This repository contains the hands-on project completed as part of the Google Codelab: Vibecode and Secure an AI Agent Lifecycle with Antigravity and TDD.
The goal of this project is to demonstrate "shifting security left" during the lifecycle of an AI agent by using Google's Agent Development Kit (ADK) 2.0 and integrating automated security gating tools like Pre-commit and Semgrep directly into the development workflow.
- AI Shopping Assistant: A retail store AI agent prototype scaffolded via `agents-cli`. The assistant helps customers redeem discount codes and manage purchases.
- In-Memory Discount Code Redemption Tool:
  - Implements a single-use code redemption tool (`redeem_discount_code`) for predefined retail codes (`WELCOME50`, `SUMMER20`).
  - Ensures codes can only be redeemed once globally.
  - Restricts redemption to registered user IDs (e.g., `user123`, `alice`, `bob`, `customer_vip`).
- Dynamic API Key Routing & Security:
  - The Gemini model initialization in `app/agent.py` retrieves keys dynamically from the environment (`GEMINI_API_KEY` or `GOOGLE_API_KEY`).
  - Implements dynamic routing logic to prevent `403 PERMISSION_DENIED` errors by forcing Google AI Studio usage (`vertexai=False`) when an API key is present, and gracefully falling back to Vertex AI (via ADC) when no API key is specified.
- Git Pre-commit Security Gating:
  - Integrates local Semgrep checks and pre-commit formatting/YAML checks via `.pre-commit-config.yaml`.
  - Prevents unvalidated code containing hardcoded credentials or bad formatting from being committed to repository history.
- Threat Modeling & Outcome-Based Tests:
  - Includes a STRIDE threat model (`threat_model.md`) analyzing potential threats and trust boundaries of the assistant.
  - Implements an outcome-based security test suite in `tests/test_agent.py` verifying all security boundary conditions and edge cases.
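The single-use redemption tool and the outcome-based boundary checks listed above, as an added example written for this README rather than the codelab's own `app/agent.py` or `tests/test_agent.py`. The function name `redeem_discount_code`, the two codes and the four registered user IDs come from the list above; the percent-off values, the status-dict shape, the `RedemptionStore` class and the order of the checks are assumptions.

```python
"""Added example: in-memory single-use discount code redemption with
outcome-based boundary checks. Not the codelab's own code."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed from the README's feature list: the predefined retail codes and
# the registered user IDs. The percent-off values are an assumption.
VALID_CODES: dict[str, int] = {"WELCOME50": 50, "SUMMER20": 20}
REGISTERED_USERS: frozenset[str] = frozenset({"user123", "alice", "bob", "customer_vip"})


@dataclass
class RedemptionStore:
    """In-memory record of codes already used, keyed code -> user_id.

    Global, not per user: once any user redeems a code, nobody else can.
    """
    redeemed: dict[str, str] = field(default_factory=dict)


DEFAULT_STORE = RedemptionStore()


def redeem_discount_code(user_id: str, code: str,
                         store: RedemptionStore = DEFAULT_STORE) -> dict:
    """Redeem `code` for `user_id` at most once globally.

    Returns a status dict instead of raising so the agent can relay the
    outcome and tests can assert on every rejection path. Check order is an
    assumption: identity first, so an unregistered caller learns nothing about
    which codes exist or have already been used.
    """
    code = (code or "").strip().upper()  # model output may be padded/lower-case
    if user_id not in REGISTERED_USERS:
        return {"status": "denied", "reason": "unregistered_user"}
    if code not in VALID_CODES:
        return {"status": "denied", "reason": "unknown_code"}
    if code in store.redeemed:
        return {"status": "denied", "reason": "already_redeemed"}
    store.redeemed[code] = user_id  # consume only after every check passed
    return {"status": "ok", "code": code, "discount_percent": VALID_CODES[code]}


def run_boundary_checks() -> dict[str, bool]:
    """Outcome-based checks for the boundaries the README lists.

    Each entry is True when the tool behaved as required; a fresh store keeps
    the checks independent of module-level state.
    """
    store = RedemptionStore()
    first = redeem_discount_code("alice", "WELCOME50", store)
    second = redeem_discount_code("bob", "WELCOME50", store)      # global reuse
    outsider = redeem_discount_code("mallory", "SUMMER20", store)  # not registered
    padded = redeem_discount_code("bob", "  summer20 ", store)    # normalised input
    bogus = redeem_discount_code("alice", "FREE100", store)       # not predefined
    return {
        "first_use_ok": first["status"] == "ok" and first["discount_percent"] == 50,
        "second_use_blocked": second == {"status": "denied", "reason": "already_redeemed"},
        "unregistered_blocked": outsider["reason"] == "unregistered_user",
        "denied_attempt_not_consumed": store.redeemed.get("SUMMER20") == "bob",
        "input_normalised": padded["status"] == "ok" and padded["code"] == "SUMMER20",
        "unknown_code_blocked": bogus["reason"] == "unknown_code",
    }


if __name__ == "__main__":
    for name, passed in run_boundary_checks().items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

A module-level dict is enough for a prototype that runs in one process; the "once globally" guarantee only holds across workers if the store is shared (a database row with a unique constraint, for instance), which is the kind of boundary the outcome-based tests are there to pin down.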
```text
secure-agent-lab/
├── README.md                    # This summary of the hands-on project
├── prompt.md                    # Log of the prompts used
├── threat_model.md              # STRIDE threat modeling documentation
└── shopping-assistant/          # Scaffolded ADK 2.0 agent project
    ├── .pre-commit-config.yaml  # Pre-commit hook configurations
    ├── pyproject.toml           # Project metadata and dependencies
    ├── app/
    │   ├── agent.py             # CustomGemini class & redeem_discount_code tool
    │   └── fast_api_app.py      # FastAPI exposure of the agent
    └── tests/
        ├── test_agent.py        # Outcome-based security & guardrails test suite
        └── unit/
            └── test_discount_redemption.py  # Unit tests for the redemption logic
```
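The API key routing rule described above for `app/agent.py`, as an added example that is not the codelab's own `CustomGemini` class. The environment variable names, the `vertexai=False` rule and the ADC fallback come from the README; the precedence of `GEMINI_API_KEY` over `GOOGLE_API_KEY`, treating an empty value as absent, and the keys of the returned dict are assumptions rather than ADK's constructor parameters.

```python
"""Added example: choose the Gemini backend from the environment the way the
README describes for app/agent.py. Not the codelab's own code."""
import os
from typing import Mapping, Optional


def select_gemini_backend(env: Optional[Mapping[str, str]] = None) -> dict:
    """Return backend settings for the model client.

    Rule from the README: when an API key is present use Google AI Studio
    (vertexai=False); otherwise fall back to Vertex AI with Application
    Default Credentials. Routing a keyed request to Vertex AI is what the
    README's routing logic exists to avoid (403 PERMISSION_DENIED).
    Assumptions: GEMINI_API_KEY takes precedence over GOOGLE_API_KEY, an
    empty value counts as absent, and the dict keys are illustrative.
    """
    env = os.environ if env is None else env
    api_key = env.get("GEMINI_API_KEY") or env.get("GOOGLE_API_KEY")
    if api_key:
        return {"vertexai": False, "auth": "api_key", "api_key": api_key}
    return {"vertexai": True, "auth": "adc", "api_key": None}


def describe_backend(settings: dict) -> str:
    """Log-safe summary: says which path was chosen without echoing the key."""
    if settings["vertexai"]:
        return "Vertex AI via ADC"
    return "Google AI Studio via API key (redacted)"


if __name__ == "__main__":
    print(describe_backend(select_gemini_backend()))
```

Keeping the selection in one function with an injectable `env` is what makes both branches testable without touching the real environment, and `describe_backend` is the only thing that should reach a log line.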
Make sure you have `uv` installed. If not, follow the uv installation guide.

Navigate to the agent directory and run the ADK install command to sync Python environments and install tools (pre-commit, semgrep, etc.):

```bash
cd shopping-assistant
agents-cli install
```

Test the core agent behavior, mock tool flows, and boundary conditions:

```bash
uv run pytest tests/test_agent.py
uv run pytest tests/unit/
```

Execute the security scanning and formatting checks manually on all files:

```bash
uv run pre-commit run --all-files
```

Note: The pre-commit checks also run automatically whenever you execute a `git commit` command.