update unit test

.ci/quickstart_test/go.integration.cloudbuild.yaml

@@ -23,18 +23,13 @@ steps:
       - |
         set -ex
         export VERSION=$(cat ./cmd/version.txt)
-        chmod +x .ci/sample_tests/run_tests.sh
-        .ci/sample_tests/run_tests.sh
+        chmod +x .ci/quickstart_test/run_go_tests.sh
+        .ci/quickstart_test/run_go_tests.sh
     env:
       - 'CLOUD_SQL_INSTANCE=${_CLOUD_SQL_INSTANCE}'
       - 'GCP_PROJECT=${_GCP_PROJECT}'
       - 'DATABASE_NAME=${_DATABASE_NAME}'
       - 'DB_USER=${_DB_USER}'
-      - 'TARGET_ROOT=docs/en/getting-started/quickstart/go'
-      - 'TARGET_LANG=go'
-      - 'TABLE_NAME=hotels_go'
-      - 'SQL_FILE=.ci/sample_tests/setup_hotels.sql'
-      - 'AGENT_FILE_PATTERN=quickstart.go'
     secretEnv: ['TOOLS_YAML_CONTENT', 'GOOGLE_API_KEY', 'DB_PASSWORD']
 
 availableSecrets:

.ci/quickstart_test/js.integration.cloudbuild.yaml

@@ -23,18 +23,13 @@ steps:
       - |
         set -ex
         export VERSION=$(cat ./cmd/version.txt)
-        chmod +x .ci/sample_tests/run_tests.sh
-        .ci/sample_tests/run_tests.sh
+        chmod +x .ci/quickstart_test/run_js_tests.sh
+        .ci/quickstart_test/run_js_tests.sh
     env:
       - 'CLOUD_SQL_INSTANCE=${_CLOUD_SQL_INSTANCE}'
       - 'GCP_PROJECT=${_GCP_PROJECT}'
       - 'DATABASE_NAME=${_DATABASE_NAME}'
       - 'DB_USER=${_DB_USER}'
-      - 'TARGET_ROOT=docs/en/getting-started/quickstart/js'
-      - 'TARGET_LANG=js'
-      - 'TABLE_NAME=hotels_js'
-      - 'SQL_FILE=.ci/sample_tests/setup_hotels.sql'
-      - 'AGENT_FILE_PATTERN=quickstart.js'
     secretEnv: ['TOOLS_YAML_CONTENT', 'GOOGLE_API_KEY', 'DB_PASSWORD']
 
 availableSecrets:

.ci/quickstart_test/py.integration.cloudbuild.yaml

@@ -23,18 +23,13 @@ steps:
       - |
         set -ex
         export VERSION=$(cat ./cmd/version.txt)
-        chmod +x .ci/sample_tests/run_py_tests.sh
-        .ci/sample_tests/run_py_tests.sh
+        chmod +x .ci/quickstart_test/run_py_tests.sh
+        .ci/quickstart_test/run_py_tests.sh
     env:
       - 'CLOUD_SQL_INSTANCE=${_CLOUD_SQL_INSTANCE}'
       - 'GCP_PROJECT=${_GCP_PROJECT}'
       - 'DATABASE_NAME=${_DATABASE_NAME}'
       - 'DB_USER=${_DB_USER}'
-      - 'TARGET_ROOT=docs/en/getting-started/quickstart/python'
-      - 'TARGET_LANG=python'
-      - 'TABLE_NAME=hotels_python'
-      - 'SQL_FILE=.ci/sample_tests/setup_hotels.sql'
-      - 'AGENT_FILE_PATTERN=quickstart.py'
     secretEnv: ['TOOLS_YAML_CONTENT', 'GOOGLE_API_KEY', 'DB_PASSWORD']
 
 availableSecrets:

.ci/quickstart_test/run_go_tests.sh

@@ -0,0 +1,125 @@
+# Copyright 2025 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -e
+
+TABLE_NAME="hotels_go"
+QUICKSTART_GO_DIR="docs/en/getting-started/quickstart/go"
+SQL_FILE=".ci/quickstart_test/setup_hotels_sample.sql"
+
+PROXY_PID=""
+TOOLBOX_PID=""
+
+install_system_packages() {
+  apt-get update && apt-get install -y \
+    postgresql-client \
+    wget \
+    gettext-base  \
+    netcat-openbsd
+}
+
+start_cloud_sql_proxy() {
+  wget "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.10.0/cloud-sql-proxy.linux.amd64" -O /usr/local/bin/cloud-sql-proxy
+  chmod +x /usr/local/bin/cloud-sql-proxy
+  cloud-sql-proxy "${CLOUD_SQL_INSTANCE}" &
+  PROXY_PID=$!
+
+  for i in {1..30}; do
+    if nc -z 127.0.0.1 5432; then
+      echo "Cloud SQL Proxy is up and running."
+      return
+    fi
+    sleep 1
+  done
+
+  echo "Cloud SQL Proxy failed to start within the timeout period."
+  exit 1
+}
+
+setup_toolbox() {
+  TOOLBOX_YAML="/tools.yaml"
+  echo "${TOOLS_YAML_CONTENT}" > "$TOOLBOX_YAML"
+  if [ ! -f "$TOOLBOX_YAML" ]; then echo "Failed to create tools.yaml"; exit 1; fi
+  wget "https://storage.googleapis.com/genai-toolbox/v${VERSION}/linux/amd64/toolbox" -O "/toolbox"
+  chmod +x "/toolbox"
+  /toolbox --tools-file "$TOOLBOX_YAML" &
+  TOOLBOX_PID=$!
+  sleep 2
+}
+
+setup_orch_table() {
+  export TABLE_NAME
+  envsubst < "$SQL_FILE" | psql -h "$PGHOST" -p "$PGPORT" -U "$DB_USER" -d "$DATABASE_NAME"
+}
+
+run_orch_test() {
+  local orch_dir="$1"
+  local orch_name
+  orch_name=$(basename "$orch_dir")
+
+  if [ "$orch_name" == "openAI" ]; then
+      echo -e "\nSkipping framework '${orch_name}': Temporarily excluded."
+      return
+  fi
+
+  (
+    set -e
+    setup_orch_table
+
+    echo "--- Preparing module for $orch_name ---"
+    cd "$orch_dir"
+
+    if [ -f "go.mod" ]; then
+      go mod tidy
+    fi
+
+    cd ..
+
+    export ORCH_NAME="$orch_name"
+
+    echo "--- Running tests for $orch_name ---"
+    go test -v ./...
+  )
+}
+
+cleanup_all() {
+  echo "--- Final cleanup: Shutting down processes and dropping table ---"
+  if [ -n "$TOOLBOX_PID" ]; then
+    kill $TOOLBOX_PID || true
+  fi
+  if [ -n "$PROXY_PID" ]; then
+    kill $PROXY_PID || true
+  fi
+}
+trap cleanup_all EXIT
+
+# Main script execution
+install_system_packages
+start_cloud_sql_proxy
+
+export PGHOST=127.0.0.1
+export PGPORT=5432
+export PGPASSWORD="$DB_PASSWORD"
+export GOOGLE_API_KEY="$GOOGLE_API_KEY"
+
+setup_toolbox
+
+for ORCH_DIR in "$QUICKSTART_GO_DIR"/*/; do
+  if [ ! -d "$ORCH_DIR" ]; then
+    continue
+  fi
+  run_orch_test "$ORCH_DIR"
+done

.ci/quickstart_test/run_js_tests.sh

@@ -0,0 +1,125 @@
+# Copyright 2025 Google LLC
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#      http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -e
+
+TABLE_NAME="hotels_js"
+QUICKSTART_JS_DIR="docs/en/getting-started/quickstart/js"
+SQL_FILE=".ci/quickstart_test/setup_hotels_sample.sql"
+
+# Initialize process IDs to empty at the top of the script
+PROXY_PID=""
+TOOLBOX_PID=""
+
+install_system_packages() {
+  apt-get update && apt-get install -y \
+    postgresql-client \
+    wget \
+    gettext-base  \
+    netcat-openbsd
+}
+
+start_cloud_sql_proxy() {
+  wget "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.10.0/cloud-sql-proxy.linux.amd64" -O /usr/local/bin/cloud-sql-proxy
+  chmod +x /usr/local/bin/cloud-sql-proxy
+  cloud-sql-proxy "${CLOUD_SQL_INSTANCE}" &
+  PROXY_PID=$!
+
+  for i in {1..30}; do
+    if nc -z 127.0.0.1 5432; then
+      echo "Cloud SQL Proxy is up and running."
+      return
+    fi
+    sleep 1
+  done
+
+  echo "Cloud SQL Proxy failed to start within the timeout period."
+  exit 1
+}
+
+setup_toolbox() {
+  TOOLBOX_YAML="/tools.yaml"
+  echo "${TOOLS_YAML_CONTENT}" > "$TOOLBOX_YAML"
+  if [ ! -f "$TOOLBOX_YAML" ]; then echo "Failed to create tools.yaml"; exit 1; fi
+  wget "https://storage.googleapis.com/genai-toolbox/v${VERSION}/linux/amd64/toolbox" -O "/toolbox"
+  chmod +x "/toolbox"
+  /toolbox --tools-file "$TOOLBOX_YAML" &
+  TOOLBOX_PID=$!
+  sleep 2
+}
+
+setup_orch_table() {
+  export TABLE_NAME
+  envsubst < "$SQL_FILE" | psql -h "$PGHOST" -p "$PGPORT" -U "$DB_USER" -d "$DATABASE_NAME"
+}
+
+run_orch_test() {
+  local orch_dir="$1"
+  local orch_name
+  orch_name=$(basename "$orch_dir")
+
+  (
+    set -e
+    echo "--- Preparing environment for $orch_name ---"
+    setup_orch_table
+
+    cd "$orch_dir"
+    echo "Installing dependencies for $orch_name..."
+    if [ -f "package-lock.json" ]; then
+      npm ci
+    else
+      npm install
+    fi
+
+    cd ..
+
+    echo "--- Running tests for $orch_name ---"
+    export ORCH_NAME="$orch_name"
+    node --test quickstart.test.js
+
+    echo "--- Cleaning environment for $orch_name ---"
+    rm -rf "${orch_name}/node_modules"
+  )
+}
+
+cleanup_all() {
+  echo "--- Final cleanup: Shutting down processes and dropping table ---"
+  if [ -n "$TOOLBOX_PID" ]; then
+    kill $TOOLBOX_PID || true
+  fi
+  if [ -n "$PROXY_PID" ]; then
+    kill $PROXY_PID || true
+  fi
+}
+trap cleanup_all EXIT
+
+# Main script execution
+install_system_packages
+start_cloud_sql_proxy
+
+export PGHOST=127.0.0.1
+export PGPORT=5432
+export PGPASSWORD="$DB_PASSWORD"
+export GOOGLE_API_KEY="$GOOGLE_API_KEY"
+
+setup_toolbox
+
+for ORCH_DIR in "$QUICKSTART_JS_DIR"/*/; do
+  if [ ! -d "$ORCH_DIR" ]; then
+    continue
+  fi
+  run_orch_test "$ORCH_DIR"
+done

.ci/quickstart_test/run_py_tests.sh

@@ -0,0 +1,115 @@
+# Copyright 2025 Google LLC
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#      http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -e
+
+TABLE_NAME="hotels_python"
+QUICKSTART_PYTHON_DIR="docs/en/getting-started/quickstart/python"
+SQL_FILE=".ci/quickstart_test/setup_hotels_sample.sql"
+
+PROXY_PID=""
+TOOLBOX_PID=""
+
+install_system_packages() {
+  apt-get update && apt-get install -y \
+    postgresql-client \
+    python3-venv \
+    wget \
+    gettext-base  \
+    netcat-openbsd
+}
+
+start_cloud_sql_proxy() {
+  wget "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.10.0/cloud-sql-proxy.linux.amd64" -O /usr/local/bin/cloud-sql-proxy
+  chmod +x /usr/local/bin/cloud-sql-proxy
+  cloud-sql-proxy "${CLOUD_SQL_INSTANCE}" &
+  PROXY_PID=$!
+
+  for i in {1..30}; do
+    if nc -z 127.0.0.1 5432; then
+      echo "Cloud SQL Proxy is up and running."
+      return
+    fi
+    sleep 1
+  done
+
+  echo "Cloud SQL Proxy failed to start within the timeout period."
+  exit 1
+}
+
+setup_toolbox() {
+  TOOLBOX_YAML="/tools.yaml"
+  echo "${TOOLS_YAML_CONTENT}" > "$TOOLBOX_YAML"
+  if [ ! -f "$TOOLBOX_YAML" ]; then echo "Failed to create tools.yaml"; exit 1; fi
+  wget "https://storage.googleapis.com/genai-toolbox/v${VERSION}/linux/amd64/toolbox" -O "/toolbox"
+  chmod +x "/toolbox"
+  /toolbox --tools-file "$TOOLBOX_YAML" &
+  TOOLBOX_PID=$!
+  sleep 2
+}
+
+setup_orch_table() {
+  export TABLE_NAME
+  envsubst < "$SQL_FILE" | psql -h "$PGHOST" -p "$PGPORT" -U "$DB_USER" -d "$DATABASE_NAME"
+}
+
+run_orch_test() {
+  local orch_dir="$1"
+  local orch_name
+  orch_name=$(basename "$orch_dir")
+  (
+    set -e
+    setup_orch_table
+    cd "$orch_dir"
+    local VENV_DIR=".venv"
+    python3 -m venv "$VENV_DIR"
+    source "$VENV_DIR/bin/activate"
+    pip install -r requirements.txt
+    echo "--- Running tests for $orch_name ---"
+    cd ..
+    ORCH_NAME="$orch_name" pytest
+    rm -rf "$VENV_DIR"
+  )
+}
+
+cleanup_all() {
+  echo "--- Final cleanup: Shutting down processes and dropping table ---"
+  if [ -n "$TOOLBOX_PID" ]; then
+    kill $TOOLBOX_PID || true
+  fi
+  if [ -n "$PROXY_PID" ]; then
+    kill $PROXY_PID || true
+  fi
+}
+trap cleanup_all EXIT
+
+# Main script execution
+install_system_packages
+start_cloud_sql_proxy
+
+export PGHOST=127.0.0.1
+export PGPORT=5432
+export PGPASSWORD="$DB_PASSWORD"
+export GOOGLE_API_KEY="$GOOGLE_API_KEY"
+
+setup_toolbox
+
+for ORCH_DIR in "$QUICKSTART_PYTHON_DIR"/*/; do
+  if [ ! -d "$ORCH_DIR" ]; then
+    continue
+  fi
+  run_orch_test "$ORCH_DIR"
+done

.ci/sample_tests/pre_post_processing/py.integration.cloudbuild.yaml

@@ -1,57 +0,0 @@
-# Copyright 2026 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-steps:
-  - name: "${_IMAGE}"
-    id: "py-pre-post-processing-test"
-    entrypoint: "bash"
-    args:
-      - -c
-      - |
-        set -ex
-        chmod +x .ci/sample_tests/run_tests.sh
-        .ci/sample_tests/run_tests.sh
-    env:
-      - "CLOUD_SQL_INSTANCE=${_CLOUD_SQL_INSTANCE}"
-      - "GCP_PROJECT=${_GCP_PROJECT}"
-      - "DATABASE_NAME=${_DATABASE_NAME}"
-      - "DB_USER=${_DB_USER}"
-      - "TARGET_ROOT=${_TARGET_ROOT}"
-      - "TARGET_LANG=${_TARGET_LANG}"
-      - "TABLE_NAME=${_TABLE_NAME}"
-      - "SQL_FILE=${_SQL_FILE}"
-      - "AGENT_FILE_PATTERN=${_AGENT_FILE_PATTERN}"
-    secretEnv: ["TOOLS_YAML_CONTENT", "GOOGLE_API_KEY", "DB_PASSWORD"]
-
-availableSecrets:
-  secretManager:
-    - versionName: projects/${_GCP_PROJECT}/secrets/${_TOOLS_YAML_SECRET}/versions/5
-      env: "TOOLS_YAML_CONTENT"
-    - versionName: projects/${_GCP_PROJECT_NUMBER}/secrets/${_API_KEY_SECRET}/versions/latest
-      env: "GOOGLE_API_KEY"
-    - versionName: projects/${_GCP_PROJECT}/secrets/${_DB_PASS_SECRET}/versions/latest
-      env: "DB_PASSWORD"
-
-timeout: 1200s
-
-substitutions:
-  _TARGET_LANG: "python"
-  _IMAGE: "gcr.io/google.com/cloudsdktool/cloud-sdk:537.0.0"
-  _TARGET_ROOT: "docs/en/samples/pre_post_processing/python"
-  _TABLE_NAME: "hotels_py_pre_post_processing"
-  _SQL_FILE: ".ci/sample_tests/setup_hotels.sql"
-  _AGENT_FILE_PATTERN: "agent.py"
-
-options:
-  logging: CLOUD_LOGGING_ONLY

.ci/sample_tests/run_tests.sh

@@ -1,202 +0,0 @@
-# Copyright 2026 Google LLC
-# 
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-# 
-#      http://www.apache.org/licenses/LICENSE-2.0
-# 
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -e
-
-# --- Configuration (from Environment Variables) ---
-# TARGET_ROOT: The directory to search for tests (e.g., docs/en/getting-started/quickstart/js)
-# TARGET_LANG: python, js, go
-# TABLE_NAME: Database table name to use
-# SQL_FILE: Path to the SQL setup file
-# AGENT_FILE_PATTERN: Filename to look for (e.g., quickstart.js or agent.py)
-
-VERSION=$(cat ./cmd/version.txt)
-
-# Process IDs & Logs
-PROXY_PID=""
-TOOLBOX_PID=""
-PROXY_LOG="cloud_sql_proxy.log"
-TOOLBOX_LOG="toolbox_server.log"
-
-install_system_packages() {
-  echo "Installing system packages..."
-  apt-get update && apt-get install -y \
-    postgresql-client \
-    wget \
-    gettext-base  \
-    netcat-openbsd
-    
-  if [[ "$TARGET_LANG" == "python" ]]; then
-    apt-get install -y python3-venv
-  fi
-}
-
-start_cloud_sql_proxy() {
-  echo "Starting Cloud SQL Proxy..."
-  wget -q "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v2.10.0/cloud-sql-proxy.linux.amd64" -O /usr/local/bin/cloud-sql-proxy
-  chmod +x /usr/local/bin/cloud-sql-proxy
-  cloud-sql-proxy "${CLOUD_SQL_INSTANCE}" > "$PROXY_LOG" 2>&1 &
-  PROXY_PID=$!
-
-  # Health Check
-  for i in {1..30}; do
-    if nc -z 127.0.0.1 5432; then
-      echo "Cloud SQL Proxy is up and running."
-      return
-    fi
-    sleep 1
-  done
-  echo "ERROR: Cloud SQL Proxy failed to start. Logs:"
-  cat "$PROXY_LOG"
-  exit 1
-}
-
-setup_toolbox() {
-  echo "Setting up Toolbox server..."
-  TOOLBOX_YAML="/tools.yaml"
-  echo "${TOOLS_YAML_CONTENT}" > "$TOOLBOX_YAML"
-  wget -q "https://storage.googleapis.com/genai-toolbox/v${VERSION}/linux/amd64/toolbox" -O "/toolbox"
-  chmod +x "/toolbox"
-  /toolbox --tools-file "$TOOLBOX_YAML" > "$TOOLBOX_LOG" 2>&1 &
-  TOOLBOX_PID=$!
-  
-  # Health Check
-  for i in {1..15}; do
-    if nc -z 127.0.0.1 5000; then
-      echo "Toolbox server is up and running."
-      return
-    fi
-    sleep 1
-  done
-  echo "ERROR: Toolbox server failed to start. Logs:"
-  cat "$TOOLBOX_LOG"
-  exit 1
-}
-
-setup_db_table() {
-  echo "Setting up database table $TABLE_NAME using $SQL_FILE..."
-  export TABLE_NAME
-  envsubst < "$SQL_FILE" | psql -h 127.0.0.1 -p 5432 -U "$DB_USER" -d "$DATABASE_NAME"
-}
-
-run_python_test() {
-  local dir=$1
-  local name=$(basename "$dir")
-  echo "--- Running Python Test: $name ---"
-  (
-    cd "$dir"
-    python3 -m venv .venv
-    source .venv/bin/activate
-    pip install -q -r requirements.txt pytest
-    
-    cd ..
-    local test_file=$(find . -maxdepth 1 -name "*test.py" | head -n 1)
-    if [ -n "$test_file" ]; then
-        echo "Found native test: $test_file. Running pytest..."
-        export ORCH_NAME="$name"
-        export PYTHONPATH="../"
-        pytest "$test_file"
-    else
-        echo "No native test found. running agent directly..."
-        export PYTHONPATH="../"
-        python3 "${name}/${AGENT_FILE_PATTERN}"
-    fi
-    rm -rf "${name}/.venv"
-  )
-}
-
-run_js_test() {
-  local dir=$1
-  local name=$(basename "$dir")
-  echo "--- Running JS Test: $name ---"
-  (
-    cd "$dir"
-    if [ -f "package-lock.json" ]; then npm ci -q; else npm install -q; fi
-    
-    cd ..
-    # Looking for a JS test file in the parent directory
-    local test_file=$(find . -maxdepth 1 -name "*test.js" | head -n 1)
-    if [ -n "$test_file" ]; then
-        echo "Found native test: $test_file. Running node --test..."
-        export ORCH_NAME="$name"
-        node --test "$test_file"
-    else
-        echo "No native test found. running agent directly..."
-        node "${name}/${AGENT_FILE_PATTERN}"
-    fi
-    rm -rf "${name}/node_modules"
-  )
-}
-
-run_go_test() {
-  local dir=$1
-  local name=$(basename "$dir")
-
-  if [ "$name" == "openAI" ]; then
-      echo -e "\nSkipping framework '${name}': Temporarily excluded."
-      return
-  fi
-
-  echo "--- Running Go Test: $name ---"
-  (
-    cd "$dir"
-    if [ -f "go.mod" ]; then
-      go mod tidy
-    fi
-    
-    cd ..
-    local test_file=$(find . -maxdepth 1 -name "*test.go" | head -n 1)
-    if [ -n "$test_file" ]; then
-        echo "Found native test: $test_file. Running go test..."
-        export ORCH_NAME="$name"
-        go test -v ./...
-    else
-        echo "No native test found. running agent directly..."
-        cd "$name"
-        go run "."
-    fi
-  )
-}
-
-cleanup() {
-  echo "Cleaning up background processes..."
-  [ -n "$TOOLBOX_PID" ] && kill "$TOOLBOX_PID" || true
-  [ -n "$PROXY_PID" ] && kill "$PROXY_PID" || true
-}
-trap cleanup EXIT
-
-# --- Execution ---
-install_system_packages
-start_cloud_sql_proxy
-
-export PGHOST=127.0.0.1
-export PGPORT=5432
-export PGPASSWORD="$DB_PASSWORD"
-export GOOGLE_API_KEY="$GOOGLE_API_KEY"
-
-setup_toolbox
-setup_db_table
-
-echo "Scanning $TARGET_ROOT for tests with pattern $AGENT_FILE_PATTERN..."
-
-find "$TARGET_ROOT" -name "$AGENT_FILE_PATTERN" | while read -r agent_file; do
-    sample_dir=$(dirname "$agent_file")
-    if [[ "$TARGET_LANG" == "python" ]]; then
-        run_python_test "$sample_dir"
-    elif [[ "$TARGET_LANG" == "js" ]]; then
-        run_js_test "$sample_dir"
-    elif [[ "$TARGET_LANG" == "go" ]]; then
-        run_go_test "$sample_dir"
-    fi
-done

docs/en/getting-started/quickstart/js/genkit/quickstart.js

@@ -53,7 +53,7 @@ export async function main() {
 
   for (const query of queries) {
     conversationHistory.push({ role: "user", content: [{ text: query }] });
-    let response = await ai.generate({
+    const response = await ai.generate({
       messages: conversationHistory,
       tools: tools,
     });

docs/en/how-to/invoke_tool.md

@@ -13,12 +13,12 @@ The `invoke` command allows you to invoke tools defined in your configuration di
 
 {{< notice tip >}}
 **Keep configurations minimal:** The `invoke` command initializes *all* resources (sources, tools, etc.) defined in your configuration files during execution. To ensure fast response times, consider using a minimal configuration file containing only the tools you need for the specific invocation.
-{{< /notice >}}
+{{< notice tip >}}
 
-## Before you begin
+## Prerequisites
 
-1. Make sure you have the `toolbox` binary installed or built.
-2. Make sure you have a valid tool configuration file (e.g., `tools.yaml`).
+- You have the `toolbox` binary installed or built.
+- You have a valid tool configuration file (e.g., `tools.yaml`).
 
 ## Basic Usage
 

docs/en/samples/pre_post_processing/_index.md

@@ -1,47 +0,0 @@
----
-title: "Pre and Post processing"
-type: docs
-weight: 1
-description: >
-  Pre and Post processing in GenAI applications.
----
-
-Pre and post processing allow developers to intercept and modify interactions between the agent and its tools or the user.
-
-> **Note**: These capabilities are typically features of **orchestration frameworks** (like LangChain, LangGraph, or Agent Builder) rather than the Toolbox SDK itself. However, Toolbox tools are designed to fully leverage these framework capabilities to support robust, secure, and compliant agent architectures.
-
-## Types of Processing
-
-### Pre-processing
-
-Pre-processing occurs before a tool is executed or an agent processes a message. Key types include:
-
-- **Input Sanitization & Redaction**: Detecting and masking sensitive information (like PII) in user queries or tool arguments to prevent it from being logged or sent to unauthorized systems.
-- **Business Logic Validation**: Verifying that the proposed action complies with business rules (e.g., ensuring a requested hotel stay does not exceed 14 days, or checking if a user has sufficient permission).
-- **Security Guardrails**: Analyzing inputs for potential prompt injection attacks or malicious payloads.
-
-### Post-processing
-
-Post-processing occurs after a tool has executed or the model has generated a response. Key types include:
-
-- **Response Enrichment**: Injecting additional data into the tool output that wasn't part of the raw API response (e.g., calculating loyalty points earned based on the booking value).
-- **Output Formatting**: Transforming raw data (like JSON or XML) into a more human-readable or model-friendly format to improve the agent's understanding.
-- **Compliance Auditing**: Logging the final outcome of transactions, including the original request and the result, to a secure audit trail.
-
-## Processing Scopes
-
-While processing logic can be applied at various levels (Agent, Model, Tool), this guide primarily focuses on **Tool Level** processing, which is most relevant for granular control over tool execution.
-
-### Tool Level (Primary Focus)
-
-Wraps individual tool executions. This is best for logic specific to a single tool or a set of tools.
-
-- **Scope**: Intercepts the raw inputs (arguments) to a tool and its outputs.
-- **Use Cases**: Argument validation, output formatting, specific privacy rules for sensitive tools.
-
-### Comparison with Other Levels
-
-It is helpful to understand how tool-level processing differs from other scopes:
-
-- **Model Level**: Intercepts individual calls to the LLM (prompts and responses). Unlike tool-level, this applies globally to all text sent/received, making it better for global PII redaction or token tracking.
-- **Agent Level**: Wraps the high-level execution loop (e.g., a "turn" in the conversation). Unlike tool-level, this envelopes the entire turn (user input to final response), making it suitable for session management or end-to-end auditing.

docs/en/samples/pre_post_processing/golden.txt

@@ -1,4 +0,0 @@
-Final Client Response:
-AI:
-Loyalty Points
-POLICY CHECK: Intercepting 'update-hotel'

docs/en/samples/pre_post_processing/python.md

@@ -1,31 +0,0 @@
----
-title: "(Python) Pre and post processing"
-type: docs
-weight: 4
-description: >
-  How to add pre and post processing to your Python toolbox applications.
----
-
-## Prerequisites
-
-This tutorial assumes that you have set up a basic toolbox application as described in the [local quickstart](../../getting-started/local_quickstart).
-
-This guide demonstrates how to implement these patterns in your Toolbox applications.
-
-## Implementation
-
-{{< tabpane persist=header >}}
-{{% tab header="ADK" text=true %}}
-Coming soon.
-{{% /tab %}}
-{{% tab header="Langchain" text=true %}}
-The following example demonstrates how to use `ToolboxClient` with LangChain's middleware to implement pre and post processing for tool calls.
-
-```py
-{{< include "python/langchain/agent.py" >}}
-```
-
-For more information, see the [LangChain Middleware documentation](https://docs.langchain.com/oss/python/langchain/middleware/custom#wrap-style-hooks).
-You can also add model-level (`wrap_model`) and agent-level (`before_agent`, `after_agent`) hooks to intercept messages at different stages of the execution loop. See the [LangChain Middleware documentation](https://docs.langchain.com/oss/python/langchain/middleware/custom#wrap-style-hooks) for details on these additional hook types.
-{{% /tab %}}
-{{< /tabpane >}}

docs/en/samples/pre_post_processing/python/__init__.py

@@ -1,4 +0,0 @@
-# This file makes the 'pre_post_processing/python' directory a Python package.
-
-# You can include any package-level initialization logic here if needed.
-# For now, this file is empty.

docs/en/samples/pre_post_processing/python/agent_test.py

@@ -1,59 +0,0 @@
-# Copyright 2026 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import asyncio
-import importlib
-import os
-from pathlib import Path
-
-import pytest
-
-ORCH_NAME = os.environ.get("ORCH_NAME")
-module_path = f"python.{ORCH_NAME}.agent"
-agent = importlib.import_module(module_path)
-
-
-@pytest.fixture(scope="module")
-def golden_keywords():
-    """Loads expected keywords from the golden.txt file."""
-    golden_file_path = Path(__file__).resolve().parent.parent / "golden.txt"
-    if not golden_file_path.exists():
-        pytest.fail(f"Golden file not found: {golden_file_path}")
-    try:
-        with open(golden_file_path, "r") as f:
-            return [line.strip() for line in f.readlines() if line.strip()]
-    except Exception as e:
-        pytest.fail(f"Could not read golden.txt: {e}")
-
-
-# --- Execution Tests ---
-class TestExecution:
-    """Test framework execution and output validation."""
-
-    @pytest.fixture(scope="function")
-    def script_output(self, capsys):
-        """Run the agent function and return its output."""
-        asyncio.run(agent.main())
-        return capsys.readouterr()
-
-    def test_script_runs_without_errors(self, script_output):
-        """Test that the script runs and produces no stderr."""
-        assert script_output.err == "", f"Script produced stderr: {script_output.err}"
-
-    def test_keywords_in_output(self, script_output, golden_keywords):
-        """Test that expected keywords are present in the script's output."""
-        output = script_output.out
-        print(f"\nAgent Output:\n{output}\n")
-        missing_keywords = [kw for kw in golden_keywords if kw not in output]
-        assert not missing_keywords, f"Missing keywords in output: {missing_keywords}"

docs/en/samples/pre_post_processing/python/langchain/__init__.py

@@ -1 +0,0 @@
-# Empty init for package resolution

docs/en/samples/pre_post_processing/python/langchain/agent.py

@@ -1,120 +0,0 @@
-# Copyright 2026 Google LLC
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import asyncio
-from datetime import datetime
-
-from langchain.agents import create_agent
-from langchain.agents.middleware import wrap_tool_call
-from langchain_core.messages import ToolMessage
-from langchain_google_vertexai import ChatVertexAI
-from toolbox_langchain import ToolboxClient
-
-system_prompt = """
-  You're a helpful hotel assistant. You handle hotel searching, booking and
-  cancellations. When the user searches for a hotel, mention it's name, id,
-  location and price tier. Always mention hotel ids while performing any
-  searches. This is very important for any operations. For any bookings or
-  cancellations, please provide the appropriate confirmation. Be sure to
-  update checkin or checkout dates if mentioned by the user.
-  Don't ask for confirmations from the user.
-"""
-
-
-# Pre processing
-@wrap_tool_call
-async def enforce_business_rules(request, handler):
-    """
-    Business Logic Validation:
-    Enforces max stay duration (e.g., max 14 days).
-    """
-    tool_call = request.tool_call
-    name = tool_call["name"]
-    args = tool_call["args"]
-
-    print(f"POLICY CHECK: Intercepting '{name}'")
-
-    if name == "update-hotel":
-        if "checkin_date" in args and "checkout_date" in args:
-            try:
-                start = datetime.fromisoformat(args["checkin_date"])
-                end = datetime.fromisoformat(args["checkout_date"])
-                duration = (end - start).days
-
-                if duration > 14:
-                    print("BLOCKED: Stay too long")
-                    return ToolMessage(
-                        content="Error: Maximum stay duration is 14 days.",
-                        tool_call_id=tool_call["id"],
-                    )
-            except ValueError:
-                pass  # Ignore invalid date formats
-
-    return await handler(request)
-
-
-# Post processing
-@wrap_tool_call
-async def enrich_response(request, handler):
-    """
-    Post-Processing & Enrichment:
-    Adds loyalty points information to successful bookings.
-    Standardizes output format.
-    """
-    result = await handler(request)
-
-    if isinstance(result, ToolMessage):
-        content = str(result.content)
-        tool_name = request.tool_call["name"]
-
-        if tool_name == "book-hotel" and "Error" not in content:
-            loyalty_bonus = 500
-            result.content = f"Booking Confirmed!\n You earned {loyalty_bonus} Loyalty Points with this stay.\n\nSystem Details: {content}"
-
-    return result
-
-
-async def main():
-    async with ToolboxClient("http://127.0.0.1:5000") as client:
-        tools = await client.aload_toolset("my-toolset")
-        model = ChatVertexAI(model="gemini-2.5-flash")
-        agent = create_agent(
-            system_prompt=system_prompt,
-            model=model,
-            tools=tools,
-            middleware=[enforce_business_rules, enrich_response],
-        )
-
-        user_input = "Book hotel with id 3."
-        response = await agent.ainvoke(
-            {"messages": [{"role": "user", "content": user_input}]}
-        )
-
-        print("-" * 50)
-        print("Final Client Response:")
-        last_ai_msg = response["messages"][-1].content
-        print(f"AI: {last_ai_msg}")
-
-        # Test Pre-processing
-        print("-" * 50)
-        user_input = "Update my hotel with id 3 with checkin date 2025-01-18 and checkout date 2025-01-20"
-        response = await agent.ainvoke(
-            {"messages": [{"role": "user", "content": user_input}]}
-        )
-        last_ai_msg = response["messages"][-1].content
-        print(f"AI: {last_ai_msg}")
-
-
-if __name__ == "__main__":
-    asyncio.run(main())

docs/en/samples/pre_post_processing/python/langchain/requirements.txt

@@ -1,3 +0,0 @@
-langchain==1.2.6
-langchain-google-vertexai==3.2.2
-toolbox-langchain==0.5.8

internal/server/api.go

@@ -19,7 +19,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"strings"
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
@@ -234,10 +233,11 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 
 	params, err := parameters.ParseParams(tool.GetParameters(), data, claimsFromAuth)
 	if err != nil {
-		// If auth error, return 401
-		if errors.Is(err, util.ErrUnauthorized) {
+		// If auth error, return 401 or 403
+		var clientServerErr *util.ClientServerError
+		if errors.As(err, &clientServerErr) && (clientServerErr.Code == http.StatusUnauthorized || clientServerErr.Code == http.StatusForbidden) {
 			s.logger.DebugContext(ctx, fmt.Sprintf("error parsing authenticated parameters from ID token: %s", err))
-			_ = render.Render(w, r, newErrResponse(err, http.StatusUnauthorized))
+			_ = render.Render(w, r, newErrResponse(err, clientServerErr.Code))
 			return
 		}
 		err = fmt.Errorf("provided parameters were invalid: %w", err)
@@ -259,34 +259,49 @@ func toolInvokeHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 
 	// Determine what error to return to the users.
 	if err != nil {
-		errStr := err.Error()
-		var statusCode int
+		var tbErr util.ToolboxError
 
-		// Upstream API auth error propagation
-		switch {
-		case strings.Contains(errStr, "Error 401"):
-			statusCode = http.StatusUnauthorized
-		case strings.Contains(errStr, "Error 403"):
-			statusCode = http.StatusForbidden
-		}
+		if errors.As(err, &tbErr) {
+			switch tbErr.Category() {
+			case util.CategoryAgent:
+				// Agent Errors -> 200 OK
+				s.logger.DebugContext(ctx, fmt.Sprintf("Tool invocation agent error: %v", err))
+				_ = render.Render(w, r, newErrResponse(err, http.StatusOK))
+				return
 
-		if statusCode == http.StatusUnauthorized || statusCode == http.StatusForbidden {
-			if clientAuth {
-				// Propagate the original 401/403 error.
-				s.logger.DebugContext(ctx, fmt.Sprintf("error invoking tool. Client credentials lack authorization to the source: %v", err))
+			case util.CategoryServer:
+				// Server Errors -> Check the specific code inside
+				var clientServerErr *util.ClientServerError
+				statusCode := http.StatusInternalServerError // Default to 500
+
+				if errors.As(err, &clientServerErr) {
+					if clientServerErr.Code != 0 {
+						statusCode = clientServerErr.Code
+					}
+				}
+
+				// Process auth error
+				if statusCode == http.StatusUnauthorized || statusCode == http.StatusForbidden {
+					if clientAuth {
+						// Token error, pass through 401/403
+						s.logger.DebugContext(ctx, fmt.Sprintf("Client credentials lack authorization: %v", err))
+						_ = render.Render(w, r, newErrResponse(err, statusCode))
+						return
+					}
+					// ADC/Config error, return 500
+					statusCode = http.StatusInternalServerError
+				}
+
+				s.logger.ErrorContext(ctx, fmt.Sprintf("Tool invocation server error: %v", err))
 				_ = render.Render(w, r, newErrResponse(err, statusCode))
 				return
 			}
-			// ADC lacking permission or credentials configuration error.
-			internalErr := fmt.Errorf("unexpected auth error occured during Tool invocation: %w", err)
-			s.logger.ErrorContext(ctx, internalErr.Error())
-			_ = render.Render(w, r, newErrResponse(internalErr, http.StatusInternalServerError))
+		} else {
+			// Unknown error -> 500
+			s.logger.ErrorContext(ctx, fmt.Sprintf("Tool invocation unknown error: %v", err))
+			_ = render.Render(w, r, newErrResponse(err, http.StatusInternalServerError))
 			return
 		}
-		err = fmt.Errorf("error while invoking tool: %w", err)
-		s.logger.DebugContext(ctx, err.Error())
-		_ = render.Render(w, r, newErrResponse(err, http.StatusBadRequest))
-		return
 	}
 
 	resMarshal, err := json.Marshal(res)

internal/server/mcp.go

@@ -23,7 +23,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"strings"
 	"sync"
 	"time"
 
@@ -444,15 +443,12 @@ func httpHandler(s *Server, w http.ResponseWriter, r *http.Request) {
 		code := rpcResponse.Error.Code
 		switch code {
 		case jsonrpc.INTERNAL_ERROR:
+			// Map Internal RPC Error (-32603) to HTTP 500
 			w.WriteHeader(http.StatusInternalServerError)
 		case jsonrpc.INVALID_REQUEST:
-			errStr := err.Error()
-			if errors.Is(err, util.ErrUnauthorized) {
-				w.WriteHeader(http.StatusUnauthorized)
-			} else if strings.Contains(errStr, "Error 401") {
-				w.WriteHeader(http.StatusUnauthorized)
-			} else if strings.Contains(errStr, "Error 403") {
-				w.WriteHeader(http.StatusForbidden)
+			var clientServerErr *util.ClientServerError
+			if errors.As(err, &clientServerErr) {
+				w.WriteHeader(clientServerErr.Code)
 			}
 		}
 	}

internal/server/mcp/v20241105/method.go

@@ -21,7 +21,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"strings"
 
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
@@ -124,7 +123,12 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	}
 	if clientAuth {
 		if accessToken == "" {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), util.ErrUnauthorized
+			errMsg := "missing access token in the 'Authorization' header"
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, errMsg, nil), util.NewClientServerError(
+				errMsg,
+				http.StatusUnauthorized,
+				nil,
+			)
 		}
 	}
 
@@ -172,7 +176,11 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// Check if any of the specified auth services is verified
 	isAuthorized := tool.Authorized(verifiedAuthServices)
 	if !isAuthorized {
-		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", util.ErrUnauthorized)
+		err = util.NewClientServerError(
+			"unauthorized Tool call: Please make sure you specify correct auth headers",
+			http.StatusUnauthorized,
+			nil,
+		)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
 	}
 	logger.DebugContext(ctx, "tool invocation authorized")
@@ -194,30 +202,44 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// run tool invocation and generate response.
 	results, err := tool.Invoke(ctx, resourceMgr, params, accessToken)
 	if err != nil {
-		errStr := err.Error()
-		// Missing authService tokens.
-		if errors.Is(err, util.ErrUnauthorized) {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-		}
-		// Upstream auth error
-		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
-			if clientAuth {
-				// Error with client credentials should pass down to the client
-				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		var tbErr util.ToolboxError
+
+		if errors.As(err, &tbErr) {
+			switch tbErr.Category() {
+			case util.CategoryAgent:
+				// MCP - Tool execution error
+				// Return SUCCESS but with IsError: true
+				text := TextContent{
+					Type: "text",
+					Text: err.Error(),
+				}
+				return jsonrpc.JSONRPCResponse{
+					Jsonrpc: jsonrpc.JSONRPC_VERSION,
+					Id:      id,
+					Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
+				}, nil
+
+			case util.CategoryServer:
+				// MCP Spec - Protocol error
+				// Return JSON-RPC ERROR
+				var clientServerErr *util.ClientServerError
+				rpcCode := jsonrpc.INTERNAL_ERROR // Default to Internal Error (-32603)
+
+				if errors.As(err, &clientServerErr) {
+					if clientServerErr.Code == http.StatusUnauthorized || clientServerErr.Code == http.StatusForbidden {
+						if clientAuth {
+							rpcCode = jsonrpc.INVALID_REQUEST
+						} else {
+							rpcCode = jsonrpc.INTERNAL_ERROR
+						}
+					}
+				}
+				return jsonrpc.NewError(id, rpcCode, err.Error(), nil), err
 			}
-			// Auth error with ADC should raise internal 500 error
+		} else {
+			// Unknown error -> 500
 			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 		}
-
-		text := TextContent{
-			Type: "text",
-			Text: err.Error(),
-		}
-		return jsonrpc.JSONRPCResponse{
-			Jsonrpc: jsonrpc.JSONRPC_VERSION,
-			Id:      id,
-			Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
-		}, nil
 	}
 
 	content := make([]TextContent, 0)

internal/server/mcp/v20250326/method.go

@@ -21,7 +21,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"strings"
 
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
@@ -124,7 +123,12 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	}
 	if clientAuth {
 		if accessToken == "" {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), util.ErrUnauthorized
+			errMsg := "missing access token in the 'Authorization' header"
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, errMsg, nil), util.NewClientServerError(
+				errMsg,
+				http.StatusUnauthorized,
+				nil,
+			)
 		}
 	}
 
@@ -172,7 +176,11 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// Check if any of the specified auth services is verified
 	isAuthorized := tool.Authorized(verifiedAuthServices)
 	if !isAuthorized {
-		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", util.ErrUnauthorized)
+		err = util.NewClientServerError(
+			"unauthorized Tool call: Please make sure you specify correct auth headers",
+			http.StatusUnauthorized,
+			nil,
+		)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
 	}
 	logger.DebugContext(ctx, "tool invocation authorized")
@@ -194,31 +202,45 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// run tool invocation and generate response.
 	results, err := tool.Invoke(ctx, resourceMgr, params, accessToken)
 	if err != nil {
-		errStr := err.Error()
-		// Missing authService tokens.
-		if errors.Is(err, util.ErrUnauthorized) {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-		}
-		// Upstream auth error
-		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
-			if clientAuth {
-				// Error with client credentials should pass down to the client
-				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		var tbErr util.ToolboxError
+
+		if errors.As(err, &tbErr) {
+			switch tbErr.Category() {
+			case util.CategoryAgent:
+				// MCP - Tool execution error
+				// Return SUCCESS but with IsError: true
+				text := TextContent{
+					Type: "text",
+					Text: err.Error(),
+				}
+				return jsonrpc.JSONRPCResponse{
+					Jsonrpc: jsonrpc.JSONRPC_VERSION,
+					Id:      id,
+					Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
+				}, nil
+
+			case util.CategoryServer:
+				// MCP Spec - Protocol error
+				// Return JSON-RPC ERROR
+				var clientServerErr *util.ClientServerError
+				rpcCode := jsonrpc.INTERNAL_ERROR // Default to Internal Error (-32603)
+
+				if errors.As(err, &clientServerErr) {
+					if clientServerErr.Code == http.StatusUnauthorized || clientServerErr.Code == http.StatusForbidden {
+						if clientAuth {
+							rpcCode = jsonrpc.INVALID_REQUEST
+						} else {
+							rpcCode = jsonrpc.INTERNAL_ERROR
+						}
+					}
+				}
+				return jsonrpc.NewError(id, rpcCode, err.Error(), nil), err
 			}
-			// Auth error with ADC should raise internal 500 error
+		} else {
+			// Unknown error -> 500
 			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 		}
-		text := TextContent{
-			Type: "text",
-			Text: err.Error(),
-		}
-		return jsonrpc.JSONRPCResponse{
-			Jsonrpc: jsonrpc.JSONRPC_VERSION,
-			Id:      id,
-			Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
-		}, nil
 	}
-
 	content := make([]TextContent, 0)
 
 	sliceRes, ok := results.([]any)

internal/server/mcp/v20250618/method.go

@@ -21,7 +21,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"strings"
 
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
@@ -117,7 +116,12 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	}
 	if clientAuth {
 		if accessToken == "" {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), util.ErrUnauthorized
+			errMsg := "missing access token in the 'Authorization' header"
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, errMsg, nil), util.NewClientServerError(
+				errMsg,
+				http.StatusUnauthorized,
+				nil,
+			)
 		}
 	}
 
@@ -165,7 +169,11 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// Check if any of the specified auth services is verified
 	isAuthorized := tool.Authorized(verifiedAuthServices)
 	if !isAuthorized {
-		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", util.ErrUnauthorized)
+		err = util.NewClientServerError(
+			"unauthorized Tool call: Please make sure you specify correct auth headers",
+			http.StatusUnauthorized,
+			nil,
+		)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
 	}
 	logger.DebugContext(ctx, "tool invocation authorized")
@@ -187,29 +195,44 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// run tool invocation and generate response.
 	results, err := tool.Invoke(ctx, resourceMgr, params, accessToken)
 	if err != nil {
-		errStr := err.Error()
-		// Missing authService tokens.
-		if errors.Is(err, util.ErrUnauthorized) {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-		}
-		// Upstream auth error
-		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
-			if clientAuth {
-				// Error with client credentials should pass down to the client
-				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		var tbErr util.ToolboxError
+
+		if errors.As(err, &tbErr) {
+			switch tbErr.Category() {
+			case util.CategoryAgent:
+				// MCP - Tool execution error
+				// Return SUCCESS but with IsError: true
+				text := TextContent{
+					Type: "text",
+					Text: err.Error(),
+				}
+				return jsonrpc.JSONRPCResponse{
+					Jsonrpc: jsonrpc.JSONRPC_VERSION,
+					Id:      id,
+					Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
+				}, nil
+
+			case util.CategoryServer:
+				// MCP Spec - Protocol error
+				// Return JSON-RPC ERROR
+				var clientServerErr *util.ClientServerError
+				rpcCode := jsonrpc.INTERNAL_ERROR // Default to Internal Error (-32603)
+
+				if errors.As(err, &clientServerErr) {
+					if clientServerErr.Code == http.StatusUnauthorized || clientServerErr.Code == http.StatusForbidden {
+						if clientAuth {
+							rpcCode = jsonrpc.INVALID_REQUEST
+						} else {
+							rpcCode = jsonrpc.INTERNAL_ERROR
+						}
+					}
+				}
+				return jsonrpc.NewError(id, rpcCode, err.Error(), nil), err
 			}
-			// Auth error with ADC should raise internal 500 error
+		} else {
+			// Unknown error -> 500
 			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 		}
-		text := TextContent{
-			Type: "text",
-			Text: err.Error(),
-		}
-		return jsonrpc.JSONRPCResponse{
-			Jsonrpc: jsonrpc.JSONRPC_VERSION,
-			Id:      id,
-			Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
-		}, nil
 	}
 
 	content := make([]TextContent, 0)

internal/server/mcp/v20251125/method.go

@@ -21,7 +21,6 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
-	"strings"
 
 	"github.com/googleapis/genai-toolbox/internal/prompts"
 	"github.com/googleapis/genai-toolbox/internal/server/mcp/jsonrpc"
@@ -117,7 +116,12 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	}
 	if clientAuth {
 		if accessToken == "" {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, "missing access token in the 'Authorization' header", nil), util.ErrUnauthorized
+			errMsg := "missing access token in the 'Authorization' header"
+			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, errMsg, nil), util.NewClientServerError(
+				errMsg,
+				http.StatusUnauthorized,
+				nil,
+			)
 		}
 	}
 
@@ -165,7 +169,11 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// Check if any of the specified auth services is verified
 	isAuthorized := tool.Authorized(verifiedAuthServices)
 	if !isAuthorized {
-		err = fmt.Errorf("unauthorized Tool call: Please make sure your specify correct auth headers: %w", util.ErrUnauthorized)
+		err = util.NewClientServerError(
+			"unauthorized Tool call: Please make sure you specify correct auth headers",
+			http.StatusUnauthorized,
+			nil,
+		)
 		return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
 	}
 	logger.DebugContext(ctx, "tool invocation authorized")
@@ -187,29 +195,44 @@ func toolsCallHandler(ctx context.Context, id jsonrpc.RequestId, resourceMgr *re
 	// run tool invocation and generate response.
 	results, err := tool.Invoke(ctx, resourceMgr, params, accessToken)
 	if err != nil {
-		errStr := err.Error()
-		// Missing authService tokens.
-		if errors.Is(err, util.ErrUnauthorized) {
-			return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
-		}
-		// Upstream auth error
-		if strings.Contains(errStr, "Error 401") || strings.Contains(errStr, "Error 403") {
-			if clientAuth {
-				// Error with client credentials should pass down to the client
-				return jsonrpc.NewError(id, jsonrpc.INVALID_REQUEST, err.Error(), nil), err
+		var tbErr util.ToolboxError
+
+		if errors.As(err, &tbErr) {
+			switch tbErr.Category() {
+			case util.CategoryAgent:
+				// MCP - Tool execution error
+				// Return SUCCESS but with IsError: true
+				text := TextContent{
+					Type: "text",
+					Text: err.Error(),
+				}
+				return jsonrpc.JSONRPCResponse{
+					Jsonrpc: jsonrpc.JSONRPC_VERSION,
+					Id:      id,
+					Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
+				}, nil
+
+			case util.CategoryServer:
+				// MCP Spec - Protocol error
+				// Return JSON-RPC ERROR
+				var clientServerErr *util.ClientServerError
+				rpcCode := jsonrpc.INTERNAL_ERROR // Default to Internal Error (-32603)
+
+				if errors.As(err, &clientServerErr) {
+					if clientServerErr.Code == http.StatusUnauthorized || clientServerErr.Code == http.StatusForbidden {
+						if clientAuth {
+							rpcCode = jsonrpc.INVALID_REQUEST
+						} else {
+							rpcCode = jsonrpc.INTERNAL_ERROR
+						}
+					}
+				}
+				return jsonrpc.NewError(id, rpcCode, err.Error(), nil), err
 			}
-			// Auth error with ADC should raise internal 500 error
+		} else {
+			// Unknown error -> 500
 			return jsonrpc.NewError(id, jsonrpc.INTERNAL_ERROR, err.Error(), nil), err
 		}
-		text := TextContent{
-			Type: "text",
-			Text: err.Error(),
-		}
-		return jsonrpc.JSONRPCResponse{
-			Jsonrpc: jsonrpc.JSONRPC_VERSION,
-			Id:      id,
-			Result:  CallToolResult{Content: []TextContent{text}, IsError: true},
-		}, nil
 	}
 
 	content := make([]TextContent, 0)

internal/server/mcp_test.go

@@ -231,7 +231,7 @@ func TestMcpEndpointWithoutInitialized(t *testing.T) {
 				"id":      "tools-call-tool4",
 				"error": map[string]any{
 					"code":    -32600.0,
-					"message": "unauthorized Tool call: Please make sure your specify correct auth headers: unauthorized",
+					"message": "unauthorized Tool call: Please make sure you specify correct auth headers: <nil>",
 				},
 			},
 		},
@@ -834,7 +834,7 @@ func TestMcpEndpoint(t *testing.T) {
 						"id":      "tools-call-tool4",
 						"error": map[string]any{
 							"code":    -32600.0,
-							"message": "unauthorized Tool call: Please make sure your specify correct auth headers: unauthorized",
+							"message": "unauthorized Tool call: Please make sure you specify correct auth headers: <nil>",
 						},
 					},
 				},

internal/tools/bigquery/bigqueryconversationalanalytics/bigqueryconversationalanalytics.go

@@ -184,7 +184,7 @@ func (t Tool) Invoke(ctx context.Context, resourceMgr tools.SourceProvider, para
 	if source.UseClientAuthorization() {
 		// Use client-side access token
 		if accessToken == "" {
-			return nil, fmt.Errorf("tool is configured for client OAuth but no token was provided in the request header: %w", util.ErrUnauthorized)
+			return nil, util.NewClientServerError("tool is configured for client OAuth but no token was provided in the request header", http.StatusUnauthorized, nil)
 		}
 		tokenStr, err = accessToken.ParseBearerToken()
 		if err != nil {

internal/tools/tools.go

@@ -17,6 +17,7 @@ package tools
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"slices"
 	"strings"
 
@@ -80,7 +81,7 @@ type AccessToken string
 func (token AccessToken) ParseBearerToken() (string, error) {
 	headerParts := strings.Split(string(token), " ")
 	if len(headerParts) != 2 || strings.ToLower(headerParts[0]) != "bearer" {
-		return "", fmt.Errorf("authorization header must be in the format 'Bearer <token>': %w", util.ErrUnauthorized)
+		return "", util.NewClientServerError("authorization header must be in the format 'Bearer <token>'", http.StatusUnauthorized, nil)
 	}
 	return headerParts[1], nil
 }

internal/util/errors.go

@@ -0,0 +1,61 @@
+// Copyright 2026 Google LLC
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package util
+
+import "fmt"
+
+type ErrorCategory string
+
+const (
+	CategoryAgent  ErrorCategory = "AGENT_ERROR"
+	CategoryServer ErrorCategory = "SERVER_ERROR"
+)
+
+// ToolboxError is the interface all custom errors must satisfy
+type ToolboxError interface {
+	error
+	Category() ErrorCategory
+}
+
+// Agent Errors return 200 to the sender
+type AgentError struct {
+	Msg   string
+	Cause error
+}
+
+func (e *AgentError) Error() string { return e.Msg }
+
+func (e *AgentError) Category() ErrorCategory { return CategoryAgent }
+
+func (e *AgentError) Unwrap() error { return e.Cause }
+
+func NewAgentError(msg string, cause error) *AgentError {
+	return &AgentError{Msg: msg, Cause: cause}
+}
+
+// ClientServerError returns 4XX/5XX error code
+type ClientServerError struct {
+	Msg   string
+	Code  int
+	Cause error
+}
+
+func (e *ClientServerError) Error() string { return fmt.Sprintf("%s: %v", e.Msg, e.Cause) }
+
+func (e *ClientServerError) Category() ErrorCategory { return CategoryServer }
+
+func (e *ClientServerError) Unwrap() error { return e.Cause }
+
+func NewClientServerError(msg string, code int, cause error) *ClientServerError {
+	return &ClientServerError{Msg: msg, Code: code, Cause: cause}
+}

internal/util/parameters/parameters.go

@@ -19,6 +19,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net/http"
 	"reflect"
 	"regexp"
 	"slices"
@@ -118,7 +119,7 @@ func parseFromAuthService(paramAuthServices []ParamAuthService, claimsMap map[st
 		}
 		return v, nil
 	}
-	return nil, fmt.Errorf("missing or invalid authentication header: %w", util.ErrUnauthorized)
+	return nil, util.NewClientServerError("missing or invalid authentication header", http.StatusUnauthorized, nil)
 }
 
 // CheckParamRequired checks if a parameter is required based on the required and default field.

internal/util/util.go

@@ -17,7 +17,6 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -188,5 +187,3 @@ func InstrumentationFromContext(ctx context.Context) (*telemetry.Instrumentation
 	}
 	return nil, fmt.Errorf("unable to retrieve instrumentation")
 }
-
-var ErrUnauthorized = errors.New("unauthorized")