Skip to content

Merge master into feature/model-selection#8729

Open
aws-toolkit-automation wants to merge 286 commits into
feature/model-selectionfrom
autoMerge/feature/model-selection
Open

Merge master into feature/model-selection#8729
aws-toolkit-automation wants to merge 286 commits into
feature/model-selectionfrom
autoMerge/feature/model-selection

Conversation

@aws-toolkit-automation

Copy link
Copy Markdown
Collaborator

Automatic merge failed

  • Resolve conflicts and push to this PR branch.
  • Do not squash-merge this PR. Use the "Create a merge commit" option to do a regular merge.

Command line hint

To perform the merge from the command line, you could do something like the following (where "origin" is the name of the remote in your local git repo):

git stash
git fetch --all
git checkout origin/feature/model-selection
git merge origin/master
git commit
git push origin HEAD:refs/heads/autoMerge/feature/model-selection

chungjac and others added 30 commits March 23, 2026 12:12
…allback LSP (#8591)

## Problem

When users behind corporate proxies/firewalls can't download the LSP
from CDN, the extension falls back to a bundled LSP. The bundled LSP
currently excludes the entire indexing/ folder (~200MB), which means
@file, @folder, and @code context commands don't work for these users.

## Solution

Instead of deleting the entire `indexing` folder during bundling,
selectively strip only the heavy platform-specific files that aren't
needed for context commands:

- dist/bin/ — ONNX native binaries (25MB)
- dist/build/ — faiss native binaries (11MB)
- models/ — CodeSage ONNX model (124MB)

This keeps extension.js, lspServer.js, tree-sitter WASMs (~30MB
uncompressed, ~3MB compressed in VSIX), which is everything needed for
@file, @folder, @code, and BM25 cross-file context.

VSIX size impact: +3MB (19MB → 22MB)

Depends on aws/language-servers#2629: (CDN must
have the updated indexing library)
…o for reconnection (#8641)" (#8646)

This reverts commit f3a9935.

## Problem


## Solution


---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.
## Problem
- The HyperPod reconnection system (HyperpodReconnectionManager,
HyperpodConnectionMonitor, getHyperpodSession route) added complexity
and reliability issues that blocked a stable Cursor release.
Additionally, when a SageMaker space is disconnected/stopped, Cursor's
remote-SSH extension retries the connection indefinitely — each failed
attempt opens a browser error page, resulting in a flood of popup
windows.

## Solution
- Removed the HyperPod reconnection layer (HyperpodReconnectionManager,
HyperpodConnectionMonitor, getHyperpodSession route) in favor of using
the existing SageMaker connection flow with presigned URLs
- Refactored prepareDevEnvConnection to use an options object instead of
15+ positional parameters
- Consolidated duplicated code: parseArn, WriteQueue, removeKnownHost,
SSH hostname sanitization
- Added Cursor IDE detection (getIdeType) and IDE-specific SSH prefix
(smc_)
- Added server-side retry cap (max 8 attempts) on the /get_session route
to suppress browser popup storms during Cursor's unlimited SSH
reconnection retries
- Generalized the macOS IDE process detection pattern to support future
VS Code forks without code changes

## Testing
- Local testing with vsix on both VS Code and Cursor
- Verified side panel (lc) and deeplink (dl) connection paths
- Confirmed retry cap suppresses popups after 8 attempts while allowing
recovery on successful reconnection
- Tested on macOS and Win11
---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.

---------

Co-authored-by: Laxman Reddy <141967714+laileni-aws@users.noreply.github.com>
## Problem
- detected issue in smus deeplink where it would get stuck in "opening"
the remote window and eventually crash after timeout
- deeplink URL lacked a URL encoding which allowed query param
cell-number (base64-encoded SSM session token) to convert from spec char
'+' to spaces when re-appended to web socket url. this caused mismatch >
corrupted token

## Solution
- wrap cell-number with encodeURIComponent() which will keep spec char
as is after re-appending

## Testing
- Locally tested with vsix
- Confirmed with SMUS

---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.
…etIdeInfo from skipped Cursor IDE commit"

This reverts commit 5cf95ee.
aws-toolkit-automation and others added 30 commits June 11, 2026 19:12
build(toolkits): merge release candidate version rc-20260611
…eeplink metric

- Record awsAccount/awsRegion on all sagemaker_* telemetry spans
  (openRemoteConnection, stopSpace, filterSpaces, deeplinkConnect)
- Separate HyperPod deeplink into its own hyperpod_deeplinkConnect metric
  so it doesn't pollute Jorus dashboard data
- Skip default awsAccount injection when already set by span.record()
…8809)

A fresh AWS Toolkit install showed a notification suggesting to install
Amazon Q ("Try Amazon Q, a generative AI assistant, with chat and code
suggestions."). Per the Amazon Q Developer end-of-support announcement
(new signups end 2026-05-15, end of support 2027-04-30), remove the prompt.

Removes handleAmazonQInstall() and its call site in activate(), plus the
now-unused ExtStartUpSources, VSCODE_EXTENSION_ID, and isExtensionInstalled
imports. The Amazon Q explorer tree nodes are intentionally left unchanged
(separate UI surface, out of scope for this issue).
…n-q-install-prompt

fix(amazonq): remove "Try Amazon Q" install prompt from AWS Toolkit (#8809)
Problem:
The getAsTable() function renders Redshift query results (column names,
cell values, and connection params) directly into HTML without encoding.
An attacker with INSERT privileges on a shared Redshift table can inject
JavaScript that executes when another user queries the table from a
Redshift SQL Notebook (CWE-79, stored XSS to RCE).

Solution:
- Strengthen the shared encodeHTML() utility in textUtilities.ts to also
  encode &, ", and ' (previously only < and >).
- Use encodeHTML() in getAsTable() for all dynamic values interpolated
  into the HTML output.
fix(redshift): sanitize HTML in notebook query results
…nput, which could lead to unintentional path traversal outside the expected directory
fix: Audit codebase and fix uses of path.join with unsanitized user input
ci: fix Windows build by upgrading node-gyp for Visual Studio 2026
Add changelog entry for path traversal validation fix
…try-account-id

fix(sagemaker): update metrics for Jorus dashboard
build(amazonq): merge release candidate version rc-20260624
## Problem

Users are unable to utilise a customised self-hosted ide-specific threat
composer deployment within vs-code unless within a private network with
customised dns resolution, due to the hardcoded URL for the
ide-threat-composer editor resources.

Benefit of leveraging a self-hosted deployment of threat composer is
users can include customised threat/mitigation packs - outlined
[here](https://github.com/awslabs/threat-composer/blob/main/docs/WEB-APP.md#customising-reference-data-in-your-build).

## Solution

Added a configurable VS-Code setting `aws.threatComposer.cdn` that
allows users to override the default `cdn` value
'https://ide-toolkits.threat-composer.aws.dev'.

## Testing

Change is minimal: 2 files changed

## Caveats

Does require the users self-hosted version to update the content
security policy in their deployment of the ide variant of
[threat-composesr](https://github.com/awslabs/threat-composer) but that
seems a reasonable expectation.

```bash
sed -i -e `s|https://ide-toolkits.threat-composer.aws.dev|<cdn>/|g` ./threat-composer/packages/threat-composer/public/index.html
sed -i -e `s|data:|data: <cdn>/|g` ./threat-composer/packages/threat-composer/public/index.html
```

---

- Treat all work as PUBLIC. Private `feature/x` branches will not be
squash-merged at release time.
- Your code changes must meet the guidelines in
[CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines).
- License: I confirm that my contribution is made under the terms of the
Apache 2.0 license.
The type annotation used 'configurationChangeEvent' (lowercase c) instead
of the correct 'ConfigurationChangeEvent' (uppercase C), causing TS2724
compilation errors across all CI checks. Also fixes prettier formatting
issues introduced in the same commit.
fix(threatcomposer): fix ConfigurationChangeEvent type casing
feat(sagemaker): Added the validation for refresh url and updated the uri handler
build(amazonq): merge release candidate version rc-20260701
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.