All notable changes to the Fullstack AgentCore Solution Template (FAST) will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Updated architecture diagram with latest logos (`docs/architecture-diagram/FAST-architecture-20260403.png`)
- AG-UI agent patterns for both Strands and LangGraph (`patterns/agui-strands-agent/`, `patterns/agui-langgraph-agent/`) with tool support (Gateway, Code Interpreter)
- AG-UI streaming parser in frontend (`frontend/src/lib/agentcore-client/parsers/agui.ts`)
- AG-UI integration documentation (`docs/AGUI_INTEGRATION.md`)
- AgentCore Evaluations integration guide (`docs/AGENTCORE_EVALUATIONS_GUIDE.md`)
- X-Ray VPC endpoint to private VPC deployment documentation
- Restructured existing Strands and LangGraph agent patterns with modular `tools/` directories for Gateway and Code Interpreter
- Simplified `basic_agent.py` and `langgraph_agent.py` by extracting tool definitions into separate modules
- Updated OpenTelemetry distro version across all agent pattern Dockerfiles
- API Gateway cache encryption at rest enabled in both CDK and Terraform
- ASH PR comment artifact consolidation and dependabot auto-merge workflow trigger
- Security scanner false positive suppressions (nosemgrep/nosec) for CDK path operations, JWT decode, and zip-packager urlopen
- Added USER directive to `Dockerfile.frontend.dev` (CKV_DOCKER_3)
- Updated `tj-actions/changed-files` to v47.0.5 (CVE fix for GHSA-mrrh-fwg8-r2c3 and GHSA-mcph-m25j-8j63)
- Bumped `fast-xml-parser` and `@aws-sdk/xml-builder` in frontend
- Bumped `flatted` from 3.3.3 to 3.4.2 in frontend
- Bumped `langgraph` in patterns/langgraph-single-agent
- Claude Agent SDK agent pattern (`patterns/claude-agent-sdk/`) with single-agent and multi-agent variants
- AgentCore client library (`frontend/src/lib/agentcore-client/`) with SSE streaming and parsers for Strands, LangGraph, and Bedrock Converse agents
- Inline tool call rendering with message segments approach in the frontend
- Markdown rendering with syntax highlighting and copy button for chat messages
- Tool renderer registry and default `ToolCallDisplay` component for extensible tool output rendering
- Streaming documentation update (`docs/STREAMING.md`) with new parser architecture and event flow
- Local Docker testing for AgentCore with Docker Compose support (`docker/`)
- GitHub repo-stats workflow for daily traffic tracking
- ASH (Automated Security Helper) scan workflows for PR and full repository scanning
- Dependabot auto-merge and PR labeler GitHub Actions workflows
- JS/TS and Python linting workflows for pull requests
- Prettier configuration and formatting for frontend source files
- Prettier added to Makefile lint pipeline and frontend dev dependencies
- READMEs for strands, langgraph, and claude-agent-sdk agent patterns
- Permission boundary for CodeBuild temporary IAM role
- VPC deployment mode (`network_mode: VPC`) for deploying AgentCore Runtime into an existing user-provided VPC for private network isolation
- VPC configuration in `config.yaml` with `vpc_id`, `subnet_ids`, and optional `security_group_ids`
- VPC configuration validation in `ConfigManager` for required fields when VPC mode is enabled
- `buildNetworkConfiguration()` method in backend stack to import existing VPC, subnets, and security groups
- VPC deployment documentation in `docs/DEPLOYMENT.md` including required VPC endpoints, subnet requirements, and traffic flow explanation
- CodeBuild-based deployment script (`scripts/deploy-with-codebuild.py`) that enables deploying FAST without requiring Docker
- [Terraform] Full Terraform infrastructure alternative to CDK (`infra-terraform/`) with modules for Amplify Hosting, Cognito, and Backend (Runtime, Gateway, Memory, Feedback API, SSM)
- [Terraform] Support for both Docker and Zip deployment types via `deployment_type` variable
- [Terraform] OAuth2 Credential Provider support
- [Terraform] VPC deployment mode with input/output parity to CDK
- [Terraform] Dedicated scripts for frontend deployment (`deploy-frontend.py`, `deploy-frontend.sh`), Docker image build (`build-and-push-image.sh`), and agent testing (`test-agent.py`)
- [Terraform] S3 backend configuration example (`backend.tf.example`) for remote state management
- [Terraform] Version bump playbook (`TF_VERSION_BUMP_PLAYBOOK.md`) with independent versioning scheme
- OAuth2 Credential Provider Lambda handler (`infra-cdk/lambdas/oauth2-provider/index.py`) for lifecycle management with Create, Update, and Delete support
- AgentCore Identity OAuth2 integration via `@requires_access_token` decorator in agent patterns
- Token refresh helpers (`_fetch_gateway_token`) in both Strands and LangGraph agents for fresh token retrieval
- Decorator comment explaining OAuth2 Credential Provider and Token Vault caching behavior
- Runtime environment variable `GATEWAY_CREDENTIAL_PROVIDER_NAME` for OAuth2 provider lookup
- OAuth2 Credential Provider and Token Vault IAM permissions to agent runtime role
- Scoped Secrets Manager IAM permissions to agent runtime role for OAuth2 secrets
- `docs/RUNTIME_GATEWAY_AUTH.md` - Comprehensive documentation of the M2M authentication workflow between AgentCore Runtime and Gateway, covering both deployment (OAuth2 provider registration) and runtime (token retrieval and validation) phases
- Updated architecture diagram (`docs/architecture-diagram/FAST-architecture-20260302.png`) illustrating OAuth2 M2M authentication flow with Token Vault and OAuth2 Credential Provider
- Removed `userId` from client invocation — user identity now extracted server-side from JWT to prevent impersonation via prompt injection
- Split claude-agent-sdk into single-agent and multi-agent pattern variants
- Frontend switched from `access_token` to `id_token` for AgentCore authentication (`access_token` lacks required `aud` claim)
- Removed old JS service files, replaced by new `agentcore-client` library
- Migrated Gateway authentication to AgentCore SDK `@requires_access_token` decorator
- Simplified agent code in `patterns/strands-single-agent/basic_agent.py` and `patterns/langgraph-single-agent/langgraph_agent.py`
- Use `cr.Provider` pattern for OAuth2 provider to avoid IAM propagation delays
- Implemented scoped IAM permissions for OAuth2 provider, Token Vault, and Secrets Manager
- Updated OAuth2 Custom Resource to pass secret ARN for enhanced security (secret retrieved at Lambda runtime)
- Modified agent token handling to fetch fresh tokens on reconnection (Strands) and per-request (LangGraph)
- Moved Secrets Manager permissions from base `AgentCoreRole` utility class to backend-stack.ts for better separation of concerns
- Updated `README.md` to reference new architecture diagram and clarify OAuth2 M2M authentication flow descriptions
- Updated `test-scripts/README.md` to remove Docker container testing documentation
- Updated contributing docs to use `main` branch instead of `develop`
- Docker container testing script (`test-scripts/test-agent-docker.py`)
- Docker testing documentation (`docs/LOCAL_DOCKER_TESTING.md`)
- Manual OAuth2 functions from `patterns/utils/auth.py` (`get_gateway_access_token()`, `get_secret()`)
- Manual token fetching logic from agent code
- Direct Secrets Manager access from agents
- Wildcard Secrets Manager IAM permissions from base `AgentCoreRole` utility class
- Old JS service files (replaced by `agentcore-client` library)
- LangGraph plain string content handling in `AIMessageChunk`
- Test-agent `user_id` bug, added streaming parser and dynamic tool name lookup to test scripts
- Frontend build issues: unused `sessionId` param and excluded test directory from `tsc`
- Repo-stats workflow failing on forks
- Real VPC/subnet IDs replaced with placeholders in `config.yaml`
- Backend agent entrypoints
- Docker Compose v2 syntax and outdated `userId` references in docs
- JWT auth compatibility, Vite host binding, and credential docs
- Stale token errors in agents by implementing fresh token retrieval on MCP Gateway reconnection (Strands) and per-request (LangGraph)
- IAM permission scoping to prevent overly broad wildcard access
- Removed `iam:PutRolePolicy` from CodeBuild permission boundary, added `cdk bootstrap`, fixed region detection
- Resolved all ESLint warnings in frontend
- CI: pinned `tj-actions/changed-files` to SHA and bumped Node to 20
- Enhanced security by delegating OAuth2 token management to AgentCore Identity service
- Improved token lifecycle management with automatic refresh and error handling via Token Vault
- Bumped `hono` from 4.11.9 to 4.12.7 in frontend
- Bumped `@hono/node-server` in frontend
- Bumped `rollup` from 4.56.0 to 4.59.0 in frontend
- Bumped `minimatch` in frontend and `aws-cdk-lib` in infra-cdk
- Bumped `fast-xml-parser` and `@aws-sdk/xml-builder` in frontend and infra-cdk
- Bumped `qs` from 6.14.1 to 6.14.2 in frontend
- Bumped `langgraph` in patterns/langgraph-single-agent
- Bumped `@aws-sdk/client-bedrock-agentcore` in infra-cdk
- Vite as build tool with optimized development server and production builds
- React Router (react-router-dom v6) for client-side routing
- Frontend test suite with unit tests and property-based tests using Vitest
- New application entry points: `main.tsx`, `App.tsx`, and route components
- Vite configuration with code splitting and optimized chunk strategy
- TypeScript configuration optimized for Vite bundler
- Environment variable type definitions for Vite (`vite-env.d.ts`)
- Minimal IAM policy for CDK deployment
- Migrated frontend from Next.js 16 (App Router) to Vite + React + React Router stack
- Replaced Next.js build system with Vite for faster builds and simpler configuration
- Updated environment variable prefix from `NEXT_PUBLIC_*` to `VITE_*`
- Migrated environment variable access from `process.env` to `import.meta.env`
- Restructured application entry points from Next.js layout/page pattern to explicit React rendering
- Moved global styles from `app/globals.css` to `src/styles/globals.css`
- Updated npm scripts: `dev` now runs Vite, `build` runs TypeScript check + Vite build
- Updated ESLint configuration to remove Next.js-specific rules
- Updated frontend README with Vite-specific instructions and development workflow
- Bumped `vite` from 5.4.21 to 7.3.1
- Bumped `fast-xml-parser` and `aws-amplify` in frontend
- Bumped `@modelcontextprotocol/sdk` from 1.25.1 to 1.26.0
- Bumped `hono` from 4.11.3 to 4.11.7
- Bumped `lodash` from 4.17.21 to 4.17.23
- Bumped `@smithy/config-resolver` and `aws-amplify` in frontend
- Next.js framework and dependencies (`next`, `eslint-config-next`)
- Next.js configuration file (`next.config.ts`)
- Next.js App Router file structure (`app/layout.tsx`, `app/page.tsx`)
- Next.js-specific build artifacts and references
- Open source release
- Zip deployment type for AgentCore runtime
- MkDocs documentation system with automated builds
- Enhanced CI/CD security scanning configuration
- Updated LangGraph version to address security vulnerability
- Upgraded to Cognito's new managed login UI
- Improved documentation structure and navigation
- Updated frontend dependencies to latest versions
- CloudWatch Logs permissions for AgentCore runtime
- Security scan execution to run on all branches
- Documentation links and structure issues
- CI/CD pipeline configuration for proper security scanning
- Updated GitLab references to GitHub for open source release
- Updated internal AWS references to generic paths
- Upgraded Python version requirement from 3.8 to 3.11
- Replaced bash frontend deployment script with cross-platform Python script
- Improved deployment documentation with clearer prerequisites
- API Gateway CloudWatch logs role creation issue
- Enhanced error handling in frontend deployment script
- Added explicit AWS credentials validation before deployment
- CONTRIBUTORS.md file listing project contributors
- Docker runtime requirement clarification in deployment docs
- Renamed project from "GenAIID AgentCore Starter Pack (GASP)" to "Fullstack AgentCore Solution Template (FAST)"
- Updated all documentation, code comments, and configuration files to use new naming
- Updated repository URLs and package names to reflect new branding
- Improved configuration management to require explicit config.yaml file
- Fixed Cognito domain prefix to use lowercase for compatibility
- Removed hardcoded default values in configuration manager
- AgentCore Code Interpreter direct integration with comprehensive documentation
- Reusable Code Interpreter tools for cross-pattern compatibility
- Updated architecture diagrams to include Code Interpreter integration
- Restructured Code Interpreter implementation for better reusability across agent patterns
- Streamlined documentation and updated README for improved clarity
- Removed unused description parameter from execute_python function
- CRITICAL: Updated React to 19.2.1 and Next.js to 16.0.7 to address CVE-2025-55182 (CVSS 10.0)
- Fixed React Server Components remote code execution vulnerability
- AgentCore Code Interpreter deployment issues
- Linting issues in Code Interpreter files
- Various code review feedback items
- Comprehensive security enhancements for backend infrastructure
- SSL/TLS enforcement for S3 staging bucket requests
- S3 access logging for staging bucket
- Comprehensive CloudWatch logging for API Gateway
- Error handling for Secrets Manager operations in test scripts
- Migrated from custom resource to CDK L1 constructs for Gateway
- Switched machine client secret storage from SSM to Secrets Manager
- Improved Dockerfile healthcheck and build caching
- Restricted Secrets Manager IAM permissions to specific secrets
- Typo fix in top level FAST stack description
- Updated version references from 0.0.1 to 0.1.0 in infra-cdk/package.json
- Removed unused imports
- Enhanced error handling for Secrets Manager operations
- Implemented comprehensive security controls across infrastructure
- Added proper access logging and monitoring
- Initial release of Fullstack AgentCore Solution Template
- Full-stack React frontend with Next.js, TypeScript, and Tailwind CSS
- AgentCore backend integration with multiple agent providers
- AWS Cognito authentication with JWT support
- CDK infrastructure deployment
- Strands and LangGraph agent pattern support
- Gateway integration with tool support
- Memory integration capabilities
- Streaming support
- Comprehensive documentation and deployment guides