Make TriggerNotTriggeredAction a regular function

Call did_not_trigger when entity triggers do not match
Add optional callback did_not_trigger to triggers
2026-06-18 09:52:57 +02:00 · 2026-06-17 13:08:31 +02:00 · 2026-06-17 10:34:27 +02:00 · 2026-06-17 10:34:08 +02:00 · 2026-06-17 09:23:32 +02:00 · 2026-06-17 09:22:25 +02:00
971 changed files with 38289 additions and 4857 deletions
@@ -22,4 +22,4 @@ requirements.txt linguist-generated=true
 requirements_all.txt linguist-generated=true
 requirements_test_pre_commit.txt linguist-generated=true
 script/hassfest/docker/Dockerfile linguist-generated=true
-.github/workflows/*.lock.yml linguist-generated=true
+.github/workflows/*.lock.yml linguist-generated=true merge=ours
@@ -6,6 +6,7 @@

 - Start review comments with a short, one-sentence summary of the suggested fix.
 - Do not comment on code style, formatting or linting issues.
+- Flag comments that over-explain straightforward code, narrate the obvious, or read like AI commentary (multi-sentence justifications for a single line).
 - A Pull Request with a dependency version bump should only contain changes required for the version bump. If the PR includes other changes, request that they are removed from the PR.

 # GitHub Copilot & Claude Code Instructions
@@ -50,4 +51,5 @@ This repository contains the core of Home Assistant, a Python 3 based home autom
 - Integrations with Platinum or Gold level in the Integration Quality Scale reflect a high standard of code quality and maintainability. When looking for examples of something, these are good places to start. The level is indicated in the manifest.json of the integration.
 - When reviewing entity actions, do not suggest extra defensive checks for input fields that are already validated by Home Assistant's service/action schemas and entity selection filters. Suggest additional guards only when data bypasses those validators or is transformed into a less-safe form.
 - When validation guarantees a dict key exists, prefer direct key access (`data["key"]`) instead of `.get("key")` so contract violations are surfaced instead of silently masked.
- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why — non-obvious constraints, surprising behavior, or workarounds — never what.
+- Keep comments concise. Prefer one short line stating the non-obvious constraint, or no comment at all.
+- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why (non-obvious constraints, surprising behavior, or workarounds), never what. Never add comments that justify a change by referencing what the code looked like before.
@@ -14,3 +14,4 @@ updates:
    ignore:
      # Managed by gh aw compile. Version-locked to the gh-aw compiler; do not bump.
      - dependency-name: "github/gh-aw-actions/**"
+      - dependency-name: "github/gh-aw-actions"
@@ -193,7 +193,7 @@ jobs:
          echo "${GITHUB_SHA};${GITHUB_REF};${GITHUB_EVENT_NAME};${GITHUB_ACTOR}" > rootfs/OFFICIAL_IMAGE

      - name: Build base image
-        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        uses: home-assistant/builder/actions/build-image@4de35182ce1e329181bffcbcc84d33db5e2c7e10 # 2026.06.0
        with:
          arch: ${{ matrix.arch }}
          build-args: |
@@ -264,7 +264,7 @@ jobs:
          fi

      - name: Build machine image
-        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        uses: home-assistant/builder/actions/build-image@4de35182ce1e329181bffcbcc84d33db5e2c7e10 # 2026.06.0
        with:
          arch: ${{ matrix.arch }}
          build-args: |
@@ -50,19 +50,24 @@ jobs:
          check-latest: true
      - name: Install script dependencies
        run: pip install -r script/check_requirements/requirements.txt
-      - name: Collect PR diff
+      - name: Collect PR diff and head SHA
+        id: pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
        run: |
          mkdir -p deterministic
          gh pr diff "${PR_NUMBER}" > deterministic/pr.diff
+          HEAD_SHA=$(gh pr view "${PR_NUMBER}" --json headRefOid --jq '.headRefOid')
+          echo "head_sha=${HEAD_SHA}" >> "${GITHUB_OUTPUT}"
      - name: Run deterministic checks
        env:
          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
+          HEAD_SHA: ${{ steps.pr.outputs.head_sha }}
        run: |
          python -m script.check_requirements \
            --pr-number "${PR_NUMBER}" \
+            --head-sha "${HEAD_SHA}" \
            --diff deterministic/pr.diff \
            --output deterministic/results.json
      - name: Upload deterministic-results artifact
@@ -1,5 +1,5 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"75b8b624ba0c144fb4b28cba143d16a47c30de8afae568fa3256c6febe01a68a","compiler_version":"v0.74.4","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"d3abfe96a194bce3a523ed2093ddedd5704cdf62","version":"v0.74.4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.46"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.9","digest":"sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
+# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"7b142e96e0f8b454cdcc9c0c25070cf9a52c44d83a6b1fbc3ad6725b6567337c","body_hash":"3894ded07d5934ac5f29d160ffb1f9115cf72b6da8a7e453a4d4f69e8641a48e","compiler_version":"v0.79.6","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"v0.79.6","version":"v0.79.6"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2","digest":"sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2","digest":"sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2","digest":"sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.25","digest":"sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa"},{"image":"ghcr.io/github/github-mcp-server:v1.1.2","digest":"sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c","pinned_image":"ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c"}]}
 #    ___                   _   _      
 #   / _ \                 | | (_)     
 #  | |_| | __ _  ___ _ __ | |_ _  ___ 
@@ -14,7 +14,7 @@
 # \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
 #  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
 #
-# This file was automatically generated by gh-aw (v0.74.4). DO NOT EDIT.
+# This file was automatically generated by gh-aw (v0.79.6). DO NOT EDIT.
 #
 # To update this file, edit the corresponding .md file and run:
 #   gh aw compile
@@ -36,15 +36,14 @@
 #   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 #   - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 #   - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-#   - github/gh-aw-actions/setup@73ed520ae4ecd087a485e1991605595978b32ac1 # v0.78.1
+#   - github/gh-aw-actions/setup@v0.79.6
 #
 # Container images used:
-#   - ghcr.io/github/gh-aw-firewall/agent:0.25.46
-#   - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46
-#   - ghcr.io/github/gh-aw-firewall/squid:0.25.46
-#   - ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388
-#   - ghcr.io/github/github-mcp-server:v1.0.4
-#   - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
+#   - ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6
+#   - ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4
+#   - ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591
+#   - ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa
+#   - ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c

 name: "Check requirements (AW)"
 on:
@@ -59,15 +58,13 @@ permissions: {}

 concurrency:
  cancel-in-progress: true
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}

 run-name: "Check requirements (AW)"

 jobs:
  activation:
-    needs:
-      - extract_pr_number
-      - pre_activation
+    needs: pre_activation
    # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation
    if: >
      (needs.pre_activation.outputs.activated == 'true') && (github.event_name != 'workflow_run' || github.event.workflow_run.repository.id == github.repository_id &&
@@ -76,9 +73,14 @@ jobs:
    permissions:
      actions: read
      contents: read
+    env:
+      GH_AW_MAX_DAILY_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_DAILY_AI_CREDITS || '5000' }}
    outputs:
      comment_id: ""
      comment_repo: ""
+      daily_effective_workflow_exceeded: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_exceeded == 'true' }}
+      daily_effective_workflow_threshold: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_threshold || '' }}
+      daily_effective_workflow_total_effective_tokens: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_total_effective_tokens || '' }}
      engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
      lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
      model: ${{ steps.generate_aw_info.outputs.model }}
@@ -90,33 +92,35 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@73ed520ae4ecd087a485e1991605595978b32ac1 # v0.78.1
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
          trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }}
+          safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_AI_CREDITS != '' }}
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Generate agentic run info
        id: generate_aw_info
        env:
          GH_AW_INFO_ENGINE_ID: "copilot"
          GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
-          GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
-          GH_AW_INFO_VERSION: "1.0.48"
-          GH_AW_INFO_AGENT_VERSION: "1.0.48"
-          GH_AW_INFO_CLI_VERSION: "v0.74.4"
+          GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AGENT_VERSION: "1.0.60"
+          GH_AW_INFO_CLI_VERSION: "v0.79.6"
          GH_AW_INFO_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_INFO_EXPERIMENTAL: "false"
          GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
          GH_AW_INFO_STAGED: "false"
          GH_AW_INFO_ALLOWED_DOMAINS: '["python"]'
          GH_AW_INFO_FIREWALL_ENABLED: "true"
-          GH_AW_INFO_AWF_VERSION: "v0.25.46"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_AWMG_VERSION: ""
          GH_AW_INFO_FIREWALL_TYPE: "squid"
          GH_AW_COMPILED_STRICT: "true"
@@ -127,6 +131,24 @@ jobs:
            setupGlobals(core, github, context, exec, io, getOctokit);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
            await main(core, context);
+      - name: Check daily workflow token guardrail
+        id: daily-effective-workflow-guardrail
+        if: ${{ env.GH_AW_MAX_DAILY_AI_CREDITS != '' }}
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_ID: "check-requirements"
+          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          GH_AW_WORKFLOW_DISPATCH_AW_CONTEXT: ${{ github.event.inputs.aw_context || '' }}
+          GH_AW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_AW_MAX_DAILY_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_DAILY_AI_CREDITS || '5000' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_daily_aic_workflow_guardrail.cjs');
+            await main();
      - name: Validate COPILOT_GITHUB_TOKEN secret
        id: validate-secret
        run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
@@ -139,6 +161,7 @@ jobs:
          sparse-checkout: |
            .github
            .agents
+            .antigravity
            .claude
            .codex
            .crush
@@ -149,8 +172,8 @@ jobs:
          fetch-depth: 1
      - name: Save agent config folders for base branch restoration
        env:
-          GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
-          GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
+          GH_AW_AGENT_FOLDERS: ".agents .antigravity .claude .codex .crush .gemini .github .opencode .pi"
+          GH_AW_AGENT_FILES: ".crush.json AGENTS.md ANTIGRAVITY.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
        # poutine:ignore untrusted_checkout_exec
        run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"
      - name: Check workflow lock file
@@ -168,7 +191,7 @@ jobs:
      - name: Check compile-agentic version
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
-          GH_AW_COMPILED_VERSION: "v0.74.4"
+          GH_AW_COMPILED_VERSION: "v0.79.6"
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
@@ -191,20 +214,20 @@ jobs:
        run: |
          bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
          {
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          <system>
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          <safe-output-tools>
          Tools: add_comment, missing_tool, missing_data, noop
          </safe-output-tools>
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          <github-context>
          The following GitHub context information is available for this workflow:
          {{#if github.actor}}
@@ -233,12 +256,12 @@ jobs:
          {{/if}}
          </github-context>
          
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          </system>
          {{#runtime-import .github/workflows/check-requirements.md}}
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          } > "$GH_AW_PROMPT"
      - name: Interpolate variables and render templates
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -306,12 +329,15 @@ jobs:
          include-hidden-files: true
          path: |
            /tmp/gh-aw/aw_info.json
+            /tmp/gh-aw/model_multipliers.json
+            /tmp/gh-aw/models.json
            /tmp/gh-aw/aw-prompts/prompt.txt
            /tmp/gh-aw/aw-prompts/prompt-template.txt
            /tmp/gh-aw/aw-prompts/prompt-import-tree.json
            /tmp/gh-aw/github_rate_limits.jsonl
            /tmp/gh-aw/base
            /tmp/gh-aw/.github/agents
+            /tmp/gh-aw/.github/skills
          if-no-files-found: ignore
          retention-days: 1

@@ -319,14 +345,16 @@ jobs:
    needs:
      - activation
      - extract_pr_number
+      - gate
+    if: needs.activation.outputs.daily_effective_workflow_exceeded != 'true'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
-      issues: read
      pull-requests: read
    concurrency:
      group: "gh-aw-copilot-${{ github.workflow }}"
+      queue: max
    env:
      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
      GH_AW_ASSETS_ALLOWED_EXTS: ""
@@ -335,24 +363,27 @@ jobs:
      GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
      GH_AW_WORKFLOW_ID_SANITIZED: checkrequirements
    outputs:
-      agentic_engine_timeout: ${{ steps.detect-copilot-errors.outputs.agentic_engine_timeout || 'false' }}
+      agentic_engine_timeout: ${{ steps.detect-agent-errors.outputs.agentic_engine_timeout || 'false' }}
+      ai_credits_rate_limit_error: ${{ steps.parse-mcp-gateway.outputs.ai_credits_rate_limit_error || 'false' }}
+      aic: ${{ steps.parse-mcp-gateway.outputs.aic }}
+      ambient_context: ${{ steps.parse-mcp-gateway.outputs.ambient_context }}
      checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
      effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
-      effective_tokens_rate_limit_error: ${{ steps.parse-mcp-gateway.outputs.effective_tokens_rate_limit_error || 'false' }}
      has_patch: ${{ steps.collect_output.outputs.has_patch }}
-      inference_access_error: ${{ steps.detect-copilot-errors.outputs.inference_access_error || 'false' }}
-      mcp_policy_error: ${{ steps.detect-copilot-errors.outputs.mcp_policy_error || 'false' }}
+      inference_access_error: ${{ steps.detect-agent-errors.outputs.inference_access_error || 'false' }}
+      mcp_policy_error: ${{ steps.detect-agent-errors.outputs.mcp_policy_error || 'false' }}
      model: ${{ needs.activation.outputs.model }}
-      model_not_supported_error: ${{ steps.detect-copilot-errors.outputs.model_not_supported_error || 'false' }}
+      model_not_supported_error: ${{ steps.detect-agent-errors.outputs.model_not_supported_error || 'false' }}
      output: ${{ steps.collect_output.outputs.output }}
      output_types: ${{ steps.collect_output.outputs.output_types }}
      setup-parent-span-id: ${{ steps.setup.outputs.parent-span-id || steps.setup.outputs.span-id }}
      setup-span-id: ${{ steps.setup.outputs.span-id }}
      setup-trace-id: ${{ steps.setup.outputs.trace-id }}
+      unknown_model_ai_credits: ${{ steps.parse-mcp-gateway.outputs.unknown_model_ai_credits || 'false' }}
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@73ed520ae4ecd087a485e1991605595978b32ac1 # v0.78.1
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -361,7 +392,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Set runtime paths
        id: set-runtime-paths
@@ -406,7 +438,7 @@ jobs:
      - name: Checkout PR branch
        id: checkout-pr
        if: |
-          github.event.pull_request || github.event.issue.pull_request
+          github.event.pull_request || github.event.issue.pull_request || github.event_name == 'workflow_dispatch' && fromJSON(github.event.inputs.aw_context || '{}').item_type == 'pull_request'
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@@ -418,11 +450,11 @@ jobs:
            const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
            await main();
      - name: Install GitHub Copilot CLI
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.48
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.60
        env:
          GH_HOST: github.com
      - name: Install AWF binary
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.2
      - name: Parse integrity filter lists
        id: parse-guard-vars
        env:
@@ -438,24 +470,28 @@ jobs:
      - name: Restore agent config folders from base branch
        if: steps.checkout-pr.outcome == 'success'
        env:
-          GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
-          GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
+          GH_AW_AGENT_FOLDERS: ".agents .antigravity .claude .codex .crush .gemini .github .opencode .pi"
+          GH_AW_AGENT_FILES: ".crush.json AGENTS.md ANTIGRAVITY.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
        run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_base_github_folders.sh"
      - name: Restore inline sub-agents from activation artifact
        env:
          GH_AW_SUB_AGENT_DIR: ".github/agents"
          GH_AW_SUB_AGENT_EXT: ".agent.md"
        run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh"
+      - name: Restore inline skills from activation artifact
+        env:
+          GH_AW_SKILL_DIR: ".github/skills"
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh"
      - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.46 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46 ghcr.io/github/gh-aw-firewall/squid:0.25.46 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6 ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4 ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591 ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c
      - name: Generate Safe Outputs Config
        run: |
          mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
          mkdir -p /tmp/gh-aw/safeoutputs
          mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF'
+          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_f496a449c5dccca1_EOF'
          {"add_comment":{"max":1,"target":"${{ needs.extract_pr_number.outputs.pr_number }}"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF
+          GH_AW_SAFE_OUTPUTS_CONFIG_f496a449c5dccca1_EOF
      - name: Generate Safe Outputs Tools
        env:
          GH_AW_TOOLS_META_JSON: |
@@ -643,21 +679,21 @@ jobs:
            * ) DOCKER_SOCK_PATH=/var/run/docker.sock ;;
          esac
          DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0')
-          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9'
+          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.25'
          
          mkdir -p /home/runner/.copilot
          GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
-          cat << GH_AW_MCP_CONFIG_175174907e5a28b4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+          cat << GH_AW_MCP_CONFIG_f09adf73c5e58a42_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
          {
            "mcpServers": {
              "github": {
                "type": "stdio",
-                "container": "ghcr.io/github/github-mcp-server:v1.0.4",
+                "container": "ghcr.io/github/github-mcp-server:v1.1.2",
                "env": {
                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
                  "GITHUB_READ_ONLY": "1",
-                  "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,actions"
+                  "GITHUB_TOOLSETS": "repos,pull_requests"
                },
                "guard-policies": {
                  "allow-only": {
@@ -691,7 +727,7 @@ jobs:
              "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
            }
          }
-          GH_AW_MCP_CONFIG_175174907e5a28b4_EOF
+          GH_AW_MCP_CONFIG_f09adf73c5e58a42_EOF
      - name: Mount MCP servers as CLIs
        id: mount-mcp-clis
        continue-on-error: true
@@ -720,29 +756,48 @@ jobs:
        run: |
          set -o pipefail
          printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt
+          trap 'rm -f /home/runner/.copilot/settings.json' EXIT
+          mkdir -p /home/runner/.copilot
+          printf '%s' '{"builtInAgents":{"rubberDuck":false}}' > /home/runner/.copilot/settings.json
          touch /tmp/gh-aw/agent-step-summary.md
          GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
          export GH_AW_NODE_BIN
+          export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK"
          (umask 177 && touch /tmp/gh-aw/agent-stdio.log)
-          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.46/awf-config.schema.json","network":{"allowDomains":["*.pythonhosted.org","anaconda.org","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","binstar.org","bootstrap.pypa.io","conda.anaconda.org","conda.binstar.org","files.pythonhosted.org","github.com","host.docker.internal","pip.pypa.io","pypi.org","pypi.python.org","raw.githubusercontent.com","registry.npmjs.org","repo.anaconda.com","repo.continuum.io","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000,"models":{"auto":["large"],"coding":["copilot/gpt-5*codex*","openai/gpt-5*codex*","gpt-5-codex"],"deep-research":["copilot/deep-research*","copilot/o3-deep-research*","copilot/o4-mini-deep-research*","google/deep-research*","gemini/deep-research*","openai/o3-deep-research*","openai/o4-mini-deep-research*"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*","gemini/gemini-*flash*"],"gemini-flash-lite":["copilot/gemini-*flash*lite*","google/gemini-*flash*lite*","gemini/gemini-*flash*lite*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*","gemini/gemini-*pro*"],"gemma":["copilot/gemma*","google/gemma*","gemini/gemma*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash-lite"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"],"vision":["copilot/gemini-*image*","gemini/gemini-*image*","copilot/gemini-*flash*","gemini/gemini-*flash*"]}},"container":{"imageTag":"0.25.46"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}"
+          printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.2/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.pythonhosted.org\",\"anaconda.org\",\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"binstar.org\",\"bootstrap.pypa.io\",\"conda.anaconda.org\",\"conda.binstar.org\",\"files.pythonhosted.org\",\"github.com\",\"host.docker.internal\",\"pip.pypa.io\",\"pypi.org\",\"pypi.python.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"repo.anaconda.com\",\"repo.continuum.io\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS},\"models\":{\"agent\":[\"sonnet-6x\",\"gpt-5.4\",\"gpt-5.3\",\"gemini-pro\",\"any\"],\"antigravity\":[\"copilot/antigravity*\",\"google/antigravity*\",\"gemini/antigravity*\"],\"any\":[\"copilot/*\",\"anthropic/*\",\"openai/*\",\"google/*\",\"gemini/*\"],\"claude\":[\"agent\"],\"codex\":[\"agent\"],\"coding\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\",\"gpt-5-codex\"],\"computer-use\":[\"copilot/*computer-use*\",\"google/*computer-use*\",\"gemini/*computer-use*\",\"openai/*computer-use*\"],\"copilot\":[\"agent\"],\"deep-research\":[\"copilot/deep-research*\",\"copilot/o3-deep-research*\",\"copilot/o4-mini-deep-research*\",\"google/deep-research*\",\"gemini/deep-research*\",\"openai/o3-deep-research*\",\"openai/o4-mini-deep-research*\"],\"gemini\":[\"agent\"],\"gemini-3-flash\":[\"copilot/gemini-3*flash*\",\"google/gemini-3*flash*\",\"gemini/gemini-3*flash*\"],\"gemini-3-pro\":[\"copilot/gemini-3*pro*\",\"google/gemini-3*pro*\",\"google/nano-banana*\",\"gemini/gemini-3*pro*\"],\"gemini-3.1-flash\":[\"copilot/gemini-3.1*flash*\",\"google/gemini-3.1*flash*\",\"gemini/gemini-3.1*flash*\"],\"gemini-3.1-pro\":[\"copilot/gemini-3.1*pro*\",\"google/gemini-3.1*pro*\",\"gemini/gemini-3.1*pro*\"],\"gemini-3.5-flash\":[\"copilot/gemini-3.5*flash*\",\"google/gemini-3.5*flash*\",\"gemini/gemini-3.5*flash*\"],\"gemini-flash\":[\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"],\"gemini-flash-lite\":[\"copilot/gemini-*flash*lite*\",\"google/gemini-*flash*lite*\",\"gemini/gemini-*flash*lite*\"],\"gemini-pro\":[\"copilot/gemini-*pro*\",\"google/gemini-*pro*\",\"gemini/gemini-*pro*\"],\"gemma\":[\"copilot/gemma*\",\"google/gemma*\",\"gemini/gemma*\"],\"gpt-5\":[\"copilot/gpt-5*\",\"openai/gpt-5*\"],\"gpt-5-codex\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\"],\"gpt-5-mini\":[\"copilot/gpt-5*mini*\",\"openai/gpt-5*mini*\"],\"gpt-5-nano\":[\"copilot/gpt-5*nano*\",\"openai/gpt-5*nano*\"],\"gpt-5-pro\":[\"copilot/gpt-5*pro*\",\"openai/gpt-5*pro*\"],\"gpt-5.2\":[\"copilot/gpt-5.2*\",\"openai/gpt-5.2*\"],\"gpt-5.3\":[\"copilot/gpt-5.3*\",\"openai/gpt-5.3*\"],\"gpt-5.4\":[\"copilot/gpt-5.4*\",\"openai/gpt-5.4*\"],\"gpt-5.5\":[\"copilot/gpt-5.5*\",\"openai/gpt-5.5*\"],\"haiku\":[\"copilot/*haiku*\",\"anthropic/*haiku*\"],\"large\":[\"sonnet\",\"gpt-5-pro\",\"gpt-5\",\"gemini-pro\"],\"mai-code\":[\"copilot/MAI-Code*\",\"copilot/mai-code*\",\"openai/MAI-Code*\"],\"mini\":[\"haiku\",\"gpt-5-mini\",\"gpt-5-nano\",\"gemini-flash-lite\"],\"nano-banana\":[\"copilot/nano-banana*\",\"google/nano-banana*\",\"gemini/nano-banana*\"],\"opus\":[\"copilot/*opus*\",\"anthropic/*opus*\"],\"opusplan\":[\"opus?effort=high\"],\"reasoning\":[\"copilot/o1*\",\"copilot/o3*\",\"copilot/o4*\",\"openai/o1*\",\"openai/o3*\",\"openai/o4*\"],\"robotics\":[\"copilot/*robotics*\",\"google/*robotics*\",\"gemini/*robotics*\"],\"small\":[\"mini\"],\"small-agent\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash\"],\"sonnet\":[\"copilot/*sonnet*\",\"anthropic/*sonnet*\"],\"sonnet-6x\":[\"copilot/*sonnet-4.5*\",\"copilot/*sonnet-4.6*\",\"copilot/*sonnet-4-5-*\",\"anthropic/*sonnet-4-5-*\",\"copilot/*sonnet-4-6*\",\"anthropic/*sonnet-4-6*\"],\"summarization\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash-lite\",\"mini\"],\"vision\":[\"copilot/gemini-*image*\",\"gemini/gemini-*image*\",\"copilot/gemini-*flash*\",\"gemini/gemini-*flash*\"]}},\"container\":{\"imageTag\":\"0.27.2,squid=sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591,agent=sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6,api-proxy=sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4,cli-proxy=sha256:02f3ec08f32dc26c5427920c6a2e2f3036238fce44802f2f11ef49ed8621b5d0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
+          GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs"
+          cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json"
          GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""
          if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then
            GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"
          fi
+          GH_AW_TOOL_CACHE_MOUNT=""
+          GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"
+          if [ -d "$GH_AW_TOOL_CACHE" ]; then
+            if [[ "$GH_AW_TOOL_CACHE" != /opt/* ]]; then
+              GH_AW_TOOL_CACHE_MOUNT="$GH_AW_TOOL_CACHE:$GH_AW_TOOL_CACHE:ro"
+            fi
+          elif [ -d "/home/runner/work/_tool" ]; then
+            GH_AW_TOOL_CACHE_MOUNT="/home/runner/work/_tool:/home/runner/work/_tool:ro"
+          fi
          # shellcheck disable=SC1003
-          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
+            -- /bin/bash -c 'set +o histexpand; export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
        env:
          AWF_REFLECT_ENABLED: 1
          COPILOT_AGENT_RUNNER_TYPE: STANDALONE
-          COPILOT_API_KEY: dummy-byok-key-for-offline-mode
+          COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
+          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
+          GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }}
          GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
          GH_AW_PHASE: agent
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
          GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
-          GH_AW_VERSION: v0.74.4
+          GH_AW_TIMEOUT_MINUTES: 20
+          GH_AW_VERSION: v0.79.6
          GITHUB_API_URL: ${{ github.api_url }}
          GITHUB_AW: true
          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
@@ -756,12 +811,13 @@ jobs:
          GIT_AUTHOR_NAME: github-actions[bot]
          GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
          GIT_COMMITTER_NAME: github-actions[bot]
+          RUNNER_TEMP: ${{ runner.temp }}
          XDG_CONFIG_HOME: /home/runner
-      - name: Detect Copilot errors
-        id: detect-copilot-errors
+      - name: Detect agent errors
        if: always()
+        id: detect-agent-errors
        continue-on-error: true
-        run: node "${RUNNER_TEMP}/gh-aw/actions/detect_copilot_errors.cjs"
+        run: node "${RUNNER_TEMP}/gh-aw/actions/detect_agent_errors.cjs"
      - name: Configure Git credentials
        env:
          REPO_NAME: ${{ github.repository }}
@@ -939,10 +995,11 @@ jobs:
      - agent
      - detection
      - extract_pr_number
+      - gate
      - safe_outputs
    if: >
      always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
-      needs.activation.outputs.stale_lock_file_failed == 'true')
+      needs.activation.outputs.stale_lock_file_failed == 'true' || needs.activation.outputs.daily_effective_workflow_exceeded == 'true')
    runs-on: ubuntu-slim
    permissions:
      contents: read
@@ -961,7 +1018,7 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@73ed520ae4ecd087a485e1991605595978b32ac1 # v0.78.1
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -970,7 +1027,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Download agent output artifact
        id: download-agent-output
@@ -986,6 +1044,40 @@ jobs:
          mkdir -p /tmp/gh-aw/
          find "/tmp/gh-aw/" -type f -print
          echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
+      - name: Collect usage artifact files
+        if: always()
+        continue-on-error: true
+        run: |
+          mkdir -p /tmp/gh-aw/usage/agent /tmp/gh-aw/usage/detection
+          echo "Usage artifact source file status:"
+          for file in /tmp/gh-aw/aw-info.jsonl /tmp/gh-aw/agent_usage.jsonl /tmp/gh-aw/detection_usage.jsonl /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl; do
+            [ -f "$file" ] && echo "FOUND: $file" || echo "MISSING: $file"
+          done
+          [ -f /tmp/gh-aw/aw-info.jsonl ] && cp /tmp/gh-aw/aw-info.jsonl /tmp/gh-aw/usage/aw-info.jsonl || true
+          [ -f /tmp/gh-aw/agent_usage.jsonl ] && cp /tmp/gh-aw/agent_usage.jsonl /tmp/gh-aw/usage/agent_usage.jsonl || true
+          [ -f /tmp/gh-aw/detection_usage.jsonl ] && cp /tmp/gh-aw/detection_usage.jsonl /tmp/gh-aw/usage/detection_usage.jsonl || true
+          [ -f /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/usage/agent/token_usage.jsonl ] || : > /tmp/gh-aw/usage/agent/token_usage.jsonl
+          [ -f /tmp/gh-aw/usage/detection/token_usage.jsonl ] || : > /tmp/gh-aw/usage/detection/token_usage.jsonl
+          find /tmp/gh-aw/usage -type f -print | sort
+      - name: Upload usage artifact
+        if: always()
+        continue-on-error: true
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: usage
+          path: |
+            /tmp/gh-aw/usage/aw-info.jsonl
+            /tmp/gh-aw/usage/agent_usage.jsonl
+            /tmp/gh-aw/usage/detection_usage.jsonl
+            /tmp/gh-aw/usage/agent/token_usage.jsonl
+            /tmp/gh-aw/usage/detection/token_usage.jsonl
+          if-no-files-found: ignore
      - name: Process no-op messages
        id: noop
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -993,9 +1085,14 @@ jobs:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_NOOP_MAX: "1"
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_NOOP_REPORT_AS_ISSUE: "true"
+          GH_AW_AIC: ${{ needs.agent.outputs.aic }}
+          GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
+          GH_AW_AMBIENT_CONTEXT: ${{ needs.agent.outputs.ambient_context }}
+          GH_AW_WORKFLOW_ID: "check-requirements"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1009,6 +1106,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
          GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
@@ -1026,6 +1124,7 @@ jobs:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1040,6 +1139,7 @@ jobs:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1054,6 +1154,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_WORKFLOW_ID: "check-requirements"
@@ -1062,7 +1163,11 @@ jobs:
          GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
          GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
          GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens || '' }}
-          GH_AW_EFFECTIVE_TOKENS_RATE_LIMIT_ERROR: ${{ needs.agent.outputs.effective_tokens_rate_limit_error || 'false' }}
+          GH_AW_AI_CREDITS_RATE_LIMIT_ERROR: ${{ needs.agent.outputs.ai_credits_rate_limit_error || 'false' }}
+          GH_AW_UNKNOWN_MODEL_AI_CREDITS: ${{ needs.agent.outputs.unknown_model_ai_credits || 'false' }}
+          GH_AW_AIC: ${{ needs.agent.outputs.aic }}
+          GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
+          GH_AW_MAX_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}
          GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
          GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }}
          GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
@@ -1070,12 +1175,14 @@ jobs:
          GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
          GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
          GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
+          GH_AW_DAILY_EFFECTIVE_WORKFLOW_EXCEEDED: ${{ needs.activation.outputs.daily_effective_workflow_exceeded }}
+          GH_AW_DAILY_EFFECTIVE_WORKFLOW_TOTAL_EFFECTIVE_TOKENS: ${{ needs.activation.outputs.daily_effective_workflow_total_effective_tokens }}
+          GH_AW_DAILY_EFFECTIVE_WORKFLOW_THRESHOLD: ${{ needs.activation.outputs.daily_effective_workflow_threshold }}
          GH_AW_GROUP_REPORTS: "false"
          GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
          GH_AW_MISSING_TOOL_REPORT_AS_FAILURE: "true"
          GH_AW_MISSING_DATA_REPORT_AS_FAILURE: "true"
          GH_AW_TIMEOUT_MINUTES: "20"
-          GH_AW_MAX_EFFECTIVE_TOKENS: "25000000"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1094,13 +1201,14 @@ jobs:
    permissions:
      contents: read
    outputs:
+      aic: ${{ steps.parse_detection_token_usage.outputs.aic }}
      detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
      detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
      detection_success: ${{ steps.detection_conclusion.outputs.success }}
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@73ed520ae4ecd087a485e1991605595978b32ac1 # v0.78.1
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -1109,7 +1217,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Download agent output artifact
        id: download-agent-output
@@ -1136,7 +1245,7 @@ jobs:
          rm -rf /tmp/gh-aw/sandbox/firewall/logs
          rm -rf /tmp/gh-aw/sandbox/firewall/audit
      - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.46 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46 ghcr.io/github/gh-aw-firewall/squid:0.25.46
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6 ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4 ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591
      - name: Check if detection needed
        id: detection_guard
        if: always()
@@ -1161,7 +1270,11 @@ jobs:
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        run: |
          mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
+          rm -f /tmp/gh-aw/agent_usage.json
          cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
+          if [ ! -s /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt ]; then
+            echo "::warning::ERR_VALIDATION: Missing or empty detection context prompt at /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt. Ensure the agent artifact includes /tmp/gh-aw/aw-prompts/prompt.txt. Detection will continue with fallback workflow context."
+          fi
          cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
          for f in /tmp/gh-aw/aw-*.patch; do
            [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
@@ -1195,11 +1308,11 @@ jobs:
          node-version: '24'
          package-manager-cache: false
      - name: Install GitHub Copilot CLI
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.48
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.60
        env:
          GH_HOST: github.com
      - name: Install AWF binary
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.2
      - name: Execute GitHub Copilot CLI
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        continue-on-error: true
@@ -1209,27 +1322,46 @@ jobs:
        run: |
          set -o pipefail
          printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt
+          trap 'rm -f /home/runner/.copilot/settings.json' EXIT
+          mkdir -p /home/runner/.copilot
+          printf '%s' '{"builtInAgents":{"rubberDuck":false}}' > /home/runner/.copilot/settings.json
          touch /tmp/gh-aw/agent-step-summary.md
          GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
          export GH_AW_NODE_BIN
+          export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK"
          (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
-          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.46/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000},"container":{"imageTag":"0.25.46"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}"
+          printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.2/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.2,squid=sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591,agent=sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6,api-proxy=sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4,cli-proxy=sha256:02f3ec08f32dc26c5427920c6a2e2f3036238fce44802f2f11ef49ed8621b5d0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
+          GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs"
+          cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json"
          GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""
          if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then
            GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"
          fi
+          GH_AW_TOOL_CACHE_MOUNT=""
+          GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"
+          if [ -d "$GH_AW_TOOL_CACHE" ]; then
+            if [[ "$GH_AW_TOOL_CACHE" != /opt/* ]]; then
+              GH_AW_TOOL_CACHE_MOUNT="$GH_AW_TOOL_CACHE:$GH_AW_TOOL_CACHE:ro"
+            fi
+          elif [ -d "/home/runner/work/_tool" ]; then
+            GH_AW_TOOL_CACHE_MOUNT="/home/runner/work/_tool:/home/runner/work/_tool:ro"
+          fi
          # shellcheck disable=SC1003
-          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
+          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
+            -- /bin/bash -c 'set +o histexpand; GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
        env:
          AWF_REFLECT_ENABLED: 1
          COPILOT_AGENT_RUNNER_TYPE: STANDALONE
-          COPILOT_API_KEY: dummy-byok-key-for-offline-mode
+          COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || 'claude-sonnet-4.6' }}
+          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
+          GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }}
          GH_AW_PHASE: detection
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
-          GH_AW_VERSION: v0.74.4
+          GH_AW_TIMEOUT_MINUTES: 20
+          GH_AW_VERSION: v0.79.6
          GITHUB_API_URL: ${{ github.api_url }}
          GITHUB_AW: true
          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
@@ -1242,7 +1374,21 @@ jobs:
          GIT_AUTHOR_NAME: github-actions[bot]
          GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
          GIT_COMMITTER_NAME: github-actions[bot]
+          RUNNER_TEMP: ${{ runner.temp }}
          XDG_CONFIG_HOME: /home/runner
+      - name: Parse threat detection token usage for step summary
+        id: parse_detection_token_usage
+        if: always()
+        continue-on-error: true
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          GH_AW_TOKEN_USAGE_SUMMARY_TITLE: Threat Detection Token Usage
+        with:
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
+            await main();
      - name: Upload threat detection log
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -1284,7 +1430,8 @@ jobs:
            }

  extract_pr_number:
-    if: github.event.workflow_run.conclusion == 'success'
+    needs: gate
+    if: needs.gate.outputs.skip != 'true' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      actions: read
@@ -1295,6 +1442,7 @@ jobs:
      - name: Configure GH_HOST for enterprise compatibility
        id: ghes-host-config
        shell: bash
+        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
        run: |
          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
@@ -1314,6 +1462,78 @@ jobs:
          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"

+  gate:
+    needs: activation
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      pull-requests: read
+
+    outputs:
+      skip: ${{ steps.gate.outputs.skip }}
+    steps:
+      - name: Configure GH_HOST for enterprise compatibility
+        id: ghes-host-config
+        shell: bash
+        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
+        run: |
+          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
+          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
+          GH_HOST="${GITHUB_SERVER_URL#https://}"
+          GH_HOST="${GH_HOST#http://}"
+          echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
+      - name: Download deterministic-results artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          name: check-requirements-deterministic
+          path: /tmp/gate
+          run-id: ${{ github.event.workflow_run.id }}
+      - name: Decide whether requirements changed since the last comment
+        id: gate
+        run: |
+          PR=$(jq -r '.pr_number' /tmp/gate/results.json)
+          HEAD=$(jq -r '.head_sha // empty' /tmp/gate/results.json)
+          if [ -z "${HEAD}" ]; then
+            echo "Artifact has no head_sha; running the agent."
+            exit 0
+          fi
+          # Recover the commit recorded in the most recent requirements-check
+          # comment from the "Checked at commit" link
+          PRIOR=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR}/comments" \
+            --jq '.[] | select(.body | contains("<!-- requirements-check -->")) | .body' \
+            | grep -oiE '/commit/[0-9a-f]{40}' \
+            | grep -oiE '[0-9a-f]{40}' | tail -1 || true)
+          if [ -z "${PRIOR}" ]; then
+            echo "No previous comment with a recorded commit; running the agent."
+            exit 0
+          fi
+          if [ "${PRIOR}" = "${HEAD}" ]; then
+            echo "Head ${HEAD} unchanged since the last comment; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            exit 0
+          fi
+          # List files changed between the recorded commit and the current head.
+          # Tracked patterns mirror script/check_requirements/diff.py TRACKED_PATTERNS.
+          CHANGED=$(gh api "repos/${GITHUB_REPOSITORY}/compare/${PRIOR}...${HEAD}" \
+            --jq '.files[].filename' 2>/dev/null) || {
+            echo "Could not compare ${PRIOR}...${HEAD}; running the agent."
+            exit 0
+          }
+          TRACKED=$(printf '%s\n' "${CHANGED}" \
+            | grep -Ex 'requirements.*\.txt|homeassistant/package_constraints\.txt' || true)
+          if [ -z "${TRACKED}" ]; then
+            echo "No tracked requirement files changed since ${PRIOR}; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "Tracked requirement files changed since ${PRIOR}; running the agent:"
+            printf '%s\n' "${TRACKED}"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
  pre_activation:
    runs-on: ubuntu-slim
    outputs:
@@ -1325,14 +1545,15 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@73ed520ae4ecd087a485e1991605595978b32ac1 # v0.78.1
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Check team membership for workflow
        id: check_membership
@@ -1360,17 +1581,22 @@ jobs:
      discussions: write
      issues: write
      pull-requests: write
-    timeout-minutes: 15
+    timeout-minutes: 45
    env:
+      GH_AW_AGENT_AIC: ${{ needs.agent.outputs.aic }}
+      GH_AW_AIC: ${{ needs.agent.outputs.aic }}
+      GH_AW_AMBIENT_CONTEXT: ${{ needs.agent.outputs.ambient_context }}
      GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/check-requirements"
      GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
      GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
      GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
      GH_AW_ENGINE_ID: "copilot"
      GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
-      GH_AW_ENGINE_VERSION: "1.0.48"
+      GH_AW_ENGINE_VERSION: "1.0.60"
+      GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
      GH_AW_WORKFLOW_ID: "check-requirements"
      GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+      GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
    outputs:
      code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
      code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
@@ -1383,7 +1609,7 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@73ed520ae4ecd087a485e1991605595978b32ac1 # v0.78.1
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -1392,7 +1618,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Download agent output artifact
        id: download-agent-output
@@ -1411,6 +1638,7 @@ jobs:
      - name: Configure GH_HOST for enterprise compatibility
        id: ghes-host-config
        shell: bash
+        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
        run: |
          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
@@ -1422,6 +1650,7 @@ jobs:
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+          GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
          GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com"
          GITHUB_SERVER_URL: ${{ github.server_url }}
          GITHUB_API_URL: ${{ github.api_url }}
@@ -6,7 +6,6 @@ on:
 permissions:
  contents: read
  actions: read
-  issues: read
  pull-requests: read
 network:
  allowed:
@@ -14,7 +13,7 @@ network:
 tools:
  web-fetch: {}
  github:
-    toolsets: [default, actions]
+    toolsets: [repos, pull_requests]
    min-integrity: unapproved
 safe-outputs:
  add-comment:
@@ -23,9 +22,70 @@ safe-outputs:
  needs:
    - extract_pr_number
 jobs:
-  extract_pr_number:
+  gate:
+    # Skip the (token-spending) agent when no tracked requirement file changed
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      pull-requests: read
+    outputs:
+      skip: ${{ steps.gate.outputs.skip }}
+    steps:
+      - name: Download deterministic-results artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: check-requirements-deterministic
+          path: /tmp/gate
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Decide whether requirements changed since the last comment
+        id: gate
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR=$(jq -r '.pr_number' /tmp/gate/results.json)
+          HEAD=$(jq -r '.head_sha // empty' /tmp/gate/results.json)
+          if [ -z "${HEAD}" ]; then
+            echo "Artifact has no head_sha; running the agent."
+            exit 0
+          fi
+          # Recover the commit recorded in the most recent requirements-check
+          # comment from the "Checked at commit" link
+          PRIOR=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR}/comments" \
+            --jq '.[] | select(.body | contains("<!-- requirements-check -->")) | .body' \
+            | grep -oiE '/commit/[0-9a-f]{40}' \
+            | grep -oiE '[0-9a-f]{40}' | tail -1 || true)
+          if [ -z "${PRIOR}" ]; then
+            echo "No previous comment with a recorded commit; running the agent."
+            exit 0
+          fi
+          if [ "${PRIOR}" = "${HEAD}" ]; then
+            echo "Head ${HEAD} unchanged since the last comment; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            exit 0
+          fi
+          # List files changed between the recorded commit and the current head.
+          # Tracked patterns mirror script/check_requirements/diff.py TRACKED_PATTERNS.
+          CHANGED=$(gh api "repos/${GITHUB_REPOSITORY}/compare/${PRIOR}...${HEAD}" \
+            --jq '.files[].filename' 2>/dev/null) || {
+            echo "Could not compare ${PRIOR}...${HEAD}; running the agent."
+            exit 0
+          }
+          TRACKED=$(printf '%s\n' "${CHANGED}" \
+            | grep -Ex 'requirements.*\.txt|homeassistant/package_constraints\.txt' || true)
+          if [ -z "${TRACKED}" ]; then
+            echo "No tracked requirement files changed since ${PRIOR}; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "Tracked requirement files changed since ${PRIOR}; running the agent:"
+            printf '%s\n' "${TRACKED}"
+          fi
+  extract_pr_number:
+    needs: gate
+    if: needs.gate.outputs.skip != 'true' && github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
    permissions:
      actions: read
    outputs:
@@ -44,7 +104,7 @@ jobs:
          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
  cancel-in-progress: true
 steps:
  - name: Download deterministic-results artifact
@@ -83,296 +143,289 @@ description: >

 # Check requirements (AW)

-You are a code review assistant for the Home Assistant project. The
-deterministic stage has already evaluated every check it can on its own
-and produced an artifact containing the PR number, per-package check
-results, and a pre-rendered comment with placeholders. **Your only job is
-to read that artifact, resolve any `needs_agent` checks, and post the
-final comment.**
+You are a code-review assistant for Home Assistant. The deterministic
+stage already evaluated every check it can and produced an artifact at
+`/tmp/gh-aw/deterministic/results.json`. Your only job is to resolve any
+`needs_agent` checks and post the rendered comment.

-## Step 1 — Read the deterministic-stage artifact
+## Step 1 — Read the artifact

-The deterministic stage uploaded its results to the runner at
-`/tmp/gh-aw/deterministic/results.json`.
+Read the JSON directly for the full schema. Key fields:

-The JSON has this shape:
+- `pr_number`, `needs_agent` (bool), `packages[]`, `rendered_comment`.
+- Each `package`: `name`, `old_version` (`null` if new), `new_version`,
+  `repo_url`, `publisher_kind`, `checks` (keyed by check-kind, each
+  with `status` of `pass`/`warn`/`fail`/`needs_agent` and `details`).
+- `rendered_comment` contains, for each `needs_agent` check, two
+  placeholders to replace:
+  - `{{CHECK_CELL:<pkg>:<kind>}}` → exactly one of `✅`, `☑️`, `⚠️`, `❌`.  The
+    **`security`** check kind uses `☑️` instead of `✅` for the success
+    case — see its section below for why.
+  - `{{CHECK_DETAIL:<pkg>:<kind>}}` → `<icon> <one-line explanation>`
+    (the bullet's `- **<label>**:` prefix is already rendered; replace
+    only the placeholder).

- `pr_number` — the PR being checked. The `add_comment` safe-output is
-  already targeted at this PR (a pre-job extracts `pr_number` from the
-  artifact and the workflow wires it into the safe-output config via
-  `needs.extract_pr_number.outputs.pr_number`), so **you do not need to
-  set `item_number` yourself** — just emit `add_comment` with the
-  rendered body.
- `needs_agent` — `true` iff any package's check needs resolution.
- `packages[]` — one entry per changed package. Each entry has:
-  - `name`, `old_version` (`null` for a newly added package; otherwise the
-    previous pin), `new_version`, `repo_url`, `publisher_kind`.
-  - `checks` — a dict keyed by **check kind** (string). Each value has a
-    `status` (`pass`, `warn`, `fail`, or `needs_agent`) and `details`.
- `rendered_comment` — the final PR comment body, already rendered. For
-  every check whose status is `needs_agent` it contains two placeholders
-  you must replace:
-  - `{{CHECK_CELL:<pkg-name>:<check-kind>}}` — one cell of the summary
-    table. Replace with exactly one of `✅`, `⚠️`, `❌`.
-  - `{{CHECK_DETAIL:<pkg-name>:<check-kind>}}` — the body of one bullet
-    in the package's `<details>` block. Replace with
-    `<icon> <one-line explanation>` (the bullet's leading
-    `- **<label>**:` is already rendered — replace only the placeholder).
-
-You **must not** modify any other content in `rendered_comment`. Do not
-re-evaluate checks that already have a deterministic status. Do not add
-or remove packages.
+Do not modify other content in `rendered_comment`, do not re-evaluate
+deterministic checks, do not add or remove packages. If `needs_agent`
+is `false`, emit `rendered_comment` unchanged.

 ## Step 2 — Resolve each `needs_agent` check

-For each `package` in `packages`:
+For each `(package, check_kind)` with `status == "needs_agent"`, find
+the matching `### Check kind: <check_kind>` section below and follow
+it. If no section matches, emit a single `add_comment` with:

-For each `(check_kind, result)` in `package.checks` where
-`result.status == "needs_agent"`:
+```
+<!-- requirements-check -->
+## Check requirements

-1. Look up `## Check kind: <check_kind>` in the **Check instructions**
-   section below.
-2. **If no matching section exists**: emit a single `add_comment` whose
-   body is:
+❌ Internal error: deterministic artifact contains an unknown check kind
+(`<check_kind>` on `<pkg>`).
+```

-   ```
-   <!-- requirements-check -->
-   ## Check requirements
-
-   ❌ Internal error: the deterministic artifact contains a check kind
-   (`<check_kind>` on package `<pkg-name>`) that this workflow has no
-   instructions for. Update `.github/workflows/check-requirements.md`
-   to add a matching `## Check kind: <check_kind>` section, or remove
-   the kind from the deterministic stage.
-   ```
-
-   Then stop. **Do not improvise** a verdict for an unknown check kind.
-3. Otherwise, follow the instructions in that section. They tell you
-   which icon (✅/⚠️/❌) and one-line explanation to produce.
+Then stop. Do not improvise a verdict.

 ## Step 3 — Post the comment

-1. Replace every `{{CHECK_CELL:…}}` and `{{CHECK_DETAIL:…}}` placeholder
-   in `rendered_comment` with the resolved value.
-2. Emit the resulting markdown using `add_comment` — set `body` to the
-   merged `rendered_comment` verbatim (the leading
-   `<!-- requirements-check -->` marker must be preserved). The PR
-   target is already set by the workflow; do not pass `item_number`.
-
-If the artifact's top-level `needs_agent` is `false` (no checks need
-you), emit `rendered_comment` unchanged.
+Replace every placeholder with the resolved value and emit
+`rendered_comment` via `add_comment`. Preserve the leading
+`<!-- requirements-check -->` marker. The PR target is already wired;
+do not pass `item_number`.

 ## Check instructions

 ### Check kind: `repo_public`

-Verify that the package's source repository is publicly reachable.
+`web-fetch` GET `package.repo_url`.
+- 200 + public repo page → ✅ `<repo_url> is publicly accessible.`
+- 4xx/5xx or login redirect → ❌ `Source repository at <repo_url> is
+  not publicly accessible. Home Assistant requires dependencies to
+  have publicly available source code.`
+- Otherwise → ⚠️ with a one-line description.

-1. Read `package.repo_url`.
-2. Use the `web-fetch` tool to GET that URL.
-3. Decide the verdict:
-   - HTTP 200, returns a public repository page → ✅
-     `<repo_url> is publicly accessible.`
-   - HTTP 4xx/5xx, or the response redirects to a login / sign-in page →
-     ❌ `Source repository at <repo_url> is not publicly accessible.
-     Home Assistant requires all dependencies to have publicly available
-     source code.`
-   - Any other inconclusive result → ⚠️ with a one-line description.
-
-If `repo_public` resolves to ❌ for a package, **also** mark that
-package's `release_pipeline` and `async_blocking` cells/details as `—`
-(em dash) and explain `Skipped because the source repository is not
-publicly accessible.` — neither check can be performed without a public
-repo.
+If ❌, also mark this package's `release_pipeline` and `async_blocking`
+cells/details as `—` and explain `Skipped because the source
+repository is not publicly accessible.`.

 ### Check kind: `pr_link`

-Verify the PR description contains the right link for the change.
+Fetch the PR body via the `pull_requests` MCP using `pr_number`. Extract URLs.

-1. Fetch the PR body via the GitHub MCP tool, using the `pr_number`
-   field from the artifact.
-2. Extract all URLs from the body.
-3. For a **new package** (`package.old_version` is `null`):
-   - The PR body must contain a URL that points at `package.repo_url`
-     (any sub-path of the same `owner/repo` on the same host is
-     acceptable). A PyPI link is **not** sufficient.
-   - ✅ if such a URL is present.
-   - ❌ otherwise:
-     `PR description must link to the source repository at <repo_url>.
-     A PyPI page link is not sufficient.`
-4. For a **version bump** (`package.old_version` is not `null`):
-   - The PR body must contain a URL on the same host as
-     `package.repo_url` that references **both** `package.old_version`
-     and `package.new_version` (e.g. a GitHub compare URL
-     `compare/vX...vY`, a release / changelog URL containing both
-     versions, etc.).
-   - ✅ if such a URL is present and the versions match the actual bump.
-   - ❌ otherwise:
-     `PR description should link to a changelog or compare URL on
-     <repo_url> that mentions both <old_version> and <new_version>.`
+- **New package** (`old_version == null`): body must contain a URL
+  pointing at `repo_url`'s `owner/repo` on the same host (any
+  sub-path OK). PyPI is not sufficient.
+  - ✅ if present; otherwise ❌ `PR description must link to the
+    source repository at <repo_url>. A PyPI page link is not
+    sufficient.`
+- **Version bump**: body must contain a URL on the same host as
+  `repo_url` that mentions **both** `old_version` and `new_version`
+  (compare URL, changelog, release page).
+  - ✅ if present and versions match; otherwise ❌ `PR description
+    should link to a changelog or compare URL on <repo_url> that
+    mentions both <old_version> and <new_version>.`

 ### Check kind: `release_pipeline`

-Inspect the upstream project's release / publish CI pipeline.
+Inspect the upstream's publish-to-PyPI CI. Host-specific lookup, same
+rubric:

-For each package needing inspection, determine the source repository
-host from `package.repo_url`, then apply the corresponding checklist.
-
-#### GitHub repositories (`github.com`)
-
-1. List workflows: `GET /repos/{owner}/{repo}/actions/workflows`.
-2. Identify any workflow whose name or filename suggests publishing to
-   PyPI (`release`, `publish`, `pypi`, or `deploy`).
-3. Fetch the workflow file and check:
-   - **Trigger sanity**: triggered by `push` to tags,
-     `release: published`, or `workflow_run` on a release job —
-     **not** solely `workflow_dispatch` with no environment-protection
-     guard.
-   - **OIDC / Trusted Publisher**: look for `id-token: write` and one of
-     `pypa/gh-action-pypi-publish`, `actions/attest-build-provenance`,
-     or `TWINE_PASSWORD` from a static `secrets.PYPI_TOKEN`.
-   - **No manual upload bypass**: no ungated `twine upload` or
-     `pip upload`.
-4. Verdict:
-   - ✅ if OIDC + sane triggers + no bypass.
-   - ⚠️ if static token but version bump, or details unclear.
-   - ❌ if static token on a new package, or only-manual triggers with
-     no environment protection.
-
-#### GitLab repositories (`gitlab.com` or self-hosted GitLab)
-
-1. Resolve the project ID via
-   `GET https://gitlab.com/api/v4/projects/{url-encoded-namespace-and-name}`.
-2. Fetch `.gitlab-ci.yml` via
-   `GET https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
-3. Apply the same conceptual checks: tag-only / protected-branch
-   triggers, GitLab OIDC `id_tokens` or CI/CD protected `PYPI_TOKEN`, no
-   ungated `twine upload`. Same verdict rules as GitHub.
-
-#### Other code hosting providers (Bitbucket, Codeberg, Gitea, Sourcehut, …)
-
-1. Use `web-fetch` to retrieve any visible CI configuration
-   (`.circleci/config.yml`, `Jenkinsfile`, `azure-pipelines.yml`,
-   `bitbucket-pipelines.yml`, `.builds/*.yml`).
-2. Apply the conceptual checks: automated triggers, CI-injected
-   credentials, no manual `twine upload`.
-3. If no CI config can be retrieved: ⚠️ `Release pipeline could not be
-   inspected; hosting provider is not GitHub or GitLab.`
+1. Locate the publish workflow / job (name or filename contains
+   `release`, `publish`, `pypi`, or `deploy`).
+   - GitHub: list `.github/workflows/` via the `repos` MCP, pick the
+     promising file by name, fetch its contents.
+   - GitLab: fetch `.gitlab-ci.yml` from the default ref via
+     `https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
+   - Other hosts: `web-fetch` an obvious CI config
+     (`.circleci/config.yml`, `bitbucket-pipelines.yml`, etc.).
+2. Apply this rubric:
+   - **Trigger**: tag push / `release: published` / protected branch —
+     not solely manual dispatch without an environment guard.
+   - **Credentials**: OIDC (`id-token: write` +
+     `pypa/gh-action-pypi-publish` or equivalent) preferred; static
+     `PYPI_TOKEN` from a CI secret acceptable for a bump.
+   - **No bypass**: no ungated `twine upload` / `pip upload`.
+3. Verdict:
+   - ✅ — OIDC + sane triggers + no bypass.
+   - ⚠️ — static token on a bump, details unclear, or
+     non-GitHub/GitLab host with limited CI visibility.
+   - ❌ — static token on a new package, or manual-only triggers
+     without environment protection.

 ### Check kind: `async_blocking`

-Verify whether the dependency performs blocking I/O inside async code
-paths. Home Assistant runs on a single asyncio event loop, so a library
-that exposes an `async` surface must not call blocking APIs from inside
-its `async def` functions — that stalls the whole loop. A purely sync
-library is fine: Home Assistant integrations are expected to wrap such
-calls in an executor.
+Verify the dependency does not call blocking APIs inside `async def`
+bodies. Home Assistant runs on a single asyncio loop, so blocking
+calls from the async surface stall the whole loop. A purely sync
+library is fine — integrations wrap its calls in an executor.

-**Two modes — pick by inspecting `package.old_version`:**
+**Mode** (decided by `old_version`):
+- `null` → new package: review the entire current source tree.
+- string → version bump: review only the diff between the two tags.
+  Blocking calls already present in `old_version` are not regressions.

- `old_version` is `null` → **new package**: review the *entire current
-  source tree*. Nothing about this dependency has been vetted before.
- `old_version` is a string → **version bump**: review only the *diff
-  between `old_version` and `new_version`*. The previous version was
-  already accepted, so blocking calls that were present in
-  `old_version` are not regressions; report only what `new_version`
-  introduces.
+**Step 1 — async surface?**

-#### Step 1 — Decide whether the library exposes an async surface
+Fetch `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` at the
+tag matching `new_version` (try `v{version}`, `{version}`,
+`release-{version}` — at most three attempts). Use the `repos` MCP for
+github.com, `web-fetch` otherwise.

-Use the `github` MCP tool (for `github.com` repos) or `web-fetch`
-(other hosts) on `package.repo_url`. Always inspect the tag /
-ref matching `new_version` (e.g. `v{new_version}` or `{new_version}`).
+If sync-only (no `async def` in public modules; no
+asyncio/aiohttp/httpx/anyio in deps; no `Framework :: AsyncIO`
+classifier) → ✅ `Sync-only library; Home Assistant integrations must
+wrap calls in an executor.` (Same verdict for both modes.)

- Locate the top-level package directory (usually named after the
-  import name, often equal or close to `package.name`).
- Check `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` for
-  async indicators (`Framework :: AsyncIO` trove classifier, `asyncio`
-  / `aiohttp` / `httpx` / `anyio` in dependencies, an async usage
-  example in the README).
- Grep the package source for `async def`. A handful of `async def`
-  entries in the public modules is enough to treat the library as
-  having an async surface.
+**Step 2 — review the surface**

-If the library is **sync-only** (no `async def` in its public modules
-and no async framework dependency) → ✅
-`Sync-only library; Home Assistant integrations must wrap calls in an
-executor.` *This verdict is the same in both modes.*
+- New package: grep public modules for `async def`, inspect each
+  async body and transitive helpers.
+- Bump: fetch the compare diff
+  (`/repos/{owner}/{repo}/compare/{old}...{new}` on GitHub, equivalent
+  on GitLab/other hosts). Only flag patterns on **added** lines that
+  are inside or reachable from `async def`. If no tag format resolves,
+  fall back to a full review and note that the diff was unavailable.

-#### Step 2a — Mode: new package (`old_version` is `null`)
+**Blocking patterns to flag inside `async def`:**

-Inspect **every `async def` in the public modules** for blocking
-patterns. Walk transitively into helpers the async functions call.
-
-#### Step 2b — Mode: version bump (`old_version` is a string)
-
-Fetch the diff between the two tags and review **only changed lines**:
-
- GitHub: `GET /repos/{owner}/{repo}/compare/{old_tag}...{new_tag}` via
-  the `github` MCP tool, or
-  `https://github.com/{owner}/{repo}/compare/{old_tag}...{new_tag}.diff`
-  via `web-fetch`. Try the common tag formats in order until one
-  resolves: `v{version}`, `{version}`, `release-{version}`.
- GitLab: `https://gitlab.com/{namespace}/{project}/-/compare/{old_tag}...{new_tag}.diff`.
- Other hosts: use the project's equivalent compare URL via
-  `web-fetch`.
-
-If neither tag format resolves on the host, fall back to a full review
-(Step 2a) and mention in the detail that the diff was unavailable.
-
-When reviewing the diff, only flag blocking patterns that appear in
-**added lines** *inside or reachable from* an `async def`. A blocking
-call that existed in `old_version` and is unchanged is not a regression
-for this bump.
-
-#### Step 3 — Blocking patterns to look for
-
-In both modes, the patterns to flag inside `async def` bodies are:
-
- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct use,
-  `http.client.`, sync `httpx.Client(` / `httpx.get(` (NOT the
-  `AsyncClient`), `pycurl`.
- `time.sleep(` (must be `await asyncio.sleep(`).
- Sync sockets: bare `socket.socket` reads/writes, `ssl.wrap_socket`,
+- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct,
+  `http.client.`, sync `httpx.Client(` / `httpx.get(`, `pycurl`.
+- `time.sleep(` (use `await asyncio.sleep(`).
+- Sync sockets/SSL: bare `socket.socket` I/O, `ssl.wrap_socket`,
  blocking `select.select`.
- File I/O: `open(` / `pathlib.Path.read_*` / `.write_*` for
-  non-trivial sizes (small one-shot reads during import are
-  acceptable; reads/writes on the request path are not — prefer
-  `aiofiles` / executor).
- Sync DB drivers used directly: `sqlite3`, `psycopg2`, `pymysql`,
-  `pymongo` (sync client), `redis.Redis` (sync client).
- `subprocess.run` / `subprocess.call` / `os.system` (must be
-  `asyncio.create_subprocess_*`).
+- File I/O on the request path: `open(` /
+  `pathlib.Path.read_*` / `.write_*` for non-trivial sizes (small
+  one-shot reads during import are OK).
+- Sync DB drivers: `sqlite3`, `psycopg2`, `pymysql`, sync `pymongo` /
+  `redis.Redis`.
+- `subprocess.run` / `subprocess.call` / `os.system`.

-A call that is clearly dispatched to an executor
-(`run_in_executor`, `asyncio.to_thread`, `anyio.to_thread.run_sync`)
-does NOT count as blocking.
+Calls dispatched to an executor (`run_in_executor`,
+`asyncio.to_thread`, `anyio.to_thread.run_sync`) do **not** count as
+blocking.

-#### Step 4 — Verdict
+**Verdict:**

- ✅ — no offending blocking pattern in the surface being reviewed
-  (whole tree for a new package, added lines for a bump). For a bump,
-  phrase the detail as `No new blocking calls introduced in
-  {old_version} → {new_version}.`.
- ⚠️ — blocking calls exist only in sync helpers that the async API
-  does not call, or only on a clearly non-hot path (e.g. one-shot
-  setup before the event loop is running). Cite at least one
-  `<file>:<line>` and explain why it is not on the hot path.
- ❌ — a blocking call is reachable from an `async def` that is part
-  of the public API on the request / polling path (for a bump: the
-  call was introduced or moved onto the hot path by this version).
-  Cite the offending `<file>:<line>` as a clickable link on the repo
-  host so the contributor can jump to it.
+- ✅ — no offending pattern. Bumps: phrase as `No new blocking calls
+  introduced in {old_version} → {new_version}.`.
+- ⚠️ — blocking only in sync helpers the async API never calls, or
+  clearly off the hot path (e.g. one-shot pre-loop setup). Cite at
+  least one `<file>:<line>` and say why it's not hot.
+- ❌ — blocking call reachable from a public `async def` on the
+  request/polling path (bump: introduced or moved onto the hot path
+  by this version). Cite the offending `<file>:<line>` as a clickable
+  link on the repo host.
+
+### Check kind: `security`
+
+**Baseline** scan of the upstream source for obvious supply-chain red
+flags — a cheap first pass, **not** a security review or malware audit.
+A clean result means "nothing obvious stood out", not "this package is
+safe". The success icon is `☑️` — **never** `✅` — so a passing scan is
+not read as an endorsement.
+
+If `repo_public` resolves to ❌ for the same package, mark `security`'s
+cell and detail as `—` and explain `Skipped because the source
+repository is not publicly accessible.` — the source cannot be fetched.
+
+**Step 1 — Fetch a representative slice**
+
+Locate the source from `package.repo_url`.
+
+- GitHub: resolve the default branch (`GET /repos/{owner}/{repo}`), list
+  the tree (`GET /repos/{owner}/{repo}/git/trees/{branch}?recursive=1`),
+  find the module dir (`{name}/` or `src/{name}/`, normalising `-` ↔ `_`).
+- GitLab: equivalent REST calls. Other hosts: `web-fetch` raw file URLs.
+
+Fetch the **raw contents** of `setup.py` (install-time code runs on every
+consumer), `pyproject.toml` (`[build-system]` / custom backend), the
+package's `__init__.py`, and co — prioritising `entry_points` targets, plus any name suggesting
+bootstrap / loader / self-update (`update*.py`, `loader*.py`,
+`bootstrap*.py`, `_native.py`, `_post_install*.py`, …).
+
+If the tree is too large for the API budget, inspect at least `setup.py`,
+`pyproject.toml`, and `__init__.py`, then return ⚠️ noting the partial scan.
+
+**Step 2 — Patterns to flag**
+
+Reason from principles, not a fixed checklist: for each file ask *would a
+well-behaved library doing what this package's PyPI description claims
+need to do this?* If "no" or "unclear", record a finding. The categories
+describe the **shape** of concerning behavior; the named APIs, filenames,
+and keys are illustrative — treat any equivalent construct (including ones
+that did not exist when this was written) the same way.
+
+For every finding include the file path, line number, a snippet
+(≤ 120 chars), a permalink
+(`https://github.com/{owner}/{repo}/blob/{sha}/{path}#L{line}` or the
+GitLab equivalent), and one sentence on why it is out of scope.
+
+1. **Reaches into Home Assistant internals.** A library should touch HA
+   only through its documented Python API — never the `config_dir`
+   filesystem or internal auth / session state. Flag code that opens,
+   reads, writes, or resolves paths to artifacts it does not own
+   (top-level YAML it did not create, anything under `.storage/`, other
+   integrations' files) or reads tokens / refresh tokens / auth providers
+   (e.g. `secrets.yaml`, `.storage/auth*`, `hass.auth`). The principle is
+   *out-of-scope access*, not a static list of names.
+2. **Network input flows into an execution sink (download-and-execute).**
+   Flag any data-flow from a network response body (any HTTP / WebSocket /
+   raw-socket client, sync or async) to an execution sink: `exec`, `eval`,
+   `compile`, `marshal.loads`, `pickle.loads`, `types.FunctionType`,
+   `importlib.util.spec_from_loader`, `subprocess.*`, `os.system`, shell
+   pipelines (`curl … | sh`), or a file later imported / executed — plus
+   package-manager calls (`pip install` / `download`) with args resolved
+   from network responses at runtime.
+3. **Build / install-time code is non-deterministic or non-local.**
+   `setup.py`, `setup.cfg` `cmdclass`, custom PEP 517 backends, and other
+   build hooks must only compile and copy files shipped in the sdist. Flag
+   build-stage code that opens a socket, shells out, writes outside the
+   build / install tree, or pulls a build backend not on PyPI (Git URL /
+   local path).
+4. **Reads secrets and combines them with an egress path.** The shape is
+   *secret-source → outbound-channel*. Flag code that reads credential
+   material (token-like env vars, credential files under the user's home,
+   OS keychain APIs, browser-profile dirs, HA token stores) **and** in the
+   same path sends it to a destination the package needn't talk to.
+   Reading or sending alone is not enough — the *combination* is the signal.
+5. **Hides what it does.** Flag opaque data flowing into an execution
+   sink: large encoded / compressed / hex strings (`base64`, `codecs`,
+   `zlib`, `lzma`, `bytes.fromhex`, or any equivalent) passed to `exec` /
+   `eval` / `compile` / `__import__`; identifiers assembled at runtime
+   then imported; or any construct whose evident purpose is to make the
+   behavior unreadable.
+6. **Hard-coded network destination off-purpose.** Flag outbound URLs or
+   hosts absent from the package's PyPI `project_urls` with no obvious
+   connection to its function — short-link / paste services, ephemeral
+   tunnels, raw IPs, non-default ports against unknown hosts — and any
+   network call at module top-level / `__init__.py` (runs on import for
+   every consumer).
+
+A clearly out-of-scope behavior that fits none of the above: flag under
+the closest category and explain. The categories guide reasoning, not bound it.
+
+**Verdict**
+
+Aggregate the findings into one of:
+
+- `☑️ Baseline scan found nothing obvious in <list of inspected files>.
+  This is not a security review — only the cheap checks were run.`
+  Use `☑️` (**not** `✅`) so a passing scan is not read as an endorsement.
+- `⚠️ <one-line summary>` — patterns with plausible legitimate uses;
+  include path / line / snippet / permalink per match for the reviewer.
+- `❌ <one-line summary>` — patterns with no legitimate explanation
+  (install-time network execution, decode-and-exec of opaque blobs, reads
+  of `secrets.yaml` / `.storage/auth*`, token exfiltration to an external
+  host); same detail.
+
+Be precise. False positives are expected — when in doubt prefer `⚠️` with
+context over `❌`. This check is informational and never blocks the
+workflow on its own; a human reviewer decides whether to merge.

 ## Notes

- Be constructive and helpful. Reference the inspected workflow / CI
-  file by URL where useful so the contributor can fix the issue.
- The dedup of the requirements-check comment is handled by gh-aw's
-  `add_comment` safe-output via the `<!-- requirements-check -->`
-  marker on the first line of `rendered_comment`.
- If the deterministic workflow concluded with a non-success status,
-  this workflow's `if:` guard on `Download deterministic-results
-  artifact` skipped the download. If you find no file at
-  `/tmp/gh-aw/deterministic/results.json`, emit nothing — the post-step
-  verification is also gated and will not complain.
+- Be constructive; reference the inspected file by URL when useful.
+- Comment dedup is handled by gh-aw's `add_comment` safe-output via
+  the `<!-- requirements-check -->` marker.
+- If `/tmp/gh-aw/deterministic/results.json` is missing (upstream
+  cancelled/failed), emit nothing — the post-step verification is
+  gated and won't complain.
@@ -28,11 +28,11 @@ jobs:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: python

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@87557b9c84dde89fdd9b10e88954ac2f4248e463 # v4.36.1
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          category: "/language:python"
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.15
+    rev: v0.15.16
    hooks:
      - id: ruff-check
        args:
@@ -102,7 +102,7 @@ repos:
        pass_filenames: false
        language: script
        types: [text]
-        files: ^(homeassistant/.+/(icons|manifest|strings)\.json|homeassistant/.+/(conditions|quality_scale|services|triggers)\.yaml|homeassistant/brands/.*\.json|script/hassfest/(?!metadata|mypy_config).+\.py|requirements.+\.txt)$
+        files: ^(homeassistant/.+/(icons|manifest|strings)\.json|homeassistant/.+/(conditions|quality_scale|services|triggers)\.yaml|homeassistant/brands/.*\.json|script/hassfest/(?!metadata|mypy_config).+\.py|homeassistant/components/sensor/const\.py|requirements.+\.txt)$
      - id: hassfest-metadata
        name: hassfest-metadata
        entry: script/run-in-env.sh python3 -m script.hassfest -p metadata,docker
@@ -642,6 +642,7 @@ homeassistant.components.xbox.*
 homeassistant.components.xiaomi_ble.*
 homeassistant.components.yale_smart_alarm.*
 homeassistant.components.yalexs_ble.*
+homeassistant.components.yoto.*
 homeassistant.components.youtube.*
 homeassistant.components.zeroconf.*
 homeassistant.components.zinvolt.*
@@ -40,4 +40,5 @@ This repository contains the core of Home Assistant, a Python 3 based home autom
 - Integrations with Platinum or Gold level in the Integration Quality Scale reflect a high standard of code quality and maintainability. When looking for examples of something, these are good places to start. The level is indicated in the manifest.json of the integration.
 - When reviewing entity actions, do not suggest extra defensive checks for input fields that are already validated by Home Assistant's service/action schemas and entity selection filters. Suggest additional guards only when data bypasses those validators or is transformed into a less-safe form.
 - When validation guarantees a dict key exists, prefer direct key access (`data["key"]`) instead of `.get("key")` so contract violations are surfaced instead of silently masked.
- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why — non-obvious constraints, surprising behavior, or workarounds — never what.
+- Keep comments concise. Prefer one short line stating the non-obvious constraint, or no comment at all.
+- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why (non-obvious constraints, surprising behavior, or workarounds), never what. Never add comments that justify a change by referencing what the code looked like before.
@@ -262,8 +262,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/braviatv/ @bieniu @Drafteed
 /homeassistant/components/bring/ @miaucl @tr4nt0r
 /tests/components/bring/ @miaucl @tr4nt0r
-/homeassistant/components/broadlink/ @danielhiversen @felipediel @L-I-Am @eifinger
-/tests/components/broadlink/ @danielhiversen @felipediel @L-I-Am @eifinger
+/homeassistant/components/broadlink/ @danielhiversen @felipediel @L-I-Am
+/tests/components/broadlink/ @danielhiversen @felipediel @L-I-Am
 /homeassistant/components/brother/ @bieniu
 /tests/components/brother/ @bieniu
 /homeassistant/components/brottsplatskartan/ @gjohansson-ST
@@ -695,6 +695,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/gree/ @cmroche
 /homeassistant/components/green_planet_energy/ @petschni
 /tests/components/green_planet_energy/ @petschni
+/homeassistant/components/greencell/ @BrzezowskiGC
+/tests/components/greencell/ @BrzezowskiGC
 /homeassistant/components/greeneye_monitor/ @jkeljo
 /tests/components/greeneye_monitor/ @jkeljo
 /homeassistant/components/group/ @home-assistant/core
@@ -947,6 +949,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/kiosker/ @Claeysson
 /homeassistant/components/kitchen_sink/ @home-assistant/core
 /tests/components/kitchen_sink/ @home-assistant/core
+/homeassistant/components/klik_aan_klik_uit/ @Phunkafizer
+/tests/components/klik_aan_klik_uit/ @Phunkafizer
 /homeassistant/components/kmtronic/ @dgomes
 /tests/components/kmtronic/ @dgomes
 /homeassistant/components/knocki/ @joostlek @jgatto1 @JakeBosh
@@ -1084,6 +1088,8 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/mediaroom/ @dgomes
 /homeassistant/components/melcloud/ @erwindouna
 /tests/components/melcloud/ @erwindouna
+/homeassistant/components/melcloud_home/ @erwindouna
+/tests/components/melcloud_home/ @erwindouna
 /homeassistant/components/melissa/ @kennedyshead
 /tests/components/melissa/ @kennedyshead
 /homeassistant/components/melnor/ @vanstinator
@@ -1151,7 +1157,6 @@ CLAUDE.md @home-assistant/core
 /tests/components/motionmount/ @laiho-vogels
 /homeassistant/components/mqtt/ @emontnemery @jbouwh @bdraco
 /tests/components/mqtt/ @emontnemery @jbouwh @bdraco
-/homeassistant/components/msteams/ @peroyvind
 /homeassistant/components/mta/ @OnFreund
 /tests/components/mta/ @OnFreund
 /homeassistant/components/mullvad/ @meichthys
@@ -1887,6 +1892,7 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/unifi_access/ @imhotep @RaHehl
 /tests/components/unifi_access/ @imhotep @RaHehl
 /homeassistant/components/unifi_direct/ @tofuSCHNITZEL
+/tests/components/unifi_direct/ @tofuSCHNITZEL
 /homeassistant/components/unifi_discovery/ @RaHehl
 /tests/components/unifi_discovery/ @RaHehl
 /homeassistant/components/unifiled/ @florisvdk
@@ -11,7 +11,6 @@
    "microsoft_face_identify",
    "microsoft_face",
    "microsoft",
-    "msteams",
    "onedrive",
    "onedrive_for_business",
    "xbox"
@@ -26,5 +26,5 @@
  "iot_class": "local_push",
  "loggers": ["aioacaia"],
  "quality_scale": "platinum",
-  "requirements": ["aioacaia==0.1.17"]
+  "requirements": ["aioacaia==0.1.18"]
 }
@@ -5,5 +5,5 @@
  "documentation": "https://www.home-assistant.io/integrations/acer_projector",
  "iot_class": "local_polling",
  "quality_scale": "legacy",
-  "requirements": ["serialx==1.8.0"]
+  "requirements": ["serialx==1.8.2"]
 }
@@ -6,5 +6,5 @@
  "documentation": "https://www.home-assistant.io/integrations/acmeda",
  "iot_class": "local_push",
  "loggers": ["aiopulse"],
-  "requirements": ["aiopulse==0.4.6"]
+  "requirements": ["aiopulse==0.4.7"]
 }
@@ -30,7 +30,7 @@ from homeassistant.exceptions import (
 from homeassistant.helpers import device_registry as dr, entity_registry as er
 from homeassistant.helpers.aiohttp_client import async_get_clientsession

-from .const import DEFAULT_SSL, DEFAULT_VERIFY_SSL, DOMAIN, SECTION_ADVANCED_SETTINGS
+from .const import DEFAULT_SSL, DEFAULT_VERIFY_SSL, DOMAIN, SECTION_ADDITIONAL_SETTINGS
 from .coordinator import (
    AirOSConfigEntry,
    AirOSDataUpdateCoordinator,
@@ -55,14 +55,14 @@ async def async_setup_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> boo
    # By default airOS 8 comes with self-signed SSL certificates,
    # with no option in the web UI to change or upload a custom certificate.
    session = async_get_clientsession(
-        hass, verify_ssl=entry.data[SECTION_ADVANCED_SETTINGS][CONF_VERIFY_SSL]
+        hass, verify_ssl=entry.data[SECTION_ADDITIONAL_SETTINGS][CONF_VERIFY_SSL]
    )

    conn_data = {
        CONF_HOST: entry.data[CONF_HOST],
        CONF_USERNAME: entry.data[CONF_USERNAME],
        CONF_PASSWORD: entry.data[CONF_PASSWORD],
-        "use_ssl": entry.data[SECTION_ADVANCED_SETTINGS][CONF_SSL],
+        "use_ssl": entry.data[SECTION_ADDITIONAL_SETTINGS][CONF_SSL],
        "session": session,
    }

@@ -116,15 +116,15 @@ async def async_setup_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> boo
 async def async_migrate_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> bool:
    """Migrate old config entry."""

-    # 1.1 Migrate config_entry to add advanced ssl settings
+    # 1.1 Migrate config_entry to add additional ssl settings
    if entry.version == 1 and entry.minor_version == 1:
        new_minor_version = 2
        new_data = {**entry.data}
-        advanced_data = {
+        additional_data = {
            CONF_SSL: DEFAULT_SSL,
            CONF_VERIFY_SSL: DEFAULT_VERIFY_SSL,
        }
-        new_data[SECTION_ADVANCED_SETTINGS] = advanced_data
+        new_data[SECTION_ADDITIONAL_SETTINGS] = additional_data

        hass.config_entries.async_update_entry(
            entry,
@@ -52,7 +52,7 @@ from .const import (
    HOSTNAME,
    IP_ADDRESS,
    MAC_ADDRESS,
-    SECTION_ADVANCED_SETTINGS,
+    SECTION_ADDITIONAL_SETTINGS,
 )

 _LOGGER = logging.getLogger(__name__)
@@ -66,7 +66,7 @@ STEP_DISCOVERY_DATA_SCHEMA = vol.Schema(
    {
        vol.Required(CONF_USERNAME, default=DEFAULT_USERNAME): str,
        vol.Required(CONF_PASSWORD): str,
-        vol.Required(SECTION_ADVANCED_SETTINGS): section(
+        vol.Required(SECTION_ADDITIONAL_SETTINGS): section(
            vol.Schema(
                {
                    vol.Required(CONF_SSL, default=DEFAULT_SSL): bool,
@@ -134,7 +134,7 @@ class AirOSConfigFlow(ConfigFlow, domain=DOMAIN):
        # with no option in the web UI to change or upload a custom certificate.
        session = async_get_clientsession(
            self.hass,
-            verify_ssl=config_data[SECTION_ADVANCED_SETTINGS][CONF_VERIFY_SSL],
+            verify_ssl=config_data[SECTION_ADDITIONAL_SETTINGS][CONF_VERIFY_SSL],
        )

        try:
@@ -143,7 +143,7 @@ class AirOSConfigFlow(ConfigFlow, domain=DOMAIN):
                username=config_data[CONF_USERNAME],
                password=config_data[CONF_PASSWORD],
                session=session,
-                use_ssl=config_data[SECTION_ADVANCED_SETTINGS][CONF_SSL],
+                use_ssl=config_data[SECTION_ADDITIONAL_SETTINGS][CONF_SSL],
            )

        except (
@@ -234,18 +234,18 @@ class AirOSConfigFlow(ConfigFlow, domain=DOMAIN):
                            autocomplete="current-password",
                        )
                    ),
-                    vol.Required(SECTION_ADVANCED_SETTINGS): section(
+                    vol.Required(SECTION_ADDITIONAL_SETTINGS): section(
                        vol.Schema(
                            {
                                vol.Required(
                                    CONF_SSL,
-                                    default=current_data[SECTION_ADVANCED_SETTINGS][
+                                    default=current_data[SECTION_ADDITIONAL_SETTINGS][
                                        CONF_SSL
                                    ],
                                ): bool,
                                vol.Required(
                                    CONF_VERIFY_SSL,
-                                    default=current_data[SECTION_ADVANCED_SETTINGS][
+                                    default=current_data[SECTION_ADDITIONAL_SETTINGS][
                                        CONF_VERIFY_SSL
                                    ],
                                ): bool,
@@ -12,7 +12,7 @@ MANUFACTURER = "Ubiquiti"
 DEFAULT_VERIFY_SSL = False
 DEFAULT_SSL = True

-SECTION_ADVANCED_SETTINGS = "advanced_settings"
+SECTION_ADDITIONAL_SETTINGS = "additional_settings"

 # Discovery related
 DEFAULT_USERNAME = "ubnt"
@@ -4,7 +4,7 @@ from homeassistant.const import CONF_HOST, CONF_SSL
 from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.update_coordinator import CoordinatorEntity

-from .const import DOMAIN, MANUFACTURER, SECTION_ADVANCED_SETTINGS
+from .const import DOMAIN, MANUFACTURER, SECTION_ADDITIONAL_SETTINGS
 from .coordinator import AirOSDataUpdateCoordinator


@@ -20,7 +20,7 @@ class AirOSEntity(CoordinatorEntity[AirOSDataUpdateCoordinator]):
        airos_data = self.coordinator.data
        url_schema = (
            "https"
-            if coordinator.config_entry.data[SECTION_ADVANCED_SETTINGS][CONF_SSL]
+            if coordinator.config_entry.data[SECTION_ADDITIONAL_SETTINGS][CONF_SSL]
            else "http"
        )

@@ -33,16 +33,16 @@
        },
        "description": "Enter the username and password for {device_name}",
        "sections": {
-          "advanced_settings": {
+          "additional_settings": {
            "data": {
-              "ssl": "[%key:component::airos::config::step::manual::sections::advanced_settings::data::ssl%]",
+              "ssl": "[%key:component::airos::config::step::manual::sections::additional_settings::data::ssl%]",
              "verify_ssl": "[%key:common::config_flow::data::verify_ssl%]"
            },
            "data_description": {
-              "ssl": "[%key:component::airos::config::step::manual::sections::advanced_settings::data_description::ssl%]",
-              "verify_ssl": "[%key:component::airos::config::step::manual::sections::advanced_settings::data_description::verify_ssl%]"
+              "ssl": "[%key:component::airos::config::step::manual::sections::additional_settings::data_description::ssl%]",
+              "verify_ssl": "[%key:component::airos::config::step::manual::sections::additional_settings::data_description::verify_ssl%]"
            },
-            "name": "[%key:component::airos::config::step::manual::sections::advanced_settings::name%]"
+            "name": "[%key:component::airos::config::step::manual::sections::additional_settings::name%]"
          }
        }
      },
@@ -58,7 +58,7 @@
          "username": "Administrator username for the airOS device, normally 'ubnt'"
        },
        "sections": {
-          "advanced_settings": {
+          "additional_settings": {
            "data": {
              "ssl": "Use HTTPS",
              "verify_ssl": "[%key:common::config_flow::data::verify_ssl%]"
@@ -67,7 +67,7 @@
              "ssl": "Whether the connection should be encrypted (required for most devices)",
              "verify_ssl": "Whether the certificate should be verified when using HTTPS. This should be off for self-signed certificates"
            },
-            "name": "Advanced settings"
+            "name": "Additional settings"
          }
        }
      },
@@ -87,16 +87,16 @@
          "password": "[%key:component::airos::config::step::manual::data_description::password%]"
        },
        "sections": {
-          "advanced_settings": {
+          "additional_settings": {
            "data": {
-              "ssl": "[%key:component::airos::config::step::manual::sections::advanced_settings::data::ssl%]",
+              "ssl": "[%key:component::airos::config::step::manual::sections::additional_settings::data::ssl%]",
              "verify_ssl": "[%key:common::config_flow::data::verify_ssl%]"
            },
            "data_description": {
-              "ssl": "[%key:component::airos::config::step::manual::sections::advanced_settings::data_description::ssl%]",
-              "verify_ssl": "[%key:component::airos::config::step::manual::sections::advanced_settings::data_description::verify_ssl%]"
+              "ssl": "[%key:component::airos::config::step::manual::sections::additional_settings::data_description::ssl%]",
+              "verify_ssl": "[%key:component::airos::config::step::manual::sections::additional_settings::data_description::verify_ssl%]"
            },
-            "name": "[%key:component::airos::config::step::manual::sections::advanced_settings::name%]"
+            "name": "[%key:component::airos::config::step::manual::sections::additional_settings::name%]"
          }
        }
      },
@@ -7,7 +7,7 @@
  "integration_type": "hub",
  "iot_class": "local_polling",
  "loggers": ["aioairq"],
-  "requirements": ["aioairq==0.4.7"],
+  "requirements": ["aioairq==0.4.8"],
  "zeroconf": [
    {
      "properties": {
@@ -37,6 +37,9 @@
        "title": "Re-authenticate AirVisual"
      },
      "user": {
+        "data": {
+          "type": "Integration type"
+        },
        "description": "Pick what type of AirVisual data you want to monitor.",
        "title": "Configure AirVisual"
      }
@@ -1,10 +1,6 @@
 """The AirVisual Pro integration."""

-from homeassistant.helpers.device_registry import (
-    CONNECTION_NETWORK_MAC,
-    DeviceInfo,
-    format_mac,
-)
+from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.update_coordinator import CoordinatorEntity

@@ -32,7 +28,7 @@ class AirVisualProEntity(CoordinatorEntity[AirVisualProCoordinator]):
            connections={
                (
                    CONNECTION_NETWORK_MAC,
-                    format_mac(self.coordinator.data["status"]["mac_address"]),
+                    self.coordinator.data["status"]["mac_address"],
                )
            },
            manufacturer="AirVisual",
@@ -12,7 +12,18 @@ from homeassistant.helpers.device_registry import DeviceEntry

 from .coordinator import AmazonConfigEntry

-TO_REDACT = {CONF_PASSWORD, CONF_USERNAME, CONF_NAME, "title"}
+TO_REDACT = {
+    CONF_NAME,
+    CONF_PASSWORD,
+    CONF_USERNAME,
+    "access_token",
+    "adp_token",
+    "device_private_key",
+    "refresh_token",
+    "store_authentication_cookie",
+    "title",
+    "website_cookies",
+}


 async def async_get_config_entry_diagnostics(
@@ -8,5 +8,5 @@
  "iot_class": "cloud_polling",
  "loggers": ["aioamazondevices"],
  "quality_scale": "platinum",
-  "requirements": ["aioamazondevices==14.0.0"]
+  "requirements": ["aioamazondevices==14.0.4"]
 }
@@ -34,11 +34,13 @@ def generate_site_selector_name(site: Site) -> str:


 def filter_sites(sites: list[Site]) -> list[Site]:
-    """Deduplicates the list of sites."""
+    """Filter out closed sites and deduplicate the list of sites."""
    filtered: list[Site] = []
    filtered_nmi: set[str] = set()

    for site in sorted(sites, key=lambda site: site.status):
+        if site.status == SiteStatus.CLOSED:
+            continue
        if site.status == SiteStatus.ACTIVE or site.nmi not in filtered_nmi:
            filtered.append(site)
            filtered_nmi.add(site.nmi)
@@ -7,5 +7,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_push",
  "loggers": ["anova_wifi"],
-  "requirements": ["anova-wifi==0.17.0"]
+  "requirements": ["anova-wifi==0.17.1"]
 }
@@ -7,5 +7,5 @@
  "integration_type": "device",
  "iot_class": "local_push",
  "loggers": ["anthemav"],
-  "requirements": ["anthemav==1.4.1"]
+  "requirements": ["anthemav==1.4.2"]
 }
@@ -12,7 +12,7 @@ from homeassistant.components.media_player import (
 )
 from homeassistant.const import CONF_MAC, CONF_MODEL
 from homeassistant.core import HomeAssistant, callback
-from homeassistant.helpers.device_registry import DeviceInfo
+from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.dispatcher import async_dispatcher_connect
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

@@ -87,9 +87,12 @@ class AnthemAVR(MediaPlayerEntity):
                via_device=(DOMAIN, mac_address),
            )
        else:
+            # Zone 1 is the physical receiver that owns the network MAC; higher
+            # zones are via_device children and carry no connection.
            self._attr_unique_id = mac_address
            self._attr_device_info = DeviceInfo(
                identifiers={(DOMAIN, mac_address)},
+                connections={(CONNECTION_NETWORK_MAC, mac_address)},
                name=name,
                manufacturer=MANUFACTURER,
                model=model,
@@ -1,7 +1,6 @@
 """Coordinator for the Anthropic integration."""

 import datetime
-import re

 import anthropic

@@ -20,15 +19,12 @@ UPDATE_INTERVAL_DISCONNECTED = datetime.timedelta(minutes=1)
 type AnthropicConfigEntry = ConfigEntry[AnthropicCoordinator]


-_model_short_form = re.compile(r"[^\d]-\d$")
-
-
@callback
 def model_alias(model_id: str) -> str:
    """Resolve alias from versioned model name."""
    if model_id[-2:-1] != "-" and not model_id.endswith("-preview"):
        model_id = model_id[:-9]
-    if _model_short_form.search(model_id):
+    if model_id.endswith("-4"):
        return model_id + "-0"
    return model_id

@@ -9,5 +9,5 @@
  "integration_type": "service",
  "iot_class": "cloud_polling",
  "quality_scale": "silver",
-  "requirements": ["anthropic==0.96.0"]
+  "requirements": ["anthropic==0.108.0"]
 }
@@ -52,10 +52,7 @@ rules:
    status: exempt
    comment: |
      Service integration, no discovery.
-  docs-data-update:
-    status: exempt
-    comment: |
-      No data updates.
+  docs-data-update: done
  docs-examples: done
  docs-known-limitations: done
  docs-supported-devices: done
@@ -65,18 +65,18 @@ class ModelDeprecatedRepairFlow(RepairsFlow):
            ]
            self._model_list_cache[entry.entry_id] = model_list

-        if "opus" in model:
-            family = "claude-opus"
-        elif "sonnet" in model:
-            family = "claude-sonnet"
-        else:
-            family = "claude-haiku"
+        family = (
+            model.removeprefix("claude-")
+            .removesuffix("-preview")
+            .translate(str.maketrans("", "", "0123456789-."))
+            or "haiku"
+        )

        suggested_model = next(
            (
                model_option["value"]
                for model_option in sorted(
-                    (m for m in model_list if family in m["value"]),
+                    (m for m in model_list if f"claude-{family}" in m["value"]),
                    key=lambda x: x["value"],
                    reverse=True,
                )
@@ -193,6 +193,7 @@ class AprilaireCoordinator(BaseDataUpdateCoordinatorProtocol):

        device_info = DeviceInfo(
            identifiers={(DOMAIN, self.unique_id)},
+            connections={(dr.CONNECTION_NETWORK_MAC, data[Attribute.MAC_ADDRESS])},
            name=self.create_device_name(data),
            manufacturer="Aprilaire",
        )
@@ -1,5 +1,6 @@
 """Config flow for Aquacell integration."""

+from collections.abc import Mapping
 from datetime import datetime
 import logging
 from typing import Any
@@ -31,6 +32,12 @@ DATA_SCHEMA = vol.Schema(
    }
 )

+STEP_REAUTH_SCHEMA = vol.Schema(
+    {
+        vol.Required(CONF_PASSWORD): str,
+    }
+)
+

 class AquaCellConfigFlow(ConfigFlow, domain=DOMAIN):
    """Handle a config flow for Aquacell."""
@@ -77,3 +84,48 @@ class AquaCellConfigFlow(ConfigFlow, domain=DOMAIN):
            data_schema=DATA_SCHEMA,
            errors=errors,
        )
+
+    async def async_step_reauth(
+        self, entry_data: Mapping[str, Any]
+    ) -> ConfigFlowResult:
+        """Perform reauth upon an API authentication error."""
+        return await self.async_step_reauth_confirm()
+
+    async def async_step_reauth_confirm(
+        self, user_input: dict[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """Confirm reauth dialog."""
+        errors: dict[str, str] = {}
+        reauth_entry = self._get_reauth_entry()
+        if user_input is not None:
+            session = async_get_clientsession(self.hass)
+            api = AquacellApi(
+                session, reauth_entry.data.get(CONF_BRAND, Brand.AQUACELL)
+            )
+            try:
+                refresh_token = await api.authenticate(
+                    reauth_entry.data[CONF_EMAIL], user_input[CONF_PASSWORD]
+                )
+            except ApiException, TimeoutError:
+                errors["base"] = "cannot_connect"
+            except AuthenticationFailed:
+                errors["base"] = "invalid_auth"
+            except Exception:
+                _LOGGER.exception("Unexpected exception")
+                errors["base"] = "unknown"
+            else:
+                return self.async_update_reload_and_abort(
+                    reauth_entry,
+                    data_updates={
+                        CONF_PASSWORD: user_input[CONF_PASSWORD],
+                        CONF_REFRESH_TOKEN: refresh_token,
+                        CONF_REFRESH_TOKEN_CREATION_TIME: datetime.now().timestamp(),
+                    },
+                )
+
+        return self.async_show_form(
+            step_id="reauth_confirm",
+            data_schema=STEP_REAUTH_SCHEMA,
+            description_placeholders={"email": reauth_entry.data[CONF_EMAIL]},
+            errors=errors,
+        )
@@ -14,7 +14,7 @@ from aioaquacell import (
 from homeassistant.config_entries import ConfigEntry
 from homeassistant.const import CONF_EMAIL, CONF_PASSWORD
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryError
+from homeassistant.exceptions import ConfigEntryAuthFailed
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed

 from .const import (
@@ -79,7 +79,7 @@ class AquacellCoordinator(DataUpdateCoordinator[dict[str, Softener]]):

                softeners = await self.aquacell_api.get_all_softeners()
            except AuthenticationFailed as err:
-                raise ConfigEntryError from err
+                raise ConfigEntryAuthFailed from err
            except (AquacellApiException, TimeoutError) as err:
                raise UpdateFailed(f"Error communicating with API: {err}") from err

@@ -1,7 +1,8 @@
 {
  "config": {
    "abort": {
-      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]"
+      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
+      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]"
    },
    "error": {
      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
@@ -9,6 +10,13 @@
      "unknown": "[%key:common::config_flow::error::unknown%]"
    },
    "step": {
+      "reauth_confirm": {
+        "data": {
+          "password": "[%key:common::config_flow::data::password%]"
+        },
+        "description": "The password for {email} is no longer valid. Enter your current softener mobile app password to reconnect.",
+        "title": "[%key:common::config_flow::title::reauth%]"
+      },
      "user": {
        "data": {
          "brand": "Brand",
@@ -8,7 +8,11 @@ from aiohttp import ClientResponseError
 from pyaqvify import AqvifyAPI, AqvifyAuthException
 import voluptuous as vol

-from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
+from homeassistant.config_entries import (
+    SOURCE_RECONFIGURE,
+    ConfigFlow,
+    ConfigFlowResult,
+)
 from homeassistant.const import CONF_API_KEY
 from homeassistant.helpers.aiohttp_client import async_get_clientsession

@@ -49,8 +53,15 @@ class AqvifyConfigFlow(ConfigFlow, domain=DOMAIN):
                errors["base"] = "unknown"
            else:
                await self.async_set_unique_id(account_data.account_id)
+                if self.source == SOURCE_RECONFIGURE:
+                    self._abort_if_unique_id_mismatch()
+                    return self.async_update_reload_and_abort(
+                        self._get_reconfigure_entry(), data_updates=user_input
+                    )
                self._abort_if_unique_id_configured()
-                return self.async_create_entry(title="Aqvify", data=user_input)
+                return self.async_create_entry(
+                    title=account_data.name or "Aqvify", data=user_input
+                )

        return self.async_show_form(
            step_id="user",
@@ -96,3 +107,9 @@ class AqvifyConfigFlow(ConfigFlow, domain=DOMAIN):
            data_schema=STEP_USER_DATA_SCHEMA,
            errors=errors,
        )
+
+    async def async_step_reconfigure(
+        self, user_input: Mapping[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """User initiated reconfiguration."""
+        return await self.async_step_user()
@@ -12,6 +12,7 @@ from homeassistant.const import CONF_API_KEY
 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import ConfigEntryAuthFailed, ConfigEntryNotReady
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
+import homeassistant.helpers.device_registry as dr
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed

 from .const import DOMAIN
@@ -49,6 +50,7 @@ class AqvifyCoordinator(DataUpdateCoordinator[AqvifyCoordinatorData]):
        self.api_client = AqvifyAPI(
            entry.data[CONF_API_KEY], websession=async_get_clientsession(hass)
        )
+        self.previous_devices: set[str] = set()

    async def _async_setup(self) -> None:
        """Set up the coordinator."""
@@ -102,10 +104,25 @@ class AqvifyCoordinator(DataUpdateCoordinator[AqvifyCoordinatorData]):
                },
            ) from err

+        current_devices = set(devices.devices.keys())
+        if stale_devices := self.previous_devices - current_devices:
+            account_id = self.config_entry.unique_id
+            device_registry = dr.async_get(self.hass)
+            for device_id in stale_devices:
+                device = device_registry.async_get_device(
+                    identifiers={(DOMAIN, f"{account_id}_{device_id}")}
+                )
+                if device:
+                    device_registry.async_update_device(
+                        device_id=device.id,
+                        remove_config_entry_id=self.config_entry.entry_id,
+                    )
+        self.previous_devices = current_devices
+
        device_data = {}
-        for device in devices.devices.values():
+        for aqvify_device in devices.devices.values():
            try:
-                device_key = str(device.device_key)
+                device_key = str(aqvify_device.device_key)
                device_data[
                    device_key
                ] = await self.api_client.async_get_device_latest_data(device_key)
@@ -135,3 +152,10 @@ class AqvifyCoordinator(DataUpdateCoordinator[AqvifyCoordinatorData]):
            devices=devices,
            device_data=device_data,
        )
+
+    def async_add_devices(self, added_devices: set[str]) -> tuple[set[str], set[str]]:
+        """Return newly discovered device keys and the full current device set."""
+
+        current_devices = set(self.data.devices.devices)
+        new_devices: set[str] = current_devices - added_devices
+        return (new_devices, current_devices)
@@ -7,6 +7,6 @@
  "integration_type": "hub",
  "iot_class": "cloud_polling",
  "loggers": ["pyaqvify"],
-  "quality_scale": "bronze",
-  "requirements": ["pyaqvify==0.0.9"]
+  "quality_scale": "gold",
+  "requirements": ["pyaqvify==0.0.11"]
 }
@@ -29,40 +29,66 @@ rules:
  unique-config-entry: done

  # Silver
-  action-exceptions: todo
+  action-exceptions:
+    status: exempt
+    comment: |
+      The integration does not provide any actions.
  config-entry-unloading: done
-  docs-configuration-parameters: todo
-  docs-installation-parameters: todo
-  entity-unavailable: todo
-  integration-owner: todo
-  log-when-unavailable: todo
+  docs-configuration-parameters:
+    status: exempt
+    comment: |
+      There are no configuration options.
+  docs-installation-parameters: done
+  entity-unavailable:
+    status: done
+    comment: |
+      Handled by coordinator.
+  integration-owner: done
+  log-when-unavailable:
+    status: done
+    comment: |
+      Handled by coordinator.
  parallel-updates: done
-  reauthentication-flow: todo
-  test-coverage: todo
+  reauthentication-flow: done
+  test-coverage: done

  # Gold
-  devices: todo
-  diagnostics: todo
-  discovery-update-info: todo
-  discovery: todo
-  docs-data-update: todo
-  docs-examples: todo
-  docs-known-limitations: todo
-  docs-supported-devices: todo
-  docs-supported-functions: todo
-  docs-troubleshooting: todo
-  docs-use-cases: todo
-  dynamic-devices: todo
-  entity-category: todo
-  entity-device-class: todo
-  entity-disabled-by-default: todo
-  entity-translations: todo
-  exception-translations: todo
+  devices: done
+  diagnostics: done
+  discovery-update-info:
+    status: exempt
+    comment: |
+      Discovery not possible, as device is connected via 4G only. No LAN connection.
+  discovery:
+    status: exempt
+    comment: |
+      Discovery not possible, as device is connected via 4G only. No LAN connection.
+  docs-data-update: done
+  docs-examples: done
+  docs-known-limitations:
+    status: done
+    comment: |
+      No known limitations
+  docs-supported-devices: done
+  docs-supported-functions: done
+  docs-troubleshooting: done
+  docs-use-cases: done
+  dynamic-devices: done
+  entity-category:
+    status: done
+    comment: |
+      None of current sensors should be set as diagnostic
+  entity-device-class: done
+  entity-disabled-by-default: done
+  entity-translations: done
+  exception-translations: done
  icon-translations: done
-  reconfiguration-flow: todo
-  repair-issues: todo
-  stale-devices: todo
-
+  reconfiguration-flow: done
+  repair-issues:
+    status: exempt
+    comment: |
+      No repair issues are created.
+  stale-devices: done
  # Platinum
  async-dependency: todo
  inject-websession: todo
@@ -13,7 +13,7 @@ from homeassistant.components.sensor import (
    SensorStateClass,
    StateType,
 )
-from homeassistant.const import UnitOfLength
+from homeassistant.const import UnitOfLength, UnitOfTemperature, UnitOfVolume
 from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

@@ -50,6 +50,23 @@ ENTITIES: tuple[AqvifySensorEntityDescription, ...] = (
        suggested_display_precision=2,
        value_fn=lambda value: value.water_level,
    ),
+    AqvifySensorEntityDescription(
+        key="volume",
+        native_unit_of_measurement=UnitOfVolume.LITERS,
+        state_class=SensorStateClass.MEASUREMENT,
+        device_class=SensorDeviceClass.VOLUME_STORAGE,
+        suggested_display_precision=0,
+        value_fn=lambda value: value.volume,
+    ),
+    AqvifySensorEntityDescription(
+        key="temperature",
+        native_unit_of_measurement=UnitOfTemperature.CELSIUS,
+        state_class=SensorStateClass.MEASUREMENT,
+        device_class=SensorDeviceClass.TEMPERATURE,
+        suggested_display_precision=1,
+        value_fn=lambda value: value.temperature,
+        entity_registry_enabled_default=False,
+    ),
 )


@@ -59,11 +76,23 @@ async def async_setup_entry(
    async_add_entities: AddConfigEntryEntitiesCallback,
 ) -> None:
    """Set up Aqvify sensor entities from a config entry."""
-    async_add_entities(
-        AqvifySensor(entry.runtime_data, description, device_key)
-        for description in ENTITIES
-        for device_key in entry.runtime_data.data.devices.devices
-    )
+
+    coordinator = entry.runtime_data
+    added_devices: set[str] = set()
+
+    def _async_add_new_devices() -> None:
+        nonlocal added_devices
+        new_devices_set, current_devices = coordinator.async_add_devices(added_devices)
+        added_devices = current_devices
+
+        async_add_entities(
+            AqvifySensor(coordinator, description, device_key)
+            for description in ENTITIES
+            for device_key in new_devices_set
+        )
+
+    entry.async_on_unload(coordinator.async_add_listener(_async_add_new_devices))
+    _async_add_new_devices()


 class AqvifySensor(AqvifyBaseEntity, SensorEntity):
@@ -3,6 +3,7 @@
    "abort": {
      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]",
+      "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]",
      "unique_id_mismatch": "The entered API key corresponds to a different account."
    },
    "error": {
@@ -31,7 +31,7 @@ from homeassistant.const import (
    UnitOfTime,
 )
 from homeassistant.core import HomeAssistant
-from homeassistant.helpers.device_registry import DeviceInfo
+from homeassistant.helpers.device_registry import CONNECTION_BLUETOOTH, DeviceInfo
 from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

@@ -144,7 +144,9 @@ def _sensor_device_info_to_hass(
    adv: Aranet4Advertisement,
 ) -> DeviceInfo:
    """Convert a sensor device info to hass device info."""
-    hass_device_info = DeviceInfo({})
+    hass_device_info = DeviceInfo(
+        connections={(CONNECTION_BLUETOOTH, adv.device.address)}
+    )
    if adv.readings and adv.readings.name:
        hass_device_info[ATTR_NAME] = adv.readings.name
        hass_device_info[ATTR_MANUFACTURER] = ARANET_MANUFACTURER_NAME
@@ -6,5 +6,5 @@
  "documentation": "https://www.home-assistant.io/integrations/assist_satellite",
  "integration_type": "entity",
  "quality_scale": "internal",
-  "requirements": ["hassil==3.6.0"]
+  "requirements": ["hassil==3.8.0"]
 }
@@ -5,5 +5,5 @@
  "documentation": "https://www.home-assistant.io/integrations/aten_pe",
  "iot_class": "local_polling",
  "quality_scale": "legacy",
-  "requirements": ["atenpdu==0.3.2"]
+  "requirements": ["atenpdu==0.3.6"]
 }
@@ -30,5 +30,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_push",
  "loggers": ["pubnub", "yalexs"],
-  "requirements": ["yalexs==9.2.7", "yalexs-ble==3.3.0"]
+  "requirements": ["yalexs==9.2.7", "yalexs-ble==3.3.1"]
 }
@@ -976,6 +976,51 @@ class AutomationEntity(BaseAutomationEntity, RestoreEntity):
            return None
        return await self.async_trigger(run_variables, context, skip_condition)

+    @callback
+    def _handle_not_triggered(
+        self,
+        run_variables: dict[str, Any],
+        info: trigger_helper.NotTriggeredInfo,
+        context: Context | None = None,
+    ) -> None:
+        """Record a trace for a trigger that evaluated a change but did not fire.
+
+        This is the diagnostic sibling of async_trigger: a trigger calls it - in
+        certain interesting cases - when it does not run the action, so the user
+        can see in the trace why the automation was not triggered.
+        """
+        if not self._is_enabled:
+            return
+
+        # Create a new context referring to the old context.
+        parent_id = None if context is None else context.id
+        trigger_context = Context(parent_id=parent_id)
+
+        with trace_automation(
+            self.hass,
+            self.unique_id,
+            self.raw_config,
+            self._blueprint_inputs,
+            trigger_context,
+            self._trace_config,
+            not_triggered=True,
+        ) as automation_trace:
+            automation_trace.set_trace(trace_get())
+
+            trigger_description = run_variables.get("trigger", {}).get("description")
+            automation_trace.set_trigger_description(trigger_description)
+
+            # Record the trigger and its diagnostics as the trigger step.
+            if "idx" in run_variables.get("trigger", {}):
+                trigger_path = f"trigger/{run_variables['trigger']['idx']}"
+            else:
+                trigger_path = "trigger"
+            trace_element = TraceElement(run_variables, trigger_path)
+            trace_element.set_result(**info.as_dict())
+            trace_append_element(trace_element)
+
+            script_execution_set("not_triggered")
+
    async def _async_attach_triggers(
        self, home_assistant_start: bool
    ) -> Callable[[], None] | None:
@@ -1004,6 +1049,7 @@ class AutomationEntity(BaseAutomationEntity, RestoreEntity):
            self._log_callback,
            home_assistant_start,
            variables,
+            did_not_trigger=self._handle_not_triggered,
        )


@@ -26,10 +26,13 @@ class AutomationTrace(ActionTrace):
        config: ConfigType | None,
        blueprint_inputs: ConfigType | None,
        context: Context,
+        *,
+        not_triggered: bool = False,
    ) -> None:
        """Container for automation trace."""
        super().__init__(item_id, config, blueprint_inputs, context)
        self._trigger_description: str | None = None
+        self.not_triggered = not_triggered

    def set_trigger_description(self, trigger: str) -> None:
        """Set trigger description."""
@@ -53,9 +56,13 @@ def trace_automation(
    blueprint_inputs: ConfigType | None,
    context: Context,
    trace_config: ConfigType,
+    *,
+    not_triggered: bool = False,
 ) -> Generator[AutomationTrace]:
    """Trace action execution of automation with automation_id."""
-    trace = AutomationTrace(automation_id, config, blueprint_inputs, context)
+    trace = AutomationTrace(
+        automation_id, config, blueprint_inputs, context, not_triggered=not_triggered
+    )
    async_store_trace(hass, trace, trace_config[CONF_STORED_TRACES])

    try:
@@ -6,6 +6,6 @@
  "documentation": "https://www.home-assistant.io/integrations/bang_olufsen",
  "integration_type": "device",
  "iot_class": "local_push",
-  "requirements": ["mozart-api==5.3.1.108.2"],
+  "requirements": ["mozart-api==6.2.0.44.0"],
  "zeroconf": ["_bangolufsen._tcp.local."]
 }
@@ -1,6 +1,6 @@
 {
  "common": {
-    "jid_options_description": "Advanced grouping options, where devices' unique Beolink IDs (Called JIDs) are used directly. JIDs can be found in the state attributes of the media player entity.",
+    "jid_options_description": "Additional grouping options, where devices' unique Beolink IDs (Called JIDs) are used directly. JIDs can be found in the state attributes of the media player entity.",
    "jid_options_name": "JID options",
    "key_press": "Press",
    "key_release": "Release",
@@ -1,9 +1,7 @@
 """The BleBox devices integration."""

-import logging
-
 from blebox_uniapi.box import Box
-from blebox_uniapi.error import Error
+from blebox_uniapi.error import ConnectionError, Error, HttpError, UnauthorizedRequest
 from blebox_uniapi.session import ApiHost

 from homeassistant.const import (
@@ -14,14 +12,16 @@ from homeassistant.const import (
    Platform,
 )
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryNotReady
+from homeassistant.exceptions import (
+    ConfigEntryAuthFailed,
+    ConfigEntryError,
+    ConfigEntryNotReady,
+)

 from .const import DEFAULT_SETUP_TIMEOUT
 from .coordinator import BleBoxConfigEntry, BleBoxCoordinator
 from .helpers import get_maybe_authenticated_session

-_LOGGER = logging.getLogger(__name__)
-
 PLATFORMS = [
    Platform.BINARY_SENSOR,
    Platform.BUTTON,
@@ -50,9 +50,15 @@ async def async_setup_entry(hass: HomeAssistant, entry: BleBoxConfigEntry) -> bo

    try:
        product = await Box.async_from_host(api_host)
-    except Error as ex:
-        _LOGGER.error("Identify failed at %s:%d (%s)", api_host.host, api_host.port, ex)
+    except UnauthorizedRequest as ex:
+        raise ConfigEntryAuthFailed from ex
+    except (
+        ConnectionError,
+        HttpError,
+    ) as ex:
        raise ConfigEntryNotReady from ex
+    except Error as ex:
+        raise ConfigEntryError from ex

    coordinator = BleBoxCoordinator(hass, entry, product)
    await coordinator.async_config_entry_first_refresh()
@@ -25,6 +25,9 @@ BINARY_SENSOR_TYPES = (
        key="open",
        device_class=BinarySensorDeviceClass.WINDOW,
    ),
+    BinarySensorEntityDescription(
+        key="input",
+    ),
 )


@@ -56,6 +59,8 @@ class BleBoxBinarySensorEntity(BleBoxEntity[BinarySensorFeature], BinarySensorEn
        """Initialize a BleBox binary sensor feature."""
        super().__init__(coordinator, feature)
        self.entity_description = description
+        if feature.name:
+            self._attr_name = feature.name

    @property
    def is_on(self) -> bool:
@@ -41,6 +41,8 @@ async def async_setup_entry(
 class BleBoxButtonEntity(BleBoxEntity[blebox_uniapi.button.Button], ButtonEntity):
    """Representation of BleBox buttons."""

+    _attr_name = None
+
    def __init__(
        self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.button.Button
    ) -> None:
@@ -51,6 +51,7 @@ async def async_setup_entry(
 class BleBoxClimateEntity(BleBoxEntity[blebox_uniapi.climate.Climate], ClimateEntity):
    """Representation of a BleBox climate feature (saunaBox)."""

+    _attr_name = None
    _attr_supported_features = (
        ClimateEntityFeature.TARGET_TEMPERATURE
        | ClimateEntityFeature.TURN_OFF
@@ -1,5 +1,6 @@
 """Config flow for BleBox devices integration."""

+from collections.abc import Mapping
 import logging
 from typing import Any

@@ -16,6 +17,7 @@ import voluptuous as vol
 from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
 from homeassistant.const import CONF_HOST, CONF_PASSWORD, CONF_PORT, CONF_USERNAME
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
+from homeassistant.helpers.service_info.dhcp import DhcpServiceInfo
 from homeassistant.helpers.service_info.zeroconf import ZeroconfServiceInfo

 from . import get_maybe_authenticated_session
@@ -26,6 +28,7 @@ from .const import (
    DEFAULT_PORT,
    DEFAULT_SETUP_TIMEOUT,
    DOMAIN,
+    INVALID_AUTH,
    UNKNOWN,
    UNSUPPORTED_VERSION,
 )
@@ -46,6 +49,7 @@ STEP_SCHEMA = vol.Schema(
 LOG_MSG = {
    UNSUPPORTED_VERSION: "Outdated firmware",
    CANNOT_CONNECT: "Failed to identify device",
+    INVALID_AUTH: "Authentication failed",
    UNKNOWN: "Unknown error while identifying device",
 }

@@ -72,6 +76,21 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            description_placeholders={"address": f"{host}:{port}"},
        )

+    async def _async_box_from_host_or_abort(
+        self, api_host: ApiHost
+    ) -> Box | ConfigFlowResult:
+        """Try to connect to the device; return product or an abort result."""
+        try:
+            return await Box.async_from_host(api_host)
+        except UnsupportedBoxVersion:
+            return self.async_abort(reason="unsupported_device_version")
+        except UnsupportedBoxResponse:
+            return self.async_abort(reason="unsupported_device_response")
+        except UnauthorizedRequest:
+            return self.async_abort(reason="authorization_required")
+        except Error:
+            return self.async_abort(reason="cannot_connect")
+
    async def _async_from_host_or_form(
        self, api_host: ApiHost, user_input: dict[str, Any], step_id: str
    ) -> tuple[Box, None] | tuple[None, ConfigFlowResult]:
@@ -87,7 +106,7 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            )
        except UnauthorizedRequest as ex:
            return None, self.handle_step_exception(
-                ex, schema, host, port, CANNOT_CONNECT, _LOGGER.error, step_id
+                ex, schema, host, port, INVALID_AUTH, _LOGGER.error, step_id
            )
        except Error as ex:
            return None, self.handle_step_exception(
@@ -98,43 +117,50 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
                ex, schema, host, port, UNKNOWN, _LOGGER.error, step_id
            )

-    async def async_step_zeroconf(
-        self, discovery_info: ZeroconfServiceInfo
-    ) -> ConfigFlowResult:
-        """Handle zeroconf discovery."""
-        hass = self.hass
-        ipaddress = (discovery_info.host, discovery_info.port)
-        self.device_config["host"] = discovery_info.host
-        self.device_config["port"] = discovery_info.port
-
-        websession = async_get_clientsession(hass)
+    async def _async_handle_discovery(self, host: str, port: int) -> ConfigFlowResult:
+        """Handle discovery by IP and port; probe device then confirm with the user."""
+        self.device_config["host"] = host
+        self.device_config["port"] = port

+        websession = async_get_clientsession(self.hass)
        api_host = ApiHost(
-            *ipaddress, DEFAULT_SETUP_TIMEOUT, websession, hass.loop, _LOGGER
+            host, port, DEFAULT_SETUP_TIMEOUT, websession, self.hass.loop, _LOGGER
        )

-        try:
-            product = await Box.async_from_host(api_host)
-        except UnsupportedBoxVersion:
-            return self.async_abort(reason="unsupported_device_version")
-        except UnsupportedBoxResponse:
-            return self.async_abort(reason="unsupported_device_response")
+        result = await self._async_box_from_host_or_abort(api_host)
+        if not isinstance(result, Box):
+            return result
+        product = result

        self.device_config["name"] = product.name
        # Check if configured but IP changed since
        await self.async_set_unique_id(product.unique_id)
-        self._abort_if_unique_id_configured(updates={CONF_HOST: discovery_info.host})
+        self._abort_if_unique_id_configured(updates={CONF_HOST: host})
        self.context.update(
            {
                "title_placeholders": {
                    "name": self.device_config["name"],
-                    "host": self.device_config["host"],
+                    "host": host,
                },
-                "configuration_url": f"http://{discovery_info.host}",
+                "configuration_url": f"http://{host}",
            }
        )
        return await self.async_step_confirm_discovery()

+    async def async_step_dhcp(
+        self, discovery_info: DhcpServiceInfo
+    ) -> ConfigFlowResult:
+        """Handle DHCP discovery."""
+        return await self._async_handle_discovery(discovery_info.ip, DEFAULT_PORT)
+
+    async def async_step_zeroconf(
+        self, discovery_info: ZeroconfServiceInfo
+    ) -> ConfigFlowResult:
+        """Handle zeroconf discovery."""
+        return await self._async_handle_discovery(
+            discovery_info.host, discovery_info.port or DEFAULT_PORT
+        )
+
    async def async_step_confirm_discovery(
        self, user_input: dict[str, Any] | None = None
    ) -> ConfigFlowResult:
@@ -153,7 +179,6 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            description_placeholders={
                "name": self.device_config["name"],
                "host": self.device_config["host"],
-                "port": self.device_config["port"],
            },
        )

@@ -246,3 +271,58 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            reconfigure_entry,
            data_updates=data_updates,
        )
+
+    async def async_step_reauth(
+        self, entry_data: Mapping[str, Any]
+    ) -> ConfigFlowResult:
+        """Handle reauthentication upon an API authentication error."""
+        self.context["title_placeholders"] = {
+            "name": self._get_reauth_entry().title,
+            "host": entry_data[CONF_HOST],
+        }
+        return await self.async_step_reauth_confirm()
+
+    async def async_step_reauth_confirm(
+        self, user_input: dict[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """Handle reauthentication confirmation."""
+        errors: dict[str, str] = {}
+        reauth_entry = self._get_reauth_entry()
+        host = reauth_entry.data[CONF_HOST]
+        port = reauth_entry.data[CONF_PORT]
+
+        if user_input is not None:
+            username = user_input.get(CONF_USERNAME)
+            password = user_input.get(CONF_PASSWORD)
+            websession = get_maybe_authenticated_session(self.hass, password, username)
+            api_host = ApiHost(
+                host, port, DEFAULT_SETUP_TIMEOUT, websession, self.hass.loop, _LOGGER
+            )
+            try:
+                await Box.async_from_host(api_host)
+            except UnauthorizedRequest:
+                errors["base"] = INVALID_AUTH
+            except Error:
+                errors["base"] = CANNOT_CONNECT
+            except RuntimeError:
+                errors["base"] = UNKNOWN
+            else:
+                return self.async_update_reload_and_abort(
+                    reauth_entry,
+                    data_updates={
+                        CONF_USERNAME: username,
+                        CONF_PASSWORD: password,
+                    },
+                )
+
+        return self.async_show_form(
+            step_id="reauth_confirm",
+            data_schema=vol.Schema(
+                {
+                    vol.Inclusive(CONF_USERNAME, "auth"): str,
+                    vol.Inclusive(CONF_PASSWORD, "auth"): str,
+                }
+            ),
+            errors=errors,
+            description_placeholders={"address": f"{host}:{port}"},
+        )
@@ -7,6 +7,7 @@ DEFAULT_SETUP_TIMEOUT = 10
 # translation strings
 ADDRESS_ALREADY_CONFIGURED = "address_already_configured"
 CANNOT_CONNECT = "cannot_connect"
+INVALID_AUTH = "invalid_auth"
 UNSUPPORTED_VERSION = "unsupported_version"
 UNKNOWN = "unknown"

@@ -24,3 +25,13 @@ OPEN_STATUS: dict[int, str] = {

 LIGHT_MAX_KELVINS = 6500  # 154 Mireds
 LIGHT_MIN_KELVINS = 2700  # 370 Mireds
+
+CO2_LEVEL: dict[int, str] = {
+    0: "excellent",
+    1: "good",
+    2: "acceptable",
+    3: "medium",
+    4: "poor",
+    5: "unhealthy",
+    6: "hazardous",
+}
@@ -4,10 +4,11 @@ from datetime import timedelta
 import logging

 from blebox_uniapi.box import Box
-from blebox_uniapi.error import Error
+from blebox_uniapi.error import Error, UnauthorizedRequest

 from homeassistant.config_entries import ConfigEntry
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import ConfigEntryAuthFailed
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed

 from .const import DOMAIN
@@ -40,6 +41,8 @@ class BleBoxCoordinator(DataUpdateCoordinator[None]):
        """Fetch data from the BleBox device."""
        try:
            await self.box.async_update_data()
+        except UnauthorizedRequest as err:
+            raise ConfigEntryAuthFailed from err
        except Error as err:
            raise UpdateFailed(
                translation_domain=DOMAIN,
@@ -74,6 +74,8 @@ async def async_setup_entry(
 class BleBoxCoverEntity(BleBoxEntity[blebox_uniapi.cover.Cover], CoverEntity):
    """Representation of a BleBox cover feature."""

+    _attr_name = None
+
    def __init__(
        self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.cover.Cover
    ) -> None:
@@ -90,10 +92,10 @@ class BleBoxCoverEntity(BleBoxEntity[blebox_uniapi.cover.Cover], CoverEntity):

        if feature.has_tilt:
            self._attr_supported_features |= (
-                CoverEntityFeature.SET_TILT_POSITION
-                | CoverEntityFeature.OPEN_TILT
-                | CoverEntityFeature.CLOSE_TILT
+                CoverEntityFeature.OPEN_TILT | CoverEntityFeature.CLOSE_TILT
            )
+            if feature.is_calibrated:
+                self._attr_supported_features |= CoverEntityFeature.SET_TILT_POSITION

        if feature.tilt_only:
            self._attr_supported_features &= ~(
@@ -12,11 +12,12 @@ from .coordinator import BleBoxCoordinator
 class BleBoxEntity[_FeatureT: Feature](CoordinatorEntity[BleBoxCoordinator]):
    """Implements a common class for entities representing a BleBox feature."""

+    _attr_has_entity_name = True
+
    def __init__(self, coordinator: BleBoxCoordinator, feature: _FeatureT) -> None:
        """Initialize a BleBox entity."""
        super().__init__(coordinator)
        self._feature = feature
-        self._attr_name = feature.full_name
        self._attr_unique_id = feature.unique_id
        product = feature.product
        self._attr_device_info = DeviceInfo(
@@ -18,6 +18,9 @@
      }
    },
    "sensor": {
+      "co2_level": {
+        "default": "mdi:molecule-co2"
+      },
      "open_status": {
        "default": "mdi:window-open"
      },
@@ -71,6 +71,11 @@ class BleBoxLightEntity(BleBoxEntity[blebox_uniapi.light.Light], LightEntity):
        super().__init__(coordinator, feature)
        if feature.effect_list:
            self._attr_supported_features = LightEntityFeature.EFFECT
+        if feature.index is not None:
+            self._attr_translation_key = "channel"
+            self._attr_translation_placeholders = {"index": str(feature.index + 1)}
+        else:
+            self._attr_name = None

    @property
    def is_on(self) -> bool:
@@ -3,10 +3,49 @@
  "name": "BleBox devices",
  "codeowners": ["@bbx-a", "@swistakm", "@bkobus-bbx"],
  "config_flow": true,
+  "dhcp": [
+    { "hostname": "rollergate*" },
+    { "hostname": "gatebox*" },
+    { "hostname": "doorbox*" },
+    { "hostname": "shutterbox*" },
+    { "hostname": "switchbox*" },
+    { "hostname": "dimmerbox*" },
+    { "hostname": "dacbox*" },
+    { "hostname": "wlightbox*" },
+    { "hostname": "pixelbox*" },
+    { "hostname": "saunabox*" },
+    { "hostname": "thermobox*" },
+    { "hostname": "tempsensor*" },
+    { "hostname": "energymeter*" },
+    { "hostname": "airsensor*" },
+    { "hostname": "humiditysensor*" },
+    { "hostname": "rainsensor*" },
+    { "hostname": "floodsensor*" },
+    { "hostname": "luxsensor*" },
+    { "hostname": "inputsensor*" },
+    { "hostname": "opensensor*" },
+    { "hostname": "windsensor*" },
+    { "hostname": "co2sensor*" },
+    { "hostname": "simongo*" },
+    { "hostname": "sabaj-k-smrt*" },
+    { "hostname": "rico*" },
+    { "hostname": "smartrollergate*" },
+    { "hostname": "darco_ero_32ws_0*" },
+    { "hostname": "pergoladc*" },
+    { "hostname": "seltsmartscreen*" },
+    { "hostname": "seltvenetianblind*" },
+    { "hostname": "doorunitbox*" },
+    { "hostname": "drutexsmart*" },
+    { "hostname": "swingatecontroller*" },
+    { "hostname": "windowopener*" },
+    { "hostname": "smartawning*" },
+    { "hostname": "smartshade*" },
+    { "hostname": "smartshutter*" }
+  ],
  "documentation": "https://www.home-assistant.io/integrations/blebox",
  "integration_type": "device",
  "iot_class": "local_polling",
  "loggers": ["blebox_uniapi"],
-  "requirements": ["blebox-uniapi==2.5.4"],
+  "requirements": ["blebox-uniapi==2.5.5"],
  "zeroconf": ["_bbxsrv._tcp.local."]
 }
@@ -1,5 +1,6 @@
 """BleBox sensor entities."""

+from collections import Counter
 from collections.abc import Callable
 from dataclasses import dataclass
 from datetime import datetime
@@ -14,6 +15,7 @@ from homeassistant.components.sensor import (
 )
 from homeassistant.const import (
    CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
+    CONCENTRATION_PARTS_PER_MILLION,
    LIGHT_LUX,
    PERCENTAGE,
    UnitOfApparentPower,
@@ -22,6 +24,7 @@ from homeassistant.const import (
    UnitOfEnergy,
    UnitOfFrequency,
    UnitOfPower,
+    UnitOfReactiveEnergy,
    UnitOfReactivePower,
    UnitOfSpeed,
    UnitOfTemperature,
@@ -31,7 +34,7 @@ from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 from homeassistant.helpers.typing import StateType

 from . import BleBoxConfigEntry
-from .const import OPEN_STATUS
+from .const import CO2_LEVEL, OPEN_STATUS
 from .coordinator import BleBoxCoordinator
 from .entity import BleBoxEntity

@@ -66,6 +69,7 @@ SENSOR_TYPES: tuple[BleBoxSensorEntityDescription, ...] = (
    ),
    BleBoxSensorEntityDescription(
        key="temperature",
+        translation_key="temperature",
        device_class=SensorDeviceClass.TEMPERATURE,
        native_unit_of_measurement=UnitOfTemperature.CELSIUS,
        state_class=SensorStateClass.MEASUREMENT,
@@ -94,50 +98,72 @@ SENSOR_TYPES: tuple[BleBoxSensorEntityDescription, ...] = (
        native_unit_of_measurement=LIGHT_LUX,
        state_class=SensorStateClass.MEASUREMENT,
    ),
+    BleBoxSensorEntityDescription(
+        key="forwardReactiveEnergy",
+        translation_key="forward_reactive_energy",
+        device_class=SensorDeviceClass.REACTIVE_ENERGY,
+        native_unit_of_measurement=UnitOfReactiveEnergy.KILO_VOLT_AMPERE_REACTIVE_HOUR,
+        state_class=SensorStateClass.TOTAL_INCREASING,
+    ),
+    BleBoxSensorEntityDescription(
+        key="reverseReactiveEnergy",
+        translation_key="reverse_reactive_energy",
+        device_class=SensorDeviceClass.REACTIVE_ENERGY,
+        native_unit_of_measurement=UnitOfReactiveEnergy.KILO_VOLT_AMPERE_REACTIVE_HOUR,
+        state_class=SensorStateClass.TOTAL_INCREASING,
+    ),
    BleBoxSensorEntityDescription(
        key="forwardActiveEnergy",
+        translation_key="forward_active_energy",
        device_class=SensorDeviceClass.ENERGY,
        native_unit_of_measurement=UnitOfEnergy.KILO_WATT_HOUR,
        state_class=SensorStateClass.TOTAL_INCREASING,
    ),
    BleBoxSensorEntityDescription(
        key="reverseActiveEnergy",
+        translation_key="reverse_active_energy",
        device_class=SensorDeviceClass.ENERGY,
        native_unit_of_measurement=UnitOfEnergy.KILO_WATT_HOUR,
        state_class=SensorStateClass.TOTAL_INCREASING,
    ),
    BleBoxSensorEntityDescription(
        key="reactivePower",
-        device_class=SensorDeviceClass.POWER,
+        translation_key="reactive_power",
+        device_class=SensorDeviceClass.REACTIVE_POWER,
        native_unit_of_measurement=UnitOfReactivePower.VOLT_AMPERE_REACTIVE,
        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="activePower",
+        translation_key="active_power",
        device_class=SensorDeviceClass.POWER,
        native_unit_of_measurement=UnitOfPower.WATT,
        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="apparentPower",
+        translation_key="apparent_power",
        device_class=SensorDeviceClass.APPARENT_POWER,
        native_unit_of_measurement=UnitOfApparentPower.VOLT_AMPERE,
        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="voltage",
+        translation_key="voltage",
        device_class=SensorDeviceClass.VOLTAGE,
        native_unit_of_measurement=UnitOfElectricPotential.VOLT,
        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="current",
+        translation_key="current",
        device_class=SensorDeviceClass.CURRENT,
        native_unit_of_measurement=UnitOfElectricCurrent.MILLIAMPERE,
        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="frequency",
+        translation_key="frequency",
        device_class=SensorDeviceClass.FREQUENCY,
        native_unit_of_measurement=UnitOfFrequency.HERTZ,
        state_class=SensorStateClass.MEASUREMENT,
@@ -149,6 +175,19 @@ SENSOR_TYPES: tuple[BleBoxSensorEntityDescription, ...] = (
        options=list(OPEN_STATUS.values()),
        value_fn=lambda v: OPEN_STATUS.get(int(v)) if v is not None else None,
    ),
+    BleBoxSensorEntityDescription(
+        key="co2",
+        device_class=SensorDeviceClass.CO2,
+        native_unit_of_measurement=CONCENTRATION_PARTS_PER_MILLION,
+        state_class=SensorStateClass.MEASUREMENT,
+    ),
+    BleBoxSensorEntityDescription(
+        key="co2Definition",
+        translation_key="co2_level",
+        device_class=SensorDeviceClass.ENUM,
+        options=list(CO2_LEVEL.values()),
+        value_fn=lambda v: CO2_LEVEL.get(int(v)) if v is not None else None,
+    ),
 )


@@ -158,10 +197,20 @@ async def async_setup_entry(
    async_add_entities: AddConfigEntryEntitiesCallback,
 ) -> None:
    """Set up a BleBox entry."""
+
    coordinator = config_entry.runtime_data
+    features = coordinator.box.features.get("sensors", [])
+    counts = Counter(f.device_class for f in features)
    entities = [
-        BleBoxSensorEntity(coordinator, feature, description)
-        for feature in coordinator.box.features.get("sensors", [])
+        BleBoxSensorEntity(
+            coordinator,
+            feature,
+            description,
+            feature.index
+            if counts[feature.device_class] > 1 and feature.index
+            else None,
+        )
+        for feature in features
        for description in SENSOR_TYPES
        if description.key == feature.device_class
    ]
@@ -178,10 +227,16 @@ class BleBoxSensorEntity(BleBoxEntity[blebox_uniapi.sensor.BaseSensor], SensorEn
        coordinator: BleBoxCoordinator,
        feature: blebox_uniapi.sensor.BaseSensor,
        description: BleBoxSensorEntityDescription,
+        index: int | None = None,
    ) -> None:
        """Initialize a BleBox sensor feature."""
        super().__init__(coordinator, feature)
        self.entity_description = description
+        if feature.name:
+            self._attr_name = feature.name
+        elif index is not None and description.translation_key:
+            self._attr_translation_key = f"{description.translation_key}_n"
+            self._attr_translation_placeholders = {"index": str(index)}

    @property
    def native_value(self) -> StateType:
@@ -3,16 +3,38 @@
    "abort": {
      "address_already_configured": "A BleBox device is already configured at {address}.",
      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
+      "authorization_required": "The BleBox device requires authentication.",
+      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
+      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]",
      "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]",
-      "unique_id_mismatch": "The device identifier does not match the previously configured device."
+      "unique_id_mismatch": "The device identifier does not match the previously configured device.",
+      "unsupported_device_response": "The BleBox device returned an unrecognized response.",
+      "unsupported_device_version": "[%key:component::blebox::config::error::unsupported_version%]"
    },
    "error": {
      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
+      "invalid_auth": "[%key:common::config_flow::error::invalid_auth%]",
      "unknown": "[%key:common::config_flow::error::unknown%]",
      "unsupported_version": "BleBox device has outdated firmware. Please upgrade it first."
    },
    "flow_title": "{name} ({host})",
    "step": {
+      "confirm_discovery": {
+        "description": "Do you want to add the BleBox device **{name}** at `{host}` to Home Assistant?",
+        "title": "BleBox device discovered"
+      },
+      "reauth_confirm": {
+        "data": {
+          "password": "[%key:common::config_flow::data::password%]",
+          "username": "[%key:common::config_flow::data::username%]"
+        },
+        "data_description": {
+          "password": "The password for your BleBox device.",
+          "username": "The username for your BleBox device."
+        },
+        "description": "Enter credentials for the BleBox device at {address}.",
+        "title": "Reauthenticate your BleBox device"
+      },
      "reconfigure": {
        "data": {
          "host": "[%key:common::config_flow::data::ip%]",
@@ -30,14 +52,48 @@
          "port": "[%key:common::config_flow::data::port%]",
          "username": "[%key:common::config_flow::data::username%]"
        },
+        "data_description": {
+          "host": "The IP address of your BleBox device.",
+          "password": "The password for your BleBox device.",
+          "port": "The port of your BleBox device.",
+          "username": "The username for your BleBox device."
+        },
        "description": "Set up your BleBox to integrate with Home Assistant.",
        "title": "Set up your BleBox device"
      }
    }
  },
  "entity": {
+    "light": { "channel": { "name": "Channel {index}" } },
    "sensor": {
+      "active_power": { "name": "Active power" },
+      "active_power_n": { "name": "Active power {index}" },
+      "apparent_power": { "name": "Apparent power" },
+      "apparent_power_n": { "name": "Apparent power {index}" },
+      "co2_level": {
+        "name": "Carbon dioxide level",
+        "state": {
+          "acceptable": "Acceptable",
+          "excellent": "Excellent",
+          "good": "Good",
+          "hazardous": "Hazardous",
+          "medium": "Medium",
+          "poor": "Poor",
+          "unhealthy": "Unhealthy"
+        }
+      },
+      "current": { "name": "Current" },
+      "current_n": { "name": "Current {index}" },
+      "forward_active_energy": { "name": "Forward active energy" },
+      "forward_active_energy_n": { "name": "Forward active energy {index}" },
+      "forward_reactive_energy": { "name": "Forward reactive energy" },
+      "forward_reactive_energy_n": {
+        "name": "Forward reactive energy {index}"
+      },
+      "frequency": { "name": "Frequency" },
+      "frequency_n": { "name": "Frequency {index}" },
      "open_status": {
+        "name": "Open status",
        "state": {
          "ajar": "Ajar",
          "closed": "[%key:common::state::closed%]",
@@ -45,7 +101,20 @@
          "open": "[%key:common::state::open%]",
          "unclosed_or_unlocked": "Unclosed or unlocked"
        }
-      }
+      },
+      "power_consumption": { "name": "Energy last hour" },
+      "reactive_power": { "name": "Reactive power" },
+      "reactive_power_n": { "name": "Reactive power {index}" },
+      "reverse_active_energy": { "name": "Reverse active energy" },
+      "reverse_active_energy_n": { "name": "Reverse active energy {index}" },
+      "reverse_reactive_energy": { "name": "Reverse reactive energy" },
+      "reverse_reactive_energy_n": {
+        "name": "Reverse reactive energy {index}"
+      },
+      "temperature": { "name": "Temperature" },
+      "temperature_n": { "name": "Temperature {index}" },
+      "voltage": { "name": "Voltage" },
+      "voltage_n": { "name": "Voltage {index}" }
    }
  },
  "exceptions": {
@@ -9,6 +9,7 @@ from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

 from . import BleBoxConfigEntry
+from .coordinator import BleBoxCoordinator
 from .entity import BleBoxEntity
 from .util import blebox_command

@@ -34,6 +35,16 @@ class BleBoxSwitchEntity(BleBoxEntity[blebox_uniapi.switch.Switch], SwitchEntity

    _attr_device_class = SwitchDeviceClass.SWITCH

+    _attr_name = None
+
+    def __init__(
+        self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.switch.Switch
+    ) -> None:
+        """Initialize a BleBox switch feature."""
+        super().__init__(coordinator, feature)
+        if feature.name:
+            self._attr_name = feature.name
+
    @property
    def is_on(self) -> bool | None:
        """Return whether switch is on."""
@@ -21,5 +21,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_polling",
  "loggers": ["blinkpy"],
-  "requirements": ["blinkpy==0.25.2"]
+  "requirements": ["blinkpy==0.25.6"]
 }
@@ -26,6 +26,12 @@
        "description": "The credentials for {username} need to be updated",
        "title": "Re-authenticate Blink"
      },
+      "reconfigure": {
+        "data": {
+          "password": "[%key:common::config_flow::data::password%]",
+          "username": "[%key:common::config_flow::data::username%]"
+        }
+      },
      "user": {
        "data": {
          "password": "[%key:common::config_flow::data::password%]",
@@ -7,5 +7,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_push",
  "loggers": ["bluecurrent_api"],
-  "requirements": ["bluecurrent-api==1.3.2"]
+  "requirements": ["bluecurrent-api==1.3.3"]
 }
@@ -105,7 +105,7 @@ class BluesoundButton(CoordinatorEntity[BluesoundCoordinator], ButtonEntity):
        if port == DEFAULT_PORT:
            self._attr_device_info = DeviceInfo(
                identifiers={(DOMAIN, format_mac(sync_status.mac))},
-                connections={(CONNECTION_NETWORK_MAC, format_mac(sync_status.mac))},
+                connections={(CONNECTION_NETWORK_MAC, sync_status.mac)},
                name=sync_status.name,
                manufacturer=sync_status.brand,
                model=sync_status.model_name,
@@ -7,7 +7,7 @@
  "documentation": "https://www.home-assistant.io/integrations/bluesound",
  "integration_type": "device",
  "iot_class": "local_polling",
-  "requirements": ["pyblu==2.0.6"],
+  "requirements": ["pyblu==2.0.8"],
  "zeroconf": [
    {
      "type": "_musc._tcp.local."
@@ -118,7 +118,7 @@ class BluesoundPlayer(CoordinatorEntity[BluesoundCoordinator], MediaPlayerEntity
        if port == DEFAULT_PORT:
            self._attr_device_info = DeviceInfo(
                identifiers={(DOMAIN, format_mac(sync_status.mac))},
-                connections={(CONNECTION_NETWORK_MAC, format_mac(sync_status.mac))},
+                connections={(CONNECTION_NETWORK_MAC, sync_status.mac)},
                name=sync_status.name,
                manufacturer=sync_status.brand,
                model=sync_status.model_name,
@@ -55,7 +55,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: BoschConfigEntry) -> boo
    device_registry = dr.async_get(hass)
    device_registry.async_get_or_create(
        config_entry_id=entry.entry_id,
-        connections={(dr.CONNECTION_NETWORK_MAC, dr.format_mac(shc_info.unique_id))},
+        connections={(dr.CONNECTION_NETWORK_MAC, shc_info.unique_id)},
        identifiers={(DOMAIN, shc_info.unique_id)},
        manufacturer="Bosch",
        name=entry.title,
@@ -8,7 +8,7 @@
  "integration_type": "hub",
  "iot_class": "local_push",
  "loggers": ["boschshcpy"],
-  "requirements": ["boschshcpy==0.2.107"],
+  "requirements": ["boschshcpy==0.2.111"],
  "zeroconf": [
    {
      "name": "bosch shc*",
@@ -1,19 +1,18 @@
 """The Brands integration."""

 from collections import deque
-from collections.abc import Container, Mapping
 from http import HTTPStatus
 import logging
 from pathlib import Path
 from random import SystemRandom
 import time
-from typing import Any, Final, override
+from typing import Any, Final

-from aiohttp import ClientError, web
+from aiohttp import ClientError, hdrs, web
 import voluptuous as vol

 from homeassistant.components import websocket_api
-from homeassistant.components.http import HomeAssistantView
+from homeassistant.components.http import KEY_AUTHENTICATED, HomeAssistantView
 from homeassistant.core import HomeAssistant, callback, valid_domain
 from homeassistant.helpers import config_validation as cv
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
@@ -109,18 +108,30 @@ def _read_brand_file(brand_dir: Path, image: str) -> bytes | None:
 class _BrandsBaseView(HomeAssistantView):
    """Base view for serving brand images."""

-    use_query_token_for_auth = True
+    requires_auth = False

    def __init__(self, hass: HomeAssistant) -> None:
        """Initialize the view."""
        self._hass = hass
        self._cache_dir = Path(hass.config.cache_path(DOMAIN))

-    @callback
-    @override
-    def get_valid_auth_tokens(self, match_info: Mapping[str, str]) -> Container[str]:
-        """Return valid auth tokens, which can be used for query token authentication."""
-        return self._hass.data[DOMAIN]
+    def _authenticate(self, request: web.Request) -> None:
+        """Authenticate the request using Bearer token or query token."""
+        access_tokens: deque[str] = self._hass.data[DOMAIN]
+        authenticated = (
+            request[KEY_AUTHENTICATED] or request.query.get("token") in access_tokens
+        )
+        if not authenticated:
+            if hdrs.AUTHORIZATION in request.headers:
+                # A failed request that carried an Authorization header is a real
+                # Bearer auth attempt — return 401 and let the ban middleware count
+                # it as a wrong login.
+                raise web.HTTPUnauthorized
+            # No Authorization header: most likely a benign signed-URL / query-
+            # token request whose token has expired (e.g. a browser tab left
+            # open that re-fetches resources later). Return 403 so it doesn't
+            # register as a wrong login and ban the user's own IP.
+            raise web.HTTPForbidden

    async def _serve_from_custom_integration(
        self,
@@ -236,6 +247,8 @@ class BrandsIntegrationView(_BrandsBaseView):
        image: str,
    ) -> web.Response:
        """Handle GET request for an integration brand image."""
+        self._authenticate(request)
+
        if not valid_domain(domain) or image not in ALLOWED_IMAGES:
            return web.Response(status=HTTPStatus.NOT_FOUND)

@@ -268,6 +281,8 @@ class BrandsHardwareView(_BrandsBaseView):
        image: str,
    ) -> web.Response:
        """Handle GET request for a hardware brand image."""
+        self._authenticate(request)
+
        if not CATEGORY_RE.match(category):
            return web.Response(status=HTTPStatus.NOT_FOUND)
        # Hardware images have dynamic names like "manufacturer_model.png"
@@ -125,7 +125,7 @@ class BringTodoListEntity(BringBaseEntity, TodoListEntity):
        await self.coordinator.async_refresh()

    async def async_update_todo_item(self, item: TodoItem) -> None:
-        """Update an item to the To-do list.
+        """Update an item in the To-do list.

        Bring has an internal 'recent' list which we want to use instead of a todo list
        status, therefore completed todo list items are matched to the recent list and
@@ -118,7 +118,14 @@ class BroadlinkDevice[_ApiT: blk.Device = blk.Device]:
            return False

        except (NetworkTimeoutError, OSError) as err:
-            raise ConfigEntryNotReady from err
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="connect_failed",
+                translation_placeholders={
+                    "host": api.host[0],
+                    "error": str(err),
+                },
+            ) from err

        except BroadlinkException as err:
            _LOGGER.error(
@@ -1,7 +1,7 @@
 {
  "domain": "broadlink",
  "name": "Broadlink",
-  "codeowners": ["@danielhiversen", "@felipediel", "@L-I-Am", "@eifinger"],
+  "codeowners": ["@danielhiversen", "@felipediel", "@L-I-Am"],
  "config_flow": true,
  "dhcp": [
    {
@@ -89,6 +89,9 @@
    }
  },
  "exceptions": {
+    "connect_failed": {
+      "message": "Failed to connect to the device at {host}: {error}"
+    },
    "frequency_not_supported": {
      "message": "Broadlink devices cannot transmit on {frequency} MHz"
    },
@@ -6,5 +6,5 @@
  "documentation": "https://www.home-assistant.io/integrations/bryant_evolution",
  "integration_type": "device",
  "iot_class": "local_polling",
-  "requirements": ["evolutionhttp==0.0.18"]
+  "requirements": ["evolutionhttp==0.0.19"]
 }
@@ -31,11 +31,7 @@ from homeassistant.exceptions import (
 )
 from homeassistant.helpers import config_validation as cv, device_registry as dr
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
-from homeassistant.helpers.device_registry import (
-    CONNECTION_NETWORK_MAC,
-    DeviceInfo,
-    format_mac,
-)
+from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.typing import ConfigType

 from .const import (
@@ -75,7 +71,7 @@ def get_bsblan_device_info(
    """Build DeviceInfo for the main BSB-LAN controller device."""
    return DeviceInfo(
        identifiers={(DOMAIN, device.MAC)},
-        connections={(CONNECTION_NETWORK_MAC, format_mac(device.MAC))},
+        connections={(CONNECTION_NETWORK_MAC, device.MAC)},
        name=device.name,
        manufacturer="BSBLAN Inc.",
        model=(
@@ -20,5 +20,5 @@
  "dependencies": ["bluetooth_adapters"],
  "documentation": "https://www.home-assistant.io/integrations/bthome",
  "iot_class": "local_push",
-  "requirements": ["bthome-ble==3.23.2"]
+  "requirements": ["bthome-ble==3.23.4"]
 }
@@ -7,5 +7,5 @@
  "integration_type": "service",
  "iot_class": "cloud_polling",
  "loggers": ["buienradar", "vincenty"],
-  "requirements": ["buienradar==1.0.6"]
+  "requirements": ["buienradar==1.0.9"]
 }
@@ -24,7 +24,7 @@ from homeassistant.components.websocket_api import (
    ActiveConnection,
 )
 from homeassistant.config_entries import ConfigEntry
-from homeassistant.const import STATE_OFF, STATE_ON
+from homeassistant.const import CONF_EVENT, STATE_OFF, STATE_ON
 from homeassistant.core import (
    CALLBACK_TYPE,
    HomeAssistant,
@@ -45,7 +45,6 @@ from homeassistant.util import dt as dt_util
 from homeassistant.util.json import JsonValueType

 from .const import (
-    CONF_EVENT,
    DATA_COMPONENT,
    DOMAIN,
    EVENT_DESCRIPTION,
@@ -13,9 +13,6 @@ if TYPE_CHECKING:
 DOMAIN = "calendar"
 DATA_COMPONENT: HassKey[EntityComponent[CalendarEntity]] = HassKey(DOMAIN)

-# pylint: disable-next=home-assistant-duplicate-const
-CONF_EVENT = "event"
-

 class CalendarEntityFeature(IntFlag):
    """Supported features of the calendar entity."""
@@ -27,7 +27,12 @@ from homeassistant.helpers.event import (
    async_track_time_interval,
 )
 from homeassistant.helpers.target import TargetEntityChangeTracker, TargetSelection
-from homeassistant.helpers.trigger import Trigger, TriggerActionRunner, TriggerConfig
+from homeassistant.helpers.trigger import (
+    Trigger,
+    TriggerActionRunner,
+    TriggerConfig,
+    TriggerNotTriggeredReporter,
+)
 from homeassistant.helpers.typing import ConfigType
 from homeassistant.util import dt as dt_util

@@ -393,7 +398,9 @@ class SingleEntityEventTrigger(Trigger):
        self._options = config.options

    async def async_attach_runner(
-        self, run_action: TriggerActionRunner
+        self,
+        run_action: TriggerActionRunner,
+        did_not_trigger: TriggerNotTriggeredReporter | None = None,
    ) -> CALLBACK_TYPE:
        """Attach a trigger."""

@@ -444,7 +451,9 @@ class EventTrigger(Trigger):
        self._options = config.options

    async def async_attach_runner(
-        self, run_action: TriggerActionRunner
+        self,
+        run_action: TriggerActionRunner,
+        did_not_trigger: TriggerNotTriggeredReporter | None = None,
    ) -> CALLBACK_TYPE:
        """Attach a trigger."""

@@ -460,7 +469,7 @@ class EventTrigger(Trigger):
        listener = TargetCalendarEventListener(
            self._hass, target_selection, self._event_type, offset, run_action
        )
-        return listener.async_setup()
+        return await listener.async_setup()


 class EventStartedTrigger(EventTrigger):
@@ -2,7 +2,7 @@

 import asyncio
 import collections
-from collections.abc import Awaitable, Callable, Container, Coroutine, Mapping
+from collections.abc import Awaitable, Callable, Coroutine
 from contextlib import suppress
 from dataclasses import asdict, dataclass
 from datetime import datetime, timedelta
@@ -12,16 +12,16 @@ import logging
 import os
 from random import SystemRandom
 import time
-from typing import Any, Final, final, override
+from typing import Any, Final, final

-from aiohttp import web
+from aiohttp import hdrs, web
 import attr
 from propcache.api import cached_property, under_cached_property
 import voluptuous as vol
 from webrtc_models import RTCIceCandidateInit

 from homeassistant.components import websocket_api
-from homeassistant.components.http import HomeAssistantView
+from homeassistant.components.http import KEY_AUTHENTICATED, HomeAssistantView
 from homeassistant.components.media_player import (
    ATTR_MEDIA_CONTENT_ID,
    ATTR_MEDIA_CONTENT_TYPE,
@@ -776,25 +776,35 @@ class Camera(Entity, cached_properties=CACHED_PROPERTIES_WITH_ATTR_):
 class CameraView(HomeAssistantView):
    """Base CameraView."""

-    use_query_token_for_auth = True
+    requires_auth = False

    def __init__(self, component: EntityComponent[Camera]) -> None:
        """Initialize a basic camera view."""
        self.component = component

-    @callback
-    @override
-    def get_valid_auth_tokens(self, match_info: Mapping[str, str]) -> Container[str]:
-        """Return valid auth tokens, which can be used for query token authentication."""
-        if (camera := self.component.get_entity(match_info["entity_id"])) is None:
-            return ()
-
-        return camera.access_tokens
-
    async def get(self, request: web.Request, entity_id: str) -> web.StreamResponse:
        """Start a GET request."""
        if (camera := self.component.get_entity(entity_id)) is None:
-            raise web.HTTPNotFound
+            raise (
+                web.HTTPNotFound if request[KEY_AUTHENTICATED] else web.HTTPUnauthorized
+            )
+
+        authenticated = (
+            request[KEY_AUTHENTICATED]
+            or request.query.get("token") in camera.access_tokens
+        )
+
+        if not authenticated:
+            if hdrs.AUTHORIZATION in request.headers:
+                # A failed request that carried an Authorization header is a real
+                # Bearer auth attempt — return 401 and let the ban middleware count
+                # it as a wrong login.
+                raise web.HTTPUnauthorized
+            # No Authorization header: most likely a benign signed-URL / query-
+            # token request whose token has expired (e.g. a browser tab left
+            # open that re-fetches resources later). Return 403 so it doesn't
+            # register as a wrong login and ban the user's own IP.
+            raise web.HTTPForbidden

        if not camera.is_on:
            _LOGGER.debug("Camera is off")
@@ -3,6 +3,7 @@
 from pycasperglow import CasperGlow

 from homeassistant.components import bluetooth
+from homeassistant.components.bluetooth import BluetoothReachabilityIntent
 from homeassistant.const import CONF_ADDRESS, Platform
 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import ConfigEntryNotReady
@@ -27,7 +28,12 @@ async def async_setup_entry(hass: HomeAssistant, entry: CasperGlowConfigEntry) -
        raise ConfigEntryNotReady(
            translation_domain=DOMAIN,
            translation_key="device_not_found",
-            translation_placeholders={"address": address},
+            translation_placeholders={
+                "address": address,
+                "reason": bluetooth.async_address_reachability_diagnostics(
+                    hass, address.upper(), BluetoothReachabilityIntent.CONNECTION
+                ),
+            },
        )

    glow = CasperGlow(ble_device)
@@ -56,7 +56,7 @@
      "message": "An error occurred while communicating with the Casper Glow: {error}"
    },
    "device_not_found": {
-      "message": "Could not find Casper Glow device with address {address}"
+      "message": "Could not find Casper Glow device with address {address}: {reason}"
    }
  }
 }
@@ -49,7 +49,6 @@ async def async_setup_entry(
 class CCM15Climate(CoordinatorEntity[CCM15Coordinator], ClimateEntity):
    """Climate device for CCM15 coordinator."""

-    _attr_temperature_unit = UnitOfTemperature.CELSIUS
    _attr_has_entity_name = True
    _attr_target_temperature_step = PRECISION_WHOLE
    _attr_hvac_modes = [
@@ -93,6 +92,13 @@ class CCM15Climate(CoordinatorEntity[CCM15Coordinator], ClimateEntity):
        """Return device data."""
        return self.coordinator.get_ac_data(self._ac_index)

+    @property
+    def temperature_unit(self) -> str:
+        """Return the unit of measurement reported by the device."""
+        if (data := self.data) is not None and not data.is_celsius:
+            return UnitOfTemperature.FAHRENHEIT
+        return UnitOfTemperature.CELSIUS
+
    @property
    def current_temperature(self) -> int | None:
        """Return current temperature."""
@@ -3,11 +3,7 @@
 from cieloconnectapi.device import CieloDeviceAPI
 from cieloconnectapi.model import CieloDevice

-from homeassistant.helpers.device_registry import (
-    CONNECTION_NETWORK_MAC,
-    DeviceInfo,
-    format_mac,
-)
+from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.update_coordinator import CoordinatorEntity

 from .const import DOMAIN
@@ -69,7 +65,7 @@ class CieloDeviceEntity(CieloBaseEntity):
        self._attr_device_info = DeviceInfo(
            identifiers={(DOMAIN, device.id)},
            name=device.name,
-            connections={(CONNECTION_NETWORK_MAC, format_mac(device.mac_address))},
+            connections={(CONNECTION_NETWORK_MAC, device.mac_address)},
            manufacturer="Cielo",
            configuration_url="https://home.cielowigle.com/",
            suggested_area=device.name,
@@ -6,5 +6,5 @@
  "iot_class": "cloud_push",
  "loggers": ["webexpythonsdk"],
  "quality_scale": "legacy",
-  "requirements": ["webexpythonsdk==2.0.1"]
+  "requirements": ["webexpythonsdk==2.0.6"]
 }
@@ -31,12 +31,24 @@ async def system_health_info(hass: HomeAssistant) -> dict[str, Any]:
        data["relayer_region"] = client.relayer_region
        data["remote_enabled"] = client.prefs.remote_enabled
        data["remote_connected"] = cloud.remote.is_connected
+        data["remote_server"] = cloud.remote.snitun_server
        data["alexa_enabled"] = client.prefs.alexa_enabled
        data["google_enabled"] = client.prefs.google_enabled
        data["cloud_ice_servers_enabled"] = client.prefs.cloud_ice_servers_enabled
-        data["remote_server"] = cloud.remote.snitun_server
        data["certificate_status"] = cloud.remote.certificate_status
        data["instance_id"] = client.prefs.instance_id
+        data["iot_state"] = cloud.iot.state
+        data["iot_tries"] = cloud.iot.tries
+
+        if (cert := cloud.remote.certificate) is not None:
+            data["certificate_expire_date"] = cert.expire_date
+            data["certificate_fingerprint"] = cert.fingerprint
+            if cert.alternative_names:
+                data["certificate_alternative_names"] = cert.alternative_names
+
+        if (disconnect := cloud.iot.last_disconnect_reason) is not None:
+            data["iot_last_disconnect_clean"] = disconnect.clean
+            data["iot_last_disconnect_reason"] = disconnect.reason

    data["can_reach_cert_server"] = system_health.async_check_can_reach_url(
        hass, f"https://{cloud.acme_server}/directory"
@@ -8,5 +8,5 @@
  "iot_class": "local_polling",
  "loggers": ["aiocomelit"],
  "quality_scale": "platinum",
-  "requirements": ["aiocomelit==2.0.3"]
+  "requirements": ["aiocomelit==2.0.5"]
 }
@@ -3,7 +3,7 @@
 import logging
 from typing import Any

-from compit_inext_api import Param, Parameter
+from compit_inext_api import Parameter
 from compit_inext_api.consts import (
    CompitFanMode,
    CompitHVACMode,
@@ -150,7 +150,7 @@ class CompitClimate(CoordinatorEntity[CompitDataUpdateCoordinator], ClimateEntit
        value = self.get_parameter_value(CompitParameter.CURRENT_TEMPERATURE)
        if value is None:
            return None
-        return float(value.value)
+        return float(value)

    @property
    def target_temperature(self) -> float | None:
@@ -158,7 +158,7 @@ class CompitClimate(CoordinatorEntity[CompitDataUpdateCoordinator], ClimateEntit
        value = self.get_parameter_value(CompitParameter.SET_TARGET_TEMPERATURE)
        if value is None:
            return None
-        return float(value.value)
+        return float(value)

    @cached_property
    def preset_modes(self) -> list[str] | None:
@@ -195,27 +195,24 @@ class CompitClimate(CoordinatorEntity[CompitDataUpdateCoordinator], ClimateEntit
        """Return the current preset mode."""
        preset_mode = self.get_parameter_value(CompitParameter.PRESET_MODE)

-        if preset_mode:
-            compit_preset_mode = CompitPresetMode(preset_mode.value)
-            return COMPIT_PRESET_MAP.get(compit_preset_mode)
+        if preset_mode is not None:
+            return COMPIT_PRESET_MAP.get(CompitPresetMode(preset_mode))
        return None

    @property
    def fan_mode(self) -> str | None:
        """Return the current fan mode."""
        fan_mode = self.get_parameter_value(CompitParameter.FAN_MODE)
-        if fan_mode:
-            compit_fan_mode = CompitFanMode(fan_mode.value)
-            return COMPIT_FANSPEED_MAP.get(compit_fan_mode)
+        if fan_mode is not None:
+            return COMPIT_FANSPEED_MAP.get(CompitFanMode(fan_mode))
        return None

    @property
    def hvac_mode(self) -> HVACMode | None:
        """Return the current HVAC mode."""
        hvac_mode = self.get_parameter_value(CompitParameter.HVAC_MODE)
-        if hvac_mode:
-            compit_hvac_mode = CompitHVACMode(hvac_mode.value)
-            return COMPIT_MODE_MAP.get(compit_hvac_mode)
+        if hvac_mode is not None:
+            return COMPIT_MODE_MAP.get(CompitHVACMode(hvac_mode))
        return None

    async def async_set_temperature(self, **kwargs: Any) -> None:
@@ -258,8 +255,6 @@ class CompitClimate(CoordinatorEntity[CompitDataUpdateCoordinator], ClimateEntit
        )
        self.async_write_ha_state()

-    def get_parameter_value(self, parameter: CompitParameter) -> Param | None:
+    def get_parameter_value(self, parameter: CompitParameter) -> str | float | None:
        """Get the parameter value from the device state."""
-        return self.coordinator.connector.get_device_parameter(
-            self.device_id, parameter
-        )
+        return self.coordinator.connector.get_current_value(self.device_id, parameter)
@@ -8,5 +8,5 @@
  "iot_class": "cloud_polling",
  "loggers": ["compit"],
  "quality_scale": "bronze",
-  "requirements": ["compit-inext-api==0.8.0"]
+  "requirements": ["compit-inext-api==0.9.1"]
 }
@@ -6,7 +6,7 @@ import voluptuous as vol

 from homeassistant.components import websocket_api
 from homeassistant.core import HomeAssistant, callback
-from homeassistant.helpers import area_registry as ar, label_registry as lr
+from homeassistant.helpers import area_registry as ar


@callback
@@ -69,9 +69,8 @@ def websocket_create_area(
        data["aliases"] = {s_strip for s in data["aliases"] if (s_strip := s.strip())}

    if "labels" in data:
-        # Strip labels which are not in the label registry
-        labels = set(data["labels"])
-        data["labels"] = labels - lr.async_get_missing_label_ids(hass, labels)
+        # Convert labels to a set
+        data["labels"] = set(data["labels"])

    try:
        entry = registry.async_create(**data)
@@ -140,11 +139,8 @@ def websocket_update_area(
        data["aliases"] = {s_strip for s in data["aliases"] if (s_strip := s.strip())}

    if "labels" in data:
-        # Strip labels which are not in the label registry. This also cleans up
-        # any stale labels already stored on the area (e.g. left behind by a
-        # deleted label) the next time it is saved.
-        labels = set(data["labels"])
-        data["labels"] = labels - lr.async_get_missing_label_ids(hass, labels)
+        # Convert labels to a set
+        data["labels"] = set(data["labels"])

    try:
        entry = registry.async_update(**data)
@@ -9,7 +9,7 @@ from homeassistant.components import websocket_api
 from homeassistant.components.websocket_api import require_admin
 from homeassistant.core import HomeAssistant, callback
 from homeassistant.exceptions import HomeAssistantError
-from homeassistant.helpers import device_registry as dr, label_registry as lr
+from homeassistant.helpers import device_registry as dr
 from homeassistant.helpers.device_registry import DeviceEntry, DeviceEntryDisabler


@@ -84,11 +84,8 @@ def websocket_update_device(
        msg["disabled_by"] = DeviceEntryDisabler(msg["disabled_by"])

    if "labels" in msg:
-        # Strip labels which are not in the label registry. This also cleans up
-        # any stale labels already stored on the device (e.g. left behind by a
-        # deleted label) the next time it is saved.
-        labels = set(msg["labels"])
-        msg["labels"] = labels - lr.async_get_missing_label_ids(hass, labels)
+        # Convert labels to a set
+        msg["labels"] = set(msg["labels"])

    entry = cast(DeviceEntry, registry.async_update_device(**msg))

@@ -13,7 +13,6 @@ from homeassistant.helpers import (
    config_validation as cv,
    device_registry as dr,
    entity_registry as er,
-    label_registry as lr,
 )
 from homeassistant.helpers.json import json_dumps

@@ -235,11 +234,8 @@ def websocket_update_entity(
                aliases.append(alias)

    if "labels" in msg:
-        # Strip labels which are not in the label registry. This also cleans up
-        # any stale labels already stored on the entity (e.g. left behind by a
-        # deleted label) the next time it is saved.
-        labels = set(msg["labels"])
-        changes["labels"] = labels - lr.async_get_missing_label_ids(hass, labels)
+        # Convert labels to a set
+        changes["labels"] = set(msg["labels"])

    if "disabled_by" in msg and msg["disabled_by"] is None:
        # Don't allow enabling an entity of a disabled device
--- a/Show More
+++ b/Show More