Builds on galaxyproject#22615's integrated UserToolSource validation. The producer
agent runs with output_retries=0 so the reflection loop owns the retry
and can pass a structured error list back to the prompt rather than
pydantic-ai's generic 'try again' message.

Two opt-in loops on top of pydantic validation:

- Validator-driven retry (default on): if the producer's output fails
  validation, _produce_tool returns the formatted error list, and
  process() re-calls the producer once with those errors prefixed to
  the prompt. Cap of one retry; if it still fails, the agent returns
  a low-confidence validation_failed response.
- Quality critic + refine (default off): an LLM critic agent reviews
  the validated tool for clarity (description, labels, help text) and
  idiomaticity (defaults, exposed options, container choice) -- the
  fuzzy dimensions pydantic can't see. If the critic flags significant
  issues (should_refine=true), the producer is re-rolled once with
  the critique. Cap of one refine; if refinement breaks validation,
  the original tool is kept rather than ship something worse.

Both gates live under inference_services.custom_tool:
validator_retry_enabled (default true) and quality_critic_enabled
(default false). Defaulting the critic off keeps the cost neutral for
deployments that don't opt in -- the critic doubles tool-creation
latency / spend when enabled.

The 170-line process() method got factored into named helpers
(capability check, structured-output extraction, validation-failed
response, success response, model-error handlers) to keep the
reflection control flow readable.

Mirrors galaxyproject#22615's relaxed output discovery -- a UserToolSource with a
shell_command must claim its outputs via from_work_dir or
discover_datasets, but the prompt only mentioned the former. The
producer was occasionally generating tools that pattern-matched on
output names in the command, which the integrated validator now
correctly rejects.

Pre-commit's markdown formatter also normalized the YAML example
indentation in the same file.

Reviewer feedback on galaxyproject#22615: the container regex/prefix shape check is a
linter concern, not a tool source validation concern, and applies to any
ToolSource (not just YAML). Pull the shape check off
`UserToolSource._check_container_shape` and surface it as a new
`ContainerImageShape` linter under `galaxy.tool_util.linters.containers`,
discovered automatically by the existing lint framework
(`lint_tool_types = ["*"]`). The linter walks
`tool_source.parse_requirements()` and warns on identifiers that do not
match a recognized prefix or `<image>[:<tag>]` shape.

For Galaxy User Defined tools, enforcement is unconditional: the
unprivileged tools API and the `CustomToolAgent` both call a new
`lint_user_tool_source` helper after pydantic validation succeeds and
block creation if WARN+ messages are returned.

The not-empty/whitespace check on `container` stays on the pydantic
model — that is a basic field validity check rather than a "shape"
concern. Container-shape tests move from
`test_user_tool_source_validation.py` to a new
`test_container_shape_lint.py` covering both the linter and the helper.

Builds on galaxyproject#22615's integrated UserToolSource validation. The producer
agent runs with output_retries=0 so the reflection loop owns the retry
and can pass a structured error list back to the prompt rather than
pydantic-ai's generic 'try again' message.

Two opt-in loops on top of pydantic validation:

- Validator-driven retry (default on): if the producer's output fails
  validation, _produce_tool returns the formatted error list, and
  process() re-calls the producer once with those errors prefixed to
  the prompt. Cap of one retry; if it still fails, the agent returns
  a low-confidence validation_failed response.
- Quality critic + refine (default off): an LLM critic agent reviews
  the validated tool for clarity (description, labels, help text) and
  idiomaticity (defaults, exposed options, container choice) -- the
  fuzzy dimensions pydantic can't see. If the critic flags significant
  issues (should_refine=true), the producer is re-rolled once with
  the critique. Cap of one refine; if refinement breaks validation,
  the original tool is kept rather than ship something worse.

Both gates live under inference_services.custom_tool:
validator_retry_enabled (default true) and quality_critic_enabled
(default false). Defaulting the critic off keeps the cost neutral for
deployments that don't opt in -- the critic doubles tool-creation
latency / spend when enabled.

The 170-line process() method got factored into named helpers
(capability check, structured-output extraction, validation-failed
response, success response, model-error handlers) to keep the
reflection control flow readable.

Mirrors galaxyproject#22615's relaxed output discovery -- a UserToolSource with a
shell_command must claim its outputs via from_work_dir or
discover_datasets, but the prompt only mentioned the former. The
producer was occasionally generating tools that pattern-matched on
output names in the command, which the integrated validator now
correctly rejects.

Pre-commit's markdown formatter also normalized the YAML example
indentation in the same file.

Reviewer feedback on #22615: the container regex/prefix shape check is a
linter concern, not a tool source validation concern, and applies to any
ToolSource (not just YAML). Pull the shape check off
`UserToolSource._check_container_shape` and surface it as a new
`ContainerImageShape` linter under `galaxy.tool_util.linters.containers`,
discovered automatically by the existing lint framework
(`lint_tool_types = ["*"]`). The linter walks
`tool_source.parse_requirements()` and warns on identifiers that do not
match a recognized prefix or `<image>[:<tag>]` shape.

For Galaxy User Defined tools, enforcement is unconditional: the
unprivileged tools API and the `CustomToolAgent` both call a new
`lint_user_tool_source` helper after pydantic validation succeeds and
block creation if WARN+ messages are returned.

The not-empty/whitespace check on `container` stays on the pydantic
model — that is a basic field validity check rather than a "shape"
concern. Container-shape tests move from
`test_user_tool_source_validation.py` to a new
`test_container_shape_lint.py` covering both the linter and the helper.

Builds on #22615's integrated UserToolSource validation. The producer
agent runs with output_retries=0 so the reflection loop owns the retry
and can pass a structured error list back to the prompt rather than
pydantic-ai's generic 'try again' message.

Two opt-in loops on top of pydantic validation:

- Validator-driven retry (default on): if the producer's output fails
  validation, _produce_tool returns the formatted error list, and
  process() re-calls the producer once with those errors prefixed to
  the prompt. Cap of one retry; if it still fails, the agent returns
  a low-confidence validation_failed response.
- Quality critic + refine (default off): an LLM critic agent reviews
  the validated tool for clarity (description, labels, help text) and
  idiomaticity (defaults, exposed options, container choice) -- the
  fuzzy dimensions pydantic can't see. If the critic flags significant
  issues (should_refine=true), the producer is re-rolled once with
  the critique. Cap of one refine; if refinement breaks validation,
  the original tool is kept rather than ship something worse.

Both gates live under inference_services.custom_tool:
validator_retry_enabled (default true) and quality_critic_enabled
(default false). Defaulting the critic off keeps the cost neutral for
deployments that don't opt in -- the critic doubles tool-creation
latency / spend when enabled.

The 170-line process() method got factored into named helpers
(capability check, structured-output extraction, validation-failed
response, success response, model-error handlers) to keep the
reflection control flow readable.

Mirrors #22615's relaxed output discovery -- a UserToolSource with a
shell_command must claim its outputs via from_work_dir or
discover_datasets, but the prompt only mentioned the former. The
producer was occasionally generating tools that pattern-matched on
output names in the command, which the integrated validator now
correctly rejects.

Pre-commit's markdown formatter also normalized the YAML example
indentation in the same file.

Reviewer feedback on #22615: the container regex/prefix shape check is a
linter concern, not a tool source validation concern, and applies to any
ToolSource (not just YAML). Pull the shape check off
`UserToolSource._check_container_shape` and surface it as a new
`ContainerImageShape` linter under `galaxy.tool_util.linters.containers`,
discovered automatically by the existing lint framework
(`lint_tool_types = ["*"]`). The linter walks
`tool_source.parse_requirements()` and warns on identifiers that do not
match a recognized prefix or `<image>[:<tag>]` shape.

For Galaxy User Defined tools, enforcement is unconditional: the
unprivileged tools API and the `CustomToolAgent` both call a new
`lint_user_tool_source` helper after pydantic validation succeeds and
block creation if WARN+ messages are returned.

The not-empty/whitespace check on `container` stays on the pydantic
model — that is a basic field validity check rather than a "shape"
concern. Container-shape tests move from
`test_user_tool_source_validation.py` to a new
`test_container_shape_lint.py` covering both the linter and the helper.

Builds on #22615's integrated UserToolSource validation. The producer
agent runs with output_retries=0 so the reflection loop owns the retry
and can pass a structured error list back to the prompt rather than
pydantic-ai's generic 'try again' message.

Two opt-in loops on top of pydantic validation:

- Validator-driven retry (default on): if the producer's output fails
  validation, _produce_tool returns the formatted error list, and
  process() re-calls the producer once with those errors prefixed to
  the prompt. Cap of one retry; if it still fails, the agent returns
  a low-confidence validation_failed response.
- Quality critic + refine (default off): an LLM critic agent reviews
  the validated tool for clarity (description, labels, help text) and
  idiomaticity (defaults, exposed options, container choice) -- the
  fuzzy dimensions pydantic can't see. If the critic flags significant
  issues (should_refine=true), the producer is re-rolled once with
  the critique. Cap of one refine; if refinement breaks validation,
  the original tool is kept rather than ship something worse.

Both gates live under inference_services.custom_tool:
validator_retry_enabled (default true) and quality_critic_enabled
(default false). Defaulting the critic off keeps the cost neutral for
deployments that don't opt in -- the critic doubles tool-creation
latency / spend when enabled.

The 170-line process() method got factored into named helpers
(capability check, structured-output extraction, validation-failed
response, success response, model-error handlers) to keep the
reflection control flow readable.

Mirrors #22615's relaxed output discovery -- a UserToolSource with a
shell_command must claim its outputs via from_work_dir or
discover_datasets, but the prompt only mentioned the former. The
producer was occasionally generating tools that pattern-matched on
output names in the command, which the integrated validator now
correctly rejects.

Pre-commit's markdown formatter also normalized the YAML example
indentation in the same file.

Reviewer feedback on #22615: the container regex/prefix shape check is a
linter concern, not a tool source validation concern, and applies to any
ToolSource (not just YAML). Pull the shape check off
`UserToolSource._check_container_shape` and surface it as a new
`ContainerImageShape` linter under `galaxy.tool_util.linters.containers`,
discovered automatically by the existing lint framework
(`lint_tool_types = ["*"]`). The linter walks
`tool_source.parse_requirements()` and warns on identifiers that do not
match a recognized prefix or `<image>[:<tag>]` shape.

For Galaxy User Defined tools, enforcement is unconditional: the
unprivileged tools API and the `CustomToolAgent` both call a new
`lint_user_tool_source` helper after pydantic validation succeeds and
block creation if WARN+ messages are returned.

The not-empty/whitespace check on `container` stays on the pydantic
model — that is a basic field validity check rather than a "shape"
concern. Container-shape tests move from
`test_user_tool_source_validation.py` to a new
`test_container_shape_lint.py` covering both the linter and the helper.

Builds on #22615's integrated UserToolSource validation. The producer
agent runs with output_retries=0 so the reflection loop owns the retry
and can pass a structured error list back to the prompt rather than
pydantic-ai's generic 'try again' message.

Two opt-in loops on top of pydantic validation:

- Validator-driven retry (default on): if the producer's output fails
  validation, _produce_tool returns the formatted error list, and
  process() re-calls the producer once with those errors prefixed to
  the prompt. Cap of one retry; if it still fails, the agent returns
  a low-confidence validation_failed response.
- Quality critic + refine (default off): an LLM critic agent reviews
  the validated tool for clarity (description, labels, help text) and
  idiomaticity (defaults, exposed options, container choice) -- the
  fuzzy dimensions pydantic can't see. If the critic flags significant
  issues (should_refine=true), the producer is re-rolled once with
  the critique. Cap of one refine; if refinement breaks validation,
  the original tool is kept rather than ship something worse.

Both gates live under inference_services.custom_tool:
validator_retry_enabled (default true) and quality_critic_enabled
(default false). Defaulting the critic off keeps the cost neutral for
deployments that don't opt in -- the critic doubles tool-creation
latency / spend when enabled.

The 170-line process() method got factored into named helpers
(capability check, structured-output extraction, validation-failed
response, success response, model-error handlers) to keep the
reflection control flow readable.

Mirrors #22615's relaxed output discovery -- a UserToolSource with a
shell_command must claim its outputs via from_work_dir or
discover_datasets, but the prompt only mentioned the former. The
producer was occasionally generating tools that pattern-matched on
output names in the command, which the integrated validator now
correctly rejects.

Pre-commit's markdown formatter also normalized the YAML example
indentation in the same file.