Feat/llm video gen

[tallate]

1. diff model default provider is together_video
2. support veo gen video by multi reference_images
3. /cost display fix

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces significant enhancements to the video generation capabilities by integrating 'together_video' as the new default provider and enabling the use of multiple reference images for more nuanced video creation. Additionally, it includes a minor but helpful update to the display of token usage in cost reports, improving clarity for users tracking resource consumption.

Highlights

• Default Video Generation Provider: The default diffusion model provider has been updated from 'openai' to 'together_video' across the configuration and console settings.
• Multi-Reference Image Support for Video Generation: The video generation functionality now supports providing multiple reference images, enhancing the control over video creation. This includes updates to agent definitions, invocation formats, and backend processing for image handling and MIME type inference.
• Cost Display Format Improvement: The display format for input and output tokens in the history and cost reporting has been refined for better readability.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• aworld-cli/src/aworld_cli/console.py
  • Updated the default diffusion provider from 'openai' to 'together_video' in the console configuration.
• aworld-cli/src/aworld_cli/core/config.py
  • Modified the core configuration to set 'together_video' as the default diffusion provider.
• aworld-cli/src/aworld_cli/history.py
  • Adjusted the display format for input and output tokens in the history output from '↑X / ↓Y' to 'in X / out Y'.
• aworld-cli/src/aworld_cli/inner_plugins/smllc/agents/aworld_agent.py
  • Removed the media_comprehension sub-agent from the agent definitions.
  • Updated the video_creator tool definition to include support for reference_images.
• aworld-cli/src/aworld_cli/inner_plugins/smllc/agents/video_creator/video_creator.py
  • Updated the invocation format documentation for video_creator to explicitly mention reference_images as a supported key.
• aworld/agents/video_agent.py
  • Implemented logic to extract and process multiple reference_images from observation info.
  • Converted reference_images to base64 format for submission to the video generation provider.
  • Forwarded processed reference_images to the extra keyword arguments for the provider.
• aworld/models/ant_video_provider.py
  • Added imports for base64 and mimetypes.
  • Introduced _VEO_ALLOWED_IMAGE_MIMES and _IMAGE_MAGIC for image MIME type inference.
  • Implemented _infer_image_mime_from_bytes to determine image MIME types from byte signatures.
  • Created _parse_image_for_veo_payload to handle various image inputs (data URLs, base64, file paths) and return base64 string and MIME type for Veo.
  • Updated _RESOLUTION_MAP to use '480p', '720p', '1080p' strings instead of 'WxH' for Veo resolutions.
  • Refactored build_submit_payload to utilize _parse_image_for_veo_payload for robust image handling.
  • Modified build_submit_payload to include mimeType alongside bytesBase64Encoded for image payloads.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds support for multi-reference image video generation, changes the default diffusion provider, and fixes a display issue. However, it introduces a significant security vulnerability (LFI) in the video generation provider logic due to a lack of path validation when reading local files based on LLM-supplied paths, posing a high risk. Additionally, there are opportunities to improve code clarity, maintainability, and robustness, specifically concerning a confusing variable name, a broad exception catch, and a redundant condition.

[gemini-code-assist]

The function _parse_image_for_veo_payload is vulnerable to Local File Inclusion (LFI) / Path Traversal. It uses VideoGenProviderBase.read_file_as_base64(image_path) to read a file from a path provided in the image_path argument, which is derived from untrusted LLM output (via tool call arguments). An attacker can use prompt injection to force the LLM to provide a malicious path (e.g., /etc/passwd), allowing the attacker to read arbitrary files from the system that the process has access to. The base64-encoded content is then sent to the video generation provider, which could lead to data exfiltration.

    if not b64_str and image_path:
        # TODO: Implement strict path validation here.
        # Ensure image_path is within an allowed directory and does not contain traversal sequences.
        b64_str = VideoGenProviderBase.read_file_as_base64(image_path)

[gemini-code-assist]

The loop variable image_url in this list comprehension shadows the outer variable image_url defined on line 194. While this is functionally correct in Python 3 due to list comprehensions having their own scope, it is very confusing to read and maintain. A future reader could easily mistake this for a bug where the outer image_url is being used repeatedly. To improve clarity, please use a different name for the loop variable.

Suggested change

	reference_images = [
	_resolve_image_url_to_base64(image_url)
	for image_url in reference_images
	]
	reference_images = [
	_resolve_image_url_to_base64(ref_image_url)
	for ref_image_url in reference_images
	]

[gemini-code-assist]

The condition sig != b"RIFF" is redundant because the _IMAGE_MAGIC dictionary does not contain a b"RIFF" key. This check can be removed to simplify the code and improve clarity.

        if data.startswith(sig):

[gemini-code-assist]

Using a bare except Exception: is risky as it can swallow any error, including ones you didn't anticipate (like KeyboardInterrupt), making debugging harder. Please narrow the exception type to only what you expect from the try block, such as errors related to base64 decoding (e.g., binascii.Error). This helps ensure that other unexpected errors are not accidentally hidden.