Add diagnostics to Yoto

Bump webexpythonsdk to 2.0.6 (#173916 )
Bump hole to 0.9.2 (#173936 )
2026-06-16 17:02:57 +02:00 · 2026-06-16 16:56:10 +02:00 · 2026-06-16 09:50:37 +02:00 · 2026-06-16 09:37:58 +02:00 · 2026-06-16 09:34:44 +02:00 · 2026-06-16 09:22:22 +02:00
1659 changed files with 51440 additions and 47814 deletions
@@ -22,4 +22,4 @@ requirements.txt linguist-generated=true
 requirements_all.txt linguist-generated=true
 requirements_test_pre_commit.txt linguist-generated=true
 script/hassfest/docker/Dockerfile linguist-generated=true
-.github/workflows/*.lock.yml linguist-generated=true
+.github/workflows/*.lock.yml linguist-generated=true merge=ours
@@ -6,6 +6,7 @@

 - Start review comments with a short, one-sentence summary of the suggested fix.
 - Do not comment on code style, formatting or linting issues.
+- Flag comments that over-explain straightforward code, narrate the obvious, or read like AI commentary (multi-sentence justifications for a single line).
 - A Pull Request with a dependency version bump should only contain changes required for the version bump. If the PR includes other changes, request that they are removed from the PR.

 # GitHub Copilot & Claude Code Instructions
@@ -50,4 +51,5 @@ This repository contains the core of Home Assistant, a Python 3 based home autom
 - Integrations with Platinum or Gold level in the Integration Quality Scale reflect a high standard of code quality and maintainability. When looking for examples of something, these are good places to start. The level is indicated in the manifest.json of the integration.
 - When reviewing entity actions, do not suggest extra defensive checks for input fields that are already validated by Home Assistant's service/action schemas and entity selection filters. Suggest additional guards only when data bypasses those validators or is transformed into a less-safe form.
 - When validation guarantees a dict key exists, prefer direct key access (`data["key"]`) instead of `.get("key")` so contract violations are surfaced instead of silently masked.
- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why — non-obvious constraints, surprising behavior, or workarounds — never what.
+- Keep comments concise. Prefer one short line stating the non-obvious constraint, or no comment at all.
+- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why (non-obvious constraints, surprising behavior, or workarounds), never what. Never add comments that justify a change by referencing what the code looked like before.
@@ -14,3 +14,4 @@ updates:
    ignore:
      # Managed by gh aw compile. Version-locked to the gh-aw compiler; do not bump.
      - dependency-name: "github/gh-aw-actions/**"
+      - dependency-name: "github/gh-aw-actions"
@@ -38,7 +38,7 @@ jobs:
      base_image_version: ${{ env.BASE_IMAGE_VERSION }}
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -102,7 +102,7 @@ jobs:
            os: ubuntu-24.04-arm
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -193,7 +193,7 @@ jobs:
          echo "${GITHUB_SHA};${GITHUB_REF};${GITHUB_EVENT_NAME};${GITHUB_ACTOR}" > rootfs/OFFICIAL_IMAGE

      - name: Build base image
-        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        uses: home-assistant/builder/actions/build-image@4de35182ce1e329181bffcbcc84d33db5e2c7e10 # 2026.06.0
        with:
          arch: ${{ matrix.arch }}
          build-args: |
@@ -245,7 +245,7 @@ jobs:
            runs-on: ubuntu-24.04
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -264,7 +264,7 @@ jobs:
          fi

      - name: Build machine image
-        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        uses: home-assistant/builder/actions/build-image@4de35182ce1e329181bffcbcc84d33db5e2c7e10 # 2026.06.0
        with:
          arch: ${{ matrix.arch }}
          build-args: |
@@ -292,7 +292,7 @@ jobs:
      contents: read
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -471,7 +471,7 @@ jobs:
    if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -518,7 +518,7 @@ jobs:
      HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -40,7 +40,7 @@ jobs:
    timeout-minutes: 10
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python
@@ -50,19 +50,24 @@ jobs:
          check-latest: true
      - name: Install script dependencies
        run: pip install -r script/check_requirements/requirements.txt
-      - name: Collect PR diff
+      - name: Collect PR diff and head SHA
+        id: pr
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
        run: |
          mkdir -p deterministic
          gh pr diff "${PR_NUMBER}" > deterministic/pr.diff
+          HEAD_SHA=$(gh pr view "${PR_NUMBER}" --json headRefOid --jq '.headRefOid')
+          echo "head_sha=${HEAD_SHA}" >> "${GITHUB_OUTPUT}"
      - name: Run deterministic checks
        env:
          PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
+          HEAD_SHA: ${{ steps.pr.outputs.head_sha }}
        run: |
          python -m script.check_requirements \
            --pr-number "${PR_NUMBER}" \
+            --head-sha "${HEAD_SHA}" \
            --diff deterministic/pr.diff \
            --output deterministic/results.json
      - name: Upload deterministic-results artifact
@@ -1,5 +1,5 @@
-# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"75b8b624ba0c144fb4b28cba143d16a47c30de8afae568fa3256c6febe01a68a","compiler_version":"v0.74.4","strict":true,"agent_id":"copilot"}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"d3abfe96a194bce3a523ed2093ddedd5704cdf62","version":"v0.74.4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.46"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.9","digest":"sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
+# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"328ce915f8b178bbcfcb1b69f397ac996456a4ab50490805b5b3bdd26cbf58fe","body_hash":"0665c72fe4b0a14b3a0b396dc293ce78235771fe15ebc894662fece33b189135","compiler_version":"v0.79.6","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"v0.79.6","version":"v0.79.6"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2","digest":"sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2","digest":"sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2","digest":"sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.25","digest":"sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa"},{"image":"ghcr.io/github/github-mcp-server:v1.1.2","digest":"sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c","pinned_image":"ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c"}]}
 #    ___                   _   _      
 #   / _ \                 | | (_)     
 #  | |_| | __ _  ___ _ __ | |_ _  ___ 
@@ -14,7 +14,7 @@
 # \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
 #  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
 #
-# This file was automatically generated by gh-aw (v0.74.4). DO NOT EDIT.
+# This file was automatically generated by gh-aw (v0.79.6). DO NOT EDIT.
 #
 # To update this file, edit the corresponding .md file and run:
 #   gh aw compile
@@ -31,20 +31,19 @@
 #   - GITHUB_TOKEN
 #
 # Custom actions used:
-#   - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#   - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 #   - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 #   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 #   - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 #   - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-#   - github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
+#   - github/gh-aw-actions/setup@v0.79.6
 #
 # Container images used:
-#   - ghcr.io/github/gh-aw-firewall/agent:0.25.46
-#   - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46
-#   - ghcr.io/github/gh-aw-firewall/squid:0.25.46
-#   - ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388
-#   - ghcr.io/github/github-mcp-server:v1.0.4
-#   - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
+#   - ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6
+#   - ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4
+#   - ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591
+#   - ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa
+#   - ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c

 name: "Check requirements (AW)"
 on:
@@ -59,15 +58,13 @@ permissions: {}

 concurrency:
  cancel-in-progress: true
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}

 run-name: "Check requirements (AW)"

 jobs:
  activation:
-    needs:
-      - extract_pr_number
-      - pre_activation
+    needs: pre_activation
    # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation
    if: >
      (needs.pre_activation.outputs.activated == 'true') && (github.event_name != 'workflow_run' || github.event.workflow_run.repository.id == github.repository_id &&
@@ -76,9 +73,14 @@ jobs:
    permissions:
      actions: read
      contents: read
+    env:
+      GH_AW_MAX_DAILY_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_DAILY_AI_CREDITS || '5000' }}
    outputs:
      comment_id: ""
      comment_repo: ""
+      daily_effective_workflow_exceeded: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_exceeded == 'true' }}
+      daily_effective_workflow_threshold: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_threshold || '' }}
+      daily_effective_workflow_total_effective_tokens: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_total_effective_tokens || '' }}
      engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
      lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
      model: ${{ steps.generate_aw_info.outputs.model }}
@@ -90,33 +92,35 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
          trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }}
          parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }}
+          safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_AI_CREDITS != '' }}
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Generate agentic run info
        id: generate_aw_info
        env:
          GH_AW_INFO_ENGINE_ID: "copilot"
          GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
-          GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
-          GH_AW_INFO_VERSION: "1.0.48"
-          GH_AW_INFO_AGENT_VERSION: "1.0.48"
-          GH_AW_INFO_CLI_VERSION: "v0.74.4"
+          GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AGENT_VERSION: "1.0.60"
+          GH_AW_INFO_CLI_VERSION: "v0.79.6"
          GH_AW_INFO_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_INFO_EXPERIMENTAL: "false"
          GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
          GH_AW_INFO_STAGED: "false"
          GH_AW_INFO_ALLOWED_DOMAINS: '["python"]'
          GH_AW_INFO_FIREWALL_ENABLED: "true"
-          GH_AW_INFO_AWF_VERSION: "v0.25.46"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_AWMG_VERSION: ""
          GH_AW_INFO_FIREWALL_TYPE: "squid"
          GH_AW_COMPILED_STRICT: "true"
@@ -127,18 +131,37 @@ jobs:
            setupGlobals(core, github, context, exec, io, getOctokit);
            const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
            await main(core, context);
+      - name: Check daily workflow token guardrail
+        id: daily-effective-workflow-guardrail
+        if: ${{ env.GH_AW_MAX_DAILY_AI_CREDITS != '' }}
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_ID: "check-requirements"
+          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          GH_AW_WORKFLOW_DISPATCH_AW_CONTEXT: ${{ github.event.inputs.aw_context || '' }}
+          GH_AW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_AW_MAX_DAILY_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_DAILY_AI_CREDITS || '5000' }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_daily_aic_workflow_guardrail.cjs');
+            await main();
      - name: Validate COPILOT_GITHUB_TOKEN secret
        id: validate-secret
        run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
        env:
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
      - name: Checkout .github and .agents folders
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
          sparse-checkout: |
            .github
            .agents
+            .antigravity
            .claude
            .codex
            .crush
@@ -149,8 +172,8 @@ jobs:
          fetch-depth: 1
      - name: Save agent config folders for base branch restoration
        env:
-          GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
-          GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
+          GH_AW_AGENT_FOLDERS: ".agents .antigravity .claude .codex .crush .gemini .github .opencode .pi"
+          GH_AW_AGENT_FILES: ".crush.json AGENTS.md ANTIGRAVITY.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
        # poutine:ignore untrusted_checkout_exec
        run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"
      - name: Check workflow lock file
@@ -168,7 +191,7 @@ jobs:
      - name: Check compile-agentic version
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
-          GH_AW_COMPILED_VERSION: "v0.74.4"
+          GH_AW_COMPILED_VERSION: "v0.79.6"
        with:
          script: |
            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
@@ -191,20 +214,20 @@ jobs:
        run: |
          bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
          {
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          <system>
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
          cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          <safe-output-tools>
          Tools: add_comment, missing_tool, missing_data, noop
          </safe-output-tools>
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          <github-context>
          The following GitHub context information is available for this workflow:
          {{#if github.actor}}
@@ -233,12 +256,12 @@ jobs:
          {{/if}}
          </github-context>
          
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
+          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
          </system>
          {{#runtime-import .github/workflows/check-requirements.md}}
-          GH_AW_PROMPT_198418d99edc7d5b_EOF
+          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
          } > "$GH_AW_PROMPT"
      - name: Interpolate variables and render templates
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -306,12 +329,15 @@ jobs:
          include-hidden-files: true
          path: |
            /tmp/gh-aw/aw_info.json
+            /tmp/gh-aw/model_multipliers.json
+            /tmp/gh-aw/models.json
            /tmp/gh-aw/aw-prompts/prompt.txt
            /tmp/gh-aw/aw-prompts/prompt-template.txt
            /tmp/gh-aw/aw-prompts/prompt-import-tree.json
            /tmp/gh-aw/github_rate_limits.jsonl
            /tmp/gh-aw/base
            /tmp/gh-aw/.github/agents
+            /tmp/gh-aw/.github/skills
          if-no-files-found: ignore
          retention-days: 1

@@ -319,14 +345,16 @@ jobs:
    needs:
      - activation
      - extract_pr_number
+      - gate
+    if: needs.activation.outputs.daily_effective_workflow_exceeded != 'true'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
-      issues: read
      pull-requests: read
    concurrency:
      group: "gh-aw-copilot-${{ github.workflow }}"
+      queue: max
    env:
      DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
      GH_AW_ASSETS_ALLOWED_EXTS: ""
@@ -335,24 +363,27 @@ jobs:
      GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
      GH_AW_WORKFLOW_ID_SANITIZED: checkrequirements
    outputs:
-      agentic_engine_timeout: ${{ steps.detect-copilot-errors.outputs.agentic_engine_timeout || 'false' }}
+      agentic_engine_timeout: ${{ steps.detect-agent-errors.outputs.agentic_engine_timeout || 'false' }}
+      ai_credits_rate_limit_error: ${{ steps.parse-mcp-gateway.outputs.ai_credits_rate_limit_error || 'false' }}
+      aic: ${{ steps.parse-mcp-gateway.outputs.aic }}
+      ambient_context: ${{ steps.parse-mcp-gateway.outputs.ambient_context }}
      checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
      effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
-      effective_tokens_rate_limit_error: ${{ steps.parse-mcp-gateway.outputs.effective_tokens_rate_limit_error || 'false' }}
      has_patch: ${{ steps.collect_output.outputs.has_patch }}
-      inference_access_error: ${{ steps.detect-copilot-errors.outputs.inference_access_error || 'false' }}
-      mcp_policy_error: ${{ steps.detect-copilot-errors.outputs.mcp_policy_error || 'false' }}
+      inference_access_error: ${{ steps.detect-agent-errors.outputs.inference_access_error || 'false' }}
+      mcp_policy_error: ${{ steps.detect-agent-errors.outputs.mcp_policy_error || 'false' }}
      model: ${{ needs.activation.outputs.model }}
-      model_not_supported_error: ${{ steps.detect-copilot-errors.outputs.model_not_supported_error || 'false' }}
+      model_not_supported_error: ${{ steps.detect-agent-errors.outputs.model_not_supported_error || 'false' }}
      output: ${{ steps.collect_output.outputs.output }}
      output_types: ${{ steps.collect_output.outputs.output_types }}
      setup-parent-span-id: ${{ steps.setup.outputs.parent-span-id || steps.setup.outputs.span-id }}
      setup-span-id: ${{ steps.setup.outputs.span-id }}
      setup-trace-id: ${{ steps.setup.outputs.trace-id }}
+      unknown_model_ai_credits: ${{ steps.parse-mcp-gateway.outputs.unknown_model_ai_credits || 'false' }}
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -361,7 +392,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Set runtime paths
        id: set-runtime-paths
@@ -372,7 +404,7 @@ jobs:
            echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json"
          } >> "$GITHUB_OUTPUT"
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Create gh-aw temp directory
@@ -406,7 +438,7 @@ jobs:
      - name: Checkout PR branch
        id: checkout-pr
        if: |
-          github.event.pull_request || github.event.issue.pull_request
+          github.event.pull_request || github.event.issue.pull_request || github.event_name == 'workflow_dispatch' && fromJSON(github.event.inputs.aw_context || '{}').item_type == 'pull_request'
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@@ -418,11 +450,11 @@ jobs:
            const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
            await main();
      - name: Install GitHub Copilot CLI
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.48
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.60
        env:
          GH_HOST: github.com
      - name: Install AWF binary
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.2
      - name: Parse integrity filter lists
        id: parse-guard-vars
        env:
@@ -438,24 +470,28 @@ jobs:
      - name: Restore agent config folders from base branch
        if: steps.checkout-pr.outcome == 'success'
        env:
-          GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
-          GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
+          GH_AW_AGENT_FOLDERS: ".agents .antigravity .claude .codex .crush .gemini .github .opencode .pi"
+          GH_AW_AGENT_FILES: ".crush.json AGENTS.md ANTIGRAVITY.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
        run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_base_github_folders.sh"
      - name: Restore inline sub-agents from activation artifact
        env:
          GH_AW_SUB_AGENT_DIR: ".github/agents"
          GH_AW_SUB_AGENT_EXT: ".agent.md"
        run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh"
+      - name: Restore inline skills from activation artifact
+        env:
+          GH_AW_SKILL_DIR: ".github/skills"
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh"
      - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.46 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46 ghcr.io/github/gh-aw-firewall/squid:0.25.46 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6 ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4 ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591 ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c
      - name: Generate Safe Outputs Config
        run: |
          mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
          mkdir -p /tmp/gh-aw/safeoutputs
          mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF'
+          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_f496a449c5dccca1_EOF'
          {"add_comment":{"max":1,"target":"${{ needs.extract_pr_number.outputs.pr_number }}"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF
+          GH_AW_SAFE_OUTPUTS_CONFIG_f496a449c5dccca1_EOF
      - name: Generate Safe Outputs Tools
        env:
          GH_AW_TOOLS_META_JSON: |
@@ -643,21 +679,21 @@ jobs:
            * ) DOCKER_SOCK_PATH=/var/run/docker.sock ;;
          esac
          DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0')
-          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9'
+          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.25'
          
          mkdir -p /home/runner/.copilot
          GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
-          cat << GH_AW_MCP_CONFIG_175174907e5a28b4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+          cat << GH_AW_MCP_CONFIG_f09adf73c5e58a42_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
          {
            "mcpServers": {
              "github": {
                "type": "stdio",
-                "container": "ghcr.io/github/github-mcp-server:v1.0.4",
+                "container": "ghcr.io/github/github-mcp-server:v1.1.2",
                "env": {
                  "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
                  "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
                  "GITHUB_READ_ONLY": "1",
-                  "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,actions"
+                  "GITHUB_TOOLSETS": "repos,pull_requests"
                },
                "guard-policies": {
                  "allow-only": {
@@ -691,7 +727,7 @@ jobs:
              "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
            }
          }
-          GH_AW_MCP_CONFIG_175174907e5a28b4_EOF
+          GH_AW_MCP_CONFIG_f09adf73c5e58a42_EOF
      - name: Mount MCP servers as CLIs
        id: mount-mcp-clis
        continue-on-error: true
@@ -720,29 +756,48 @@ jobs:
        run: |
          set -o pipefail
          printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt
+          trap 'rm -f /home/runner/.copilot/settings.json' EXIT
+          mkdir -p /home/runner/.copilot
+          printf '%s' '{"builtInAgents":{"rubberDuck":false}}' > /home/runner/.copilot/settings.json
          touch /tmp/gh-aw/agent-step-summary.md
          GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
          export GH_AW_NODE_BIN
+          export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK"
          (umask 177 && touch /tmp/gh-aw/agent-stdio.log)
-          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.46/awf-config.schema.json","network":{"allowDomains":["*.pythonhosted.org","anaconda.org","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","binstar.org","bootstrap.pypa.io","conda.anaconda.org","conda.binstar.org","files.pythonhosted.org","github.com","host.docker.internal","pip.pypa.io","pypi.org","pypi.python.org","raw.githubusercontent.com","registry.npmjs.org","repo.anaconda.com","repo.continuum.io","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000,"models":{"auto":["large"],"coding":["copilot/gpt-5*codex*","openai/gpt-5*codex*","gpt-5-codex"],"deep-research":["copilot/deep-research*","copilot/o3-deep-research*","copilot/o4-mini-deep-research*","google/deep-research*","gemini/deep-research*","openai/o3-deep-research*","openai/o4-mini-deep-research*"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*","gemini/gemini-*flash*"],"gemini-flash-lite":["copilot/gemini-*flash*lite*","google/gemini-*flash*lite*","gemini/gemini-*flash*lite*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*","gemini/gemini-*pro*"],"gemma":["copilot/gemma*","google/gemma*","gemini/gemma*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash-lite"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"],"vision":["copilot/gemini-*image*","gemini/gemini-*image*","copilot/gemini-*flash*","gemini/gemini-*flash*"]}},"container":{"imageTag":"0.25.46"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}"
+          printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.2/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.pythonhosted.org\",\"anaconda.org\",\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"binstar.org\",\"bootstrap.pypa.io\",\"conda.anaconda.org\",\"conda.binstar.org\",\"files.pythonhosted.org\",\"github.com\",\"host.docker.internal\",\"pip.pypa.io\",\"pypi.org\",\"pypi.python.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"repo.anaconda.com\",\"repo.continuum.io\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS},\"models\":{\"agent\":[\"sonnet-6x\",\"gpt-5.4\",\"gpt-5.3\",\"gemini-pro\",\"any\"],\"antigravity\":[\"copilot/antigravity*\",\"google/antigravity*\",\"gemini/antigravity*\"],\"any\":[\"copilot/*\",\"anthropic/*\",\"openai/*\",\"google/*\",\"gemini/*\"],\"claude\":[\"agent\"],\"codex\":[\"agent\"],\"coding\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\",\"gpt-5-codex\"],\"computer-use\":[\"copilot/*computer-use*\",\"google/*computer-use*\",\"gemini/*computer-use*\",\"openai/*computer-use*\"],\"copilot\":[\"agent\"],\"deep-research\":[\"copilot/deep-research*\",\"copilot/o3-deep-research*\",\"copilot/o4-mini-deep-research*\",\"google/deep-research*\",\"gemini/deep-research*\",\"openai/o3-deep-research*\",\"openai/o4-mini-deep-research*\"],\"gemini\":[\"agent\"],\"gemini-3-flash\":[\"copilot/gemini-3*flash*\",\"google/gemini-3*flash*\",\"gemini/gemini-3*flash*\"],\"gemini-3-pro\":[\"copilot/gemini-3*pro*\",\"google/gemini-3*pro*\",\"google/nano-banana*\",\"gemini/gemini-3*pro*\"],\"gemini-3.1-flash\":[\"copilot/gemini-3.1*flash*\",\"google/gemini-3.1*flash*\",\"gemini/gemini-3.1*flash*\"],\"gemini-3.1-pro\":[\"copilot/gemini-3.1*pro*\",\"google/gemini-3.1*pro*\",\"gemini/gemini-3.1*pro*\"],\"gemini-3.5-flash\":[\"copilot/gemini-3.5*flash*\",\"google/gemini-3.5*flash*\",\"gemini/gemini-3.5*flash*\"],\"gemini-flash\":[\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"],\"gemini-flash-lite\":[\"copilot/gemini-*flash*lite*\",\"google/gemini-*flash*lite*\",\"gemini/gemini-*flash*lite*\"],\"gemini-pro\":[\"copilot/gemini-*pro*\",\"google/gemini-*pro*\",\"gemini/gemini-*pro*\"],\"gemma\":[\"copilot/gemma*\",\"google/gemma*\",\"gemini/gemma*\"],\"gpt-5\":[\"copilot/gpt-5*\",\"openai/gpt-5*\"],\"gpt-5-codex\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\"],\"gpt-5-mini\":[\"copilot/gpt-5*mini*\",\"openai/gpt-5*mini*\"],\"gpt-5-nano\":[\"copilot/gpt-5*nano*\",\"openai/gpt-5*nano*\"],\"gpt-5-pro\":[\"copilot/gpt-5*pro*\",\"openai/gpt-5*pro*\"],\"gpt-5.2\":[\"copilot/gpt-5.2*\",\"openai/gpt-5.2*\"],\"gpt-5.3\":[\"copilot/gpt-5.3*\",\"openai/gpt-5.3*\"],\"gpt-5.4\":[\"copilot/gpt-5.4*\",\"openai/gpt-5.4*\"],\"gpt-5.5\":[\"copilot/gpt-5.5*\",\"openai/gpt-5.5*\"],\"haiku\":[\"copilot/*haiku*\",\"anthropic/*haiku*\"],\"large\":[\"sonnet\",\"gpt-5-pro\",\"gpt-5\",\"gemini-pro\"],\"mai-code\":[\"copilot/MAI-Code*\",\"copilot/mai-code*\",\"openai/MAI-Code*\"],\"mini\":[\"haiku\",\"gpt-5-mini\",\"gpt-5-nano\",\"gemini-flash-lite\"],\"nano-banana\":[\"copilot/nano-banana*\",\"google/nano-banana*\",\"gemini/nano-banana*\"],\"opus\":[\"copilot/*opus*\",\"anthropic/*opus*\"],\"opusplan\":[\"opus?effort=high\"],\"reasoning\":[\"copilot/o1*\",\"copilot/o3*\",\"copilot/o4*\",\"openai/o1*\",\"openai/o3*\",\"openai/o4*\"],\"robotics\":[\"copilot/*robotics*\",\"google/*robotics*\",\"gemini/*robotics*\"],\"small\":[\"mini\"],\"small-agent\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash\"],\"sonnet\":[\"copilot/*sonnet*\",\"anthropic/*sonnet*\"],\"sonnet-6x\":[\"copilot/*sonnet-4.5*\",\"copilot/*sonnet-4.6*\",\"copilot/*sonnet-4-5-*\",\"anthropic/*sonnet-4-5-*\",\"copilot/*sonnet-4-6*\",\"anthropic/*sonnet-4-6*\"],\"summarization\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash-lite\",\"mini\"],\"vision\":[\"copilot/gemini-*image*\",\"gemini/gemini-*image*\",\"copilot/gemini-*flash*\",\"gemini/gemini-*flash*\"]}},\"container\":{\"imageTag\":\"0.27.2,squid=sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591,agent=sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6,api-proxy=sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4,cli-proxy=sha256:02f3ec08f32dc26c5427920c6a2e2f3036238fce44802f2f11ef49ed8621b5d0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
+          GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs"
+          cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json"
          GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""
          if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then
            GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"
          fi
+          GH_AW_TOOL_CACHE_MOUNT=""
+          GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"
+          if [ -d "$GH_AW_TOOL_CACHE" ]; then
+            if [[ "$GH_AW_TOOL_CACHE" != /opt/* ]]; then
+              GH_AW_TOOL_CACHE_MOUNT="$GH_AW_TOOL_CACHE:$GH_AW_TOOL_CACHE:ro"
+            fi
+          elif [ -d "/home/runner/work/_tool" ]; then
+            GH_AW_TOOL_CACHE_MOUNT="/home/runner/work/_tool:/home/runner/work/_tool:ro"
+          fi
          # shellcheck disable=SC1003
-          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
+            -- /bin/bash -c 'set +o histexpand; export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
        env:
          AWF_REFLECT_ENABLED: 1
          COPILOT_AGENT_RUNNER_TYPE: STANDALONE
-          COPILOT_API_KEY: dummy-byok-key-for-offline-mode
+          COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
+          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
+          GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }}
          GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
          GH_AW_PHASE: agent
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
          GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
-          GH_AW_VERSION: v0.74.4
+          GH_AW_TIMEOUT_MINUTES: 20
+          GH_AW_VERSION: v0.79.6
          GITHUB_API_URL: ${{ github.api_url }}
          GITHUB_AW: true
          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
@@ -756,12 +811,13 @@ jobs:
          GIT_AUTHOR_NAME: github-actions[bot]
          GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
          GIT_COMMITTER_NAME: github-actions[bot]
+          RUNNER_TEMP: ${{ runner.temp }}
          XDG_CONFIG_HOME: /home/runner
-      - name: Detect Copilot errors
-        id: detect-copilot-errors
+      - name: Detect agent errors
        if: always()
+        id: detect-agent-errors
        continue-on-error: true
-        run: node "${RUNNER_TEMP}/gh-aw/actions/detect_copilot_errors.cjs"
+        run: node "${RUNNER_TEMP}/gh-aw/actions/detect_agent_errors.cjs"
      - name: Configure Git credentials
        env:
          REPO_NAME: ${{ github.repository }}
@@ -939,10 +995,11 @@ jobs:
      - agent
      - detection
      - extract_pr_number
+      - gate
      - safe_outputs
    if: >
      always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
-      needs.activation.outputs.stale_lock_file_failed == 'true')
+      needs.activation.outputs.stale_lock_file_failed == 'true' || needs.activation.outputs.daily_effective_workflow_exceeded == 'true')
    runs-on: ubuntu-slim
    permissions:
      contents: read
@@ -961,7 +1018,7 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -970,7 +1027,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Download agent output artifact
        id: download-agent-output
@@ -986,6 +1044,40 @@ jobs:
          mkdir -p /tmp/gh-aw/
          find "/tmp/gh-aw/" -type f -print
          echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
+      - name: Collect usage artifact files
+        if: always()
+        continue-on-error: true
+        run: |
+          mkdir -p /tmp/gh-aw/usage/agent /tmp/gh-aw/usage/detection
+          echo "Usage artifact source file status:"
+          for file in /tmp/gh-aw/aw-info.jsonl /tmp/gh-aw/agent_usage.jsonl /tmp/gh-aw/detection_usage.jsonl /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl; do
+            [ -f "$file" ] && echo "FOUND: $file" || echo "MISSING: $file"
+          done
+          [ -f /tmp/gh-aw/aw-info.jsonl ] && cp /tmp/gh-aw/aw-info.jsonl /tmp/gh-aw/usage/aw-info.jsonl || true
+          [ -f /tmp/gh-aw/agent_usage.jsonl ] && cp /tmp/gh-aw/agent_usage.jsonl /tmp/gh-aw/usage/agent_usage.jsonl || true
+          [ -f /tmp/gh-aw/detection_usage.jsonl ] && cp /tmp/gh-aw/detection_usage.jsonl /tmp/gh-aw/usage/detection_usage.jsonl || true
+          [ -f /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
+          [ -f /tmp/gh-aw/usage/agent/token_usage.jsonl ] || : > /tmp/gh-aw/usage/agent/token_usage.jsonl
+          [ -f /tmp/gh-aw/usage/detection/token_usage.jsonl ] || : > /tmp/gh-aw/usage/detection/token_usage.jsonl
+          find /tmp/gh-aw/usage -type f -print | sort
+      - name: Upload usage artifact
+        if: always()
+        continue-on-error: true
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: usage
+          path: |
+            /tmp/gh-aw/usage/aw-info.jsonl
+            /tmp/gh-aw/usage/agent_usage.jsonl
+            /tmp/gh-aw/usage/detection_usage.jsonl
+            /tmp/gh-aw/usage/agent/token_usage.jsonl
+            /tmp/gh-aw/usage/detection/token_usage.jsonl
+          if-no-files-found: ignore
      - name: Process no-op messages
        id: noop
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -993,9 +1085,14 @@ jobs:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_NOOP_MAX: "1"
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_NOOP_REPORT_AS_ISSUE: "true"
+          GH_AW_AIC: ${{ needs.agent.outputs.aic }}
+          GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
+          GH_AW_AMBIENT_CONTEXT: ${{ needs.agent.outputs.ambient_context }}
+          GH_AW_WORKFLOW_ID: "check-requirements"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1009,6 +1106,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
          GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
@@ -1026,6 +1124,7 @@ jobs:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1040,6 +1139,7 @@ jobs:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1054,6 +1154,7 @@ jobs:
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
          GH_AW_WORKFLOW_ID: "check-requirements"
@@ -1062,7 +1163,11 @@ jobs:
          GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
          GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
          GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens || '' }}
-          GH_AW_EFFECTIVE_TOKENS_RATE_LIMIT_ERROR: ${{ needs.agent.outputs.effective_tokens_rate_limit_error || 'false' }}
+          GH_AW_AI_CREDITS_RATE_LIMIT_ERROR: ${{ needs.agent.outputs.ai_credits_rate_limit_error || 'false' }}
+          GH_AW_UNKNOWN_MODEL_AI_CREDITS: ${{ needs.agent.outputs.unknown_model_ai_credits || 'false' }}
+          GH_AW_AIC: ${{ needs.agent.outputs.aic }}
+          GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
+          GH_AW_MAX_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}
          GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
          GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }}
          GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
@@ -1070,12 +1175,14 @@ jobs:
          GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
          GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
          GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
+          GH_AW_DAILY_EFFECTIVE_WORKFLOW_EXCEEDED: ${{ needs.activation.outputs.daily_effective_workflow_exceeded }}
+          GH_AW_DAILY_EFFECTIVE_WORKFLOW_TOTAL_EFFECTIVE_TOKENS: ${{ needs.activation.outputs.daily_effective_workflow_total_effective_tokens }}
+          GH_AW_DAILY_EFFECTIVE_WORKFLOW_THRESHOLD: ${{ needs.activation.outputs.daily_effective_workflow_threshold }}
          GH_AW_GROUP_REPORTS: "false"
          GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
          GH_AW_MISSING_TOOL_REPORT_AS_FAILURE: "true"
          GH_AW_MISSING_DATA_REPORT_AS_FAILURE: "true"
          GH_AW_TIMEOUT_MINUTES: "20"
-          GH_AW_MAX_EFFECTIVE_TOKENS: "25000000"
        with:
          github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          script: |
@@ -1094,13 +1201,14 @@ jobs:
    permissions:
      contents: read
    outputs:
+      aic: ${{ steps.parse_detection_token_usage.outputs.aic }}
      detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
      detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
      detection_success: ${{ steps.detection_conclusion.outputs.success }}
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -1109,7 +1217,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Download agent output artifact
        id: download-agent-output
@@ -1127,7 +1236,7 @@ jobs:
          echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
      - name: Checkout repository for patch context
        if: needs.agent.outputs.has_patch == 'true'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      # --- Threat Detection ---
@@ -1136,7 +1245,7 @@ jobs:
          rm -rf /tmp/gh-aw/sandbox/firewall/logs
          rm -rf /tmp/gh-aw/sandbox/firewall/audit
      - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.46 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46 ghcr.io/github/gh-aw-firewall/squid:0.25.46
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6 ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4 ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591
      - name: Check if detection needed
        id: detection_guard
        if: always()
@@ -1161,7 +1270,11 @@ jobs:
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        run: |
          mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
+          rm -f /tmp/gh-aw/agent_usage.json
          cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
+          if [ ! -s /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt ]; then
+            echo "::warning::ERR_VALIDATION: Missing or empty detection context prompt at /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt. Ensure the agent artifact includes /tmp/gh-aw/aw-prompts/prompt.txt. Detection will continue with fallback workflow context."
+          fi
          cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
          for f in /tmp/gh-aw/aw-*.patch; do
            [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
@@ -1195,11 +1308,11 @@ jobs:
          node-version: '24'
          package-manager-cache: false
      - name: Install GitHub Copilot CLI
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.48
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.60
        env:
          GH_HOST: github.com
      - name: Install AWF binary
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.2
      - name: Execute GitHub Copilot CLI
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        continue-on-error: true
@@ -1209,27 +1322,46 @@ jobs:
        run: |
          set -o pipefail
          printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt
+          trap 'rm -f /home/runner/.copilot/settings.json' EXIT
+          mkdir -p /home/runner/.copilot
+          printf '%s' '{"builtInAgents":{"rubberDuck":false}}' > /home/runner/.copilot/settings.json
          touch /tmp/gh-aw/agent-step-summary.md
          GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
          export GH_AW_NODE_BIN
+          export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK"
          (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
-          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.46/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000},"container":{"imageTag":"0.25.46"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}"
+          printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.2/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.2,squid=sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591,agent=sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6,api-proxy=sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4,cli-proxy=sha256:02f3ec08f32dc26c5427920c6a2e2f3036238fce44802f2f11ef49ed8621b5d0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
+          GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs"
+          cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
+          export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json"
          GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""
          if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then
            GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"
          fi
+          GH_AW_TOOL_CACHE_MOUNT=""
+          GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"
+          if [ -d "$GH_AW_TOOL_CACHE" ]; then
+            if [[ "$GH_AW_TOOL_CACHE" != /opt/* ]]; then
+              GH_AW_TOOL_CACHE_MOUNT="$GH_AW_TOOL_CACHE:$GH_AW_TOOL_CACHE:ro"
+            fi
+          elif [ -d "/home/runner/work/_tool" ]; then
+            GH_AW_TOOL_CACHE_MOUNT="/home/runner/work/_tool:/home/runner/work/_tool:ro"
+          fi
          # shellcheck disable=SC1003
-          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
+          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
+            -- /bin/bash -c 'set +o histexpand; GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
        env:
          AWF_REFLECT_ENABLED: 1
          COPILOT_AGENT_RUNNER_TYPE: STANDALONE
-          COPILOT_API_KEY: dummy-byok-key-for-offline-mode
+          COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode
          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || 'claude-sonnet-4.6' }}
+          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
+          GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }}
          GH_AW_PHASE: detection
          GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
-          GH_AW_VERSION: v0.74.4
+          GH_AW_TIMEOUT_MINUTES: 20
+          GH_AW_VERSION: v0.79.6
          GITHUB_API_URL: ${{ github.api_url }}
          GITHUB_AW: true
          GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
@@ -1242,7 +1374,21 @@ jobs:
          GIT_AUTHOR_NAME: github-actions[bot]
          GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
          GIT_COMMITTER_NAME: github-actions[bot]
+          RUNNER_TEMP: ${{ runner.temp }}
          XDG_CONFIG_HOME: /home/runner
+      - name: Parse threat detection token usage for step summary
+        id: parse_detection_token_usage
+        if: always()
+        continue-on-error: true
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        env:
+          GH_AW_TOKEN_USAGE_SUMMARY_TITLE: Threat Detection Token Usage
+        with:
+          script: |
+            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
+            setupGlobals(core, github, context, exec, io, getOctokit);
+            const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
+            await main();
      - name: Upload threat detection log
        if: always() && steps.detection_guard.outputs.run_detection == 'true'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -1284,7 +1430,8 @@ jobs:
            }

  extract_pr_number:
-    if: github.event.workflow_run.conclusion == 'success'
+    needs: gate
+    if: needs.gate.outputs.skip != 'true' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      actions: read
@@ -1295,6 +1442,7 @@ jobs:
      - name: Configure GH_HOST for enterprise compatibility
        id: ghes-host-config
        shell: bash
+        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
        run: |
          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
@@ -1314,6 +1462,77 @@ jobs:
          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"

+  gate:
+    needs: activation
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      pull-requests: read
+
+    outputs:
+      skip: ${{ steps.gate.outputs.skip }}
+    steps:
+      - name: Configure GH_HOST for enterprise compatibility
+        id: ghes-host-config
+        shell: bash
+        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
+        run: |
+          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
+          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
+          GH_HOST="${GITHUB_SERVER_URL#https://}"
+          GH_HOST="${GH_HOST#http://}"
+          echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
+      - name: Download deterministic-results artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          name: check-requirements-deterministic
+          path: /tmp/gate
+          run-id: ${{ github.event.workflow_run.id }}
+      - name: Decide whether requirements changed since the last comment
+        id: gate
+        run: |
+          PR=$(jq -r '.pr_number' /tmp/gate/results.json)
+          HEAD=$(jq -r '.head_sha // empty' /tmp/gate/results.json)
+          if [ -z "${HEAD}" ]; then
+            echo "Artifact has no head_sha; running the agent."
+            exit 0
+          fi
+          # Recover the commit recorded in the most recent requirements-check comment.
+          PRIOR=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR}/comments" \
+            --jq '.[] | select(.body | contains("<!-- requirements-check -->")) | .body' \
+            | grep -oE '<!-- requirements-check-sha: [0-9a-f]{7,40} -->' \
+            | grep -oE '[0-9a-f]{7,40}' | tail -1 || true)
+          if [ -z "${PRIOR}" ]; then
+            echo "No previous comment with a recorded commit; running the agent."
+            exit 0
+          fi
+          if [ "${PRIOR}" = "${HEAD}" ]; then
+            echo "Head ${HEAD} unchanged since the last comment; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            exit 0
+          fi
+          # List files changed between the recorded commit and the current head.
+          # Tracked patterns mirror script/check_requirements/diff.py TRACKED_PATTERNS.
+          CHANGED=$(gh api "repos/${GITHUB_REPOSITORY}/compare/${PRIOR}...${HEAD}" \
+            --jq '.files[].filename' 2>/dev/null) || {
+            echo "Could not compare ${PRIOR}...${HEAD}; running the agent."
+            exit 0
+          }
+          TRACKED=$(printf '%s\n' "${CHANGED}" \
+            | grep -Ex 'requirements.*\.txt|homeassistant/package_constraints\.txt' || true)
+          if [ -z "${TRACKED}" ]; then
+            echo "No tracked requirement files changed since ${PRIOR}; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "Tracked requirement files changed since ${PRIOR}; running the agent:"
+            printf '%s\n' "${TRACKED}"
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
  pre_activation:
    runs-on: ubuntu-slim
    outputs:
@@ -1325,14 +1544,15 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Check team membership for workflow
        id: check_membership
@@ -1360,17 +1580,22 @@ jobs:
      discussions: write
      issues: write
      pull-requests: write
-    timeout-minutes: 15
+    timeout-minutes: 45
    env:
+      GH_AW_AGENT_AIC: ${{ needs.agent.outputs.aic }}
+      GH_AW_AIC: ${{ needs.agent.outputs.aic }}
+      GH_AW_AMBIENT_CONTEXT: ${{ needs.agent.outputs.ambient_context }}
      GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/check-requirements"
      GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
      GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
      GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
      GH_AW_ENGINE_ID: "copilot"
      GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
-      GH_AW_ENGINE_VERSION: "1.0.48"
+      GH_AW_ENGINE_VERSION: "1.0.60"
+      GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
      GH_AW_WORKFLOW_ID: "check-requirements"
      GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
+      GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
    outputs:
      code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
      code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
@@ -1383,7 +1608,7 @@ jobs:
    steps:
      - name: Setup Scripts
        id: setup
-        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
+        uses: github/gh-aw-actions/setup@v0.79.6
        with:
          destination: ${{ runner.temp }}/gh-aw/actions
          job-name: ${{ github.job }}
@@ -1392,7 +1617,8 @@ jobs:
        env:
          GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
          GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_VERSION: "1.0.60"
+          GH_AW_INFO_AWF_VERSION: "v0.27.2"
          GH_AW_INFO_ENGINE_ID: "copilot"
      - name: Download agent output artifact
        id: download-agent-output
@@ -1411,6 +1637,7 @@ jobs:
      - name: Configure GH_HOST for enterprise compatibility
        id: ghes-host-config
        shell: bash
+        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
        run: |
          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
@@ -1422,6 +1649,7 @@ jobs:
        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
+          GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
          GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com"
          GITHUB_SERVER_URL: ${{ github.server_url }}
          GITHUB_API_URL: ${{ github.api_url }}
@@ -6,7 +6,6 @@ on:
 permissions:
  contents: read
  actions: read
-  issues: read
  pull-requests: read
 network:
  allowed:
@@ -14,7 +13,7 @@ network:
 tools:
  web-fetch: {}
  github:
-    toolsets: [default, actions]
+    toolsets: [repos, pull_requests]
    min-integrity: unapproved
 safe-outputs:
  add-comment:
@@ -23,9 +22,69 @@ safe-outputs:
  needs:
    - extract_pr_number
 jobs:
-  extract_pr_number:
+  gate:
+    # Skip the (token-spending) agent when no tracked requirement file changed
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      pull-requests: read
+    outputs:
+      skip: ${{ steps.gate.outputs.skip }}
+    steps:
+      - name: Download deterministic-results artifact
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: check-requirements-deterministic
+          path: /tmp/gate
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Decide whether requirements changed since the last comment
+        id: gate
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          PR=$(jq -r '.pr_number' /tmp/gate/results.json)
+          HEAD=$(jq -r '.head_sha // empty' /tmp/gate/results.json)
+          if [ -z "${HEAD}" ]; then
+            echo "Artifact has no head_sha; running the agent."
+            exit 0
+          fi
+          # Recover the commit recorded in the most recent requirements-check comment.
+          PRIOR=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR}/comments" \
+            --jq '.[] | select(.body | contains("<!-- requirements-check -->")) | .body' \
+            | grep -oE '<!-- requirements-check-sha: [0-9a-f]{7,40} -->' \
+            | grep -oE '[0-9a-f]{7,40}' | tail -1 || true)
+          if [ -z "${PRIOR}" ]; then
+            echo "No previous comment with a recorded commit; running the agent."
+            exit 0
+          fi
+          if [ "${PRIOR}" = "${HEAD}" ]; then
+            echo "Head ${HEAD} unchanged since the last comment; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+            exit 0
+          fi
+          # List files changed between the recorded commit and the current head.
+          # Tracked patterns mirror script/check_requirements/diff.py TRACKED_PATTERNS.
+          CHANGED=$(gh api "repos/${GITHUB_REPOSITORY}/compare/${PRIOR}...${HEAD}" \
+            --jq '.files[].filename' 2>/dev/null) || {
+            echo "Could not compare ${PRIOR}...${HEAD}; running the agent."
+            exit 0
+          }
+          TRACKED=$(printf '%s\n' "${CHANGED}" \
+            | grep -Ex 'requirements.*\.txt|homeassistant/package_constraints\.txt' || true)
+          if [ -z "${TRACKED}" ]; then
+            echo "No tracked requirement files changed since ${PRIOR}; skipping the agent."
+            echo "skip=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "Tracked requirement files changed since ${PRIOR}; running the agent:"
+            printf '%s\n' "${TRACKED}"
+          fi
+  extract_pr_number:
+    needs: gate
+    if: needs.gate.outputs.skip != 'true' && github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
    permissions:
      actions: read
    outputs:
@@ -44,7 +103,7 @@ jobs:
          PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
          echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
  cancel-in-progress: true
 steps:
  - name: Download deterministic-results artifact
@@ -83,296 +142,291 @@ description: >

 # Check requirements (AW)

-You are a code review assistant for the Home Assistant project. The
-deterministic stage has already evaluated every check it can on its own
-and produced an artifact containing the PR number, per-package check
-results, and a pre-rendered comment with placeholders. **Your only job is
-to read that artifact, resolve any `needs_agent` checks, and post the
-final comment.**
+You are a code-review assistant for Home Assistant. The deterministic
+stage already evaluated every check it can and produced an artifact at
+`/tmp/gh-aw/deterministic/results.json`. Your only job is to resolve any
+`needs_agent` checks and post the rendered comment.

-## Step 1 — Read the deterministic-stage artifact
+## Step 1 — Read the artifact

-The deterministic stage uploaded its results to the runner at
-`/tmp/gh-aw/deterministic/results.json`.
+Read the JSON directly for the full schema. Key fields:

-The JSON has this shape:
+- `pr_number`, `needs_agent` (bool), `packages[]`, `rendered_comment`.
+- Each `package`: `name`, `old_version` (`null` if new), `new_version`,
+  `repo_url`, `publisher_kind`, `checks` (keyed by check-kind, each
+  with `status` of `pass`/`warn`/`fail`/`needs_agent` and `details`).
+- `rendered_comment` contains, for each `needs_agent` check, two
+  placeholders to replace:
+  - `{{CHECK_CELL:<pkg>:<kind>}}` → exactly one of `✅`, `☑️`, `⚠️`, `❌`.  The
+    **`security`** check kind uses `☑️` instead of `✅` for the success
+    case — see its section below for why.
+  - `{{CHECK_DETAIL:<pkg>:<kind>}}` → `<icon> <one-line explanation>`
+    (the bullet's `- **<label>**:` prefix is already rendered; replace
+    only the placeholder).

- `pr_number` — the PR being checked. The `add_comment` safe-output is
-  already targeted at this PR (a pre-job extracts `pr_number` from the
-  artifact and the workflow wires it into the safe-output config via
-  `needs.extract_pr_number.outputs.pr_number`), so **you do not need to
-  set `item_number` yourself** — just emit `add_comment` with the
-  rendered body.
- `needs_agent` — `true` iff any package's check needs resolution.
- `packages[]` — one entry per changed package. Each entry has:
-  - `name`, `old_version` (`null` for a newly added package; otherwise the
-    previous pin), `new_version`, `repo_url`, `publisher_kind`.
-  - `checks` — a dict keyed by **check kind** (string). Each value has a
-    `status` (`pass`, `warn`, `fail`, or `needs_agent`) and `details`.
- `rendered_comment` — the final PR comment body, already rendered. For
-  every check whose status is `needs_agent` it contains two placeholders
-  you must replace:
-  - `{{CHECK_CELL:<pkg-name>:<check-kind>}}` — one cell of the summary
-    table. Replace with exactly one of `✅`, `⚠️`, `❌`.
-  - `{{CHECK_DETAIL:<pkg-name>:<check-kind>}}` — the body of one bullet
-    in the package's `<details>` block. Replace with
-    `<icon> <one-line explanation>` (the bullet's leading
-    `- **<label>**:` is already rendered — replace only the placeholder).
-
-You **must not** modify any other content in `rendered_comment`. Do not
-re-evaluate checks that already have a deterministic status. Do not add
-or remove packages.
+Do not modify other content in `rendered_comment`, do not re-evaluate
+deterministic checks, do not add or remove packages. If `needs_agent`
+is `false`, emit `rendered_comment` unchanged.

 ## Step 2 — Resolve each `needs_agent` check

-For each `package` in `packages`:
+For each `(package, check_kind)` with `status == "needs_agent"`, find
+the matching `### Check kind: <check_kind>` section below and follow
+it. If no section matches, emit a single `add_comment` with:

-For each `(check_kind, result)` in `package.checks` where
-`result.status == "needs_agent"`:
+```
+<!-- requirements-check -->
+## Check requirements

-1. Look up `## Check kind: <check_kind>` in the **Check instructions**
-   section below.
-2. **If no matching section exists**: emit a single `add_comment` whose
-   body is:
+❌ Internal error: deterministic artifact contains an unknown check kind
+(`<check_kind>` on `<pkg>`).
+```

-   ```
-   <!-- requirements-check -->
-   ## Check requirements
-
-   ❌ Internal error: the deterministic artifact contains a check kind
-   (`<check_kind>` on package `<pkg-name>`) that this workflow has no
-   instructions for. Update `.github/workflows/check-requirements.md`
-   to add a matching `## Check kind: <check_kind>` section, or remove
-   the kind from the deterministic stage.
-   ```
-
-   Then stop. **Do not improvise** a verdict for an unknown check kind.
-3. Otherwise, follow the instructions in that section. They tell you
-   which icon (✅/⚠️/❌) and one-line explanation to produce.
+Then stop. Do not improvise a verdict.

 ## Step 3 — Post the comment

-1. Replace every `{{CHECK_CELL:…}}` and `{{CHECK_DETAIL:…}}` placeholder
-   in `rendered_comment` with the resolved value.
-2. Emit the resulting markdown using `add_comment` — set `body` to the
-   merged `rendered_comment` verbatim (the leading
-   `<!-- requirements-check -->` marker must be preserved). The PR
-   target is already set by the workflow; do not pass `item_number`.
-
-If the artifact's top-level `needs_agent` is `false` (no checks need
-you), emit `rendered_comment` unchanged.
+Replace every placeholder with the resolved value and emit
+`rendered_comment` via `add_comment`. Preserve the leading
+`<!-- requirements-check -->` marker and the
+`<!-- requirements-check-sha: … -->` marker that follows it — the next
+run reads the recorded commit from it to decide whether anything changed.
+The PR target is already wired; do not pass `item_number`.

 ## Check instructions

 ### Check kind: `repo_public`

-Verify that the package's source repository is publicly reachable.
+`web-fetch` GET `package.repo_url`.
+- 200 + public repo page → ✅ `<repo_url> is publicly accessible.`
+- 4xx/5xx or login redirect → ❌ `Source repository at <repo_url> is
+  not publicly accessible. Home Assistant requires dependencies to
+  have publicly available source code.`
+- Otherwise → ⚠️ with a one-line description.

-1. Read `package.repo_url`.
-2. Use the `web-fetch` tool to GET that URL.
-3. Decide the verdict:
-   - HTTP 200, returns a public repository page → ✅
-     `<repo_url> is publicly accessible.`
-   - HTTP 4xx/5xx, or the response redirects to a login / sign-in page →
-     ❌ `Source repository at <repo_url> is not publicly accessible.
-     Home Assistant requires all dependencies to have publicly available
-     source code.`
-   - Any other inconclusive result → ⚠️ with a one-line description.
-
-If `repo_public` resolves to ❌ for a package, **also** mark that
-package's `release_pipeline` and `async_blocking` cells/details as `—`
-(em dash) and explain `Skipped because the source repository is not
-publicly accessible.` — neither check can be performed without a public
-repo.
+If ❌, also mark this package's `release_pipeline` and `async_blocking`
+cells/details as `—` and explain `Skipped because the source
+repository is not publicly accessible.`.

 ### Check kind: `pr_link`

-Verify the PR description contains the right link for the change.
+Fetch the PR body via the `pull_requests` MCP using `pr_number`. Extract URLs.

-1. Fetch the PR body via the GitHub MCP tool, using the `pr_number`
-   field from the artifact.
-2. Extract all URLs from the body.
-3. For a **new package** (`package.old_version` is `null`):
-   - The PR body must contain a URL that points at `package.repo_url`
-     (any sub-path of the same `owner/repo` on the same host is
-     acceptable). A PyPI link is **not** sufficient.
-   - ✅ if such a URL is present.
-   - ❌ otherwise:
-     `PR description must link to the source repository at <repo_url>.
-     A PyPI page link is not sufficient.`
-4. For a **version bump** (`package.old_version` is not `null`):
-   - The PR body must contain a URL on the same host as
-     `package.repo_url` that references **both** `package.old_version`
-     and `package.new_version` (e.g. a GitHub compare URL
-     `compare/vX...vY`, a release / changelog URL containing both
-     versions, etc.).
-   - ✅ if such a URL is present and the versions match the actual bump.
-   - ❌ otherwise:
-     `PR description should link to a changelog or compare URL on
-     <repo_url> that mentions both <old_version> and <new_version>.`
+- **New package** (`old_version == null`): body must contain a URL
+  pointing at `repo_url`'s `owner/repo` on the same host (any
+  sub-path OK). PyPI is not sufficient.
+  - ✅ if present; otherwise ❌ `PR description must link to the
+    source repository at <repo_url>. A PyPI page link is not
+    sufficient.`
+- **Version bump**: body must contain a URL on the same host as
+  `repo_url` that mentions **both** `old_version` and `new_version`
+  (compare URL, changelog, release page).
+  - ✅ if present and versions match; otherwise ❌ `PR description
+    should link to a changelog or compare URL on <repo_url> that
+    mentions both <old_version> and <new_version>.`

 ### Check kind: `release_pipeline`

-Inspect the upstream project's release / publish CI pipeline.
+Inspect the upstream's publish-to-PyPI CI. Host-specific lookup, same
+rubric:

-For each package needing inspection, determine the source repository
-host from `package.repo_url`, then apply the corresponding checklist.
-
-#### GitHub repositories (`github.com`)
-
-1. List workflows: `GET /repos/{owner}/{repo}/actions/workflows`.
-2. Identify any workflow whose name or filename suggests publishing to
-   PyPI (`release`, `publish`, `pypi`, or `deploy`).
-3. Fetch the workflow file and check:
-   - **Trigger sanity**: triggered by `push` to tags,
-     `release: published`, or `workflow_run` on a release job —
-     **not** solely `workflow_dispatch` with no environment-protection
-     guard.
-   - **OIDC / Trusted Publisher**: look for `id-token: write` and one of
-     `pypa/gh-action-pypi-publish`, `actions/attest-build-provenance`,
-     or `TWINE_PASSWORD` from a static `secrets.PYPI_TOKEN`.
-   - **No manual upload bypass**: no ungated `twine upload` or
-     `pip upload`.
-4. Verdict:
-   - ✅ if OIDC + sane triggers + no bypass.
-   - ⚠️ if static token but version bump, or details unclear.
-   - ❌ if static token on a new package, or only-manual triggers with
-     no environment protection.
-
-#### GitLab repositories (`gitlab.com` or self-hosted GitLab)
-
-1. Resolve the project ID via
-   `GET https://gitlab.com/api/v4/projects/{url-encoded-namespace-and-name}`.
-2. Fetch `.gitlab-ci.yml` via
-   `GET https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
-3. Apply the same conceptual checks: tag-only / protected-branch
-   triggers, GitLab OIDC `id_tokens` or CI/CD protected `PYPI_TOKEN`, no
-   ungated `twine upload`. Same verdict rules as GitHub.
-
-#### Other code hosting providers (Bitbucket, Codeberg, Gitea, Sourcehut, …)
-
-1. Use `web-fetch` to retrieve any visible CI configuration
-   (`.circleci/config.yml`, `Jenkinsfile`, `azure-pipelines.yml`,
-   `bitbucket-pipelines.yml`, `.builds/*.yml`).
-2. Apply the conceptual checks: automated triggers, CI-injected
-   credentials, no manual `twine upload`.
-3. If no CI config can be retrieved: ⚠️ `Release pipeline could not be
-   inspected; hosting provider is not GitHub or GitLab.`
+1. Locate the publish workflow / job (name or filename contains
+   `release`, `publish`, `pypi`, or `deploy`).
+   - GitHub: list `.github/workflows/` via the `repos` MCP, pick the
+     promising file by name, fetch its contents.
+   - GitLab: fetch `.gitlab-ci.yml` from the default ref via
+     `https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
+   - Other hosts: `web-fetch` an obvious CI config
+     (`.circleci/config.yml`, `bitbucket-pipelines.yml`, etc.).
+2. Apply this rubric:
+   - **Trigger**: tag push / `release: published` / protected branch —
+     not solely manual dispatch without an environment guard.
+   - **Credentials**: OIDC (`id-token: write` +
+     `pypa/gh-action-pypi-publish` or equivalent) preferred; static
+     `PYPI_TOKEN` from a CI secret acceptable for a bump.
+   - **No bypass**: no ungated `twine upload` / `pip upload`.
+3. Verdict:
+   - ✅ — OIDC + sane triggers + no bypass.
+   - ⚠️ — static token on a bump, details unclear, or
+     non-GitHub/GitLab host with limited CI visibility.
+   - ❌ — static token on a new package, or manual-only triggers
+     without environment protection.

 ### Check kind: `async_blocking`

-Verify whether the dependency performs blocking I/O inside async code
-paths. Home Assistant runs on a single asyncio event loop, so a library
-that exposes an `async` surface must not call blocking APIs from inside
-its `async def` functions — that stalls the whole loop. A purely sync
-library is fine: Home Assistant integrations are expected to wrap such
-calls in an executor.
+Verify the dependency does not call blocking APIs inside `async def`
+bodies. Home Assistant runs on a single asyncio loop, so blocking
+calls from the async surface stall the whole loop. A purely sync
+library is fine — integrations wrap its calls in an executor.

-**Two modes — pick by inspecting `package.old_version`:**
+**Mode** (decided by `old_version`):
+- `null` → new package: review the entire current source tree.
+- string → version bump: review only the diff between the two tags.
+  Blocking calls already present in `old_version` are not regressions.

- `old_version` is `null` → **new package**: review the *entire current
-  source tree*. Nothing about this dependency has been vetted before.
- `old_version` is a string → **version bump**: review only the *diff
-  between `old_version` and `new_version`*. The previous version was
-  already accepted, so blocking calls that were present in
-  `old_version` are not regressions; report only what `new_version`
-  introduces.
+**Step 1 — async surface?**

-#### Step 1 — Decide whether the library exposes an async surface
+Fetch `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` at the
+tag matching `new_version` (try `v{version}`, `{version}`,
+`release-{version}` — at most three attempts). Use the `repos` MCP for
+github.com, `web-fetch` otherwise.

-Use the `github` MCP tool (for `github.com` repos) or `web-fetch`
-(other hosts) on `package.repo_url`. Always inspect the tag /
-ref matching `new_version` (e.g. `v{new_version}` or `{new_version}`).
+If sync-only (no `async def` in public modules; no
+asyncio/aiohttp/httpx/anyio in deps; no `Framework :: AsyncIO`
+classifier) → ✅ `Sync-only library; Home Assistant integrations must
+wrap calls in an executor.` (Same verdict for both modes.)

- Locate the top-level package directory (usually named after the
-  import name, often equal or close to `package.name`).
- Check `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` for
-  async indicators (`Framework :: AsyncIO` trove classifier, `asyncio`
-  / `aiohttp` / `httpx` / `anyio` in dependencies, an async usage
-  example in the README).
- Grep the package source for `async def`. A handful of `async def`
-  entries in the public modules is enough to treat the library as
-  having an async surface.
+**Step 2 — review the surface**

-If the library is **sync-only** (no `async def` in its public modules
-and no async framework dependency) → ✅
-`Sync-only library; Home Assistant integrations must wrap calls in an
-executor.` *This verdict is the same in both modes.*
+- New package: grep public modules for `async def`, inspect each
+  async body and transitive helpers.
+- Bump: fetch the compare diff
+  (`/repos/{owner}/{repo}/compare/{old}...{new}` on GitHub, equivalent
+  on GitLab/other hosts). Only flag patterns on **added** lines that
+  are inside or reachable from `async def`. If no tag format resolves,
+  fall back to a full review and note that the diff was unavailable.

-#### Step 2a — Mode: new package (`old_version` is `null`)
+**Blocking patterns to flag inside `async def`:**

-Inspect **every `async def` in the public modules** for blocking
-patterns. Walk transitively into helpers the async functions call.
-
-#### Step 2b — Mode: version bump (`old_version` is a string)
-
-Fetch the diff between the two tags and review **only changed lines**:
-
- GitHub: `GET /repos/{owner}/{repo}/compare/{old_tag}...{new_tag}` via
-  the `github` MCP tool, or
-  `https://github.com/{owner}/{repo}/compare/{old_tag}...{new_tag}.diff`
-  via `web-fetch`. Try the common tag formats in order until one
-  resolves: `v{version}`, `{version}`, `release-{version}`.
- GitLab: `https://gitlab.com/{namespace}/{project}/-/compare/{old_tag}...{new_tag}.diff`.
- Other hosts: use the project's equivalent compare URL via
-  `web-fetch`.
-
-If neither tag format resolves on the host, fall back to a full review
-(Step 2a) and mention in the detail that the diff was unavailable.
-
-When reviewing the diff, only flag blocking patterns that appear in
-**added lines** *inside or reachable from* an `async def`. A blocking
-call that existed in `old_version` and is unchanged is not a regression
-for this bump.
-
-#### Step 3 — Blocking patterns to look for
-
-In both modes, the patterns to flag inside `async def` bodies are:
-
- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct use,
-  `http.client.`, sync `httpx.Client(` / `httpx.get(` (NOT the
-  `AsyncClient`), `pycurl`.
- `time.sleep(` (must be `await asyncio.sleep(`).
- Sync sockets: bare `socket.socket` reads/writes, `ssl.wrap_socket`,
+- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct,
+  `http.client.`, sync `httpx.Client(` / `httpx.get(`, `pycurl`.
+- `time.sleep(` (use `await asyncio.sleep(`).
+- Sync sockets/SSL: bare `socket.socket` I/O, `ssl.wrap_socket`,
  blocking `select.select`.
- File I/O: `open(` / `pathlib.Path.read_*` / `.write_*` for
-  non-trivial sizes (small one-shot reads during import are
-  acceptable; reads/writes on the request path are not — prefer
-  `aiofiles` / executor).
- Sync DB drivers used directly: `sqlite3`, `psycopg2`, `pymysql`,
-  `pymongo` (sync client), `redis.Redis` (sync client).
- `subprocess.run` / `subprocess.call` / `os.system` (must be
-  `asyncio.create_subprocess_*`).
+- File I/O on the request path: `open(` /
+  `pathlib.Path.read_*` / `.write_*` for non-trivial sizes (small
+  one-shot reads during import are OK).
+- Sync DB drivers: `sqlite3`, `psycopg2`, `pymysql`, sync `pymongo` /
+  `redis.Redis`.
+- `subprocess.run` / `subprocess.call` / `os.system`.

-A call that is clearly dispatched to an executor
-(`run_in_executor`, `asyncio.to_thread`, `anyio.to_thread.run_sync`)
-does NOT count as blocking.
+Calls dispatched to an executor (`run_in_executor`,
+`asyncio.to_thread`, `anyio.to_thread.run_sync`) do **not** count as
+blocking.

-#### Step 4 — Verdict
+**Verdict:**

- ✅ — no offending blocking pattern in the surface being reviewed
-  (whole tree for a new package, added lines for a bump). For a bump,
-  phrase the detail as `No new blocking calls introduced in
-  {old_version} → {new_version}.`.
- ⚠️ — blocking calls exist only in sync helpers that the async API
-  does not call, or only on a clearly non-hot path (e.g. one-shot
-  setup before the event loop is running). Cite at least one
-  `<file>:<line>` and explain why it is not on the hot path.
- ❌ — a blocking call is reachable from an `async def` that is part
-  of the public API on the request / polling path (for a bump: the
-  call was introduced or moved onto the hot path by this version).
-  Cite the offending `<file>:<line>` as a clickable link on the repo
-  host so the contributor can jump to it.
+- ✅ — no offending pattern. Bumps: phrase as `No new blocking calls
+  introduced in {old_version} → {new_version}.`.
+- ⚠️ — blocking only in sync helpers the async API never calls, or
+  clearly off the hot path (e.g. one-shot pre-loop setup). Cite at
+  least one `<file>:<line>` and say why it's not hot.
+- ❌ — blocking call reachable from a public `async def` on the
+  request/polling path (bump: introduced or moved onto the hot path
+  by this version). Cite the offending `<file>:<line>` as a clickable
+  link on the repo host.
+
+### Check kind: `security`
+
+**Baseline** scan of the upstream source for obvious supply-chain red
+flags — a cheap first pass, **not** a security review or malware audit.
+A clean result means "nothing obvious stood out", not "this package is
+safe". The success icon is `☑️` — **never** `✅` — so a passing scan is
+not read as an endorsement.
+
+If `repo_public` resolves to ❌ for the same package, mark `security`'s
+cell and detail as `—` and explain `Skipped because the source
+repository is not publicly accessible.` — the source cannot be fetched.
+
+**Step 1 — Fetch a representative slice**
+
+Locate the source from `package.repo_url`.
+
+- GitHub: resolve the default branch (`GET /repos/{owner}/{repo}`), list
+  the tree (`GET /repos/{owner}/{repo}/git/trees/{branch}?recursive=1`),
+  find the module dir (`{name}/` or `src/{name}/`, normalising `-` ↔ `_`).
+- GitLab: equivalent REST calls. Other hosts: `web-fetch` raw file URLs.
+
+Fetch the **raw contents** of `setup.py` (install-time code runs on every
+consumer), `pyproject.toml` (`[build-system]` / custom backend), the
+package's `__init__.py`, and co — prioritising `entry_points` targets, plus any name suggesting
+bootstrap / loader / self-update (`update*.py`, `loader*.py`,
+`bootstrap*.py`, `_native.py`, `_post_install*.py`, …).
+
+If the tree is too large for the API budget, inspect at least `setup.py`,
+`pyproject.toml`, and `__init__.py`, then return ⚠️ noting the partial scan.
+
+**Step 2 — Patterns to flag**
+
+Reason from principles, not a fixed checklist: for each file ask *would a
+well-behaved library doing what this package's PyPI description claims
+need to do this?* If "no" or "unclear", record a finding. The categories
+describe the **shape** of concerning behavior; the named APIs, filenames,
+and keys are illustrative — treat any equivalent construct (including ones
+that did not exist when this was written) the same way.
+
+For every finding include the file path, line number, a snippet
+(≤ 120 chars), a permalink
+(`https://github.com/{owner}/{repo}/blob/{sha}/{path}#L{line}` or the
+GitLab equivalent), and one sentence on why it is out of scope.
+
+1. **Reaches into Home Assistant internals.** A library should touch HA
+   only through its documented Python API — never the `config_dir`
+   filesystem or internal auth / session state. Flag code that opens,
+   reads, writes, or resolves paths to artifacts it does not own
+   (top-level YAML it did not create, anything under `.storage/`, other
+   integrations' files) or reads tokens / refresh tokens / auth providers
+   (e.g. `secrets.yaml`, `.storage/auth*`, `hass.auth`). The principle is
+   *out-of-scope access*, not a static list of names.
+2. **Network input flows into an execution sink (download-and-execute).**
+   Flag any data-flow from a network response body (any HTTP / WebSocket /
+   raw-socket client, sync or async) to an execution sink: `exec`, `eval`,
+   `compile`, `marshal.loads`, `pickle.loads`, `types.FunctionType`,
+   `importlib.util.spec_from_loader`, `subprocess.*`, `os.system`, shell
+   pipelines (`curl … | sh`), or a file later imported / executed — plus
+   package-manager calls (`pip install` / `download`) with args resolved
+   from network responses at runtime.
+3. **Build / install-time code is non-deterministic or non-local.**
+   `setup.py`, `setup.cfg` `cmdclass`, custom PEP 517 backends, and other
+   build hooks must only compile and copy files shipped in the sdist. Flag
+   build-stage code that opens a socket, shells out, writes outside the
+   build / install tree, or pulls a build backend not on PyPI (Git URL /
+   local path).
+4. **Reads secrets and combines them with an egress path.** The shape is
+   *secret-source → outbound-channel*. Flag code that reads credential
+   material (token-like env vars, credential files under the user's home,
+   OS keychain APIs, browser-profile dirs, HA token stores) **and** in the
+   same path sends it to a destination the package needn't talk to.
+   Reading or sending alone is not enough — the *combination* is the signal.
+5. **Hides what it does.** Flag opaque data flowing into an execution
+   sink: large encoded / compressed / hex strings (`base64`, `codecs`,
+   `zlib`, `lzma`, `bytes.fromhex`, or any equivalent) passed to `exec` /
+   `eval` / `compile` / `__import__`; identifiers assembled at runtime
+   then imported; or any construct whose evident purpose is to make the
+   behavior unreadable.
+6. **Hard-coded network destination off-purpose.** Flag outbound URLs or
+   hosts absent from the package's PyPI `project_urls` with no obvious
+   connection to its function — short-link / paste services, ephemeral
+   tunnels, raw IPs, non-default ports against unknown hosts — and any
+   network call at module top-level / `__init__.py` (runs on import for
+   every consumer).
+
+A clearly out-of-scope behavior that fits none of the above: flag under
+the closest category and explain. The categories guide reasoning, not bound it.
+
+**Verdict**
+
+Aggregate the findings into one of:
+
+- `☑️ Baseline scan found nothing obvious in <list of inspected files>.
+  This is not a security review — only the cheap checks were run.`
+  Use `☑️` (**not** `✅`) so a passing scan is not read as an endorsement.
+- `⚠️ <one-line summary>` — patterns with plausible legitimate uses;
+  include path / line / snippet / permalink per match for the reviewer.
+- `❌ <one-line summary>` — patterns with no legitimate explanation
+  (install-time network execution, decode-and-exec of opaque blobs, reads
+  of `secrets.yaml` / `.storage/auth*`, token exfiltration to an external
+  host); same detail.
+
+Be precise. False positives are expected — when in doubt prefer `⚠️` with
+context over `❌`. This check is informational and never blocks the
+workflow on its own; a human reviewer decides whether to merge.

 ## Notes

- Be constructive and helpful. Reference the inspected workflow / CI
-  file by URL where useful so the contributor can fix the issue.
- The dedup of the requirements-check comment is handled by gh-aw's
-  `add_comment` safe-output via the `<!-- requirements-check -->`
-  marker on the first line of `rendered_comment`.
- If the deterministic workflow concluded with a non-success status,
-  this workflow's `if:` guard on `Download deterministic-results
-  artifact` skipped the download. If you find no file at
-  `/tmp/gh-aw/deterministic/results.json`, emit nothing — the post-step
-  verification is also gated and will not complain.
+- Be constructive; reference the inspected file by URL when useful.
+- Comment dedup is handled by gh-aw's `add_comment` safe-output via
+  the `<!-- requirements-check -->` marker.
+- If `/tmp/gh-aw/deterministic/results.json` is missing (upstream
+  cancelled/failed), emit nothing — the post-step verification is
+  gated and won't complain.
@@ -98,7 +98,7 @@ jobs:
      skip_coverage: ${{ steps.info.outputs.skip_coverage }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Generate partial Python venv restore key
@@ -264,7 +264,7 @@ jobs:
      && github.event.inputs.audit-licenses-only != 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Register problem matchers
@@ -291,7 +291,7 @@ jobs:
      && github.event.inputs.audit-licenses-only != 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Run zizmor
@@ -318,7 +318,7 @@ jobs:
          - script/hassfest/docker/Dockerfile
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Register hadolint problem matcher
@@ -341,7 +341,7 @@ jobs:
        python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
@@ -404,7 +404,7 @@ jobs:
          echo "version=$(grep '^uv==' requirements.txt | cut -d'=' -f3)" >> "$GITHUB_OUTPUT"
      - name: Set up uv
        if: steps.cache-venv.outputs.cache-hit != 'true'
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
        with:
          version: ${{ steps.read-uv-version.outputs.version }}
      - name: Create Python virtual environment
@@ -469,7 +469,7 @@ jobs:
      && github.event.inputs.audit-licenses-only != 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install additional OS dependencies
@@ -512,7 +512,7 @@ jobs:
      && github.event.inputs.audit-licenses-only != 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python
@@ -548,7 +548,7 @@ jobs:
      && github.event.inputs.audit-licenses-only != 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python
@@ -576,7 +576,7 @@ jobs:
      && github.event_name == 'pull_request'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Dependency review
@@ -603,7 +603,7 @@ jobs:
        python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python ${{ matrix.python-version }}
@@ -654,7 +654,7 @@ jobs:
      || github.event.inputs.pylint-only == 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python
@@ -707,7 +707,7 @@ jobs:
      && (needs.info.outputs.tests_glob || needs.info.outputs.test_full_suite == 'true')
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python
@@ -758,7 +758,7 @@ jobs:
      || github.event.inputs.mypy-only == 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Set up Python
@@ -825,7 +825,7 @@ jobs:
      - base
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install additional OS dependencies
@@ -889,7 +889,7 @@ jobs:
        group: ${{ fromJson(needs.info.outputs.test_groups) }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install additional OS dependencies
@@ -1030,7 +1030,7 @@ jobs:
        mariadb-group: ${{ fromJson(needs.info.outputs.mariadb_groups) }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install additional OS dependencies
@@ -1179,7 +1179,7 @@ jobs:
        postgresql-group: ${{ fromJson(needs.info.outputs.postgresql_groups) }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install additional OS dependencies
@@ -1317,7 +1317,7 @@ jobs:
    if: needs.info.outputs.skip_coverage != 'true'
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Download all coverage artifacts
@@ -1326,7 +1326,7 @@ jobs:
          pattern: coverage-*
      - name: Upload coverage to Codecov
        if: needs.info.outputs.test_full_suite == 'true'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
        with:
          fail_ci_if_error: true
          flags: full-suite
@@ -1355,7 +1355,7 @@ jobs:
        group: ${{ fromJson(needs.info.outputs.test_groups) }}
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Install additional OS dependencies
@@ -1476,7 +1476,7 @@ jobs:
      - pytest-partial
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - name: Download all coverage artifacts
@@ -1485,7 +1485,7 @@ jobs:
          pattern: coverage-*
      - name: Upload coverage to Codecov
        if: needs.info.outputs.test_full_suite == 'false'
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
        with:
          fail_ci_if_error: true
          token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
@@ -1513,7 +1513,7 @@ jobs:
        with:
          pattern: test-results-*
      - name: Upload test results to Codecov
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
        with:
          report_type: test_results
          fail_ci_if_error: true
@@ -23,16 +23,16 @@ jobs:

    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          languages: python

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          category: "/language:python"
@@ -22,7 +22,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -29,7 +29,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -116,7 +116,7 @@ jobs:
            os: ubuntu-24.04-arm
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -137,7 +137,7 @@ jobs:
          sed -i "/uv/d" requirements_diff.txt

      - name: Build wheels
-        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
+        uses: home-assistant/wheels@34957438948e0b3dcde73c77750643dadae594f5 # 2026.06.0
        with:
          abi: ${{ matrix.abi }}
          tag: musllinux_1_2
@@ -167,7 +167,7 @@ jobs:
            os: ubuntu-24.04-arm
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

@@ -195,7 +195,7 @@ jobs:
          sed -i "/uv/d" requirements_diff.txt

      - name: Build wheels
-        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
+        uses: home-assistant/wheels@34957438948e0b3dcde73c77750643dadae594f5 # 2026.06.0
        with:
          abi: ${{ matrix.abi }}
          tag: musllinux_1_2
@@ -3,7 +3,6 @@ config2/*

 tests/testing_config/deps
 tests/testing_config/home-assistant.log*
-tests/testing_config/.storage/sandbox/

 # hass-release
 data/
@@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.14
+    rev: v0.15.16
    hooks:
      - id: ruff-check
        args:
@@ -64,27 +64,6 @@ repos:
        files: ^(homeassistant|tests|script)/.+\.py$
  - repo: local
    hooks:
-      # Drift guard for the checked-in sandbox protobuf gencode. Manual
-      # stage only (grpcio-tools is not a project dep, so it bootstraps a
-      # throwaway venv and degrades gracefully when uv is absent): run with
-      # `prek run --hook-stage manual sandbox-proto-drift` or in a CI lane.
-      - id: sandbox-proto-drift
-        name: sandbox protobuf gencode drift guard
-        entry: sandbox/proto/check_drift.sh
-        language: script
-        pass_filenames: false
-        stages: [manual]
-        files: ^sandbox/proto/sandbox\.proto$
-      # Drift guard for the hand-mirrored sandbox wire modules (channel.py,
-      # codec_protobuf.py, messages.py). A plain byte-for-byte diff with no
-      # external tooling, so — unlike the proto gencode guard above — it runs as
-      # a regular hook whenever either copy of a mirrored file changes.
-      - id: sandbox-mirror-drift
-        name: sandbox wire-module mirror drift guard
-        entry: sandbox/proto/check_mirror_drift.sh
-        language: script
-        pass_filenames: false
-        files: ^(homeassistant/components/sandbox|sandbox/hass_client/hass_client)/(channel|codec_protobuf|messages)\.py$
      # Run mypy through our wrapper script in order to get the possible
      # pyenv and/or virtualenv activated; it may not have been e.g. if
      # committing from a GUI tool that was not launched from an activated
@@ -96,9 +75,6 @@ repos:
        require_serial: true
        types_or: [python, pyi]
        files: ^(homeassistant|pylint)/.+\.(py|pyi)$
-        # Checked-in protobuf gencode (sandbox): the .py + .pyi pair trips
-        # mypy's duplicate-module check, and it is machine-generated anyway.
-        exclude: _pb2\.(py|pyi)$
      - id: pylint
        name: pylint
        entry: script/run-in-env.sh pylint --ignore-missing-annotations=y
@@ -96,6 +96,7 @@ homeassistant.components.aprs.*
 homeassistant.components.apsystems.*
 homeassistant.components.aqualogic.*
 homeassistant.components.aquostv.*
+homeassistant.components.aqvify.*
 homeassistant.components.aranet.*
 homeassistant.components.arcam_fmj.*
 homeassistant.components.arris_tg2492lg.*
@@ -40,4 +40,5 @@ This repository contains the core of Home Assistant, a Python 3 based home autom
 - Integrations with Platinum or Gold level in the Integration Quality Scale reflect a high standard of code quality and maintainability. When looking for examples of something, these are good places to start. The level is indicated in the manifest.json of the integration.
 - When reviewing entity actions, do not suggest extra defensive checks for input fields that are already validated by Home Assistant's service/action schemas and entity selection filters. Suggest additional guards only when data bypasses those validators or is transformed into a less-safe form.
 - When validation guarantees a dict key exists, prefer direct key access (`data["key"]`) instead of `.get("key")` so contract violations are surfaced instead of silently masked.
- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why — non-obvious constraints, surprising behavior, or workarounds — never what.
+- Keep comments concise. Prefer one short line stating the non-obvious constraint, or no comment at all.
+- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why (non-obvious constraints, surprising behavior, or workarounds), never what. Never add comments that justify a change by referencing what the code looked like before.
@@ -162,6 +162,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/apsystems/ @mawoka-myblock @SonnenladenGmbH
 /homeassistant/components/aquacell/ @Jordi1990
 /tests/components/aquacell/ @Jordi1990
+/homeassistant/components/aqvify/ @astrandb
+/tests/components/aqvify/ @astrandb
 /homeassistant/components/aranet/ @aschmitz @thecode @anrijs
 /tests/components/aranet/ @aschmitz @thecode @anrijs
 /homeassistant/components/arcam_fmj/ @elupus
@@ -260,8 +262,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/braviatv/ @bieniu @Drafteed
 /homeassistant/components/bring/ @miaucl @tr4nt0r
 /tests/components/bring/ @miaucl @tr4nt0r
-/homeassistant/components/broadlink/ @danielhiversen @felipediel @L-I-Am @eifinger
-/tests/components/broadlink/ @danielhiversen @felipediel @L-I-Am @eifinger
+/homeassistant/components/broadlink/ @danielhiversen @felipediel @L-I-Am
+/tests/components/broadlink/ @danielhiversen @felipediel @L-I-Am
 /homeassistant/components/brother/ @bieniu
 /tests/components/brother/ @bieniu
 /homeassistant/components/brottsplatskartan/ @gjohansson-ST
@@ -574,8 +576,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/flo/ @dmulcahey
 /homeassistant/components/flume/ @ChrisMandich @bdraco @jeeftor
 /tests/components/flume/ @ChrisMandich @bdraco @jeeftor
-/homeassistant/components/fluss/ @fluss
-/tests/components/fluss/ @fluss
+/homeassistant/components/fluss/ @fluss @Marcello17
+/tests/components/fluss/ @fluss @Marcello17
 /homeassistant/components/flux_led/ @icemanch
 /tests/components/flux_led/ @icemanch
 /homeassistant/components/forecast_solar/ @klaasnicolaas @frenck
@@ -693,6 +695,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/gree/ @cmroche
 /homeassistant/components/green_planet_energy/ @petschni
 /tests/components/green_planet_energy/ @petschni
+/homeassistant/components/greencell/ @BrzezowskiGC
+/tests/components/greencell/ @BrzezowskiGC
 /homeassistant/components/greeneye_monitor/ @jkeljo
 /tests/components/greeneye_monitor/ @jkeljo
 /homeassistant/components/group/ @home-assistant/core
@@ -945,6 +949,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/kiosker/ @Claeysson
 /homeassistant/components/kitchen_sink/ @home-assistant/core
 /tests/components/kitchen_sink/ @home-assistant/core
+/homeassistant/components/klik_aan_klik_uit/ @Phunkafizer
+/tests/components/klik_aan_klik_uit/ @Phunkafizer
 /homeassistant/components/kmtronic/ @dgomes
 /tests/components/kmtronic/ @dgomes
 /homeassistant/components/knocki/ @joostlek @jgatto1 @JakeBosh
@@ -1082,6 +1088,8 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/mediaroom/ @dgomes
 /homeassistant/components/melcloud/ @erwindouna
 /tests/components/melcloud/ @erwindouna
+/homeassistant/components/melcloud_home/ @erwindouna
+/tests/components/melcloud_home/ @erwindouna
 /homeassistant/components/melissa/ @kennedyshead
 /tests/components/melissa/ @kennedyshead
 /homeassistant/components/melnor/ @vanstinator
@@ -1149,7 +1157,6 @@ CLAUDE.md @home-assistant/core
 /tests/components/motionmount/ @laiho-vogels
 /homeassistant/components/mqtt/ @emontnemery @jbouwh @bdraco
 /tests/components/mqtt/ @emontnemery @jbouwh @bdraco
-/homeassistant/components/msteams/ @peroyvind
 /homeassistant/components/mta/ @OnFreund
 /tests/components/mta/ @OnFreund
 /homeassistant/components/mullvad/ @meichthys
@@ -1885,6 +1892,7 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/unifi_access/ @imhotep @RaHehl
 /tests/components/unifi_access/ @imhotep @RaHehl
 /homeassistant/components/unifi_direct/ @tofuSCHNITZEL
+/tests/components/unifi_direct/ @tofuSCHNITZEL
 /homeassistant/components/unifi_discovery/ @RaHehl
 /tests/components/unifi_discovery/ @RaHehl
 /homeassistant/components/unifiled/ @florisvdk
@@ -11,7 +11,6 @@
    "microsoft_face_identify",
    "microsoft_face",
    "microsoft",
-    "msteams",
    "onedrive",
    "onedrive_for_business",
    "xbox"
@@ -26,5 +26,5 @@
  "iot_class": "local_push",
  "loggers": ["aioacaia"],
  "quality_scale": "platinum",
-  "requirements": ["aioacaia==0.1.17"]
+  "requirements": ["aioacaia==0.1.18"]
 }
@@ -5,5 +5,5 @@
  "documentation": "https://www.home-assistant.io/integrations/acer_projector",
  "iot_class": "local_polling",
  "quality_scale": "legacy",
-  "requirements": ["serialx==1.8.0"]
+  "requirements": ["serialx==1.8.2"]
 }
@@ -6,5 +6,5 @@
  "documentation": "https://www.home-assistant.io/integrations/acmeda",
  "iot_class": "local_push",
  "loggers": ["aiopulse"],
-  "requirements": ["aiopulse==0.4.6"]
+  "requirements": ["aiopulse==0.4.7"]
 }
@@ -116,10 +116,6 @@ async def async_setup_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> boo
 async def async_migrate_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> bool:
    """Migrate old config entry."""

-    # This means the user has downgraded from a future version
-    if entry.version > 2:
-        return False
-
    # 1.1 Migrate config_entry to add advanced ssl settings
    if entry.version == 1 and entry.minor_version == 1:
        new_minor_version = 2
@@ -7,7 +7,7 @@
  "integration_type": "hub",
  "iot_class": "local_polling",
  "loggers": ["aioairq"],
-  "requirements": ["aioairq==0.4.7"],
+  "requirements": ["aioairq==0.4.8"],
  "zeroconf": [
    {
      "properties": {
@@ -1,6 +1,6 @@
 """The AirVisual Pro integration."""

-from homeassistant.helpers.device_registry import DeviceInfo
+from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.update_coordinator import CoordinatorEntity

@@ -25,6 +25,12 @@ class AirVisualProEntity(CoordinatorEntity[AirVisualProCoordinator]):
        """Return device registry information for this entity."""
        return DeviceInfo(
            identifiers={(DOMAIN, self.coordinator.data["serial_number"])},
+            connections={
+                (
+                    CONNECTION_NETWORK_MAC,
+                    self.coordinator.data["status"]["mac_address"],
+                )
+            },
            manufacturer="AirVisual",
            model=self.coordinator.data["status"]["model"],
            name=self.coordinator.data["settings"]["node_name"],
@@ -65,10 +65,6 @@ async def async_setup_entry(hass: HomeAssistant, entry: AmazonConfigEntry) -> bo
 async def async_migrate_entry(hass: HomeAssistant, entry: AmazonConfigEntry) -> bool:
    """Migrate old entry."""

-    if entry.version > 1:
-        # This means the user has downgraded from a future version
-        return False
-
    if entry.version == 1 and entry.minor_version < 3:
        if CONF_SITE in entry.data:
            # Site in data (wrong place), just move to login data
@@ -6,7 +6,7 @@ from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 from homeassistant.util import slugify

-from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator
+from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator, alexa_api_call
 from .entity import AmazonServiceEntity

 # Coordinator is used to centralize the data updates
@@ -49,4 +49,5 @@ class AmazonRoutineButton(AmazonServiceEntity, ButtonEntity):

    async def async_press(self) -> None:
        """Handle button press action."""
-        await self.coordinator.api.call_routine(self._routine)
+        async with alexa_api_call(self.coordinator):
+            await self.coordinator.api.call_routine(self._routine)
@@ -1,5 +1,7 @@
 """Support for Alexa Devices."""

+from collections.abc import AsyncGenerator
+from contextlib import asynccontextmanager
 from datetime import timedelta

 from aioamazondevices.api import AmazonEchoApi
@@ -19,7 +21,11 @@ from aiohttp import ClientSession
 from homeassistant.config_entries import ConfigEntry
 from homeassistant.const import CONF_PASSWORD, CONF_USERNAME, Platform
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryAuthFailed, ConfigEntryNotReady
+from homeassistant.exceptions import (
+    ConfigEntryAuthFailed,
+    ConfigEntryNotReady,
+    HomeAssistantError,
+)
 from homeassistant.helpers import device_registry as dr, entity_registry as er
 from homeassistant.helpers.debounce import Debouncer
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed
@@ -29,6 +35,65 @@ from .const import _LOGGER, CONF_LOGIN_DATA, DOMAIN

 SCAN_INTERVAL = 300

+
+@asynccontextmanager
+async def alexa_api_call(
+    coordinator: DataUpdateCoordinator | None = None,
+) -> AsyncGenerator[None]:
+    """Handle common Alexa API exceptions as HomeAssistantError."""
+    try:
+        yield
+    except CannotAuthenticate as err:
+        if coordinator:
+            coordinator.last_update_success = False
+        raise HomeAssistantError(
+            translation_domain=DOMAIN,
+            translation_key="invalid_auth",
+            translation_placeholders={"error": repr(err)},
+        ) from err
+    except CannotConnect as err:
+        if coordinator:
+            coordinator.last_update_success = False
+        raise HomeAssistantError(
+            translation_domain=DOMAIN,
+            translation_key="cannot_connect_with_error",
+            translation_placeholders={"error": repr(err)},
+        ) from err
+    except (CannotRetrieveData, ValueError) as err:
+        if coordinator:
+            coordinator.last_update_success = False
+        raise HomeAssistantError(
+            translation_domain=DOMAIN,
+            translation_key="cannot_retrieve_data_with_error",
+            translation_placeholders={"error": repr(err)},
+        ) from err
+
+
+@asynccontextmanager
+async def alexa_config_entry_errors() -> AsyncGenerator[None]:
+    """Handle common Alexa API exceptions as ConfigEntry errors."""
+    try:
+        yield
+    except CannotAuthenticate as err:
+        raise ConfigEntryAuthFailed(
+            translation_domain=DOMAIN,
+            translation_key="invalid_auth",
+            translation_placeholders={"error": repr(err)},
+        ) from err
+    except (CannotConnect, TimeoutError) as err:
+        raise ConfigEntryNotReady(
+            translation_domain=DOMAIN,
+            translation_key="cannot_connect_with_error",
+            translation_placeholders={"error": repr(err)},
+        ) from err
+    except (CannotRetrieveData, ValueError, KeyError, StopIteration) as err:
+        raise ConfigEntryNotReady(
+            translation_domain=DOMAIN,
+            translation_key="cannot_retrieve_data_with_error",
+            translation_placeholders={"error": repr(err)},
+        ) from err
+
+
 type AmazonConfigEntry = ConfigEntry[AmazonDevicesCoordinator]


@@ -113,6 +178,12 @@ class AmazonDevicesCoordinator(DataUpdateCoordinator[dict[str, AmazonDevice]]):
                translation_key="invalid_auth",
                translation_placeholders={"error": repr(err)},
            ) from err
+        except ValueError as err:
+            raise UpdateFailed(
+                translation_domain=DOMAIN,
+                translation_key="cannot_retrieve_data_with_error",
+                translation_placeholders={"error": repr(err)},
+            ) from err
        else:
            current_devices = set(data.keys())
            if stale_devices := self.previous_devices - current_devices:
@@ -169,26 +240,8 @@ class AmazonDevicesCoordinator(DataUpdateCoordinator[dict[str, AmazonDevice]]):

    async def sync_history_state(self) -> None:
        """Sync history state."""
-        try:
+        async with alexa_config_entry_errors():
            self._vocal_records = await self.api.sync_history_state()
-        except CannotAuthenticate as e:
-            raise ConfigEntryAuthFailed(
-                translation_domain=DOMAIN,
-                translation_key="invalid_auth",
-                translation_placeholders={"error": repr(e)},
-            ) from e
-        except CannotConnect as e:
-            raise ConfigEntryNotReady(
-                translation_domain=DOMAIN,
-                translation_key="cannot_connect_with_error",
-                translation_placeholders={"error": repr(e)},
-            ) from e
-        except BaseException as e:
-            raise ConfigEntryNotReady(
-                translation_domain=DOMAIN,
-                translation_key="cannot_retrieve_data_with_error",
-                translation_placeholders={"error": repr(e)},
-            ) from e

    async def history_state_event_handler(
        self, vocal_records: dict[str, AmazonVocalRecord]
@@ -204,26 +257,8 @@ class AmazonDevicesCoordinator(DataUpdateCoordinator[dict[str, AmazonDevice]]):

    async def sync_media_state(self) -> None:
        """Sync media state."""
-        try:
+        async with alexa_config_entry_errors():
            await self.api.sync_media_state()
-        except CannotAuthenticate as err:
-            raise ConfigEntryAuthFailed(
-                translation_domain=DOMAIN,
-                translation_key="invalid_auth",
-                translation_placeholders={"error": repr(err)},
-            ) from err
-        except (CannotConnect, TimeoutError) as err:
-            raise ConfigEntryNotReady(
-                translation_domain=DOMAIN,
-                translation_key="cannot_connect_with_error",
-                translation_placeholders={"error": repr(err)},
-            ) from err
-        except (CannotRetrieveData, ValueError) as err:
-            raise ConfigEntryNotReady(
-                translation_domain=DOMAIN,
-                translation_key="cannot_retrieve_data_with_error",
-                translation_placeholders={"error": repr(err)},
-            ) from err

    async def media_state_event_handler(
        self, media_state: dict[str, AmazonMediaState]
@@ -12,7 +12,18 @@ from homeassistant.helpers.device_registry import DeviceEntry

 from .coordinator import AmazonConfigEntry

-TO_REDACT = {CONF_PASSWORD, CONF_USERNAME, CONF_NAME, "title"}
+TO_REDACT = {
+    CONF_NAME,
+    CONF_PASSWORD,
+    CONF_USERNAME,
+    "access_token",
+    "adp_token",
+    "device_private_key",
+    "refresh_token",
+    "store_authentication_cookie",
+    "title",
+    "website_cookies",
+}


 async def async_get_config_entry_diagnostics(
@@ -8,5 +8,5 @@
  "iot_class": "cloud_polling",
  "loggers": ["aioamazondevices"],
  "quality_scale": "platinum",
-  "requirements": ["aioamazondevices==14.0.0"]
+  "requirements": ["aioamazondevices==14.0.4"]
 }
@@ -22,9 +22,8 @@ from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

 from .const import _LOGGER
-from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator
+from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator, alexa_api_call
 from .entity import AmazonEntity
-from .utils import alexa_api_call

 PARALLEL_UPDATES = 1

@@ -216,16 +215,15 @@ class AlexaDevicesMediaPlayer(AmazonEntity, MediaPlayerEntity):
        provider = media_type.value if isinstance(media_type, MediaType) else media_type
        await self.async_call_alexa_music(media_id, provider)

-    @alexa_api_call
    async def async_call_alexa_music(
        self, search_phrase: str, provider_id: str
    ) -> None:
        """Call alexa music."""
-        await self.coordinator.api.call_alexa_music(
-            self.device, search_phrase, provider_id
-        )
+        async with alexa_api_call(self.coordinator):
+            await self.coordinator.api.call_alexa_music(
+                self.device, search_phrase, provider_id
+            )

-    @alexa_api_call
    async def async_set_device_volume(self, volume: int) -> None:
        """Set the device volume."""
        _LOGGER.debug(
@@ -233,7 +231,8 @@ class AlexaDevicesMediaPlayer(AmazonEntity, MediaPlayerEntity):
            self.device.serial_number,
            volume,
        )
-        await self.coordinator.api.set_device_volume(self.device, volume)
+        async with alexa_api_call(self.coordinator):
+            await self.coordinator.api.set_device_volume(self.device, volume)

    async def async_set_volume_level(self, volume: float) -> None:
        """Set the volume level (0.0 to 1.0)."""
@@ -263,12 +262,12 @@ class AlexaDevicesMediaPlayer(AmazonEntity, MediaPlayerEntity):
        await self.async_set_volume_level(target_volume / 100)
        self._prev_volume = None

-    @alexa_api_call
    async def _send_media_command(self, command: AmazonMediaControls) -> None:
        _LOGGER.debug(
            "Sending media command '%s' to %s", command, self.device.serial_number
        )
-        await self.coordinator.api.send_media_command(self.device, command)
+        async with alexa_api_call(self.coordinator):
+            await self.coordinator.api.send_media_command(self.device, command)

    async def async_media_stop(self) -> None:
        """Send stop command."""
@@ -12,9 +12,8 @@ from homeassistant.components.notify import NotifyEntity, NotifyEntityDescriptio
 from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

-from .coordinator import AmazonConfigEntry
+from .coordinator import AmazonConfigEntry, alexa_api_call
 from .entity import AmazonEntity
-from .utils import alexa_api_call

 PARALLEL_UPDATES = 1

@@ -80,10 +79,11 @@ class AmazonNotifyEntity(AmazonEntity, NotifyEntity):

    entity_description: AmazonNotifyEntityDescription

-    @alexa_api_call
    async def async_send_message(
        self, message: str, title: str | None = None, **kwargs: Any
    ) -> None:
        """Send a message."""
-
-        await self.entity_description.method(self.coordinator.api, self.device, message)
+        async with alexa_api_call(self.coordinator):
+            await self.entity_description.method(
+                self.coordinator.api, self.device, message
+            )
@@ -11,7 +11,7 @@ from homeassistant.exceptions import ServiceValidationError
 from homeassistant.helpers import config_validation as cv, device_registry as dr

 from .const import DOMAIN, INFO_SKILLS_MAPPING
-from .coordinator import AmazonConfigEntry
+from .coordinator import AmazonConfigEntry, alexa_api_call

 ATTR_TEXT_COMMAND = "text_command"
 ATTR_SOUND = "sound"
@@ -85,13 +85,15 @@ async def _async_execute_action(call: ServiceCall, attribute: str) -> None:
                translation_key="invalid_sound_value",
                translation_placeholders={"sound": value},
            )
-        await coordinator.api.call_alexa_sound(
-            coordinator.data[device.serial_number], value
-        )
+        async with alexa_api_call():
+            await coordinator.api.call_alexa_sound(
+                coordinator.data[device.serial_number], value
+            )
    elif attribute == ATTR_TEXT_COMMAND:
-        await coordinator.api.call_alexa_text_command(
-            coordinator.data[device.serial_number], value
-        )
+        async with alexa_api_call():
+            await coordinator.api.call_alexa_text_command(
+                coordinator.data[device.serial_number], value
+            )
    elif attribute == ATTR_INFO_SKILL:
        info_skill = INFO_SKILLS_MAPPING.get(value)
        if info_skill not in ALEXA_INFO_SKILLS:
@@ -100,9 +102,10 @@ async def _async_execute_action(call: ServiceCall, attribute: str) -> None:
                translation_key="invalid_info_skill_value",
                translation_placeholders={"info_skill": value},
            )
-        await coordinator.api.call_alexa_info_skill(
-            coordinator.data[device.serial_number], info_skill
-        )
+        async with alexa_api_call():
+            await coordinator.api.call_alexa_info_skill(
+                coordinator.data[device.serial_number], info_skill
+            )


 async def async_send_sound_notification(call: ServiceCall) -> None:
@@ -14,13 +14,9 @@ from homeassistant.components.switch import (
 from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

-from .coordinator import AmazonConfigEntry
+from .coordinator import AmazonConfigEntry, alexa_api_call
 from .entity import AmazonEntity
-from .utils import (
-    alexa_api_call,
-    async_remove_dnd_from_virtual_group,
-    async_update_unique_id,
-)
+from .utils import async_remove_dnd_from_virtual_group, async_update_unique_id

 PARALLEL_UPDATES = 1

@@ -90,7 +86,6 @@ class AmazonSwitchEntity(AmazonEntity, SwitchEntity):

    entity_description: AmazonSwitchEntityDescription

-    @alexa_api_call
    async def _switch_set_state(self, state: bool) -> None:
        """Set desired switch state."""
        method = getattr(self.coordinator.api, self.entity_description.method)
@@ -98,7 +93,8 @@ class AmazonSwitchEntity(AmazonEntity, SwitchEntity):
        if TYPE_CHECKING:
            assert method is not None

-        await method(self.device, state)
+        async with alexa_api_call(self.coordinator):
+            await method(self.device, state)
        self.coordinator.data[self.device.serial_number].sensors[
            self.entity_description.key
        ].value = state
@@ -1,54 +1,19 @@
 """Utils for Alexa Devices."""

-from collections.abc import Awaitable, Callable, Coroutine
-from functools import wraps
-from typing import Any, Concatenate
-
 from aioamazondevices.const.devices import SPEAKER_GROUP_FAMILY
 from aioamazondevices.const.schedules import (
    NOTIFICATION_ALARM,
    NOTIFICATION_REMINDER,
    NOTIFICATION_TIMER,
 )
-from aioamazondevices.exceptions import CannotConnect, CannotRetrieveData

 from homeassistant.components.sensor import DOMAIN as SENSOR_DOMAIN
 from homeassistant.components.switch import DOMAIN as SWITCH_DOMAIN
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import HomeAssistantError
 import homeassistant.helpers.entity_registry as er

 from .const import _LOGGER, DOMAIN
 from .coordinator import AmazonDevicesCoordinator
-from .entity import AmazonEntity
-
-
-def alexa_api_call[_T: AmazonEntity, **_P](
-    func: Callable[Concatenate[_T, _P], Awaitable[None]],
-) -> Callable[Concatenate[_T, _P], Coroutine[Any, Any, None]]:
-    """Catch Alexa API call exceptions."""
-
-    @wraps(func)
-    async def cmd_wrapper(self: _T, *args: _P.args, **kwargs: _P.kwargs) -> None:
-        """Wrap all command methods."""
-        try:
-            await func(self, *args, **kwargs)
-        except CannotConnect as err:
-            self.coordinator.last_update_success = False
-            raise HomeAssistantError(
-                translation_domain=DOMAIN,
-                translation_key="cannot_connect_with_error",
-                translation_placeholders={"error": repr(err)},
-            ) from err
-        except CannotRetrieveData as err:
-            self.coordinator.last_update_success = False
-            raise HomeAssistantError(
-                translation_domain=DOMAIN,
-                translation_key="cannot_retrieve_data_with_error",
-                translation_placeholders={"error": repr(err)},
-            ) from err
-
-    return cmd_wrapper


 async def async_update_unique_id(
@@ -75,10 +75,6 @@ async def async_migrate_entry(hass: HomeAssistant, entry: AnovaConfigEntry) -> b
    """Migrate entry."""
    _LOGGER.debug("Migrating from version %s:%s", entry.version, entry.minor_version)

-    if entry.version > 1:
-        # This means the user has downgraded from a future version
-        return False
-
    if entry.version == 1 and entry.minor_version == 1:
        new_data = {**entry.data}
        if CONF_DEVICES in new_data:
@@ -7,5 +7,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_push",
  "loggers": ["anova_wifi"],
-  "requirements": ["anova-wifi==0.17.0"]
+  "requirements": ["anova-wifi==0.17.1"]
 }
@@ -7,5 +7,5 @@
  "integration_type": "device",
  "iot_class": "local_push",
  "loggers": ["anthemav"],
-  "requirements": ["anthemav==1.4.1"]
+  "requirements": ["anthemav==1.4.2"]
 }
@@ -12,7 +12,7 @@ from homeassistant.components.media_player import (
 )
 from homeassistant.const import CONF_MAC, CONF_MODEL
 from homeassistant.core import HomeAssistant, callback
-from homeassistant.helpers.device_registry import DeviceInfo
+from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.dispatcher import async_dispatcher_connect
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

@@ -87,9 +87,12 @@ class AnthemAVR(MediaPlayerEntity):
                via_device=(DOMAIN, mac_address),
            )
        else:
+            # Zone 1 is the physical receiver that owns the network MAC; higher
+            # zones are via_device children and carry no connection.
            self._attr_unique_id = mac_address
            self._attr_device_info = DeviceInfo(
                identifiers={(DOMAIN, mac_address)},
+                connections={(CONNECTION_NETWORK_MAC, mac_address)},
                name=name,
                manufacturer=MANUFACTURER,
                model=model,
@@ -178,10 +178,6 @@ async def async_migrate_entry(hass: HomeAssistant, entry: AnthropicConfigEntry)
    """Migrate entry."""
    LOGGER.debug("Migrating from version %s:%s", entry.version, entry.minor_version)

-    if entry.version > 2:
-        # This means the user has downgraded from a future version
-        return False
-
    if entry.version == 2 and entry.minor_version == 1:
        # Correct broken device migration in Home Assistant Core 2025.7.0b0-2025.7.0b1
        device_registry = dr.async_get(hass)
@@ -1,7 +1,6 @@
 """Coordinator for the Anthropic integration."""

 import datetime
-import re

 import anthropic

@@ -20,15 +19,12 @@ UPDATE_INTERVAL_DISCONNECTED = datetime.timedelta(minutes=1)
 type AnthropicConfigEntry = ConfigEntry[AnthropicCoordinator]


-_model_short_form = re.compile(r"[^\d]-\d$")
-
-
@callback
 def model_alias(model_id: str) -> str:
    """Resolve alias from versioned model name."""
    if model_id[-2:-1] != "-" and not model_id.endswith("-preview"):
        model_id = model_id[:-9]
-    if _model_short_form.search(model_id):
+    if model_id.endswith("-4"):
        return model_id + "-0"
    return model_id

@@ -9,5 +9,5 @@
  "integration_type": "service",
  "iot_class": "cloud_polling",
  "quality_scale": "silver",
-  "requirements": ["anthropic==0.96.0"]
+  "requirements": ["anthropic==0.108.0"]
 }
@@ -52,10 +52,7 @@ rules:
    status: exempt
    comment: |
      Service integration, no discovery.
-  docs-data-update:
-    status: exempt
-    comment: |
-      No data updates.
+  docs-data-update: done
  docs-examples: done
  docs-known-limitations: done
  docs-supported-devices: done
@@ -65,18 +65,18 @@ class ModelDeprecatedRepairFlow(RepairsFlow):
            ]
            self._model_list_cache[entry.entry_id] = model_list

-        if "opus" in model:
-            family = "claude-opus"
-        elif "sonnet" in model:
-            family = "claude-sonnet"
-        else:
-            family = "claude-haiku"
+        family = (
+            model.removeprefix("claude-")
+            .removesuffix("-preview")
+            .translate(str.maketrans("", "", "0123456789-."))
+            or "haiku"
+        )

        suggested_model = next(
            (
                model_option["value"]
                for model_option in sorted(
-                    (m for m in model_list if family in m["value"]),
+                    (m for m in model_list if f"claude-{family}" in m["value"]),
                    key=lambda x: x["value"],
                    reverse=True,
                )
@@ -59,7 +59,6 @@ ATTR_EXTERNAL_URL = "external_url"
 ATTR_INTERNAL_URL = "internal_url"
 ATTR_LOCATION_NAME = "location_name"
 ATTR_INSTALLATION_TYPE = "installation_type"
-ATTR_REQUIRES_API_PASSWORD = "requires_api_password"
 ATTR_UUID = "uuid"
 ATTR_VERSION = "version"

@@ -193,6 +193,7 @@ class AprilaireCoordinator(BaseDataUpdateCoordinatorProtocol):

        device_info = DeviceInfo(
            identifiers={(DOMAIN, self.unique_id)},
+            connections={(dr.CONNECTION_NETWORK_MAC, data[Attribute.MAC_ADDRESS])},
            name=self.create_device_name(data),
            manufacturer="Aprilaire",
        )
@@ -1,5 +1,6 @@
 """Config flow for Aquacell integration."""

+from collections.abc import Mapping
 from datetime import datetime
 import logging
 from typing import Any
@@ -31,6 +32,12 @@ DATA_SCHEMA = vol.Schema(
    }
 )

+STEP_REAUTH_SCHEMA = vol.Schema(
+    {
+        vol.Required(CONF_PASSWORD): str,
+    }
+)
+

 class AquaCellConfigFlow(ConfigFlow, domain=DOMAIN):
    """Handle a config flow for Aquacell."""
@@ -77,3 +84,48 @@ class AquaCellConfigFlow(ConfigFlow, domain=DOMAIN):
            data_schema=DATA_SCHEMA,
            errors=errors,
        )
+
+    async def async_step_reauth(
+        self, entry_data: Mapping[str, Any]
+    ) -> ConfigFlowResult:
+        """Perform reauth upon an API authentication error."""
+        return await self.async_step_reauth_confirm()
+
+    async def async_step_reauth_confirm(
+        self, user_input: dict[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """Confirm reauth dialog."""
+        errors: dict[str, str] = {}
+        reauth_entry = self._get_reauth_entry()
+        if user_input is not None:
+            session = async_get_clientsession(self.hass)
+            api = AquacellApi(
+                session, reauth_entry.data.get(CONF_BRAND, Brand.AQUACELL)
+            )
+            try:
+                refresh_token = await api.authenticate(
+                    reauth_entry.data[CONF_EMAIL], user_input[CONF_PASSWORD]
+                )
+            except ApiException, TimeoutError:
+                errors["base"] = "cannot_connect"
+            except AuthenticationFailed:
+                errors["base"] = "invalid_auth"
+            except Exception:
+                _LOGGER.exception("Unexpected exception")
+                errors["base"] = "unknown"
+            else:
+                return self.async_update_reload_and_abort(
+                    reauth_entry,
+                    data_updates={
+                        CONF_PASSWORD: user_input[CONF_PASSWORD],
+                        CONF_REFRESH_TOKEN: refresh_token,
+                        CONF_REFRESH_TOKEN_CREATION_TIME: datetime.now().timestamp(),
+                    },
+                )
+
+        return self.async_show_form(
+            step_id="reauth_confirm",
+            data_schema=STEP_REAUTH_SCHEMA,
+            description_placeholders={"email": reauth_entry.data[CONF_EMAIL]},
+            errors=errors,
+        )
@@ -14,7 +14,7 @@ from aioaquacell import (
 from homeassistant.config_entries import ConfigEntry
 from homeassistant.const import CONF_EMAIL, CONF_PASSWORD
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryError
+from homeassistant.exceptions import ConfigEntryAuthFailed
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed

 from .const import (
@@ -79,7 +79,7 @@ class AquacellCoordinator(DataUpdateCoordinator[dict[str, Softener]]):

                softeners = await self.aquacell_api.get_all_softeners()
            except AuthenticationFailed as err:
-                raise ConfigEntryError from err
+                raise ConfigEntryAuthFailed from err
            except (AquacellApiException, TimeoutError) as err:
                raise UpdateFailed(f"Error communicating with API: {err}") from err

@@ -1,7 +1,8 @@
 {
  "config": {
    "abort": {
-      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]"
+      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
+      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]"
    },
    "error": {
      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
@@ -9,6 +10,13 @@
      "unknown": "[%key:common::config_flow::error::unknown%]"
    },
    "step": {
+      "reauth_confirm": {
+        "data": {
+          "password": "[%key:common::config_flow::data::password%]"
+        },
+        "description": "The password for {email} is no longer valid. Enter your current softener mobile app password to reconnect.",
+        "title": "[%key:common::config_flow::title::reauth%]"
+      },
      "user": {
        "data": {
          "brand": "Brand",
@@ -0,0 +1,28 @@
+"""The Aqvify integration."""
+
+import logging
+
+from homeassistant.const import Platform
+from homeassistant.core import HomeAssistant
+
+from .coordinator import AqvifyConfigEntry, AqvifyCoordinator
+
+_LOGGER = logging.getLogger(__name__)
+PLATFORMS: list[Platform] = [Platform.SENSOR]
+
+
+async def async_setup_entry(hass: HomeAssistant, entry: AqvifyConfigEntry) -> bool:
+    """Set up Aqvify from a config entry."""
+
+    coordinator = AqvifyCoordinator(hass, entry)
+    await coordinator.async_config_entry_first_refresh()
+    entry.runtime_data = coordinator
+
+    await hass.config_entries.async_forward_entry_setups(entry, PLATFORMS)
+
+    return True
+
+
+async def async_unload_entry(hass: HomeAssistant, entry: AqvifyConfigEntry) -> bool:
+    """Unload Aqvify config entry."""
+    return await hass.config_entries.async_unload_platforms(entry, PLATFORMS)
@@ -0,0 +1,113 @@
+"""Config flow for the Aqvify integration."""
+
+from collections.abc import Mapping
+import logging
+from typing import Any
+
+from aiohttp import ClientResponseError
+from pyaqvify import AqvifyAPI, AqvifyAuthException
+import voluptuous as vol
+
+from homeassistant.config_entries import (
+    SOURCE_RECONFIGURE,
+    ConfigFlow,
+    ConfigFlowResult,
+)
+from homeassistant.const import CONF_API_KEY
+from homeassistant.helpers.aiohttp_client import async_get_clientsession
+
+from .const import DOMAIN
+
+_LOGGER = logging.getLogger(__name__)
+
+STEP_USER_DATA_SCHEMA = vol.Schema(
+    {
+        vol.Required(CONF_API_KEY): str,
+    }
+)
+
+
+class AqvifyConfigFlow(ConfigFlow, domain=DOMAIN):
+    """Handle a config flow for Aqvify."""
+
+    VERSION = 1
+
+    async def async_step_user(
+        self, user_input: dict[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """Handle the initial step."""
+        errors: dict[str, str] = {}
+        if user_input is not None:
+            hub = AqvifyAPI(
+                user_input[CONF_API_KEY],
+                websession=async_get_clientsession(self.hass),
+            )
+            try:
+                account_data = await hub.async_get_account_id()
+            except AqvifyAuthException:
+                errors["base"] = "invalid_auth"
+            except ClientResponseError:
+                errors["base"] = "cannot_connect"
+            except Exception:
+                _LOGGER.exception("Unexpected exception")
+                errors["base"] = "unknown"
+            else:
+                await self.async_set_unique_id(account_data.account_id)
+                if self.source == SOURCE_RECONFIGURE:
+                    self._abort_if_unique_id_mismatch()
+                    return self.async_update_reload_and_abort(
+                        self._get_reconfigure_entry(), data_updates=user_input
+                    )
+                self._abort_if_unique_id_configured()
+                return self.async_create_entry(title="Aqvify", data=user_input)
+
+        return self.async_show_form(
+            step_id="user",
+            data_schema=STEP_USER_DATA_SCHEMA,
+            errors=errors,
+            description_placeholders={
+                "aqvify_url": "https://app.aqvify.com/User",
+            },
+        )
+
+    async def async_step_reauth(
+        self, entry_data: Mapping[str, Any]
+    ) -> ConfigFlowResult:
+        """Perform reauth upon an API authentication error."""
+
+        return await self.async_step_reauth_confirm()
+
+    async def async_step_reauth_confirm(
+        self, user_input: dict[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """Handle re-authentication confirmation."""
+        errors = {}
+
+        if user_input is not None:
+            api_client = AqvifyAPI(
+                user_input[CONF_API_KEY],
+                websession=async_get_clientsession(self.hass),
+            )
+            try:
+                account_data = await api_client.async_get_account_id()
+            except AqvifyAuthException:
+                errors["base"] = "invalid_auth"
+            except ClientResponseError:
+                errors["base"] = "cannot_connect"
+            else:
+                await self.async_set_unique_id(account_data.account_id)
+                self._abort_if_unique_id_mismatch()
+                return self.async_update_reload_and_abort(
+                    self._get_reauth_entry(), data_updates=user_input
+                )
+        return self.async_show_form(
+            step_id="reauth_confirm",
+            data_schema=STEP_USER_DATA_SCHEMA,
+            errors=errors,
+        )
+
+    async def async_step_reconfigure(
+        self, user_input: Mapping[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """User initiated reconfiguration."""
+        return await self.async_step_user()
@@ -0,0 +1,3 @@
+"""Constants for the Aqvify integration."""
+
+DOMAIN = "aqvify"
@@ -0,0 +1,154 @@
+"""Coordinator for Aqvify integration."""
+
+from dataclasses import dataclass
+from datetime import timedelta
+import logging
+
+from aiohttp import ClientResponseError
+from pyaqvify import AqvifyAPI, AqvifyAuthException, AqvifyDeviceData, AqvifyDevices
+
+from homeassistant.config_entries import ConfigEntry
+from homeassistant.const import CONF_API_KEY
+from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import ConfigEntryAuthFailed, ConfigEntryNotReady
+from homeassistant.helpers.aiohttp_client import async_get_clientsession
+import homeassistant.helpers.device_registry as dr
+from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed
+
+from .const import DOMAIN
+
+_LOGGER = logging.getLogger(__name__)
+
+UPDATE_INTERVAL = timedelta(seconds=60)
+
+type AqvifyConfigEntry = ConfigEntry[AqvifyCoordinator]
+
+
+@dataclass
+class AqvifyCoordinatorData:
+    """Data class for storing coordinator data."""
+
+    devices: AqvifyDevices
+    device_data: dict[str, AqvifyDeviceData]
+
+
+class AqvifyCoordinator(DataUpdateCoordinator[AqvifyCoordinatorData]):
+    """Data update coordinator for Aqvify devices."""
+
+    config_entry: AqvifyConfigEntry
+
+    def __init__(self, hass: HomeAssistant, entry: AqvifyConfigEntry) -> None:
+        """Initialize the Aqvify data update coordinator."""
+        super().__init__(
+            hass,
+            logger=_LOGGER,
+            name=DOMAIN,
+            update_interval=UPDATE_INTERVAL,
+            config_entry=entry,
+        )
+
+        self.api_client = AqvifyAPI(
+            entry.data[CONF_API_KEY], websession=async_get_clientsession(hass)
+        )
+        self.previous_devices: set[str] = set()
+
+    async def _async_setup(self) -> None:
+        """Set up the coordinator."""
+        try:
+            await self.api_client.async_get_account_id()
+        except AqvifyAuthException:
+            raise ConfigEntryAuthFailed(
+                translation_domain=DOMAIN,
+                translation_key="invalid_api_key",
+            ) from None
+        except ClientResponseError as err:
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="api_error",
+                translation_placeholders={
+                    "entry": self.config_entry.title,
+                },
+            ) from err
+        except TimeoutError as err:
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="api_timeout",
+                translation_placeholders={
+                    "entry": self.config_entry.title,
+                },
+            ) from err
+
+    async def _async_update_data(self) -> AqvifyCoordinatorData:
+        """Fetch device state."""
+        try:
+            devices = await self.api_client.async_get_devices()
+        except AqvifyAuthException:
+            raise ConfigEntryAuthFailed(
+                translation_domain=DOMAIN,
+                translation_key="invalid_api_key",
+            ) from None
+        except ClientResponseError as err:
+            raise UpdateFailed(
+                translation_domain=DOMAIN,
+                translation_key="api_error",
+                translation_placeholders={
+                    "entry": self.config_entry.title,
+                },
+            ) from err
+        except TimeoutError as err:
+            raise UpdateFailed(
+                translation_domain=DOMAIN,
+                translation_key="api_timeout",
+                translation_placeholders={
+                    "entry": self.config_entry.title,
+                },
+            ) from err
+
+        current_devices = set(devices.devices.keys())
+        if stale_devices := self.previous_devices - current_devices:
+            account_id = self.config_entry.unique_id
+            device_registry = dr.async_get(self.hass)
+            for device_id in stale_devices:
+                device = device_registry.async_get_device(
+                    identifiers={(DOMAIN, f"{account_id}_{device_id}")}
+                )
+                if device:
+                    device_registry.async_update_device(
+                        device_id=device.id,
+                        remove_config_entry_id=self.config_entry.entry_id,
+                    )
+        self.previous_devices = current_devices
+
+        device_data = {}
+        for aqvify_device in devices.devices.values():
+            try:
+                device_key = str(aqvify_device.device_key)
+                device_data[
+                    device_key
+                ] = await self.api_client.async_get_device_latest_data(device_key)
+            except AqvifyAuthException:
+                raise ConfigEntryAuthFailed(
+                    translation_domain=DOMAIN,
+                    translation_key="invalid_api_key",
+                ) from None
+            except ClientResponseError as err:
+                raise UpdateFailed(
+                    translation_domain=DOMAIN,
+                    translation_key="api_error",
+                    translation_placeholders={
+                        "entry": self.config_entry.title,
+                    },
+                ) from err
+            except TimeoutError as err:
+                raise UpdateFailed(
+                    translation_domain=DOMAIN,
+                    translation_key="api_timeout",
+                    translation_placeholders={
+                        "entry": self.config_entry.title,
+                    },
+                ) from err
+
+        return AqvifyCoordinatorData(
+            devices=devices,
+            device_data=device_data,
+        )
@@ -0,0 +1,30 @@
+"""Diagnostics platform for Aqvify integration."""
+
+from typing import Any
+
+from homeassistant.components.diagnostics import async_redact_data
+from homeassistant.const import CONF_API_KEY
+from homeassistant.core import HomeAssistant
+
+from .coordinator import AqvifyConfigEntry
+
+TO_REDACT = [CONF_API_KEY]
+TO_REDACT_AQVIFY = ["name"]
+
+
+async def async_get_config_entry_diagnostics(
+    hass: HomeAssistant, entry: AqvifyConfigEntry
+) -> dict[str, Any]:
+    """Return diagnostics for a config entry."""
+
+    device_list_raw_data = entry.runtime_data.data.devices.raw
+    device_data_raw_data = {
+        key: device.raw_data
+        for key, device in entry.runtime_data.data.device_data.items()
+    }
+
+    return {
+        "entry_data": async_redact_data(entry.data, TO_REDACT),
+        "devices": async_redact_data(device_list_raw_data, TO_REDACT_AQVIFY),
+        "device_data": device_data_raw_data,
+    }
@@ -0,0 +1,35 @@
+"""Defines a base Aqvify entity."""
+
+from homeassistant.helpers.device_registry import DeviceInfo
+from homeassistant.helpers.entity import EntityDescription
+from homeassistant.helpers.update_coordinator import CoordinatorEntity
+
+from .const import DOMAIN
+from .coordinator import AqvifyCoordinator
+
+
+class AqvifyBaseEntity(CoordinatorEntity[AqvifyCoordinator]):
+    """Defines a base Aqvify entity."""
+
+    _attr_has_entity_name = True
+
+    def __init__(
+        self,
+        coordinator: AqvifyCoordinator,
+        description: EntityDescription,
+        device_key: str,
+    ) -> None:
+        """Initialize the Aqvify entity."""
+        super().__init__(coordinator)
+
+        account_id = self.coordinator.config_entry.unique_id
+        self.device_key = device_key
+        self._attr_device_info = DeviceInfo(
+            identifiers={(DOMAIN, f"{account_id}_{device_key}")},
+            name=coordinator.data.devices.devices[device_key].name,
+            manufacturer="Aqvify",
+            configuration_url="https://app.aqvify.com",
+            serial_number=device_key,
+        )
+        self._attr_unique_id = f"{account_id}_{device_key}_{description.key}"
+        self.entity_description = description
@@ -0,0 +1,12 @@
+{
+  "entity": {
+    "sensor": {
+      "meter_value": {
+        "default": "mdi:waves-arrow-up"
+      },
+      "water_level": {
+        "default": "mdi:waves"
+      }
+    }
+  }
+}
@@ -0,0 +1,12 @@
+{
+  "domain": "aqvify",
+  "name": "Aqvify",
+  "codeowners": ["@astrandb"],
+  "config_flow": true,
+  "documentation": "https://www.home-assistant.io/integrations/aqvify",
+  "integration_type": "hub",
+  "iot_class": "cloud_polling",
+  "loggers": ["pyaqvify"],
+  "quality_scale": "silver",
+  "requirements": ["pyaqvify==0.0.10"]
+}
@@ -0,0 +1,81 @@
+rules:
+  # Bronze
+  action-setup:
+    status: exempt
+    comment: |
+      No actions in this integration.
+  appropriate-polling: done
+  brands: done
+  common-modules: done
+  config-flow-test-coverage: done
+  config-flow: done
+  dependency-transparency: done
+  docs-actions:
+    status: exempt
+    comment: |
+      The integration does not provide any actions.
+  docs-high-level-description: done
+  docs-installation-instructions: done
+  docs-removal-instructions: done
+  entity-event-setup:
+    status: exempt
+    comment: |
+      Entities of this integration do not explicitly subscribe to events.
+  entity-unique-id: done
+  has-entity-name: done
+  runtime-data: done
+  test-before-configure: done
+  test-before-setup: done
+  unique-config-entry: done
+
+  # Silver
+  action-exceptions:
+    status: exempt
+    comment: |
+      The integration does not provide any actions.
+  config-entry-unloading: done
+  docs-configuration-parameters:
+    status: exempt
+    comment: |
+      There are no configuration options.
+  docs-installation-parameters: done
+  entity-unavailable:
+    status: done
+    comment: |
+      Handled by coordinator.
+  integration-owner: done
+  log-when-unavailable:
+    status: done
+    comment: |
+      Handled by coordinator.
+  parallel-updates: done
+  reauthentication-flow: done
+  test-coverage: done
+
+  # Gold
+  devices: todo
+  diagnostics: todo
+  discovery-update-info: todo
+  discovery: todo
+  docs-data-update: todo
+  docs-examples: todo
+  docs-known-limitations: todo
+  docs-supported-devices: todo
+  docs-supported-functions: todo
+  docs-troubleshooting: todo
+  docs-use-cases: todo
+  dynamic-devices: todo
+  entity-category: todo
+  entity-device-class: todo
+  entity-disabled-by-default: todo
+  entity-translations: todo
+  exception-translations: todo
+  icon-translations: done
+  reconfiguration-flow: todo
+  repair-issues: todo
+  stale-devices: todo
+
+  # Platinum
+  async-dependency: todo
+  inject-websession: todo
+  strict-typing: todo
@@ -0,0 +1,79 @@
+"""Sensor platform for Aqvify integration."""
+
+from collections.abc import Callable
+from dataclasses import dataclass
+from datetime import datetime
+
+from pyaqvify import AqvifyDeviceData
+
+from homeassistant.components.sensor import (
+    SensorDeviceClass,
+    SensorEntity,
+    SensorEntityDescription,
+    SensorStateClass,
+    StateType,
+)
+from homeassistant.const import UnitOfLength
+from homeassistant.core import HomeAssistant
+from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
+
+from .coordinator import AqvifyConfigEntry
+from .entity import AqvifyBaseEntity
+
+# Coordinator is used to centralize the data updates.
+PARALLEL_UPDATES = 0
+
+
+@dataclass(frozen=True, kw_only=True)
+class AqvifySensorEntityDescription(SensorEntityDescription):
+    """Description of an Aqvify sensor entity."""
+
+    value_fn: Callable[[AqvifyDeviceData], float | int | None]
+
+
+ENTITIES: tuple[AqvifySensorEntityDescription, ...] = (
+    AqvifySensorEntityDescription(
+        key="meter_value",
+        translation_key="meter_value",
+        native_unit_of_measurement=UnitOfLength.METERS,
+        state_class=SensorStateClass.MEASUREMENT,
+        device_class=SensorDeviceClass.DISTANCE,
+        suggested_display_precision=2,
+        value_fn=lambda value: value.meter_value,
+    ),
+    AqvifySensorEntityDescription(
+        key="water_level",
+        translation_key="water_level",
+        native_unit_of_measurement=UnitOfLength.METERS,
+        state_class=SensorStateClass.MEASUREMENT,
+        device_class=SensorDeviceClass.DISTANCE,
+        suggested_display_precision=2,
+        value_fn=lambda value: value.water_level,
+    ),
+)
+
+
+async def async_setup_entry(
+    hass: HomeAssistant,
+    entry: AqvifyConfigEntry,
+    async_add_entities: AddConfigEntryEntitiesCallback,
+) -> None:
+    """Set up Aqvify sensor entities from a config entry."""
+    async_add_entities(
+        AqvifySensor(entry.runtime_data, description, device_key)
+        for description in ENTITIES
+        for device_key in entry.runtime_data.data.devices.devices
+    )
+
+
+class AqvifySensor(AqvifyBaseEntity, SensorEntity):
+    """Representation of an Aqvify sensor entity."""
+
+    entity_description: AqvifySensorEntityDescription
+
+    @property
+    def native_value(self) -> StateType | datetime | None:
+        """Return the state of the sensor."""
+        return self.entity_description.value_fn(
+            self.coordinator.data.device_data[self.device_key]
+        )
@@ -0,0 +1,56 @@
+{
+  "config": {
+    "abort": {
+      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
+      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]",
+      "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]",
+      "unique_id_mismatch": "The entered API key corresponds to a different account."
+    },
+    "error": {
+      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
+      "invalid_auth": "[%key:common::config_flow::error::invalid_auth%]",
+      "unknown": "[%key:common::config_flow::error::unknown%]"
+    },
+    "step": {
+      "reauth_confirm": {
+        "data": {
+          "api_key": "[%key:common::config_flow::data::api_key%]"
+        },
+        "data_description": {
+          "api_key": "[%key:component::aqvify::config::step::user::data_description::api_key%]"
+        },
+        "description": "Reauthentication required. Please enter your updated API key."
+      },
+      "user": {
+        "data": {
+          "api_key": "[%key:common::config_flow::data::api_key%]"
+        },
+        "data_description": {
+          "api_key": "Your Aqvify API key"
+        },
+        "description": "Navigate to your [Aqvify account]({aqvify_url}), copy your API key, and paste it below."
+      }
+    }
+  },
+  "entity": {
+    "sensor": {
+      "meter_value": {
+        "name": "Meter value"
+      },
+      "water_level": {
+        "name": "Water level"
+      }
+    }
+  },
+  "exceptions": {
+    "api_error": {
+      "message": "An error occurred while communicating with the Aqvify API for {entry}"
+    },
+    "api_timeout": {
+      "message": "Timeout occurred while communicating with the Aqvify API for {entry}"
+    },
+    "invalid_api_key": {
+      "message": "Invalid API key. Please verify your API key and try to reauthenticate."
+    }
+  }
+}
@@ -31,7 +31,7 @@ from homeassistant.const import (
    UnitOfTime,
 )
 from homeassistant.core import HomeAssistant
-from homeassistant.helpers.device_registry import DeviceInfo
+from homeassistant.helpers.device_registry import CONNECTION_BLUETOOTH, DeviceInfo
 from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

@@ -144,7 +144,9 @@ def _sensor_device_info_to_hass(
    adv: Aranet4Advertisement,
 ) -> DeviceInfo:
    """Convert a sensor device info to hass device info."""
-    hass_device_info = DeviceInfo({})
+    hass_device_info = DeviceInfo(
+        connections={(CONNECTION_BLUETOOTH, adv.device.address)}
+    )
    if adv.readings and adv.readings.name:
        hass_device_info[ATTR_NAME] = adv.readings.name
        hass_device_info[ATTR_MANUFACTURER] = ARANET_MANUFACTURER_NAME
@@ -1816,6 +1816,11 @@ class PipelineInput:
                            await self.run.text_to_speech(tts_input)

        except PipelineError as err:
+            if self.run.tts_stream:
+                # Clean up TTS stream
+                self.run.tts_stream.delete()
+                self.run.tts_stream = None
+
            self.run.process_event(
                PipelineEvent(
                    PipelineEventType.ERROR,
@@ -1885,15 +1890,17 @@ class PipelineInput:
        ):
            prepare_tasks.append(self.run.prepare_recognize_intent(self.session))

+        if prepare_tasks:
+            await asyncio.gather(*prepare_tasks)
+
+        # Do TTS prepare separately so we don't create a ResultStream if the
+        # pipeline is invalid.
        if (
            start_stage_index
            <= PIPELINE_STAGE_ORDER.index(PipelineStage.TTS)
            <= end_stage_index
        ):
-            prepare_tasks.append(self.run.prepare_text_to_speech())
-
-        if prepare_tasks:
-            await asyncio.gather(*prepare_tasks)
+            await self.run.prepare_text_to_speech()


 class PipelinePreferred(CollectionError):
@@ -3,8 +3,11 @@
 from dataclasses import asdict
 import logging
 from pathlib import Path
+import re
 from typing import Any

+from hassil.parse_expression import parse_sentence
+from hassil.parser import ParseError
 from hassil.util import (
    PUNCTUATION_END,
    PUNCTUATION_END_WORD,
@@ -164,6 +167,7 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
                            [cv.string],
                            has_one_non_empty_item,
                            has_no_punctuation,
+                            is_valid_sentence,
                        ),
                    }
                ],
@@ -201,6 +205,8 @@ async def async_unload_entry(hass: HomeAssistant, entry: ConfigEntry) -> bool:
 def has_no_punctuation(value: list[str]) -> list[str]:
    """Validate result does not contain punctuation."""
    for sentence in value:
+        # Exclude {list_references} which may contain punctuation characters.
+        sentence = _remove_list_references(sentence)
        if (
            PUNCTUATION_START.search(sentence)
            or PUNCTUATION_END.search(sentence)
@@ -212,6 +218,21 @@ def has_no_punctuation(value: list[str]) -> list[str]:
    return value


+def _remove_list_references(sentence: str) -> str:
+    """Remove {list_references} from a sentence for linting."""
+    return re.sub(r"(?<!\\)\{[^{}]*\}", "", sentence)
+
+
+def is_valid_sentence(value: list[str]) -> list[str]:
+    """Validate result can be parsed by hassil."""
+    for sentence in value:
+        try:
+            parse_sentence(sentence)
+        except ParseError as err:
+            raise vol.Invalid(f"invalid sentence: {err}") from err
+    return value
+
+
 def has_one_non_empty_item(value: list[str]) -> list[str]:
    """Validate result has at least one item."""
    if len(value) < 1:
@@ -6,5 +6,5 @@
  "documentation": "https://www.home-assistant.io/integrations/assist_satellite",
  "integration_type": "entity",
  "quality_scale": "internal",
-  "requirements": ["hassil==3.6.0"]
+  "requirements": ["hassil==3.8.0"]
 }
@@ -5,5 +5,5 @@
  "documentation": "https://www.home-assistant.io/integrations/aten_pe",
  "iot_class": "local_polling",
  "quality_scale": "legacy",
-  "requirements": ["atenpdu==0.3.2"]
+  "requirements": ["atenpdu==0.3.6"]
 }
@@ -30,5 +30,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_push",
  "loggers": ["pubnub", "yalexs"],
-  "requirements": ["yalexs==9.2.7", "yalexs-ble==3.3.0"]
+  "requirements": ["yalexs==9.2.7", "yalexs-ble==3.3.1"]
 }
@@ -6,6 +6,6 @@
  "documentation": "https://www.home-assistant.io/integrations/bang_olufsen",
  "integration_type": "device",
  "iot_class": "local_push",
-  "requirements": ["mozart-api==5.3.1.108.2"],
+  "requirements": ["mozart-api==6.2.0.44.0"],
  "zeroconf": ["_bangolufsen._tcp.local."]
 }
@@ -1,9 +1,7 @@
 """The BleBox devices integration."""

-import logging
-
 from blebox_uniapi.box import Box
-from blebox_uniapi.error import Error
+from blebox_uniapi.error import ConnectionError, Error, HttpError, UnauthorizedRequest
 from blebox_uniapi.session import ApiHost

 from homeassistant.const import (
@@ -14,14 +12,16 @@ from homeassistant.const import (
    Platform,
 )
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryNotReady
+from homeassistant.exceptions import (
+    ConfigEntryAuthFailed,
+    ConfigEntryError,
+    ConfigEntryNotReady,
+)

 from .const import DEFAULT_SETUP_TIMEOUT
 from .coordinator import BleBoxConfigEntry, BleBoxCoordinator
 from .helpers import get_maybe_authenticated_session

-_LOGGER = logging.getLogger(__name__)
-
 PLATFORMS = [
    Platform.BINARY_SENSOR,
    Platform.BUTTON,
@@ -50,9 +50,15 @@ async def async_setup_entry(hass: HomeAssistant, entry: BleBoxConfigEntry) -> bo

    try:
        product = await Box.async_from_host(api_host)
-    except Error as ex:
-        _LOGGER.error("Identify failed at %s:%d (%s)", api_host.host, api_host.port, ex)
+    except UnauthorizedRequest as ex:
+        raise ConfigEntryAuthFailed from ex
+    except (
+        ConnectionError,
+        HttpError,
+    ) as ex:
        raise ConfigEntryNotReady from ex
+    except Error as ex:
+        raise ConfigEntryError from ex

    coordinator = BleBoxCoordinator(hass, entry, product)
    await coordinator.async_config_entry_first_refresh()
@@ -25,6 +25,9 @@ BINARY_SENSOR_TYPES = (
        key="open",
        device_class=BinarySensorDeviceClass.WINDOW,
    ),
+    BinarySensorEntityDescription(
+        key="input",
+    ),
 )


@@ -56,6 +59,8 @@ class BleBoxBinarySensorEntity(BleBoxEntity[BinarySensorFeature], BinarySensorEn
        """Initialize a BleBox binary sensor feature."""
        super().__init__(coordinator, feature)
        self.entity_description = description
+        if feature.name:
+            self._attr_name = feature.name

    @property
    def is_on(self) -> bool:
@@ -41,6 +41,8 @@ async def async_setup_entry(
 class BleBoxButtonEntity(BleBoxEntity[blebox_uniapi.button.Button], ButtonEntity):
    """Representation of BleBox buttons."""

+    _attr_name = None
+
    def __init__(
        self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.button.Button
    ) -> None:
@@ -51,6 +51,7 @@ async def async_setup_entry(
 class BleBoxClimateEntity(BleBoxEntity[blebox_uniapi.climate.Climate], ClimateEntity):
    """Representation of a BleBox climate feature (saunaBox)."""

+    _attr_name = None
    _attr_supported_features = (
        ClimateEntityFeature.TARGET_TEMPERATURE
        | ClimateEntityFeature.TURN_OFF
@@ -1,5 +1,6 @@
 """Config flow for BleBox devices integration."""

+from collections.abc import Mapping
 import logging
 from typing import Any

@@ -16,6 +17,7 @@ import voluptuous as vol
 from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
 from homeassistant.const import CONF_HOST, CONF_PASSWORD, CONF_PORT, CONF_USERNAME
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
+from homeassistant.helpers.service_info.dhcp import DhcpServiceInfo
 from homeassistant.helpers.service_info.zeroconf import ZeroconfServiceInfo

 from . import get_maybe_authenticated_session
@@ -26,6 +28,7 @@ from .const import (
    DEFAULT_PORT,
    DEFAULT_SETUP_TIMEOUT,
    DOMAIN,
+    INVALID_AUTH,
    UNKNOWN,
    UNSUPPORTED_VERSION,
 )
@@ -46,6 +49,7 @@ STEP_SCHEMA = vol.Schema(
 LOG_MSG = {
    UNSUPPORTED_VERSION: "Outdated firmware",
    CANNOT_CONNECT: "Failed to identify device",
+    INVALID_AUTH: "Authentication failed",
    UNKNOWN: "Unknown error while identifying device",
 }

@@ -72,6 +76,21 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            description_placeholders={"address": f"{host}:{port}"},
        )

+    async def _async_box_from_host_or_abort(
+        self, api_host: ApiHost
+    ) -> Box | ConfigFlowResult:
+        """Try to connect to the device; return product or an abort result."""
+        try:
+            return await Box.async_from_host(api_host)
+        except UnsupportedBoxVersion:
+            return self.async_abort(reason="unsupported_device_version")
+        except UnsupportedBoxResponse:
+            return self.async_abort(reason="unsupported_device_response")
+        except UnauthorizedRequest:
+            return self.async_abort(reason="authorization_required")
+        except Error:
+            return self.async_abort(reason="cannot_connect")
+
    async def _async_from_host_or_form(
        self, api_host: ApiHost, user_input: dict[str, Any], step_id: str
    ) -> tuple[Box, None] | tuple[None, ConfigFlowResult]:
@@ -87,7 +106,7 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            )
        except UnauthorizedRequest as ex:
            return None, self.handle_step_exception(
-                ex, schema, host, port, CANNOT_CONNECT, _LOGGER.error, step_id
+                ex, schema, host, port, INVALID_AUTH, _LOGGER.error, step_id
            )
        except Error as ex:
            return None, self.handle_step_exception(
@@ -98,43 +117,50 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
                ex, schema, host, port, UNKNOWN, _LOGGER.error, step_id
            )

-    async def async_step_zeroconf(
-        self, discovery_info: ZeroconfServiceInfo
-    ) -> ConfigFlowResult:
-        """Handle zeroconf discovery."""
-        hass = self.hass
-        ipaddress = (discovery_info.host, discovery_info.port)
-        self.device_config["host"] = discovery_info.host
-        self.device_config["port"] = discovery_info.port
-
-        websession = async_get_clientsession(hass)
+    async def _async_handle_discovery(self, host: str, port: int) -> ConfigFlowResult:
+        """Handle discovery by IP and port; probe device then confirm with the user."""
+        self.device_config["host"] = host
+        self.device_config["port"] = port

+        websession = async_get_clientsession(self.hass)
        api_host = ApiHost(
-            *ipaddress, DEFAULT_SETUP_TIMEOUT, websession, hass.loop, _LOGGER
+            host, port, DEFAULT_SETUP_TIMEOUT, websession, self.hass.loop, _LOGGER
        )

-        try:
-            product = await Box.async_from_host(api_host)
-        except UnsupportedBoxVersion:
-            return self.async_abort(reason="unsupported_device_version")
-        except UnsupportedBoxResponse:
-            return self.async_abort(reason="unsupported_device_response")
+        result = await self._async_box_from_host_or_abort(api_host)
+        if not isinstance(result, Box):
+            return result
+        product = result

        self.device_config["name"] = product.name
        # Check if configured but IP changed since
        await self.async_set_unique_id(product.unique_id)
-        self._abort_if_unique_id_configured(updates={CONF_HOST: discovery_info.host})
+        self._abort_if_unique_id_configured(updates={CONF_HOST: host})
        self.context.update(
            {
                "title_placeholders": {
                    "name": self.device_config["name"],
-                    "host": self.device_config["host"],
+                    "host": host,
                },
-                "configuration_url": f"http://{discovery_info.host}",
+                "configuration_url": f"http://{host}",
            }
        )
        return await self.async_step_confirm_discovery()

+    async def async_step_dhcp(
+        self, discovery_info: DhcpServiceInfo
+    ) -> ConfigFlowResult:
+        """Handle DHCP discovery."""
+        return await self._async_handle_discovery(discovery_info.ip, DEFAULT_PORT)
+
+    async def async_step_zeroconf(
+        self, discovery_info: ZeroconfServiceInfo
+    ) -> ConfigFlowResult:
+        """Handle zeroconf discovery."""
+        return await self._async_handle_discovery(
+            discovery_info.host, discovery_info.port or DEFAULT_PORT
+        )
+
    async def async_step_confirm_discovery(
        self, user_input: dict[str, Any] | None = None
    ) -> ConfigFlowResult:
@@ -153,7 +179,6 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            description_placeholders={
                "name": self.device_config["name"],
                "host": self.device_config["host"],
-                "port": self.device_config["port"],
            },
        )

@@ -246,3 +271,58 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
            reconfigure_entry,
            data_updates=data_updates,
        )
+
+    async def async_step_reauth(
+        self, entry_data: Mapping[str, Any]
+    ) -> ConfigFlowResult:
+        """Handle reauthentication upon an API authentication error."""
+        self.context["title_placeholders"] = {
+            "name": self._get_reauth_entry().title,
+            "host": entry_data[CONF_HOST],
+        }
+        return await self.async_step_reauth_confirm()
+
+    async def async_step_reauth_confirm(
+        self, user_input: dict[str, Any] | None = None
+    ) -> ConfigFlowResult:
+        """Handle reauthentication confirmation."""
+        errors: dict[str, str] = {}
+        reauth_entry = self._get_reauth_entry()
+        host = reauth_entry.data[CONF_HOST]
+        port = reauth_entry.data[CONF_PORT]
+
+        if user_input is not None:
+            username = user_input.get(CONF_USERNAME)
+            password = user_input.get(CONF_PASSWORD)
+            websession = get_maybe_authenticated_session(self.hass, password, username)
+            api_host = ApiHost(
+                host, port, DEFAULT_SETUP_TIMEOUT, websession, self.hass.loop, _LOGGER
+            )
+            try:
+                await Box.async_from_host(api_host)
+            except UnauthorizedRequest:
+                errors["base"] = INVALID_AUTH
+            except Error:
+                errors["base"] = CANNOT_CONNECT
+            except RuntimeError:
+                errors["base"] = UNKNOWN
+            else:
+                return self.async_update_reload_and_abort(
+                    reauth_entry,
+                    data_updates={
+                        CONF_USERNAME: username,
+                        CONF_PASSWORD: password,
+                    },
+                )
+
+        return self.async_show_form(
+            step_id="reauth_confirm",
+            data_schema=vol.Schema(
+                {
+                    vol.Inclusive(CONF_USERNAME, "auth"): str,
+                    vol.Inclusive(CONF_PASSWORD, "auth"): str,
+                }
+            ),
+            errors=errors,
+            description_placeholders={"address": f"{host}:{port}"},
+        )
@@ -7,6 +7,7 @@ DEFAULT_SETUP_TIMEOUT = 10
 # translation strings
 ADDRESS_ALREADY_CONFIGURED = "address_already_configured"
 CANNOT_CONNECT = "cannot_connect"
+INVALID_AUTH = "invalid_auth"
 UNSUPPORTED_VERSION = "unsupported_version"
 UNKNOWN = "unknown"

@@ -24,3 +25,13 @@ OPEN_STATUS: dict[int, str] = {

 LIGHT_MAX_KELVINS = 6500  # 154 Mireds
 LIGHT_MIN_KELVINS = 2700  # 370 Mireds
+
+CO2_LEVEL: dict[int, str] = {
+    0: "excellent",
+    1: "good",
+    2: "acceptable",
+    3: "medium",
+    4: "poor",
+    5: "unhealthy",
+    6: "hazardous",
+}
@@ -4,10 +4,11 @@ from datetime import timedelta
 import logging

 from blebox_uniapi.box import Box
-from blebox_uniapi.error import Error
+from blebox_uniapi.error import Error, UnauthorizedRequest

 from homeassistant.config_entries import ConfigEntry
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import ConfigEntryAuthFailed
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed

 from .const import DOMAIN
@@ -40,6 +41,8 @@ class BleBoxCoordinator(DataUpdateCoordinator[None]):
        """Fetch data from the BleBox device."""
        try:
            await self.box.async_update_data()
+        except UnauthorizedRequest as err:
+            raise ConfigEntryAuthFailed from err
        except Error as err:
            raise UpdateFailed(
                translation_domain=DOMAIN,
@@ -74,6 +74,8 @@ async def async_setup_entry(
 class BleBoxCoverEntity(BleBoxEntity[blebox_uniapi.cover.Cover], CoverEntity):
    """Representation of a BleBox cover feature."""

+    _attr_name = None
+
    def __init__(
        self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.cover.Cover
    ) -> None:
@@ -90,10 +92,10 @@ class BleBoxCoverEntity(BleBoxEntity[blebox_uniapi.cover.Cover], CoverEntity):

        if feature.has_tilt:
            self._attr_supported_features |= (
-                CoverEntityFeature.SET_TILT_POSITION
-                | CoverEntityFeature.OPEN_TILT
-                | CoverEntityFeature.CLOSE_TILT
+                CoverEntityFeature.OPEN_TILT | CoverEntityFeature.CLOSE_TILT
            )
+            if feature.is_calibrated:
+                self._attr_supported_features |= CoverEntityFeature.SET_TILT_POSITION

        if feature.tilt_only:
            self._attr_supported_features &= ~(
@@ -12,11 +12,12 @@ from .coordinator import BleBoxCoordinator
 class BleBoxEntity[_FeatureT: Feature](CoordinatorEntity[BleBoxCoordinator]):
    """Implements a common class for entities representing a BleBox feature."""

+    _attr_has_entity_name = True
+
    def __init__(self, coordinator: BleBoxCoordinator, feature: _FeatureT) -> None:
        """Initialize a BleBox entity."""
        super().__init__(coordinator)
        self._feature = feature
-        self._attr_name = feature.full_name
        self._attr_unique_id = feature.unique_id
        product = feature.product
        self._attr_device_info = DeviceInfo(
@@ -18,6 +18,12 @@
      }
    },
    "sensor": {
+      "co2_level": {
+        "default": "mdi:molecule-co2"
+      },
+      "open_status": {
+        "default": "mdi:window-open"
+      },
      "power_consumption": {
        "default": "mdi:lightning-bolt"
      }
@@ -71,6 +71,11 @@ class BleBoxLightEntity(BleBoxEntity[blebox_uniapi.light.Light], LightEntity):
        super().__init__(coordinator, feature)
        if feature.effect_list:
            self._attr_supported_features = LightEntityFeature.EFFECT
+        if feature.index is not None:
+            self._attr_translation_key = "channel"
+            self._attr_translation_placeholders = {"index": str(feature.index + 1)}
+        else:
+            self._attr_name = None

    @property
    def is_on(self) -> bool:
@@ -3,10 +3,49 @@
  "name": "BleBox devices",
  "codeowners": ["@bbx-a", "@swistakm", "@bkobus-bbx"],
  "config_flow": true,
+  "dhcp": [
+    { "hostname": "rollergate*" },
+    { "hostname": "gatebox*" },
+    { "hostname": "doorbox*" },
+    { "hostname": "shutterbox*" },
+    { "hostname": "switchbox*" },
+    { "hostname": "dimmerbox*" },
+    { "hostname": "dacbox*" },
+    { "hostname": "wlightbox*" },
+    { "hostname": "pixelbox*" },
+    { "hostname": "saunabox*" },
+    { "hostname": "thermobox*" },
+    { "hostname": "tempsensor*" },
+    { "hostname": "energymeter*" },
+    { "hostname": "airsensor*" },
+    { "hostname": "humiditysensor*" },
+    { "hostname": "rainsensor*" },
+    { "hostname": "floodsensor*" },
+    { "hostname": "luxsensor*" },
+    { "hostname": "inputsensor*" },
+    { "hostname": "opensensor*" },
+    { "hostname": "windsensor*" },
+    { "hostname": "co2sensor*" },
+    { "hostname": "simongo*" },
+    { "hostname": "sabaj-k-smrt*" },
+    { "hostname": "rico*" },
+    { "hostname": "smartrollergate*" },
+    { "hostname": "darco_ero_32ws_0*" },
+    { "hostname": "pergoladc*" },
+    { "hostname": "seltsmartscreen*" },
+    { "hostname": "seltvenetianblind*" },
+    { "hostname": "doorunitbox*" },
+    { "hostname": "drutexsmart*" },
+    { "hostname": "swingatecontroller*" },
+    { "hostname": "windowopener*" },
+    { "hostname": "smartawning*" },
+    { "hostname": "smartshade*" },
+    { "hostname": "smartshutter*" }
+  ],
  "documentation": "https://www.home-assistant.io/integrations/blebox",
  "integration_type": "device",
  "iot_class": "local_polling",
  "loggers": ["blebox_uniapi"],
-  "requirements": ["blebox-uniapi==2.5.4"],
+  "requirements": ["blebox-uniapi==2.5.5"],
  "zeroconf": ["_bbxsrv._tcp.local."]
 }
@@ -1,5 +1,6 @@
 """BleBox sensor entities."""

+from collections import Counter
 from collections.abc import Callable
 from dataclasses import dataclass
 from datetime import datetime
@@ -14,6 +15,7 @@ from homeassistant.components.sensor import (
 )
 from homeassistant.const import (
    CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
+    CONCENTRATION_PARTS_PER_MILLION,
    LIGHT_LUX,
    PERCENTAGE,
    UnitOfApparentPower,
@@ -22,6 +24,7 @@ from homeassistant.const import (
    UnitOfEnergy,
    UnitOfFrequency,
    UnitOfPower,
+    UnitOfReactiveEnergy,
    UnitOfReactivePower,
    UnitOfSpeed,
    UnitOfTemperature,
@@ -31,7 +34,7 @@ from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 from homeassistant.helpers.typing import StateType

 from . import BleBoxConfigEntry
-from .const import OPEN_STATUS
+from .const import CO2_LEVEL, OPEN_STATUS
 from .coordinator import BleBoxCoordinator
 from .entity import BleBoxEntity

@@ -50,21 +53,26 @@ SENSOR_TYPES: tuple[BleBoxSensorEntityDescription, ...] = (
        key="pm1",
        device_class=SensorDeviceClass.PM1,
        native_unit_of_measurement=CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="pm2_5",
        device_class=SensorDeviceClass.PM25,
        native_unit_of_measurement=CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="pm10",
        device_class=SensorDeviceClass.PM10,
        native_unit_of_measurement=CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="temperature",
+        translation_key="temperature",
        device_class=SensorDeviceClass.TEMPERATURE,
        native_unit_of_measurement=UnitOfTemperature.CELSIUS,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="powerConsumption",
@@ -76,65 +84,110 @@ SENSOR_TYPES: tuple[BleBoxSensorEntityDescription, ...] = (
        key="humidity",
        device_class=SensorDeviceClass.HUMIDITY,
        native_unit_of_measurement=PERCENTAGE,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="wind",
        device_class=SensorDeviceClass.WIND_SPEED,
        native_unit_of_measurement=UnitOfSpeed.METERS_PER_SECOND,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="illuminance",
        device_class=SensorDeviceClass.ILLUMINANCE,
        native_unit_of_measurement=LIGHT_LUX,
+        state_class=SensorStateClass.MEASUREMENT,
+    ),
+    BleBoxSensorEntityDescription(
+        key="forwardReactiveEnergy",
+        translation_key="forward_reactive_energy",
+        device_class=SensorDeviceClass.REACTIVE_ENERGY,
+        native_unit_of_measurement=UnitOfReactiveEnergy.KILO_VOLT_AMPERE_REACTIVE_HOUR,
+        state_class=SensorStateClass.TOTAL_INCREASING,
+    ),
+    BleBoxSensorEntityDescription(
+        key="reverseReactiveEnergy",
+        translation_key="reverse_reactive_energy",
+        device_class=SensorDeviceClass.REACTIVE_ENERGY,
+        native_unit_of_measurement=UnitOfReactiveEnergy.KILO_VOLT_AMPERE_REACTIVE_HOUR,
+        state_class=SensorStateClass.TOTAL_INCREASING,
    ),
    BleBoxSensorEntityDescription(
        key="forwardActiveEnergy",
+        translation_key="forward_active_energy",
        device_class=SensorDeviceClass.ENERGY,
        native_unit_of_measurement=UnitOfEnergy.KILO_WATT_HOUR,
+        state_class=SensorStateClass.TOTAL_INCREASING,
    ),
    BleBoxSensorEntityDescription(
        key="reverseActiveEnergy",
+        translation_key="reverse_active_energy",
        device_class=SensorDeviceClass.ENERGY,
        native_unit_of_measurement=UnitOfEnergy.KILO_WATT_HOUR,
+        state_class=SensorStateClass.TOTAL_INCREASING,
    ),
    BleBoxSensorEntityDescription(
        key="reactivePower",
-        device_class=SensorDeviceClass.POWER,
+        translation_key="reactive_power",
+        device_class=SensorDeviceClass.REACTIVE_POWER,
        native_unit_of_measurement=UnitOfReactivePower.VOLT_AMPERE_REACTIVE,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="activePower",
+        translation_key="active_power",
        device_class=SensorDeviceClass.POWER,
        native_unit_of_measurement=UnitOfPower.WATT,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="apparentPower",
+        translation_key="apparent_power",
        device_class=SensorDeviceClass.APPARENT_POWER,
        native_unit_of_measurement=UnitOfApparentPower.VOLT_AMPERE,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="voltage",
+        translation_key="voltage",
        device_class=SensorDeviceClass.VOLTAGE,
        native_unit_of_measurement=UnitOfElectricPotential.VOLT,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="current",
+        translation_key="current",
        device_class=SensorDeviceClass.CURRENT,
        native_unit_of_measurement=UnitOfElectricCurrent.MILLIAMPERE,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="frequency",
+        translation_key="frequency",
        device_class=SensorDeviceClass.FREQUENCY,
        native_unit_of_measurement=UnitOfFrequency.HERTZ,
+        state_class=SensorStateClass.MEASUREMENT,
    ),
    BleBoxSensorEntityDescription(
        key="openStatus",
        translation_key="open_status",
        device_class=SensorDeviceClass.ENUM,
-        icon="mdi:window-open",
        options=list(OPEN_STATUS.values()),
        value_fn=lambda v: OPEN_STATUS.get(int(v)) if v is not None else None,
    ),
+    BleBoxSensorEntityDescription(
+        key="co2",
+        device_class=SensorDeviceClass.CO2,
+        native_unit_of_measurement=CONCENTRATION_PARTS_PER_MILLION,
+        state_class=SensorStateClass.MEASUREMENT,
+    ),
+    BleBoxSensorEntityDescription(
+        key="co2Definition",
+        translation_key="co2_level",
+        device_class=SensorDeviceClass.ENUM,
+        options=list(CO2_LEVEL.values()),
+        value_fn=lambda v: CO2_LEVEL.get(int(v)) if v is not None else None,
+    ),
 )


@@ -144,10 +197,20 @@ async def async_setup_entry(
    async_add_entities: AddConfigEntryEntitiesCallback,
 ) -> None:
    """Set up a BleBox entry."""
+
    coordinator = config_entry.runtime_data
+    features = coordinator.box.features.get("sensors", [])
+    counts = Counter(f.device_class for f in features)
    entities = [
-        BleBoxSensorEntity(coordinator, feature, description)
-        for feature in coordinator.box.features.get("sensors", [])
+        BleBoxSensorEntity(
+            coordinator,
+            feature,
+            description,
+            feature.index
+            if counts[feature.device_class] > 1 and feature.index
+            else None,
+        )
+        for feature in features
        for description in SENSOR_TYPES
        if description.key == feature.device_class
    ]
@@ -164,10 +227,16 @@ class BleBoxSensorEntity(BleBoxEntity[blebox_uniapi.sensor.BaseSensor], SensorEn
        coordinator: BleBoxCoordinator,
        feature: blebox_uniapi.sensor.BaseSensor,
        description: BleBoxSensorEntityDescription,
+        index: int | None = None,
    ) -> None:
        """Initialize a BleBox sensor feature."""
        super().__init__(coordinator, feature)
        self.entity_description = description
+        if feature.name:
+            self._attr_name = feature.name
+        elif index is not None and description.translation_key:
+            self._attr_translation_key = f"{description.translation_key}_n"
+            self._attr_translation_placeholders = {"index": str(index)}

    @property
    def native_value(self) -> StateType:
@@ -3,16 +3,38 @@
    "abort": {
      "address_already_configured": "A BleBox device is already configured at {address}.",
      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
+      "authorization_required": "The BleBox device requires authentication.",
+      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
+      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]",
      "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]",
-      "unique_id_mismatch": "The device identifier does not match the previously configured device."
+      "unique_id_mismatch": "The device identifier does not match the previously configured device.",
+      "unsupported_device_response": "The BleBox device returned an unrecognized response.",
+      "unsupported_device_version": "[%key:component::blebox::config::error::unsupported_version%]"
    },
    "error": {
      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
+      "invalid_auth": "[%key:common::config_flow::error::invalid_auth%]",
      "unknown": "[%key:common::config_flow::error::unknown%]",
      "unsupported_version": "BleBox device has outdated firmware. Please upgrade it first."
    },
    "flow_title": "{name} ({host})",
    "step": {
+      "confirm_discovery": {
+        "description": "Do you want to add the BleBox device **{name}** at `{host}` to Home Assistant?",
+        "title": "BleBox device discovered"
+      },
+      "reauth_confirm": {
+        "data": {
+          "password": "[%key:common::config_flow::data::password%]",
+          "username": "[%key:common::config_flow::data::username%]"
+        },
+        "data_description": {
+          "password": "The password for your BleBox device.",
+          "username": "The username for your BleBox device."
+        },
+        "description": "Enter credentials for the BleBox device at {address}.",
+        "title": "Reauthenticate your BleBox device"
+      },
      "reconfigure": {
        "data": {
          "host": "[%key:common::config_flow::data::ip%]",
@@ -30,14 +52,48 @@
          "port": "[%key:common::config_flow::data::port%]",
          "username": "[%key:common::config_flow::data::username%]"
        },
+        "data_description": {
+          "host": "The IP address of your BleBox device.",
+          "password": "The password for your BleBox device.",
+          "port": "The port of your BleBox device.",
+          "username": "The username for your BleBox device."
+        },
        "description": "Set up your BleBox to integrate with Home Assistant.",
        "title": "Set up your BleBox device"
      }
    }
  },
  "entity": {
+    "light": { "channel": { "name": "Channel {index}" } },
    "sensor": {
+      "active_power": { "name": "Active power" },
+      "active_power_n": { "name": "Active power {index}" },
+      "apparent_power": { "name": "Apparent power" },
+      "apparent_power_n": { "name": "Apparent power {index}" },
+      "co2_level": {
+        "name": "Carbon dioxide level",
+        "state": {
+          "acceptable": "Acceptable",
+          "excellent": "Excellent",
+          "good": "Good",
+          "hazardous": "Hazardous",
+          "medium": "Medium",
+          "poor": "Poor",
+          "unhealthy": "Unhealthy"
+        }
+      },
+      "current": { "name": "Current" },
+      "current_n": { "name": "Current {index}" },
+      "forward_active_energy": { "name": "Forward active energy" },
+      "forward_active_energy_n": { "name": "Forward active energy {index}" },
+      "forward_reactive_energy": { "name": "Forward reactive energy" },
+      "forward_reactive_energy_n": {
+        "name": "Forward reactive energy {index}"
+      },
+      "frequency": { "name": "Frequency" },
+      "frequency_n": { "name": "Frequency {index}" },
      "open_status": {
+        "name": "Open status",
        "state": {
          "ajar": "Ajar",
          "closed": "[%key:common::state::closed%]",
@@ -45,7 +101,20 @@
          "open": "[%key:common::state::open%]",
          "unclosed_or_unlocked": "Unclosed or unlocked"
        }
-      }
+      },
+      "power_consumption": { "name": "Energy last hour" },
+      "reactive_power": { "name": "Reactive power" },
+      "reactive_power_n": { "name": "Reactive power {index}" },
+      "reverse_active_energy": { "name": "Reverse active energy" },
+      "reverse_active_energy_n": { "name": "Reverse active energy {index}" },
+      "reverse_reactive_energy": { "name": "Reverse reactive energy" },
+      "reverse_reactive_energy_n": {
+        "name": "Reverse reactive energy {index}"
+      },
+      "temperature": { "name": "Temperature" },
+      "temperature_n": { "name": "Temperature {index}" },
+      "voltage": { "name": "Voltage" },
+      "voltage_n": { "name": "Voltage {index}" }
    }
  },
  "exceptions": {
@@ -9,6 +9,7 @@ from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback

 from . import BleBoxConfigEntry
+from .coordinator import BleBoxCoordinator
 from .entity import BleBoxEntity
 from .util import blebox_command

@@ -34,6 +35,16 @@ class BleBoxSwitchEntity(BleBoxEntity[blebox_uniapi.switch.Switch], SwitchEntity

    _attr_device_class = SwitchDeviceClass.SWITCH

+    _attr_name = None
+
+    def __init__(
+        self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.switch.Switch
+    ) -> None:
+        """Initialize a BleBox switch feature."""
+        super().__init__(coordinator, feature)
+        if feature.name:
+            self._attr_name = feature.name
+
    @property
    def is_on(self) -> bool | None:
        """Return whether switch is on."""
@@ -169,9 +169,7 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
        try:
            await self._camera.save_recent_clips(output_dir=file_path)
        except OSError as err:
-            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise ServiceValidationError(
-                str(err),
                translation_domain=DOMAIN,
                translation_key="cant_write",
            ) from err
@@ -191,9 +189,7 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
        try:
            await self._camera.video_to_file(filename)
        except OSError as err:
-            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise ServiceValidationError(
-                str(err),
                translation_domain=DOMAIN,
                translation_key="cant_write",
            ) from err
@@ -21,5 +21,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_polling",
  "loggers": ["blinkpy"],
-  "requirements": ["blinkpy==0.25.2"]
+  "requirements": ["blinkpy==0.25.6"]
 }
@@ -26,6 +26,12 @@
        "description": "The credentials for {username} need to be updated",
        "title": "Re-authenticate Blink"
      },
+      "reconfigure": {
+        "data": {
+          "password": "[%key:common::config_flow::data::password%]",
+          "username": "[%key:common::config_flow::data::username%]"
+        }
+      },
      "user": {
        "data": {
          "password": "[%key:common::config_flow::data::password%]",
@@ -54,7 +60,7 @@
  },
  "exceptions": {
    "cant_write": {
-      "message": "Can't write to file."
+      "message": "Can't write to file, check logs for details."
    },
    "failed_arm": {
      "message": "Blink failed to arm camera."
@@ -7,5 +7,5 @@
  "integration_type": "hub",
  "iot_class": "cloud_push",
  "loggers": ["bluecurrent_api"],
-  "requirements": ["bluecurrent-api==1.3.2"]
+  "requirements": ["bluecurrent-api==1.3.3"]
 }
@@ -105,7 +105,7 @@ class BluesoundButton(CoordinatorEntity[BluesoundCoordinator], ButtonEntity):
        if port == DEFAULT_PORT:
            self._attr_device_info = DeviceInfo(
                identifiers={(DOMAIN, format_mac(sync_status.mac))},
-                connections={(CONNECTION_NETWORK_MAC, format_mac(sync_status.mac))},
+                connections={(CONNECTION_NETWORK_MAC, sync_status.mac)},
                name=sync_status.name,
                manufacturer=sync_status.brand,
                model=sync_status.model_name,
@@ -7,7 +7,7 @@
  "documentation": "https://www.home-assistant.io/integrations/bluesound",
  "integration_type": "device",
  "iot_class": "local_polling",
-  "requirements": ["pyblu==2.0.6"],
+  "requirements": ["pyblu==2.0.8"],
  "zeroconf": [
    {
      "type": "_musc._tcp.local."
@@ -118,7 +118,7 @@ class BluesoundPlayer(CoordinatorEntity[BluesoundCoordinator], MediaPlayerEntity
        if port == DEFAULT_PORT:
            self._attr_device_info = DeviceInfo(
                identifiers={(DOMAIN, format_mac(sync_status.mac))},
-                connections={(CONNECTION_NETWORK_MAC, format_mac(sync_status.mac))},
+                connections={(CONNECTION_NETWORK_MAC, sync_status.mac)},
                name=sync_status.name,
                manufacturer=sync_status.brand,
                model=sync_status.model_name,
@@ -6,6 +6,7 @@ These APIs are the only documented way to interact with the bluetooth integratio
 import asyncio
 from asyncio import Future
 from collections.abc import Callable, Iterable
+from contextlib import ExitStack
 from typing import TYPE_CHECKING, cast

 from bleak import BleakScanner
@@ -178,15 +179,20 @@ async def async_process_advertisements(
        if not done.done() and callback(service_info):
            done.set_result(service_info)

-    unload = _get_manager(hass).async_register_callback(
-        _async_discovered_device, match_dict, mode, scan_duration=timeout
-    )
+    manager = _get_manager(hass)
+
+    with ExitStack() as stack:
+        unload = manager.async_register_callback(
+            _async_discovered_device, match_dict, mode
+        )
+        stack.callback(unload)
+
+        if mode == BluetoothScanningMode.ACTIVE:
+            task = hass.async_create_task(manager.async_request_active_scan(timeout))
+            stack.callback(task.cancel)

-    try:
        async with asyncio.timeout(timeout):
            return await done
-    finally:
-        unload()


@hass_callback
@@ -21,6 +21,6 @@
    "bluetooth-auto-recovery==1.6.4",
    "bluetooth-data-tools==1.29.18",
    "dbus-fast==5.0.16",
-    "habluetooth==6.8.1"
+    "habluetooth==6.8.3"
  ]
 }
@@ -55,7 +55,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: BoschConfigEntry) -> boo
    device_registry = dr.async_get(hass)
    device_registry.async_get_or_create(
        config_entry_id=entry.entry_id,
-        connections={(dr.CONNECTION_NETWORK_MAC, dr.format_mac(shc_info.unique_id))},
+        connections={(dr.CONNECTION_NETWORK_MAC, shc_info.unique_id)},
        identifiers={(DOMAIN, shc_info.unique_id)},
        manufacturer="Bosch",
        name=entry.title,
@@ -8,7 +8,7 @@
  "integration_type": "hub",
  "iot_class": "local_push",
  "loggers": ["boschshcpy"],
-  "requirements": ["boschshcpy==0.2.107"],
+  "requirements": ["boschshcpy==0.2.111"],
  "zeroconf": [
    {
      "name": "bosch shc*",
@@ -125,7 +125,7 @@ class BringTodoListEntity(BringBaseEntity, TodoListEntity):
        await self.coordinator.async_refresh()

    async def async_update_todo_item(self, item: TodoItem) -> None:
-        """Update an item to the To-do list.
+        """Update an item in the To-do list.

        Bring has an internal 'recent' list which we want to use instead of a todo list
        status, therefore completed todo list items are matched to the recent list and
@@ -118,7 +118,14 @@ class BroadlinkDevice[_ApiT: blk.Device = blk.Device]:
            return False

        except (NetworkTimeoutError, OSError) as err:
-            raise ConfigEntryNotReady from err
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="connect_failed",
+                translation_placeholders={
+                    "host": api.host[0],
+                    "error": str(err),
+                },
+            ) from err

        except BroadlinkException as err:
            _LOGGER.error(
@@ -1,7 +1,7 @@
 {
  "domain": "broadlink",
  "name": "Broadlink",
-  "codeowners": ["@danielhiversen", "@felipediel", "@L-I-Am", "@eifinger"],
+  "codeowners": ["@danielhiversen", "@felipediel", "@L-I-Am"],
  "config_flow": true,
  "dhcp": [
    {
@@ -89,6 +89,9 @@
    }
  },
  "exceptions": {
+    "connect_failed": {
+      "message": "Failed to connect to the device at {host}: {error}"
+    },
    "frequency_not_supported": {
      "message": "Broadlink devices cannot transmit on {frequency} MHz"
    },
@@ -31,11 +31,7 @@ from homeassistant.exceptions import (
 )
 from homeassistant.helpers import config_validation as cv, device_registry as dr
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
-from homeassistant.helpers.device_registry import (
-    CONNECTION_NETWORK_MAC,
-    DeviceInfo,
-    format_mac,
-)
+from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
 from homeassistant.helpers.typing import ConfigType

 from .const import (
@@ -75,7 +71,7 @@ def get_bsblan_device_info(
    """Build DeviceInfo for the main BSB-LAN controller device."""
    return DeviceInfo(
        identifiers={(DOMAIN, device.MAC)},
-        connections={(CONNECTION_NETWORK_MAC, format_mac(device.MAC))},
+        connections={(CONNECTION_NETWORK_MAC, device.MAC)},
        name=device.name,
        manufacturer="BSBLAN Inc.",
        model=(
@@ -230,10 +226,6 @@ async def async_migrate_entry(hass: HomeAssistant, entry: BSBLanConfigEntry) ->
        entry.minor_version,
    )

-    if entry.version > 1:
-        # Downgraded from a future version; cannot migrate.
-        return False
-
    # 1.1 -> 1.2: Add CONF_HEATING_CIRCUITS. Attempt to discover available
    # heating circuits from the device; fall back to [1] (pre-multi-circuit
    # default) if the device is unreachable or the endpoint is unsupported.
@@ -183,7 +183,6 @@ class BSBLANClimate(BSBLanCircuitEntity, ClimateEntity):
        try:
            await self.coordinator.client.thermostat(**data, circuit=self._circuit)
        except BSBLANError as err:
-            # pylint: disable-next=home-assistant-exception-message-with-translation
            raise HomeAssistantError(
                translation_domain=DOMAIN,
                translation_key="set_data_error",
@@ -20,5 +20,5 @@
  "dependencies": ["bluetooth_adapters"],
  "documentation": "https://www.home-assistant.io/integrations/bthome",
  "iot_class": "local_push",
-  "requirements": ["bthome-ble==3.23.2"]
+  "requirements": ["bthome-ble==3.23.4"]
 }
@@ -7,5 +7,5 @@
  "integration_type": "service",
  "iot_class": "cloud_polling",
  "loggers": ["buienradar", "vincenty"],
-  "requirements": ["buienradar==1.0.6"]
+  "requirements": ["buienradar==1.0.9"]
 }
@@ -24,7 +24,7 @@ from homeassistant.components.websocket_api import (
    ActiveConnection,
 )
 from homeassistant.config_entries import ConfigEntry
-from homeassistant.const import STATE_OFF, STATE_ON
+from homeassistant.const import CONF_EVENT, STATE_OFF, STATE_ON
 from homeassistant.core import (
    CALLBACK_TYPE,
    HomeAssistant,
@@ -45,7 +45,6 @@ from homeassistant.util import dt as dt_util
 from homeassistant.util.json import JsonValueType

 from .const import (
-    CONF_EVENT,
    DATA_COMPONENT,
    DOMAIN,
    EVENT_DESCRIPTION,
--- a/Show More
+++ b/Show More