Sasha Sobran

This commit introduces a **security fix** for **GKE deployments** managed by the **ADK CLI**, defaulting the Kubernetes service type to `ClusterIP` to prevent unintended public exposure. This change, primarily within the `to_gke` function, enhances security by ensuring services are internal by default. Concurrently, a **new feature** adds a `--service_type` command-line option to `cli_deploy_agent_engine` and `cli_deploy_gke`, empowering users to explicitly configure the service type. The update also provides user guidance on accessing `ClusterIP` services and includes corresponding test updates.

This commit introduces a **security fix** to the **builder API's GET endpoint** by **enforcing strict file extension validation**. It modifies the `_get_file_path` helper function within the `src/google/adk/cli/fast_api.py` module to reject requests for files with unauthorized extensions, primarily allowing only **YAML files**. New unit tests in `tests/unittests/cli/test_fast_api.py` confirm that the API correctly rejects non-YAML requests while permitting valid ones. This enhancement improves the **robustness and security** of the API, preventing potential misuse or unexpected behavior when requesting files through the builder interface.

This commit introduces a **security fix** and **robustness improvement** to the **ADK CLI's agent loading mechanism**. It adds **agent name validation** within `src/google/adk/cli/utils/agent_loader.py` to prevent arbitrary module imports and ensure that agent modules exist on disk before an attempt is made to load them. This enhancement safeguards against potential vulnerabilities by restricting the types of agent names that can be processed, thereby improving the overall security posture of the CLI. New unit tests have been added and existing ones updated in `tests/unittests/cli/utils/test_agent_loader.py` to cover the new validation logic and error messages, ensuring the stability of this critical security measure.

fix: Update eval extras to Vertex SDK package version with constrained LiteLLM upperbound

This commit introduces a **security fix** and **access control** for the **CLI's FastAPI interface**. It gates specific **agent builder endpoints** like `builder_build` and `builder_cancel` behind a 'web' configuration flag, ensuring they are only exposed when intended. Crucially, it also implements **robust file extension validation** within the upload functionality, preventing potential arbitrary file writes and enhancing the overall security posture. This change primarily affects the **`src/google/adk/cli/fast_api.py` module** and its **upload mechanism**, with new **unit tests** verifying the conditional endpoint registration and file validation.

This commit **updates the project's release automation configuration** to enforce a specific versioning strategy. It modifies the `.github/release-please-config.json` file, instructing the `release-please` tool to **always bump the minor version** for all future releases. This **maintenance chore** ensures a consistent and predictable release cadence, impacting the project's versioning scheme and how new versions are communicated to users.

This commit **refactors** the **error handling** within the `google.adk` library by modifying the inheritance of `SessionNotFoundError`. The `SessionNotFoundError` class, located in `src/google/adk/errors/session_not_found_error.py`, now **inherits solely from `ValueError`**, removing `NotFoundError` from its base classes. This **maintenance** change simplifies the **exception hierarchy**, clarifying that a session not found condition is semantically a type of invalid value error. The downstream impact is a more streamlined approach for consumers when **catching and handling** this specific session-related exception.

This commit introduces a **new `SessionNotFoundError`** to significantly improve **session management** and **error handling** within the system. It **fixes critical bugs** in the **API server endpoints** (`/run` and `/run_sse`) by eliminating duplicate session lookups and correctly enabling `auto_session_create`. The **refactoring** ensures that missing sessions now raise a specific `SessionNotFoundError` instead of a generic `ValueError`, leading to more precise HTTP 404 responses from the API. This **enhances the robustness and clarity** of session handling, particularly when interacting with the API server, and is supported by new and updated unit tests.

This commit **fixes** an issue by ensuring that **grounding and citation metadata** is correctly propagated within **streaming responses**. It enhances the `StreamingResponseAggregator` in `src/google/adk/utils/streaming_utils.py` to store and include this crucial information in the final aggregated output. This change guarantees that contextual data, particularly from sources like **Vertex AI Search**, is reliably preserved and delivered through **Server-Sent Events (SSE)**, supporting both progressive and non-progressive streaming modes. New **integration and unit tests** were added to thoroughly verify this improved metadata preservation.

This commit introduces a **security fix** to the **`load_web_page` utility** located in `src/google/adk/tools/load_web_page.py`. Specifically, it **disables automatic redirects** for HTTP requests made via the `requests.get` call within the `load_web_page` function. This crucial change **mitigates a Server-Side Request Forgery (SSRF) vulnerability**, preventing potential malicious redirection to internal or unauthorized resources. The fix enhances the overall security of the `adk` toolkit by ensuring that web content fetching operations do not inadvertently expose sensitive systems.

This commit **fixes** a serialization bug within the **telemetry tracing** module, ensuring byte data is correctly handled when generating JSON output. By adding `mode='json'` to `model_dump` calls in functions like `trace_send_data` and `_build_llm_request_for_trace`, binary content, such as `thought_signature` in **LLM request tracing**, is now properly encoded (e.g., base64). This **bug fix** prevents data corruption and ensures accurate capture of telemetry information. Corresponding unit tests were updated to specifically verify the base64 encoding of binary content, confirming the integrity of the traced data.

chore: bump google auth lower bound

This commit **updates the project documentation** by adding a new, dedicated **'Code Generation' section** to the `README.md` file. This **documentation enhancement** aims to make instructions for using recent SDK features for code generation more prominent and easily discoverable for developers. The change improves the overall user experience by providing clearer guidance on a key development task, ensuring critical setup information is readily accessible.

This commit introduces a **new feature** to the `google.genai` library, enabling users to configure the resource scope when a custom `base_url` is utilized. It defines a new `ResourceScope` enum and integrates a `base_url_resource_scope` option into `HttpOptions` within `google/genai/types.py`. The **API client** (`_api_client.py`) is updated to support this option, involving validation and adjustments to the URL construction logic in methods like `_build_request`. This enhancement provides greater flexibility in how resource paths are resolved against custom base URLs, ensuring accurate API endpoint configuration. Comprehensive new tests have been added to validate this functionality.

This commit **fixes** an issue in the **`google.genai` library's API client initialization** where a default location was incorrectly inferred and set, even when a custom `base_url` was explicitly provided. The **client initialization logic** in `_api_client.py` is updated to prevent the application of default location settings, particularly when a custom endpoint is specified, thereby avoiding conflicts with Application Default Credentials (ADC) behavior. This **bug fix** ensures that users' custom `base_url` configurations are respected, improving the predictability of client setup. A new **test case** in `test_client_initialization.py` validates this corrected behavior.

This commit provides a **bug fix** for the **Vertex AI session service**, specifically addressing "client closed errors" that occurred during its operation. It corrects the instantiation of the API client within the `_get_api_client` method in `src/google/adk/sessions/vertex_ai_session_service.py`. The fix involves directly using `genai.client.BaseApiClient` and removing an erroneous `._api_client` access, which was causing the instability. This ensures the **Vertex AI session service** can reliably establish and maintain client connections, preventing critical runtime errors for users.

This commit **fixes client closed errors** that occurred when utilizing the **Vertex AI session service** by improving client resource management. A `__del__` method is introduced to `BaseApiClient` in `google/genai/_api_client.py` to ensure **proper client closure** during garbage collection, preventing resource leaks and associated errors. Additionally, a minor **refactoring** in `google/genai/client.py` adjusts an `asyncio` import for better code organization. This change enhances the **stability and reliability** of the `genai` client, particularly for long-running sessions with Vertex AI.

This commit is a **documentation update** for the **Generative AI (GenAI) module**, primarily focused on improving clarity and completeness. It **adds new documentation** for the `shouldReturnHttpResponse` field, detailing its purpose and behavior. Furthermore, this update **clarifies existing descriptions** for various image and video generation parameters, enhancing user understanding of these features. This **maintenance chore** ensures the project's documentation accurately reflects the current GenAI capabilities, particularly regarding HTTP response handling and media generation.

This commit performs a **maintenance** task by relocating the `codegen_instructions.md` file within the project's documentation structure. This organizational **chore** ensures that the instructions pertaining to **code generation** are stored in a more appropriate or consistent directory. The content of the documentation remains entirely unchanged, with the primary impact being an update to the file path for this specific set of instructions.

This commit provides a **bug fix** for **broken async streams** within the `google.genai` API client when `aiohttp` is used. It refactors the asynchronous streaming logic in `google/genai/_api_client.py`, specifically impacting methods like `__aiter__` and `_async_request`. The changes ensure that data chunks are correctly handled and sessions are properly closed, resolving issues that previously led to unreliable or non-functional async streams. This significantly improves the stability and correctness of **asynchronous data retrieval** for users relying on `aiohttp` in the `google.genai` library.