash
+PYTHONPATH=src python contributing/samples/mcp_toolset_auth/oauth_mcp_server.py
+```
+
+2. Run the test script in another terminal:
+
+```bash
+PYTHONPATH=src python contributing/samples/mcp_toolset_auth/main.py
+```
+
+## Expected Behavior
+
+1. First invocation yields an `adk_request_credential` function call
+2. The credential ID is `_adk_toolset_auth_McpToolset` to indicate toolset auth
+3. After providing the access token, the agent can list and call tools
+
+## Testing with ADK Web UI
+
+You can also test with the ADK web UI:
+
+```bash
+adk web contributing/samples/mcp_toolset_auth
+```
+
+Note: The web UI will display the auth request and you'll need to manually provide credentials.

contributing/samples/mcp_toolset_auth/__init__.py

@@ -0,0 +1,15 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from . import agent

contributing/samples/mcp_toolset_auth/agent.py

@@ -0,0 +1,76 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Agent that uses MCP toolset requiring OAuth authentication.
+
+This agent demonstrates the toolset authentication feature where OAuth
+credentials are required for both tool listing and tool calling.
+"""
+
+from __future__ import annotations
+
+from fastapi.openapi.models import OAuth2
+from fastapi.openapi.models import OAuthFlowAuthorizationCode
+from fastapi.openapi.models import OAuthFlows
+from google.adk.agents import LlmAgent
+from google.adk.auth.auth_credential import AuthCredential
+from google.adk.auth.auth_credential import AuthCredentialTypes
+from google.adk.auth.auth_credential import OAuth2Auth
+from google.adk.tools.mcp_tool.mcp_session_manager import StreamableHTTPConnectionParams
+from google.adk.tools.mcp_tool.mcp_toolset import McpToolset
+
+# OAuth2 auth scheme with authorization code flow
+# This specifies the OAuth metadata needed for the full OAuth flow
+auth_scheme = OAuth2(
+    flows=OAuthFlows(
+        authorizationCode=OAuthFlowAuthorizationCode(
+            authorizationUrl='https://example.com/oauth/authorize',
+            tokenUrl='https://example.com/oauth/token',
+            scopes={'read': 'Read access', 'write': 'Write access'},
+        )
+    )
+)
+
+# OAuth credential with client credentials (used for token exchange)
+# In a real scenario, this would be used to obtain the access token
+auth_credential = AuthCredential(
+    auth_type=AuthCredentialTypes.OAUTH2,
+    oauth2=OAuth2Auth(
+        client_id='test_client_id',
+        client_secret='test_client_secret',
+    ),
+)
+
+# Create the MCP toolset with OAuth authentication
+mcp_toolset = McpToolset(
+    connection_params=StreamableHTTPConnectionParams(
+        url='http://localhost:3001/mcp',
+    ),
+    auth_scheme=auth_scheme,
+    auth_credential=auth_credential,
+)
+
+# Define the agent that uses the OAuth-protected MCP toolset
+root_agent = LlmAgent(
+    model='gemini-2.0-flash',
+    name='oauth_mcp_agent',
+    instruction="""You are a helpful assistant that can access user information.
+
+You have access to tools that require authentication:
+- get_user_profile: Get profile information for a specific user
+- list_users: List all available users
+
+When the user asks about users, use these tools to help them.""",
+    tools=[mcp_toolset],
+)