Merged
23 changes: 23 additions & 0 deletions .kiro/steering/release-notes.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,27 @@ Both files are updated in the **same release pass** from the same source of comm

---

## Match Depth to Release Size

Release depth scales with what actually shipped — not every release earns a long writeup. We expect to cut patches frequently (potentially several per day), so a small patch must stay **short and digestible**, while a feature or minor release earns the full narrative treatment described later in this doc.

Decide the tier first, then write to it:

| Release type | SemVer | What's in it | `RELEASE_NOTES.md` depth | `CHANGELOG.md` depth |
|---|---|---|---|---|
| **Patch** | `x.y.Z` | Bug fixes, security/dep bumps, CI/CD, docs, internal refactors — no new user-facing capability | **Brief.** A 2-4 sentence Highlights paragraph + compact per-category bullets + a one-paragraph deployment note. **No** feature spotlights, **no** per-layer (backend/frontend/infra) subsections, **no** test-coverage section. Aim for a screen or less. | One-line bullets per change, grouped by category. A one-sentence lead paragraph is enough. |
| **Minor / feature** | `x.Y.0` | New features, endpoints, pages, or capabilities | **Deep.** Full treatment: Highlights, one feature spotlight per major feature with backend/frontend/infrastructure/test-coverage subsections, then per-category bullets. | Spotlight-worthy items get a richer bullet; everything else one line. Narrative stays in `RELEASE_NOTES.md`. |
| **Major** | `X.0.0` | Breaking changes, architecture shifts, migrations | **Deepest.** Everything above plus a prominent migration/upgrade section and breaking-change callouts. | Breaking changes prefixed `**Breaking:**` with migration pointers. |

Rules of thumb:

- **Don't pad a patch.** If the release is three CI/CD commits and a dependency bump, the notes should be a screen or less. Resist inventing spotlights or test-coverage line counts that don't matter.
- **Don't starve a feature.** A new capability still gets a spotlight with the what/why/how and the file/endpoint/class detail this audience expects — brevity-for-patches is not license to thin out feature notes.
- **The category bullets (🔒 / 📦 / 🔧 / 🐛 / …) are the same in both tiers.** The difference is whether they're preceded by narrative spotlights (feature) or stand alone (patch).
- **When in doubt, size the notes to the largest single change in the release.** One real feature among ten chores makes it a feature release for write-up purposes.

---

## Branch Model & Why This Is Hard

This repo uses a squash-merge workflow: `develop` accumulates feature branches via merge commits, and when a release is cut, `develop` is squash-merged into `main`. This means `main` and `develop` have **divergent git histories** — you cannot do a simple `git log main..develop` to get a clean diff. Commit SHAs on `main` don't correspond to anything on `develop`.
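Review bot: In the tier table, the Patch row folds "security/dep bumps" into the Brief tier without saying what a short security bullet must still carry. Suggest adding a rule of thumb that brevity never drops the advisory identifier (GHSA/CVE), the package name, and the old → new version, so that a several-patches-per-day cadence does not produce security fixes that are hard to trace later. Separately, the last rule of thumb ("One real feature among ten chores makes it a feature release for write-up purposes") leaves open whether the SemVer column still applies; state whether such a release must also be numbered `x.Y.0`.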
Expand Down Expand Up @@ -113,6 +134,8 @@ When drafting `RELEASE_NOTES.md`, lead with the outcome, then explain the mechan

The new release goes at the **top** of the file. Do not modify previous release sections.

> **Patch releases use the short form.** The full section order and feature-spotlight template below describe a **feature / minor or major** release. For a patch (see *Match Depth to Release Size*), keep only the **Header**, a short **Highlights** paragraph, the relevant **per-category bullets**, and **Deployment notes** — omit feature spotlights, per-layer subsections, and the test-coverage section.

### Header

```markdown
Expand Down
20 changes: 20 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,26 @@ All notable changes to this project are documented in this file. Format follows

For narrative release notes written for operators and product owners, see [RELEASE_NOTES.md](RELEASE_NOTES.md).

## [1.0.3] - 2026-06-30

Maintenance patch: CI/CD pipeline cleanup, re-enabled path-scoped auto-deploys, and a dependency/CodeQL sweep. No application code or user-facing behavior changes; upgrade in place.

### 🔒 Security

- Removed unused imports flagged by CodeQL: `Optional` in `agents/main_agent/agent_types.py`, `ssm` in `app-api/app-api-environment.ts` (#526)

### 📦 Dependencies

- **backend:** `joserfc` 1.6.3 → 1.7.2 (`backend/uv.lock`) and 1.6.5 → 1.7.2 (`scripts/backup-data/uv.lock`); remediates Dependabot GHSA-wphv-vfrh-23q5 / CVE-2026-48990 (#526)

### 🔧 CI/CD

- Serialize `platform.yml` and `backend.yml` under one repo-global concurrency group (`deploy-<ref>`) so a CloudFormation deploy and the API-driven backend code deploys can't run concurrently and stomp the same ECS service / AgentCore Runtime / Lambda; frontend stays independent, `cancel-in-progress` stays false (#525)
- Re-enabled push-triggered, path-scoped deploys for platform, backend, and frontend (develop → development env, main → production) after being `workflow_dispatch`-only since v1.0.0; each trigger is scoped to its own surface (#524)
- Extracted duplicated test gates into a reusable `tests.yml`, wired into `ci`, `platform`, `backend`, `frontend-deploy`, and `nightly-deploy-pipeline`; render the reusable test-gate job names statically so skipped single-suite callers no longer show raw `${{ }}` expressions as labels (#524, #526)
- Pruned dead nightly tracks (AI coverage analysis, merge-validation) and orphaned scripts (`ai-coverage-analysis.py`, `promote-ecr-image.sh`); removed the dead `source-project-prefix` input (#524)
- `docs-deploy` now publishes from `main` (was `develop`); fork-gated `docs-deploy` and `release` so forks syncing `main` don't auto-publish or auto-create releases (#524)

## [1.0.2] - 2026-06-29

Second patch on the 1.0.0 single-stack architecture. Headlined by **restoring tool use in assistant chats** (reverting the 1.0.0 knowledge-base-only change), plus a CodeQL security-hardening sweep, remediation of 6 Dependabot alerts, and a nightly-pipeline fix. No migration; upgrade in place.
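Review bot: In the 1.0.3 entry, the only bullet under "🔒 Security" is an unused-import cleanup, while the actual vulnerability remediation (`joserfc` → 1.7.2, GHSA-wphv-vfrh-23q5 / CVE-2026-48990) sits under "📦 Dependencies". A reader scanning the Security heading for fixed advisories will miss it; suggest listing the `joserfc` bump under Security (or cross-referencing it there) and keeping the CodeQL import removals as a code-quality item. The lead sentence also says "No application code ... changes" although the same entry lists edits to `agents/main_agent/agent_types.py` and `app-api/app-api-environment.ts`; "no functional changes" would be more accurate.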
Expand Down
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@
**An open-source, production-ready Generative AI platform for institutions**
*Built by Boise State University, designed for everyone.*

[![Release](https://img.shields.io/badge/Release-v1.0.2-6366f1?style=flat&logo=github&logoColor=white)](RELEASE_NOTES.md)
[![Release](https://img.shields.io/badge/Release-v1.0.3-6366f1?style=flat&logo=github&logoColor=white)](RELEASE_NOTES.md)
[![Nightly](https://github.com/Boise-State-Development/agentcore-public-stack/actions/workflows/nightly.yml/badge.svg)](https://github.com/Boise-State-Development/agentcore-public-stack/actions/workflows/nightly.yml)

![Python](https://img.shields.io/badge/Python-3.13+-3776AB?style=flat&logo=python&logoColor=white)
Expand Down Expand Up @@ -296,7 +296,7 @@ agentcore-public-stack/

See [RELEASE_NOTES.md](RELEASE_NOTES.md) for the full changelog, including new features, bug fixes, platform upgrades, and deployment notes for each release.

**Current release:** v1.0.2
**Current release:** v1.0.3

---

Expand Down
33 changes: 33 additions & 0 deletions RELEASE_NOTES.md
Original file line number Diff line number Diff line change
@@ -1,3 +1,36 @@
# Release Notes — v1.0.3

**Release Date:** June 30, 2026
**Previous Release:** v1.0.2 (June 29, 2026)

---

> ⚠️ **Upgrading from a beta?** 1.0.3 is an in-place upgrade from 1.0.0/1.0.1/1.0.2 with no migration. Moving from any pre-1.0.0 beta is still the destructive backup → teardown → redeploy → restore migration described in the [1.0.0 notes](#upgrading-an-existing-deployment). Brand-new deployments need none of this.

---

## Highlights

v1.0.3 is a maintenance patch — no application code or user-facing behavior changes. It's almost entirely **CI/CD pipeline work**: platform and backend deploys are now serialized through a shared concurrency group so they can't race each other onto the same ECS service / AgentCore Runtime / Lambda, push-triggered (path-scoped) auto-deploys are back on for the platform/backend/frontend workflows, and the duplicated test gates are consolidated into one reusable workflow. Rounding it out is a small dependency + CodeQL sweep (a `joserfc` CVE patch and a couple of unused-import removals). Operators on 1.0.x upgrade in place with no migration.

## 🔒 Security & 📦 Dependencies

- `joserfc` 1.6.3 → 1.7.2 (backend) and 1.6.5 → 1.7.2 (backup-data tooling), remediating Dependabot GHSA-wphv-vfrh-23q5 / CVE-2026-48990. (#526)
- Removed unused imports flagged by CodeQL — `Optional` in `agents/main_agent/agent_types.py`, `ssm` in `app-api/app-api-environment.ts`. (#526)

## 🔧 CI/CD

- **Serialized deploys.** `platform.yml` and `backend.yml` now share one repo-global concurrency group (`deploy-<ref>`), so a CloudFormation deploy and the API-driven backend code deploys queue instead of running at once and stomping the same ECS service / AgentCore Runtime / Lambda. Frontend stays independent; `cancel-in-progress` stays false. (#525)
- **Auto-deploy restored.** Push-triggered, path-scoped deploys are re-enabled for platform/backend/frontend (develop → development, main → production) after being manual-dispatch-only since v1.0.0. Each trigger is scoped to its own surface so unrelated changes don't redeploy. (#524)
- **Reusable test gates.** Duplicated test jobs are extracted into a shared `tests.yml` consumed by `ci`, `platform`, `backend`, `frontend-deploy`, and `nightly-deploy-pipeline`; skipped single-suite callers now render correct job labels instead of raw `${{ }}` expressions. (#524, #526)
- **Pipeline cleanup.** Pruned dead nightly tracks (AI coverage analysis, merge-validation) and orphaned scripts; `docs-deploy` now publishes from `main` (was `develop`), and `docs-deploy`/`release` are fork-gated so forks syncing `main` don't auto-publish or auto-release. (#524)

## 🚀 Deployment notes

In-place patch on the single-stack `PlatformStack` — no new infrastructure, env vars, or migration. The only operator-visible change is to CI/CD behavior: pushes to `develop`/`main` once again auto-deploy (path-scoped), and platform vs. backend deploys now queue rather than run concurrently.

---

# Release Notes — v1.0.2

**Release Date:** June 29, 2026
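Review bot: The "Auto-deploy restored" bullet and the Deployment notes say pushes to `main` once again deploy to production, but the notes only mention fork-gating for `docs-deploy` and `release`. Operators and fork maintainers need to know whether the platform/backend/frontend deploy workflows are gated the same way and what approval, if any, stands between a push to `main` and a production deploy; suggest one sentence in Deployment notes covering that and how to keep the workflows manual-dispatch-only. Minor: the combined heading "🔒 Security & 📦 Dependencies" differs from the separate headings used in `CHANGELOG.md` and from the steering doc's statement that the category bullets are the same in both tiers.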
Expand Down
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.0.2
1.0.3
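Review bot: The version string is bumped by hand here and again in the README badge, the README "Current release" line, `backend/pyproject.toml`, `frontend/ai.client/package.json` and `infrastructure/package.json`. With patches expected several times a day, one missed file will ship a mismatched version; suggest a CI check that compares each of those values against `VERSION`, or a single bump script that writes them all.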
2 changes: 1 addition & 1 deletion backend/pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "agentcore-stack"
version = "1.0.2"
version = "1.0.3"
requires-python = ">=3.10"
description = "Multi-agent conversational AI system with AWS Bedrock AgentCore"
readme = "README.md"
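Review bot: Not introduced by this change, but the context line `requires-python = ">=3.10"` disagrees with the README badge in this same PR, which advertises Python 3.13+. Suggest aligning the two so the installer enforces the interpreter floor the project actually supports and tests against.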
Expand Down
2 changes: 1 addition & 1 deletion backend/uv.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions frontend/ai.client/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion frontend/ai.client/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "ai.client",
"version": "1.0.2",
"version": "1.0.3",
"scripts": {
"ng": "ng",
"start": "ng serve",
Expand Down
4 changes: 2 additions & 2 deletions infrastructure/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion infrastructure/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "infrastructure",
"version": "1.0.2",
"version": "1.0.3",
"bin": {
"infrastructure": "bin/infrastructure.js"
},
Expand Down