Merge master into feature/model-selection#8729
Open
aws-toolkit-automation wants to merge 286 commits into
Open
Merge master into feature/model-selection#8729aws-toolkit-automation wants to merge 286 commits into
aws-toolkit-automation wants to merge 286 commits into
Conversation
…allback LSP (#8591) ## Problem When users behind corporate proxies/firewalls can't download the LSP from CDN, the extension falls back to a bundled LSP. The bundled LSP currently excludes the entire indexing/ folder (~200MB), which means @file, @folder, and @code context commands don't work for these users. ## Solution Instead of deleting the entire `indexing` folder during bundling, selectively strip only the heavy platform-specific files that aren't needed for context commands: - dist/bin/ — ONNX native binaries (25MB) - dist/build/ — faiss native binaries (11MB) - models/ — CodeSage ONNX model (124MB) This keeps extension.js, lspServer.js, tree-sitter WASMs (~30MB uncompressed, ~3MB compressed in VSIX), which is everything needed for @file, @folder, @code, and BM25 cross-file context. VSIX size impact: +3MB (19MB → 22MB) Depends on aws/language-servers#2629: (CDN must have the updated indexing library)
…o for reconnection (#8641)" (#8646) This reverts commit f3a9935. ## Problem ## Solution --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). - License: I confirm that my contribution is made under the terms of the Apache 2.0 license.
## Problem - The HyperPod reconnection system (HyperpodReconnectionManager, HyperpodConnectionMonitor, getHyperpodSession route) added complexity and reliability issues that blocked a stable Cursor release. Additionally, when a SageMaker space is disconnected/stopped, Cursor's remote-SSH extension retries the connection indefinitely — each failed attempt opens a browser error page, resulting in a flood of popup windows. ## Solution - Removed the HyperPod reconnection layer (HyperpodReconnectionManager, HyperpodConnectionMonitor, getHyperpodSession route) in favor of using the existing SageMaker connection flow with presigned URLs - Refactored prepareDevEnvConnection to use an options object instead of 15+ positional parameters - Consolidated duplicated code: parseArn, WriteQueue, removeKnownHost, SSH hostname sanitization - Added Cursor IDE detection (getIdeType) and IDE-specific SSH prefix (smc_) - Added server-side retry cap (max 8 attempts) on the /get_session route to suppress browser popup storms during Cursor's unlimited SSH reconnection retries - Generalized the macOS IDE process detection pattern to support future VS Code forks without code changes ## Testing - Local testing with vsix on both VS Code and Cursor - Verified side panel (lc) and deeplink (dl) connection paths - Confirmed retry cap suppresses popups after 8 attempts while allowing recovery on successful reconnection - Tested on macOS and Win11 --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). - License: I confirm that my contribution is made under the terms of the Apache 2.0 license. --------- Co-authored-by: Laxman Reddy <141967714+laileni-aws@users.noreply.github.com>
## Problem - detected issue in smus deeplink where it would get stuck in "opening" the remote window and eventually crash after timeout - deeplink URL lacked a URL encoding which allowed query param cell-number (base64-encoded SSM session token) to convert from spec char '+' to spaces when re-appended to web socket url. this caused mismatch > corrupted token ## Solution - wrap cell-number with encodeURIComponent() which will keep spec char as is after re-appending ## Testing - Locally tested with vsix - Confirmed with SMUS --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). - License: I confirm that my contribution is made under the terms of the Apache 2.0 license.
…o from skipped Cursor IDE commit
…etIdeInfo from skipped Cursor IDE commit" This reverts commit 5cf95ee.
…nges/next-release, scripts, .gitignore)
…azonq wording change
…ideProcessPatterns export
fix(toolkit): Merge from main
build(toolkits): merge release candidate version rc-20260611
…eeplink metric - Record awsAccount/awsRegion on all sagemaker_* telemetry spans (openRemoteConnection, stopSpace, filterSpaces, deeplinkConnect) - Separate HyperPod deeplink into its own hyperpod_deeplinkConnect metric so it doesn't pollute Jorus dashboard data - Skip default awsAccount injection when already set by span.record()
…8809) A fresh AWS Toolkit install showed a notification suggesting to install Amazon Q ("Try Amazon Q, a generative AI assistant, with chat and code suggestions."). Per the Amazon Q Developer end-of-support announcement (new signups end 2026-05-15, end of support 2027-04-30), remove the prompt. Removes handleAmazonQInstall() and its call site in activate(), plus the now-unused ExtStartUpSources, VSCODE_EXTENSION_ID, and isExtensionInstalled imports. The Amazon Q explorer tree nodes are intentionally left unchanged (separate UI surface, out of scope for this issue).
…n-q-install-prompt fix(amazonq): remove "Try Amazon Q" install prompt from AWS Toolkit (#8809)
Problem: The getAsTable() function renders Redshift query results (column names, cell values, and connection params) directly into HTML without encoding. An attacker with INSERT privileges on a shared Redshift table can inject JavaScript that executes when another user queries the table from a Redshift SQL Notebook (CWE-79, stored XSS to RCE). Solution: - Strengthen the shared encodeHTML() utility in textUtilities.ts to also encode &, ", and ' (previously only < and >). - Use encodeHTML() in getAsTable() for all dynamic values interpolated into the HTML output.
fix(redshift): sanitize HTML in notebook query results
…nput, which could lead to unintentional path traversal outside the expected directory
fix: Audit codebase and fix uses of path.join with unsanitized user input
ci: fix Windows build by upgrading node-gyp for Visual Studio 2026
Add changelog entry for path traversal validation fix
…try-account-id fix(sagemaker): update metrics for Jorus dashboard
build(amazonq): merge release candidate version rc-20260624
## Problem Users are unable to utilise a customised self-hosted ide-specific threat composer deployment within vs-code unless within a private network with customised dns resolution, due to the hardcoded URL for the ide-threat-composer editor resources. Benefit of leveraging a self-hosted deployment of threat composer is users can include customised threat/mitigation packs - outlined [here](https://github.com/awslabs/threat-composer/blob/main/docs/WEB-APP.md#customising-reference-data-in-your-build). ## Solution Added a configurable VS-Code setting `aws.threatComposer.cdn` that allows users to override the default `cdn` value 'https://ide-toolkits.threat-composer.aws.dev'. ## Testing Change is minimal: 2 files changed ## Caveats Does require the users self-hosted version to update the content security policy in their deployment of the ide variant of [threat-composesr](https://github.com/awslabs/threat-composer) but that seems a reasonable expectation. ```bash sed -i -e `s|https://ide-toolkits.threat-composer.aws.dev|<cdn>/|g` ./threat-composer/packages/threat-composer/public/index.html sed -i -e `s|data:|data: <cdn>/|g` ./threat-composer/packages/threat-composer/public/index.html ``` --- - Treat all work as PUBLIC. Private `feature/x` branches will not be squash-merged at release time. - Your code changes must meet the guidelines in [CONTRIBUTING.md](https://github.com/aws/aws-toolkit-vscode/blob/master/CONTRIBUTING.md#guidelines). - License: I confirm that my contribution is made under the terms of the Apache 2.0 license.
The type annotation used 'configurationChangeEvent' (lowercase c) instead of the correct 'ConfigurationChangeEvent' (uppercase C), causing TS2724 compilation errors across all CI checks. Also fixes prettier formatting issues introduced in the same commit.
fix(threatcomposer): fix ConfigurationChangeEvent type casing
feat(sagemaker): Added the validation for refresh url and updated the uri handler
build(amazonq): merge release candidate version rc-20260701
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Automatic merge failed
Command line hint
To perform the merge from the command line, you could do something like the following (where "origin" is the name of the remote in your local git repo):