# Building AI Agent Bot With RAG, Langchain, and Reasoning Engine From Scratch

In [1]:
from IPython.display import display, Markdown

from langchain.agents.format_scratchpad import format_to_openai_function_messages
from langchain.agents import tool
from langchain.pydantic_v1 import BaseModel, Field

from langchain.memory import ChatMessageHistory
from langchain_community.chat_message_histories import ChatMessageHistory
from langchain_core.chat_history import BaseChatMessageHistory

from langchain.prompts import (
    ChatPromptTemplate,
    HumanMessagePromptTemplate,
    MessagesPlaceholder,
    SystemMessagePromptTemplate,
)

from vertexai.preview import reasoning_engines
from langchain_google_vertexai import HarmBlockThreshold, HarmCategory
import requests

In [4]:
# constan definitions
# USE_CLOUDSQL = False
USE_CLOUDSQL = True

project_id = "imrenagi-gemini-experiment" #change this to your project id
region = "us-central1" #change this to project location
gemini_embedding_model = "text-embedding-004"
gemini_llm_model = "gemini-1.5-pro-001"
staging_bucket_name = "courses-imrenagicom-agent"
staging_bucket_uri = f"gs://{staging_bucket_name}"

cloudrun_services = !gcloud run services describe courses-api --region=us-central1 --format='value(status.url)'
api_base_url = cloudrun_services[0]
# api_base_url = "localhost:8080"

if not USE_CLOUDSQL:
    # use pgvector docker image for local development
    database_password = "pyconapac"
    database_name = "pyconapac"
    database_user = "pyconapac"
    database_host = "localhost"
else:
    # use cloudsql credential if you want to use cloudsql
    instance_name="pyconapac-demo"
    database_password = 'testing'
    database_name = 'testing'
    database_user = 'testing'


assert database_name, "⚠️ Please provide a database name"
assert database_user, "⚠️ Please provide a database user"
assert database_password, "⚠️ Please provide a database password"

if USE_CLOUDSQL:
    # get the ip address of the cloudsql instance
    ip_addresses = !gcloud sql instances describe {instance_name} --format="value(ipAddresses[0].ipAddress)"
    database_host = ip_addresses[0]

db_conn_string = f"postgres://{database_user}:{database_password}@{database_host}:5432/{database_name}"

embeddings_table_name = "course_content_embeddings"

print(f"db connection: {db_conn_string}")
print(f"api base url: {api_base_url}")

db connection: postgres://testing:testing@35.232.5.157:5432/testing
api base url: https://courses-api-uzttxm4diq-uc.a.run.app


In [5]:
import vertexai
vertexai.init(project=project_id, location=region, staging_bucket=staging_bucket_uri)

from langchain_google_vertexai import VertexAIEmbeddings
embeddings_service = VertexAIEmbeddings(model_name=gemini_embedding_model)

In [6]:
from langchain_google_cloud_sql_pg import PostgresLoader, PostgresEngine, Column

pg_engine = PostgresEngine.from_instance(
    project_id=project_id,
    instance=instance_name,
    region=region,
    database=database_name,
    user=database_password,
    password=database_password,
)

from langchain_google_vertexai import VertexAIEmbeddings
from langchain_google_cloud_sql_pg import PostgresVectorStore

sample_vector_table_name = "course_content_embeddings"

vector_store = PostgresVectorStore.create_sync(
            pg_engine,
            table_name=embeddings_table_name,
            embedding_service=embeddings_service,
        )
retriever = vector_store.as_retriever(search_kwargs={"k": 10})

In [12]:
@tool
def search_course_content(query: str) -> str:
    """Explain about software security course materials."""        
    result = str(retriever.invoke(query))
    return result

In [13]:
search_course_content.invoke("best practices for forgot password") 

'[Document(metadata={\'course_content_id\': 5, \'title\': \'Authorization Cheat Sheet\'}, page_content=\'- **Robustness**. In large projects or when numerous roles are present, it is easy to miss or improperly perform role checks ([OWASP C7: Enforce Access Controls](https://owasp.org/www-project-proactive-controls/v3/en/c7-enforce-access-controls)). This can result in both too much and too little access. This is especially true in RBAC implementations where a role hierarchy is not present and multiples role checks must be chained to have the desired impact (i.e. ( `if(user.hasAnyRole("SUPERUSER", "ADMIN", "ACCT_MANAGER")` ))).\\n- **Speed**. In RBAC, "role explosion" can occur when a system defines too many roles. If users send their credential and roles through means like HTTP headers, which have size limits, there may not be enough space to include all of the user\\\'s roles. A viable workaround to this problem is to only send the user ID, and then the application retrieves the user\

In [9]:
class CourseAPIClient:
  def __init__(self, url=api_base_url):
    self.url = url
    
  def list_courses(self):
      response = requests.get(f"{self.url}/courses")
      return response.json()

  def get_course(self, course_name):
      response = requests.get(f"{self.url}/courses/{course_name}")
      return response.json()

  def create_order(self, course, user_name, user_email):
      payload = {
          "course": course,
          "user_name": user_name,
          "user_email": user_email
      }
      response = requests.post(f"{self.url}/orders", json=payload)
      return response.json()

  def get_order(self, order_id):
      response = requests.get(f"{self.url}/orders/{order_id}")
      return response.json()

  def pay_order(self, order_id):
      response = requests.post(f"{self.url}/orders/{order_id}:pay")
      return response.json()

  def get_payment_page_url(self, order_id):
      return f"{self.url}/orders/{order_id}/payment"

In [11]:
from typing import List

@tool
def list_courses() -> List[str]:
  """List all available courses sold on the platform."""
  client = CourseAPIClient()
  return client.list_courses()

In [14]:
class GetCourseInput(BaseModel):
    course: str = Field(description="name of the course. this is the unique identifier of the course. it typically contains the course title with dashes, all in lowercase.")

@tool("get-course-tool", args_schema=GetCourseInput)
def get_course(course: str) -> str:
  """Get course details by course name. course name is the unique identifier of the course. it typically contains the course title with dashes.
  This function can be used to get course details such as course price, etc."""
  client = CourseAPIClient()
  return client.get_course(course)

In [15]:
class CreateOrderInput(BaseModel):
    course: str = Field(description="name of the course. this is the unique identifier of the course. it typically contains the course title with dashes, all in lowercase.")
    user_name: str = Field(description="name of the user who is purchasing the course .")
    user_email: str = Field(description="email of the user who is purchasing the course.")

@tool("create-order-tool", args_schema=CreateOrderInput)
def create_order(course: str, user_name: str, user_email: str) -> str:
  """Create order for a course. This function can be used to create an order for a course. When this function returns successfully, it will return payment url to user to make payment. """
  client = CourseAPIClient()
  
  print(f"Creating order for course: {course}, user_name: {user_name}, user_email: {user_email}")
  
  res = client.create_order(course, user_name, user_email)
  print(res)
  order_id = res["order_id"]
  payment_url = f"{api_base_url}/orders/{order_id}/payment"
  return f"Order number {order_id} created successfully. Payment URL: {payment_url}"

In [16]:
create_order.invoke({"course":"software-security", "user_name":"John Doe", "user_email":"imre@gmail.com"}) 

Creating order for course: software-security, user_name: John Doe, user_email: imre@gmail.com


{'order_id': '32b4f337-dec9-4e6a-bce8-f421a1e450f6'}


'Order number 32b4f337-dec9-4e6a-bce8-f421a1e450f6 created successfully. Payment URL: https://courses-api-uzttxm4diq-uc.a.run.app/orders/32b4f337-dec9-4e6a-bce8-f421a1e450f6/payment'

In [17]:
class GetOrderInput(BaseModel):
    order_number: str = Field(description="order number identifier. this is a unique identifier in uuid format.")

@tool("get-order-tool", args_schema=GetOrderInput)
def get_order(order_number: str) -> str:
  """Get order by using order number. This function can be used to get order details such as payment status to check whether the order has been paid or not. If user already paid the course, say thanks"""
  client = CourseAPIClient()
  return client.get_order(order_number)

In [18]:
tools = [search_course_content, list_courses, get_course, create_order, get_order]

In [19]:
prompt = {
    "chat_history": lambda x: x["history"],
    "input": lambda x: x["input"],
    "agent_scratchpad": (
        lambda x: format_to_openai_function_messages(x["intermediate_steps"])
    ),
} | ChatPromptTemplate(
  messages = [
    SystemMessagePromptTemplate.from_template("""
      You are a bot assistant that sells online course about software security. You only use information provided from datastore or tools. You can provide the information that is relevant to the user's question or the summary of the content. If they ask about the content, you can give them more detail about the content. If the user seems interested, you may suggest the user to enroll in the course. 
      """),
    MessagesPlaceholder(variable_name="chat_history", optional=True),
    HumanMessagePromptTemplate.from_template("Use tools to answer this questions: {input}"),
    MessagesPlaceholder(variable_name="agent_scratchpad"),
  ]
)

In [20]:
store = {}
def get_session_history(session_id: str) -> BaseChatMessageHistory:
    if session_id not in store:
        store[session_id] = ChatMessageHistory()
    return store[session_id]

In [21]:
## Model safety settings
safety_settings = {
    HarmCategory.HARM_CATEGORY_UNSPECIFIED: HarmBlockThreshold.BLOCK_ONLY_HIGH,
    HarmCategory.HARM_CATEGORY_SEXUALLY_EXPLICIT: HarmBlockThreshold.BLOCK_ONLY_HIGH,
    HarmCategory.HARM_CATEGORY_HARASSMENT: HarmBlockThreshold.BLOCK_ONLY_HIGH,
    HarmCategory.HARM_CATEGORY_DANGEROUS_CONTENT: HarmBlockThreshold.BLOCK_ONLY_HIGH,
    HarmCategory.HARM_CATEGORY_HATE_SPEECH: HarmBlockThreshold.BLOCK_ONLY_HIGH,
}

## Model parameters
model_kwargs = {
    "temperature": 0.5,
    "safety_settings": safety_settings,
}

agent = reasoning_engines.LangchainAgent(
    model=gemini_llm_model,
    tools=tools,
    prompt=prompt,    
    chat_history=get_session_history,
    agent_executor_kwargs={
      "return_intermediate_steps": True,
    },
    model_kwargs=model_kwargs,
    enable_tracing=True,
)

In [22]:
import uuid

# Generate a UUID for the session ID
session_id = str(uuid.uuid4())
print(f"Generated session ID: {session_id}")

Generated session ID: c39807d4-4fb8-4bcc-8797-bf939aefcb06


In [23]:
response = agent.query(
  input="Can you please share what are being taught on this course?",
  config={"configurable": {"session_id": session_id}},
)
display(Markdown(response["output"]))

This course teaches various aspects of software security, from secure authentication and authorization mechanisms to proper password management. 

Let me give you some more details:

*   **Authentication:** You'll learn about best practices for features like change password and email update. The course covers topics like TLS for password transmission, password strength controls, and avoiding common pitfalls in form design.
*   **Password Storage:** This section dives into securely storing passwords using robust hashing algorithms and salt generation. You'll understand the importance of handling international characters and avoiding common vulnerabilities. 
*   **REST Security:** You'll explore securing REST APIs using headers like 'Cache-Control' and 'Content-Security-Policy' to prevent unauthorized access and data leakage.
*   **Forgot Password:** This part covers secure ways to implement a 'Forgot Password' feature, including using secure tokens, email verification, and preventing common vulnerabilities like Host Header Injection.
*   **Authorization:** You'll learn about different authorization mechanisms like RBAC and ABAC, understanding their strengths and weaknesses in various scenarios.

This is just a glimpse of what's covered in the course.  Are you interested in enrolling to learn more about building secure software? 


In [24]:
response = agent.query(
  input="Does it teach about how to design a forgot password system securely?",
  config={"configurable": {"session_id": session_id}},
)
display(Markdown(response["output"]))

Yes, the course covers how to design a secure forgot password system. It explains how to securely handle password reset requests, generate and verify tokens, and update passwords while preventing vulnerabilities. 


In [25]:
response = agent.query(
  input="How much this course costs?",
  config={"configurable": {"session_id": session_id}},
)
display(Markdown(response["output"]))

The "Software Security" course costs $100 USD. Would you like to enroll? 


In [26]:
response = agent.query(
  input="Yes. I want to enroll",
  config={"configurable": {"session_id": session_id}},
)
display(Markdown(response["output"]))

Great! What is your name and email address? I can create an order for you. 



In [27]:
response = agent.query(
  input="",Mulyono, mulyono@gmail.com
  config={"configurable": {"session_id": session_id}},
)
display(Markdown(response["output"]))

Span has more then 32 attributes, some will be truncated


Creating order for course: software-security, user_name: Mulyono, user_email: mulyono@gmail.com
{'order_id': '5856d2c5-e09e-42b9-920e-296362507483'}


Span has more then 32 attributes, some will be truncated


Thank you Mulyono! I have created an order for you. Your order number is 5856d2c5-e09e-42b9-920e-296362507483. You can make the payment through this link: https://courses-api-uzttxm4diq-uc.a.run.app/orders/5856d2c5-e09e-42b9-920e-296362507483/payment


In [28]:
response = agent.query(
  input="I have made the payment. Can you please check?",
  config={"configurable": {"session_id": session_id}},
)
display(Markdown(response["output"]))

Span has more then 32 attributes, some will be truncated
Span has more then 32 attributes, some will be truncated


Thank you for your payment, Mulyono! You now have access to the course. Happy learning! 


# Deploying the Agent on Vertex AI

Deploying is as simple as calling `create()` method. We will provide the agent here and some dependencies required to run the agent.

In [30]:
remote_agent = reasoning_engines.ReasoningEngine.create(
    agent,
    # requirements=[
    #     "google-cloud-aiplatform==1.69.0",
    #     "google-cloud-aiplatform[langchain]",
    #     "google-cloud-aiplatform[reasoningengine]",
    #     "langchain==0.2.16",
    #     "langchain_core==0.2.39",
    #     "langchain_community==0.2.17",
    #     "langchain-google-vertexai==1.0.10",
    #     "cloudpickle==3.1.0",
    #     "pydantic==2.9.2",
    #     "langchain-google-community==1.0.8",
    #     "google-cloud-discoveryengine==0.12.3",
    #     "nest-asyncio",
    #     "asyncio==3.4.3",
    #     "asyncpg==0.29.0",
    #     "cloud-sql-python-connector[asyncpg]==1.12.1",        
    #     "langchain-google-cloud-sql-pg==0.11.0",
    #     "numpy",
    #     "pandas",
    #     "pgvector==0.3.5",
    #     "psycopg2-binary==2.9.9",
    #     "requests"
    # ],
    requirements="requirements.txt",
    display_name="course-agent",
    sys_version="3.11",
)

remote_agent

 

Using bucket courses-imrenagicom-agent


TypeError: cannot pickle 'weakref.ReferenceType' object

### Grant Discovery Engine Editor access to Reasoning Engine service account

Before you send queries to your remote agent, you'll need to grant the **Discovery Engine Editor** role to the Reasoning Engine service account.

After you've completed this step, you remote agent will be able to retrieve documents from the data store that you created in Vertex AI Search:

In [None]:
# Retrieve the project number associated with your project ID
from googleapiclient import discovery
service = discovery.build("cloudresourcemanager", "v1")
request = service.projects().get(projectId=project_id)
response = request.execute()
project_number = response["projectNumber"]
project_number

In [None]:
# Add a new role binding to the IAM policy
!gcloud projects add-iam-policy-binding {project_id} \
    --member=serviceAccount:service-{project_number}@gcp-sa-aiplatform-re.iam.gserviceaccount.com \
    --role=roles/discoveryengine.editor

!gcloud projects add-iam-policy-binding {project_id} \
    --member=serviceAccount:service-{project_number}@gcp-sa-aiplatform-re.iam.gserviceaccount.com \
    --role="roles/cloudsql.client"

!gcloud projects add-iam-policy-binding {project_id} \
    --member=serviceAccount:service-{project_number}@gcp-sa-aiplatform-re.iam.gserviceaccount.com \
    --role="roles/run.invoker"


In [None]:
### Test your remotely deployed agent

In [None]:
# # Testing the remote agent
# response = remote_agent.query(
#   input="Imre and imre@gmail.com",
#   config={"configurable": {"session_id": "test1235"}},
# )
# display(Markdown(response["output"]))

# Clean Up

Don't forget to clean up the resources after you are done with the agent.

In [None]:
reasoning_engines.ReasoningEngine.list()

[]

In [None]:
remote_agent = reasoning_engines.ReasoningEngine('projects/896489987664/locations/us-central1/reasoningEngines/6601028008515993600')

remote_agent.delete()

Deleting ReasoningEngine : projects/896489987664/locations/us-central1/reasoningEngines/6601028008515993600
ReasoningEngine deleted. . Resource name: projects/896489987664/locations/us-central1/reasoningEngines/6601028008515993600
Deleting ReasoningEngine resource: projects/896489987664/locations/us-central1/reasoningEngines/6601028008515993600
Delete ReasoningEngine backing LRO: projects/896489987664/locations/us-central1/operations/3607192708055040000
ReasoningEngine resource projects/896489987664/locations/us-central1/reasoningEngines/6601028008515993600 deleted.


In [None]:
print(remote_agent.query(input="movies about engineers"))

Here are some movies about engineers:

* **Space Cowboys (2000)**: A retired engineer agrees to help NASA prevent a Russian satellite from falling to Earth.
* **The Machinist (2004)**: A factory worker begins to question his sanity after a prolonged bout of insomnia.
* **Back to Q82 (2019)**: An inventor's daughter drives his time-traveling car back to 1982.
