All notable changes to the Fullstack AgentCore Solution Template (FAST) will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- AgentCore Policy Integration — Full user identity propagation from frontend JWT through M2M tokens to Cedar policy evaluation at AgentCore Gateway
- Cedar Policy Engine and lifecycle management via Custom Resource Lambda (
infra-cdk/lambdas/cedar-policy/) - Cognito V3 Pre-Token Generation Lambda for injecting custom claims into M2M tokens (
infra-cdk/lambdas/pretoken-v3/) - Cedar policy file with custom claim-based access control — two versions for allow/deny testing (
gateway/policies/policy.cedar) - Cognito ESSENTIALS tier for V3 Pre-Token Lambda trigger support
- Direct Cognito
/oauth2/tokencall withaws_client_metadatafor user identity propagation across all 6 agent patterns - Alternative
@requires_access_tokendecorator approach documented and commented out in each pattern'stools/gateway.py - Long-Term Memory — Configurable long-term semantic memory for Strands-based agents via
use_long_term_memoryinconfig.yaml - LTM
top_kandrelevance_scoreparameters exposed in config - Context Management Guide (
docs/CONTEXT_MANAGEMENT.md) — Sliding window, summarization, LangGraph middleware, and custom hook-based approaches - Session Management Guide (
docs/SESSION_MANAGEMENT.md) — Three patterns: AgentCore Memory only, Memory + DynamoDB, and S3SessionManager - Identity propagation and Cedar policy documentation (
docs/IDENTITY_POLICY.md) - Cedar policy syntax, capabilities, and reference documentation (
docs/CEDAR_POLICY_GUIDE.md) - Identity provider swap and Gateway interceptors guide (
docs/REPLACING_COGNITO.md) ListGatewayTargetsIAM permission for Cedar Policy Lambda to support policy creation validationCheckAuthorizePermissionson Gateway Role for Policy Engine attachment- CodeBuild deployment documentation for CloudFormation teardown
- Updated architecture diagram with latest logos (
docs/architecture-diagram/FAST-architecture-20260403.png)
- All 6 agent patterns updated to pass
user_idto Gateway client for identity-aware M2M tokens - Pre-Token Lambda rewritten to use
USER_ROLE_MAPdictionary keyed by Cognitosub(UUID) instead of email-based if/else logic - AG-UI Strands agent refactored to build agent directly in entrypoint with optional Memory support
- AG-UI LangGraph agent simplified entrypoint
- Documentation updated to use UUID placeholders instead of email addresses (
docs/IDENTITY_POLICY.md,docs/CEDAR_POLICY_GUIDE.md,docs/REPLACING_COGNITO.md) - NAT Gateway documentation updated in
docs/DEPLOYMENT.mdfor VPC mode with identity propagation - CodeBuild deploy script updated to package tracked files only with ephemeral resources
- Consolidated
.prettierrcto top-level - Root
README.mdarchitecture flow and project structure updated
- AG-UI Strands agent session memory recall restored with durable AgentCore Memory
- Cedar policy never matching due to email-based substring matching against UUID identifiers
- Cedar policy name shortened to stay within 48-character API limit
- ZIP packager: permissive pattern directory reader with recursive subdirectory support
- ZIP packager: added
patterns/utils/to deployment package - ZIP packager: renamed repo-root
tools/toagentcore_tools/to avoid conflict with pattern'stools/directory - ZIP packager: dynamic entry point detection instead of hardcoded
basic_agent.py - Cognito domain creation ordering to resolve "Internal error from downstream service" with newer CDK versions
langgraph>=1.1.5version bump to fixServerInfoimport errorcopilotkit>=0.1.84version bump to fix compatibility with newer langgraph- Added placeholder graph in
ActorAwareLangGraphAgent.__init__for newer copilotkit validation - Frontend: reset UUID when a new chat is initiated
- CodeBuild deploy script removed git dependency
- Bumped
honofrom 4.12.14 to 4.12.23 in frontend - Bumped
react-routerandreact-router-domin frontend - Bumped
vitestfrom 4.0.18 to 4.1.0 in frontend - Bumped
js-cookiefrom 3.0.5 to 3.0.7 in frontend - Bumped
qsfrom 6.14.2 to 6.15.2 in frontend - Bumped
postcssfrom 8.5.6 to 8.5.14 in frontend - Bumped
fast-urifrom 3.1.0 to 3.1.2 in frontend - Bumped
fast-xml-parserand@aws-sdk/xml-builderin frontend - Bumped
lodashfrom 4.17.23 to 4.18.1 in frontend - Bumped
ip-addressandexpress-rate-limitin frontend - Bumped
yamlfrom 2.8.2 to 2.8.3 in infra-cdk - Bumped
picomatchin frontend and infra-cdk
- AG-UI agent patterns for both Strands and LangGraph (
patterns/agui-strands-agent/,patterns/agui-langgraph-agent/) with tool support (Gateway, Code Interpreter) - AG-UI streaming parser in frontend (
frontend/src/lib/agentcore-client/parsers/agui.ts) - AG-UI integration documentation (
docs/AGUI_INTEGRATION.md) - AgentCore Evaluations integration guide (
docs/AGENTCORE_EVALUATIONS_GUIDE.md) - X-Ray VPC endpoint to private VPC deployment documentation
- Restructured existing Strands and LangGraph agent patterns with modular
tools/directories for Gateway and Code Interpreter - Simplified
basic_agent.pyandlanggraph_agent.pyby extracting tool definitions into separate modules - Updated OpenTelemetry distro version across all agent pattern Dockerfiles
- API Gateway cache encryption at rest enabled in both CDK and Terraform
- ASH PR comment artifact consolidation and dependabot auto-merge workflow trigger
- Security scanner false positive suppressions (nosemgrep/nosec) for CDK path operations, JWT decode, and zip-packager urlopen
- Added USER directive to
Dockerfile.frontend.dev(CKV_DOCKER_3)
- Updated
tj-actions/changed-filesto v47.0.5 (CVE fix for GHSA-mrrh-fwg8-r2c3 and GHSA-mcph-m25j-8j63) - Bumped
fast-xml-parserand@aws-sdk/xml-builderin frontend - Bumped
flattedfrom 3.3.3 to 3.4.2 in frontend - Bumped
langgraphin patterns/langgraph-single-agent
- Claude Agent SDK agent pattern (
patterns/claude-agent-sdk/) with single-agent and multi-agent variants - AgentCore client library (
frontend/src/lib/agentcore-client/) with SSE streaming and parsers for Strands, LangGraph, and Bedrock Converse agents - Inline tool call rendering with message segments approach in the frontend
- Markdown rendering with syntax highlighting and copy button for chat messages
- Tool renderer registry and default
ToolCallDisplaycomponent for extensible tool output rendering - Streaming documentation update (
docs/STREAMING.md) with new parser architecture and event flow - Local Docker testing for AgentCore with Docker Compose support (
docker/) - GitHub repo-stats workflow for daily traffic tracking
- ASH (Automated Security Helper) scan workflows for PR and full repository scanning
- Dependabot auto-merge and PR labeler GitHub Actions workflows
- JS/TS and Python linting workflows for pull requests
- Prettier configuration and formatting for frontend source files
- Prettier added to Makefile lint pipeline and frontend dev dependencies
- READMEs for strands, langgraph, and claude-agent-sdk agent patterns
- Permission boundary for CodeBuild temporary IAM role
- VPC deployment mode (
network_mode: VPC) for deploying AgentCore Runtime into an existing user-provided VPC for private network isolation - VPC configuration in
config.yamlwithvpc_id,subnet_ids, and optionalsecurity_group_ids - VPC configuration validation in
ConfigManagerfor required fields when VPC mode is enabled buildNetworkConfiguration()method in backend stack to import existing VPC, subnets, and security groups- VPC deployment documentation in
docs/DEPLOYMENT.mdincluding required VPC endpoints, subnet requirements, and traffic flow explanation - CodeBuild-based deployment script (
scripts/deploy-with-codebuild.py) that enables deploying FAST without requiring Docker - [Terraform] Full Terraform infrastructure alternative to CDK (
infra-terraform/) with modules for Amplify Hosting, Cognito, and Backend (Runtime, Gateway, Memory, Feedback API, SSM) - [Terraform] Support for both Docker and Zip deployment types via
deployment_typevariable - [Terraform] OAuth2 Credential Provider support
- [Terraform] VPC deployment mode with input/output parity to CDK
- [Terraform] Dedicated scripts for frontend deployment (
deploy-frontend.py,deploy-frontend.sh), Docker image build (build-and-push-image.sh), and agent testing (test-agent.py) - [Terraform] S3 backend configuration example (
backend.tf.example) for remote state management - [Terraform] Version bump playbook (
TF_VERSION_BUMP_PLAYBOOK.md) with independent versioning scheme - OAuth2 Credential Provider Lambda handler (
infra-cdk/lambdas/oauth2-provider/index.py) for lifecycle management with Create, Update, and Delete support - AgentCore Identity OAuth2 integration via
@requires_access_tokendecorator in agent patterns - Token refresh helpers (
_fetch_gateway_token) in both Strands and LangGraph agents for fresh token retrieval - Decorator comment explaining OAuth2 Credential Provider and Token Vault caching behavior
- Runtime environment variable
GATEWAY_CREDENTIAL_PROVIDER_NAMEfor OAuth2 provider lookup - OAuth2 Credential Provider and Token Vault IAM permissions to agent runtime role
- Scoped Secrets Manager IAM permissions to agent runtime role for OAuth2 secrets
docs/RUNTIME_GATEWAY_AUTH.md- Comprehensive documentation of the M2M authentication workflow between AgentCore Runtime and Gateway, covering both deployment (OAuth2 provider registration) and runtime (token retrieval and validation) phases- Updated architecture diagram (
docs/architecture-diagram/FAST-architecture-20260302.png) illustrating OAuth2 M2M authentication flow with Token Vault and OAuth2 Credential Provider
- Removed
userIdfrom client invocation — user identity now extracted server-side from JWT to prevent impersonation via prompt injection - Split claude-agent-sdk into single-agent and multi-agent pattern variants
- Frontend switched from
access_tokentoid_tokenfor AgentCore authentication (access_tokenlacks requiredaudclaim) - Removed old JS service files, replaced by new
agentcore-clientlibrary - Migrated Gateway authentication to AgentCore SDK
@requires_access_tokendecorator - Simplified agent code in
patterns/strands-single-agent/basic_agent.pyandpatterns/langgraph-single-agent/langgraph_agent.py - Use
cr.Providerpattern for OAuth2 provider to avoid IAM propagation delays - Implemented scoped IAM permissions for OAuth2 provider, Token Vault, and Secrets Manager
- Updated OAuth2 Custom Resource to pass secret ARN for enhanced security (secret retrieved at Lambda runtime)
- Modified agent token handling to fetch fresh tokens on reconnection (Strands) and per-request (LangGraph)
- Moved Secrets Manager permissions from base
AgentCoreRoleutility class to backend-stack.ts for better separation of concerns - Updated
README.mdto reference new architecture diagram and clarify OAuth2 M2M authentication flow descriptions - Updated
test-scripts/README.mdto remove Docker container testing documentation - Updated contributing docs to use
mainbranch instead ofdevelop
- Docker container testing script (
test-scripts/test-agent-docker.py) - Docker testing documentation (
docs/LOCAL_DOCKER_TESTING.md) - Manual OAuth2 functions from
patterns/utils/auth.py(get_gateway_access_token(),get_secret()) - Manual token fetching logic from agent code
- Direct Secrets Manager access from agents
- Wildcard Secrets Manager IAM permissions from base
AgentCoreRoleutility class - Old JS service files (replaced by
agentcore-clientlibrary)
- LangGraph plain string content handling in
AIMessageChunk - Test-agent
user_idbug, added streaming parser and dynamic tool name lookup to test scripts - Frontend build issues: unused
sessionIdparam and excluded test directory fromtsc - Repo-stats workflow failing on forks
- Real VPC/subnet IDs replaced with placeholders in
config.yaml - Backend agent entrypoints
- Docker Compose v2 syntax and outdated
userIdreferences in docs - JWT auth compatibility, Vite host binding, and credential docs
- Stale token errors in agents by implementing fresh token retrieval on MCP Gateway reconnection (Strands) and per-request (LangGraph)
- IAM permission scoping to prevent overly broad wildcard access
- Removed
iam:PutRolePolicyfrom CodeBuild permission boundary, addedcdk bootstrap, fixed region detection - Resolved all ESLint warnings in frontend
- CI: pinned
tj-actions/changed-filesto SHA and bumped Node to 20
- Enhanced security by delegating OAuth2 token management to AgentCore Identity service
- Improved token lifecycle management with automatic refresh and error handling via Token Vault
- Bumped
honofrom 4.11.9 to 4.12.7 in frontend - Bumped
@hono/node-serverin frontend - Bumped
rollupfrom 4.56.0 to 4.59.0 in frontend - Bumped
minimatchin frontend andaws-cdk-libin infra-cdk - Bumped
fast-xml-parserand@aws-sdk/xml-builderin frontend and infra-cdk - Bumped
qsfrom 6.14.1 to 6.14.2 in frontend - Bumped
langgraphin patterns/langgraph-single-agent - Bumped
@aws-sdk/client-bedrock-agentcorein infra-cdk
- Vite as build tool with optimized development server and production builds
- React Router (react-router-dom v6) for client-side routing
- Frontend test suite with unit tests and property-based tests using Vitest
- New application entry points:
main.tsx,App.tsx, and route components - Vite configuration with code splitting and optimized chunk strategy
- TypeScript configuration optimized for Vite bundler
- Environment variable type definitions for Vite (
vite-env.d.ts) - Minimal IAM policy for CDK deployment
- Migrated frontend from Next.js 16 (App Router) to Vite + React + React Router stack
- Replaced Next.js build system with Vite for faster builds and simpler configuration
- Updated environment variable prefix from
NEXT_PUBLIC_*toVITE_* - Migrated environment variable access from
process.envtoimport.meta.env - Restructured application entry points from Next.js layout/page pattern to explicit React rendering
- Moved global styles from
app/globals.csstosrc/styles/globals.css - Updated npm scripts:
devnow runs Vite,buildruns TypeScript check + Vite build - Updated ESLint configuration to remove Next.js-specific rules
- Updated frontend README with Vite-specific instructions and development workflow
- Bumped
vitefrom 5.4.21 to 7.3.1 - Bumped
fast-xml-parserandaws-amplifyin frontend - Bumped
@modelcontextprotocol/sdkfrom 1.25.1 to 1.26.0 - Bumped
honofrom 4.11.3 to 4.11.7 - Bumped
lodashfrom 4.17.21 to 4.17.23 - Bumped
@smithy/config-resolverandaws-amplifyin frontend
- Next.js framework and dependencies (
next,eslint-config-next) - Next.js configuration file (
next.config.ts) - Next.js App Router file structure (
app/layout.tsx,app/page.tsx) - Next.js-specific build artifacts and references
- Open source release
- Zip deployment type for AgentCore runtime
- MkDocs documentation system with automated builds
- Enhanced CI/CD security scanning configuration
- Updated LangGraph version to address security vulnerability
- Upgraded to Cognito's new managed login UI
- Improved documentation structure and navigation
- Updated frontend dependencies to latest versions
- CloudWatch Logs permissions for AgentCore runtime
- Security scan execution to run on all branches
- Documentation links and structure issues
- CI/CD pipeline configuration for proper security scanning
- Updated GitLab references to GitHub for open source release
- Updated internal AWS references to generic paths
- Upgraded Python version requirement from 3.8 to 3.11
- Replaced bash frontend deployment script with cross-platform Python script
- Improved deployment documentation with clearer prerequisites
- API Gateway CloudWatch logs role creation issue
- Enhanced error handling in frontend deployment script
- Added explicit AWS credentials validation before deployment
- CONTRIBUTORS.md file listing project contributors
- Docker runtime requirement clarification in deployment docs
- Renamed project from "GenAIID AgentCore Starter Pack (GASP)" to "Fullstack AgentCore Solution Template (FAST)"
- Updated all documentation, code comments, and configuration files to use new naming
- Updated repository URLs and package names to reflect new branding
- Improved configuration management to require explicit config.yaml file
- Fixed Cognito domain prefix to use lowercase for compatibility
- Removed hardcoded default values in configuration manager
- AgentCore Code Interpreter direct integration with comprehensive documentation
- Reusable Code Interpreter tools for cross-pattern compatibility
- Updated architecture diagrams to include Code Interpreter integration
- Restructured Code Interpreter implementation for better reusability across agent patterns
- Streamlined documentation and updated README for improved clarity
- Removed unused description parameter from execute_python function
- CRITICAL: Updated React to 19.2.1 and Next.js to 16.0.7 to address CVE-2025-55182 (CVSS 10.0)
- Fixed React Server Components remote code execution vulnerability
- AgentCore Code Interpreter deployment issues
- Linting issues in Code Interpreter files
- Various code review feedback items
- Comprehensive security enhancements for backend infrastructure
- SSL/TLS enforcement for S3 staging bucket requests
- S3 access logging for staging bucket
- Comprehensive CloudWatch logging for API Gateway
- Error handling for Secrets Manager operations in test scripts
- Migrated from custom resource to CDK L1 constructs for Gateway
- Switched machine client secret storage from SSM to Secrets Manager
- Improved Dockerfile healthcheck and build caching
- Restricted Secrets Manager IAM permissions to specific secrets
- Typo fix in top level FAST stack description
- Updated version references from 0.0.1 to 0.1.0 in infra-cdk/package.json
- Removed unused imports
- Enhanced error handling for Secrets Manager operations
- Implemented comprehensive security controls across infrastructure
- Added proper access logging and monitoring
- Initial release of Fullstack AgentCore Solution Template
- Full-stack React frontend with Next.js, TypeScript, and Tailwind CSS
- AgentCore backend integration with multiple agent providers
- AWS Cognito authentication with JWT support
- CDK infrastructure deployment
- Strands and LangGraph agent pattern support
- Gateway integration with tool support
- Memory integration capabilities
- Streaming support
- Comprehensive documentation and deployment guides