feat(governance): Google ADK adapter #362
Open
aditik0303 wants to merge 6 commits into
Installs governance on each LlmAgent's native callbacks (before/after_model_callback -> BEFORE/AFTER_MODEL, before/after_tool_callback -> TOOL_CALL/AFTER_TOOL) in place, walking the sub_agents tree. Self-registers via the uipath.governance.adapters entry point; unit-tested and cloud-verified end to end (CodedAgent03). BEFORE/AFTER_AGENT remain owned by the uipath-runtime wrapper.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…, framework-only can_handle)
Mirror radu's LangChain-adapter review across the Google ADK adapter:
- __init__: drop the import-time registration side-effect; registration only via the uipath.governance.adapters entry point.
- can_handle: claim only a real google.adk BaseAgent; remove the duck-typed (name + model-callback / sub_agents) fallback.
- docstring: 'governance host' instead of uipath-runtime internals.
- tests: can_handle uses a real LlmAgent; duck-typed look-alikes are now rejected.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Pull request overview
Adds a governance adapter for Google ADK so the governance host can attach deep hooks (BEFORE_MODEL / AFTER_MODEL / TOOL_CALL / AFTER_TOOL) to ADK LlmAgent callback slots via entry-point discovery (no import-time registration).
Changes:
- Introduces `GoogleADKAdapter` and `GovernanceCallbacks` to install/remove governance callbacks across an ADK agent tree.
- Adds adapter registration function exposed via the `uipath.governance.adapters` entry point.
- Adds unit tests covering `can_handle`, attach/detach behavior, payload extraction, and enforcement semantics.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/uipath-google-adk/tests/governance/test_adapter.py | New tests for adapter detection, callback wiring, payload extraction, and exception semantics. |
| packages/uipath-google-adk/tests/governance/__init__.py | Test package marker for governance tests. |
| packages/uipath-google-adk/src/uipath_google_adk/governance/adapter.py | New ADK governance adapter implementation and callback payload extraction logic. |
| packages/uipath-google-adk/src/uipath_google_adk/governance/__init__.py | Entry-point registration function for the governance adapter (idempotent, no import-time mutation). |
| packages/uipath-google-adk/pyproject.toml | Adds uipath-core dependency and the uipath.governance.adapters entry point. |
- Text-cap comment: refer to the governance host, not the uipath-runtime wrapper constant.
- Test docstring: note can_handle uses a real google.adk LlmAgent (isinstance detection); only payload shapes are faked.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…K adapter
Record that LlmRequest/LlmResponse/content/parts are read via getattr rather than isinstance on ADK's typed models, to avoid hard-coupling to google-adk internals and to let tests duck-type payloads without the package installed.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Core PR #1761 removed BaseAdapter from uipath-core. Migrate to the factory-evaluator pattern (matching #899):
- governance/adapter.py -> callbacks.py: replace the BaseAdapter subclass (name/can_handle/attach/detach) with module-level install_governance() that installs governance on each LlmAgent's native *_callback slots (walking sub_agents); keep GovernanceCallbacks + the callback helpers; drop the detach-only _remove_callbacks. File named for its seam (callbacks), like LangChain's callbacks.py.
- runtime/factory.py: new_runtime reads `evaluator` from kwargs and calls install_governance before building the Runner.
- governance/__init__.py: drop register_governance_adapter + registry import; expose install_governance. No import-time side effects.
- pyproject.toml: remove the uipath.governance.adapters entry point.
- tests (test_adapter.py -> test_callbacks.py): drop can_handle/attach/detach; cover install_governance + factory wiring.
ruff + mypy clean; 21 governance tests pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ool walk
Review findings (Viswa) for PR #362:
- Drop the per-callbacks uuid trace_id (identical for every call); trace correlation is owned by the layer below, matching LangChain. Requires uipath-core >= 0.5.20, which removed trace_id from EvaluatorProtocol — bumped in the lock.
- Count llm/tool calls only after governance passes: a DENY raised before the bump, inflating the counter on blocked calls.
- Follow AgentTool-wrapped agents: an agent exposed as a tool lives in ``tools`` (on ``tool.agent``), not ``sub_agents``, so the walk missed it.
- Refresh governance metadata on cached-agent reuse: the factory caches agents by entrypoint, so a second new_runtime with a new session_id would otherwise keep the first run's session_id (install was a no-op). Added GovernanceCallbacks.rebind() + _find_governance_callbacks().
- Log (not silently drop) when the tree walk hits the node cap.
- Cap _stringify output so an oversized tool result / args / response can't hand a multi-megabyte string to the evaluator.
- Trailing newline (W292).
Tests: added AgentTool-walk, cached-agent rebind, and no-inflation-on-block coverage.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>


Summary
Adds a Google ADK governance adapter to `uipath-google-adk`. It lets UiPath governance evaluate what a Google ADK agent does at the model and tool level, and block disallowed actions, without the agent author writing governance code. This package contains only the ADK-specific bridge.

What it does
- Detects a `google.adk.agents.BaseAgent` (`can_handle` claims only real `BaseAgent` instances). ADK agents are executed by a `Runner` that holds its own reference to the agent, so the adapter installs governance directly onto each `LlmAgent`'s native callback attributes (mutating them in place) and returns the original agent rather than a proxy.
- Maps each native callback to a governance check:
  - `before_model_callback` -> `BEFORE_MODEL`
  - `after_model_callback` -> `AFTER_MODEL`
  - `before_tool_callback` -> `TOOL_CALL`
  - `after_tool_callback` -> `AFTER_TOOL`
- Enforces by letting a `GovernanceBlockException` (raised on a DENY decision) propagate, stopping the model call or tool. Any other error inside a governance hook is logged and swallowed, so a governance failure cannot break an otherwise-healthy agent run.
- Discovered through the `uipath.governance.adapters` entry point, so no explicit import is needed to register it.

What it does not do
BEFORE_AGENT/AFTER_AGENT); those are owned by the governance host.uipath-core.
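
A minimal sketch of the enforcement semantics this PR describes: in-place install across `sub_agents` and `tool.agent`, DENY propagates, other hook errors are logged and swallowed, calls are counted only when not blocked, and payloads are capped. It is an added example, not code from the PR: `Agent`, `AgentTool`, `walk`, `install`, the evaluator signature and the cap values are stand-ins assumed here, and the local `GovernanceBlockException` only mirrors the name used on the page.

```python
import logging

log = logging.getLogger("governance-sketch")
MAX_NODES, MAX_TEXT = 64, 200  # assumed caps; the page gives no values

class GovernanceBlockException(Exception):
    """Local stand-in for the exception the PR raises on a DENY decision."""

class Agent:
    """Stand-in carrying only the attribute names the PR mentions."""
    def __init__(self, name, sub_agents=(), tools=()):
        self.name, self.sub_agents, self.tools = name, list(sub_agents), list(tools)
        self.before_tool_callback = None

class AgentTool:
    """Stand-in for an agent exposed as a tool, reachable via tool.agent."""
    def __init__(self, agent):
        self.agent = agent

def walk(root):
    """Yield each agent once, following sub_agents and tool.agent."""
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if id(node) in seen:
            continue
        if len(seen) >= MAX_NODES:
            log.warning("node cap hit; remaining agents are not governed")
            return
        seen.add(id(node))
        yield node
        stack.extend(getattr(node, "sub_agents", None) or [])
        stack.extend(t.agent for t in getattr(node, "tools", None) or []
                     if getattr(t, "agent", None) is not None)

def install(root, evaluate, stats):
    """Put a TOOL_CALL check into every agent's before_tool_callback slot."""
    def before_tool(tool, args, tool_context=None):
        try:
            evaluate("TOOL_CALL", str(args)[:MAX_TEXT])  # capped payload
        except GovernanceBlockException:
            raise  # DENY propagates and stops the tool; not counted
        except Exception:
            log.exception("governance hook failed; tool call proceeds")
        stats["tool_calls"] += 1  # counted only once the check did not block
        return None  # None lets the tool run normally
    for agent in walk(root):
        agent.before_tool_callback = before_tool
    return root
```

Because non-block errors are swallowed, an evaluator that crashes leaves that tool call unchecked; the logged exception is the only signal, so it is worth alerting on.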