Merged
Conversation
- Add setup.sh to download lit CLI binary and .litertlm model - Support macOS arm64 and x86_64 architectures - Auto-generate .env with LIT_BINARY_PATH and LIT_MODEL_PATH - Add .gitignore for bin/, models/, .env - Update README with Quick Setup section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly improves the developer experience for setting up the LiteRT-LM MCP server by introducing an automated setup script. This script handles the download of essential binaries and models, and configures environment variables, thereby simplifying the initial configuration and reducing manual steps for users. The accompanying documentation update ensures that the new streamlined process is clearly communicated. Highlights
Changelog
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces a setup script for the LiteRT-LM MCP server, aiming to simplify user onboarding. However, a security audit of the setup.sh script revealed two high-severity vulnerabilities: a path traversal vulnerability allowing arbitrary file overwrites via curl due to insufficient validation of the MODEL_NAME environment variable, and a command injection vector stemming from the generation and suggested loading of the .env file. Additionally, the script currently only supports macOS and needs to be extended for Linux compatibility. The method for creating and loading the .env file also needs to be made more robust to handle paths with spaces. These security and robustness issues should be addressed by implementing strict input validation and sanitization for all environment variables used in file paths or written to configuration files, and by enhancing cross-platform compatibility.
Comment on lines
+49
to
+58
| cat > "$ENV_FILE" <<EOF | ||
| LIT_BINARY_PATH=$LIT_BIN | ||
| LIT_MODEL_PATH=$MODEL_PATH | ||
| EOF | ||
| echo "✓ Wrote $ENV_FILE" | ||
|
|
||
| echo "" | ||
| echo "Setup complete. Start the MCP server with:" | ||
| echo " cd $SCRIPT_DIR" | ||
| echo " export \$(cat .env | xargs)" |
Contributor
There was a problem hiding this comment.
This section of the script introduces a high-severity command injection vulnerability. The unsanitized MODEL_PATH, which includes the user-controlled MODEL_NAME, is written to the .env file. The subsequent suggestion to run export $(cat .env | xargs) can lead to arbitrary command execution if MODEL_NAME contains shell command substitutions (e.g., $(whoami)). Furthermore, the paths written to the .env file are not quoted. If the project is located in a directory with spaces, sourcing these environment variables can fail. To remediate, ensure all variables written to the .env file are properly sanitized, consider safer methods for loading environment variables that avoid shell expansion, and quote paths within the .env file for robustness.
Suggested change
| cat > "$ENV_FILE" <<EOF | |
| LIT_BINARY_PATH=$LIT_BIN | |
| LIT_MODEL_PATH=$MODEL_PATH | |
| EOF | |
| echo "✓ Wrote $ENV_FILE" | |
| echo "" | |
| echo "Setup complete. Start the MCP server with:" | |
| echo " cd $SCRIPT_DIR" | |
| echo " export \$(cat .env | xargs)" | |
| cat > "$ENV_FILE" <<EOF | |
| LIT_BINARY_PATH="$LIT_BIN" | |
| LIT_MODEL_PATH="$MODEL_PATH" | |
| EOF |
Comment on lines
+34
to
+41
| MODEL_NAME="${MODEL_NAME:-gemma3n-E2B-it-int4.litertlm}" | ||
| MODEL_URL="https://huggingface.co/litert-community/${MODEL_NAME%.litertlm}/resolve/main/${MODEL_NAME}" | ||
| MODEL_PATH="$MODEL_DIR/$MODEL_NAME" | ||
|
|
||
| if [ ! -f "$MODEL_PATH" ]; then | ||
| echo "Downloading model ${MODEL_NAME} from HuggingFace..." | ||
| echo "(This may take a while depending on model size)" | ||
| curl -fSL "$MODEL_URL" -o "$MODEL_PATH" |
Contributor
There was a problem hiding this comment.
The script is vulnerable to a path traversal attack via the MODEL_NAME environment variable. The variable is used to construct MODEL_PATH (line 36) which is then used as the output path for curl (line 41). An attacker could trick a user into setting MODEL_NAME to a value like ../../.bashrc, causing the script to overwrite sensitive files on the user's system.
To remediate this, you should validate that MODEL_NAME does not contain any path traversal sequences or directory separators.
Comment on lines
+14
to
+19
| ARCH="$(uname -m)" | ||
| case "$ARCH" in | ||
| arm64|aarch64) ASSET="lit-macos-arm64" ;; | ||
| x86_64) ASSET="lit-macos-x86_64" ;; | ||
| *) echo "Unsupported arch: $ARCH"; exit 1 ;; | ||
| esac |
Contributor
There was a problem hiding this comment.
The script currently only supports downloading binaries for macOS. This will cause it to fail for users on other operating systems like Linux. To improve cross-platform compatibility, you should detect the operating system and adjust the asset name accordingly.
Suggested change
| ARCH="$(uname -m)" | |
| case "$ARCH" in | |
| arm64|aarch64) ASSET="lit-macos-arm64" ;; | |
| x86_64) ASSET="lit-macos-x86_64" ;; | |
| *) echo "Unsupported arch: $ARCH"; exit 1 ;; | |
| esac | |
| OS="$(uname -s)" | |
| ARCH="$(uname -m)" | |
| case "$OS" in | |
| "Linux") | |
| case "$ARCH" in | |
| "x86_64") ASSET="lit-linux-x86_64" ;; | |
| "aarch64") ASSET="lit-linux-aarch64" ;; | |
| *) echo "Unsupported Linux arch: $ARCH"; exit 1 ;; | |
| esac | |
| ;; | |
| "Darwin") | |
| case "$ARCH" in | |
| "arm64"|"aarch64") ASSET="lit-macos-arm64" ;; | |
| "x86_64") ASSET="lit-macos-x86_64" ;; | |
| *) echo "Unsupported macOS arch: $ARCH"; exit 1 ;; | |
| esac | |
| ;; | |
| *) echo "Unsupported OS: $OS"; exit 1 ;; | |
| esac |
| Then start the server: | ||
|
|
||
| ```bash | ||
| export $(cat .env | xargs) |
Contributor
There was a problem hiding this comment.
The command export $(cat .env | xargs) is not robust for sourcing environment variables and will fail if paths contain spaces. A more reliable and safer method is to use source with set -a to ensure all variables in the file are exported.
Suggested change
| export $(cat .env | xargs) | |
| set -a && source .env && set +a |
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
| Then start the server: | ||
|
|
||
| ```bash | ||
| export $(cat .env | xargs) |
There was a problem hiding this comment.
Bug: The recommended xargs command for loading environment variables fails if file paths contain spaces, leading to truncated paths and runtime errors when starting the server.
Severity: CRITICAL
Suggested Fix
Update setup.sh to wrap the path variables in the .env file with double quotes (e.g., echo "LIT_BINARY_PATH=\"$LIT_BINARY_PATH\"" >> .env). Also, update the README.md to use a more robust command that handles quoted variables, such as export $(grep -v '^#' .env | xargs). This will ensure paths with spaces are parsed correctly.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.
Location: mcp-servers/litert-mcp/README.md#L26
Potential issue: The command `export $(cat .env | xargs)` recommended in the README.md
for loading environment variables does not handle file paths containing spaces. The
`setup.sh` script generates a `.env` file with unquoted paths. When a user's directory
path includes a space (e.g., `/Users/John Doe/...`), `xargs` splits the path, causing
environment variables like `LIT_BINARY_PATH` to be set to a truncated, invalid value.
This leads to a runtime failure in `server.py` when `os.path.exists()` checks for the
binary or model, resulting in a "binary not found" or "model not found" error.
Did we get this right? 👍 / 👎 to inform future reviews.
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a bootstrap path for the LiteRT-LM MCP server by introducing an automated setup script to fetch the lit CLI and a default .litertlm model, plus README quick-start instructions.
Changes:
- Add
setup.shto download the LiteRT-LMlitCLI and a default Gemma 3n.litertlmmodel and write a local.env. - Update the LiteRT MCP server README with “Quick Setup” instructions using the script.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
mcp-servers/litert-mcp/setup.sh |
New installer script that downloads the lit CLI + model and writes env vars for the server. |
mcp-servers/litert-mcp/README.md |
Adds quick-start steps to run setup.sh and start server.py. |
Comment on lines
+14
to
+19
| ARCH="$(uname -m)" | ||
| case "$ARCH" in | ||
| arm64|aarch64) ASSET="lit-macos-arm64" ;; | ||
| x86_64) ASSET="lit-macos-x86_64" ;; | ||
| *) echo "Unsupported arch: $ARCH"; exit 1 ;; | ||
| esac |
There was a problem hiding this comment.
The download asset selection only looks at CPU arch and hard-codes macOS asset names (lit-macos-*). On Linux/Windows this will likely download an incompatible binary and then fail at runtime. Detect the OS (e.g., via uname -s) and choose the correct asset per platform, or explicitly error out with a clear message when not on supported OSes.
Comment on lines
+49
to
+53
| cat > "$ENV_FILE" <<EOF | ||
| LIT_BINARY_PATH=$LIT_BIN | ||
| LIT_MODEL_PATH=$MODEL_PATH | ||
| EOF | ||
| echo "✓ Wrote $ENV_FILE" |
There was a problem hiding this comment.
cat > "$ENV_FILE" will overwrite any existing .env in this directory, which can unexpectedly clobber local configuration. Consider refusing to overwrite by default (or writing to .env.litert), or adding a prompt/flag to allow overwriting explicitly.
Suggested change
| cat > "$ENV_FILE" <<EOF | |
| LIT_BINARY_PATH=$LIT_BIN | |
| LIT_MODEL_PATH=$MODEL_PATH | |
| EOF | |
| echo "✓ Wrote $ENV_FILE" | |
| if [ -f "$ENV_FILE" ] && [ "${FORCE_LITERT_ENV_OVERWRITE:-0}" != "1" ]; then | |
| echo "ℹ $ENV_FILE already exists. Not overwriting." | |
| echo " To regenerate it, rerun this script with FORCE_LITERT_ENV_OVERWRITE=1." | |
| else | |
| cat > "$ENV_FILE" <<EOF | |
| LIT_BINARY_PATH=$LIT_BIN | |
| LIT_MODEL_PATH=$MODEL_PATH | |
| EOF | |
| echo "✓ Wrote $ENV_FILE" | |
| fi |
| Then start the server: | ||
|
|
||
| ```bash | ||
| export $(cat .env | xargs) |
There was a problem hiding this comment.
The suggested export $(cat .env | xargs) pattern is brittle (breaks on spaces/special chars) and can be unsafe if the file contains unexpected content. Prefer a safer load pattern (e.g., set -a; source .env; set +a) and ensure values in .env are quoted appropriately.
Suggested change
| export $(cat .env | xargs) | |
| set -a | |
| source .env | |
| set +a |
Comment on lines
+21
to
+27
| LIT_URL="https://github.com/google-ai-edge/LiteRT-LM/releases/download/${LIT_VERSION}/${ASSET}" | ||
| LIT_BIN="$BIN_DIR/lit" | ||
|
|
||
| if [ ! -x "$LIT_BIN" ]; then | ||
| echo "Downloading lit binary (${LIT_VERSION}, ${ASSET})..." | ||
| curl -fSL "$LIT_URL" -o "$LIT_BIN" | ||
| chmod +x "$LIT_BIN" |
There was a problem hiding this comment.
This script downloads the lit binary from LIT_URL using curl and then marks it executable without any checksum or signature verification. If the GitHub release or the download path is ever compromised, a malicious binary could be silently installed and later executed with the user's privileges, leading to full compromise of their environment. Add integrity verification (for example by pinning to an immutable release artifact and validating a published checksum or signature) before trusting or executing the downloaded binary.
groupthinking
added a commit
that referenced
this pull request
Mar 4, 2026
…51) * feat: Initialize PGLite v17 database data files for the dataconnect project. * feat: enable automatic outline generation for Gemini Code Assist in VS Code settings. * feat: Add NotebookLM integration with a new processor and `analyze_video_with_notebooklm` MCP tool. * feat: Add NotebookLM profile data and an ingestion test. * chore: Update and add generated browser profile files for notebooklm development. * Update `notebooklm_chrome_profile` internal state and add architectural context documentation and video asset. * feat: Add various knowledge prototypes for MCP servers and universal automation, archive numerous scripts and documentation, and update local browser profile data. * chore: Add generated browser profile cache and data for notebooklm. * Update notebooklm Chrome profile preferences, cache, and session data. * feat: Update NotebookLM Chrome profile with new cache, preferences, and service worker data. * feat: Add generated Chrome profile cache and code cache files and update associated profile data. * Update `notebooklm` Chrome profile cache, code cache, GPU cache, and safe browsing data. * chore(deps): bump the npm_and_yarn group across 4 directories with 5 updates Bumps the npm_and_yarn group with 3 updates in the / directory: [ajv](https://github.com/ajv-validator/ajv), [hono](https://github.com/honojs/hono) and [qs](https://github.com/ljharb/qs). Bumps the npm_and_yarn group with 3 updates in the /docs/knowledge_prototypes/mcp-servers/fetch-mcp directory: [@modelcontextprotocol/sdk](https://github.com/modelcontextprotocol/typescript-sdk), [ajv](https://github.com/ajv-validator/ajv) and [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 1 update in the /scripts/archive/software-on-demand directory: [ajv](https://github.com/ajv-validator/ajv). Bumps the npm_and_yarn group with 2 updates in the /scripts/archive/supabase_cleanup directory: [next](https://github.com/vercel/next.js) and [qs](https://github.com/ljharb/qs). Updates `ajv` from 8.17.1 to 8.18.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.18.0) Updates `hono` from 4.11.7 to 4.12.1 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.7...v4.12.1) Updates `qs` from 6.14.1 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.1...v6.15.0) Updates `@modelcontextprotocol/sdk` from 1.25.2 to 1.26.0 - [Release notes](https://github.com/modelcontextprotocol/typescript-sdk/releases) - [Commits](modelcontextprotocol/typescript-sdk@v1.25.2...v1.26.0) Updates `ajv` from 8.17.1 to 8.18.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.18.0) Updates `hono` from 4.11.5 to 4.12.1 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.11.7...v4.12.1) Updates `qs` from 6.14.1 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.1...v6.15.0) Updates `ajv` from 8.17.1 to 8.18.0 - [Release notes](https://github.com/ajv-validator/ajv/releases) - [Commits](ajv-validator/ajv@v8.17.1...v8.18.0) Updates `next` from 15.4.10 to 15.5.10 - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.4.10...v15.5.10) Updates `qs` from 6.14.1 to 6.15.0 - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.1...v6.15.0) --- updated-dependencies: - dependency-name: ajv dependency-version: 8.18.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: "@modelcontextprotocol/sdk" dependency-version: 1.26.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 8.18.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: ajv dependency-version: 8.18.0 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: next dependency-version: 15.5.10 dependency-type: direct:production dependency-group: npm_and_yarn - dependency-name: qs dependency-version: 6.15.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> * chore(deps): bump minimatch Bumps the npm_and_yarn group with 1 update in the /scripts/archive/supabase_cleanup directory: [minimatch](https://github.com/isaacs/minimatch). Updates `minimatch` from 3.1.2 to 3.1.4 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.4) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.4 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> * chore(deps): bump the npm_and_yarn group across 2 directories with 1 update Bumps the npm_and_yarn group with 1 update in the / directory: [hono](https://github.com/honojs/hono). Bumps the npm_and_yarn group with 1 update in the /docs/knowledge_prototypes/mcp-servers/fetch-mcp directory: [hono](https://github.com/honojs/hono). Updates `hono` from 4.12.1 to 4.12.2 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.1...v4.12.2) Updates `hono` from 4.12.1 to 4.12.2 - [Release notes](https://github.com/honojs/hono/releases) - [Commits](honojs/hono@v4.12.1...v4.12.2) --- updated-dependencies: - dependency-name: hono dependency-version: 4.12.2 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: hono dependency-version: 4.12.2 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> * feat: enable frontend-only video ingestion pipeline for Vercel deployment The core pipeline previously required the Python backend to be running. When deployed to Vercel (https://v0-uvai.vercel.app/), the backend is unavailable, causing all video analysis to fail immediately. Changes: - /api/video: Falls back to frontend-only pipeline (transcribe + extract) when the Python backend is unreachable, with 15s timeout - /api/transcribe: Adds Gemini fallback when OpenAI is unavailable, plus 8s timeout on backend probe to avoid hanging on Vercel - layout.tsx: Loads Google Fonts via <link> instead of next/font/google to avoid build failures in offline/sandboxed CI environments - page.tsx: Replace example URLs with technical content (3Blue1Brown neural networks, Karpathy LLM intro) instead of rick roll / zoo videos - gemini_service.py: Gate Vertex AI import behind GOOGLE_CLOUD_PROJECT env var to prevent 30s+ hangs on the GCE metadata probe - agent_gap_analyzer.py: Fix f-string backslash syntax errors (Python 3.11) https://claude.ai/code/session_015Pd3a6hinTenCNrPRGiZqE * Potential fix for code scanning alert no. 4518: Server-side request forgery Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Initial plan * Potential fix for code scanning alert no. 4517: Server-side request forgery Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * Initial plan * Fix review feedback: timeout cleanup, transcript_segments shape, ENABLE_VERTEX_AI boolean parsing Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com> * fix: clearTimeout in finally blocks, transcript_segments shape, ENABLE_VERTEX_AI boolean parsing Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com> * Update src/youtube_extension/services/ai/gemini_service.py Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com> * Update apps/web/src/app/api/video/route.ts Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com> * Update apps/web/src/app/api/video/route.ts Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com> * Initial plan * Initial plan * Fix: move clearTimeout into .finally() to prevent timer leaks on fetch abort/error Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com> * Fix clearTimeout not called in finally blocks for AbortController timeouts Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com> * Fix: Relative URLs in server-side fetch calls fail in production - fetch('/api/transcribe') and fetch('/api/extract-events') use relative URLs which don't resolve correctly in server-side Next.js code on production deployments like Vercel. This commit fixes the issue reported at apps/web/src/app/api/video/route.ts:101 ## Bug Analysis **Why it happens:** In Next.js API routes running on the server (Node.js runtime), the `fetch()` API requires absolute URLs. Unlike browsers which have an implicit base URL (the current origin), server-side code has no context for resolving relative URLs like `/api/transcribe`. The Node.js fetch implementation will fail to resolve these relative paths, resulting in TypeError or connection errors. **When it manifests:** - **Development (localhost:3000)**: Works accidentally because the request URL contains the host - **Production (Vercel)**: Fails because the relative URL cannot be resolved to a valid absolute URL without proper host context **What impact it has:** The frontend-only pipeline fallback (Strategy 2) in lines 101-132 is completely broken in production. When the backend is unavailable (common on Vercel), the code attempts to use `/api/transcribe` and `/api/extract-events` serverless functions but fails due to unresolvable relative URLs. This causes the entire video analysis endpoint to fail when the backend is unavailable. ## Fix Explanation **Changes made:** 1. Added a `getBaseUrl(request: Request)` helper function that extracts the absolute base URL from the incoming request object using `new URL(request.url)` 2. Updated line 108: `fetch('/api/transcribe', ...)` → `fetch(`${baseUrl}/api/transcribe`, ...)` 3. Updated line 127: `fetch('/api/extract-events', ...)` → `fetch(`${baseUrl}/api/extract-events`, ...)` **Why it solves the issue:** - The incoming `request` object contains the full URL including protocol and host - By constructing an absolute URL from the request, we ensure the fetch calls work in both development and production - This approach is more reliable than environment variables because it uses the actual request context, handling reverse proxies and different deployment configurations correctly Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com> Co-authored-by: groupthinking <garveyht@gmail.com> * Initial plan * chore(deps): bump the npm_and_yarn group across 1 directory with 1 update Bumps the npm_and_yarn group with 1 update in the /docs/knowledge_prototypes/mcp-servers/fetch-mcp directory: [minimatch](https://github.com/isaacs/minimatch). Updates `minimatch` from 3.1.2 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) Updates `minimatch` from 5.1.6 to 5.1.9 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: minimatch dependency-version: 5.1.9 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com> * fix: validate BACKEND_URL before using it Skip backend calls entirely when BACKEND_URL is not configured or contains an invalid value (like a literal ${...} template string). This prevents URL parse errors on Vercel where the env var may not be set. https://claude.ai/code/session_015Pd3a6hinTenCNrPRGiZqE * fix: resolve embeddings package build errors (#41) - Create stub types for Firebase Data Connect SDK in src/dataconnect-generated/ - Fix import path from ../dataconnect-generated to ./dataconnect-generated (rootDir constraint) - Add explicit type assertions for JSON responses (predictions, access_token) - All 6 TypeScript errors resolved, clean build verified Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: Gemini SDK upgrade + VideoPack schema alignment (#43) * chore: Update generated Chrome profile cache and session data for notebooklm. * chore: refresh notebooklm Chrome profile data, including Safe Browsing lists, caches, and session files. * Update local application cache and database files within the NotebookLM Chrome profile. * chore: update Chrome profile cache and Safe Browsing data files. * feat: upgrade Gemini to @google/genai SDK with structured output, search grounding, video URL processing, and extend VideoPack schema - Upgrade extract-events/route.ts from @google/generative-ai to @google/genai - Add Gemini responseSchema with Type system for structured output enforcement - Add Google Search grounding (googleSearch tool) to Gemini calls - Upgrade transcribe/route.ts to @google/genai with direct YouTube URL processing via fileData - Add Gemini video URL fallback chain: direct video → text+search → other strategies - Extend VideoPackV0 schema with Chapter, CodeCue, Task models - Update versioning shim for new fields - Export new types from videopack __init__ Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: wire CloudEvents pipeline + Chrome Built-in AI fallback (#44) - Add TypeScript CloudEvents publisher (apps/web/src/lib/cloudevents.ts) emitting standardized events at each video processing stage - Wire CloudEvents into /api/video route (both backend + frontend strategies) - Wire CloudEvents into FastAPI backend router (process_video_v1 endpoint) - Add Chrome Built-in AI service (Prompt API + Summarizer API) for on-device client-side transcript analysis when API keys are unavailable - Add useBuiltInAI React hook for component integration - Add .next/ to .gitignore Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: wire A2A inter-agent messaging into orchestrator + API (#45) - Add A2AContextMessage dataclass to AgentOrchestrator for lightweight inter-agent context sharing during parallel task execution - Auto-broadcast agent results to peer agents after parallel execution - Add send_a2a_message() and get_a2a_log() methods to orchestrator - Add POST /api/v1/agents/a2a/send endpoint for frontend-to-agent messaging - Add GET /api/v1/agents/a2a/log endpoint to query message history - Extend frontend agentService with sendA2AMessage() and getA2ALog() Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: add LiteRT-LM setup script and update README (#46) - Add setup.sh to download lit CLI binary and .litertlm model - Support macOS arm64 and x86_64 architectures - Auto-generate .env with LIT_BINARY_PATH and LIT_MODEL_PATH - Add .gitignore for bin/, models/, .env - Update README with Quick Setup section Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: implement Gemini agentic video analysis with Google Search grounding (#47) - Create gemini-video-analyzer.ts: single Gemini call with googleSearch tool for transcript extraction AND event analysis (PK=998 pattern) - Add youtube-metadata.ts: scrapes title, description, chapters from YouTube without API key - Update /api/video: Gemini agentic analysis as primary strategy, transcribe→extract chain as fallback - Fix /api/transcribe: remove broken fileData.fileUri, use Gemini Google Search grounding as primary, add metadata context, filter garbage OpenAI results - Fix /api/extract-events: accept videoUrl without requiring transcript, direct Gemini analysis via Google Search when no transcript available Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: support Vertex_AI_API_KEY as Gemini key fallback Create shared gemini-client.ts that resolves API key from: GEMINI_API_KEY → GOOGLE_API_KEY → Vertex_AI_API_KEY All API routes now use the shared client instead of hardcoding process.env.GEMINI_API_KEY. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: use Vertex AI Express Mode for Vertex_AI_API_KEY When only Vertex_AI_API_KEY is set (no GEMINI_API_KEY), the client now initializes in Vertex AI mode with vertexai: true + apiKey. Uses project uvai-730bb and us-central1 as defaults. Also added GOOGLE_CLOUD_PROJECT env var to Vercel. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: Vertex AI Express Mode compatibility — remove responseSchema+googleSearch conflict (#48) Vertex AI does not support controlled generation (responseSchema) combined with the googleSearch tool. This caused 400 errors on every Gemini call. Changes: - gemini-client.ts: Prioritize Vertex_AI_API_KEY, support GOOGLE_GENAI_USE_VERTEXAI env var - gemini-video-analyzer.ts: Remove responseSchema, enforce JSON via prompt instructions - extract-events/route.ts: Same fix for extractWithGemini and inline Gemini calls - Strip markdown code fences from responses before JSON parsing Tested end-to-end with Vertex AI Express Mode key against multiple YouTube videos. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: restore full PK=998 pattern — responseSchema + googleSearch + gemini-3-pro-preview (#49) The previous fix (PR #48) was a shortcut — it removed responseSchema when the real issue was using gemini-2.5-flash which doesn't support responseSchema + googleSearch together on Vertex AI. gemini-3-pro-preview DOES support the combination. This commit restores the exact PK=998 pattern: - gemini-video-analyzer.ts: Restored responseSchema with Type system, responseMimeType, e22Snippets field, model → gemini-3-pro-preview - extract-events/route.ts: Restored geminiResponseSchema, Type import, responseMimeType, model → gemini-3-pro-preview - transcribe/route.ts: model → gemini-3-pro-preview Tested with Vertex AI Express Mode key on two YouTube videos. Both return structured JSON with events, transcript, actions, codeMapping, cloudService, e22Snippets, architectureCode, ingestScript. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * feat: end-to-end pipeline — YouTube URL to deployed software (#50) - Add /api/pipeline route for full end-to-end pipeline (video analysis → code generation → GitHub repo → Vercel deploy) - Add deployPipeline() action to dashboard store with stage tracking - Add 🚀 Deploy button to dashboard alongside Analyze - Show pipeline results (live URL, GitHub repo, framework) in video cards - Fix deployment_manager import path in video_processing_service - Wire pipeline to backend /api/v1/video-to-software endpoint - Fallback to Gemini-only analysis when no backend available Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: add writable directories to Docker image for deployment pipeline Create /app/generated_projects, /app/youtube_processed_videos, and /tmp/uvai_data directories in Dockerfile to fix permission denied errors in the deployment and video processing pipeline on Railway. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: security hardening, video-specific codegen, API consistency - CORS: replace wildcard/glob with explicit allowed origins in both entry points - Rate limiting: enable 60 req/min with 15 burst on backend - API auth: add optional X-API-Key middleware for pipeline endpoints - Codegen: generate video-specific HTML/CSS/JS from analysis output - API: accept both 'url' and 'video_url' via Pydantic alias - Deploy: fix Vercel REST API payload format (gitSource instead of gitRepository) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: Vercel deployment returning empty live_url Root causes fixed: - Case mismatch in _poll_deployment_status: compared lowercased status against uppercase success_statuses list, so READY was never matched - Vercel API returns bare domain URLs without https:// prefix; added _ensure_https() to normalize them - Poll requests were missing auth headers, causing 401 failures - _deploy_files_directly fallback returned fake simulated URLs that masked real failures; removed in favor of proper error reporting - _generate_deployment_urls only returned URLs from 'success' status deployments, discarding useful fallback URLs from failed deployments Improvements: - On API failure (permissions, plan limits), return a Vercel import URL the user can click to deploy manually instead of an empty string - Support VERCEL_ORG_ID team scoping on deploy and poll endpoints - Use readyState field (Vercel v13 API) for initial status check - Add 'canceled' to failure status list in poll loop - Poll failures are now non-fatal; initial URL is used as fallback Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: harden slim entry point — CORS, rate limiting, auth, security headers - Add uvaiio.vercel.app to CORS allowed origins - Add slowapi rate limiting (60 req/min) - Add API key auth middleware (optional via EVENTRELAY_API_KEY) - Add security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection) - Fixes production gap where slim main.py had none of the backend/main.py protections Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: resolve Pydantic Config/model_config conflict breaking Railway deploy The VideoToSoftwareRequest model had both 'model_config = ConfigDict(...)' and 'class Config:' which Pydantic v2 rejects. Merged into single model_config. This was causing the v1 router to fail loading, making /api/v1/health return 404. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com> Co-authored-by: Vercel <vercel[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds setup.sh to download the lit CLI binary and a default .litertlm model for the LiteRT MCP server. Updates README with quick setup instructions.