Feature/mcp governance#2510
Open
ashishrp-aws wants to merge 262 commits into
Codecov Report
❌ Patch coverage is
@@ Coverage Diff @@
## feature/mcp-governance-dev #2510 +/- ##
==============================================================
- Coverage 62.42% 58.06% -4.37%
==============================================================
Files 270 281 +11
Lines 61790 70570 +8780
Branches 4069 4246 +177
==============================================================
+ Hits 38571 40973 +2402
- Misses 23136 29511 +6375
- Partials 83 86 +3
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* Atx riv final (#2520) * feat: add atx fes integration for transform profiles * feat: implement Transform profile discovery via ATX FES with cache clearing * fix: remove unsupported eu-central-1 region from ATX FES endpoints * feat: add separate flow for RTS and ATX listavailableprofile api * fix: remove profile handling from atxnettransformserver * feat: separating qdev and aws transform * fix: fixing unit tests * fix: adding tests * fix: updating as per langugae server runtime updates * feat: add starttranform and workspace * feat: added getTransformInfo and its support methods * fix: with new runtimes * feat: add stopjob support * merged stopjob and added upload plan * chore: force use of new runtimes * fix: completed getting plan, worklogs, and final artifact * chore: deleting unused RPC messages * feat: added list worklogs before planning * fix: remove unused methods --------- Co-authored-by: Pranav Firake <pranavfi@amazon.com> Co-authored-by: pranav firake <pranav.firake7@gmail.com> Co-authored-by: Jordan Miao <gzmiao@amazon.com> * fix: adding atxcredentials details * fix: updating plan for completed status * fix: separating aws atx and q credentials storage * fix: changed customer_output to customer_input * fix: added new atx-fes-client models to allow CUSTOMER_INPUT types * fix: multiple accounts token auth * fix: auto-sync transform profiles using TransformConfigurationServer and prevent us-east-1 defaults * fix: set default fallback transform request from net 8 to net 10 * fix: changed back q flow to net 8, added target framework to create job requests * fix: updates aws-server-runtimes to 0.3.8 and added Syd endpoint to constants * fix: maintaining backwards compatibility * fix: fixing failing test * fix: fixing tests * fix: get endpoints by stage * fix: regex for appUrl not handling gamma stage and return default region * fix: fix for initInstance and moved init of atx servers to be after base server is initialized * fix: fixing tests * fix: fixing 
tests * fix: fixing tests * chore: bumping lsp version to 0.3.8 * chore: revert naming from Q back to codewhisperer * chore: deleting stale function * chore: updating folder * fix: changed transformserver to log caught errors instead of throwing * chore: reverting changes and adding todo * fix: tests with changes * fix: tests with changes * chore: removing debug logs --------- Co-authored-by: Pranav Firake <pranavfi@amazon.com> Co-authored-by: pranav firake <pranav.firake7@gmail.com> Co-authored-by: Jordan Miao <gzmiao@amazon.com> Co-authored-by: Sherry Lu <75588211+XiaoxuanLu@users.noreply.github.com> Co-authored-by: Chris Long <longachr@amazon.com>
* chore(release): release packages from branch main * fix(release): update package-lock.json * fix(release): manually update versions in packages --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Manodnya Bhoite <manodnyb@amazon.com>
Co-authored-by: aws-toolkit-automation <>
Co-authored-by: Pranav Firake <pranavfi@amazon.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* feat: use dynamic token limits from listAvailableModels API * fix: dependency issues * refactor: encapsulate model ID and token limits in session
* fix: corrected plan upload extension type * fix: updated plan path for failed validation and fixed profile update bugs
* feat(netTransform): add workspace description support to createWorkspace * feat(netTransform): add debug logging for createWorkspace request * feat(netTransform): include workspace description in listWorkspaces response * fix(netTransform): include description when adding new workspace to list * feat(netTransform): add ListJobs API * feat(netTransform): add debug logging to ListJobs * fix(netTransform): register ListJobs command * fix(netTransform): add ClientSource to ListJobs response * updated objective data * fix(netTransform): treat CREATED with failureReason as FAILED * debug: add logging for job status and failureReason * revert: remove speculative stuck job logic, keep ClientSource * feat(netTransform): add pagination to ListJobs to fetch all jobs * feat: added setting breakpoint functionality * feat: added setting breakpoint functionality * fix: renamed breakpont to checkpoint * feat: add applicationUrl to ListWorkspaces response * refactor: atx get plan now returns in its own class definition * Fix: Extract workspaces array from listWorkspaces result * feat: added ability to handle step hitls for checkpointing * fix: changed step hitl folder * fix: changed plan detection and changed model name to match toolkit * feat: added handling checkpoint for user action * feat: added polling for step hitl task to close * feat: added step artifact download and extract capability * fix: fixed step status check for artifact download * feat: added apply changes capabilities * fix: get checkpoints during HITL * feat: adding chat apis commands to FES for transform * feat: added chatty agent support * fix: updated elastic gumby client * fix: updated job status to EXECUTING and addes metadata for file changes * fix: increasing wait time to 5 mins for chat messages * fix: increasing wait time to 15 mins for chat messages * feat: added 2 way sync * fix: downloads diff for all interactive modes * feat: added 2 way sync capability * fix: changed from submit to update hitl * 
fix: added inprogress status for stephitl * feat: add artifactdownload and listartifact command * fix: download artifact as zip without extracting * fix: remove excessive logging * fix: update hitl with empty file changes * fix: fixing hard coded job status for transform * fix: excluded artifacts from listartifacts for download with no file names * fix: removed unnecessary hitl handling * feat: adding timestamp to worklogs * feat: add job dashboard and report download commands with per-repo and job-level reports * fix: add missing closing brace in AtxDownloadArtifactResponse * fix: downloaded file names * fix: download artifacts * fix: allows list messages to accept timestamp as strings * feat: adding hitl for build verification * added command for uploading custom plan * updated the chatty agent id * fix: removed on failure mode, combined with interactive * fix: hitl for dotnet build * fix: changed check for completed step to depth 2 steps only * fix: hitl for dotnet build * fix: hitl artifact fix * fix: hitls with non zip artifacts * feat: added support to upload any file (#2707) Co-authored-by: Zhengan Pan <zhenganp@amazon.com> * feat: add local build verification LSP bridge for build/fix loop (#2715) - Add CompleteLocalBuildHitl request/response types in atxModels - Add completeLocalBuildHitl command handler in atxNetTransformServer - Update atxTransformHandler with downloadCompletedStepArtifacts pipeline: polls for SUCCEEDED depth-2 steps, downloads checkpoint ZIPs, extracts diffs and metadata, applies file changes to customer source tree - Add HITL probe logging during EXECUTING state for diagnostic visibility - Log orchestrator agent override when ATX_ORCHESTRATOR_AGENT env var is set Co-authored-by: Aman Prakash <apaman@amazon.com> * fix: fixing write lock on worklogs json (#2720) Co-authored-by: pranavfi <pranavfi@amazon.com> * feat: add retry logic and error notification for diff apply failures * feat: add backward compatibility for prod IDE via handler 
routing (#2722) * feat: add backward compatibility for prod IDE via handler routing * fix: route handlers per-request to survive lsp reinit * fix: fixed the transformation hub status (#2725) * feat: Karsraja atx handler coverage (#2723) * test(amazonq): add unit tests for atx getTransformInfo * test(amazonq): add unit tests for atx getTransformationPlan and tree helpers * test(amazonq): add unit tests for atx updateWorkspace and applyChanges * test(amazonq): add unit tests for atx setCheckpoints, getHitlAgentArtifact and getJobDashboard * test(amazonq): add unit tests for atx startTransform and lifecycle helpers * test(amazonq): add unit tests for atx workspace, job, artifact and hitl helpers * test(amazonq): add unit tests for atx upload flows, polling and small wrappers * test(amazonq): add unit tests for atx hitl state branches and fs helpers * test(amazonq): add unit tests for atx private helpers and edge cases * test(amazonq): add edge-case unit tests to push atx coverage past 82% * fix(amazonq): annotate test baseRequest literals as any to satisfy strict tsc * test(amazonq): add routing tests for atx server per-request handler dispatch --------- Co-authored-by: Jordan Miao <gzmiao@amazon.com> Co-authored-by: Pranav Firake <pranavfi@amazon.com> Co-authored-by: Zhengan Pan <zhenganp@amazon.com> Co-authored-by: aws-toolkit-automation <43144436+aws-toolkit-automation@users.noreply.github.com> Co-authored-by: Aman Prakash <56380782+amanprak@users.noreply.github.com> Co-authored-by: Aman Prakash <apaman@amazon.com> Co-authored-by: Pranav Firake <pranav.firake7@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
…2718) (#2730)

Add error handling to onFileClicked to catch exceptions from showDocument when the target file doesn't exist.

Fix resolveAbsolutePath to verify the file exists in the prompts directory before returning the path, preventing incorrect fallback for .md files created by fsWrite.

Use description as fullPath fallback in the chat-client file list mapping so fsWrite file links resolve correctly without duplicating path data.

Fixes: aws/amazon-q-vscode#59

Co-authored-by: aws-toolkit-automation <43144436+aws-toolkit-automation@users.noreply.github.com>
* fix: add postMessage origin check to prevent cross-origin XSS

Reject messages whose origin does not match window.location.origin in handleInboundMessage. Without this check, a malicious page could send crafted postMessage events to the chat iframe and achieve DOM XSS/RCE.

All supported host environments (VS Code, JetBrains, Visual Studio webviews, SageMaker JupyterLab) deliver messages same-origin, so legitimate traffic is unaffected.

Ref: P389799154

* fix: clean up message event listeners between tests

Each beforeEach was adding a new message handler via createChat() without removing the previous one. Stale handlers piled up and all fired on dispatchEvent, causing the generic command test to timeout under CI load (multiple handlers triggering handleChatPrompt simultaneously).

Now afterEach removes the handler registered during that test's setup.

---------

Co-authored-by: Boyu <bywang@amazon.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
…wser (#2740)

* fix: allow empty/null origin in postMessage check for Eclipse SWT Browser (#2736)

* fix: allow empty/null origin in postMessage check for Eclipse SWT Browser

Eclipse's SWT Browser widget loads the chat UI via file:// protocol, causing postMessage events to arrive with an empty string or "null" origin. The strict same-origin check added in 0dabdea rejected these messages, silently breaking chat in Eclipse — the backend returns a valid response but it never reaches the UI.

Allow empty-string and "null" origins (which are what file:// and sandboxed opaque-origin contexts report) while still blocking real cross-origin attacks from HTTP(S) pages.

Fixes aws/amazon-q-eclipse#555
Ref: P437110601

* fix: flip origin check to block-known-bad (only reject HTTP(S) cross-origin)

Instead of allowlisting specific origins, only reject messages from real HTTP(S) cross-origin pages. This handles Eclipse (and any future non-HTTP host) without needing to know their exact origin value.

The check now passes through messages with empty, "null", file://, or any non-HTTP origin — only blocking actual cross-origin HTTP(S) attacks.

* test(chat-client): avoid leaking mynah-ui state from origin-check tests (#2741)

The new origin-check tests dispatched real SEND_TO_PROMPT messages, which exercised mynah-ui DOM code (addToUserPrompt) on the shared global JSDOM. On slow CI runners this accumulated state pushed an unrelated mynah-ui test ('should create a new tab if current tab is loading') over its 10s timeout.

Switch to an unknown command and assert via the rejection warn() spy so the origin-check logic still runs without touching mynah-ui.

---------

Co-authored-by: Boyu <bywang@amazon.com>
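The two origin policies described in the commits above (strict same-origin, then the block-known-bad form that rejects only cross-origin HTTP(S) senders), side by side as an added example that is not the project's code. `isSameOrigin`, `isAcceptedOrigin`, `makeInboundHandler`, `comparePolicies` and the sample origins are hypothetical names and constructed values.

```javascript
'use strict'
// Added example, not the project's code; all names below are hypothetical.

// First commit: accept a message only when its origin equals our own.
function isSameOrigin(eventOrigin, ownOrigin) {
    return eventOrigin === ownOrigin
}

// Follow-up commit: reject only senders that report an http(s) origin other
// than ours. Empty, "null", file:// and other non-HTTP origins pass through.
function isAcceptedOrigin(eventOrigin, ownOrigin) {
    const origin = typeof eventOrigin === 'string' ? eventOrigin : ''
    const isHttp = /^https?:\/\//i.test(origin)
    return !isHttp || origin === ownOrigin
}

// Wraps a message handler so rejected events are logged and never dispatched.
function makeInboundHandler(ownOrigin, dispatch, warn) {
    return function handleInboundMessage(event) {
        if (!isAcceptedOrigin(event.origin, ownOrigin)) {
            warn(`rejected message from origin ${JSON.stringify(event.origin)}`)
            return false
        }
        dispatch(event.data)
        return true
    }
}

// Constructed sample origins: [label, event.origin value].
const SAMPLE_ORIGINS = [
    ['same origin', 'https://chat.example'],
    ['other https page', 'https://other.example'],
    ['file:// host reporting empty origin', ''],
    ['opaque origin', 'null'],
    ['non-HTTP webview scheme', 'vscode-webview://abc'],
]

// Returns one row per sample showing how each policy decides.
function comparePolicies(ownOrigin) {
    return SAMPLE_ORIGINS.map(([label, origin]) => ({
        label,
        strict: isSameOrigin(origin, ownOrigin),
        relaxed: isAcceptedOrigin(origin, ownOrigin),
    }))
}

console.table(comparePolicies('https://chat.example'))
```

The relaxed policy treats every sender that reports an empty or "null" origin alike, so the handler should still validate each message's command and parameters before acting on it.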
…2746)

The 'should create a new tab if current tab is loading' test in mynahUi.test.ts intermittently exceeds its 10s timeout on CI runners. The sibling test already takes ~8.5s, so 10s leaves no margin. Increase timeout to 30s to prevent flaky failures.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
…2742)

Replace string-only path.resolve with fs.promises.realpath in requiresPathAcceptance, with an ENOENT fallback to realpath the parent directory plus basename for paths that don't exist yet (e.g., when the agent is creating a new file). This ensures workspace-boundary checks operate on the canonical resolved path rather than the literal input, so paths whose targets resolve outside the workspace are evaluated correctly.

Adds a regression test exercising symlink resolution against the real filesystem.
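The canonicalization this commit describes (realpath, with an ENOENT fallback to the real parent directory plus basename), as an added example that is not the project's `requiresPathAcceptance` code. `canonicalPath`, `isInsideWorkspace`, `runDemo` and the temporary directory layout are hypothetical and constructed for the demonstration.

```javascript
'use strict'
// Added example, not the project's code; all names below are hypothetical.
const fs = require('fs')
const os = require('os')
const path = require('path')

// Canonical form of p: realpath when it exists; for a file that does not
// exist yet, the real path of its parent directory plus the basename.
async function canonicalPath(p) {
    const abs = path.resolve(p)
    try {
        return await fs.promises.realpath(abs)
    } catch (err) {
        if (err.code !== 'ENOENT') throw err
        const parent = await fs.promises.realpath(path.dirname(abs))
        return path.join(parent, path.basename(abs))
    }
}

// Boundary check on canonical paths rather than on the literal input string.
async function isInsideWorkspace(workspaceRoot, target) {
    const root = await canonicalPath(workspaceRoot)
    const rel = path.relative(root, await canonicalPath(target))
    if (rel === '') return true
    return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel)
}

// Constructed fixture: a workspace containing a symlink to a sibling directory.
async function runDemo() {
    const base = await fs.promises.mkdtemp(path.join(os.tmpdir(), 'ws-demo-'))
    const ws = path.join(base, 'workspace')
    const outside = path.join(base, 'outside')
    await fs.promises.mkdir(ws)
    await fs.promises.mkdir(outside)
    await fs.promises.symlink(outside, path.join(ws, 'link'), 'dir')
    const newFileViaLink = path.join(ws, 'link', 'new.txt') // does not exist yet
    const result = {
        // String-only check: the literal path looks like it is in the workspace.
        literal: path.resolve(newFileViaLink).startsWith(ws + path.sep),
        canonical: await isInsideWorkspace(ws, newFileViaLink),
        plainNewFile: await isInsideWorkspace(ws, path.join(ws, 'src-new.txt')),
    }
    await fs.promises.rm(base, { recursive: true, force: true })
    return result
}

runDemo().then(r => console.log(r))
```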
Co-authored-by: aws-toolkit-automation <>
Problem
Solution
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.