Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1216 commits
Select commit Hold shift + click to select a range
8df8c14
fix: add CDK_DOMAIN_NAME and CDK_CORS_ORIGINS to all workflow jobs
colinmxs Apr 3, 2026
256468c
fix: seed system_admin JWT mapping on startup (additive, non-destruct…
colinmxs Apr 3, 2026
a4c7bd5
fix: make bootstrap script sole owner of RBAC role seeding
colinmxs Apr 3, 2026
d63671d
feat: show required Cognito redirect URI on auth provider form
colinmxs Apr 3, 2026
988d858
chore: bump version to 1.0.0-beta.21
colinmxs Apr 3, 2026
91e3313
fix: show validation summary on model form, uncomment Add Model and B…
colinmxs Apr 3, 2026
fa67a4e
fix: correct ExposedHeaders → ExposeHeaders in RAG CORS Lambda
colinmxs Apr 3, 2026
de5f506
chore: update dependencies across frontend and infrastructure
colinmxs Apr 3, 2026
3d0f964
chore: make frontend install script executable and add CDK dependencies
colinmxs Apr 4, 2026
a7e4cf3
ci: add CORS environment variables to nightly deploy pipeline
colinmxs Apr 4, 2026
8739299
chore(deps)(deps): bump the aws-cdk group (#126)
dependabot[bot] Apr 6, 2026
6fed093
ci: add CDK_CORS_ORIGINS to nightly deploy and guard SSM parameter cr…
colinmxs Apr 6, 2026
617118b
refactor(auth): migrate authentication to Cognito-managed flows
colinmxs Apr 6, 2026
c771186
test(auth): add providerSub field to user service mock
colinmxs Apr 6, 2026
5c7feee
chore(deps)(deps-dev): bump the infra-minor-patch group (#127)
dependabot[bot] Apr 6, 2026
70b73bb
chore(deps)(deps): bump the angular group (#128)
dependabot[bot] Apr 6, 2026
a1eca1d
chore(deps)(deps): bump the frontend-minor-patch group (#131)
dependabot[bot] Apr 6, 2026
22b03d2
docs: remove code review token storage documentation
colinmxs Apr 7, 2026
6454ce3
feat(auth): support JSON array format for custom:roles claim
colinmxs Apr 7, 2026
70db319
feat(auth): enrich user roles from stored profile during token enrich…
colinmxs Apr 7, 2026
9ea91e9
feat(auth): invalidate user profile cache on profile sync
colinmxs Apr 7, 2026
5f4ca67
feat(rbac): allow jwt_role_mappings updates on system_admin role
colinmxs Apr 7, 2026
844e650
test(rbac): update system_admin protection to strip fields
colinmxs Apr 7, 2026
eba1e9b
feat(rbac): increase role priority maximum value to 1000
colinmxs Apr 8, 2026
f8986ac
chore(deps)(deps-dev): bump @analogjs/vitest-angular (#133)
dependabot[bot] Apr 8, 2026
759f6aa
chore(deps)(deps-dev): bump @analogjs/vite-plugin-angular (#132)
dependabot[bot] Apr 8, 2026
3323d0a
chore(release): bump version to v1.0.0-beta.22
colinmxs Apr 8, 2026
9fb851c
chore(deps,ci): upgrade dependencies and fix workflow security issues
colinmxs Apr 8, 2026
7d8124c
merge: main into develop (resolve beta.19/beta.20 squash-merge diverg…
colinmxs Apr 8, 2026
67bb99c
chore: remove codeql-alerts.json file
colinmxs Apr 8, 2026
b66485c
test(session): update compaction config defaults and fix integration …
colinmxs Apr 8, 2026
67c24a3
test(session): enhance session manager fixture with initialize() mock…
colinmxs Apr 8, 2026
343989e
Release 1.0.0-beta.22: Cognito-native auth, CORS unification, RBAC co…
colinmxs Apr 9, 2026
7b73cdb
refactor: centralize env vars and magic strings into config/constants…
philmerrell Apr 11, 2026
bd8602a
refactor: extract BaseAgent ABC and ChatAgent from MainAgent (#140)
philmerrell Apr 11, 2026
ea14e09
feat: add agent type registry and create_agent() factory (#141)
philmerrell Apr 11, 2026
c4f1efa
feat: add progressive skill disclosure system with SkillAgent (#142)
philmerrell Apr 11, 2026
e150a55
feat: add VoiceAgent with BidiAgent for speech-to-speech interaction …
philmerrell Apr 11, 2026
6f71d3d
feat: add approval hooks for gating dangerous tool operations (#144)
philmerrell Apr 11, 2026
4b22beb
feat: add WebSocket voice route and bidi dependency for VoiceAgent (#…
philmerrell Apr 13, 2026
71d0cb5
feat: WebSocket voice streaming with AgentCore auth support (#155)
philmerrell Apr 13, 2026
9af7915
feat: WebSocket voice streaming with AgentCore auth and protocol conf…
philmerrell Apr 13, 2026
4816b51
fix: include bidi dependency in uv sync commands for Inference API Do…
philmerrell Apr 13, 2026
407c414
fix: improve AgentCore connection detection in voice stream handling …
philmerrell Apr 13, 2026
e7c5702
fix: align voice WebSocket with reference architecture accept-first p…
philmerrell Apr 13, 2026
b082f6a
docs: add Voice Mode to Key Features in README (#160)
philmerrell Apr 14, 2026
29b9623
Add E2E Testing #117 (#171)
ofilson Apr 21, 2026
36bfb37
update tests to verify dependencies
Apr 21, 2026
8019bb8
fix test error
Apr 21, 2026
c2ea1eb
commit new e2e package-lock
Apr 22, 2026
23df835
get right url for e2e tests
Apr 22, 2026
2549b1a
add resilience for delete-failed state
Apr 22, 2026
54da9e7
fix test
Apr 23, 2026
84dd276
make testing subdomain
Apr 23, 2026
b3436f3
remember dynamic cloudfront url and add to callback urls
Apr 23, 2026
d04f808
feat: external MCP connectors via AgentCore Identity (#174)
philmerrell Apr 27, 2026
0968d38
refactor: drop tool catalog sync, make form the only entry point (#176)
philmerrell Apr 27, 2026
aec2ff1
fix: source ToolAccessService catalog from DynamoDB (#177)
philmerrell Apr 27, 2026
90f29b5
update seed bootstrap data and documentation (#178)
philmerrell Apr 27, 2026
2508ce1
fix: grant CreateTokenVault and wire OAuth providers table to app-api…
philmerrell Apr 27, 2026
386fa6e
create cognito accounts in nightly
Apr 27, 2026
07bd4b4
Merge branch 'develop' of https://github.com/Boise-State-Development/…
Apr 27, 2026
f8bf68b
get rid of email username param
Apr 27, 2026
980bbe5
update comments
Apr 27, 2026
ae37cad
refactor: move connector consent flows from inference-api to app-api …
philmerrell Apr 27, 2026
019dd0f
refactor: flip connector frontend call sites to app-api (#181)
philmerrell Apr 27, 2026
ccb6ba6
fix: grant app-api task role permission to delete AgentCore OAuth sec…
philmerrell Apr 27, 2026
c986bdf
fix: look up runtime workload identity via SDK custom resource (#185)
philmerrell Apr 27, 2026
f0123e9
fix: grant app-api task role full AgentCore OAuth secret lifecycle pe…
philmerrell Apr 27, 2026
f708157
Add cloudfront to API CORS
Apr 27, 2026
0d21c60
fix: share an explicit workload identity between inference-api and ap…
philmerrell Apr 27, 2026
056671b
fix: send bare /oauth-complete in connector OAuth2CallbackUrl header …
philmerrell Apr 27, 2026
06d9f73
fix: grant GetSecretValue on AgentCore OAuth provider secrets (#189)
philmerrell Apr 27, 2026
7ae3723
fix: inject OAuth2CallbackUrl env fallback for runtime-stripped heade…
philmerrell Apr 27, 2026
ced624b
chore(deps)(deps): bump the actions-minor-patch group across 1 direct…
dependabot[bot] Apr 28, 2026
41c3788
chore(deps)(deps): bump the python-minor-patch group across 1 directo…
dependabot[bot] Apr 28, 2026
a222dba
feat: route chat turns through agent_type factory (#191)
philmerrell Apr 29, 2026
9bbe193
feat: per-tool MCP approval gate driven by tool catalog (#192)
philmerrell Apr 29, 2026
80d5333
fix e2e test error
Apr 29, 2026
6894152
feat: open ngx-markdown links in new tab (#193)
philmerrell Apr 29, 2026
de72315
fix: gate session metadata creation on GSI lookup (#194)
philmerrell Apr 29, 2026
b5f2f56
feat: Add copy agent response button (#195)
philmerrell Apr 29, 2026
870025f
add seed script to e2e workflow
Apr 29, 2026
1271611
Merge branch 'develop' of https://github.com/Boise-State-Development/…
Apr 29, 2026
bc1ac5f
add CDK_AWS_ACCOUNT as e2e variable.
Apr 29, 2026
558f4d3
feat: Release v1.0.0-beta.23 with voice streaming and multi-agent arc…
colinmxs Apr 29, 2026
7281cd1
Merge branch 'main' into develop (resolve conflicts for beta.23 release)
colinmxs Apr 29, 2026
fceb507
chore: regenerate package-lock.json files for v1.0.0-beta.23
colinmxs Apr 29, 2026
3f9f5f5
chore(deps)(deps): bump the frontend-minor-patch group across 1 direc…
dependabot[bot] Apr 29, 2026
0b26011
chore(deps)(deps-dev): bump @analogjs/vitest-angular (#154)
dependabot[bot] Apr 29, 2026
f4789d2
chore(deps)(deps): bump the aws-cdk group across 1 directory with 2 u…
dependabot[bot] Apr 29, 2026
6c4325b
chore(deps)(deps-dev): bump @analogjs/vite-plugin-angular (#153)
dependabot[bot] Apr 29, 2026
5764775
Merge main into develop, resolve conflicts keeping develop's package …
colinmxs Apr 30, 2026
2f7a2e1
fix: resolve Dependabot security alerts across frontend and backend (…
colinmxs Apr 30, 2026
8d4d3cd
fix: move shared modules out of app_api to complete service decouplin…
colinmxs Apr 30, 2026
4ac4984
add default role to seed
Apr 30, 2026
2d5ff88
Merge branch 'develop' of https://github.com/Boise-State-Development/…
Apr 30, 2026
49795f1
adjust tests for nightly success.
Apr 30, 2026
fc06c69
chore(deps)(deps): bump the angular group across 1 directory with 10 …
dependabot[bot] May 1, 2026
4d2505d
chore(deps)(deps-dev): bump @types/node (#147)
dependabot[bot] May 1, 2026
9223a67
feat(documents): add XLSX-specific chunker for improved tabular data …
DerrickF May 1, 2026
5afa9a5
feat(embeddings): implement batch processing for S3 Vector storage
DerrickF May 1, 2026
b954c22
ci(rag-ingestion): add shared embeddings to workflow path filters
DerrickF May 1, 2026
d1bd3bd
feat(documents): improve XLSX header detection to skip title/banner rows
DerrickF May 1, 2026
04e6e7e
fix(chat): align resume cache key with original turn so paused agent …
philmerrell May 2, 2026
1df0d19
fix(costs): coerce cost_delta to a finite Decimal in summary writers …
philmerrell May 2, 2026
c70b4af
feat: per-model inference parameters with extended thinking (#203)
philmerrell May 2, 2026
59edc58
fix(oauth): let Google refresh path run instead of forcing hourly rec…
philmerrell May 2, 2026
7af2be8
feat(infra): provision BFF token-handler resources (Phase 1) (#212)
philmerrell May 2, 2026
4aec51e
feat(auth): add dormant BFF token-handler backend infra (Phase 2) (#213)
philmerrell May 2, 2026
9c1e024
test(oauth): scrub AGENTCORE_RUNTIME_WORKLOAD_NAME in agentcore-ident…
philmerrell May 2, 2026
73be72c
feat(auth): add BFF Token Handler auth routes (Phase 3) (#215)
philmerrell May 2, 2026
3d92ed3
fix(chat): own httpx client lifecycle so api-converse SSE streams flu…
philmerrell May 2, 2026
cc4ee5c
feat(chat): add BFF chat SSE proxy (Phase 4) (#216)
philmerrell May 2, 2026
93e5d52
feat(auth): add dormant BFF SessionService (Phase 5) (#218)
philmerrell May 2, 2026
6bee091
feat(auth): BFF Token Handler cutover (Phase 6 a/b/c) (#219)
philmerrell May 2, 2026
c185e7b
feat(auth): BFF Token Handler hard cutover (Phase 7) (#221)
philmerrell May 3, 2026
50192b6
fix(infra): unblock dev deploy (cognito URL parsing + CloudFront read…
philmerrell May 3, 2026
bd033c9
fix(ci): always build frontend with Angular production config (#224)
philmerrell May 3, 2026
520c094
fix(test): absorb stray resource() loader request in cost.service.spe…
philmerrell May 3, 2026
b929dcd
fix(auth): bounce logout through Cognito Hosted UI to clear upstream …
philmerrell May 3, 2026
6c65a6d
fix(auth): harden BFF session bootstrap and login flow (#226)
philmerrell May 3, 2026
3f30b18
fix(auth): land anonymous users on SPA /auth/login instead of Cognito…
philmerrell May 3, 2026
9de2ee9
fix(ci): pass CDK_CERTIFICATE_ARN to frontend synth/deploy jobs (#229)
philmerrell May 3, 2026
2269aac
fix(infra): scope SPA fallback to S3 so /api/* 4xx responses pass thr…
philmerrell May 3, 2026
a9dfcad
fix(chat): URL-encode runtime ARN + add qualifier on BFF proxy (#231)
philmerrell May 3, 2026
7c0b2b0
fix(auth): slide BFF session lifetime + harden refresh-token rotation…
philmerrell May 4, 2026
0d799c2
feat(voice): BFF WebSocket-ticket proxy for voice mode (#211) (#233)
philmerrell May 4, 2026
75dc2e1
feat(chat): add per-conversation cost + context-window badge (#223)
philmerrell May 4, 2026
d7fb160
feat(compaction): surface compaction events with refresh-survival (#243)
philmerrell May 4, 2026
6e9c71e
update e2e tests for weekend commits.
May 4, 2026
104d80f
Merge branch 'develop' of https://github.com/Boise-State-Development/…
May 4, 2026
18bd8ca
fix(oauth): always send prompt=consent on Google initiate-consent (#245)
philmerrell May 4, 2026
43e7894
feat(login): frosted-glass card with primary-color blob backdrop (#246)
philmerrell May 5, 2026
5fcf45a
nightly fixes
May 5, 2026
b48c567
Merge branch 'develop' of https://github.com/Boise-State-Development/…
May 5, 2026
33f4b01
account for admin first boot in e2e
May 5, 2026
8d9dfd4
fixing nightly e2e tests
May 5, 2026
574dafc
add some logging to find issue
May 5, 2026
0515ace
chore: update release notes strategy (#248)
colinmxs May 6, 2026
9f22bed
fix: resolve open CodeQL and Dependabot alerts (#247)
colinmxs May 6, 2026
6ac5f37
chore(deps)(deps-dev): bump types-aiofiles in /backend (#242)
dependabot[bot] May 6, 2026
df0675d
Release 1.0.0-beta.24: BFF Token Handler, voice WS-ticket proxy, per-…
colinmxs May 6, 2026
62e6737
feat(auth): lava-lamp parallax backdrop on login + first-boot (#255)
philmerrell May 7, 2026
82fe37c
feat(attachments): rich previews for file attachments in user message…
philmerrell May 7, 2026
f88ce7e
feat(agents): spreadsheet analysis tools for Code Interpreter integra…
DerrickF May 7, 2026
95b5e52
feat(inference-api): add S3 read access for spreadsheet analysis tool
DerrickF May 7, 2026
21903d6
feat(inference-api): expand Code Interpreter IAM permissions and docu…
DerrickF May 7, 2026
65b7dee
feat(session): fix assistant persistence across message turns and ses…
DerrickF May 8, 2026
3291bd7
feat(session): fix assistant persistence by storing in preferences an…
DerrickF May 8, 2026
d89acb4
feat(agents): add guidance for handling disabled tools in system prompt
DerrickF May 8, 2026
1756a22
feat(attachments): render markdown previews and modal viewer for .md …
philmerrell May 8, 2026
e2687b6
feat(attachments): server-rendered PDF page-1 thumbnails (#263)
philmerrell May 8, 2026
0ab90bb
feat(spreadsheet-analysis): improve file handling and error guidance …
DerrickF May 8, 2026
55bae89
Merge branch 'develop' of https://github.com/Boise-State-Development/…
DerrickF May 8, 2026
bd6a4bc
Merge remote-tracking branch 'origin/main' into develop
colinmxs May 8, 2026
dbeb6cb
Fix/bff middleware event loop blocking (#264)
colinmxs May 9, 2026
fa82000
chore(deps): upgrade strands-agents to 1.39.0 (#265)
philmerrell May 9, 2026
7b238db
fix(token-accounting): correct per-message cost and context-window se…
philmerrell May 9, 2026
38a63d8
fix(auth): make lava-lamp backdrop dark-mode aware on login & first-b…
philmerrell May 9, 2026
14352ba
feat(auth): add SKIP_AUTH=true local-dev bypass with allowlist guard …
philmerrell May 9, 2026
3229872
fix(bff): cross-task cookie-codec & refresh-lock correctness (#273)
philmerrell May 9, 2026
00fc1c0
fix(bff): replace KMS-wrap data-key bootstrap with Secrets-Manager-ge…
philmerrell May 10, 2026
74141e9
fix(bff): tighten cross-task refresh-lock release + absolute-lifetime…
philmerrell May 10, 2026
1015bb8
feat(auth): centralize 401 redirect + proactive session detection (#277)
philmerrell May 10, 2026
d900f9f
chore(kaizen): scaffold kaizen-research + kaizen-review-prep skills +…
philmerrell May 10, 2026
4521dfc
chore(kaizen): add FastMCP source + security posture lens + library-n…
philmerrell May 10, 2026
bb83d4b
chore(kaizen): scope refinement — remove security lens, add Agentic U…
philmerrell May 11, 2026
0887add
chore(kaizen): add capability-unlock lens + AgentCore BYO filesystem …
philmerrell May 11, 2026
74bfe2f
Release/v1.0.0 beta.25 (#282) (#286)
colinmxs May 12, 2026
ff9a1f2
feat(spreadsheet-analysis): add multi-sheet XLSX support with defensi…
DerrickF May 12, 2026
5f849e1
Merge branch 'develop' of https://github.com/Boise-State-Development/…
DerrickF May 12, 2026
155069c
docs(env): update BFF cookie encryption architecture documentation
DerrickF May 12, 2026
7b86eed
test(spreadsheet-analysis): add comprehensive unit test suite
DerrickF May 12, 2026
745bd84
Fix e2e testing in nightly (#290)
ofilson May 12, 2026
70e8705
feat(spreadsheet-analysis): convert sync file operations to async
DerrickF May 13, 2026
f81f361
Merge branch 'develop' of https://github.com/Boise-State-Development/…
DerrickF May 13, 2026
b246576
feat(chat): apply user default model preference at chat time
DerrickF May 13, 2026
5eedd92
chore: restrict contributions and disable Dependabot version-update P…
colinmxs May 13, 2026
55047c5
chore(kaizen): add initial scoping document for MCP Apps Host Rendere…
philmerrell May 14, 2026
f6cae8d
docs(env): document BFF_COOKIE_DATA_KEY_SECRET_ARN in .env.example (#…
philmerrell May 14, 2026
1bc8002
chore(auth): remove dead Bearer-only auth from app_api post-BFF migra…
philmerrell May 14, 2026
48809c4
feat(admin): admin-managed user-menu links (#298)
philmerrell May 14, 2026
2b0698f
feat(frontend): copy-to-clipboard button on chat code blocks (#299)
philmerrell May 14, 2026
57a7a5a
feat(admin): persistent shell layout with grouped sidebar nav (#300)
philmerrell May 15, 2026
d1c09cf
feat(sidebar): denser session list with skeleton and entry animation …
philmerrell May 15, 2026
11a0e2b
fix(admin): distinguish links in user-menu-link modal and preview (#303)
philmerrell May 15, 2026
dcd8469
chore(kaizen): weekly research scan 2026-05-15 (#302)
philmerrell May 15, 2026
166b69e
chore(kaizen): weekly review prep 2026-05-15 (#304)
philmerrell May 15, 2026
cd16e3f
feat(admin): widen shell and fix sidebar label wrapping (#305)
philmerrell May 15, 2026
943babc
feat(infra): scaffold artifacts stack foundation (#306)
philmerrell May 15, 2026
68e233b
fix(workflows): pass artifact env vars through every consumer workflo…
philmerrell May 15, 2026
eb7c113
docs(artifacts): correct cert-reuse guidance for subdomain primaries …
philmerrell May 15, 2026
2308fae
feat(artifacts): implement render Lambda token verification and conte…
philmerrell May 15, 2026
913668b
feat(artifacts): add app-api render-token minter endpoint (#310)
philmerrell May 15, 2026
d19a8f1
feat(artifacts): add create_artifact / update_artifact agent tools (#…
philmerrell May 16, 2026
3c792c7
feat(artifacts): add SPA artifact panel + artifact SSE event (#312)
philmerrell May 16, 2026
8affdc6
feat(artifacts): configurable extra CSP frame-ancestors (#314)
philmerrell May 16, 2026
a0b7f1c
fix(admin): gate admin user-menu-links resource to stop duplicate loa…
philmerrell May 16, 2026
7cca7b1
feat(artifacts): stream live tool output into the tool rail (#316)
philmerrell May 16, 2026
94bd51f
feat(artifacts): anchor artifact cards inline to their producing mess…
philmerrell May 16, 2026
2244e95
feat(artifacts): support Markdown content type in artifact tool (#318)
philmerrell May 16, 2026
9c9cbd1
feat(artifacts): dock artifact panel beside chat, resizable, redesign…
philmerrell May 16, 2026
75f9f8a
feat(artifacts): full-width inline card + download button on card and…
philmerrell May 17, 2026
372a88b
feat(artifacts): add preview/code toggle with syntax-highlighted sour…
philmerrell May 17, 2026
1d0fae6
fix(artifacts): scope artifact card z-index with isolation:isolate (#…
philmerrell May 17, 2026
6815830
feat(artifacts): per-version history cards + panel version picker (#324)
philmerrell May 17, 2026
4828b63
feat(artifacts): auto-open panel on create, skeleton loader, latest-v…
philmerrell May 17, 2026
e0598a7
fix(artifacts): allow jsdelivr/unpkg CDNs so Chart.js artifacts rende…
philmerrell May 17, 2026
2cf5935
fix(docker): bump pinned curl to 8.14.1-2+deb13u3 (unblock dev deploy…
philmerrell May 17, 2026
f15130a
feat(chat): recoverable max_tokens truncation with Continue affordanc…
philmerrell May 17, 2026
a204242
fix(inference): coerce integer inference params to int and harden thi…
philmerrell May 17, 2026
de92dad
Harden max_tokens inference params: int coercion + model-ceiling cap …
philmerrell May 17, 2026
3567b18
feat(inference): admin-configurable effort + model-aware adaptive thi…
philmerrell May 18, 2026
a13b00e
feat(admin): redesign model views as compact expandable rows (#332)
philmerrell May 18, 2026
e67ccce
feat(chat): autofocus message input on session load and switch (#333)
philmerrell May 18, 2026
ccffa22
feat(seed): register artifact tools as default public tools (#334)
philmerrell May 18, 2026
3ff70c3
feat(admin): redesign tools catalog and form to match model views (#335)
philmerrell May 18, 2026
e1362c7
fix(frontend): bake real version into deploy builds (#336)
philmerrell May 18, 2026
fbd8635
chore(deps): bump bedrock-agentcore 1.6.4 -> 1.9.1 (+ coupled boto3 1…
philmerrell May 18, 2026
bc16420
kaizen bundle: /ping reap fix + A2A guard + research URL cleanup (#338)
philmerrell May 18, 2026
a24754d
refactor(chat): lift tool-result rendering into a signal-backed rende…
philmerrell May 18, 2026
26b5e69
chore(deps): bump strands-agents 1.39.0 -> 1.40.0 (#340)
philmerrell May 18, 2026
3049816
chore(kaizen): resolve queue items + log decisions (2026-05-15 review…
philmerrell May 18, 2026
ebb542c
feat(infra): add MCP Apps sandbox-proxy origin (CDK) (#343)
philmerrell May 19, 2026
2cd5e11
feat(agents): advertise MCP Apps UI extension on initialize + filter …
philmerrell May 19, 2026
f9ef90a
feat(agents): emit ui_resource SSE via resources/read fetch path (MCP…
philmerrell May 19, 2026
0a4ecd0
feat(agents): add sandboxOrigin to ui_resource + fix permissions shap…
philmerrell May 19, 2026
1877baa
feat(chat): MCP Apps PR #4 — <mcp-app-frame> + postMessage bridge (#346)
philmerrell May 19, 2026
9273c64
feat(mcp-apps): PR #5 — app-initiated tools/call proxying + event bro…
philmerrell May 19, 2026
4b1f334
feat(mcp-apps): PR #6 — ui/message, ui/update-model-context, frontend…
philmerrell May 19, 2026
7749f15
test(infra): enumerate DynamoDB tables instead of hard-coded count (#…
philmerrell May 19, 2026
649a4ea
feat(mcp-apps): PR #7 — dogfood + flip AGENTCORE_MCP_APPS_HOST_ENABLE…
philmerrell May 19, 2026
0feab9d
fix(mcp-apps): unblock App rendering — blob iframe, first-class block…
philmerrell May 19, 2026
ff072ed
fix(mcp-apps): align outer CSP + inner mount to ext-apps basic-host r…
philmerrell May 19, 2026
74cdcfc
feat(mcp-apps): dynamic per-resource CSP for the sandbox proxy (#355)
philmerrell May 19, 2026
b8cd64a
fix(mcp-apps): shorten CFN Comment to fit the 128-char AWS cap (#356)
philmerrell May 19, 2026
fa6c93a
fix(mcp-apps): shorten RHP Comment to fit the same 128-char AWS cap (…
philmerrell May 19, 2026
99524b7
fix(mcp-apps): decode URL-encoded ?csp= in sandbox CFN, add x-csp-deb…
philmerrell May 20, 2026
47ff1d3
chore(mcp-apps): remove x-csp-debug diagnostic from sandbox CFN (#359)
philmerrell May 20, 2026
51466c1
fix(mcp-apps): give inner App iframe allow-same-origin to match basic…
philmerrell May 20, 2026
bf4c216
Add backup tool and document architecture rules for Copilot CLI (#361)
colinmxs May 20, 2026
8f253b1
release: v1.0.0-beta.26 (#362)
colinmxs May 20, 2026
b1f701e
docs: release notes and changelog for v1.0.0-beta.27
colinmxs May 20, 2026
7b4729c
Merge remote-tracking branch 'origin/main' into release/v1.0.0-beta.27
colinmxs May 20, 2026
4d273a4
docs: rewrite release notes and changelog for v1.0.0-beta.27
colinmxs May 20, 2026
1d21476
fix: SHA-pin actions/checkout and astral-sh/setup-uv in backup-data.y…
Copilot May 20, 2026
d779544
ci(backup-data): update runner to ubuntu-24.04
colinmxs May 20, 2026
2a6c25d
Merge branch 'release/v1.0.0-beta.27' of https://github.com/Boise-Sta…
colinmxs May 20, 2026
8f780cb
ci(backup-data): fix indentation in workflow file
colinmxs May 20, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 5 additions & 7 deletions .claude/skills/kaizen-research/SKILL.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,7 @@ Friday early morning (~6am MT). `kaizen-review-prep` runs ~2 hours later (~8am M
### External (web — last 7 days unless noted)

1. **AWS Bedrock + AgentCore "What's New"**
- https://aws.amazon.com/about-aws/whats-new/recent/feed/
- https://aws.amazon.com/bedrock/whats-new/
- https://aws.amazon.com/about-aws/whats-new/recent/feed/ (canonical AWS What's New RSS — filter entries for Bedrock/AgentCore)
- https://aws.amazon.com/blogs/machine-learning/ (filter: bedrock, agentcore)
- Filter to: Bedrock, AgentCore, Bedrock Agents, Knowledge Bases, Guardrails, model availability/region/quota changes.

Expand Down Expand Up @@ -71,25 +70,24 @@ Friday early morning (~6am MT). `kaizen-review-prep` runs ~2 hours later (~8am M

6. **Agent harness patterns**
- https://www.anthropic.com/engineering (Claude Code, agent design posts)
- https://docs.claude.com/en/docs/claude-code/release-notes
- https://github.com/anthropics/claude-code/blob/main/CHANGELOG.md
- LangChain / LlamaIndex / Pydantic-AI release notes — for ideas, not adoption.

7. **AWS Bedrock pricing + quota**
- https://aws.amazon.com/bedrock/pricing/
- Note any model price/quota changes that could shift architecture choices in this repo (e.g., model selection in `inference_api`).

8. **AgentCore SDK / starter-toolkit issues**
- https://github.com/aws/amazon-bedrock-agentcore-sdk-python/issues
- https://github.com/aws/amazon-bedrock-agentcore-starter-toolkit/issues
- https://github.com/aws/bedrock-agentcore-sdk-python/issues
- https://github.com/aws/bedrock-agentcore-starter-toolkit/issues
- Early-signal bugs/limits other users hit before we do.

9. **Community signal (filtered)**
- HN search: `site:news.ycombinator.com bedrock OR agentcore OR strands OR "claude code"` (last 7 days)
- r/LocalLLaMA, r/MachineLearning — agent-harness critiques and patterns surface here before vendor blogs.

10. **Anthropic cookbook + courses**
10. **Anthropic cookbook**
- https://github.com/anthropics/anthropic-cookbook
- https://github.com/anthropics/courses
- Worked examples often outpace docs — especially for caching, tool use, and agent loops.

11. **Seasonal sources** (only when in window)
Expand Down
4 changes: 4 additions & 0 deletions .github/ACTIONS-REFERENCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,10 @@ GitHub provides two mechanisms for storing configuration values:
| CDK_APP_API_ENABLED | Variable | No | `true` | App API | Enable/disable App API stack deployment |
| CDK_APP_API_MAX_CAPACITY | Variable | No | `10` | Infrastructure, App API | Maximum App API tasks for auto-scaling |
| CDK_APP_API_MEMORY | Variable | No | `1024` | Infrastructure, App API | Memory (MB) for App API ECS task (512, 1024, 2048, 4096, 8192) |
| CDK_ARTIFACTS_CERTIFICATE_ARN | Variable | No | None | Artifacts | ACM certificate ARN that covers `artifacts.{CDK_DOMAIN_NAME}`. **Must be in `us-east-1`** regardless of deployment region. Required when `CDK_ARTIFACTS_ENABLED=true`. Reuse `CDK_FRONTEND_CERTIFICATE_ARN` **only when `CDK_DOMAIN_NAME` is the apex** — TLS wildcards are one label deep, so `*.example.com` covers `artifacts.example.com` but not `artifacts.alpha.example.com`. When `CDK_DOMAIN_NAME` is a subdomain, issue a dedicated `us-east-1` cert for `*.{CDK_DOMAIN_NAME}`. |
| CDK_ARTIFACTS_ENABLED | Variable | No | `false` | Artifacts, Infrastructure, App API, Inference API, Frontend | Enable iframe-isolated artifact rendering. Toggling on provisions a DDB metadata table, S3 content bucket, CloudFront + Lambda render service, and the supporting IAM grants / env vars on the consumer stacks. |
| CDK_ARTIFACTS_EXTRA_FRAME_ANCESTORS | Variable | No | None | Artifacts | Comma-separated extra origins (beyond `https://{CDK_DOMAIN_NAME}`) permitted to embed artifact iframes via CSP `frame-ancestors` — e.g. `http://localhost:4200` for a local SPA pointed at this deployment. Applied to both the CloudFront response-headers policy and the render Lambda's CSP. **Leave unset in production**: every listed origin can frame users' artifacts (still render-token gated, but a real loosening on a shared environment). |
| CDK_ARTIFACTS_RETENTION_DAYS | Variable | No | `90` | Artifacts | Days after which soft-deleted artifacts (objects tagged `lifecycle-class=deleted`) are reaped by the S3 lifecycle rule. |
| CDK_ASSISTANTS_CORS_ORIGINS | Variable | No | None | Infrastructure | Additional CORS origins for the assistants module only (appended to global CORS origins) |
| CDK_AWS_ACCOUNT | Variable | Yes | None | All | 12-digit AWS account ID for CDK deployment |
| CDK_CERTIFICATE_ARN | Variable | No | None | Infrastructure | ACM certificate ARN for HTTPS on ALB |
Expand Down
1 change: 1 addition & 0 deletions .github/README-ACTIONS.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ Deploy a production-ready multi-agent AI platform to your AWS account in about 4
|-----------|-------------|
| **VPC + ALB + ECS** | Networking, load balancer, and container orchestration |
| **Fine-Tuning** *(optional)* | SageMaker training/inference infrastructure, S3 artifact storage, DynamoDB job tracking |
| **Artifacts** *(optional)* | Iframe-isolated artifact rendering (DDB metadata, S3 content, CloudFront at `artifacts.{domain}`, Lambda render service) |
| **RAG Ingestion** | Document ingestion pipeline for retrieval-augmented generation |
| **Inference API** | Strands Agent runtime powered by AWS Bedrock AgentCore |
| **App API** | Backend REST API for chat, sessions, admin, and auth |
Expand Down
84 changes: 84 additions & 0 deletions .github/copilot-instructions.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
# Copilot Instructions — AgentCore Public Stack

Production multi-agent conversational AI platform built on AWS Bedrock AgentCore + Strands Agents. Monorepo with four top-level packages: `backend/` (Python 3.13, FastAPI), `frontend/ai.client/` (Angular 21 + Analog.js), `infrastructure/` (AWS CDK, TypeScript), and `scripts/`.

Authoritative deeper docs: `CLAUDE.MD` (architecture), `CONTRIBUTING.md` (setup), `.kiro/steering/` and `.claude/skills/` (topic-specific patterns — CDK, Tailwind, Angular signals, CORS, release notes, versioning).

## Build, Test, Lint

### Backend (`cd backend`)
```bash
uv sync --extra agentcore --extra dev
uv run python -m pytest tests/ -v
uv run python -m pytest tests/path/to/test_file.py::test_name -v # single test
uv run black src/ && uv run ruff check src/ && uv run mypy src/
# Run services locally:
cd src/apis/app_api && uv run python main.py # port 8000
cd src/apis/inference_api && uv run python main.py # port 8001
```

### Frontend (`cd frontend/ai.client`)
```bash
npm ci
npm run start # dev server on 4200
npm test # Vitest via Analog.js
npx vitest run path/to/file.spec.ts # single test file
npx eslint src/ && npx prettier --check src/
```

### Infrastructure (`cd infrastructure`)
```bash
npm ci && npm run build
npx cdk synth # validates stacks
npx cdk deploy --all
npm test -- test/stack-dependencies.test.ts # verifies new stacks are registered
```

## Architecture — the big picture

- **Three independent backend consumers** of `apis.shared`: `app_api`, `inference_api`, and `agents/`. They must **never import from each other** — only from `apis.shared`. Enforced by `backend/tests/architecture/test_import_boundaries.py`.
- **Inference API runs inside an AgentCore Runtime container.** The runtime data plane only proxies `POST /invocations` and `GET /ping` — any other route returns 404 in cloud (works locally because `localhost:8001` bypasses the gateway). User-facing CRUD endpoints **belong in app-api**, not inference-api. To get workload context on app-api, use the `AGENTCORE_RUNTIME_WORKLOAD_NAME` mint fallback in `apis/shared/oauth/agentcore_identity.py`.
- **Deploy order** (cross-stack SSM references): Infrastructure → (Gateway, RAG Ingestion, SageMaker Fine-Tuning, Artifacts, MCP Sandbox in parallel) → Inference API → App API → Frontend. App API reads `runtime-workload-identity-name` from SSM, published by Inference API.
- **Errors stream as assistant messages over SSE**, not HTTP error codes. See SSE event table in `CLAUDE.MD` (`message_start`, `content_block_*`, `tool_use`/`tool_result`, `ui_resource`, `stream_error`, `oauth_required`, `compaction`, `done`).
- **Multi-protocol tools:** direct/AWS-SDK tools live in `agents/main_agent/tools/`; remote tools come via MCP+SigV4 (Gateway Lambda) or A2A (Runtime). A2A is currently **client-only**; if exposing an A2A server, `capabilities` must include `streaming=True` or clients hang.
- **Frontend is signal-based** throughout (`signal()`, `computed()`). API shapes are defined by backend routes; matching TS interfaces must be updated in the same PR as breaking backend changes.

## Conventions specific to this repo

- **Auth on `apis/app_api/` routes** uses `Depends(get_current_user_from_session)` (cookie-based) or `Depends(require_admin)`. The SPA sends an httpOnly session cookie, **not** `Authorization: Bearer`. Bearer-only deps on user-facing routes cause a 401 → redirect loop. Exceptions: `auth/api_keys/` (X-API-Key) and `voice/` (voice-ticket cookie) — do not template off these.
- **Admin endpoints** go under `/admin/<domain>/`, user-facing under `/<domain>/`.
- **Exact dependency pins only** — no `^`, `~`, or `>=` anywhere (Python, npm, CDK).
- **Never install new packages without explicit user approval.**
- **Branch from `develop`**, never `main`. PRs target `develop`; `main` advances only via squash-merge releases. Branch naming: `feature/<short-description>`. Sign commits with `git commit -s` (DCO).
- **Conventional commits** (`feat:`, `fix:`, `chore:`, ...), one logical change per commit.
- **No `print()` in backend** — use `logging`. Python: `snake_case` / `PascalCase`, type hints required. TS: strict mode, no `any` unless unavoidable.

## File placement

| Change | Location |
|---|---|
| New API route | `backend/src/apis/app_api/<domain>/` |
| Admin endpoint | `backend/src/apis/app_api/admin/<domain>/` |
| New agent tool | `backend/src/agents/main_agent/tools/` + register in `__init__.py` |
| Shared backend code | `backend/src/apis/shared/<domain>/` |
| Lambda for an infra stack | `backend/src/lambdas/<lambda-name>/` (not part of `apis/` boundary) |
| Angular page | `frontend/ai.client/src/app/<feature>/` |
| New CDK stack | `infrastructure/lib/<stack-name>-stack.ts` — also register in `test/stack-dependencies.test.ts` with a tier, add `scripts/stack-<name>/`, add a workflow under `.github/workflows/`, update `.github/docs/deploy/step-04-deploy.md` |

## Debugging cheatsheet

- **Tool not appearing:** check `__init__.py` export, RBAC permissions, `enabled_tools`, ToolRegistry.
- **Session not persisting:** check AgentCore Memory config, `session_id`, `TurnBasedSessionManager` flush.
- **SSE stream disconnecting:** check the 600s timeout, client connection, quota-exceeded events.
- **Local inference-api route works, cloud returns 404:** the route isn't `/invocations` or `/ping` — move it to app-api (see Architecture).

## Topic deep-dives

Before non-trivial work in these areas, consult the matching skill/steering doc:

- CDK stacks/constructs → `.claude/skills/cdk-infrastructure/` and `.kiro/steering/cdk-*.md`
- Angular components/signals → `.claude/skills/angualar-best-practices/` and `.kiro/steering/angular-*.md`
- Tailwind v4 / a11y → `.claude/skills/tailwind-ui/` and `.kiro/steering/tailwind-*.md`
- CORS across stacks → `.claude/skills/cors-deployment/SKILL.md`
- Release notes / CHANGELOG → `.claude/skills/release-notes/SKILL.md`
- Version bumps → `.claude/skills/versioning/SKILL.md`
7 changes: 7 additions & 0 deletions .github/docs/deploy/step-02-aws-setup.md
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,13 @@ This allows the certificate to cover subdomains like `api.example.com` and `app.
- `ALB Certificate ARN` (e.g. `arn:aws:acm:us-west-2:123456789012:certificate/abc-123`)
- `CloudFront Certificate ARN` (e.g. `arn:aws:acm:us-east-1:123456789012:certificate/def-456`)

> [!IMPORTANT]
> **If you plan to enable the optional Artifacts stack, mind the wildcard depth.** A TLS wildcard covers **exactly one** label — `*.example.com` matches `artifacts.example.com` but **not** `artifacts.alpha.example.com`.
> - If `CDK_DOMAIN_NAME` is your **apex** (e.g. `example.com`), the artifact origin is `artifacts.example.com` and the existing `*.example.com` CloudFront cert covers it — reuse that cert ARN, no third certificate needed.
> - If `CDK_DOMAIN_NAME` is **already a subdomain** (e.g. `alpha.example.com`), the artifact origin is `artifacts.alpha.example.com`, which `*.example.com` does **not** cover. Issue a dedicated `us-east-1` cert for `*.alpha.example.com` (or exactly `artifacts.alpha.example.com`) and use that ARN for `CDK_ARTIFACTS_CERTIFICATE_ARN`.
>
> Verify before deploying: `aws acm describe-certificate --region us-east-1 --certificate-arn <arn> --query 'Certificate.SubjectAlternativeNames'` should list a SAN that matches `artifacts.{CDK_DOMAIN_NAME}`.

<details>
<summary>My certificate is stuck in "Pending validation"</summary>

Expand Down
3 changes: 3 additions & 0 deletions .github/docs/deploy/step-03-github-config.md
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,9 @@ This prefix is prepended to all AWS resource names to avoid conflicts. Use somet
| Variable Name | Default | Description |
|---------------|---------|-------------|
| `CDK_FINE_TUNING_ENABLED` | `false` | Set to `true` to enable the SageMaker Fine-Tuning stack. Must be set before running the fine-tuning deployment workflow in Step 4. |
| `CDK_ARTIFACTS_ENABLED` | `false` | Set to `true` to enable iframe-isolated artifact rendering. Provisions the artifacts CloudFront origin, DDB table, S3 bucket, and Lambda. Requires `CDK_ARTIFACTS_CERTIFICATE_ARN`. |
| `CDK_ARTIFACTS_CERTIFICATE_ARN` | — | ACM certificate ARN that covers `artifacts.{CDK_DOMAIN_NAME}`. **Must be in `us-east-1`** (CloudFront requirement). Reuse `CDK_FRONTEND_CERTIFICATE_ARN` **only if `CDK_DOMAIN_NAME` is your apex** (a `*.example.com` cert covers `artifacts.example.com`). If `CDK_DOMAIN_NAME` is itself a subdomain (e.g. `alpha.example.com`), wildcards are one label deep so `*.example.com` does **not** cover `artifacts.alpha.example.com` — issue a dedicated `us-east-1` cert for `*.alpha.example.com`. See [Step 2c](./step-02-aws-setup.md#2c-create-acm-certificates). |
| `CDK_ARTIFACTS_EXTRA_FRAME_ANCESTORS` | — | Comma-separated extra origins (beyond `https://{CDK_DOMAIN_NAME}`) allowed to embed artifact iframes via CSP `frame-ancestors` — applied to both the CloudFront response-headers policy and the render Lambda. Set to `http://localhost:4200` to point a local SPA at this deployment. **Leave unset in production**: every listed origin can frame your users' artifacts (still render-token gated, but a real loosening on a shared environment). Prefer a one-off `cdk deploy '*ArtifactsStack*'` with this exported over committing it as a CI variable. |

---

Expand Down
Loading
Loading