Skip to content

Release 1.0.0-beta.22: Cognito-native auth, CORS unification, RBAC co…#137

Merged
colinmxs merged 1 commit intodevelopfrom
main
Apr 9, 2026
Merged

Release 1.0.0-beta.22: Cognito-native auth, CORS unification, RBAC co…#137
colinmxs merged 1 commit intodevelopfrom
main

Conversation

@colinmxs
Copy link
Copy Markdown
Contributor

@colinmxs colinmxs commented Apr 9, 2026

…nsolidation, Trivy supply chain fix

⚠️ BREAKING CHANGE: Authentication replaced with AWS Cognito. The legacy generic OIDC implementation has been removed with no backward compatibility layer. Existing deployments must re-bootstrap.

Cognito First-Boot Authentication:

  • Cognito User Pool, App Client, and Domain provisioned in Infrastructure stack
  • CognitoJWTValidator replaces GenericOIDCJWTValidator
  • New system/ module for first-boot setup, Cognito user/group management
  • New cognito_idp_service for federated identity provider CRUD via Cognito IdP APIs
  • First-boot page with admin account creation (race-condition-safe DynamoDB writes)
  • Frontend auth flow rewritten for Cognito OAuth 2.0 + PKCE
  • Runtime-provisioner and runtime-updater Lambda functions removed (2,800+ lines)
  • Backend OIDC service, token exchange, and discovery endpoints removed (1,318 lines)
  • 2,057 lines of new Cognito test coverage (IdP service, JWT validator, first-boot, system)

RBAC Consolidation:

  • Single require_app_roles dependency replaces 6 role-checking functions/decorators
  • User roles enriched from stored DynamoDB profile during token processing
  • Profile cache invalidation on sync for immediate role updates
  • JSON array parsing for custom:roles claim (Entra ID compatibility)
  • jwt_role_mappings updates allowed on system_admin role

CORS Unification:

  • buildCorsOrigins() shared helper across all 6 CDK stacks
  • S3 CORS made conditional, ExposedHeaders→ExposeHeaders fix
  • Python APIs read CORS_ORIGINS env var (replaces allow_origins=['*'])

Security:

  • Trivy action upgraded v0.28.0→v0.35.0 — old SHA was compromised in March 2026 supply chain attack (GHSA-69fq-xp46-6x23)

CI/CD:

  • CDK_DOMAIN_NAME and CDK_CORS_ORIGINS added to all workflow jobs
  • App API synth-cdk actually skipped on PRs (guard was missing despite beta.20 docs)
  • SSM StringParameter creation guarded against empty values

Bootstrap:

  • seed_bootstrap_data.py sole owner of RBAC role seeding (removed from app startup)
  • system_admin role seeded with jwt_role_mappings=['system_admin']
  • Additive JWT mapping seeding for existing deployments

Documentation:

  • 54,665 lines of outdated specs and AI artifacts purged (121 files)

Dependencies:

  • Python: fastapi 0.135.3, uvicorn 0.44.0, boto3 1.42.83, strands-agents 1.34.1, bedrock-agentcore 1.6.0, google-genai 1.70.0, ruff 0.15.9, mypy 1.20.0
  • Frontend: Angular 21.2.7, katex 0.16.45, mermaid 11.14.0, Analog.js alpha.26
  • Infrastructure: aws-cdk-lib 2.248.0, aws-cdk 2.1117.0, ts-jest 29.4.9

@colinmxs
Release 1.0.0-beta.22: Cognito-native auth, CORS unification, RBAC co…
d2abc37 
…nsolidation, Trivy supply chain fix

⚠️ BREAKING CHANGE: Authentication replaced with AWS Cognito.
The legacy generic OIDC implementation has been removed with no
backward compatibility layer. Existing deployments must re-bootstrap.

Cognito First-Boot Authentication:
- Cognito User Pool, App Client, and Domain provisioned in Infrastructure stack
- CognitoJWTValidator replaces GenericOIDCJWTValidator
- New system/ module for first-boot setup, Cognito user/group management
- New cognito_idp_service for federated identity provider CRUD via Cognito IdP APIs
- First-boot page with admin account creation (race-condition-safe DynamoDB writes)
- Frontend auth flow rewritten for Cognito OAuth 2.0 + PKCE
- Runtime-provisioner and runtime-updater Lambda functions removed (2,800+ lines)
- Backend OIDC service, token exchange, and discovery endpoints removed (1,318 lines)
- 2,057 lines of new Cognito test coverage (IdP service, JWT validator, first-boot, system)

RBAC Consolidation:
- Single require_app_roles dependency replaces 6 role-checking functions/decorators
- User roles enriched from stored DynamoDB profile during token processing
- Profile cache invalidation on sync for immediate role updates
- JSON array parsing for custom:roles claim (Entra ID compatibility)
- jwt_role_mappings updates allowed on system_admin role

CORS Unification:
- buildCorsOrigins() shared helper across all 6 CDK stacks
- S3 CORS made conditional, ExposedHeaders→ExposeHeaders fix
- Python APIs read CORS_ORIGINS env var (replaces allow_origins=['*'])

Security:
- Trivy action upgraded v0.28.0→v0.35.0 — old SHA was compromised in
  March 2026 supply chain attack (GHSA-69fq-xp46-6x23)

CI/CD:
- CDK_DOMAIN_NAME and CDK_CORS_ORIGINS added to all workflow jobs
- App API synth-cdk actually skipped on PRs (guard was missing despite beta.20 docs)
- SSM StringParameter creation guarded against empty values

Bootstrap:
- seed_bootstrap_data.py sole owner of RBAC role seeding (removed from app startup)
- system_admin role seeded with jwt_role_mappings=['system_admin']
- Additive JWT mapping seeding for existing deployments

Documentation:
- 54,665 lines of outdated specs and AI artifacts purged (121 files)

Dependencies:
- Python: fastapi 0.135.3, uvicorn 0.44.0, boto3 1.42.83, strands-agents 1.34.1,
  bedrock-agentcore 1.6.0, google-genai 1.70.0, ruff 0.15.9, mypy 1.20.0
- Frontend: Angular 21.2.7, katex 0.16.45, mermaid 11.14.0, Analog.js alpha.26
- Infrastructure: aws-cdk-lib 2.248.0, aws-cdk 2.1117.0, ts-jest 29.4.9
@colinmxs colinmxs merged commit 343989e into develop Apr 9, 2026
59 of 67 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@colinmxs