sandbox/docs: add core-HA touch-surface slide; note unregister hook

Add PRESENTATION.md Slide 11 enumerating the five core-HA seams (from
ARCHITECTURE.md §12) and the no-monkey-patching discipline. Update §12 +
the slide to include the inverse `async_unregister_remote_platform` hook
that the crash-recovery plan added alongside `async_register_remote_platform`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitattributes

@@ -22,4 +22,4 @@ requirements.txt linguist-generated=true
 requirements_all.txt linguist-generated=true
 requirements_test_pre_commit.txt linguist-generated=true
 script/hassfest/docker/Dockerfile linguist-generated=true
-.github/workflows/*.lock.yml linguist-generated=true merge=ours
+.github/workflows/*.lock.yml linguist-generated=true

.github/copilot-instructions.md

@@ -6,7 +6,6 @@
 
 - Start review comments with a short, one-sentence summary of the suggested fix.
 - Do not comment on code style, formatting or linting issues.
-- Flag comments that over-explain straightforward code, narrate the obvious, or read like AI commentary (multi-sentence justifications for a single line).
 - A Pull Request with a dependency version bump should only contain changes required for the version bump. If the PR includes other changes, request that they are removed from the PR.
 
 # GitHub Copilot & Claude Code Instructions
@@ -51,5 +50,4 @@ This repository contains the core of Home Assistant, a Python 3 based home autom
 - Integrations with Platinum or Gold level in the Integration Quality Scale reflect a high standard of code quality and maintainability. When looking for examples of something, these are good places to start. The level is indicated in the manifest.json of the integration.
 - When reviewing entity actions, do not suggest extra defensive checks for input fields that are already validated by Home Assistant's service/action schemas and entity selection filters. Suggest additional guards only when data bypasses those validators or is transformed into a less-safe form.
 - When validation guarantees a dict key exists, prefer direct key access (`data["key"]`) instead of `.get("key")` so contract violations are surfaced instead of silently masked.
-- Keep comments concise. Prefer one short line stating the non-obvious constraint, or no comment at all.
-- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why (non-obvious constraints, surprising behavior, or workarounds), never what. Never add comments that justify a change by referencing what the code looked like before.
+- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why — non-obvious constraints, surprising behavior, or workarounds — never what.

.github/dependabot.yml

@@ -14,4 +14,3 @@ updates:
     ignore:
       # Managed by gh aw compile. Version-locked to the gh-aw compiler; do not bump.
       - dependency-name: "github/gh-aw-actions/**"
-      - dependency-name: "github/gh-aw-actions"

.github/workflows/builder.yml

@@ -38,7 +38,7 @@ jobs:
       base_image_version: ${{ env.BASE_IMAGE_VERSION }}
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -102,7 +102,7 @@ jobs:
             os: ubuntu-24.04-arm
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -193,7 +193,7 @@ jobs:
           echo "${GITHUB_SHA};${GITHUB_REF};${GITHUB_EVENT_NAME};${GITHUB_ACTOR}" > rootfs/OFFICIAL_IMAGE
 
       - name: Build base image
-        uses: home-assistant/builder/actions/build-image@4de35182ce1e329181bffcbcc84d33db5e2c7e10 # 2026.06.0
+        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
         with:
           arch: ${{ matrix.arch }}
           build-args: |
@@ -245,7 +245,7 @@ jobs:
             runs-on: ubuntu-24.04
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -264,7 +264,7 @@ jobs:
           fi
 
       - name: Build machine image
-        uses: home-assistant/builder/actions/build-image@4de35182ce1e329181bffcbcc84d33db5e2c7e10 # 2026.06.0
+        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
         with:
           arch: ${{ matrix.arch }}
           build-args: |
@@ -292,7 +292,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -471,7 +471,7 @@ jobs:
     if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -518,7 +518,7 @@ jobs:
       HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/check-requirements-deterministic.yml

@@ -40,7 +40,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python
@@ -50,24 +50,19 @@ jobs:
           check-latest: true
       - name: Install script dependencies
         run: pip install -r script/check_requirements/requirements.txt
-      - name: Collect PR diff and head SHA
-        id: pr
+      - name: Collect PR diff
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
         run: |
           mkdir -p deterministic
           gh pr diff "${PR_NUMBER}" > deterministic/pr.diff
-          HEAD_SHA=$(gh pr view "${PR_NUMBER}" --json headRefOid --jq '.headRefOid')
-          echo "head_sha=${HEAD_SHA}" >> "${GITHUB_OUTPUT}"
       - name: Run deterministic checks
         env:
           PR_NUMBER: ${{ inputs.pull_request_number || github.event.pull_request.number }}
-          HEAD_SHA: ${{ steps.pr.outputs.head_sha }}
         run: |
           python -m script.check_requirements \
             --pr-number "${PR_NUMBER}" \
-            --head-sha "${HEAD_SHA}" \
             --diff deterministic/pr.diff \
             --output deterministic/results.json
       - name: Upload deterministic-results artifact

.github/workflows/check-requirements.lock.yml

@@ -1,5 +1,5 @@
-# gh-aw-metadata: {"schema_version":"v4","frontmatter_hash":"328ce915f8b178bbcfcb1b69f397ac996456a4ab50490805b5b3bdd26cbf58fe","body_hash":"0665c72fe4b0a14b3a0b396dc293ce78235771fe15ebc894662fece33b189135","compiler_version":"v0.79.6","strict":true,"agent_id":"copilot","engine_versions":{"copilot":"1.0.60"}}
-# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"df4cb1c069e1874edd31b4311f1884172cec0e10","version":"v6.0.3"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"v0.79.6","version":"v0.79.6"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2","digest":"sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6","pinned_image":"ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2","digest":"sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4","pinned_image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2","digest":"sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591","pinned_image":"ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.25","digest":"sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa"},{"image":"ghcr.io/github/github-mcp-server:v1.1.2","digest":"sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c","pinned_image":"ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c"}]}
+# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"75b8b624ba0c144fb4b28cba143d16a47c30de8afae568fa3256c6febe01a68a","compiler_version":"v0.74.4","strict":true,"agent_id":"copilot"}
+# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9.0.0"},{"repo":"actions/setup-node","sha":"48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e","version":"v6.4.0"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"d3abfe96a194bce3a523ed2093ddedd5704cdf62","version":"v0.74.4"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.46"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.3.9","digest":"sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388","pinned_image":"ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388"},{"image":"ghcr.io/github/github-mcp-server:v1.0.4"},{"image":"node:lts-alpine","digest":"sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f","pinned_image":"node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f"}]}
 #    ___                   _   _      
 #   / _ \                 | | (_)     
 #  | |_| | __ _  ___ _ __ | |_ _  ___ 
@@ -14,7 +14,7 @@
 # \  /\  / (_) | | | | ( | | | | (_) \ V  V /\__ \
 #  \/  \/ \___/|_| |_|\_\|_| |_|\___/ \_/\_/ |___/
 #
-# This file was automatically generated by gh-aw (v0.79.6). DO NOT EDIT.
+# This file was automatically generated by gh-aw (v0.74.4). DO NOT EDIT.
 #
 # To update this file, edit the corresponding .md file and run:
 #   gh aw compile
@@ -31,19 +31,20 @@
 #   - GITHUB_TOKEN
 #
 # Custom actions used:
-#   - actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+#   - actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 #   - actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 #   - actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
 #   - actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 #   - actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-#   - github/gh-aw-actions/setup@v0.79.6
+#   - github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
 #
 # Container images used:
-#   - ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6
-#   - ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4
-#   - ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591
-#   - ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa
-#   - ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c
+#   - ghcr.io/github/gh-aw-firewall/agent:0.25.46
+#   - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46
+#   - ghcr.io/github/gh-aw-firewall/squid:0.25.46
+#   - ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388
+#   - ghcr.io/github/github-mcp-server:v1.0.4
+#   - node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
 
 name: "Check requirements (AW)"
 on:
@@ -58,13 +59,15 @@ permissions: {}
 
 concurrency:
   cancel-in-progress: true
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
 
 run-name: "Check requirements (AW)"
 
 jobs:
   activation:
-    needs: pre_activation
+    needs:
+      - extract_pr_number
+      - pre_activation
     # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation
     if: >
       (needs.pre_activation.outputs.activated == 'true') && (github.event_name != 'workflow_run' || github.event.workflow_run.repository.id == github.repository_id &&
@@ -73,14 +76,9 @@ jobs:
     permissions:
       actions: read
       contents: read
-    env:
-      GH_AW_MAX_DAILY_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_DAILY_AI_CREDITS || '5000' }}
     outputs:
       comment_id: ""
       comment_repo: ""
-      daily_effective_workflow_exceeded: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_exceeded == 'true' }}
-      daily_effective_workflow_threshold: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_threshold || '' }}
-      daily_effective_workflow_total_effective_tokens: ${{ steps.daily-effective-workflow-guardrail.outputs.daily_effective_workflow_total_effective_tokens || '' }}
       engine_id: ${{ steps.generate_aw_info.outputs.engine_id }}
       lockdown_check_failed: ${{ steps.generate_aw_info.outputs.lockdown_check_failed == 'true' }}
       model: ${{ steps.generate_aw_info.outputs.model }}
@@ -92,35 +90,33 @@ jobs:
     steps:
       - name: Setup Scripts
         id: setup
-        uses: github/gh-aw-actions/setup@v0.79.6
+        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
           job-name: ${{ github.job }}
           trace-id: ${{ needs.pre_activation.outputs.setup-trace-id }}
           parent-span-id: ${{ needs.pre_activation.outputs.setup-parent-span-id || needs.pre_activation.outputs.setup-span-id }}
-          safe-output-artifact-client: ${{ env.GH_AW_MAX_DAILY_AI_CREDITS != '' }}
         env:
           GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
           GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.60"
-          GH_AW_INFO_AWF_VERSION: "v0.27.2"
+          GH_AW_INFO_VERSION: "1.0.48"
           GH_AW_INFO_ENGINE_ID: "copilot"
       - name: Generate agentic run info
         id: generate_aw_info
         env:
           GH_AW_INFO_ENGINE_ID: "copilot"
           GH_AW_INFO_ENGINE_NAME: "GitHub Copilot CLI"
-          GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
-          GH_AW_INFO_VERSION: "1.0.60"
-          GH_AW_INFO_AGENT_VERSION: "1.0.60"
-          GH_AW_INFO_CLI_VERSION: "v0.79.6"
+          GH_AW_INFO_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
+          GH_AW_INFO_VERSION: "1.0.48"
+          GH_AW_INFO_AGENT_VERSION: "1.0.48"
+          GH_AW_INFO_CLI_VERSION: "v0.74.4"
           GH_AW_INFO_WORKFLOW_NAME: "Check requirements (AW)"
           GH_AW_INFO_EXPERIMENTAL: "false"
           GH_AW_INFO_SUPPORTS_TOOLS_ALLOWLIST: "true"
           GH_AW_INFO_STAGED: "false"
           GH_AW_INFO_ALLOWED_DOMAINS: '["python"]'
           GH_AW_INFO_FIREWALL_ENABLED: "true"
-          GH_AW_INFO_AWF_VERSION: "v0.27.2"
+          GH_AW_INFO_AWF_VERSION: "v0.25.46"
           GH_AW_INFO_AWMG_VERSION: ""
           GH_AW_INFO_FIREWALL_TYPE: "squid"
           GH_AW_COMPILED_STRICT: "true"
@@ -131,37 +127,18 @@ jobs:
             setupGlobals(core, github, context, exec, io, getOctokit);
             const { main } = require('${{ runner.temp }}/gh-aw/actions/generate_aw_info.cjs');
             await main(core, context);
-      - name: Check daily workflow token guardrail
-        id: daily-effective-workflow-guardrail
-        if: ${{ env.GH_AW_MAX_DAILY_AI_CREDITS != '' }}
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
-          GH_AW_WORKFLOW_ID: "check-requirements"
-          GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-          GH_AW_WORKFLOW_DISPATCH_AW_CONTEXT: ${{ github.event.inputs.aw_context || '' }}
-          GH_AW_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GH_AW_MAX_DAILY_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_DAILY_AI_CREDITS || '5000' }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
-            setupGlobals(core, github, context, exec, io, getOctokit);
-            const { main } = require('${{ runner.temp }}/gh-aw/actions/check_daily_aic_workflow_guardrail.cjs');
-            await main();
       - name: Validate COPILOT_GITHUB_TOKEN secret
         id: validate-secret
         run: bash "${RUNNER_TEMP}/gh-aw/actions/validate_multi_secret.sh" COPILOT_GITHUB_TOKEN 'GitHub Copilot CLI' https://github.github.com/gh-aw/reference/engines/#github-copilot-default
         env:
           COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
       - name: Checkout .github and .agents folders
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           sparse-checkout: |
             .github
             .agents
-            .antigravity
             .claude
             .codex
             .crush
@@ -172,8 +149,8 @@ jobs:
           fetch-depth: 1
       - name: Save agent config folders for base branch restoration
         env:
-          GH_AW_AGENT_FOLDERS: ".agents .antigravity .claude .codex .crush .gemini .github .opencode .pi"
-          GH_AW_AGENT_FILES: ".crush.json AGENTS.md ANTIGRAVITY.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
+          GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
+          GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
         # poutine:ignore untrusted_checkout_exec
         run: bash "${RUNNER_TEMP}/gh-aw/actions/save_base_github_folders.sh"
       - name: Check workflow lock file
@@ -191,7 +168,7 @@ jobs:
       - name: Check compile-agentic version
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
-          GH_AW_COMPILED_VERSION: "v0.79.6"
+          GH_AW_COMPILED_VERSION: "v0.74.4"
         with:
           script: |
             const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
@@ -214,20 +191,20 @@ jobs:
         run: |
           bash "${RUNNER_TEMP}/gh-aw/actions/create_prompt_first.sh"
           {
-          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
           <system>
-          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/xpia.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/temp_folder_prompt.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/markdown.md"
           cat "${RUNNER_TEMP}/gh-aw/prompts/safe_outputs_prompt.md"
-          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
           <safe-output-tools>
           Tools: add_comment, missing_tool, missing_data, noop
           </safe-output-tools>
-          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/mcp_cli_tools_prompt.md"
-          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
           <github-context>
           The following GitHub context information is available for this workflow:
           {{#if github.actor}}
@@ -256,12 +233,12 @@ jobs:
           {{/if}}
           </github-context>
           
-          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
           cat "${RUNNER_TEMP}/gh-aw/prompts/github_mcp_tools_with_safeoutputs_prompt.md"
-          cat << 'GH_AW_PROMPT_781cf5b2f30d6d93_EOF'
+          cat << 'GH_AW_PROMPT_198418d99edc7d5b_EOF'
           </system>
           {{#runtime-import .github/workflows/check-requirements.md}}
-          GH_AW_PROMPT_781cf5b2f30d6d93_EOF
+          GH_AW_PROMPT_198418d99edc7d5b_EOF
           } > "$GH_AW_PROMPT"
       - name: Interpolate variables and render templates
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -329,15 +306,12 @@ jobs:
           include-hidden-files: true
           path: |
             /tmp/gh-aw/aw_info.json
-            /tmp/gh-aw/model_multipliers.json
-            /tmp/gh-aw/models.json
             /tmp/gh-aw/aw-prompts/prompt.txt
             /tmp/gh-aw/aw-prompts/prompt-template.txt
             /tmp/gh-aw/aw-prompts/prompt-import-tree.json
             /tmp/gh-aw/github_rate_limits.jsonl
             /tmp/gh-aw/base
             /tmp/gh-aw/.github/agents
-            /tmp/gh-aw/.github/skills
           if-no-files-found: ignore
           retention-days: 1
 
@@ -345,16 +319,14 @@ jobs:
     needs:
       - activation
       - extract_pr_number
-      - gate
-    if: needs.activation.outputs.daily_effective_workflow_exceeded != 'true'
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
+      issues: read
       pull-requests: read
     concurrency:
       group: "gh-aw-copilot-${{ github.workflow }}"
-      queue: max
     env:
       DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
       GH_AW_ASSETS_ALLOWED_EXTS: ""
@@ -363,27 +335,24 @@ jobs:
       GH_AW_MCP_LOG_DIR: /tmp/gh-aw/mcp-logs/safeoutputs
       GH_AW_WORKFLOW_ID_SANITIZED: checkrequirements
     outputs:
-      agentic_engine_timeout: ${{ steps.detect-agent-errors.outputs.agentic_engine_timeout || 'false' }}
-      ai_credits_rate_limit_error: ${{ steps.parse-mcp-gateway.outputs.ai_credits_rate_limit_error || 'false' }}
-      aic: ${{ steps.parse-mcp-gateway.outputs.aic }}
-      ambient_context: ${{ steps.parse-mcp-gateway.outputs.ambient_context }}
+      agentic_engine_timeout: ${{ steps.detect-copilot-errors.outputs.agentic_engine_timeout || 'false' }}
       checkout_pr_success: ${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}
       effective_tokens: ${{ steps.parse-mcp-gateway.outputs.effective_tokens }}
+      effective_tokens_rate_limit_error: ${{ steps.parse-mcp-gateway.outputs.effective_tokens_rate_limit_error || 'false' }}
       has_patch: ${{ steps.collect_output.outputs.has_patch }}
-      inference_access_error: ${{ steps.detect-agent-errors.outputs.inference_access_error || 'false' }}
-      mcp_policy_error: ${{ steps.detect-agent-errors.outputs.mcp_policy_error || 'false' }}
+      inference_access_error: ${{ steps.detect-copilot-errors.outputs.inference_access_error || 'false' }}
+      mcp_policy_error: ${{ steps.detect-copilot-errors.outputs.mcp_policy_error || 'false' }}
       model: ${{ needs.activation.outputs.model }}
-      model_not_supported_error: ${{ steps.detect-agent-errors.outputs.model_not_supported_error || 'false' }}
+      model_not_supported_error: ${{ steps.detect-copilot-errors.outputs.model_not_supported_error || 'false' }}
       output: ${{ steps.collect_output.outputs.output }}
       output_types: ${{ steps.collect_output.outputs.output_types }}
       setup-parent-span-id: ${{ steps.setup.outputs.parent-span-id || steps.setup.outputs.span-id }}
       setup-span-id: ${{ steps.setup.outputs.span-id }}
       setup-trace-id: ${{ steps.setup.outputs.trace-id }}
-      unknown_model_ai_credits: ${{ steps.parse-mcp-gateway.outputs.unknown_model_ai_credits || 'false' }}
     steps:
       - name: Setup Scripts
         id: setup
-        uses: github/gh-aw-actions/setup@v0.79.6
+        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
           job-name: ${{ github.job }}
@@ -392,8 +361,7 @@ jobs:
         env:
           GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
           GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.60"
-          GH_AW_INFO_AWF_VERSION: "v0.27.2"
+          GH_AW_INFO_VERSION: "1.0.48"
           GH_AW_INFO_ENGINE_ID: "copilot"
       - name: Set runtime paths
         id: set-runtime-paths
@@ -404,7 +372,7 @@ jobs:
             echo "GH_AW_SAFE_OUTPUTS_TOOLS_PATH=${RUNNER_TEMP}/gh-aw/safeoutputs/tools.json"
           } >> "$GITHUB_OUTPUT"
       - name: Checkout repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Create gh-aw temp directory
@@ -438,7 +406,7 @@ jobs:
       - name: Checkout PR branch
         id: checkout-pr
         if: |
-          github.event.pull_request || github.event.issue.pull_request || github.event_name == 'workflow_dispatch' && fromJSON(github.event.inputs.aw_context || '{}').item_type == 'pull_request'
+          github.event.pull_request || github.event.issue.pull_request
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
@@ -450,11 +418,11 @@ jobs:
             const { main } = require('${{ runner.temp }}/gh-aw/actions/checkout_pr_branch.cjs');
             await main();
       - name: Install GitHub Copilot CLI
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.60
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.48
         env:
           GH_HOST: github.com
       - name: Install AWF binary
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.2
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
       - name: Parse integrity filter lists
         id: parse-guard-vars
         env:
@@ -470,28 +438,24 @@ jobs:
       - name: Restore agent config folders from base branch
         if: steps.checkout-pr.outcome == 'success'
         env:
-          GH_AW_AGENT_FOLDERS: ".agents .antigravity .claude .codex .crush .gemini .github .opencode .pi"
-          GH_AW_AGENT_FILES: ".crush.json AGENTS.md ANTIGRAVITY.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
+          GH_AW_AGENT_FOLDERS: ".agents .claude .codex .crush .gemini .github .opencode .pi"
+          GH_AW_AGENT_FILES: ".crush.json AGENTS.md CLAUDE.md GEMINI.md PI.md opencode.jsonc"
         run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_base_github_folders.sh"
       - name: Restore inline sub-agents from activation artifact
         env:
           GH_AW_SUB_AGENT_DIR: ".github/agents"
           GH_AW_SUB_AGENT_EXT: ".agent.md"
         run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_sub_agents.sh"
-      - name: Restore inline skills from activation artifact
-        env:
-          GH_AW_SKILL_DIR: ".github/skills"
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/restore_inline_skills.sh"
       - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6 ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4 ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591 ghcr.io/github/gh-aw-mcpg:v0.3.25@sha256:c10331ad17668ef89f38f5e356678788a40b0cd5fef96e8f92e1d9c1de47cbaa ghcr.io/github/github-mcp-server:v1.1.2@sha256:30197479d8036c7811892bc07e06f9a05c9ef3cdd79bc59f256d50647f95788c
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.46 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46 ghcr.io/github/gh-aw-firewall/squid:0.25.46 ghcr.io/github/gh-aw-mcpg:v0.3.9@sha256:64828b42a4482f58fab16509d7f8f495a6d97c972a98a68aff20543531ac0388 ghcr.io/github/github-mcp-server:v1.0.4 node:lts-alpine@sha256:d1b3b4da11eefd5941e7f0b9cf17783fc99d9c6fc34884a665f40a06dbdfc94f
       - name: Generate Safe Outputs Config
         run: |
           mkdir -p "${RUNNER_TEMP}/gh-aw/safeoutputs"
           mkdir -p /tmp/gh-aw/safeoutputs
           mkdir -p /tmp/gh-aw/mcp-logs/safeoutputs
-          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_f496a449c5dccca1_EOF'
+          cat > "${RUNNER_TEMP}/gh-aw/safeoutputs/config.json" << 'GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF'
           {"add_comment":{"max":1,"target":"${{ needs.extract_pr_number.outputs.pr_number }}"},"create_report_incomplete_issue":{},"missing_data":{},"missing_tool":{},"noop":{"max":1,"report-as-issue":"true"},"report_incomplete":{}}
-          GH_AW_SAFE_OUTPUTS_CONFIG_f496a449c5dccca1_EOF
+          GH_AW_SAFE_OUTPUTS_CONFIG_627e06df80c4e5ad_EOF
       - name: Generate Safe Outputs Tools
         env:
           GH_AW_TOOLS_META_JSON: |
@@ -679,21 +643,21 @@ jobs:
             * ) DOCKER_SOCK_PATH=/var/run/docker.sock ;;
           esac
           DOCKER_SOCK_GID=$(stat -c '%g' "$DOCKER_SOCK_PATH" 2>/dev/null || echo '0')
-          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.25'
+          export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host --add-host host.docker.internal:127.0.0.1 --user '"${MCP_GATEWAY_UID}"':'"${MCP_GATEWAY_GID}"' --group-add '"${DOCKER_SOCK_GID}"' -v '"${DOCKER_SOCK_PATH}"':/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DOCKER_HOST=unix:///var/run/docker.sock -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_GUARD_MIN_INTEGRITY -e GITHUB_MCP_GUARD_REPOS -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GH_AW_SAFE_OUTPUTS_PORT -e GH_AW_SAFE_OUTPUTS_API_KEY -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.3.9'
           
           mkdir -p /home/runner/.copilot
           GH_AW_NODE=$(which node 2>/dev/null || command -v node 2>/dev/null || echo node)
-          cat << GH_AW_MCP_CONFIG_f09adf73c5e58a42_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
+          cat << GH_AW_MCP_CONFIG_175174907e5a28b4_EOF | "$GH_AW_NODE" "${RUNNER_TEMP}/gh-aw/actions/start_mcp_gateway.cjs"
           {
             "mcpServers": {
               "github": {
                 "type": "stdio",
-                "container": "ghcr.io/github/github-mcp-server:v1.1.2",
+                "container": "ghcr.io/github/github-mcp-server:v1.0.4",
                 "env": {
                   "GITHUB_HOST": "\${GITHUB_SERVER_URL}",
                   "GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}",
                   "GITHUB_READ_ONLY": "1",
-                  "GITHUB_TOOLSETS": "repos,pull_requests"
+                  "GITHUB_TOOLSETS": "context,repos,issues,pull_requests,actions"
                 },
                 "guard-policies": {
                   "allow-only": {
@@ -727,7 +691,7 @@ jobs:
               "payloadDir": "${MCP_GATEWAY_PAYLOAD_DIR}"
             }
           }
-          GH_AW_MCP_CONFIG_f09adf73c5e58a42_EOF
+          GH_AW_MCP_CONFIG_175174907e5a28b4_EOF
       - name: Mount MCP servers as CLIs
         id: mount-mcp-clis
         continue-on-error: true
@@ -756,48 +720,29 @@ jobs:
         run: |
           set -o pipefail
           printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt
-          trap 'rm -f /home/runner/.copilot/settings.json' EXIT
-          mkdir -p /home/runner/.copilot
-          printf '%s' '{"builtInAgents":{"rubberDuck":false}}' > /home/runner/.copilot/settings.json
           touch /tmp/gh-aw/agent-step-summary.md
           GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
           export GH_AW_NODE_BIN
-          export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK"
           (umask 177 && touch /tmp/gh-aw/agent-stdio.log)
-          GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}"
-          printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.2/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"*.pythonhosted.org\",\"anaconda.org\",\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"binstar.org\",\"bootstrap.pypa.io\",\"conda.anaconda.org\",\"conda.binstar.org\",\"files.pythonhosted.org\",\"github.com\",\"host.docker.internal\",\"pip.pypa.io\",\"pypi.org\",\"pypi.python.org\",\"raw.githubusercontent.com\",\"registry.npmjs.org\",\"repo.anaconda.com\",\"repo.continuum.io\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS},\"models\":{\"agent\":[\"sonnet-6x\",\"gpt-5.4\",\"gpt-5.3\",\"gemini-pro\",\"any\"],\"antigravity\":[\"copilot/antigravity*\",\"google/antigravity*\",\"gemini/antigravity*\"],\"any\":[\"copilot/*\",\"anthropic/*\",\"openai/*\",\"google/*\",\"gemini/*\"],\"claude\":[\"agent\"],\"codex\":[\"agent\"],\"coding\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\",\"gpt-5-codex\"],\"computer-use\":[\"copilot/*computer-use*\",\"google/*computer-use*\",\"gemini/*computer-use*\",\"openai/*computer-use*\"],\"copilot\":[\"agent\"],\"deep-research\":[\"copilot/deep-research*\",\"copilot/o3-deep-research*\",\"copilot/o4-mini-deep-research*\",\"google/deep-research*\",\"gemini/deep-research*\",\"openai/o3-deep-research*\",\"openai/o4-mini-deep-research*\"],\"gemini\":[\"agent\"],\"gemini-3-flash\":[\"copilot/gemini-3*flash*\",\"google/gemini-3*flash*\",\"gemini/gemini-3*flash*\"],\"gemini-3-pro\":[\"copilot/gemini-3*pro*\",\"google/gemini-3*pro*\",\"google/nano-banana*\",\"gemini/gemini-3*pro*\"],\"gemini-3.1-flash\":[\"copilot/gemini-3.1*flash*\",\"google/gemini-3.1*flash*\",\"gemini/gemini-3.1*flash*\"],\"gemini-3.1-pro\":[\"copilot/gemini-3.1*pro*\",\"google/gemini-3.1*pro*\",\"gemini/gemini-3.1*pro*\"],\"gemini-3.5-flash\":[\"copilot/gemini-3.5*flash*\",\"google/gemini-3.5*flash*\",\"gemini/gemini-3.5*flash*\"],\"gemini-flash\":[\"copilot/gemini-*flash*\",\"google/gemini-*flash*\",\"gemini/gemini-*flash*\"],\"gemini-flash-lite\":[\"copilot/gemini-*flash*lite*\",\"google/gemini-*flash*lite*\",\"gemini/gemini-*flash*lite*\"],\"gemini-pro\":[\"copilot/gemini-*pro*\",\"google/gemini-*pro*\",\"gemini/gemini-*pro*\"],\"gemma\":[\"copilot/gemma*\",\"google/gemma*\",\"gemini/gemma*\"],\"gpt-5\":[\"copilot/gpt-5*\",\"openai/gpt-5*\"],\"gpt-5-codex\":[\"copilot/gpt-5*codex*\",\"openai/gpt-5*codex*\"],\"gpt-5-mini\":[\"copilot/gpt-5*mini*\",\"openai/gpt-5*mini*\"],\"gpt-5-nano\":[\"copilot/gpt-5*nano*\",\"openai/gpt-5*nano*\"],\"gpt-5-pro\":[\"copilot/gpt-5*pro*\",\"openai/gpt-5*pro*\"],\"gpt-5.2\":[\"copilot/gpt-5.2*\",\"openai/gpt-5.2*\"],\"gpt-5.3\":[\"copilot/gpt-5.3*\",\"openai/gpt-5.3*\"],\"gpt-5.4\":[\"copilot/gpt-5.4*\",\"openai/gpt-5.4*\"],\"gpt-5.5\":[\"copilot/gpt-5.5*\",\"openai/gpt-5.5*\"],\"haiku\":[\"copilot/*haiku*\",\"anthropic/*haiku*\"],\"large\":[\"sonnet\",\"gpt-5-pro\",\"gpt-5\",\"gemini-pro\"],\"mai-code\":[\"copilot/MAI-Code*\",\"copilot/mai-code*\",\"openai/MAI-Code*\"],\"mini\":[\"haiku\",\"gpt-5-mini\",\"gpt-5-nano\",\"gemini-flash-lite\"],\"nano-banana\":[\"copilot/nano-banana*\",\"google/nano-banana*\",\"gemini/nano-banana*\"],\"opus\":[\"copilot/*opus*\",\"anthropic/*opus*\"],\"opusplan\":[\"opus?effort=high\"],\"reasoning\":[\"copilot/o1*\",\"copilot/o3*\",\"copilot/o4*\",\"openai/o1*\",\"openai/o3*\",\"openai/o4*\"],\"robotics\":[\"copilot/*robotics*\",\"google/*robotics*\",\"gemini/*robotics*\"],\"small\":[\"mini\"],\"small-agent\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash\"],\"sonnet\":[\"copilot/*sonnet*\",\"anthropic/*sonnet*\"],\"sonnet-6x\":[\"copilot/*sonnet-4.5*\",\"copilot/*sonnet-4.6*\",\"copilot/*sonnet-4-5-*\",\"anthropic/*sonnet-4-5-*\",\"copilot/*sonnet-4-6*\",\"anthropic/*sonnet-4-6*\"],\"summarization\":[\"haiku\",\"gpt-5-mini\",\"gemini-flash-lite\",\"mini\"],\"vision\":[\"copilot/gemini-*image*\",\"gemini/gemini-*image*\",\"copilot/gemini-*flash*\",\"gemini/gemini-*flash*\"]}},\"container\":{\"imageTag\":\"0.27.2,squid=sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591,agent=sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6,api-proxy=sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4,cli-proxy=sha256:02f3ec08f32dc26c5427920c6a2e2f3036238fce44802f2f11ef49ed8621b5d0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
-          GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs"
-          cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
-          export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json"
+          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.46/awf-config.schema.json","network":{"allowDomains":["*.pythonhosted.org","anaconda.org","api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","binstar.org","bootstrap.pypa.io","conda.anaconda.org","conda.binstar.org","files.pythonhosted.org","github.com","host.docker.internal","pip.pypa.io","pypi.org","pypi.python.org","raw.githubusercontent.com","registry.npmjs.org","repo.anaconda.com","repo.continuum.io","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000,"models":{"auto":["large"],"coding":["copilot/gpt-5*codex*","openai/gpt-5*codex*","gpt-5-codex"],"deep-research":["copilot/deep-research*","copilot/o3-deep-research*","copilot/o4-mini-deep-research*","google/deep-research*","gemini/deep-research*","openai/o3-deep-research*","openai/o4-mini-deep-research*"],"gemini-flash":["copilot/gemini-*flash*","google/gemini-*flash*","gemini/gemini-*flash*"],"gemini-flash-lite":["copilot/gemini-*flash*lite*","google/gemini-*flash*lite*","gemini/gemini-*flash*lite*"],"gemini-pro":["copilot/gemini-*pro*","google/gemini-*pro*","gemini/gemini-*pro*"],"gemma":["copilot/gemma*","google/gemma*","gemini/gemma*"],"gpt-4.1":["copilot/gpt-4.1*","openai/gpt-4.1*"],"gpt-5":["copilot/gpt-5*","openai/gpt-5*"],"gpt-5-codex":["copilot/gpt-5*codex*","openai/gpt-5*codex*"],"gpt-5-mini":["copilot/gpt-5*mini*","openai/gpt-5*mini*"],"gpt-5-nano":["copilot/gpt-5*nano*","openai/gpt-5*nano*"],"gpt-5-pro":["copilot/gpt-5*pro*","openai/gpt-5*pro*"],"haiku":["copilot/*haiku*","anthropic/*haiku*"],"large":["sonnet","gpt-5-pro","gpt-5","gemini-pro"],"mini":["haiku","gpt-5-mini","gpt-5-nano","gemini-flash-lite"],"opus":["copilot/*opus*","anthropic/*opus*"],"reasoning":["copilot/o1*","copilot/o3*","copilot/o4*","openai/o1*","openai/o3*","openai/o4*"],"small":["mini"],"sonnet":["copilot/*sonnet*","anthropic/*sonnet*"],"vision":["copilot/gemini-*image*","gemini/gemini-*image*","copilot/gemini-*flash*","gemini/gemini-*flash*"]}},"container":{"imageTag":"0.25.46"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
           GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""
           if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then
             GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"
           fi
-          GH_AW_TOOL_CACHE_MOUNT=""
-          GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"
-          if [ -d "$GH_AW_TOOL_CACHE" ]; then
-            if [[ "$GH_AW_TOOL_CACHE" != /opt/* ]]; then
-              GH_AW_TOOL_CACHE_MOUNT="$GH_AW_TOOL_CACHE:$GH_AW_TOOL_CACHE:ro"
-            fi
-          elif [ -d "/home/runner/work/_tool" ]; then
-            GH_AW_TOOL_CACHE_MOUNT="/home/runner/work/_tool:/home/runner/work/_tool:ro"
-          fi
           # shellcheck disable=SC1003
-          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'set +o histexpand; export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
+            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
         env:
           AWF_REFLECT_ENABLED: 1
           COPILOT_AGENT_RUNNER_TYPE: STANDALONE
-          COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode
+          COPILOT_API_KEY: dummy-byok-key-for-offline-mode
           COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
-          GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }}
+          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_AGENT_COPILOT || 'claude-sonnet-4.6' }}
           GH_AW_MCP_CONFIG: /home/runner/.copilot/mcp-config.json
           GH_AW_PHASE: agent
           GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
           GH_AW_SAFE_OUTPUTS: ${{ steps.set-runtime-paths.outputs.GH_AW_SAFE_OUTPUTS }}
-          GH_AW_TIMEOUT_MINUTES: 20
-          GH_AW_VERSION: v0.79.6
+          GH_AW_VERSION: v0.74.4
           GITHUB_API_URL: ${{ github.api_url }}
           GITHUB_AW: true
           GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
@@ -811,13 +756,12 @@ jobs:
           GIT_AUTHOR_NAME: github-actions[bot]
           GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
           GIT_COMMITTER_NAME: github-actions[bot]
-          RUNNER_TEMP: ${{ runner.temp }}
           XDG_CONFIG_HOME: /home/runner
-      - name: Detect agent errors
+      - name: Detect Copilot errors
+        id: detect-copilot-errors
         if: always()
-        id: detect-agent-errors
         continue-on-error: true
-        run: node "${RUNNER_TEMP}/gh-aw/actions/detect_agent_errors.cjs"
+        run: node "${RUNNER_TEMP}/gh-aw/actions/detect_copilot_errors.cjs"
       - name: Configure Git credentials
         env:
           REPO_NAME: ${{ github.repository }}
@@ -995,11 +939,10 @@ jobs:
       - agent
       - detection
       - extract_pr_number
-      - gate
       - safe_outputs
     if: >
       always() && (needs.agent.result != 'skipped' || needs.activation.outputs.lockdown_check_failed == 'true' ||
-      needs.activation.outputs.stale_lock_file_failed == 'true' || needs.activation.outputs.daily_effective_workflow_exceeded == 'true')
+      needs.activation.outputs.stale_lock_file_failed == 'true')
     runs-on: ubuntu-slim
     permissions:
       contents: read
@@ -1018,7 +961,7 @@ jobs:
     steps:
       - name: Setup Scripts
         id: setup
-        uses: github/gh-aw-actions/setup@v0.79.6
+        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
           job-name: ${{ github.job }}
@@ -1027,8 +970,7 @@ jobs:
         env:
           GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
           GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.60"
-          GH_AW_INFO_AWF_VERSION: "v0.27.2"
+          GH_AW_INFO_VERSION: "1.0.48"
           GH_AW_INFO_ENGINE_ID: "copilot"
       - name: Download agent output artifact
         id: download-agent-output
@@ -1044,40 +986,6 @@ jobs:
           mkdir -p /tmp/gh-aw/
           find "/tmp/gh-aw/" -type f -print
           echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
-      - name: Collect usage artifact files
-        if: always()
-        continue-on-error: true
-        run: |
-          mkdir -p /tmp/gh-aw/usage/agent /tmp/gh-aw/usage/detection
-          echo "Usage artifact source file status:"
-          for file in /tmp/gh-aw/aw-info.jsonl /tmp/gh-aw/agent_usage.jsonl /tmp/gh-aw/detection_usage.jsonl /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl; do
-            [ -f "$file" ] && echo "FOUND: $file" || echo "MISSING: $file"
-          done
-          [ -f /tmp/gh-aw/aw-info.jsonl ] && cp /tmp/gh-aw/aw-info.jsonl /tmp/gh-aw/usage/aw-info.jsonl || true
-          [ -f /tmp/gh-aw/agent_usage.jsonl ] && cp /tmp/gh-aw/agent_usage.jsonl /tmp/gh-aw/usage/agent_usage.jsonl || true
-          [ -f /tmp/gh-aw/detection_usage.jsonl ] && cp /tmp/gh-aw/detection_usage.jsonl /tmp/gh-aw/usage/detection_usage.jsonl || true
-          [ -f /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
-          [ -f /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
-          [ -f /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/agent/token_usage.jsonl || true
-          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall-audit-logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
-          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall/logs/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
-          [ -f /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl ] && cp /tmp/gh-aw/threat-detection/sandbox/firewall/audit/api-proxy-logs/token-usage.jsonl /tmp/gh-aw/usage/detection/token_usage.jsonl || true
-          [ -f /tmp/gh-aw/usage/agent/token_usage.jsonl ] || : > /tmp/gh-aw/usage/agent/token_usage.jsonl
-          [ -f /tmp/gh-aw/usage/detection/token_usage.jsonl ] || : > /tmp/gh-aw/usage/detection/token_usage.jsonl
-          find /tmp/gh-aw/usage -type f -print | sort
-      - name: Upload usage artifact
-        if: always()
-        continue-on-error: true
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
-        with:
-          name: usage
-          path: |
-            /tmp/gh-aw/usage/aw-info.jsonl
-            /tmp/gh-aw/usage/agent_usage.jsonl
-            /tmp/gh-aw/usage/detection_usage.jsonl
-            /tmp/gh-aw/usage/agent/token_usage.jsonl
-            /tmp/gh-aw/usage/detection/token_usage.jsonl
-          if-no-files-found: ignore
       - name: Process no-op messages
         id: noop
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -1085,14 +993,9 @@ jobs:
           GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
           GH_AW_NOOP_MAX: "1"
           GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
-          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
           GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
           GH_AW_NOOP_REPORT_AS_ISSUE: "true"
-          GH_AW_AIC: ${{ needs.agent.outputs.aic }}
-          GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
-          GH_AW_AMBIENT_CONTEXT: ${{ needs.agent.outputs.ambient_context }}
-          GH_AW_WORKFLOW_ID: "check-requirements"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
@@ -1106,7 +1009,6 @@ jobs:
         env:
           GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
-          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
           GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
           GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
@@ -1124,7 +1026,6 @@ jobs:
           GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
           GH_AW_MISSING_TOOL_CREATE_ISSUE: "true"
           GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
-          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
@@ -1139,7 +1040,6 @@ jobs:
           GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
           GH_AW_REPORT_INCOMPLETE_CREATE_ISSUE: "true"
           GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
-          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
@@ -1154,7 +1054,6 @@ jobs:
         env:
           GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
           GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
-          GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
           GH_AW_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
           GH_AW_AGENT_CONCLUSION: ${{ needs.agent.result }}
           GH_AW_WORKFLOW_ID: "check-requirements"
@@ -1163,11 +1062,7 @@ jobs:
           GH_AW_SECRET_VERIFICATION_RESULT: ${{ needs.activation.outputs.secret_verification_result }}
           GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.agent.outputs.checkout_pr_success }}
           GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens || '' }}
-          GH_AW_AI_CREDITS_RATE_LIMIT_ERROR: ${{ needs.agent.outputs.ai_credits_rate_limit_error || 'false' }}
-          GH_AW_UNKNOWN_MODEL_AI_CREDITS: ${{ needs.agent.outputs.unknown_model_ai_credits || 'false' }}
-          GH_AW_AIC: ${{ needs.agent.outputs.aic }}
-          GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
-          GH_AW_MAX_AI_CREDITS: ${{ vars.GH_AW_DEFAULT_MAX_AI_CREDITS || '1000' }}
+          GH_AW_EFFECTIVE_TOKENS_RATE_LIMIT_ERROR: ${{ needs.agent.outputs.effective_tokens_rate_limit_error || 'false' }}
           GH_AW_INFERENCE_ACCESS_ERROR: ${{ needs.agent.outputs.inference_access_error }}
           GH_AW_MCP_POLICY_ERROR: ${{ needs.agent.outputs.mcp_policy_error }}
           GH_AW_AGENTIC_ENGINE_TIMEOUT: ${{ needs.agent.outputs.agentic_engine_timeout }}
@@ -1175,14 +1070,12 @@ jobs:
           GH_AW_ENGINE_API_HOSTS: "api.enterprise.githubcopilot.com,api.githubcopilot.com,api.business.githubcopilot.com,api.individual.githubcopilot.com"
           GH_AW_LOCKDOWN_CHECK_FAILED: ${{ needs.activation.outputs.lockdown_check_failed }}
           GH_AW_STALE_LOCK_FILE_FAILED: ${{ needs.activation.outputs.stale_lock_file_failed }}
-          GH_AW_DAILY_EFFECTIVE_WORKFLOW_EXCEEDED: ${{ needs.activation.outputs.daily_effective_workflow_exceeded }}
-          GH_AW_DAILY_EFFECTIVE_WORKFLOW_TOTAL_EFFECTIVE_TOKENS: ${{ needs.activation.outputs.daily_effective_workflow_total_effective_tokens }}
-          GH_AW_DAILY_EFFECTIVE_WORKFLOW_THRESHOLD: ${{ needs.activation.outputs.daily_effective_workflow_threshold }}
           GH_AW_GROUP_REPORTS: "false"
           GH_AW_FAILURE_REPORT_AS_ISSUE: "true"
           GH_AW_MISSING_TOOL_REPORT_AS_FAILURE: "true"
           GH_AW_MISSING_DATA_REPORT_AS_FAILURE: "true"
           GH_AW_TIMEOUT_MINUTES: "20"
+          GH_AW_MAX_EFFECTIVE_TOKENS: "25000000"
         with:
           github-token: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
           script: |
@@ -1201,14 +1094,13 @@ jobs:
     permissions:
       contents: read
     outputs:
-      aic: ${{ steps.parse_detection_token_usage.outputs.aic }}
       detection_conclusion: ${{ steps.detection_conclusion.outputs.conclusion }}
       detection_reason: ${{ steps.detection_conclusion.outputs.reason }}
       detection_success: ${{ steps.detection_conclusion.outputs.success }}
     steps:
       - name: Setup Scripts
         id: setup
-        uses: github/gh-aw-actions/setup@v0.79.6
+        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
           job-name: ${{ github.job }}
@@ -1217,8 +1109,7 @@ jobs:
         env:
           GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
           GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.60"
-          GH_AW_INFO_AWF_VERSION: "v0.27.2"
+          GH_AW_INFO_VERSION: "1.0.48"
           GH_AW_INFO_ENGINE_ID: "copilot"
       - name: Download agent output artifact
         id: download-agent-output
@@ -1236,7 +1127,7 @@ jobs:
           echo "GH_AW_AGENT_OUTPUT=/tmp/gh-aw/agent_output.json" >> "$GITHUB_OUTPUT"
       - name: Checkout repository for patch context
         if: needs.agent.outputs.has_patch == 'true'
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       # --- Threat Detection ---
@@ -1245,7 +1136,7 @@ jobs:
           rm -rf /tmp/gh-aw/sandbox/firewall/logs
           rm -rf /tmp/gh-aw/sandbox/firewall/audit
       - name: Download container images
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.27.2@sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6 ghcr.io/github/gh-aw-firewall/api-proxy:0.27.2@sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4 ghcr.io/github/gh-aw-firewall/squid:0.27.2@sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/download_docker_images.sh" ghcr.io/github/gh-aw-firewall/agent:0.25.46 ghcr.io/github/gh-aw-firewall/api-proxy:0.25.46 ghcr.io/github/gh-aw-firewall/squid:0.25.46
       - name: Check if detection needed
         id: detection_guard
         if: always()
@@ -1270,11 +1161,7 @@ jobs:
         if: always() && steps.detection_guard.outputs.run_detection == 'true'
         run: |
           mkdir -p /tmp/gh-aw/threat-detection/aw-prompts
-          rm -f /tmp/gh-aw/agent_usage.json
           cp /tmp/gh-aw/aw-prompts/prompt.txt /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt 2>/dev/null || true
-          if [ ! -s /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt ]; then
-            echo "::warning::ERR_VALIDATION: Missing or empty detection context prompt at /tmp/gh-aw/threat-detection/aw-prompts/prompt.txt. Ensure the agent artifact includes /tmp/gh-aw/aw-prompts/prompt.txt. Detection will continue with fallback workflow context."
-          fi
           cp /tmp/gh-aw/agent_output.json /tmp/gh-aw/threat-detection/agent_output.json 2>/dev/null || true
           for f in /tmp/gh-aw/aw-*.patch; do
             [ -f "$f" ] && cp "$f" /tmp/gh-aw/threat-detection/ 2>/dev/null || true
@@ -1308,11 +1195,11 @@ jobs:
           node-version: '24'
           package-manager-cache: false
       - name: Install GitHub Copilot CLI
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.60
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_copilot_cli.sh" 1.0.48
         env:
           GH_HOST: github.com
       - name: Install AWF binary
-        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.2
+        run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.25.46
       - name: Execute GitHub Copilot CLI
         if: always() && steps.detection_guard.outputs.run_detection == 'true'
         continue-on-error: true
@@ -1322,46 +1209,27 @@ jobs:
         run: |
           set -o pipefail
           printf '%s' "$(date +%s%3N)" > /tmp/gh-aw/agent_cli_start_ms.txt
-          trap 'rm -f /home/runner/.copilot/settings.json' EXIT
-          mkdir -p /home/runner/.copilot
-          printf '%s' '{"builtInAgents":{"rubberDuck":false}}' > /home/runner/.copilot/settings.json
           touch /tmp/gh-aw/agent-step-summary.md
           GH_AW_NODE_BIN=$(command -v node 2>/dev/null || true)
           export GH_AW_NODE_BIN
-          export COPILOT_API_KEY="$COPILOT_DUMMY_BYOK"
           (umask 177 && touch /tmp/gh-aw/threat-detection/detection.log)
-          GH_AW_MAX_AI_CREDITS="${{ vars.GH_AW_DEFAULT_DETECTION_MAX_AI_CREDITS || '400' }}"
-          printf '%s\n' "{\"\$schema\":\"https://github.com/github/gh-aw-firewall/releases/download/v0.27.2/awf-config.schema.json\",\"network\":{\"allowDomains\":[\"api.business.githubcopilot.com\",\"api.enterprise.githubcopilot.com\",\"api.github.com\",\"api.githubcopilot.com\",\"api.individual.githubcopilot.com\",\"github.com\",\"host.docker.internal\",\"registry.npmjs.org\",\"telemetry.enterprise.githubcopilot.com\"]},\"apiProxy\":{\"enabled\":true,\"enableTokenSteering\":true,\"maxRuns\":500,\"maxAiCredits\":${GH_AW_MAX_AI_CREDITS}},\"container\":{\"imageTag\":\"0.27.2,squid=sha256:2e3a717e5f19a654cd9a2263beb52012b56bcb68562ec5ae2e42f9d156b49591,agent=sha256:f88e5b17b6b7a600117bc121114d6ce2155c88c983c0c939c5df884f730fa1d6,api-proxy=sha256:ee39841d980878ebbb87592903b06d31a1af500c71525c9616f7e8e2a27041a4,cli-proxy=sha256:02f3ec08f32dc26c5427920c6a2e2f3036238fce44802f2f11ef49ed8621b5d0\"}}" > "${RUNNER_TEMP}/gh-aw/awf-config.json"
-          GH_AW_MODEL_MULTIPLIERS_PATH="/tmp/gh-aw/model_multipliers.json" node "${RUNNER_TEMP}/gh-aw/actions/merge_awf_model_multipliers.cjs"
-          cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
-          export GH_AW_MODELS_JSON_PATH="/tmp/gh-aw/models.json"
+          printf '%s\n' '{"$schema":"https://github.com/github/gh-aw-firewall/releases/download/v0.25.46/awf-config.schema.json","network":{"allowDomains":["api.business.githubcopilot.com","api.enterprise.githubcopilot.com","api.github.com","api.githubcopilot.com","api.individual.githubcopilot.com","github.com","host.docker.internal","telemetry.enterprise.githubcopilot.com"]},"apiProxy":{"enabled":true,"enableTokenSteering":true,"maxRuns":500,"maxEffectiveTokens":25000000},"container":{"imageTag":"0.25.46"}}' > "${RUNNER_TEMP}/gh-aw/awf-config.json" && cp "${RUNNER_TEMP}/gh-aw/awf-config.json" /tmp/gh-aw/awf-config.json
           GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS=""
           if [[ "${DOCKER_HOST:-}" =~ ^tcp:// ]]; then
             GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS="--docker-host-path-prefix /tmp/gh-aw"
           fi
-          GH_AW_TOOL_CACHE_MOUNT=""
-          GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"
-          if [ -d "$GH_AW_TOOL_CACHE" ]; then
-            if [[ "$GH_AW_TOOL_CACHE" != /opt/* ]]; then
-              GH_AW_TOOL_CACHE_MOUNT="$GH_AW_TOOL_CACHE:$GH_AW_TOOL_CACHE:ro"
-            fi
-          elif [ -d "/home/runner/work/_tool" ]; then
-            GH_AW_TOOL_CACHE_MOUNT="/home/runner/work/_tool:/home/runner/work/_tool:ro"
-          fi
           # shellcheck disable=SC1003
-          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'set +o histexpand; GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
+          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --env-all --exclude-env COPILOT_GITHUB_TOKEN --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
+            -- /bin/bash -c 'export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-all-tools --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/threat-detection/detection.log
         env:
           AWF_REFLECT_ENABLED: 1
           COPILOT_AGENT_RUNNER_TYPE: STANDALONE
-          COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode
+          COPILOT_API_KEY: dummy-byok-key-for-offline-mode
           COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || vars.GH_AW_DEFAULT_MODEL_COPILOT || 'claude-sonnet-4.6' }}
-          GH_AW_MAX_TURNS: ${{ vars.GH_AW_DEFAULT_MAX_TURNS || '' }}
+          COPILOT_MODEL: ${{ vars.GH_AW_MODEL_DETECTION_COPILOT || 'claude-sonnet-4.6' }}
           GH_AW_PHASE: detection
           GH_AW_PROMPT: /tmp/gh-aw/aw-prompts/prompt.txt
-          GH_AW_TIMEOUT_MINUTES: 20
-          GH_AW_VERSION: v0.79.6
+          GH_AW_VERSION: v0.74.4
           GITHUB_API_URL: ${{ github.api_url }}
           GITHUB_AW: true
           GITHUB_COPILOT_INTEGRATION_ID: agentic-workflows
@@ -1374,21 +1242,7 @@ jobs:
           GIT_AUTHOR_NAME: github-actions[bot]
           GIT_COMMITTER_EMAIL: github-actions[bot]@users.noreply.github.com
           GIT_COMMITTER_NAME: github-actions[bot]
-          RUNNER_TEMP: ${{ runner.temp }}
           XDG_CONFIG_HOME: /home/runner
-      - name: Parse threat detection token usage for step summary
-        id: parse_detection_token_usage
-        if: always()
-        continue-on-error: true
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
-        env:
-          GH_AW_TOKEN_USAGE_SUMMARY_TITLE: Threat Detection Token Usage
-        with:
-          script: |
-            const { setupGlobals } = require('${{ runner.temp }}/gh-aw/actions/setup_globals.cjs');
-            setupGlobals(core, github, context, exec, io, getOctokit);
-            const { main } = require('${{ runner.temp }}/gh-aw/actions/parse_token_usage.cjs');
-            await main();
       - name: Upload threat detection log
         if: always() && steps.detection_guard.outputs.run_detection == 'true'
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -1430,8 +1284,7 @@ jobs:
             }
 
   extract_pr_number:
-    needs: gate
-    if: needs.gate.outputs.skip != 'true' && github.event.workflow_run.conclusion == 'success'
+    if: github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -1442,7 +1295,6 @@ jobs:
       - name: Configure GH_HOST for enterprise compatibility
         id: ghes-host-config
         shell: bash
-        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
         run: |
           # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
           # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
@@ -1462,77 +1314,6 @@ jobs:
           PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
           echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
 
-  gate:
-    needs: activation
-    if: github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      pull-requests: read
-
-    outputs:
-      skip: ${{ steps.gate.outputs.skip }}
-    steps:
-      - name: Configure GH_HOST for enterprise compatibility
-        id: ghes-host-config
-        shell: bash
-        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
-        run: |
-          # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
-          # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
-          GH_HOST="${GITHUB_SERVER_URL#https://}"
-          GH_HOST="${GH_HOST#http://}"
-          echo "GH_HOST=${GH_HOST}" >> "$GITHUB_ENV"
-      - name: Download deterministic-results artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          name: check-requirements-deterministic
-          path: /tmp/gate
-          run-id: ${{ github.event.workflow_run.id }}
-      - name: Decide whether requirements changed since the last comment
-        id: gate
-        run: |
-          PR=$(jq -r '.pr_number' /tmp/gate/results.json)
-          HEAD=$(jq -r '.head_sha // empty' /tmp/gate/results.json)
-          if [ -z "${HEAD}" ]; then
-            echo "Artifact has no head_sha; running the agent."
-            exit 0
-          fi
-          # Recover the commit recorded in the most recent requirements-check comment.
-          PRIOR=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR}/comments" \
-            --jq '.[] | select(.body | contains("<!-- requirements-check -->")) | .body' \
-            | grep -oE '<!-- requirements-check-sha: [0-9a-f]{7,40} -->' \
-            | grep -oE '[0-9a-f]{7,40}' | tail -1 || true)
-          if [ -z "${PRIOR}" ]; then
-            echo "No previous comment with a recorded commit; running the agent."
-            exit 0
-          fi
-          if [ "${PRIOR}" = "${HEAD}" ]; then
-            echo "Head ${HEAD} unchanged since the last comment; skipping the agent."
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-          # List files changed between the recorded commit and the current head.
-          # Tracked patterns mirror script/check_requirements/diff.py TRACKED_PATTERNS.
-          CHANGED=$(gh api "repos/${GITHUB_REPOSITORY}/compare/${PRIOR}...${HEAD}" \
-            --jq '.files[].filename' 2>/dev/null) || {
-            echo "Could not compare ${PRIOR}...${HEAD}; running the agent."
-            exit 0
-          }
-          TRACKED=$(printf '%s\n' "${CHANGED}" \
-            | grep -Ex 'requirements.*\.txt|homeassistant/package_constraints\.txt' || true)
-          if [ -z "${TRACKED}" ]; then
-            echo "No tracked requirement files changed since ${PRIOR}; skipping the agent."
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-          else
-            echo "Tracked requirement files changed since ${PRIOR}; running the agent:"
-            printf '%s\n' "${TRACKED}"
-          fi
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
   pre_activation:
     runs-on: ubuntu-slim
     outputs:
@@ -1544,15 +1325,14 @@ jobs:
     steps:
       - name: Setup Scripts
         id: setup
-        uses: github/gh-aw-actions/setup@v0.79.6
+        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
           job-name: ${{ github.job }}
         env:
           GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
           GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.60"
-          GH_AW_INFO_AWF_VERSION: "v0.27.2"
+          GH_AW_INFO_VERSION: "1.0.48"
           GH_AW_INFO_ENGINE_ID: "copilot"
       - name: Check team membership for workflow
         id: check_membership
@@ -1580,22 +1360,17 @@ jobs:
       discussions: write
       issues: write
       pull-requests: write
-    timeout-minutes: 45
+    timeout-minutes: 15
     env:
-      GH_AW_AGENT_AIC: ${{ needs.agent.outputs.aic }}
-      GH_AW_AIC: ${{ needs.agent.outputs.aic }}
-      GH_AW_AMBIENT_CONTEXT: ${{ needs.agent.outputs.ambient_context }}
       GH_AW_CALLER_WORKFLOW_ID: "${{ github.repository }}/check-requirements"
       GH_AW_DETECTION_CONCLUSION: ${{ needs.detection.outputs.detection_conclusion }}
       GH_AW_DETECTION_REASON: ${{ needs.detection.outputs.detection_reason }}
       GH_AW_EFFECTIVE_TOKENS: ${{ needs.agent.outputs.effective_tokens }}
       GH_AW_ENGINE_ID: "copilot"
       GH_AW_ENGINE_MODEL: ${{ needs.agent.outputs.model }}
-      GH_AW_ENGINE_VERSION: "1.0.60"
-      GH_AW_THREAT_DETECTION_AIC: ${{ needs.detection.outputs.aic }}
+      GH_AW_ENGINE_VERSION: "1.0.48"
       GH_AW_WORKFLOW_ID: "check-requirements"
       GH_AW_WORKFLOW_NAME: "Check requirements (AW)"
-      GH_AW_WORKFLOW_SOURCE_URL: "${{ github.server_url }}/${{ github.repository }}/blob/${{ github.ref_name }}/.github/workflows/check-requirements.md"
     outputs:
       code_push_failure_count: ${{ steps.process_safe_outputs.outputs.code_push_failure_count }}
       code_push_failure_errors: ${{ steps.process_safe_outputs.outputs.code_push_failure_errors }}
@@ -1608,7 +1383,7 @@ jobs:
     steps:
       - name: Setup Scripts
         id: setup
-        uses: github/gh-aw-actions/setup@v0.79.6
+        uses: github/gh-aw-actions/setup@b11be78086764c43fa463398aed7ffdcf40549c1 # v0.77.0
         with:
           destination: ${{ runner.temp }}/gh-aw/actions
           job-name: ${{ github.job }}
@@ -1617,8 +1392,7 @@ jobs:
         env:
           GH_AW_SETUP_WORKFLOW_NAME: "Check requirements (AW)"
           GH_AW_CURRENT_WORKFLOW_REF: ${{ github.repository }}/.github/workflows/check-requirements.lock.yml@${{ github.ref }}
-          GH_AW_INFO_VERSION: "1.0.60"
-          GH_AW_INFO_AWF_VERSION: "v0.27.2"
+          GH_AW_INFO_VERSION: "1.0.48"
           GH_AW_INFO_ENGINE_ID: "copilot"
       - name: Download agent output artifact
         id: download-agent-output
@@ -1637,7 +1411,6 @@ jobs:
       - name: Configure GH_HOST for enterprise compatibility
         id: ghes-host-config
         shell: bash
-        # zizmor: ignore[github-env] - GITHUB_SERVER_URL is set by GitHub Actions, not user input.
         run: |
           # Derive GH_HOST from GITHUB_SERVER_URL so the gh CLI targets the correct
           # GitHub instance (GHES/GHEC). On github.com this is a harmless no-op.
@@ -1649,7 +1422,6 @@ jobs:
         uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
         env:
           GH_AW_AGENT_OUTPUT: ${{ steps.setup-agent-output-env.outputs.GH_AW_AGENT_OUTPUT }}
-          GH_AW_COMMENT_ID: ${{ needs.activation.outputs.comment_id }}
           GH_AW_ALLOWED_DOMAINS: "*.pythonhosted.org,anaconda.org,api.business.githubcopilot.com,api.enterprise.githubcopilot.com,api.github.com,api.githubcopilot.com,api.individual.githubcopilot.com,binstar.org,bootstrap.pypa.io,conda.anaconda.org,conda.binstar.org,files.pythonhosted.org,github.com,host.docker.internal,pip.pypa.io,pypi.org,pypi.python.org,raw.githubusercontent.com,registry.npmjs.org,repo.anaconda.com,repo.continuum.io,telemetry.enterprise.githubcopilot.com"
           GITHUB_SERVER_URL: ${{ github.server_url }}
           GITHUB_API_URL: ${{ github.api_url }}

.github/workflows/check-requirements.md

@@ -6,6 +6,7 @@ on:
 permissions:
   contents: read
   actions: read
+  issues: read
   pull-requests: read
 network:
   allowed:
@@ -13,7 +14,7 @@ network:
 tools:
   web-fetch: {}
   github:
-    toolsets: [repos, pull_requests]
+    toolsets: [default, actions]
     min-integrity: unapproved
 safe-outputs:
   add-comment:
@@ -22,68 +23,8 @@ safe-outputs:
   needs:
     - extract_pr_number
 jobs:
-  gate:
-    # Skip the (token-spending) agent when no tracked requirement file changed
-    if: github.event.workflow_run.conclusion == 'success'
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      pull-requests: read
-    outputs:
-      skip: ${{ steps.gate.outputs.skip }}
-    steps:
-      - name: Download deterministic-results artifact
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: check-requirements-deterministic
-          path: /tmp/gate
-          run-id: ${{ github.event.workflow_run.id }}
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Decide whether requirements changed since the last comment
-        id: gate
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          PR=$(jq -r '.pr_number' /tmp/gate/results.json)
-          HEAD=$(jq -r '.head_sha // empty' /tmp/gate/results.json)
-          if [ -z "${HEAD}" ]; then
-            echo "Artifact has no head_sha; running the agent."
-            exit 0
-          fi
-          # Recover the commit recorded in the most recent requirements-check comment.
-          PRIOR=$(gh api --paginate "repos/${GITHUB_REPOSITORY}/issues/${PR}/comments" \
-            --jq '.[] | select(.body | contains("<!-- requirements-check -->")) | .body' \
-            | grep -oE '<!-- requirements-check-sha: [0-9a-f]{7,40} -->' \
-            | grep -oE '[0-9a-f]{7,40}' | tail -1 || true)
-          if [ -z "${PRIOR}" ]; then
-            echo "No previous comment with a recorded commit; running the agent."
-            exit 0
-          fi
-          if [ "${PRIOR}" = "${HEAD}" ]; then
-            echo "Head ${HEAD} unchanged since the last comment; skipping the agent."
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-            exit 0
-          fi
-          # List files changed between the recorded commit and the current head.
-          # Tracked patterns mirror script/check_requirements/diff.py TRACKED_PATTERNS.
-          CHANGED=$(gh api "repos/${GITHUB_REPOSITORY}/compare/${PRIOR}...${HEAD}" \
-            --jq '.files[].filename' 2>/dev/null) || {
-            echo "Could not compare ${PRIOR}...${HEAD}; running the agent."
-            exit 0
-          }
-          TRACKED=$(printf '%s\n' "${CHANGED}" \
-            | grep -Ex 'requirements.*\.txt|homeassistant/package_constraints\.txt' || true)
-          if [ -z "${TRACKED}" ]; then
-            echo "No tracked requirement files changed since ${PRIOR}; skipping the agent."
-            echo "skip=true" >> "${GITHUB_OUTPUT}"
-          else
-            echo "Tracked requirement files changed since ${PRIOR}; running the agent:"
-            printf '%s\n' "${TRACKED}"
-          fi
   extract_pr_number:
-    needs: gate
-    if: needs.gate.outputs.skip != 'true' && github.event.workflow_run.conclusion == 'success'
+    if: github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -103,7 +44,7 @@ jobs:
           PR=$(jq -r '.pr_number' /tmp/deterministic/results.json)
           echo "pr_number=${PR}" >> "${GITHUB_OUTPUT}"
 concurrency:
-  group: ${{ github.workflow }}-${{ github.event.workflow_run.id }}
+  group: ${{ github.workflow }}-${{ github.event.workflow_run.head_sha }}
   cancel-in-progress: true
 steps:
   - name: Download deterministic-results artifact
@@ -142,291 +83,296 @@ description: >
 
 # Check requirements (AW)
 
-You are a code-review assistant for Home Assistant. The deterministic
-stage already evaluated every check it can and produced an artifact at
-`/tmp/gh-aw/deterministic/results.json`. Your only job is to resolve any
-`needs_agent` checks and post the rendered comment.
+You are a code review assistant for the Home Assistant project. The
+deterministic stage has already evaluated every check it can on its own
+and produced an artifact containing the PR number, per-package check
+results, and a pre-rendered comment with placeholders. **Your only job is
+to read that artifact, resolve any `needs_agent` checks, and post the
+final comment.**
 
-## Step 1 — Read the artifact
+## Step 1 — Read the deterministic-stage artifact
 
-Read the JSON directly for the full schema. Key fields:
+The deterministic stage uploaded its results to the runner at
+`/tmp/gh-aw/deterministic/results.json`.
 
-- `pr_number`, `needs_agent` (bool), `packages[]`, `rendered_comment`.
-- Each `package`: `name`, `old_version` (`null` if new), `new_version`,
-  `repo_url`, `publisher_kind`, `checks` (keyed by check-kind, each
-  with `status` of `pass`/`warn`/`fail`/`needs_agent` and `details`).
-- `rendered_comment` contains, for each `needs_agent` check, two
-  placeholders to replace:
-  - `{{CHECK_CELL:<pkg>:<kind>}}` → exactly one of `✅`, `☑️`, `⚠️`, `❌`.  The
-    **`security`** check kind uses `☑️` instead of `✅` for the success
-    case — see its section below for why.
-  - `{{CHECK_DETAIL:<pkg>:<kind>}}` → `<icon> <one-line explanation>`
-    (the bullet's `- **<label>**:` prefix is already rendered; replace
-    only the placeholder).
+The JSON has this shape:
 
-Do not modify other content in `rendered_comment`, do not re-evaluate
-deterministic checks, do not add or remove packages. If `needs_agent`
-is `false`, emit `rendered_comment` unchanged.
+- `pr_number` — the PR being checked. The `add_comment` safe-output is
+  already targeted at this PR (a pre-job extracts `pr_number` from the
+  artifact and the workflow wires it into the safe-output config via
+  `needs.extract_pr_number.outputs.pr_number`), so **you do not need to
+  set `item_number` yourself** — just emit `add_comment` with the
+  rendered body.
+- `needs_agent` — `true` iff any package's check needs resolution.
+- `packages[]` — one entry per changed package. Each entry has:
+  - `name`, `old_version` (`null` for a newly added package; otherwise the
+    previous pin), `new_version`, `repo_url`, `publisher_kind`.
+  - `checks` — a dict keyed by **check kind** (string). Each value has a
+    `status` (`pass`, `warn`, `fail`, or `needs_agent`) and `details`.
+- `rendered_comment` — the final PR comment body, already rendered. For
+  every check whose status is `needs_agent` it contains two placeholders
+  you must replace:
+  - `{{CHECK_CELL:<pkg-name>:<check-kind>}}` — one cell of the summary
+    table. Replace with exactly one of `✅`, `⚠️`, `❌`.
+  - `{{CHECK_DETAIL:<pkg-name>:<check-kind>}}` — the body of one bullet
+    in the package's `<details>` block. Replace with
+    `<icon> <one-line explanation>` (the bullet's leading
+    `- **<label>**:` is already rendered — replace only the placeholder).
+
+You **must not** modify any other content in `rendered_comment`. Do not
+re-evaluate checks that already have a deterministic status. Do not add
+or remove packages.
 
 ## Step 2 — Resolve each `needs_agent` check
 
-For each `(package, check_kind)` with `status == "needs_agent"`, find
-the matching `### Check kind: <check_kind>` section below and follow
-it. If no section matches, emit a single `add_comment` with:
+For each `package` in `packages`:
 
-```
-<!-- requirements-check -->
-## Check requirements
+For each `(check_kind, result)` in `package.checks` where
+`result.status == "needs_agent"`:
 
-❌ Internal error: deterministic artifact contains an unknown check kind
-(`<check_kind>` on `<pkg>`).
-```
+1. Look up `## Check kind: <check_kind>` in the **Check instructions**
+   section below.
+2. **If no matching section exists**: emit a single `add_comment` whose
+   body is:
 
-Then stop. Do not improvise a verdict.
+   ```
+   <!-- requirements-check -->
+   ## Check requirements
+
+   ❌ Internal error: the deterministic artifact contains a check kind
+   (`<check_kind>` on package `<pkg-name>`) that this workflow has no
+   instructions for. Update `.github/workflows/check-requirements.md`
+   to add a matching `## Check kind: <check_kind>` section, or remove
+   the kind from the deterministic stage.
+   ```
+
+   Then stop. **Do not improvise** a verdict for an unknown check kind.
+3. Otherwise, follow the instructions in that section. They tell you
+   which icon (✅/⚠️/❌) and one-line explanation to produce.
 
 ## Step 3 — Post the comment
 
-Replace every placeholder with the resolved value and emit
-`rendered_comment` via `add_comment`. Preserve the leading
-`<!-- requirements-check -->` marker and the
-`<!-- requirements-check-sha: … -->` marker that follows it — the next
-run reads the recorded commit from it to decide whether anything changed.
-The PR target is already wired; do not pass `item_number`.
+1. Replace every `{{CHECK_CELL:…}}` and `{{CHECK_DETAIL:…}}` placeholder
+   in `rendered_comment` with the resolved value.
+2. Emit the resulting markdown using `add_comment` — set `body` to the
+   merged `rendered_comment` verbatim (the leading
+   `<!-- requirements-check -->` marker must be preserved). The PR
+   target is already set by the workflow; do not pass `item_number`.
+
+If the artifact's top-level `needs_agent` is `false` (no checks need
+you), emit `rendered_comment` unchanged.
 
 ## Check instructions
 
 ### Check kind: `repo_public`
 
-`web-fetch` GET `package.repo_url`.
-- 200 + public repo page → ✅ `<repo_url> is publicly accessible.`
-- 4xx/5xx or login redirect → ❌ `Source repository at <repo_url> is
-  not publicly accessible. Home Assistant requires dependencies to
-  have publicly available source code.`
-- Otherwise → ⚠️ with a one-line description.
+Verify that the package's source repository is publicly reachable.
 
-If ❌, also mark this package's `release_pipeline` and `async_blocking`
-cells/details as `—` and explain `Skipped because the source
-repository is not publicly accessible.`.
+1. Read `package.repo_url`.
+2. Use the `web-fetch` tool to GET that URL.
+3. Decide the verdict:
+   - HTTP 200, returns a public repository page → ✅
+     `<repo_url> is publicly accessible.`
+   - HTTP 4xx/5xx, or the response redirects to a login / sign-in page →
+     ❌ `Source repository at <repo_url> is not publicly accessible.
+     Home Assistant requires all dependencies to have publicly available
+     source code.`
+   - Any other inconclusive result → ⚠️ with a one-line description.
+
+If `repo_public` resolves to ❌ for a package, **also** mark that
+package's `release_pipeline` and `async_blocking` cells/details as `—`
+(em dash) and explain `Skipped because the source repository is not
+publicly accessible.` — neither check can be performed without a public
+repo.
 
 ### Check kind: `pr_link`
 
-Fetch the PR body via the `pull_requests` MCP using `pr_number`. Extract URLs.
+Verify the PR description contains the right link for the change.
 
-- **New package** (`old_version == null`): body must contain a URL
-  pointing at `repo_url`'s `owner/repo` on the same host (any
-  sub-path OK). PyPI is not sufficient.
-  - ✅ if present; otherwise ❌ `PR description must link to the
-    source repository at <repo_url>. A PyPI page link is not
-    sufficient.`
-- **Version bump**: body must contain a URL on the same host as
-  `repo_url` that mentions **both** `old_version` and `new_version`
-  (compare URL, changelog, release page).
-  - ✅ if present and versions match; otherwise ❌ `PR description
-    should link to a changelog or compare URL on <repo_url> that
-    mentions both <old_version> and <new_version>.`
+1. Fetch the PR body via the GitHub MCP tool, using the `pr_number`
+   field from the artifact.
+2. Extract all URLs from the body.
+3. For a **new package** (`package.old_version` is `null`):
+   - The PR body must contain a URL that points at `package.repo_url`
+     (any sub-path of the same `owner/repo` on the same host is
+     acceptable). A PyPI link is **not** sufficient.
+   - ✅ if such a URL is present.
+   - ❌ otherwise:
+     `PR description must link to the source repository at <repo_url>.
+     A PyPI page link is not sufficient.`
+4. For a **version bump** (`package.old_version` is not `null`):
+   - The PR body must contain a URL on the same host as
+     `package.repo_url` that references **both** `package.old_version`
+     and `package.new_version` (e.g. a GitHub compare URL
+     `compare/vX...vY`, a release / changelog URL containing both
+     versions, etc.).
+   - ✅ if such a URL is present and the versions match the actual bump.
+   - ❌ otherwise:
+     `PR description should link to a changelog or compare URL on
+     <repo_url> that mentions both <old_version> and <new_version>.`
 
 ### Check kind: `release_pipeline`
 
-Inspect the upstream's publish-to-PyPI CI. Host-specific lookup, same
-rubric:
+Inspect the upstream project's release / publish CI pipeline.
 
-1. Locate the publish workflow / job (name or filename contains
-   `release`, `publish`, `pypi`, or `deploy`).
-   - GitHub: list `.github/workflows/` via the `repos` MCP, pick the
-     promising file by name, fetch its contents.
-   - GitLab: fetch `.gitlab-ci.yml` from the default ref via
-     `https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
-   - Other hosts: `web-fetch` an obvious CI config
-     (`.circleci/config.yml`, `bitbucket-pipelines.yml`, etc.).
-2. Apply this rubric:
-   - **Trigger**: tag push / `release: published` / protected branch —
-     not solely manual dispatch without an environment guard.
-   - **Credentials**: OIDC (`id-token: write` +
-     `pypa/gh-action-pypi-publish` or equivalent) preferred; static
-     `PYPI_TOKEN` from a CI secret acceptable for a bump.
-   - **No bypass**: no ungated `twine upload` / `pip upload`.
-3. Verdict:
-   - ✅ — OIDC + sane triggers + no bypass.
-   - ⚠️ — static token on a bump, details unclear, or
-     non-GitHub/GitLab host with limited CI visibility.
-   - ❌ — static token on a new package, or manual-only triggers
-     without environment protection.
+For each package needing inspection, determine the source repository
+host from `package.repo_url`, then apply the corresponding checklist.
+
+#### GitHub repositories (`github.com`)
+
+1. List workflows: `GET /repos/{owner}/{repo}/actions/workflows`.
+2. Identify any workflow whose name or filename suggests publishing to
+   PyPI (`release`, `publish`, `pypi`, or `deploy`).
+3. Fetch the workflow file and check:
+   - **Trigger sanity**: triggered by `push` to tags,
+     `release: published`, or `workflow_run` on a release job —
+     **not** solely `workflow_dispatch` with no environment-protection
+     guard.
+   - **OIDC / Trusted Publisher**: look for `id-token: write` and one of
+     `pypa/gh-action-pypi-publish`, `actions/attest-build-provenance`,
+     or `TWINE_PASSWORD` from a static `secrets.PYPI_TOKEN`.
+   - **No manual upload bypass**: no ungated `twine upload` or
+     `pip upload`.
+4. Verdict:
+   - ✅ if OIDC + sane triggers + no bypass.
+   - ⚠️ if static token but version bump, or details unclear.
+   - ❌ if static token on a new package, or only-manual triggers with
+     no environment protection.
+
+#### GitLab repositories (`gitlab.com` or self-hosted GitLab)
+
+1. Resolve the project ID via
+   `GET https://gitlab.com/api/v4/projects/{url-encoded-namespace-and-name}`.
+2. Fetch `.gitlab-ci.yml` via
+   `GET https://gitlab.com/api/v4/projects/{id}/repository/files/.gitlab-ci.yml/raw?ref=HEAD`.
+3. Apply the same conceptual checks: tag-only / protected-branch
+   triggers, GitLab OIDC `id_tokens` or CI/CD protected `PYPI_TOKEN`, no
+   ungated `twine upload`. Same verdict rules as GitHub.
+
+#### Other code hosting providers (Bitbucket, Codeberg, Gitea, Sourcehut, …)
+
+1. Use `web-fetch` to retrieve any visible CI configuration
+   (`.circleci/config.yml`, `Jenkinsfile`, `azure-pipelines.yml`,
+   `bitbucket-pipelines.yml`, `.builds/*.yml`).
+2. Apply the conceptual checks: automated triggers, CI-injected
+   credentials, no manual `twine upload`.
+3. If no CI config can be retrieved: ⚠️ `Release pipeline could not be
+   inspected; hosting provider is not GitHub or GitLab.`
 
 ### Check kind: `async_blocking`
 
-Verify the dependency does not call blocking APIs inside `async def`
-bodies. Home Assistant runs on a single asyncio loop, so blocking
-calls from the async surface stall the whole loop. A purely sync
-library is fine — integrations wrap its calls in an executor.
+Verify whether the dependency performs blocking I/O inside async code
+paths. Home Assistant runs on a single asyncio event loop, so a library
+that exposes an `async` surface must not call blocking APIs from inside
+its `async def` functions — that stalls the whole loop. A purely sync
+library is fine: Home Assistant integrations are expected to wrap such
+calls in an executor.
 
-**Mode** (decided by `old_version`):
-- `null` → new package: review the entire current source tree.
-- string → version bump: review only the diff between the two tags.
-  Blocking calls already present in `old_version` are not regressions.
+**Two modes — pick by inspecting `package.old_version`:**
 
-**Step 1 — async surface?**
+- `old_version` is `null` → **new package**: review the *entire current
+  source tree*. Nothing about this dependency has been vetted before.
+- `old_version` is a string → **version bump**: review only the *diff
+  between `old_version` and `new_version`*. The previous version was
+  already accepted, so blocking calls that were present in
+  `old_version` are not regressions; report only what `new_version`
+  introduces.
 
-Fetch `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` at the
-tag matching `new_version` (try `v{version}`, `{version}`,
-`release-{version}` — at most three attempts). Use the `repos` MCP for
-github.com, `web-fetch` otherwise.
+#### Step 1 — Decide whether the library exposes an async surface
 
-If sync-only (no `async def` in public modules; no
-asyncio/aiohttp/httpx/anyio in deps; no `Framework :: AsyncIO`
-classifier) → ✅ `Sync-only library; Home Assistant integrations must
-wrap calls in an executor.` (Same verdict for both modes.)
+Use the `github` MCP tool (for `github.com` repos) or `web-fetch`
+(other hosts) on `package.repo_url`. Always inspect the tag /
+ref matching `new_version` (e.g. `v{new_version}` or `{new_version}`).
 
-**Step 2 — review the surface**
+- Locate the top-level package directory (usually named after the
+  import name, often equal or close to `package.name`).
+- Check `pyproject.toml` / `setup.py` / `setup.cfg` / `README*` for
+  async indicators (`Framework :: AsyncIO` trove classifier, `asyncio`
+  / `aiohttp` / `httpx` / `anyio` in dependencies, an async usage
+  example in the README).
+- Grep the package source for `async def`. A handful of `async def`
+  entries in the public modules is enough to treat the library as
+  having an async surface.
 
-- New package: grep public modules for `async def`, inspect each
-  async body and transitive helpers.
-- Bump: fetch the compare diff
-  (`/repos/{owner}/{repo}/compare/{old}...{new}` on GitHub, equivalent
-  on GitLab/other hosts). Only flag patterns on **added** lines that
-  are inside or reachable from `async def`. If no tag format resolves,
-  fall back to a full review and note that the diff was unavailable.
+If the library is **sync-only** (no `async def` in its public modules
+and no async framework dependency) → ✅
+`Sync-only library; Home Assistant integrations must wrap calls in an
+executor.` *This verdict is the same in both modes.*
 
-**Blocking patterns to flag inside `async def`:**
+#### Step 2a — Mode: new package (`old_version` is `null`)
 
-- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct,
-  `http.client.`, sync `httpx.Client(` / `httpx.get(`, `pycurl`.
-- `time.sleep(` (use `await asyncio.sleep(`).
-- Sync sockets/SSL: bare `socket.socket` I/O, `ssl.wrap_socket`,
+Inspect **every `async def` in the public modules** for blocking
+patterns. Walk transitively into helpers the async functions call.
+
+#### Step 2b — Mode: version bump (`old_version` is a string)
+
+Fetch the diff between the two tags and review **only changed lines**:
+
+- GitHub: `GET /repos/{owner}/{repo}/compare/{old_tag}...{new_tag}` via
+  the `github` MCP tool, or
+  `https://github.com/{owner}/{repo}/compare/{old_tag}...{new_tag}.diff`
+  via `web-fetch`. Try the common tag formats in order until one
+  resolves: `v{version}`, `{version}`, `release-{version}`.
+- GitLab: `https://gitlab.com/{namespace}/{project}/-/compare/{old_tag}...{new_tag}.diff`.
+- Other hosts: use the project's equivalent compare URL via
+  `web-fetch`.
+
+If neither tag format resolves on the host, fall back to a full review
+(Step 2a) and mention in the detail that the diff was unavailable.
+
+When reviewing the diff, only flag blocking patterns that appear in
+**added lines** *inside or reachable from* an `async def`. A blocking
+call that existed in `old_version` and is unchanged is not a regression
+for this bump.
+
+#### Step 3 — Blocking patterns to look for
+
+In both modes, the patterns to flag inside `async def` bodies are:
+
+- Sync HTTP: `requests.`, `urllib.request`, `urllib3.` direct use,
+  `http.client.`, sync `httpx.Client(` / `httpx.get(` (NOT the
+  `AsyncClient`), `pycurl`.
+- `time.sleep(` (must be `await asyncio.sleep(`).
+- Sync sockets: bare `socket.socket` reads/writes, `ssl.wrap_socket`,
   blocking `select.select`.
-- File I/O on the request path: `open(` /
-  `pathlib.Path.read_*` / `.write_*` for non-trivial sizes (small
-  one-shot reads during import are OK).
-- Sync DB drivers: `sqlite3`, `psycopg2`, `pymysql`, sync `pymongo` /
-  `redis.Redis`.
-- `subprocess.run` / `subprocess.call` / `os.system`.
+- File I/O: `open(` / `pathlib.Path.read_*` / `.write_*` for
+  non-trivial sizes (small one-shot reads during import are
+  acceptable; reads/writes on the request path are not — prefer
+  `aiofiles` / executor).
+- Sync DB drivers used directly: `sqlite3`, `psycopg2`, `pymysql`,
+  `pymongo` (sync client), `redis.Redis` (sync client).
+- `subprocess.run` / `subprocess.call` / `os.system` (must be
+  `asyncio.create_subprocess_*`).
 
-Calls dispatched to an executor (`run_in_executor`,
-`asyncio.to_thread`, `anyio.to_thread.run_sync`) do **not** count as
-blocking.
+A call that is clearly dispatched to an executor
+(`run_in_executor`, `asyncio.to_thread`, `anyio.to_thread.run_sync`)
+does NOT count as blocking.
 
-**Verdict:**
+#### Step 4 — Verdict
 
-- ✅ — no offending pattern. Bumps: phrase as `No new blocking calls
-  introduced in {old_version} → {new_version}.`.
-- ⚠️ — blocking only in sync helpers the async API never calls, or
-  clearly off the hot path (e.g. one-shot pre-loop setup). Cite at
-  least one `<file>:<line>` and say why it's not hot.
-- ❌ — blocking call reachable from a public `async def` on the
-  request/polling path (bump: introduced or moved onto the hot path
-  by this version). Cite the offending `<file>:<line>` as a clickable
-  link on the repo host.
-
-### Check kind: `security`
-
-**Baseline** scan of the upstream source for obvious supply-chain red
-flags — a cheap first pass, **not** a security review or malware audit.
-A clean result means "nothing obvious stood out", not "this package is
-safe". The success icon is `☑️` — **never** `✅` — so a passing scan is
-not read as an endorsement.
-
-If `repo_public` resolves to ❌ for the same package, mark `security`'s
-cell and detail as `—` and explain `Skipped because the source
-repository is not publicly accessible.` — the source cannot be fetched.
-
-**Step 1 — Fetch a representative slice**
-
-Locate the source from `package.repo_url`.
-
-- GitHub: resolve the default branch (`GET /repos/{owner}/{repo}`), list
-  the tree (`GET /repos/{owner}/{repo}/git/trees/{branch}?recursive=1`),
-  find the module dir (`{name}/` or `src/{name}/`, normalising `-` ↔ `_`).
-- GitLab: equivalent REST calls. Other hosts: `web-fetch` raw file URLs.
-
-Fetch the **raw contents** of `setup.py` (install-time code runs on every
-consumer), `pyproject.toml` (`[build-system]` / custom backend), the
-package's `__init__.py`, and co — prioritising `entry_points` targets, plus any name suggesting
-bootstrap / loader / self-update (`update*.py`, `loader*.py`,
-`bootstrap*.py`, `_native.py`, `_post_install*.py`, …).
-
-If the tree is too large for the API budget, inspect at least `setup.py`,
-`pyproject.toml`, and `__init__.py`, then return ⚠️ noting the partial scan.
-
-**Step 2 — Patterns to flag**
-
-Reason from principles, not a fixed checklist: for each file ask *would a
-well-behaved library doing what this package's PyPI description claims
-need to do this?* If "no" or "unclear", record a finding. The categories
-describe the **shape** of concerning behavior; the named APIs, filenames,
-and keys are illustrative — treat any equivalent construct (including ones
-that did not exist when this was written) the same way.
-
-For every finding include the file path, line number, a snippet
-(≤ 120 chars), a permalink
-(`https://github.com/{owner}/{repo}/blob/{sha}/{path}#L{line}` or the
-GitLab equivalent), and one sentence on why it is out of scope.
-
-1. **Reaches into Home Assistant internals.** A library should touch HA
-   only through its documented Python API — never the `config_dir`
-   filesystem or internal auth / session state. Flag code that opens,
-   reads, writes, or resolves paths to artifacts it does not own
-   (top-level YAML it did not create, anything under `.storage/`, other
-   integrations' files) or reads tokens / refresh tokens / auth providers
-   (e.g. `secrets.yaml`, `.storage/auth*`, `hass.auth`). The principle is
-   *out-of-scope access*, not a static list of names.
-2. **Network input flows into an execution sink (download-and-execute).**
-   Flag any data-flow from a network response body (any HTTP / WebSocket /
-   raw-socket client, sync or async) to an execution sink: `exec`, `eval`,
-   `compile`, `marshal.loads`, `pickle.loads`, `types.FunctionType`,
-   `importlib.util.spec_from_loader`, `subprocess.*`, `os.system`, shell
-   pipelines (`curl … | sh`), or a file later imported / executed — plus
-   package-manager calls (`pip install` / `download`) with args resolved
-   from network responses at runtime.
-3. **Build / install-time code is non-deterministic or non-local.**
-   `setup.py`, `setup.cfg` `cmdclass`, custom PEP 517 backends, and other
-   build hooks must only compile and copy files shipped in the sdist. Flag
-   build-stage code that opens a socket, shells out, writes outside the
-   build / install tree, or pulls a build backend not on PyPI (Git URL /
-   local path).
-4. **Reads secrets and combines them with an egress path.** The shape is
-   *secret-source → outbound-channel*. Flag code that reads credential
-   material (token-like env vars, credential files under the user's home,
-   OS keychain APIs, browser-profile dirs, HA token stores) **and** in the
-   same path sends it to a destination the package needn't talk to.
-   Reading or sending alone is not enough — the *combination* is the signal.
-5. **Hides what it does.** Flag opaque data flowing into an execution
-   sink: large encoded / compressed / hex strings (`base64`, `codecs`,
-   `zlib`, `lzma`, `bytes.fromhex`, or any equivalent) passed to `exec` /
-   `eval` / `compile` / `__import__`; identifiers assembled at runtime
-   then imported; or any construct whose evident purpose is to make the
-   behavior unreadable.
-6. **Hard-coded network destination off-purpose.** Flag outbound URLs or
-   hosts absent from the package's PyPI `project_urls` with no obvious
-   connection to its function — short-link / paste services, ephemeral
-   tunnels, raw IPs, non-default ports against unknown hosts — and any
-   network call at module top-level / `__init__.py` (runs on import for
-   every consumer).
-
-A clearly out-of-scope behavior that fits none of the above: flag under
-the closest category and explain. The categories guide reasoning, not bound it.
-
-**Verdict**
-
-Aggregate the findings into one of:
-
-- `☑️ Baseline scan found nothing obvious in <list of inspected files>.
-  This is not a security review — only the cheap checks were run.`
-  Use `☑️` (**not** `✅`) so a passing scan is not read as an endorsement.
-- `⚠️ <one-line summary>` — patterns with plausible legitimate uses;
-  include path / line / snippet / permalink per match for the reviewer.
-- `❌ <one-line summary>` — patterns with no legitimate explanation
-  (install-time network execution, decode-and-exec of opaque blobs, reads
-  of `secrets.yaml` / `.storage/auth*`, token exfiltration to an external
-  host); same detail.
-
-Be precise. False positives are expected — when in doubt prefer `⚠️` with
-context over `❌`. This check is informational and never blocks the
-workflow on its own; a human reviewer decides whether to merge.
+- ✅ — no offending blocking pattern in the surface being reviewed
+  (whole tree for a new package, added lines for a bump). For a bump,
+  phrase the detail as `No new blocking calls introduced in
+  {old_version} → {new_version}.`.
+- ⚠️ — blocking calls exist only in sync helpers that the async API
+  does not call, or only on a clearly non-hot path (e.g. one-shot
+  setup before the event loop is running). Cite at least one
+  `<file>:<line>` and explain why it is not on the hot path.
+- ❌ — a blocking call is reachable from an `async def` that is part
+  of the public API on the request / polling path (for a bump: the
+  call was introduced or moved onto the hot path by this version).
+  Cite the offending `<file>:<line>` as a clickable link on the repo
+  host so the contributor can jump to it.
 
 ## Notes
 
-- Be constructive; reference the inspected file by URL when useful.
-- Comment dedup is handled by gh-aw's `add_comment` safe-output via
-  the `<!-- requirements-check -->` marker.
-- If `/tmp/gh-aw/deterministic/results.json` is missing (upstream
-  cancelled/failed), emit nothing — the post-step verification is
-  gated and won't complain.
+- Be constructive and helpful. Reference the inspected workflow / CI
+  file by URL where useful so the contributor can fix the issue.
+- The dedup of the requirements-check comment is handled by gh-aw's
+  `add_comment` safe-output via the `<!-- requirements-check -->`
+  marker on the first line of `rendered_comment`.
+- If the deterministic workflow concluded with a non-success status,
+  this workflow's `if:` guard on `Download deterministic-results
+  artifact` skipped the download. If you find no file at
+  `/tmp/gh-aw/deterministic/results.json`, emit nothing — the post-step
+  verification is also gated and will not complain.

.github/workflows/ci.yaml

@@ -98,7 +98,7 @@ jobs:
       skip_coverage: ${{ steps.info.outputs.skip_coverage }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Generate partial Python venv restore key
@@ -264,7 +264,7 @@ jobs:
       && github.event.inputs.audit-licenses-only != 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Register problem matchers
@@ -291,7 +291,7 @@ jobs:
       && github.event.inputs.audit-licenses-only != 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Run zizmor
@@ -318,7 +318,7 @@ jobs:
           - script/hassfest/docker/Dockerfile
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Register hadolint problem matcher
@@ -341,7 +341,7 @@ jobs:
         python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
@@ -404,7 +404,7 @@ jobs:
           echo "version=$(grep '^uv==' requirements.txt | cut -d'=' -f3)" >> "$GITHUB_OUTPUT"
       - name: Set up uv
         if: steps.cache-venv.outputs.cache-hit != 'true'
-        uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           version: ${{ steps.read-uv-version.outputs.version }}
       - name: Create Python virtual environment
@@ -469,7 +469,7 @@ jobs:
       && github.event.inputs.audit-licenses-only != 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install additional OS dependencies
@@ -512,7 +512,7 @@ jobs:
       && github.event.inputs.audit-licenses-only != 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python
@@ -548,7 +548,7 @@ jobs:
       && github.event.inputs.audit-licenses-only != 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python
@@ -576,7 +576,7 @@ jobs:
       && github.event_name == 'pull_request'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Dependency review
@@ -603,7 +603,7 @@ jobs:
         python-version: ${{ fromJson(needs.info.outputs.python_versions) }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
@@ -654,7 +654,7 @@ jobs:
       || github.event.inputs.pylint-only == 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python
@@ -707,7 +707,7 @@ jobs:
       && (needs.info.outputs.tests_glob || needs.info.outputs.test_full_suite == 'true')
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python
@@ -758,7 +758,7 @@ jobs:
       || github.event.inputs.mypy-only == 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Set up Python
@@ -825,7 +825,7 @@ jobs:
       - base
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install additional OS dependencies
@@ -889,7 +889,7 @@ jobs:
         group: ${{ fromJson(needs.info.outputs.test_groups) }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install additional OS dependencies
@@ -1030,7 +1030,7 @@ jobs:
         mariadb-group: ${{ fromJson(needs.info.outputs.mariadb_groups) }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install additional OS dependencies
@@ -1179,7 +1179,7 @@ jobs:
         postgresql-group: ${{ fromJson(needs.info.outputs.postgresql_groups) }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install additional OS dependencies
@@ -1317,7 +1317,7 @@ jobs:
     if: needs.info.outputs.skip_coverage != 'true'
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Download all coverage artifacts
@@ -1326,7 +1326,7 @@ jobs:
           pattern: coverage-*
       - name: Upload coverage to Codecov
         if: needs.info.outputs.test_full_suite == 'true'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           fail_ci_if_error: true
           flags: full-suite
@@ -1355,7 +1355,7 @@ jobs:
         group: ${{ fromJson(needs.info.outputs.test_groups) }}
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Install additional OS dependencies
@@ -1476,7 +1476,7 @@ jobs:
       - pytest-partial
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Download all coverage artifacts
@@ -1485,7 +1485,7 @@ jobs:
           pattern: coverage-*
       - name: Upload coverage to Codecov
         if: needs.info.outputs.test_full_suite == 'false'
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           fail_ci_if_error: true
           token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
@@ -1513,7 +1513,7 @@ jobs:
         with:
           pattern: test-results-*
       - name: Upload test results to Codecov
-        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
+        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
         with:
           report_type: test_results
           fail_ci_if_error: true

.github/workflows/codeql.yml

@@ -23,16 +23,16 @@ jobs:
 
     steps:
       - name: Check out code from GitHub
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: python
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           category: "/language:python"

.github/workflows/translations.yml

@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 

.github/workflows/wheels.yml

@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -116,7 +116,7 @@ jobs:
             os: ubuntu-24.04-arm
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -137,7 +137,7 @@ jobs:
           sed -i "/uv/d" requirements_diff.txt
 
       - name: Build wheels
-        uses: home-assistant/wheels@34957438948e0b3dcde73c77750643dadae594f5 # 2026.06.0
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
         with:
           abi: ${{ matrix.abi }}
           tag: musllinux_1_2
@@ -167,7 +167,7 @@ jobs:
             os: ubuntu-24.04-arm
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -195,7 +195,7 @@ jobs:
           sed -i "/uv/d" requirements_diff.txt
 
       - name: Build wheels
-        uses: home-assistant/wheels@34957438948e0b3dcde73c77750643dadae594f5 # 2026.06.0
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
         with:
           abi: ${{ matrix.abi }}
           tag: musllinux_1_2

.gitignore

@@ -3,6 +3,7 @@ config2/*
 
 tests/testing_config/deps
 tests/testing_config/home-assistant.log*
+tests/testing_config/.storage/sandbox/
 
 # hass-release
 data/

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.15.16
+    rev: v0.15.14
     hooks:
       - id: ruff-check
         args:
@@ -64,6 +64,27 @@ repos:
         files: ^(homeassistant|tests|script)/.+\.py$
   - repo: local
     hooks:
+      # Drift guard for the checked-in sandbox protobuf gencode. Manual
+      # stage only (grpcio-tools is not a project dep, so it bootstraps a
+      # throwaway venv and degrades gracefully when uv is absent): run with
+      # `prek run --hook-stage manual sandbox-proto-drift` or in a CI lane.
+      - id: sandbox-proto-drift
+        name: sandbox protobuf gencode drift guard
+        entry: sandbox/proto/check_drift.sh
+        language: script
+        pass_filenames: false
+        stages: [manual]
+        files: ^sandbox/proto/sandbox\.proto$
+      # Drift guard for the hand-mirrored sandbox wire modules (channel.py,
+      # codec_protobuf.py, messages.py). A plain byte-for-byte diff with no
+      # external tooling, so — unlike the proto gencode guard above — it runs as
+      # a regular hook whenever either copy of a mirrored file changes.
+      - id: sandbox-mirror-drift
+        name: sandbox wire-module mirror drift guard
+        entry: sandbox/proto/check_mirror_drift.sh
+        language: script
+        pass_filenames: false
+        files: ^(homeassistant/components/sandbox|sandbox/hass_client/hass_client)/(channel|codec_protobuf|messages)\.py$
       # Run mypy through our wrapper script in order to get the possible
       # pyenv and/or virtualenv activated; it may not have been e.g. if
       # committing from a GUI tool that was not launched from an activated
@@ -75,6 +96,9 @@ repos:
         require_serial: true
         types_or: [python, pyi]
         files: ^(homeassistant|pylint)/.+\.(py|pyi)$
+        # Checked-in protobuf gencode (sandbox): the .py + .pyi pair trips
+        # mypy's duplicate-module check, and it is machine-generated anyway.
+        exclude: _pb2\.(py|pyi)$
       - id: pylint
         name: pylint
         entry: script/run-in-env.sh pylint --ignore-missing-annotations=y

.strict-typing

@@ -96,7 +96,6 @@ homeassistant.components.aprs.*
 homeassistant.components.apsystems.*
 homeassistant.components.aqualogic.*
 homeassistant.components.aquostv.*
-homeassistant.components.aqvify.*
 homeassistant.components.aranet.*
 homeassistant.components.arcam_fmj.*
 homeassistant.components.arris_tg2492lg.*

AGENTS.md

@@ -40,5 +40,4 @@ This repository contains the core of Home Assistant, a Python 3 based home autom
 - Integrations with Platinum or Gold level in the Integration Quality Scale reflect a high standard of code quality and maintainability. When looking for examples of something, these are good places to start. The level is indicated in the manifest.json of the integration.
 - When reviewing entity actions, do not suggest extra defensive checks for input fields that are already validated by Home Assistant's service/action schemas and entity selection filters. Suggest additional guards only when data bypasses those validators or is transformed into a less-safe form.
 - When validation guarantees a dict key exists, prefer direct key access (`data["key"]`) instead of `.get("key")` so contract violations are surfaced instead of silently masked.
-- Keep comments concise. Prefer one short line stating the non-obvious constraint, or no comment at all.
-- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why (non-obvious constraints, surprising behavior, or workarounds), never what. Never add comments that justify a change by referencing what the code looked like before.
+- Do not add comments that just restate the code on the following line(s) (e.g. `# Check if initialized` above `if self.initialized:`). Comments should only explain why — non-obvious constraints, surprising behavior, or workarounds — never what.

CODEOWNERS

@@ -162,8 +162,6 @@ CLAUDE.md @home-assistant/core
 /tests/components/apsystems/ @mawoka-myblock @SonnenladenGmbH
 /homeassistant/components/aquacell/ @Jordi1990
 /tests/components/aquacell/ @Jordi1990
-/homeassistant/components/aqvify/ @astrandb
-/tests/components/aqvify/ @astrandb
 /homeassistant/components/aranet/ @aschmitz @thecode @anrijs
 /tests/components/aranet/ @aschmitz @thecode @anrijs
 /homeassistant/components/arcam_fmj/ @elupus
@@ -262,8 +260,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/braviatv/ @bieniu @Drafteed
 /homeassistant/components/bring/ @miaucl @tr4nt0r
 /tests/components/bring/ @miaucl @tr4nt0r
-/homeassistant/components/broadlink/ @danielhiversen @felipediel @L-I-Am
-/tests/components/broadlink/ @danielhiversen @felipediel @L-I-Am
+/homeassistant/components/broadlink/ @danielhiversen @felipediel @L-I-Am @eifinger
+/tests/components/broadlink/ @danielhiversen @felipediel @L-I-Am @eifinger
 /homeassistant/components/brother/ @bieniu
 /tests/components/brother/ @bieniu
 /homeassistant/components/brottsplatskartan/ @gjohansson-ST
@@ -576,8 +574,8 @@ CLAUDE.md @home-assistant/core
 /tests/components/flo/ @dmulcahey
 /homeassistant/components/flume/ @ChrisMandich @bdraco @jeeftor
 /tests/components/flume/ @ChrisMandich @bdraco @jeeftor
-/homeassistant/components/fluss/ @fluss @Marcello17
-/tests/components/fluss/ @fluss @Marcello17
+/homeassistant/components/fluss/ @fluss
+/tests/components/fluss/ @fluss
 /homeassistant/components/flux_led/ @icemanch
 /tests/components/flux_led/ @icemanch
 /homeassistant/components/forecast_solar/ @klaasnicolaas @frenck
@@ -695,8 +693,6 @@ CLAUDE.md @home-assistant/core
 /tests/components/gree/ @cmroche
 /homeassistant/components/green_planet_energy/ @petschni
 /tests/components/green_planet_energy/ @petschni
-/homeassistant/components/greencell/ @BrzezowskiGC
-/tests/components/greencell/ @BrzezowskiGC
 /homeassistant/components/greeneye_monitor/ @jkeljo
 /tests/components/greeneye_monitor/ @jkeljo
 /homeassistant/components/group/ @home-assistant/core
@@ -949,8 +945,6 @@ CLAUDE.md @home-assistant/core
 /tests/components/kiosker/ @Claeysson
 /homeassistant/components/kitchen_sink/ @home-assistant/core
 /tests/components/kitchen_sink/ @home-assistant/core
-/homeassistant/components/klik_aan_klik_uit/ @Phunkafizer
-/tests/components/klik_aan_klik_uit/ @Phunkafizer
 /homeassistant/components/kmtronic/ @dgomes
 /tests/components/kmtronic/ @dgomes
 /homeassistant/components/knocki/ @joostlek @jgatto1 @JakeBosh
@@ -1088,8 +1082,6 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/mediaroom/ @dgomes
 /homeassistant/components/melcloud/ @erwindouna
 /tests/components/melcloud/ @erwindouna
-/homeassistant/components/melcloud_home/ @erwindouna
-/tests/components/melcloud_home/ @erwindouna
 /homeassistant/components/melissa/ @kennedyshead
 /tests/components/melissa/ @kennedyshead
 /homeassistant/components/melnor/ @vanstinator
@@ -1157,6 +1149,7 @@ CLAUDE.md @home-assistant/core
 /tests/components/motionmount/ @laiho-vogels
 /homeassistant/components/mqtt/ @emontnemery @jbouwh @bdraco
 /tests/components/mqtt/ @emontnemery @jbouwh @bdraco
+/homeassistant/components/msteams/ @peroyvind
 /homeassistant/components/mta/ @OnFreund
 /tests/components/mta/ @OnFreund
 /homeassistant/components/mullvad/ @meichthys
@@ -1892,7 +1885,6 @@ CLAUDE.md @home-assistant/core
 /homeassistant/components/unifi_access/ @imhotep @RaHehl
 /tests/components/unifi_access/ @imhotep @RaHehl
 /homeassistant/components/unifi_direct/ @tofuSCHNITZEL
-/tests/components/unifi_direct/ @tofuSCHNITZEL
 /homeassistant/components/unifi_discovery/ @RaHehl
 /tests/components/unifi_discovery/ @RaHehl
 /homeassistant/components/unifiled/ @florisvdk

homeassistant/brands/microsoft.json

@@ -11,6 +11,7 @@
     "microsoft_face_identify",
     "microsoft_face",
     "microsoft",
+    "msteams",
     "onedrive",
     "onedrive_for_business",
     "xbox"

homeassistant/components/acaia/manifest.json

@@ -26,5 +26,5 @@
   "iot_class": "local_push",
   "loggers": ["aioacaia"],
   "quality_scale": "platinum",
-  "requirements": ["aioacaia==0.1.18"]
+  "requirements": ["aioacaia==0.1.17"]
 }

homeassistant/components/acer_projector/manifest.json

@@ -5,5 +5,5 @@
   "documentation": "https://www.home-assistant.io/integrations/acer_projector",
   "iot_class": "local_polling",
   "quality_scale": "legacy",
-  "requirements": ["serialx==1.8.2"]
+  "requirements": ["serialx==1.8.0"]
 }

homeassistant/components/acmeda/manifest.json

@@ -6,5 +6,5 @@
   "documentation": "https://www.home-assistant.io/integrations/acmeda",
   "iot_class": "local_push",
   "loggers": ["aiopulse"],
-  "requirements": ["aiopulse==0.4.7"]
+  "requirements": ["aiopulse==0.4.6"]
 }

homeassistant/components/airos/__init__.py

@@ -116,6 +116,10 @@ async def async_setup_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> boo
 async def async_migrate_entry(hass: HomeAssistant, entry: AirOSConfigEntry) -> bool:
     """Migrate old config entry."""
 
+    # This means the user has downgraded from a future version
+    if entry.version > 2:
+        return False
+
     # 1.1 Migrate config_entry to add advanced ssl settings
     if entry.version == 1 and entry.minor_version == 1:
         new_minor_version = 2

homeassistant/components/airq/manifest.json

@@ -7,7 +7,7 @@
   "integration_type": "hub",
   "iot_class": "local_polling",
   "loggers": ["aioairq"],
-  "requirements": ["aioairq==0.4.8"],
+  "requirements": ["aioairq==0.4.7"],
   "zeroconf": [
     {
       "properties": {

homeassistant/components/airvisual_pro/entity.py

@@ -1,6 +1,6 @@
 """The AirVisual Pro integration."""
 
-from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
+from homeassistant.helpers.device_registry import DeviceInfo
 from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.update_coordinator import CoordinatorEntity
 
@@ -25,12 +25,6 @@ class AirVisualProEntity(CoordinatorEntity[AirVisualProCoordinator]):
         """Return device registry information for this entity."""
         return DeviceInfo(
             identifiers={(DOMAIN, self.coordinator.data["serial_number"])},
-            connections={
-                (
-                    CONNECTION_NETWORK_MAC,
-                    self.coordinator.data["status"]["mac_address"],
-                )
-            },
             manufacturer="AirVisual",
             model=self.coordinator.data["status"]["model"],
             name=self.coordinator.data["settings"]["node_name"],

homeassistant/components/alexa_devices/__init__.py

@@ -65,6 +65,10 @@ async def async_setup_entry(hass: HomeAssistant, entry: AmazonConfigEntry) -> bo
 async def async_migrate_entry(hass: HomeAssistant, entry: AmazonConfigEntry) -> bool:
     """Migrate old entry."""
 
+    if entry.version > 1:
+        # This means the user has downgraded from a future version
+        return False
+
     if entry.version == 1 and entry.minor_version < 3:
         if CONF_SITE in entry.data:
             # Site in data (wrong place), just move to login data

homeassistant/components/alexa_devices/button.py

@@ -6,7 +6,7 @@ from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 from homeassistant.util import slugify
 
-from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator, alexa_api_call
+from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator
 from .entity import AmazonServiceEntity
 
 # Coordinator is used to centralize the data updates
@@ -49,5 +49,4 @@ class AmazonRoutineButton(AmazonServiceEntity, ButtonEntity):
 
     async def async_press(self) -> None:
         """Handle button press action."""
-        async with alexa_api_call(self.coordinator):
-            await self.coordinator.api.call_routine(self._routine)
+        await self.coordinator.api.call_routine(self._routine)

homeassistant/components/alexa_devices/coordinator.py

@@ -1,7 +1,5 @@
 """Support for Alexa Devices."""
 
-from collections.abc import AsyncGenerator
-from contextlib import asynccontextmanager
 from datetime import timedelta
 
 from aioamazondevices.api import AmazonEchoApi
@@ -21,11 +19,7 @@ from aiohttp import ClientSession
 from homeassistant.config_entries import ConfigEntry
 from homeassistant.const import CONF_PASSWORD, CONF_USERNAME, Platform
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import (
-    ConfigEntryAuthFailed,
-    ConfigEntryNotReady,
-    HomeAssistantError,
-)
+from homeassistant.exceptions import ConfigEntryAuthFailed, ConfigEntryNotReady
 from homeassistant.helpers import device_registry as dr, entity_registry as er
 from homeassistant.helpers.debounce import Debouncer
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed
@@ -35,65 +29,6 @@ from .const import _LOGGER, CONF_LOGIN_DATA, DOMAIN
 
 SCAN_INTERVAL = 300
 
-
-@asynccontextmanager
-async def alexa_api_call(
-    coordinator: DataUpdateCoordinator | None = None,
-) -> AsyncGenerator[None]:
-    """Handle common Alexa API exceptions as HomeAssistantError."""
-    try:
-        yield
-    except CannotAuthenticate as err:
-        if coordinator:
-            coordinator.last_update_success = False
-        raise HomeAssistantError(
-            translation_domain=DOMAIN,
-            translation_key="invalid_auth",
-            translation_placeholders={"error": repr(err)},
-        ) from err
-    except CannotConnect as err:
-        if coordinator:
-            coordinator.last_update_success = False
-        raise HomeAssistantError(
-            translation_domain=DOMAIN,
-            translation_key="cannot_connect_with_error",
-            translation_placeholders={"error": repr(err)},
-        ) from err
-    except (CannotRetrieveData, ValueError) as err:
-        if coordinator:
-            coordinator.last_update_success = False
-        raise HomeAssistantError(
-            translation_domain=DOMAIN,
-            translation_key="cannot_retrieve_data_with_error",
-            translation_placeholders={"error": repr(err)},
-        ) from err
-
-
-@asynccontextmanager
-async def alexa_config_entry_errors() -> AsyncGenerator[None]:
-    """Handle common Alexa API exceptions as ConfigEntry errors."""
-    try:
-        yield
-    except CannotAuthenticate as err:
-        raise ConfigEntryAuthFailed(
-            translation_domain=DOMAIN,
-            translation_key="invalid_auth",
-            translation_placeholders={"error": repr(err)},
-        ) from err
-    except (CannotConnect, TimeoutError) as err:
-        raise ConfigEntryNotReady(
-            translation_domain=DOMAIN,
-            translation_key="cannot_connect_with_error",
-            translation_placeholders={"error": repr(err)},
-        ) from err
-    except (CannotRetrieveData, ValueError, KeyError, StopIteration) as err:
-        raise ConfigEntryNotReady(
-            translation_domain=DOMAIN,
-            translation_key="cannot_retrieve_data_with_error",
-            translation_placeholders={"error": repr(err)},
-        ) from err
-
-
 type AmazonConfigEntry = ConfigEntry[AmazonDevicesCoordinator]
 
 
@@ -178,12 +113,6 @@ class AmazonDevicesCoordinator(DataUpdateCoordinator[dict[str, AmazonDevice]]):
                 translation_key="invalid_auth",
                 translation_placeholders={"error": repr(err)},
             ) from err
-        except ValueError as err:
-            raise UpdateFailed(
-                translation_domain=DOMAIN,
-                translation_key="cannot_retrieve_data_with_error",
-                translation_placeholders={"error": repr(err)},
-            ) from err
         else:
             current_devices = set(data.keys())
             if stale_devices := self.previous_devices - current_devices:
@@ -240,8 +169,26 @@ class AmazonDevicesCoordinator(DataUpdateCoordinator[dict[str, AmazonDevice]]):
 
     async def sync_history_state(self) -> None:
         """Sync history state."""
-        async with alexa_config_entry_errors():
+        try:
             self._vocal_records = await self.api.sync_history_state()
+        except CannotAuthenticate as e:
+            raise ConfigEntryAuthFailed(
+                translation_domain=DOMAIN,
+                translation_key="invalid_auth",
+                translation_placeholders={"error": repr(e)},
+            ) from e
+        except CannotConnect as e:
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="cannot_connect_with_error",
+                translation_placeholders={"error": repr(e)},
+            ) from e
+        except BaseException as e:
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="cannot_retrieve_data_with_error",
+                translation_placeholders={"error": repr(e)},
+            ) from e
 
     async def history_state_event_handler(
         self, vocal_records: dict[str, AmazonVocalRecord]
@@ -257,8 +204,26 @@ class AmazonDevicesCoordinator(DataUpdateCoordinator[dict[str, AmazonDevice]]):
 
     async def sync_media_state(self) -> None:
         """Sync media state."""
-        async with alexa_config_entry_errors():
+        try:
             await self.api.sync_media_state()
+        except CannotAuthenticate as err:
+            raise ConfigEntryAuthFailed(
+                translation_domain=DOMAIN,
+                translation_key="invalid_auth",
+                translation_placeholders={"error": repr(err)},
+            ) from err
+        except (CannotConnect, TimeoutError) as err:
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="cannot_connect_with_error",
+                translation_placeholders={"error": repr(err)},
+            ) from err
+        except (CannotRetrieveData, ValueError) as err:
+            raise ConfigEntryNotReady(
+                translation_domain=DOMAIN,
+                translation_key="cannot_retrieve_data_with_error",
+                translation_placeholders={"error": repr(err)},
+            ) from err
 
     async def media_state_event_handler(
         self, media_state: dict[str, AmazonMediaState]

homeassistant/components/alexa_devices/diagnostics.py

@@ -12,18 +12,7 @@ from homeassistant.helpers.device_registry import DeviceEntry
 
 from .coordinator import AmazonConfigEntry
 
-TO_REDACT = {
-    CONF_NAME,
-    CONF_PASSWORD,
-    CONF_USERNAME,
-    "access_token",
-    "adp_token",
-    "device_private_key",
-    "refresh_token",
-    "store_authentication_cookie",
-    "title",
-    "website_cookies",
-}
+TO_REDACT = {CONF_PASSWORD, CONF_USERNAME, CONF_NAME, "title"}
 
 
 async def async_get_config_entry_diagnostics(

homeassistant/components/alexa_devices/manifest.json

@@ -8,5 +8,5 @@
   "iot_class": "cloud_polling",
   "loggers": ["aioamazondevices"],
   "quality_scale": "platinum",
-  "requirements": ["aioamazondevices==14.0.4"]
+  "requirements": ["aioamazondevices==14.0.0"]
 }

homeassistant/components/alexa_devices/media_player.py

@@ -22,8 +22,9 @@ from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 
 from .const import _LOGGER
-from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator, alexa_api_call
+from .coordinator import AmazonConfigEntry, AmazonDevicesCoordinator
 from .entity import AmazonEntity
+from .utils import alexa_api_call
 
 PARALLEL_UPDATES = 1
 
@@ -215,15 +216,16 @@ class AlexaDevicesMediaPlayer(AmazonEntity, MediaPlayerEntity):
         provider = media_type.value if isinstance(media_type, MediaType) else media_type
         await self.async_call_alexa_music(media_id, provider)
 
+    @alexa_api_call
     async def async_call_alexa_music(
         self, search_phrase: str, provider_id: str
     ) -> None:
         """Call alexa music."""
-        async with alexa_api_call(self.coordinator):
-            await self.coordinator.api.call_alexa_music(
-                self.device, search_phrase, provider_id
-            )
+        await self.coordinator.api.call_alexa_music(
+            self.device, search_phrase, provider_id
+        )
 
+    @alexa_api_call
     async def async_set_device_volume(self, volume: int) -> None:
         """Set the device volume."""
         _LOGGER.debug(
@@ -231,8 +233,7 @@ class AlexaDevicesMediaPlayer(AmazonEntity, MediaPlayerEntity):
             self.device.serial_number,
             volume,
         )
-        async with alexa_api_call(self.coordinator):
-            await self.coordinator.api.set_device_volume(self.device, volume)
+        await self.coordinator.api.set_device_volume(self.device, volume)
 
     async def async_set_volume_level(self, volume: float) -> None:
         """Set the volume level (0.0 to 1.0)."""
@@ -262,12 +263,12 @@ class AlexaDevicesMediaPlayer(AmazonEntity, MediaPlayerEntity):
         await self.async_set_volume_level(target_volume / 100)
         self._prev_volume = None
 
+    @alexa_api_call
     async def _send_media_command(self, command: AmazonMediaControls) -> None:
         _LOGGER.debug(
             "Sending media command '%s' to %s", command, self.device.serial_number
         )
-        async with alexa_api_call(self.coordinator):
-            await self.coordinator.api.send_media_command(self.device, command)
+        await self.coordinator.api.send_media_command(self.device, command)
 
     async def async_media_stop(self) -> None:
         """Send stop command."""

homeassistant/components/alexa_devices/notify.py

@@ -12,8 +12,9 @@ from homeassistant.components.notify import NotifyEntity, NotifyEntityDescriptio
 from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 
-from .coordinator import AmazonConfigEntry, alexa_api_call
+from .coordinator import AmazonConfigEntry
 from .entity import AmazonEntity
+from .utils import alexa_api_call
 
 PARALLEL_UPDATES = 1
 
@@ -79,11 +80,10 @@ class AmazonNotifyEntity(AmazonEntity, NotifyEntity):
 
     entity_description: AmazonNotifyEntityDescription
 
+    @alexa_api_call
     async def async_send_message(
         self, message: str, title: str | None = None, **kwargs: Any
     ) -> None:
         """Send a message."""
-        async with alexa_api_call(self.coordinator):
-            await self.entity_description.method(
-                self.coordinator.api, self.device, message
-            )
+
+        await self.entity_description.method(self.coordinator.api, self.device, message)

homeassistant/components/alexa_devices/services.py

@@ -11,7 +11,7 @@ from homeassistant.exceptions import ServiceValidationError
 from homeassistant.helpers import config_validation as cv, device_registry as dr
 
 from .const import DOMAIN, INFO_SKILLS_MAPPING
-from .coordinator import AmazonConfigEntry, alexa_api_call
+from .coordinator import AmazonConfigEntry
 
 ATTR_TEXT_COMMAND = "text_command"
 ATTR_SOUND = "sound"
@@ -85,15 +85,13 @@ async def _async_execute_action(call: ServiceCall, attribute: str) -> None:
                 translation_key="invalid_sound_value",
                 translation_placeholders={"sound": value},
             )
-        async with alexa_api_call():
-            await coordinator.api.call_alexa_sound(
-                coordinator.data[device.serial_number], value
-            )
+        await coordinator.api.call_alexa_sound(
+            coordinator.data[device.serial_number], value
+        )
     elif attribute == ATTR_TEXT_COMMAND:
-        async with alexa_api_call():
-            await coordinator.api.call_alexa_text_command(
-                coordinator.data[device.serial_number], value
-            )
+        await coordinator.api.call_alexa_text_command(
+            coordinator.data[device.serial_number], value
+        )
     elif attribute == ATTR_INFO_SKILL:
         info_skill = INFO_SKILLS_MAPPING.get(value)
         if info_skill not in ALEXA_INFO_SKILLS:
@@ -102,10 +100,9 @@ async def _async_execute_action(call: ServiceCall, attribute: str) -> None:
                 translation_key="invalid_info_skill_value",
                 translation_placeholders={"info_skill": value},
             )
-        async with alexa_api_call():
-            await coordinator.api.call_alexa_info_skill(
-                coordinator.data[device.serial_number], info_skill
-            )
+        await coordinator.api.call_alexa_info_skill(
+            coordinator.data[device.serial_number], info_skill
+        )
 
 
 async def async_send_sound_notification(call: ServiceCall) -> None:

homeassistant/components/alexa_devices/switch.py

@@ -14,9 +14,13 @@ from homeassistant.components.switch import (
 from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 
-from .coordinator import AmazonConfigEntry, alexa_api_call
+from .coordinator import AmazonConfigEntry
 from .entity import AmazonEntity
-from .utils import async_remove_dnd_from_virtual_group, async_update_unique_id
+from .utils import (
+    alexa_api_call,
+    async_remove_dnd_from_virtual_group,
+    async_update_unique_id,
+)
 
 PARALLEL_UPDATES = 1
 
@@ -86,6 +90,7 @@ class AmazonSwitchEntity(AmazonEntity, SwitchEntity):
 
     entity_description: AmazonSwitchEntityDescription
 
+    @alexa_api_call
     async def _switch_set_state(self, state: bool) -> None:
         """Set desired switch state."""
         method = getattr(self.coordinator.api, self.entity_description.method)
@@ -93,8 +98,7 @@ class AmazonSwitchEntity(AmazonEntity, SwitchEntity):
         if TYPE_CHECKING:
             assert method is not None
 
-        async with alexa_api_call(self.coordinator):
-            await method(self.device, state)
+        await method(self.device, state)
         self.coordinator.data[self.device.serial_number].sensors[
             self.entity_description.key
         ].value = state

homeassistant/components/alexa_devices/utils.py

@@ -1,19 +1,54 @@
 """Utils for Alexa Devices."""
 
+from collections.abc import Awaitable, Callable, Coroutine
+from functools import wraps
+from typing import Any, Concatenate
+
 from aioamazondevices.const.devices import SPEAKER_GROUP_FAMILY
 from aioamazondevices.const.schedules import (
     NOTIFICATION_ALARM,
     NOTIFICATION_REMINDER,
     NOTIFICATION_TIMER,
 )
+from aioamazondevices.exceptions import CannotConnect, CannotRetrieveData
 
 from homeassistant.components.sensor import DOMAIN as SENSOR_DOMAIN
 from homeassistant.components.switch import DOMAIN as SWITCH_DOMAIN
 from homeassistant.core import HomeAssistant
+from homeassistant.exceptions import HomeAssistantError
 import homeassistant.helpers.entity_registry as er
 
 from .const import _LOGGER, DOMAIN
 from .coordinator import AmazonDevicesCoordinator
+from .entity import AmazonEntity
+
+
+def alexa_api_call[_T: AmazonEntity, **_P](
+    func: Callable[Concatenate[_T, _P], Awaitable[None]],
+) -> Callable[Concatenate[_T, _P], Coroutine[Any, Any, None]]:
+    """Catch Alexa API call exceptions."""
+
+    @wraps(func)
+    async def cmd_wrapper(self: _T, *args: _P.args, **kwargs: _P.kwargs) -> None:
+        """Wrap all command methods."""
+        try:
+            await func(self, *args, **kwargs)
+        except CannotConnect as err:
+            self.coordinator.last_update_success = False
+            raise HomeAssistantError(
+                translation_domain=DOMAIN,
+                translation_key="cannot_connect_with_error",
+                translation_placeholders={"error": repr(err)},
+            ) from err
+        except CannotRetrieveData as err:
+            self.coordinator.last_update_success = False
+            raise HomeAssistantError(
+                translation_domain=DOMAIN,
+                translation_key="cannot_retrieve_data_with_error",
+                translation_placeholders={"error": repr(err)},
+            ) from err
+
+    return cmd_wrapper
 
 
 async def async_update_unique_id(

homeassistant/components/anova/__init__.py

@@ -75,6 +75,10 @@ async def async_migrate_entry(hass: HomeAssistant, entry: AnovaConfigEntry) -> b
     """Migrate entry."""
     _LOGGER.debug("Migrating from version %s:%s", entry.version, entry.minor_version)
 
+    if entry.version > 1:
+        # This means the user has downgraded from a future version
+        return False
+
     if entry.version == 1 and entry.minor_version == 1:
         new_data = {**entry.data}
         if CONF_DEVICES in new_data:

homeassistant/components/anova/manifest.json

@@ -7,5 +7,5 @@
   "integration_type": "hub",
   "iot_class": "cloud_push",
   "loggers": ["anova_wifi"],
-  "requirements": ["anova-wifi==0.17.1"]
+  "requirements": ["anova-wifi==0.17.0"]
 }

homeassistant/components/anthemav/manifest.json

@@ -7,5 +7,5 @@
   "integration_type": "device",
   "iot_class": "local_push",
   "loggers": ["anthemav"],
-  "requirements": ["anthemav==1.4.2"]
+  "requirements": ["anthemav==1.4.1"]
 }

homeassistant/components/anthemav/media_player.py

@@ -12,7 +12,7 @@ from homeassistant.components.media_player import (
 )
 from homeassistant.const import CONF_MAC, CONF_MODEL
 from homeassistant.core import HomeAssistant, callback
-from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
+from homeassistant.helpers.device_registry import DeviceInfo
 from homeassistant.helpers.dispatcher import async_dispatcher_connect
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 
@@ -87,12 +87,9 @@ class AnthemAVR(MediaPlayerEntity):
                 via_device=(DOMAIN, mac_address),
             )
         else:
-            # Zone 1 is the physical receiver that owns the network MAC; higher
-            # zones are via_device children and carry no connection.
             self._attr_unique_id = mac_address
             self._attr_device_info = DeviceInfo(
                 identifiers={(DOMAIN, mac_address)},
-                connections={(CONNECTION_NETWORK_MAC, mac_address)},
                 name=name,
                 manufacturer=MANUFACTURER,
                 model=model,

homeassistant/components/anthropic/__init__.py

@@ -178,6 +178,10 @@ async def async_migrate_entry(hass: HomeAssistant, entry: AnthropicConfigEntry)
     """Migrate entry."""
     LOGGER.debug("Migrating from version %s:%s", entry.version, entry.minor_version)
 
+    if entry.version > 2:
+        # This means the user has downgraded from a future version
+        return False
+
     if entry.version == 2 and entry.minor_version == 1:
         # Correct broken device migration in Home Assistant Core 2025.7.0b0-2025.7.0b1
         device_registry = dr.async_get(hass)

homeassistant/components/anthropic/coordinator.py

@@ -1,6 +1,7 @@
 """Coordinator for the Anthropic integration."""
 
 import datetime
+import re
 
 import anthropic
 
@@ -19,12 +20,15 @@ UPDATE_INTERVAL_DISCONNECTED = datetime.timedelta(minutes=1)
 type AnthropicConfigEntry = ConfigEntry[AnthropicCoordinator]
 
 
+_model_short_form = re.compile(r"[^\d]-\d$")
+
+
 @callback
 def model_alias(model_id: str) -> str:
     """Resolve alias from versioned model name."""
     if model_id[-2:-1] != "-" and not model_id.endswith("-preview"):
         model_id = model_id[:-9]
-    if model_id.endswith("-4"):
+    if _model_short_form.search(model_id):
         return model_id + "-0"
     return model_id
 

homeassistant/components/anthropic/manifest.json

@@ -9,5 +9,5 @@
   "integration_type": "service",
   "iot_class": "cloud_polling",
   "quality_scale": "silver",
-  "requirements": ["anthropic==0.108.0"]
+  "requirements": ["anthropic==0.96.0"]
 }

homeassistant/components/anthropic/quality_scale.yaml

@@ -52,7 +52,10 @@ rules:
     status: exempt
     comment: |
       Service integration, no discovery.
-  docs-data-update: done
+  docs-data-update:
+    status: exempt
+    comment: |
+      No data updates.
   docs-examples: done
   docs-known-limitations: done
   docs-supported-devices: done

homeassistant/components/anthropic/repairs.py

@@ -65,18 +65,18 @@ class ModelDeprecatedRepairFlow(RepairsFlow):
             ]
             self._model_list_cache[entry.entry_id] = model_list
 
-        family = (
-            model.removeprefix("claude-")
-            .removesuffix("-preview")
-            .translate(str.maketrans("", "", "0123456789-."))
-            or "haiku"
-        )
+        if "opus" in model:
+            family = "claude-opus"
+        elif "sonnet" in model:
+            family = "claude-sonnet"
+        else:
+            family = "claude-haiku"
 
         suggested_model = next(
             (
                 model_option["value"]
                 for model_option in sorted(
-                    (m for m in model_list if f"claude-{family}" in m["value"]),
+                    (m for m in model_list if family in m["value"]),
                     key=lambda x: x["value"],
                     reverse=True,
                 )

homeassistant/components/api/__init__.py

@@ -59,6 +59,7 @@ ATTR_EXTERNAL_URL = "external_url"
 ATTR_INTERNAL_URL = "internal_url"
 ATTR_LOCATION_NAME = "location_name"
 ATTR_INSTALLATION_TYPE = "installation_type"
+ATTR_REQUIRES_API_PASSWORD = "requires_api_password"
 ATTR_UUID = "uuid"
 ATTR_VERSION = "version"
 

homeassistant/components/aprilaire/coordinator.py

@@ -193,7 +193,6 @@ class AprilaireCoordinator(BaseDataUpdateCoordinatorProtocol):
 
         device_info = DeviceInfo(
             identifiers={(DOMAIN, self.unique_id)},
-            connections={(dr.CONNECTION_NETWORK_MAC, data[Attribute.MAC_ADDRESS])},
             name=self.create_device_name(data),
             manufacturer="Aprilaire",
         )

homeassistant/components/aquacell/config_flow.py

@@ -1,6 +1,5 @@
 """Config flow for Aquacell integration."""
 
-from collections.abc import Mapping
 from datetime import datetime
 import logging
 from typing import Any
@@ -32,12 +31,6 @@ DATA_SCHEMA = vol.Schema(
     }
 )
 
-STEP_REAUTH_SCHEMA = vol.Schema(
-    {
-        vol.Required(CONF_PASSWORD): str,
-    }
-)
-
 
 class AquaCellConfigFlow(ConfigFlow, domain=DOMAIN):
     """Handle a config flow for Aquacell."""
@@ -84,48 +77,3 @@ class AquaCellConfigFlow(ConfigFlow, domain=DOMAIN):
             data_schema=DATA_SCHEMA,
             errors=errors,
         )
-
-    async def async_step_reauth(
-        self, entry_data: Mapping[str, Any]
-    ) -> ConfigFlowResult:
-        """Perform reauth upon an API authentication error."""
-        return await self.async_step_reauth_confirm()
-
-    async def async_step_reauth_confirm(
-        self, user_input: dict[str, Any] | None = None
-    ) -> ConfigFlowResult:
-        """Confirm reauth dialog."""
-        errors: dict[str, str] = {}
-        reauth_entry = self._get_reauth_entry()
-        if user_input is not None:
-            session = async_get_clientsession(self.hass)
-            api = AquacellApi(
-                session, reauth_entry.data.get(CONF_BRAND, Brand.AQUACELL)
-            )
-            try:
-                refresh_token = await api.authenticate(
-                    reauth_entry.data[CONF_EMAIL], user_input[CONF_PASSWORD]
-                )
-            except ApiException, TimeoutError:
-                errors["base"] = "cannot_connect"
-            except AuthenticationFailed:
-                errors["base"] = "invalid_auth"
-            except Exception:
-                _LOGGER.exception("Unexpected exception")
-                errors["base"] = "unknown"
-            else:
-                return self.async_update_reload_and_abort(
-                    reauth_entry,
-                    data_updates={
-                        CONF_PASSWORD: user_input[CONF_PASSWORD],
-                        CONF_REFRESH_TOKEN: refresh_token,
-                        CONF_REFRESH_TOKEN_CREATION_TIME: datetime.now().timestamp(),
-                    },
-                )
-
-        return self.async_show_form(
-            step_id="reauth_confirm",
-            data_schema=STEP_REAUTH_SCHEMA,
-            description_placeholders={"email": reauth_entry.data[CONF_EMAIL]},
-            errors=errors,
-        )

homeassistant/components/aquacell/coordinator.py

@@ -14,7 +14,7 @@ from aioaquacell import (
 from homeassistant.config_entries import ConfigEntry
 from homeassistant.const import CONF_EMAIL, CONF_PASSWORD
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryAuthFailed
+from homeassistant.exceptions import ConfigEntryError
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed
 
 from .const import (
@@ -79,7 +79,7 @@ class AquacellCoordinator(DataUpdateCoordinator[dict[str, Softener]]):
 
                 softeners = await self.aquacell_api.get_all_softeners()
             except AuthenticationFailed as err:
-                raise ConfigEntryAuthFailed from err
+                raise ConfigEntryError from err
             except (AquacellApiException, TimeoutError) as err:
                 raise UpdateFailed(f"Error communicating with API: {err}") from err
 

homeassistant/components/aquacell/strings.json

@@ -1,8 +1,7 @@
 {
   "config": {
     "abort": {
-      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
-      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]"
+      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]"
     },
     "error": {
       "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
@@ -10,13 +9,6 @@
       "unknown": "[%key:common::config_flow::error::unknown%]"
     },
     "step": {
-      "reauth_confirm": {
-        "data": {
-          "password": "[%key:common::config_flow::data::password%]"
-        },
-        "description": "The password for {email} is no longer valid. Enter your current softener mobile app password to reconnect.",
-        "title": "[%key:common::config_flow::title::reauth%]"
-      },
       "user": {
         "data": {
           "brand": "Brand",

homeassistant/components/aqvify/__init__.py

@@ -1,28 +0,0 @@
-"""The Aqvify integration."""
-
-import logging
-
-from homeassistant.const import Platform
-from homeassistant.core import HomeAssistant
-
-from .coordinator import AqvifyConfigEntry, AqvifyCoordinator
-
-_LOGGER = logging.getLogger(__name__)
-PLATFORMS: list[Platform] = [Platform.SENSOR]
-
-
-async def async_setup_entry(hass: HomeAssistant, entry: AqvifyConfigEntry) -> bool:
-    """Set up Aqvify from a config entry."""
-
-    coordinator = AqvifyCoordinator(hass, entry)
-    await coordinator.async_config_entry_first_refresh()
-    entry.runtime_data = coordinator
-
-    await hass.config_entries.async_forward_entry_setups(entry, PLATFORMS)
-
-    return True
-
-
-async def async_unload_entry(hass: HomeAssistant, entry: AqvifyConfigEntry) -> bool:
-    """Unload Aqvify config entry."""
-    return await hass.config_entries.async_unload_platforms(entry, PLATFORMS)

homeassistant/components/aqvify/config_flow.py

@@ -1,113 +0,0 @@
-"""Config flow for the Aqvify integration."""
-
-from collections.abc import Mapping
-import logging
-from typing import Any
-
-from aiohttp import ClientResponseError
-from pyaqvify import AqvifyAPI, AqvifyAuthException
-import voluptuous as vol
-
-from homeassistant.config_entries import (
-    SOURCE_RECONFIGURE,
-    ConfigFlow,
-    ConfigFlowResult,
-)
-from homeassistant.const import CONF_API_KEY
-from homeassistant.helpers.aiohttp_client import async_get_clientsession
-
-from .const import DOMAIN
-
-_LOGGER = logging.getLogger(__name__)
-
-STEP_USER_DATA_SCHEMA = vol.Schema(
-    {
-        vol.Required(CONF_API_KEY): str,
-    }
-)
-
-
-class AqvifyConfigFlow(ConfigFlow, domain=DOMAIN):
-    """Handle a config flow for Aqvify."""
-
-    VERSION = 1
-
-    async def async_step_user(
-        self, user_input: dict[str, Any] | None = None
-    ) -> ConfigFlowResult:
-        """Handle the initial step."""
-        errors: dict[str, str] = {}
-        if user_input is not None:
-            hub = AqvifyAPI(
-                user_input[CONF_API_KEY],
-                websession=async_get_clientsession(self.hass),
-            )
-            try:
-                account_data = await hub.async_get_account_id()
-            except AqvifyAuthException:
-                errors["base"] = "invalid_auth"
-            except ClientResponseError:
-                errors["base"] = "cannot_connect"
-            except Exception:
-                _LOGGER.exception("Unexpected exception")
-                errors["base"] = "unknown"
-            else:
-                await self.async_set_unique_id(account_data.account_id)
-                if self.source == SOURCE_RECONFIGURE:
-                    self._abort_if_unique_id_mismatch()
-                    return self.async_update_reload_and_abort(
-                        self._get_reconfigure_entry(), data_updates=user_input
-                    )
-                self._abort_if_unique_id_configured()
-                return self.async_create_entry(title="Aqvify", data=user_input)
-
-        return self.async_show_form(
-            step_id="user",
-            data_schema=STEP_USER_DATA_SCHEMA,
-            errors=errors,
-            description_placeholders={
-                "aqvify_url": "https://app.aqvify.com/User",
-            },
-        )
-
-    async def async_step_reauth(
-        self, entry_data: Mapping[str, Any]
-    ) -> ConfigFlowResult:
-        """Perform reauth upon an API authentication error."""
-
-        return await self.async_step_reauth_confirm()
-
-    async def async_step_reauth_confirm(
-        self, user_input: dict[str, Any] | None = None
-    ) -> ConfigFlowResult:
-        """Handle re-authentication confirmation."""
-        errors = {}
-
-        if user_input is not None:
-            api_client = AqvifyAPI(
-                user_input[CONF_API_KEY],
-                websession=async_get_clientsession(self.hass),
-            )
-            try:
-                account_data = await api_client.async_get_account_id()
-            except AqvifyAuthException:
-                errors["base"] = "invalid_auth"
-            except ClientResponseError:
-                errors["base"] = "cannot_connect"
-            else:
-                await self.async_set_unique_id(account_data.account_id)
-                self._abort_if_unique_id_mismatch()
-                return self.async_update_reload_and_abort(
-                    self._get_reauth_entry(), data_updates=user_input
-                )
-        return self.async_show_form(
-            step_id="reauth_confirm",
-            data_schema=STEP_USER_DATA_SCHEMA,
-            errors=errors,
-        )
-
-    async def async_step_reconfigure(
-        self, user_input: Mapping[str, Any] | None = None
-    ) -> ConfigFlowResult:
-        """User initiated reconfiguration."""
-        return await self.async_step_user()

homeassistant/components/aqvify/const.py

@@ -1,3 +0,0 @@
-"""Constants for the Aqvify integration."""
-
-DOMAIN = "aqvify"

homeassistant/components/aqvify/coordinator.py

@@ -1,154 +0,0 @@
-"""Coordinator for Aqvify integration."""
-
-from dataclasses import dataclass
-from datetime import timedelta
-import logging
-
-from aiohttp import ClientResponseError
-from pyaqvify import AqvifyAPI, AqvifyAuthException, AqvifyDeviceData, AqvifyDevices
-
-from homeassistant.config_entries import ConfigEntry
-from homeassistant.const import CONF_API_KEY
-from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryAuthFailed, ConfigEntryNotReady
-from homeassistant.helpers.aiohttp_client import async_get_clientsession
-import homeassistant.helpers.device_registry as dr
-from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed
-
-from .const import DOMAIN
-
-_LOGGER = logging.getLogger(__name__)
-
-UPDATE_INTERVAL = timedelta(seconds=60)
-
-type AqvifyConfigEntry = ConfigEntry[AqvifyCoordinator]
-
-
-@dataclass
-class AqvifyCoordinatorData:
-    """Data class for storing coordinator data."""
-
-    devices: AqvifyDevices
-    device_data: dict[str, AqvifyDeviceData]
-
-
-class AqvifyCoordinator(DataUpdateCoordinator[AqvifyCoordinatorData]):
-    """Data update coordinator for Aqvify devices."""
-
-    config_entry: AqvifyConfigEntry
-
-    def __init__(self, hass: HomeAssistant, entry: AqvifyConfigEntry) -> None:
-        """Initialize the Aqvify data update coordinator."""
-        super().__init__(
-            hass,
-            logger=_LOGGER,
-            name=DOMAIN,
-            update_interval=UPDATE_INTERVAL,
-            config_entry=entry,
-        )
-
-        self.api_client = AqvifyAPI(
-            entry.data[CONF_API_KEY], websession=async_get_clientsession(hass)
-        )
-        self.previous_devices: set[str] = set()
-
-    async def _async_setup(self) -> None:
-        """Set up the coordinator."""
-        try:
-            await self.api_client.async_get_account_id()
-        except AqvifyAuthException:
-            raise ConfigEntryAuthFailed(
-                translation_domain=DOMAIN,
-                translation_key="invalid_api_key",
-            ) from None
-        except ClientResponseError as err:
-            raise ConfigEntryNotReady(
-                translation_domain=DOMAIN,
-                translation_key="api_error",
-                translation_placeholders={
-                    "entry": self.config_entry.title,
-                },
-            ) from err
-        except TimeoutError as err:
-            raise ConfigEntryNotReady(
-                translation_domain=DOMAIN,
-                translation_key="api_timeout",
-                translation_placeholders={
-                    "entry": self.config_entry.title,
-                },
-            ) from err
-
-    async def _async_update_data(self) -> AqvifyCoordinatorData:
-        """Fetch device state."""
-        try:
-            devices = await self.api_client.async_get_devices()
-        except AqvifyAuthException:
-            raise ConfigEntryAuthFailed(
-                translation_domain=DOMAIN,
-                translation_key="invalid_api_key",
-            ) from None
-        except ClientResponseError as err:
-            raise UpdateFailed(
-                translation_domain=DOMAIN,
-                translation_key="api_error",
-                translation_placeholders={
-                    "entry": self.config_entry.title,
-                },
-            ) from err
-        except TimeoutError as err:
-            raise UpdateFailed(
-                translation_domain=DOMAIN,
-                translation_key="api_timeout",
-                translation_placeholders={
-                    "entry": self.config_entry.title,
-                },
-            ) from err
-
-        current_devices = set(devices.devices.keys())
-        if stale_devices := self.previous_devices - current_devices:
-            account_id = self.config_entry.unique_id
-            device_registry = dr.async_get(self.hass)
-            for device_id in stale_devices:
-                device = device_registry.async_get_device(
-                    identifiers={(DOMAIN, f"{account_id}_{device_id}")}
-                )
-                if device:
-                    device_registry.async_update_device(
-                        device_id=device.id,
-                        remove_config_entry_id=self.config_entry.entry_id,
-                    )
-        self.previous_devices = current_devices
-
-        device_data = {}
-        for aqvify_device in devices.devices.values():
-            try:
-                device_key = str(aqvify_device.device_key)
-                device_data[
-                    device_key
-                ] = await self.api_client.async_get_device_latest_data(device_key)
-            except AqvifyAuthException:
-                raise ConfigEntryAuthFailed(
-                    translation_domain=DOMAIN,
-                    translation_key="invalid_api_key",
-                ) from None
-            except ClientResponseError as err:
-                raise UpdateFailed(
-                    translation_domain=DOMAIN,
-                    translation_key="api_error",
-                    translation_placeholders={
-                        "entry": self.config_entry.title,
-                    },
-                ) from err
-            except TimeoutError as err:
-                raise UpdateFailed(
-                    translation_domain=DOMAIN,
-                    translation_key="api_timeout",
-                    translation_placeholders={
-                        "entry": self.config_entry.title,
-                    },
-                ) from err
-
-        return AqvifyCoordinatorData(
-            devices=devices,
-            device_data=device_data,
-        )

homeassistant/components/aqvify/diagnostics.py

@@ -1,30 +0,0 @@
-"""Diagnostics platform for Aqvify integration."""
-
-from typing import Any
-
-from homeassistant.components.diagnostics import async_redact_data
-from homeassistant.const import CONF_API_KEY
-from homeassistant.core import HomeAssistant
-
-from .coordinator import AqvifyConfigEntry
-
-TO_REDACT = [CONF_API_KEY]
-TO_REDACT_AQVIFY = ["name"]
-
-
-async def async_get_config_entry_diagnostics(
-    hass: HomeAssistant, entry: AqvifyConfigEntry
-) -> dict[str, Any]:
-    """Return diagnostics for a config entry."""
-
-    device_list_raw_data = entry.runtime_data.data.devices.raw
-    device_data_raw_data = {
-        key: device.raw_data
-        for key, device in entry.runtime_data.data.device_data.items()
-    }
-
-    return {
-        "entry_data": async_redact_data(entry.data, TO_REDACT),
-        "devices": async_redact_data(device_list_raw_data, TO_REDACT_AQVIFY),
-        "device_data": device_data_raw_data,
-    }

homeassistant/components/aqvify/entity.py

@@ -1,35 +0,0 @@
-"""Defines a base Aqvify entity."""
-
-from homeassistant.helpers.device_registry import DeviceInfo
-from homeassistant.helpers.entity import EntityDescription
-from homeassistant.helpers.update_coordinator import CoordinatorEntity
-
-from .const import DOMAIN
-from .coordinator import AqvifyCoordinator
-
-
-class AqvifyBaseEntity(CoordinatorEntity[AqvifyCoordinator]):
-    """Defines a base Aqvify entity."""
-
-    _attr_has_entity_name = True
-
-    def __init__(
-        self,
-        coordinator: AqvifyCoordinator,
-        description: EntityDescription,
-        device_key: str,
-    ) -> None:
-        """Initialize the Aqvify entity."""
-        super().__init__(coordinator)
-
-        account_id = self.coordinator.config_entry.unique_id
-        self.device_key = device_key
-        self._attr_device_info = DeviceInfo(
-            identifiers={(DOMAIN, f"{account_id}_{device_key}")},
-            name=coordinator.data.devices.devices[device_key].name,
-            manufacturer="Aqvify",
-            configuration_url="https://app.aqvify.com",
-            serial_number=device_key,
-        )
-        self._attr_unique_id = f"{account_id}_{device_key}_{description.key}"
-        self.entity_description = description

homeassistant/components/aqvify/icons.json

@@ -1,12 +0,0 @@
-{
-  "entity": {
-    "sensor": {
-      "meter_value": {
-        "default": "mdi:waves-arrow-up"
-      },
-      "water_level": {
-        "default": "mdi:waves"
-      }
-    }
-  }
-}

homeassistant/components/aqvify/manifest.json

@@ -1,12 +0,0 @@
-{
-  "domain": "aqvify",
-  "name": "Aqvify",
-  "codeowners": ["@astrandb"],
-  "config_flow": true,
-  "documentation": "https://www.home-assistant.io/integrations/aqvify",
-  "integration_type": "hub",
-  "iot_class": "cloud_polling",
-  "loggers": ["pyaqvify"],
-  "quality_scale": "silver",
-  "requirements": ["pyaqvify==0.0.10"]
-}

homeassistant/components/aqvify/quality_scale.yaml

@@ -1,81 +0,0 @@
-rules:
-  # Bronze
-  action-setup:
-    status: exempt
-    comment: |
-      No actions in this integration.
-  appropriate-polling: done
-  brands: done
-  common-modules: done
-  config-flow-test-coverage: done
-  config-flow: done
-  dependency-transparency: done
-  docs-actions:
-    status: exempt
-    comment: |
-      The integration does not provide any actions.
-  docs-high-level-description: done
-  docs-installation-instructions: done
-  docs-removal-instructions: done
-  entity-event-setup:
-    status: exempt
-    comment: |
-      Entities of this integration do not explicitly subscribe to events.
-  entity-unique-id: done
-  has-entity-name: done
-  runtime-data: done
-  test-before-configure: done
-  test-before-setup: done
-  unique-config-entry: done
-
-  # Silver
-  action-exceptions:
-    status: exempt
-    comment: |
-      The integration does not provide any actions.
-  config-entry-unloading: done
-  docs-configuration-parameters:
-    status: exempt
-    comment: |
-      There are no configuration options.
-  docs-installation-parameters: done
-  entity-unavailable:
-    status: done
-    comment: |
-      Handled by coordinator.
-  integration-owner: done
-  log-when-unavailable:
-    status: done
-    comment: |
-      Handled by coordinator.
-  parallel-updates: done
-  reauthentication-flow: done
-  test-coverage: done
-
-  # Gold
-  devices: todo
-  diagnostics: todo
-  discovery-update-info: todo
-  discovery: todo
-  docs-data-update: todo
-  docs-examples: todo
-  docs-known-limitations: todo
-  docs-supported-devices: todo
-  docs-supported-functions: todo
-  docs-troubleshooting: todo
-  docs-use-cases: todo
-  dynamic-devices: todo
-  entity-category: todo
-  entity-device-class: todo
-  entity-disabled-by-default: todo
-  entity-translations: todo
-  exception-translations: todo
-  icon-translations: done
-  reconfiguration-flow: todo
-  repair-issues: todo
-  stale-devices: todo
-
-  # Platinum
-  async-dependency: todo
-  inject-websession: todo
-  strict-typing: todo

homeassistant/components/aqvify/sensor.py

@@ -1,79 +0,0 @@
-"""Sensor platform for Aqvify integration."""
-
-from collections.abc import Callable
-from dataclasses import dataclass
-from datetime import datetime
-
-from pyaqvify import AqvifyDeviceData
-
-from homeassistant.components.sensor import (
-    SensorDeviceClass,
-    SensorEntity,
-    SensorEntityDescription,
-    SensorStateClass,
-    StateType,
-)
-from homeassistant.const import UnitOfLength
-from homeassistant.core import HomeAssistant
-from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
-
-from .coordinator import AqvifyConfigEntry
-from .entity import AqvifyBaseEntity
-
-# Coordinator is used to centralize the data updates.
-PARALLEL_UPDATES = 0
-
-
-@dataclass(frozen=True, kw_only=True)
-class AqvifySensorEntityDescription(SensorEntityDescription):
-    """Description of an Aqvify sensor entity."""
-
-    value_fn: Callable[[AqvifyDeviceData], float | int | None]
-
-
-ENTITIES: tuple[AqvifySensorEntityDescription, ...] = (
-    AqvifySensorEntityDescription(
-        key="meter_value",
-        translation_key="meter_value",
-        native_unit_of_measurement=UnitOfLength.METERS,
-        state_class=SensorStateClass.MEASUREMENT,
-        device_class=SensorDeviceClass.DISTANCE,
-        suggested_display_precision=2,
-        value_fn=lambda value: value.meter_value,
-    ),
-    AqvifySensorEntityDescription(
-        key="water_level",
-        translation_key="water_level",
-        native_unit_of_measurement=UnitOfLength.METERS,
-        state_class=SensorStateClass.MEASUREMENT,
-        device_class=SensorDeviceClass.DISTANCE,
-        suggested_display_precision=2,
-        value_fn=lambda value: value.water_level,
-    ),
-)
-
-
-async def async_setup_entry(
-    hass: HomeAssistant,
-    entry: AqvifyConfigEntry,
-    async_add_entities: AddConfigEntryEntitiesCallback,
-) -> None:
-    """Set up Aqvify sensor entities from a config entry."""
-    async_add_entities(
-        AqvifySensor(entry.runtime_data, description, device_key)
-        for description in ENTITIES
-        for device_key in entry.runtime_data.data.devices.devices
-    )
-
-
-class AqvifySensor(AqvifyBaseEntity, SensorEntity):
-    """Representation of an Aqvify sensor entity."""
-
-    entity_description: AqvifySensorEntityDescription
-
-    @property
-    def native_value(self) -> StateType | datetime | None:
-        """Return the state of the sensor."""
-        return self.entity_description.value_fn(
-            self.coordinator.data.device_data[self.device_key]
-        )

homeassistant/components/aqvify/strings.json

@@ -1,56 +0,0 @@
-{
-  "config": {
-    "abort": {
-      "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
-      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]",
-      "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]",
-      "unique_id_mismatch": "The entered API key corresponds to a different account."
-    },
-    "error": {
-      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
-      "invalid_auth": "[%key:common::config_flow::error::invalid_auth%]",
-      "unknown": "[%key:common::config_flow::error::unknown%]"
-    },
-    "step": {
-      "reauth_confirm": {
-        "data": {
-          "api_key": "[%key:common::config_flow::data::api_key%]"
-        },
-        "data_description": {
-          "api_key": "[%key:component::aqvify::config::step::user::data_description::api_key%]"
-        },
-        "description": "Reauthentication required. Please enter your updated API key."
-      },
-      "user": {
-        "data": {
-          "api_key": "[%key:common::config_flow::data::api_key%]"
-        },
-        "data_description": {
-          "api_key": "Your Aqvify API key"
-        },
-        "description": "Navigate to your [Aqvify account]({aqvify_url}), copy your API key, and paste it below."
-      }
-    }
-  },
-  "entity": {
-    "sensor": {
-      "meter_value": {
-        "name": "Meter value"
-      },
-      "water_level": {
-        "name": "Water level"
-      }
-    }
-  },
-  "exceptions": {
-    "api_error": {
-      "message": "An error occurred while communicating with the Aqvify API for {entry}"
-    },
-    "api_timeout": {
-      "message": "Timeout occurred while communicating with the Aqvify API for {entry}"
-    },
-    "invalid_api_key": {
-      "message": "Invalid API key. Please verify your API key and try to reauthenticate."
-    }
-  }
-}

homeassistant/components/aranet/sensor.py

@@ -31,7 +31,7 @@ from homeassistant.const import (
     UnitOfTime,
 )
 from homeassistant.core import HomeAssistant
-from homeassistant.helpers.device_registry import CONNECTION_BLUETOOTH, DeviceInfo
+from homeassistant.helpers.device_registry import DeviceInfo
 from homeassistant.helpers.entity import EntityDescription
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 
@@ -144,9 +144,7 @@ def _sensor_device_info_to_hass(
     adv: Aranet4Advertisement,
 ) -> DeviceInfo:
     """Convert a sensor device info to hass device info."""
-    hass_device_info = DeviceInfo(
-        connections={(CONNECTION_BLUETOOTH, adv.device.address)}
-    )
+    hass_device_info = DeviceInfo({})
     if adv.readings and adv.readings.name:
         hass_device_info[ATTR_NAME] = adv.readings.name
         hass_device_info[ATTR_MANUFACTURER] = ARANET_MANUFACTURER_NAME

homeassistant/components/assist_pipeline/pipeline.py

@@ -1816,11 +1816,6 @@ class PipelineInput:
                             await self.run.text_to_speech(tts_input)
 
         except PipelineError as err:
-            if self.run.tts_stream:
-                # Clean up TTS stream
-                self.run.tts_stream.delete()
-                self.run.tts_stream = None
-
             self.run.process_event(
                 PipelineEvent(
                     PipelineEventType.ERROR,
@@ -1890,17 +1885,15 @@ class PipelineInput:
         ):
             prepare_tasks.append(self.run.prepare_recognize_intent(self.session))
 
-        if prepare_tasks:
-            await asyncio.gather(*prepare_tasks)
-
-        # Do TTS prepare separately so we don't create a ResultStream if the
-        # pipeline is invalid.
         if (
             start_stage_index
             <= PIPELINE_STAGE_ORDER.index(PipelineStage.TTS)
             <= end_stage_index
         ):
-            await self.run.prepare_text_to_speech()
+            prepare_tasks.append(self.run.prepare_text_to_speech())
+
+        if prepare_tasks:
+            await asyncio.gather(*prepare_tasks)
 
 
 class PipelinePreferred(CollectionError):

homeassistant/components/assist_satellite/__init__.py

@@ -3,11 +3,8 @@
 from dataclasses import asdict
 import logging
 from pathlib import Path
-import re
 from typing import Any
 
-from hassil.parse_expression import parse_sentence
-from hassil.parser import ParseError
 from hassil.util import (
     PUNCTUATION_END,
     PUNCTUATION_END_WORD,
@@ -167,7 +164,6 @@ async def async_setup(hass: HomeAssistant, config: ConfigType) -> bool:
                             [cv.string],
                             has_one_non_empty_item,
                             has_no_punctuation,
-                            is_valid_sentence,
                         ),
                     }
                 ],
@@ -205,8 +201,6 @@ async def async_unload_entry(hass: HomeAssistant, entry: ConfigEntry) -> bool:
 def has_no_punctuation(value: list[str]) -> list[str]:
     """Validate result does not contain punctuation."""
     for sentence in value:
-        # Exclude {list_references} which may contain punctuation characters.
-        sentence = _remove_list_references(sentence)
         if (
             PUNCTUATION_START.search(sentence)
             or PUNCTUATION_END.search(sentence)
@@ -218,21 +212,6 @@ def has_no_punctuation(value: list[str]) -> list[str]:
     return value
 
 
-def _remove_list_references(sentence: str) -> str:
-    """Remove {list_references} from a sentence for linting."""
-    return re.sub(r"(?<!\\)\{[^{}]*\}", "", sentence)
-
-
-def is_valid_sentence(value: list[str]) -> list[str]:
-    """Validate result can be parsed by hassil."""
-    for sentence in value:
-        try:
-            parse_sentence(sentence)
-        except ParseError as err:
-            raise vol.Invalid(f"invalid sentence: {err}") from err
-    return value
-
-
 def has_one_non_empty_item(value: list[str]) -> list[str]:
     """Validate result has at least one item."""
     if len(value) < 1:

homeassistant/components/assist_satellite/manifest.json

@@ -6,5 +6,5 @@
   "documentation": "https://www.home-assistant.io/integrations/assist_satellite",
   "integration_type": "entity",
   "quality_scale": "internal",
-  "requirements": ["hassil==3.8.0"]
+  "requirements": ["hassil==3.6.0"]
 }

homeassistant/components/aten_pe/manifest.json

@@ -5,5 +5,5 @@
   "documentation": "https://www.home-assistant.io/integrations/aten_pe",
   "iot_class": "local_polling",
   "quality_scale": "legacy",
-  "requirements": ["atenpdu==0.3.6"]
+  "requirements": ["atenpdu==0.3.2"]
 }

homeassistant/components/august/manifest.json

@@ -30,5 +30,5 @@
   "integration_type": "hub",
   "iot_class": "cloud_push",
   "loggers": ["pubnub", "yalexs"],
-  "requirements": ["yalexs==9.2.7", "yalexs-ble==3.3.1"]
+  "requirements": ["yalexs==9.2.7", "yalexs-ble==3.3.0"]
 }

homeassistant/components/bang_olufsen/manifest.json

@@ -6,6 +6,6 @@
   "documentation": "https://www.home-assistant.io/integrations/bang_olufsen",
   "integration_type": "device",
   "iot_class": "local_push",
-  "requirements": ["mozart-api==6.2.0.44.0"],
+  "requirements": ["mozart-api==5.3.1.108.2"],
   "zeroconf": ["_bangolufsen._tcp.local."]
 }

homeassistant/components/blebox/__init__.py

@@ -1,7 +1,9 @@
 """The BleBox devices integration."""
 
+import logging
+
 from blebox_uniapi.box import Box
-from blebox_uniapi.error import ConnectionError, Error, HttpError, UnauthorizedRequest
+from blebox_uniapi.error import Error
 from blebox_uniapi.session import ApiHost
 
 from homeassistant.const import (
@@ -12,16 +14,14 @@ from homeassistant.const import (
     Platform,
 )
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import (
-    ConfigEntryAuthFailed,
-    ConfigEntryError,
-    ConfigEntryNotReady,
-)
+from homeassistant.exceptions import ConfigEntryNotReady
 
 from .const import DEFAULT_SETUP_TIMEOUT
 from .coordinator import BleBoxConfigEntry, BleBoxCoordinator
 from .helpers import get_maybe_authenticated_session
 
+_LOGGER = logging.getLogger(__name__)
+
 PLATFORMS = [
     Platform.BINARY_SENSOR,
     Platform.BUTTON,
@@ -50,15 +50,9 @@ async def async_setup_entry(hass: HomeAssistant, entry: BleBoxConfigEntry) -> bo
 
     try:
         product = await Box.async_from_host(api_host)
-    except UnauthorizedRequest as ex:
-        raise ConfigEntryAuthFailed from ex
-    except (
-        ConnectionError,
-        HttpError,
-    ) as ex:
-        raise ConfigEntryNotReady from ex
     except Error as ex:
-        raise ConfigEntryError from ex
+        _LOGGER.error("Identify failed at %s:%d (%s)", api_host.host, api_host.port, ex)
+        raise ConfigEntryNotReady from ex
 
     coordinator = BleBoxCoordinator(hass, entry, product)
     await coordinator.async_config_entry_first_refresh()

homeassistant/components/blebox/binary_sensor.py

@@ -25,9 +25,6 @@ BINARY_SENSOR_TYPES = (
         key="open",
         device_class=BinarySensorDeviceClass.WINDOW,
     ),
-    BinarySensorEntityDescription(
-        key="input",
-    ),
 )
 
 
@@ -59,8 +56,6 @@ class BleBoxBinarySensorEntity(BleBoxEntity[BinarySensorFeature], BinarySensorEn
         """Initialize a BleBox binary sensor feature."""
         super().__init__(coordinator, feature)
         self.entity_description = description
-        if feature.name:
-            self._attr_name = feature.name
 
     @property
     def is_on(self) -> bool:

homeassistant/components/blebox/button.py

@@ -41,8 +41,6 @@ async def async_setup_entry(
 class BleBoxButtonEntity(BleBoxEntity[blebox_uniapi.button.Button], ButtonEntity):
     """Representation of BleBox buttons."""
 
-    _attr_name = None
-
     def __init__(
         self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.button.Button
     ) -> None:

homeassistant/components/blebox/climate.py

@@ -51,7 +51,6 @@ async def async_setup_entry(
 class BleBoxClimateEntity(BleBoxEntity[blebox_uniapi.climate.Climate], ClimateEntity):
     """Representation of a BleBox climate feature (saunaBox)."""
 
-    _attr_name = None
     _attr_supported_features = (
         ClimateEntityFeature.TARGET_TEMPERATURE
         | ClimateEntityFeature.TURN_OFF

homeassistant/components/blebox/config_flow.py

@@ -1,6 +1,5 @@
 """Config flow for BleBox devices integration."""
 
-from collections.abc import Mapping
 import logging
 from typing import Any
 
@@ -17,7 +16,6 @@ import voluptuous as vol
 from homeassistant.config_entries import ConfigFlow, ConfigFlowResult
 from homeassistant.const import CONF_HOST, CONF_PASSWORD, CONF_PORT, CONF_USERNAME
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
-from homeassistant.helpers.service_info.dhcp import DhcpServiceInfo
 from homeassistant.helpers.service_info.zeroconf import ZeroconfServiceInfo
 
 from . import get_maybe_authenticated_session
@@ -28,7 +26,6 @@ from .const import (
     DEFAULT_PORT,
     DEFAULT_SETUP_TIMEOUT,
     DOMAIN,
-    INVALID_AUTH,
     UNKNOWN,
     UNSUPPORTED_VERSION,
 )
@@ -49,7 +46,6 @@ STEP_SCHEMA = vol.Schema(
 LOG_MSG = {
     UNSUPPORTED_VERSION: "Outdated firmware",
     CANNOT_CONNECT: "Failed to identify device",
-    INVALID_AUTH: "Authentication failed",
     UNKNOWN: "Unknown error while identifying device",
 }
 
@@ -76,21 +72,6 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
             description_placeholders={"address": f"{host}:{port}"},
         )
 
-    async def _async_box_from_host_or_abort(
-        self, api_host: ApiHost
-    ) -> Box | ConfigFlowResult:
-        """Try to connect to the device; return product or an abort result."""
-        try:
-            return await Box.async_from_host(api_host)
-        except UnsupportedBoxVersion:
-            return self.async_abort(reason="unsupported_device_version")
-        except UnsupportedBoxResponse:
-            return self.async_abort(reason="unsupported_device_response")
-        except UnauthorizedRequest:
-            return self.async_abort(reason="authorization_required")
-        except Error:
-            return self.async_abort(reason="cannot_connect")
-
     async def _async_from_host_or_form(
         self, api_host: ApiHost, user_input: dict[str, Any], step_id: str
     ) -> tuple[Box, None] | tuple[None, ConfigFlowResult]:
@@ -106,7 +87,7 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
             )
         except UnauthorizedRequest as ex:
             return None, self.handle_step_exception(
-                ex, schema, host, port, INVALID_AUTH, _LOGGER.error, step_id
+                ex, schema, host, port, CANNOT_CONNECT, _LOGGER.error, step_id
             )
         except Error as ex:
             return None, self.handle_step_exception(
@@ -117,50 +98,43 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
                 ex, schema, host, port, UNKNOWN, _LOGGER.error, step_id
             )
 
-    async def _async_handle_discovery(self, host: str, port: int) -> ConfigFlowResult:
-        """Handle discovery by IP and port; probe device then confirm with the user."""
-        self.device_config["host"] = host
-        self.device_config["port"] = port
-
-        websession = async_get_clientsession(self.hass)
-        api_host = ApiHost(
-            host, port, DEFAULT_SETUP_TIMEOUT, websession, self.hass.loop, _LOGGER
-        )
-
-        result = await self._async_box_from_host_or_abort(api_host)
-        if not isinstance(result, Box):
-            return result
-        product = result
-
-        self.device_config["name"] = product.name
-        # Check if configured but IP changed since
-        await self.async_set_unique_id(product.unique_id)
-        self._abort_if_unique_id_configured(updates={CONF_HOST: host})
-        self.context.update(
-            {
-                "title_placeholders": {
-                    "name": self.device_config["name"],
-                    "host": host,
-                },
-                "configuration_url": f"http://{host}",
-            }
-        )
-        return await self.async_step_confirm_discovery()
-
-    async def async_step_dhcp(
-        self, discovery_info: DhcpServiceInfo
-    ) -> ConfigFlowResult:
-        """Handle DHCP discovery."""
-        return await self._async_handle_discovery(discovery_info.ip, DEFAULT_PORT)
-
     async def async_step_zeroconf(
         self, discovery_info: ZeroconfServiceInfo
     ) -> ConfigFlowResult:
         """Handle zeroconf discovery."""
-        return await self._async_handle_discovery(
-            discovery_info.host, discovery_info.port or DEFAULT_PORT
+        hass = self.hass
+        ipaddress = (discovery_info.host, discovery_info.port)
+        self.device_config["host"] = discovery_info.host
+        self.device_config["port"] = discovery_info.port
+
+        websession = async_get_clientsession(hass)
+
+        api_host = ApiHost(
+            *ipaddress, DEFAULT_SETUP_TIMEOUT, websession, hass.loop, _LOGGER
         )
 
+        try:
+            product = await Box.async_from_host(api_host)
+        except UnsupportedBoxVersion:
+            return self.async_abort(reason="unsupported_device_version")
+        except UnsupportedBoxResponse:
+            return self.async_abort(reason="unsupported_device_response")
+
+        self.device_config["name"] = product.name
+        # Check if configured but IP changed since
+        await self.async_set_unique_id(product.unique_id)
+        self._abort_if_unique_id_configured(updates={CONF_HOST: discovery_info.host})
+        self.context.update(
+            {
+                "title_placeholders": {
+                    "name": self.device_config["name"],
+                    "host": self.device_config["host"],
+                },
+                "configuration_url": f"http://{discovery_info.host}",
+            }
+        )
+        return await self.async_step_confirm_discovery()
+
     async def async_step_confirm_discovery(
         self, user_input: dict[str, Any] | None = None
     ) -> ConfigFlowResult:
@@ -179,6 +153,7 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
             description_placeholders={
                 "name": self.device_config["name"],
                 "host": self.device_config["host"],
+                "port": self.device_config["port"],
             },
         )
 
@@ -271,58 +246,3 @@ class BleBoxConfigFlow(ConfigFlow, domain=DOMAIN):
             reconfigure_entry,
             data_updates=data_updates,
         )
-
-    async def async_step_reauth(
-        self, entry_data: Mapping[str, Any]
-    ) -> ConfigFlowResult:
-        """Handle reauthentication upon an API authentication error."""
-        self.context["title_placeholders"] = {
-            "name": self._get_reauth_entry().title,
-            "host": entry_data[CONF_HOST],
-        }
-        return await self.async_step_reauth_confirm()
-
-    async def async_step_reauth_confirm(
-        self, user_input: dict[str, Any] | None = None
-    ) -> ConfigFlowResult:
-        """Handle reauthentication confirmation."""
-        errors: dict[str, str] = {}
-        reauth_entry = self._get_reauth_entry()
-        host = reauth_entry.data[CONF_HOST]
-        port = reauth_entry.data[CONF_PORT]
-
-        if user_input is not None:
-            username = user_input.get(CONF_USERNAME)
-            password = user_input.get(CONF_PASSWORD)
-            websession = get_maybe_authenticated_session(self.hass, password, username)
-            api_host = ApiHost(
-                host, port, DEFAULT_SETUP_TIMEOUT, websession, self.hass.loop, _LOGGER
-            )
-            try:
-                await Box.async_from_host(api_host)
-            except UnauthorizedRequest:
-                errors["base"] = INVALID_AUTH
-            except Error:
-                errors["base"] = CANNOT_CONNECT
-            except RuntimeError:
-                errors["base"] = UNKNOWN
-            else:
-                return self.async_update_reload_and_abort(
-                    reauth_entry,
-                    data_updates={
-                        CONF_USERNAME: username,
-                        CONF_PASSWORD: password,
-                    },
-                )
-
-        return self.async_show_form(
-            step_id="reauth_confirm",
-            data_schema=vol.Schema(
-                {
-                    vol.Inclusive(CONF_USERNAME, "auth"): str,
-                    vol.Inclusive(CONF_PASSWORD, "auth"): str,
-                }
-            ),
-            errors=errors,
-            description_placeholders={"address": f"{host}:{port}"},
-        )

homeassistant/components/blebox/const.py

@@ -7,7 +7,6 @@ DEFAULT_SETUP_TIMEOUT = 10
 # translation strings
 ADDRESS_ALREADY_CONFIGURED = "address_already_configured"
 CANNOT_CONNECT = "cannot_connect"
-INVALID_AUTH = "invalid_auth"
 UNSUPPORTED_VERSION = "unsupported_version"
 UNKNOWN = "unknown"
 
@@ -25,13 +24,3 @@ OPEN_STATUS: dict[int, str] = {
 
 LIGHT_MAX_KELVINS = 6500  # 154 Mireds
 LIGHT_MIN_KELVINS = 2700  # 370 Mireds
-
-CO2_LEVEL: dict[int, str] = {
-    0: "excellent",
-    1: "good",
-    2: "acceptable",
-    3: "medium",
-    4: "poor",
-    5: "unhealthy",
-    6: "hazardous",
-}

homeassistant/components/blebox/coordinator.py

@@ -4,11 +4,10 @@ from datetime import timedelta
 import logging
 
 from blebox_uniapi.box import Box
-from blebox_uniapi.error import Error, UnauthorizedRequest
+from blebox_uniapi.error import Error
 
 from homeassistant.config_entries import ConfigEntry
 from homeassistant.core import HomeAssistant
-from homeassistant.exceptions import ConfigEntryAuthFailed
 from homeassistant.helpers.update_coordinator import DataUpdateCoordinator, UpdateFailed
 
 from .const import DOMAIN
@@ -41,8 +40,6 @@ class BleBoxCoordinator(DataUpdateCoordinator[None]):
         """Fetch data from the BleBox device."""
         try:
             await self.box.async_update_data()
-        except UnauthorizedRequest as err:
-            raise ConfigEntryAuthFailed from err
         except Error as err:
             raise UpdateFailed(
                 translation_domain=DOMAIN,

homeassistant/components/blebox/cover.py

@@ -74,8 +74,6 @@ async def async_setup_entry(
 class BleBoxCoverEntity(BleBoxEntity[blebox_uniapi.cover.Cover], CoverEntity):
     """Representation of a BleBox cover feature."""
 
-    _attr_name = None
-
     def __init__(
         self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.cover.Cover
     ) -> None:
@@ -92,10 +90,10 @@ class BleBoxCoverEntity(BleBoxEntity[blebox_uniapi.cover.Cover], CoverEntity):
 
         if feature.has_tilt:
             self._attr_supported_features |= (
-                CoverEntityFeature.OPEN_TILT | CoverEntityFeature.CLOSE_TILT
+                CoverEntityFeature.SET_TILT_POSITION
+                | CoverEntityFeature.OPEN_TILT
+                | CoverEntityFeature.CLOSE_TILT
             )
-            if feature.is_calibrated:
-                self._attr_supported_features |= CoverEntityFeature.SET_TILT_POSITION
 
         if feature.tilt_only:
             self._attr_supported_features &= ~(

homeassistant/components/blebox/entity.py

@@ -12,12 +12,11 @@ from .coordinator import BleBoxCoordinator
 class BleBoxEntity[_FeatureT: Feature](CoordinatorEntity[BleBoxCoordinator]):
     """Implements a common class for entities representing a BleBox feature."""
 
-    _attr_has_entity_name = True
-
     def __init__(self, coordinator: BleBoxCoordinator, feature: _FeatureT) -> None:
         """Initialize a BleBox entity."""
         super().__init__(coordinator)
         self._feature = feature
+        self._attr_name = feature.full_name
         self._attr_unique_id = feature.unique_id
         product = feature.product
         self._attr_device_info = DeviceInfo(

homeassistant/components/blebox/icons.json

@@ -18,12 +18,6 @@
       }
     },
     "sensor": {
-      "co2_level": {
-        "default": "mdi:molecule-co2"
-      },
-      "open_status": {
-        "default": "mdi:window-open"
-      },
       "power_consumption": {
         "default": "mdi:lightning-bolt"
       }

homeassistant/components/blebox/light.py

@@ -71,11 +71,6 @@ class BleBoxLightEntity(BleBoxEntity[blebox_uniapi.light.Light], LightEntity):
         super().__init__(coordinator, feature)
         if feature.effect_list:
             self._attr_supported_features = LightEntityFeature.EFFECT
-        if feature.index is not None:
-            self._attr_translation_key = "channel"
-            self._attr_translation_placeholders = {"index": str(feature.index + 1)}
-        else:
-            self._attr_name = None
 
     @property
     def is_on(self) -> bool:

homeassistant/components/blebox/manifest.json

@@ -3,49 +3,10 @@
   "name": "BleBox devices",
   "codeowners": ["@bbx-a", "@swistakm", "@bkobus-bbx"],
   "config_flow": true,
-  "dhcp": [
-    { "hostname": "rollergate*" },
-    { "hostname": "gatebox*" },
-    { "hostname": "doorbox*" },
-    { "hostname": "shutterbox*" },
-    { "hostname": "switchbox*" },
-    { "hostname": "dimmerbox*" },
-    { "hostname": "dacbox*" },
-    { "hostname": "wlightbox*" },
-    { "hostname": "pixelbox*" },
-    { "hostname": "saunabox*" },
-    { "hostname": "thermobox*" },
-    { "hostname": "tempsensor*" },
-    { "hostname": "energymeter*" },
-    { "hostname": "airsensor*" },
-    { "hostname": "humiditysensor*" },
-    { "hostname": "rainsensor*" },
-    { "hostname": "floodsensor*" },
-    { "hostname": "luxsensor*" },
-    { "hostname": "inputsensor*" },
-    { "hostname": "opensensor*" },
-    { "hostname": "windsensor*" },
-    { "hostname": "co2sensor*" },
-    { "hostname": "simongo*" },
-    { "hostname": "sabaj-k-smrt*" },
-    { "hostname": "rico*" },
-    { "hostname": "smartrollergate*" },
-    { "hostname": "darco_ero_32ws_0*" },
-    { "hostname": "pergoladc*" },
-    { "hostname": "seltsmartscreen*" },
-    { "hostname": "seltvenetianblind*" },
-    { "hostname": "doorunitbox*" },
-    { "hostname": "drutexsmart*" },
-    { "hostname": "swingatecontroller*" },
-    { "hostname": "windowopener*" },
-    { "hostname": "smartawning*" },
-    { "hostname": "smartshade*" },
-    { "hostname": "smartshutter*" }
-  ],
   "documentation": "https://www.home-assistant.io/integrations/blebox",
   "integration_type": "device",
   "iot_class": "local_polling",
   "loggers": ["blebox_uniapi"],
-  "requirements": ["blebox-uniapi==2.5.5"],
+  "requirements": ["blebox-uniapi==2.5.4"],
   "zeroconf": ["_bbxsrv._tcp.local."]
 }

homeassistant/components/blebox/sensor.py

@@ -1,6 +1,5 @@
 """BleBox sensor entities."""
 
-from collections import Counter
 from collections.abc import Callable
 from dataclasses import dataclass
 from datetime import datetime
@@ -15,7 +14,6 @@ from homeassistant.components.sensor import (
 )
 from homeassistant.const import (
     CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
-    CONCENTRATION_PARTS_PER_MILLION,
     LIGHT_LUX,
     PERCENTAGE,
     UnitOfApparentPower,
@@ -24,7 +22,6 @@ from homeassistant.const import (
     UnitOfEnergy,
     UnitOfFrequency,
     UnitOfPower,
-    UnitOfReactiveEnergy,
     UnitOfReactivePower,
     UnitOfSpeed,
     UnitOfTemperature,
@@ -34,7 +31,7 @@ from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 from homeassistant.helpers.typing import StateType
 
 from . import BleBoxConfigEntry
-from .const import CO2_LEVEL, OPEN_STATUS
+from .const import OPEN_STATUS
 from .coordinator import BleBoxCoordinator
 from .entity import BleBoxEntity
 
@@ -53,26 +50,21 @@ SENSOR_TYPES: tuple[BleBoxSensorEntityDescription, ...] = (
         key="pm1",
         device_class=SensorDeviceClass.PM1,
         native_unit_of_measurement=CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="pm2_5",
         device_class=SensorDeviceClass.PM25,
         native_unit_of_measurement=CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="pm10",
         device_class=SensorDeviceClass.PM10,
         native_unit_of_measurement=CONCENTRATION_MICROGRAMS_PER_CUBIC_METER,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="temperature",
-        translation_key="temperature",
         device_class=SensorDeviceClass.TEMPERATURE,
         native_unit_of_measurement=UnitOfTemperature.CELSIUS,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="powerConsumption",
@@ -84,110 +76,65 @@ SENSOR_TYPES: tuple[BleBoxSensorEntityDescription, ...] = (
         key="humidity",
         device_class=SensorDeviceClass.HUMIDITY,
         native_unit_of_measurement=PERCENTAGE,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="wind",
         device_class=SensorDeviceClass.WIND_SPEED,
         native_unit_of_measurement=UnitOfSpeed.METERS_PER_SECOND,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="illuminance",
         device_class=SensorDeviceClass.ILLUMINANCE,
         native_unit_of_measurement=LIGHT_LUX,
-        state_class=SensorStateClass.MEASUREMENT,
-    ),
-    BleBoxSensorEntityDescription(
-        key="forwardReactiveEnergy",
-        translation_key="forward_reactive_energy",
-        device_class=SensorDeviceClass.REACTIVE_ENERGY,
-        native_unit_of_measurement=UnitOfReactiveEnergy.KILO_VOLT_AMPERE_REACTIVE_HOUR,
-        state_class=SensorStateClass.TOTAL_INCREASING,
-    ),
-    BleBoxSensorEntityDescription(
-        key="reverseReactiveEnergy",
-        translation_key="reverse_reactive_energy",
-        device_class=SensorDeviceClass.REACTIVE_ENERGY,
-        native_unit_of_measurement=UnitOfReactiveEnergy.KILO_VOLT_AMPERE_REACTIVE_HOUR,
-        state_class=SensorStateClass.TOTAL_INCREASING,
     ),
     BleBoxSensorEntityDescription(
         key="forwardActiveEnergy",
-        translation_key="forward_active_energy",
         device_class=SensorDeviceClass.ENERGY,
         native_unit_of_measurement=UnitOfEnergy.KILO_WATT_HOUR,
-        state_class=SensorStateClass.TOTAL_INCREASING,
     ),
     BleBoxSensorEntityDescription(
         key="reverseActiveEnergy",
-        translation_key="reverse_active_energy",
         device_class=SensorDeviceClass.ENERGY,
         native_unit_of_measurement=UnitOfEnergy.KILO_WATT_HOUR,
-        state_class=SensorStateClass.TOTAL_INCREASING,
     ),
     BleBoxSensorEntityDescription(
         key="reactivePower",
-        translation_key="reactive_power",
-        device_class=SensorDeviceClass.REACTIVE_POWER,
+        device_class=SensorDeviceClass.POWER,
         native_unit_of_measurement=UnitOfReactivePower.VOLT_AMPERE_REACTIVE,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="activePower",
-        translation_key="active_power",
         device_class=SensorDeviceClass.POWER,
         native_unit_of_measurement=UnitOfPower.WATT,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="apparentPower",
-        translation_key="apparent_power",
         device_class=SensorDeviceClass.APPARENT_POWER,
         native_unit_of_measurement=UnitOfApparentPower.VOLT_AMPERE,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="voltage",
-        translation_key="voltage",
         device_class=SensorDeviceClass.VOLTAGE,
         native_unit_of_measurement=UnitOfElectricPotential.VOLT,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="current",
-        translation_key="current",
         device_class=SensorDeviceClass.CURRENT,
         native_unit_of_measurement=UnitOfElectricCurrent.MILLIAMPERE,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="frequency",
-        translation_key="frequency",
         device_class=SensorDeviceClass.FREQUENCY,
         native_unit_of_measurement=UnitOfFrequency.HERTZ,
-        state_class=SensorStateClass.MEASUREMENT,
     ),
     BleBoxSensorEntityDescription(
         key="openStatus",
         translation_key="open_status",
         device_class=SensorDeviceClass.ENUM,
+        icon="mdi:window-open",
         options=list(OPEN_STATUS.values()),
         value_fn=lambda v: OPEN_STATUS.get(int(v)) if v is not None else None,
     ),
-    BleBoxSensorEntityDescription(
-        key="co2",
-        device_class=SensorDeviceClass.CO2,
-        native_unit_of_measurement=CONCENTRATION_PARTS_PER_MILLION,
-        state_class=SensorStateClass.MEASUREMENT,
-    ),
-    BleBoxSensorEntityDescription(
-        key="co2Definition",
-        translation_key="co2_level",
-        device_class=SensorDeviceClass.ENUM,
-        options=list(CO2_LEVEL.values()),
-        value_fn=lambda v: CO2_LEVEL.get(int(v)) if v is not None else None,
-    ),
 )
 
 
@@ -197,20 +144,10 @@ async def async_setup_entry(
     async_add_entities: AddConfigEntryEntitiesCallback,
 ) -> None:
     """Set up a BleBox entry."""
-
     coordinator = config_entry.runtime_data
-    features = coordinator.box.features.get("sensors", [])
-    counts = Counter(f.device_class for f in features)
     entities = [
-        BleBoxSensorEntity(
-            coordinator,
-            feature,
-            description,
-            feature.index
-            if counts[feature.device_class] > 1 and feature.index
-            else None,
-        )
-        for feature in features
+        BleBoxSensorEntity(coordinator, feature, description)
+        for feature in coordinator.box.features.get("sensors", [])
         for description in SENSOR_TYPES
         if description.key == feature.device_class
     ]
@@ -227,16 +164,10 @@ class BleBoxSensorEntity(BleBoxEntity[blebox_uniapi.sensor.BaseSensor], SensorEn
         coordinator: BleBoxCoordinator,
         feature: blebox_uniapi.sensor.BaseSensor,
         description: BleBoxSensorEntityDescription,
-        index: int | None = None,
     ) -> None:
         """Initialize a BleBox sensor feature."""
         super().__init__(coordinator, feature)
         self.entity_description = description
-        if feature.name:
-            self._attr_name = feature.name
-        elif index is not None and description.translation_key:
-            self._attr_translation_key = f"{description.translation_key}_n"
-            self._attr_translation_placeholders = {"index": str(index)}
 
     @property
     def native_value(self) -> StateType:

homeassistant/components/blebox/strings.json

@@ -3,38 +3,16 @@
     "abort": {
       "address_already_configured": "A BleBox device is already configured at {address}.",
       "already_configured": "[%key:common::config_flow::abort::already_configured_device%]",
-      "authorization_required": "The BleBox device requires authentication.",
-      "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
-      "reauth_successful": "[%key:common::config_flow::abort::reauth_successful%]",
       "reconfigure_successful": "[%key:common::config_flow::abort::reconfigure_successful%]",
-      "unique_id_mismatch": "The device identifier does not match the previously configured device.",
-      "unsupported_device_response": "The BleBox device returned an unrecognized response.",
-      "unsupported_device_version": "[%key:component::blebox::config::error::unsupported_version%]"
+      "unique_id_mismatch": "The device identifier does not match the previously configured device."
     },
     "error": {
       "cannot_connect": "[%key:common::config_flow::error::cannot_connect%]",
-      "invalid_auth": "[%key:common::config_flow::error::invalid_auth%]",
       "unknown": "[%key:common::config_flow::error::unknown%]",
       "unsupported_version": "BleBox device has outdated firmware. Please upgrade it first."
     },
     "flow_title": "{name} ({host})",
     "step": {
-      "confirm_discovery": {
-        "description": "Do you want to add the BleBox device **{name}** at `{host}` to Home Assistant?",
-        "title": "BleBox device discovered"
-      },
-      "reauth_confirm": {
-        "data": {
-          "password": "[%key:common::config_flow::data::password%]",
-          "username": "[%key:common::config_flow::data::username%]"
-        },
-        "data_description": {
-          "password": "The password for your BleBox device.",
-          "username": "The username for your BleBox device."
-        },
-        "description": "Enter credentials for the BleBox device at {address}.",
-        "title": "Reauthenticate your BleBox device"
-      },
       "reconfigure": {
         "data": {
           "host": "[%key:common::config_flow::data::ip%]",
@@ -52,48 +30,14 @@
           "port": "[%key:common::config_flow::data::port%]",
           "username": "[%key:common::config_flow::data::username%]"
         },
-        "data_description": {
-          "host": "The IP address of your BleBox device.",
-          "password": "The password for your BleBox device.",
-          "port": "The port of your BleBox device.",
-          "username": "The username for your BleBox device."
-        },
         "description": "Set up your BleBox to integrate with Home Assistant.",
         "title": "Set up your BleBox device"
       }
     }
   },
   "entity": {
-    "light": { "channel": { "name": "Channel {index}" } },
     "sensor": {
-      "active_power": { "name": "Active power" },
-      "active_power_n": { "name": "Active power {index}" },
-      "apparent_power": { "name": "Apparent power" },
-      "apparent_power_n": { "name": "Apparent power {index}" },
-      "co2_level": {
-        "name": "Carbon dioxide level",
-        "state": {
-          "acceptable": "Acceptable",
-          "excellent": "Excellent",
-          "good": "Good",
-          "hazardous": "Hazardous",
-          "medium": "Medium",
-          "poor": "Poor",
-          "unhealthy": "Unhealthy"
-        }
-      },
-      "current": { "name": "Current" },
-      "current_n": { "name": "Current {index}" },
-      "forward_active_energy": { "name": "Forward active energy" },
-      "forward_active_energy_n": { "name": "Forward active energy {index}" },
-      "forward_reactive_energy": { "name": "Forward reactive energy" },
-      "forward_reactive_energy_n": {
-        "name": "Forward reactive energy {index}"
-      },
-      "frequency": { "name": "Frequency" },
-      "frequency_n": { "name": "Frequency {index}" },
       "open_status": {
-        "name": "Open status",
         "state": {
           "ajar": "Ajar",
           "closed": "[%key:common::state::closed%]",
@@ -101,20 +45,7 @@
           "open": "[%key:common::state::open%]",
           "unclosed_or_unlocked": "Unclosed or unlocked"
         }
-      },
-      "power_consumption": { "name": "Energy last hour" },
-      "reactive_power": { "name": "Reactive power" },
-      "reactive_power_n": { "name": "Reactive power {index}" },
-      "reverse_active_energy": { "name": "Reverse active energy" },
-      "reverse_active_energy_n": { "name": "Reverse active energy {index}" },
-      "reverse_reactive_energy": { "name": "Reverse reactive energy" },
-      "reverse_reactive_energy_n": {
-        "name": "Reverse reactive energy {index}"
-      },
-      "temperature": { "name": "Temperature" },
-      "temperature_n": { "name": "Temperature {index}" },
-      "voltage": { "name": "Voltage" },
-      "voltage_n": { "name": "Voltage {index}" }
+      }
     }
   },
   "exceptions": {

homeassistant/components/blebox/switch.py

@@ -9,7 +9,6 @@ from homeassistant.core import HomeAssistant
 from homeassistant.helpers.entity_platform import AddConfigEntryEntitiesCallback
 
 from . import BleBoxConfigEntry
-from .coordinator import BleBoxCoordinator
 from .entity import BleBoxEntity
 from .util import blebox_command
 
@@ -35,16 +34,6 @@ class BleBoxSwitchEntity(BleBoxEntity[blebox_uniapi.switch.Switch], SwitchEntity
 
     _attr_device_class = SwitchDeviceClass.SWITCH
 
-    _attr_name = None
-
-    def __init__(
-        self, coordinator: BleBoxCoordinator, feature: blebox_uniapi.switch.Switch
-    ) -> None:
-        """Initialize a BleBox switch feature."""
-        super().__init__(coordinator, feature)
-        if feature.name:
-            self._attr_name = feature.name
-
     @property
     def is_on(self) -> bool | None:
         """Return whether switch is on."""

homeassistant/components/blink/camera.py

@@ -169,7 +169,9 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
         try:
             await self._camera.save_recent_clips(output_dir=file_path)
         except OSError as err:
+            # pylint: disable-next=home-assistant-exception-message-with-translation
             raise ServiceValidationError(
+                str(err),
                 translation_domain=DOMAIN,
                 translation_key="cant_write",
             ) from err
@@ -189,7 +191,9 @@ class BlinkCamera(CoordinatorEntity[BlinkUpdateCoordinator], Camera):
         try:
             await self._camera.video_to_file(filename)
         except OSError as err:
+            # pylint: disable-next=home-assistant-exception-message-with-translation
             raise ServiceValidationError(
+                str(err),
                 translation_domain=DOMAIN,
                 translation_key="cant_write",
             ) from err

homeassistant/components/blink/manifest.json

@@ -21,5 +21,5 @@
   "integration_type": "hub",
   "iot_class": "cloud_polling",
   "loggers": ["blinkpy"],
-  "requirements": ["blinkpy==0.25.6"]
+  "requirements": ["blinkpy==0.25.2"]
 }

homeassistant/components/blink/strings.json

@@ -26,12 +26,6 @@
         "description": "The credentials for {username} need to be updated",
         "title": "Re-authenticate Blink"
       },
-      "reconfigure": {
-        "data": {
-          "password": "[%key:common::config_flow::data::password%]",
-          "username": "[%key:common::config_flow::data::username%]"
-        }
-      },
       "user": {
         "data": {
           "password": "[%key:common::config_flow::data::password%]",
@@ -60,7 +54,7 @@
   },
   "exceptions": {
     "cant_write": {
-      "message": "Can't write to file, check logs for details."
+      "message": "Can't write to file."
     },
     "failed_arm": {
       "message": "Blink failed to arm camera."

homeassistant/components/blue_current/manifest.json

@@ -7,5 +7,5 @@
   "integration_type": "hub",
   "iot_class": "cloud_push",
   "loggers": ["bluecurrent_api"],
-  "requirements": ["bluecurrent-api==1.3.3"]
+  "requirements": ["bluecurrent-api==1.3.2"]
 }

homeassistant/components/bluesound/button.py

@@ -105,7 +105,7 @@ class BluesoundButton(CoordinatorEntity[BluesoundCoordinator], ButtonEntity):
         if port == DEFAULT_PORT:
             self._attr_device_info = DeviceInfo(
                 identifiers={(DOMAIN, format_mac(sync_status.mac))},
-                connections={(CONNECTION_NETWORK_MAC, sync_status.mac)},
+                connections={(CONNECTION_NETWORK_MAC, format_mac(sync_status.mac))},
                 name=sync_status.name,
                 manufacturer=sync_status.brand,
                 model=sync_status.model_name,

homeassistant/components/bluesound/manifest.json

@@ -7,7 +7,7 @@
   "documentation": "https://www.home-assistant.io/integrations/bluesound",
   "integration_type": "device",
   "iot_class": "local_polling",
-  "requirements": ["pyblu==2.0.8"],
+  "requirements": ["pyblu==2.0.6"],
   "zeroconf": [
     {
       "type": "_musc._tcp.local."

homeassistant/components/bluesound/media_player.py

@@ -118,7 +118,7 @@ class BluesoundPlayer(CoordinatorEntity[BluesoundCoordinator], MediaPlayerEntity
         if port == DEFAULT_PORT:
             self._attr_device_info = DeviceInfo(
                 identifiers={(DOMAIN, format_mac(sync_status.mac))},
-                connections={(CONNECTION_NETWORK_MAC, sync_status.mac)},
+                connections={(CONNECTION_NETWORK_MAC, format_mac(sync_status.mac))},
                 name=sync_status.name,
                 manufacturer=sync_status.brand,
                 model=sync_status.model_name,

homeassistant/components/bluetooth/api.py

@@ -6,7 +6,6 @@ These APIs are the only documented way to interact with the bluetooth integratio
 import asyncio
 from asyncio import Future
 from collections.abc import Callable, Iterable
-from contextlib import ExitStack
 from typing import TYPE_CHECKING, cast
 
 from bleak import BleakScanner
@@ -179,20 +178,15 @@ async def async_process_advertisements(
         if not done.done() and callback(service_info):
             done.set_result(service_info)
 
-    manager = _get_manager(hass)
-
-    with ExitStack() as stack:
-        unload = manager.async_register_callback(
-            _async_discovered_device, match_dict, mode
-        )
-        stack.callback(unload)
-
-        if mode == BluetoothScanningMode.ACTIVE:
-            task = hass.async_create_task(manager.async_request_active_scan(timeout))
-            stack.callback(task.cancel)
+    unload = _get_manager(hass).async_register_callback(
+        _async_discovered_device, match_dict, mode, scan_duration=timeout
+    )
 
+    try:
         async with asyncio.timeout(timeout):
             return await done
+    finally:
+        unload()
 
 
 @hass_callback

homeassistant/components/bluetooth/manifest.json

@@ -21,6 +21,6 @@
     "bluetooth-auto-recovery==1.6.4",
     "bluetooth-data-tools==1.29.18",
     "dbus-fast==5.0.16",
-    "habluetooth==6.8.3"
+    "habluetooth==6.8.1"
   ]
 }

homeassistant/components/bosch_shc/__init__.py

@@ -55,7 +55,7 @@ async def async_setup_entry(hass: HomeAssistant, entry: BoschConfigEntry) -> boo
     device_registry = dr.async_get(hass)
     device_registry.async_get_or_create(
         config_entry_id=entry.entry_id,
-        connections={(dr.CONNECTION_NETWORK_MAC, shc_info.unique_id)},
+        connections={(dr.CONNECTION_NETWORK_MAC, dr.format_mac(shc_info.unique_id))},
         identifiers={(DOMAIN, shc_info.unique_id)},
         manufacturer="Bosch",
         name=entry.title,

homeassistant/components/bosch_shc/manifest.json

@@ -8,7 +8,7 @@
   "integration_type": "hub",
   "iot_class": "local_push",
   "loggers": ["boschshcpy"],
-  "requirements": ["boschshcpy==0.2.111"],
+  "requirements": ["boschshcpy==0.2.107"],
   "zeroconf": [
     {
       "name": "bosch shc*",

homeassistant/components/bring/todo.py

@@ -125,7 +125,7 @@ class BringTodoListEntity(BringBaseEntity, TodoListEntity):
         await self.coordinator.async_refresh()
 
     async def async_update_todo_item(self, item: TodoItem) -> None:
-        """Update an item in the To-do list.
+        """Update an item to the To-do list.
 
         Bring has an internal 'recent' list which we want to use instead of a todo list
         status, therefore completed todo list items are matched to the recent list and

homeassistant/components/broadlink/device.py

@@ -118,14 +118,7 @@ class BroadlinkDevice[_ApiT: blk.Device = blk.Device]:
             return False
 
         except (NetworkTimeoutError, OSError) as err:
-            raise ConfigEntryNotReady(
-                translation_domain=DOMAIN,
-                translation_key="connect_failed",
-                translation_placeholders={
-                    "host": api.host[0],
-                    "error": str(err),
-                },
-            ) from err
+            raise ConfigEntryNotReady from err
 
         except BroadlinkException as err:
             _LOGGER.error(

homeassistant/components/broadlink/manifest.json

@@ -1,7 +1,7 @@
 {
   "domain": "broadlink",
   "name": "Broadlink",
-  "codeowners": ["@danielhiversen", "@felipediel", "@L-I-Am"],
+  "codeowners": ["@danielhiversen", "@felipediel", "@L-I-Am", "@eifinger"],
   "config_flow": true,
   "dhcp": [
     {

homeassistant/components/broadlink/strings.json

@@ -89,9 +89,6 @@
     }
   },
   "exceptions": {
-    "connect_failed": {
-      "message": "Failed to connect to the device at {host}: {error}"
-    },
     "frequency_not_supported": {
       "message": "Broadlink devices cannot transmit on {frequency} MHz"
     },

homeassistant/components/bsblan/__init__.py

@@ -31,7 +31,11 @@ from homeassistant.exceptions import (
 )
 from homeassistant.helpers import config_validation as cv, device_registry as dr
 from homeassistant.helpers.aiohttp_client import async_get_clientsession
-from homeassistant.helpers.device_registry import CONNECTION_NETWORK_MAC, DeviceInfo
+from homeassistant.helpers.device_registry import (
+    CONNECTION_NETWORK_MAC,
+    DeviceInfo,
+    format_mac,
+)
 from homeassistant.helpers.typing import ConfigType
 
 from .const import (
@@ -71,7 +75,7 @@ def get_bsblan_device_info(
     """Build DeviceInfo for the main BSB-LAN controller device."""
     return DeviceInfo(
         identifiers={(DOMAIN, device.MAC)},
-        connections={(CONNECTION_NETWORK_MAC, device.MAC)},
+        connections={(CONNECTION_NETWORK_MAC, format_mac(device.MAC))},
         name=device.name,
         manufacturer="BSBLAN Inc.",
         model=(
@@ -226,6 +230,10 @@ async def async_migrate_entry(hass: HomeAssistant, entry: BSBLanConfigEntry) ->
         entry.minor_version,
     )
 
+    if entry.version > 1:
+        # Downgraded from a future version; cannot migrate.
+        return False
+
     # 1.1 -> 1.2: Add CONF_HEATING_CIRCUITS. Attempt to discover available
     # heating circuits from the device; fall back to [1] (pre-multi-circuit
     # default) if the device is unreachable or the endpoint is unsupported.

homeassistant/components/bsblan/climate.py

@@ -183,6 +183,7 @@ class BSBLANClimate(BSBLanCircuitEntity, ClimateEntity):
         try:
             await self.coordinator.client.thermostat(**data, circuit=self._circuit)
         except BSBLANError as err:
+            # pylint: disable-next=home-assistant-exception-message-with-translation
             raise HomeAssistantError(
                 translation_domain=DOMAIN,
                 translation_key="set_data_error",

homeassistant/components/bthome/manifest.json

@@ -20,5 +20,5 @@
   "dependencies": ["bluetooth_adapters"],
   "documentation": "https://www.home-assistant.io/integrations/bthome",
   "iot_class": "local_push",
-  "requirements": ["bthome-ble==3.23.4"]
+  "requirements": ["bthome-ble==3.23.2"]
 }

homeassistant/components/buienradar/manifest.json

@@ -7,5 +7,5 @@
   "integration_type": "service",
   "iot_class": "cloud_polling",
   "loggers": ["buienradar", "vincenty"],
-  "requirements": ["buienradar==1.0.9"]
+  "requirements": ["buienradar==1.0.6"]
 }

homeassistant/components/calendar/__init__.py

@@ -24,7 +24,7 @@ from homeassistant.components.websocket_api import (
     ActiveConnection,
 )
 from homeassistant.config_entries import ConfigEntry
-from homeassistant.const import CONF_EVENT, STATE_OFF, STATE_ON
+from homeassistant.const import STATE_OFF, STATE_ON
 from homeassistant.core import (
     CALLBACK_TYPE,
     HomeAssistant,
@@ -45,6 +45,7 @@ from homeassistant.util import dt as dt_util
 from homeassistant.util.json import JsonValueType
 
 from .const import (
+    CONF_EVENT,
     DATA_COMPONENT,
     DOMAIN,
     EVENT_DESCRIPTION,