)]}' { "log": [ { "commit": "13a69771229cd5acb06d9ab86e3fba2dfc3cad7d", "tree": "e7dd27f49b0d40676be34ca1754bd7166657b60b", "parents": [ "fa99daa609315a6df610e3694994f57dd8588ecb" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue Jun 09 02:15:00 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 19:16:34 2026 -0700" }, "message": "routes: fix log call argument order and pass user_id\n\nThe seven explicit logger.log() call sites in routes.py were calling the\nservice with positional args (level, event_type, message) but the actual\nsignature is (event_type, message, level). This produced swapped fields\nin every emitted LOG block:\n\n level: \"Listed all agents.\" (should have been \"INFO\")\n eventType: \"INFO\" (should have been \"user_action\")\n message: \"user_action\" (should have been \"Listed all agents.\")\n\nCompounding that, none of the sites passed user_id, so every entry\nlanded with userId: null even though the route handlers all have a\nresolved user via Depends(get_current_user).\n\nFix both at every site: reorder args to (event_type, message), drop the\nexplicit \"INFO\" level (the default), and pass user_id\u003duser.get(\"uid\").\n\nTouched sites: create_agent, list_agents, delete_agent, update_agent,\nrun_agent_code_stream, run_agent_code (entry log), and the sandbox_run\nsuccess log inside run_agent_code.\n" }, { "commit": "fa99daa609315a6df610e3694994f57dd8588ecb", "tree": "762a5535544e40cd44097017dc12d964721d6502", "parents": [ "a091b361cd453ad53701edf95e8dcdd96de9c392" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 17:59:03 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 17:59:03 2026 -0700" }, "message": "bedrock-mythos: align param shape with Opus 4.8 and detect adaptive thinking\n\nThe Mythos provider entry was undersized on first cut: 4096 max_tokens\ndefault and a missing top_p and reasoning_effort. Mythos is described\nas 1M input and 128K output with reasoning, vision, and tool use, same\nshape as Opus 4.7/4.8, so the parameter config should mirror that.\n\n - max_tokens default 4096 -\u003e 16384 (match Opus 4.8)\n - max_tokens cap 131072 -\u003e 128000 (match Opus 4.8 convention)\n - add top_p (mutually exclusive with temperature)\n - add reasoning_effort (Mythos supports thinking.type\u003dadaptive)\n\nAlso broaden _is_opus_4_7_or_later() to match claude-mythos so the\nadaptive-thinking code path picks Mythos up too.\n" }, { "commit": "a091b361cd453ad53701edf95e8dcdd96de9c392", "tree": "bb7774c6d4bb814f5e96d948f11f99cdb2f2bf41", "parents": [ "4811cda627338cd67663efa46d2a818da2630eca" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 17:23:36 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 17:23:36 2026 -0700" }, "message": "Adding dev override for testing bedrock-mantle\n" }, { "commit": "4811cda627338cd67663efa46d2a818da2630eca", "tree": "61ee13eb7cf9d5d152279ebfce9b2d239088e2ee", "parents": [ "e2046468a8d71df893f9296bd6bc7b090f4f3cb4" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 16:40:25 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 16:40:25 2026 -0700" }, "message": "bedrock-mythos: profile-aware STS session + awscrt dep\n\nLocal dev compose stack sets AWS_ACCESS_KEY_ID/SECRET to MinIO test\ncreds (minioadmin) for S3 development workflows. boto3\u0027s default\ncredential chain checks env vars before profiles, so the STS call\nwould pick up minioadmin and fail. By creating the session from an\nexplicit profile when AWS_PROFILE is in env, we bypass the env-var\ncreds in dev. In prod no profile is set; the else branch runs and\nthe default chain finds the EC2 instance role via IMDS.\n\nrequirements: add awscrt — botocore\u0027s login credential provider\n(used when devs sign in via \u0027aws login\u0027) requires the AWS Common\nRuntime native library. Without it boto3 raises\nMissingDependencyException when anything in the container uses the\nAWS_PROFILE-mapped login_session. Harmless in prod where the path\nisn\u0027t exercised.\n" }, { "commit": "e2046468a8d71df893f9296bd6bc7b090f4f3cb4", "tree": "54797612e062be36fa5e7385e94ad696a90fb6e5", "parents": [ "56030844a717d42fce7178fcd836e8c862108c74" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 21:53:30 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 15:01:20 2026 -0700" }, "message": "bedrock-mythos: Mantle-backed provider for Mythos preview\n\nAdds the bedrock-mythos provider routing Mythos preview model calls\nthrough AWS Bedrock Mantle (the OpenAI-compatible Bedrock endpoint at\nhttps://bedrock-mantle.{region}.api.aws/v1) in a dedicated Anthropic-\nprovided AWS account.\n\nAuth flow:\n\n 1. boto3 picks up ambient credentials (EC2 instance profile in prod,\n \u0027aws login\u0027 session locally)\n 2. STS AssumeRole into arn:aws:iam::861792231409:role/bedrock-devs\n 3. aws-bedrock-token-generator mints a SigV4-derived bearer token\n from the assumed credentials (no env mutation; credentials passed\n explicitly via botocore.credentials.Credentials)\n 4. Bearer token passed to litellm as api_key, region passed as\n aws_region_name (without it litellm defaults to us-east-1)\n 5. litellm routes through bedrock_mantle/\u003cmodel-id\u003e to the Mantle\n endpoint in ap-southeast-4\n\nToken cached in-process per role ARN; refreshed 5 min before the\nunderlying STS credentials expire to avoid mid-request expiration.\nBoth call_llm and stream_llm paths updated. boto3 and the token\ngenerator are imported lazily inside the helper to avoid forcing the\ndependencies on module load for installations that don\u0027t use this\nprovider.\n\nConfiguration is all non-secret; lives in provider_config rather than\npuppet eyaml. The Service Role we provisioned in account 861792231409\n(arn:aws:iam::861792231409:role/bedrock-service-role) is registered\nwith Bedrock at the account level — no request-level passing needed\nfor Mantle inference.\n\nVerified locally: litellm 1.83.0 (current pin: \u003e\u003d1.77.5) recognizes\nthe bedrock_mantle/ prefix and dispatches to the Mantle handler.\nCross-account assume-role plumbing has been verified end-to-end from\na developer laptop. The cross-account path on the gofannon EC2 host\n(INFRA-27980 in account 534396592182 assuming bedrock-devs) is\nunverified until first deploy — trust policy is in place, awaiting\na real call.\n" }, { "commit": "56030844a717d42fce7178fcd836e8c862108c74", "tree": "de280fa997dc95411fbb4cb399648bb345ac1407", "parents": [ "74de618af706806bfa17d9d9aae49f9cd32635df" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 17:42:40 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Jun 08 10:46:44 2026 -0700" }, "message": "api keys: accessible password toggle + stable test selector\n\nThe visibility toggle on the API key input used MUI\u0027s \u003cVisibility /\u003e icon\nwith no aria-label, leaving the button unlabeled for screen readers and\nforcing the playwright test to reach for the icon\u0027s data-testid. That\ntestid is only emitted in development builds — production builds strip\nit — so the e2e test passed locally against the dev server but timed\nout in CI against the production bundle.\n\nAdd aria-label to the IconButton (\"Show API key\" / \"Hide API key\") and\nupdate the test to use getByRole with that name. Works in any build\nmode, fixes the WCAG 4.1.2 violation, and removes the dependency on\nMUI\u0027s internal data-testid behavior.\n" }, { "commit": "74de618af706806bfa17d9d9aae49f9cd32635df", "tree": "0ccc5da97c583c05839f115ccf8be6e4ea5774de", "parents": [ "184bd607741abe3ad0da862cb119b27182ffe198" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sun Jun 07 21:39:37 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sun Jun 07 14:40:20 2026 -0700" }, "message": "observability: demote 2xx api request logs to DEBUG\n\napi_request_start and api_request_end fire for every request and\ndominate the console output, drowning real errors. Pick log level by\nresponse status (2xx -\u003e DEBUG, 3xx -\u003e INFO, 4xx -\u003e WARN, 5xx -\u003e ERROR)\nand add an OBSERVABILITY_CONSOLE_LEVEL env (default INFO) so the\nconsole provider filters DEBUG by default. Set the env to DEBUG to\nsee everything again when actively diagnosing.\n" }, { "commit": "184bd607741abe3ad0da862cb119b27182ffe198", "tree": "e2d0165aa9479e7adf1cc23191712926f1fe5fc8", "parents": [ "d197c9c2cbac41c875216f98030cd927defccbd8" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sun Jun 07 14:11:40 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sun Jun 07 14:11:40 2026 -0700" }, "message": "Cleaning up failing nightly\n" }, { "commit": "d197c9c2cbac41c875216f98030cd927defccbd8", "tree": "c4b0937df7b9d91952d803cc08c332594691dde6", "parents": [ "c121953545b6523e10e38026493b980a3e3748d9" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sun Jun 07 13:34:04 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sun Jun 07 13:34:04 2026 -0700" }, "message": "Adding sonnet 4.6\n" }, { "commit": "c121953545b6523e10e38026493b980a3e3748d9", "tree": "85ef19153eb5321c9b9082099c2920badbb441b3", "parents": [ "cac16b437381c76aa8d6c8f52b5912c36e5e82d1" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sun Jun 07 04:58:51 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sat Jun 06 22:21:05 2026 -0700" }, "message": "drain pending tasks before closing per-agent thread loop\n\nSuppresses the \u0027Exception ignored in: \u003ccoroutine object\nLoggingWorker._worker_loop\u003e ... RuntimeError: Event loop is closed\u0027\ntraceback that appears in the api log after every agent run that\nmade litellm calls.\n\nWhat was happening: litellm spins up an internal LoggingWorker\ncoroutine on whatever event loop is current the first time you\ncall into it. With Path A executors that loop is this thread\u0027s\nloop, not the parent worker loop. When the agent finishes and\nthread_entry\u0027s finally block called thread_loop.close(), the\nLoggingWorker was still alive in the background -- its\nasyncio.Queue.get coroutine was sitting in await self._queue.get(),\nand asyncio.Queue\u0027s getter cleanup does a call_soon for the\ngetter\u0027s cancel, which raises RuntimeError on a closed loop.\nPython prints the traceback to stderr (no chance to catch it\nbecause it\u0027s surfaced from the coroutine destructor, not from\nthe call stack), and we get one noisy 17-line block per agent.\n\nThe harmless-but-loud nature is the worst kind of log noise --\nreal errors get easier to miss when the eye learns to filter past\na recurring stack trace. Fix is to drain pending tasks before\nclosing: cancel them, run the loop one more tick to let the\ncancellations propagate, then close. LoggingWorker\u0027s coroutine\nsees the cancellation cleanly and tears down without trying to\ncall_soon onto the dying loop.\n\nThe drain is best-effort: if anything raises during it we still\nfall through to thread_loop.close(), so a buggy task can\u0027t leak\nthe loop. The close itself stays inside its own try/except for\nthe same reason.\n" }, { "commit": "cac16b437381c76aa8d6c8f52b5912c36e5e82d1", "tree": "7e8632ee667e07e3e3444e5f9f47500b62af0c0d", "parents": [ "d0e1f1048117d07d6cf202bdfeacacbe86f70d95" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 21:15:49 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 14:18:56 2026 -0700" }, "message": "show Stopping... on the Stop button after click so users get instant feedback\n\nBefore this, after clicking Stop the button stayed showing \u0027Stop\u0027\nuntil the next 5s polling cycle fetched the new status from the\nregistry. With persisted runs that can take 5+ seconds in the\ncommon case (poll interval) plus however long the agent takes to\nreach a stop boundary. The user clicks, nothing visible happens\nfor several seconds, they wonder if it worked.\n\nAdd a local stopRequested flag flipped on click and cleared by an\neffect when fetchedRun.status moves off \u0027running\u0027. While set, the\nbutton shows \u0027Stopping...\u0027 and is disabled so a second click is\nprevented. Once the registry actually reports the new status the\nbutton hides via the existing fetchedRun.status \u003d\u003d\u003d \u0027running\u0027\nguard.\n\nFailure handling is graceful: if the fetch to /runs/\u003cid\u003e/stop\nrejects (network down, etc.), we explicitly clear the flag so the\nuser can retry. If the backend received the request but the agent\nkeeps running for some other reason, the next status-change\nobservation clears the flag automatically -- the button comes back\nenabled and clickable rather than getting locked into a Stopping...\nstate forever.\n" }, { "commit": "d0e1f1048117d07d6cf202bdfeacacbe86f70d95", "tree": "0135d07d8ff69158021346067deaa5681589e59b", "parents": [ "76806c8b49f9f4cfdac98ff51b31ccf355680ee8" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 20:02:41 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 13:32:44 2026 -0700" }, "message": "fetch _rev before saving updates in run registry _persist\n\nCouchDB requires _rev for updates. CouchDBService.save in this\ncodebase doesn\u0027t auto-resolve revs -- its docstring explicitly\nstates \u0027Caller is responsible for providing _rev when updating an\nexisting document\u0027. My _persist was passing the doc straight to\nsave without _rev, which works for the first save (insert) but\n409s on every subsequent save. The 409 got swallowed by the outer\ntry/except, logged, and silently dropped the update.\n\nUser-visible effects:\n\n - Records persisted with status\u003drunning on new_record, then never\n updated when mark_complete fired. Every completed run in\n CouchDB was stuck at status\u003drunning with completed_at\u003dnull and\n no events list. The runs panel showed stale state from any\n worker that didn\u0027t own the live in-memory record.\n\n - Stop felt like it didn\u0027t work even when the cancel token flipped\n correctly. The agent did stop, mark_complete did fire in the\n worker that owned the run, but the CouchDB update failed -- so\n polling clients hitting other workers still saw the old running\n state and still rendered the Stop button.\n\n - request_stop happened to work because it does its own get()\n before save(), picking up _rev that way. So stop_requested\n actually wrote correctly; it was only mark_complete that was\n silently dead.\n\nFix: in _persist, do a get() of the existing doc first, copy its\n_rev onto our outgoing doc if present, then save. Each update is\nnow a two-round-trip operation (get + save). Acceptable because\nrun records aren\u0027t written hot: roughly create + complete + the\noccasional stop, none of them in tight loops. The first save for\na new run_id still skips _rev because get() raises (no doc) and\nthe except passes silently -- CouchDB treats a no-_rev save as\nan insert.\n" }, { "commit": "76806c8b49f9f4cfdac98ff51b31ccf355680ee8", "tree": "094adc358886087264eff7aa26cfa3840cdc244b", "parents": [ "34c02c0097cedd868b2d0303a7f1b4cbbefcaa63" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 19:41:40 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 12:44:34 2026 -0700" }, "message": "drop unsupported sort kwarg from list_for_user db.find call\n\nCouchDBService.find() in this codebase accepts only selector, fields,\nand limit -- not sort. My persistence patch\u0027s list_for_user passed\nsort\u003d[{started_at: desc}], which raised TypeError in the actual\nbackend at runtime. The TypeError was caught by the outer try/except\nin list_for_user, which returned [] for every call. The records were\nin CouchDB the whole time; the API just always reported zero matches.\n\nSymptoms: in prod (multi-worker) the runs panel on the home page and\nthe historical-runs list below the Run button always rendered empty,\neven immediately after a run was created. Deep-linked GET /runs/\u003cid\u003e\n(which uses db.get, not db.find) worked fine, so the per-run detail\npage populated correctly -- the discrepancy made the bug look\nfancier than it was.\n\nFix: drop the unsupported sort kwarg and sort the docs in Python\nafter the fetch. Cost is negligible at limit\u003d100, and started_at\nis an ISO-8601 string so reverse lex sort gives the same\nnewest-first ordering Mango sort would have produced. If we ever\nneed true index-backed sorting we\u0027d add a sort param to\nCouchDBService.find first (probably mapping to the underlying\nMango sort array), but for current scale Python sort is fine.\n" }, { "commit": "34c02c0097cedd868b2d0303a7f1b4cbbefcaa63", "tree": "0f798c8e21c64ce8826932f0bbb5579bdd3eda38", "parents": [ "6c89591cb027cc63ef301ee2168c8221fcdf2c9c" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 19:11:31 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 12:27:05 2026 -0700" }, "message": "fix settings import in run_registry _get_db\n\nWrong module path -- I wrote \u0027from config.settings import settings\u0027\nwhen the rest of the codebase uses \u0027from config import settings\u0027.\nThe bad import raised ModuleNotFoundError which the surrounding\ntry/except silently swallowed, setting self._db \u003d None on every\nworker. The registry then degraded to in-memory-only across the\nboard, defeating the whole point of the persistence patch.\n\nSymptom in prod: runs were created locally on a worker but never\nshowed up via list_for_user from any other worker (or even the same\nworker after a few seconds of polling). The diagnostic command that\ncalled get_database_service from the api container also failed with\nthe same ModuleNotFoundError, which is what surfaced the bug.\n" }, { "commit": "6c89591cb027cc63ef301ee2168c8221fcdf2c9c", "tree": "3b24ade631cbb5e61149d6eb4cae0e341b120e50", "parents": [ "f7cd8435c8725e5a545e864170ddfdb00523720a" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 18:49:52 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 11:51:23 2026 -0700" }, "message": "re-export EVICTION_TTL_SECONDS as alias for backwards-compat\n\ntests/unit/services/test_run_registry.py imports EVICTION_TTL_SECONDS\nfrom services.run_registry. The persistence patch renamed it to\nLOCAL_CACHE_TTL_SECONDS to reflect the split between in-memory cache\neviction (LOCAL_CACHE_TTL_SECONDS) and CouchDB-side retention\n(COUCH_RETENTION_SECONDS). Add the old name back as an alias so the\ntest (and any other code referencing the old constant) keeps working.\n\nThe alias points at LOCAL_CACHE_TTL_SECONDS because that\u0027s what\nactually controls the behavior the test cares about: backdating\n_completed_at_monotonic past the alias value triggers\n_evict_expired_local on the next get(), which is what the test\nasserts. The 5-minute new value vs the old 1-hour value doesn\u0027t\nmatter for the test -- it backdates by EVICTION_TTL_SECONDS + 10s,\nwhich is past either value.\n" }, { "commit": "f7cd8435c8725e5a545e864170ddfdb00523720a", "tree": "8a0658b654b8a4184dfa22781d70a46686f17d08", "parents": [ "08da040ebe05047dac0587d6f3761461e5bb3d8c" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 18:06:37 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 11:41:33 2026 -0700" }, "message": "persist run registry to couchdb so multi-worker prod is consistent\n\nIn prod with multiple uvicorn workers, the in-memory run registry has\nbeen causing three visible symptoms:\n\n 1. New runs don\u0027t appear in the runs list right after starting them\n -- GET /runs?agent_id\u003dX hits a worker whose local registry has\n no knowledge of the just-created run.\n 2. Deep links to /agent/\u003cid\u003e/runs/\u003crun_id\u003e render with empty fields\n when the load balancer routes the GET /runs/\u003crun_id\u003e to a worker\n other than the one that created the record.\n 3. Runs disappear from the runs panel on the home page entirely\n after a short window, partly because of the 1h in-memory\n eviction TTL and partly because the load-balanced round-robin\n keeps landing on workers that never had the record.\n\nUnderlying cause is that the registry was per-process. New module-\nlevel WORKER_ID identifies each uvicorn worker. Records now persist\nto a new CouchDB database (gofannon_runs) on create, on mark_complete\n(with full events list this time, so completed-run deep links work\nacross workers), and on stop_requested.\n\nCross-worker stop is handled in two steps:\n\n 1. POST /runs/\u003cid\u003e/stop calls registry.request_stop, which writes\n stop_requested\u003dtrue to the CouchDB doc unconditionally. If the\n handling worker also owns the local cancel token (fast path),\n it flips the token immediately and the agent stops within\n milliseconds. Outcome string returned to the client distinguishes\n \u0027flipped_local\u0027 from \u0027persisted_remote\u0027 so the UI can surface\n latency expectations if it wants.\n\n 2. Each worker runs a background polling task (started in\n app_factory\u0027s lifespan) that every 3 seconds queries CouchDB for\n \u0027runs I own that are still running and have stop_requested\u003dtrue\u0027.\n The query uses a dedicated (worker_id, status) index so it stays\n fast at any historical scale. New flags get their local cancel\n tokens flipped within the polling window -- 3 second worst-case\n stop latency for cross-worker cases.\n\nLocal cache TTL drops from 1h to 5 minutes since CouchDB is now the\nsource of truth and re-fetching a completed record is cheap. CouchDB\nretention is 7 days, swept by an hourly eviction task in the same\nlifespan as the poller.\n\nRecords reconstructed from CouchDB are view-only: they have no live\nTrace queues and no asyncio Task. Replay-then-live SSE works for\ncompleted runs across workers (events are persisted on mark_complete);\nlive-tailing an in-flight run owned by another worker is not supported\nin this phase and would require streaming events to CouchDB as they\narrive. Defer until someone actually asks for it.\n\nIndexes created on first use (idempotent):\n - by_worker_status: fields\u003d[worker_id, status] for poller\n - by_user_agent: fields\u003d[user_id, agent_id, started_at]\n for list endpoint\n - by_status_completed: fields\u003d[status, completed_at]\n for eviction\n\nBackward compat: when the database service is unreachable (tests\nwithout couchdb fixture, dev with broken CouchDB), the registry\ndegrades gracefully to in-memory-only behavior. _get_db catches and\nsets self._db\u003dNone; subsequent persistence calls are no-ops.\n\nSmoke tested: new_record persists, list_for_user queries via index,\ncross-instance get falls back to couch, request_stop fast path\nflips local token, request_stop slow path writes stop_requested,\npoll_owned_stops re-flips when token registered later, mark_complete\nwrites events, idempotent on second call, eviction removes records\npast retention.\n" }, { "commit": "08da040ebe05047dac0587d6f3761461e5bb3d8c", "tree": "6e81864a33565f69a502b0ec3233b03b2e84e9c1", "parents": [ "c5545df8fcf2660d70a8a94661cb398bb9545a57" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 17:27:53 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 10:31:46 2026 -0700" }, "message": "handle CancelledError in run_agent_task so stop actually marks complete\n\nThe silent-death case akm has been chasing: click Stop, registry\nrecord stays \u0027running\u0027 forever, no traceback in the logs, no\nsandbox_run_failure entry. After enough digging it turned out the\nagent thread really WAS terminating -- just nobody was telling\nthe registry about it.\n\nSequence:\n 1. Click Stop -\u003e frontend\u0027s handleStop calls abortRef.current\n .abort() which closes the SSE fetch\n 2. Server-side: Starlette closes the StreamingResponse generator\n (client disconnect)\n 3. event_generator\u0027s finally clause runs:\n if not agent_task.done():\n try: await asyncio.wait_for(agent_task, timeout\u003d5.0)\n except (asyncio.TimeoutError, Exception):\n agent_task.cancel()\n For any agent doing more than a few seconds of work the 5s\n grace times out, agent_task.cancel() fires.\n 4. CancelledError raises inside run_agent_task at the\n \u0027await execute_in_thread(...)\u0027 point.\n 5. The \u0027except (Exception, AgentStopped)\u0027 tuple does NOT include\n CancelledError (asyncio.CancelledError inherits from\n BaseException since Python 3.8). The handler is skipped.\n mark_complete never runs.\n 6. Agent thread eventually finishes (cancel bit was set via\n POST /stop, on_stop scheduled task.cancel on its loop, so\n it raises AgentStopped at the next await). thread_entry\u0027s\n BaseException handler schedules _set_result_safe on the\n parent loop. By now run_agent_task is gone, but the future\n is still hanging around in memory.\n 7. _set_result_safe runs on the parent loop. Future is in\n pending state still (nobody cancelled it directly), so it\n gets a result. But no one is awaiting the future. The\n result is GC\u0027d. Registry stays running.\n\nFix: add an explicit \u0027except asyncio.CancelledError\u0027 clause to\nrun_agent_task BEFORE the broader (Exception, AgentStopped)\ncatch. Order matters -- both inherit from BaseException, and we\nwant CancelledError to take its own path.\n\nInside the handler: flip the cancel token if not already flipped\n(so the agent thread also winds down at its next structural\nboundary; without this it could keep doing arbitrary work for a\nwhile), mark the registry stopped with a clear error message\ndistinguishing this case from a user-clicked Stop, and re-raise so\nasyncio\u0027s task accounting still treats this task as cancelled.\n\nThe re-raise matters because the SSE generator\u0027s finally is doing\n\u0027await asyncio.wait_for(agent_task, ...)\u0027 -- if that wait_for sees\nthe task ended with a clean result (no exception) when in fact it\nwas cancelled, the cleanup logic would get confused. Preserving\nthe cancellation semantics keeps the rest of the lifecycle correct.\n" }, { "commit": "c5545df8fcf2660d70a8a94661cb398bb9545a57", "tree": "864bd9ec0e1ee4050c268a51cfc3d9e4a8c5eb98", "parents": [ "6cde4e514f64dde8d6a555057c6da50dbb5df9e3" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 07:30:40 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 10:22:39 2026 -0700" }, "message": "poll runs screen while anything is still running\n\nThe home page RunningJobsModule polls /runs every 5s, so its\nchips flip from \u0027running\u0027 to \u0027success\u0027/\u0027stopped\u0027/\u0027error\u0027 shortly\nafter the backend marks complete. The per-agent runs page didn\u0027t\npoll, only refetched on its own deliberate completionTick bumps\n(after Run finishes, after Stop is clicked). The Stop case has a\nrace: the bump fires immediately after POST /runs/\u003cid\u003e/stop\nreturns 202, which is BEFORE the agent reaches its next\ncheck_should_stop() and actually flips status. So the refetch\nfinds status\u003d\u0027running\u0027 and the UI stays that way until the user\nreloads.\n\nThis was especially confusing for the LLM-call case: call_llm\nchecks the cancel token only at function entry, so a stop pressed\nduring a multi-minute Bedrock call doesn\u0027t take effect until that\ncall returns. The agent IS being stopped, just not visibly to the\nuser on this page.\n\nFix: poll every 5s while any visible run is \u0027running\u0027 (either the\ndeep-linked fetchedRun, or any item in historicalRuns). Polling\nauto-stops once nothing\u0027s running so we don\u0027t waste cycles on\nidle pages. Same shape and cadence as the home page module.\n" }, { "commit": "6cde4e514f64dde8d6a555057c6da50dbb5df9e3", "tree": "d895bcf017af944bb96da7b9e4c9c6c6836f2fbb", "parents": [ "8ab8956420cbfb341ded53d9d521ae6e10af4421" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 16:55:32 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 10:04:07 2026 -0700" }, "message": "data store: check_should_stop at entry of bulk read methods too\n\nlist_keys, list_namespaces, get_all, and clear_namespace were\nmissing the structural-boundary stop check that get_many,\nset_many, delete_many, get, set, and delete already had. These\nare the methods the rewritten asvs_* agents lean on most for the\nN+1 -\u003e 1 CouchDB op reduction; with no check at entry, a stop\npressed while the agent is parked in one of them never reaches\na check until the underlying find or bulk-delete returns. On a\nlarge ASVS namespace these calls can hold the agent thread for\nseveral seconds with no opportunity to cancel -- the api log\nsees a 202 from POST /stop and then total silence until the\nagent eventually finishes whatever it was doing.\n\nAdd the same check_should_stop() call at the top of each.\nBehavior is identical to the methods that already had it: if\nthe cancel bit is set, AgentStopped is raised before the sync\nCouchDB call runs, and (now that AgentStopped is a BaseException)\nit propagates through agent code\u0027s broad except Exception\nclauses to the worker\u0027s mark_complete handler.\n\nDoesn\u0027t help a run that\u0027s already inside one of these calls when\nstop is pressed -- python can\u0027t interrupt a sync C-level network\nread mid-flight. But the very next call (and most agent loops\nmake many of them per iteration) catches the stop within\nmilliseconds.\n" }, { "commit": "8ab8956420cbfb341ded53d9d521ae6e10af4421", "tree": "cbf2e3e2eafffc28b9e2ddf5d9ae38c2052b0c15", "parents": [ "897da2c97f91175e1fc67047f32b1fb406c8d801" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 16:42:35 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 09:47:14 2026 -0700" }, "message": "make AgentStopped a BaseException so user code cant swallow stops\n\nThe asvs agents log warnings like\n\n WARNING: Could not load ASVS levels: Run was stopped by user\n WARNING: dropping 345 unknown section ID(s)\n ... (repeated for every chapter)\n\nand roll through to a 0-section output after Stop is pressed. The\n\u0027Run was stopped by user\u0027 string is the AgentStopped exception\nmessage; the agent has a broad\n\n try:\n load_asvs_levels()\n except Exception as e:\n print(f\u0027 WARNING: Could not load ASVS levels: {e}\u0027, flush\u003dTrue)\n\naround the ASVS load call. check_should_stop raises AgentStopped,\nthe except Exception swallows it, the agent logs a warning, then\ncontinues to the next chapter where check_should_stop raises\nagain, and again, and again until the agent reaches a 0-section\n\u0027completion\u0027 that\u0027s effectively garbage.\n\nThis is the same shape as Python before 3.8 when asyncio\n.CancelledError was Exception and broad except clauses would\nquietly absorb cancellation requests. PEP 622-era discussion led to\nreparenting CancelledError onto BaseException so it would\npropagate through user code regardless of try/except hygiene.\nApply the same fix to AgentStopped: cancellation signals must not\nbe catchable by code that\u0027s only meant to recover from ordinary\nerrors.\n\nroutes.py\u0027s run_agent_task needs the matching update: with\nAgentStopped no longer an Exception, the streaming endpoints\ncleanup-and-mark-complete handler doesn\u0027t cover it via\n\u0027except Exception\u0027 anymore. Broaden to \u0027(Exception, AgentStopped)\u0027\nexplicitly. Same handler logic for both, just named for clarity\nrather than catching BaseException unscoped.\n\nThe asvs_* agent files dont need editing -- their broad except\nclauses are now harmless for cancellation, since AgentStopped\nbypasses them and reaches the worker\u0027s catch directly.\n\nAdds a regression test: an agent that wraps check_should_stop in\n\u0027except Exception\u0027 must still propagate AgentStopped to its\ncaller once the cancel bit is set.\n" }, { "commit": "897da2c97f91175e1fc67047f32b1fb406c8d801", "tree": "a18b9050854636b96f368571d53ad7db690fb905", "parents": [ "514d8ca4dcf18dc403706af19d35ea1cacafbe26" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 08:25:02 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 09:32:42 2026 -0700" }, "message": "navigate URL to new run on Run click so Stop targets the displayed run\n\nThe Stop button has been silently targeting the wrong run when\nthe URL and the just-started run don\u0027t match. Reproduction:\n\n 1. Navigate to /agent/X/runs/\u003coldRunId\u003e (deep link, runs page\n for a previously-started run)\n 2. Click Run Agent. A new run starts with id \u003cnewRunId\u003e.\n currentRunId state is set to \u003cnewRunId\u003e from the first SSE\n run_id event. URL stays /agent/X/runs/\u003coldRunId\u003e.\n 3. Click Stop. handleStop\u0027s target is (currentRunId || runId),\n i.e. currentRunId wins. POST /runs/\u003cnewRunId\u003e/stop. \u003cnewRunId\u003e\n stops cleanly (AgentStopped, mark_complete).\n 4. The page is still showing data for \u003coldRunId\u003e, which is\n untouched and still running. Stop looks broken even though\n the backend did exactly what it was asked.\n\nIn the user\u0027s log: referer was /runs/915904d2 (old), POST went\nto /runs/4188bba3 (new currentRunId). 4188bba3 stopped fine,\nbut the visible 915904d2 didn\u0027t, so Stop appeared not to work.\n\nFix: when the first SSE run_id event arrives, navigate to\n/agent/\u003cagentId\u003e/runs/\u003crunId\u003e. From that point on, URL \u003d\ncurrentRunId \u003d the run fetchedRun fetches \u003d the run handleStop\ntargets. Single source of truth.\n\nSkip the navigate if the URL already matches so we don\u0027t create\nno-op history entries. Push (not replace) so the back arrow\nbehaves the way the user would expect.\n" }, { "commit": "514d8ca4dcf18dc403706af19d35ea1cacafbe26", "tree": "7201216d62a7c29eb4284055739814a50e832280", "parents": [ "07a20cb3d49b042dbfacf1529804c32f2a943b52" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 07:58:19 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 00:59:03 2026 -0700" }, "message": "refresh past-runs list when a new run starts\n\nWhen the user clicks Run Agent on a /agent/\u003cid\u003e/runs URL (no\nrunId in the path), the past-runs section stays empty for the\nentire run because historicalRuns only refetches on completionTick\nbumps -- and the existing bumps all fire after the run has\nalready ended (handleRun finally, handleStop, polling-while-\nrunning). The polling can\u0027t start the loop on its own because its\npredicate is whether anything in historicalRuns is running, which\nwon\u0027t be true if we haven\u0027t refreshed historicalRuns since before\nthe run began.\n\nThe first SSE \u0027run_id\u0027 event is the right anchor: the backend has\njust called new_record so the registry already contains the\nfreshly-created record. Bump completionTick there to trigger an\nimmediate historicalRuns refetch. The new run appears in the past-\nruns list within one round trip, and from then on the polling\neffect picks up the running entry and keeps it fresh every 5s.\n\nDeep-link case (URL already contains a runId) is unaffected --\nfetchedRun handles that path and was already showing the run.\n" }, { "commit": "07a20cb3d49b042dbfacf1529804c32f2a943b52", "tree": "1b5b83a90de1a77cbd2832f697ad13af2f19869a", "parents": [ "52586f75c41ad78523ed2614355aabc4c183d1f2" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 07:51:09 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 00:52:54 2026 -0700" }, "message": "stop the fetchedRun fetch storm on every trace event\n\nThe fetchedRun useEffect had runs in its deps so the local-match\ncheck inside it could re-evaluate when local state caught up to a\ndeep-linked runId. But the SSE trace event handler updates runs\nas a new array reference for every event -- usually 1000-2000+\nper agent run -- so the effect refired on every event and\nhammered GET /runs/\u003cid\u003e at ~10 requests per second. On a deep-\nlinked URL whose runId no longer exists in the registry (evicted\nafter the 1hr TTL, or wiped on an api restart), that showed up as\nhundreds of 404s per second in the api log.\n\nMemoize the boolean answer: hasLocalRunMatch derived via useMemo\nfrom (runs, runId). useMemo returns a stable primitive when its\ninputs change but the computed value stays the same, so the\neffect\u0027s deps comparison treats consecutive trace-event updates as\nidentical and the effect doesn\u0027t refire. Only an actual flip in\nwhether-the-URL-runId-has-a-local-match triggers a re-fetch.\n\nFunctionally equivalent for the originally-intended case (the\nstreaming run completes, runs gets an entry matching the URL\u0027s\nrunId, fetchedRun is cleared because we now have local data) --\nuseMemo recomputes, the boolean flips false -\u003e true, the effect\nrefires once and clears fetchedRun. What changes is that the\neffect no longer refires while the boolean stays the same value.\n" }, { "commit": "52586f75c41ad78523ed2614355aabc4c183d1f2", "tree": "5f12166322e7990895bc81a2858dc47ee33b1eb7", "parents": [ "40dc91f8fce6185e75b2e2d2930b2454eb2b98cf" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 07:37:43 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 00:40:05 2026 -0700" }, "message": "stop now interrupts the agent mid-await (cancel_token on_stop hook)\n\nPOST /runs/\u003cid\u003e/stop was flipping the cancel bit but the agent\nonly noticed at structural boundaries (check_should_stop calls\nbetween operations). If the agent was mid-LLM-call -- the common\ncase for an audit run -- nothing happened until the Bedrock call\nreturned, which can be minutes. The \u0027Stop\u0027 button felt broken\nbecause pressing it had no visible effect.\n\nFix: CancelToken gains an optional on_stop callback. request_stop\nflips the bit AND invokes the callback. The Path A executor\nregisters a callback that calls task.cancel() on the agent\u0027s task\nvia call_soon_threadsafe. asyncio.Task.cancel() raises\nCancelledError at the next await -- which IS the await we\u0027re\nstuck on inside the LLM client\u0027s httpx call. The HTTP request\ngets aborted, the connection closes, the exception propagates up.\n\nThe agent runner catches CancelledError and re-raises as\nAgentStopped so the streaming endpoint\u0027s existing is_stop\ndetection picks it up without changes. CancelledError inherits\nfrom BaseException (not Exception) in Python 3.8+, so without\nthe wrap it would skip past run_agent_task\u0027s except Exception\nclause entirely and the run would stick at \u0027running\u0027 just like\nbefore this whole series of fixes.\n\nThe structural-boundary check_should_stop path remains -- it\ncatches the case where cancel arrives between two awaits (e.g.\nduring a CouchDB bulk op or pure-Python work) where task.cancel\nhas nowhere to inject. Both paths converge on raising\nAgentStopped and reaching mark_complete(status\u003d\u0027stopped\u0027).\n\nNew unit test test_stop_interrupts_mid_await: agent awaits\nasyncio.sleep(10), stopper fires request_stop at 100ms, the\nexecute_in_thread call must raise AgentStopped within 1.5s.\nVerified manually: pressing stop now flips the run\u0027s status\nchip within the next 5s poll instead of waiting for the LLM\ncall to complete.\n" }, { "commit": "40dc91f8fce6185e75b2e2d2930b2454eb2b98cf", "tree": "a3e63bb9a7bdf9189fc799ee06e849696abe0322", "parents": [ "f3539b4cf00838aef77afd2940cef2a043e50a99" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 07:18:34 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 00:22:08 2026 -0700" }, "message": "show stop button on deep-linked running runs; avoid duplicate history\n\nTwo RunsScreen finesses akm asked for after the past-runs list\nstarted populating:\n\n1. Stop button missing on deep-link revisit. The button was gated\n on isLoading (true only while the streaming fetch is open in\n this component) and currentRunId (set from the first SSE\n \u0027run_id\u0027 event). Navigating to /agent/X/runs/Y for a run that\n was started in another tab -- or that simply outlived a page\n reload -- left both unset, so the button didn\u0027t render even\n though the run was actively in flight on the backend.\n\n Add a second visibility path: when fetchedRun.status \u003d\u003d\u003d\n \u0027running\u0027 (the registry record loaded by the deep-link useEffect),\n show the button. handleStop falls back to the URL-param runId\n when no in-tab id is available -- the backend doesn\u0027t care which\n tab issues the stop, it looks up the cancel token in the\n registry by runId. After a successful stop, bump completionTick\n so both fetchedRun and historicalRuns refresh and the chip\n flips to \u0027stopped\u0027 without needing a manual reload.\n\n2. Clicking a row in the past-runs list that\u0027s the same run\n currently in the URL pushes another identical history entry,\n so back-arrow needs to be pressed once per click to escape.\n Compare target path against location.pathname in the onOpen\n handler and skip the navigate when they match. Real navigations\n (any other row) still work as before.\n" }, { "commit": "f3539b4cf00838aef77afd2940cef2a043e50a99", "tree": "2b7961d328de7eb7edf01fcbfc1efe05782e5c18", "parents": [ "cfb16971e0c31dfd4b6aca2bb0d5edf43921c71c" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 07:03:22 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 00:04:33 2026 -0700" }, "message": "vite proxy: match api prefix when followed by query string too\n\nThe proxy regex ^/(auth|...|runs|...|users)(/|$) required the\nprefix to be followed by a slash or end-of-string. A request like\n/runs?agent_id\u003dX has the prefix followed by ?, which is neither --\nso vite skipped the proxy and served the SPA index.html as the\nresponse body. Frontend code calling fetch(\u0027/runs?agent_id\u003dX\u0027)\nthen tried to JSON.parse \u0027\u003c!doctype ...\u0027 and crashed.\n\nAffected any API endpoint with query parameters. The past-runs\nlist on the per-agent runs page was the first place we hit this\nbecause it\u0027s the first endpoint we shipped with a query-param\nfilter. Other API calls that happened not to use query strings\nworked because the path matched (/runs end-of-string, /runs/\u003cid\u003e\nslash).\n\nFix: add ? to the allowed terminator group so the regex matches\n^/runs(/|$|\\?). One character change to the existing pattern.\n" }, { "commit": "cfb16971e0c31dfd4b6aca2bb0d5edf43921c71c", "tree": "815b29fa81b1fd69a9728d57e4bd9ee1295263a1", "parents": [ "dd7cda3ec30d384df39944cc14fc1f54c1db6580" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 06:41:48 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 23:50:10 2026 -0700" }, "message": "add delete_many to data store service for filtered bulk deletes\n\nclear() wipes a whole namespace and set_many writes a dict; the\nmissing primitive was delete-by-key-list. Adds delete_many on both\nDataStoreService and the namespace-scoped AgentDataStoreProxy.\n\nUses the existing CouchDBService.delete_many under the hood\n(get_many for _revs + one _bulk_docs with _deleted markers, 2 HTTP\ncalls regardless of N). Missing keys treated as idempotent\nsuccesses.\n\nNeeded by asvs_orchestrate\u0027s orphan-report cleanup, which deletes\na filtered subset of keys and previously had to loop per-key.\n" }, { "commit": "dd7cda3ec30d384df39944cc14fc1f54c1db6580", "tree": "4453cb754ea4889a5d92a5afa95b96d1b845fcd7", "parents": [ "8e102160f2152aa97a0610b5c505a6f80723d250" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 06:41:48 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 23:50:10 2026 -0700" }, "message": "path A: run the agent in its own thread so the worker loop stays free\n\nArchitecture change so a slow agent run can\u0027t make the rest of the\napp unresponsive. Before this, the streaming endpoint ran the\nagent via asyncio.create_task on the SAME event loop as the worker\nthat received the request. When the agent did sync CouchDB work\n(files_ns.set, files_ns.delete -- the asvs_* agents do thousands\nof these per run), that worker\u0027s loop was blocked for the duration.\nOther coroutines on the same loop -- the SSE generator emitting\nthe run\u0027s own events, any other request the kernel happened to\nroute to the same worker -- couldn\u0027t progress. Even with --workers 4,\nthe same browser\u0027s parallel requests often colocate on the same\nworker, so users see the whole site freeze during a busy run.\n\nPath A fix: the streaming endpoint hands the agent off to its own\nOS thread with its own asyncio event loop. The worker\u0027s loop stays\nfree; sync calls inside the agent only block the agent thread\u0027s\nloop, which has nothing else on it. Trace events emitted by the\nagent bridge back to the worker\u0027s queue via call_soon_threadsafe.\nCancellation works because CancelToken is a plain bool the agent\nchecks at structural boundaries -- the worker thread sets the bit\nfrom POST /runs/\u003cid\u003e/stop, the agent\u0027s loop sees it on its next\ncheck_should_stop().\n\nFiles:\n\n- NEW services/agent_executor.py: execute_in_thread(factory, token)\n spins up a daemon thread, runs the factory\u0027s coroutine in a\n fresh event loop inside that thread, and bridges the result back\n via a Future on the caller\u0027s loop. The \u0027factory\u0027 shape (a zero-\n arg callable returning a coroutine) is deliberate -- coroutine\n loop affinity is decided when its first await runs, so we build\n the coro inside the target thread, not in the caller\u0027s.\n\n- services/agent_trace.py: Trace.attach_queue accepts an optional\n loop argument identifying the queue\u0027s owning event loop. When\n set, _publish routes put_nowait through call_soon_threadsafe so\n the queue\u0027s asyncio internals are only touched by its owning\n loop\u0027s thread. When unset, legacy direct put_nowait behavior is\n preserved for non-Path-A callers (the non-streaming /agents/run-code\n path, future fanout paths).\n\n- services/run_registry.py: _FanoutTrace.add_subscriber takes the\n same optional loop argument. The append() fanout uses the\n subscriber\u0027s loop for threadsafe routing per-subscriber. Storage\n switched from Set[Queue] to Dict[Queue, Optional[Loop]] to carry\n the binding.\n\n- routes.py: streaming endpoint calls execute_in_thread instead of\n awaiting _execute_agent_code directly. attach_queue and\n add_subscriber both get the worker\u0027s running loop so cross-thread\n emits work.\n\nThree unit tests pin the invariants:\n\n- worker_loop_stays_responsive_during_agent_block: a 500ms sync\n sleep inside the agent must not freeze the worker loop\u0027s\n heartbeat coroutine for 500ms. Asserts max heartbeat gap \u003c 200ms.\n\n- trace_events_bridge_from_agent_thread: trace events appended\n from the agent thread arrive on the worker-loop queue in order.\n\n- cancel_token_works_across_threads: a CancelToken flipped from\n the worker thread is seen by the agent\u0027s check_should_stop()\n inside its thread.\n\nWhat this does NOT do: reduce CouchDB load. The agent still fires\nthe same number of CouchDB requests, just on a different thread.\nCouchDB throughput is the next layer (the agent-batching work).\nThis change is about API responsiveness; agent throughput is\nunchanged.\n" }, { "commit": "8e102160f2152aa97a0610b5c505a6f80723d250", "tree": "d55bb700bb6968f9f83d18b013e0fc15cdf8cb72", "parents": [ "a87656991ddd1139894be34197e499cf5e684470" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 06:24:12 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 23:50:10 2026 -0700" }, "message": "fix streaming endpoint leaving stopped/errored runs as \u0027running\u0027\n\nTwo bugs, same symptom.\n\n1. is_cancelled() doesn\u0027t exist on CancelToken -- the method is\n is_stopped(). My previous patch called the wrong name from\n inside the streaming endpoint\u0027s except branch, raising\n AttributeError before mark_complete fired. The finally block\n still posted DONE_SENTINEL so the SSE stream closed cleanly,\n but the registry entry stayed at status\u003d\u0027running\u0027 until the\n 1h eviction TTL -- exactly the symptom akm reported for\n stopped runs and any other errored streaming run.\n\n This affected every error path, not just stop -- ordinary\n exceptions from the agent had the same fate. Stop just made\n it most visible because users actively expect a status change\n right then.\n\n2. Even with #1 fixed, an exception inside mark_complete itself\n (registry race, queue closed, anything) would leak the same\n way. Wrapped both the success and the error/stop calls to\n mark_complete in defensive try blocks that log the failure\n but keep the SSE stream\u0027s DONE_SENTINEL signal intact, so a\n future registry-internal bug surfaces in logs rather than\n silently sticking runs as \u0027running\u0027.\n" }, { "commit": "a87656991ddd1139894be34197e499cf5e684470", "tree": "9de25ee77f8b9d7b59a71a8b3aff4e9c5c09ceb6", "parents": [ "7f61ed805dd907463dacc5273dbed5d923520f28" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 05:59:44 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 23:50:10 2026 -0700" }, "message": "bring past-runs section back, sourced from the run registry\n\nThe past-runs list under the per-agent runs screen used to read from\nin-memory session state -- runs accumulated as the user clicked Run\nduring one tab session, disappeared on reload, never crossed agents.\nThat worked before the run registry landed; the comment on the\nrender block said as much (Future: GET /runs?agent_id\u003dX once the\nrun registry lands). With the registry in place this wires it up.\n\nBackend:\n- to_summary now includes inputDict and error. The past-runs list\n needs an input preview per row and an inline error message on\n failed runs; without these in the summary, each row would need a\n separate /runs/\u003cid\u003e fetch (N+1). Cost: list responses get bigger\n by however large each run\u0027s input is. Capped by list_for_user\u0027s\n 100-entry limit. If this turns into a problem under heavy use,\n the right fix is a server-side preview field, not removing the\n data altogether.\n\n- /runs accepts an optional ?agent_id\u003d query param so the per-agent\n screen can ask for just one agent\u0027s history. RunRegistry.list_for_user\n takes a matching agent_id kwarg and filters in memory before the\n 100-cap. Without this filter the per-agent UI would have to fetch\n all of a user\u0027s runs and filter client-side, which scales badly\n and bloats the network payload.\n\nFrontend:\n- runService.listRuns(agentId?) tacks on the query string when an\n agentId is provided. Existing call sites (RunningJobsModule,\n RunsPage) pass no argument and keep getting the full unfiltered\n list, same as before.\n\n- RunsScreen owns a historicalRuns state, fetched from\n /runs?agent_id\u003d\u003cid\u003e on mount and re-fetched whenever a streaming\n run completes (via a completionTick state bumped from the success,\n abort, and catch-all error paths). The fetched server records are\n normalized to the local-state shape RunsHistoryList already\n consumes -- runId -\u003e run_id, startedAt -\u003e started_at, status -\u003e\n outcome, inputDict -\u003e input, completedAt minus startedAt -\u003e\n duration_ms. RunsHistoryList itself is unchanged.\n\n- The past-runs section is no longer hidden when viewing a specific\n runId. Users land on /agent/\u003cid\u003e/runs/\u003crunId\u003e from a deep link\n and reasonably expect to see the rest of the agent\u0027s history so\n they can pivot between runs. The old guard (\u0027don\u0027t compete for\n attention\u0027) no longer holds when historical context is part of\n the point.\n\n- For agents without an agentId (creation-flow sandbox), the list\n falls back to in-memory runs[] -- the old behavior is preserved\n for the case where there\u0027s no saved agent to fetch history for.\n" }, { "commit": "7f61ed805dd907463dacc5273dbed5d923520f28", "tree": "303cc5a41f0525ac3f96cbad7568e26885d5fad2", "parents": [ "9a306f92d1dc0ac271975b403337c089b0212d75" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 05:53:29 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 22:57:26 2026 -0700" }, "message": "mark streaming runs complete, pre-fill from deep link, fix back-arrow loop\n\nFour related fixes to make the runs UX hang together.\n\n1. Streaming endpoint never called registry.mark_complete. The\n fire-and-forget endpoint (/agents/run-code/start) does it\n correctly, but /agents/run-code/stream creates the run record,\n wires up the cancel token, runs the agent... and exits without\n updating status. Every streaming run sat as \u0027running\u0027 until the\n 1-hour eviction TTL, regardless of whether it succeeded, failed,\n or was stopped. RunningJobsModule and RunsPage both showed\n stale \u0027running\u0027 chips because the registry was telling them so.\n Fix: call mark_complete from inside run_agent_task on both the\n success and exception paths. On exception, distinguish a user\n stop (AgentStopped, or cancel_token.is_cancelled()) from a\n genuine error so the status reflects which happened.\n\n2. Run records didn\u0027t store input_dict, so a deep link to\n /agent/\u003cid\u003e/runs/\u003crunId\u003e had no way to pre-fill the form.\n Added input_dict to RunRecord and to_full\u0027s response; streaming\n endpoint passes request.input_dict to new_record so it\u0027s\n captured at run start, not reconstructed later.\n\n3. RunsScreen back arrow looped between /agent/\u003cid\u003e/runs/\u003crunId\u003e\n and /agent/\u003cid\u003e/runs. The old code special-cased runId by\n navigating to the runId-less URL, but that navigation goes\n forward in history -- pressing back from there returned to\n the run-detail URL we\u0027d just left. Replaced with navigate(-1)\n which restores the natural \u0027return to where I came from\u0027\n behavior. Clicking back from a home-page-deep-link goes to\n home; from elsewhere it returns to elsewhere.\n\n4. RunsScreen now fetches the run record from /runs/\u003cid\u003e when\n landing here via deep link and the local runs[] state doesn\u0027t\n have it (which is always, for deep-links). The fetched\n inputDict gets normalized to the local-state input shape and\n feeds the existing pre-fill effect, so the form arrives\n already populated with the run\u0027s original values -- exactly\n the \u0027tweak and re-run\u0027 behavior the user expects.\n\nAlso: renamed the home-page module\u0027s visible title from\n\u0027Running Jobs\u0027 to \u0027Runs\u0027 to match the renaming akm already did\nlocally. The module shows all runs, not just running ones; the\nold name was a misnomer once completed runs started appearing.\nFile name and component name stay as RunningJobsModule for now\nto keep the diff small; can rename in a follow-up if desired.\n" }, { "commit": "9a306f92d1dc0ac271975b403337c089b0212d75", "tree": "dde3d8a3c60f1ce14f2df3b1d4288d21b7a59bea", "parents": [ "9b93916e1ae695f23b6b8f863e5e6afa4d086d71" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 03:58:17 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 20:59:17 2026 -0700" }, "message": "give dev actual multi-worker parallelism and lift couchdb\u0027s scheduler cap\n\nThree changes to webapp/infra/docker/docker-compose.yml.\n\n1. Remove the api service\u0027s compose-level command override. The\n Dockerfile already has CMD [..., --workers, 4] which is what we\n want; the compose override was running uvicorn with --reload,\n which forces uvicorn into single-worker mode (you can\u0027t hot-reload\n across processes). Net effect of the override: 1 worker, not 4,\n regardless of what the Dockerfile said. When an agent\u0027s streaming\n endpoint pinned that single worker with sync CouchDB ops, every\n other request -- home page modules, /runs, anything -- queued\n behind it. Removing the override means the Dockerfile CMD runs\n and dev actually gets four workers.\n\n Tradeoff: lose hot-reload on .py edits in dev. Trying to keep\n both reload AND multi-worker requires an external watcher\n process (watchfiles/watchexec touching a sentinel file workers\n monitor) or moving to gunicorn with --reload-engine. Not worth\n the complexity right now -- if hot reload turns out to be missed\n often, we can layer it back.\n\n2. Drop ERL_FLAGS\u003d+S 2:2 from the api service environment. Copy-\n paste from the couchdb service -- Erlang VM flags do nothing for\n the Python uvicorn process. Removing for cleanliness, no\n behavior change.\n\n3. Drop ERL_FLAGS\u003d+S 2:2 from the couchdb service environment.\n This was capping CouchDB\u0027s Erlang scheduler to 2 schedulers + 2\n dirty schedulers, artificially serializing concurrent CouchDB\n requests to those threads regardless of how many CPU cores the\n container had access to. Without the flag, Erlang defaults to a\n scheduler per detected CPU core (typically 4-16 in a dev box).\n Concurrent reads from the four uvicorn workers can now actually\n run in parallel inside CouchDB instead of queueing at the\n scheduler level.\n\nTogether with the existing async CouchDB shim, this is the dev-\nside throughput unblock: multi-worker FastAPI talking to a\nmulti-scheduler CouchDB, with the read endpoints\u0027 sync calls\noffloaded to thread pools so the workers\u0027 event loops stay free\nfor SSE streams and other concurrent traffic.\n\nDoes NOT address the underlying per-key sequential write pattern\nin the asvs_* agents -- that\u0027s the next round of work and lives\non the agent side, not the infra side.\n" }, { "commit": "9b93916e1ae695f23b6b8f863e5e6afa4d086d71", "tree": "afc895c86326784d681fcc31f7fd2412c0a64453", "parents": [ "3df0e9bd4ecace31cbfeddefdd49953ec1affc15" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Jun 05 00:24:44 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 20:58:01 2026 -0700" }, "message": "thread agent_id through runs and deep-link to per-agent run view\n\nClicking a row in the home page\u0027s Running Jobs module was navigating\nto /runs/\u003crunId\u003e, which the vite proxy forwards to the backend\u0027s\nGET /runs/\u003cid\u003e JSON endpoint -- so the browser rendered raw JSON\ninstead of a page. Same fate awaited the all-runs index page at\n/runs (added recently) because of the same /runs-prefix collision\nbetween SPA and API.\n\nTwo fixes:\n\n1. Add agent_id to the run summary so we can deep-link to the rich\n per-agent runs view at /agent/\u003cagentId\u003e/runs/\u003crunId\u003e (which has\n the full Progress Log, output panels, and the Stop button). The\n plumbing is small:\n\n - RunCodeRequest gains agentId field\n - frontend RunsScreen passes useParams agentId through\n agentService.runCodeInSandboxStreaming\n - the streaming endpoint hands it to RunRegistry.new_record\n - RunRecord stores it; to_summary returns it\n - RunningJobsModule and RunsPage build the deep link from it\n\n Sandbox runs (create-flow before a save) have no agentId and\n render as plain text rather than linking to a nonexistent route.\n\n2. Move the SPA\u0027s all-runs index from /runs to /jobs. The /runs\n path was always going to be intercepted by the vite proxy since\n the API\u0027s data endpoints live there too. /jobs reads naturally\n from the existing \u0027Running Jobs\u0027 module label and doesn\u0027t\n collide. View-all in RunningJobsModule and the route in\n routesConfig.jsx both updated.\n\nThe proper long-term fix for the SPA/API URL collision is to give\nthe API an /api prefix so both spaces are distinct. Out of scope\nfor this change -- /jobs is the cheap unblocker.\n" }, { "commit": "3df0e9bd4ecace31cbfeddefdd49953ec1affc15", "tree": "dc7ab49a9bc0f8f15fae4c8054b31dc9732826b4", "parents": [ "6d6b63edb5253ce41ce4e352a5d799c5a2085541" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 23:56:49 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 16:57:41 2026 -0700" }, "message": "match running jobs card to other home modules, add /runs page\n\nTwo related home-page polish items.\n\nRunningJobsModule restyle: the widget was a plain Paper with a flat\ntitle, sitting in a column next to two modules that use a richer\nheader pattern (light grey bg, border-bottom, leading icon + title +\ncount chip, optional View-all on the right). Match that pattern --\nPendingActionsIcon as the leading glyph, \u0027All (N)\u0027 chip showing the\ntotal, and a View-all button that navigates to the new /runs page.\nSame Paper-with-overflow-hidden shell as the Data Stores card so\nborders/headers line up across the row.\n\nAll-runs index page: new src/pages/RunsPage.jsx mounted at /runs.\nLayout follows DataStoresPage / SavedAgentsPage / DemoAppsPage\nconventions -- p:3 outer Box at maxWidth 1400 with margin:0 auto,\nheader row with back-arrow IconButton + h5 600-weight title with\nflexGrow:1 + size\u003dsmall Refresh button on the right, error Alert\nwith onClose dismissal, Paper-with-overflow-hidden table wrapper\nwith a #fafafa header row, empty state with a 40px icon above the\ntwo-line text. Adds page-specific status filter chips\n(All/Running/Success/Error/Stopped, counts per chip) above the\ntable; that\u0027s not a convention borrowed from existing pages, it\u0027s\nspecific to runs where filtering is the obvious primary action.\n\nSingle-run detail (/runs/\u003cid\u003e) is still TODO -- the row links in\nRunningJobsModule pointed at it before this change and will\ncontinue to until a detail page lands. Not blocking; the all-runs\npage gives operators the cross-cutting view they actually need\nfirst.\n" }, { "commit": "6d6b63edb5253ce41ce4e352a5d799c5a2085541", "tree": "1efce5d1b55cc8dcb7d623bdc038b0b880583f9b", "parents": [ "aef397ad910fe5900d87629d483a1e4eee6b9097" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 22:31:00 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 16:13:30 2026 -0700" }, "message": "harden RunningJobsModule and reshuffle home page layout\n\nTwo related home-page fixes bundled together because they touch the\nsame area and review naturally as a pair.\n\nRunningJobsModule hardening: the widget surfaced a literal\n\u0027Unexpected token \u003c, \u003c!doctype...\u0027 to the user whenever /runs\nreturned non-JSON (transient api restart, vite SPA-fallback during\nboot race, etc). Treat any unparseable or absent response as \u0027no\nruns yet\u0027 and log to console for operators. The widget is at-a-\nglance; failing loud is the wrong UX. Next 5s poll picks up real\ndata automatically.\n\nLayout reshuffle: Running Jobs moves from a full-width banner above\nthe columns into column 2 of the 3-column grid (where Demo Apps\nused to be). Demo Apps moves into column 1 stacked beneath the\nAgents table. Column 3 (Data Stores) unchanged. The retry banner\nfrom the home-page-resilience commit stays above the grid since\nit\u0027s a transient cross-cutting notice, not a column-bound module.\n" }, { "commit": "aef397ad910fe5900d87629d483a1e4eee6b9097", "tree": "f4dc3581e36f1acce590631fad76e0a50773efcc", "parents": [ "97dfdab323fa6be90a32008be173069efb04f577" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 22:30:30 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 16:11:09 2026 -0700" }, "message": "stop the boot-order race that floods dev logs with proxy errors\n\nEvery dev startup produces a wall of ECONNRESET / EPIPE / socket\nhang-up errors because vite is up in ~200ms while the api container\ntakes 5-10s for CouchDB wait + app startup. The SPA opens, fires\n/auth/me + /auth/providers + /log/client, vite proxies them to a\nsocket that isn\u0027t accepting yet, and the proxy logs a stack trace\nper failure. Once api is up the errors stop -- they\u0027re harmless --\nbut the noise has trained everyone to ignore the dev log, masking\nreal errors when they happen.\n\nTwo-part fix:\n\n1. dev-tail.sh polls /health before starting vite. Up to 30s\n timeout, then proceeds anyway with a warning. Eliminates the\n race entirely in the common case.\n\n2. vite.config.js installs a custom proxy error handler on the\n existing proxy block (which already routes the runs prefix as of\n the previous commit). Replaces the default stack-trace dump with\n a single-line note for the four expected transient codes\n (ECONNRESET, EPIPE, ECONNREFUSED, ECONNABORTED). Anything else\n still logs fully so we don\u0027t accidentally swallow real proxy\n failures. Also replies 502 to the client when upstream is\n unreachable so the SPA\u0027s fetch rejects cleanly instead of\n hanging.\n" }, { "commit": "97dfdab323fa6be90a32008be173069efb04f577", "tree": "5ee56793fce11959ce1469a0767cbfaf43738fe0", "parents": [ "8c3134a14b610bce45a9ae57a14da6183d3b1b61" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 23:02:17 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 16:04:35 2026 -0700" }, "message": "stop passing kwargs the sync DatabaseService doesn\u0027t accept\n\nTwo signature mismatches in async_shim.py were causing TypeErrors at\nruntime once the shimmed find() and ensure_index() were actually\nexercised:\n\n - find() enumerated a \u0027sort\u0027 kwarg the sync CouchDBService.find()\n has never accepted, so the wrapper always passed sort\u003dNone and\n the sync call exploded. Surfaced as \u0027CouchDBService.find() got\n an unexpected keyword argument sort\u0027 on /data-store/namespaces.\n - ensure_index() passed name\u003d but the sync signature uses\n index_name\u003d. Would have surfaced the same way the moment any\n caller exercised it.\n\nFix is the same shape for both: stop enumerating kwargs and pass\nthem through with **kwargs. The shim becomes a thin async facade\nthat doesn\u0027t need updating when sync method signatures evolve --\nthe sync class is the source of truth for what\u0027s accepted, and any\nunsupported kwarg surfaces as a normal Python TypeError instead of\nbeing silently dropped or quietly mistranslated by the shim.\n" }, { "commit": "8c3134a14b610bce45a9ae57a14da6183d3b1b61", "tree": "1fcb795a4f489279f3b924e6b02657de777d44a9", "parents": [ "b24351264056ec9099f1f39885420fa9a65e3999" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 15:56:34 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 15:56:34 2026 -0700" }, "message": "actually bind the cancel token so check_should_stop sees it\n\nISSUE-007 follow-up #2. The cancel-token primitive\u0027s check sites in data_store_service and llm_service have been polling _token.get() since 007 landed, but no production code called bind_token() to put anything in the contextvar. /runs/{id}/stop correctly set _stopped\u003dTrue on the registry entry; the agent\u0027s checks saw None and silently passed. One bind_token(_cancel_token) call in the streaming endpoint after registry publish closes the loop.\n" }, { "commit": "b24351264056ec9099f1f39885420fa9a65e3999", "tree": "09cb55bc0ef33bd07706b7324a8f774f716f6423", "parents": [ "90cb74ee734441d2190ed542f8aeed29add64ad8" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 19:23:44 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 15:40:31 2026 -0700" }, "message": "wrap sync CouchDB calls in thread pool for hot-path read endpoints\n\nThe couchdb Python library is fully synchronous. Calling its methods\ndirectly from an async route handler blocks the asyncio event loop\nfor the duration of the HTTP roundtrip, so a single worker handling a\nlong-running agent (which makes thousands of sync CouchDB calls) is\nunresponsive to every other request -- list_agents, list_demos,\nlist_namespaces, even /runs?status\u003drunning. Symptom: home page modules\nspin forever while an agent is doing data-store work.\n\nAdds services/database_service/async_shim.py that wraps the existing\nsync DatabaseService with asyncio.to_thread, so each CouchDB call runs\non a thread-pool executor while the event loop stays free to serve\nother coroutines. Exposes the async facade via dependencies.get_async_db\nand rewires the three hot-path read endpoints to use it:\n\n - GET /agents (home page Agents module)\n - GET /demos (home page Demo Apps module)\n - GET /data-store/namespaces (home page Data Stores module)\n\nThe agent execution path still calls the sync interface; converting\nit is a larger refactor (the agent author\u0027s contract is sync db.save\ncalls in their code), and the leverage from this patch alone is that\nhome page modules respond promptly even when one worker is pinned\ndoing sync CouchDB work for an agent.\n\nThis does NOT make CouchDB itself faster. If CouchDB is the\nbottleneck (CPU, fsync queue, connection pool exhaustion), the shim\nonly buys you responsiveness, not throughput. Real throughput needs\neither a faster CouchDB box, an async-native CouchDB client like\naiocouch, or a different database. Tests live in\ntests/unit/services/test_async_shim.py covering delegation,\nthread-pool concurrency, and the sync escape hatch.\n" }, { "commit": "90cb74ee734441d2190ed542f8aeed29add64ad8", "tree": "d30d7a4479d79e5d9fc482866096485bd26676e9", "parents": [ "a684c237a1ea6b9391e74cdc9cf8542a9bb11498" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 20:04:20 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 15:25:10 2026 -0700" }, "message": "wire stop button into RunsScreen and harden home page modules\n\nISSUE-007 follow-up + home page resilience.\n\nISSUE-007 (commit a684c23) added the backend POST /runs/{run_id}/stop\nendpoint and wired cancel-token checks into data_store_service and\nllm_service, but its diff doesn\u0027t touch any frontend files. So the\nstop button has been invisible since 007 landed -- backend is fully\nready, frontend just never got the wiring.\n\nBackend:\n - /agents/run-code/stream registers a Run with the registry at\n stream start, allocates a CancelToken in the cancel registry,\n and emits the runId as the first SSE event (\u0027run_id\u0027). The\n streaming endpoint still pins its worker (this isn\u0027t a move to\n the start-then-subscribe model), but the runId binding lets the\n client address the run for stop.\n\nFrontend:\n - agentService.runCodeInSandboxStreaming accepts an AbortSignal so\n the caller can abort the fetch. Surfaces \u0027run_id\u0027 SSE frames to\n onEvent wrapped as {type:\u0027run_id\u0027, data}, distinct from raw\n trace events.\n - RunsScreen tracks currentRunId from the first \u0027run_id\u0027 event,\n holds an AbortController in a ref, renders a red Stop button\n next to Run while a run is in flight, and on Stop both aborts\n the client fetch (immediate effect) and POSTs to /runs/{id}/stop\n (takes effect at the next cancel-token check in the agent\n code -- already wired in 007).\n\nHome page resilience:\n - Each module\u0027s fetch (agents, demos, data stores) races a 10s\n timeout. On timeout the spinner clears and an amber retry\n banner appears above the grid. Solves the \u0027all modules spinning\n forever\u0027 state that happens when a long-running agent is\n blocking workers with sync CouchDB calls. Layout (Running Jobs\n as banner, Agents/Demos/DataStores in 3-column grid below) is\n preserved unchanged.\n" }, { "commit": "a684c237a1ea6b9391e74cdc9cf8542a9bb11498", "tree": "c5e79b2dc39a16976f60d95aef0e83857bbddcaa", "parents": [ "3f149952dfd290adabf939d8ce7501b05751c4eb" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 12:00:00 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 11:37:39 2026 -0700" }, "message": "add stop button for in-flight runs with cooperative cancel\n\nISSUE-007\n\nAdds POST /runs/{run_id}/stop and a cooperative CancelToken that the\nagent code checks at structural boundaries (top of each LLM call, top\nof each data-store operation). The button surfaces in the RunsScreen\nwhen a run is in \u0027running\u0027 state.\n\nSelf-contained: ships even without ISSUE-003 deployed, since the stop\nendpoint operates on whatever run-tracking state is already in place.\nDirectly addresses the operational pain of runaway agents continuing\nto burn Bedrock budget after the SSE stream drops.\n\nTests: 7/7 passing covering token check propagation, mid-call\ncancellation, and the 404 path for unknown run ids.\n" }, { "commit": "3f149952dfd290adabf939d8ce7501b05751c4eb", "tree": "60cd725b94d8f3c373a4357ab00735d20dd88498", "parents": [ "b605a1bf0d23068f181ad56f3f60915ade088276" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 12:00:00 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 11:35:03 2026 -0700" }, "message": "add home page running jobs module\n\nISSUE-006\n\nAdds a cross-agent Running Jobs widget to the home page that lists\nin-flight runs across all agents the user has access to. Each row\nlinks to its agent\u0027s /runs page where ISSUE-005\u0027s useRun hook takes\nover streaming.\n\nDepends on ISSUE-003\u0027s registry endpoints. Small component, no\nbackend changes -- the data comes from GET /runs?status\u003drunning.\n" }, { "commit": "b605a1bf0d23068f181ad56f3f60915ade088276", "tree": "497f301814eebf51c266848adff6351d617eef5e", "parents": [ "c87c58857e3b9367d4061d304976664d77befeae" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 12:00:00 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 11:31:09 2026 -0700" }, "message": "subscribe to runs by run_id via /runs/{run_id}/stream\n\nISSUE-005\n\nRefactors the RunsScreen to subscribe to a run by id instead of\nholding the per-request SSE stream that started the run. Adds a\nuseRun hook that opens the stream, handles reconnect on transient\nerrors, and exposes run state to the component.\n\nDepends on ISSUE-003 being deployed (the registry endpoints). Tab\nclose, network blip, and proxy timeout now drop the stream cleanly\nand the user can reopen the run page to pick up where they left off.\n\nTests: vitest suites included; run with pnpm test in webapp/packages/webui.\n" }, { "commit": "c87c58857e3b9367d4061d304976664d77befeae", "tree": "8fd5b9abb547e12157963e1c16154912b74dccbf", "parents": [ "6a625404c8b8f6782ee54cab6e533a725f4b6f31" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 12:00:00 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 11:28:36 2026 -0700" }, "message": "add run registry for persistent, replayable runs\n\nISSUE-003\n\nRuns are currently tied to the SSE request that started them: tab close\nor proxy timeout kills the run, and there is no way to reconnect or\nintrospect from another session. Adds a backend run registry that\ngives each run a stable run_id, persists state across the agent\nexecution, and exposes /runs/{run_id}* endpoints for status, events,\nand listing.\n\nThis is the foundation for ISSUE-005 (subscribe by run_id),\nISSUE-006 (home running jobs module), and ISSUE-007 (stop button) --\nland 003 first; they consume its registry.\n\nTests: 12/12 passing covering registry CRUD, concurrent appends,\nand replay of completed runs.\n" }, { "commit": "6a625404c8b8f6782ee54cab6e533a725f4b6f31", "tree": "3faf1396e2ad0f918429a7dae821a938f8d23171", "parents": [ "58831d2669229023d8c2ac36b2fa9098a3950530" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 18:10:57 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 11:18:26 2026 -0700" }, "message": "surface session expiry as 401 with X-Auth-Reason header\n\nISSUE-010\n\nSession expiry currently produces a generic \u0027Failed to save\u0027 error\nthat doesn\u0027t tell the user the session expired or that they need to\nre-authenticate. Adds an X-Auth-Reason header on backend 401\nresponses (values: session_expired vs not_authenticated), a frontend\nfetch interceptor that translates the header into a\n\u0027auth:session-expired\u0027 DOM event, and an AuthExpiryModal mounted\nglobally in App.jsx that listens for the event and offers a Sign In\nbutton that preserves returnTo so the user lands back where they\nleft off after re-auth.\n\nTests:\n - tests/integration/test_routes.py: three pytest cases verifying\n X-Auth-Reason is session_expired for expired cookies,\n not_authenticated for missing cookies, and absent entirely on\n successful 2xx responses.\n - components/AuthExpiryModal.test.jsx: three vitest cases for the\n modal\u0027s event-listener wiring and returnTo navigation.\n" }, { "commit": "58831d2669229023d8c2ac36b2fa9098a3950530", "tree": "66a9e3e7d92a94cd85355e0303759692eb91ecb1", "parents": [ "8c73bb3f181597367a1580d55fbf8753bd680cc2" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 06:59:53 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 10:39:15 2026 -0700" }, "message": "ISSUE-008: env vars editor UI\n\nAdds the frontend half of ISSUE-008 that was missing from the original\npatch. New EnvVarsEditor component renders key/value rows with masked\nvalues (reveal toggle per row), add/remove affordances, and duplicate-key\ndetection. Lives in a new \u0027Environment Variables\u0027 accordion section\nbetween the Schemas section and Data Store Configuration in ViewAgent.\n\nEmpty rows the user left behind mid-edit are filtered out of the save\npayload (in both handleSave and handleSaveNewAgent) so the backend\ndoesn\u0027t store {key: \u0027\u0027, value: \u0027\u0027} blanks. Duplicate keys are flagged\nin the UI but not blocked from saving -- the backend will silently\ntake the last value per key, which matches the os.environ semantics\nthe user expects.\n\nPure frontend change. Depends on the backend half of ISSUE-008 being\ndeployed (the env_vars field on the agent model and the runtime\noverlay in services/environ_proxy.py), but doesn\u0027t break anything\nif the backend is older -- it just sends an envVars field the\nbackend ignores.\n" }, { "commit": "8c73bb3f181597367a1580d55fbf8753bd680cc2", "tree": "a8df6d1fec04c8247285474435b4446019def418", "parents": [ "7b959942c7cc245801a6f6c10e6dff1da7c5a1aa" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 12:00:00 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 23:59:02 2026 -0700" }, "message": "add per-agent environment variables\n\nISSUE-008\n\nAdds an environment_variables field to agents, an editor UI for\nmanaging key/value pairs, and a runtime overlay that injects them\ninto the agent\u0027s execution scope. Values are encrypted at rest using\nthe same Fernet key the rest of the user-service uses for secrets.\n\nTests: 6/6 passing covering CRUD, encryption at rest, and the\noverlay merge with system env at execution time.\n" }, { "commit": "7b959942c7cc245801a6f6c10e6dff1da7c5a1aa", "tree": "706c9d240c3d88b1a792eae195a482d90c53c819", "parents": [ "91d00591b6785b7f4e907e6f757e14a4392765a0" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 23:45:28 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 23:45:28 2026 -0700" }, "message": "Adding workers to uvicorn so agents can run concurrently\n" }, { "commit": "91d00591b6785b7f4e907e6f757e14a4392765a0", "tree": "319fa06fe41c7498fdb3e9a62d4d0f1d29659fe9", "parents": [ "219b6e57280df2d11d68e6e655b63e8ce1509af9" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Jun 04 06:24:04 2026 +0000" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 23:30:10 2026 -0700" }, "message": "render run output as labeled per-key panels\n\nThe runs page previously rendered any agent output as a single\nJSON.stringify blob in one \u003cpre\u003e tag, regardless of the declared\noutput schema. When the agent\u0027s output schema declared multiple keys\n(e.g. {summary: string, issues: list}), users saw an undifferentiated\nblob rather than the per-key labeled panels they\u0027d reasonably expect\ngiven that the input side already renders one labeled TextField per\ninput-schema key.\n\nAdds a renderOutput helper that iterates over the schema\u0027s declared\nkeys when there are 2+ (so missing keys surface as \u0027not returned by\nagent\u0027 rather than silently disappearing), falls back to the output\u0027s\nactual keys for single-key or schema-less cases, and renders each\nvalue type-appropriately: strings as-is for readability, structured\nvalues as pretty JSON. Keys the agent returned that weren\u0027t declared\nin the schema get a separate \u0027Extra keys not in schema\u0027 section so\nschema drift is visible without dominating the primary view.\n\nThe single-string-blob fallback preserves the old behavior for the\nedge case where an agent returns a bare string or number rather than\na dict.\n\nPure frontend change, no backend coordination, no test files to\nupdate. Applies cleanly against current main.\n" }, { "commit": "219b6e57280df2d11d68e6e655b63e8ce1509af9", "tree": "0e8af60d5191325e68ee9ac15e0f1cc1a5583594", "parents": [ "bc83751ad51d7d099c5947e9a0215eff533417f8" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 23:11:56 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed Jun 03 23:11:56 2026 -0700" }, "message": "api+nginx: support long-running streamed agent responses\n\nBumps three keep-alive / timeout knobs so SSE streams from long agent\nruns (extended reasoning, tool-use loops) don\u0027t get cut by an\nintermediate proxy when the model is mid-response.\n\nwebapp/infra/docker/nginx.conf\n - add proxy_buffering off and proxy_cache off so SSE frames reach\n the client immediately instead of accumulating in nginx\n - add proxy_set_header Connection \u0027\u0027 to actually enable HTTP/1.1\n keep-alive on the upstream (proxy_http_version 1.1 alone isn\u0027t\n enough; the default Connection header forces close)\n - bump proxy_read_timeout / proxy_send_timeout from 600s to 3600s\n\nwebapp/infra/docker/Dockerfile.api\n - add --timeout-keep-alive 3600 to uvicorn so it doesn\u0027t drop idle\n streamed connections after the default 5s\n\nPaired with a matching ProxyTimeout 3600 in the puppet vhost. All\nthree tiers of the proxy chain (apache -\u003e nginx -\u003e uvicorn) need to\ntolerate hour-long idle streams for the fix to work end-to-end.\n" }, { "commit": "bc83751ad51d7d099c5947e9a0215eff533417f8", "tree": "16835382a6c29765a44a062ac1f11c8f002c99ef", "parents": [ "3fcfca57cd5ead236f130897fc756fdd12d6b374" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue Jun 02 14:18:03 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue Jun 02 14:18:03 2026 -0700" }, "message": "Correcting context window for opus 4.7. and 4.8\n" }, { "commit": "3fcfca57cd5ead236f130897fc756fdd12d6b374", "tree": "3b41bcb2cc7dcc88eafc3c4aa1fdcf9722ff1685", "parents": [ "dc999ad55ee759081f9075cd9dd6fe3b6498048a" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue Jun 02 12:47:46 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue Jun 02 12:47:46 2026 -0700" }, "message": "add bedrock config and adaptive-thinking routing for opus 4.7/4.8\n\nRegister the two models with supports_thinking/supports_effort/\nreturns_thoughts and extended reasoning_effort choices (xhigh, max).\nIn llm_service.py, branch on _is_opus_4_7_or_later and strip\nreasoning_effort, bypassing litellm\u0027s legacy thinking.type.enabled\ntranslation that Bedrock rejects for these models. Older models and\nnon-Opus Claudes still pass reasoning_effort through unchanged.\nVerified end-to-end against Bedrock. Tests cover the helper, both\nkwargs branches, and the disable/absent cases.\n" }, { "commit": "dc999ad55ee759081f9075cd9dd6fe3b6498048a", "tree": "e39a861412febb6edf3b170924affc3e7cdcb76b", "parents": [ "bf02d0e3d16527c6ccad63395195d95ea4a2e895" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sat May 30 13:11:28 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Sat May 30 13:11:28 2026 -0700" }, "message": "Bumping starlette so fastapi doesn\u0027t bring in a vulnerable version\n" }, { "commit": "bf02d0e3d16527c6ccad63395195d95ea4a2e895", "tree": "c74e81b83c1116e739122932b258dfbd74c1bf38", "parents": [ "09b422ecb4c68b29624b8ac1b0994946491262f9" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 29 10:22:01 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 29 10:22:01 2026 -0700" }, "message": "remove unused axios dependency\n\naxios was declared as a direct dependency in webapp/packages/webui/package.json\nbut had zero imports anywhere in the SPA source. Only references were the\npackage.json line itself and an illustrative example in docs/testing/unit-testing.md.\n\nRemoves the dep and updates the docs example to use fetch mocking, which\nmatches the pattern actually used by the SPA\u0027s service layer (agentService.js,\nrunService.js, etc).\n\nSupersedes #38 (dependabot bump of axios 1.15.2 -\u003e 1.16.0).\n" }, { "commit": "09b422ecb4c68b29624b8ac1b0994946491262f9", "tree": "60175a673435865b14d213b4f3df02aeba905dcd", "parents": [ "fd25e37afc048c72e6ec42ff2a2e5df6358d7788" ], "author": { "name": "Dave Fisher", "email": "dave@davefisher.tech", "time": "Fri May 29 08:57:18 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Fri May 29 08:57:18 2026 -0700" }, "message": "Update notification emails in .asf.yaml to use issues@tooling" }, { "commit": "fd25e37afc048c72e6ec42ff2a2e5df6358d7788", "tree": "570af12bde03c68ea381ea107eb588543b96acd2", "parents": [ "e3e55a213fb17de8547490563ffde8a002f454f7" ], "author": { "name": "Miro", "email": "natsubeloud@gmail.com", "time": "Thu May 28 21:42:31 2026 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu May 28 12:42:31 2026 -0700" }, "message": "Fix observability user IDs on public endpoints (#35)\n\n* Fix observability user ids for public routes\n\nSigned-off-by: Miro \u003c200482516+Mirochill@users.noreply.github.com\u003e\n\n* skip duplicate session lookup when middleware populated user\n\nPR #35 has ObservabilityMiddleware resolve the session cookie before\neach route runs so request logs can attribute the authenticated user\non public endpoints. For endpoints that ALSO depend on\nget_current_user, that\u0027s a second session lookup against the same\ncookie inside _verify_session_cookie -- one DB roundtrip per\nauthenticated page load that we don\u0027t need.\n\nHave get_current_user short-circuit when request.state.user has\nalready been populated with auth_mode\u003d\u0027session\u0027. The user dict\nconstructed by ObservabilityMiddleware._populate_session_user and the\none constructed by _verify_session_cookie are byte-identical (both\nread the same session via the same SessionService), so reusing the\nmiddleware\u0027s result is correct.\n\nAdds an integration test that verifies _verify_session_cookie is not\ncalled when the middleware has already populated the user.\n\n* log breadcrumb when middleware session lookup fails\n\nObservabilityMiddleware._populate_session_user (from PR-35) swallows\nevery exception from the session-service / DB lookup so a broken\nbackend never fails a request. That\u0027s the right tradeoff, but in\nits original form it\u0027s COMPLETELY silent: a misconfigured session\nservice or DB outage would silently downgrade every authenticated\nrequest to \u0027anonymous\u0027 with nothing in the logs to find out why.\n\nEmit a debug-level breadcrumb on the swallowed exception. Stays out\nof normal log volume but is grep-able when investigating sudden\n\u0027why is everyone anonymous in the audit log\u0027 incidents.\n\nAdds a unit test that asserts the breadcrumb is emitted (and the\nrequest still succeeds with anonymous attribution) when the session\nservice raises.\n\n---------\n\nSigned-off-by: Miro \u003c200482516+Mirochill@users.noreply.github.com\u003e\nCo-authored-by: Miro \u003c200482516+Mirochill@users.noreply.github.com\u003e\nCo-authored-by: Andrew Musselman \u003cakm@apache.org\u003e" }, { "commit": "e3e55a213fb17de8547490563ffde8a002f454f7", "tree": "e936f31b86e1cd9203f7abab030857e1a36237f0", "parents": [ "8ea6fb4f129f67a28a825bc5e373517026d5fe8b" ], "author": { "name": "Miro", "email": "natsubeloud@gmail.com", "time": "Thu May 28 21:18:18 2026 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu May 28 12:18:18 2026 -0700" }, "message": "Harden auth against dev stub fallthrough (#37)\n\n* Harden auth against dev stub fallthrough\n\n* dry: single source of truth for DEV_STUB_ALLOWED_ENVS\n\nPR #37 introduced the dev_stub env allowlist in two places — as\n_DEV_STUB_ALLOWED_ENVS in auth/__init__.py and as DEV_STUB_ALLOWED_ENVS\nin routes_auth.py. Both held the same value but they could drift if\nsomeone added an env to one and forgot the other, reintroducing the\ninconsistency the PR was written to prevent.\n\nPromote the constant in auth/__init__.py to public (drop the leading\nunderscore, add a docstring noting it\u0027s imported from routes_auth) and\nimport it from routes_auth.py instead of redefining.\n\n---------\n\nCo-authored-by: Mirochill \u003c200482516+Mirochill@users.noreply.github.com\u003e\nCo-authored-by: Andrew Musselman \u003cakm@apache.org\u003e" }, { "commit": "8ea6fb4f129f67a28a825bc5e373517026d5fe8b", "tree": "42786acf69b091e21f1d6c3e134c587d268106dd", "parents": [ "646c15e7c7bad4a623ce24498c95825ad21aa1d5" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue May 26 22:29:28 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue May 26 22:29:28 2026 -0700" }, "message": "Define settings.AUTH_CONFIG_PATH to stop unauthenticated 500s\n\nFixes #19.\n\nThe prod auth landing added a read of settings.AUTH_CONFIG_PATH in\nroutes.py:get_current_user, but the Settings class only defined\nAUTH_CONFIG (the loaded dict from _load_auth_config). Every request\nwithout a valid session cookie hit the bypass branch, raised\nAttributeError on the missing attribute, and surfaced as HTTP 500.\nSame path fired in production (sessions expiring → /agents,\n/data-store/namespaces 500\u0027d), in backend integration tests\n(TestClient has no cookie), and during E2E setup (SPA\u0027s initial\n/users/me and /providers 500\u0027d, frontend stuck on loading).\n\nFix is one attribute on the Settings class:\n\n AUTH_CONFIG_PATH: str | None \u003d os.getenv(\"AUTH_CONFIG_PATH\")\n\nThree ride-along fixes for paper cuts surfaced while verifying:\n\n * tests/unit/test_time_utils.py — the #34 regression test\n rglob\u0027d under user-service, catching datetime.utcnow in .venv\n third-party packages. Scoped the scan to skip .venv,\n __pycache__, node_modules, build/dist, and cache dirs.\n\n * webapp/packages/webui/src/components/profile/ApiKeysTab.test.jsx\n — \"renders loading state initially\" was synchronous but the\n component did async state updates after return, triggering\n act() warnings. Made async + await waitFor for progressbar\n to clear.\n\n * webapp/packages/webui/vite.config.js — dev-tail runs Vite\n without nginx, so the SPA\u0027s /auth/me, /users/me, etc. landed\n on Vite\u0027s SPA fallback instead of the api. Added a proxy\n mirroring the prefix list in webapp/infra/docker/nginx.conf,\n which handles the same routing in containers. Production\n unaffected.\n\nVerified: 17/17 previously-failing integration tests pass; curl\n/users/me returns 401 (was 500); E2E suite proceeds past login.\n\nbypass, add 401-path tests — that need the integration suite\nupdated in parallel to override get_current_user. File a follow-up\nfor that pre-launch hardening.\n" }, { "commit": "646c15e7c7bad4a623ce24498c95825ad21aa1d5", "tree": "b0770cdef24d347b6bc5006e7addd7f213fcefd9", "parents": [ "307a0bc20636a4010b3e2be077f9d8ef64a16bd4" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue May 26 21:15:36 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue May 26 21:21:04 2026 -0700" }, "message": "Retry LLM calls on rate-limit errors with exponential backoff\n\nAdds retry handling for litellm.RateLimitError in call_llm with\nexponential backoff and jitter, configurable via\nLLM_RATE_LIMIT_RETRIES (default 5) and LLM_RATE_LIMIT_BACKOFF_CAP\n(default 60s). Five retries gives roughly 30-45 seconds of\npatience per call before re-raising — enough for typical Bedrock\nand OpenAI quota refills without unbounded wall time.\n\nExisting Timeout retry behavior is preserved unchanged. The two\nretry budgets are independent rather than overlapping, so a request\nthat hits both kinds of failures has full access to both.\n\nAdds tests/unit/services/test_llm_service_retries.py with eight\ntests covering the success and exhaustion paths, backoff math, cap\nclamping, env-disable, non-retryable passthrough, and a regression\nguard for the existing Timeout retry path.\n" }, { "commit": "307a0bc20636a4010b3e2be077f9d8ef64a16bd4", "tree": "e0fb8cca572968c4b74e5cbd1bb6afc9de3825e5", "parents": [ "e53b5a49bbe660cd65a1316a83067bba86f157a6" ], "author": { "name": "Miro", "email": "natsubeloud@gmail.com", "time": "Wed May 27 06:20:32 2026 +0200" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Tue May 26 21:20:32 2026 -0700" }, "message": "Fix utcnow deprecation warnings (#34)\n\nSigned-off-by: Miro \u003c200482516+Mirochill@users.noreply.github.com\u003e\nCo-authored-by: Miro \u003c200482516+Mirochill@users.noreply.github.com\u003e" }, { "commit": "e53b5a49bbe660cd65a1316a83067bba86f157a6", "tree": "356a47571c21bccc6270e854fa4070406d0238ad", "parents": [ "4b7807c6d1f913424500eb35f11670e059b24465" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Sun May 24 20:41:13 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Sun May 24 20:41:13 2026 -0700" }, "message": "Bump webpack-dev-server from 5.2.3 to 5.2.4 in /website (#17)\n\nBumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.3 to 5.2.4.\n- [Release notes](https://github.com/webpack/webpack-dev-server/releases)\n- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/webpack/webpack-dev-server/compare/v5.2.3...v5.2.4)\n\n---\nupdated-dependencies:\n- dependency-name: webpack-dev-server\n dependency-version: 5.2.4\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "4b7807c6d1f913424500eb35f11670e059b24465", "tree": "24fd30850cb518f967bc9c05454994c8575a79a7", "parents": [ "b43ef858d89e0f5b57f3f21e3c4d8c76515de890" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 22:55:50 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 22:55:50 2026 -0700" }, "message": "Admin login for testing\n" }, { "commit": "b43ef858d89e0f5b57f3f21e3c4d8c76515de890", "tree": "4f4b4e48e1c29034a767d99daf830e751006ddd4", "parents": [ "e27674c0ec611ed0f51c09480f312c865a93007e" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 09:03:04 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 09:03:04 2026 -0700" }, "message": "auth: tolerate providers that don\u0027t echo state in callback\n\noauth.apache.org doesn\u0027t pass the state parameter back in the OAuth\ncallback URL — it stores state server-side and validates it during\nthe code exchange. The previous strict check (\u0027state must be in URL\nAND match cookie\u0027) broke the ASF flow with \u0027Invalid state; possible\nCSRF\u0027 even on legitimate logins.\n\nRelax to: cookie must be present (proves the browser started the\nflow from this app); if state IS in the URL it must match the cookie\n(covers standard OAuth providers like Google, GitHub, Microsoft).\nFor ASF the cookie alone is the CSRF defense; the code itself is\nsingle-use and bound server-side to the originating session.\n" }, { "commit": "e27674c0ec611ed0f51c09480f312c865a93007e", "tree": "fd7a0e4762d7037e5a0b6b62a832975e48ed0e5d", "parents": [ "fffd8eb8adc40982834dbffddd55495375866796" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:47:26 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:53:09 2026 -0700" }, "message": "api: trust X-Forwarded-Proto via --proxy-headers\n\nWithout --proxy-headers, uvicorn ignores X-Forwarded-* headers and\nbuilds request.base_url from the immediate connection\u0027s scheme — http,\nsince nginx -\u003e uvicorn is http inside the docker network.\n\nThis causes routes_auth._default_redirect_uri to construct an\nhttp://... redirect URI for the OAuth flow, which oauth.apache.org\nrejects with \u0027Invalid redirect URI ... MUST be https\u0027.\n\nWith --proxy-headers, uvicorn honors the X-Forwarded-Proto header set\nby Apache (and now correctly preserved through nginx) so base_url\nresolves to https://... in production.\n\n--forwarded-allow-ips\u003d* is safe here because the api container only\nbinds to the gofannon docker network; nothing external can reach it.\n" }, { "commit": "fffd8eb8adc40982834dbffddd55495375866796", "tree": "f894255c13470d9af45ebaa2f07e03b086e2888b", "parents": [ "f9b056101b72ef97cb1ef9e1aa39926a558fa356" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:47:26 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:47:26 2026 -0700" }, "message": "api: trust X-Forwarded-Proto via --proxy-headers\n\nWithout --proxy-headers, uvicorn ignores X-Forwarded-* headers and\nbuilds request.base_url from the immediate connection\u0027s scheme — http,\nsince nginx -\u003e uvicorn is http inside the docker network.\n\nThis causes routes_auth._default_redirect_uri to construct an\nhttp://... redirect URI for the OAuth flow, which oauth.apache.org\nrejects with \u0027Invalid redirect URI ... MUST be https\u0027.\n\nWith --proxy-headers, uvicorn honors the X-Forwarded-Proto header set\nby Apache (and now correctly preserved through nginx) so base_url\nresolves to https://... in production.\n\n--forwarded-allow-ips\u003d* is safe here because the api container only\nbinds to the gofannon docker network; nothing external can reach it.\n" }, { "commit": "f9b056101b72ef97cb1ef9e1aa39926a558fa356", "tree": "fd696562ebe5f543c7b4fc111613c1a1d95eb807", "parents": [ "ed0919d4213831ebacb49d6785825a78131ae59b" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:40:54 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:40:54 2026 -0700" }, "message": "nginx: preserve upstream X-Forwarded-Proto for OAuth redirect URI\n\nWhen the webui container is fronted by Apache (production setup),\nApache terminates TLS and sets X-Forwarded-Proto: https before\nproxying to nginx on http. The previous $scheme directive overwrote\nthat with \u0027http\u0027 (the apache-\u003enginx connection scheme), so uvicorn\nsaw request.base_url as \u0027http://...\u0027. The auth flow then built\nredirect_uri as \u0027http://...\u0027, which oauth.apache.org rejects with\n\u0027Invalid redirect URI ... MUST be https\u0027.\n\nPass through the upstream\u0027s X-Forwarded-Proto value so the original\nscheme survives the apache-\u003enginx-\u003euvicorn chain.\n" }, { "commit": "ed0919d4213831ebacb49d6785825a78131ae59b", "tree": "2d285e43548454ffee621d98d931c683428856d2", "parents": [ "b4440dda866180a2f7c5bba8e5bb2315fe8e3fde" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:33:34 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 08:33:34 2026 -0700" }, "message": "auth: use hex state token for OAuth (ASF compatibility)\n\noauth.apache.org validates the OAuth state parameter against the\ncharacter set: hex or alphanumerical, dashes allowed. secrets.token_urlsafe\nproduces base64url which includes underscores, which ASF rejects with\n\u0027Origin state ID MUST be hex or alphanumerical (dashes are allowed)\u0027.\n\nSwitch to secrets.token_hex(24) for ASF-compatibility — same 192 bits\nof entropy, encoded as 48 hex characters.\n" }, { "commit": "b4440dda866180a2f7c5bba8e5bb2315fe8e3fde", "tree": "f4e47d6f2be087444eacf74cec450a49dfd8cff4", "parents": [ "3daf919898f756b6ed72d2f3c1437926c79edb88" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 00:29:27 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 00:29:27 2026 -0700" }, "message": "Updates for p6\n" }, { "commit": "3daf919898f756b6ed72d2f3c1437926c79edb88", "tree": "eb47f71129e4f8924b3da9142e76a80960acb84c", "parents": [ "e6e041b23801838a7ffa803ffee36d11ea8bbe8d" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 00:12:01 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri May 15 00:12:01 2026 -0700" }, "message": "Updates for p6\n" }, { "commit": "e6e041b23801838a7ffa803ffee36d11ea8bbe8d", "tree": "4c280f50bd6cc68f90005ce87df2b9184c24f6c9", "parents": [ "b3429045f3515714aea7c6634fbd5348832e2bce" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu May 14 23:28:54 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu May 14 23:51:46 2026 -0700" }, "message": "Updates for p6\n" }, { "commit": "b3429045f3515714aea7c6634fbd5348832e2bce", "tree": "0caa9a317f3074829d94d9ec3a25d5d3bef969d8", "parents": [ "465e28ff2667c1223b7089be3742ae6293aa2a01" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu May 14 23:28:54 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu May 14 23:28:54 2026 -0700" }, "message": "Updates for p6\n" }, { "commit": "465e28ff2667c1223b7089be3742ae6293aa2a01", "tree": "820a7f0b243c7330525e260ac52b1925870e8d3b", "parents": [ "5bd78a3b21cf8c2c996fe08ced9ac487b433087d", "104d78c0b2fe1de5c5a6213340c82fcecb475451" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu May 14 15:49:42 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu May 14 15:49:42 2026 -0700" }, "message": "Merging main into prod\n" }, { "commit": "104d78c0b2fe1de5c5a6213340c82fcecb475451", "tree": "820a7f0b243c7330525e260ac52b1925870e8d3b", "parents": [ "2eba44e055bdbb648b16e31ae4445f9d89db7c5b" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed May 13 16:46:27 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed May 13 16:46:27 2026 -0700" }, "message": "Auth glitch fix\n" }, { "commit": "2eba44e055bdbb648b16e31ae4445f9d89db7c5b", "tree": "02a4894af8d5f5ff370893c1386491c7f8510183", "parents": [ "d298a069c82d9156ee5af82bab0131ac190891d5" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed May 13 15:15:00 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 15:15:00 2026 -0700" }, "message": "chore(security): pin remaining website transitive deps via npm overrides (#16)\n\nAfter the merged Dependabot PRs handled follow-redirects, lodash,\nfast-uri, brace-expansion, path-to-regexp,\n@babel/plugin-transform-modules-systemjs, and picomatch, these transitive\ndeps still need explicit pins:\n\n- postcss 8.5.10 (CWE-79; deliberately older than the fresh 8.5.14)\n- serialize-javascript 7.0.5 (CWE-94 + CWE-400; crosses major, build verifies)\n- svgo 3.3.3 (CWE-776 Billion Laughs)\n- minimatch 3.1.4 (CWE-1333 ReDoS)\n- ajv 6.14.0 (^6 consumers) + ajv 8.18.0 (^8 consumers) (CWE-1333)\n- qs 6.14.2 (CWE-400)\n\nAll exact-pinned. Install used npm install --ignore-scripts." }, { "commit": "d298a069c82d9156ee5af82bab0131ac190891d5", "tree": "250dfc2cebaa6dba8b8ca4cfa4aa26bd3443ac0f", "parents": [ "ffefdfe3532e0844271e00d8fe952efd88655bf2" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed May 13 15:09:35 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 15:09:35 2026 -0700" }, "message": "chore(security): bump webapp deps + pin transitive overrides (#15)\n\nDirect bumps (exact pins):\n- axios 1.15.2, react-router-dom 7.12.0, vite 7.3.2\n\nPnpm overrides for transitives (exact pins):\n- protobufjs 7.5.6 (critical, CWE-94)\n- @protobufjs/utf8 1.1.1, minimatch 9.0.7, picomatch 4.0.4\n- flatted 3.4.2, follow-redirects 1.16.0, brace-expansion 2.0.3\n- yaml 1.10.3, js-yaml 4.1.1, postcss 8.5.10, ajv 6.14.0\n- rollup 4.59.0, esbuild 0.25.0\n- vite@\u003c7: 6.4.2 (closes the vitest-bundled vite path traversal,\n separate from the direct vite 7.3.2 bump above)\n\nLifecycle scripts continue to be blocked via pnpm.onlyBuiltDependencies\u003d[].\n\npnpm audit before: 53 vulnerabilities (1 critical, 23 high, 28 moderate, 1 low)\npnpm audit after: 0 vulnerabilities\n\nManual smoke test deferred — will verify post-merge against deployed\nbuild (login flow, route navigation, agent pipeline run). Reversible\nvia revert if regressions surface." }, { "commit": "ffefdfe3532e0844271e00d8fe952efd88655bf2", "tree": "24004aa08cd4f3bd54087f5070d0c5ef13e89cbe", "parents": [ "2b53556cd8e72b9c345b896ca7070cea1d9e0137" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 14:36:39 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 14:36:39 2026 -0700" }, "message": "Bump qs from 6.14.1 to 6.14.2 in /website (#14)\n\nBumps [qs](https://github.com/ljharb/qs) from 6.14.1 to 6.14.2.\n- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/ljharb/qs/compare/v6.14.1...v6.14.2)\n\n---\nupdated-dependencies:\n- dependency-name: qs\n dependency-version: 6.14.2\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "2b53556cd8e72b9c345b896ca7070cea1d9e0137", "tree": "1360aacaccfde63210e57b43f53b56f8f12ecbe8", "parents": [ "a766c4aeb7c53ab10b0efce1cbd8776898c37503" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Wed May 13 14:35:49 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 14:35:49 2026 -0700" }, "message": "chore(security): remove stale package-lock.json, bump pnpm to 10.28.2 (#13)\n\n- Delete webapp/packages/webui/package-lock.json (workspace uses pnpm; npm\n lockfile was a stale artifact). Closes 32 Dependabot alerts.\n- Bump pnpm pin from ^8.0.0 to 10.28.2 (exact). Closes 18 alerts.\n- Bump node engine from \u003e\u003d18.0.0 to \u003e\u003d20.0.0 (18 EOL).\n- Pin pnpm version in Dockerfile.webui for reproducible builds.\n- Add pnpm.onlyBuiltDependencies: [] to block postinstall scripts by default.\n- Bump CI workflows from pnpm v8 to v10.28.2 to match engines pin." }, { "commit": "a766c4aeb7c53ab10b0efce1cbd8776898c37503", "tree": "9a37320d2e6ab62a09f52a0c1fa8932e7f16bd75", "parents": [ "894edc45967d9bac170dffb8ab8936e1b49ca0dc" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 14:20:30 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 14:20:30 2026 -0700" }, "message": "Bump picomatch from 2.3.1 to 2.3.2 in /website (#12)\n\nBumps [picomatch](https://github.com/micromatch/picomatch) from 2.3.1 to 2.3.2.\n- [Release notes](https://github.com/micromatch/picomatch/releases)\n- [Changelog](https://github.com/micromatch/picomatch/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/micromatch/picomatch/compare/2.3.1...2.3.2)\n\n---\nupdated-dependencies:\n- dependency-name: picomatch\n dependency-version: 2.3.2\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "894edc45967d9bac170dffb8ab8936e1b49ca0dc", "tree": "9c11786eab2c6558351a6a402f3ffaee918bc563", "parents": [ "9540fcc21b0902b9bb7e17ee1e7441161dc5eb71" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 10:41:58 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 10:41:58 2026 -0700" }, "message": "Bump @babel/plugin-transform-modules-systemjs in /website (#11)\n\nBumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.28.5 to 7.29.4.\n- [Release notes](https://github.com/babel/babel/releases)\n- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs)\n\n---\nupdated-dependencies:\n- dependency-name: \"@babel/plugin-transform-modules-systemjs\"\n dependency-version: 7.29.4\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "9540fcc21b0902b9bb7e17ee1e7441161dc5eb71", "tree": "ba66005b4e6bbc6220214af185cc363a93d0230c", "parents": [ "8fef76738b3bc6054436d0b0384de8048769b998" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 10:38:28 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 10:38:28 2026 -0700" }, "message": "Bump path-to-regexp from 0.1.12 to 0.1.13 in /website (#7)\n\nBumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) from 0.1.12 to 0.1.13.\n- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)\n- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/v.0.1.13/History.md)\n- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.12...v.0.1.13)\n\n---\nupdated-dependencies:\n- dependency-name: path-to-regexp\n dependency-version: 0.1.13\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "8fef76738b3bc6054436d0b0384de8048769b998", "tree": "49445b80d5329e4f85ba93793f66544450ea3d77", "parents": [ "e3a24ca31379fc1ffdd4adf4171c69340811589d" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 10:37:22 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 10:37:22 2026 -0700" }, "message": "Bump brace-expansion from 1.1.12 to 1.1.14 in /website (#5)\n\nBumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.12 to 1.1.14.\n- [Release notes](https://github.com/juliangruber/brace-expansion/releases)\n- [Commits](https://github.com/juliangruber/brace-expansion/compare/v1.1.12...v1.1.14)\n\n---\nupdated-dependencies:\n- dependency-name: brace-expansion\n dependency-version: 1.1.14\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "e3a24ca31379fc1ffdd4adf4171c69340811589d", "tree": "77edc404d86ba6c3e79456a58437d279942faba3", "parents": [ "ef1d4eab64163ac19ed8d34a0309fb8bb404ea64" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 10:35:01 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 10:35:01 2026 -0700" }, "message": "Bump fast-uri from 3.1.0 to 3.1.2 in /website (#3)\n\nBumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2.\n- [Release notes](https://github.com/fastify/fast-uri/releases)\n- [Commits](https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.2)\n\n---\nupdated-dependencies:\n- dependency-name: fast-uri\n dependency-version: 3.1.2\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "ef1d4eab64163ac19ed8d34a0309fb8bb404ea64", "tree": "f4d8d193b2a816afb0563df0f939b1ca4417283f", "parents": [ "a61dee6510fa29a7a6e598399db6adbf5422a866" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 10:32:52 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 10:32:52 2026 -0700" }, "message": "Bump lodash from 4.17.23 to 4.18.1 in /website (#2)\n\nBumps [lodash](https://github.com/lodash/lodash) from 4.17.23 to 4.18.1.\n- [Release notes](https://github.com/lodash/lodash/releases)\n- [Commits](https://github.com/lodash/lodash/compare/4.17.23...4.18.1)\n\n---\nupdated-dependencies:\n- dependency-name: lodash\n dependency-version: 4.18.1\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "a61dee6510fa29a7a6e598399db6adbf5422a866", "tree": "3e83a36663bfc6c647f3a33fe00fc1a37f852011", "parents": [ "72d276ab6343686c83ba0a4398734574998c6e8b" ], "author": { "name": "dependabot[bot]", "email": "49699333+dependabot[bot]@users.noreply.github.com", "time": "Wed May 13 10:32:23 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Wed May 13 10:32:23 2026 -0700" }, "message": "Bump follow-redirects from 1.15.11 to 1.16.0 in /website (#1)\n\nBumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.11 to 1.16.0.\n- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)\n- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.15.11...v1.16.0)\n\n---\nupdated-dependencies:\n- dependency-name: follow-redirects\n dependency-version: 1.16.0\n dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] \u003csupport@github.com\u003e\nCo-authored-by: dependabot[bot] \u003c49699333+dependabot[bot]@users.noreply.github.com\u003e" }, { "commit": "72d276ab6343686c83ba0a4398734574998c6e8b", "tree": "4250076382666d1ffa5b4e68ec1339515a1518d5", "parents": [ "5bd78a3b21cf8c2c996fe08ced9ac487b433087d" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue May 12 15:04:15 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue May 12 15:04:15 2026 -0700" }, "message": "Adding asf yaml\n" }, { "commit": "5bd78a3b21cf8c2c996fe08ced9ac487b433087d", "tree": "f76248dd69cb8a225b14d0cb65e5c7fb9ece3cff", "parents": [ "3d88b234c06d2c977f8ca4bb043b529d21f4e9d1" ], "author": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Thu May 07 23:16:36 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Thu May 07 23:16:36 2026 -0700" }, "message": "fix(agent-config): per-model llm_settings, mutex UX, max_tokens text input, runs page server-of-truth\n\nFour coordinated fixes for the agent config / run pipeline. They\nstack on top of each other and only make sense together.\n\n(1) Runs page reads from the saved agent doc, not stale\n agentFlowContext. The page was falling back to context defaults\n ({inputText:\u0027string\u0027}, {outputText:\u0027string\u0027}) when agentData\n wasn\u0027t loaded — masking the user\u0027s real schema and producing\n silent failures: max_tokens override didn\u0027t reach the LLM call,\n output schema collapsed to outputText only, list/json input\n fields silently dropped at submit. Always refetch when :agentId\n is in the URL; agentFlowContext is for the no-agentId creation\n flow only.\n\n(2) Per-model llm_settings. Single LlmSettings was built from\n invokableModels[0] and applied to every tools.call_llm()\n regardless of target model — so a Sonnet call silently got\n Opus\u0027s max_tokens. LlmSettings now carries a perModel map keyed\n by \u0027\u003cprovider\u003e/\u003cmodel\u003e\u0027; for_call(provider, model) returns the\n matching override at apply time, or None if this model has no\n overrides. RunsScreen builds the map from the full\n invokableModels list. Backwards-compatible with the legacy flat\n shape (older clients still work, just one-size-fits-all as\n before).\n\n(3) ModelConfigDialog UX. max_tokens (range 1..128000) was a Slider\n with unusable precision; now a numeric TextField with \u0027Max:\n \u003cN\u003e\u0027 helper text. Mutually-exclusive params (temperature/top_p\n on Anthropic models) used to disable both fields with\n on-hover-only tooltips — invisible until you tried to save and\n got an opaque 422. Now there\u0027s a prominent inline Alert listing\n each conflicting pair with one-click \u0027Keep X, clear Y\u0027\n resolution buttons.\n\n(4) Mutex partners stay cleared across dialog re-open. openModelDialog\n pre-filled schema defaults for every param, then overlaid\n existing.parameters. When the user cleared a mutex partner\n (e.g. top_p so temperature would stick), the cleared key\n wasn\u0027t in existing.parameters but the default value was still\n underneath in the merged dict — re-opening showed top_p\u003d0.9\n again and the conflict reappeared. An older guard handled this\n only for provider\u003d\u0027anthropic\u0027, missing \u0027bedrock\u0027. Generalized:\n skip the schema default for any param whose mutex partner is\n already in existing.parameters. The user\u0027s clear sticks.\n\nFiles touched:\n webapp/packages/webui/src/pages/AgentCreationFlow/RunsScreen.jsx\n webapp/packages/webui/src/components/ModelConfigDialog.jsx\n webapp/packages/webui/src/pages/ViewAgent.jsx\n webapp/packages/api/user-service/models/agent.py\n webapp/packages/api/user-service/dependencies.py\n" }, { "commit": "3d88b234c06d2c977f8ca4bb043b529d21f4e9d1", "tree": "4d00ffa2e2c8e622acbbf27745c78c78e9ec049e", "parents": [ "121c673869e7e54cd6c775f96bab279c1b4f4c32" ], "author": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Thu May 07 09:24:11 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Thu May 07 09:24:11 2026 -0700" }, "message": "perf(data_store): bulk DB ops, optimistic writes, deferred access tracking\n\nThe ASVS pipeline writes ~345 per-section reports plus ~430 file\nrecords to CouchDB per L3 run. Hot paths in the data store service\nround-trip on every operation:\n\n - set() does get() before save() — 2 round trips per write.\n - The CouchDB save() also pre-fetches _rev internally — third RT.\n - set_many() loops set() — N x (above).\n - get_all()/get_many() do a save() per doc for access-tracking,\n turning bulk reads into N+1 calls.\n - clear_namespace() loops delete() — N round trips.\n\nAdds save_many/delete_many/get_many to the backend interface with\ndefault-impl loop fallbacks so all backends still work; CouchDB\nand Memory implementations exercise _bulk_docs and\n_all_docs?keys\u003d respectively.\n\nCouchDB save() no longer pre-fetches _rev. Service-layer set() is\noptimistic-with-conflict-retry: try save() with no pre-read, on\n409 re-fetch + merge + retry once.\n\nset_many() rewritten to one get_many() + one save_many() — 2\nround trips regardless of N. clear_namespace() uses delete_many.\n\nNew services/access_tracking.py: AccessAccumulator buffers reads\nin memory, background asyncio task flushes every 10s via one\nsave_many. get_all() and get_many() route access-tracking through\nthe accumulator. Counts become eventually-consistent (advisory\nmetadata, fine).\n\nExpected wins on ASVS workload:\n - 430-record file ingest: ~1000 RTs -\u003e 2\n - 345 sequential writes: ~700 RTs -\u003e 345 (no pre-read)\n - Bulk reads (get_all): N+1 -\u003e 1\n - Namespace cleanup: N+1 -\u003e 2\n\nTests: 21 new tests in test_database_bulk.py and\ntest_data_store_perf.py with assertions on exact backend\nround-trip counts so future refactors can\u0027t silently regress.\ndata_store_service.py coverage reaches 91%.\n\nPre-existing tests in test_data_store_service.py also updated to\nmatch the new call shape — they previously mocked per-doc\ndb.get/save/delete patterns that the rewritten service no longer\nuses, and the access-tracking tests asserted on inline saves\ninstead of the AccessAccumulator buffer. Full unit suite green.\n\nDynamoDB backend not updated — methods fall through to default\nloop. Worth its own PR with proper BatchWriteItem chunking.\n\nDuplicate index in CouchDB worth dropping when convenient\n(both \u0027user-namespace-index\u0027 and \u0027idx-user-namespace\u0027 index\n[userId, namespace]). Not in this PR — index management requires\nadmin creds and is environment-specific.\n" }, { "commit": "121c673869e7e54cd6c775f96bab279c1b4f4c32", "tree": "31df0d5937f2420da25c55efb0e898cb4ee02acf", "parents": [ "bbb3df7f8230032f7133a5a3c2804d0ce02cc13a" ], "author": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 19:33:41 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 19:33:41 2026 -0700" }, "message": "feat(runs): wire up rename — content edits, history list, gitignore\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n" }, { "commit": "bbb3df7f8230032f7133a5a3c2804d0ce02cc13a", "tree": "0632b5015efd943583d6ed7d9d4336d17f13c084", "parents": [ "112487fa5368b5df4d818b3c75c32d5f70a1cf8e" ], "author": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 17:20:12 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 17:20:12 2026 -0700" }, "message": "feat(runs): rename sandbox→runs, add history list below the form\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n" }, { "commit": "112487fa5368b5df4d818b3c75c32d5f70a1cf8e", "tree": "203a46be549e8abda60f040636e601689a28e643", "parents": [ "e0849bde8bb4f972d0724ecbbd1e6a42b431e7ae" ], "author": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 16:07:07 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 16:24:19 2026 -0700" }, "message": "test(security): unit tests for log_redaction module\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n" }, { "commit": "e0849bde8bb4f972d0724ecbbd1e6a42b431e7ae", "tree": "51a506e5403874bb847d4d1c2a74d293d007db45", "parents": [ "35e8709a7baea0cd7b7ee9f8a4311b8e2c7362b6" ], "author": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 14:55:48 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Tue May 05 14:55:48 2026 -0700" }, "message": "feat(security): redact common secret shapes from logs and traces\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n" }, { "commit": "35e8709a7baea0cd7b7ee9f8a4311b8e2c7362b6", "tree": "f01d4f2bcab4226344afddd947e6f3c6c737e86c", "parents": [ "3f41a933448b8894e917953924846e1fe08113de" ], "author": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Mon May 04 23:17:01 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "andrew.musselman@gmail.com", "time": "Mon May 04 23:17:22 2026 -0700" }, "message": "Auth docs update\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n" }, { "commit": "3f41a933448b8894e917953924846e1fe08113de", "tree": "eaae3b2d25cc461df4fd31bb154621e8a4c9c190", "parents": [ "874e379cef74978a5e80d59bfe4cce2c20dadce2" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon May 04 17:12:59 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Mon May 04 17:12:59 2026 -0700" }, "message": "Gofannon user-ready (#577)\n\n* fix(e2e): auth fixture + config browser-safety + api-keys test repair\n\n* chore: add test runner script\n\n* chore: lower integration coverage threshold to 35%\n\n* feat: PR 2 — edit models/invokables in place (item 8)\n\nClicking a composer or invokable chip on ViewAgent opens the model\ndialog pre-populated with that item\u0027s existing config, so users can\nedit a previously-added model in place instead of deleting and\nre-adding. Dialog title reflects whether it\u0027s an add or edit.\n\n* feat: PR 4 — OpenRouter as a pluggable provider\n\nAdds OpenRouter alongside the existing providers with an 11-model\ncatalog: grok-code-fast-1, grok-4.1-fast, claude-sonnet-4.5,\nclaude-opus-4.1, gpt-5, gpt-5-mini, deepseek-v3.2, deepseek-chat-v3.1,\nqwen3-coder, qwen3-coder-next, llama-3.3-70b-instruct.\n\n- New config/openrouter/ module with _make_entry helper for the catalog\n- provider_config.py registers the new provider\n- models/user.py adds openrouter_api_key field\n- services/user_service.py extracts PROVIDER_KEY_MAP constant\n- ApiKeysTab.jsx adds the OpenRouter row\n\nNo llm_service.py changes needed — existing model_string routing\nhandles openrouter/* model ids.\n\n* feat: PR 5 — typed sandbox input controls (item 6)\n\nInput fields in the agent Sandbox now match the declared schema type\ninstead of always rendering as text. Number fields get numeric input,\nboolean gets a Switch, JSON gets a multiline textarea with inline\nparse-error feedback. Adds \u0027json\u0027 as a schema type option in the\nSchemaEditor. Values are cast on submit so backend receives\ncorrectly-typed payloads.\n\n* feat: PR 6 (partial) — backend output validation (item 7)\n\nBackend portion of PR 6 only. SandboxScreen.jsx hunks deferred\nbecause 3 of 5 hunks conflict with PR 5\u0027s handleRun restructuring\nand partial apply would leave the frontend referencing undefined\nvariables (schemaWarnings, WarningAmberIcon).\n\nIncluded:\n- agent_factory/prompts.py: strengthens output directive prompts\n with three ✅/❌ examples so the LLM returns structured results\n matching the declared output_schema instead of wrapping in\n {outputText: ...}.\n- dependencies.py: validate_output_against_schema() — checks dict\n shape, missing/extra keys, type mismatches (with bool-vs-int\n gotcha handling).\n- models/agent.py: adds output_schema to RunCodeRequest and\n schema_warnings to RunCodeResponse.\n- routes.py: sandbox route calls the validator, returns warnings.\n- services/agentService.js: runCodeInSandbox signature extended\n with outputSchema parameter.\n\nDeferred to PR 8b:\n- SandboxScreen.jsx: adds WarningAmberIcon import, schemaWarnings\n state, capture from response, advisory banner JSX, outputSchema\n arg on the service call. All land atomically when PR 8b rebuilds\n handleRun.\n\n* feat: PR 7 — agent chain view (item 9)\n\nAdds a \u0027Chain View\u0027 accordion on ViewAgent showing the transitive\ndependency tree of an agent: nested GofannonClient calls and MCP\nservers, rendered as an indented MUI List. Root agent is expanded\nby default. Cycles and missing agents are badged; depth capped at\n8 to prevent runaway recursion.\n\n- dependencies.py: build_agent_chain with ancestry-based cycle\n detection and missing-agent handling\n- routes.py: GET /agents/{id}/chain\n- New components/AgentChainView.jsx with Launch icon to navigate\n into a child agent\n\n* feat: PR 8a — data store viewer (item 12 part 1)\n\nUser-facing browser for the persistent data store.\n\n- models/data_store.py: DataStoreRecord, NamespaceStats,\n NamespaceListResponse, SetRecordRequest, ClearNamespaceResponse\n- routes.py: 6 new endpoints for namespace/record CRUD with\n path-matched keys\n- services/dataStoreService.js: API client wrapper\n- pages/DataStoresPage.jsx: stats cards + namespace table + clear\n confirmation\n- pages/DataStoreBrowser.jsx: prefix-grouped record table with\n search, right drawer with Value/Metadata/Copy/Edit/Delete,\n JSON-or-raw-string edit dialog\n- HomePage adds a 3rd column for Data Stores at xl breakpoints\n- New routes /data-stores and /data-stores/:namespace\n\n* feat: PR 8b — data store config accordion + sandbox ops panel + repairs PR 6 frontend (item 12 part 2)\n\nPer-agent data store configuration and a live sandbox panel showing\nevery data store op the agent performed during its run.\n\n- services/data_store_service.py: AgentDataStoreProxy instrumented\n with an ops_log parameter; all 9 ops log structured entries\n {op, namespace, agent, ts, key?, valuePreview?, found?, count?}\n with 200-char value previews.\n- dependencies.py: _execute_agent_code returns (result, ops_log);\n three internal callsites updated.\n- models/agent.py: DataStoreNamespaceConfig + data_store_config\n field on Create/Update requests; ops_log on RunCodeResponse.\n- components/SandboxDataPanel.jsx: right-side panel with\n Operations tab (color-coded READ/WRITE/DEL chips, expandable\n rows) + State tab (per-namespace aggregation).\n- components/DataStoreConfigAccordion.jsx: flow preview\n (Reads From → agent → Writes To) + namespace table with\n Autocomplete suggestions.\n- ViewAgent.jsx inserts the config accordion between Schemas and\n Model Config; data_store_config threaded through save payloads.\n- SandboxScreen.jsx rebuilt to integrate PR 5\u0027s typed inputs,\n PR 6\u0027s schemaWarnings capture (deferred from PR 6), and PR 8b\u0027s\n opsLog capture + two-column layout with the data panel. Fixes\n the frontend half of PR 6 that was skipped due to hunk conflicts.\n- Updates 5 unit tests (test_dependencies.py, test_context_window.py)\n to unpack the new (result, ops_log) tuple from _execute_agent_code.\n\n* feat: PR B-1 — Phase B pluggable auth infrastructure\n\nBackend-only. Adds the session-based auth system gated behind the\nAUTH_CONFIG_PATH env var. No user-visible changes without operator\nopt-in; legacy Firebase auth continues to work untouched.\n\n- config/__init__.py: loads AUTH_CONFIG_PATH YAML into settings\n- models/session.py, workspace.py, auth.py: data models\n- auth/base.py: AuthProvider ABC with get_authorize_url,\n exchange_code, get_workspace_memberships, evaluate_login\n- auth/ldap_client.py: ldap3 wrapper for ASF committer/PMC/banned\n queries with soft-fail on LDAP outage\n- auth/providers/dev_stub.py: local-dev provider with YAML-configured\n test users and a plain HTML picker page\n- auth/providers/asf.py: real oauth.apache.org + LDAP integration\n with ASF-specific banned/emeritus/site-admin policy\n- auth/__init__.py: ProviderRegistry with startup init\n- services/session_service.py: CRUD + refresh with diff computation\n- services/audit_service.py: append-only log (scaffolding for B-3)\n- routes_auth.py: /auth/providers, /auth/login/{type},\n /auth/callback/{type}, /auth/logout, /auth/refresh-workspaces,\n /auth/me, /auth/dev-stub-picker\n- routes.py: get_current_user is dual-mode (session cookie first,\n Firebase bearer token fallback)\n- app_factory.py: registry init and conditional auth router mount\n- requirements.txt: +ldap3\u003e\u003d2.9\n\nThree-tier role model: member (workspace), admin (workspace, from\nLDAP PMC intersection), site_admin (global, from config allowlist).\nPersonal workspace auto-created per session. Soft-fail on LDAP\noutage preserves existing memberships.\n\n* fix(e2e): serial playwright, HMR/reload excludes, skip flaky write-flow tests\n\nInfra hardening for the E2E test harness:\n- playwright.config.js: fullyParallel:false, workers:1. Tests share\n a single backend user (local-dev-user) so parallel workers race\n on state mutations.\n- packages/webui/vite.config.js: ignore test-results, playwright-\n report, .auth, coverage, htmlcov from watch. Prevents Vite HMR\n reloading the page mid-test.\n- infra/docker/docker-compose.yml: uvicorn --reload excludes for\n *.pyc, __pycache__, tests, pytest_cache, htmlcov, coverage.\n Prevents uvicorn restarting mid-request during test runs.\n- tests/e2e/api-keys.spec.js: skip 5 write-flow tests (add/update/\n remove/masked/success) that intermittently fail with \u0027Failed to\n fetch\u0027 despite the above fixes. Backend API-key write endpoints\n are covered by pytest integration tests; skipping gives a stable\n 11/16 passing baseline while root cause is investigated in a\n separate project.\n\n* feat: PR B-2 — Phase B frontend auth integration\n\nTeaches the UI to talk to the B-1 session backend.\n\n- services/authService.js: new sessionAuth implementation alongside\n firebase/mock/cognito. Selected when appConfig.auth.provider is\n \u0027session\u0027. Uses the gofannon_sid cookie set by B-1\u0027s callback\n route; exposes refreshWorkspaces. Exports fetchAuthProviders\n helper for LoginPage.\n- services/fetchInterceptor.js: wraps window.fetch once at load\n to auto-add credentials:\u0027include\u0027 to same-origin API calls —\n avoids editing 19 fetch sites across 5 service files.\n- contexts/AuthContext.jsx: adds refreshWorkspaces and\n isSessionAuth to context value.\n- pages/LoginPage.jsx: fetches /auth/providers on mount. Renders\n one button per provider when Phase B is enabled; legacy Firebase\n form shown below when operator sets legacyFirebaseEnabled\u003dtrue.\n- components/ProfileMenu.jsx: user identity header with site-admin\n chip, workspace list preview (top 5 with admin chips, \u0027+N more\u0027),\n \u0027Refresh workspaces\u0027 menu item with snackbar for the diff.\n- App.jsx: imports fetchInterceptor at top.\n\nZero regression for teams not on Phase B: without AUTH_CONFIG_PATH\nthe backend 404s /auth/providers and LoginPage renders legacy form\nidentically to before.\n\n* feat: PR B-1.1 — Google + Microsoft + GitHub auth providers\n\nExtends the Phase B pluggable auth infrastructure with three additional\nidentity providers. Backend-only; existing LoginPage (from B-2) picks\nthem up via /auth/providers.\n\nNew providers:\n- auth/providers/google.py: Google Workspace OAuth + Admin SDK Directory\n API for Google Groups. Hosted-domain enforcement, allowlist default,\n OWNER/MANAGER -\u003e admin role mapping.\n- auth/providers/microsoft.py: Microsoft Entra ID OAuth + Graph\n /me/transitiveMemberOf for security group memberships. Tenant-scoped\n authorize, optional admin_groups subset for role promotion.\n- auth/providers/github.py: GitHub OAuth + /user/memberships/orgs/{org}\n for org role. Numeric id for external_id (rename-stable), case-\n insensitive org normalization.\n\nCommon patterns:\n- All three default to mode\u003dallowlist (deny unless in configured\n group/org); operators opt into open_domain/open_tenant/open_github\n for public-style deployments.\n- Access token stashed on UserInfo for the subsequent memberships call.\n- 403 soft-fails to empty memberships.\n\nWired into the registry:\n- auth/__init__.py: three new entries in _PROVIDER_CLASSES.\n- auth/providers/__init__.py: re-exports new classes.\n\nTests: 46 mock-based unit tests across tests/unit/auth/, covering\nconfig validation, authorize URL shape, exchange_code happy/error\npaths, membership allowlist + role mapping + 403 soft-fail, and all\nevaluate_login branches.\n\nDocs: auth.example.yaml extended with disabled example blocks for\neach new provider (same pattern as the existing asf + dev_stub blocks).\n\n* docs: add auth.example.yaml template for Phase B operators\n\nReference configuration template. Operators copy this, fill in\nsecrets, and point AUTH_CONFIG_PATH at the copy. Includes blocks\nfor dev_stub (local dev), asf (PR B-1), and google/microsoft/\ngithub (PR B-1.1). All providers disabled by default except\ndev_stub for the example.\n\n* fix(couchdb): drop unsupported n/q kwargs on Server.create()\n\nThe couchdb-python library no longer accepts shard-count (n) and\nshard-quorum (q) kwargs on Server.create(). These params only apply\nto clustered CouchDB deployments anyway; the dev stack runs\nsingle-node where they\u0027re ignored.\n\nSymptom: 500 on any route that triggers DB auto-creation against a\nfresh CouchDB instance (\u0027TypeError: Server.create() got an\nunexpected keyword argument n\u0027).\n\nPre-existing bug, surfaced when testing against a fresh CouchDB.\n\n* fix(cors): use computed allowed_origins, don\u0027t hardcode wildcard\n\napp_factory.py computed allowed_origins from FRONTEND_URL then\ndiscarded it, hardcoding allow_origins\u003d[\u0027*\u0027]. With\nallow_credentials\u003dTrue the browser blocks responses because the\nCORS spec forbids wildcard + credentials.\n\nPre-existing bug. Exposed by PR B-2\u0027s fetchInterceptor adding\ncredentials:\u0027include\u0027 to every API call to support session cookies.\nBefore B-2, nothing sent credentials, so the wildcard was tolerated.\n\nFix: honor the computed allowed_origins list.\n\n* chore(dev): python 3.12 image, align playwright on port 3000, add dev-tail\n\n- Dockerfile.api: bump base image from python:3.10-slim to\n python:3.12-slim. Silences google.api_core\u0027s FutureWarning about\n Python 3.10 EOL in Oct 2026.\n- Dockerfile.api: upgrade pip before installing requirements and\n pass --root-user-action\u003dignore to silence the \u0027running pip as\n root\u0027 warning in container builds.\n- playwright.config.js: baseURL and dev-server command on port 3000\n to match the backend\u0027s FRONTEND_URL default (which drives the\n CORS allowlist).\n- dev-tail.sh: new local dev runner that starts docker + vite in a\n single script with tailing logs. Uses isolated\n COMPOSE_PROJECT_NAME\u003dgofannon-dev so other compose projects on\n the host aren\u0027t disturbed. Supports --phase-b for Phase B auth\n testing with a dev_stub-configured yaml, and --stop for clean\n teardown.\n\n* refactor(auth): make session auth the default dev stack mode\n\nInline the auth.yaml mount into docker-compose.yml, commit a working\n.dev-auth.yaml at the repo root with three dev_stub users\n(alice/bob/site_admin_1), and remove the override mechanism that\nwas conditionally generated by dev-tail.sh.\n\nAfter this:\n ./dev-tail.sh # auth is on, login works out of the box\n ./dev-tail.sh --stop # unchanged\n\nOperators deploying gofannon override AUTH_CONFIG_PATH and mount\ntheir own auth.yaml at deploy time; the committed .dev-auth.yaml\nexists only for local development. The header comment in that file\nspells out the dev-only nature loudly enough that nobody copies it\ninto production by accident.\n\nPersonal customization without touching the committed file: copy\nto .dev-auth.local.yaml (gitignored) and point the api service\u0027s\nvolume mount at that copy.\n\nDocumentation for the new flow lives at\ndocs/developers/local-auth.md — covers the committed fixtures, the\n.dev-auth.local.yaml escape hatch, production guidance, and\ntroubleshooting.\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n\n* test(cors): update assertion to match fixed allowed_origins behavior\n\nThe companion fix (a9add26 \u0027fix(cors): use computed allowed_origins,\ndon\u0027t hardcode wildcard\u0027) made the production code honor FRONTEND_URL\ninstead of hardcoding [\u0027*\u0027]. This test was asserting the old buggy\nbehavior; update to assert the new correct behavior.\n\n* test(e2e): rewrite global-setup for session-based dev_stub auth\n\nThe previous global-setup seeded localStorage with a mock user, which\nworked when the frontend\u0027s authService picked mockAuth at module-load\ntime. With session auth as the default, mockAuth is not loaded; the\nseeded localStorage is ignored; tests start unauthenticated and the\nAccountCircle menu (only rendered when logged in) never appears.\n\nReplace with a setup that walks the dev_stub login flow:\n - GET /auth/login/dev_stub kicks off the OAuth-shaped flow\n - Picker page (rendered by backend) lists configured users as \u003ca\u003es\n - Click the alice link → backend callback → session cookie set\n - storageState now contains gofannon_sid; tests inherit it\n\nAdds E2E_STUB_USER env var so a suite can run as bob (deny path)\nor site_admin_1 (admin views) without editing the file. Adds a post-\nlogin /auth/me sanity check so authentication failures produce a\nuseful error instead of cascading into \u0027AccountCircle not found\u0027\ntimeouts in every test.\n\n* fix: refresh-redirects, stale namespaces, and webui readiness probe\n\nThree unrelated fixes bundled into one commit.\n\n1. sessionAuth.onAuthStateChanged was firing callback(null)\n synchronously on first listener subscription, before /auth/me\n resolved. AuthContext set loading\u003dfalse on the null callback;\n PrivateRoute saw {user: null, loading: false} and bounced to\n /login; LoginPage\u0027s \u0027if (user) navigate(/)\u0027 fired the moment\n /auth/me resolved with the real user; user landed on home with\n no idea what happened. Refresh on /agent/\u003cid\u003e always landed on\n home as a result. Fix: only emit synchronously if we already\n have a resolved user (covers later subscriptions); otherwise\n wait for _fetchMe to resolve and let _emit() send the real\n value, keeping AuthContext in loading\u003dtrue until then.\n\n2. HomePage and DataStoreConfigAccordion fetched the namespace\n list only on mount with [] deps. A namespace created in another\n tab/page didn\u0027t appear until hard refresh. Fix: refetch on\n visibilitychange so coming back to a tab gives fresh data.\n\n3. run-all-tests.sh checked for a \u0027webui\u0027 container in \u0027docker ps\u0027\n as the gate on running e2e tests. With dev-tail.sh the webui is\n vite on the host, not a container, so the check always failed.\n Fix: replace with a curl probe of localhost:3000 — answers the\n actual question (can e2e reach the frontend?) and works whether\n the frontend is vite, nginx-in-compose, or anything else.\n\n* feat(agents): allow pasting agent code without generation\n\nThe agent editor required users to click Generate Code before they\ncould see the code editor or save the agent. Two friction points:\n\n1. The Agent Code accordion was gated on hasCode, so the editor\n was hidden entirely until code existed. Users with code already\n written (or copied from another agent) had no way to drop it in.\n\n2. Save validation required a non-empty description even when code\n was already present. Description exists primarily as the prompt\n input for the LLM generator; once code exists, it\u0027s optional\n metadata.\n\nUn-gate the accordion: always render, default-expanded in the\ncreation flow or when code exists, with a hint pointing at both\npaths (paste here, or use Generate Code below). Reorder save\nvalidation to check code first, and only require description\nwhen code is absent.\n\nThe Generate Code button is unchanged and still requires a\ndescription (correct — that operation does need it). This just\nadds \u0027paste your own\u0027 as an equally valid path.\n\n* feat(sandbox+profile): per-agent progress log; trim profile menu\n\nSandbox Progress Log\n\nAdds a structured per-run trace and a Progress Log accordion in the\nsandbox right column above the data-store panel.\n\nBackend (services/agent_trace.py): Trace collects events\n(agent_start, agent_end, llm_call, data_store, error, stdout, log).\nBound to the asyncio task tree via contextvar so nested layers emit\nwithout threading the collector through every signature.\ncapture_user_io() routes stdout/stderr/logging into the trace, with\n4KB-per-event and 2000-event caps. GOFANNON_DISABLE_USER_TRACE\u003d1\nsuppresses user-origin capture; structural events still emit.\nFailure path returns a structured response with partial trace\ninstead of raising. friendly_name flows through the request to the\ntrace\u0027s per-event agent_name.\n\nFrontend (SandboxProgressLog): runs listed newest-first, each with\nper-agent groups. Outcome icons, durations, \u0027chained\u0027 badges for\nnested calls. Errors highlighted with red border + bg. Multi-line\ncontent truncated to 3 lines with a \u0027more\u0027 link to a Drawer side\nsheet (right anchor, 600px). In-memory history, refresh wipes.\nTransport errors get a synthetic event so the log doesn\u0027t spin.\n\nTrace ships in the bulk response — events appear at run completion,\nnot live. SSE streaming follow-up planned.\n\ndocs/developers/agent-trace.md covers the env var, caps, contextvar\nrationale, and how to add new event types.\n\nProfile Menu Cleanup\n\nDrop Basic Info / Usage / Billing menu items (placeholders with no\ncontent); ProfilePage now renders ApiKeysTab directly.\n\nRestyle ApiKeysTab to match other top-level pages: constrained max\nwidth, back-arrow + h5 title, single in-place TextField per row,\n\u0027Configured\u0027 chip only when keyed. Tests realigned.\n\n* feat(sandbox): bucket stdout/log lines in the progress log\n\nLong-running agents (e.g. the ASVS auditor that emits hundreds of\nprint() lines per run) made the Progress Log accordion unwieldy:\nthe panel grew vertically without bound and the right column\nspilled past its boundary. Reading the run shape — what LLM calls\nhappened, where errors hit — meant scrolling through walls of\ndebug output.\n\nBucket stdout/log events into per-agent collapsible rows. Each\ncontiguous run of stdout/log events between structural events\n(llm_call, data_store, error, agent_end) becomes one row showing\n\u0027N lines of stdout/log output · click to view\u0027. Buckets break at\nstructural events so chronological flow is preserved — you still\nsee \u0027agent prints → LLM call → agent prints more\u0027, just with each\n\u0027prints\u0027 segment collapsed.\n\nClick → side sheet shows all the bucketed lines in a scrollable\nmonospace block, with timestamp gutter and per-line error\nhighlighting (heuristic: lines containing ERROR/FAIL/TRACEBACK\nget a red left border).\n\nThe bucket summary row pops the latest error-flavored line into a\npreview underneath (\u0027Latest: ERROR: ...consolidated.md\u0027) and\nshows an error count badge (\u002747 lines · 30 with errors\u0027), so the\ncommon \u0027agent caught an exception, printed it, kept going\u0027\nfailure mode is visible without clicking.\n\nStructural events (llm_call, data_store, error, agent_end) still\nrender inline. Errors keep their red border + bg highlight.\nStack traces still go to the existing single-event side sheet\nview; bucket view is a sibling Drawer mode that\u0027s mutually\nexclusive with the single-event view.\n\n* feat(sandbox): stream trace events via SSE\n\nSandbox runs waited for the agent to finish before showing any\ntrace events — for long agents (file ingest, multi-step LLM\nflows) the Progress Log spun for minutes showing \u0027No events\nrecorded\u0027 while api logs filled with the agent\u0027s actual output.\n\nAdds POST /agents/run-code/stream returning text/event-stream.\nEach Trace event becomes one SSE \u0027trace\u0027 frame, dispatched to\nthe client within ~50ms. A final \u0027done\u0027 frame carries result,\nerror, schema_warnings, and ops_log.\n\nTrace gains an optional asyncio.Queue. attach_queue() wires it\nup before the agent runs; every Trace.append() also publishes\nto the queue (put_nowait, never blocks emitters). The streaming\nendpoint runs the agent in an asyncio.Task and pulls from the\nqueue, yielding SSE frames until a sentinel signals completion.\n\nFrontend uses fetch + ReadableStream rather than EventSource\n(POST and custom headers needed). agentService gains\nrunCodeInSandboxStreaming which parses SSE frames manually and\ndispatches each event to an onEvent callback. SandboxScreen\nwires onEvent into setRuns so events accumulate in the in-flight\n\u0027running\u0027 entry as they arrive.\n\nNon-streaming /agents/run-code endpoint stays for callers that\nwant the bulk response (deployed agents, scripts, batch tests).\nBoth share _execute_agent_code; only the response shape differs.\n\n30s heartbeat comment frames prevent proxy idle-timeout.\nX-Accel-Buffering: no header tells nginx not to buffer the\nresponse body.\n\n* test(e2e): fix profile-tabs nav test for trimmed menu\n\nThe test navigated to /profile/basic (a placeholder route that\u0027s\ngone) then clicked text\u003dAPI Keys, which drifted onto the h5 page\ntitle because ProfilePage now always renders ApiKeysTab regardless\nof the path segment. Click hit the page title behind the still-\nopen menu backdrop, timed out.\n\nStart from / instead, and use getByRole(\u0027menuitem\u0027) to target the\nmenu item unambiguously.\n\n* Lowering vitest threshold to pass CI\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n\n* test(frontend): also drop statements threshold to 15\n\nCompanion to 9e113f9 which dropped lines but missed statements.\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e\n\n---------\n\nSigned-off-by: Andrew Musselman \u003candrew.musselman@gmail.com\u003e" }, { "commit": "874e379cef74978a5e80d59bfe4cce2c20dadce2", "tree": "a637a9de391aeb6366678faf805aa0b79215031d", "parents": [ "3ef3b69c702fdb9f01310b0a427415c5627294b9" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue Apr 28 01:14:48 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Tue Apr 28 01:14:48 2026 -0700" }, "message": "Clean readme\n" }, { "commit": "3ef3b69c702fdb9f01310b0a427415c5627294b9", "tree": "7b7217b9acef8319a82cf769c9120706949f33f8", "parents": [ "078b2e1331b116a5258c35a4ef51281c265b9d80" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Apr 20 17:24:47 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Apr 20 17:24:47 2026 -0700" }, "message": "Bumping couch version, specifying two schedulng threads\n\nSigned-off-by: Andrew Musselman \u003cakm@apache.org\u003e\n" }, { "commit": "078b2e1331b116a5258c35a4ef51281c265b9d80", "tree": "50fa527d3f9b3d197da6409535d4fbeac0e8ecad", "parents": [ "eaddd13908dc41e3f604dcd3901ed8a5995939c1" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Apr 03 00:22:01 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Fri Apr 03 00:22:01 2026 -0700" }, "message": "Fixing index name to prevent duplicate index rebuilds\n\nSigned-off-by: Andrew Musselman \u003cakm@apache.org\u003e\n" }, { "commit": "eaddd13908dc41e3f604dcd3901ed8a5995939c1", "tree": "435430417380a21cb2e214c204474ce22ad89493", "parents": [ "4d39d53f12c6ea1ac8b714a96f1eee4ddf0dca25" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Mar 19 15:28:48 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Mar 19 15:28:48 2026 -0700" }, "message": "Revert \"Gitignore .env\"\n\nThis reverts commit 4d39d53f12c6ea1ac8b714a96f1eee4ddf0dca25.\n" }, { "commit": "4d39d53f12c6ea1ac8b714a96f1eee4ddf0dca25", "tree": "cff7ca8c89fec9d09ce63a7a636c316b9f92f7a7", "parents": [ "c69b3abce653c6ca819c88d074d39c92e18059be" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Mar 19 15:21:34 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Mar 19 15:21:34 2026 -0700" }, "message": "Gitignore .env\n\nSigned-off-by: Andrew Musselman \u003cakm@apache.org\u003e\n" }, { "commit": "c69b3abce653c6ca819c88d074d39c92e18059be", "tree": "435430417380a21cb2e214c204474ce22ad89493", "parents": [ "7158dac06386e02a15ca6d689ee6951de2ff8701" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Thu Mar 19 15:16:19 2026 -0700" }, "committer": { "name": "GitHub", "email": "noreply@github.com", "time": "Thu Mar 19 15:16:19 2026 -0700" }, "message": "Fixing timeouts and handling scale (#574)\n\n* Fixing timeouts and handling scale\n\nSigned-off-by: Andrew Musselman \u003cakm@apache.org\u003e\n\n* Fixing timeouts and handling scale\n\nSigned-off-by: Andrew Musselman \u003cakm@apache.org\u003e\n\n---------\n\nSigned-off-by: Andrew Musselman \u003cakm@apache.org\u003e" }, { "commit": "7158dac06386e02a15ca6d689ee6951de2ff8701", "tree": "223298846b8fca25790b6128b620f63d5a62f441", "parents": [ "b12803479eedcd48dc8d535ed91c1f3c100a717b" ], "author": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Mar 16 14:31:35 2026 -0700" }, "committer": { "name": "Andrew Musselman", "email": "akm@apache.org", "time": "Mon Mar 16 14:31:44 2026 -0700" }, "message": "Fixing bedrock model name\n\nSigned-off-by: Andrew Musselman \u003cakm@apache.org\u003e\n" } ], "next": "b12803479eedcd48dc8d535ed91c1f3c100a717b" }