Merge main into feature/mcp-governance-dev#2513
Open
aws-toolkit-automation wants to merge 113 commits intofeature/mcp-governance-devfrom
Open
Merge main into feature/mcp-governance-dev#2513aws-toolkit-automation wants to merge 113 commits intofeature/mcp-governance-devfrom
aws-toolkit-automation wants to merge 113 commits intofeature/mcp-governance-devfrom
Conversation
* feat: add MCP registry service and validator for governance (#2433) * feat: add MCP registry service and validator for governance * fix: fix for unit tests * fix: fix for using httpUtils with proxy agent * feat: add MCP registry validation and server config conversion (#2440) * feat: add MCP registry validation and server config conversion * fix: fix for mcpManager failures * feat: implement MCP registry service with validation, error handling, and synchronization (#2443) * feat(amazonq): add MCP registry sync, enterprise validation. (#2450) * feat(amazonq): add MCP registry sync, enterprise validation, ACG support, version caching * fix: fix for test failures * fix: removed Agentcore check * feat: add OCI registry support, improve MCP initialization flow (#2465) * feat: add OCI registry support, improve MCP initialization flow, and enhance registry validation * fix: fix for failing tests * fix: fix to make registryActive non-optional * fix(amazonq): separate server discovery from init (#2480) * fix(amazonq): separate server discovery from init and improve error handling * fix: update package-lock.json * fix: fix for delete, save and cancel buttons for registry mcps * fix: fix to add addiotnal header and variables to registry mcps * fix: fix for failing registryUrl tests * fix: move OCI environment variables to config.env and correct mcpRegistryUrl property name (#2486) * fix: fix for arguments for local docker mcp servers (#2489) * fix: fix for env variables for local docker mcp servers * fix: imporve readability for oci check * feat: add Docker env var support and enable timeout config for MCP (#2494) * feat: add Docker env var support and enable timeout config for MCP registry servers * fix: fix for unit tests * fix: fix for compilation failure * fix(amazonq): fix for server refresh * fix: fix for server refresh * fix: fix for server init * fix: fix to add the mcp command in logs (#2499) * fix: fix to add the mcp command in logs * fix: fix to add stderr logs * fix: fix to provide error messages for removed errors from registry (#2511) * fix: fix upgarde the lsp version to 1.47.0 * fix: fix to provide server error messages for removed errors * revert: revert package-lock.json changes * Revert "fix: fix upgarde the lsp version to 1.47.0" This reverts commit 4086962. * revert: revert for check interval * fix: fix for failing unit tests --------- Co-authored-by: aws-toolkit-automation <43144436+aws-toolkit-automation@users.noreply.github.com> Co-authored-by: Richard Li <742829+rli@users.noreply.github.com>
* chore(release): release packages from branch main * fix: fix for dependency failures * fix: fix for install failures --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Ashish Reddy Podduturi <ashishrp@amazon.com>
Co-authored-by: aws-toolkit-automation <>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* Atx riv final (#2520) * feat: add atx fes integration for transform profiles * feat: implement Transform profile discovery via ATX FES with cache clearing * fix: remove unsupported eu-central-1 region from ATX FES endpoints * feat: add separate flow for RTS and ATX listavailableprofile api * fix: remove profile handling from atxnettransformserver * feat: separating qdev and aws transform * fix: fixing unit tests * fix: adding tests * fix: updating as per langugae server runtime updates * feat: add starttranform and workspace * feat: added getTransformInfo and its support methods * fix: with new runtimes * feat: add stopjob support * merged stopjob and added upload plan * chore: force use of new runtimes * fix: completed getting plan, worklogs, and final artifact * chore: deleting unused RPC messages * feat: added list worklogs before planning * fix: remove unused methods --------- Co-authored-by: Pranav Firake <pranavfi@amazon.com> Co-authored-by: pranav firake <pranav.firake7@gmail.com> Co-authored-by: Jordan Miao <gzmiao@amazon.com> * fix: adding atxcredentials details * fix: updating plan for completed status * fix: separating aws atx and q credentials storage * fix: changed customer_output to customer_input * fix: added new atx-fes-client models to allow CUSTOMER_INPUT types * fix: multiple accounts token auth * fix: auto-sync transform profiles using TransformConfigurationServer and prevent us-east-1 defaults * fix: set default fallback transform request from net 8 to net 10 * fix: changed back q flow to net 8, added target framework to create job requests * fix: updates aws-server-runtimes to 0.3.8 and added Syd endpoint to constants * fix: maintaining backwards compatibility * fix: fixing failing test * fix: fixing tests * fix: get endpoints by stage * fix: regex for appUrl not handling gamma stage and return default region * fix: fix for initInstance and moved init of atx servers to be after base server is initialized * fix: fixing tests * fix: fixing tests * fix: fixing tests * chore: bumping lsp version to 0.3.8 * chore: revert naming from Q back to codewhisperer * chore: deleting stale function * chore: updating folder * fix: changed transformserver to log caught errors instead of throwing * chore: reverting changes and adding todo * fix: tests with changes * fix: tests with changes * chore: removing debug logs --------- Co-authored-by: Pranav Firake <pranavfi@amazon.com> Co-authored-by: pranav firake <pranav.firake7@gmail.com> Co-authored-by: Jordan Miao <gzmiao@amazon.com> Co-authored-by: Sherry Lu <75588211+XiaoxuanLu@users.noreply.github.com> Co-authored-by: Chris Long <longachr@amazon.com>
* chore(release): release packages from branch main * fix(release): update package-lock.json * fix(release): manually update versions in packages --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Manodnya Bhoite <manodnyb@amazon.com>
Co-authored-by: aws-toolkit-automation <>
Co-authored-by: Pranav Firake <pranavfi@amazon.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* feat: use dynamic token limits from listAvailableModels API * fix: dependency issues * refactor: encapsulate model ID and token limits in session
* fix: corrected plan upload extension type * fix: updated plan path for failed validation and fixed profile update bugs
* refactor: removed unreferenced code and refactored log messages * refactor: removed test for unused methods * fix: reverted error string messaging
…tests (#2547) * refactor: moved common utility functions to a single file for transform handlers * refactor: addressed comments * fix: fixed uncaught error problem with worklogs * fix: format changes
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: chungjac <chungjac@amazon.com>
Co-authored-by: aws-toolkit-automation <>
## Problem transitive dependency `ansi-regex@2.1.1` was introduced with #654 associated CVE link https://nvd.nist.gov/vuln/detail/CVE-2021-3807 ``` (base) ➜ runtimes git:(main) npm ls registry-js @amzn/monorepo-language-server-runtimes@1.0.0 /Volumes/workplace/ide/language-server-runtimes └─┬ @aws/language-server-runtimes@0.3.9 -> ./runtimes └── registry-js@1.16.1 (base) ➜ runtimes git:(main) npm ls ansi-regex @amzn/monorepo-language-server-runtimes@1.0.0 /Volumes/workplace/ide/language-server-runtimes └─┬ @aws/language-server-runtimes@0.3.9 -> ./runtimes ├─┬ copyfiles@2.4.1 │ └─┬ yargs@16.2.0 │ └─┬ cliui@7.0.4 │ └─┬ strip-ansi@6.0.1 │ └── ansi-regex@5.0.1 └─┬ registry-js@1.16.1 └─┬ prebuild-install@5.3.6 └─┬ npmlog@4.1.2 └─┬ gauge@2.7.4 └─┬ strip-ansi@3.0.1 └── ansi-regex@2.1.1 ``` ## Solution use `winreg` Microsoft winreg example https://github.com/microsoft/azure-pipelines-tasks-common-packages/blob/680f186a1e10568b1493503c81d403220a2eeb22/common-npm-packages/webdeployment-common/msdeployutility.ts#L311-L320 ## npm ls ``` (base) ➜ runtimes git:(security-v2) npm ls registry-js @amzn/monorepo-language-server-runtimes@1.0.0 /Volumes/workplace/ide/language-server-runtimes └── (empty) ``` ``` (base) ➜ runtimes git:(security-v2) npm ls ansi-regex @amzn/monorepo-language-server-runtimes@1.0.0 /Volumes/workplace/ide/language-server-runtimes └─┬ @aws/language-server-runtimes@0.3.9 -> ./runtimes └─┬ copyfiles@2.4.1 └─┬ yargs@16.2.0 └─┬ cliui@7.0.4 └─┬ strip-ansi@6.0.1 └── ansi-regex@5.0.1 ```
* fix: fix for mcp servers refresh * fix: fix for failing unit tests
* feat: add websearch tool (#2540) * feat: add webfetch tool (#2542) * feat: add webfetch tool * fix: typo * fix: remove snippets from web search (#2543) * fix: filter out invalid urls (#2546) --------- Co-authored-by: aws-toolkit-automation <43144436+aws-toolkit-automation@users.noreply.github.com>
…ation (#2555) * feat: add alphabetical sorting for MCP registry servers and improve URL validation * fix: fix for failing unit test
* feat: update SMAI clients to use SM_AI_STUDIO_IDE origin * fix: apply prettier formatting to utils.ts * fix: formatting issues * test: add tests for full coverage * ci: trigger CI rerun
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* fix: adding missing package related fields to transform response to ide * fix: removing comments * fix: removing uxComponentId from response and adding exists check for file paths * fix: adding support for missing package hitl submission * fix: adding Missing package Analysis flag for backward compatibility * fix: handle empty hitls array and add hitl response logging * fix: moving IncludeMissingPackageAnalysis to StartTransformRequest --------- Co-authored-by: Karthik Rajanna <karsraja@amazon.com> Co-authored-by: invictus <149003065+ashishrp-aws@users.noreply.github.com>
…indexing bundle to AWSVectorConsolasLocalWorkspaceIndexing `d6762f8b` (#2629) * fix: support stripped indexing folder in bundled LSP and also update indexing bundle * fix: show @workspace as 'failed' instead of 'pending' when native modules missing * Revert "fix: show @workspace as 'failed' instead of 'pending' when native modules missing" This reverts commit 5e37380.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* fix: bump @aws/language-server-runtimes to 0.3.15 Regenerate lockfile to pick up 0.3.15 which removes mac-ca (CVE-2026-22036) and registry-js (CVE-2021-3807) from the dependency tree. * update package-lock.json * style: fix prettier formatting
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* fix: rules created in default file is not workin * fix: rules created in default file is not working Use dependency injection for McpManager.getResources() in AdditionalContextProvider to avoid pulling node:process and node:stream into the webworker webpack bundle, which caused packaging to fail with UnhandledSchemeError. * fix: rules created in default file is not working Use dependency injection for McpManager.getResources() in AdditionalContextProvider to avoid pulling node:process and node:stream into the webworker webpack bundle, which caused packaging to fail with UnhandledSchemeError. Co-authored-by: aws-toolkit-automation <43144436+aws-toolkit-automation@users.noreply.github.com>
* fix: rules created in default file is not working (#2652) * fix: rules created in default file is not workin * fix: rules created in default file is not working Use dependency injection for McpManager.getResources() in AdditionalContextProvider to avoid pulling node:process and node:stream into the webworker webpack bundle, which caused packaging to fail with UnhandledSchemeError. * fix: rules created in default file is not working Use dependency injection for McpManager.getResources() in AdditionalContextProvider to avoid pulling node:process and node:stream into the webworker webpack bundle, which caused packaging to fail with UnhandledSchemeError. * fix: deduplicate rules in multi workspace mode (#2659) * fix: rules created in default file is not workin * fix: rules created in default file is not working Use dependency injection for McpManager.getResources() in AdditionalContextProvider to avoid pulling node:process and node:stream into the webworker webpack bundle, which caused packaging to fail with UnhandledSchemeError. * fix: rules created in default file is not working Use dependency injection for McpManager.getResources() in AdditionalContextProvider to avoid pulling node:process and node:stream into the webworker webpack bundle, which caused packaging to fail with UnhandledSchemeError. * fix: rules created in default file is not working Use dependency injection for McpManager.getResources() in AdditionalContextProvider to avoid pulling node:process and node:stream into the webworker webpack bundle, which caused packaging to fail with UnhandledSchemeError. --------- Co-authored-by: aws-toolkit-automation <43144436+aws-toolkit-automation@users.noreply.github.com>
…vent (#2665) (#2668) Add a dedicated boolean metric to distinguish @workspace usage from regular folder context in telemetry. Previously both were counted under cwsprChatFolderContextCount with no way to differentiate. The metric is true when the user uses @workspace (inline or pinned), false otherwise. Wired through the existing triggerContext.hasWorkspace flag into the telemetry pipeline. Co-authored-by: aws-toolkit-automation <43144436+aws-toolkit-automation@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
…nToken API calls (#2680) * fix: cache subscription status to prevent excessive CreateSubscriptionToken API calls setPaidTierMode() was calling getSubscriptionStatus() (which invokes CreateSubscriptionToken) on every tab add and tab change event, even though the subscription status rarely changes during a session. With the upcoming Kiro/Stripe integration requiring a lower throttle limit (0.25 TPS), these redundant calls would cause both unnecessary and legitimate requests to be throttled. Now, when setPaidTierMode() is called without an explicit mode, it reuses the cached #paidTierMode if already known, and only calls the API on the first invocation when the status is still unknown. Resolves: V1880021966 * test: add test * fix: deduplicate concurrent getSubscriptionStatus calls with a stored promise The previous cache only helped after the first getSubscriptionStatus() resolved. If multiple tabs opened before that promise settled, each would see #paidTierMode as falsy and fire its own API call — the burst this fix is meant to prevent. Store the in-flight promise in #subscriptionStatusPromise so all concurrent setPaidTierMode(!mode) callers attach to the same request. The promise is cleared on error (allowing a retry) and alongside #paidTierMode on configuration updates. Also adds a test that verifies 5 rapid tab-adds result in only one API call.
* feat(amazonq): align mcp oauth client with mcp sdk auth patterns * fix(amazonq): log errors in OAuth discovery catch blocks instead of silently swallowing
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
* perf(amazonq): cap context command payload and throttle indexing updates - Cap context commands sent to webview at 10,000 items - Throttle onIndexingInProgressChanged with 500ms coalescing - Cache full item list before applying cap for reuse - Add preservation property-based tests - Update unit tests for throttle behavior * chore: error * fix: newly added files are not be loaded * fix: bugfix * perf: handle context commands in server * perf: add server-side filtering for context commands in large repos * chore: bump language-server-runtimes, runtimes-types, and mynah-ui * chore: remove redundant debug log * fix: filter out externally deleted files from context command results Files deleted outside the IDE (e.g. git revert/checkout) were not removed from the cached context commands because LSP workspace file operation events only fire for IDE-initiated deletions. Add an fs.existsSync check when returning results to the client so stale entries are excluded regardless of how the file was removed. * chore: remove debug logs from context commands and indexing paths * fix: scope filterContextCommandsResponse to requesting tab Previously, filter responses updated contextCommands in all tabs, causing a search in one tab to overwrite the default list in others. Track the originating tabId and scope the store update accordingly. * fix: address PR review feedback for context command filtering
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: bump agentic version: 1.64.0 * fix: reserve folder budget in initial context command cap (#2693) * fix: reserve folder budget in initial context command cap The initial sendContextCommands push is capped at 1000 items, but the flat slice(0, 1000) starves folders when files dominate the list. In large repos (212k+ items), the first 1000 are almost all files, so @folder shows no children until the user types a search term. Partition items by type and reserve 10% of the cap budget for folders before filling the rest with files and code symbols. This ensures @folder always has children on first load. The filter handler already searches the full uncapped cache, so this only affects the initial push. * test: add folder budget tests for processContextCommandUpdate Verify that the initial context command cap reserves slots for folders: - folders are included when items exceed the cap - all folders included when fewer than budget - total items don't exceed CONTEXT_COMMAND_PAYLOAD_CAP - small payloads pass through unchanged * fix: apply cap to empty-search filter response to preserve @folder When onFilterContextCommands fires with an empty searchTerm (user navigated back or cleared search), the handler was returning ALL cached items (212k+) with no cap. This massive response overwrote the tab's contextCommands store, and subsequent @folder clicks showed an empty list because the store structure was inconsistent. Apply the same cap+budget logic as processContextCommandUpdate so the empty-search response matches the initial push structure. * refactor: remove stale context command cache, always pull fresh from indexer The cachedContextCommands field was a separate copy of the indexer's data that could get out of sync — causing @folder to show empty after searches overwrote the store, and stale items to persist after file operations. Remove the cache entirely. The indexer (local-indexing) is the single source of truth. The filter handler now calls getFreshItems() on every request, and processContextCommandUpdate receives items directly from the indexer callbacks. The cap+budget logic is extracted into capItems() and shared between the initial push and the empty-search filter path. * fix: restore base context commands on empty filter instead of round-tripping After a search filtered the context commands, the store held the filtered set. Subsequent @Folder/@file clicks read from this stale store and showed only the previous search results. When onContextCommandFilter fires with an empty searchTerm (user cleared search or navigated back), restore contextCommandGroups directly to the store instead of sending a request to the server. This keeps the store consistent with the base set and avoids the round-trip latency. * fix: prevent sendContextCommands from resetting active filter tab sendContextCommands is a server push that fires on indexing changes and overwrites contextCommands for ALL tabs. This reset the picker while the user was browsing @Folder/@file sub-menus, causing the 6-10 second snap-back to the main menu. Skip the store update for tabs with an active filter session (lastFilterTabId). Clear the guard on tab change, tab remove, and chat prompt submission so it doesn't persist. * fix: restore base contextCommands after filter response via microtask filterContextCommandsResponse updates the store with filtered results so the picker's store listener can refresh. But this left the store with stale filtered data, causing @Folder/@file to show previous search results on subsequent navigation. After updating the store for the picker, schedule a microtask to restore contextCommandGroups (the base set) back to the store. The picker captures filtered items synchronously during updateStore, so the microtask restore doesn't affect the current display but ensures sub-menu navigation reads from the full base set. * fix: restore filterContextCommandsResponse store update Now that mynah-ui preserves baseContextCommands separately from the store's contextCommands, the filter response can safely update the store again. The picker uses the filtered data for display while sub-menu navigation reads from the base snapshot. * chore: patch * test: cover getFreshItems and registerFilterHandler empty-search - 3 tests for getFreshItems: getInstance reject, getContextCommandItems reject, success path. - 2 tests for registerFilterHandler empty-search path: applies capItems folder budget when called with empty searchTerm and when called with a whitespace-only searchTerm. * fix: reserve code symbol budget in capItems The previous capItems partitioned items into folders vs nonFolders, where nonFolders included both files AND code symbols sharing the same 900-slot budget. In file-heavy repos (e.g. Linux kernel: 212k+ items) files dominate the input order so code symbols are silently dropped from the initial picker view, even though typing a search term still finds them via the non-empty filter path. Replace the 2-way partition with a 3-way 10/10/80 split (folders / code / files). Slack from an under-filled folder or code budget flows into the file budget via the subtraction below. Mirrors the existing folder-budget fix pattern. Add 5 tests: - code symbols included when items exceed cap - all code symbols preserved when fewer than budget - 100/100/800 split when all three categories overflow - code not starved when files come first in input (regression case) - empty-search filter handler also reserves the code budget * fix: bump context command payload cap from 1000 to 2000 Double both CONTEXT_COMMAND_PAYLOAD_CAP and MAX_FILTER_RESULTS so the initial picker view and the typed-search filter response can return up to 2000 items each. The 10/10/80 budget split now yields 200 folders / 200 code / 1600 files instead of 100 / 100 / 800. The bottleneck under load is fs.existsSync over the full ~212k indexer item set, not the cap; doubling the cap adds <50KB to the LSP payload and a few ms to map/render but is otherwise negligible. mynah-ui's DetailedListWrapper virtualizes by visible block, so 2x items don't add proportional render cost. Update all 8 affected test assertions to the new expected counts. * chore: bump @aws/mynah-ui to ^4.40.1 Pulls in the latest mynah-ui patch release. See https://github.com/aws/mynah-ui/releases/tag/v4.40.1 * fix: switch capItems split to 500/500/1000 (25/25/50) Folders and code symbols each get 25% of the cap (500), files get 50% (1000). Previously the 10/10/80 split (200/200/1600) tilted heavily toward files; the new split gives folders and code symbols a fair share of the initial picker view in folder- and symbol-rich repos. This only affects the **empty-search** picker view (no search term). The non-empty filter path still scores against the full fresh indexer set in registerFilterHandler — typing a search term will find any folder, file, or code symbol regardless of whether it fit into the cap. Test inputs scaled up to 600-800 per category so the new 500-slot budget is actually exercised. All 24 tests pass. * test: drop stale cachedContextCommands assertion in preservation test The property-based test 'processContextCommandUpdate sends all items and caches them for small payloads' has been failing in CI since commit 79e6e75 (refactor: remove stale context command cache, always pull fresh from indexer). That refactor deleted the cachedContextCommands field, but this preservation test still asserted that (provider as any).cachedContextCommands === items, which now always evaluates to undefined !== items and fails on the empty-array counterexample. Drop the cache assertion. The test now verifies the still-meaningful contract: processContextCommandUpdate dispatches exactly one sendContextCommands call with a contextCommandGroups payload. Local repro: npx mocha --require ts-node/register 'src/language-server/agenticChat/context/contextCommandsProvider*.test.ts' → 28 passing. --------- Co-authored-by: aws-toolkit-automation <>
…on (#2695) Add null check for workspaceFolderManager at the top of updateConfiguration() to prevent TypeError when didChangeConfiguration fires before onInitialized completes. Also add diagnostic logging for config update flow. Context: V2160933004
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
18 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automatic merge failed
Command line hint
To perform the merge from the command line, you could do something like the following (where "origin" is the name of the remote in your local git repo):