Release v6.5.0 into Main

.devcontainer/post_create_command.sh

@@ -3,22 +3,21 @@
 pwd
 
 sudo apt-get update -y
-sudo apt-get install -y jq yq
+sudo apt-get install -y jq
 
-make createPythonEnvironment
+python3 -m venv .venv
 . .venv/bin/activate
 echo "source .venv/bin/activate" >> ~/.bashrc
 echo "source .venv/bin/activate" >> ~/.zshrc
 
-echo "alias deploylisa='make clean && npm ci && make deploy HEADLESS=true'" >> ~/.bashrc
-echo "alias deploylisa='make clean && npm ci && make deploy HEADLESS=true'" >> ~/.zshrc
+echo "alias deploylisa='npm run clean && npm ci && HEADLESS=true npm run deploy'" >> ~/.bashrc
+echo "alias deploylisa='npm run clean && npm ci && HEADLESS=true npm run deploy'" >> ~/.zshrc
 
 python -m pip install --upgrade pip
-pip3 install yq huggingface_hub s5cmd
-make installPythonRequirements
+pip3 install huggingface_hub s5cmd
+npm run install:python
 
-make createTypeScriptEnvironment
-make installTypeScriptRequirements
+npm install
 
 git config --unset-all core.hooksPath
 pre-commit install

.github/workflows/code.deploy.demo.yml

@@ -40,12 +40,18 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
         with:
           node-version: 24.x
-      - name: Install CDK dependencies
+      - name: Install dependencies
         run: |
           npm ci
+          pip install -r requirements-dev.txt
+          pip install -e ./lisa-sdk
+          pip install -e lib/serve/mcp-workbench
       - name: Deploy LISA
         run: |
-          make deploy HEADLESS=true
+          npm run deploy
+        env:
+          HEADLESS: "true"
+          SKIP_INSTALL: "true"
   SendSlackNotification:
     name: Send Slack Notification
     needs: [ DeployLISA ]

.github/workflows/code.deploy.dev.yml

@@ -40,12 +40,18 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
         with:
           node-version: 24.x
-      - name: Install CDK dependencies
+      - name: Install dependencies
         run: |
           npm ci
+          pip install -r requirements-dev.txt
+          pip install -e ./lisa-sdk
+          pip install -e lib/serve/mcp-workbench
       - name: Deploy LISA
         run: |
-          make deploy HEADLESS=true
+          npm run deploy
+        env:
+          HEADLESS: "true"
+          SKIP_INSTALL: "true"
   SendSlackNotification:
     name: Send Slack Notification
     needs: [ DeployLISA ]

.github/workflows/code.e2e-full-test.weekly.yml

@@ -0,0 +1,82 @@
+name: Weekly Full E2E Tests
+
+on:
+  schedule:
+    - cron: '0 2 * * 0'  # Every Sunday at 02:00 UTC
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'Branch or tag to test against'
+        required: false
+        default: 'develop'
+        type: string
+  workflow_call:
+    inputs:
+      ref:
+        description: 'Branch or tag to test against'
+        required: false
+        default: 'develop'
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+
+jobs:
+  notify_full_e2e_start:
+    name: Starting Full E2E Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send "Full E2E Tests Starting" to Slack
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
+        env:
+          SLACK_TITLE: 'Full E2E Tests Starting'
+          MSG_MINIMAL: true
+          SLACK_MESSAGE: 'Full E2E test suite has started on ref `${{ inputs.ref || github.ref_name }}`...'
+
+  full-e2e:
+    name: Run Full E2E Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+        with:
+          ref: ${{ inputs.ref || 'develop' }}
+      - name: Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
+        with:
+          node-version: '24'
+          cache: 'npm'
+      - name: Install base dependencies
+        run: npm ci
+      - name: Run Cypress Full E2E Suite
+        env:
+          ADMIN_USER_NAME: ${{ secrets.ADMIN_USER_NAME }}
+          ADMIN_PASSWORD: ${{ secrets.ADMIN_PASSWORD }}
+          USER_NAME: ${{ secrets.USER_NAME }}
+          USER_PASSWORD: ${{ secrets.USER_PASSWORD }}
+        run: npx cypress run --config-file cypress/cypress.e2e.config.ts
+      - name: Archive Cypress videos & screenshots
+        if: always()
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
+        with:
+          name: cypress-full-e2e-artifacts
+          path: |
+            cypress/videos/e2e
+            cypress/screenshots/e2e
+
+  notify_full_e2e_end:
+    name: Full E2E Tests Finished
+    runs-on: ubuntu-latest
+    needs: full-e2e
+    if: always()
+    steps:
+      - name: Notify Full E2E results to Slack
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
+        env:
+          SLACK_COLOR: ${{ needs.full-e2e.result == 'success' && 'good' || 'danger' }}
+          SLACK_TITLE: 'Full E2E Tests Finished'
+          MSG_MINIMAL: false
+          SLACK_MESSAGE: ${{ needs.full-e2e.result == 'success' && format('Full E2E test suite passed on ref `{0}`.', inputs.ref || github.ref_name) || format('<!here> Full E2E test suite {0} on ref `{1}`.', needs.full-e2e.result, inputs.ref || github.ref_name) }}

.github/workflows/code.end-to-end-test.nightly.yml

@@ -1,4 +1,4 @@
-name: Nightly E2E Tests
+name: Nightly E2E Health Check
 
 on:
   schedule:
@@ -19,18 +19,18 @@ jobs:
       - name: Send “E2E Tests Starting” to Slack
         uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         env:
-          SLACK_TITLE: 'E2E Tests Starting'
+          SLACK_TITLE: 'Nightly E2E Health Check Starting'
           MSG_MINIMAL: true
-          SLACK_MESSAGE: 'E2E tests have started…'
+          SLACK_MESSAGE: 'Nightly E2E health check (quick specs) has started...'
 
   e2e:
     name: 🏃‍♀️ Run E2E Tests
     runs-on: ubuntu-latest
-    needs: notify_e2e_start
+    timeout-minutes: 15
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
         with:
-            ref: develop
+          ref: develop
       - name: Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v4
         with:
@@ -44,9 +44,14 @@ jobs:
           ADMIN_PASSWORD: ${{ secrets.ADMIN_PASSWORD }}
           USER_NAME: ${{ secrets.USER_NAME }}
           USER_PASSWORD: ${{ secrets.USER_PASSWORD }}
-        run: npx cypress run --config-file cypress/cypress.e2e.config.ts
+        # Quick specs only — excludes 000-cleanup and bedrock-model-workflow (long-running infra tests).
+        # Update this list when adding new quick E2E specs.
+        run: >-
+          npx cypress run
+          --config-file cypress/cypress.e2e.config.ts
+          --spec "cypress/src/e2e/specs/admin.e2e.spec.ts,cypress/src/e2e/specs/user.e2e.spec.ts,cypress/src/e2e/specs/chat.e2e.spec.ts,cypress/src/e2e/specs/bedrock-quick.e2e.spec.ts"
       - name: Archive Cypress videos & screenshots
-        if: failure() || always()
+        if: always()
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v4
         with:
           name: cypress-e2e-artifacts
@@ -64,8 +69,6 @@ jobs:
         uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         env:
           SLACK_COLOR: ${{ needs.e2e.result == 'success' && 'good' || 'danger' }}
-          SLACK_TITLE: 'E2E Tests Finished'
+          SLACK_TITLE: 'Nightly E2E Health Check Finished'
           MSG_MINIMAL: false
-          SLACK_MESSAGE_ON_SUCCESS: '✅ E2E tests passed on branch `${{ github.ref_name }}`.'
-          SLACK_MESSAGE_ON_FAILURE: '<!here> ❌ E2E tests failed on branch `${{ github.ref_name }}`.'
-          SLACK_MESSAGE: 'E2E tests completed with status `${{ job.status }}`.'
+          SLACK_MESSAGE: ${{ needs.e2e.result == 'success' && format('Nightly E2E health check passed on branch `{0}`.', github.ref_name) || format('<!here> Nightly E2E health check {0} on branch `{1}`.', needs.e2e.result, github.ref_name) }}

.github/workflows/code.release.branch.yml

@@ -96,3 +96,11 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
           GITHUB_TOKEN: ${{ secrets.LEAD_ACCESS_TOKEN }}
+
+  run_full_e2e:
+    name: Run Full E2E on Release Branch
+    needs: MakeNewReleaseBranch
+    uses: ./.github/workflows/code.e2e-full-test.weekly.yml
+    with:
+      ref: release/${{ github.event.inputs.release_tag }}
+    secrets: inherit # pragma: allowlist secret

.github/workflows/test-and-lint.yml

@@ -64,22 +64,14 @@ jobs:
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v5
       with:
         python-version: "3.13"
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        # Try hash-verified install first, fall back to regular
-        if [ -f "requirements-dev-hashes.txt" ]; then
-          pip install --require-hashes -r requirements-dev-hashes.txt
-        else
-          pip install -r requirements-dev.txt
-        fi
-        pip install -e ./lisa-sdk
+    - name: Install Python dependencies
+      run: npm run install:python
     - name: Run tests
       env:
         ACCOUNT_NUMBER: '012345678901'
         REGION: us-east-1
       run: |
-        make test-coverage
+        npm run test:python:coverage
   pre-commit:
       name: Run All Pre-Commit
       needs: [send_starting_slack_notification]

.gitignore

@@ -18,6 +18,8 @@ __pycache__/
 *.key
 *.pem
 TIKTOKEN_CACHE
+# Ignore only top-level docs directory, not lib/docs
+/docs/
 
 # CDK asset staging directory
 .cdk.staging

.pre-commit-config.yaml

@@ -7,9 +7,9 @@ repos:
     - id: verify-config
       name: Verify config file
       description: Verify config file to check if certain parameters are empty
-      entry: scripts/verify-config.sh
+      entry: node scripts/verify-config.mjs
       verbose: true
-      language: script
+      language: system
       files: config-base.yaml
 
 - repo: https://github.com/PyCQA/bandit
@@ -90,7 +90,7 @@ repos:
       args:
         - --max-line-length=120
         - --extend-immutable-calls=Query,fastapi.Depends,fastapi.params.Depends
-        - --ignore=B008,B042,E203,W503 # Ignore error for function calls in argument defaults and exception __init__ args
+        - --ignore=B008,B042,E203,E704,W503 # Ignore error for function calls in argument defaults and exception __init__ args
       exclude: ^(__init__.py$|.*\/__init__.py$|test/cdk/stacks/__baselines__/)
 
 

CHANGELOG.md

@@ -1,3 +1,43 @@
+# v6.5.0
+
+## Key Features
+
+### Self-Service RAG Administration
+
+A new RAG Admin role gives designated users full control over RAG repository operations, document ingestion, collection management, and pipeline configuration without granting full system administrator privileges. This reduces the operational bottleneck where every RAG change required a system administrator. Self-service RAG is especially useful in multi-tenant environments.
+
+### Operations Metrics Dashboard
+
+New dashboard reports track metrics across models and clusters, including inference latency, token usage, and batch ingestion job status. For example, customers can use the new input/output token reports to derive costs across users, groups, and models. This is useful for multi-tenant environments with a variety of end-user orgs. Also, model containers publish Prometheus metrics for vLLM, TEI, and TGI, and batch ingestion jobs report totals and failures for RAG document ingestion.
+
+### Integrating Externally Deployed Models
+
+Administrators can register deployed models that are not LISA-managed by providing a URL that can be accessed from the LiteLLM ECS cluster. These models appear and behave like other models in the platform.
+
+### AWS Session Credentials
+
+LISA now lets you attach AWS credentials to a chat session. While that session is active, MCP tools can use those credentials to call AWS APIs, so tool-based workflows can reach AWS resources in the same context as the conversation instead of requiring separate per-tool setup.
+
+An example of a tool using this can be seen: lib/serve/mcp-workbench/src/examples/sample_tools/aws_operator_tools.py
+
+## Other Key Changes
+
+- Updated OpenSearch for new RAG collections to the latest supported version and indexing engine (existing collections continue to work as before)
+- Introduced optional audit logging for input/output from requests to LISA with opt-in and filtering
+- Implemented a deployment Lambda to ensure configured models are present in LiteLLM
+- Split Cypress E2E workflows into nightly health checks and weekly full suite runs, with API-based resource cleanup between runs
+- Updated LiteLLM to version 1.82.4
+
+## Acknowledgements
+* @bedanley
+* @drduhe
+* @Ernest-Gray
+* @estohlmann
+* @gingerknight
+* @jmharold
+
+**Full Changelog**: https://github.com/awslabs/LISA/compare/v6.4.0..v6.5.0
+
 # v6.4.0
 
 ## Key Features