Skip to content

Atmosphere 4.0.49

Choose a tag to compare

@github-actions github-actions released this 28 May 23:06
Immutable release. Only release title and notes can be modified.

Added

  • atmosphere-crewaiAgentRuntime for the
    CrewAI multi-agent framework via an
    out-of-process Python sidecar. First non-Java runtime adapter in the
    project; the boundary is HTTP + SSE for the request stream plus a
    loopback ToolCallbackServer for Java→Python tool RPC. Pins 9
    capabilities (TEXT_STREAMING, TOKEN_USAGE, AGENT_ORCHESTRATION,
    CANCELLATION, TOOL_CALLING, SYSTEM_PROMPT,
    STRUCTURED_OUTPUT, TOOL_APPROVAL, PER_REQUEST_RETRY) via
    CrewAiRuntimeContractTest + the capability snapshot (which now
    enumerates 12 runtimes). Like every other runtime, isAvailable()
    is config-gated — requires ATMOSPHERE_CREWAI_SIDECAR_URL pointing
    at a running sidecar that responds OK to GET /health.

  • modules/crewai/sidecar/ — companion Python package
    atmosphere-crewai-bridge (FastAPI + uvicorn + crewai 1.14)
    speaking the documented wire protocol. Materialises Java
    ToolDefinitions as crewai.tools.BaseTool subclasses via
    pydantic.create_model, injects them into agents, and threads
    context.systemPrompt() into each agent's backstory inside a
    delimited block. Ships with a working examples/ollama_crew.py
    factory that targets qwen2.5:0.5b (no API key required).

  • CLI runtime overlay (cli/runtime-overlays.json) for crewai, so
    atmosphere new my-app --template ai-chat --runtime crewai
    scaffolds with the dependency wired and the sidecar setup
    documented inline.

  • End-to-end validation captured at
    .harness/crewai-e2e-success.png: chrome-devtools drove
    /atmosphere/console/ against a real Ollama-backed crew; the
    browser rendered 25 tokens at 46.8 tok/s through the full chain
    WebSocket → @AiEndpoint(runtime=crewai) → HttpSseSidecarClient → atmosphere-crewai-bridge → crewai 1.14 → litellm → Ollama. Console
    zero errors, sidecar log confirms POST /v1/chat/completions HTTP/1.1 200 OK against the local Ollama instance.

  • modules/coordinator/journalevent-sourced execution log for
    the coordinator. Layers four additive pieces onto the existing
    CoordinationJournal SPI without breaking any of the 94 existing
    new CoordinationEvent.* call sites across coordinator / admin /
    checkpoint / integration-tests / samples:

    1. EventEnvelope(eventId, parentEventId, event) + default-method
      recordEnveloped / retrieveEnveloped on CoordinationJournal.
      JournalingAgentFleet threads parent IDs through every dispatch
      path (parallel / pipeline / route / proxy.call /
      callAsync / stream): CoordinationStartedAgentDispatched
      AgentCompleted/AgentFailedAgentEvaluated. Legacy
      record(event) callers continue working — events are wrapped as
      root envelopes with no parent.
    2. CoordinationProjection.from(journal, coordinationId) — pure
      read-only causal DAG built from retrieveEnveloped. Exposes
      roots(), children(eventId), walk(visitor), agents(),
      failedDispatches(), evaluations(). No execution, no LLM, no
      side effects.
    3. FileCoordinationJournal(Path) — append-only NDJSON file backend,
      one JSON object per line. Replays on start() into an in-memory
      index for queries; tolerates a truncated final line from a JVM
      kill mid-append (logs and skips). Single-writer locked appends;
      polymorphic ser/deser of the sealed CoordinationEvent hierarchy
      via a Jackson 3 mix-in so the event records stay annotation-free.
    4. CoordinationFork + new ForkCreated event variant — what-if
      branching primitive. fork.from(coordId, eventId).reason(...).with(altCall).execute(fleet)
      creates a new coordination id (or accepts an explicit one),
      records a ForkCreated envelope linking back to the parent event,
      and runs the alternate dispatch via
      JournalingAgentFleet.withCoordinationId(...). The parent
      coordination is immutable; the fork is a peer with its own future.
      Pre-flight check rejects unknown parentEventId with a fast
      IllegalArgumentException.

    Backed by 38 tests in modules/coordinator/src/test/java/.../journal/
    including a three-process integration test that runs a parallel
    coordination, restart-replays from disk, projects the DAG, forks an
    alternate, restart-replays again, and verifies both the original and
    the forked branch survive across two simulated JVM kills.
    modules/coordinator/README.md documents the new surface.

  • Cohere TOOL_CALL_DELTA streaming capability (3327425d50).
    CohereChatClient.handleToolCallDelta surfaces incremental tool-call
    argument fragments as they arrive, and CohereAgentRuntime
    (line 269) now declares TOOL_CALL_DELTA. The same honesty pass
    removed PROMPT_CACHING from Cohere — the v2 API exposes no
    prompt-cache control, so advertising it was Runtime-Truth drift; the
    capability snapshot was re-pinned accordingly.

  • Quarkus extension integration parity: five optional surfaces, each
    gated on classpath presence and covered by a dedicated build-step
    test (3327425d50). AtmosphereProcessor registers Cache, Health
    (HealthBuildItem), Micrometer metrics
    (AtmosphereMetricsProducer), OpenTelemetry tracing
    (AtmosphereTracingProducer), and governance metrics
    (AtmosphereGovernanceMetricsProducer) producers — see
    AtmosphereProcessor.java:432-510 and the
    Atmosphere{Cache,Health,Metrics,Tracing,GovernanceMetrics}BuildStepTest
    suite.

  • modules/quarkus-grpc — Quarkus gRPC bridge extension (runtime +
    deployment submodules) (3327425d50).

  • scripts/validate-no-beta-on-main.sh — push-time gate enforcing the
    release-frequency rule: pre-GA escape-hatch framing (beta annotations,
    hourglass deferral markers, phased planning labels, or roadmap-deferral
    prose) introduced relative to origin/main fails the build, so main
    stays release-ready (3327425d50).

Changed

  • Bumped JetBrains Koog 0.8.0 → 1.0.0 (4685a844bb, root pom
    koog.version) — Koog's first GA. The adapter configures via
    Koog 1.0's stable OpenAILLMClient / MultiLLMPromptExecutor
    (AtmosphereKoogAutoConfiguration.kt); the full Koog capability set
    (VISION, AUDIO, MULTI_MODAL, PROMPT_CACHING, TOOL_CALLING,
    TOOL_APPROVAL, …) is unchanged and re-pinned by
    KoogRuntimeContractTest + the capability snapshot.
  • Bumped langchain4j.version 1.14.0 → 1.15.0 (abd774f68d),
    logback-version 1.5.25 → 1.5.32 (58f2e6d373), and
    commons-lang3 3.18.0 → 3.20.0 (8dea5788ac).

Fixed

  • HttpSseSidecarClient now pins HttpClient.Version.HTTP_1_1. The
    JDK's java.net.http.HttpClient defaults to HTTP/2 for plain HTTP
    and attempts an Upgrade: h2c negotiation; uvicorn (the FastAPI
    host for the CrewAI sidecar) does not implement the h2c upgrade and
    the resulting request lands with an empty body, which FastAPI
    rejects as 422 Field required, loc=["body"], input=null. The
    bridge-test FakeSidecar (a
    com.sun.net.httpserver.HttpServer) tolerated the upgrade preamble
    and parsed the body anyway, so the bug only surfaced under real
    uvicorn — exactly the gap feedback_chrome_devtools_only.md warns
    about. Added a regression test
    (CrewAiAgentRuntimeBridgeTest.httpClient_pinnedToHttp11) that
    reflects into the client and asserts the version, so a future "just
    use the default HttpClient" refactor breaks the build before it
    breaks production. Drift recorded as .harness/drift-log.md #64.
  • Koog runtime reaches Gemini via Google's OpenAI-compatible base
    URL
    (87aa2cc824). Koog 1.0's native Google client ships only on a
    JVM-incompatible path, so AtmosphereKoogAutoConfiguration points the
    stable OpenAILLMClient at any OpenAI-compatible endpoint when
    atmosphere.koog.base-url / LLM_BASE_URL is set (e.g.
    https://generativelanguage.googleapis.com/v1beta/openai for
    gemini-2.5-flash). Regression-gated by
    AtmosphereKoogAutoConfigurationTest. Drift recorded as
    .harness/drift-log.md #77 — the 0.8.0 → 1.0.0 bump had been
    reported done on CI alone, which hid the dropped-Gemini regression.
  • Spring Boot JDK 26 long-term-memory disconnect hang resolved via
    an idle-reaper fallback (b2e9e09e71).
    LongTermMemoryHttpE2eTest's disconnect path intermittently hung on
    the JDK 26 lane because the WebSocket-close → onDisconnect lifecycle
    could be dropped under fork contention; an
    IdleResourceInterceptor-based reaper (platform-thread scheduler,
    maxInactiveActivity=5000) now fires the disconnect lifecycle
    independently, so suspended resources are reaped and facts persisted
    even when the close frame is lost. Drift recorded as
    .harness/drift-log.md #78#79 — an earlier 60s → 120s await bump was
    ineffective (a timeout cannot fix a hang).

Security

  • Bumped tomcat-embed-core 11.0.21 → 11.0.22 (root pom
    tomcat-version property) to close 7 Dependabot advisories — 3
    critical (security-constraint bypass GHSA-5m62-pw8w-7w9f,
    digest-auth bypass GHSA-h6fc-48rj-7qqh, HTTP/2 header validation
    GHSA-r29c-68gh-xp6x), 3 high (LockOutRealm case-sensitivity
    GHSA-5mp6-jrq3-r938, WebSocket auth-header exposure
    GHSA-fv25-8xcx-gqjc, WebDAV LOCK/PROPFIND unbounded read
    GHSA-gx5v-xp9w-j4cg), and 1 low (AJP secret non-constant-time
    compare GHSA-9m89-8frq-c98c). The pin stays scoped to
    tomcat-embed-core; tomcat-embed-el and tomcat-embed-websocket
    continue to follow each Spring Boot BOM (3.5.x keeps the 10.1.x
    line, 4.0.x stays on 11.0.x).
  • Bumped protobufjs 7.5.6 → 7.5.8 in
    modules/integration-tests/package.json + lockfile to close
    GHSA-jggg-4jg4-v7c6.
  • Dismissed 3 remaining open Dependabot alerts that have no in-tree
    fix path. Two org.json:json alerts (GHSA-3vqj-43w4-2q58,
    GHSA-4jq9-2xhw-jpx7) cited modules/runtime/pom.xml — a manifest
    that no longer exists; org.json:json was removed reactor-wide in
    commit 4f40968d4d (4.0.42-SNAPSHOT, "drop org.json:json — Jackson
    3 only"). Dismissed as not_used. One opentelemetry-api alert
    (GHSA-rcgg-9c38-7xpx / CVE-2026-45292, medium DoS via unbounded
    W3C Baggage Propagation) is blocked upstream: Quarkus 3.35.x and
    3.36.0 both ship OTel 1.60.1, and the samples/quarkus-ai-chat
    pin must follow the BOM to keep quarkus-micrometer-registry-prometheus
    working. Dismissed as tolerable_risk (sample, baggage propagation
    not enabled, Vert.x enforces the 8 KiB header limit recommended in
    the advisory). Re-evaluate when Quarkus's BOM picks up OTel 1.62+.