Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1357 commits
Select commit Hold shift + click to select a range
6ac5f37
chore(deps)(deps-dev): bump types-aiofiles in /backend (#242)
dependabot[bot] May 6, 2026
df0675d
Release 1.0.0-beta.24: BFF Token Handler, voice WS-ticket proxy, per-…
colinmxs May 6, 2026
62e6737
feat(auth): lava-lamp parallax backdrop on login + first-boot (#255)
philmerrell May 7, 2026
82fe37c
feat(attachments): rich previews for file attachments in user message…
philmerrell May 7, 2026
f88ce7e
feat(agents): spreadsheet analysis tools for Code Interpreter integra…
DerrickF May 7, 2026
95b5e52
feat(inference-api): add S3 read access for spreadsheet analysis tool
DerrickF May 7, 2026
21903d6
feat(inference-api): expand Code Interpreter IAM permissions and docu…
DerrickF May 7, 2026
65b7dee
feat(session): fix assistant persistence across message turns and ses…
DerrickF May 8, 2026
3291bd7
feat(session): fix assistant persistence by storing in preferences an…
DerrickF May 8, 2026
d89acb4
feat(agents): add guidance for handling disabled tools in system prompt
DerrickF May 8, 2026
1756a22
feat(attachments): render markdown previews and modal viewer for .md …
philmerrell May 8, 2026
e2687b6
feat(attachments): server-rendered PDF page-1 thumbnails (#263)
philmerrell May 8, 2026
0ab90bb
feat(spreadsheet-analysis): improve file handling and error guidance …
DerrickF May 8, 2026
55bae89
Merge branch 'develop' of https://github.com/Boise-State-Development/…
DerrickF May 8, 2026
bd6a4bc
Merge remote-tracking branch 'origin/main' into develop
colinmxs May 8, 2026
dbeb6cb
Fix/bff middleware event loop blocking (#264)
colinmxs May 9, 2026
fa82000
chore(deps): upgrade strands-agents to 1.39.0 (#265)
philmerrell May 9, 2026
7b238db
fix(token-accounting): correct per-message cost and context-window se…
philmerrell May 9, 2026
38a63d8
fix(auth): make lava-lamp backdrop dark-mode aware on login & first-b…
philmerrell May 9, 2026
14352ba
feat(auth): add SKIP_AUTH=true local-dev bypass with allowlist guard …
philmerrell May 9, 2026
3229872
fix(bff): cross-task cookie-codec & refresh-lock correctness (#273)
philmerrell May 9, 2026
00fc1c0
fix(bff): replace KMS-wrap data-key bootstrap with Secrets-Manager-ge…
philmerrell May 10, 2026
74141e9
fix(bff): tighten cross-task refresh-lock release + absolute-lifetime…
philmerrell May 10, 2026
1015bb8
feat(auth): centralize 401 redirect + proactive session detection (#277)
philmerrell May 10, 2026
d900f9f
chore(kaizen): scaffold kaizen-research + kaizen-review-prep skills +…
philmerrell May 10, 2026
4521dfc
chore(kaizen): add FastMCP source + security posture lens + library-n…
philmerrell May 10, 2026
bb83d4b
chore(kaizen): scope refinement — remove security lens, add Agentic U…
philmerrell May 11, 2026
0887add
chore(kaizen): add capability-unlock lens + AgentCore BYO filesystem …
philmerrell May 11, 2026
74bfe2f
Release/v1.0.0 beta.25 (#282) (#286)
colinmxs May 12, 2026
ff9a1f2
feat(spreadsheet-analysis): add multi-sheet XLSX support with defensi…
DerrickF May 12, 2026
5f849e1
Merge branch 'develop' of https://github.com/Boise-State-Development/…
DerrickF May 12, 2026
155069c
docs(env): update BFF cookie encryption architecture documentation
DerrickF May 12, 2026
7b86eed
test(spreadsheet-analysis): add comprehensive unit test suite
DerrickF May 12, 2026
745bd84
Fix e2e testing in nightly (#290)
ofilson May 12, 2026
70e8705
feat(spreadsheet-analysis): convert sync file operations to async
DerrickF May 13, 2026
f81f361
Merge branch 'develop' of https://github.com/Boise-State-Development/…
DerrickF May 13, 2026
b246576
feat(chat): apply user default model preference at chat time
DerrickF May 13, 2026
5eedd92
chore: restrict contributions and disable Dependabot version-update P…
colinmxs May 13, 2026
55047c5
chore(kaizen): add initial scoping document for MCP Apps Host Rendere…
philmerrell May 14, 2026
f6cae8d
docs(env): document BFF_COOKIE_DATA_KEY_SECRET_ARN in .env.example (#…
philmerrell May 14, 2026
1bc8002
chore(auth): remove dead Bearer-only auth from app_api post-BFF migra…
philmerrell May 14, 2026
48809c4
feat(admin): admin-managed user-menu links (#298)
philmerrell May 14, 2026
2b0698f
feat(frontend): copy-to-clipboard button on chat code blocks (#299)
philmerrell May 14, 2026
57a7a5a
feat(admin): persistent shell layout with grouped sidebar nav (#300)
philmerrell May 15, 2026
d1c09cf
feat(sidebar): denser session list with skeleton and entry animation …
philmerrell May 15, 2026
11a0e2b
fix(admin): distinguish links in user-menu-link modal and preview (#303)
philmerrell May 15, 2026
dcd8469
chore(kaizen): weekly research scan 2026-05-15 (#302)
philmerrell May 15, 2026
166b69e
chore(kaizen): weekly review prep 2026-05-15 (#304)
philmerrell May 15, 2026
cd16e3f
feat(admin): widen shell and fix sidebar label wrapping (#305)
philmerrell May 15, 2026
943babc
feat(infra): scaffold artifacts stack foundation (#306)
philmerrell May 15, 2026
68e233b
fix(workflows): pass artifact env vars through every consumer workflo…
philmerrell May 15, 2026
eb7c113
docs(artifacts): correct cert-reuse guidance for subdomain primaries …
philmerrell May 15, 2026
2308fae
feat(artifacts): implement render Lambda token verification and conte…
philmerrell May 15, 2026
913668b
feat(artifacts): add app-api render-token minter endpoint (#310)
philmerrell May 15, 2026
d19a8f1
feat(artifacts): add create_artifact / update_artifact agent tools (#…
philmerrell May 16, 2026
3c792c7
feat(artifacts): add SPA artifact panel + artifact SSE event (#312)
philmerrell May 16, 2026
8affdc6
feat(artifacts): configurable extra CSP frame-ancestors (#314)
philmerrell May 16, 2026
a0b7f1c
fix(admin): gate admin user-menu-links resource to stop duplicate loa…
philmerrell May 16, 2026
7cca7b1
feat(artifacts): stream live tool output into the tool rail (#316)
philmerrell May 16, 2026
94bd51f
feat(artifacts): anchor artifact cards inline to their producing mess…
philmerrell May 16, 2026
2244e95
feat(artifacts): support Markdown content type in artifact tool (#318)
philmerrell May 16, 2026
9c9cbd1
feat(artifacts): dock artifact panel beside chat, resizable, redesign…
philmerrell May 16, 2026
75f9f8a
feat(artifacts): full-width inline card + download button on card and…
philmerrell May 17, 2026
372a88b
feat(artifacts): add preview/code toggle with syntax-highlighted sour…
philmerrell May 17, 2026
1d0fae6
fix(artifacts): scope artifact card z-index with isolation:isolate (#…
philmerrell May 17, 2026
6815830
feat(artifacts): per-version history cards + panel version picker (#324)
philmerrell May 17, 2026
4828b63
feat(artifacts): auto-open panel on create, skeleton loader, latest-v…
philmerrell May 17, 2026
e0598a7
fix(artifacts): allow jsdelivr/unpkg CDNs so Chart.js artifacts rende…
philmerrell May 17, 2026
2cf5935
fix(docker): bump pinned curl to 8.14.1-2+deb13u3 (unblock dev deploy…
philmerrell May 17, 2026
f15130a
feat(chat): recoverable max_tokens truncation with Continue affordanc…
philmerrell May 17, 2026
a204242
fix(inference): coerce integer inference params to int and harden thi…
philmerrell May 17, 2026
de92dad
Harden max_tokens inference params: int coercion + model-ceiling cap …
philmerrell May 17, 2026
3567b18
feat(inference): admin-configurable effort + model-aware adaptive thi…
philmerrell May 18, 2026
a13b00e
feat(admin): redesign model views as compact expandable rows (#332)
philmerrell May 18, 2026
e67ccce
feat(chat): autofocus message input on session load and switch (#333)
philmerrell May 18, 2026
ccffa22
feat(seed): register artifact tools as default public tools (#334)
philmerrell May 18, 2026
3ff70c3
feat(admin): redesign tools catalog and form to match model views (#335)
philmerrell May 18, 2026
e1362c7
fix(frontend): bake real version into deploy builds (#336)
philmerrell May 18, 2026
fbd8635
chore(deps): bump bedrock-agentcore 1.6.4 -> 1.9.1 (+ coupled boto3 1…
philmerrell May 18, 2026
bc16420
kaizen bundle: /ping reap fix + A2A guard + research URL cleanup (#338)
philmerrell May 18, 2026
a24754d
refactor(chat): lift tool-result rendering into a signal-backed rende…
philmerrell May 18, 2026
26b5e69
chore(deps): bump strands-agents 1.39.0 -> 1.40.0 (#340)
philmerrell May 18, 2026
3049816
chore(kaizen): resolve queue items + log decisions (2026-05-15 review…
philmerrell May 18, 2026
ebb542c
feat(infra): add MCP Apps sandbox-proxy origin (CDK) (#343)
philmerrell May 19, 2026
2cd5e11
feat(agents): advertise MCP Apps UI extension on initialize + filter …
philmerrell May 19, 2026
f9ef90a
feat(agents): emit ui_resource SSE via resources/read fetch path (MCP…
philmerrell May 19, 2026
0a4ecd0
feat(agents): add sandboxOrigin to ui_resource + fix permissions shap…
philmerrell May 19, 2026
1877baa
feat(chat): MCP Apps PR #4 — <mcp-app-frame> + postMessage bridge (#346)
philmerrell May 19, 2026
9273c64
feat(mcp-apps): PR #5 — app-initiated tools/call proxying + event bro…
philmerrell May 19, 2026
4b1f334
feat(mcp-apps): PR #6 — ui/message, ui/update-model-context, frontend…
philmerrell May 19, 2026
7749f15
test(infra): enumerate DynamoDB tables instead of hard-coded count (#…
philmerrell May 19, 2026
649a4ea
feat(mcp-apps): PR #7 — dogfood + flip AGENTCORE_MCP_APPS_HOST_ENABLE…
philmerrell May 19, 2026
0feab9d
fix(mcp-apps): unblock App rendering — blob iframe, first-class block…
philmerrell May 19, 2026
ff072ed
fix(mcp-apps): align outer CSP + inner mount to ext-apps basic-host r…
philmerrell May 19, 2026
74cdcfc
feat(mcp-apps): dynamic per-resource CSP for the sandbox proxy (#355)
philmerrell May 19, 2026
b8cd64a
fix(mcp-apps): shorten CFN Comment to fit the 128-char AWS cap (#356)
philmerrell May 19, 2026
fa6c93a
fix(mcp-apps): shorten RHP Comment to fit the same 128-char AWS cap (…
philmerrell May 19, 2026
99524b7
fix(mcp-apps): decode URL-encoded ?csp= in sandbox CFN, add x-csp-deb…
philmerrell May 20, 2026
47ff1d3
chore(mcp-apps): remove x-csp-debug diagnostic from sandbox CFN (#359)
philmerrell May 20, 2026
51466c1
fix(mcp-apps): give inner App iframe allow-same-origin to match basic…
philmerrell May 20, 2026
bf4c216
Add backup tool and document architecture rules for Copilot CLI (#361)
colinmxs May 20, 2026
8f253b1
release: v1.0.0-beta.26 (#362)
colinmxs May 20, 2026
448de24
Release/v1.0.0 beta.27 (#365)
colinmxs May 21, 2026
789a8af
feat(file-sources): add file-source adapter framework (#366)
philmerrell May 21, 2026
2239137
feat(file-sources): map connectors to file-source adapters (#367)
philmerrell May 21, 2026
3fc2ec0
test(frontend): use provideHttpClient/provideHttpClientTesting in ser…
philmerrell May 21, 2026
4a9394f
Release/v1.0.0 beta.27 (#369)
colinmxs May 21, 2026
514161e
docs(kaizen): record MCP Apps host renderer initiative as resolved (#…
philmerrell May 21, 2026
3a43ca8
feat(file-sources): add browse/search/import endpoints (#371)
philmerrell May 22, 2026
a1c75b3
feat(file-sources): add file-source browser to the assistant editor (…
philmerrell May 22, 2026
a72198a
fix(file-sources): send OAuth2CallbackUrl header on file-source calls…
philmerrell May 22, 2026
26a0e28
fix(file-sources): resolve connector tokens with consent-matched cust…
philmerrell May 22, 2026
717ffc9
chore(kaizen): weekly research scan 2026-05-22 (#375)
philmerrell May 22, 2026
aa1b007
chore(kaizen): weekly review prep 2026-05-22 (#376)
philmerrell May 22, 2026
5a88c1c
Redesign assistant editor and file-connector UX (#377)
philmerrell May 22, 2026
06ef667
feat(assistants): start OAuth consent from the editor connector button
philmerrell May 23, 2026
2c38475
feat(web-sources): crawl websites into an assistant's knowledge base …
philmerrell May 23, 2026
b280c8e
refactor(assistant-editor): inline knowledge-base row + connector ske…
philmerrell May 23, 2026
4378580
feat(assistants): download uploaded documents from editor (#380)
philmerrell May 23, 2026
2f937b1
feat(assistant-editor): tailor chat input controls for the preview (#…
philmerrell May 23, 2026
f5ab078
feat(assistants): ground consumer chat in knowledge base only (#382)
philmerrell May 23, 2026
74c15ee
feat(assistants): add viewer/editor permissions to shared assistants …
philmerrell May 24, 2026
8cae47d
feat(assistants): viewer/editor share permissions UI (#113) (#384)
philmerrell May 24, 2026
c9ed75c
chore(kaizen): track LibreChat in weekly research scan (#385)
philmerrell May 24, 2026
7d3cfb2
chore(frontend): drop unused RouterLink imports on admin pages (#386)
philmerrell May 24, 2026
070dc21
style(model-settings): align slide-over with list/form design tokens …
philmerrell May 24, 2026
8de6d86
fix(streaming): stop double-wrapping classified force_stop errors (#388)
philmerrell May 25, 2026
143aed2
fix(streaming): persist synthetic error messages so they survive refr…
philmerrell May 25, 2026
861ceb6
refactor(streaming): drop dead force_stop classifier from coordinator…
philmerrell May 26, 2026
7684e12
feat(devcontainer): reproducible dev container with all toolchains pi…
colinmxs May 26, 2026
95d51d9
feat: add teardown workflow to destroy all CDK stacks (#392)
colinmxs May 26, 2026
cef7045
feat(admin): curated model catalog with provider logos (#393)
philmerrell May 27, 2026
9fc37a1
fix(admin): managed-models list ghosting + delete modal + loading sta…
philmerrell May 27, 2026
10c9f2a
fix(admin): model form redesign tokens + edit-mode loading indicator …
philmerrell May 27, 2026
b7c3bb6
feat(spreadsheet-analysis): fail-fast size guard on analyze_spreadshe…
DerrickF May 28, 2026
9d4a523
feat(spreadsheet-analysis): fail-fast size guard on analyze_spreadshe…
DerrickF May 28, 2026
42eaea1
fix(manage-sessions): replace 'x of x selected' with 'x items selecte…
DerrickF May 28, 2026
8b2d6fe
fix(file-upload): fix duplicate document name error misclassified as …
DerrickF May 28, 2026
e7ecf02
chore(kaizen): add opencode as a tracked research source (#406)
philmerrell May 29, 2026
72547dc
chore(kaizen): weekly research scan 2026-05-29 (#407)
philmerrell May 29, 2026
325f50c
chore(kaizen): weekly review prep 2026-05-29 (#408)
philmerrell May 29, 2026
fd6198a
fix(mcp-apps): fill App iframe height + support fullscreen display mo…
philmerrell May 29, 2026
18394ae
fix(mcp-apps): make fullscreen iframe a true full-viewport overlay (#…
philmerrell May 30, 2026
c38f03e
fix(messages): stop entry animation retaining a transform that traps …
philmerrell May 30, 2026
90bf4cf
feat(mcp-apps): persist UI resources so the mcp-app-frame survives a …
philmerrell May 31, 2026
a8d82ba
fix(mcp-apps): align sandbox proxy <meta> CSP with the header (unbloc…
philmerrell May 31, 2026
bdca737
chore(sessions): remove dead duplicate app_api sessions messages serv…
philmerrell May 31, 2026
61b02d5
docs(mcp-apps): scope moving persisted UI-resource HTML to S3 + conte…
philmerrell May 31, 2026
714c50c
feat(mcp-apps): stream partial tool input for progressive App renderi…
philmerrell Jun 1, 2026
6c9404a
feat(mcp-apps): fullscreen title bar for the App frame, header contra…
philmerrell Jun 2, 2026
e0f7eff
Feature/stack architecture simplification (#396)
colinmxs Jun 2, 2026
3e6343d
fix(infra): align SSM image-tag contract on full ECR URIs + 2 deploy …
colinmxs Jun 2, 2026
4b07901
fix(infra): publish SSM params required by restore tooling + lambda d…
colinmxs Jun 2, 2026
8de1f08
fix(restore): base64-decode B/BS values before TypeDeserializer (#422)
colinmxs Jun 2, 2026
98281cb
fix(restore): bump boto3 max_pool_connections + rename 'Backend Stack…
colinmxs Jun 2, 2026
1b0f249
fix(restore): cross-pool federated-user migration — safe usernames + …
colinmxs Jun 2, 2026
730a5a1
feat(infra): grant AgentCore runtime role bedrock:CountTokens (#428)
philmerrell Jun 3, 2026
883462b
chore(infra): stop tsc from littering compiled test artifacts (#429)
philmerrell Jun 3, 2026
f13dcbe
feat(agents): native Bedrock CountTokens for context attribution (inf…
philmerrell Jun 3, 2026
d78da94
feat(agents): per-turn context attribution breakdown over SSE (#431)
philmerrell Jun 3, 2026
269ccba
feat(frontend): show per-turn context breakdown badge (#433)
philmerrell Jun 3, 2026
e8eb9aa
feat(docs): scaffold Starlight docs site with GitHub Pages deploy (#432)
philmerrell Jun 3, 2026
78faf17
fix(infra): restore MCP sandbox cert deploy var + guard against silen…
philmerrell Jun 3, 2026
e1a7254
fix(test): make config.test env handling hermetic per test (#435)
philmerrell Jun 3, 2026
7ca5c91
docs(deploy): document MCP sandbox cert for fresh deploys; drop dead …
philmerrell Jun 3, 2026
861ef3e
docs(actions): make config reference reflect single PlatformStack (#437)
philmerrell Jun 3, 2026
a23e3a7
fix(infra): re-deploy artifact-render code when the live Lambda drift…
philmerrell Jun 3, 2026
6370640
Conversation Modes - Admin Created System Prompts - Opt In (#411)
DerrickF Jun 3, 2026
190f9c7
ci: re-enable push triggers on deploy workflows
DerrickF Jun 3, 2026
dcb1b7f
feat(docs): restyle docs-site with frosted-glass brand theme (#440)
philmerrell Jun 4, 2026
595f9f2
style(docs): make header GitHub icon neutral and larger (#441)
philmerrell Jun 4, 2026
8df9a15
feat(docs): flesh out the docs-site introduction page (#442)
philmerrell Jun 4, 2026
e294207
Add shared security helpers for URL validation, ownership checks, and…
colinmxs Jun 4, 2026
b9ee9c2
docs(docs-site): write the Deployment section and consolidate Install…
philmerrell Jun 5, 2026
6eaabcf
docs(docs-site): brand redesign + architecture overview page with AWS…
philmerrell Jun 5, 2026
7d4be64
chore(kaizen): weekly research scan 2026-06-05 (#446)
philmerrell Jun 5, 2026
b74c2fa
chore(kaizen): weekly review prep 2026-06-05 (#447)
philmerrell Jun 5, 2026
3ada469
docs(specs): plan for an eval-grade quick-deploy agent skill (#448)
philmerrell Jun 5, 2026
cf613b1
Validate role mappings and shorten role-cache invalidation window
colinmxs Jun 5, 2026
0e04373
Apply static AST policy to user-supplied diagram and analysis code
colinmxs Jun 5, 2026
d5dcb60
feat(tools): add MCPGatewayConfig model for Gateway target registrati…
philmerrell Jun 5, 2026
18734d1
feat(infra): publish gateway id SSM param + app-api Gateway target IA…
philmerrell Jun 5, 2026
6da6fa2
feat(tools): Gateway target service + admin route lifecycle (#419) (#…
philmerrell Jun 5, 2026
d12341a
feat(admin): Gateway target admin form for protocol=mcp (#419) (#455)
philmerrell Jun 5, 2026
f8a600f
feat(tools): AGENTCORE_GATEWAY_ID env override for local/CI testing (…
philmerrell Jun 5, 2026
25add9e
Bind persisted roles to JWT in profile-sync handler (#458)
colinmxs Jun 5, 2026
470dc5c
feat(tools): Gateway MCP targets — self-service registration, agent w…
philmerrell Jun 6, 2026
ba8bcca
docs(docs-site): add API Keys + Admin section to nav, flesh out Tools…
philmerrell Jun 6, 2026
30e4e05
docs(specs): add admin-managed Skills with RBAC + tool binding design…
philmerrell Jun 9, 2026
0ebc9f9
feat(skills): shared data layer for admin-managed skills (PR-1) (#461)
philmerrell Jun 9, 2026
0fee1e0
feat(skills): RBAC extension — grant skills to roles (PR-2) (#462)
philmerrell Jun 9, 2026
a334959
feat(skills): admin API for skill authoring + role grants (PR-3) (#463)
philmerrell Jun 9, 2026
7ab9b4a
docs(specs): re-scope admin Skills to reference material; defer scrip…
philmerrell Jun 10, 2026
f2d1c7a
feat(skills): S3-backed reference-file data layer for admin Skills (P…
philmerrell Jun 10, 2026
93e75d7
feat(skills): admin frontend for authoring skills + reference files (…
philmerrell Jun 10, 2026
12a6445
feat(skills): runtime — DB-backed load + RBAC + skills_hash + local b…
philmerrell Jun 10, 2026
db4bf56
feat(skills): runtime MCP-tool folding + reference-file disclosure + …
philmerrell Jun 10, 2026
cb8253d
feat: per-tool MCP enablement (skills binding + model settings) (#469)
philmerrell Jun 10, 2026
0b11494
feat(skills): flip default agent_type to "skill" (PR-7) (#470)
philmerrell Jun 10, 2026
f55857f
feat(agent): re-enable Strands Bedrock auto prompt caching (#471)
philmerrell Jun 11, 2026
a7869be
docs(env): document missing backend env vars in .env.example (#472)
philmerrell Jun 11, 2026
f16cdc3
feat(settings): platform chat-mode settings foundation (skills-mode P…
philmerrell Jun 11, 2026
5a7180c
add time info to user messages on hover
Jun 11, 2026
6c94b4e
feat(skills): user skills surface + chat-mode policy enforcement (ski…
philmerrell Jun 11, 2026
447afde
chore(kaizen): weekly research scan 2026-06-12 (#475)
philmerrell Jun 12, 2026
9ed37a5
feat(spa): skills mode UX — mode toggle, skills picker, request wirin…
philmerrell Jun 12, 2026
33bc402
fix(agents): raise OAuth consent interrupt for skill-folded external …
philmerrell Jun 12, 2026
5373d00
fix(agents): gate skill-folded external MCP tools behind the approval…
philmerrell Jun 12, 2026
02b81a8
feat: add Amazon Bedrock Mantle as a model provider (#479)
philmerrell Jun 13, 2026
12defcf
Bind persisted email to the validated session in profile-sync handler
colinmxs Jun 16, 2026
b089d56
Wrap user-supplied system prompts with a platform safety floor
colinmxs Jun 16, 2026
f1cb0ae
Route fetch_url_content through the shared URL validator
colinmxs Jun 16, 2026
a478455
Reject session-metadata PUT when session id is owned by another user
colinmxs Jun 16, 2026
8819aef
Scope SigV4 signing on outbound MCP requests to recognized AWS endpoints
colinmxs Jun 16, 2026
a02aae9
fix(backup/restore): include S3 Vectors index in the snapshot loop (#…
colinmxs Jun 16, 2026
d2b9502
feat(docs): add full-screen maintenance page (#482)
philmerrell Jun 17, 2026
aec6eec
feat(docs): remove action buttons from maintenance page (#483)
philmerrell Jun 17, 2026
fab77f7
Tighten admin-route input handling and data-layer ownership edges (#484)
colinmxs Jun 17, 2026
6e19ef3
ci(artifacts): plumb CDK_ARTIFACTS_EXTRA_FRAME_ANCESTORS through depl…
philmerrell Jun 17, 2026
7cb9047
Sanitize admin error paths and pin viewer-facing TLS to 1.2+ baseline
colinmxs Jun 17, 2026
7e43976
fix(skills): resolve and persist subset-scoped external MCP tool bind…
philmerrell Jun 18, 2026
ff7a2c0
fix(deps): remediate all 22 HIGH Dependabot findings (#487)
colinmxs Jun 18, 2026
61ce767
Fix/dependabot quick fixes (#488)
colinmxs Jun 18, 2026
888722d
Fix/dependabot quick fixes (#489)
colinmxs Jun 18, 2026
e24ec9f
ci: add pull_request test gate (backend/frontend/infra) (#490)
colinmxs Jun 18, 2026
62e7d02
fix(infra): shared CloudFront cert + consistent domain/cert handling …
colinmxs Jun 19, 2026
26b99ee
Fix/cdk cli version and deploy node pin (#492)
colinmxs Jun 19, 2026
0f06374
Fix/deploy fixes (#494)
colinmxs Jun 19, 2026
28d7db8
fix(infra): restore stable IAM role names for AgentCore execution rol…
colinmxs Jun 19, 2026
55344bb
fix(ci): build arm64 images on native ARM runners (#496)
colinmxs Jun 19, 2026
a453c84
feat(skills): gate skills feature behind SKILLS_ENABLED flag (default…
philmerrell Jun 22, 2026
3855767
feat(tools): forward admin OIDC token on MCP tool discovery (#498)
philmerrell Jun 23, 2026
d387586
fix(nightly): auto-teardown ephemeral nightly deploys; fix teardown f…
colinmxs Jun 23, 2026
4963129
fix(app-api): grant secretsmanager:PutSecretValue on auth-provider se…
colinmxs Jun 23, 2026
044bfbd
Fix/nightly (#500)
colinmxs Jun 23, 2026
f3aad52
docs(infra): correct stale SSM comment on mcp-sandbox origin wiring (…
philmerrell Jun 23, 2026
f159be3
chore(kaizen): weekly research scan 2026-06-19 (#493)
philmerrell Jun 23, 2026
af7ee1c
fix(mcp-apps): accept spec-array content in ui/message (#503)
philmerrell Jun 24, 2026
c783087
fix(mcp-apps): retry transient TLS/connect failures on MCP client sta…
philmerrell Jun 24, 2026
a58a66d
fix(mcp-apps): give widget ui/message turns the loading + scroll affo…
philmerrell Jun 24, 2026
9e1d6c5
feat(connectors): scaffold export-target adapters for saving conversa…
philmerrell Jun 25, 2026
4c5bf94
feat(export-targets): Google Drive export adapter + transcript render…
philmerrell Jun 25, 2026
7483229
feat(export-targets): export endpoint + conversation-export receipts …
philmerrell Jun 26, 2026
41711ef
feat(export-targets): "Save to…" conversation export SPA + admin mapp…
philmerrell Jun 26, 2026
73421b7
feat(export-targets): destination folder picker for "Save to…" (PR-5)…
philmerrell Jun 26, 2026
9252b0c
feat(infra): support external (cross-account) Route53 hosted zones (#…
colinmxs Jun 26, 2026
270dce4
Release/1.0.0 (#513)
colinmxs Jun 26, 2026
d93ad76
Backmerge/main into develop (#514)
colinmxs Jun 26, 2026
517b4b1
chore(release): prepare v1.0.1
colinmxs Jun 26, 2026
de75c99
Merge origin/main into release/1.0.1 (reunify squash-diverged history)
colinmxs Jun 26, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/ACTIONS-REFERENCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ GitHub provides two mechanisms for storing configuration values:
| CDK_CERTIFICATE_ARN | Variable | No | None | Platform | ACM certificate ARN for HTTPS on the ALB. Must be in the **deployment region** (not us-east-1). |
| CDK_CLOUDFRONT_CERTIFICATE_ARN | Variable | No | None | Platform | Shared ACM certificate ARN for all CloudFront origins (SPA, artifacts, mcp-sandbox). **Must be in `us-east-1`** and cover `{CDK_DOMAIN_NAME}` + `*.{CDK_DOMAIN_NAME}`. Each CloudFront origin falls back to this when its section-specific cert var is unset, so one wildcard satisfies all three. **Effectively required for any deploy with `CDK_DOMAIN_NAME` set** (unless every per-origin cert var is supplied individually) — a domained deploy with no effective CloudFront cert fails at `cdk synth`. |
| CDK_CORS_ORIGINS | Variable | No | None | All | Additional CORS origins appended to the auto-derived `https://{CDK_DOMAIN_NAME}`. Comma-separated. Use for localhost during local dev (e.g., `http://localhost:4200`) or extra domains. |
| CDK_DOMAIN_NAME | Variable | No | None | All | Primary domain name (e.g., 'alpha.boisestate.ai'). Auto-applied as `https://{value}` to CORS origins platform-wide. This is the primary mechanism for CORS configuration. |
| CDK_DOMAIN_NAME | Variable | No | None | All | Primary domain name (e.g., `dev.boisestate.ai` for a dev stack, or `boisestate.ai` for an apex production stack). Auto-applied as `https://{value}` to CORS origins platform-wide. This is the primary mechanism for CORS configuration. |
| CDK_FILE_UPLOAD_CORS_ORIGINS | Variable | No | None | Platform | Additional CORS origins for the file upload S3 bucket only (appended to global CORS origins) |
| CDK_FILE_UPLOAD_MAX_SIZE_MB | Variable | No | `10` | Platform | Maximum file upload size in megabytes |
| CDK_FINE_TUNING_CORS_ORIGINS | Variable | No | None | SageMaker Fine-Tuning | Additional CORS origins for the fine-tuning S3 bucket only (appended to global CORS origins) |
Expand All @@ -62,6 +62,7 @@ GitHub provides two mechanisms for storing configuration values:
| CDK_INFERENCE_API_ENABLED | Variable | No | `true` | Inference API | Enable/disable Inference API deployment |
| CDK_INFERENCE_API_MAX_CAPACITY | Variable | No | `5` | Inference API | Maximum Inference API runtime instances for auto-scaling |
| CDK_INFERENCE_API_MEMORY | Variable | No | `2048` | Inference API | Memory (MB) for Inference API AgentCore Runtime (512, 1024, 2048, 4096, 8192) |
| CDK_MANAGE_DNS_RECORDS | Variable | No | `true` | Platform | Whether CDK creates the Route53 ALIAS/A records for the SPA, ALB, artifacts, and mcp-sandbox origins. Set to `false` when the hosted zone for `CDK_DOMAIN_NAME` lives in a **different AWS account** (or is otherwise managed out-of-band): the stack still attaches the custom domain + ACM cert to every origin but skips the in-account `HostedZone.fromLookup` + record creation that would fail cross-account. In that mode the deploy emits CfnOutputs (`*-dns-record-name` / `*-dns-alias-target`) with the record name and alias target for each origin so an operator can create the records manually. ACM certs still live in the **deploy** account (CloudFront in `us-east-1`, ALB in the deploy region); validate them via DNS records added by hand in the zone's account. |
| CDK_MCP_SANDBOX_CERTIFICATE_ARN | Variable | No | Falls back to `CDK_CLOUDFRONT_CERTIFICATE_ARN` | MCP Sandbox | **Optional override** for the MCP Apps sandbox origin (`mcp-sandbox.{CDK_DOMAIN_NAME}`) cert — the cross-origin shell the SPA frames MCP Apps in. Leave unset to use the shared `CDK_CLOUDFRONT_CERTIFICATE_ARN`; set only to give this origin a different cert. **Must be in `us-east-1`.** An effective cert (this or the shared var) is required for a domained deploy — without it the proxy would land on the CloudFront default domain with no Route 53 ALIAS and MCP Apps fail to load, so synth fails instead. |
| CDK_MCP_SANDBOX_EXTRA_FRAME_ANCESTORS | Variable | No | None | MCP Sandbox | Comma-separated extra origins (beyond `https://{CDK_DOMAIN_NAME}`) permitted to embed the MCP Apps sandbox proxy via CSP `frame-ancestors` — e.g. `http://localhost:4200` for a local SPA pointed at this deployment. **Leave unset in production.** |
| CDK_PRODUCTION | Variable | No | `true` | Frontend | Production environment flag (affects runtime config generation) |
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/nightly-deploy-pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,9 @@ jobs:
CDK_CLOUDFRONT_CERTIFICATE_ARN: ""
CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}
CDK_RETAIN_DATA_ON_DELETE: false
# Ephemeral nightly deploys in-account, so manage DNS records in-account.
# See platform.yml — set "false" for cross-account hosted zones. Defaults true.
CDK_MANAGE_DNS_RECORDS: true
CDK_ARTIFACTS_CERTIFICATE_ARN: ""
CDK_ARTIFACTS_EXTRA_FRAME_ANCESTORS: ""
CDK_FRONTEND_CERTIFICATE_ARN: ""
Expand Down
5 changes: 5 additions & 0 deletions .github/workflows/platform.yml
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,11 @@ jobs:
# three. A section-specific var still overrides per origin.
CDK_CLOUDFRONT_CERTIFICATE_ARN: ${{ vars.CDK_CLOUDFRONT_CERTIFICATE_ARN }}
CDK_RETAIN_DATA_ON_DELETE: ${{ vars.CDK_RETAIN_DATA_ON_DELETE }}
# Whether CDK creates Route53 records for the SPA/ALB/artifacts/mcp-sandbox
# origins. Set to "false" when the hosted zone for CDK_DOMAIN_NAME lives in
# a different AWS account (records are then created manually from the
# deploy's CfnOutputs). Defaults to true.
CDK_MANAGE_DNS_RECORDS: ${{ vars.CDK_MANAGE_DNS_RECORDS }}
CDK_HOSTED_ZONE_DOMAIN: ${{ vars.CDK_HOSTED_ZONE_DOMAIN }}
CDK_COGNITO_DOMAIN_PREFIX: ${{ vars.CDK_COGNITO_DOMAIN_PREFIX }}
CDK_COGNITO_CALLBACK_URLS: ${{ vars.CDK_COGNITO_CALLBACK_URLS }}
Expand Down
13 changes: 13 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,19 @@ All notable changes to this project are documented in this file. Format follows

For narrative release notes written for operators and product owners, see [RELEASE_NOTES.md](RELEASE_NOTES.md).

## [1.0.1] - 2026-06-26

First patch on top of the 1.0.0 general-availability release. Adds the ability to **save a conversation to a connected app** ("Save to…", with Google Drive as the reference export target) and **support for external (cross-account) Route53 hosted zones**. Both additions are additive and off by default until configured; existing 1.0.0 deployments upgrade in place with no migration.

### 🚀 Added

- **Save conversations to connected apps ("Save to…")** — push a full conversation transcript out to a connected app as a native Google Doc, Markdown, or plain-text file. New `apis.app_api.export_targets` package: `ExportTargetAdapter` contract + code-shipped registry mirroring the read-side `FileSourceAdapter` pattern, a `GoogleDriveAdapter` reference target, and a transcript renderer. User routes `GET /export-targets` (catalog with per-connector `connected`/`supportedFormats`/`browsable`) and `POST /sessions/{id}/export` (renders + creates the document via the user's own AgentCore Identity token; `409`→consent, `503`→workload misconfig). Admin `GET /admin/export-target-adapters` + new `OAuthProvider.export_target_adapter_id` mapping; `ExportReceipt` persisted to session metadata. SPA `ExportDialogComponent` + `ExportService`, a "Save to…" action on the conversation list, and an admin connector-form adapter dropdown (#507, #508, #509, #510, #511)
- **External (cross-account) Route53 hosted zones** — new optional `manageDnsRecords` flag (env `CDK_MANAGE_DNS_RECORDS`, context `manageDnsRecords`; defaults to `true`). When `false`, the SPA, ALB, artifacts, and mcp-sandbox origins still attach their custom domain + ACM cert but skip the in-account `HostedZone.fromLookup` + ALIAS/A record creation (which fails when the zone is in another account), emitting `CfnOutput` record-name/alias-target pairs per origin so an operator can create the records by hand. Plumbed through `load-env.sh`, the `platform.yml`/`teardown.yml`/`nightly-deploy-pipeline.yml` workflows, and the deployment docs (#512)

### 🧪 Test coverage

- 1,400+ lines of new export-target tests: `test_export_routes.py`, `test_export_target_service.py`, `test_export_google_drive.py`, `test_export_render.py`, `test_export_target_adapters_admin.py` (backend); `export-dialog.component.spec.ts`, `export.service.spec.ts` (frontend)

## [1.0.0] - 2026-06-24

The **1.0.0 general-availability release** — the platform graduates from beta to a stable, single-stack architecture. The CDK app collapses from nine CloudFormation stacks into one `PlatformStack` with a platform-as-bootstrap code-deploy model; admin-curated Conversation Modes, external file-source connectors and website crawling for assistant knowledge bases, self-service AgentCore Gateway MCP target registration, a curated model catalog with the new Amazon Bedrock Mantle provider, per-turn context attribution, a Starlight documentation site, and a full backup/restore DR toolchain all ship; plus a coordinated security-hardening sweep and remediation of all 22 HIGH Dependabot findings.
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
**An open-source, production-ready Generative AI platform for institutions**
*Built by Boise State University, designed for everyone.*

[![Release](https://img.shields.io/badge/Release-v1.0.0-6366f1?style=flat&logo=github&logoColor=white)](RELEASE_NOTES.md)
[![Release](https://img.shields.io/badge/Release-v1.0.1-6366f1?style=flat&logo=github&logoColor=white)](RELEASE_NOTES.md)
[![Nightly](https://github.com/Boise-State-Development/agentcore-public-stack/actions/workflows/nightly.yml/badge.svg)](https://github.com/Boise-State-Development/agentcore-public-stack/actions/workflows/nightly.yml)

![Python](https://img.shields.io/badge/Python-3.13+-3776AB?style=flat&logo=python&logoColor=white)
Expand Down Expand Up @@ -296,7 +296,7 @@ agentcore-public-stack/

See [RELEASE_NOTES.md](RELEASE_NOTES.md) for the full changelog, including new features, bug fixes, platform upgrades, and deployment notes for each release.

**Current release:** v1.0.0
**Current release:** v1.0.1

---

Expand Down
61 changes: 61 additions & 0 deletions RELEASE_NOTES.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,64 @@
# Release Notes — v1.0.1

**Release Date:** June 26, 2026
**Previous Release:** v1.0.0 (June 24, 2026)

---

> ⚠️ **Coming from a pre-1.0.0 (beta) deployment? Read the 1.0.0 release notes first.** 1.0.1 lands just two days after 1.0.0, so most operators haven't deployed 1.0.0 yet. There is **no special upgrade path for 1.0.1 itself** — if you're already on 1.0.0 you upgrade in place with no migration. But 1.0.0 was the single-stack consolidation, and upgrading **from any beta** to 1.0.0 (and therefore to 1.0.1) is a **destructive backup → teardown → redeploy → restore migration**, not an in-place `cdk deploy`. If you haven't already worked through it, do that before deploying 1.0.1: see [**Upgrading an existing deployment** (1.0.0 notes)](#upgrading-an-existing-deployment) below, or the published guide at <https://boise-state-development.github.io/agentcore-public-stack/deployment/upgrade/>. **Brand-new deployments need none of this.**

---

## Highlights

v1.0.1 is the first patch on top of the 1.0.0 general-availability release, and it ships two operator- and user-facing additions. **Save conversations to connected apps** ("Save to…") extends the existing connector/adapter pattern in the write direction: a user can push a full conversation transcript out to an app they've connected — Google Drive is the reference destination — as a native Google Doc, Markdown, or plain-text file, reusing the same OAuth consent, RBAC visibility, and AgentCore Identity token flow as document import. **External (cross-account) Route53 hosted zones** lets deployments whose DNS zone lives in a different AWS account (or is managed out-of-band) stand up the full platform without the deploy failing on an in-account hosted-zone lookup. No action is required for existing 1.0.0 deployments; both features are additive.

---

## Save conversations to connected apps ("Save to…")

The platform already lets a user connect an app and pull documents **into** an assistant's knowledge base. v1.0.1 adds the opposite direction: save a conversation transcript **out** to a connected app. The architectural move is to split the existing connector pattern into a direction-agnostic **auth layer** (`OAuthProvider` + AgentCore Identity + consent UX, reused as-is) and a direction-specific **capability layer** — a new `ExportTargetAdapter` registry mirroring the read-side `FileSourceAdapter` registry. Google Drive is the first export target; adding OneDrive / SharePoint / Dropbox later is "write one adapter class, register it, and have an admin map a connector." (#507, #508, #509, #510, #511)

### Backend

- New `apis.app_api.export_targets` package: an `ExportTargetAdapter` contract (`adapter.py`), a code-shipped `registry`, the reference `adapters/google_drive.py` (creates a Drive file via the user's own token), a `render.py` transcript renderer (native Google Doc / Markdown / plain text), `models.py` (`ExportFormat`, `ExportInclude`, `ExportTargetError`), and `service.py` (connector resolution, RBAC visibility gate, AgentCore Identity token mint with consent/`503` handling).
- User-facing routes (`export_targets/routes.py`, on **app-api** — the inference-API boundary only proxies `/invocations` + `/ping`): `GET /export-targets` returns the catalog the "Save to…" dialog reads (per-connector `connected` state, `supportedFormats`, and a `browsable` flag for the folder picker), and `POST /sessions/{id}/export` renders the full transcript (paged, with a runaway guard) and creates the document via the resolved adapter. A `409` signals the user must complete OAuth consent; a `503` signals workload/callback misconfiguration.
- Admin mapping: new `GET /admin/export-target-adapters` plus an `OAuthProvider.export_target_adapter_id` field — a connector becomes an export target only once an admin maps it to a shipped adapter. Export receipts are persisted to session metadata (`ExportReceipt` on `sessions/models.py`, written best-effort by `add_export_receipt`) so the SPA can reflect "saved" state.

### Frontend

- New `ExportDialogComponent` (the "Save to…" dialog: connector picker, format picker driven by `supportedFormats`, optional destination-folder picker reusing the file-source browse dialog) and an `ExportService` (`session/services/export/`). A "Save to…" action is added to the conversation list (`session-list`). Admin connector form gains an export-target-adapter mapping dropdown.

### Test coverage

1,400+ lines of new tests: `test_export_routes.py`, `test_export_target_service.py`, `test_export_google_drive.py`, `test_export_render.py`, and `test_export_target_adapters_admin.py` on the backend; `export-dialog.component.spec.ts` and `export.service.spec.ts` on the frontend.

## External (cross-account) Route53 hosted zones

Deployments where the Route53 hosted zone for `domainName` lives in a **different AWS account** — or is otherwise managed out-of-band — previously failed: the stack's in-account `HostedZone.fromLookup` + ALIAS/A record creation cannot reach a zone it doesn't own. v1.0.1 makes DNS record management optional so these deployments succeed, with the platform emitting the records an operator needs to create by hand. (#512)

### Infrastructure

- New `manageDnsRecords` config flag (env `CDK_MANAGE_DNS_RECORDS`, context `manageDnsRecords`; **defaults to `true`**, so existing single-account deployments are unaffected). Loaded in `infrastructure/lib/config.ts` and threaded into the four custom-domain origins.
- When `manageDnsRecords=false`, the SPA, ALB, artifacts, and mcp-sandbox constructs still attach the custom domain + ACM certificate to each origin but **skip** the in-account `HostedZone.fromLookup` and ALIAS/A record creation. Instead each origin emits `CfnOutput`s with the **record name** and **alias target** (e.g. `AlbDnsRecordName`/`AlbDnsAliasTarget`, `FrontendDnsRecordName`, `ArtifactsDnsRecordName`/`ArtifactsDnsAliasTarget`, `McpSandboxDnsRecordName`/`McpSandboxDnsAliasTarget`) so an operator can create the records manually in the owning account.

### CI/CD

- `CDK_MANAGE_DNS_RECORDS` plumbed end-to-end: exported and passed as a `--context` flag in `scripts/common/load-env.sh`, and added to the job-level `env:` of the `platform.yml`, `teardown.yml`, and `nightly-deploy-pipeline.yml` workflows. The nightly smoke test reads it as well.

### Docs

- Deployment docs updated for the cross-account workflow — `docs-site` (environments, platform-cdk, troubleshooting) and `.github/docs/deploy/` (GitHub config, troubleshooting) plus `.github/ACTIONS-REFERENCE.md`.

## 🚀 Deployment notes

v1.0.1 is a patch release on the single-stack `PlatformStack` architecture introduced in 1.0.0. Operators already on 1.0.0 upgrade in place — there is **no migration**. Both features are additive and off by default until configured.

- **Save to… (export targets):** opt-in. An admin maps an existing connector (e.g. the Google Drive connector) to the `google-drive` export-target adapter from the admin connector form; until a connector is mapped, the "Save to…" dialog shows no destinations. No new infrastructure or env vars.
- **Cross-account DNS:** if your hosted zone is in the **same** AWS account as the deployment (the default), no action is required — `manageDnsRecords` defaults to `true` and behavior is unchanged. If your zone lives in a **different** account (or you manage DNS out-of-band), set `CDK_MANAGE_DNS_RECORDS=false` (GitHub Actions Variable), then after the deploy read the `*DnsRecordName` / `*DnsAliasTarget` CloudFormation outputs and create the matching ALIAS/A records in the owning account for the SPA, ALB, artifacts, and mcp-sandbox origins.

---

# Release Notes — v1.0.0

**Release Date:** June 24, 2026
Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.0.0
1.0.1
2 changes: 1 addition & 1 deletion backend/pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "agentcore-stack"
version = "1.0.0"
version = "1.0.1"
requires-python = ">=3.10"
description = "Multi-agent conversational AI system with AWS Bedrock AgentCore"
readme = "README.md"
Expand Down
1 change: 1 addition & 0 deletions backend/src/apis/app_api/admin/export_targets/__init__.py
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
"""Admin surface for export-target adapter discovery."""
Loading