PyPI package metadata and source availability for `google-agents-cli`

[ftnext]

Hi team,

Thank you for providing google-agents-cli — it’s a very interesting project.

I have a question / concern regarding the packaging and metadata of the PyPI distribution.

Observations

• The PyPI package appears to be distributed as a pre-built wheel only (no sdist available).

• The GitHub repository mainly contains skills and documentation, but does not include the CLI implementation itself.

• The README mentions that the CLI is distributed as a pre-built wheel rather than as source. ¹

• The PyPI metadata includes Requires-Dist, so dependencies can be inspected after the fact, but:

  • there is no visible pyproject.toml or equivalent packaging configuration
  • there is no clear source-of-truth repository for the CLI implementation
  • there are no Project URLs linking to CLI source code

Concern

Because of this, it is difficult to:

• audit the CLI implementation
• understand how the dependency set is defined and maintained
• review dependency changes over time
• trace the relationship between source and distributed artifact

This makes me hesitant to install or recommend the package in security-sensitive environments.

Questions

Is this packaging approach intentional?

If so, is there a recommended way to:

• inspect the CLI source code corresponding to a given release?
• verify how dependencies are defined (e.g., the equivalent of pyproject.toml)?

Suggestions

Would it be possible to provide one or more of the following?

• an sdist for google-agents-cli
• the pyproject.toml (or equivalent packaging metadata) used to build the wheel
• a public source repository or archive for the CLI implementation
• Project URLs in PyPI metadata pointing to the relevant sources

Thanks in advance for any clarification!

Footnotes

1. https://github.com/google/agents-cli/tree/v0.1.1#contributing ↩

[dewitt]

Thank you for starting this conversation, @ftnext. I want to acknowledge the questions you raised here and talk a bit about our current thinking on this.

First, we agree entirely about the importance of visible code, both for auditability and transparency. Indeed, the wheels that we distribute via PyPI (link) should contain the source .py files with Apache license headers for exactly that reason.

We can look into additionally distributing a standalone sdist tarball and pyproject.toml if that helps folks with some degree of reproducibility here. (Though note our build, signing, and release process is on internal Google infrastructure at this time, so that may limit formal verification.)

As to the question—why not a public git repo for the source?—we are not necessarily opposed to that in the long term. For now however, and for the near-term future, we have observed a drastic uptick in low-quality, drive-by PRs in our communty projects. especially over the several months. This results in a very poor signal-to-noise ratio of inbound requests to the team, distracting from delivering the valuable parts of the project itself. We also want to make sure we have the direction, scope, and implementation of the codebase tightly aligned and clearly established first, without getting pulled in too many conflicting directions too early on.

Again, thank you for kicking this discussion off. Let's keep this issue open as we iterate on the project artifacts and work out a plan that works best for agents-cli adopters.

[ftnext]

Hi @dewitt -san, thank you for the response.

In the meantime, as a personal interim workaround for my own auditing needs, I have set up an unofficial source mirror of the wheel contents in a personal repository:
https://github.com/ftnext/agents-cli-source-mirror

The repository:

• is clearly labeled as unofficial and not affiliated with Google,
• imports each release by extracting the published wheel as-is (no source modifications, license headers and LICENSE preserved),
• uses one git tag per release so diffs across versions can be inspected with standard tooling,
• will be archived once an official sdist or source repository becomes available.

Looking forward to whatever shape the official artifacts take. Happy to keep this issue open in the meantime.

Thanks again!

[dewitt]

Thank you for sharing your project. I respect and appreciate the work that you are putting into it, and understand the rationale behind it.

For others reading this: just note the obvious disclaimer that Google can't vouch for the provenance of the files in this unofficial mirror, so please do your own byte-for-byte comparison with the files distributed in the wheel if verifiability is critical for your use own case.

I'll update this thread if/when we provide an official source mirror. In the meantime, thank you @ftnext-san for your contribution, and for sharing it here publicly.