Merge branch 'ci-cache-postgres-mariadb-deps' into ci-uv-managed-python

Use dpkg-architecture to derive multiarch lib path
So the ldconfig workaround also works on non-x86_64 runners.
2026-05-22 08:45:16 +02:00 · 2026-05-21 14:33:44 -05:00 · 2026-05-21 14:32:58 -05:00 · 2026-05-21 13:37:03 -05:00 · 2026-05-21 20:36:17 +02:00 · 2026-05-21 13:16:39 -05:00
1176 changed files with 34756 additions and 17617 deletions
@@ -18,6 +18,13 @@ description: Reviews GitHub pull requests and provides feedback comments. This i
 4. Ensure any existing review comments have been addressed.
 5. Generate constructive review comments in the CONSOLE. DO NOT POST TO GITHUB YOURSELF.

+## Verification:
+
+- After the review, run parallel subagents for each finding to double check it.
+- Spawn up to a maximum of 10 parallel subagents at a time.
+- Gather the results from the subagents and summarize them in the final review comments.
+
+
 ## IMPORTANT:
 - Just review. DO NOT make any changes
 - Be constructive and specific in your comments
@@ -14,13 +14,11 @@ Dockerfile.dev linguist-language=Dockerfile

 # Generated files
 CODEOWNERS linguist-generated=true
-Dockerfile linguist-generated=true
 homeassistant/generated/*.py linguist-generated=true
 machine/* linguist-generated=true
 mypy.ini linguist-generated=true
 requirements.txt linguist-generated=true
 requirements_all.txt linguist-generated=true
-requirements_test_all.txt linguist-generated=true
 requirements_test_pre_commit.txt linguist-generated=true
 script/hassfest/docker/Dockerfile linguist-generated=true
 .github/workflows/*.lock.yml linguist-generated=true
@@ -0,0 +1,52 @@
+name: Cache and install APT packages
+description: >-
+  Wraps awalsh128/cache-apt-pkgs-action with the workarounds Home Assistant CI
+  needs. Removes the conflicting Microsoft apt source before any apt run, and
+  points the dynamic linker at the host's multiarch lib subdirectories so
+  shared libraries that rely on update-alternatives or postinst-managed paths
+  (eg libblas, liblapack pulled in by ffmpeg) stay reachable since the upstream
+  action does not execute postinst scripts on cache restore.
+
+inputs:
+  packages:
+    description: Space-delimited list of apt packages to install.
+    required: true
+  version:
+    description: Cache version. Bump to invalidate the cache.
+    required: false
+    default: "1"
+  execute_install_scripts:
+    description: >-
+      Pass-through to awalsh128/cache-apt-pkgs-action. Postinst scripts are not
+      actually cached by the upstream action, so this is largely a no-op today.
+    required: false
+    default: "false"
+
+runs:
+  using: composite
+  steps:
+    - name: Remove conflicting Microsoft apt source
+      shell: bash
+      run: sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+    - name: Install apt packages via cache
+      uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # v1.5.3
+      with:
+        packages: ${{ inputs.packages }}
+        version: ${{ inputs.version }}
+        execute_install_scripts: ${{ inputs.execute_install_scripts }}
+    - name: Refresh dynamic linker cache
+      shell: bash
+      run: |
+        # awalsh128/cache-apt-pkgs-action does not run postinst scripts on
+        # cache restore, so update-alternatives symlinks (eg the one libblas
+        # creates at /usr/lib/<multiarch>/libblas.so.3) are never produced.
+        # Add every /usr/lib/<multiarch> subdirectory that holds shared
+        # libraries to the ldconfig search path so the dynamic linker still
+        # finds them.  Use dpkg-architecture to derive the host's multiarch
+        # tuple so this works on non-x86_64 runners too.
+        multiarch="$(dpkg-architecture -qDEB_HOST_MULTIARCH)"
+        find "/usr/lib/${multiarch}" -mindepth 2 -maxdepth 2 \
+          -name '*.so.*' -printf '%h\n' \
+          | sort -u \
+          | sudo tee /etc/ld.so.conf.d/zzz-cache-apt-extras.conf > /dev/null
+        sudo ldconfig
@@ -0,0 +1,42 @@
+name: Set up uv and managed Python
+description: >-
+  Pins uv (avoids the raw.githubusercontent.com manifest fetch on cache miss)
+  and proactively installs the requested Python so cached venvs created with
+  `uv venv` resolve their interpreter symlinks in jobs that only restore the
+  venv. setup-uv alone only sets UV_PYTHON, it does not actually fetch the
+  interpreter until uv first uses it, so jobs that just activate the venv
+  blow up with broken symlinks on cache hit.
+
+inputs:
+  python-version:
+    description: The Python version uv should install and use.
+    required: true
+  uv-version:
+    description: The uv version setup-uv should install.
+    required: true
+
+outputs:
+  python-version:
+    description: The Python version uv reports as installed.
+    value: ${{ steps.uv.outputs.python-version }}
+
+runs:
+  using: composite
+  steps:
+    - name: Set up uv
+      id: uv
+      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+      with:
+        version: ${{ inputs.uv-version }}
+        python-version: ${{ inputs.python-version }}
+        # Persist astral's managed Python across jobs so 'uv venv' below is
+        # fast on the second job onwards.
+        cache-python: true
+        # Lint-only and codegen jobs touch no Python deps, so the post-step
+        # cache save would otherwise abort the job.
+        ignore-nothing-to-cache: true
+    - name: Install Python interpreter
+      shell: bash
+      env:
+        PYTHON_VERSION: ${{ inputs.python-version }}
+      run: uv python install "${PYTHON_VERSION}"
@@ -6,6 +6,7 @@
    "pep621",
    "pip_requirements",
    "pre-commit",
+    "dockerfile",
    "custom.regex",
    "homeassistant-manifest"
  ],
@@ -21,6 +22,10 @@
    ]
  },

+  "dockerfile": {
+    "managerFilePatterns": ["/^Dockerfile$/"]
+  },
+
  "homeassistant-manifest": {
    "managerFilePatterns": [
      "/^homeassistant/components/[^/]+/manifest\\.json$/"
@@ -35,6 +40,14 @@
      "matchStrings": ["required-version = \">=(?<currentValue>[\\d.]+)\""],
      "depNameTemplate": "ruff",
      "datasourceTemplate": "pypi"
+    },
+    {
+      "customType": "regex",
+      "description": "Update go2rtc RECOMMENDED_VERSION in const.py alongside the Dockerfile pin",
+      "managerFilePatterns": ["/^homeassistant/components/go2rtc/const\\.py$/"],
+      "matchStrings": ["RECOMMENDED_VERSION = \"(?<currentValue>[\\d.]+)\""],
+      "depNameTemplate": "ghcr.io/alexxit/go2rtc",
+      "datasourceTemplate": "docker"
    }
  ],

@@ -115,6 +128,7 @@
        "standard-aifc",
        "standard-telnetlib",
        "ulid-transform",
+        "unidiff",
        "url-normalize",
        "xmltodict"
      ],
@@ -184,6 +198,13 @@
      "enabled": true,
      "labels": ["dependency"]
    },
+    {
+      "description": "Docker allowlist (ghcr.io exposes no release timestamps so the global cooldown needs to be bypassed)",
+      "matchPackageNames": ["ghcr.io/alexxit/go2rtc"],
+      "enabled": true,
+      "minimumReleaseAge": null,
+      "labels": ["dependency"]
+    },
    {
      "description": "Group ruff pre-commit hook with its PyPI twin into one PR",
      "matchPackageNames": ["astral-sh/ruff-pre-commit", "ruff"],
@@ -213,6 +234,12 @@
      "matchPackageNames": ["pylint", "astroid"],
      "groupName": "pylint",
      "groupSlug": "pylint"
+    },
+    {
+      "description": "Group go2rtc Dockerfile pin with const.py RECOMMENDED_VERSION into one PR",
+      "matchPackageNames": ["ghcr.io/alexxit/go2rtc"],
+      "groupName": "go2rtc",
+      "groupSlug": "go2rtc"
    }
  ]
 }
@@ -14,7 +14,7 @@ env:
  UV_HTTP_TIMEOUT: 60
  UV_SYSTEM_PYTHON: "true"
  # Base image version from https://github.com/home-assistant/docker
-  BASE_IMAGE_VERSION: "2026.04.0"
+  BASE_IMAGE_VERSION: "2026.05.0"
  ARCHITECTURES: '["amd64", "aarch64"]'

 permissions: {}
@@ -0,0 +1,74 @@
+name: Check requirements (deterministic)
+
+# Stage 1 of the Check requirements pipeline.
+#
+# Runs the deterministic Python checks and uploads the structured
+# results as an artifact. Stage 2 (the agentic workflow defined in
+# `check-requirements.md`) consumes the artifact on completion.
+
+# yamllint disable-line rule:truthy
+on:
+  # Auto-trigger on PRs that touch tracked requirement files is disabled
+  # for now while we iterate — testing the workflow_run handoff to the
+  # agentic stage is hard with an auto-trigger. Re-enable once the chain
+  # has been validated end-to-end.
+  # pull_request:
+  #   types: [opened, synchronize, reopened]
+  #   paths:
+  #     - "**/requirements*.txt"
+  #     - "homeassistant/package_constraints.txt"
+  workflow_dispatch:
+    inputs:
+      pull_request_number:
+        description: "Pull request number to (re-)check"
+        required: true
+        type: number
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ inputs.pull_request_number || github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  deterministic:
+    name: Run deterministic requirement checks
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: read # To fetch the PR diff via gh CLI
+    timeout-minutes: 10
+    steps:
+      - name: Check out code from GitHub
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version-file: ".python-version"
+          check-latest: true
+      - name: Install script dependencies
+        run: pip install -r script/check_requirements/requirements.txt
+      - name: Collect PR diff
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
+        run: |
+          mkdir -p deterministic
+          gh pr diff "${PR_NUMBER}" > deterministic/pr.diff
+      - name: Run deterministic checks
+        env:
+          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
+        run: |
+          python -m script.check_requirements \
+            --pr-number "${PR_NUMBER}" \
+            --diff deterministic/pr.diff \
+            --output deterministic/results.json
+      - name: Upload deterministic-results artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: check-requirements-deterministic
+          path: deterministic/results.json
+          if-no-files-found: error
+          retention-days: 7
@@ -1,4 +1,4 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"70aa938926d4aac250b6d7aca7251f663476fc2da39a29d1ffd569dc725c133a","compiler_version":"v0.74.4","strict":true,"agent_id":"copilot"}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"75b8b624ba0c144fb4b28cba143d16a47c30de8afae568fa3256c6febe01a68a","compiler_version":"v0.74.4","strict":true,"agent_id":"copilot"}
 # gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"d3abfe96a194bce3a523ed2093ddedd5704cdf62","version":"v0.74.4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.46"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.9","digest":"sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
 #    ___                   _   _      
 #   / _ \                 | | (_)     
@@ -22,7 +22,7 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Checks changed Python package requirements on PRs targeting the core repo (including PRs opened from forks) and verifies licenses match PyPI metadata, source repositories are publicly accessible, PyPI releases were uploaded via automated CI (Trusted Publisher attestation), the package's release pipeline uses OIDC or equivalent automated credentials (not static tokens), and the PR description contains the required links.
+# Resolves the deterministic-stage artifact's NEEDS_AGENT checks for changed Python package requirements on PRs targeting the core repo, then posts the final review comment. Triggered by completion of the deterministic workflow. Reads the uploaded artifact from disk, replaces placeholders for any check whose status is `needs_agent`, and posts the merged comment using the PR number recorded inside the artifact itself. Each check kind has a dedicated instruction section below; if the artifact contains a check kind that does not have a section here, the agent fails hard rather than guess.
 #
 # Secrets used:
 #   - COPILOT_GITHUB_TOKEN
@@ -34,7 +34,6 @@
 #   - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 #   - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 #   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-#   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9)
 #   - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 #   - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 #   - github/gh-aw-actions/setup@d3abfe96a194bce3a523ed2093ddedd5704cdf62 # v0.74.4
@@ -47,48 +46,37 @@
 #   - ghcr.io/github/github-mcp-server:v1.0.4
 #   - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f

-name: "Requirements License and Availability Check"
+name: "Check requirements (AW)"
 on:
-  pull_request:
-    # forks: # Fork filtering applied via job conditions
-    # - "*" # Fork filtering applied via job conditions
-    paths:
-    - requirements*.txt
-    - homeassistant/package_constraints.txt
-    - pyproject.toml
+  workflow_run:
+    # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation
    types:
-    - opened
-    - synchronize
-    - reopened
-  # roles: all # Roles processed as role check in pre-activation job
-  workflow_dispatch:
-    inputs:
-      aw_context:
-        default: ""
-        description: Agent caller context (used internally by Agentic Workflows).
-        required: false
-        type: string
-      pull_request_number:
-        description: Pull request number to (re-)check
-        required: true
-        type: number
+    - completed
+    workflows:
+    - Check requirements (deterministic)

 permissions: {}

 concurrency:
-  group: "gh-aw-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref || github.run_id }}"
  cancel-in-progress: true
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}

-run-name: "Requirements License and Availability Check"
+run-name: "Check requirements (AW)"

 jobs:
  activation:
+    needs:
+      - extract_pr_number
+      - pre_activation
+    # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation
+    if: >
+      (needs.pre_activation.outputs.activated == 'true') && (github.event_name != 'workflow_run' || github.event.workflow_run.repository.id == github.repository_id &&
+      (!(github.event.workflow_run.repository.fork)))
    runs-on: ubuntu-slim
    permissions:
      actions: read
      contents: read
    outputs:
-      body: ${{ steps.sanitized.outputs.body }}
      comment_id: ""
      comment_repo: ""
      engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
@@ -99,8 +87,6 @@ jobs:
      setup-span-id: ${{ steps.setup.outputs.span-id }}
      setup-trace-id: ${{ steps.setup.outputs.trace-id }}
      stale_lock_file_failed: ${{ steps.check-lock-file.outputs.stale_lock_file_failed == 'true' }}
-      text: ${{ steps.sanitized.outputs.text }}
-      title: ${{ steps.sanitized.outputs.title }}
    steps:
      - name: Setup Scripts
        id: setup
@@ -108,8 +94,10 @@ jobs:
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
+          trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }}
+          parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -122,7 +110,7 @@ jobs:
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_AGENT_VERSION: "1.0.48"
          GH_AW_INFO_CLI_VERSION: "v0.74.4"
-          GH_AW_INFO_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_INFO_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_INFO_EXPERIMENTAL: "false"
          GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
          GH_AW_INFO_STAGED: "false"
@@ -187,17 +175,6 @@ jobs:
            setupGlobals(core, github, context, exec, io, getOctokit);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_version_updates.cjs');
            await main();
-      - name: Compute current body text
-        id: sanitized
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com"
-        with:
-          script: |
-            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
-            setupGlobals(core, github, context, exec, io, getOctokit);
-            const { main } = require('${{ runner.temp }}/gh-aw/actions/compute_text.cjs');
-            await main();
      - name: Create prompt with built-in context
        env:
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
@@ -214,20 +191,20 @@ jobs:
        run: |
          bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
          {
-          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
          <system>
-          GH_AW_PROMPT_f9148b37e60758ba_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
          <safe-output-tools>
          Tools: add_comment, missing_tool, missing_data, noop
          </safe-output-tools>
-          GH_AW_PROMPT_f9148b37e60758ba_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
-          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
          <github-context>
          The following GitHub context information is available for this workflow:
          {{#if github.actor}}
@@ -256,12 +233,12 @@ jobs:
          {{/if}}
          </github-context>
          
-          GH_AW_PROMPT_f9148b37e60758ba_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_f9148b37e60758ba_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
          </system>
          {{#runtime-import .github/workflows/check-requirements.md}}
-          GH_AW_PROMPT_f9148b37e60758ba_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
          } > "$GH_AW_PROMPT"
      - name: Interpolate variables and render templates
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -287,6 +264,7 @@ jobs:
          GH_AW_GITHUB_RUN_ID: ${{ github.run_id }}
          GH_AW_GITHUB_WORKSPACE: ${{ github.workspace }}
          GH_AW_MCP_CLI_SERVERS_LIST: '- `safeoutputs` — run `safeoutputs --help` to see available tools'
+          GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: ${{ needs.pre_activation.outputs.activated }}
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
@@ -306,7 +284,8 @@ jobs:
                GH_AW_GITHUB_REPOSITORY: process.env.GH_AW_GITHUB_REPOSITORY,
                GH_AW_GITHUB_RUN_ID: process.env.GH_AW_GITHUB_RUN_ID,
                GH_AW_GITHUB_WORKSPACE: process.env.GH_AW_GITHUB_WORKSPACE,
-                GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST
+                GH_AW_MCP_CLI_SERVERS_LIST: process.env.GH_AW_MCP_CLI_SERVERS_LIST,
+                GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED: process.env.GH_AW_NEEDS_PRE_ACTIVATION_OUTPUTS_ACTIVATED
              }
            });
      - name: Validate prompt placeholders
@@ -337,12 +316,17 @@ jobs:
          retention-days: 1

  agent:
-    needs: activation
+    needs:
+      - activation
+      - extract_pr_number
    runs-on: ubuntu-latest
    permissions:
+      actions: read
      contents: read
      issues: read
      pull-requests: read
+    concurrency:
+      group: "gh-aw-copilot-${{ github.workflow }}"
    env:
      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
      GH_AW_ASSETS_ALLOWED_EXTS: ""
@@ -375,7 +359,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -397,6 +381,15 @@ jobs:
        run: bash "${RUNNER_TEMP}/gh-aw/actions/configure_gh_for_ghe.sh"
        env:
          GH_TOKEN: ${{ github.token }}
+      - if: github.event.workflow_run.conclusion == 'success'
+        name: Download deterministic-results artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          name: check-requirements-deterministic
+          path: /tmp/gh-aw/deterministic
+          run-id: ${{ github.event.workflow_run.id }}
+
      - name: Configure Git credentials
        env:
          REPO_NAME: ${{ github.repository }}
@@ -430,16 +423,13 @@ jobs:
          GH_HOST: github.com
      - name: Install AWF binary
        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
-      - name: Determine automatic lockdown mode for GitHub MCP Server
-        id: determine-automatic-lockdown
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9)
+      - name: Parse integrity filter lists
+        id: parse-guard-vars
        env:
-          GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
-          GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
-        with:
-          script: |
-            const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
-            await determineAutomaticLockdown(github, context, core);
+          GH_AW_BLOCKED_USERS_VAR: ${{ vars.GH_AW_GITHUB_BLOCKED_USERS || '' }}
+          GH_AW_TRUSTED_USERS_VAR: ${{ vars.GH_AW_GITHUB_TRUSTED_USERS || '' }}
+          GH_AW_APPROVAL_LABELS_VAR: ${{ vars.GH_AW_GITHUB_APPROVAL_LABELS || '' }}
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/parse_guard_list.sh"
      - name: Download activation artifact
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
@@ -463,15 +453,15 @@ jobs:
          mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
          mkdir -p /tmp/gh-aw/safeoutputs
          mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_e3fcd372e2542806_EOF'
-          {"add_comment":{"max":1},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_e3fcd372e2542806_EOF
+          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF'
+          {"add_comment":{"max":1,"target":"${{ needs.extract_pr_number.outputs.pr_number }}"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
+          GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF
      - name: Generate Safe Outputs Tools
        env:
          GH_AW_TOOLS_META_JSON: |
            {
              "description_suffixes": {
-                "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Supports reply_to_id for discussion threading."
+                "add_comment": " CONSTRAINTS: Maximum 1 comment(s) can be added. Target: ${{ needs.extract_pr_number.outputs.pr_number }}. Supports reply_to_id for discussion threading."
              },
              "repo_params": {},
              "dynamic_tools": []
@@ -627,8 +617,6 @@ jobs:
          GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
          GH_AW_SAFE_OUTPUTS_API_KEY: ${{ steps.safe-outputs-start.outputs.api_key }}
          GH_AW_SAFE_OUTPUTS_PORT: ${{ steps.safe-outputs-start.outputs.port }}
-          GITHUB_MCP_GUARD_MIN_INTEGRITY: ${{ steps.determine-automatic-lockdown.outputs.min_integrity }}
-          GITHUB_MCP_GUARD_REPOS: ${{ steps.determine-automatic-lockdown.outputs.repos }}
          GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
        run: |
          set -eo pipefail
@@ -659,7 +647,7 @@ jobs:
          
          mkdir -p /home/runner/.copilot
          GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
-          cat << GH_AW_MCP_CONFIG_710f47825b96ccb9_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+          cat << GH_AW_MCP_CONFIG_175174907e5a28b4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
          {
            "mcpServers": {
              "github": {
@@ -669,12 +657,15 @@ jobs:
                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
                  "GITHUB_READ_ONLY": "1",
-                  "GITHUB_TOOLSETS": "context,repos,issues,pull_requests"
+                  "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,actions"
                },
                "guard-policies": {
                  "allow-only": {
-                    "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
-                    "repos": "$GITHUB_MCP_GUARD_REPOS"
+                    "approval-labels": ${{ steps.parse-guard-vars.outputs.approval_labels }},
+                    "blocked-users": ${{ steps.parse-guard-vars.outputs.blocked_users }},
+                    "min-integrity": "unapproved",
+                    "repos": "all",
+                    "trusted-users": ${{ steps.parse-guard-vars.outputs.trusted_users }}
                  }
                }
              },
@@ -700,7 +691,7 @@ jobs:
              "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
            }
          }
-          GH_AW_MCP_CONFIG_710f47825b96ccb9_EOF
+          GH_AW_MCP_CONFIG_175174907e5a28b4_EOF
      - name: Mount MCP servers as CLIs
        id: mount-mcp-clis
        continue-on-error: true
@@ -899,6 +890,21 @@ jobs:
          if [ ! -f /tmp/gh-aw/agent_output.json ]; then
            echo '{"items":[]}' > /tmp/gh-aw/agent_output.json
          fi
+      - if: always() && github.event.workflow_run.conclusion == 'success'
+        name: Verify agent produced an add_comment safe-output
+        run: |-
+          OUTPUT=/tmp/gh-aw/agent_output.json
+          if [ ! -f "${OUTPUT}" ]; then
+            echo "::error::Agent output file ${OUTPUT} is missing; the agent did not run to completion."
+            exit 1
+          fi
+          if ! grep -q '"add_comment"' "${OUTPUT}"; then
+            echo "::error::Agent did not emit an add_comment safe-output; no review comment was posted to the PR."
+            echo "Agent output:"
+            cat "${OUTPUT}"
+            exit 1
+          fi
+
      - name: Upload agent artifacts
        if: always()
        continue-on-error: true
@@ -910,6 +916,8 @@ jobs:
            /tmp/gh-aw/sandbox/agent/logs/
            /tmp/gh-aw/redacted-urls.log
            /tmp/gh-aw/mcp-logs/
+            /tmp/gh-aw/proxy-logs/
+            !/tmp/gh-aw/proxy-logs/proxy-tls/
            /tmp/gh-aw/agent_usage.json
            /tmp/gh-aw/agent-stdio.log
            /tmp/gh-aw/pre-agent-audit.txt
@@ -930,6 +938,7 @@ jobs:
      - activation
      - agent
      - detection
+      - extract_pr_number
      - safe_outputs
    if: >
      always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
@@ -959,7 +968,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -983,7 +992,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_NOOP_MAX: "1"
-          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_NOOP_REPORT_AS_ISSUE: "true"
@@ -999,7 +1008,7 @@ jobs:
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
-          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
          GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
@@ -1016,7 +1025,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
-          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1030,7 +1039,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
-          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1044,7 +1053,7 @@ jobs:
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
-          GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_WORKFLOW_ID: "check-requirements"
@@ -1098,7 +1107,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -1166,8 +1175,8 @@ jobs:
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
-          WORKFLOW_NAME: "Requirements License and Availability Check"
-          WORKFLOW_DESCRIPTION: "Checks changed Python package requirements on PRs targeting the core repo (including PRs opened from forks) and verifies licenses match PyPI metadata, source repositories are publicly accessible, PyPI releases were uploaded via automated CI (Trusted Publisher attestation), the package's release pipeline uses OIDC or equivalent automated credentials (not static tokens), and the PR description contains the required links."
+          WORKFLOW_NAME: "Check requirements (AW)"
+          WORKFLOW_DESCRIPTION: "Resolves the deterministic-stage artifact's NEEDS_AGENT checks for changed Python package requirements on PRs targeting the core repo, then posts the final review comment. Triggered by completion of the deterministic workflow. Reads the uploaded artifact from disk, replaces placeholders for any check whose status is `needs_agent`, and posts the merged comment using the PR number recorded inside the artifact itself. Each check kind has a dedicated instruction section below; if the artifact contains a check kind that does not have a section here, the agent fails hard rather than guess."
          HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
        with:
          script: |
@@ -1274,11 +1283,76 @@ jobs:
              }
            }

+  extract_pr_number:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+
+    outputs:
+      pr_number: ${{ steps.extract.outputs.pr_number }}
+    steps:
+      - name: Configure GH_HOST for enterprise compatibility
+        id: ghes-host-config
+        shell: bash
+        run: |
+          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
+          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
+          GH_HOST="${GITHUB_SERVER_URL#https://}"
+          GH_HOST="${GH_HOST#http://}"
+          echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
+      - name: Download deterministic-results artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          name: check-requirements-deterministic
+          path: /tmp/deterministic
+          run-id: ${{ github.event.workflow_run.id }}
+      - name: Extract PR number from artifact
+        id: extract
+        run: |
+          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
+          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
+
+  pre_activation:
+    runs-on: ubuntu-slim
+    outputs:
+      activated: ${{ steps.check_membership.outputs.is_team_member == 'true' }}
+      matched_command: ''
+      setup-parent-span-id: ${{ steps.setup.outputs.parent-span-id || steps.setup.outputs.span-id }}
+      setup-span-id: ${{ steps.setup.outputs.span-id }}
+      setup-trace-id: ${{ steps.setup.outputs.trace-id }}
+    steps:
+      - name: Setup Scripts
+        id: setup
+        uses: github/gh-aw-actions/setup@d3abfe96a194bce3a523ed2093ddedd5704cdf62 # v0.74.4
+        with:
+          destination: ${{ runner.temp }}/gh-aw/actions
+          job-name: ${{ github.job }}
+        env:
+          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
+          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_ENGINE_ID: "copilot"
+      - name: Check team membership for workflow
+        id: check_membership
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          GH_AW_REQUIRED_ROLES: "admin,maintainer,write"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_membership.cjs');
+            await main();
+
  safe_outputs:
    needs:
      - activation
      - agent
      - detection
+      - extract_pr_number
    if: (!cancelled()) && needs.agent.result != 'skipped' && needs.detection.result == 'success'
    runs-on: ubuntu-slim
    permissions:
@@ -1296,7 +1370,7 @@ jobs:
      GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
      GH_AW_ENGINE_VERSION: "1.0.48"
      GH_AW_WORKFLOW_ID: "check-requirements"
-      GH_AW_WORKFLOW_NAME: "Requirements License and Availability Check"
+      GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
    outputs:
      code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
      code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
@@ -1316,7 +1390,7 @@ jobs:
          trace-id: ${{ needs.activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.activation.outputs.setup-parent-span-id || needs.activation.outputs.setup-span-id }}
        env:
-          GH_AW_SETUP_WORKFLOW_NAME: "Requirements License and Availability Check"
+          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
          GH_AW_INFO_VERSION: "1.0.48"
          GH_AW_INFO_ENGINE_ID: "copilot"
@@ -1351,7 +1425,7 @@ jobs:
          GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com"
          GITHUB_SERVER_URL: ${{ github.server_url }}
          GITHUB_API_URL: ${{ github.api_url }}
-          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}"
+          GH_AW_SAFE_OUTPUTS_HANDLER_CONFIG: "{\"add_comment\":{\"max\":1,\"target\":\"${{ needs.extract_pr_number.outputs.pr_number }}\"},\"create_report_incomplete_issue\":{},\"missing_data\":{},\"missing_tool\":{},\"noop\":{\"max\":1,\"report-as-issue\":\"true\"},\"report_incomplete\":{}}"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1,405 +1,378 @@
 ---
 on:
-  pull_request:
-    types: [opened, synchronize, reopened]
-    paths:
-      - "requirements*.txt"
-      - "homeassistant/package_constraints.txt"
-      - "pyproject.toml"
-    forks: ["*"]
-  workflow_dispatch:
-    inputs:
-      pull_request_number:
-        description: "Pull request number to (re-)check"
-        required: true
-        type: number
-  roles: all
+  workflow_run:
+    workflows: ["Check requirements (deterministic)"]
+    types: [completed]
 permissions:
  contents: read
-  pull-requests: read
+  actions: read
  issues: read
+  pull-requests: read
 network:
  allowed:
    - python
 tools:
  web-fetch: {}
  github:
-    toolsets: [default]
+    toolsets: [default, actions]
+    min-integrity: unapproved
 safe-outputs:
  add-comment:
    max: 1
+    target: "${{ needs.extract_pr_number.outputs.pr_number }}"
+  needs:
+    - extract_pr_number
+jobs:
+  extract_pr_number:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+    outputs:
+      pr_number: ${{ steps.extract.outputs.pr_number }}
+    steps:
+      - name: Download deterministic-results artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: check-requirements-deterministic
+          path: /tmp/deterministic
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Extract PR number from artifact
+        id: extract
+        run: |
+          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
+          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
+  cancel-in-progress: true
+steps:
+  - name: Download deterministic-results artifact
+    if: github.event.workflow_run.conclusion == 'success'
+    uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+    with:
+      name: check-requirements-deterministic
+      path: /tmp/gh-aw/deterministic
+      run-id: ${{ github.event.workflow_run.id }}
+      github-token: ${{ secrets.GITHUB_TOKEN }}
+post-steps:
+  - name: Verify agent produced an add_comment safe-output
+    if: always() && github.event.workflow_run.conclusion == 'success'
+    run: |
+      OUTPUT=/tmp/gh-aw/agent_output.json
+      if [ ! -f "${OUTPUT}" ]; then
+        echo "::error::Agent output file ${OUTPUT} is missing; the agent did not run to completion."
+        exit 1
+      fi
+      if ! grep -q '"add_comment"' "${OUTPUT}"; then
+        echo "::error::Agent did not emit an add_comment safe-output; no review comment was posted to the PR."
+        echo "Agent output:"
+        cat "${OUTPUT}"
+        exit 1
+      fi
 description: >
-  Checks changed Python package requirements on PRs targeting the core repo
-  (including PRs opened from forks) and verifies licenses match PyPI metadata, source
-  repositories are publicly accessible, PyPI releases were uploaded via
-  automated CI (Trusted Publisher attestation), the package's release pipeline
-  uses OIDC or equivalent automated credentials (not static tokens), and the PR
-  description contains the required links.
+  Resolves the deterministic-stage artifact's NEEDS_AGENT checks for changed
+  Python package requirements on PRs targeting the core repo, then posts the
+  final review comment. Triggered by completion of the deterministic workflow.
+  Reads the uploaded artifact from disk, replaces placeholders for any check
+  whose status is `needs_agent`, and posts the merged comment using the PR
+  number recorded inside the artifact itself. Each check kind has a dedicated
+  instruction section below; if the artifact contains a check kind that does
+  not have a section here, the agent fails hard rather than guess.
 ---

-# Requirements License and Availability Check
-
-You are a code review assistant for the Home Assistant project. Your job is to
-review changes to Python package requirements and verify they meet the project's
-standards.
-
-## Context
-
- Home Assistant uses `requirements_all.txt` (all integration packages),
-  `requirements.txt` (core packages), `requirements_test.txt` (test
-  dependencies), and `requirements_test_all.txt` (all test dependencies) to
-  declare Python dependencies.
- Each integration lists its packages in `homeassistant/components/<name>/manifest.json`
-  under the `requirements` field.
- Allowed licenses are maintained in `script/licenses.py` under
-  `OSI_APPROVED_LICENSES_SPDX` (SPDX identifiers) and `OSI_APPROVED_LICENSES`
-  (classifier strings).
-
-## Step 1 — Identify Changed Packages
-
-Use the GitHub tool to fetch the PR diff. Look for lines that were added (`+`)
-or removed (`-`) in **any** of these files:
- `requirements.txt`
- `requirements_all.txt`
- `requirements_test.txt`
- `requirements_test_all.txt`
- `homeassistant/package_constraints.txt`
- `pyproject.toml`
-
-For each changed line that contains a package pin (e.g. `SomePackage==1.2.3`),
-classify it as:
- **New package**: the package name appears only in `+` lines, with no
-  corresponding `-` line for the same package name.
- **Version bump**: the same package name appears in both `+` lines (new
-  version) and `-` lines (old version), with different version numbers.
-
-Record the **old version** and **new version** for every version bump — you
-will need these values in Step 4.
-
-
-## Step 2 — Check License via PyPI
-
-For each new or bumped package:
-
-1. Fetch `https://pypi.org/pypi/{package_name}/json` (use the exact
-   package name as it appears on the requirements file).
-2. From the JSON response, extract:
-   - `info.license` — free-text license field
-   - `info.license_expression` — SPDX expression (if present)
-   - `info.classifiers` — filter for entries starting with `"License ::"`,
-     then normalize each match the same way as `script/licenses.py` by
-     extracting the final ` :: ` segment (for example,
-     `"License :: OSI Approved :: MIT License"` → `"MIT License"`).
-3. Determine if the license is in the approved list from `script/licenses.py`:
-   - SPDX identifiers: compare against `OSI_APPROVED_LICENSES_SPDX`
-   - Normalized classifier strings: compare against `OSI_APPROVED_LICENSES`
-4. Flag a package as ❌ if the license is unknown, missing, or not in the
-   approved list. Flag as ⚠️ if the license information is ambiguous or cannot
-   be definitively determined.
-
-## Step 2b — Verify PyPI Release Was Uploaded by CI
-
-For each new or bumped package, verify that the release on PyPI was published
-automatically by a CI pipeline (via OIDC Trusted Publisher), not uploaded
-manually.
-
-1. Fetch the PyPI JSON for the specific version being introduced or bumped:
-   `https://pypi.org/pypi/{package_name}/{version}/json`
-2. Inspect the `urls` array in the response. For each distribution file (wheel
-   or sdist), note the filename.
-3. For each filename, attempt to fetch the PyPI provenance attestation:
-   `https://pypi.org/integrity/{package_name}/{version}/{filename}/provenance`
-   - If the response is HTTP 200 and contains a valid attestation object,
-     inspect `attestation_bundles[*].publisher`. A Trusted Publisher attestation
-     will have a `kind` identifying the CI system (e.g. `"GitHub Actions"`,
-     `"GitLab"`) and a `repository` or `project` field matching the source
-     repository.
-   - If at least one distribution file has a valid Trusted Publisher attestation,
-     mark ✅ CI-uploaded.
-   - If no attestation is found for any file (404 for all), mark ❌ — "Release
-     has no provenance attestation; it may have been uploaded manually".
-   - If an attestation exists but the `publisher` does not identify a recognized
-     CI system or Trusted Publisher, mark ⚠️ — "Attestation present but
-     publisher cannot be verified as automated CI".
-
-Note: if PyPI returns an error fetching the per-version JSON, fall back to the
-latest JSON (`https://pypi.org/pypi/{package_name}/json`) and look up the
-specific version in the `releases` dict.
-
-## Step 3 — Identify Repository URL
-
-For each new or bumped package:
-
-1. From the PyPI JSON at `info.project_urls`, find the source repository URL
-   (keys such as `"Source"`, `"Homepage"`, `"Repository"`, or `"Source Code"`).
-2. Record that repository URL for later checks.
-3. If no suitable repository URL is present, mark ❌ with a note that the
-   source repository URL is missing and cannot be verified.
-
-## Step 4 — Check PR Description
-
-Read the PR body from the GitHub API using the PR number from the workflow
-context (`pull-request-number`). If that value is absent, use the
-`workflow_dispatch` input `pull_request_number`.
-Extract all URLs present in the PR body.
-
-### 4a — New packages: repository link required
-
-For **new packages** (brand-new dependency not previously in any requirements
-file): the PR description must contain a link that points to the package's
-**source repository** as identified in Step 3 (the URL recorded from
-`info.project_urls`). A PyPI page link alone is **not** acceptable — the link
-must point directly to the source repository (e.g. a GitHub or GitLab URL).
-
- If a URL in the PR body matches (or is a sub-path of) the source repository
-  URL identified via PyPI, mark ✅.
- If the PR body contains a source repository URL that does **not** match the
-  repository URL found in the package's PyPI metadata (`info.project_urls`),
-  mark ❌ — "PR description links to `<pr_url>` but PyPI reports the source
-  repository as `<pypi_repo_url>`; please use the correct repository URL."
- If no source repository URL is present in the PR body at all, mark ❌ —
-  "PR description must link to the source repository at `<repo_url>` (found
-  via PyPI). A PyPI page link is not sufficient."
-
-### 4b — Version bumps: changelog or diff link required
-
-For **version bumps**: the PR description must contain a link to a changelog,
-release notes page, or a diff/comparison URL that references the **correct
-versions** being bumped (old → new).
-
-Checks to perform for each bumped package (old version = X, new version = Y):
-1. Extract all URLs from the PR body that contain the repository's domain or
-   path (as identified in Step 3).
-2. Verify that at least one such URL includes both the old version string and
-   new version string in some form — e.g. a GitHub compare URL like
-   `compare/vX...vY`, a releases URL mentioning version Y, or a
-   `CHANGELOG.md` anchor referencing Y.
-3. If no URL matches, check if the PR body contains any changelog/diff link at
-   all for this package.
-
-Outcome:
- ✅ — a URL pointing to the correct repo with version references covering the
-  exact bump (X → Y).
- ⚠️ — a changelog/diff link exists but does not clearly reference the correct
-  versions or the correct repository; explain what was found and what is
-  expected.
- ❌ — no changelog or diff link found at all in the PR description for this
-  package.
-
-### 4c — Diff consistency check
-
-For each **version bump**, verify that the version change recorded in the diff
-(Step 1) is internally consistent:
- The `-` line must contain the old version and the `+` line must contain the
-  new version for the same package name.
- Flag ❌ if the diff shows a downgrade (new version < old version) without an
-  explanation, or if the version strings cannot be parsed.
-
-## Step 5 — Verify Source Repository is Publicly Accessible
-
-Before inspecting the release pipeline, confirm that the source repository
-identified in Step 3 is publicly reachable.
-
-For each new or bumped package:
-
-1. Use the source repository URL recorded in Step 3.
-2. If no repository URL was found in `info.project_urls`, mark ❌ — "No source
-   repository URL found in PyPI metadata; a public source repository is
-   required."
-3. If a repository URL was found, perform a GET request to that URL (using
-   web-fetch). If the response is HTTP 200 and returns a publicly accessible
-   page (not a login redirect or error page), mark ✅.
-4. If the response is non-200, the URL redirects to a login/authentication page,
-   or the repository appears private or unavailable, mark ❌ — "Source
-   repository at `<repo_url>` is not publicly accessible. Home Assistant
-   requires all dependencies to have publicly available source code." **Do not
-   proceed with the release pipeline check (Step 6) for this package.**
-
-## Step 6 — Check Release Pipeline Sanity
-
-For each new or bumped package, determine the source repository host from the
-URL identified in Step 3, then inspect whether the project's release/publish CI
-workflow is sane. The checks differ by hosting provider.
-
-### GitHub repositories (`github.com`)
-
-1. Using the GitHub API, list the workflows in the source repository:
-   `GET /repos/{owner}/{repo}/actions/workflows`
-2. Identify any workflow whose name or filename suggests publishing to PyPI
-   (e.g., contains "release", "publish", "pypi", or "deploy").
-3. Fetch the workflow file content and check the following:
-   a. **Trigger sanity**: The publish job should be triggered by `push` to tags,
-      `release: published`, or `workflow_run` on a release job — **not** solely
-      by `workflow_dispatch` with no additional guards. A `workflow_dispatch`
-      trigger alongside other triggers is acceptable. Mark ❌ if the only trigger
-      is manual `workflow_dispatch` with no environment protection rules.
-   b. **OIDC / Trusted Publisher**: The workflow should use OIDC-based publishing.
-      Look for `id-token: write` permission and one of:
-      - `pypa/gh-action-pypi-publish` action
-      - `actions/attest-build-provenance` action
-      - Any step that sets `TWINE_PASSWORD` from `secrets.PYPI_TOKEN` directly
-        (flag ❌ if a long-lived API token is used instead of OIDC).
-      Mark ✅ if OIDC is used, ⚠️ if the publish method cannot be determined,
-      ❌ if a static secret token is the only credential.
-   c. **No manual upload bypass**: Verify there is no step that calls
-      `twine upload` or `pip upload` outside of a properly gated job (e.g., one
-      that requires an environment approval). Flag ⚠️ if such steps exist.
-4. If no publish workflow is found in the repository, mark ⚠️ — "No publish
-   workflow found; it is unclear how this package is released to PyPI."
-
-### GitLab repositories (`gitlab.com` or self-hosted GitLab)
-
-1. Use the GitLab REST API to list CI/CD pipeline configuration files. First
-   resolve the project ID via
-   `GET https://gitlab.com/api/v4/projects/{url-encoded-namespace-and-name}`
-   and note the `id` field.
-2. Fetch the repository's `.gitlab-ci.yml` (and any included files) using
-   `GET https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`
-   (use web-fetch for public repos).
-3. Identify any job whose name or `stage` suggests publishing to PyPI
-   (e.g., "publish", "deploy", "release", "pypi").
-4. For each such job, check:
-   a. **Trigger sanity**: The job should run only on tag pipelines (`only: tags`
-      or `rules: - if: $CI_COMMIT_TAG`) or on protected branches — **not**
-      solely on manual triggers (`when: manual`) with no additional protection.
-      Mark ❌ if the only trigger is manual with no environment or protected-branch
-      guard.
-   b. **Automated credentials**: The job should use GitLab's OIDC ID token
-      (`id_tokens:` block) and `pypa/gh-action-pypi-publish` equivalent, or
-      reference `secrets.PYPI_TOKEN` / `$PYPI_TOKEN` injected from GitLab CI/CD
-      protected variables (flag ❌ if the token is hard-coded or unprotected).
-      Mark ✅ if OIDC or protected CI variables are used, ⚠️ if the method
-      cannot be determined, ❌ if credentials appear to be insecure.
-   c. **No manual upload bypass**: Flag ⚠️ if any job calls `twine upload`
-      without being behind a protected-variable or environment guard.
-5. If no publish job is found, mark ⚠️ — "No publish job found in .gitlab-ci.yml;
-   it is unclear how this package is released to PyPI."
-
-### Other code hosting providers
-
-For repositories hosted on platforms other than GitHub or GitLab (e.g.,
-Bitbucket, Codeberg, Gitea, Sourcehut):
-1. Use web-fetch to retrieve the repository's root page and look for any
-   publicly visible CI configuration files (e.g., `.circleci/config.yml`,
-   `Jenkinsfile`, `azure-pipelines.yml`, `bitbucket-pipelines.yml`,
-   `.builds/*.yml` for Sourcehut).
-2. Apply the same conceptual checks as above:
-   - Does publishing run on automated triggers (tags/releases), not solely
-     manual ones?
-   - Are credentials injected by the CI system (not hard-coded)?
-   - Is there a `twine upload` or equivalent step that could be run manually?
-3. If no CI configuration can be retrieved, mark ⚠️ — "Release pipeline could
-   not be inspected; hosting provider is not GitHub or GitLab."
-
-## Step 7 — Post a Review Comment
-
-**Always** post a review comment using `add_comment`, regardless of whether
-packages pass or fail. Use the following structure:
-
-**Note on deduplication**: The workflow automatically updates any previous
-requirements-check comment on the PR in place (preserving its position in the
-thread). If no previous comment exists, the newly created comment is kept as-is.
-You do not need to search for or update previous comments yourself.
-
-### Comment structure
-
-Begin every comment with the HTML marker `<!-- requirements-check -->` on its
-own line (this is used by the workflow to find the previous comment and update
-it on the next run).
-
-### 7a — Overall summary line
-
-Begin the comment with a single summary line, before anything else:
-
- If everything passed: `All requirements checks passed. ✅`
- If there are failures or warnings: `⚠️ Some checks require attention — see the details below.`
-
-### 7b — Summary table
-
-Render a compact table where every check column contains **only the status
-icon** (✅, ⚠️, or ❌). No explanatory text belongs inside the table cells —
-all detail goes in the per-package sections below.
-
-Use `—` (em dash) when a check was skipped (e.g. Release Pipeline is skipped
-when the repository is not publicly accessible).
-
-```
-<!-- requirements-check -->
-## Requirements Check
-
-| Package | Type | Old→New | License | Repo Public | CI Upload | Release Pipeline | PR Link | Diff Consistent |
-|---------|------|---------|---------|-------------|-----------|------------------|---------|-----------------|
-| PackageA | bump | 1.2.3→1.3.0 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
-| PackageB | new  | —→4.5.6 | ❌ | ✅ | ❌ | ⚠️ | ❌ | ✅ |
-| PackageC | bump | 2.0.0→2.1.0 | ✅ | ❌ | — | — | ⚠️ | ✅ |
-```
-
-### 7c — Per-package detail sections
-
-After the table, add one collapsible `<details>` block per package.
-
- If **all checks passed** for that package, render the block **collapsed**
-  (no `open` attribute) so the comment stays concise.
- If **any check failed or produced a warning**, render the block **open**
-  (`<details open>`) so the contributor sees the issues immediately.
-
-Each block must include the full detail for every check: the license found, the
-repository URL, whether a provenance attestation was found, the release
-pipeline findings, the PR link found (or missing), and whether the diff is
-consistent. For failed or warned checks, explain exactly what the contributor
-must fix, including the expected source repository URL, expected version range,
-etc.
-
-Template (repeat for each package):
-
-```
-<details open>
-<summary><strong>PackageB 📦 new —→4.5.6</strong></summary>
-
- **License**: ❌ License is `UNKNOWN` — not in the approved list. Check PyPI metadata and `script/licenses.py`.
- **Repository Public**: ✅ https://github.com/example/packageb is publicly accessible.
- **CI Upload**: ❌ No provenance attestation found for any distribution file. The release may have been uploaded manually.
- **Release Pipeline**: ⚠️ No publish workflow found in the repository; it is unclear how this package is released to PyPI.
- **PR Link**: ❌ PR description must link to the source repository at https://github.com/example/packageb (a PyPI page link is not sufficient).
- **Diff Consistent**: ✅
-
-</details>
-```
-
-Collapsed example (all checks passed):
-
-```
-<details>
-<summary><strong>PackageA 📦 bump 1.2.3→1.3.0</strong></summary>
-
- **License**: ✅ MIT
- **Repository Public**: ✅ https://github.com/example/packagea
- **CI Upload**: ✅ Trusted Publisher attestation found (GitHub Actions).
- **Release Pipeline**: ✅ OIDC via `pypa/gh-action-pypi-publish`; triggered on `release: published`; `environment: release` gate.
- **PR Link**: ✅ https://github.com/example/packagea/compare/v1.2.3...v1.3.0
- **Diff Consistent**: ✅
-
-</details>
-```
+# Check requirements (AW)
+
+You are a code review assistant for the Home Assistant project. The
+deterministic stage has already evaluated every check it can on its own
+and produced an artifact containing the PR number, per-package check
+results, and a pre-rendered comment with placeholders. **Your only job is
+to read that artifact, resolve any `needs_agent` checks, and post the
+final comment.**
+
+## Step 1 — Read the deterministic-stage artifact
+
+The deterministic stage uploaded its results to the runner at
+`/tmp/gh-aw/deterministic/results.json`.
+
+The JSON has this shape:
+
+- `pr_number` — the PR being checked. The `add_comment` safe-output is
+  already targeted at this PR (a pre-job extracts `pr_number` from the
+  artifact and the workflow wires it into the safe-output config via
+  `needs.extract_pr_number.outputs.pr_number`), so **you do not need to
+  set `item_number` yourself** — just emit `add_comment` with the
+  rendered body.
+- `needs_agent` — `true` iff any package's check needs resolution.
+- `packages[]` — one entry per changed package. Each entry has:
+  - `name`, `old_version` (`null` for a newly added package; otherwise the
+    previous pin), `new_version`, `repo_url`, `publisher_kind`.
+  - `checks` — a dict keyed by **check kind** (string). Each value has a
+    `status` (`pass`, `warn`, `fail`, or `needs_agent`) and `details`.
+- `rendered_comment` — the final PR comment body, already rendered. For
+  every check whose status is `needs_agent` it contains two placeholders
+  you must replace:
+  - `{{CHECK_CELL:<pkg-name>:<check-kind>}}` — one cell of the summary
+    table. Replace with exactly one of `✅`, `⚠️`, `❌`.
+  - `{{CHECK_DETAIL:<pkg-name>:<check-kind>}}` — the body of one bullet
+    in the package's `<details>` block. Replace with
+    `<icon> <one-line explanation>` (the bullet's leading
+    `- **<label>**:` is already rendered — replace only the placeholder).
+
+You **must not** modify any other content in `rendered_comment`. Do not
+re-evaluate checks that already have a deterministic status. Do not add
+or remove packages.
+
+## Step 2 — Resolve each `needs_agent` check
+
+For each `package` in `packages`:
+
+For each `(check_kind, result)` in `package.checks` where
+`result.status == "needs_agent"`:
+
+1. Look up `## Check kind: <check_kind>` in the **Check instructions**
+   section below.
+2. **If no matching section exists**: emit a single `add_comment` whose
+   body is:
+
+   ```
+   <!-- requirements-check -->
+   ## Check requirements
+
+   ❌ Internal error: the deterministic artifact contains a check kind
+   (`<check_kind>` on package `<pkg-name>`) that this workflow has no
+   instructions for. Update `.github/workflows/check-requirements.md`
+   to add a matching `## Check kind: <check_kind>` section, or remove
+   the kind from the deterministic stage.
+   ```
+
+   Then stop. **Do not improvise** a verdict for an unknown check kind.
+3. Otherwise, follow the instructions in that section. They tell you
+   which icon (✅/⚠️/❌) and one-line explanation to produce.
+
+## Step 3 — Post the comment
+
+1. Replace every `{{CHECK_CELL:…}}` and `{{CHECK_DETAIL:…}}` placeholder
+   in `rendered_comment` with the resolved value.
+2. Emit the resulting markdown using `add_comment` — set `body` to the
+   merged `rendered_comment` verbatim (the leading
+   `<!-- requirements-check -->` marker must be preserved). The PR
+   target is already set by the workflow; do not pass `item_number`.
+
+If the artifact's top-level `needs_agent` is `false` (no checks need
+you), emit `rendered_comment` unchanged.
+
+## Check instructions
+
+### Check kind: `repo_public`
+
+Verify that the package's source repository is publicly reachable.
+
+1. Read `package.repo_url`.
+2. Use the `web-fetch` tool to GET that URL.
+3. Decide the verdict:
+   - HTTP 200, returns a public repository page → ✅
+     `<repo_url> is publicly accessible.`
+   - HTTP 4xx/5xx, or the response redirects to a login / sign-in page →
+     ❌ `Source repository at <repo_url> is not publicly accessible.
+     Home Assistant requires all dependencies to have publicly available
+     source code.`
+   - Any other inconclusive result → ⚠️ with a one-line description.
+
+If `repo_public` resolves to ❌ for a package, **also** mark that
+package's `release_pipeline` and `async_blocking` cells/details as `—`
+(em dash) and explain `Skipped because the source repository is not
+publicly accessible.` — neither check can be performed without a public
+repo.
+
+### Check kind: `pr_link`
+
+Verify the PR description contains the right link for the change.
+
+1. Fetch the PR body via the GitHub MCP tool, using the `pr_number`
+   field from the artifact.
+2. Extract all URLs from the body.
+3. For a **new package** (`package.old_version` is `null`):
+   - The PR body must contain a URL that points at `package.repo_url`
+     (any sub-path of the same `owner/repo` on the same host is
+     acceptable). A PyPI link is **not** sufficient.
+   - ✅ if such a URL is present.
+   - ❌ otherwise:
+     `PR description must link to the source repository at <repo_url>.
+     A PyPI page link is not sufficient.`
+4. For a **version bump** (`package.old_version` is not `null`):
+   - The PR body must contain a URL on the same host as
+     `package.repo_url` that references **both** `package.old_version`
+     and `package.new_version` (e.g. a GitHub compare URL
+     `compare/vX...vY`, a release / changelog URL containing both
+     versions, etc.).
+   - ✅ if such a URL is present and the versions match the actual bump.
+   - ❌ otherwise:
+     `PR description should link to a changelog or compare URL on
+     <repo_url> that mentions both <old_version> and <new_version>.`
+
+### Check kind: `release_pipeline`
+
+Inspect the upstream project's release / publish CI pipeline.
+
+For each package needing inspection, determine the source repository
+host from `package.repo_url`, then apply the corresponding checklist.
+
+#### GitHub repositories (`github.com`)
+
+1. List workflows: `GET /repos/{owner}/{repo}/actions/workflows`.
+2. Identify any workflow whose name or filename suggests publishing to
+   PyPI (`release`, `publish`, `pypi`, or `deploy`).
+3. Fetch the workflow file and check:
+   - **Trigger sanity**: triggered by `push` to tags,
+     `release: published`, or `workflow_run` on a release job —
+     **not** solely `workflow_dispatch` with no environment-protection
+     guard.
+   - **OIDC / Trusted Publisher**: look for `id-token: write` and one of
+     `pypa/gh-action-pypi-publish`, `actions/attest-build-provenance`,
+     or `TWINE_PASSWORD` from a static `secrets.PYPI_TOKEN`.
+   - **No manual upload bypass**: no ungated `twine upload` or
+     `pip upload`.
+4. Verdict:
+   - ✅ if OIDC + sane triggers + no bypass.
+   - ⚠️ if static token but version bump, or details unclear.
+   - ❌ if static token on a new package, or only-manual triggers with
+     no environment protection.
+
+#### GitLab repositories (`gitlab.com` or self-hosted GitLab)
+
+1. Resolve the project ID via
+   `GET https://gitlab.com/api/v4/projects/{url-encoded-namespace-and-name}`.
+2. Fetch `.gitlab-ci.yml` via
+   `GET https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
+3. Apply the same conceptual checks: tag-only / protected-branch
+   triggers, GitLab OIDC `id_tokens` or CI/CD protected `PYPI_TOKEN`, no
+   ungated `twine upload`. Same verdict rules as GitHub.
+
+#### Other code hosting providers (Bitbucket, Codeberg, Gitea, Sourcehut, …)
+
+1. Use `web-fetch` to retrieve any visible CI configuration
+   (`.circleci/config.yml`, `Jenkinsfile`, `azure-pipelines.yml`,
+   `bitbucket-pipelines.yml`, `.builds/*.yml`).
+2. Apply the conceptual checks: automated triggers, CI-injected
+   credentials, no manual `twine upload`.
+3. If no CI config can be retrieved: ⚠️ `Release pipeline could not be
+   inspected; hosting provider is not GitHub or GitLab.`
+
+### Check kind: `async_blocking`
+
+Verify whether the dependency performs blocking I/O inside async code
+paths. Home Assistant runs on a single asyncio event loop, so a library
+that exposes an `async` surface must not call blocking APIs from inside
+its `async def` functions — that stalls the whole loop. A purely sync
+library is fine: Home Assistant integrations are expected to wrap such
+calls in an executor.
+
+**Two modes — pick by inspecting `package.old_version`:**
+
+- `old_version` is `null` → **new package**: review the *entire current
+  source tree*. Nothing about this dependency has been vetted before.
+- `old_version` is a string → **version bump**: review only the *diff
+  between `old_version` and `new_version`*. The previous version was
+  already accepted, so blocking calls that were present in
+  `old_version` are not regressions; report only what `new_version`
+  introduces.
+
+#### Step 1 — Decide whether the library exposes an async surface
+
+Use the `github` MCP tool (for `github.com` repos) or `web-fetch`
+(other hosts) on `package.repo_url`. Always inspect the tag /
+ref matching `new_version` (e.g. `v{new_version}` or `{new_version}`).
+
+- Locate the top-level package directory (usually named after the
+  import name, often equal or close to `package.name`).
+- Check `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` for
+  async indicators (`Framework :: AsyncIO` trove classifier, `asyncio`
+  / `aiohttp` / `httpx` / `anyio` in dependencies, an async usage
+  example in the README).
+- Grep the package source for `async def`. A handful of `async def`
+  entries in the public modules is enough to treat the library as
+  having an async surface.
+
+If the library is **sync-only** (no `async def` in its public modules
+and no async framework dependency) → ✅
+`Sync-only library; Home Assistant integrations must wrap calls in an
+executor.` *This verdict is the same in both modes.*
+
+#### Step 2a — Mode: new package (`old_version` is `null`)
+
+Inspect **every `async def` in the public modules** for blocking
+patterns. Walk transitively into helpers the async functions call.
+
+#### Step 2b — Mode: version bump (`old_version` is a string)
+
+Fetch the diff between the two tags and review **only changed lines**:
+
+- GitHub: `GET /repos/{owner}/{repo}/compare/{old_tag}...{new_tag}` via
+  the `github` MCP tool, or
+  `https://github.com/{owner}/{repo}/compare/{old_tag}...{new_tag}.diff`
+  via `web-fetch`. Try the common tag formats in order until one
+  resolves: `v{version}`, `{version}`, `release-{version}`.
+- GitLab: `https://gitlab.com/{namespace}/{project}/-/compare/{old_tag}...{new_tag}.diff`.
+- Other hosts: use the project's equivalent compare URL via
+  `web-fetch`.
+
+If neither tag format resolves on the host, fall back to a full review
+(Step 2a) and mention in the detail that the diff was unavailable.
+
+When reviewing the diff, only flag blocking patterns that appear in
+**added lines** *inside or reachable from* an `async def`. A blocking
+call that existed in `old_version` and is unchanged is not a regression
+for this bump.
+
+#### Step 3 — Blocking patterns to look for
+
+In both modes, the patterns to flag inside `async def` bodies are:
+
+- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct use,
+  `http.client.`, sync `httpx.Client(` / `httpx.get(` (NOT the
+  `AsyncClient`), `pycurl`.
+- `time.sleep(` (must be `await asyncio.sleep(`).
+- Sync sockets: bare `socket.socket` reads/writes, `ssl.wrap_socket`,
+  blocking `select.select`.
+- File I/O: `open(` / `pathlib.Path.read_*` / `.write_*` for
+  non-trivial sizes (small one-shot reads during import are
+  acceptable; reads/writes on the request path are not — prefer
+  `aiofiles` / executor).
+- Sync DB drivers used directly: `sqlite3`, `psycopg2`, `pymysql`,
+  `pymongo` (sync client), `redis.Redis` (sync client).
+- `subprocess.run` / `subprocess.call` / `os.system` (must be
+  `asyncio.create_subprocess_*`).
+
+A call that is clearly dispatched to an executor
+(`run_in_executor`, `asyncio.to_thread`, `anyio.to_thread.run_sync`)
+does NOT count as blocking.
+
+#### Step 4 — Verdict
+
+- ✅ — no offending blocking pattern in the surface being reviewed
+  (whole tree for a new package, added lines for a bump). For a bump,
+  phrase the detail as `No new blocking calls introduced in
+  {old_version} → {new_version}.`.
+- ⚠️ — blocking calls exist only in sync helpers that the async API
+  does not call, or only on a clearly non-hot path (e.g. one-shot
+  setup before the event loop is running). Cite at least one
+  `<file>:<line>` and explain why it is not on the hot path.
+- ❌ — a blocking call is reachable from an `async def` that is part
+  of the public API on the request / polling path (for a bump: the
+  call was introduced or moved onto the hot path by this version).
+  Cite the offending `<file>:<line>` as a clickable link on the repo
+  host so the contributor can jump to it.

 ## Notes

- Be constructive and helpful. Provide direct links where possible so the
-  contributor can quickly fix the issue.
- If PyPI returns an error for a package, mention that it could not be found and
-  suggest the contributor verify the package name.
- For packages that only appear in `homeassistant/package_constraints.txt` or
-  `pyproject.toml` without being tied to a specific integration, the PR
-  description link requirement still applies.
- When checking test-only packages (from `requirements_test.txt` or
-  `requirements_test_all.txt`), apply the same license, repository, and PR
-  description checks as for production dependencies.
- A package that appears in both a production file and a test file should only
-  be reported once; use the production file entry as the canonical one.
- This workflow is only triggered when a commit actually changes one of the
-  tracked requirements files (for `synchronize` events GitHub compares the
-  before/after SHAs of the push, not the entire PR diff). Members can manually
-  retrigger the workflow via `workflow_dispatch` with the PR number to re-run
-  the check after updating the PR description or fixing issues without changing
-  any requirements files. On a retrigger the existing comment is updated in
-  place so there is always exactly one requirements-check comment in the PR.
+- Be constructive and helpful. Reference the inspected workflow / CI
+  file by URL where useful so the contributor can fix the issue.
+- The dedup of the requirements-check comment is handled by gh-aw's
+  `add_comment` safe-output via the `<!-- requirements-check -->`
+  marker on the first line of `rendered_comment`.
+- If the deterministic workflow concluded with a non-success status,
+  this workflow's `if:` guard on `Download deterministic-results
+  artifact` skipped the download. If you find no file at
+  `/tmp/gh-aw/deterministic/results.json`, emit nothing — the post-step
+  verification is also gated and will not complain.
@@ -37,7 +37,7 @@ on:
        type: boolean

 env:
-  CACHE_VERSION: 3
+  CACHE_VERSION: 4
  MYPY_CACHE_VERSION: 1
  HA_SHORT_VERSION: "2026.6"
  ADDITIONAL_PYTHON_VERSIONS: "[]"
@@ -60,9 +60,7 @@ env:
  # - 15.2 is the latest (as of 9 Feb 2023)
  POSTGRESQL_VERSIONS: "['postgres:12.14','postgres:15.2']"
  UV_CACHE_DIR: /tmp/uv-cache
-  APT_CACHE_BASE: /home/runner/work/apt
-  APT_CACHE_DIR: /home/runner/work/apt/cache
-  APT_LIST_CACHE_DIR: /home/runner/work/apt/lists
+  APT_CACHE_VERSION: 1
  SQLALCHEMY_WARN_20: 1
  PYTHONASYNCIODEBUG: 1
  HASS_CI: 1
@@ -86,12 +84,13 @@ jobs:
      core: ${{ steps.core.outputs.changes }}
      integrations_glob: ${{ steps.info.outputs.integrations_glob }}
      integrations: ${{ steps.integrations.outputs.changes }}
-      apt_cache_key: ${{ steps.generate_apt_cache_key.outputs.key }}
      python_cache_key: ${{ steps.generate_python_cache_key.outputs.key }}
      requirements: ${{ steps.core.outputs.requirements }}
      mariadb_groups: ${{ steps.info.outputs.mariadb_groups }}
      postgresql_groups: ${{ steps.info.outputs.postgresql_groups }}
      python_versions: ${{ steps.info.outputs.python_versions }}
+      default_python: ${{ steps.info.outputs.default_python }}
+      uv_version: ${{ steps.info.outputs.uv_version }}
      test_full_suite: ${{ steps.info.outputs.test_full_suite }}
      test_group_count: ${{ steps.info.outputs.test_group_count }}
      test_groups: ${{ steps.info.outputs.test_groups }}
@@ -116,10 +115,6 @@ jobs:
          # Include HA_SHORT_VERSION to force the immediate creation
          # of a new uv cache entry after a version bump.
          echo "key=venv-${CACHE_VERSION}-${HA_SHORT_VERSION}-${HASH_REQUIREMENTS_TEST}-${HASH_REQUIREMENTS}-${HASH_REQUIREMENTS_ALL}-${HASH_PACKAGE_CONSTRAINTS}-${HASH_GEN_REQUIREMENTS}" >> $GITHUB_OUTPUT
-      - name: Generate partial apt restore key
-        id: generate_apt_cache_key
-        run: |
-          echo "key=$(lsb_release -rs)-apt-${CACHE_VERSION}-${HA_SHORT_VERSION}" >> $GITHUB_OUTPUT
      - name: Filter for core changes
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        id: core
@@ -242,6 +237,11 @@ jobs:
          echo "postgresql_groups=${postgresql_groups}" >> $GITHUB_OUTPUT
          echo "python_versions: ${all_python_versions}"
          echo "python_versions=${all_python_versions}" >> $GITHUB_OUTPUT
+          echo "default_python: ${default_python}"
+          echo "default_python=${default_python}" >> $GITHUB_OUTPUT
+          uv_version=$(grep '^uv==' requirements.txt | cut -d'=' -f3)
+          echo "uv_version: ${uv_version}"
+          echo "uv_version=${uv_version}" >> $GITHUB_OUTPUT
          echo "test_full_suite: ${test_full_suite}"
          echo "test_full_suite=${test_full_suite}" >> $GITHUB_OUTPUT
          echo "integrations_glob: ${integrations_glob}"
@@ -351,12 +351,12 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
-      - name: Set up Python ${{ matrix.python-version }}
+      - name: Set up uv and Python ${{ matrix.python-version }}
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
+          uv-version: ${{ needs.info.outputs.uv_version }}
          python-version: ${{ matrix.python-version }}
-          check-latest: true
      - name: Restore base Python virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -384,80 +384,41 @@ jobs:
          path: ${{ env.UV_CACHE_DIR }}
          key: ${{ steps.generate-uv-key.outputs.full_key }}
          restore-keys: ${{ steps.generate-uv-key.outputs.partial_key }}
-      - name: Check if apt cache exists
-        id: cache-apt-check
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          lookup-only: ${{ steps.cache-venv.outputs.cache-hit == 'true' }}
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
      - name: Install additional OS dependencies
-        if: |
-          steps.cache-venv.outputs.cache-hit != 'true'
-          || steps.cache-apt-check.outputs.cache-hit != 'true'
-        id: install-os-deps
+        if: steps.cache-venv.outputs.cache-hit != 'true'
        timeout-minutes: 10
-        env:
-          APT_CACHE_HIT: ${{ steps.cache-apt-check.outputs.cache-hit }}
-        run: |
-          sudo rm /etc/apt/sources.list.d/microsoft-prod.list
-          if [[ "${APT_CACHE_HIT}" != 'true' ]]; then
-            mkdir -p ${APT_CACHE_DIR}
-            mkdir -p ${APT_LIST_CACHE_DIR}
-          fi
-
-          sudo apt-get update \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR}
-          sudo apt-get -y install \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR} \
-            bluez \
-            ffmpeg \
-            libturbojpeg \
-            libxml2-utils \
-            libavcodec-dev \
-            libavdevice-dev \
-            libavfilter-dev \
-            libavformat-dev \
-            libavutil-dev \
-            libswresample-dev \
-            libswscale-dev \
-            libudev-dev
-
-          if [[ "${APT_CACHE_HIT}" != 'true' ]]; then
-            sudo chmod -R 755 ${APT_CACHE_BASE}
-          fi
-      - name: Save apt cache
-        if: |
-          always()
-          && steps.cache-apt-check.outputs.cache-hit != 'true'
-          && steps.install-os-deps.outcome == 'success'
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: ./.github/actions/cache-apt-packages
        with:
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
+          packages: >-
+            bluez
+            ffmpeg
+            libturbojpeg
+            libxml2-utils
+            libavcodec-dev
+            libavdevice-dev
+            libavfilter-dev
+            libavformat-dev
+            libavutil-dev
+            libswresample-dev
+            libswscale-dev
+            libudev-dev
+          version: ${{ env.APT_CACHE_VERSION }}
+          execute_install_scripts: true
      - name: Create Python virtual environment
        if: steps.cache-venv.outputs.cache-hit != 'true'
        id: create-venv
+        env:
+          PYTHON_VERSION: ${{ steps.python.outputs.python-version }}
        run: |
-          python -m venv venv
+          uv venv venv --python "${PYTHON_VERSION}"
          . venv/bin/activate
          python --version
-          pip install "$(grep '^uv' < requirements.txt)"
          uv pip install -U "pip>=25.2"
          uv pip install -r requirements.txt
          uv pip install -r requirements_all.txt -r requirements_test.txt
          uv pip install -e . --config-settings editable_mode=compat
      - name: Dump pip freeze
        run: |
-          python -m venv venv
          . venv/bin/activate
          python --version
          uv pip freeze >> pip_freeze.txt
@@ -506,36 +467,22 @@ jobs:
      && github.event.inputs.mypy-only != 'true'
      && github.event.inputs.audit-licenses-only != 'true'
    steps:
-      - name: Restore apt cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          fail-on-cache-miss: true
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
-      - name: Install additional OS dependencies
-        timeout-minutes: 10
-        run: |
-          sudo rm /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR}
-          sudo apt-get -y install \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR} \
-            libturbojpeg
      - name: Check out code from GitHub
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
+      - name: Install additional OS dependencies
+        timeout-minutes: 10
+        uses: ./.github/actions/cache-apt-packages
+        with:
+          packages: libturbojpeg
+          version: ${{ env.APT_CACHE_VERSION }}
      - name: Set up Python
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
-          python-version-file: ".python-version"
-          check-latest: true
+          uv-version: ${{ needs.info.outputs.uv_version }}
+          python-version: ${{ needs.info.outputs.default_python }}
      - name: Restore full Python virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -569,10 +516,10 @@ jobs:
          persist-credentials: false
      - name: Set up Python
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
-          python-version-file: ".python-version"
-          check-latest: true
+          uv-version: ${{ needs.info.outputs.uv_version }}
+          python-version: ${{ needs.info.outputs.default_python }}
      - name: Restore full Python virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -605,10 +552,10 @@ jobs:
          persist-credentials: false
      - name: Set up Python
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
-          python-version-file: ".python-version"
-          check-latest: true
+          uv-version: ${{ needs.info.outputs.uv_version }}
+          python-version: ${{ needs.info.outputs.default_python }}
      - name: Run gen_copilot_instructions.py
        run: |
          python -m script.gen_copilot_instructions validate
@@ -660,10 +607,10 @@ jobs:
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
+          uv-version: ${{ needs.info.outputs.uv_version }}
          python-version: ${{ matrix.python-version }}
-          check-latest: true
      - name: Restore full Python ${{ matrix.python-version }} virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -711,10 +658,10 @@ jobs:
          persist-credentials: false
      - name: Set up Python
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
-          python-version-file: ".python-version"
-          check-latest: true
+          uv-version: ${{ needs.info.outputs.uv_version }}
+          python-version: ${{ needs.info.outputs.default_python }}
      - name: Restore full Python virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -764,10 +711,10 @@ jobs:
          persist-credentials: false
      - name: Set up Python
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
-          python-version-file: ".python-version"
-          check-latest: true
+          uv-version: ${{ needs.info.outputs.uv_version }}
+          python-version: ${{ needs.info.outputs.default_python }}
      - name: Restore full Python virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -815,10 +762,10 @@ jobs:
          persist-credentials: false
      - name: Set up Python
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
-          python-version-file: ".python-version"
-          check-latest: true
+          uv-version: ${{ needs.info.outputs.uv_version }}
+          python-version: ${{ needs.info.outputs.default_python }}
      - name: Generate partial mypy restore key
        id: generate-mypy-key
        run: |
@@ -876,38 +823,26 @@ jobs:
      - info
      - base
    steps:
-      - name: Restore apt cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          fail-on-cache-miss: true
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
-      - name: Install additional OS dependencies
-        timeout-minutes: 10
-        run: |
-          sudo rm /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR}
-          sudo apt-get -y install \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR} \
-            bluez \
-            ffmpeg \
-            libturbojpeg
      - name: Check out code from GitHub
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
+      - name: Install additional OS dependencies
+        timeout-minutes: 10
+        uses: ./.github/actions/cache-apt-packages
+        with:
+          packages: >-
+            bluez
+            ffmpeg
+            libturbojpeg
+          version: ${{ env.APT_CACHE_VERSION }}
+          execute_install_scripts: true
      - name: Set up Python
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
-          python-version-file: ".python-version"
-          check-latest: true
+          uv-version: ${{ needs.info.outputs.uv_version }}
+          python-version: ${{ needs.info.outputs.default_python }}
      - name: Restore full Python virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -952,39 +887,27 @@ jobs:
        python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
        group: ${{ fromJson(needs.info.outputs.test_groups) }}
    steps:
-      - name: Restore apt cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          fail-on-cache-miss: true
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
-      - name: Install additional OS dependencies
-        timeout-minutes: 10
-        run: |
-          sudo rm /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR}
-          sudo apt-get -y install \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR} \
-            bluez \
-            ffmpeg \
-            libturbojpeg \
-            libxml2-utils
      - name: Check out code from GitHub
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
+      - name: Install additional OS dependencies
+        timeout-minutes: 10
+        uses: ./.github/actions/cache-apt-packages
+        with:
+          packages: >-
+            bluez
+            ffmpeg
+            libturbojpeg
+            libxml2-utils
+          version: ${{ env.APT_CACHE_VERSION }}
+          execute_install_scripts: true
      - name: Set up Python ${{ matrix.python-version }}
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
+          uv-version: ${{ needs.info.outputs.uv_version }}
          python-version: ${{ matrix.python-version }}
-          check-latest: true
      - name: Restore full Python ${{ matrix.python-version }} virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -1105,40 +1028,28 @@ jobs:
        python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
        mariadb-group: ${{ fromJson(needs.info.outputs.mariadb_groups) }}
    steps:
-      - name: Restore apt cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          fail-on-cache-miss: true
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
-      - name: Install additional OS dependencies
-        timeout-minutes: 10
-        run: |
-          sudo rm /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR}
-          sudo apt-get -y install \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR} \
-            bluez \
-            ffmpeg \
-            libturbojpeg \
-            libmariadb-dev-compat \
-            libxml2-utils
      - name: Check out code from GitHub
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
+      - name: Install additional OS dependencies
+        timeout-minutes: 10
+        uses: ./.github/actions/cache-apt-packages
+        with:
+          packages: >-
+            bluez
+            ffmpeg
+            libturbojpeg
+            libmariadb-dev-compat
+            libxml2-utils
+          version: ${{ env.APT_CACHE_VERSION }}
+          execute_install_scripts: true
      - name: Set up Python ${{ matrix.python-version }}
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
+          uv-version: ${{ needs.info.outputs.uv_version }}
          python-version: ${{ matrix.python-version }}
-          check-latest: true
      - name: Restore full Python ${{ matrix.python-version }} virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -1266,42 +1177,35 @@ jobs:
        python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
        postgresql-group: ${{ fromJson(needs.info.outputs.postgresql_groups) }}
    steps:
-      - name: Restore apt cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          fail-on-cache-miss: true
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
-      - name: Install additional OS dependencies
-        timeout-minutes: 10
-        run: |
-          sudo rm /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR}
-          sudo apt-get -y install \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR} \
-            bluez \
-            ffmpeg \
-            libturbojpeg \
-            libxml2-utils
-          sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y
-          sudo apt-get -y install \
-            postgresql-server-dev-14
      - name: Check out code from GitHub
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
+      - name: Install additional OS dependencies
+        timeout-minutes: 10
+        uses: ./.github/actions/cache-apt-packages
+        with:
+          packages: >-
+            bluez
+            ffmpeg
+            libturbojpeg
+            libxml2-utils
+          version: ${{ env.APT_CACHE_VERSION }}
+          execute_install_scripts: true
+      - name: Set up PostgreSQL apt repository
+        run: sudo /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y
+      - name: Cache PostgreSQL development headers
+        timeout-minutes: 10
+        uses: ./.github/actions/cache-apt-packages
+        with:
+          packages: postgresql-server-dev-14
+          version: ${{ env.APT_CACHE_VERSION }}
      - name: Set up Python ${{ matrix.python-version }}
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
+          uv-version: ${{ needs.info.outputs.uv_version }}
          python-version: ${{ matrix.python-version }}
-          check-latest: true
      - name: Restore full Python ${{ matrix.python-version }} virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -1449,39 +1353,27 @@ jobs:
        python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
        group: ${{ fromJson(needs.info.outputs.test_groups) }}
    steps:
-      - name: Restore apt cache
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
-        with:
-          path: |
-            ${{ env.APT_CACHE_DIR }}
-            ${{ env.APT_LIST_CACHE_DIR }}
-          fail-on-cache-miss: true
-          key: >-
-            ${{ runner.os }}-${{ runner.arch }}-${{ needs.info.outputs.apt_cache_key }}
-      - name: Install additional OS dependencies
-        timeout-minutes: 10
-        run: |
-          sudo rm /etc/apt/sources.list.d/microsoft-prod.list
-          sudo apt-get update \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR}
-          sudo apt-get -y install \
-            -o Dir::Cache=${APT_CACHE_DIR} \
-            -o Dir::State::Lists=${APT_LIST_CACHE_DIR} \
-            bluez \
-            ffmpeg \
-            libturbojpeg \
-            libxml2-utils
      - name: Check out code from GitHub
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
+      - name: Install additional OS dependencies
+        timeout-minutes: 10
+        uses: ./.github/actions/cache-apt-packages
+        with:
+          packages: >-
+            bluez
+            ffmpeg
+            libturbojpeg
+            libxml2-utils
+          version: ${{ env.APT_CACHE_VERSION }}
+          execute_install_scripts: true
      - name: Set up Python ${{ matrix.python-version }}
        id: python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        uses: ./.github/actions/setup-uv-python
        with:
+          uv-version: ${{ needs.info.outputs.uv_version }}
          python-version: ${{ matrix.python-version }}
-          check-latest: true
      - name: Restore full Python ${{ matrix.python-version }} virtual environment
        id: cache-venv
        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -236,7 +236,7 @@ jobs:
      - name: Detect duplicates using AI
        id: ai_detection
        if: steps.extract.outputs.should_continue == 'true' && steps.fetch_similar.outputs.has_similar == 'true'
-        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
+        uses: actions/ai-inference@17ff458cb182449bbb2e43701fcd98f6af8f6570 # v2.1.0
        with:
          model: openai/gpt-4o
          system-prompt: |
@@ -62,7 +62,7 @@ jobs:
      - name: Detect language using AI
        id: ai_language_detection
        if: steps.detect_language.outputs.should_continue == 'true'
-        uses: actions/ai-inference@e09e65981758de8b2fdab13c2bfb7c7d5493b0b6 # v2.0.7
+        uses: actions/ai-inference@17ff458cb182449bbb2e43701fcd98f6af8f6570 # v2.1.0
        with:
          model: openai/gpt-4o-mini
          system-prompt: |
@@ -1 +1 @@
-3.14.4
+3.14.5
@@ -132,7 +132,7 @@
      "problemMatcher": []
    },
    {
-      "label": "Install all Requirements",
+      "label": "Install all production Requirements",
      "type": "shell",
      "command": "uv pip install -r requirements_all.txt",
      "group": {
@@ -146,9 +146,9 @@
      "problemMatcher": []
    },
    {
-      "label": "Install all Test Requirements",
+      "label": "Install all (test & production) Requirements",
      "type": "shell",
-      "command": "uv pip install -r requirements.txt -r requirements_test_all.txt",
+      "command": "uv pip install -r requirements_all.txt -r requirements_test.txt",
      "group": {
        "kind": "build",
        "isDefault": true
@@ -1413,8 +1413,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/pushover/ @engrbm87
 /homeassistant/components/pvoutput/ @frenck
 /tests/components/pvoutput/ @frenck
-/homeassistant/components/pvpc_hourly_pricing/ @azogue
-/tests/components/pvpc_hourly_pricing/ @azogue
+/homeassistant/components/pvpc_hourly_pricing/ @azogue @chiro79
+/tests/components/pvpc_hourly_pricing/ @azogue @chiro79
 /homeassistant/components/pyload/ @tr4nt0r
 /tests/components/pyload/ @tr4nt0r
 /homeassistant/components/qbittorrent/ @geoffreylagaisse @finder39
@@ -1538,8 +1538,8 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/saj/ @fredericvl
 /homeassistant/components/samsung_infrared/ @lmaertin
 /tests/components/samsung_infrared/ @lmaertin
-/homeassistant/components/samsungtv/ @chemelli74 @epenet
-/tests/components/samsungtv/ @chemelli74 @epenet
+/homeassistant/components/samsungtv/ @chemelli74
+/tests/components/samsungtv/ @chemelli74
 /homeassistant/components/sanix/ @tomaszsluszniak
 /tests/components/sanix/ @tomaszsluszniak
 /homeassistant/components/satel_integra/ @Tommatheussen
@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile@sha256:2780b5c3bab67f1f76c781860de469442999ed1a0d7992a5efdf2cffc0e3d769
-# Automatically generated by hassfest.
+# Partly generated by hassfest.
 #
 # To update, run python3 -m script.hassfest -p docker
 ARG BUILD_FROM
@@ -26,7 +26,7 @@ WORKDIR /usr/src
 COPY rootfs /

 # Add go2rtc binary
-COPY --from=ghcr.io/alexxit/go2rtc@sha256:675c318b23c06fd862a61d262240c9a63436b4050d177ffc68a32710d9e05bae /usr/local/bin/go2rtc /bin/go2rtc
+COPY --from=ghcr.io/alexxit/go2rtc:1.9.14@sha256:675c318b23c06fd862a61d262240c9a63436b4050d177ffc68a32710d9e05bae /usr/local/bin/go2rtc /bin/go2rtc

 ## Setup Home Assistant Core dependencies
 COPY --parents requirements.txt homeassistant/package_constraints.txt homeassistant/
@@ -134,7 +134,7 @@ class AuthManagerFlowManager(
        """
        flow = cast(LoginFlow, flow)

-        if result["type"] != FlowResultType.CREATE_ENTRY:
+        if result["type"] is not FlowResultType.CREATE_ENTRY:
            return result

        # we got final result
@@ -19,6 +19,7 @@ from .hub import AdsHub

 DEFAULT_NAME = "ADS select"

+# pylint: disable-next=home-assistant-duplicate-const
 CONF_OPTIONS = "options"

 PLATFORM_SCHEMA = SELECT_PLATFORM_SCHEMA.extend(
@@ -81,8 +81,10 @@ async def async_setup_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> boo
    ) as err:
        raise ConfigEntryAuthFailed from err
    except AirOSKeyDataMissingError as err:
+        # pylint: disable-next=home-assistant-exception-not-translated
        raise ConfigEntryError("key_data_missing") from err
    except Exception as err:
+        # pylint: disable-next=home-assistant-exception-not-translated
        raise ConfigEntryError("unknown") from err

    airos_class: type[AirOS8 | AirOS6] = (
@@ -91,6 +91,7 @@ class AmazonDevicesCoordinator(DataUpdateCoordinator[dict[str, AmazonDevice]]):
                translation_placeholders={"error": repr(err)},
            ) from err
        except CannotAuthenticate as err:
+            # pylint: disable-next=home-assistant-exception-translation-key-missing
            raise ConfigEntryAuthFailed(
                translation_domain=DOMAIN,
                translation_key="invalid_auth",
@@ -2,4 +2,5 @@

 DOMAIN = "altruist"

+# pylint: disable-next=home-assistant-duplicate-const
 CONF_HOST = "host"
@@ -16,6 +16,8 @@ from .entity import AnthropicBaseLLMEntity
 if TYPE_CHECKING:
    from . import AnthropicConfigEntry

+PARALLEL_UPDATES = 0
+
 _LOGGER = logging.getLogger(__name__)


@@ -24,10 +24,10 @@ from homeassistant.const import (
    CONF_API_KEY,
    CONF_LLM_HASS_API,
    CONF_NAME,
+    CONF_PROMPT,
 )
 from homeassistant.core import HomeAssistant, callback
-from homeassistant.helpers import llm
-import homeassistant.helpers.config_validation as cv
+from homeassistant.helpers import config_validation as cv, llm
 from homeassistant.helpers.httpx_client import get_async_client
 from homeassistant.helpers.selector import (
    NumberSelector,
@@ -44,12 +44,13 @@ from .const import (
    CONF_CHAT_MODEL,
    CONF_CODE_EXECUTION,
    CONF_MAX_TOKENS,
-    CONF_PROMPT,
    CONF_PROMPT_CACHING,
    CONF_RECOMMENDED,
    CONF_THINKING_BUDGET,
    CONF_THINKING_EFFORT,
    CONF_TOOL_SEARCH,
+    CONF_WEB_FETCH,
+    CONF_WEB_FETCH_MAX_USES,
    CONF_WEB_SEARCH,
    CONF_WEB_SEARCH_CITY,
    CONF_WEB_SEARCH_COUNTRY,
@@ -225,7 +226,7 @@ class ConversationSubentryFlowHandler(ConfigSubentryFlow):
    ) -> SubentryFlowResult:
        """Set initial options."""
        # abort if entry is not loaded
-        if self._get_entry().state != ConfigEntryState.LOADED:
+        if self._get_entry().state is not ConfigEntryState.LOADED:
            return self.async_abort(reason="entry_not_loaded")

        hass_apis: list[SelectOptionDict] = [
@@ -452,11 +453,19 @@ class ConversationSubentryFlowHandler(ConfigSubentryFlow):
                vol.Optional(
                    CONF_WEB_SEARCH_MAX_USES,
                    default=DEFAULT[CONF_WEB_SEARCH_MAX_USES],
-                ): int,
+                ): cv.positive_int,
                vol.Optional(
                    CONF_WEB_SEARCH_USER_LOCATION,
                    default=DEFAULT[CONF_WEB_SEARCH_USER_LOCATION],
                ): bool,
+                vol.Optional(
+                    CONF_WEB_FETCH,
+                    default=DEFAULT[CONF_WEB_FETCH],
+                ): bool,
+                vol.Optional(
+                    CONF_WEB_FETCH_MAX_USES,
+                    default=DEFAULT[CONF_WEB_FETCH_MAX_USES],
+                ): cv.positive_int,
            }
        )

@@ -10,7 +10,6 @@ DEFAULT_CONVERSATION_NAME = "Claude conversation"
 DEFAULT_AI_TASK_NAME = "Claude AI Task"

 CONF_RECOMMENDED = "recommended"
-CONF_PROMPT = "prompt"
 CONF_CHAT_MODEL = "chat_model"
 CONF_CODE_EXECUTION = "code_execution"
 CONF_MAX_TOKENS = "max_tokens"
@@ -18,6 +17,8 @@ CONF_PROMPT_CACHING = "prompt_caching"
 CONF_THINKING_BUDGET = "thinking_budget"
 CONF_THINKING_EFFORT = "thinking_effort"
 CONF_TOOL_SEARCH = "tool_search"
+CONF_WEB_FETCH = "web_fetch"
+CONF_WEB_FETCH_MAX_USES = "web_fetch_max_uses"
 CONF_WEB_SEARCH = "web_search"
 CONF_WEB_SEARCH_USER_LOCATION = "user_location"
 CONF_WEB_SEARCH_MAX_USES = "web_search_max_uses"
@@ -45,6 +46,8 @@ DEFAULT = {
    CONF_THINKING_BUDGET: MIN_THINKING_BUDGET,
    CONF_THINKING_EFFORT: "low",
    CONF_TOOL_SEARCH: False,
+    CONF_WEB_FETCH: False,
+    CONF_WEB_FETCH_MAX_USES: 5,
    CONF_WEB_SEARCH: False,
    CONF_WEB_SEARCH_USER_LOCATION: False,
    CONF_WEB_SEARCH_MAX_USES: 5,
@@ -4,14 +4,16 @@ from typing import Literal

 from homeassistant.components import conversation
 from homeassistant.config_entries import ConfigSubentry
-from homeassistant.const import CONF_LLM_HASS_API, MATCH_ALL
+from homeassistant.const import CONF_LLM_HASS_API, CONF_PROMPT, MATCH_ALL
 from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

 from . import AnthropicConfigEntry
-from .const import CONF_PROMPT, DOMAIN
+from .const import DOMAIN
 from .entity import AnthropicBaseLLMEntity

+PARALLEL_UPDATES = 0
+

 async def async_setup_entry(
    hass: HomeAssistant,
@@ -5,11 +5,10 @@ from typing import TYPE_CHECKING, Any
 from anthropic import __title__, __version__

 from homeassistant.components.diagnostics import async_redact_data
-from homeassistant.const import CONF_API_KEY
+from homeassistant.const import CONF_API_KEY, CONF_PROMPT
 from homeassistant.helpers import entity_registry as er

 from .const import (
-    CONF_PROMPT,
    CONF_WEB_SEARCH_CITY,
    CONF_WEB_SEARCH_COUNTRY,
    CONF_WEB_SEARCH_REGION,
@@ -17,8 +17,6 @@ from anthropic.types import (
    Base64PDFSourceParam,
    BashCodeExecutionToolResultBlock,
    CitationsDelta,
-    CitationsWebSearchResultLocation,
-    CitationWebSearchResultLocationParam,
    CodeExecutionTool20250825Param,
    CodeExecutionToolResultBlock,
    CodeExecutionToolResultBlockContent,
@@ -70,6 +68,9 @@ from anthropic.types import (
    ToolUseBlock,
    ToolUseBlockParam,
    Usage,
+    WebFetchTool20250910Param,
+    WebFetchTool20260209Param,
+    WebFetchToolResultBlock,
    WebSearchTool20250305Param,
    WebSearchTool20260209Param,
    WebSearchToolResultBlock,
@@ -97,6 +98,12 @@ from anthropic.types.tool_search_tool_result_block_param import (
    Content as ToolSearchToolResultBlockParamContentParam,
 )
 from anthropic.types.tool_use_block import Caller
+from anthropic.types.web_fetch_tool_result_block import (
+    Content as WebFetchToolResultBlockContent,
+)
+from anthropic.types.web_fetch_tool_result_block_param import (
+    Content as WebFetchToolResultBlockParamContentParam,
+)
 import voluptuous as vol
 from voluptuous_openapi import convert

@@ -118,6 +125,8 @@ from .const import (
    CONF_THINKING_BUDGET,
    CONF_THINKING_EFFORT,
    CONF_TOOL_SEARCH,
+    CONF_WEB_FETCH,
+    CONF_WEB_FETCH_MAX_USES,
    CONF_WEB_SEARCH,
    CONF_WEB_SEARCH_CITY,
    CONF_WEB_SEARCH_COUNTRY,
@@ -208,17 +217,9 @@ class ContentDetails:
        """Add a citation to the current detail."""
        if not self.citation_details:
            self.citation_details.append(CitationDetails())
-        citation_param: TextCitationParam | None = None
-        if isinstance(citation, CitationsWebSearchResultLocation):
-            citation_param = CitationWebSearchResultLocationParam(
-                type="web_search_result_location",
-                title=citation.title,
-                url=citation.url,
-                cited_text=citation.cited_text,
-                encrypted_index=citation.encrypted_index,
-            )
-        if citation_param:
-            self.citation_details[-1].citations.append(citation_param)
+        self.citation_details[-1].citations.append(
+            cast(TextCitationParam, citation.to_dict())
+        )

    def delete_empty(self) -> None:
        """Delete empty citation details."""
@@ -289,6 +290,15 @@ def _convert_content(  # noqa: C901
                        content.tool_result,
                    ),
                }
+            elif content.tool_name == "web_fetch":
+                tool_result_block = {
+                    "type": "web_fetch_tool_result",
+                    "tool_use_id": content.tool_call_id,
+                    "content": cast(
+                        WebFetchToolResultBlockParamContentParam,
+                        content.tool_result,
+                    ),
+                }
            else:
                tool_result_block = {
                    "type": "tool_result",
@@ -415,6 +425,7 @@ def _convert_content(  # noqa: C901
                            id=tool_call.id,
                            name=cast(
                                Literal[
+                                    "web_fetch",
                                    "web_search",
                                    "code_execution",
                                    "bash_code_execution",
@@ -428,6 +439,7 @@ def _convert_content(  # noqa: C901
                        if tool_call.external
                        and tool_call.tool_name
                        in [
+                            "web_fetch",
                            "web_search",
                            "code_execution",
                            "bash_code_execution",
@@ -609,6 +621,7 @@ class AnthropicDeltaStream:
        if isinstance(
            content_block,
            (
+                WebFetchToolResultBlock,
                WebSearchToolResultBlock,
                CodeExecutionToolResultBlock,
                BashCodeExecutionToolResultBlock,
@@ -724,13 +737,15 @@ class AnthropicDeltaStream:
        self,
        tool_use_id: str,
        tool_name: Literal[
+            "web_fetch_tool_result",
            "web_search_tool_result",
            "code_execution_tool_result",
            "bash_code_execution_tool_result",
            "text_editor_code_execution_tool_result",
            "tool_search_tool_result",
        ],
-        content: WebSearchToolResultBlockContent
+        content: WebFetchToolResultBlockContent
+        | WebSearchToolResultBlockContent
        | CodeExecutionToolResultBlockContent
        | BashCodeExecutionToolResultBlockContent
        | TextEditorCodeExecutionToolResultBlockContent
@@ -907,6 +922,7 @@ class AnthropicBaseLLMEntity(CoordinatorEntity[AnthropicCoordinator]):
            "GetLiveContext",
            "code_execution",
            "web_search",
+            "web_fetch",
        ]

        system = chat_log.content[0]
@@ -980,12 +996,12 @@ class AnthropicBaseLLMEntity(CoordinatorEntity[AnthropicCoordinator]):
            ]

        if options[CONF_CODE_EXECUTION]:
-            # The `web_search_20260209` tool automatically enables
-            # `code_execution_20260120` tool
+            # The `web_search_20260209` and `web_fetch_20260209` tools
+            # automatically enable `code_execution_20260120` tool
            if (
                not self.model_info.capabilities
                or not self.model_info.capabilities.code_execution.supported
-                or not options[CONF_WEB_SEARCH]
+                or (not options[CONF_WEB_SEARCH] and not options[CONF_WEB_FETCH])
            ):
                tools.append(
                    CodeExecutionTool20250825Param(
@@ -1023,6 +1039,28 @@ class AnthropicBaseLLMEntity(CoordinatorEntity[AnthropicCoordinator]):
                }
            tools.append(web_search)

+        if options[CONF_WEB_FETCH]:
+            if (
+                not self.model_info.capabilities
+                or not self.model_info.capabilities.code_execution.supported
+                or not options[CONF_CODE_EXECUTION]
+            ):
+                tools.append(
+                    WebFetchTool20250910Param(
+                        name="web_fetch",
+                        type="web_fetch_20250910",
+                        max_uses=options[CONF_WEB_FETCH_MAX_USES],
+                    )
+                )
+            else:
+                tools.append(
+                    WebFetchTool20260209Param(
+                        name="web_fetch",
+                        type="web_fetch_20260209",
+                        max_uses=options[CONF_WEB_FETCH_MAX_USES],
+                    )
+                )
+
        # Handle attachments by adding them to the last user message
        last_content = chat_log.content[-1]
        if last_content.role == "user" and last_content.attachments:
@@ -38,10 +38,7 @@ rules:
  entity-unavailable: done
  integration-owner: done
  log-when-unavailable: done
-  parallel-updates:
-    status: exempt
-    comment: |
-      The API does not limit parallel updates.
+  parallel-updates: done
  reauthentication-flow: done
  test-coverage: done
  # Gold
@@ -40,9 +40,11 @@ class ModelDeprecatedRepairFlow(RepairsFlow):
        self._current_subentry_id = None
        self._model_list_cache = None

-    async def async_step_init(self, user_input: dict[str, str]) -> RepairsFlowResult:
+    async def async_step_init(
+        self, user_input: dict[str, str] | None
+    ) -> RepairsFlowResult:
        """Handle the steps of a fix flow."""
-        if user_input.get(CONF_CHAT_MODEL):
+        if user_input and user_input.get(CONF_CHAT_MODEL):
            self._async_update_current_subentry(user_input)

        target = await self._async_next_target()
@@ -51,13 +51,11 @@
        "advanced": {
          "data": {
            "chat_model": "[%key:common::generic::model%]",
-            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data::prompt_caching%]",
-            "temperature": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data::temperature%]"
+            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data::prompt_caching%]"
          },
          "data_description": {
            "chat_model": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::chat_model%]",
-            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::prompt_caching%]",
-            "temperature": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::temperature%]"
+            "prompt_caching": "[%key:component::anthropic::config_subentries::conversation::step::advanced::data_description::prompt_caching%]"
          },
          "title": "[%key:component::anthropic::config_subentries::conversation::step::advanced::title%]"
        },
@@ -80,6 +78,8 @@
            "thinking_effort": "[%key:component::anthropic::config_subentries::conversation::step::model::data::thinking_effort%]",
            "tool_search": "[%key:component::anthropic::config_subentries::conversation::step::model::data::tool_search%]",
            "user_location": "[%key:component::anthropic::config_subentries::conversation::step::model::data::user_location%]",
+            "web_fetch": "[%key:component::anthropic::config_subentries::conversation::step::model::data::web_fetch%]",
+            "web_fetch_max_uses": "[%key:component::anthropic::config_subentries::conversation::step::model::data::web_fetch_max_uses%]",
            "web_search": "[%key:component::anthropic::config_subentries::conversation::step::model::data::web_search%]",
            "web_search_max_uses": "[%key:component::anthropic::config_subentries::conversation::step::model::data::web_search_max_uses%]"
          },
@@ -90,6 +90,8 @@
            "thinking_effort": "[%key:component::anthropic::config_subentries::conversation::step::model::data_description::thinking_effort%]",
            "tool_search": "[%key:component::anthropic::config_subentries::conversation::step::model::data_description::tool_search%]",
            "user_location": "[%key:component::anthropic::config_subentries::conversation::step::model::data_description::user_location%]",
+            "web_fetch": "[%key:component::anthropic::config_subentries::conversation::step::model::data_description::web_fetch%]",
+            "web_fetch_max_uses": "[%key:component::anthropic::config_subentries::conversation::step::model::data_description::web_fetch_max_uses%]",
            "web_search": "[%key:component::anthropic::config_subentries::conversation::step::model::data_description::web_search%]",
            "web_search_max_uses": "[%key:component::anthropic::config_subentries::conversation::step::model::data_description::web_search_max_uses%]"
          },
@@ -116,13 +118,11 @@
        "advanced": {
          "data": {
            "chat_model": "[%key:common::generic::model%]",
-            "prompt_caching": "Caching strategy",
-            "temperature": "Temperature"
+            "prompt_caching": "Caching strategy"
          },
          "data_description": {
            "chat_model": "The model to serve the responses.",
-            "prompt_caching": "Optimize your API cost and response times based on your usage.",
-            "temperature": "Control the randomness of the response, trading off between creativity and coherence."
+            "prompt_caching": "Optimize your API cost and response times based on your usage."
          },
          "title": "Advanced settings"
        },
@@ -149,6 +149,8 @@
            "thinking_effort": "Thinking effort",
            "tool_search": "Enable tool search tool",
            "user_location": "Include home location",
+            "web_fetch": "Enable web fetch",
+            "web_fetch_max_uses": "Maximum web fetches",
            "web_search": "Enable web search",
            "web_search_max_uses": "Maximum web searches"
          },
@@ -159,6 +161,8 @@
            "thinking_effort": "Control how many tokens Claude uses when responding, trading off between response thoroughness and token efficiency",
            "tool_search": "Enable dynamic tool discovery instead of preloading all tools into the context",
            "user_location": "Localize search results based on home location",
+            "web_fetch": "The web fetch tool allows Claude to retrieve full content from specified web pages and PDF documents to augment Claude's context with live web content",
+            "web_fetch_max_uses": "Limit the number of web fetches performed per response",
            "web_search": "The web search tool gives Claude direct access to real-time web content, allowing it to answer questions with up-to-date information beyond its knowledge cutoff",
            "web_search_max_uses": "Limit the number of searches performed per response"
          },
@@ -6,5 +6,5 @@
  "documentation": "https://www.home-assistant.io/integrations/aosmith",
  "integration_type": "hub",
  "iot_class": "cloud_polling",
-  "requirements": ["py-aosmith==1.0.17"]
+  "requirements": ["py-aosmith==1.0.18"]
 }
@@ -89,7 +89,7 @@ class AOSmithWaterHeaterEntity(AOSmithStatusEntity, WaterHeaterEntity):
    def supported_features(self) -> WaterHeaterEntityFeature:
        """Return the list of supported features."""
        supports_vacation_mode = any(
-            supported_mode.mode == AOSmithOperationMode.VACATION
+            supported_mode.mode is AOSmithOperationMode.VACATION
            for supported_mode in self.device.supported_modes
        )

@@ -122,7 +122,7 @@ class AOSmithWaterHeaterEntity(AOSmithStatusEntity, WaterHeaterEntity):
    @property
    def is_away_mode_on(self) -> bool:
        """Return True if away mode is on."""
-        return self.device.status.current_mode == AOSmithOperationMode.VACATION
+        return self.device.status.current_mode is AOSmithOperationMode.VACATION

    async def async_set_operation_mode(self, operation_mode: str) -> None:
        """Set new target operation mode."""
@@ -369,7 +369,7 @@ class AppleTVManager(DeviceListener):

            attrs[ATTR_MODEL] = (
                dev_info.raw_model
-                if dev_info.model == DeviceModel.Unknown and dev_info.raw_model
+                if dev_info.model is DeviceModel.Unknown and dev_info.raw_model
                else model_str(dev_info.model)
            )
            attrs[ATTR_SW_VERSION] = dev_info.version
@@ -63,7 +63,7 @@ class AppleTVKeyboardFocused(AppleTVEntity, BinarySensorEntity, KeyboardListener
        # Listen to keyboard updates
        atv.keyboard.listener = self
        # Set initial state based on current focus state
-        self._update_state(atv.keyboard.text_focus_state == KeyboardFocusState.Focused)
+        self._update_state(atv.keyboard.text_focus_state is KeyboardFocusState.Focused)

    @callback
    def async_device_disconnected(self) -> None:
@@ -78,7 +78,7 @@ class AppleTVKeyboardFocused(AppleTVEntity, BinarySensorEntity, KeyboardListener

        This is a callback function from pyatv.interface.KeyboardListener.
        """
-        self._update_state(new_state == KeyboardFocusState.Focused)
+        self._update_state(new_state is KeyboardFocusState.Focused)

    def _update_state(self, new_state: bool) -> None:
        """Update and report."""
@@ -354,7 +354,7 @@ class AppleTVConfigFlow(ConfigFlow, domain=DOMAIN):
            "name": self.atv.name,
            "type": (
                dev_info.raw_model
-                if dev_info.model == DeviceModel.Unknown and dev_info.raw_model
+                if dev_info.model is DeviceModel.Unknown and dev_info.raw_model
                else model_str(dev_info.model)
            ),
        }
@@ -441,12 +441,12 @@ class AppleTVConfigFlow(ConfigFlow, domain=DOMAIN):
            return await self.async_step_password()

        # Figure out, depending on protocol, what kind of pairing is needed
-        if service.pairing == PairingRequirement.Unsupported:
+        if service.pairing is PairingRequirement.Unsupported:
            _LOGGER.debug("%s does not support pairing", self.protocol)
            return await self.async_pair_next_protocol()
-        if service.pairing == PairingRequirement.Disabled:
+        if service.pairing is PairingRequirement.Disabled:
            return await self.async_step_protocol_disabled()
-        if service.pairing == PairingRequirement.NotNeeded:
+        if service.pairing is PairingRequirement.NotNeeded:
            _LOGGER.debug("%s does not require pairing", self.protocol)
            self.credentials[self.protocol.value] = None
            return await self.async_pair_next_protocol()
@@ -457,7 +457,7 @@ class AppleTVConfigFlow(ConfigFlow, domain=DOMAIN):
        pair_args: dict[str, Any] = {}
        if self.protocol in {Protocol.AirPlay, Protocol.Companion, Protocol.DMAP}:
            pair_args["name"] = "Home Assistant"
-        if self.protocol == Protocol.DMAP:
+        if self.protocol is Protocol.DMAP:
            pair_args["zeroconf"] = await zeroconf.async_get_instance(self.hass)

        # Initiate the pairing process
@@ -139,7 +139,7 @@ class AppleTvMediaPlayer(
        all_features = atv.features.all_features()
        for feature_name, support_flag in SUPPORT_FEATURE_MAPPING.items():
            feature_info = all_features.get(feature_name)
-            if feature_info and feature_info.state != FeatureState.Unsupported:
+            if feature_info and feature_info.state is not FeatureState.Unsupported:
                self._attr_supported_features |= support_flag

        # No need to schedule state update here as that will happen when the first
@@ -188,14 +188,14 @@ class AppleTvMediaPlayer(
            return MediaPlayerState.OFF
        if (
            self._is_feature_available(FeatureName.PowerState)
-            and self.atv.power.power_state == PowerState.Off
+            and self.atv.power.power_state is PowerState.Off
        ):
            return MediaPlayerState.OFF
        if self._playing:
            state = self._playing.device_state
            if state in (DeviceState.Idle, DeviceState.Loading):
                return MediaPlayerState.IDLE
-            if state == DeviceState.Playing:
+            if state is DeviceState.Playing:
                return MediaPlayerState.PLAYING
            if state in (DeviceState.Paused, DeviceState.Seeking, DeviceState.Stopped):
                return MediaPlayerState.PAUSED
@@ -446,7 +446,7 @@ class AppleTvMediaPlayer(
    def shuffle(self) -> bool | None:
        """Boolean if shuffle is enabled."""
        if self._playing and self._is_feature_available(FeatureName.Shuffle):
-            return self._playing.shuffle != ShuffleState.Off
+            return self._playing.shuffle is not ShuffleState.Off
        return None

    def _is_feature_available(self, feature: FeatureName) -> bool:
@@ -506,7 +506,7 @@ class AppleTvMediaPlayer(
            and (self._is_feature_available(FeatureName.TurnOff))
            and (
                not self._is_feature_available(FeatureName.PowerState)
-                or self.atv.power.power_state == PowerState.On
+                or self.atv.power.power_state is PowerState.On
            )
        ):
            await self.atv.power.turn_off()
@@ -59,7 +59,7 @@ def _check_keyboard_focus(atv: AppleTVInterface) -> None:
            translation_domain=DOMAIN,
            translation_key="keyboard_not_available",
        ) from err
-    if focus_state != KeyboardFocusState.Focused:
+    if focus_state is not KeyboardFocusState.Focused:
        raise ServiceValidationError(
            translation_domain=DOMAIN,
            translation_key="keyboard_not_focused",
@@ -16,6 +16,9 @@ from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 from .coordinator import ArcamFmjConfigEntry
 from .entity import ArcamFmjEntity

+# Read-only, coordinator-driven entities; no per-entity I/O to bound.
+PARALLEL_UPDATES = 0
+

@dataclass(frozen=True, kw_only=True)
 class ArcamFmjBinarySensorEntityDescription(BinarySensorEntityDescription):
@@ -1,9 +1,11 @@
 """Config flow to configure the Arcam FMJ component."""

+import socket
 from typing import Any
 from urllib.parse import urlparse

-from arcam.fmj.client import Client, ConnectionFailed
+from arcam.fmj import ConnectionFailed
+from arcam.fmj.client import Client
 from arcam.fmj.utils import get_uniqueid_from_host, get_uniqueid_from_udn
 import voluptuous as vol

@@ -29,26 +31,19 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):
        await self.async_set_unique_id(uuid)
        self._abort_if_unique_id_configured({CONF_HOST: host, CONF_PORT: port})

-    async def _async_check_and_create(self, host: str, port: int) -> ConfigFlowResult:
+    async def _async_try_connect(self, host: str, port: int) -> None:
+        """Verify the device is reachable."""
        client = Client(host, port)
        try:
            await client.start()
-        except ConnectionFailed:
-            return self.async_abort(reason="cannot_connect")
        finally:
            await client.stop()

-        return self.async_create_entry(
-            title=f"{DEFAULT_NAME} ({host})",
-            data={CONF_HOST: host, CONF_PORT: port},
-        )
-
    async def async_step_user(
        self, user_input: dict[str, Any] | None = None
    ) -> ConfigFlowResult:
        """Handle a discovered device."""
        errors: dict[str, str] = {}
-
        if user_input is not None:
            uuid = await get_uniqueid_from_host(
                async_get_clientsession(self.hass), user_input[CONF_HOST]
@@ -58,18 +53,36 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):
                    user_input[CONF_HOST], user_input[CONF_PORT], uuid
                )

-            return await self._async_check_and_create(
-                user_input[CONF_HOST], user_input[CONF_PORT]
-            )
+            try:
+                await self._async_try_connect(
+                    user_input[CONF_HOST], user_input[CONF_PORT]
+                )
+            except socket.gaierror:
+                errors["base"] = "invalid_host"
+            except TimeoutError:
+                errors["base"] = "timeout_connect"
+            except ConnectionRefusedError:
+                errors["base"] = "connection_refused"
+            except ConnectionFailed, OSError:
+                errors["base"] = "cannot_connect"
+            else:
+                return self.async_create_entry(
+                    title=f"{DEFAULT_NAME} ({user_input[CONF_HOST]})",
+                    data={
+                        CONF_HOST: user_input[CONF_HOST],
+                        CONF_PORT: user_input[CONF_PORT],
+                    },
+                )

        fields = {
            vol.Required(CONF_HOST): str,
            vol.Required(CONF_PORT, default=DEFAULT_PORT): int,
        }
+        schema = vol.Schema(fields)
+        if user_input is not None:
+            schema = self.add_suggested_values_to_schema(schema, user_input)

-        return self.async_show_form(
-            step_id="user", data_schema=vol.Schema(fields), errors=errors
-        )
+        return self.async_show_form(step_id="user", data_schema=schema, errors=errors)

    async def async_step_confirm(
        self, user_input: dict[str, Any] | None = None
@@ -79,7 +92,10 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):
        self.context["title_placeholders"] = placeholders

        if user_input is not None:
-            return await self._async_check_and_create(self.host, self.port)
+            return self.async_create_entry(
+                title=f"{DEFAULT_NAME} ({self.host})",
+                data={CONF_HOST: self.host, CONF_PORT: self.port},
+            )

        return self.async_show_form(
            step_id="confirm", description_placeholders=placeholders
@@ -97,6 +113,11 @@ class ArcamFmjFlowHandler(ConfigFlow, domain=DOMAIN):

        await self._async_set_unique_id_and_update(host, port, uuid)

+        try:
+            await self._async_try_connect(host, port)
+        except ConnectionFailed, OSError:
+            return self.async_abort(reason="cannot_connect")
+
        self.host = host
-        self.port = DEFAULT_PORT
+        self.port = port
        return await self.async_step_confirm()
@@ -25,6 +25,10 @@ from .entity import ArcamFmjEntity, convert_exception

 _LOGGER = logging.getLogger(__name__)

+# arcam-fmj serializes commands on a single TCP writer at the library
+# layer; serialize at HA's layer to match the device's contract.
+PARALLEL_UPDATES = 1
+

 async def async_setup_entry(
    hass: HomeAssistant,
@@ -259,9 +263,9 @@ class ArcamFmj(ArcamFmjEntity, MediaPlayerEntity):
    def media_channel(self) -> str | None:
        """Channel currently playing."""
        source = self._state.get_source()
-        if source == SourceCodes.DAB:
+        if source is SourceCodes.DAB:
            value = self._state.get_dab_station()
-        elif source == SourceCodes.FM:
+        elif source is SourceCodes.FM:
            value = self._state.get_rds_information()
        else:
            value = None
@@ -270,7 +274,7 @@ class ArcamFmj(ArcamFmjEntity, MediaPlayerEntity):
    @property
    def media_artist(self) -> str | None:
        """Artist of current playing media, music track only."""
-        if self._state.get_source() == SourceCodes.DAB:
+        if self._state.get_source() is SourceCodes.DAB:
            value = self._state.get_dls_pdt()
        else:
            value = None
@@ -22,6 +22,9 @@ from .entity import ArcamFmjEntity

 _LOGGER = logging.getLogger(__name__)

+# Read-only, coordinator-driven entities; no per-entity I/O to bound.
+PARALLEL_UPDATES = 0
+

 def _enum_options(value: type[IntOrTypeEnum]) -> list[str]:
    return [
@@ -5,6 +5,12 @@
      "already_in_progress": "[%key:common::config_flow::abort::already_in_progress%]",
      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]"
    },
+    "error": {
+      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
+      "connection_refused": "Host refused connection",
+      "invalid_host": "[%key:common::config_flow::error::invalid_host%]",
+      "timeout_connect": "[%key:common::config_flow::error::timeout_connect%]"
+    },
    "flow_title": "{host}",
    "step": {
      "confirm": {
@@ -1355,7 +1355,7 @@ class PipelineRun:
    ) -> bool:
        """Return true if all targeted entities were in the same area as the device."""
        if (
-            intent_response.response_type != intent.IntentResponseType.ACTION_DONE
+            intent_response.response_type is not intent.IntentResponseType.ACTION_DONE
            or not intent_response.matched_states
        ):
            return False
@@ -19,6 +19,8 @@ DEVICES = "devices"
 MANUFACTURER = "ABB"

 ATTR_DEVICE_NAME = "device_name"
+# pylint: disable-next=home-assistant-duplicate-const
 ATTR_DEVICE_ID = "device_id"
+# pylint: disable-next=home-assistant-duplicate-const
 ATTR_MODEL = "model"
 ATTR_FIRMWARE = "firmware"
@@ -82,7 +82,7 @@ rules:
    comment: |
      This integration does not have any entities that should disabled by default.
  entity-translations: done
-  exception-translations: done
+  exception-translations: todo
  icon-translations: done
  reconfiguration-flow: todo
  repair-issues:
@@ -251,12 +251,12 @@ class AuthProvidersView(HomeAssistantView):

 def _prepare_result_json(result: AuthFlowResult) -> dict[str, Any]:
    """Convert result to JSON serializable dict."""
-    if result["type"] == data_entry_flow.FlowResultType.CREATE_ENTRY:
+    if result["type"] is data_entry_flow.FlowResultType.CREATE_ENTRY:
        return {
            key: val for key, val in result.items() if key not in ("result", "data")
        }

-    if result["type"] != data_entry_flow.FlowResultType.FORM:
+    if result["type"] is not data_entry_flow.FlowResultType.FORM:
        return result  # type: ignore[return-value]

    data = dict(result)
@@ -289,11 +289,11 @@ class LoginFlowBaseView(HomeAssistantView):
        result: AuthFlowResult,
    ) -> web.Response:
        """Convert the flow result to a response."""
-        if result["type"] != data_entry_flow.FlowResultType.CREATE_ENTRY:
+        if result["type"] is not data_entry_flow.FlowResultType.CREATE_ENTRY:
            # @log_invalid_auth does not work here since it returns HTTP 200.
            # We need to manually log failed login attempts.
            if (
-                result["type"] == data_entry_flow.FlowResultType.FORM
+                result["type"] is data_entry_flow.FlowResultType.FORM
                and (errors := result.get("errors"))
                and errors.get("base")
                in (
@@ -142,9 +142,9 @@ def websocket_depose_mfa(

 def _prepare_result_json(result: data_entry_flow.FlowResult) -> dict[str, Any]:
    """Convert result to JSON serializable dict."""
-    if result["type"] == data_entry_flow.FlowResultType.CREATE_ENTRY:
+    if result["type"] is data_entry_flow.FlowResultType.CREATE_ENTRY:
        return dict(result)
-    if result["type"] != data_entry_flow.FlowResultType.FORM:
+    if result["type"] is not data_entry_flow.FlowResultType.FORM:
        return result  # type: ignore[return-value]

    data = dict(result)
@@ -67,7 +67,7 @@ rules:
    comment: |
      Only one entity type (device_tracker) is created, making this not applicable.
  entity-translations: done
-  exception-translations: done
+  exception-translations: todo
  icon-translations: done
  reconfiguration-flow:
    status: todo
@@ -205,9 +205,9 @@ class AveaLight(LightEntity):

    def turn_off(self, **kwargs: Any) -> None:
        """Instruct the light to turn off."""
-        if self._attr_brightness:
-            self._last_brightness = self._attr_brightness
        self._light.set_brightness(0)
+        self._attr_is_on = False
+        self._attr_brightness = 0

    def update(self) -> None:
        """Fetch new state data for this light."""
@@ -14,5 +14,5 @@
  "integration_type": "device",
  "iot_class": "local_polling",
  "loggers": ["avea"],
-  "requirements": ["avea==1.6.1"]
+  "requirements": ["avea==1.8.0"]
 }
@@ -51,6 +51,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: S3ConfigEntry) -> bool:
                translation_key="invalid_bucket_name",
            ) from err
    except ValueError as err:
+        # pylint: disable-next=home-assistant-exception-translation-key-missing
        raise ConfigEntryError(
            translation_domain=DOMAIN,
            translation_key="invalid_endpoint_url",
@@ -11,6 +11,7 @@ CONF_ACCESS_KEY_ID = "access_key_id"
 CONF_SECRET_ACCESS_KEY = "secret_access_key"
 CONF_ENDPOINT_URL = "endpoint_url"
 CONF_BUCKET = "bucket"
+# pylint: disable-next=home-assistant-duplicate-const
 CONF_PREFIX = "prefix"

 AWS_DOMAIN = "amazonaws.com"
@@ -72,7 +72,7 @@ rules:
  entity-device-class: done
  entity-disabled-by-default: done
  entity-translations: done
-  exception-translations: done
+  exception-translations: todo
  icon-translations:
    status: exempt
    comment: This integration does not use icons.
@@ -75,11 +75,13 @@ def handle_backup_errors[_R, **P](
                err.message,
                exc_info=True,
            )
+            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupAgentError(
                f"Error during backup operation in {func.__name__}:"
                f" Status {err.status_code}, message: {err.message}"
            ) from err
        except ServiceRequestError as err:
+            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupAgentError(
                f"Timeout during backup operation in {func.__name__}"
            ) from err
@@ -90,6 +92,7 @@ def handle_backup_errors[_R, **P](
                err,
                exc_info=True,
            )
+            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupAgentError(
                f"Error during backup operation in {func.__name__}: {err}"
            ) from err
@@ -118,6 +121,7 @@ class AzureStorageBackupAgent(BackupAgent):
        """Download a backup file."""
        blob = await self._find_blob_by_backup_id(backup_id)
        if blob is None:
+            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupNotFound(f"Backup {backup_id} not found")
        download_stream = await self._client.download_blob(blob.name)
        return download_stream.chunks()
@@ -155,6 +159,7 @@ class AzureStorageBackupAgent(BackupAgent):
        """Delete a backup file."""
        blob = await self._find_blob_by_backup_id(backup_id)
        if blob is None:
+            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupNotFound(f"Backup {backup_id} not found")
        await self._client.delete_blob(blob.name)

@@ -181,6 +186,7 @@ class AzureStorageBackupAgent(BackupAgent):
        """Return a backup."""
        blob = await self._find_blob_by_backup_id(backup_id)
        if blob is None:
+            # pylint: disable-next=home-assistant-exception-not-translated
            raise BackupNotFound(f"Backup {backup_id} not found")

        return AgentBackup.from_dict(json.loads(blob.metadata["backup_metadata"]))
@@ -89,6 +89,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: BackblazeConfigEntry) ->
            translation_key="cannot_connect",
        ) from err
    except exception.MissingAccountData as err:
+        # pylint: disable-next=home-assistant-exception-translation-key-missing
        raise ConfigEntryAuthFailed(
            translation_domain=DOMAIN,
            translation_key="invalid_auth",
@@ -20,12 +20,12 @@ from homeassistant.components.backup import (
    OnProgressCallback,
    suggested_filename,
 )
+from homeassistant.const import CONF_PREFIX
 from homeassistant.core import HomeAssistant, callback
 from homeassistant.util.async_iterator import AsyncIteratorReader

 from . import BackblazeConfigEntry
 from .const import (
-    CONF_PREFIX,
    DATA_BACKUP_AGENT_LISTENERS,
    DOMAIN,
    METADATA_FILE_SUFFIX,
@@ -8,6 +8,7 @@ from b2sdk.v2 import exception
 import voluptuous as vol

 from homeassistant.config_entries import ConfigEntry, ConfigFlow, ConfigFlowResult
+from homeassistant.const import CONF_PREFIX
 from homeassistant.helpers import config_validation as cv
 from homeassistant.helpers.selector import (
    TextSelector,
@@ -22,7 +23,6 @@ from .const import (
    CONF_APPLICATION_KEY,
    CONF_BUCKET,
    CONF_KEY_ID,
-    CONF_PREFIX,
    DOMAIN,
 )

@@ -10,7 +10,6 @@ DOMAIN: Final = "backblaze_b2"
 CONF_KEY_ID = "key_id"
 CONF_APPLICATION_KEY = "application_key"
 CONF_BUCKET = "bucket"
-CONF_PREFIX = "prefix"

 DATA_BACKUP_AGENT_LISTENERS: HassKey[list[Callable[[], None]]] = HassKey(
    f"{DOMAIN}.backup_agent_listeners"
@@ -96,7 +96,7 @@ rules:
  entity-translations:
    status: exempt
    comment: This integration does not have entities.
-  exception-translations: done
+  exception-translations: todo
  icon-translations:
    status: exempt
    comment: This integration does not use icons.
@@ -67,6 +67,9 @@
    "cannot_connect": {
      "message": "Cannot connect to endpoint"
    },
+    "invalid_auth": {
+      "message": "Authentication failed using the provided key ID and application key."
+    },
    "invalid_bucket_name": {
      "message": "Bucket does not exist or is not writable by the provided credentials."
    },
@@ -169,6 +169,7 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
        try:
            await self._camera.save_recent_clips(output_dir=file_path)
        except OSError as err:
+            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise ServiceValidationError(
                str(err),
                translation_domain=DOMAIN,
@@ -190,6 +191,7 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
        try:
            await self._camera.video_to_file(filename)
        except OSError as err:
+            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise ServiceValidationError(
                str(err),
                translation_domain=DOMAIN,
@@ -16,6 +16,7 @@ CONF_DETAILS = "details"
 CONF_PASSIVE = "passive"


+# pylint: disable-next=home-assistant-duplicate-const
 CONF_SOURCE: Final = "source"
 CONF_SOURCE_DOMAIN: Final = "source_domain"
 CONF_SOURCE_MODEL: Final = "source_model"
@@ -19,8 +19,8 @@
    "bleak-retry-connector==4.6.0",
    "bluetooth-adapters==2.1.0",
    "bluetooth-auto-recovery==1.5.3",
-    "bluetooth-data-tools==1.28.4",
-    "dbus-fast==4.0.4",
+    "bluetooth-data-tools==1.29.11",
+    "dbus-fast==5.0.0",
    "habluetooth==6.1.0"
  ]
 }
@@ -273,7 +273,7 @@ async def ws_subscribe_scanner_details(

    def _async_registration_changed(registration: HaScannerRegistration) -> None:
        added_event = HaScannerRegistrationEvent.ADDED
-        event_type = "add" if registration.event == added_event else "remove"
+        event_type = "add" if registration.event is added_event else "remove"
        _async_event_message({event_type: [registration.scanner.details]})

    manager = _get_manager(hass)
@@ -6,6 +6,7 @@ from typing import Final
 ATTR_CID: Final = "cid"
 ATTR_MAC: Final = "macAddr"
 ATTR_MANUFACTURER: Final = "Sony"
+# pylint: disable-next=home-assistant-duplicate-const
 ATTR_MODEL: Final = "model"

 CONF_NICKNAME: Final = "nickname"
@@ -183,8 +183,8 @@ class BSBLANClimate(BSBLanCircuitEntity, ClimateEntity):
        try:
            await self.coordinator.client.thermostat(**data, circuit=self._circuit)
        except BSBLANError as err:
+            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise HomeAssistantError(
-                "An error occurred while updating the BSBLAN device",
                translation_domain=DOMAIN,
                translation_key="set_data_error",
            ) from err
@@ -8,7 +8,7 @@
  "iot_class": "local_polling",
  "loggers": ["bsblan"],
  "quality_scale": "silver",
-  "requirements": ["python-bsblan==5.2.1"],
+  "requirements": ["python-bsblan==6.0.1"],
  "zeroconf": [
    {
      "name": "bsb-lan*",
@@ -8,6 +8,7 @@ from bsblan import BSBLANError, DaySchedule, DHWSchedule, TimeSlot
 import voluptuous as vol

 from homeassistant.config_entries import ConfigEntryState
+from homeassistant.const import ATTR_DEVICE_ID
 from homeassistant.core import HomeAssistant, ServiceCall, callback
 from homeassistant.exceptions import HomeAssistantError, ServiceValidationError
 from homeassistant.helpers import config_validation as cv, device_registry as dr
@@ -20,7 +21,6 @@ if TYPE_CHECKING:

 LOGGER = logging.getLogger(__name__)

-ATTR_DEVICE_ID = "device_id"
 ATTR_MONDAY_SLOTS = "monday_slots"
 ATTR_TUESDAY_SLOTS = "tuesday_slots"
 ATTR_WEDNESDAY_SLOTS = "wednesday_slots"
@@ -158,7 +158,10 @@ def process_service_info(
            )

    # If payload is encrypted and the bindkey is not verified then we need to reauth
-    if data.encryption_scheme != EncryptionScheme.NONE and not data.bindkey_verified:
+    if (
+        data.encryption_scheme is not EncryptionScheme.NONE
+        and not data.bindkey_verified
+    ):
        entry.async_start_reauth(hass, data={"device": data})

    return update
@@ -59,7 +59,7 @@ class BTHomeConfigFlow(ConfigFlow, domain=DOMAIN):
        self._discovery_info = discovery_info
        self._discovered_device = device

-        if device.encryption_scheme == EncryptionScheme.BTHOME_BINDKEY:
+        if device.encryption_scheme is EncryptionScheme.BTHOME_BINDKEY:
            return await self.async_step_get_encryption_key()
        return await self.async_step_bluetooth_confirm()

@@ -125,7 +125,7 @@ class BTHomeConfigFlow(ConfigFlow, domain=DOMAIN):
            self._discovery_info = discovery.discovery_info
            self._discovered_device = discovery.device

-            if discovery.device.encryption_scheme == EncryptionScheme.BTHOME_BINDKEY:
+            if discovery.device.encryption_scheme is EncryptionScheme.BTHOME_BINDKEY:
                return await self.async_step_get_encryption_key()

            return self._async_get_or_create_entry()
@@ -164,7 +164,7 @@ class BTHomeConfigFlow(ConfigFlow, domain=DOMAIN):

        self._discovery_info = device.last_service_info

-        if device.encryption_scheme == EncryptionScheme.BTHOME_BINDKEY:
+        if device.encryption_scheme is EncryptionScheme.BTHOME_BINDKEY:
            return await self.async_step_get_encryption_key()

        # Otherwise there wasn't actually encryption so abort
@@ -17,6 +17,8 @@ from homeassistant.const import (
 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import ConfigEntryAuthFailed, ConfigEntryNotReady

+from .const import TIMEOUT
+
 type CalDavConfigEntry = ConfigEntry[caldav.DAVClient]

 _LOGGER = logging.getLogger(__name__)
@@ -32,7 +34,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: CalDavConfigEntry) -> bo
        username=entry.data[CONF_USERNAME],
        password=entry.data[CONF_PASSWORD],
        ssl_verify_cert=entry.data[CONF_VERIFY_SSL],
-        timeout=30,
+        timeout=TIMEOUT,
    )
    try:
        await hass.async_add_executor_job(client.principal)
@@ -43,6 +45,8 @@ async def async_setup_entry(hass: HomeAssistant, entry: CalDavConfigEntry) -> bo
        # on some other unexpected server response.
        _LOGGER.warning("Unexpected CalDAV server response: %s", err)
        return False
+    except requests.Timeout as err:
+        raise ConfigEntryNotReady("Timeout connecting to CalDAV server") from err
    except requests.ConnectionError as err:
        raise ConfigEntryNotReady("Connection error from CalDAV server") from err
    except DAVError as err:
@@ -38,6 +38,7 @@ from homeassistant.helpers.update_coordinator import CoordinatorEntity

 from . import CalDavConfigEntry
 from .api import async_get_calendars
+from .const import TIMEOUT
 from .coordinator import CalDavUpdateCoordinator

 _LOGGER = logging.getLogger(__name__)
@@ -91,7 +92,12 @@ async def async_setup_platform(
    days = config[CONF_DAYS]

    client = caldav.DAVClient(
-        url, None, username, password, ssl_verify_cert=config[CONF_VERIFY_SSL]
+        url,
+        None,
+        username,
+        password,
+        ssl_verify_cert=config[CONF_VERIFY_SSL],
+        timeout=TIMEOUT,
    )

    calendars = await async_get_calendars(hass, client, SUPPORTED_COMPONENT)
@@ -231,7 +237,7 @@ class WebDavCalendarEntity(CoordinatorEntity[CalDavUpdateCoordinator], CalendarE
            await self.hass.async_add_executor_job(
                partial(self.coordinator.calendar.add_event, **item_data),
            )
-        except (requests.ConnectionError, DAVError) as err:
+        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
            raise HomeAssistantError(f"CalDAV save error: {err}") from err

    @callback
@@ -13,7 +13,7 @@ from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
 from homeassistant.const import CONF_PASSWORD, CONF_URL, CONF_USERNAME, CONF_VERIFY_SSL
 from homeassistant.helpers import config_validation as cv

-from .const import DOMAIN
+from .const import DOMAIN, TIMEOUT

 _LOGGER = logging.getLogger(__name__)

@@ -65,6 +65,7 @@ class CalDavConfigFlow(ConfigFlow, domain=DOMAIN):
            username=user_input[CONF_USERNAME],
            password=user_input[CONF_PASSWORD],
            ssl_verify_cert=user_input[CONF_VERIFY_SSL],
+            timeout=TIMEOUT,
        )
        try:
            await self.hass.async_add_executor_job(client.principal)
@@ -75,6 +76,9 @@ class CalDavConfigFlow(ConfigFlow, domain=DOMAIN):
            # AuthorizationError can be raised if the url is incorrect or
            # on some other unexpected server response.
            return "cannot_connect"
+        except requests.Timeout as err:
+            _LOGGER.warning("Timeout connecting to CalDAV server: %s", err)
+            return "cannot_connect"
        except requests.ConnectionError as err:
            _LOGGER.warning("Connection Error connecting to CalDAV server: %s", err)
            return "cannot_connect"
@@ -3,3 +3,4 @@
 from typing import Final

 DOMAIN: Final = "caldav"
+TIMEOUT: Final = 30
@@ -138,7 +138,7 @@ class WebDavTodoListEntity(TodoListEntity):
            )
            # refreshing async otherwise it would take too much time
            self.hass.async_create_task(self.async_update_ha_state(force_refresh=True))
-        except (requests.ConnectionError, DAVError) as err:
+        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
            raise HomeAssistantError(f"CalDAV save error: {err}") from err

    async def async_update_todo_item(self, item: TodoItem) -> None:
@@ -150,7 +150,7 @@ class WebDavTodoListEntity(TodoListEntity):
            )
        except NotFoundError as err:
            raise HomeAssistantError(f"Could not find To-do item {uid}") from err
-        except (requests.ConnectionError, DAVError) as err:
+        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
            raise HomeAssistantError(f"CalDAV lookup error: {err}") from err
        vtodo = todo.icalendar_component  # type: ignore[attr-defined]
        vtodo["SUMMARY"] = item.summary or ""
@@ -174,7 +174,7 @@ class WebDavTodoListEntity(TodoListEntity):
            )
            # refreshing async otherwise it would take too much time
            self.hass.async_create_task(self.async_update_ha_state(force_refresh=True))
-        except (requests.ConnectionError, DAVError) as err:
+        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
            raise HomeAssistantError(f"CalDAV save error: {err}") from err

    async def async_delete_todo_items(self, uids: list[str]) -> None:
@@ -188,14 +188,14 @@ class WebDavTodoListEntity(TodoListEntity):
            items = await asyncio.gather(*tasks)
        except NotFoundError as err:
            raise HomeAssistantError("Could not find To-do item") from err
-        except (requests.ConnectionError, DAVError) as err:
+        except (requests.ConnectionError, requests.Timeout, DAVError) as err:
            raise HomeAssistantError(f"CalDAV lookup error: {err}") from err

        # Run serially as some CalDAV servers do not support concurrent modifications
        for item in items:
            try:
                await self.hass.async_add_executor_job(item.delete)
-            except (requests.ConnectionError, DAVError) as err:
+            except (requests.ConnectionError, requests.Timeout, DAVError) as err:
                raise HomeAssistantError(f"CalDAV delete error: {err}") from err
        # refreshing async otherwise it would take too much time
        self.hass.async_create_task(self.async_update_ha_state(force_refresh=True))
@@ -13,6 +13,7 @@ if TYPE_CHECKING:
 DOMAIN = "calendar"
 DATA_COMPONENT: HassKey[EntityComponent[CalendarEntity]] = HassKey(DOMAIN)

+# pylint: disable-next=home-assistant-duplicate-const
 CONF_EVENT = "event"


@@ -7,6 +7,7 @@ from homeassistant.const import CONF_ADDRESS, Platform
 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import ConfigEntryNotReady

+from .const import DOMAIN
 from .coordinator import CasperGlowConfigEntry, CasperGlowCoordinator

 PLATFORMS: list[Platform] = [
@@ -24,7 +25,9 @@ async def async_setup_entry(hass: HomeAssistant, entry: CasperGlowConfigEntry) -
    ble_device = bluetooth.async_ble_device_from_address(hass, address.upper(), True)
    if not ble_device:
        raise ConfigEntryNotReady(
-            f"Could not find Casper Glow device with address {address}"
+            translation_domain=DOMAIN,
+            translation_key="device_not_found",
+            translation_placeholders={"address": address},
        )

    glow = CasperGlow(ble_device)
@@ -54,6 +54,9 @@
  "exceptions": {
    "communication_error": {
      "message": "An error occurred while communicating with the Casper Glow: {error}"
+    },
+    "device_not_found": {
+      "message": "Could not find Casper Glow device with address {address}"
    }
  }
 }
@@ -9,7 +9,6 @@ from homeassistant.config_entries import ConfigFlow, ConfigFlowResult, OptionsFl
 from homeassistant.const import CONF_UUID
 from homeassistant.core import callback
 from homeassistant.data_entry_flow import SectionConfig, section
-from homeassistant.helpers import config_validation as cv
 from homeassistant.helpers.selector import SelectSelector, SelectSelectorConfig
 from homeassistant.helpers.service_info.zeroconf import ZeroconfServiceInfo

@@ -19,7 +18,6 @@ if TYPE_CHECKING:
    from . import CastConfigEntry

 CONF_MORE_OPTIONS = "more_options"
-IGNORE_CEC_SCHEMA = vol.Schema(vol.All(cv.ensure_list, [cv.string]))
 KNOWN_HOSTS_SCHEMA = vol.Schema(
    {
        vol.Optional(
@@ -42,7 +40,6 @@ OPTIONS_SCHEMA = KNOWN_HOSTS_SCHEMA.extend(
        )
    }
 )
-WANTED_UUID_SCHEMA = vol.Schema(vol.All(cv.ensure_list, [cv.string]))


 class FlowHandler(ConfigFlow, domain=DOMAIN):
@@ -111,62 +108,50 @@ class CastOptionsFlowHandler(OptionsFlow):
        self, user_input: dict[str, Any] | None = None
    ) -> ConfigFlowResult:
        """Manage the Google Cast options."""
-        errors: dict[str, str] = {}
        if user_input is not None:
-            bad_cec, ignore_cec = _string_to_list(
-                user_input[CONF_MORE_OPTIONS].get(CONF_IGNORE_CEC, ""),
-                IGNORE_CEC_SCHEMA,
+            ignore_cec = _string_to_list(
+                user_input[CONF_MORE_OPTIONS].get(CONF_IGNORE_CEC, "")
            )
-            bad_uuid, wanted_uuid = _string_to_list(
-                user_input[CONF_MORE_OPTIONS].get(CONF_UUID, ""), WANTED_UUID_SCHEMA
+            known_hosts = _trim_items(user_input.get(CONF_KNOWN_HOSTS, []))
+            wanted_uuid = _string_to_list(
+                user_input[CONF_MORE_OPTIONS].get(CONF_UUID, "")
            )
-            if not bad_cec and not bad_uuid:
-                known_hosts = _trim_items(user_input.get(CONF_KNOWN_HOSTS, []))
-                updated_config = dict(self.config_entry.data)
-                updated_config[CONF_IGNORE_CEC] = ignore_cec
-                updated_config[CONF_KNOWN_HOSTS] = known_hosts
-                updated_config[CONF_UUID] = wanted_uuid
+            updated_config = dict(self.config_entry.data)
+            updated_config[CONF_IGNORE_CEC] = ignore_cec
+            updated_config[CONF_KNOWN_HOSTS] = known_hosts
+            updated_config[CONF_UUID] = wanted_uuid

-                self.hass.config_entries.async_update_entry(
-                    self.config_entry, data=updated_config
-                )
-                return self.async_create_entry(title="", data={})
-            suggested: dict[str, Any] = user_input
-        else:
-            suggested = {CONF_MORE_OPTIONS: {}}
-            if CONF_KNOWN_HOSTS in self.config_entry.data:
-                suggested[CONF_KNOWN_HOSTS] = self.config_entry.data[CONF_KNOWN_HOSTS]
-            for key in (CONF_UUID, CONF_IGNORE_CEC):
-                if key not in self.config_entry.data:
-                    continue
-                suggested[CONF_MORE_OPTIONS][key] = _list_to_string(
-                    self.config_entry.data[key]
-                )
+            self.hass.config_entries.async_update_entry(
+                self.config_entry, data=updated_config
+            )
+            return self.async_create_entry(title="", data={})
+
+        suggested: dict[str, Any] = {CONF_MORE_OPTIONS: {}}
+        if CONF_KNOWN_HOSTS in self.config_entry.data:
+            suggested[CONF_KNOWN_HOSTS] = self.config_entry.data[CONF_KNOWN_HOSTS]
+        for key in (CONF_UUID, CONF_IGNORE_CEC):
+            if key not in self.config_entry.data:
+                continue
+            suggested[CONF_MORE_OPTIONS][key] = _list_to_string(
+                self.config_entry.data[key]
+            )

        return self.async_show_form(
            step_id="init",
            data_schema=self.add_suggested_values_to_schema(OPTIONS_SCHEMA, suggested),
-            errors=errors,
            last_step=True,
        )


-def _list_to_string(items):
+def _list_to_string(items: list[str]) -> str:
    comma_separated_string = ""
    if items:
        comma_separated_string = ",".join(items)
    return comma_separated_string


-def _string_to_list(string, schema):
-    invalid = False
-    items = [x.strip() for x in string.split(",") if x.strip()]
-    try:
-        items = schema(items)
-    except vol.Invalid:
-        invalid = True
-
-    return invalid, items
+def _string_to_list(string: str) -> list[str]:
+    return [x.strip() for x in string.split(",") if x.strip()]


 def _trim_items(items: list[str]) -> list[str]:
@@ -24,9 +24,6 @@
    }
  },
  "options": {
-    "error": {
-      "invalid_known_hosts": "[%key:component::cast::config::error::invalid_known_hosts%]"
-    },
    "step": {
      "init": {
        "data": {
@@ -1,12 +1,11 @@
 """Config flow for the Cert Expiry platform."""

 from collections.abc import Mapping
-import logging
 from typing import Any

 import voluptuous as vol

-from homeassistant.config_entries import SOURCE_IMPORT, ConfigFlow, ConfigFlowResult
+from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
 from homeassistant.const import CONF_HOST, CONF_PORT

 from .const import DEFAULT_PORT, DOMAIN
@@ -19,8 +18,6 @@ from .errors import (
 )
 from .helper import get_cert_expiry_timestamp

-_LOGGER = logging.getLogger(__name__)
-

 class CertexpiryConfigFlow(ConfigFlow, domain=DOMAIN):
    """Handle a config flow."""
@@ -75,9 +72,6 @@ class CertexpiryConfigFlow(ConfigFlow, domain=DOMAIN):
                    title=title,
                    data={CONF_HOST: host, CONF_PORT: port},
                )
-            if self.source == SOURCE_IMPORT:
-                _LOGGER.error("Config import failed for %s", user_input[CONF_HOST])
-                return self.async_abort(reason="import_failed")
        else:
            user_input = {}
            user_input[CONF_HOST] = ""
@@ -95,3 +89,42 @@ class CertexpiryConfigFlow(ConfigFlow, domain=DOMAIN):
            ),
            errors=self._errors,
        )
+
+    async def async_step_reconfigure(
+        self,
+        user_input: Mapping[str, Any] | None = None,
+    ) -> ConfigFlowResult:
+        """Handle reconfiguration of an existing entry."""
+        self._errors = {}
+        reconfigure_entry = self._get_reconfigure_entry()
+
+        if user_input is not None:
+            host = user_input[CONF_HOST]
+            port = user_input.get(CONF_PORT, DEFAULT_PORT)
+
+            if (
+                host != reconfigure_entry.data[CONF_HOST]
+                or port != reconfigure_entry.data[CONF_PORT]
+            ):
+                self._async_abort_entries_match({CONF_HOST: host, CONF_PORT: port})
+
+            if await self._test_connection(user_input):
+                return self.async_update_reload_and_abort(
+                    reconfigure_entry,
+                    data_updates={CONF_HOST: host, CONF_PORT: port},
+                    unique_id=f"{host}:{port}",
+                )
+
+        return self.async_show_form(
+            step_id="reconfigure",
+            data_schema=self.add_suggested_values_to_schema(
+                vol.Schema(
+                    {
+                        vol.Required(CONF_HOST): str,
+                        vol.Required(CONF_PORT, default=DEFAULT_PORT): int,
+                    }
+                ),
+                user_input or reconfigure_entry.data,
+            ),
+            errors=self._errors,
+        )
@@ -2,7 +2,7 @@
  "config": {
    "abort": {
      "already_configured": "[%key:common::config_flow::abort::already_configured_service%]",
-      "import_failed": "Import from config failed"
+      "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]"
    },
    "error": {
      "connection_refused": "Connection refused when connecting to host",
@@ -11,6 +11,13 @@
      "resolve_failed": "This host cannot be resolved"
    },
    "step": {
+      "reconfigure": {
+        "data": {
+          "host": "[%key:common::config_flow::data::host%]",
+          "port": "[%key:common::config_flow::data::port%]"
+        },
+        "title": "Reconfigure the certificate to test"
+      },
      "user": {
        "data": {
          "host": "[%key:common::config_flow::data::host%]",
@@ -17,6 +17,8 @@ from homeassistant.components.sensor import (
 )
 from homeassistant.const import (
    APPLICATION_NAME,
+    ATTR_LATITUDE,
+    ATTR_LONGITUDE,
    CONF_LATITUDE,
    CONF_LONGITUDE,
    CONF_NAME,
@@ -45,8 +47,6 @@ HA_USER_AGENT = (
 )

 ATTR_UID = "uid"
-ATTR_LATITUDE = "latitude"
-ATTR_LONGITUDE = "longitude"
 ATTR_EMPTY_SLOTS = "empty_slots"
 ATTR_FREE_EBIKES = "free_ebikes"
 ATTR_TIMESTAMP = "timestamp"
@@ -29,6 +29,7 @@ BASE_API_URL = "https://rest.clicksend.com/v3"

 HEADERS = {"Content-Type": CONTENT_TYPE_JSON}

+# pylint: disable-next=home-assistant-duplicate-const
 CONF_LANGUAGE = "language"
 CONF_VOICE = "voice"

@@ -32,28 +32,28 @@ set_temperature:
          max: 250
          step: 0.1
          mode: box
-    target_temp_high:
-      filter:
-        supported_features:
-          - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
-      advanced: true
-      selector:
-        number:
-          min: 0
-          max: 250
-          step: 0.1
-          mode: box
-    target_temp_low:
-      filter:
-        supported_features:
-          - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
-      advanced: true
-      selector:
-        number:
-          min: 0
-          max: 250
-          step: 0.1
-          mode: box
+    temperature_range:
+      fields:
+        target_temp_high:
+          filter:
+            supported_features:
+              - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
+          selector:
+            number:
+              min: 0
+              max: 250
+              step: 0.1
+              mode: box
+        target_temp_low:
+          filter:
+            supported_features:
+              - climate.ClimateEntityFeature.TARGET_TEMPERATURE_RANGE
+          selector:
+            number:
+              min: 0
+              max: 250
+              step: 0.1
+              mode: box
    hvac_mode:
      selector:
        state:
@@ -373,7 +373,12 @@
          "name": "Target temperature"
        }
      },
-      "name": "Set thermostat target temperature"
+      "name": "Set thermostat target temperature",
+      "sections": {
+        "temperature_range": {
+          "name": "Temperature range"
+        }
+      }
    },
    "toggle": {
      "description": "Toggles a thermostat on/off.",
@@ -11,6 +11,7 @@ CONF_ACCESS_KEY_ID = "access_key_id"
 CONF_SECRET_ACCESS_KEY = "secret_access_key"
 CONF_ENDPOINT_URL = "endpoint_url"
 CONF_BUCKET = "bucket"
+# pylint: disable-next=home-assistant-duplicate-const
 CONF_PREFIX = "prefix"

 # R2 is S3-compatible. Endpoint should be like:
@@ -94,7 +94,7 @@ rules:
  entity-translations:
    status: exempt
    comment: This integration does not have entities.
-  exception-translations: done
+  exception-translations: todo
  icon-translations:
    status: exempt
    comment: This integration does not use icons.
@@ -6,4 +6,5 @@ ATTR_URL = "color_extract_url"
 DOMAIN = "color_extractor"
 DEFAULT_NAME = "Color extractor"

+# pylint: disable-next=home-assistant-duplicate-const
 SERVICE_TURN_ON = "turn_on"
@@ -110,7 +110,7 @@ class ComelitAlarmEntity(
    @property
    def available(self) -> bool:
        """Return True if alarm is available."""
-        if self._area.human_status == AlarmAreaState.UNKNOWN:
+        if self._area.human_status is AlarmAreaState.UNKNOWN:
            return False
        return super().available

@@ -124,7 +124,7 @@ class ComelitAlarmEntity(
            self._area.human_status,
            self._area.armed,
        )
-        if self._area.human_status == AlarmAreaState.ARMED:
+        if self._area.human_status is AlarmAreaState.ARMED:
            if self._area.armed == ALARM_AREA_ARMED_STATUS[AWAY]:
                return AlarmControlPanelState.ARMED_AWAY
            if self._area.armed == ALARM_AREA_ARMED_STATUS[NIGHT]:
@@ -43,7 +43,7 @@ BINARY_SENSOR_TYPES: Final[tuple[ComelitBinarySensorEntityDescription, ...]] = (
        device_class=BinarySensorDeviceClass.PROBLEM,
        is_on_fn=lambda obj: cast(ComelitVedoAreaObject, obj).anomaly,
        available_fn=lambda obj: (
-            cast(ComelitVedoAreaObject, obj).human_status != AlarmAreaState.UNKNOWN
+            cast(ComelitVedoAreaObject, obj).human_status is not AlarmAreaState.UNKNOWN
        ),
    ),
    ComelitBinarySensorEntityDescription(
@@ -67,7 +67,7 @@ BINARY_SENSOR_TYPES: Final[tuple[ComelitBinarySensorEntityDescription, ...]] = (
        object_type=ALARM_ZONE,
        device_class=BinarySensorDeviceClass.PROBLEM,
        is_on_fn=lambda obj: (
-            cast(ComelitVedoZoneObject, obj).human_status == AlarmZoneState.FAULTY
+            cast(ComelitVedoZoneObject, obj).human_status is AlarmZoneState.FAULTY
        ),
        available_fn=lambda obj: (
            cast(ComelitVedoZoneObject, obj).human_status
@@ -65,6 +65,7 @@ async def validate_input(hass: HomeAssistant, data: dict[str, Any]) -> dict[str,
            translation_placeholders={"error": repr(err)},
        ) from err
    except aiocomelit_exceptions.CannotAuthenticate as err:
+        # pylint: disable-next=home-assistant-exception-placeholder-mismatch
        raise InvalidAuth(
            translation_domain=DOMAIN,
            translation_key="cannot_authenticate",
@@ -166,12 +166,12 @@ class ComelitVedoSensorEntity(
    @property
    def available(self) -> bool:
        """Sensor availability."""
-        return self._zone_object.human_status != AlarmZoneState.UNAVAILABLE
+        return self._zone_object.human_status is not AlarmZoneState.UNAVAILABLE

    @property
    def native_value(self) -> StateType:
        """Sensor value."""
-        if (status := self._zone_object.human_status) == AlarmZoneState.UNKNOWN:
+        if (status := self._zone_object.human_status) is AlarmZoneState.UNKNOWN:
            return None

        return cast(str, status.value)
@@ -10,10 +10,11 @@ from homeassistant.components.notify import (
 )
 from homeassistant.const import CONF_COMMAND
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import HomeAssistantError
 from homeassistant.helpers.typing import ConfigType, DiscoveryInfoType
 from homeassistant.util.process import kill_subprocess

-from .const import CONF_COMMAND_TIMEOUT, LOGGER
+from .const import CONF_COMMAND_TIMEOUT, DOMAIN, LOGGER
 from .utils import create_platform_yaml_not_supported_issue, render_template_args

 _LOGGER = logging.getLogger(__name__)
@@ -66,9 +67,18 @@ class CommandLineNotificationService(BaseNotificationService):
                        proc.returncode,
                        command,
                    )
-            # pylint: disable-next=home-assistant-action-swallowed-exception
-            except subprocess.TimeoutExpired:
-                _LOGGER.error("Timeout for command: %s", command)
+            except subprocess.TimeoutExpired as err:
+                _LOGGER.debug("Timeout for command: %s", command)
                kill_subprocess(proc)
-            except subprocess.SubprocessError:
-                _LOGGER.error("Error trying to exec command: %s", command)
+                raise HomeAssistantError(
+                    translation_domain=DOMAIN,
+                    translation_key="timeout_error",
+                    translation_placeholders={"command": command},
+                ) from err
+            except subprocess.SubprocessError as err:
+                _LOGGER.debug("Error trying to exec command: %s", command)
+                raise HomeAssistantError(
+                    translation_domain=DOMAIN,
+                    translation_key="command_error",
+                    translation_placeholders={"command": command, "error": str(err)},
+                ) from err
@@ -1,8 +1,10 @@
 {
-  "issues": {
-    "platform_yaml_not_supported": {
-      "description": "Platform YAML setup is not supported.\nChange from configuring it using the `{platform}:` key to using the `command_line:` key directly in configuration.yaml and restart Home Assistant to resolve the issue.\nTo see the detailed documentation, select Learn more.",
-      "title": "Platform YAML is not supported in Command Line"
+  "exceptions": {
+    "command_error": {
+      "message": "Error trying to execute command: {command}. Error: {error}"
+    },
+    "timeout_error": {
+      "message": "Timeout trying to execute command: {command}"
    }
  },
  "services": {
@@ -4,7 +4,9 @@ import asyncio

 from homeassistant.core import HomeAssistant
 from homeassistant.exceptions import TemplateError
-from homeassistant.helpers.issue_registry import IssueSeverity, async_create_issue
+from homeassistant.helpers.entity_platform import (
+    async_create_platform_config_not_supported_issue,
+)
 from homeassistant.helpers.template import Template

 from .const import DOMAIN, LOGGER
@@ -98,13 +100,11 @@ def create_platform_yaml_not_supported_issue(
    hass: HomeAssistant, platform_domain: str
 ) -> None:
    """Create an issue when platform yaml is used."""
-    async_create_issue(
+    async_create_platform_config_not_supported_issue(
        hass,
        DOMAIN,
-        f"{platform_domain}_platform_yaml_not_supported",
-        is_fixable=False,
-        severity=IssueSeverity.ERROR,
-        translation_key="platform_yaml_not_supported",
-        translation_placeholders={"platform": platform_domain},
+        platform_domain,
+        yaml_config_under_integration_supported=True,
        learn_more_url="https://www.home-assistant.io/integrations/command_line/",
+        logger=LOGGER,
    )
@@ -91,6 +91,11 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
    """Set up the Compensation sensor."""
    hass.data[DATA_COMPENSATION] = {}

+    # Exit early if no compensations are configured using the compensation: key in configuration.yaml.
+    # This allows us to create an issue if platform: compensation is present in the sensor: section.
+    if DOMAIN not in config:
+        return True
+
    for compensation, conf in config[DOMAIN].items():
        _LOGGER.debug("Setup %s.%s", DOMAIN, compensation)

@@ -8,6 +8,7 @@ import numpy as np
 from homeassistant.components.sensor import (
    ATTR_STATE_CLASS,
    CONF_STATE_CLASS,
+    DOMAIN as SENSOR_DOMAIN,
    SensorEntity,
 )
 from homeassistant.const import (
@@ -31,7 +32,10 @@ from homeassistant.core import (
    State,
    callback,
 )
-from homeassistant.helpers.entity_platform import AddEntitiesCallback
+from homeassistant.helpers.entity_platform import (
+    AddEntitiesCallback,
+    async_create_platform_config_not_supported_issue,
+)
 from homeassistant.helpers.event import async_track_state_change_event
 from homeassistant.helpers.typing import ConfigType, DiscoveryInfoType

@@ -41,6 +45,7 @@ from .const import (
    CONF_PRECISION,
    DATA_COMPENSATION,
    DEFAULT_NAME,
+    DOMAIN,
 )

 _LOGGER = logging.getLogger(__name__)
@@ -58,6 +63,14 @@ async def async_setup_platform(
 ) -> None:
    """Set up the Compensation sensor."""
    if discovery_info is None:
+        async_create_platform_config_not_supported_issue(
+            hass,
+            DOMAIN,
+            SENSOR_DOMAIN,
+            yaml_config_under_integration_supported=True,
+            learn_more_url="https://www.home-assistant.io/integrations/compensation/",
+            logger=_LOGGER,
+        )
        return

    compensation: str = discovery_info[CONF_COMPENSATION]
@@ -16,6 +16,7 @@ PLATFORMS = [
    Platform.NUMBER,
    Platform.SELECT,
    Platform.SENSOR,
+    Platform.SWITCH,
    Platform.WATER_HEATER,
 ]

@@ -279,6 +279,20 @@
          "no_alarm": "mdi:check-circle"
        }
      }
+    },
+    "switch": {
+      "device_on_off": {
+        "default": "mdi:power",
+        "state": {
+          "off": "mdi:power-off"
+        }
+      },
+      "force_dhw": {
+        "default": "mdi:water-boiler",
+        "state": {
+          "off": "mdi:water-boiler-off"
+        }
+      }
    }
  }
 }
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .14.4
 .14.5