diff --git a/.kiro/steering/release-notes.md b/.kiro/steering/release-notes.md index f1647740..c2cd8609 100644 --- a/.kiro/steering/release-notes.md +++ b/.kiro/steering/release-notes.md 
@@ -16,6 +16,27 @@ Both files are updated in the **same release pass** from the same source of comm --- +## Match Depth to Release Size + +Release depth scales with what actually shipped — not every release earns a long writeup. We expect to cut patches frequently (potentially several per day), so a small patch must stay **short and digestible**, while a feature or minor release earns the full narrative treatment described later in this doc. + +Decide the tier first, then write to it: + +| Release type | SemVer | What's in it | `RELEASE_NOTES.md` depth | `CHANGELOG.md` depth | +|---|---|---|---|---| +| **Patch** | `x.y.Z` | Bug fixes, security/dep bumps, CI/CD, docs, internal refactors — no new user-facing capability | **Brief.** A 2-4 sentence Highlights paragraph + compact per-category bullets + a one-paragraph deployment note. **No** feature spotlights, **no** per-layer (backend/frontend/infra) subsections, **no** test-coverage section. Aim for a screen or less. | One-line bullets per change, grouped by category. A one-sentence lead paragraph is enough. | +| **Minor / feature** | `x.Y.0` | New features, endpoints, pages, or capabilities | **Deep.** Full treatment: Highlights, one feature spotlight per major feature with backend/frontend/infrastructure/test-coverage subsections, then per-category bullets. | Spotlight-worthy items get a richer bullet; everything else one line. Narrative stays in `RELEASE_NOTES.md`. | +| **Major** | `X.0.0` | Breaking changes, architecture shifts, migrations | **Deepest.** Everything above plus a prominent migration/upgrade section and breaking-change callouts. | Breaking changes prefixed `**Breaking:**` with migration pointers. | + +Rules of thumb: + +- **Don't pad a patch.** If the release is three CI/CD commits and a dependency bump, the notes should be a screen or less. Resist inventing spotlights or test-coverage line counts that don't matter. 
+- **Don't starve a feature.** A new capability still gets a spotlight with the what/why/how and the file/endpoint/class detail this audience expects — brevity-for-patches is not license to thin out feature notes. +- **The category bullets (🔒 / 📦 / 🔧 / 🐛 / …) are the same in both tiers.** The difference is whether they're preceded by narrative spotlights (feature) or stand alone (patch). +- **When in doubt, size the notes to the largest single change in the release.** One real feature among ten chores makes it a feature release for write-up purposes. + +--- + ## Branch Model & Why This Is Hard This repo uses a squash-merge workflow: `develop` accumulates feature branches via merge commits, and when a release is cut, `develop` is squash-merged into `main`. This means `main` and `develop` have **divergent git histories** — you cannot do a simple `git log main..develop` to get a clean diff. Commit SHAs on `main` don't correspond to anything on `develop`. @@ -113,6 +134,8 @@ When drafting `RELEASE_NOTES.md`, lead with the outcome, then explain the mechan The new release goes at the **top** of the file. Do not modify previous release sections. +> **Patch releases use the short form.** The full section order and feature-spotlight template below describe a **feature / minor or major** release. For a patch (see *Match Depth to Release Size*), keep only the **Header**, a short **Highlights** paragraph, the relevant **per-category bullets**, and **Deployment notes** — omit feature spotlights, per-layer subsections, and the test-coverage section. + ### Header ```markdown diff --git a/CHANGELOG.md b/CHANGELOG.md index b9ac5091..da6d816a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,26 @@ All notable changes to this project are documented in this file. Format follows For narrative release notes written for operators and product owners, see [RELEASE_NOTES.md](RELEASE_NOTES.md). +## [1.0.3] - 2026-06-30 + +Maintenance patch: CI/CD pipeline cleanup, re-enabled path-scoped auto-deploys, and a dependency/CodeQL sweep. No application code or user-facing behavior changes; upgrade in place. + +### 🔒 Security + +- Removed unused imports flagged by CodeQL: `Optional` in `agents/main_agent/agent_types.py`, `ssm` in `app-api/app-api-environment.ts` (#526) + +### 📦 Dependencies + +- **backend:** `joserfc` 1.6.3 → 1.7.2 (`backend/uv.lock`) and 1.6.5 → 1.7.2 (`scripts/backup-data/uv.lock`); remediates Dependabot GHSA-wphv-vfrh-23q5 / CVE-2026-48990 (#526) + +### 🔧 CI/CD + +- Serialize `platform.yml` and `backend.yml` under one repo-global concurrency group (`deploy-`) so a CloudFormation deploy and the API-driven backend code deploys can't run concurrently and stomp the same ECS service / AgentCore Runtime / Lambda; frontend stays independent, `cancel-in-progress` stays false (#525) +- Re-enabled push-triggered, path-scoped deploys for platform, backend, and frontend (develop → development env, main → production) after being `workflow_dispatch`-only since v1.0.0; each trigger is scoped to its own surface (#524) +- Extracted duplicated test gates into a reusable `tests.yml`, wired into `ci`, `platform`, `backend`, `frontend-deploy`, and `nightly-deploy-pipeline`; render the reusable test-gate job names statically so skipped single-suite callers no longer show raw `${{ }}` expressions as labels (#524, #526) +- Pruned dead nightly tracks (AI coverage analysis, merge-validation) and orphaned scripts (`ai-coverage-analysis.py`, `promote-ecr-image.sh`); removed the dead `source-project-prefix` input (#524) +- `docs-deploy` now publishes from `main` (was `develop`); fork-gated `docs-deploy` and `release` so forks syncing `main` don't auto-publish or 
auto-create releases (#524) + ## [1.0.2] - 2026-06-29 Second patch on the 1.0.0 single-stack architecture. Headlined by **restoring tool use in assistant chats** (reverting the 1.0.0 knowledge-base-only change), plus a CodeQL security-hardening sweep, remediation of 6 Dependabot alerts, and a nightly-pipeline fix. No migration; upgrade in place. diff --git a/README.md b/README.md index 129dbd34..5571891c 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ **An open-source, production-ready Generative AI platform for institutions** *Built by Boise State University, designed for everyone.* -[![Release](https://img.shields.io/badge/Release-v1.0.2-6366f1?style=flat&logo=github&logoColor=white)](RELEASE_NOTES.md) +[![Release](https://img.shields.io/badge/Release-v1.0.3-6366f1?style=flat&logo=github&logoColor=white)](RELEASE_NOTES.md) [![Nightly](https://github.com/Boise-State-Development/agentcore-public-stack/actions/workflows/nightly.yml/badge.svg)](https://github.com/Boise-State-Development/agentcore-public-stack/actions/workflows/nightly.yml) ![Python](https://img.shields.io/badge/Python-3.13+-3776AB?style=flat&logo=python&logoColor=white) @@ -296,7 +296,7 @@ agentcore-public-stack/ See [RELEASE_NOTES.md](RELEASE_NOTES.md) for the full changelog, including new features, bug fixes, platform upgrades, and deployment notes for each release. -**Current release:** v1.0.2 +**Current release:** v1.0.3 --- diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 2bb7ab01..4a318580 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -1,3 +1,36 @@ +# Release Notes — v1.0.3 + +**Release Date:** June 30, 2026 +**Previous Release:** v1.0.2 (June 29, 2026) + +--- + +> ⚠️ **Upgrading from a beta?** 1.0.3 is an in-place upgrade from 1.0.0/1.0.1/1.0.2 with no migration. Moving from any pre-1.0.0 beta is still the destructive backup → teardown → redeploy → restore migration described in the [1.0.0 notes](#upgrading-an-existing-deployment). Brand-new deployments need none of this. + +--- + +## Highlights + +v1.0.3 is a maintenance patch — no application code or user-facing behavior changes. It's almost entirely **CI/CD pipeline work**: platform and backend deploys are now serialized through a shared concurrency group so they can't race each other onto the same ECS service / AgentCore Runtime / Lambda, push-triggered (path-scoped) auto-deploys are back on for the platform/backend/frontend workflows, and the duplicated test gates are consolidated into one reusable workflow. Rounding it out is a small dependency + CodeQL sweep (a `joserfc` CVE patch and a couple of unused-import removals). Operators on 1.0.x upgrade in place with no migration. + +## 🔒 Security & 📦 Dependencies + +- `joserfc` 1.6.3 → 1.7.2 (backend) and 1.6.5 → 1.7.2 (backup-data tooling), remediating Dependabot GHSA-wphv-vfrh-23q5 / CVE-2026-48990. (#526) +- Removed unused imports flagged by CodeQL — `Optional` in `agents/main_agent/agent_types.py`, `ssm` in `app-api/app-api-environment.ts`. (#526) + +## 🔧 CI/CD + +- **Serialized deploys.** `platform.yml` and `backend.yml` now share one repo-global concurrency group (`deploy-`), so a CloudFormation deploy and the API-driven backend code deploys queue instead of running at once and stomping the same ECS service / AgentCore Runtime / Lambda. Frontend stays independent; `cancel-in-progress` stays false. 
(#525) +- **Auto-deploy restored.** Push-triggered, path-scoped deploys are re-enabled for platform/backend/frontend (develop → development, main → production) after being manual-dispatch-only since v1.0.0. Each trigger is scoped to its own surface so unrelated changes don't redeploy. (#524) +- **Reusable test gates.** Duplicated test jobs are extracted into a shared `tests.yml` consumed by `ci`, `platform`, `backend`, `frontend-deploy`, and `nightly-deploy-pipeline`; skipped single-suite callers now render correct job labels instead of raw `${{ }}` expressions. (#524, #526) +- **Pipeline cleanup.** Pruned dead nightly tracks (AI coverage analysis, merge-validation) and orphaned scripts; `docs-deploy` now publishes from `main` (was `develop`), and `docs-deploy`/`release` are fork-gated so forks syncing `main` don't auto-publish or auto-release. (#524) + +## 🚀 Deployment notes + +In-place patch on the single-stack `PlatformStack` — no new infrastructure, env vars, or migration. The only operator-visible change is to CI/CD behavior: pushes to `develop`/`main` once again auto-deploy (path-scoped), and platform vs. backend deploys now queue rather than run concurrently. + +--- + # Release Notes — v1.0.2 **Release Date:** June 29, 2026 diff --git a/VERSION b/VERSION index 6d7de6e6..21e8796a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.0.2 +1.0.3 diff --git a/backend/pyproject.toml b/backend/pyproject.toml index 98ed0e0c..f2bb88ab 100644 --- a/backend/pyproject.toml +++ b/backend/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "agentcore-stack" -version = "1.0.2" +version = "1.0.3" requires-python = ">=3.10" description = "Multi-agent conversational AI system with AWS Bedrock AgentCore" readme = "README.md" diff --git a/backend/uv.lock b/backend/uv.lock index ebc659c2..5af1a6a4 100644 --- a/backend/uv.lock +++ b/backend/uv.lock 
@@ -12,7 +12,7 @@ resolution-markers = [ [[package]] name = "agentcore-stack" -version = "1.0.2" +version = "1.0.3" source = { editable = "." } dependencies = [ { name = "aiofiles" }, diff --git a/frontend/ai.client/package-lock.json b/frontend/ai.client/package-lock.json index 9b3bcf4f..d290dec9 100644 --- a/frontend/ai.client/package-lock.json +++ b/frontend/ai.client/package-lock.json @@ -1,12 +1,12 @@ { "name": "ai.client", - "version": "1.0.2", + "version": "1.0.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "ai.client", - "version": "1.0.2", + "version": "1.0.3", "dependencies": { "@angular/cdk": "21.2.14", "@angular/common": "21.2.17", diff --git a/frontend/ai.client/package.json b/frontend/ai.client/package.json index aaeeb08f..ef7f986f 100644 --- a/frontend/ai.client/package.json +++ b/frontend/ai.client/package.json @@ -1,6 +1,6 @@ { "name": "ai.client", - "version": "1.0.2", + "version": "1.0.3", "scripts": { "ng": "ng", "start": "ng serve", diff --git a/infrastructure/package-lock.json b/infrastructure/package-lock.json index f036d6db..bfc7ce12 100644 --- a/infrastructure/package-lock.json +++ b/infrastructure/package-lock.json @@ -1,12 +1,12 @@ { "name": "infrastructure", - "version": "1.0.2", + "version": "1.0.3", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "infrastructure", - "version": "1.0.2", + "version": "1.0.3", "dependencies": { "aws-cdk-lib": "2.260.0", "constructs": "10.6.0" diff --git a/infrastructure/package.json b/infrastructure/package.json index 3685a3e7..2edef91b 100644 --- a/infrastructure/package.json +++ b/infrastructure/package.json @@ -1,6 +1,6 @@ { "name": "infrastructure", - "version": "1.0.2", + "version": "1.0.3", "bin": { "infrastructure": "bin/infrastructure.js" },
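Review bot: In `.kiro/steering/release-notes.md`, hunk `@@ -16,6 +16,27`, the last rule of thumb ("size the notes to the largest single change in the release") cuts across the table's SemVer column: it lets a release be written up as a feature release "for write-up purposes" without saying whether the version must then be `x.Y.0`. State which one wins, for example that a release containing a new capability is always versioned as a minor, so write-up depth and version number never disagree. The Patch row also groups "security/dep bumps" with chores under "Brief"; add a sentence that advisory identifiers (GHSA/CVE) and the from → to versions stay mandatory in the short form, since those are what operators triage on.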
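Review bot: In `.kiro/steering/release-notes.md`, hunk `@@ -113,6 +134,8`, the short-form list (Header, Highlights, per-category bullets, Deployment notes) does not mention the "Upgrading from a beta?" callout, yet the v1.0.3 notes added in this same patch keep that callout between the header and Highlights. Either list the upgrade callout as part of the patch short form or say when it may be dropped, so the template and the first release written against it agree.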
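Review bot: In the `CHANGELOG.md` `[1.0.3]` entry, the `joserfc` bump that remediates GHSA-wphv-vfrh-23q5 / CVE-2026-48990 sits under 📦 Dependencies, while 🔒 Security holds only the unused-import removals, so a reader scanning the Security heading misses the one CVE fix in the release. Move the `joserfc` line under Security, or cross-reference it there, as `RELEASE_NOTES.md` effectively does with its combined heading. In the CI/CD bullets the concurrency group is written as `deploy-` with a trailing hyphen; say whether that is the literal group name or a prefix, and if a prefix, what follows it.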
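Review bot: In `RELEASE_NOTES.md`, the Highlights sentence "no application code or user-facing behavior changes" contradicts the Security bullet below it, which lists edits to `agents/main_agent/agent_types.py` and `app-api/app-api-environment.ts`; "no functional changes" would be accurate. In the Deployment notes, pushes to `main` deploying to production again is the one change that can surprise an operator, and fork gating is mentioned only for `docs-deploy` and `release`. Add a sentence on whether the re-enabled platform/backend/frontend push deploys run on forks that sync `main`, and how an operator keeps them manual.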
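Review bot: In `backend/pyproject.toml`, the context line `requires-python = ">=3.10"` next to the version bump disagrees with the `Python-3.13+` badge visible in the `README.md` hunk. This patch does not introduce the mismatch, but it is worth aligning in the same release pass so the declared interpreter floor matches what the README documents.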
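Review bot: The `backend/uv.lock` hunk shown changes only the `agentcore-stack` version, and `scripts/backup-data/uv.lock` does not appear in the hunks shown, although the changelog attributes the `joserfc` 1.6.3 → 1.7.2 and 1.6.5 → 1.7.2 bumps to those two files (#526). Confirm before tagging that both lock files on this branch already resolve `joserfc` 1.7.2, so the notes do not claim a remediation that the tagged tree lacks.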
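Review bot: The version string is bumped by hand in `VERSION`, `README.md` (badge and "Current release"), `backend/pyproject.toml`, `backend/uv.lock`, and both `package.json` / `package-lock.json` pairs, and nothing in the patch guards against one of them being missed. With patches expected several times a day per the steering doc, consider a CI check that compares each of these against `VERSION`, or a single bump script referenced from the steering doc.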