chore: sync upstream 2026-07-05#163
Merged
Merged
Conversation
* fix domains * docs update
…updated screenshots (maximhq#4681) ## Summary Briefly explain the purpose of this PR and the problem it solves. ## Changes - What was changed and why - Any notable design decisions or trade-offs ## Type of change - [ ] Bug fix - [ ] Feature - [ ] Refactor - [ ] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [ ] Docs ## How to test Describe the steps to validate this change. Include commands and expected outcomes. ```sh # Core/Transports go version go test ./... # UI cd ui pnpm i || npm i pnpm test || npm test pnpm build || npm run build ``` If adding new configs or environment variables, document them here. ## Screenshots/Recordings If UI changes, add before/after screenshots or short clips. ## Breaking changes - [ ] Yes - [ ] No If yes, describe impact and migration instructions. ## Related issues Link related issues and discussions. Example: Closes #123 ## Security considerations Note any security implications (auth, secrets, PII, sandboxing, etc.). ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [ ] I added/updated tests where appropriate - [ ] I updated documentation where needed - [ ] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
…reenshots and redirect (maximhq#4688) ## Summary Restructures the Keycloak SSO documentation from a single flat page into a grouped, expandable section under `enterprise/setting-up-keycloak/oidc`, matching the pattern used by the Okta integration. The existing `setting-up-keycloak.mdx` is replaced with a more detailed, step-by-step OIDC guide with annotated screenshots and a redirect from the old URL. ## Changes - Removed `enterprise/setting-up-keycloak.mdx` and replaced it with `enterprise/setting-up-keycloak/oidc.mdx` - The new guide uses a `<Steps>` component for each major phase: creating the OIDC client, copying the client secret, configuring Group Membership and User Realm Role claim mappers, assigning users, and configuring Bifrost - Added a "Discover Claims" step that walks through using the live JWT preview to confirm `groups` and `realm_access.roles` are present before building attribute mappings - Expanded attribute mapping documentation to cover exact value, `*`, and `/${*}` wildcard formats for team and business unit mappings - Added an optional bulk user sync section with screenshots of the Sync Users from Keycloak dialog and the resulting Users page - Added a redirect in `docs.json` from `/enterprise/setting-up-keycloak` to `/enterprise/setting-up-keycloak/oidc` to preserve existing links - Registered the Keycloak section in `docs.json` as a collapsible group with a custom `keycloak-icon.svg` - Added `keycloak-icon.svg` and all supporting screenshots under `docs/media/user-provisioning/keycloak/` ## Type of change - [ ] Bug fix - [ ] Feature - [ ] Refactor - [x] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [x] Docs ## How to test Navigate to `/enterprise/setting-up-keycloak` and confirm it redirects to `/enterprise/setting-up-keycloak/oidc`. Verify the Keycloak entry in the sidebar appears as a collapsible group with the Keycloak icon. Confirm all screenshots render and all step anchors (e.g. `#step-2-copy-your-client-secret`) resolve correctly. ## Screenshots/Recordings New OIDC guide includes annotated screenshots for each step: client creation, capability config, login settings, credentials tab, client scopes, Group Membership mapper, User Realm Role mapper, Bifrost provider config form, Discover Claims output, attribute mapping screen, user sync dialog, and the Users page post-sync. ## Breaking changes - [ ] Yes - [x] No The old URL is redirected, so no existing links are broken. ## Related issues N/A ## Security considerations No auth, secrets, or PII changes. The guide instructs users to store the Keycloak client secret via `env.KEYCLOAK_CLIENT_SECRET` rather than hardcoding it. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [ ] I added/updated tests where appropriate - [x] I updated documentation where needed - [ ] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
## Summary Improves the documentation for the `k8s_namespace` parameter in the Kubernetes clustering discovery section to clarify its default behavior and usage with custom namespaces. ## Changes - Updated the `k8s_namespace` parameter description to explicitly state that when left empty, `"default"` is used as the namespace, and added guidance to provide a custom namespace when needed. - Removed `"default"` from the example column since it is now explained in the description. ## Type of change - [ ] Bug fix - [ ] Feature - [ ] Refactor - [x] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [x] Docs ## How to test Review the updated Kubernetes discovery parameter table in `docs/enterprise/clustering.mdx` to confirm the description accurately reflects the default namespace behavior. ## Breaking changes - [ ] Yes - [x] No ## Related issues ## Security considerations None. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [ ] I added/updated tests where appropriate - [x] I updated documentation where needed - [ ] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
…on and Generic OIDC Provider instead of `SecretVar`/`EnvVar` (maximhq#4728) ## Summary Updates the Enterprise v1.5.0 changelog to accurately reflect the features shipped in this release, replacing the outdated description of `SecretVar`/`EnvVar` changes with the correct entries for Secret Manager integration and Generic OIDC Provider support. ## Changes - Updated the release summary line to reference Secret Manager integration (AWS, GCP, HashiCorp Vault) and Generic OIDC Provider instead of the typed `SecretVar` env references. - Replaced the **Secret References** feature entry with **Secret Manager**, describing runtime resolution of `vault.<path>` references via AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault, with a link to the relevant docs. - Added **Generic OIDC Provider and SCIM Support** as a new feature entry, documenting the `provider: "generic"` option for SSO and user provisioning with any OIDC-compliant IdP, with a link to the relevant docs. ## Type of change - [ ] Bug fix - [ ] Feature - [ ] Refactor - [x] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [x] Docs ## How to test Verify the rendered changelog at `docs/changelogs/ent-v1.5.0.mdx` displays the correct feature descriptions and that the embedded documentation links for Secret Manager and Generic OIDC Provider resolve correctly. ## Screenshots/Recordings N/A ## Breaking changes - [ ] Yes - [x] No ## Related issues N/A ## Security considerations None. This is a documentation-only change. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [ ] I added/updated tests where appropriate - [x] I updated documentation where needed - [ ] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
…del, and Google Workspace into nested OIDC/SCIM pages with updated screenshots and redirects (maximhq#4729) ## Summary Expands the Bifrost Enterprise SSO documentation to cover Auth0, Generic OIDC, and a restructured set of provider guides. Existing single-page guides for Microsoft Entra, Zitadel, and Google Workspace are replaced with per-protocol sub-pages (OIDC and SCIM), matching the structure already used for Okta and Keycloak. The navigation and redirect configuration in `docs.json` is updated accordingly. ## Changes - Removed `setting-up-entra.mdx` and `setting-up-zitadel.mdx` as flat pages; replaced with `setting-up-entra/oidc.mdx`, `setting-up-entra/scim.mdx`, `setting-up-zitadel/oidc.mdx` - Added `setting-up-google-workspace/oidc.mdx` and `setting-up-google-workspace/scim.mdx` to replace the previous single-page guide - Added new `setting-up-auth0/oidc.mdx` covering Auth0 Regular Web Application setup, Post Login Actions for custom claims, optional M2M bulk sync, and Bifrost attribute mapping - Added new `setting-up-generic-oidc/oidc.mdx` and `setting-up-generic-oidc/scim.mdx` for any OIDC-compliant provider not covered by a dedicated guide (PingIdentity, ForgeRock, OneLogin, JumpCloud, etc.) - Updated `docs.json` navigation to group all providers under collapsible sections with provider icons; added redirect rules for old flat URLs pointing to the new `/oidc` sub-pages - Added `auth0-icon.svg` and `zitadel-icon.svg` for use in the navigation sidebar - Clarified team and business unit mapping wildcard syntax (`*`, `${*}`) in the Okta OIDC guide to include the explicit exact-value case ## Type of change - [ ] Bug fix - [ ] Feature - [ ] Refactor - [x] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [x] Docs ## How to test 1. Build and serve the docs locally and verify the navigation sidebar shows collapsible groups for Microsoft Entra, Zitadel, Keycloak, Google Workspace, Auth0, and Generic OIDC, each with the correct icon. 2. Confirm that navigating to the old flat URLs (e.g. `/enterprise/setting-up-entra`, `/enterprise/setting-up-zitadel`, `/enterprise/setting-up-google-workspace`, `/enterprise/setting-up-auth0`, `/enterprise/setting-up-generic-oidc`) redirects to the corresponding `/oidc` sub-page. 3. Verify all new pages render without broken image references or missing MDX components. 4. Confirm the Okta OIDC page still renders correctly with the added mapping bullet points. ## Breaking changes - [x] Yes - [ ] No The flat pages `setting-up-entra` and `setting-up-zitadel` are removed. Redirect rules in `docs.json` preserve inbound links to those URLs by forwarding them to the new `/oidc` sub-pages. Any deep links to specific sections within the old flat pages will not be automatically redirected. ## Related issues N/A ## Security considerations No auth, secrets, PII, or runtime behavior is changed. Documentation only. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [ ] I added/updated tests where appropriate - [x] I updated documentation where needed - [ ] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
## Summary Fixes a bug where prompt-cache token counts were silently dropped on the Bedrock streaming Converse path (issue maximhq#4746). Because cached tokens are folded into `InputTokens` upstream, the converter must copy them into the dedicated cache fields and subtract them back out of `InputTokens` to avoid double-counting. Previously, the streaming converter omitted this logic entirely while the non-streaming converter handled it correctly, causing the two paths to diverge. ## Changes - Extracted the cache-aware token usage mapping into a shared `buildBedrockTokenUsage` helper that correctly copies `CachedReadTokens` and `CachedWriteTokens` into `CacheReadInputTokens`/`CacheWriteInputTokens` and subtracts them from `InputTokens`. - Replaced the inline usage-mapping blocks in both `ToBedrockConverseStreamResponse` and `ToBedrockConverseResponse` with calls to `buildBedrockTokenUsage`, ensuring the two paths are always in sync. - Added `TestToBedrockConverseStreamResponse_CopiesCacheTokens` to verify the streaming path correctly propagates cache read tokens and subtracts them from `InputTokens`. - Added `TestBuildBedrockTokenUsage_StreamMatchesNonStream` to assert that the streaming and non-streaming converters produce identical `BedrockTokenUsage` from the same input, covering cache read, cache write, and the 5m/1h write breakdown. ## Type of change - [x] Bug fix - [ ] Feature - [ ] Refactor - [ ] Documentation - [ ] Chore/CI ## Affected areas - [x] Core (Go) - [ ] Transports (HTTP) - [x] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [ ] Docs ## How to test ```sh go test ./core/providers/bedrock/... -run "TestToBedrockConverseStreamResponse_CopiesCacheTokens|TestBuildBedrockTokenUsage_StreamMatchesNonStream|TestBedrockModelSupportsExtendedCacheTTL" ``` Expected: all three tests pass. The streaming event should report `InputTokens: 13`, `CacheReadInputTokens: 2647` for the single-read case, and `InputTokens: 13`, `CacheReadInputTokens: 2000`, `CacheWriteInputTokens: 647` for the combined read+write case, with the stream and non-stream results being `reflect.DeepEqual`. ## Screenshots/Recordings N/A ## Breaking changes - [x] No ## Related issues Closes maximhq#4746 ## Security considerations None. This change only affects token count bookkeeping in response conversion. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [x] I added/updated tests where appropriate - [ ] I updated documentation where needed - [x] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
## Summary Adds full round-trip support for Anthropic's code execution tool (`code_execution_20250825+`), which surfaces three sub-tools: `bash_code_execution`, `text_editor_code_execution`, and the legacy `code_execution` (Python). Both the non-streaming and streaming paths now correctly parse, convert, and reconstruct the `server_tool_use` + `*_code_execution_tool_result` block pairs, the sandbox container, and the programmatic tool calling (PTC) `caller` linkage. ## Changes - **New `ResponsesCodeExecutionCall` carry struct** on `ResponsesToolMessage`: preserves Anthropic-specific fidelity (sub-tool name, verbatim input JSON, result discriminator, stdout/stderr/return_code, text_editor file fields, error codes, generated file outputs, container expiry, and caller) so an Anthropic → Bifrost → Anthropic round trip reconstructs the original wire shape exactly. The neutral `ResponsesCodeInterpreterToolCall` (code/container_id/outputs) is populated in parallel for OpenAI-compatible consumers. - **`WithDefaults()` strips the carry** from the normalized output on both `BifrostResponsesResponse` and `BifrostResponsesStreamResponse` (the provider-format converter path, e.g. `openai/v1/responses`). The raw Bifrost superset response retains the carry. Stripping is done on copies so the source is never mutated. - **Non-streaming converter** (`ToBifrostResponsesResponse` / `ToAnthropicResponsesResponse`): `buildBifrostCodeExecutionCall` and `attachAnthropicCodeExecutionResult` parse the `server_tool_use` + `*_code_execution_tool_result` pair into the neutral + carry view; `convertBifrostCodeExecCallToAnthropicBlocks` reconstructs the pair on the reverse path. The response-level `container` is lifted onto every `code_interpreter_call` and restored on the reverse. - **Streaming converter** (`ToBifrostResponsesStream`): `content_block_start` for a code-execution `server_tool_use` emits `output_item.added` + `code_interpreter_call.in_progress`; accumulated input JSON is decoded on `content_block_stop` to emit `code.delta` + `code.done` + `interpreting`; the result block (delivered complete in one `content_block_start`) is stored and folded in on its `content_block_stop` to emit `code_interpreter_call.completed` + `output_item.done`. The sandbox container from the final `message_delta` is folded onto all `code_interpreter_call` items in `OutputItems` and carried on `response.completed`. - **Reverse streaming converter** (`ToAnthropicResponsesStreamResponse`): `output_item.added` emits a `content_block_start` with the correct `server_tool_use` name; `output_item.done` synthesizes `input_json_delta` events + `content_block_stop` for the call and a `content_block_start` + `content_block_stop` for the result block. Code interpreter lifecycle events (`in_progress`, `code.delta`, `code.done`, `interpreting`, `completed`) are suppressed (no Anthropic equivalent). The container is re-emitted on `message_delta`. - **`caller` linkage** (programmatic tool calling): `caller` on `server_tool_use` and `*_tool_result` blocks for `web_search` and `web_fetch` is now preserved through the neutral `ResponsesToolCaller` and re-emitted on the reverse path. `convertBifrostWebSearchCallToAnthropicBlocks` propagates the caller to both the `server_tool_use` and the result block. - **New type constants**: `AnthropicToolNameBashCodeExecution`, `AnthropicToolNameTextEditorCodeExecution`, inner result discriminators (`bash_code_execution_result`, `text_editor_code_execution_result`, etc.), file-output block types, and `AnthropicResponseContainer` (response-level container object, distinct from the request-side union). - **Passthrough block commented out**: the raw-event passthrough for empty-response stream events (compaction `content_block_start/stop`) is disabled pending a cleaner solution, as it was causing duplicate events. - **`ResponsesResponseContainer`** added to `BifrostResponsesResponse` and `BifrostResponsesStreamResponse` to carry the sandbox container at the response level for the reverse converter. - **`ConvertBifrostMessagesToAnthropicMessages`**: `code_interpreter_call` is removed from the unsupported-type fallback and handled natively via `convertBifrostCodeExecCallToAnthropicBlocks`. - **Tests** (`codeexecution_test.go`): four new test cases covering bash non-streaming round-trip (including container and verbatim input), text_editor view round-trip, OpenAI-origin `code_interpreter_call` → Anthropic reconstruction, and a full streaming round-trip (forward + reverse) with container folding and PTC caller verification. Two new schema-level tests verify `WithDefaults()` strips the carry without mutating the source. ## Type of change - [ ] Bug fix - [x] Feature - [ ] Refactor - [ ] Documentation - [ ] Chore/CI ## Affected areas - [x] Core (Go) - [ ] Transports (HTTP) - [x] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [ ] Docs ## How to test ```sh go test ./core/providers/anthropic/... -run TestCodeExecution go test ./core/schemas/... -run TestWithDefaults go test ./... ``` Expected: all new `TestCodeExecution_*` and `TestWithDefaults*` tests pass. The bash round-trip test validates container id, verbatim command input, stdout, and block ordering. The streaming test validates the full event sequence (`output_item.added` → `in_progress` → `code.delta` → `code.done` → `interpreting` → `completed` → `output_item.done`) and the reverse reconstruction of `server_tool_use` + `bash_code_execution_tool_result` with the container on `message_delta`. ## Screenshots/Recordings N/A ## Breaking changes - [ ] Yes - [x] No ## Related issues N/A ## Security considerations The sandbox container ID and expiry are passed through as opaque strings; no secrets or PII are introduced. The `caller` linkage is structural metadata only. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [x] I added/updated tests where appropriate - [ ] I updated documentation where needed - [x] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
## Summary Adds end-to-end and integration test coverage for Anthropic's code execution server tool, validating all sub-tools (`code_execution`, `bash_code_execution`, `text_editor_code_execution`), all tool versions (`code_execution_20250825`, `code_execution_20260120`, `code_execution_20260521`), streaming and non-streaming paths, programmatic tool calling with `allowed_callers`, web search auto-injection, file upload via `container_upload`, container reuse, and generated file retrieval. ## Changes - Added 8 new Postman test cases to `provider-harness.json` covering Python code execution, bash sub-tool, text editor (create/view/str_replace), streaming SSE well-formedness, two newer tool versions (`20260120`, `20260521`), and programmatic tool calling with a custom `get_stock_price` tool using `allowed_callers`. - Added `TestAnthropicCodeExecution` class to `test_anthropic.py` with 13 test methods covering the full code execution surface area, including a streaming accumulator regression guard (the `IndexError`/`UnicodeDecodeError` class of bug), multi-key `text_editor` input round-trip validation, the `files-api-2025-04-14` beta header path for `container_upload`, container reuse across requests, and generated file ID surfacing. - Introduced `CODE_EXEC_TOOL_NAMES` / `CODE_EXEC_RESULT_TYPES` constants and a `_scan()` helper to classify and validate code execution blocks regardless of whether the SDK surfaces beta blocks as objects or dicts. ## Type of change - [ ] Bug fix - [x] Feature - [ ] Refactor - [ ] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [x] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [ ] Docs ## How to test ```sh # Run the Python integration tests for the new code execution suite cd tests/integrations/python pytest tests/test_anthropic.py::TestAnthropicCodeExecution -v # Run a specific sub-test, e.g. streaming regression guard pytest tests/test_anthropic.py::TestAnthropicCodeExecution::test_02_python_streaming -v ``` The Postman collection can be run via Newman against a live Bifrost instance: ```sh newman run tests/e2e/api/collections/provider-harness.json \ --env-var baseUrl=<bifrost_url> \ --env-var anthropicKey=<api_key> ``` Requires a valid Anthropic API key with access to `claude-opus-4-7` and the code execution tool. Test 11 (`container_upload`) additionally requires Files API access; it will auto-skip if unavailable. ## Breaking changes - [x] No ## Related issues ## Security considerations Code execution tests run inside Anthropic's sandboxed execution environment. No user-controlled code escapes the sandbox. API keys are passed via environment variables and never hardcoded. The `files-api-2025-04-14` beta header is only attached to the dedicated `files_beta_client` fixture and not leaked to other test paths. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [x] I added/updated tests where appropriate - [ ] I updated documentation where needed - [x] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
…e special characters in URLs (maximhq#4761) Cherry-picked from dev: 99ae847
…ion logic (maximhq#4763) Cherry-picked from dev: 5d420a5
…maximhq#4764) Cherry-picked from dev: 0c13539
… `mergeGovernanceConfig` path for first config file import (maximhq#4769) ## Summary When no governance config exists in the store but one is present in the config file, the first import was taking a separate code path (`createGovernanceConfigInStore`) that bypassed the ID normalization and persistence logic in `mergeGovernanceConfig`. This meant entities without explicit IDs would not have UUIDs generated consistently, and the merge-based upsert behavior was skipped entirely on first boot. This PR unifies the first-import path with the update path by initializing an empty `GovernanceConfig` snapshot when none exists in the store, then routing through `mergeGovernanceConfig` for both cases. ## Changes - Removed `createGovernanceConfigInStore` and its ~280 lines of duplicated persistence logic. - When no governance config is found in the store but the config file contains one, an empty `configstore.GovernanceConfig{}` is now used as the base snapshot, and `mergeGovernanceConfig` is called to handle ID normalization, hashing, and persistence — the same path taken on subsequent boots. - Added `TestLoadConfig_Governance_FirstImportUsesMergeIDHandling` to verify that on first import, entities with explicit IDs retain them and entities without IDs have UUIDs generated, for customers, teams, and virtual keys. ## Type of change - [x] Bug fix - [ ] Feature - [x] Refactor - [ ] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [x] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [ ] Docs ## How to test ```sh go test ./transports/bifrost-http/lib/... -run TestLoadConfig_Governance_FirstImportUsesMergeIDHandling -v go test ./transports/bifrost-http/lib/... -run TestSQLite_Budget -v go test ./transports/bifrost-http/lib/... -v ``` On first boot with a governance config file and an empty store, entities with explicit IDs should retain those IDs in the database, and entities without IDs should have UUIDs generated. On subsequent boots, the behavior should be unchanged. ## Breaking changes - [ ] Yes - [x] No ## Related issues ## Security considerations No new auth, secrets, or PII handling introduced. The change reduces surface area by removing a duplicate persistence path. ## Checklist - [x] I read `docs/contributing/README.md` and followed the guidelines - [x] I added/updated tests where appropriate - [ ] I updated documentation where needed - [x] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
…ence, security, filtering, and trace payload format (maximhq#4771) ## Summary Adds documentation for the Kafka observability connector, an Enterprise feature that streams Bifrost request traces as JSON messages to a Kafka topic for custom analytics, archival, and downstream processing. ## Changes - Added `docs/features/observability/kafka.mdx` with full documentation covering setup (Web UI and `config.json`), configuration reference, TLS and SASL security options, trace filtering, the published JSON payload format, and a troubleshooting guide - Registered the new page in `docs/docs.json` under the observability section - Added `docs/media/ui-kafka-connector.png` screenshot of the Kafka connector configuration form in the UI ## Type of change - [ ] Bug fix - [ ] Feature - [ ] Refactor - [x] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [x] Docs ## How to test Navigate to the observability section of the docs and confirm the Kafka page renders correctly, including the configuration tables, code blocks, tabs, and embedded screenshot. ## Screenshots/Recordings  ## Breaking changes - [ ] Yes - [x] No ## Related issues ## Security considerations The documentation explicitly advises referencing sensitive values (`ca_cert`, SASL `username` and `password`) via environment variables (`env.VAR_NAME`) rather than embedding them directly in configuration files. It also warns that `PLAIN` SASL should always be paired with `tls_enabled: true` in production to prevent credential exposure. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [ ] I added/updated tests where appropriate - [x] I updated documentation where needed - [ ] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
…ound-trips during sync (maximhq#4782) ## Summary Pricing sync performance was degraded by issuing one database round-trip per model during a sync. For catalogs with thousands of models, this created significant latency. This PR replaces the per-row upsert loop with a batched multi-row `ON CONFLICT` upsert, collapsing the sync into a handful of round-trips. ## Changes - Added `UpsertModelPricesBatch` to `RDBConfigStore` and the `ConfigStore` interface, which uses GORM's `CreateInBatches` with a 500-row batch size and `ON CONFLICT (model, provider, mode) DO UPDATE` semantics matching the existing single-row upsert - Deduplication by `(model, provider, mode)` is now performed before the write rather than inside the transaction loop, since PostgreSQL rejects multi-row `ON CONFLICT` statements that target the same conflict key twice in a single statement - `SyncFromURL` now builds the deduplicated slice upfront and delegates to `UpsertModelPricesBatch` inside a single transaction instead of calling `UpsertModelPrices` in a loop - Increased `DefaultPricingTimeout` from 45s to 60s to accommodate larger catalogs - Updated the force-sync success message from "pricing sync triggered" to "pricing synced successfully" in the API response and both UI toast notifications to better reflect that the sync completes synchronously - Added `UpsertModelPricesBatch` stub to `MockConfigStore` in tests ## Type of change - [ ] Bug fix - [x] Feature - [x] Refactor - [ ] Documentation - [ ] Chore/CI ## Affected areas - [x] Core (Go) - [x] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [x] UI (React) - [ ] Docs ## How to test ```sh go test ./framework/configstore/... ./framework/modelcatalog/... ./transports/bifrost-http/... ``` Trigger a pricing sync via the force-sync endpoint or UI button and verify: - The sync completes without error - The success toast reads "Pricing synced successfully." rather than "Pricing sync triggered successfully." - Database pricing rows are correctly created or updated after the sync ## Breaking changes - [ ] Yes - [x] No ## Related issues ## Security considerations None. No changes to auth, secrets, or PII handling. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [ ] I added/updated tests where appropriate - [ ] I updated documentation where needed - [ ] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
## Summary Fixes a regression (maximhq#4797) where the config-hash recompute migration failed on upgrade from a pre-1.6 schema. The `TableClientConfig` struct declares `dump_errors_in_console_logs`, but on older schemas this column does not yet exist on the physical table when the recompute step runs. The previous implementation derived its `SELECT` projection solely from the struct, causing PostgreSQL to return error `42703` (undefined column) and SQLite to return "no such column". ## Changes - The recompute step in `migrationRefreshConfigHashAfterMCPExternalServerURLRemoval` now intersects the struct's declared column names with the columns that physically exist on the live table before building the `SELECT` projection. This prevents naming absent columns regardless of future struct additions. - The `AfterFind` hook path is preserved by keeping `.Find` rather than switching to a raw `Scan`, ensuring `*_json` columns are still deserialized correctly for hash computation. - Two regression tests added: - `TestMigrationRefreshConfigHash_ColumnAheadOfTable`: focused test that drops `dump_errors_in_console_logs` from the table and confirms the recompute step succeeds and produces a fresh hash. - `TestFullMigration_UpgradeFromPreDumpErrorsSchema`: end-to-end test that runs the full migration chain against a column-less table, confirming the column is re-added and the hash is recomputed. - `git fetch --tags` in the migration test CI script is commented out to avoid tag-fetch side effects during test runs. ## Type of change - [x] Bug fix ## Affected areas - [x] Core (Go) ## How to test ```sh go test ./framework/configstore/... -run TestMigrationRefreshConfigHash_ColumnAheadOfTable go test ./framework/configstore/... -run TestFullMigration_UpgradeFromPreDumpErrorsSchema ``` Both tests should pass. Prior to this fix, both would fail with a "no such column: dump_errors_in_console_logs" (SQLite) or `42703` (PostgreSQL) error. ## Breaking changes - [x] No ## Related issues Closes maximhq#4797 ## Security considerations None. This change only affects the column projection used during a read inside a migration transaction. ## Checklist - [ ] I read `docs/contributing/README.md` and followed the guidelines - [x] I added/updated tests where appropriate - [ ] I updated documentation where needed - [x] I verified builds succeed (Go and UI) - [ ] I verified the CI pipeline passes locally if applicable
## Summary Adds the Enterprise v1.5.2 changelog page and registers it in the docs navigation. This release is based on `transports/v1.6.2` and delivers several bug fixes alongside OSS support for the Claude Sonnet 5 model family. ## Changes - Added `docs/changelogs/ent-v1.5.2.mdx` documenting the v1.5.2 release, including: - Claude Sonnet 5 support in the Anthropic provider (adaptive thinking, effort parameter, computer-use/text-editor tool generations, dynamic web search filtering, default max output tokens) - Fix for ghost-node cleanup being skipped on request-time (targeted) governance resets — `GlobalGovernanceStore` now registers reset hooks directly on `LocalGovernanceStore` - Fix for Generic OIDC (`SCIMProviderGeneric`) cookie token selection so AD FS and similar IdPs use the ID token instead of the access token - Fix for Bedrock error type extraction - Fix for `aspect_ratio` support in Gemini/Imagen image generation and edit requests - Fix for a plan cache migration regression causing `undefined column` errors on PostgreSQL and SQLite when upgrading from pre-1.6 schemas - Fix for the custom provider API key form for Bedrock - Registered `changelogs/ent-v1.5.2` as the first entry in the Enterprise changelogs section of `docs/docs.json` ## Type of change - [ ] Bug fix - [ ] Feature - [ ] Refactor - [x] Documentation - [ ] Chore/CI ## Affected areas - [ ] Core (Go) - [ ] Transports (HTTP) - [ ] Providers/Integrations - [ ] Plugins - [ ] UI (React) - [x] Docs ## How to test Verify the new changelog page renders correctly in the docs site and appears as the first entry under the Enterprise changelogs navigation group. ## Breaking changes - [ ] Yes - [x] No ## Related issues - Closes [maximhq#4797](maximhq#4797) — Configstore migration order: `refresh_config_hash_after_mcp_external_server_url_removal` selected `dump_errors_in_console_logs` before `add_dump_errors_in_console_logs_column` added it ## Security considerations None. This is a documentation-only change. ## Checklist - [x] I read `docs/contributing/README.md` and followed the guidelines - [x] I added/updated tests where appropriate - [x] I updated documentation where needed - [x] I verified builds succeed (Go and UI) - [x] I verified the CI pipeline passes locally if applicable
## Summary
Adds public OpenAPI documentation for the Audit Logs API, exposing CADF-compliant audit log search, export, and signature verification endpoints under the `Audit Logs` tag.
## Changes
- Added a new `Audit Logs` tag to both `openapi.json` and `openapi.yaml` with the description "CADF-compliant audit log search, export, and signature verification endpoints."
- Introduced five new API paths:
- `GET /api/audit-logs` — paginated, filterable list of audit events supporting both offset- and cursor-based pagination, free-text search, and singular/plural filter parameters for actions, outcomes, event types, initiator/target IDs and types, request metadata, tags, and time ranges.
- `GET /api/audit-logs/filterdata` — returns distinct values for each filter dimension to populate dashboard dropdowns, with optional dimension selection and substring filtering.
- `GET /api/audit-logs/export` — streams matching audit events as a downloadable file in `json`, `jsonl`, or RFC 5424 `syslog` format.
- `GET /api/audit-logs/{id}` — retrieves a single audit event by UUID.
- `GET /api/audit-logs/{id}/verify` — recomputes the HMAC-SHA256 signature for an event and compares it in constant time against the stored signature to detect tampering.
- Added new schema definitions: `AuditEventType`, `AuditAction`, `AuditOutcome`, `AuditResourceType`, `AuditResource`, `AuditReason`, `AuditAttachment`, `AuditEvent`, `AuditLogsResult`, `AuditLogResponse`, `AuditFilterKeyPair`, `AuditFilterDataResponse`, and `AuditVerifyResult`.
- Created dedicated source files `docs/openapi/paths/management/auditlogs.yaml` and `docs/openapi/schemas/management/auditlogs.yaml` and wired them into the root `openapi.yaml`.
- The compiled `openapi.json` also includes unresolved merge conflict markers from a concurrent branch adding `mcp_server_auth_mode` and `oauth2_server_config` fields; these should be resolved before merging.
## Type of change
- [ ] Bug fix
- [ ] Feature
- [ ] Refactor
- [x] Documentation
- [ ] Chore/CI
## Affected areas
- [ ] Core (Go)
- [ ] Transports (HTTP)
- [ ] Providers/Integrations
- [ ] Plugins
- [ ] UI (React)
- [x] Docs
## How to test
Validate the OpenAPI spec renders correctly and all `$ref` paths resolve without errors:
```sh
# Install a validator if not already present
npm install -g @redocly/cli
# Lint the YAML source
redocly lint docs/openapi/openapi.yaml
# Confirm the compiled JSON is consistent with the YAML source
# (resolve the merge conflict markers in openapi.json first)
```
Verify the five new audit log endpoints appear under the "Audit Logs" tag in the rendered docs and that all schema references resolve correctly.
## Screenshots/Recordings
N/A — documentation-only change.
## Breaking changes
- [ ] Yes
- [x] No
## Related issues
## Security considerations
All five audit log endpoints are protected by `ManagementBearerAuth`. The signature verification endpoint (`/api/audit-logs/{id}/verify`) uses constant-time comparison to prevent timing attacks when validating HMAC-SHA256 signatures.
## Checklist
- [ ] I read `docs/contributing/README.md` and followed the guidelines
- [ ] I added/updated tests where appropriate
- [x] I updated documentation where needed
- [ ] I verified builds succeed (Go and UI)
- [ ] I verified the CI pipeline passes locally if applicable
# Conflicts: # docs/changelogs/ent-v1.5.0.mdx # docs/docs.json # framework/logstore/tables.go # ui/components/ui/truncatedLabel.tsx # ui/lib/queryParamsParser.ts
…cope The default GITHUB_TOKEN cannot read the Dependabot alerts REST API under any permissions block; this workflow has failed on every scheduled run. Support an optional DEPENDABOT_ALERTS_TOKEN PAT and degrade to a clear warning instead of a red run when it's absent.
- hono was locked to 4.12.23 in 5 example MCP servers, vulnerable to CORS/body-limit/header-merging/path-traversal issues fixed in 4.12.25 (GHSA-88fw-hqm2-52qc, GHSA-j6c9-x7qj-28xf, GHSA-rv63-4mwf-qqc2, GHSA-wgpf-jwqj-8h8p, GHSA-wwfh-h76j-fc44). Raise the floor to >=4.12.25 and refresh lockfiles. - golang.org/x/sys was pinned to v0.42.0 in two standalone example plugin modules, vulnerable to a Windows NTUnicodeString truncation issue fixed in v0.44.0 (GO-2026-5024, CVE-2026-39824). Bump to v0.45.0, matching every other module in the workspace. Revert the debug-only alert lookup added earlier in alert-bridge.yml.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Routine sync from
upstream/main(maximhq/bifrost), plus fixes for security/quality findings surfaced along the way.Changes
upstream/mainintomain(58 commits ahead, e.g.transports/v1.6.0-era fixes: MCP tool ordering determinism, Anthropic↔OpenAI streaming tool-call deltas, Bedrock system-message hoisting, hybrid log store cached-token accounting, etc).docs/changelogs/ent-v1.5.0.mdx/docs/docs.json— stale duplicate changelog bullet/missing entries.framework/logstore/tables.go— took upstream's cached-token-details enhancement.ui/components/ui/truncatedLabel.tsx,ui/lib/queryParamsParser.ts— identical content on both sides.chore: echo code-scanning alert summary to job logs—.github/workflows/alert-bridge.ymluploaded an alerts artifact but never printed a human-readable summary to the job log; added a compactjqline so alerts are visible without downloading the artifact.fix: stop Dependabot-alerts sync from hard-failing on missing token scope—.github/workflows/dependabot-alerts.yml(the weekly "Dependabot Alerts to Issues" job) has been failing on every single scheduled run since at least 2026-06-01 with403 Resource not accessible by integration: the defaultGITHUB_TOKENcannot call the Dependabot alerts REST API under anypermissions:block. Added optionalDEPENDABOT_ALERTS_TOKENPAT support and a graceful warning instead of a hard failure when it's absent.fix: bump vulnerable hono and golang.org/x/sys dependencies:honowas locked to4.12.23in 5 example MCP servers (examples/mcps/{test-tools-server,edge-case-server,parallel-test-server,temperature,error-test-server}), vulnerable to 5 GHSAs (CORS credential reflection, body-limit bypass, header-merging, path-traversal) all fixed in4.12.25. Raised the floor to>=4.12.25and refreshed lockfiles (resolved to4.12.27).golang.org/x/syswas pinned tov0.42.0in two standalone example plugin modules (hello-world-wasm-go,mcp-only), vulnerable toGO-2026-5024/CVE-2026-39824(WindowsNTUnicodeStringtruncation), fixed inv0.44.0. Bumped tov0.45.0to match every other module in the workspace.Type of change
Affected areas
How to test
Breaking changes
Security considerations
TokenPermissionsID(high) + 2PinnedDependenciesID(medium) code-scanning alerts onrelease-pipeline.yml/helm-release.yml/openapi-bundle.yml/release-bifrost-migration-cli.yml: these are vanilla upstream release-automation files, all gated bygithub.repository == 'maximhq/bifrost'so they never execute on this fork, and the flaggedcontents:write/packages:writescopes are required for their legitimate release/publish function upstream. Narrowing them here would diverge from vanilla upstream for no real risk reduction on the fork. Flagging for visibility rather than silently dismissing.DEPENDABOT_ALERTS_TOKENsecret (fine-grained PAT, "Dependabot alerts: read") — outside what this session can safely provision.Checklist
npm cifor the full UI in this sandbox)Generated by Claude Code