Skip to content

Feature/mcp governance#2510

Open
ashishrp-aws wants to merge 303 commits into
feature/mcp-governance-devfrom
feature/mcp-governance
Open

Feature/mcp governance#2510
ashishrp-aws wants to merge 303 commits into
feature/mcp-governance-devfrom
feature/mcp-governance

Conversation

@ashishrp-aws

Copy link
Copy Markdown
Contributor

Problem

Solution

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@ashishrp-aws ashishrp-aws requested a review from a team as a code owner November 20, 2025 05:23
@codecov-commenter

codecov-commenter commented Nov 20, 2025

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 43.84663% with 2724 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.81%. Comparing base (47a8631) to head (90dcd07).
⚠️ Report is 3 commits behind head on feature/mcp-governance-dev.

Files with missing lines Patch % Lines
...e-server/netTransform/atxTransformHandlerLegacy.ts 12.60% 1380 Missing ⚠️
...c/language-server/agenticChat/tools/chatDb/util.ts 15.76% 203 Missing ⚠️
chat-client/src/client/utils.ts 25.60% 153 Missing and 1 partial ⚠️
...anguage-server/agenticChat/tools/mcp/mcpManager.ts 55.62% 150 Missing ⚠️
...guage-server/netTransform/atxNetTransformServer.ts 32.25% 147 Missing ⚠️
...rc/language-server/agenticChat/tools/toolServer.ts 0.00% 102 Missing ⚠️
...r/agenticChat/context/additionalContextProvider.ts 61.68% 81 Missing and 1 partial ⚠️
...language-server/agenticChat/tools/chatDb/chatDb.ts 48.29% 76 Missing ⚠️
...nguage-server/agenticChat/agenticChatController.ts 63.51% 54 Missing ⚠️
...ver/agenticChat/context/contextCommandsProvider.ts 64.18% 53 Missing ⚠️
... and 31 more
Additional details and impacted files
@@                      Coverage Diff                       @@
##           feature/mcp-governance-dev    #2510      +/-   ##
==============================================================
- Coverage                       60.79%   59.81%   -0.99%     
==============================================================
  Files                             280      281       +1     
  Lines                           65558    71134    +5576     
  Branches                         4204     4513     +309     
==============================================================
+ Hits                            39858    42550    +2692     
- Misses                          25616    28496    +2880     
- Partials                           84       88       +4     
Flag Coverage Δ
unittests 59.81% <43.84%> (-0.99%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

ashishrp-aws and others added 28 commits December 9, 2025 13:00
…ation (#2555)

* feat: add alphabetical sorting for MCP registry servers and improve URL validation

* fix: fix for failing unit test
* feat: update SMAI clients to use SM_AI_STUDIO_IDE origin

* fix: apply prettier formatting to utils.ts

* fix: formatting issues

* test: add tests for full coverage

* ci: trigger CI rerun
…2562)

* fix: prevent MCP server process duplicates with lightweight tracking

* fix: reduce excessive logging in MCP process deduplication

* fix: separate connection try-catch from process tracking
…es (#2564)

This reverts the web search functionality from commit 09c4769
while preserving the streaming client packages that contain
updated Origin type definitions needed by existing code.

Preserved files:
- core/codewhisperer-streaming/amzn-codewhisperer-streaming-1.0.0.tgz
- core/q-developer-streaming-client/amzn-amazon-q-developer-streaming-client-1.0.0.tgz
- package-lock.json
- server/aws-lsp-codewhisperer/package.json
* fix: remove s3 artifact upload and download timeout

* fix: update unit tests for s3 timeout removal

* fix: remove comment

---------

Co-authored-by: invictus <149003065+ashishrp-aws@users.noreply.github.com>
* chore(release): release packages from branch main

* chore: update package-lock.json from npm install (#2565)

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: invictus <149003065+ashishrp-aws@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
…nges on windows machine (#2568)

* fix: network connection error caused by server runtime dependency changes for windows users

* chore: update package-lock
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Shruti Sinha <44882001+shruti0085@users.noreply.github.com>
aws-toolkit-automation and others added 30 commits May 29, 2026 13:56
)

* feat(integ): rewrite ATX integ tests for new chatty-agent handler

Replaces the legacy DOTNET_IDE integ test flow with the new orchestrator
agent (chatty-agent) flow, matching the VS Toolkit IDE behavior.

Test changes:
- Use TCP socket transport with Buffer-based JSON-RPC parsing to correctly
  handle Content-Length (bytes) vs string length (characters) for UTF-8
- Add sendMessage trigger after startTransform with 30s delay
- Handle local-build-verification HITL with fake build result
- Send "Mark this job as complete" chat message to reach COMPLETED
- Poll without SolutionRootPath to avoid fetchWorklogs log flooding

Handler improvements:
- Add 30s request timeout to FES client via NodeHttpHandler
- Add 30s timeout to all got.get() S3 download calls in handler and utils

Tests validate: ListWorkspaces, CreateWorkspace, CreateJob,
CreateArtifactUploadUrl, CompleteArtifactUpload, StartJob, SendMessage,
GetJob, ListJobPlanSteps, ListHitlTasks, SubmitCriticalHitlTask, StopJob

* style: format integ test files with prettier

* fix: address PR review comments

- Clean up orphan process/server on connection timeout (lspClient.ts)
- Use import instead of require for NodeHttpHandler
- Use consistent expect().to.be.oneOf() pattern

---------

Co-authored-by: invictus <149003065+ashishrp-aws@users.noreply.github.com>
* feat: rejecting v1 agent jobs

* feat: rejecting v1 agent jobs

* feat: rejecting v1 agent jobs

* feat: rejecting v1 agent jobs

* feat: rejecting v1 agent jobs

* feat: rejecting v1 agent jobs

---------

Co-authored-by: pranavfi <pranavfi@amazon.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
* chore: bump agentic version: 1.70.0

* feat: renaming toolkit title (#2762)

Co-authored-by: pranavfi <pranavfi@amazon.com>

---------

Co-authored-by: aws-toolkit-automation <>
Co-authored-by: Pranav Firake <pranav.firake7@gmail.com>
Co-authored-by: pranavfi <pranavfi@amazon.com>
* docs(chat-client): document per-host postMessage origin behavior

Expand the handleInboundMessage JSDoc to describe how event.origin
differs across IDE host environments -- notably Eclipse on Windows
(Edge WebView2), which delivers an opaque empty/null origin for
browser.setText()-injected HTML. Add a CONTRIBUTING section requiring
chat-client message-handling and origin-validation changes to be
reviewed against every supported host environment, not just same-origin
hosts.

* docs(chat-client): add host environment summary to README

Add a concise table of how each IDE host embeds the chat webview
(rendering engine, asset scheme, resulting origin, and message-delivery
bridge) and note that inbound message-handling and origin-validation
changes must be validated against every host environment.
…etTransform) (#2765)

* fix(amazonq): preserve customer edits on checkpoint apply (DealerFx netTransform)

applyChanges() in the netTransform language server laid every backend
checkpoint diff onto the customer's solution with an unconditional
fs.copyFileSync, with no check for files the customer had edited locally since
the last apply. A later sync therefore silently overwrote manual fixes to an
already-transformed project — the DealerFx data-loss report (8h of NuGet fixes
clobbered by a retry).

The watermark needed to detect this already existed (getModifiedFilesSince-
Checkpoint, mtime > manifest.lastAppliedTimestamp) but was only consulted on
the UPLINK (updateWorkspace); the DOWNLINK (applyChanges) never looked at it.

Fix:
- applyChanges takes the jobId (optional, defaults to '' for back-compat) and
  computes the customer-modified set once up front. A single guard
  (shouldPreserveUserFile) runs before each write in all three loops
  (filesAdded / filesUpdated / filesMoved): if the destination exists, was
  edited by the customer since the last apply, and differs from the incoming
  bytes, the customer's file is preserved (write — and, for a move, the unlink
  — is skipped), backed up under {jobId}/checkpoints/conflict-backups/, and
  recorded in the new conflictedFiles return field. The transform's version
  remains in the checkpoint after/ dir, so neither side is lost.
- A byte-equal short-circuit (filesEqual) treats the agent's own identical
  re-emits as no-ops, so the per-job watermark never flags them as conflicts.
- The interactive downlink (downloadCompletedStepArtifacts) now calls
  saveLastAppliedTimestamp like the diff-artifact path already did; without it
  the watermark was absent there and the guard would be a no-op on the exact
  path DealerFx lost edits on.

Out of scope (deliberate): filesRemoved is left unguarded — deleting a
customer-edited file the transform intends to remove is a product/semantic
question, not a clobber. A true 3-way merge is infeasible client-side (no
before/ baseline ships in the checkpoint); first-apply on a virgin manifest is
unprotected by necessity.

Tests: 6 new cases in the existing applyChanges suite. 22/22 applyChanges
tests pass; compile clean.

* fix(amazonq): prevent duplicate applyChanges bypassing user-edit protection

downloadCompletedStepArtifacts loaded appliedSteps once before the loop.
When the diff-artifact path (downloadDiffArtifact) already applied the
same step earlier in the same getTransformInfo call, the stale snapshot
missed it — causing a redundant second applyChanges that ran after the
watermark was re-stamped, seeing 0 modified files and silently
overwriting the customer's edits.

Move loadAppliedCheckpoints inside the loop so each iteration reads
fresh state from disk.

* feat(amazonq): guard filesRemoved and filesMoved source against customer edits

Extend the user-edit preservation to two previously unguarded paths:

- filesRemoved: if the customer edited a file since the last apply and
  the transform wants to delete it, preserve the file on disk, back it
  up to conflict-backups/, and record the conflict.

- filesMoved (source): if the customer edited the move source, skip
  the entire move (no copy to target, no unlink of source), back up the
  source to conflict-backups/, and record the conflict. The existing
  move-target guard remains unchanged.

Tests: 3 new cases (move source preserved, remove preserved, remove
proceeds when untouched). 38/38 applyChanges tests pass.

* style: format atxTransformHandler.ts with prettier

---------

Co-authored-by: Jiayu Wang <wwangjy@amazon.com>
* feat(amazonq): make updateWorkspace self-resolve the correct review HITL server-side

When the client sends a stale or wrong stepId, the LSP now falls back to
resolving the real pending review step from the plan tree, and if that
misses (race where step already flipped to IN_PROGRESS), scans all active
HITLs for one with a -review tag. This makes the client stepId advisory
rather than load-bearing.

* fix(amazonq): reset watermark after uplink so retry checkpoint applies cleanly

After a successful updateWorkspace (customer edits uploaded to the
agent), reset the lastAppliedTimestamp watermark. This ensures the
incoming retry checkpoint isn't treated as a conflict — the customer
explicitly asked to retry, so they expect the agent's output on disk.

Also adds a second fallback to the C2-a step resolution: when the
plan-based resolution misses (step already flipped to IN_PROGRESS on
retry), scan all active HITLs for one with a -review tag. This covers
the race where the review HITL is still alive but the step status has
already transitioned.

* fix(amazonq): detect edits in not-yet-transformed projects for uplink

In a multi-project solution (A, B, C), if the customer edits Project B
while Project A is transforming, those edits have mtime < lastApplied-
Timestamp (set when A's checkpoint applied). The uplink missed them.

Fix: updateWorkspace now uses the job-start time (createdAt) as the
baseline for modified-file detection instead of lastAppliedTimestamp.
This catches all edits made since the transform began, regardless of
which project's checkpoint set the watermark. The conflict detection in
applyChanges still uses lastAppliedTimestamp (correct for that purpose).
hasApproval() previously matched a stored approval when EITHER the config
fingerprint OR the workspace hash matched (logical OR). This allowed an
approval granted in one workspace to be silently reused in a different
workspace that shipped an identical MCP server config, and allowed a
previously-trusted workspace to mutate its config without re-prompting.

Because MCP servers are spawned with cwd set to the requesting workspace,
reusing consent across workspaces executes attacker-controlled files with
the developer's privileges and no consent prompt (zero-prompt RCE).

Require all three of (serverName, fingerprint, workspaceHash) to match so
consent is bound to a specific workspace AND a specific config. The store
already records workspaceHash per approval, so no data migration is needed:
- cross-workspace reuse: blocked (workspaceHash differs)
- config mutation in same workspace: blocked (fingerprint differs)

Also scope removeApproval() to (serverName, workspaceHash) using its
previously-unused configPath argument, so removing a server in one workspace
no longer revokes consent for an identically-named server elsewhere.

Rewrites the two unit tests that previously asserted the insecure reuse
behavior and adds regression tests for per-workspace consent isolation and
per-workspace revocation.

Hardens against CVE-2026-12957.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Laxman Reddy <141967714+laileni-aws@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
…isServer (#2772)

The QCodeAnalysisServer creates its own CodeWhispererServiceToken for the
code review tool, but it was passing `undefined` for userContext and
omitting the customUserAgent parameter entirely. This meant the SDK client
created for code review (CreateUploadUrl, StartCodeAnalysis, etc.) had no
IDE identifier in its user-agent header.

The server-side Kiro Enterprise subscription handler validates the
user-agent against an allowlist of known IDE clients. Without the IDE
identifier, the check fails with AccessDeniedException.

Fix: Pass getUserAgent() and makeUserContextObject() to the
CodeWhispererServiceToken constructor, matching the pattern used by
AmazonQTokenServiceManager.serviceFactory().

This affects all IDE plugins (VSCode, JetBrains, Eclipse, Visual Studio)
using the agentic code review tool with Kiro Enterprise subscriptions.

Fixes: P436405137
Bumping up language server runtime package versions:
- @aws/chat-client-ui-types: 0.1.68 → 0.1.71
- @aws/language-server-runtimes: 0.3.18 → 0.3.19
- @aws/language-server-runtimes-types: 0.1.64 → 0.1.65

Updated in chat-client and server/aws-lsp-codewhisperer.
Regenerated the corresponding package-lock.json entries.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: aws-toolkit-automation <>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.