[PENDING] Adding sessiontemplate tools to serverless-spark #1
Draft
vinodhinic wants to merge 51 commits into dborowitz:main from
Author: Docs and integ tests need to be updated still.
…s add other serverless-spark clients.
## Description

Adds commands for Serverless Spark sessions analogous to existing list/get commands for batches.

Unlike batches, we don't plan to add create session commands, as these are generally only created via the Jupyter protocol. Agents will need to have other ways to create sessions, for example by interacting directly with an IDE like Jupyter Lab or VS Code, but those won't be part of MCP Toolbox.

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [ ] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change

🛠️ Part of googleapis#2405

Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
…nding (googleapis#2219)

## Summary

Adds MCP tool annotations (`readOnlyHint`, `destructiveHint`) to all 9 MongoDB tools to help LLMs better understand tool behavior and make safer decisions.

## Changes

| Tool | Annotation |
|------|------------|
| mongodb-find | `readOnlyHint: true` |
| mongodb-find-one | `readOnlyHint: true` |
| mongodb-aggregate | `readOnlyHint: true` |
| mongodb-insert-one | `destructiveHint: true` |
| mongodb-insert-many | `destructiveHint: true` |
| mongodb-update-one | `destructiveHint: true` |
| mongodb-update-many | `destructiveHint: true` |
| mongodb-delete-one | `destructiveHint: true` |
| mongodb-delete-many | `destructiveHint: true` |

## Implementation

Each tool now:

1. Has an `Annotations` field in its Config struct for YAML configurability
2. Provides default annotations if not explicitly configured
3. Passes annotations to `GetMcpManifest()` instead of `nil`

This follows the exact pattern established by the Looker tools (e.g., `lookergetconnectionschemas`, `lookerupdateprojectfile`).

## Why This Matters

- **Semantic metadata**: Annotations provide information beyond just the tool description
- **Safety signals**: `readOnlyHint` tells LLMs a tool is safe to call without side effects
- **Destructive awareness**: `destructiveHint` signals LLMs should be more careful before executing
- **Better tool selection**: LLMs can prioritize read-only tools for information gathering
- **MCP compliance**: Follows the [MCP tool annotations specification](https://modelcontextprotocol.io/specification/2025-06-18/schema#toolannotations)

## Testing

- [ ] CI builds successfully
- [ ] `tools/list` returns annotations in MCP response

## Files Changed

- `internal/tools/mongodb/mongodbfind/mongodbfind.go`
- `internal/tools/mongodb/mongodbfindone/mongodbfindone.go`
- `internal/tools/mongodb/mongodbaggregate/mongodbaggregate.go`
- `internal/tools/mongodb/mongodbinsertone/mongodbinsertone.go`
- `internal/tools/mongodb/mongodbinsertmany/mongodbinsertmany.go`
- `internal/tools/mongodb/mongodbupdateone/mongodbupdateone.go`
- `internal/tools/mongodb/mongodbupdatemany/mongodbupdatemany.go`
- `internal/tools/mongodb/mongodbdeleteone/mongodbdeleteone.go`
- `internal/tools/mongodb/mongodbdeletemany/mongodbdeletemany.go`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: triepod-ai <199543909+triepod-ai@users.noreply.github.com>
Co-authored-by: bryankthompson <199543909+bryankthompson@users.noreply.github.com>
Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v6.2.0` → `v6.3.0` |
| [lycheeverse/lychee-action](https://redirect.github.com/lycheeverse/lychee-action) ([changelog](https://redirect.github.com/lycheeverse/lychee-action/compare/a8c4c7cb88f0c7386610c35eb25108e448569cb0..8646ba30535128ac92d33dfc9133794bfdd9b411)) | action | digest | `a8c4c7c` → `8646ba3` |

---

### Release Notes

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

### [`v6.3.0`](https://redirect.github.com/actions/setup-go/compare/v6.2.0...v6.3.0)

[Compare Source](https://redirect.github.com/actions/setup-go/compare/v6.2.0...v6.3.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/genai-toolbox).

Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
Co-authored-by: Averi Kitsch <akitsch@google.com>
…2628)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node) ([changelog](https://redirect.github.com/actions/setup-node/compare/6044e13b5dc448c55e2357c09f80417699197238..53b83947a5a98c8d113130e565377fae1a50d02f)) | action | digest | `6044e13` → `53b8394` |

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/googleapis/genai-toolbox).
…ted/quickstart/js/adk (googleapis#2630)

Bumps [hono](https://github.com/honojs/hono) from 4.12.2 to 4.12.5.

<details>
<summary>Release notes</summary>

*Sourced from [hono's releases](https://github.com/honojs/hono/releases).*

> ## v4.12.5
>
> ## What's Changed
>
> - fix(request): return `string | undefined` from param() when path type is any by [`@andrewdamelio`](https://github.com/andrewdamelio) in [honojs/hono#4723](https://redirect.github.com/honojs/hono/pull/4723)
> - fix(jwt): validate token format in decode and decodeHeader functions by [`@otoneko1102`](https://github.com/otoneko1102) in [honojs/hono#4752](https://redirect.github.com/honojs/hono/pull/4752)
> - fix(jsx): Fix "Invalid state: Controller is already closed" by [`@gaearon`](https://github.com/gaearon) in [honojs/hono#4770](https://redirect.github.com/honojs/hono/pull/4770)
> - chore(eslint): upgrade `@hono/eslint-config` by [`@BarryThePenguin`](https://github.com/BarryThePenguin) in [honojs/hono#4781](https://redirect.github.com/honojs/hono/pull/4781)
>
> ## New Contributors
>
> - [`@andrewdamelio`](https://github.com/andrewdamelio) made their first contribution in [honojs/hono#4723](https://redirect.github.com/honojs/hono/pull/4723)
> - [`@otoneko1102`](https://github.com/otoneko1102) made their first contribution in [honojs/hono#4752](https://redirect.github.com/honojs/hono/pull/4752)
> - [`@gaearon`](https://github.com/gaearon) made their first contribution in [honojs/hono#4770](https://redirect.github.com/honojs/hono/pull/4770)
>
> **Full Changelog**: https://github.com/honojs/hono/compare/v4.12.4...v4.12.5
>
> ## v4.12.4
>
> ## Security fixes
>
> This release includes fixes for the following security issues:
>
> ### SSE Control Field Injection
>
> Affects: `streamSSE()` in Streaming Helper. Fixes injection of unintended SSE fields by rejecting CR/LF characters in `event`, `id`, and `retry`. https://github.com/honojs/hono/security/advisories/GHSA-p6xx-57qc-3wxr
>
> ### Cookie Attribute Injection in `setCookie()`
>
> Affects: `setCookie()` from `hono/cookie`. Fixes cookie attribute manipulation by rejecting `;`, `\r`, and `\n` in `domain` and `path` options. https://github.com/honojs/hono/security/advisories/GHSA-5pq2-9x2x-5p6w
>
> ### Middleware Bypass in Serve Static
>
> Affects: Serve Static middleware. Fixes inconsistent URL decoding that could allow protected static resources to be accessed without triggering route-based middleware. https://github.com/honojs/hono/security/advisories/GHSA-q5qw-h33p-qvwr
>
> Users who use Streaming Helper, Cookie utility, and Serve Static are strongly encouraged to upgrade to this version.
>
> ---
>
> ## Other changes
>
> - fix(client): preserve route schema in ApplyGlobalResponse by [`@agumy`](https://github.com/agumy) in [honojs/hono#4777](https://redirect.github.com/honojs/hono/pull/4777)
> - fix(utils/url): specify the return type of `tryDecodeURI` by [`@yusukebe`](https://github.com/yusukebe) in [honojs/hono#4779](https://redirect.github.com/honojs/hono/pull/4779)
>
> ## New Contributors
>
> - [`@agumy`](https://github.com/agumy) made their first contribution in [honojs/hono#4777](https://redirect.github.com/honojs/hono/pull/4777)
>
> **Full Changelog**: https://github.com/honojs/hono/compare/v4.12.3...v4.12.4
>
> ## v4.12.3
>
> ## What's Changed
>
> - fix(validator): prevent type diff bug in form data parsing by [`@EdamAme-x`](https://github.com/EdamAme-x) in [honojs/hono#4753](https://redirect.github.com/honojs/hono/pull/4753)
> - fix(jwt): use `Math.floor` instead of bitwise OR for safe timestamp by [`@EdamAme-x`](https://github.com/EdamAme-x) in [honojs/hono#4754](https://redirect.github.com/honojs/hono/pull/4754)
> - fix(jwt): fix `JwtVariables` for `ContextVariableMap` by [`@yusukebe`](https://github.com/yusukebe) in [honojs/hono#4764](https://redirect.github.com/honojs/hono/pull/4764)

... (truncated)

</details>

<details>
<summary>Commits</summary>

- [`18cc595`](https://github.com/honojs/hono/commit/18cc595fc2a6a24c919bda8d733e7f95460eef4f) 4.12.5
- [`5d59ac7`](https://github.com/honojs/hono/commit/5d59ac770b8adb10dc7b1b45be748dc4931fb3ca) chore(eslint): upgrade `@hono/eslint-config` ([#4781](https://redirect.github.com/honojs/hono/issues/4781))
- [`b8cff18`](https://github.com/honojs/hono/commit/b8cff189051d408c8c4cf57d24ca82ec8712e73d) fix(jsx): Fix "Invalid state: Controller is already closed" ([#4770](https://redirect.github.com/honojs/hono/issues/4770))
- [`8c4d7f3`](https://github.com/honojs/hono/commit/8c4d7f3d2feea19c726bcaf3b7d01b62215eae8b) fix(jwt): validate token format in decode and decodeHeader functions ([#4752](https://redirect.github.com/honojs/hono/issues/4752))
- [`0f49915`](https://github.com/honojs/hono/commit/0f499152ee20daf4f394d1f0ef5cc700ce7e2735) fix(request): return `string | undefined` from param() when path type is any ...
- [`19d20d2`](https://github.com/honojs/hono/commit/19d20d23a2921e26c3bbfdb5549fce98b4a39b28) 4.12.4
- [`44ae0c8`](https://github.com/honojs/hono/commit/44ae0c8cc4d5ab2bed529127a4ac72e1483ad073) Merge commit from fork
- [`f4123ed`](https://github.com/honojs/hono/commit/f4123ed9ea3c7c52380cc99a079a4d773838846e) Merge commit from fork
- [`80a9837`](https://github.com/honojs/hono/commit/80a9837904c346f264b57dbfd22822a46cc24b08) fix(utils/url): specify the return type of `tryDecodeURI` ([#4779](https://redirect.github.com/honojs/hono/issues/4779))
- [`6a0607a`](https://github.com/honojs/hono/commit/6a0607a929d888893f0c91d92dce2fcfdb3662a3) Merge commit from fork
- Additional commits viewable in [compare view](https://github.com/honojs/hono/compare/v4.12.2...v4.12.5)

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Twisha Bansal <58483338+twishabansal@users.noreply.github.com>
…n/samples/pre_post_processing/js/adk (googleapis#2633)

Bumps [@hono/node-server](https://github.com/honojs/node-server) from 1.19.9 to 1.19.10.

<details>
<summary>Release notes</summary>

*Sourced from [`@hono/node-server`'s releases](https://github.com/honojs/node-server/releases).*

> ## v1.19.10
>
> ## Security Fix
>
> Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (`%2F` handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.
>
> See GHSA-wc8c-qw6v-h7f6 for details.

</details>

<details>
<summary>Commits</summary>

- [`2f8ca36`](https://github.com/honojs/node-server/commit/2f8ca3665f5257305603783ec9999bd1a9bec0f2) 1.19.10
- [`455015b`](https://github.com/honojs/node-server/commit/455015be1697dd89974a68b70350ea7b2d126d2e) Merge commit from fork
- [`cc05c48`](https://github.com/honojs/node-server/commit/cc05c48d8eb34007d5d5ff3861ea554721387041) chore: add benchmark for comparing with npm and local (dev) ([#305](https://redirect.github.com/honojs/node-server/issues/305))
- [`58c4412`](https://github.com/honojs/node-server/commit/58c44121523b418578be5bd911f2b67d8ef73ceb) chore: Adding LICENSE file with MIT license referenced in README.md ([#297](https://redirect.github.com/honojs/node-server/issues/297))
- [`b1daa4c`](https://github.com/honojs/node-server/commit/b1daa4cfb30ea58a926f3befed2fb883ae2fd9df) docs(readme): add [`@usualoma`](https://github.com/usualoma) as an author ([#300](https://redirect.github.com/honojs/node-server/issues/300))
- See full diff in [compare view](https://github.com/honojs/node-server/compare/v1.19.9...v1.19.10)

</details>

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Twisha Bansal <58483338+twishabansal@users.noreply.github.com>
Co-authored-by: Twisha Bansal <twishabansal07@gmail.com>
…n/getting-started/quickstart/js/adk (googleapis#2631)

Bumps [@hono/node-server](https://github.com/honojs/node-server) from 1.19.9 to 1.19.10.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Twisha Bansal <58483338+twishabansal@users.noreply.github.com>
…post_processing/js/adk (googleapis#2632)

Bumps [hono](https://github.com/honojs/hono) from 4.12.2 to 4.12.5.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Twisha Bansal <58483338+twishabansal@users.noreply.github.com>
… signature (googleapis#2627)

## Description

This PR fixes a critical signature mismatch that caused all `oracle-execute-sql` tool invocations to fail with an incompatible source type error (`500` Internal Server Error).

In a previous PR (googleapis#2323), the `RunSQL` method in the Oracle Source was updated to include a `readOnly` bool parameter to support DML operations for the `oracle-sql` tool:

However, the `oracle-execute-sql` tool's required interface (`compatibleSource`) was inadvertently left unchanged, still expecting the old 3-argument signature. Because Go interfaces are satisfied implicitly, the updated Oracle source no longer implemented the `oracle-execute-sql` tool's interface, causing `tools.GetCompatibleSource` to reject it at runtime during invocation.

🛠️ Fixes googleapis#2614
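The failure mode in the commit message above, reproduced as an added example (not the project's code): a stale interface is only rejected by a runtime type assertion, while a `var _ Iface = (*T)(nil)` guard turns the same drift into a build error. The parameter and return types of `RunSQL`, the `Source` type and the two `invoke...` helpers are assumptions; the page gives only the method name, the added `readOnly` bool and the interface name `compatibleSource`.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Source stands in for the Oracle source after RunSQL gained readOnly.
// The argument and return types are assumed for illustration.
type Source struct{}

func (s *Source) RunSQL(ctx context.Context, stmt string, params []any, readOnly bool) (any, error) {
	return fmt.Sprintf("ran %q (readOnly=%t)", stmt, readOnly), nil
}

// staleCompatibleSource is the tool-side interface that was left behind:
// it still declares the old 3-argument method.
type staleCompatibleSource interface {
	RunSQL(ctx context.Context, stmt string, params []any) (any, error)
}

// compatibleSource is the interface after the fix.
type compatibleSource interface {
	RunSQL(ctx context.Context, stmt string, params []any, readOnly bool) (any, error)
}

// Compile-time guard: the build fails if *Source stops satisfying the
// interface the tool asks for. Declaring the same guard against
// staleCompatibleSource would not compile, which is the point.
var _ compatibleSource = (*Source)(nil)

var errIncompatible = errors.New("incompatible source type")

// invokeWithStaleInterface mirrors a lookup that type-asserts at invocation
// time. Nothing flags the mismatch until a request reaches this line.
func invokeWithStaleInterface(src any, stmt string) (any, error) {
	s, ok := src.(staleCompatibleSource)
	if !ok {
		return nil, fmt.Errorf("%w: %T", errIncompatible, src)
	}
	return s.RunSQL(context.Background(), stmt, nil)
}

// invokeWithFixedInterface asserts against the updated interface.
func invokeWithFixedInterface(src any, stmt string) (any, error) {
	s, ok := src.(compatibleSource)
	if !ok {
		return nil, fmt.Errorf("%w: %T", errIncompatible, src)
	}
	return s.RunSQL(context.Background(), stmt, nil, false)
}

func main() {
	src := &Source{}
	_, err := invokeWithStaleInterface(src, "SELECT 1 FROM dual")
	fmt.Println("stale interface:", err)
	out, err := invokeWithFixedInterface(src, "SELECT 1 FROM dual")
	fmt.Println("fixed interface:", out, err)
}
```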
…getting-started/quickstart/js/adk (googleapis#2657) Bumps [express-rate-limit](https://github.com/express-rate-limit/express-rate-limit) from 8.2.1 to 8.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/express-rate-limit/express-rate-limit/releases">express-rate-limit's releases</a>.</em></p> <blockquote> <h2>v8.3.0</h2> <p>You can view the changelog <a href="https://express-rate-limit.mintlify.app/reference/changelog">here</a>.</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/9c90752747e169904c44ea1b1bc61a636b9594db"><code>9c90752</code></a> ci: setup oidc connect with npm for automatatic publish</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/e4477fabff4030274bbad571be8e00d87879a663"><code>e4477fa</code></a> 8.3.0</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/06d73405db2c00b22332c5ac278b6bd1c82ebfbc"><code>06d7340</code></a> docs: add changelog for 8.3.0</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/14e53888cdfd1b9798faf5b634c4206409e27fc4"><code>14e5388</code></a> fix: handle ipv4 mapped to ipv6 (GHSA-46wh-pxpv-q5gq)</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/2767a954932d5811a66c786824980b0075d6e27a"><code>2767a95</code></a> chore(deps-dev): bump the development-dependencies group across 1 directory w...</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/f400c7fdb73c217b791bf0c5da2f51a6cb6fc41b"><code>f400c7f</code></a> chore(deps-dev): bump the development-dependencies group with 2 updates (<a href="https://redirect.github.com/express-rate-limit/express-rate-limit/issues/603">#603</a>)</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/4e4884c45b41faf47f342234a44965cd5419eb4a"><code>4e4884c</code></a> 
chore(deps-dev): bump the development-dependencies group across 1 directory w...</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/fadbccbf3732ebc9e08056ddbad39530a6391345"><code>fadbccb</code></a> formatting</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/7b57b955990edbfcbfd28bb0db10510b0a32e947"><code>7b57b95</code></a> biome migration</li> <li><a href="https://github.com/express-rate-limit/express-rate-limit/commit/88a1f7f7912b7883a20facab674d778c7d020fb9"><code>88a1f7f</code></a> docs: typo fix</li> <li>Additional commits viewable in <a href="https://github.com/express-rate-limit/express-rate-limit/compare/v8.2.1...v8.3.0">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~gamemaker1">gamemaker1</a>, a new releaser for express-rate-limit since your current version.</p> </details> <details> <summary>Attestation changes</summary> <p>This version has no provenance attestation, while the previous version (8.2.1) was attested. Review the <a href="https://www.npmjs.com/package/express-rate-limit?activeTab=versions">package versions</a> before updating.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Twisha Bansal <58483338+twishabansal@users.noreply.github.com>
…googleapis#2672) This PR migrates the CockroachDB integration tests from relying on an external persistent database instance to using local, ephemeral Docker containers via `testcontainers-go/modules/cockroachdb`. It will spin up an isolated `cockroachdb/cockroach:latest-v23.1` container for each test run.
…oogleapis#2588) Bumps [go.opentelemetry.io/otel/sdk](https://github.com/open-telemetry/opentelemetry-go) from 1.38.0 to 1.40.0. <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/CHANGELOG.md">go.opentelemetry.io/otel/sdk's changelog</a>.</em></p> <blockquote> <h2>[1.40.0/0.62.0/0.16.0] 2026-02-02</h2> <h3>Added</h3> <ul> <li>Add <code>AlwaysRecord</code> sampler in <code>go.opentelemetry.io/otel/sdk/trace</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7724">#7724</a>)</li> <li>Add <code>Enabled</code> method to all synchronous instrument interfaces (<code>Float64Counter</code>, <code>Float64UpDownCounter</code>, <code>Float64Histogram</code>, <code>Float64Gauge</code>, <code>Int64Counter</code>, <code>Int64UpDownCounter</code>, <code>Int64Histogram</code>, <code>Int64Gauge</code>,) in <code>go.opentelemetry.io/otel/metric</code>. This stabilizes the synchronous instrument enabled feature, allowing users to check if an instrument will process measurements before performing computationally expensive operations. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7763">#7763</a>)</li> <li>Add <code>go.opentelemetry.io/otel/semconv/v1.39.0</code> package. The package contains semantic conventions from the <code>v1.39.0</code> version of the OpenTelemetry Semantic Conventions. 
See the <a href="https://github.com/open-telemetry/opentelemetry-go/blob/main/semconv/v1.39.0/MIGRATION.md">migration documentation</a> for information on how to upgrade from <code>go.opentelemetry.io/otel/semconv/v1.38.0.</code> (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7783">#7783</a>, <a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7789">#7789</a>)</li> </ul> <h3>Changed</h3> <ul> <li>Improve the concurrent performance of <code>HistogramReservoir</code> in <code>go.opentelemetry.io/otel/sdk/metric/exemplar</code> by 4x. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7443">#7443</a>)</li> <li>Improve the concurrent performance of <code>FixedSizeReservoir</code> in <code>go.opentelemetry.io/otel/sdk/metric/exemplar</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7447">#7447</a>)</li> <li>Improve performance of concurrent histogram measurements in <code>go.opentelemetry.io/otel/sdk/metric</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7474">#7474</a>)</li> <li>Improve performance of concurrent synchronous gauge measurements in <code>go.opentelemetry.io/otel/sdk/metric</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7478">#7478</a>)</li> <li>Add experimental observability metrics in <code>go.opentelemetry.io/otel/exporters/stdout/stdoutmetric</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7492">#7492</a>)</li> <li><code>Exporter</code> in <code>go.opentelemetry.io/otel/exporters/prometheus</code> ignores metrics with the scope <code>go.opentelemetry.io/contrib/bridges/prometheus</code>. This prevents scrape failures when the Prometheus exporter is misconfigured to get data from the Prometheus bridge. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7688">#7688</a>)</li> <li>Improve performance of concurrent exponential histogram measurements in <code>go.opentelemetry.io/otel/sdk/metric</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7702">#7702</a>)</li> <li>The <code>rpc.grpc.status_code</code> attribute in the experimental metrics emitted from <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code> is replaced with the <code>rpc.response.status_code</code> attribute to align with the semantic conventions. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7854">#7854</a>)</li> <li>The <code>rpc.grpc.status_code</code> attribute in the experimental metrics emitted from <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code> is replaced with the <code>rpc.response.status_code</code> attribute to align with the semantic conventions. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7854">#7854</a>)</li> </ul> <h3>Fixed</h3> <ul> <li>Fix bad log message when key-value pairs are dropped because of key duplication in <code>go.opentelemetry.io/otel/sdk/log</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7662">#7662</a>)</li> <li>Fix <code>DroppedAttributes</code> on <code>Record</code> in <code>go.opentelemetry.io/otel/sdk/log</code> to not count the non-attribute key-value pairs dropped because of key duplication. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7662">#7662</a>)</li> <li>Fix <code>SetAttributes</code> on <code>Record</code> in <code>go.opentelemetry.io/otel/sdk/log</code> to not log that attributes are dropped when they are actually not dropped. 
(<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7662">#7662</a>)</li> <li>Fix missing <code>request.GetBody</code> in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp</code> to correctly handle HTTP/2 <code>GOAWAY</code> frame. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7794">#7794</a>)</li> <li><code>WithHostID</code> detector in <code>go.opentelemetry.io/otel/sdk/resource</code> to use full path for <code>ioreg</code> command on Darwin (macOS). (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7818">#7818</a>)</li> </ul> <h3>Deprecated</h3> <ul> <li>Deprecate <code>go.opentelemetry.io/otel/exporters/zipkin</code>. For more information, see the <a href="https://opentelemetry.io/blog/2025/deprecating-zipkin-exporters/">OTel blog post deprecating the Zipkin exporter</a>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7670">#7670</a>)</li> </ul> <h2>[1.39.0/0.61.0/0.15.0/0.0.14] 2025-12-05</h2> <h3>Added</h3> <ul> <li>Greatly reduce the cost of recording metrics in <code>go.opentelemetry.io/otel/sdk/metric</code> using hashing for map keys. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7175">#7175</a>)</li> <li>Add <code>WithInstrumentationAttributeSet</code> option to <code>go.opentelemetry.io/otel/log</code>, <code>go.opentelemetry.io/otel/metric</code>, and <code>go.opentelemetry.io/otel/trace</code> packages. This provides a concurrent-safe and performant alternative to <code>WithInstrumentationAttributes</code> by accepting a pre-constructed <code>attribute.Set</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7287">#7287</a>)</li> <li>Add experimental observability for the Prometheus exporter in <code>go.opentelemetry.io/otel/exporters/prometheus</code>. 
Check the <code>go.opentelemetry.io/otel/exporters/prometheus/internal/x</code> package documentation for more information. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7345">#7345</a>)</li> <li>Add experimental observability metrics in <code>go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7353">#7353</a>)</li> <li>Add temporality selector functions <code>DeltaTemporalitySelector</code>, <code>CumulativeTemporalitySelector</code>, <code>LowMemoryTemporalitySelector</code> to <code>go.opentelemetry.io/otel/sdk/metric</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7434">#7434</a>)</li> <li>Add experimental observability metrics for simple log processor in <code>go.opentelemetry.io/otel/sdk/log</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7548">#7548</a>)</li> <li>Add experimental observability metrics in <code>go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc</code>. (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7459">#7459</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/a3a5317c5caed1656fb5b301b66dfeb3c4c944e0"><code>a3a5317</code></a> Release v1.40.0 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7859">#7859</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/77785da545d67b38774891cbdd334368bfacdfd8"><code>77785da</code></a> chore(deps): update github/codeql-action action to v4.32.1 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7858">#7858</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/56fa1c297bf71f0ada3dbf4574a45d0607812cc0"><code>56fa1c2</code></a> chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.5.0 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7857">#7857</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/298cbedf256b7a9ab3c21e41fc5e3e6d6e4e94aa"><code>298cbed</code></a> Upgrade semconv use to v1.39.0 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7854">#7854</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/3264bf171b1e6cd70f6be4a483f2bcb84eda6ccf"><code>3264bf1</code></a> refactor: modernize code (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7850">#7850</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/fd5d030c0aa8b5bfe786299047bc914b5714d642"><code>fd5d030</code></a> chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/8d3b4cb2501dec9f1c5373123e425f109c43b8d2"><code>8d3b4cb</code></a> chore(deps): update actions/cache action to v5.0.3 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7847">#7847</a>)</li> <li><a 
href="https://github.com/open-telemetry/opentelemetry-go/commit/91f7cadfcac363d67030f6913687c6dbbe086823"><code>91f7cad</code></a> chore(deps): update github.com/timakin/bodyclose digest to 73d1f95 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7845">#7845</a>)</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/fdad1eb7f350ee1f5fdb3d9a0c6855cc88ee9d75"><code>fdad1eb</code></a> chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27...</li> <li><a href="https://github.com/open-telemetry/opentelemetry-go/commit/c46d3bac181ddaaa83286e9ccf2cd9f7705fd3d9"><code>c46d3ba</code></a> chore(deps): update golang.org/x/telemetry digest to fcf36f6 (<a href="https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7843">#7843</a>)</li> <li>Additional commits viewable in <a href="https://github.com/open-telemetry/opentelemetry-go/compare/v1.38.0...v1.40.0">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
--------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Averi Kitsch <akitsch@google.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> Co-authored-by: Yuan Teoh <yuanteoh@google.com>
…oogleapis#2554)

## Description

Updated `toolset.name` attribute uniformly across metrics and spans. Also, updated `session_id` to `mcp.session.id` attribute - as in the semantic convention

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [x] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [x] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [x] Ensure the tests and linter pass
- [x] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change

🛠️ Fixes googleapis#2222

Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>
This PR refactors the tool file parsing logic by introducing a new ToolsFileParser struct. This encapsulation allows for stateful parsing, specifically enabling the tracking of resolved environment variables during configuration loading. This is useful for skill generation, where we can now identify and omit default values that correspond to environment variables, ensuring a more precise generated skill.
This PR refactors and improves the skill generation logic to make it more configurable and also simplifies the generated skill.

- Shift from generating individual tool-specific YAML files to a more centralized configuration approach using global toolbox flags.
- Add support for --license-header to prepend license information to generated Node.js scripts.
- Refactored tool parameter documentation from a JSON schema format to a more readable Markdown table.
- Update tool invocation log level to avoid unnecessary outputs.
- Make the generated skill compatible with Gemini CLI's env variable.
Fixed broken links --------- Co-authored-by: Twisha Bansal <58483338+twishabansal@users.noreply.github.com>
## Description

Due to an RCE Vulnerability, we can safely change the workflow to run on pull_request while still maintaining its run on PRs from forks.

Changes:

- Remove usage of pull_request_target
- Remove write permissions from the workflow as these workflows will move from the labeled runs

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [ ] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change

🛠️ Fixes #<issue_number_goes_here>
## Summary

- build request URLs by resolving validated relative paths against the base URL
- reject path templates that attempt to set scheme/host/userinfo
- add regression tests for host-override attempts

## Testing

- go test ./internal/tools/http

Fixes googleapis#2616

Co-authored-by: Wenxin Du <117315983+duwenxin99@users.noreply.github.com>
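The approach summarized in the commit message above, sketched as an added example (not the project's code from `internal/tools/http`): the rendered path is parsed as a URL reference, rejected if it carries a scheme, host or userinfo, and only then resolved against the base URL. `naiveJoin` is an assumed "before" shape shown for contrast; the function names, `ErrUnsafePath` and the `example.com` / `untrusted.example` hosts are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// ErrUnsafePath marks a rendered path that tries to leave the base origin.
var ErrUnsafePath = errors.New("rendered path must stay on the base URL's origin")

// naiveJoin concatenates before parsing, so the parser decides where the
// authority ends only after caller-controlled text has been appended.
func naiveJoin(base, renderedPath string) (*url.URL, error) {
	return url.Parse(base + renderedPath)
}

// buildRequestURL validates the rendered path as a relative reference and
// resolves it against an absolute base URL.
func buildRequestURL(base, renderedPath string) (*url.URL, error) {
	b, err := url.Parse(base)
	if err != nil {
		return nil, fmt.Errorf("parse base URL: %w", err)
	}
	if b.Scheme == "" || b.Host == "" {
		return nil, errors.New("base URL must be absolute")
	}
	ref, err := url.Parse(renderedPath)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrUnsafePath, err)
	}
	// A path template may contribute path, query and fragment only.
	if ref.Scheme != "" || ref.Opaque != "" || ref.Host != "" || ref.User != nil {
		return nil, fmt.Errorf("%w: %q", ErrUnsafePath, renderedPath)
	}
	out := b.ResolveReference(ref)
	// Second check on the result: the origin must be exactly the base's.
	if out.Scheme != b.Scheme || out.Host != b.Host {
		return nil, fmt.Errorf("%w: %q", ErrUnsafePath, renderedPath)
	}
	return out, nil
}

func main() {
	const base = "https://api.example.com" // constructed sample base URL
	if u, err := naiveJoin(base, "@untrusted.example/x"); err == nil {
		fmt.Println("naive join sends the request to host:", u.Host)
	}
	// Constructed regression inputs for the host-override cases.
	for _, p := range []string{
		"/users/42",
		"@untrusted.example/x",
		"//untrusted.example/x",
		"https://untrusted.example/x",
	} {
		u, err := buildRequestURL(base, p)
		if err != nil {
			fmt.Printf("%-30q rejected: %v\n", p, err)
			continue
		}
		fmt.Printf("%-30q -> %s\n", p, u)
	}
}
```

With concatenation, `@untrusted.example/x` turns the configured host into userinfo; with reference resolution the same input stays a path segment on the base host.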
Adds support for custom OAuth header and updates documentation.

## Description

> Should include a concise description of the changes (bug or feature), its
> impact, along with a summary of the solution

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [ ] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change

🛠️ Fixes #<issue_number_goes_here>
## Description

This PR removes an RCE vulnerability in our documentation preview pipeline while preserving the automated preview deployments for community forks. It also removes the need for maintainers to manually apply the `docs: deploy-preview` label.

## Context

Previously, `docs.yaml` used the `pull_request_target` trigger to evaluate fork PRs. Because it checked out untrusted code and ran npm ci and hugo in a context with a privileged GITHUB_TOKEN (contents: write, pull-requests: write) an RCE Vulnerability is created.

## Solution

The pipeline has been split into two isolated workflows to create a gap:

### `docs_preview_build.yaml`:

Triggers on standard pull_request (read-only token). Safely checks out untrusted fork code in a sandboxed environment. Runs npm ci --ignore-scripts (added as an extra defense-in-depth layer to prevent malicious package scripts) and builds the Hugo site. Packages the generated HTML and the PR number into a secure artifact.

### `docs_preview_deploy.yaml`:

Triggers on workflow_run (runs safely in the context of our base repository). Holds the privileged token (contents: write, pull-requests: write). Never checks out or executes the fork's code. Simply downloads the artifact, deploys it to the `versioned-gh-pages` branch, and posts the preview link comment to the PR. This workflow can be run independently in case of failure by providing the PR number and the Build workflow's ID.

This setup guarantees that untrusted code never executes a token with write access, keeping our repository and secrets secure.

## PR Checklist

> Thank you for opening a Pull Request! Before submitting your PR, there are a
> few things you can do to make sure it goes smoothly:

- [ ] Make sure you reviewed [CONTRIBUTING.md](https://github.com/googleapis/genai-toolbox/blob/main/CONTRIBUTING.md)
- [ ] Make sure to open an issue as a [bug/issue](https://github.com/googleapis/genai-toolbox/issues/new/choose) before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
- [ ] Ensure the tests and linter pass
- [ ] Code coverage does not decrease (if any source code was changed)
- [ ] Appropriate docs were updated (if necessary)
- [ ] Make sure to add `!` if this involves a breaking change

🛠️ Fixes #<issue_number_goes_here>