Skip to content

chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0#100

Merged
colinmxs merged 1 commit into
developfrom
dependabot/github_actions/develop/actions/setup-node-6.3.0
Mar 31, 2026
Merged

chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0#100
colinmxs merged 1 commit into
developfrom
dependabot/github_actions/develop/actions/setup-node-6.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Copy link
Copy Markdown
Contributor

Bumps actions/setup-node from 5.0.0 to 6.3.0.

Release notes

Sourced from actions/setup-node's releases.

v6.3.0

What's Changed

Enhancements:

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

Bug fixes:

New Contributors

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

What's Changed

Documentation

Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.2.0

v6.1.0

What's Changed

Enhancement:

Dependency updates:

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@a0853c2...53b8394)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Mar 30, 2026
@dependabot @github

dependabot Bot commented on behalf of github Mar 30, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: ci. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@colinmxs colinmxs added the ci label Mar 31, 2026
@colinmxs colinmxs merged commit c9ba4d4 into develop Mar 31, 2026
4 checks passed
@dependabot dependabot Bot deleted the dependabot/github_actions/develop/actions/setup-node-6.3.0 branch March 31, 2026 17:46
colinmxs added a commit that referenced this pull request May 11, 2026
* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* docs(readme): update version badges and tech stack to v1.0.0-beta.18

- Update release badge from v1.0.0-beta.17 to v1.0.0-beta.18
- Bump Tailwind CSS version from v4.1 to v4.2 in all references
- Update current release version in release notes section
- Reflect latest dependency versions in architecture and tech stack documentation

* feat(embeddings): add optional token validation bypass for search queries

- Add skip_token_validation parameter to generate_embeddings function
- Allow skipping tiktoken-based token validation for short inputs where tiktoken may not be installed
- Update search_assistant_knowledgebase to skip validation for query embeddings
- Enables embedding generation in environments where tiktoken is unavailable (e.g., search Lambda)

* refactor(embeddings): extract shared embedding logic to separate module

- Move core embedding generation and vector store operations to apis.shared.embeddings
- Create new shared bedrock_embeddings module with generate_embeddings, store_embeddings_in_s3, search_assistant_knowledgebase, and delete_vectors_for_document
- Extract vector search logic to new apis.shared.assistants.vector_search module
- Keep ingestion-specific token validation (tiktoken-based) in app_api embeddings module
- Update ingestion embeddings module to re-export shared functions for backward compatibility
- Simplify bedrock_embeddings in ingestion pipeline to focus on chunk validation and splitting
- Update imports across documents routes and rag_service to use new shared modules
- Reduces code duplication and establishes clear separation between shared RAG infrastructure and ingestion-specific concerns

* docs(release-notes): document v1.0.0-beta.19 features and fixes

- Add Angular production build optimization section explaining minification and tree-shaking enablement
- Document embeddings refactor extracting shared logic to apis.shared.embeddings module
- Add skip_token_validation parameter documentation for generate_embeddings function
- Update highlights section to mention Angular production build optimization
- Clarify CodeQL workflow improvements and unused import/variable cleanup
- Enable optimization flag in angular.json production configuration for reduced bundle size

* docs(release-notes): remove Angular optimization section and revert config

- Remove "Frontend Production Build Optimization" section from release notes
- Revert optimization flag removal from angular.json production configuration
- Align documentation with actual production build configuration state

* feat: add API Keys section to README for programmatic access to AI models

* fix(model_config): comment out caching configuration due to Bedrock limitations

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

---------

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* Potential fix for code scanning alert no. 510: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* fix github warnings

* fix log issue

---------

Signed-off-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler-cli"
  dependency-version: 21.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jest and @types/jest in /infrastructure (#92)

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together.

Updates `jest` from 29.7.0 to 30.3.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.3.0/packages/jest)

Updates `@types/jest` from 29.5.14 to 30.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/jest"
  dependency-version: 30.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add conversation deleting handling for shared conversations + bug fix

* chore(deps)(deps): bump constructs (#91)

Bumps the infra-minor-patch group in /infrastructure with 1 update: [constructs](https://github.com/aws/constructs).


Updates `constructs` from 10.5.1 to 10.6.0
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](https://github.com/aws/constructs/compare/v10.5.1...v10.6.0)

---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(messages): displayText support for RAG-augmented and file attachment messages (#107)

* feat(messages): add displayText support for RAG-augmented messages

- Add original_message parameter to stream_async and StreamCoordinator to preserve user input before RAG augmentation
- Store displayText in message metadata when original message differs from augmented version
- Add display_text field to MessageMetadata model with displayText alias for JSON serialization
- Update chat_stream route to pass original message when RAG augmentation is applied
- Enhance metadata retrieval to query both cost records (C#) and display text records (D#) from DynamoDB
- Add store_user_display_text function to persist original message text for clean UI display
- Update .gitignore to exclude local dev scripts (start.sh)
- Improves user experience by showing original unaugmented messages in conversation UI while maintaining RAG-enhanced context for agent processing

* feat(messages): add displayText support for file attachments and local runtime override

- Add LOCAL_RUNTIME_ENDPOINT_URL environment variable support for development runtime override in auth routes
- Extend displayText storage to handle file attachment content block modifications, not just RAG augmentation
- Add message_will_be_modified logic to determine when original message should be stored as displayText
- Implement showDebugOutput local settings signal for toggling debug information display
- Update user message component to display original text when displayText is available
- Add debug output toggle to chat preferences settings page
- Update session metadata documentation to clarify displayText usage for all prompt modifications
- Ensure original user message is preserved for UI display while augmented prompt remains in AgentCore Memory

* test(metadata): add displayText (D# record) tests for store and retrieval

* chore(deps): bump fast-check from 3.23.2 to 4.6.0

- Update fast-check to version 4.6.0 with caret constraint for minor/patch updates
- Update pure-rand dependency to 4.6.0's requirement of ^8.0.0 (from ^6.1.0)
- Increase minimum Node.js requirement from 8.0.0 to 12.17.0
- Migrate auth-pbt.spec.ts to use fast-check 4.x API (stringOf → string with unit parameter)

* chore(deps)(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#99)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#98)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the python-minor-patch group in /backend with 10 updates (#96)

* chore(deps)(deps): bump the python-minor-patch group

Bumps the python-minor-patch group in /backend with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.35.0` | `0.42.0` |
| [boto3](https://github.com/boto/boto3) | `1.42.73` | `1.42.78` |
| [strands-agents](https://github.com/strands-agents/sdk-python) | `1.32.0` | `1.33.0` |
| [strands-agents-tools](https://github.com/strands-agents/tools) | `0.2.23` | `0.3.0` |
| [aws-opentelemetry-distro](https://github.com/aws-observability/aws-otel-python-instrumentation) | `0.14.2` | `0.16.0` |
| [bedrock-agentcore](https://github.com/aws/bedrock-agentcore-sdk-python) | `1.4.7` | `1.4.8` |
| [openai](https://github.com/openai/openai-python) | `2.29.0` | `2.30.0` |
| [google-genai](https://github.com/googleapis/python-genai) | `1.68.0` | `1.69.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.151.9` | `6.151.10` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.7` | `0.15.8` |


Updates `uvicorn` from 0.35.0 to 0.42.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.35.0...0.42.0)

Updates `boto3` from 1.42.73 to 1.42.78
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.42.73...1.42.78)

Updates `strands-agents` from 1.32.0 to 1.33.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](https://github.com/strands-agents/sdk-python/compare/v1.32.0...v1.33.0)

Updates `strands-agents-tools` from 0.2.23 to 0.3.0
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](https://github.com/strands-agents/tools/compare/v0.2.23...v0.3.0)

Updates `aws-opentelemetry-distro` from 0.14.2 to 0.16.0
- [Release notes](https://github.com/aws-observability/aws-otel-python-instrumentation/releases)
- [Changelog](https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-observability/aws-otel-python-instrumentation/compare/v0.14.2...v0.16.0)

Updates `bedrock-agentcore` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/aws/bedrock-agentcore-sdk-python/releases)
- [Changelog](https://github.com/aws/bedrock-agentcore-sdk-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/bedrock-agentcore-sdk-python/compare/v1.4.7...v1.4.8)

Updates `openai` from 2.29.0 to 2.30.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/openai/openai-python/compare/v2.29.0...v2.30.0)

Updates `google-genai` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/googleapis/python-genai/releases)
- [Changelog](https://github.com/googleapis/python-genai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-genai/compare/v1.68.0...v1.69.0)

Updates `hypothesis` from 6.151.9 to 6.151.10
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.151.9...hypothesis-python-6.151.10)

Updates `ruff` from 0.15.7 to 0.15.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: boto3
  dependency-version: 1.42.78
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: strands-agents
  dependency-version: 1.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: strands-agents-tools
  dependency-version: 0.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: aws-opentelemetry-distro
  dependency-version: 0.16.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: bedrock-agentcore
  dependency-version: 1.4.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: openai
  dependency-version: 2.30.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: google-genai
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.151.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): downgrade cachetools to 6.2.4

- Downgrade cachetools from 7.0.5 to 6.2.4 in backend dependencies
- Resolves compatibility issues with OAuth provider management

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* chore(deps): pin fast-check to exact version 4.6.0

- Remove caret (^) version constraint from fast-check dependency
- Update package.json to use exact version 4.6.0
- Update package-lock.json to reflect pinned version
- Ensure consistent dependency resolution across environments

* feat: add fine-tuning cost dashboard and user cost breakdown (#108)

* feat: add fine-tuning cost dashboard and user cost breakdown

- Introduced new models for cost dashboard and user cost breakdown in the admin API.
- Implemented endpoint to retrieve aggregated cost data for fine-tuning jobs.
- Enhanced fine-tuning access control to support default monthly quota hours for users without explicit grants.
- Added new routes and frontend components for displaying fine-tuning costs and usage statistics.
- Updated infrastructure configuration to include default quota hours for fine-tuning.
- Added tests to ensure proper functionality of new features and configurations.

* fix(logging): improve log message formatting for cost dashboard request

* fix(logging): sanitize period string in cost dashboard log message

* check in share conversations specs

* chore(docs): update versioning documentation and release notes for v1.0.0-beta.20

- Update versioning skill and rule documentation to include README.md version badge and "Current release" text in sync script scope
- Update Kiro steering guide to document README.md and lockfile updates in version sync process
- Bump version badge in README.md from v1.0.0-beta.19 to v1.0.0-beta.20
- Update "Current release" text in README.md to v1.0.0-beta.20
- Add comprehensive release notes for v1.0.0-beta.20 with highlights on document deletion, displayText system, fine-tuning cost dashboard, and dependency updates
- Ensure all AI assistant rule files reflect current versioning workflow

* ci(frontend): remove common scripts from workflow triggers and restrict CDK jobs to non-PR events

- Remove 'scripts/common/**' from push and pull_request trigger paths
- Add condition to synth-cdk job to skip execution on pull_request events
- Update test-cdk job condition to exclude pull_request events while preserving skip_tests logic
- Prevents unnecessary CDK synthesis and testing during pull requests to reduce workflow overhead

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh (#118)

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* Purge outdated AI specs and documentation (#121)

* spring cleaning. AI spec file and outdated documentation purge

* spring cleanup --> purging old ai specs and outdated docs

---------

Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* Feat/cognito first boot auth (#125)

* feat: replace multi-step auth bootstrap with Cognito first-boot experience

- Add Cognito User Pool, App Client, and Domain to CDK infrastructure
- Implement first-boot backend with race-condition-safe DynamoDB writes
- Add CognitoJWTValidator replacing GenericOIDCJWTValidator
- Add federated identity provider management via Cognito IdP APIs
- Migrate frontend to Cognito OAuth 2.0 + PKCE flow
- Add first-boot setup page with admin account creation
- Update AgentCore Runtime to single Cognito JWT authorizer
- Remove runtime-provisioner and runtime-updater Lambdas
- Remove hardcoded Entra ID configuration from CDK and scripts
- Remove auth provider seeding from bootstrap workflow
- Wire SSM parameters across stacks for Cognito config
- Update GitHub Actions workflows for Cognito context values

* FOR TESTING ONLY< REVERT BEFORE MERGING

* Feat/cognito first boot auth (#123)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource IDs, and directory paths
- Enable authentication and quota enforcement in runtime environment
- Configure frontend URL and CORS origins for cross-origin requests

* feat(inference-api): remove gateway URL parameter and simplify CORS origins

- Remove SSM parameter import for gateway URL from InferenceApiStack
- Remove GATEWAY_URL environment variable from AgentCore runtime configuration
- Replace SSM-imported CORS origins with config-based construction to avoid circular dependency between InferenceApiStack and FrontendStack
- Construct CORS origins dynamically from config.domainName (https://{domain}) with localhost fallback for development
- Eliminates circular dependency: InferenceApiStack ↔ FrontendStack by removing reliance on FrontendStack SSM parameters

* chore(frontend): update favicon and logo assets

- Remove redundant favicon PNG variants (android-chrome, apple-touch-icon, favicon-16x16, favicon-32x32)
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Consolidate favicon assets to reduce redundancy and improve maintainability

* feat(inference-api): add AWS Marketplace permissions for Bedrock model access

- Add MarketplaceModelAccess policy statement to runtime execution role
- Grant aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe actions
- Enable foundation model access for marketplace-gated models like Anthropic Claude
- Required for subscription validation before Bedrock model invocation

* Release 1.0.0-beta.19: Conversation sharing, session compaction, fine-tuning enhancements, CI optimization

## Features
- Conversation sharing with public/email-restricted access via shareable URLs
- Session compaction enabled by default (100K token threshold, 3 protected turns)
- Fine-tuning: drag-and-drop dataset upload, custom HuggingFace model support

## Security
- Resolve all CodeQL clear-text logging alerts (secrets, tokens, ARNs redacted)
- OAuth redirect URL validation to prevent open redirects
- Explicit read-only permissions on all 13 GitHub Actions workflows

## Performance
- Frontend production build optimized: 8.85 MB → 4.96 MB (871 KB gzipped)
- PR workflows trimmed: skip Docker builds, CDK synth, and redundant jobs

## Infrastructure
- New shared-conversations DynamoDB table with SessionShare and OwnerShare GSIs
- Bedrock prompt caching temporarily disabled due to provider limitations

## Bug Fixes
- Google Fonts moved to index.html to fix CI build failure
- Private sharing support (owner-only shares)

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* refactor(inference-api): remove underscore prefix from containerImageUri variable

- Remove underscore prefix from containerImageUri variable name
- Improve code clarity by following standard naming conventions
- Variable is used throughout the stack and should follow public naming patterns

* chore(deps): add cognitoidp moto extra and update infrastructure tests

- Add cognitoidp extra to moto dependency in uv.lock for Cognito IDP mocking support
- Update moto dependency extras to include both cognitoidp and dynamodb
- Refactor IAM policy assertions in inference-api-stack tests to search both inline and managed policies
- Simplify policy verification logic to use findResources and filter by policy attributes
- Remove S3 bucket and S3 Vector Store test sections from app-api-stack tests
- Update test assertions to be more flexible with policy resource types

* chore(frontend): update favicon and logo assets

- Add Android Chrome favicon variants (192x192 and 512x512)
- Add Apple Touch Icon for iOS devices
- Add favicon sizes for 16x16 and 32x32 resolutions
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Update logo-light.png with refreshed branding
- Improve cross-platform icon support and visual consistency

* fix(auth-providers): remove OIDC discovery endpoint and add JSON parsing error handling

- Remove POST /discover endpoint for OIDC endpoint discovery from admin routes
- Add try-except blocks to handle JSON parsing errors in AuthProviderRepository
- Gracefully default to empty dict when SecretString is invalid or malformed
- Improve resilience when retrieving auth provider secrets from AWS Secrets Manager

---------

Co-authored-by: Colin <colin@colin-os>

* Feat/cognito first boot auth (#124)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion oper…
colinmxs added a commit that referenced this pull request May 12, 2026
* Potential fix for pull request finding 'Unused local variable'




* Potential fix for pull request finding 'Unused local variable'




* docs(readme): update version badges and tech stack to v1.0.0-beta.18

- Update release badge from v1.0.0-beta.17 to v1.0.0-beta.18
- Bump Tailwind CSS version from v4.1 to v4.2 in all references
- Update current release version in release notes section
- Reflect latest dependency versions in architecture and tech stack documentation

* feat(embeddings): add optional token validation bypass for search queries

- Add skip_token_validation parameter to generate_embeddings function
- Allow skipping tiktoken-based token validation for short inputs where tiktoken may not be installed
- Update search_assistant_knowledgebase to skip validation for query embeddings
- Enables embedding generation in environments where tiktoken is unavailable (e.g., search Lambda)

* refactor(embeddings): extract shared embedding logic to separate module

- Move core embedding generation and vector store operations to apis.shared.embeddings
- Create new shared bedrock_embeddings module with generate_embeddings, store_embeddings_in_s3, search_assistant_knowledgebase, and delete_vectors_for_document
- Extract vector search logic to new apis.shared.assistants.vector_search module
- Keep ingestion-specific token validation (tiktoken-based) in app_api embeddings module
- Update ingestion embeddings module to re-export shared functions for backward compatibility
- Simplify bedrock_embeddings in ingestion pipeline to focus on chunk validation and splitting
- Update imports across documents routes and rag_service to use new shared modules
- Reduces code duplication and establishes clear separation between shared RAG infrastructure and ingestion-specific concerns

* docs(release-notes): document v1.0.0-beta.19 features and fixes

- Add Angular production build optimization section explaining minification and tree-shaking enablement
- Document embeddings refactor extracting shared logic to apis.shared.embeddings module
- Add skip_token_validation parameter documentation for generate_embeddings function
- Update highlights section to mention Angular production build optimization
- Clarify CodeQL workflow improvements and unused import/variable cleanup
- Enable optimization flag in angular.json production configuration for reduced bundle size

* docs(release-notes): remove Angular optimization section and revert config

- Remove "Frontend Production Build Optimization" section from release notes
- Revert optimization flag removal from angular.json production configuration
- Align documentation with actual production build configuration state

* feat: add API Keys section to README for programmatic access to AI models

* fix(model_config): comment out caching configuration due to Bedrock limitations

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations



* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations



---------




* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information




* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information




* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information




* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information




* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information




---------





* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection




* Potential fix for code scanning alert no. 510: Log Injection




* fix github warnings

* fix log issue

---------





* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review




* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...




* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...




* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...




* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...




* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...




* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler-cli"
  dependency-version: 21.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
...




* chore(deps)(deps-dev): bump jest and @types/jest in /infrastructure (#92)

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together.

Updates `jest` from 29.7.0 to 30.3.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.3.0/packages/jest)

Updates `@types/jest` from 29.5.14 to 30.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/jest"
  dependency-version: 30.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...




* add conversation deleting handling for shared conversations + bug fix

* chore(deps)(deps): bump constructs (#91)

Bumps the infra-minor-patch group in /infrastructure with 1 update: [constructs](https://github.com/aws/constructs).


Updates `constructs` from 10.5.1 to 10.6.0
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](https://github.com/aws/constructs/compare/v10.5.1...v10.6.0)

---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra-minor-patch
...




* feat(messages): displayText support for RAG-augmented and file attachment messages (#107)

* feat(messages): add displayText support for RAG-augmented messages

- Add original_message parameter to stream_async and StreamCoordinator to preserve user input before RAG augmentation
- Store displayText in message metadata when original message differs from augmented version
- Add display_text field to MessageMetadata model with displayText alias for JSON serialization
- Update chat_stream route to pass original message when RAG augmentation is applied
- Enhance metadata retrieval to query both cost records (C#) and display text records (D#) from DynamoDB
- Add store_user_display_text function to persist original message text for clean UI display
- Update .gitignore to exclude local dev scripts (start.sh)
- Improves user experience by showing original unaugmented messages in conversation UI while maintaining RAG-enhanced context for agent processing

* feat(messages): add displayText support for file attachments and local runtime override

- Add LOCAL_RUNTIME_ENDPOINT_URL environment variable support for development runtime override in auth routes
- Extend displayText storage to handle file attachment content block modifications, not just RAG augmentation
- Add message_will_be_modified logic to determine when original message should be stored as displayText
- Implement showDebugOutput local settings signal for toggling debug information display
- Update user message component to display original text when displayText is available
- Add debug output toggle to chat preferences settings page
- Update session metadata documentation to clarify displayText usage for all prompt modifications
- Ensure original user message is preserved for UI display while augmented prompt remains in AgentCore Memory

* test(metadata): add displayText (D# record) tests for store and retrieval

* chore(deps): bump fast-check from 3.23.2 to 4.6.0

- Update fast-check to version 4.6.0 with caret constraint for minor/patch updates
- Update pure-rand dependency to 4.6.0's requirement of ^8.0.0 (from ^6.1.0)
- Increase minimum Node.js requirement from 8.0.0 to 12.17.0
- Migrate auth-pbt.spec.ts to use fast-check 4.x API (stringOf → string with unit parameter)

* chore(deps)(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#99)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps)(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#98)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...




* chore(deps)(deps): bump the python-minor-patch group in /backend with 10 updates (#96)

* chore(deps)(deps): bump the python-minor-patch group

Bumps the python-minor-patch group in /backend with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.35.0` | `0.42.0` |
| [boto3](https://github.com/boto/boto3) | `1.42.73` | `1.42.78` |
| [strands-agents](https://github.com/strands-agents/sdk-python) | `1.32.0` | `1.33.0` |
| [strands-agents-tools](https://github.com/strands-agents/tools) | `0.2.23` | `0.3.0` |
| [aws-opentelemetry-distro](https://github.com/aws-observability/aws-otel-python-instrumentation) | `0.14.2` | `0.16.0` |
| [bedrock-agentcore](https://github.com/aws/bedrock-agentcore-sdk-python) | `1.4.7` | `1.4.8` |
| [openai](https://github.com/openai/openai-python) | `2.29.0` | `2.30.0` |
| [google-genai](https://github.com/googleapis/python-genai) | `1.68.0` | `1.69.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.151.9` | `6.151.10` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.7` | `0.15.8` |


Updates `uvicorn` from 0.35.0 to 0.42.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.35.0...0.42.0)

Updates `boto3` from 1.42.73 to 1.42.78
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.42.73...1.42.78)

Updates `strands-agents` from 1.32.0 to 1.33.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](https://github.com/strands-agents/sdk-python/compare/v1.32.0...v1.33.0)

Updates `strands-agents-tools` from 0.2.23 to 0.3.0
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](https://github.com/strands-agents/tools/compare/v0.2.23...v0.3.0)

Updates `aws-opentelemetry-distro` from 0.14.2 to 0.16.0
- [Release notes](https://github.com/aws-observability/aws-otel-python-instrumentation/releases)
- [Changelog](https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-observability/aws-otel-python-instrumentation/compare/v0.14.2...v0.16.0)

Updates `bedrock-agentcore` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/aws/bedrock-agentcore-sdk-python/releases)
- [Changelog](https://github.com/aws/bedrock-agentcore-sdk-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/bedrock-agentcore-sdk-python/compare/v1.4.7...v1.4.8)

Updates `openai` from 2.29.0 to 2.30.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/openai/openai-python/compare/v2.29.0...v2.30.0)

Updates `google-genai` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/googleapis/python-genai/releases)
- [Changelog](https://github.com/googleapis/python-genai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-genai/compare/v1.68.0...v1.69.0)

Updates `hypothesis` from 6.151.9 to 6.151.10
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.151.9...hypothesis-python-6.151.10)

Updates `ruff` from 0.15.7 to 0.15.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: boto3
  dependency-version: 1.42.78
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: strands-agents
  dependency-version: 1.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: strands-agents-tools
  dependency-version: 0.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: aws-opentelemetry-distro
  dependency-version: 0.16.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: bedrock-agentcore
  dependency-version: 1.4.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: openai
  dependency-version: 2.30.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: google-genai
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.151.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
...



* chore(deps): downgrade cachetools to 6.2.4

- Downgrade cachetools from 7.0.5 to 6.2.4 in backend dependencies
- Resolves compatibility issues with OAuth provider management

---------





* chore(deps): pin fast-check to exact version 4.6.0

- Remove caret (^) version constraint from fast-check dependency
- Update package.json to use exact version 4.6.0
- Update package-lock.json to reflect pinned version
- Ensure consistent dependency resolution across environments

* feat: add fine-tuning cost dashboard and user cost breakdown (#108)

* feat: add fine-tuning cost dashboard and user cost breakdown

- Introduced new models for cost dashboard and user cost breakdown in the admin API.
- Implemented endpoint to retrieve aggregated cost data for fine-tuning jobs.
- Enhanced fine-tuning access control to support default monthly quota hours for users without explicit grants.
- Added new routes and frontend components for displaying fine-tuning costs and usage statistics.
- Updated infrastructure configuration to include default quota hours for fine-tuning.
- Added tests to ensure proper functionality of new features and configurations.

* fix(logging): improve log message formatting for cost dashboard request

* fix(logging): sanitize period string in cost dashboard log message

* check in share conversations specs

* chore(docs): update versioning documentation and release notes for v1.0.0-beta.20

- Update versioning skill and rule documentation to include README.md version badge and "Current release" text in sync script scope
- Update Kiro steering guide to document README.md and lockfile updates in version sync process
- Bump version badge in README.md from v1.0.0-beta.19 to v1.0.0-beta.20
- Update "Current release" text in README.md to v1.0.0-beta.20
- Add comprehensive release notes for v1.0.0-beta.20 with highlights on document deletion, displayText system, fine-tuning cost dashboard, and dependency updates
- Ensure all AI assistant rule files reflect current versioning workflow

* ci(frontend): remove common scripts from workflow triggers and restrict CDK jobs to non-PR events

- Remove 'scripts/common/**' from push and pull_request trigger paths
- Add condition to synth-cdk job to skip execution on pull_request events
- Update test-cdk job condition to exclude pull_request events while preserving skip_tests logic
- Prevents unnecessary CDK synthesis and testing during pull requests to reduce workflow overhead

* Apply suggestions from code review




* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh (#118)

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* Purge outdated AI specs and documentation (#121)

* spring cleaning. AI spec file and outdated documentation purge

* spring cleanup --> purging old ai specs and outdated docs

---------



* Feat/cognito first boot auth (#125)

* feat: replace multi-step auth bootstrap with Cognito first-boot experience

- Add Cognito User Pool, App Client, and Domain to CDK infrastructure
- Implement first-boot backend with race-condition-safe DynamoDB writes
- Add CognitoJWTValidator replacing GenericOIDCJWTValidator
- Add federated identity provider management via Cognito IdP APIs
- Migrate frontend to Cognito OAuth 2.0 + PKCE flow
- Add first-boot setup page with admin account creation
- Update AgentCore Runtime to single Cognito JWT authorizer
- Remove runtime-provisioner and runtime-updater Lambdas
- Remove hardcoded Entra ID configuration from CDK and scripts
- Remove auth provider seeding from bootstrap workflow
- Wire SSM parameters across stacks for Cognito config
- Update GitHub Actions workflows for Cognito context values

* FOR TESTING ONLY< REVERT BEFORE MERGING

* Feat/cognito first boot auth (#123)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource IDs, and directory paths
- Enable authentication and quota enforcement in runtime environment
- Configure frontend URL and CORS origins for cross-origin requests

* feat(inference-api): remove gateway URL parameter and simplify CORS origins

- Remove SSM parameter import for gateway URL from InferenceApiStack
- Remove GATEWAY_URL environment variable from AgentCore runtime configuration
- Replace SSM-imported CORS origins with config-based construction to avoid circular dependency between InferenceApiStack and FrontendStack
- Construct CORS origins dynamically from config.domainName (https://{domain}) with localhost fallback for development
- Eliminates circular dependency: InferenceApiStack ↔ FrontendStack by removing reliance on FrontendStack SSM parameters

* chore(frontend): update favicon and logo assets

- Remove redundant favicon PNG variants (android-chrome, apple-touch-icon, favicon-16x16, favicon-32x32)
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Consolidate favicon assets to reduce redundancy and improve maintainability

* feat(inference-api): add AWS Marketplace permissions for Bedrock model access

- Add MarketplaceModelAccess policy statement to runtime execution role
- Grant aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe actions
- Enable foundation model access for marketplace-gated models like Anthropic Claude
- Required for subscription validation before Bedrock model invocation

* Release 1.0.0-beta.19: Conversation sharing, session compaction, fine-tuning enhancements, CI optimization

## Features
- Conversation sharing with public/email-restricted access via shareable URLs
- Session compaction enabled by default (100K token threshold, 3 protected turns)
- Fine-tuning: drag-and-drop dataset upload, custom HuggingFace model support

## Security
- Resolve all CodeQL clear-text logging alerts (secrets, tokens, ARNs redacted)
- OAuth redirect URL validation to prevent open redirects
- Explicit read-only permissions on all 13 GitHub Actions workflows

## Performance
- Frontend production build optimized: 8.85 MB → 4.96 MB (871 KB gzipped)
- PR workflows trimmed: skip Docker builds, CDK synth, and redundant jobs

## Infrastructure
- New shared-conversations DynamoDB table with SessionShare and OwnerShare GSIs
- Bedrock prompt caching temporarily disabled due to provider limitations

## Bug Fixes
- Google Fonts moved to index.html to fix CI build failure
- Private sharing support (owner-only shares)

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* refactor(inference-api): remove underscore prefix from containerImageUri variable

- Remove underscore prefix from containerImageUri variable name
- Improve code clarity by following standard naming conventions
- Variable is used throughout the stack and should follow public naming patterns

* chore(deps): add cognitoidp moto extra and update infrastructure tests

- Add cognitoidp extra to moto dependency in uv.lock for Cognito IDP mocking support
- Update moto dependency extras to include both cognitoidp and dynamodb
- Refactor IAM policy assertions in inference-api-stack tests to search both inline and managed policies
- Simplify policy verification logic to use findResources and filter by policy attributes
- Remove S3 bucket and S3 Vector Store test sections from app-api-stack tests
- Update test assertions to be more flexible with policy resource types

* chore(frontend): update favicon and logo assets

- Add Android Chrome favicon variants (192x192 and 512x512)
- Add Apple Touch Icon for iOS devices
- Add favicon sizes for 16x16 and 32x32 resolutions
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Update logo-light.png with refreshed branding
- Improve cross-platform icon support and visual consistency

* fix(auth-providers): remove OIDC discovery endpoint and add JSON parsing error handling

- Remove POST /discover endpoint for OIDC endpoint discovery from admin routes
- Add try-except blocks to handle JSON parsing errors in AuthProviderRepository
- Gracefully default to empty dict when SecretString is invalid or malformed
- Improve resilience when retrieving auth provider secrets from AWS Secrets Manager

---------



* Feat/cognito first boot auth (#124)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion oper…

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Signed-off-by: ofilson <SuperScorer911@gmail.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>
Co-authored-by: derrickfink <derrickfink@boisestate.edu>
Co-authored-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Derrick Fink <DerrickF@users.noreply.github.com>
Co-authored-by: Colin <colin@colin-os>
colinmxs added a commit that referenced this pull request May 14, 2026
* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

---------

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* Potential fix for code scanning alert no. 510: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* fix github warnings

* fix log issue

---------

Signed-off-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler-cli"
  dependency-version: 21.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jest and @types/jest in /infrastructure (#92)

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together.

Updates `jest` from 29.7.0 to 30.3.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.3.0/packages/jest)

Updates `@types/jest` from 29.5.14 to 30.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/jest"
  dependency-version: 30.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add conversation deleting handling for shared conversations + bug fix

* chore(deps)(deps): bump constructs (#91)

Bumps the infra-minor-patch group in /infrastructure with 1 update: [constructs](https://github.com/aws/constructs).


Updates `constructs` from 10.5.1 to 10.6.0
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](https://github.com/aws/constructs/compare/v10.5.1...v10.6.0)

---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(messages): displayText support for RAG-augmented and file attachment messages (#107)

* feat(messages): add displayText support for RAG-augmented messages

- Add original_message parameter to stream_async and StreamCoordinator to preserve user input before RAG augmentation
- Store displayText in message metadata when original message differs from augmented version
- Add display_text field to MessageMetadata model with displayText alias for JSON serialization
- Update chat_stream route to pass original message when RAG augmentation is applied
- Enhance metadata retrieval to query both cost records (C#) and display text records (D#) from DynamoDB
- Add store_user_display_text function to persist original message text for clean UI display
- Update .gitignore to exclude local dev scripts (start.sh)
- Improves user experience by showing original unaugmented messages in conversation UI while maintaining RAG-enhanced context for agent processing

* feat(messages): add displayText support for file attachments and local runtime override

- Add LOCAL_RUNTIME_ENDPOINT_URL environment variable support for development runtime override in auth routes
- Extend displayText storage to handle file attachment content block modifications, not just RAG augmentation
- Add message_will_be_modified logic to determine when original message should be stored as displayText
- Implement showDebugOutput local settings signal for toggling debug information display
- Update user message component to display original text when displayText is available
- Add debug output toggle to chat preferences settings page
- Update session metadata documentation to clarify displayText usage for all prompt modifications
- Ensure original user message is preserved for UI display while augmented prompt remains in AgentCore Memory

* test(metadata): add displayText (D# record) tests for store and retrieval

* chore(deps): bump fast-check from 3.23.2 to 4.6.0

- Update fast-check to version 4.6.0 with caret constraint for minor/patch updates
- Update pure-rand dependency to 4.6.0's requirement of ^8.0.0 (from ^6.1.0)
- Increase minimum Node.js requirement from 8.0.0 to 12.17.0
- Migrate auth-pbt.spec.ts to use fast-check 4.x API (stringOf → string with unit parameter)

* chore(deps)(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#99)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#98)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the python-minor-patch group in /backend with 10 updates (#96)

* chore(deps)(deps): bump the python-minor-patch group

Bumps the python-minor-patch group in /backend with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.35.0` | `0.42.0` |
| [boto3](https://github.com/boto/boto3) | `1.42.73` | `1.42.78` |
| [strands-agents](https://github.com/strands-agents/sdk-python) | `1.32.0` | `1.33.0` |
| [strands-agents-tools](https://github.com/strands-agents/tools) | `0.2.23` | `0.3.0` |
| [aws-opentelemetry-distro](https://github.com/aws-observability/aws-otel-python-instrumentation) | `0.14.2` | `0.16.0` |
| [bedrock-agentcore](https://github.com/aws/bedrock-agentcore-sdk-python) | `1.4.7` | `1.4.8` |
| [openai](https://github.com/openai/openai-python) | `2.29.0` | `2.30.0` |
| [google-genai](https://github.com/googleapis/python-genai) | `1.68.0` | `1.69.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.151.9` | `6.151.10` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.7` | `0.15.8` |


Updates `uvicorn` from 0.35.0 to 0.42.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.35.0...0.42.0)

Updates `boto3` from 1.42.73 to 1.42.78
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.42.73...1.42.78)

Updates `strands-agents` from 1.32.0 to 1.33.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](https://github.com/strands-agents/sdk-python/compare/v1.32.0...v1.33.0)

Updates `strands-agents-tools` from 0.2.23 to 0.3.0
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](https://github.com/strands-agents/tools/compare/v0.2.23...v0.3.0)

Updates `aws-opentelemetry-distro` from 0.14.2 to 0.16.0
- [Release notes](https://github.com/aws-observability/aws-otel-python-instrumentation/releases)
- [Changelog](https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-observability/aws-otel-python-instrumentation/compare/v0.14.2...v0.16.0)

Updates `bedrock-agentcore` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/aws/bedrock-agentcore-sdk-python/releases)
- [Changelog](https://github.com/aws/bedrock-agentcore-sdk-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/bedrock-agentcore-sdk-python/compare/v1.4.7...v1.4.8)

Updates `openai` from 2.29.0 to 2.30.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/openai/openai-python/compare/v2.29.0...v2.30.0)

Updates `google-genai` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/googleapis/python-genai/releases)
- [Changelog](https://github.com/googleapis/python-genai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-genai/compare/v1.68.0...v1.69.0)

Updates `hypothesis` from 6.151.9 to 6.151.10
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.151.9...hypothesis-python-6.151.10)

Updates `ruff` from 0.15.7 to 0.15.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: boto3
  dependency-version: 1.42.78
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: strands-agents
  dependency-version: 1.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: strands-agents-tools
  dependency-version: 0.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: aws-opentelemetry-distro
  dependency-version: 0.16.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: bedrock-agentcore
  dependency-version: 1.4.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: openai
  dependency-version: 2.30.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: google-genai
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.151.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): downgrade cachetools to 6.2.4

- Downgrade cachetools from 7.0.5 to 6.2.4 in backend dependencies
- Resolves compatibility issues with OAuth provider management

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* chore(deps): pin fast-check to exact version 4.6.0

- Remove caret (^) version constraint from fast-check dependency
- Update package.json to use exact version 4.6.0
- Update package-lock.json to reflect pinned version
- Ensure consistent dependency resolution across environments

* feat: add fine-tuning cost dashboard and user cost breakdown (#108)

* feat: add fine-tuning cost dashboard and user cost breakdown

- Introduced new models for cost dashboard and user cost breakdown in the admin API.
- Implemented endpoint to retrieve aggregated cost data for fine-tuning jobs.
- Enhanced fine-tuning access control to support default monthly quota hours for users without explicit grants.
- Added new routes and frontend components for displaying fine-tuning costs and usage statistics.
- Updated infrastructure configuration to include default quota hours for fine-tuning.
- Added tests to ensure proper functionality of new features and configurations.

* fix(logging): improve log message formatting for cost dashboard request

* fix(logging): sanitize period string in cost dashboard log message

* check in share conversations specs

* chore(docs): update versioning documentation and release notes for v1.0.0-beta.20

- Update versioning skill and rule documentation to include README.md version badge and "Current release" text in sync script scope
- Update Kiro steering guide to document README.md and lockfile updates in version sync process
- Bump version badge in README.md from v1.0.0-beta.19 to v1.0.0-beta.20
- Update "Current release" text in README.md to v1.0.0-beta.20
- Add comprehensive release notes for v1.0.0-beta.20 with highlights on document deletion, displayText system, fine-tuning cost dashboard, and dependency updates
- Ensure all AI assistant rule files reflect current versioning workflow

* ci(frontend): remove common scripts from workflow triggers and restrict CDK jobs to non-PR events

- Remove 'scripts/common/**' from push and pull_request trigger paths
- Add condition to synth-cdk job to skip execution on pull_request events
- Update test-cdk job condition to exclude pull_request events while preserving skip_tests logic
- Prevents unnecessary CDK synthesis and testing during pull requests to reduce workflow overhead

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh (#118)

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* Purge outdated AI specs and documentation (#121)

* spring cleaning. AI spec file and outdated documentation purge

* spring cleanup --> purging old ai specs and outdated docs

---------

Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* Feat/cognito first boot auth (#125)

* feat: replace multi-step auth bootstrap with Cognito first-boot experience

- Add Cognito User Pool, App Client, and Domain to CDK infrastructure
- Implement first-boot backend with race-condition-safe DynamoDB writes
- Add CognitoJWTValidator replacing GenericOIDCJWTValidator
- Add federated identity provider management via Cognito IdP APIs
- Migrate frontend to Cognito OAuth 2.0 + PKCE flow
- Add first-boot setup page with admin account creation
- Update AgentCore Runtime to single Cognito JWT authorizer
- Remove runtime-provisioner and runtime-updater Lambdas
- Remove hardcoded Entra ID configuration from CDK and scripts
- Remove auth provider seeding from bootstrap workflow
- Wire SSM parameters across stacks for Cognito config
- Update GitHub Actions workflows for Cognito context values

* FOR TESTING ONLY< REVERT BEFORE MERGING

* Feat/cognito first boot auth (#123)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource IDs, and directory paths
- Enable authentication and quota enforcement in runtime environment
- Configure frontend URL and CORS origins for cross-origin requests

* feat(inference-api): remove gateway URL parameter and simplify CORS origins

- Remove SSM parameter import for gateway URL from InferenceApiStack
- Remove GATEWAY_URL environment variable from AgentCore runtime configuration
- Replace SSM-imported CORS origins with config-based construction to avoid circular dependency between InferenceApiStack and FrontendStack
- Construct CORS origins dynamically from config.domainName (https://{domain}) with localhost fallback for development
- Eliminates circular dependency: InferenceApiStack ↔ FrontendStack by removing reliance on FrontendStack SSM parameters

* chore(frontend): update favicon and logo assets

- Remove redundant favicon PNG variants (android-chrome, apple-touch-icon, favicon-16x16, favicon-32x32)
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Consolidate favicon assets to reduce redundancy and improve maintainability

* feat(inference-api): add AWS Marketplace permissions for Bedrock model access

- Add MarketplaceModelAccess policy statement to runtime execution role
- Grant aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe actions
- Enable foundation model access for marketplace-gated models like Anthropic Claude
- Required for subscription validation before Bedrock model invocation

* Release 1.0.0-beta.19: Conversation sharing, session compaction, fine-tuning enhancements, CI optimization

## Features
- Conversation sharing with public/email-restricted access via shareable URLs
- Session compaction enabled by default (100K token threshold, 3 protected turns)
- Fine-tuning: drag-and-drop dataset upload, custom HuggingFace model support

## Security
- Resolve all CodeQL clear-text logging alerts (secrets, tokens, ARNs redacted)
- OAuth redirect URL validation to prevent open redirects
- Explicit read-only permissions on all 13 GitHub Actions workflows

## Performance
- Frontend production build optimized: 8.85 MB → 4.96 MB (871 KB gzipped)
- PR workflows trimmed: skip Docker builds, CDK synth, and redundant jobs

## Infrastructure
- New shared-conversations DynamoDB table with SessionShare and OwnerShare GSIs
- Bedrock prompt caching temporarily disabled due to provider limitations

## Bug Fixes
- Google Fonts moved to index.html to fix CI build failure
- Private sharing support (owner-only shares)

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* refactor(inference-api): remove underscore prefix from containerImageUri variable

- Remove underscore prefix from containerImageUri variable name
- Improve code clarity by following standard naming conventions
- Variable is used throughout the stack and should follow public naming patterns

* chore(deps): add cognitoidp moto extra and update infrastructure tests

- Add cognitoidp extra to moto dependency in uv.lock for Cognito IDP mocking support
- Update moto dependency extras to include both cognitoidp and dynamodb
- Refactor IAM policy assertions in inference-api-stack tests to search both inline and managed policies
- Simplify policy verification logic to use findResources and filter by policy attributes
- Remove S3 bucket and S3 Vector Store test sections from app-api-stack tests
- Update test assertions to be more flexible with policy resource types

* chore(frontend): update favicon and logo assets

- Add Android Chrome favicon variants (192x192 and 512x512)
- Add Apple Touch Icon for iOS devices
- Add favicon sizes for 16x16 and 32x32 resolutions
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Update logo-light.png with refreshed branding
- Improve cross-platform icon support and visual consistency

* fix(auth-providers): remove OIDC discovery endpoint and add JSON parsing error handling

- Remove POST /discover endpoint for OIDC endpoint discovery from admin routes
- Add try-except blocks to handle JSON parsing errors in AuthProviderRepository
- Gracefully default to empty dict when SecretString is invalid or malformed
- Improve resilience when retrieving auth provider secrets from AWS Secrets Manager

---------

Co-authored-by: Colin <colin@colin-os>

* Feat/cognito first boot auth (#124)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource I…
colinmxs added a commit that referenced this pull request May 21, 2026
* Release/v1.0.0 beta.25 (#282)

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* docs(readme): update version badges and tech stack to v1.0.0-beta.18

- Update release badge from v1.0.0-beta.17 to v1.0.0-beta.18
- Bump Tailwind CSS version from v4.1 to v4.2 in all references
- Update current release version in release notes section
- Reflect latest dependency versions in architecture and tech stack documentation

* feat(embeddings): add optional token validation bypass for search queries

- Add skip_token_validation parameter to generate_embeddings function
- Allow skipping tiktoken-based token validation for short inputs where tiktoken may not be installed
- Update search_assistant_knowledgebase to skip validation for query embeddings
- Enables embedding generation in environments where tiktoken is unavailable (e.g., search Lambda)

* refactor(embeddings): extract shared embedding logic to separate module

- Move core embedding generation and vector store operations to apis.shared.embeddings
- Create new shared bedrock_embeddings module with generate_embeddings, store_embeddings_in_s3, search_assistant_knowledgebase, and delete_vectors_for_document
- Extract vector search logic to new apis.shared.assistants.vector_search module
- Keep ingestion-specific token validation (tiktoken-based) in app_api embeddings module
- Update ingestion embeddings module to re-export shared functions for backward compatibility
- Simplify bedrock_embeddings in ingestion pipeline to focus on chunk validation and splitting
- Update imports across documents routes and rag_service to use new shared modules
- Reduces code duplication and establishes clear separation between shared RAG infrastructure and ingestion-specific concerns

* docs(release-notes): document v1.0.0-beta.19 features and fixes

- Add Angular production build optimization section explaining minification and tree-shaking enablement
- Document embeddings refactor extracting shared logic to apis.shared.embeddings module
- Add skip_token_validation parameter documentation for generate_embeddings function
- Update highlights section to mention Angular production build optimization
- Clarify CodeQL workflow improvements and unused import/variable cleanup
- Enable optimization flag in angular.json production configuration for reduced bundle size

* docs(release-notes): remove Angular optimization section and revert config

- Remove "Frontend Production Build Optimization" section from release notes
- Revert optimization flag removal from angular.json production configuration
- Align documentation with actual production build configuration state

* feat: add API Keys section to README for programmatic access to AI models

* fix(model_config): comment out caching configuration due to Bedrock limitations

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

---------

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* Potential fix for code scanning alert no. 510: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* fix github warnings

* fix log issue

---------

Signed-off-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler-cli"
  dependency-version: 21.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jest and @types/jest in /infrastructure (#92)

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together.

Updates `jest` from 29.7.0 to 30.3.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.3.0/packages/jest)

Updates `@types/jest` from 29.5.14 to 30.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/jest"
  dependency-version: 30.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add conversation deleting handling for shared conversations + bug fix

* chore(deps)(deps): bump constructs (#91)

Bumps the infra-minor-patch group in /infrastructure with 1 update: [constructs](https://github.com/aws/constructs).


Updates `constructs` from 10.5.1 to 10.6.0
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](https://github.com/aws/constructs/compare/v10.5.1...v10.6.0)

---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(messages): displayText support for RAG-augmented and file attachment messages (#107)

* feat(messages): add displayText support for RAG-augmented messages

- Add original_message parameter to stream_async and StreamCoordinator to preserve user input before RAG augmentation
- Store displayText in message metadata when original message differs from augmented version
- Add display_text field to MessageMetadata model with displayText alias for JSON serialization
- Update chat_stream route to pass original message when RAG augmentation is applied
- Enhance metadata retrieval to query both cost records (C#) and display text records (D#) from DynamoDB
- Add store_user_display_text function to persist original message text for clean UI display
- Update .gitignore to exclude local dev scripts (start.sh)
- Improves user experience by showing original unaugmented messages in conversation UI while maintaining RAG-enhanced context for agent processing

* feat(messages): add displayText support for file attachments and local runtime override

- Add LOCAL_RUNTIME_ENDPOINT_URL environment variable support for development runtime override in auth routes
- Extend displayText storage to handle file attachment content block modifications, not just RAG augmentation
- Add message_will_be_modified logic to determine when original message should be stored as displayText
- Implement showDebugOutput local settings signal for toggling debug information display
- Update user message component to display original text when displayText is available
- Add debug output toggle to chat preferences settings page
- Update session metadata documentation to clarify displayText usage for all prompt modifications
- Ensure original user message is preserved for UI display while augmented prompt remains in AgentCore Memory

* test(metadata): add displayText (D# record) tests for store and retrieval

* chore(deps): bump fast-check from 3.23.2 to 4.6.0

- Update fast-check to version 4.6.0 with caret constraint for minor/patch updates
- Update pure-rand dependency to 4.6.0's requirement of ^8.0.0 (from ^6.1.0)
- Increase minimum Node.js requirement from 8.0.0 to 12.17.0
- Migrate auth-pbt.spec.ts to use fast-check 4.x API (stringOf → string with unit parameter)

* chore(deps)(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#99)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#98)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the python-minor-patch group in /backend with 10 updates (#96)

* chore(deps)(deps): bump the python-minor-patch group

Bumps the python-minor-patch group in /backend with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.35.0` | `0.42.0` |
| [boto3](https://github.com/boto/boto3) | `1.42.73` | `1.42.78` |
| [strands-agents](https://github.com/strands-agents/sdk-python) | `1.32.0` | `1.33.0` |
| [strands-agents-tools](https://github.com/strands-agents/tools) | `0.2.23` | `0.3.0` |
| [aws-opentelemetry-distro](https://github.com/aws-observability/aws-otel-python-instrumentation) | `0.14.2` | `0.16.0` |
| [bedrock-agentcore](https://github.com/aws/bedrock-agentcore-sdk-python) | `1.4.7` | `1.4.8` |
| [openai](https://github.com/openai/openai-python) | `2.29.0` | `2.30.0` |
| [google-genai](https://github.com/googleapis/python-genai) | `1.68.0` | `1.69.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.151.9` | `6.151.10` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.7` | `0.15.8` |


Updates `uvicorn` from 0.35.0 to 0.42.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.35.0...0.42.0)

Updates `boto3` from 1.42.73 to 1.42.78
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.42.73...1.42.78)

Updates `strands-agents` from 1.32.0 to 1.33.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](https://github.com/strands-agents/sdk-python/compare/v1.32.0...v1.33.0)

Updates `strands-agents-tools` from 0.2.23 to 0.3.0
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](https://github.com/strands-agents/tools/compare/v0.2.23...v0.3.0)

Updates `aws-opentelemetry-distro` from 0.14.2 to 0.16.0
- [Release notes](https://github.com/aws-observability/aws-otel-python-instrumentation/releases)
- [Changelog](https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-observability/aws-otel-python-instrumentation/compare/v0.14.2...v0.16.0)

Updates `bedrock-agentcore` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/aws/bedrock-agentcore-sdk-python/releases)
- [Changelog](https://github.com/aws/bedrock-agentcore-sdk-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/bedrock-agentcore-sdk-python/compare/v1.4.7...v1.4.8)

Updates `openai` from 2.29.0 to 2.30.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/openai/openai-python/compare/v2.29.0...v2.30.0)

Updates `google-genai` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/googleapis/python-genai/releases)
- [Changelog](https://github.com/googleapis/python-genai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-genai/compare/v1.68.0...v1.69.0)

Updates `hypothesis` from 6.151.9 to 6.151.10
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.151.9...hypothesis-python-6.151.10)

Updates `ruff` from 0.15.7 to 0.15.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: boto3
  dependency-version: 1.42.78
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: strands-agents
  dependency-version: 1.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: strands-agents-tools
  dependency-version: 0.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: aws-opentelemetry-distro
  dependency-version: 0.16.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: bedrock-agentcore
  dependency-version: 1.4.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: openai
  dependency-version: 2.30.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: google-genai
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.151.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): downgrade cachetools to 6.2.4

- Downgrade cachetools from 7.0.5 to 6.2.4 in backend dependencies
- Resolves compatibility issues with OAuth provider management

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* chore(deps): pin fast-check to exact version 4.6.0

- Remove caret (^) version constraint from fast-check dependency
- Update package.json to use exact version 4.6.0
- Update package-lock.json to reflect pinned version
- Ensure consistent dependency resolution across environments

* feat: add fine-tuning cost dashboard and user cost breakdown (#108)

* feat: add fine-tuning cost dashboard and user cost breakdown

- Introduced new models for cost dashboard and user cost breakdown in the admin API.
- Implemented endpoint to retrieve aggregated cost data for fine-tuning jobs.
- Enhanced fine-tuning access control to support default monthly quota hours for users without explicit grants.
- Added new routes and frontend components for displaying fine-tuning costs and usage statistics.
- Updated infrastructure configuration to include default quota hours for fine-tuning.
- Added tests to ensure proper functionality of new features and configurations.

* fix(logging): improve log message formatting for cost dashboard request

* fix(logging): sanitize period string in cost dashboard log message

* check in share conversations specs

* chore(docs): update versioning documentation and release notes for v1.0.0-beta.20

- Update versioning skill and rule documentation to include README.md version badge and "Current release" text in sync script scope
- Update Kiro steering guide to document README.md and lockfile updates in version sync process
- Bump version badge in README.md from v1.0.0-beta.19 to v1.0.0-beta.20
- Update "Current release" text in README.md to v1.0.0-beta.20
- Add comprehensive release notes for v1.0.0-beta.20 with highlights on document deletion, displayText system, fine-tuning cost dashboard, and dependency updates
- Ensure all AI assistant rule files reflect current versioning workflow

* ci(frontend): remove common scripts from workflow triggers and restrict CDK jobs to non-PR events

- Remove 'scripts/common/**' from push and pull_request trigger paths
- Add condition to synth-cdk job to skip execution on pull_request events
- Update test-cdk job condition to exclude pull_request events while preserving skip_tests logic
- Prevents unnecessary CDK synthesis and testing during pull requests to reduce workflow overhead

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh (#118)

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* Purge outdated AI specs and documentation (#121)

* spring cleaning. AI spec file and outdated documentation purge

* spring cleanup --> purging old ai specs and outdated docs

---------

Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* Feat/cognito first boot auth (#125)

* feat: replace multi-step auth bootstrap with Cognito first-boot experience

- Add Cognito User Pool, App Client, and Domain to CDK infrastructure
- Implement first-boot backend with race-condition-safe DynamoDB writes
- Add CognitoJWTValidator replacing GenericOIDCJWTValidator
- Add federated identity provider management via Cognito IdP APIs
- Migrate frontend to Cognito OAuth 2.0 + PKCE flow
- Add first-boot setup page with admin account creation
- Update AgentCore Runtime to single Cognito JWT authorizer
- Remove runtime-provisioner and runtime-updater Lambdas
- Remove hardcoded Entra ID configuration from CDK and scripts
- Remove auth provider seeding from bootstrap workflow
- Wire SSM parameters across stacks for Cognito config
- Update GitHub Actions workflows for Cognito context values

* FOR TESTING ONLY< REVERT BEFORE MERGING

* Feat/cognito first boot auth (#123)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource IDs, and directory paths
- Enable authentication and quota enforcement in runtime environment
- Configure frontend URL and CORS origins for cross-origin requests

* feat(inference-api): remove gateway URL parameter and simplify CORS origins

- Remove SSM parameter import for gateway URL from InferenceApiStack
- Remove GATEWAY_URL environment variable from AgentCore runtime configuration
- Replace SSM-imported CORS origins with config-based construction to avoid circular dependency between InferenceApiStack and FrontendStack
- Construct CORS origins dynamically from config.domainName (https://{domain}) with localhost fallback for development
- Eliminates circular dependency: InferenceApiStack ↔ FrontendStack by removing reliance on FrontendStack SSM parameters

* chore(frontend): update favicon and logo assets

- Remove redundant favicon PNG variants (android-chrome, apple-touch-icon, favicon-16x16, favicon-32x32)
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Consolidate favicon assets to reduce redundancy and improve maintainability

* feat(inference-api): add AWS Marketplace permissions for Bedrock model access

- Add MarketplaceModelAccess policy statement to runtime execution role
- Grant aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe actions
- Enable foundation model access for marketplace-gated models like Anthropic Claude
- Required for subscription validation before Bedrock model invocation

* Release 1.0.0-beta.19: Conversation sharing, session compaction, fine-tuning enhancements, CI optimization

## Features
- Conversation sharing with public/email-restricted access via shareable URLs
- Session compaction enabled by default (100K token threshold, 3 protected turns)
- Fine-tuning: drag-and-drop dataset upload, custom HuggingFace model support

## Security
- Resolve all CodeQL clear-text logging alerts (secrets, tokens, ARNs redacted)
- OAuth redirect URL validation to prevent open redirects
- Explicit read-only permissions on all 13 GitHub Actions workflows

## Performance
- Frontend production build optimized: 8.85 MB → 4.96 MB (871 KB gzipped)
- PR workflows trimmed: skip Docker builds, CDK synth, and redundant jobs

## Infrastructure
- New shared-conversations DynamoDB table with SessionShare and OwnerShare GSIs
- Bedrock prompt caching temporarily disabled due to provider limitations

## Bug Fixes
- Google Fonts moved to index.html to fix CI build failure
- Private sharing support (owner-only shares)

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* refactor(inference-api): remove underscore prefix from containerImageUri variable

- Remove underscore prefix from containerImageUri variable name
- Improve code clarity by following standard naming conventions
- Variable is used throughout the stack and should follow public naming patterns

* chore(deps): add cognitoidp moto extra and update infrastructure tests

- Add cognitoidp extra to moto dependency in uv.lock for Cognito IDP mocking support
- Update moto dependency extras to include both cognitoidp and dynamodb
- Refactor IAM policy assertions in inference-api-stack tests to search both inline and managed policies
- Simplify policy verification logic to use findResources and filter by policy attributes
- Remove S3 bucket and S3 Vector Store test sections from app-api-stack tests
- Update test assertions to be more flexible with policy resource types

* chore(frontend): update favicon and logo assets

- Add Android Chrome favicon variants (192x192 and 512x512)
- Add Apple Touch Icon for iOS devices
- Add favicon sizes for 16x16 and 32x32 resolutions
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Update logo-light.png with refreshed branding
- Improve cross-platform icon support and visual consistency

* fix(auth-providers): remove OIDC discovery endpoint and add JSON parsing error handling

- Remove POST /discover endpoint for OIDC endpoint discovery from admin routes
- Add try-except blocks to handle JSON parsing errors in AuthProviderRepository
- Gracefully default to empty dict when SecretString is invalid or malformed
- Improve resilience when retrieving auth provider secrets from AWS Secrets Manager

---------

Co-authored-by: Colin <colin@colin-os>

* Feat/cognito first boot auth (#124)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser …
colinmxs added a commit that referenced this pull request May 21, 2026
* Release/v1.0.0 beta.25 (#282)

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* docs(readme): update version badges and tech stack to v1.0.0-beta.18

- Update release badge from v1.0.0-beta.17 to v1.0.0-beta.18
- Bump Tailwind CSS version from v4.1 to v4.2 in all references
- Update current release version in release notes section
- Reflect latest dependency versions in architecture and tech stack documentation

* feat(embeddings): add optional token validation bypass for search queries

- Add skip_token_validation parameter to generate_embeddings function
- Allow skipping tiktoken-based token validation for short inputs where tiktoken may not be installed
- Update search_assistant_knowledgebase to skip validation for query embeddings
- Enables embedding generation in environments where tiktoken is unavailable (e.g., search Lambda)

* refactor(embeddings): extract shared embedding logic to separate module

- Move core embedding generation and vector store operations to apis.shared.embeddings
- Create new shared bedrock_embeddings module with generate_embeddings, store_embeddings_in_s3, search_assistant_knowledgebase, and delete_vectors_for_document
- Extract vector search logic to new apis.shared.assistants.vector_search module
- Keep ingestion-specific token validation (tiktoken-based) in app_api embeddings module
- Update ingestion embeddings module to re-export shared functions for backward compatibility
- Simplify bedrock_embeddings in ingestion pipeline to focus on chunk validation and splitting
- Update imports across documents routes and rag_service to use new shared modules
- Reduces code duplication and establishes clear separation between shared RAG infrastructure and ingestion-specific concerns

* docs(release-notes): document v1.0.0-beta.19 features and fixes

- Add Angular production build optimization section explaining minification and tree-shaking enablement
- Document embeddings refactor extracting shared logic to apis.shared.embeddings module
- Add skip_token_validation parameter documentation for generate_embeddings function
- Update highlights section to mention Angular production build optimization
- Clarify CodeQL workflow improvements and unused import/variable cleanup
- Enable optimization flag in angular.json production configuration for reduced bundle size

* docs(release-notes): remove Angular optimization section and revert config

- Remove "Frontend Production Build Optimization" section from release notes
- Revert optimization flag removal from angular.json production configuration
- Align documentation with actual production build configuration state

* feat: add API Keys section to README for programmatic access to AI models

* fix(model_config): comment out caching configuration due to Bedrock limitations

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

---------

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* Potential fix for code scanning alert no. 510: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* fix github warnings

* fix log issue

---------

Signed-off-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler-cli"
  dependency-version: 21.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jest and @types/jest in /infrastructure (#92)

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together.

Updates `jest` from 29.7.0 to 30.3.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.3.0/packages/jest)

Updates `@types/jest` from 29.5.14 to 30.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/jest"
  dependency-version: 30.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add conversation deleting handling for shared conversations + bug fix

* chore(deps)(deps): bump constructs (#91)

Bumps the infra-minor-patch group in /infrastructure with 1 update: [constructs](https://github.com/aws/constructs).


Updates `constructs` from 10.5.1 to 10.6.0
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](https://github.com/aws/constructs/compare/v10.5.1...v10.6.0)

---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(messages): displayText support for RAG-augmented and file attachment messages (#107)

* feat(messages): add displayText support for RAG-augmented messages

- Add original_message parameter to stream_async and StreamCoordinator to preserve user input before RAG augmentation
- Store displayText in message metadata when original message differs from augmented version
- Add display_text field to MessageMetadata model with displayText alias for JSON serialization
- Update chat_stream route to pass original message when RAG augmentation is applied
- Enhance metadata retrieval to query both cost records (C#) and display text records (D#) from DynamoDB
- Add store_user_display_text function to persist original message text for clean UI display
- Update .gitignore to exclude local dev scripts (start.sh)
- Improves user experience by showing original unaugmented messages in conversation UI while maintaining RAG-enhanced context for agent processing

* feat(messages): add displayText support for file attachments and local runtime override

- Add LOCAL_RUNTIME_ENDPOINT_URL environment variable support for development runtime override in auth routes
- Extend displayText storage to handle file attachment content block modifications, not just RAG augmentation
- Add message_will_be_modified logic to determine when original message should be stored as displayText
- Implement showDebugOutput local settings signal for toggling debug information display
- Update user message component to display original text when displayText is available
- Add debug output toggle to chat preferences settings page
- Update session metadata documentation to clarify displayText usage for all prompt modifications
- Ensure original user message is preserved for UI display while augmented prompt remains in AgentCore Memory

* test(metadata): add displayText (D# record) tests for store and retrieval

* chore(deps): bump fast-check from 3.23.2 to 4.6.0

- Update fast-check to version 4.6.0 with caret constraint for minor/patch updates
- Update pure-rand dependency to 4.6.0's requirement of ^8.0.0 (from ^6.1.0)
- Increase minimum Node.js requirement from 8.0.0 to 12.17.0
- Migrate auth-pbt.spec.ts to use fast-check 4.x API (stringOf → string with unit parameter)

* chore(deps)(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#99)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#98)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the python-minor-patch group in /backend with 10 updates (#96)

* chore(deps)(deps): bump the python-minor-patch group

Bumps the python-minor-patch group in /backend with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.35.0` | `0.42.0` |
| [boto3](https://github.com/boto/boto3) | `1.42.73` | `1.42.78` |
| [strands-agents](https://github.com/strands-agents/sdk-python) | `1.32.0` | `1.33.0` |
| [strands-agents-tools](https://github.com/strands-agents/tools) | `0.2.23` | `0.3.0` |
| [aws-opentelemetry-distro](https://github.com/aws-observability/aws-otel-python-instrumentation) | `0.14.2` | `0.16.0` |
| [bedrock-agentcore](https://github.com/aws/bedrock-agentcore-sdk-python) | `1.4.7` | `1.4.8` |
| [openai](https://github.com/openai/openai-python) | `2.29.0` | `2.30.0` |
| [google-genai](https://github.com/googleapis/python-genai) | `1.68.0` | `1.69.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.151.9` | `6.151.10` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.7` | `0.15.8` |


Updates `uvicorn` from 0.35.0 to 0.42.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.35.0...0.42.0)

Updates `boto3` from 1.42.73 to 1.42.78
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.42.73...1.42.78)

Updates `strands-agents` from 1.32.0 to 1.33.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](https://github.com/strands-agents/sdk-python/compare/v1.32.0...v1.33.0)

Updates `strands-agents-tools` from 0.2.23 to 0.3.0
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](https://github.com/strands-agents/tools/compare/v0.2.23...v0.3.0)

Updates `aws-opentelemetry-distro` from 0.14.2 to 0.16.0
- [Release notes](https://github.com/aws-observability/aws-otel-python-instrumentation/releases)
- [Changelog](https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-observability/aws-otel-python-instrumentation/compare/v0.14.2...v0.16.0)

Updates `bedrock-agentcore` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/aws/bedrock-agentcore-sdk-python/releases)
- [Changelog](https://github.com/aws/bedrock-agentcore-sdk-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/bedrock-agentcore-sdk-python/compare/v1.4.7...v1.4.8)

Updates `openai` from 2.29.0 to 2.30.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/openai/openai-python/compare/v2.29.0...v2.30.0)

Updates `google-genai` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/googleapis/python-genai/releases)
- [Changelog](https://github.com/googleapis/python-genai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-genai/compare/v1.68.0...v1.69.0)

Updates `hypothesis` from 6.151.9 to 6.151.10
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.151.9...hypothesis-python-6.151.10)

Updates `ruff` from 0.15.7 to 0.15.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: boto3
  dependency-version: 1.42.78
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: strands-agents
  dependency-version: 1.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: strands-agents-tools
  dependency-version: 0.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: aws-opentelemetry-distro
  dependency-version: 0.16.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: bedrock-agentcore
  dependency-version: 1.4.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: openai
  dependency-version: 2.30.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: google-genai
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.151.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): downgrade cachetools to 6.2.4

- Downgrade cachetools from 7.0.5 to 6.2.4 in backend dependencies
- Resolves compatibility issues with OAuth provider management

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* chore(deps): pin fast-check to exact version 4.6.0

- Remove caret (^) version constraint from fast-check dependency
- Update package.json to use exact version 4.6.0
- Update package-lock.json to reflect pinned version
- Ensure consistent dependency resolution across environments

* feat: add fine-tuning cost dashboard and user cost breakdown (#108)

* feat: add fine-tuning cost dashboard and user cost breakdown

- Introduced new models for cost dashboard and user cost breakdown in the admin API.
- Implemented endpoint to retrieve aggregated cost data for fine-tuning jobs.
- Enhanced fine-tuning access control to support default monthly quota hours for users without explicit grants.
- Added new routes and frontend components for displaying fine-tuning costs and usage statistics.
- Updated infrastructure configuration to include default quota hours for fine-tuning.
- Added tests to ensure proper functionality of new features and configurations.

* fix(logging): improve log message formatting for cost dashboard request

* fix(logging): sanitize period string in cost dashboard log message

* check in share conversations specs

* chore(docs): update versioning documentation and release notes for v1.0.0-beta.20

- Update versioning skill and rule documentation to include README.md version badge and "Current release" text in sync script scope
- Update Kiro steering guide to document README.md and lockfile updates in version sync process
- Bump version badge in README.md from v1.0.0-beta.19 to v1.0.0-beta.20
- Update "Current release" text in README.md to v1.0.0-beta.20
- Add comprehensive release notes for v1.0.0-beta.20 with highlights on document deletion, displayText system, fine-tuning cost dashboard, and dependency updates
- Ensure all AI assistant rule files reflect current versioning workflow

* ci(frontend): remove common scripts from workflow triggers and restrict CDK jobs to non-PR events

- Remove 'scripts/common/**' from push and pull_request trigger paths
- Add condition to synth-cdk job to skip execution on pull_request events
- Update test-cdk job condition to exclude pull_request events while preserving skip_tests logic
- Prevents unnecessary CDK synthesis and testing during pull requests to reduce workflow overhead

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh (#118)

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* Purge outdated AI specs and documentation (#121)

* spring cleaning. AI spec file and outdated documentation purge

* spring cleanup --> purging old ai specs and outdated docs

---------

Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* Feat/cognito first boot auth (#125)

* feat: replace multi-step auth bootstrap with Cognito first-boot experience

- Add Cognito User Pool, App Client, and Domain to CDK infrastructure
- Implement first-boot backend with race-condition-safe DynamoDB writes
- Add CognitoJWTValidator replacing GenericOIDCJWTValidator
- Add federated identity provider management via Cognito IdP APIs
- Migrate frontend to Cognito OAuth 2.0 + PKCE flow
- Add first-boot setup page with admin account creation
- Update AgentCore Runtime to single Cognito JWT authorizer
- Remove runtime-provisioner and runtime-updater Lambdas
- Remove hardcoded Entra ID configuration from CDK and scripts
- Remove auth provider seeding from bootstrap workflow
- Wire SSM parameters across stacks for Cognito config
- Update GitHub Actions workflows for Cognito context values

* FOR TESTING ONLY< REVERT BEFORE MERGING

* Feat/cognito first boot auth (#123)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource IDs, and directory paths
- Enable authentication and quota enforcement in runtime environment
- Configure frontend URL and CORS origins for cross-origin requests

* feat(inference-api): remove gateway URL parameter and simplify CORS origins

- Remove SSM parameter import for gateway URL from InferenceApiStack
- Remove GATEWAY_URL environment variable from AgentCore runtime configuration
- Replace SSM-imported CORS origins with config-based construction to avoid circular dependency between InferenceApiStack and FrontendStack
- Construct CORS origins dynamically from config.domainName (https://{domain}) with localhost fallback for development
- Eliminates circular dependency: InferenceApiStack ↔ FrontendStack by removing reliance on FrontendStack SSM parameters

* chore(frontend): update favicon and logo assets

- Remove redundant favicon PNG variants (android-chrome, apple-touch-icon, favicon-16x16, favicon-32x32)
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Consolidate favicon assets to reduce redundancy and improve maintainability

* feat(inference-api): add AWS Marketplace permissions for Bedrock model access

- Add MarketplaceModelAccess policy statement to runtime execution role
- Grant aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe actions
- Enable foundation model access for marketplace-gated models like Anthropic Claude
- Required for subscription validation before Bedrock model invocation

* Release 1.0.0-beta.19: Conversation sharing, session compaction, fine-tuning enhancements, CI optimization

## Features
- Conversation sharing with public/email-restricted access via shareable URLs
- Session compaction enabled by default (100K token threshold, 3 protected turns)
- Fine-tuning: drag-and-drop dataset upload, custom HuggingFace model support

## Security
- Resolve all CodeQL clear-text logging alerts (secrets, tokens, ARNs redacted)
- OAuth redirect URL validation to prevent open redirects
- Explicit read-only permissions on all 13 GitHub Actions workflows

## Performance
- Frontend production build optimized: 8.85 MB → 4.96 MB (871 KB gzipped)
- PR workflows trimmed: skip Docker builds, CDK synth, and redundant jobs

## Infrastructure
- New shared-conversations DynamoDB table with SessionShare and OwnerShare GSIs
- Bedrock prompt caching temporarily disabled due to provider limitations

## Bug Fixes
- Google Fonts moved to index.html to fix CI build failure
- Private sharing support (owner-only shares)

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* refactor(inference-api): remove underscore prefix from containerImageUri variable

- Remove underscore prefix from containerImageUri variable name
- Improve code clarity by following standard naming conventions
- Variable is used throughout the stack and should follow public naming patterns

* chore(deps): add cognitoidp moto extra and update infrastructure tests

- Add cognitoidp extra to moto dependency in uv.lock for Cognito IDP mocking support
- Update moto dependency extras to include both cognitoidp and dynamodb
- Refactor IAM policy assertions in inference-api-stack tests to search both inline and managed policies
- Simplify policy verification logic to use findResources and filter by policy attributes
- Remove S3 bucket and S3 Vector Store test sections from app-api-stack tests
- Update test assertions to be more flexible with policy resource types

* chore(frontend): update favicon and logo assets

- Add Android Chrome favicon variants (192x192 and 512x512)
- Add Apple Touch Icon for iOS devices
- Add favicon sizes for 16x16 and 32x32 resolutions
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Update logo-light.png with refreshed branding
- Improve cross-platform icon support and visual consistency

* fix(auth-providers): remove OIDC discovery endpoint and add JSON parsing error handling

- Remove POST /discover endpoint for OIDC endpoint discovery from admin routes
- Add try-except blocks to handle JSON parsing errors in AuthProviderRepository
- Gracefully default to empty dict when SecretString is invalid or malformed
- Improve resilience when retrieving auth provider secrets from AWS Secrets Manager

---------

Co-authored-by: Colin <colin@colin-os>

* Feat/cognito first boot auth (#124)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser …
colinmxs added a commit that referenced this pull request Jun 26, 2026
* Release/v1.0.0 beta.25 (#282)

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* docs(readme): update version badges and tech stack to v1.0.0-beta.18

- Update release badge from v1.0.0-beta.17 to v1.0.0-beta.18
- Bump Tailwind CSS version from v4.1 to v4.2 in all references
- Update current release version in release notes section
- Reflect latest dependency versions in architecture and tech stack documentation

* feat(embeddings): add optional token validation bypass for search queries

- Add skip_token_validation parameter to generate_embeddings function
- Allow skipping tiktoken-based token validation for short inputs where tiktoken may not be installed
- Update search_assistant_knowledgebase to skip validation for query embeddings
- Enables embedding generation in environments where tiktoken is unavailable (e.g., search Lambda)

* refactor(embeddings): extract shared embedding logic to separate module

- Move core embedding generation and vector store operations to apis.shared.embeddings
- Create new shared bedrock_embeddings module with generate_embeddings, store_embeddings_in_s3, search_assistant_knowledgebase, and delete_vectors_for_document
- Extract vector search logic to new apis.shared.assistants.vector_search module
- Keep ingestion-specific token validation (tiktoken-based) in app_api embeddings module
- Update ingestion embeddings module to re-export shared functions for backward compatibility
- Simplify bedrock_embeddings in ingestion pipeline to focus on chunk validation and splitting
- Update imports across documents routes and rag_service to use new shared modules
- Reduces code duplication and establishes clear separation between shared RAG infrastructure and ingestion-specific concerns

* docs(release-notes): document v1.0.0-beta.19 features and fixes

- Add Angular production build optimization section explaining minification and tree-shaking enablement
- Document embeddings refactor extracting shared logic to apis.shared.embeddings module
- Add skip_token_validation parameter documentation for generate_embeddings function
- Update highlights section to mention Angular production build optimization
- Clarify CodeQL workflow improvements and unused import/variable cleanup
- Enable optimization flag in angular.json production configuration for reduced bundle size

* docs(release-notes): remove Angular optimization section and revert config

- Remove "Frontend Production Build Optimization" section from release notes
- Revert optimization flag removal from angular.json production configuration
- Align documentation with actual production build configuration state

* feat: add API Keys section to README for programmatic access to AI models

* fix(model_config): comment out caching configuration due to Bedrock limitations

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

---------

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* Potential fix for code scanning alert no. 510: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* fix github warnings

* fix log issue

---------

Signed-off-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler-cli"
  dependency-version: 21.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jest and @types/jest in /infrastructure (#92)

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together.

Updates `jest` from 29.7.0 to 30.3.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.3.0/packages/jest)

Updates `@types/jest` from 29.5.14 to 30.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/jest"
  dependency-version: 30.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add conversation deleting handling for shared conversations + bug fix

* chore(deps)(deps): bump constructs (#91)

Bumps the infra-minor-patch group in /infrastructure with 1 update: [constructs](https://github.com/aws/constructs).


Updates `constructs` from 10.5.1 to 10.6.0
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](https://github.com/aws/constructs/compare/v10.5.1...v10.6.0)

---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(messages): displayText support for RAG-augmented and file attachment messages (#107)

* feat(messages): add displayText support for RAG-augmented messages

- Add original_message parameter to stream_async and StreamCoordinator to preserve user input before RAG augmentation
- Store displayText in message metadata when original message differs from augmented version
- Add display_text field to MessageMetadata model with displayText alias for JSON serialization
- Update chat_stream route to pass original message when RAG augmentation is applied
- Enhance metadata retrieval to query both cost records (C#) and display text records (D#) from DynamoDB
- Add store_user_display_text function to persist original message text for clean UI display
- Update .gitignore to exclude local dev scripts (start.sh)
- Improves user experience by showing original unaugmented messages in conversation UI while maintaining RAG-enhanced context for agent processing

* feat(messages): add displayText support for file attachments and local runtime override

- Add LOCAL_RUNTIME_ENDPOINT_URL environment variable support for development runtime override in auth routes
- Extend displayText storage to handle file attachment content block modifications, not just RAG augmentation
- Add message_will_be_modified logic to determine when original message should be stored as displayText
- Implement showDebugOutput local settings signal for toggling debug information display
- Update user message component to display original text when displayText is available
- Add debug output toggle to chat preferences settings page
- Update session metadata documentation to clarify displayText usage for all prompt modifications
- Ensure original user message is preserved for UI display while augmented prompt remains in AgentCore Memory

* test(metadata): add displayText (D# record) tests for store and retrieval

* chore(deps): bump fast-check from 3.23.2 to 4.6.0

- Update fast-check to version 4.6.0 with caret constraint for minor/patch updates
- Update pure-rand dependency to 4.6.0's requirement of ^8.0.0 (from ^6.1.0)
- Increase minimum Node.js requirement from 8.0.0 to 12.17.0
- Migrate auth-pbt.spec.ts to use fast-check 4.x API (stringOf → string with unit parameter)

* chore(deps)(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#99)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#98)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the python-minor-patch group in /backend with 10 updates (#96)

* chore(deps)(deps): bump the python-minor-patch group

Bumps the python-minor-patch group in /backend with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.35.0` | `0.42.0` |
| [boto3](https://github.com/boto/boto3) | `1.42.73` | `1.42.78` |
| [strands-agents](https://github.com/strands-agents/sdk-python) | `1.32.0` | `1.33.0` |
| [strands-agents-tools](https://github.com/strands-agents/tools) | `0.2.23` | `0.3.0` |
| [aws-opentelemetry-distro](https://github.com/aws-observability/aws-otel-python-instrumentation) | `0.14.2` | `0.16.0` |
| [bedrock-agentcore](https://github.com/aws/bedrock-agentcore-sdk-python) | `1.4.7` | `1.4.8` |
| [openai](https://github.com/openai/openai-python) | `2.29.0` | `2.30.0` |
| [google-genai](https://github.com/googleapis/python-genai) | `1.68.0` | `1.69.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.151.9` | `6.151.10` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.7` | `0.15.8` |


Updates `uvicorn` from 0.35.0 to 0.42.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.35.0...0.42.0)

Updates `boto3` from 1.42.73 to 1.42.78
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.42.73...1.42.78)

Updates `strands-agents` from 1.32.0 to 1.33.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](https://github.com/strands-agents/sdk-python/compare/v1.32.0...v1.33.0)

Updates `strands-agents-tools` from 0.2.23 to 0.3.0
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](https://github.com/strands-agents/tools/compare/v0.2.23...v0.3.0)

Updates `aws-opentelemetry-distro` from 0.14.2 to 0.16.0
- [Release notes](https://github.com/aws-observability/aws-otel-python-instrumentation/releases)
- [Changelog](https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-observability/aws-otel-python-instrumentation/compare/v0.14.2...v0.16.0)

Updates `bedrock-agentcore` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/aws/bedrock-agentcore-sdk-python/releases)
- [Changelog](https://github.com/aws/bedrock-agentcore-sdk-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/bedrock-agentcore-sdk-python/compare/v1.4.7...v1.4.8)

Updates `openai` from 2.29.0 to 2.30.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/openai/openai-python/compare/v2.29.0...v2.30.0)

Updates `google-genai` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/googleapis/python-genai/releases)
- [Changelog](https://github.com/googleapis/python-genai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-genai/compare/v1.68.0...v1.69.0)

Updates `hypothesis` from 6.151.9 to 6.151.10
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.151.9...hypothesis-python-6.151.10)

Updates `ruff` from 0.15.7 to 0.15.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: boto3
  dependency-version: 1.42.78
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: strands-agents
  dependency-version: 1.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: strands-agents-tools
  dependency-version: 0.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: aws-opentelemetry-distro
  dependency-version: 0.16.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: bedrock-agentcore
  dependency-version: 1.4.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: openai
  dependency-version: 2.30.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: google-genai
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.151.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): downgrade cachetools to 6.2.4

- Downgrade cachetools from 7.0.5 to 6.2.4 in backend dependencies
- Resolves compatibility issues with OAuth provider management

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* chore(deps): pin fast-check to exact version 4.6.0

- Remove caret (^) version constraint from fast-check dependency
- Update package.json to use exact version 4.6.0
- Update package-lock.json to reflect pinned version
- Ensure consistent dependency resolution across environments

* feat: add fine-tuning cost dashboard and user cost breakdown (#108)

* feat: add fine-tuning cost dashboard and user cost breakdown

- Introduced new models for cost dashboard and user cost breakdown in the admin API.
- Implemented endpoint to retrieve aggregated cost data for fine-tuning jobs.
- Enhanced fine-tuning access control to support default monthly quota hours for users without explicit grants.
- Added new routes and frontend components for displaying fine-tuning costs and usage statistics.
- Updated infrastructure configuration to include default quota hours for fine-tuning.
- Added tests to ensure proper functionality of new features and configurations.

* fix(logging): improve log message formatting for cost dashboard request

* fix(logging): sanitize period string in cost dashboard log message

* check in share conversations specs

* chore(docs): update versioning documentation and release notes for v1.0.0-beta.20

- Update versioning skill and rule documentation to include README.md version badge and "Current release" text in sync script scope
- Update Kiro steering guide to document README.md and lockfile updates in version sync process
- Bump version badge in README.md from v1.0.0-beta.19 to v1.0.0-beta.20
- Update "Current release" text in README.md to v1.0.0-beta.20
- Add comprehensive release notes for v1.0.0-beta.20 with highlights on document deletion, displayText system, fine-tuning cost dashboard, and dependency updates
- Ensure all AI assistant rule files reflect current versioning workflow

* ci(frontend): remove common scripts from workflow triggers and restrict CDK jobs to non-PR events

- Remove 'scripts/common/**' from push and pull_request trigger paths
- Add condition to synth-cdk job to skip execution on pull_request events
- Update test-cdk job condition to exclude pull_request events while preserving skip_tests logic
- Prevents unnecessary CDK synthesis and testing during pull requests to reduce workflow overhead

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh (#118)

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* Purge outdated AI specs and documentation (#121)

* spring cleaning. AI spec file and outdated documentation purge

* spring cleanup --> purging old ai specs and outdated docs

---------

Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* Feat/cognito first boot auth (#125)

* feat: replace multi-step auth bootstrap with Cognito first-boot experience

- Add Cognito User Pool, App Client, and Domain to CDK infrastructure
- Implement first-boot backend with race-condition-safe DynamoDB writes
- Add CognitoJWTValidator replacing GenericOIDCJWTValidator
- Add federated identity provider management via Cognito IdP APIs
- Migrate frontend to Cognito OAuth 2.0 + PKCE flow
- Add first-boot setup page with admin account creation
- Update AgentCore Runtime to single Cognito JWT authorizer
- Remove runtime-provisioner and runtime-updater Lambdas
- Remove hardcoded Entra ID configuration from CDK and scripts
- Remove auth provider seeding from bootstrap workflow
- Wire SSM parameters across stacks for Cognito config
- Update GitHub Actions workflows for Cognito context values

* FOR TESTING ONLY< REVERT BEFORE MERGING

* Feat/cognito first boot auth (#123)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource IDs, and directory paths
- Enable authentication and quota enforcement in runtime environment
- Configure frontend URL and CORS origins for cross-origin requests

* feat(inference-api): remove gateway URL parameter and simplify CORS origins

- Remove SSM parameter import for gateway URL from InferenceApiStack
- Remove GATEWAY_URL environment variable from AgentCore runtime configuration
- Replace SSM-imported CORS origins with config-based construction to avoid circular dependency between InferenceApiStack and FrontendStack
- Construct CORS origins dynamically from config.domainName (https://{domain}) with localhost fallback for development
- Eliminates circular dependency: InferenceApiStack ↔ FrontendStack by removing reliance on FrontendStack SSM parameters

* chore(frontend): update favicon and logo assets

- Remove redundant favicon PNG variants (android-chrome, apple-touch-icon, favicon-16x16, favicon-32x32)
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Consolidate favicon assets to reduce redundancy and improve maintainability

* feat(inference-api): add AWS Marketplace permissions for Bedrock model access

- Add MarketplaceModelAccess policy statement to runtime execution role
- Grant aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe actions
- Enable foundation model access for marketplace-gated models like Anthropic Claude
- Required for subscription validation before Bedrock model invocation

* Release 1.0.0-beta.19: Conversation sharing, session compaction, fine-tuning enhancements, CI optimization

## Features
- Conversation sharing with public/email-restricted access via shareable URLs
- Session compaction enabled by default (100K token threshold, 3 protected turns)
- Fine-tuning: drag-and-drop dataset upload, custom HuggingFace model support

## Security
- Resolve all CodeQL clear-text logging alerts (secrets, tokens, ARNs redacted)
- OAuth redirect URL validation to prevent open redirects
- Explicit read-only permissions on all 13 GitHub Actions workflows

## Performance
- Frontend production build optimized: 8.85 MB → 4.96 MB (871 KB gzipped)
- PR workflows trimmed: skip Docker builds, CDK synth, and redundant jobs

## Infrastructure
- New shared-conversations DynamoDB table with SessionShare and OwnerShare GSIs
- Bedrock prompt caching temporarily disabled due to provider limitations

## Bug Fixes
- Google Fonts moved to index.html to fix CI build failure
- Private sharing support (owner-only shares)

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* refactor(inference-api): remove underscore prefix from containerImageUri variable

- Remove underscore prefix from containerImageUri variable name
- Improve code clarity by following standard naming conventions
- Variable is used throughout the stack and should follow public naming patterns

* chore(deps): add cognitoidp moto extra and update infrastructure tests

- Add cognitoidp extra to moto dependency in uv.lock for Cognito IDP mocking support
- Update moto dependency extras to include both cognitoidp and dynamodb
- Refactor IAM policy assertions in inference-api-stack tests to search both inline and managed policies
- Simplify policy verification logic to use findResources and filter by policy attributes
- Remove S3 bucket and S3 Vector Store test sections from app-api-stack tests
- Update test assertions to be more flexible with policy resource types

* chore(frontend): update favicon and logo assets

- Add Android Chrome favicon variants (192x192 and 512x512)
- Add Apple Touch Icon for iOS devices
- Add favicon sizes for 16x16 and 32x32 resolutions
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Update logo-light.png with refreshed branding
- Improve cross-platform icon support and visual consistency

* fix(auth-providers): remove OIDC discovery endpoint and add JSON parsing error handling

- Remove POST /discover endpoint for OIDC endpoint discovery from admin routes
- Add try-except blocks to handle JSON parsing errors in AuthProviderRepository
- Gracefully default to empty dict when SecretString is invalid or malformed
- Improve resilience when retrieving auth provider secrets from AWS Secrets Manager

---------

Co-authored-by: Colin <colin@colin-os>

* Feat/cognito first boot auth (#124)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permissio…
colinmxs added a commit that referenced this pull request Jun 26, 2026
* Release/v1.0.0 beta.25 (#282)

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* docs(readme): update version badges and tech stack to v1.0.0-beta.18

- Update release badge from v1.0.0-beta.17 to v1.0.0-beta.18
- Bump Tailwind CSS version from v4.1 to v4.2 in all references
- Update current release version in release notes section
- Reflect latest dependency versions in architecture and tech stack documentation

* feat(embeddings): add optional token validation bypass for search queries

- Add skip_token_validation parameter to generate_embeddings function
- Allow skipping tiktoken-based token validation for short inputs where tiktoken may not be installed
- Update search_assistant_knowledgebase to skip validation for query embeddings
- Enables embedding generation in environments where tiktoken is unavailable (e.g., search Lambda)

* refactor(embeddings): extract shared embedding logic to separate module

- Move core embedding generation and vector store operations to apis.shared.embeddings
- Create new shared bedrock_embeddings module with generate_embeddings, store_embeddings_in_s3, search_assistant_knowledgebase, and delete_vectors_for_document
- Extract vector search logic to new apis.shared.assistants.vector_search module
- Keep ingestion-specific token validation (tiktoken-based) in app_api embeddings module
- Update ingestion embeddings module to re-export shared functions for backward compatibility
- Simplify bedrock_embeddings in ingestion pipeline to focus on chunk validation and splitting
- Update imports across documents routes and rag_service to use new shared modules
- Reduces code duplication and establishes clear separation between shared RAG infrastructure and ingestion-specific concerns

* docs(release-notes): document v1.0.0-beta.19 features and fixes

- Add Angular production build optimization section explaining minification and tree-shaking enablement
- Document embeddings refactor extracting shared logic to apis.shared.embeddings module
- Add skip_token_validation parameter documentation for generate_embeddings function
- Update highlights section to mention Angular production build optimization
- Clarify CodeQL workflow improvements and unused import/variable cleanup
- Enable optimization flag in angular.json production configuration for reduced bundle size

* docs(release-notes): remove Angular optimization section and revert config

- Remove "Frontend Production Build Optimization" section from release notes
- Revert optimization flag removal from angular.json production configuration
- Align documentation with actual production build configuration state

* feat: add API Keys section to README for programmatic access to AI models

* fix(model_config): comment out caching configuration due to Bedrock limitations

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

---------

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* Potential fix for code scanning alert no. 510: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* fix github warnings

* fix log issue

---------

Signed-off-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler-cli"
  dependency-version: 21.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jest and @types/jest in /infrastructure (#92)

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) and [@types/jest](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/jest). These dependencies needed to be updated together.

Updates `jest` from 29.7.0 to 30.3.0
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.3.0/packages/jest)

Updates `@types/jest` from 29.5.14 to 30.0.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.3.0
  dependency-type: direct:development
  update-type: version-update:semver-major
- dependency-name: "@types/jest"
  dependency-version: 30.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add conversation deleting handling for shared conversations + bug fix

* chore(deps)(deps): bump constructs (#91)

Bumps the infra-minor-patch group in /infrastructure with 1 update: [constructs](https://github.com/aws/constructs).


Updates `constructs` from 10.5.1 to 10.6.0
- [Release notes](https://github.com/aws/constructs/releases)
- [Commits](https://github.com/aws/constructs/compare/v10.5.1...v10.6.0)

---
updated-dependencies:
- dependency-name: constructs
  dependency-version: 10.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: infra-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(messages): displayText support for RAG-augmented and file attachment messages (#107)

* feat(messages): add displayText support for RAG-augmented messages

- Add original_message parameter to stream_async and StreamCoordinator to preserve user input before RAG augmentation
- Store displayText in message metadata when original message differs from augmented version
- Add display_text field to MessageMetadata model with displayText alias for JSON serialization
- Update chat_stream route to pass original message when RAG augmentation is applied
- Enhance metadata retrieval to query both cost records (C#) and display text records (D#) from DynamoDB
- Add store_user_display_text function to persist original message text for clean UI display
- Update .gitignore to exclude local dev scripts (start.sh)
- Improves user experience by showing original unaugmented messages in conversation UI while maintaining RAG-enhanced context for agent processing

* feat(messages): add displayText support for file attachments and local runtime override

- Add LOCAL_RUNTIME_ENDPOINT_URL environment variable support for development runtime override in auth routes
- Extend displayText storage to handle file attachment content block modifications, not just RAG augmentation
- Add message_will_be_modified logic to determine when original message should be stored as displayText
- Implement showDebugOutput local settings signal for toggling debug information display
- Update user message component to display original text when displayText is available
- Add debug output toggle to chat preferences settings page
- Update session metadata documentation to clarify displayText usage for all prompt modifications
- Ensure original user message is preserved for UI display while augmented prompt remains in AgentCore Memory

* test(metadata): add displayText (D# record) tests for store and retrieval

* chore(deps): bump fast-check from 3.23.2 to 4.6.0

- Update fast-check to version 4.6.0 with caret constraint for minor/patch updates
- Update pure-rand dependency to 4.6.0's requirement of ^8.0.0 (from ^6.1.0)
- Increase minimum Node.js requirement from 8.0.0 to 12.17.0
- Migrate auth-pbt.spec.ts to use fast-check 4.x API (stringOf → string with unit parameter)

* chore(deps)(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 (#99)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 6.0.0 to 7.0.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 (#98)

Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 7.0.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](https://github.com/actions/download-artifact/compare/37930b1c2abaa49bbe596cd826c3c89aef350131...3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the python-minor-patch group in /backend with 10 updates (#96)

* chore(deps)(deps): bump the python-minor-patch group

Bumps the python-minor-patch group in /backend with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [uvicorn](https://github.com/Kludex/uvicorn) | `0.35.0` | `0.42.0` |
| [boto3](https://github.com/boto/boto3) | `1.42.73` | `1.42.78` |
| [strands-agents](https://github.com/strands-agents/sdk-python) | `1.32.0` | `1.33.0` |
| [strands-agents-tools](https://github.com/strands-agents/tools) | `0.2.23` | `0.3.0` |
| [aws-opentelemetry-distro](https://github.com/aws-observability/aws-otel-python-instrumentation) | `0.14.2` | `0.16.0` |
| [bedrock-agentcore](https://github.com/aws/bedrock-agentcore-sdk-python) | `1.4.7` | `1.4.8` |
| [openai](https://github.com/openai/openai-python) | `2.29.0` | `2.30.0` |
| [google-genai](https://github.com/googleapis/python-genai) | `1.68.0` | `1.69.0` |
| [hypothesis](https://github.com/HypothesisWorks/hypothesis) | `6.151.9` | `6.151.10` |
| [ruff](https://github.com/astral-sh/ruff) | `0.15.7` | `0.15.8` |


Updates `uvicorn` from 0.35.0 to 0.42.0
- [Release notes](https://github.com/Kludex/uvicorn/releases)
- [Changelog](https://github.com/Kludex/uvicorn/blob/main/docs/release-notes.md)
- [Commits](https://github.com/Kludex/uvicorn/compare/0.35.0...0.42.0)

Updates `boto3` from 1.42.73 to 1.42.78
- [Release notes](https://github.com/boto/boto3/releases)
- [Commits](https://github.com/boto/boto3/compare/1.42.73...1.42.78)

Updates `strands-agents` from 1.32.0 to 1.33.0
- [Release notes](https://github.com/strands-agents/sdk-python/releases)
- [Commits](https://github.com/strands-agents/sdk-python/compare/v1.32.0...v1.33.0)

Updates `strands-agents-tools` from 0.2.23 to 0.3.0
- [Release notes](https://github.com/strands-agents/tools/releases)
- [Commits](https://github.com/strands-agents/tools/compare/v0.2.23...v0.3.0)

Updates `aws-opentelemetry-distro` from 0.14.2 to 0.16.0
- [Release notes](https://github.com/aws-observability/aws-otel-python-instrumentation/releases)
- [Changelog](https://github.com/aws-observability/aws-otel-python-instrumentation/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-observability/aws-otel-python-instrumentation/compare/v0.14.2...v0.16.0)

Updates `bedrock-agentcore` from 1.4.7 to 1.4.8
- [Release notes](https://github.com/aws/bedrock-agentcore-sdk-python/releases)
- [Changelog](https://github.com/aws/bedrock-agentcore-sdk-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/bedrock-agentcore-sdk-python/compare/v1.4.7...v1.4.8)

Updates `openai` from 2.29.0 to 2.30.0
- [Release notes](https://github.com/openai/openai-python/releases)
- [Changelog](https://github.com/openai/openai-python/blob/main/CHANGELOG.md)
- [Commits](https://github.com/openai/openai-python/compare/v2.29.0...v2.30.0)

Updates `google-genai` from 1.68.0 to 1.69.0
- [Release notes](https://github.com/googleapis/python-genai/releases)
- [Changelog](https://github.com/googleapis/python-genai/blob/main/CHANGELOG.md)
- [Commits](https://github.com/googleapis/python-genai/compare/v1.68.0...v1.69.0)

Updates `hypothesis` from 6.151.9 to 6.151.10
- [Release notes](https://github.com/HypothesisWorks/hypothesis/releases)
- [Commits](https://github.com/HypothesisWorks/hypothesis/compare/hypothesis-python-6.151.9...hypothesis-python-6.151.10)

Updates `ruff` from 0.15.7 to 0.15.8
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/0.15.7...0.15.8)

---
updated-dependencies:
- dependency-name: uvicorn
  dependency-version: 0.42.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: boto3
  dependency-version: 1.42.78
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: strands-agents
  dependency-version: 1.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: strands-agents-tools
  dependency-version: 0.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: aws-opentelemetry-distro
  dependency-version: 0.16.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: bedrock-agentcore
  dependency-version: 1.4.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: openai
  dependency-version: 2.30.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: google-genai
  dependency-version: 1.69.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: python-minor-patch
- dependency-name: hypothesis
  dependency-version: 6.151.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
- dependency-name: ruff
  dependency-version: 0.15.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: python-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): downgrade cachetools to 6.2.4

- Downgrade cachetools from 7.0.5 to 6.2.4 in backend dependencies
- Resolves compatibility issues with OAuth provider management

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* chore(deps): pin fast-check to exact version 4.6.0

- Remove caret (^) version constraint from fast-check dependency
- Update package.json to use exact version 4.6.0
- Update package-lock.json to reflect pinned version
- Ensure consistent dependency resolution across environments

* feat: add fine-tuning cost dashboard and user cost breakdown (#108)

* feat: add fine-tuning cost dashboard and user cost breakdown

- Introduced new models for cost dashboard and user cost breakdown in the admin API.
- Implemented endpoint to retrieve aggregated cost data for fine-tuning jobs.
- Enhanced fine-tuning access control to support default monthly quota hours for users without explicit grants.
- Added new routes and frontend components for displaying fine-tuning costs and usage statistics.
- Updated infrastructure configuration to include default quota hours for fine-tuning.
- Added tests to ensure proper functionality of new features and configurations.

* fix(logging): improve log message formatting for cost dashboard request

* fix(logging): sanitize period string in cost dashboard log message

* check in share conversations specs

* chore(docs): update versioning documentation and release notes for v1.0.0-beta.20

- Update versioning skill and rule documentation to include README.md version badge and "Current release" text in sync script scope
- Update Kiro steering guide to document README.md and lockfile updates in version sync process
- Bump version badge in README.md from v1.0.0-beta.19 to v1.0.0-beta.20
- Update "Current release" text in README.md to v1.0.0-beta.20
- Add comprehensive release notes for v1.0.0-beta.20 with highlights on document deletion, displayText system, fine-tuning cost dashboard, and dependency updates
- Ensure all AI assistant rule files reflect current versioning workflow

* ci(frontend): remove common scripts from workflow triggers and restrict CDK jobs to non-PR events

- Remove 'scripts/common/**' from push and pull_request trigger paths
- Add condition to synth-cdk job to skip execution on pull_request events
- Update test-cdk job condition to exclude pull_request events while preserving skip_tests logic
- Prevents unnecessary CDK synthesis and testing during pull requests to reduce workflow overhead

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh (#118)

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* Purge outdated AI specs and documentation (#121)

* spring cleaning. AI spec file and outdated documentation purge

* spring cleanup --> purging old ai specs and outdated docs

---------

Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* Feat/cognito first boot auth (#125)

* feat: replace multi-step auth bootstrap with Cognito first-boot experience

- Add Cognito User Pool, App Client, and Domain to CDK infrastructure
- Implement first-boot backend with race-condition-safe DynamoDB writes
- Add CognitoJWTValidator replacing GenericOIDCJWTValidator
- Add federated identity provider management via Cognito IdP APIs
- Migrate frontend to Cognito OAuth 2.0 + PKCE flow
- Add first-boot setup page with admin account creation
- Update AgentCore Runtime to single Cognito JWT authorizer
- Remove runtime-provisioner and runtime-updater Lambdas
- Remove hardcoded Entra ID configuration from CDK and scripts
- Remove auth provider seeding from bootstrap workflow
- Wire SSM parameters across stacks for Cognito config
- Update GitHub Actions workflows for Cognito context values

* FOR TESTING ONLY< REVERT BEFORE MERGING

* Feat/cognito first boot auth (#123)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDeleteUser permission for user deletion operations
- Add cognito-idp:AdminAddUserToGroup permission for group membership management
- Add cognito-idp:CreateGroup permission for group creation operations
- Enables system admin functionality for managing Cognito user pools and groups

* refactor(auth): replace user email with name in logging and events

- Replace user.email with user.name in quota event recorder metadata
- Update admin cost dashboard logging to use user.name instead of email
- Update admin users routes logging to use user.name instead of email
- Update file upload routes logging to use user.name instead of email
- Update model routes logging to use user.name instead of email
- Update tools routes logging to use user.name instead of email
- Update OAuth routes logging to use user.name instead of email
- Update user models and routes logging to use user.name instead of email
- Update auth service and user service in frontend to use name field
- Standardize user identification across backend and frontend to use name for privacy and consistency

* feat(frontend): update logos and URL-encode inference API ARN

- Update logo-dark.png and logo-light.png assets
- Add URL encoding for ARN portion in inferenceApiUrl computed signal
- Prevent URL parsing errors caused by colons and slashes in AgentCore runtime ARNs
- Improve config service documentation with encoding behavior explanation

* fix(frontend): add /invocations path to inference API endpoints

- Update preview-chat.service.ts to include /invocations path in runtime endpoint URL
- Update chat-http.service.ts to include /invocations path in runtime endpoint URL
- Fixes inference API calls by using correct endpoint path with qualifier parameter

* feat(inference-api): add Authorization header to ALB request configuration

- Add requestHeaderConfiguration to ALB listener rule
- Include Authorization header in requestHeaderAllowlist
- Enable proper header propagation for authenticated requests to inference API

* refactor(auth): consolidate RBAC to AppRole-based authorization

- Replace multiple role-checking functions with single require_app_roles dependency
- Remove require_roles, require_all_roles, has_any_role, has_all_roles, and role-specific decorators (require_faculty, require_staff, require_developer, require_aws_ai_access)
- Update rbac.py to resolve permissions through AppRoleService instead of hardcoded JWT groups
- Simplify auth module exports to only expose require_app_roles and require_admin
- Update admin routes to remove unused role imports
- Add comprehensive docstring explaining AppRole system as single source of truth for permissions
- Update tests to reflect new authorization flow via AppRoleService

* feat(inference-api): add SSM parameters and environment variables to AgentCore runtime

- Import DynamoDB table names from SSM parameters for users, RBAC, auth, OAuth, quota, cost tracking, and file uploads
- Import S3 bucket and vector index names for RAG functionality
- Import gateway URL and frontend CORS origins from SSM parameters
- Add comprehensive environment variables to AgentCore runtime configuration including DynamoDB table mappings, authentication settings, OAuth configuration, AgentCore resource IDs, and directory paths
- Enable authentication and quota enforcement in runtime environment
- Configure frontend URL and CORS origins for cross-origin requests

* feat(inference-api): remove gateway URL parameter and simplify CORS origins

- Remove SSM parameter import for gateway URL from InferenceApiStack
- Remove GATEWAY_URL environment variable from AgentCore runtime configuration
- Replace SSM-imported CORS origins with config-based construction to avoid circular dependency between InferenceApiStack and FrontendStack
- Construct CORS origins dynamically from config.domainName (https://{domain}) with localhost fallback for development
- Eliminates circular dependency: InferenceApiStack ↔ FrontendStack by removing reliance on FrontendStack SSM parameters

* chore(frontend): update favicon and logo assets

- Remove redundant favicon PNG variants (android-chrome, apple-touch-icon, favicon-16x16, favicon-32x32)
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Consolidate favicon assets to reduce redundancy and improve maintainability

* feat(inference-api): add AWS Marketplace permissions for Bedrock model access

- Add MarketplaceModelAccess policy statement to runtime execution role
- Grant aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe actions
- Enable foundation model access for marketplace-gated models like Anthropic Claude
- Required for subscription validation before Bedrock model invocation

* Release 1.0.0-beta.19: Conversation sharing, session compaction, fine-tuning enhancements, CI optimization

## Features
- Conversation sharing with public/email-restricted access via shareable URLs
- Session compaction enabled by default (100K token threshold, 3 protected turns)
- Fine-tuning: drag-and-drop dataset upload, custom HuggingFace model support

## Security
- Resolve all CodeQL clear-text logging alerts (secrets, tokens, ARNs redacted)
- OAuth redirect URL validation to prevent open redirects
- Explicit read-only permissions on all 13 GitHub Actions workflows

## Performance
- Frontend production build optimized: 8.85 MB → 4.96 MB (871 KB gzipped)
- PR workflows trimmed: skip Docker builds, CDK synth, and redundant jobs

## Infrastructure
- New shared-conversations DynamoDB table with SessionShare and OwnerShare GSIs
- Bedrock prompt caching temporarily disabled due to provider limitations

## Bug Fixes
- Google Fonts moved to index.html to fix CI build failure
- Private sharing support (owner-only shares)

* Release 1.0.0-beta.20: Document soft-delete, displayText, fine-tuning costs, CodeQL remediation, dependency refresh

Reliable document deletion, displayText for RAG-augmented messages,
fine-tuning cost dashboard, assistant archive removal, and a full
dependency refresh across Python, npm, and GitHub Actions.

Features:
- Soft-delete document lifecycle with background cleanup, retry logic,
  DynamoDB TTL backstop, and search filtering for mid-deletion docs
- Upload failure reporting endpoint for client-side error tracking
- DisplayText system preserving original user messages when RAG
  augmentation or file attachments modify the prompt sent to the agent
- Debug output toggle in chat preferences for prompt inspection
- Fine-tuning cost dashboard with per-user breakdowns and default
  monthly quota hours
- Shared conversation cascade deletion on session delete

Removals:
- Assistant archive functionality (ARCHIVED status, archive endpoint,
  include_archived parameter) replaced with single delete operation

Security & Code Quality:
- All CodeQL findings resolved (180 log injection fixes, 5 silent
  exception fixes, cyclic import elimination, 13 unused variables)
- Four Dependabot security patches (requests, picomatch, diff)

CI/CD:
- CDK synth skipped on PRs for app-api and frontend workflows
- scripts/common/** removed from frontend workflow path triggers
- GitHub Actions bumped (upload-artifact v7, download-artifact v8,
  setup-node v6, codeql-action latest)

Testing:
- Analog.js testing migration for frontend (vitest config removed)
- fast-check v4.6.0 added for property-based frontend tests
- 4,200+ lines of new backend tests for document deletion flows

Tooling:
- sync-version.sh now auto-updates README badge and current release text
- Versioning steering docs updated across Kiro, Cursor, and Claude
- Release notes steering doc added (fileMatch on RELEASE_NOTES.md)

Dependencies:
- Python: uvicorn 0.42.0, strands-agents 1.33.0, strands-agents-tools
  0.3.0, aws-opentelemetry-distro 0.16.0, bedrock-agentcore 1.4.8,
  openai 2.30.0, cachetools downgraded to 6.2.4 for compatibility
- Frontend: Angular 21.2.6, @angular/cdk 21.2.4
- Infrastructure: aws-cdk group bumped, constructs bumped

* refactor(inference-api): remove underscore prefix from containerImageUri variable

- Remove underscore prefix from containerImageUri variable name
- Improve code clarity by following standard naming conventions
- Variable is used throughout the stack and should follow public naming patterns

* chore(deps): add cognitoidp moto extra and update infrastructure tests

- Add cognitoidp extra to moto dependency in uv.lock for Cognito IDP mocking support
- Update moto dependency extras to include both cognitoidp and dynamodb
- Refactor IAM policy assertions in inference-api-stack tests to search both inline and managed policies
- Simplify policy verification logic to use findResources and filter by policy attributes
- Remove S3 bucket and S3 Vector Store test sections from app-api-stack tests
- Update test assertions to be more flexible with policy resource types

* chore(frontend): update favicon and logo assets

- Add Android Chrome favicon variants (192x192 and 512x512)
- Add Apple Touch Icon for iOS devices
- Add favicon sizes for 16x16 and 32x32 resolutions
- Update favicon.ico with new design
- Update logo-dark.png with refreshed branding
- Update logo-light.png with refreshed branding
- Improve cross-platform icon support and visual consistency

* fix(auth-providers): remove OIDC discovery endpoint and add JSON parsing error handling

- Remove POST /discover endpoint for OIDC endpoint discovery from admin routes
- Add try-except blocks to handle JSON parsing errors in AuthProviderRepository
- Gracefully default to empty dict when SecretString is invalid or malformed
- Improve resilience when retrieving auth provider secrets from AWS Secrets Manager

---------

Co-authored-by: Colin <colin@colin-os>

* Feat/cognito first boot auth (#124)

* test(auth-sweep): add system status endpoints to public route patterns

- Add /system/status to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- Add /system/first-boot to PUBLIC_ROUTE_PATTERNS for unauthenticated access
- These endpoints should be accessible without authentication for system initialization and health checks

* chore(deps): add cognitoidp extra to moto dev dependency

- Add cognitoidp extra to moto[dynamodb] in pyproject.toml dev dependencies
- Update uv.lock to include cognitoidp extra across all moto references
- Add joserfc package as transitive dependency for cognitoidp support
- Enable Cognito IDP mocking capabilities for development and testing

* test(auth-guard,config-service): add missing service mocks and config properties

- Add SystemService mock to auth.guard.spec.ts test setup
- Import SystemService dependency in auth guard test file
- Add checkStatus mock method to systemService test double
- Register SystemService provider in TestBed configuration
- Add inferenceApiUrl property to validConfig test fixture in config.service.spec.ts
- Ensure test doubles accurately reflect service dependencies for proper test isolation

* feat(system-admin): add JWT role mapping for system_admin Cognito group

- Add JWT_MAPPING#system_admin item to DynamoDB during bootstrap seeding
- Update system_admin role jwtRoleMappings to include "system_admin" group
- Implement add_user_to_group method in CognitoService to manage group membership
- Add user to system_admin Cognito group during first_boot with rollback on failure
- Update test assertions to verify JWT mapping creation and role configuration
- Enables Cognito to include system_admin group in JWT cognito:groups claim for RBAC resolution

* feat(infrastructure): add Cognito user and group management permissions

- Add cognito-idp:AdminDelete…
philmerrell added a commit that referenced this pull request Jul 10, 2026
* Fix/dependabot quick fixes (#489)

* fix(deps): remediate all 22 HIGH Dependabot findings

Bumps vulnerable dependencies across backend, scripts, and frontend to
patched versions. All 22 open HIGH-severity Dependabot alerts addressed.

Backend (pyproject.toml + uv.lock):
- cryptography 47.0.0 -> 48.0.1 (GHSA-537c-gmf6-5ccf)
- starlette 1.0.0 -> 1.3.1 (CVE-2026-48818, CVE-2026-54283)
- python-multipart 0.0.27 -> 0.0.30 (CVE-2026-53539)
- pyjwt[crypto] 2.12.1 -> 2.13.0 (CVE-2026-48526)
- urllib3 pinned 2.7.0 (CVE-2026-44431, CVE-2026-44432)

Scripts (backup-data, restore-data):
- add uv constraint cryptography>=48.0.1 -> 49.0.0 (GHSA-537c-gmf6-5ccf)

Frontend (package.json + package-lock.json):
- @angular/* framework 21.2.11 -> 21.2.17 (CVE-2026-50170/50171/54266/54267/54268)
  (cdk 21.2.14, build/cli 21.2.16 -- latest existing patch for those packages)
- hono override -> 4.12.26 (CVE-2026-54290)
- piscina override -> 5.2.0 (CVE-2026-55388)
- undici override -> 7.28.0 (CVE-2026-9697)
- vite override -> 8.0.16 (CVE-2026-53571)

Verified: backend pytest 3935 passed/3 skipped; frontend build OK;
frontend unit tests 1216 passed. All locked versions >= patched thresholds.

* fix(deps): remediate easy MEDIUM/LOW Dependabot findings

Straightforward in-range/direct dependency bumps for remaining alerts.
Risky or blocked findings deliberately left out (see below).

Backend (pyproject.toml + uv.lock):
- aiohttp 3.13.5 -> 3.14.1
- authlib 1.7.0 -> 1.7.1
- python-multipart 0.0.30 -> 0.0.31
- idna pinned 3.15 (transitive)

Scripts (backup-data, restore-data):
- pytest 8.4.2 -> 9.0.3 (dev)

Frontend (package.json + package-lock.json):
- mermaid 11.14.0 -> 11.15.0 (direct)
- @babel/core override ">=7.29.6 <8.0.0" -> 7.29.7
  (bounded to 7.x; open-ended pulled babel 8 which broke the Angular build)

Infrastructure (package-lock.json, lock-only):
- @babel/core -> 7.29.7 (within range)

Deliberately NOT included (not "easy"):
- esbuild 0.28.1: pinned by vite 8; override risks build breakage (low sev)
- js-yaml 4.2.0: major bump (consumers pin ^3)
- dompurify: one alert has no patched version published
- infra fast-uri (HIGH) / brace-expansion / js-yaml: bundled inside
  aws-cdk-lib@2.251.0/node_modules; npm overrides can't reach them.
  Requires an aws-cdk-lib upgrade -- separate, deliberate change.

Verified: backend pytest 3935 passed/3 skipped; frontend build OK +
1216 unit tests passed; infra tsc build OK + 396 jest tests passed.

* fix(deps): upgrade aws-cdk-lib 2.251.0 -> 2.260.0 to clear bundled CVEs

The remaining infra Dependabot HIGH/MEDIUM alerts were in deps bundled
inside aws-cdk-lib's own node_modules (unreachable by npm overrides):
- fast-uri 3.1.0 -> 3.1.2 (HIGH, 2 advisories) — bundled via ajv
- brace-expansion 5.0.5 -> 5.0.6 (MEDIUM) — bundled via minimatch

Bumping aws-cdk-lib to 2.260.0 (latest 2.x) re-bundles both at patched
versions. constructs 10.6.0 already satisfies the ^10.5.0 peer (unchanged).

Verified: infra tsc build clean; jest 396 passed/18 suites (full
PlatformStack construction + Template.fromStack assertions, no template
regressions). cdk-lib v2 minor bump, backward compatible.

* ci: add pull_request test gate (backend/frontend/infra) (#490)

The deploy workflows (backend.yml, platform.yml, frontend-deploy.yml) only
run on push to develop/main and run their test jobs as a pre-deploy gate,
so unit tests never executed on the PR itself. PRs into develop ran only
skip-auth-guard.

Adds .github/workflows/ci.yml triggered on pull_request -> [develop, main]
with three parallel test jobs reusing the existing commands:
- test-backend:  uv sync + uv run pytest tests/
- test-frontend: npm ci + npm run test:ci (vitest)
- test-infra:    npm ci + npx jest

No build/deploy/AWS steps — deploys stay push-only. Actions are SHA-pinned
with the shared checkout SHA, runners pinned to ubuntu-24.04, and
cancel-in-progress: true (safe; no CDK deploy). Conforms to all
tests/supply_chain checks (31 passed).

* fix(infra): shared CloudFront cert + consistent domain/cert handling across edge origins (#491)

Collapse the three-separate-cert first-deploy footgun into one shared
wildcard, and make cert handling consistent and fail-loud across all
CloudFront origins.

- config.ts: add CDK_CLOUDFRONT_CERTIFICATE_ARN (top-level
  cloudfrontCertificateArn). frontend/artifacts/mcpSandbox certs fall
  back to it when their section-specific ARN is unset; section-specific
  wins. ALB cert stays separate (region-specific). One us-east-1 wildcard
  ({domain}+*.{domain}) now satisfies all three origins.
- artifacts-distribution-construct: add domain-set-but-cert-missing guard
  mirroring mcp-sandbox (replaces the false 'config.ts already enforced'
  comment + opaque fromCertificateArn(undefined) crash), and add a
  domain-less fallback to the CloudFront default domain so domain-less
  synth no longer crashes with 'reading startsWith'.
- load-env.sh: forward cloudfrontCertificateArn + mcpSandbox.certificateArn
  context params (were missing, breaking the cdk.context.json path).
- workflows: wire CDK_CLOUDFRONT_CERTIFICATE_ARN job-level env in
  platform / nightly / teardown.
- docs: step-02/step-03/ACTIONS-REFERENCE recommend the single shared
  cert and reframe per-origin vars as optional overrides; troubleshooting
  entry for the synth cert-guard failure.
- tests: CloudFront cert resolution (config), artifacts cert guard +
  domain-less fallback, and end-to-end shared-cert PlatformStack synth.
  Full infra suite: 20 suites / 406 tests green.

* Fix/cdk cli version and deploy node pin (#492)

* fix(infra): bump aws-cdk CLI 2.1120.0 -> 2.1128.0 to match aws-cdk-lib 2.260.0

aws-cdk-lib 2.260.0 emits cloud-assembly schema 54.0.0, but the pinned
aws-cdk CLI (2.1120.0) only reads up to schema 53 — so synth/deploy
failed with 'CDK CLI is not compatible with the CDK library ... Maximum
schema version supported is 53.x.x, but found 54.0.0. You need at least
CLI version 2.1128.0'. The library was bumped without bumping the CLI.

Scripts invoke 'npx cdk', which resolves the local aws-cdk devDependency
on the CI runner, so bumping the pin + regenerating the lockfile is the
fix. Also bump the devcontainer global CDK pin (Dockerfile) and the
version tables (README, dev-environment steering) that are documented to
track package.json, so the interactive 'cdk' in the container doesn't
drift and reproduce the same error locally.

Verified in the devcontainer: npx cdk --version -> 2.1128.0; a synth of
an aws-cdk-lib 2.260.0 assembly (manifest schema 54.0.0) is read by the
2.1128.0 CLI with exit 0; full infra suite 20 suites / 406 tests green.

* ci(platform): pin Node 22 in the PlatformStack deploy jobs

The deploy jobs in platform.yml and nightly-deploy-pipeline.yml were the
only jobs without actions/setup-node — they ran scripts/platform/deploy.sh
(which does npm ci + cdk via deploy.sh -> scripts/cdk/install.sh) on the
runner's ambient Node instead of the Node 22 every other job and the
devcontainer pin. Add setup-node (node 22 + npm cache) so the deploy
toolchain is pinned and reproducible.

Note: deps were already being installed (deploy.sh calls install.sh ->
npm ci); the recent schema-mismatch failure was the stale aws-cdk pin
(2.1120.0), fixed in 4339f261 by bumping to 2.1128.0. This change is the
toolchain-pinning gap the #396 refactor left in the deploy jobs.

* Fix/deploy fixes (#494)

* fix(infra): auto-generate IAM role names to avoid first-deploy collisions

Drop explicit roleName from the AgentCore memory/code-interpreter/browser/
gateway/runtime execution roles and the SageMaker execution role. Fixed
physical names collide with orphaned roles left by a rolled-back/partial
deploy. Every consumer references these roles by .roleArn (or resolves them
at runtime via GetGateway / SAGEMAKER_EXECUTION_ROLE_ARN), so auto-generated
names are safe.

* chore(infra): replace deprecated pointInTimeRecovery with pointInTimeRecoverySpecification

Silences the aws_dynamodb.TableOptions#pointInTimeRecovery deprecation
warnings across all DynamoDB table constructs. Synthesized CloudFormation
output is unchanged (still PointInTimeRecoveryEnabled: true).

* fix(deploy): re-seed image-tag SSM param when the referenced ECR image is missing

The seed guard skipped any URI-shaped value, trusting the build pipeline.
But image-tag params are not CFN-managed and survive teardown, so a stale
project-repo URI could outlive its ECR repo and break the AgentCore Runtime
/ ECS task def with 'repository does not exist'. Verify the image actually
exists (ecr describe-images) before skipping; otherwise overwrite with the
bootstrap URI.

* fix(infra): grant Cognito group + delete actions for first-boot admin setup

Add cognito-idp:CreateGroup and AdminAddUserToGroup (the first-boot flow
creates the system_admin group and adds the initial admin) plus
AdminDeleteUser (so the rollback path doesn't orphan a Cognito user and
block retry with UsernameExistsException) to the app-api task role.

* fix(infra): restore stable IAM role names for AgentCore execution roles (#495)

Reverts the roleName removal from 7107cf98 for the AgentCore memory/
code-interpreter/browser/gateway/runtime and SageMaker execution roles.

Auto-generating these names is unsafe on an already-deployed stack: the
role ARN feeds create-only properties on the AgentCore resources
(BrowserCustom/CodeInterpreterCustom executionRoleArn, Memory
memoryExecutionRoleArn, Gateway/Runtime roleArn). Renaming the role
replaces it (new ARN) -> forces replacement of the dependent AgentCore
resource -> CFN re-creates it with the same create-only Name -> 'already
exists' collision -> UPDATE_ROLLBACK. Confirmed via ai-sbmt-api-PlatformStack
events (BrowserCustom/CodeInterpreterCustom DELETE_COMPLETE with empty
PhysicalResourceId during rollback).

Orphaned fixed-name roles on a *fresh* deploy are handled by deleting the
orphans before deploying, not by renaming. Added comments on each role to
prevent re-introducing the auto-name change.

* fix(ci): build arm64 images on native ARM runners (#496)

The RAG ingestion Lambda and AgentCore Runtime are arm64, but the
post-refactor backend.yml ran their build jobs on amd64 (ubuntu-24.04).
inference-api compensated with QEMU emulation (platform: linux/arm64);
rag-ingestion had neither the platform input nor a build-one.sh PLATFORM,
so it produced an amd64 image -> the arm64 Lambda failed every invoke with
Runtime.InvalidEntrypoint (file uploads stuck 'uploading', no embeddings).

Restore the pre-refactor (main) approach: build both arm images on native
ubuntu-24.04-arm runners instead of emulating on amd64.

- backend.yml: build-inference-api and build-rag-ingestion -> runs-on
  ubuntu-24.04-arm; drop the QEMU-triggering platform input from
  inference-api (native build needs no emulation).
- build-one.sh: rag-ingestion PLATFORM=linux/arm64 (explicit native build).

Deploy jobs stay on ubuntu-24.04 (API-only, no docker build). Note: the
stale amd64 rag-ingestion ECR image must be deleted once so the content-hash
build doesn't skip the corrected arm64 build.

* feat(skills): gate skills feature behind SKILLS_ENABLED flag (default off) (#497)

* feat(skills): gate skills feature behind SKILLS_ENABLED flag (default off)

Defer the skills feature (user picker, admin catalog, skills mode) for a
release without removing any merged code. A new
apis/shared/feature_flags.py::skills_enabled() reads SKILLS_ENABLED
(default false), mirroring the FINE_TUNING_ENABLED precedent. Deployed
environments go dark automatically because the env var is absent; set
SKILLS_ENABLED=true on both app-api and inference-api to re-enable.

Gated surfaces (code and data left intact):
- app-api main.py: user-facing skills router mounted only when enabled.
- app-api admin/routes.py: admin skills + chat-mode-policy routers gated.
- app-api system/routes.py: GET /system/chat-settings reports chat/no-toggle/
  skillsEnabled:false when off (new skills_enabled field on the response).
- inference-api chat/routes.py: force skill -> chat when off (voice/other
  agent types untouched).
- SPA: ChatModeService.skillsEnabled drives admin nav hide; mode toggle and
  skills section auto-hide via allowModeToggle:false; SkillService eager load
  gated by an effect so a disabled env never fires the now-404 GET /skills/.

Tests default off; skills-mode tests opt in via SKILLS_ENABLED=true and new
off-behavior tests cover the forced-chat path and admin mount gating.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* test(model-settings): mock Skill/ChatMode services to stop teardown rejection

model-settings.spec instantiated the real SkillService and ChatModeService,
which fire /skills/ (now via an effect) and /system/chat-settings on
construction. With no httpMock those requests fail asynchronously, and the
SKILLS_ENABLED change shifted the timing so a console.error landed during
worker teardown — surfacing as an unhandled EnvironmentTeardownError that
failed the vitest run with exit 1 even though all 1218 tests passed.

Provide minimal mocks for both services so the spec fires no stray async
work. Full suite exits 0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* feat(tools): forward admin OIDC token on MCP tool discovery (#498)

The admin "discover from server" button signs its request as the app-api
task role (SigV4, service=lambda), but that role has no
lambda:InvokeFunctionUrl — only inference-api does. Against an
AuthType=AWS_IAM Lambda Function URL the signed request is rejected with
403, which surfaces during MCP client init as an anyio TaskGroup
ExceptionGroup and falls through to a generic 502.

For same-team MCP servers that validate a forwarded user JWT (Lambda URL
AuthType=NONE), discovery should mirror the runtime forward_auth_token
path and sign with the admin's own OIDC token instead of SigV4. Add a
forward_auth_token flag to MCPDiscoverRequest; when set, the discover
route forwards admin.raw_token as the bearer (400 if unavailable) and
skips SigV4. Provider-gated OAuth (3LO) discovery is still rejected — the
admin session can't supply an end-user provider token.

Wire the flag through the admin tool form's discover call so the existing
"Forward app authentication token" checkbox governs discovery too.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* fix(nightly): auto-teardown ephemeral nightly deploys; fix teardown for single-stack (#499)

Reconcile the nightly pipeline and teardown scripts with the single
PlatformStack, API-driven-deploy architecture.

nightly-deploy-pipeline.yml: restore the workflow_call input contract the
orchestrator still passes (ref, project-prefix, alb-subdomain, skip-teardown,
label, source-project-prefix, run-e2e). Every job now checks out inputs.ref and
deploys to the ephemeral inputs.project-prefix (never the shared environment).
Add an always() teardown job (needs all deploy/test jobs, gated on
skip-teardown) so every nightly stack is destroyed even on partial/failed
deploys -- no paying for idle resources. Ephemeral env runs with no custom
domain and an unset CDK_COGNITO_DOMAIN_PREFIX (defaults to the unique prefix).

scripts/nightly/teardown.sh: delete <prefix>-PlatformStack via cloudformation
delete-stack + wait (was a dead cdk-destroy loop over removed per-stack names).

scripts/teardown/destroy.sh: add PlatformStack to the foundation phase while
keeping legacy InfrastructureStack/app-stack handling, so the manual teardown
works for both single-stack and legacy deployments.

* fix(app-api): grant secretsmanager:PutSecretValue on auth-provider secret (#501)

The admin auth-providers endpoints (POST/DELETE /admin/auth-providers) write
the provider client-secret bag back to the auth-provider-secrets secret via
PutSecretValue (apis/shared/auth_providers/repository.py), but the App API
task role was only granted GetSecretValue. Configuring/removing an auth
provider failed with AccessDeniedException on secretsmanager:PutSecretValue.

Add a least-privilege PutSecretValue statement scoped to just the
auth-provider-secrets secret (trailing wildcard matches the random ARN
suffix). No other runtime-written secret needs this.

* Fix/nightly (#500)

* fix(nightly): auto-teardown ephemeral nightly deploys; fix teardown for single-stack

Reconcile the nightly pipeline and teardown scripts with the single
PlatformStack, API-driven-deploy architecture.

nightly-deploy-pipeline.yml: restore the workflow_call input contract the
orchestrator still passes (ref, project-prefix, alb-subdomain, skip-teardown,
label, source-project-prefix, run-e2e). Every job now checks out inputs.ref and
deploys to the ephemeral inputs.project-prefix (never the shared environment).
Add an always() teardown job (needs all deploy/test jobs, gated on
skip-teardown) so every nightly stack is destroyed even on partial/failed
deploys -- no paying for idle resources. Ephemeral env runs with no custom
domain and an unset CDK_COGNITO_DOMAIN_PREFIX (defaults to the unique prefix).

scripts/nightly/teardown.sh: delete <prefix>-PlatformStack via cloudformation
delete-stack + wait (was a dead cdk-destroy loop over removed per-stack names).

scripts/teardown/destroy.sh: add PlatformStack to the foundation phase while
keeping legacy InfrastructureStack/app-stack handling, so the manual teardown
works for both single-stack and legacy deployments.

* fix(nightly): restore test-infra/backend/frontend gates in deploy pipeline

The pipeline rewrite for ephemeral auto-teardown dropped the per-pipeline
test gates, breaking infrastructure/test/repo-shape.test.ts which requires:
  - build-*/code-deploy-* jobs gate on test-backend
  - deploy-frontend gates on test-frontend
  - deploy-platform gates on test-infra

Re-add the three test jobs (checking out inputs.ref) and the needs edges,
keeping the input-driven ephemeral deploy + always() teardown intact. Also
add the test jobs to teardown's needs so teardown waits for the whole graph.

Verified: npx jest repo-shape passes (49/49); both nightly workflow YAMLs
parse and all orchestrator calls pass only declared inputs.

* docs(infra): correct stale SSM comment on mcp-sandbox origin wiring (#502)

The McpSandboxDistributionConstruct doc comment claimed it publishes the
proxy origin to SSM at `/{prefix}/mcp-sandbox/origin`. That was true of the
pre-#396 standalone McpSandboxStack, but the single-stack consolidation
dropped the SSM publication: the origin is now exposed as `proxyOrigin` and
threaded through PlatformComputeRefs straight into inference-api's
`AGENTCORE_MCP_APPS_SANDBOX_ORIGIN` env var. The stale comment misleads
anyone debugging the sandbox (a missing SSM param looks like a broken
deploy when it is expected). Update the comment to match the code.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* chore(kaizen): weekly research scan 2026-06-19 (#493)

Generated by the kaizen-research skill. Top 5 ideas appended to
docs/kaizen/review-queue.md for the kaizen-review-prep run later this morning.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(mcp-apps): accept spec-array content in ui/message (#503)

The ui/message bridge handler read `params.content` as a single block
({type,text}), but per SEP-1865 / the ext-apps SDK the View sends an ARRAY
of content blocks (content: [{type:'text',text}]). Every spec-compliant
widget message was therefore rejected with -32000 "Invalid ui/message
params" (e.g. an MCP App's app.sendMessage()).

Read `content` as an array and concatenate its text blocks (mirrors the
ui/update-model-context handler). Update MessageParams to the array shape,
fix the two bridge specs that sent single objects, and add a multi-block
concatenation regression test.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* fix(mcp-apps): retry transient TLS/connect failures on MCP client start (#504)

A single TLS handshake blip (e.g. SSLV3_ALERT_HANDSHAKE_FAILURE from a
TLS-inspecting middlebox) or connection reset when starting an external
MCP client otherwise fails the whole agent build: Strands' start() raises
MCPClientInitializationError, the tool fails to load, and agent creation
errors out for the user.

UICapableMCPClient.start() now retries transient transport failures —
ConnectError/SSLError/timeouts, detected by walking the
MCPClientInitializationError -> ExceptionGroup -> httpx.ConnectError chain
— up to 3 attempts with exponential backoff. Non-transient errors (bad
URL, auth, protocol) are re-raised on the first attempt. Strands resets
its init future + background thread on failure (stop()), so re-invoking
start() is safe. Covers both external and gateway clients.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* fix(mcp-apps): give widget ui/message turns the loading + scroll affordances (#505)

A user turn initiated by an MCP App widget (ui/message → submitChatRequest)
appeared in the conversation but skipped the two affordances the composer
path triggers: the loading indicator (the page sets chatLoading before
submitting) and the scroll-to-top of the new user message (chat-container's
post-submit setTimeout). The widget delegate called the service directly,
bypassing the chat-input → chat-container → page chain.

- ChatStateService: add a `scrollToLastUserTick` signal + `requestScrollToLastUser()`.
- ChatContainer: react to the tick by scrolling the last user message to the
  top (mirrors onMessageSubmitted; skips the initial 0 so it doesn't scroll on
  mount).
- mcp-app-frame widget delegate: set chatLoading(true) and request the scroll
  around submitChatRequest (the user message is added synchronously inside it).

The composer path is untouched (it keeps its own setTimeout scroll), so no
existing behavior changes.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* feat(connectors): scaffold export-target adapters for saving conversations to connected apps (#507)

Extends the connector/adapter pattern that powers Google Drive document
import (read) to the write direction, so a connector can also be a
*destination* a user saves content to (e.g. saving a conversation
transcript to Drive). This is PR-1 of the plan in
docs/specs/conversation-export-connectors.md: data + capability scaffold
only, no user-facing behavior yet.

The connector auth layer (OAuthProvider + AgentCore Identity + consent UX)
is direction-agnostic and reused unchanged; only the capability layer is
new. Rather than bolting a write method onto the read-shaped
FileSourceAdapter, this adds a parallel ExportTargetAdapter registry.

- Add export_target_adapter_id to OAuthProvider (model, Dynamo
  serializers, repository apply_metadata_update) and the
  Create/Update/Response API models, mirroring file_source_adapter_id. A
  connector may now be both a file source and an export target.
- New apis/app_api/export_targets/ package: ExportTargetAdapter contract,
  ExportTargetMetadata (with supported_formats), ExportFormat /
  ExportDestination / CreatedFile models, and an ExportTargetRegistry
  singleton (intentionally empty until the Google Drive export adapter
  lands in PR-2).
- New admin GET /admin/export-target-adapters endpoint and
  _validate_export_target_adapter enforced on connector create/update.
- Tests mirror the file-source adapter tests, using a stub adapter under a
  test-only key so it never collides with the future shipped adapter.

Full backend suite green (3978 passed, 3 skipped).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* feat(export-targets): Google Drive export adapter + transcript renderer (#508)

PR-2 of the Save Conversations to Connected Apps feature
(docs/specs/conversation-export-connectors.md). Builds the write-side
capability on top of PR-1's scaffold: the first ExportTargetAdapter, the
transcript renderer, and the connector resolve/token helpers. Still no
user-facing endpoint — that lands in PR-3.

- GoogleDriveExportAdapter (drive.file scope, least privilege): multipart
  /related upload to /upload/drive/v3/files. GOOGLE_DOC uploads an HTML body
  against the Google Doc MIME type (Drive converts to a native Doc);
  MARKDOWN uploads a plain .md file. When no destination folder is given,
  find-or-creates a single app folder ("AI Conversations", overridable via
  EXPORT_DRIVE_FOLDER_NAME) — which works under drive.file because the
  search only matches the app's own files. Now registered in the registry.
- render.py: pure render_transcript(title, messages, fmt, include) ->
  RenderedDocument. Markdown is the intermediate representation; GOOGLE_DOC
  converts it to HTML via markdown-it-py (already a dependency), so Markdown
  structure maps to real Docs styling. Honors the ExportInclude checkboxes
  (tool calls / images / citations on; reasoning / timestamps off). Raw HTML
  in message text is escaped, not injected (CommonMark's default passthrough
  is forced off).
- service.py: resolve_export_target / require_export_target_token /
  http_error_for_export_target_error, mirroring the file-source service
  (404 not-a-target, 403 RBAC, 409 not-connected, 503 no-workload).
- ExportInclude model added; PR-1 admin tests updated now the registry ships
  the Drive adapter.

PDF is deferred: no PDF renderer is in the dependency set, so the Drive
adapter advertises only google_doc + markdown for now.

Tests: render, Drive adapter (httpx.MockTransport), and service helpers.
Full backend suite green (4012 passed, 3 skipped).

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* feat(export-targets): export endpoint + conversation-export receipts (#508 follow-up) (#509)

Add the PR-3 export endpoint for saving a conversation transcript out to a
connected app (Google Drive being the first export target):

- POST /sessions/{session_id}/export — ownership check, resolve connector to
  export-target adapter, validate the requested format against the adapter,
  mint the user's OAuth token (409 = consent needed, the SPA's retry hook),
  page the full transcript, render it, and create the document. Adapter
  failures map to 502/403/404.
- GET /export-targets — catalog mirroring GET /file-sources, surfacing per
  connector `connected` and `supportedFormats` so the SPA dialog can build
  its connector + format pickers without extra backend work.

Persist an export receipt on the session (spec R-2):

- ExportReceipt model + export_receipts on SessionMetadata and
  SessionMetadataResponse so a "Saved · Open" affordance survives a reload.
- add_export_receipt: race-free list_append/if_not_exists writer mirroring
  add_pending_interrupt; best-effort so a metadata write never fails an
  export that already succeeded.

Tests: 16 route cases (catalog gating/connected/formats; export success +
receipt; multi-page transcript ordering; 404/403/409/503/422/502 matrix).
Full backend suite green.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* feat(export-targets): "Save to…" conversation export SPA + admin mapping dropdown (PR-4) (#510)

Frontend for the conversation-export feature: a "Save to…" action that pushes
a conversation transcript out to a connected app (Google Drive first), plus
the admin surface to map a connector as an export target.

Save-to dialog (session/):
- ExportService + ExportError client for GET /export-targets and
  POST /sessions/{id}/export (mirrors FileSourceService: OAuth2CallbackUrl
  header, suppressed error toast, HTTP-status-carrying error).
- ExportDialogComponent (CDK dialog): destination picker, format choice gated
  by each connector's supportedFormats, include-checkbox group (messages
  locked on; tool calls / images / citations on; reasoning / timestamps off).
  A not-connected or 409-expired destination runs the shared OAuth consent
  popup and retries the save automatically; success shows "Open in <app>".
- "Save to…" item wired into the session-list overflow menu beside Share.

Admin mapping dropdown (admin/connectors/):
- exportTargetAdapterId on the connector model + create/update requests, an
  Export-target adapter resource over GET /admin/export-target-adapters, and
  an "Export Target" dropdown on the connector form with the same
  provider-compatibility filter, scope-coverage warning, and tri-state save
  semantics as the file-source dropdown.

Tests: export.service.spec (4) + export-dialog.component.spec (6) covering
catalog load, auto-select, save success, include toggles, and the
consent-then-retry path. Production build + affected specs green.

Depends on the app-api export endpoints in #509 for the runtime save path;
the admin dropdown works against the already-merged admin adapter endpoint.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* feat(export-targets): destination folder picker for "Save to…" (PR-5) (#511)

Reuse the import file-source browse dialog as a destination folder picker so
a conversation export can target a specific Drive folder instead of only the
default app folder. Unblocked by the combined-scope Drive connector (D-4):
`drive.readonly` lets the existing roots/browse endpoints power the picker,
`drive.file` writes the file — `parentId` already flowed through the export
endpoint and request.

Backend
- Add a `browsable` flag to the `GET /export-targets` catalog, computed from
  the connector's `file_source_adapter_id` + the file-source registry. Only a
  connector that is also a shipped file source can back the picker; export-only
  connectors hide it and keep landing in the app folder.

Frontend
- Generalize `file-source-browser-dialog` with a `mode: 'import' | 'pick-folder'`.
  In pick-folder mode it shows folders only, tracks the current folder name
  client-side, and closes with a `FolderSelection` ("Use this folder"). Import
  mode is unchanged.
- Wire the picker into the export dialog: a "Folder" row (shown only for
  browsable targets) opens the picker and threads the chosen `parentId` into the
  save request; default stays the app folder. A successful pick reconciles the
  connected flag.

Tests: backend export-route catalog (browsable true/false/unshipped); picker
specs for both dialogs. Full AOT build + architecture import-boundary tests
green.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

* feat(infra): support external (cross-account) Route53 hosted zones (#512)

Add a manageDnsRecords flag (CDK_MANAGE_DNS_RECORDS env / manageDnsRecords
context, default true). When false, the stack still attaches the custom
domain + ACM cert to the ALB, SPA, artifacts, and mcp-sandbox origins but
skips the in-account HostedZone.fromLookup + record creation that would
fail when the zone for domainName lives in another AWS account. In that
mode each origin emits CfnOutputs with the record name and alias target so
an operator can create the records by hand.

- config.ts: add manageDnsRecords to AppConfig + loadConfig, log it
- zones/alb-dns + spa/artifacts/mcp-sandbox distribution constructs: guard
  record creation, emit manual-DNS CfnOutputs when unmanaged
- load-env.sh: export + validate CDK_MANAGE_DNS_RECORDS
- workflows (platform, nightly): pass the flag through
- cdk.context.json + test mock-config: add the field
- docs: document external-R53 deployment

Co-authored-by: Colin <colin@boisestate.edu>

* Release/1.0.0 (#513)

* Release/v1.0.0 beta.25 (#282)

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for pull request finding 'Unused local variable'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* docs(readme): update version badges and tech stack to v1.0.0-beta.18

- Update release badge from v1.0.0-beta.17 to v1.0.0-beta.18
- Bump Tailwind CSS version from v4.1 to v4.2 in all references
- Update current release version in release notes section
- Reflect latest dependency versions in architecture and tech stack documentation

* feat(embeddings): add optional token validation bypass for search queries

- Add skip_token_validation parameter to generate_embeddings function
- Allow skipping tiktoken-based token validation for short inputs where tiktoken may not be installed
- Update search_assistant_knowledgebase to skip validation for query embeddings
- Enables embedding generation in environments where tiktoken is unavailable (e.g., search Lambda)

* refactor(embeddings): extract shared embedding logic to separate module

- Move core embedding generation and vector store operations to apis.shared.embeddings
- Create new shared bedrock_embeddings module with generate_embeddings, store_embeddings_in_s3, search_assistant_knowledgebase, and delete_vectors_for_document
- Extract vector search logic to new apis.shared.assistants.vector_search module
- Keep ingestion-specific token validation (tiktoken-based) in app_api embeddings module
- Update ingestion embeddings module to re-export shared functions for backward compatibility
- Simplify bedrock_embeddings in ingestion pipeline to focus on chunk validation and splitting
- Update imports across documents routes and rag_service to use new shared modules
- Reduces code duplication and establishes clear separation between shared RAG infrastructure and ingestion-specific concerns

* docs(release-notes): document v1.0.0-beta.19 features and fixes

- Add Angular production build optimization section explaining minification and tree-shaking enablement
- Document embeddings refactor extracting shared logic to apis.shared.embeddings module
- Add skip_token_validation parameter documentation for generate_embeddings function
- Update highlights section to mention Angular production build optimization
- Clarify CodeQL workflow improvements and unused import/variable cleanup
- Enable optimization flag in angular.json production configuration for reduced bundle size

* docs(release-notes): remove Angular optimization section and revert config

- Remove "Frontend Production Build Optimization" section from release notes
- Revert optimization flag removal from angular.json production configuration
- Align documentation with actual production build configuration state

* feat: add API Keys section to README for programmatic access to AI models

* fix(model_config): comment out caching configuration due to Bedrock limitations

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* feat: refactor session compaction and enable by default (#86)

* feat: update compaction configuration and enhance session manager tests

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(create-training-job): enhance file upload with drag-and-drop support and update dataset upload instructions

* feat(create-training-job): add support for custom HuggingFace models and enhance model search functionality

* fix(test_model_config): remove caching mock and update test for Bedrock config caching behavior

* feat(create-training-job): add tests for custom HuggingFace model selection and submission

* fix: update tests for compaction defaults and commented-out caching

- Update compaction model test to expect enabled=True and protected_turns=3
- Fix caching test to reflect cache_config being commented out due to Bedrock limitations

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Signed-off-by: Phil Merrell <philmerrell@boisestate.edu>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* test(to_bedrock_config): add missing result assignment in caching disabled test

* Potential fix for code scanning alert no. 41: Clear-text logging of s… (#85)

* Potential fix for code scanning alert no. 41: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: Add explicit read-only permissions to all workflows

- Add `permissions: contents: read` to 13 GitHub Actions workflows
- Workflows updated: app-api, bootstrap-data-seeding, codeql, frontend, gateway, inference-api, infrastructure, nightly-deploy-pipeline, nightly, rag-ingestion, release, sagemaker-fine-tuning, version-check
- Implements principle of least privilege by explicitly declaring minimal required permissions
- Improves security posture and aligns with GitHub Actions best practices

* fix(security): Redact sensitive information from logs

- Mask client ID in seed_auth_provider output, showing only first 8 characters
- Redact full Secrets ARN in seed_auth_provider, displaying only resource name
- Replace full exception objects with error codes in seed_bootstrap_data error messages
- Downgrade MCP client configuration logging from info to debug level
- Remove user ID from OAuth token retrieval and re-auth status log messages
- Add URL validation to OAuth callback redirect to prevent open redirect vulnerabilities
- Prevents accidental exposure of credentials and sensitive identifiers in application logs

* fix(security): Resolve remaining CodeQL clear-text logging alerts

- seed_auth_provider: Fully redact Secrets Manager ARN from output
- external_mcp_client: Remove server URL from logs, decouple oauth_token from log expressions
- oauth_tool_service: Isolate decrypted token into _try_get_token() to prevent taint bleed, use lazy log formatting
- config.ts: Remove AWS account ID and CORS origins from CDK config log output

* Potential fix for code scanning alert no. 499: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 496: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 498: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* Potential fix for code scanning alert no. 497: Clear-text logging of sensitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

---------

Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: colinmxs <colinmxs@users.noreply.github.com>

* feat(frontend): enable production optimization, branch-aware BUILD_CONFIG

- Remove optimization: false from base options (was blocking prod override)
- Production: optimization, no source maps, extract licenses
- Fix anyComponentStyle budget from 4kB to 200kB for Tailwind
- BUILD_CONFIG: main→production, develop→development, dispatch→manual input

Production build: 4.96 MB initial (871 KB gzip) vs 8.85 MB unoptimized

* fix: move Google Fonts import to index.html to prevent CI build failure

* ci: skip docker builds and CDK synth on pull requests

* implement conversation sharing. (#87)

* implement conversation sharing.

* Potential fix for code scanning alert no. 509: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* Potential fix for code scanning alert no. 510: Log Injection

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: ofilson <SuperScorer911@gmail.com>

* fix github warnings

* fix log issue

---------

Signed-off-by: ofilson <SuperScorer911@gmail.com>
Co-authored-by: Oscar Filson <OSCARFILSON@boisestate.edu>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Allow for private share (only with yourself)

* release: v1.0.0-beta.19

* fix float error on sharing

* Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Signed-off-by: Colin Smith <7762103+colinmxs@users.noreply.github.com>

* ci: skip redundant stack dependency checks on PRs (keep infrastructure only)

* ci: skip install on PRs for rag-ingestion (no downstream jobs)

* ci: revert check-stack-deps skip on workflows with PR jobs, skip entire gateway/sagemaker on PRs

* fix(security): resolve CodeQL log-injection, unused-import, and unused-variable alerts

- Remove user-controlled values from 180 log f-strings (py/log-injection)
- Remove 87 unused Python imports (py/unused-import)
- Remove 27 unused JS/TS variables (js/unused-local-variable)
- Fix 3 useless assignments (js/useless-assignment-to-local)
- Fix 1 incompatible type comparison (js/comparison-between-incompatible-types)

* fix(tests): remove stale AgentCoreMemorySessionManager patch from session factory tests

The CodeQL commit removed the unused AgentCoreMemorySessionManager import
from session_factory.py, breaking two tests that patched it at that path.
Removed the unnecessary patch decorator since TurnBasedSessionManager was
already being patched separately.

* chore(docker): add shared embeddings module to rag-ingestion Lambda image

- Copy shared embeddings package to Lambda task root directory
- Add apis/__init__.py to ensure proper Python package structure
- Enable ingestion embeddings to access re-exported shared embeddings module
- Resolves import errors when bedrock_embeddings.py loads shared embeddings

* fix(quality): resolve all open CodeQL findings on develop

Empty excepts (5 fixes):
- url_fetcher: narrow bare except to Exception, add comment
- code_interpreter_diagram_tool: narrow bare except to Exception
- tool_result_processor: add explanatory comment to JSONDecodeError catch
- users/service: log warning on invalid pagination cursor
- event_formatter: log warning instead of silently swallowing errors

Catch BaseException (2 fixes):
- url_fetcher: narrowed to Exception (same fix as empty except)
- code_interpreter_diagram_tool: narrowed to Exception

Unreachable code (1 fix):
- stream_processor: remove dead if result_seen: break (never set to True)

Redundant assignment (1 fix):
- fine_tuning/routes: remove unused job = on create_inference_job

Print during import (1 fix):
- inference_api/main: replace print() with logging

Commented-out code (1 fix):
- inference_api/chat/models: remove commented InvocationRequest class

Unnecessary lambdas (2 fixes):
- job_repository, inference_repository: lambda v: int(v) → int

Unused local variables (13 fixes):
- Remove or rename: period, user_id, error_msg, matches, requested_set,
  exception_type, updated, limit, preferences, execution_output,
  next_month, next_year across 10 files

Unused imports (3 fixes):
- compaction_models: remove unused field import
- bedrock_embeddings: remove dead re-exports, clean up __init__.py
- timezone: use find_spec for pytz availability check

Cyclic import (1 fix):
- Move get_metadata_storage() factory from metadata_storage.py to
  storage/__init__.py, breaking the metadata_storage ↔ dynamodb_storage
  cycle. Update 3 callers to import from apis.app_api.storage.

Dismissed as false positives (11 alerts):
- 9x untrusted-checkout on nightly workflows (schedule/dispatch only)
- 1x non-iterable for-loop (Enum is iterable)
- 1x unused global _generic_validator_initialized (global stmt tracking)

* fix(deps): patch Dependabot security vulnerabilities

- requests 2.32.5 → 2.33.0 (insecure temp file reuse, CVE)
- picomatch 4.0.3 → 4.0.4 (frontend, ReDoS + method injection, via override)
- picomatch 2.3.1 → 2.3.2 (infrastructure, method injection, via override)
- diff 4.0.x → patched (infrastructure, DoS in parsePatch, via audit fix)

Unfixable:
- yaml 1.10.2 bundled inside aws-cdk-lib 2.244.0 (latest) — awaiting AWS CDK update
- Pygments 2.19.2 (latest) — no patched version released yet

* fix(rag-ingestion): ensure Lambda uses latest image digest on deploy

- Add FUNCTION_NAME variable to capture Lambda function identifier
- Update Lambda function code explicitly after image push to force digest refresh
- Add wait condition to ensure function update completes before deployment succeeds
- Remove outdated next steps logging that duplicated deployment completion message
- Resolve issue where CDK's SSM-resolved image tags don't trigger updates when underlying image layers change, causing CloudFormation to report no changes despite fresh image push

* fix share issues and icon tweaks

* release: v1.0.0-beta.20

* fix(rag-ingestion): restore shared embedding re-exports for Lambda handler

The CodeQL fix removed re-exports from bedrock_embeddings.py, but the
RAG ingestion Lambda handler imports generate_embeddings and
store_embeddings_in_s3 from embeddings.bedrock_embeddings (Lambda task
root path). Restored re-exports with __all__ and explanatory comments.

* feat(documents): add upload failure reporting and assistant cleanup

- Add ReportUploadFailureRequest model for client-side upload error reporting
- Implement POST /{document_id}/upload-failed endpoint to mark documents as failed
- Add update_document_status service function to update document status and error details
- Implement background cleanup of vectors and S3 objects when assistant is deleted
- Add delete_vectors_for_assistant function to remove embeddings from vector store
- Update document routes to import new models and service functions
- Add start.sh to .gitignore
- Update bedrock_embeddings to support vector deletion by assistant ID
- Enhance frontend document service to handle upload failure reporting
- Improve assistant deletion flow with proper resource cleanup and error handling

* feat(assistants): remove archive functionality and simplify deletion

- Remove archive_assistant service function and endpoint
- Simplify delete operation to single hard delete without archive option
- Remove include_archived query parameter from list assistants endpoint
- Remove ARCHIVED status from assistant status enum
- Update frontend assistant model and services to remove archive references
- Simplify assistant lifecycle by consolidating soft and hard delete into single delete operation
- Update API documentation and test examples to reflect deletion changes

* feat(frontend): upgrade Analog.js testing dependencies and remove vitest config

- Add @analogjs/vite-plugin-angular and @analogjs/vitest-angular v3.0.0-alpha.18
- Update package-lock.json with new dependency tree and transitive dependencies
- Remove vitest.config.ts in favor of Analog.js configuration
- Update app.config.spec.ts and tool-rail.component.spec.ts test files
- Modernize Angular testing setup with latest Analog.js tooling

* feat(documents): implement reliable deletion with soft-delete and cleanup retries

- Add deleting status to document lifecycle and TTL field for auto-expiry
- Create cleanup_service.py with retry logic for S3 vectors and source file deletion
- Implement soft-delete pattern: mark documents as deleting, return immediately, cleanup asynchronously
- Update search path to filter out non-complete documents and prevent stale results
- Add batch soft-delete for assistant deletion with background cleanup
- Implement deterministic vector key generation for reliable cleanup
- Add comprehensive property-based and integration tests for deletion flows
- Update RAG service to cross-check document status during search
- Configure DynamoDB TTL as backstop for failed cleanups (7-day expiry)
- Add Kiro spec documentation for reliable document deletion design

* test(assistants): remove archive assistant test and fix package dependencies

- Remove test_archive_assistant test case as archive functionality was removed
- Update package-lock.json to fix dependency flags for Angular DevKit and related packages
- Change chokidar dev flag to devOptional to reflect optional development dependency
- Remove unnecessary dev flags from multiple dependencies (ajv, chalk, cli-cursor, fast-deep-equal, and others)
- Align package metadata with current project configuration

* chore(frontend): pin Analog.js dependencies to exact versions

- Remove caret (^) version specifiers from @analogjs/vite-plugin-angular
- Remove caret (^) version specifiers from @analogjs/vitest-angular
- Lock both packages to 3.0.0-alpha.18 for consistent builds
- Prevent unexpected minor/patch updates that could introduce breaking changes

* chore(frontend): pin Analog.js devDependencies to exact versions

- Update @analogjs/vite-plugin-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Update @analogjs/vitest-angular from ^3.0.0-alpha.18 to 3.0.0-alpha.18
- Remove caret (^) prefix to lock exact versions and ensure consistent builds

* feat(fine-tuning-dashboard): add informational section about fine-tuning and update icons

* chore(deps)(deps): bump the frontend-minor-patch group (#101)

Bumps the frontend-minor-patch group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@ng-icons/core](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [@ng-icons/heroicons](https://github.com/ng-icons/ng-icons) | `33.1.0` | `33.2.0` |
| [katex](https://github.com/KaTeX/KaTeX) | `0.16.33` | `0.16.44` |
| [marked](https://github.com/markedjs/marked) | `17.0.3` | `17.0.5` |
| [mermaid](https://github.com/mermaid-js/mermaid) | `11.12.3` | `11.13.0` |
| [@tailwindcss/postcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/@tailwindcss-postcss) | `4.2.1` | `4.2.2` |
| [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) | `4.0.18` | `4.1.2` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.8` |
| [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) | `4.2.1` | `4.2.2` |
| [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest) | `4.0.18` | `4.1.2` |


Updates `@ng-icons/core` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `@ng-icons/heroicons` from 33.1.0 to 33.2.0
- [Release notes](https://github.com/ng-icons/ng-icons/releases)
- [Changelog](https://github.com/ng-icons/ng-icons/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ng-icons/ng-icons/commits/v33.2.0)

Updates `katex` from 0.16.33 to 0.16.44
- [Release notes](https://github.com/KaTeX/KaTeX/releases)
- [Changelog](https://github.com/KaTeX/KaTeX/blob/main/CHANGELOG.md)
- [Commits](https://github.com/KaTeX/KaTeX/compare/v0.16.33...v0.16.44)

Updates `marked` from 17.0.3 to 17.0.5
- [Release notes](https://github.com/markedjs/marked/releases)
- [Commits](https://github.com/markedjs/marked/compare/v17.0.3...v17.0.5)

Updates `mermaid` from 11.12.3 to 11.13.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.3...mermaid@11.13.0)

Updates `@tailwindcss/postcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/@tailwindcss-postcss)

Updates `@vitest/coverage-v8` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/coverage-v8)

Updates `postcss` from 8.5.6 to 8.5.8
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/postcss/postcss/compare/8.5.6...8.5.8)

Updates `tailwindcss` from 4.2.1 to 4.2.2
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.2.2/packages/tailwindcss)

Updates `vitest` from 4.0.18 to 4.1.2
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.1.2/packages/vitest)

---
updated-dependencies:
- dependency-name: "@ng-icons/core"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@ng-icons/heroicons"
  dependency-version: 33.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: katex
  dependency-version: 0.16.44
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: marked
  dependency-version: 17.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: mermaid
  dependency-version: 11.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: "@tailwindcss/postcss"
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
- dependency-name: postcss
  dependency-version: 8.5.8
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: tailwindcss
  dependency-version: 4.2.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: frontend-minor-patch
- dependency-name: vitest
  dependency-version: 4.1.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: frontend-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the aws-cdk group (#90)

Bumps the aws-cdk group in /infrastructure with 2 updates: [aws-cdk-lib](https://github.com/aws/aws-cdk/tree/HEAD/packages/aws-cdk-lib) and [aws-cdk](https://github.com/aws/aws-cdk-cli/tree/HEAD/packages/aws-cdk).


Updates `aws-cdk-lib` from 2.244.0 to 2.245.0
- [Release notes](https://github.com/aws/aws-cdk/releases)
- [Changelog](https://github.com/aws/aws-cdk/blob/main/CHANGELOG.v2.alpha.md)
- [Commits](https://github.com/aws/aws-cdk/commits/v2.245.0/packages/aws-cdk-lib)

Updates `aws-cdk` from 2.1113.0 to 2.1115.0
- [Release notes](https://github.com/aws/aws-cdk-cli/releases)
- [Commits](https://github.com/aws/aws-cdk-cli/commits/aws-cdk@v2.1115.0/packages/aws-cdk)

---
updated-dependencies:
- dependency-name: aws-cdk-lib
  dependency-version: 2.245.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
- dependency-name: aws-cdk
  dependency-version: 2.1115.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: aws-cdk
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump actions/setup-node from 5.0.0 to 6.3.0 (#100)

Bumps [actions/setup-node](https://github.com/actions/setup-node) from 5.0.0 to 6.3.0.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/a0853c24544627f65ddf259abe73b1d18a591444...53b83947a5a98c8d113130e565377fae1a50d02f)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump github/codeql-action (#95)

Bumps the actions-minor-patch group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.34.1 to 4.35.1
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/38697555549f1db7851b81482ff19f1fa5c4fedc...c10b8064de6f491fea524254123dbe5e09572f13)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump @types/node in /infrastructure (#94)

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 24.10.1 to 25.5.0.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.5.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps-dev): bump jsdom in /frontend/ai.client (#102)

Bumps [jsdom](https://github.com/jsdom/jsdom) from 27.4.0 to 29.0.1.
- [Release notes](https://github.com/jsdom/jsdom/releases)
- [Commits](https://github.com/jsdom/jsdom/compare/v27.4.0...v29.0.1)

---
updated-dependencies:
- dependency-name: jsdom
  dependency-version: 29.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump ng2-charts in /frontend/ai.client (#105)

Bumps [ng2-charts](https://github.com/valor-software/ng2-charts) from 8.0.0 to 10.0.0.
- [Release notes](https://github.com/valor-software/ng2-charts/releases)
- [Commits](https://github.com/valor-software/ng2-charts/compare/v8.0.0...v10.0.0)

---
updated-dependencies:
- dependency-name: ng2-charts
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps)(deps): bump the angular group (#97)

Bumps the angular group in /frontend/ai.client with 10 updates:

| Package | From | To |
| --- | --- | --- |
| [@angular/cdk](https://github.com/angular/components) | `21.2.3` | `21.2.4` |
| [@angular/common](https://github.com/angular/angular/tree/HEAD/packages/common) | `21.2.5` | `21.2.6` |
| [@angular/compiler](https://github.com/angular/angular/tree/HEAD/packages/compiler) | `21.2.5` | `21.2.6` |
| [@angular/core](https://github.com/angular/angular/tree/HEAD/packages/core) | `21.2.5` | `21.2.6` |
| [@angular/forms](https://github.com/angular/angular/tree/HEAD/packages/forms) | `21.2.5` | `21.2.6` |
| [@angular/platform-browser](https://github.com/angular/angular/tree/HEAD/packages/platform-browser) | `21.2.5` | `21.2.6` |
| [@angular/router](https://github.com/angular/angular/tree/HEAD/packages/router) | `21.2.5` | `21.2.6` |
| [@angular/build](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/cli](https://github.com/angular/angular-cli) | `21.2.3` | `21.2.5` |
| [@angular/compiler-cli](https://github.com/angular/angular/tree/HEAD/packages/compiler-cli) | `21.2.5` | `21.2.6` |


Updates `@angular/cdk` from 21.2.3 to 21.2.4
- [Release notes](https://github.com/angular/components/releases)
- [Changelog](https://github.com/angular/components/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/components/compare/v21.2.3...v21.2.4)

Updates `@angular/common` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/common)

Updates `@angular/compiler` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler)

Updates `@angular/core` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/core)

Updates `@angular/forms` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/forms)

Updates `@angular/platform-browser` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/platform-browser)

Updates `@angular/router` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/router)

Updates `@angular/build` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/cli` from 21.2.3 to 21.2.5
- [Release notes](https://github.com/angular/angular-cli/releases)
- [Changelog](https://github.com/angular/angular-cli/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular-cli/compare/v21.2.3...v21.2.5)

Updates `@angular/compiler-cli` from 21.2.5 to 21.2.6
- [Release notes](https://github.com/angular/angular/releases)
- [Changelog](https://github.com/angular/angular/blob/main/CHANGELOG.md)
- [Commits](https://github.com/angular/angular/commits/v21.2.6/packages/compiler-cli)

---
updated-dependencies:
- dependency-name: "@angular/cdk"
  dependency-version: 21.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/common"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/compiler"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/core"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/forms"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/platform-browser"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/router"
  dependency-version: 21.2.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/build"
  dependency-version: 21.2.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: angular
- dependency-name: "@angular/cli"
  dependency-version: 21.2.5
  d…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant