George Weale

This commit **fixes** and **updates the v2 release workflow** by modifying `.github/workflows/release-v2-publish.yml`. The workflow now correctly extracts the release version from `.release-please-manifest-v2.json` and applies it to `src/google/adk/version.py`, rather than `pyproject.toml`. This **maintenance** change ensures **accurate versioning** for **v2 releases** and enables the workflow to be dispatched from the `v2` branch with a configurable `release_branch` input, improving the robustness of the **CI/CD pipeline**.

This commit introduces a **fix** to the **`AgentLoader` utility** within the **ADK CLI**, specifically modifying the `list_agents` method. Previously, `list_agents` attempted to validate agent definitions and determine their language while listing, which was an unnecessary and potentially error-prone step. The updated implementation now **simplifies agent discovery** by ensuring `list_agents` only enumerates directories, deferring validation to a later stage. This change **improves the performance and reliability** of agent listing by removing complex and out-of-scope logic from the initial directory scan.

This commit **fixes a race condition** in the **`DatabaseSessionService`** by introducing a new helper function, `_get_or_create_state`, to safely handle the concurrent creation of application and user state rows. This helper utilizes a nested transaction (SAVEPOINT) to attempt an insert, catching `IntegrityError` if the row already exists due to a concurrent operation, and then fetching the pre-existing row. The `create_session` method now leverages this mechanism to prevent duplicate row insertions. This **bug fix** ensures **data integrity** and prevents errors during simultaneous session creations, with new unit tests validating the concurrent behavior of `_get_or_create_state` and `create_session`.

This commit introduces a **new index** `idx_events_app_user_session_ts` on the `events` table within both V0 and V1 database schemas, covering `app_name`, `user_id`, `session_id`, and `timestamp` to **improve query performance** for event lookups. It also enhances the **`DatabaseSessionService`** by adding a **new capability** to automatically ensure all defined SQLAlchemy indexes exist when preparing the database. This **feature** improves **database schema management** by proactively creating missing indexes. The changes affect the **`sessions` module's database setup** and are expected to provide **performance benefits** for event-related queries.

fix: Exclude compromised LiteLLM versions from dependencies pin to 1.82.6

This commit implements a **security fix** by introducing robust **origin checking** for the **`AdkWebServer`**. It adds an **ASGI middleware**, `_OriginCheckMiddleware`, and associated helper functions to enforce origin validation for both **HTTP and WebSocket requests**, specifically preventing unauthorized cross-origin state-changing operations. This significantly enhances the **security posture** of the web server, particularly for endpoints like `AdkWebServer.run_live` and `AdkWebServer.run_live_websocket`, by ensuring only trusted origins can interact with sensitive functionality. New **unit tests** have been added to comprehensively verify the correct behavior of this cross-origin request handling for both WebSocket and builder endpoints.

This commit is a **maintenance chore** that **improves logging clarity** within the **`adk.cli.utils` module**. Specifically, it updates a log message emitted during the instantiation of the **`DatabaseSessionService`** via the `create_session_service_from_options` function in `src/google/adk/cli/utils/service_factory.py`. The message is changed from "Falling back to..." to "Using..." to more accurately reflect the system's behavior, primarily benefiting **developer debugging and monitoring** by providing clearer operational feedback.

This **feature** introduces the capability to **extract and merge ADK EventActions** embedded within **A2A object metadata** during the conversion process. It enhances the **A2A to ADK event conversion** module by adding new functions to parse JSON-encoded metadata values and consolidate `EventActions` from multiple sources within an `A2A Task`. This logic is integrated into existing conversion functions like `convert_a2a_task_to_event`, ensuring that rich `EventAction` data is correctly transferred. The change improves the fidelity of data transformation when converting various `A2A` objects into `ADK Event` objects. New unit tests validate this critical extraction and merging functionality.

This commit **fixes a bug** in the **`compaction` module** by preventing the premature removal of events that contain function calls awaiting a response. It introduces new helper functions, like `_pending_function_call_ids`, to identify and exclude these events from both **sliding window and token threshold-based compaction strategies**. This ensures the integrity of session state by preserving critical function call information, with new unit tests verifying the correct exclusion behavior.

This commit implements a **fix** by **introducing read-only session support** within the `DatabaseSessionService` for Spanner connections. It achieves this by creating a separate async session factory specifically configured with `read_only=True`, ensuring that certain database interactions are explicitly read-only. The core logic in `src/google/adk/sessions/database_session_service.py` is updated to manage and utilize these new session types, affecting methods like `get_session` and `list_sessions`. This **enhancement** improves the efficiency and safety of read operations by providing dedicated read-only sessions, with comprehensive unit tests added in `tests/unittests/sessions/test_session_service.py` to validate the new functionality.

This commit implements **optimistic concurrency control** within the **DatabaseSessionService** to address potential data corruption from concurrent modifications. As a **bug fix**, the `append_event` method now explicitly **rejects appends to stale sessions** by raising a `ValueError`, rather than attempting an automatic merge. This change introduces a `_storage_update_marker` to the `Session` class and updates session schemas (`v0.py`, `v1.py`) to generate and utilize these revision markers for consistency checks. This ensures that all session modifications operate on the most current state, significantly improving the **data integrity** of the session management system.

This commit introduces a **new capability** to the **LiteLLM integration**, specifically enhancing its support for **Anthropic models**. It enables the correct parsing and generation of Anthropic's structured `thinking_blocks` format, including the crucial `signature` field, which is vital for maintaining model reasoning state during multi-turn interactions and tool calls. This **feature enhancement** ensures robust communication with Anthropic models using this advanced reasoning structure, primarily affecting the `lite_llm.py` adapter and thoroughly covered by new unit tests.

This commit introduces a **fix** and **enhancement** to the **Vertex AI session service** by enabling the persistence and retrieval of `usage_metadata`. Since the service does not natively support `usage_metadata`, this change serializes it into the `custom_metadata` field under the `_usage_metadata` key when events are appended via `append_event`, and deserializes it back during retrieval in `_from_api_event`. This ensures that **usage information is correctly round-tripped** through the session service, improving data completeness for `Vertex AI` interactions. The changes primarily affect `src/google/adk/sessions/vertex_ai_session_service.py`, specifically the `_set_internal_custom_metadata`, `append_event`, and `_from_api_event` methods. New unit tests in `test_vertex_ai_session_service.py` validate this behavior, including scenarios with existing `custom_metadata` and compaction.

This commit **improves the testing coverage** for the **LiteLLM integration** within the Agent Development Kit (ADK). It **updates a unit test** in `tests/unittests/models/test_litellm.py` that verifies ADK's handling of unmapped `finish_reason` values from LiteLLM. The previous test was ineffective because LiteLLM's internal models normalized certain values before ADK could process them. This **test fix** now bypasses LiteLLM's normalization, allowing for direct validation of ADK's fallback mapping logic and ensuring the robustness of the integration.

This commit implements a **bug fix** by **removing a redundant `client_id` parameter** from the `fetch_token` call within the **OAuth2 credential exchanger** (`oauth2_credential_exchanger.py`). Previously, when using `client_secret_post` authentication, `Authlib` would automatically include `client_id` in the request body, leading to duplicate parameters if explicitly passed again. This change **prevents potential token exchange failures** with OAuth providers that reject requests containing duplicate parameters, thereby enhancing the reliability of the authentication process. A new **unit test** was also added to verify that `client_id` is no longer duplicated in these scenarios.

This commit **refactors** the `can_use_output_schema_with_tools` function within the **output schema utility** (`src/google/adk/utils/output_schema_utils.py`) to prevent `ImportError` exceptions. Previously, the function directly imported `LiteLlm`, causing issues if the module was not installed. Now, it robustly checks for `LiteLlm` instances by inspecting the model's type Method Resolution Order and conditionally importing `LiteLlm`. This **bug fix** improves the **resilience** of the system's ability to determine output schema compatibility with various models, ensuring the utility functions correctly even when `LiteLlm` is unavailable. New **unit tests** validate this behavior, covering scenarios both with and without `LiteLlm` installed.

This commit delivers a **bug fix** for the **LiteLLM integration** within the ADK, specifically ensuring the preservation of the `thought_signature` field in **Gemini model tool calls**. Previously, this crucial metadata was lost during the conversion between LiteLLM's `ChatCompletionMessageToolCall` and ADK's internal types. The updated logic in `src/google/adk/models/lite_llm.py` now correctly extracts and re-embeds `thought_signature` during these conversions, preventing data loss and maintaining the full context of tool calls. This **fix** is validated by new comprehensive unit tests in `tests/unittests/models/test_litellm.py`.

This commit provides a **bug fix** for the **LiteLLM integration**, specifically addressing how responses with a `finish_reason` of "length" are processed. It now correctly maps this reason to `types.FinishReason.MAX_TOKENS` within the **model response finalization logic**. Crucially, it enhances error handling by detecting and reporting issues when **tool call arguments** are truncated due to hitting token limits, preventing silent failures in `_finalize_tool_call_response`. This ensures more robust and accurate handling of **LiteLLM-based model interactions**, particularly when responses are cut short.

This commit **fixes** and **enhances** the **LiteLLM model integration** by expanding its reasoning extraction capabilities. The `_extract_reasoning_value` function within the `src/google/adk/models/lite_llm.py` module now robustly checks for both `'reasoning_content'` and `'reasoning'` fields in LiteLLM messages, prioritizing the former. This ensures more reliable extraction of **model reasoning information** from diverse response formats, improving the accuracy of **model response interpretation**. New unit tests in `tests/unittests/models/test_litellm.py` validate this expanded logic, covering precedence rules and various message structures.

This commit **adjusts the CI/CD pipeline** by changing the trigger mechanism for the **Mypy type checking workflow**. Specifically, the `.github/workflows/mypy.yml` configuration is updated to remove automatic execution on `push` and `pull_request` events. This **maintenance fix** now requires the Mypy workflow to be manually initiated via `workflow_dispatch`. The change impacts the **developer workflow** by making Mypy checks an explicit, opt-in process, which can help optimize CI resource usage and speed up automated checks for routine code changes.