Skip to content

[pull] main from CopilotKit:main#298

Merged
pull[bot] merged 9 commits into
TheTechOddBug:mainfrom
CopilotKit:main
May 29, 2026
Merged

[pull] main from CopilotKit:main#298
pull[bot] merged 9 commits into
TheTechOddBug:mainfrom
CopilotKit:main

Conversation

@pull

@pull pull Bot commented May 29, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

BenTaylorDev and others added 9 commits May 27, 2026 22:31
…App Context + expose_state)

langgraph-api auto-copies the entire config.configurable dict into runtime.context. That dict
carries the CopilotKit-internal transport key `copilotkit_forwarded_headers`, populated solely
to drive the httpx header-forwarding hook (it is not user-visible state). The middleware's
before_agent step then rendered runtime.context into the LLM prompt as an "App Context" system
message, and the expose_state path could surface the same key via the state note — either path
leaks transport headers into the prompt body and, under strict fixture matching (D6/aimock),
changes the request payload and breaks the match.

Fix: hard-exclude `copilotkit_forwarded_headers` from both render paths. The App Context
renderer strips the reserved key before serialization, and the expose_state allowlist applies
the same exclusion so an explicit allow cannot reintroduce the leak. The httpx hook is
unchanged, so the key still reaches aimock as an HTTP header — pure conveyance, no body
pollution.

Adds red-green unit coverage for both paths (App Context strip, expose_state default + allowlist).
## Summary
- Redirected the remaining broken legacy docs URLs to their current
shell-docs locations, including `copilot-suggestions`, `integrations`,
`integrations/built-in-agent`, `telemetry`, and
`learn/tutorials/multi-conversation-chat`.
- Ported the missing telemetry page into the built-in-agent docs and
added it to the sidebar.
- Added the missing `useCapabilities` reference page, restored
`migrate/1.10.X`, and taught shell-docs to resolve docs stored under
route-group folders like `(other)`.
- Added DeepAgents to the framework picker and docs navigation so
framework redirects resolve cleanly.

## Testing
- `npm run test` passed.
- `npm run typecheck` passed.
- `npm run lint` passed with existing unrelated warnings.
- Verified the local shell-docs preview serves the new canonical pages
and returns the expected redirect targets for the legacy URLs.
…5096)

## Summary

- **Root cause**: `langgraph-api` auto-copies the entire
`config.configurable` dict into `runtime.context`. That dict carries the
CopilotKit-internal transport key `copilotkit_forwarded_headers`,
populated solely to drive the httpx header-forwarding hook. The
middleware's `before_agent` step renders `runtime.context` into the LLM
prompt as an "App Context" system message, and the `expose_state` path
can surface the same key via the state note — both leak transport
headers into the prompt body.
- **Symptom**: under strict fixture matching (D6 / aimock), the leaked
headers change the request payload and the match fails (503). Prompts
are also polluted with transport metadata that the user never set.
- **Fix**: hard-exclude `copilotkit_forwarded_headers` from both render
paths. The App Context renderer strips the reserved key before
serialization; the `expose_state` allowlist applies the same exclusion
so an explicit allow cannot reintroduce the leak. The httpx
header-forwarding hook is unchanged — the key still reaches downstream
as an HTTP header. Pure conveyance, no body pollution.

## Why

This is part of the D6 langgraph-python header-conveyance work. Header
conveyance to aimock already works via the httpx hook, but the same
forwarded-headers dict was leaking into the prompt body via
langgraph-api's `configurable` → `context` auto-copy. That broke aimock
strict fixture matching and polluted prompts. The reserved key
`copilotkit_forwarded_headers` is now transport-only.

## Test plan

- Red-green unit tests added for both paths:
  - App Context renderer strips `copilotkit_forwarded_headers`.
- `expose_state` default-deny strips it; explicit-allow allowlist also
strips it.
- Full `sdk-python` suite green: **181 passed, 11 skipped, 0 failed**.
- Middleware test file: **51 passed**.
- Proven end-to-end locally via the D6 1-pill
(`langgraph-python:agentic-chat`, 3/3 turns green). aimock journal
confirms the header arrives on the request, no App Context leak appears
in the prompt body, and the fixture matches.

## Known follow-ups (NOT in this PR)

- The OpenAI Responses API (`/v1/responses`) path does not currently
carry forwarded headers — a separate, pre-existing conveyance gap
affecting reasoning-model demos. Tracked separately.
- Full D6 rollout also requires the `@copilotkit/runtime` release
carrying `@ag-ui/langgraph` 0.0.34. Not bundled here.

This PR does **not** claim full D6 parity — it closes the prompt-leak
half of the conveyance work.
Releases copilotkit Python SDK 0.1.93 to PyPI, shipping the App Context
forwarded-headers strip (#5096).

Bumps sdk-python/pyproject.toml. Merging triggers the
publish-release.yml PyPI lane (OIDC trusted publisher).

Note: uv.lock not regenerated — this is a poetry-managed project without
a [project] table, so `uv lock` is not applicable. `uv sync --dry-run`
confirms the existing lock is consistent. Only sdk-python/pyproject.toml
changes, which is the exact trigger the publish workflow keys on.
## Release monorepo v1.59.0

**Scope:** `monorepo` | **Bump:** `minor`

---

### How this release process works

1. **This PR was created automatically** by the "release / create-pr"
workflow.
   It bumped the `monorepo` packages to `1.59.0`
   and generated AI-enhanced release notes.

2. **CI runs on this PR** — the full test suite (unit tests, lint, type
checks, build)
   must pass before merging. This is the review gate.

3. **Review the release notes** in `release-notes.md` in this PR.
If a Notion draft was created, you can edit the release notes there
before merging.

4. **When this PR is merged**, the `release / publish` workflow
automatically:
   - Builds all packages
   - Publishes the `monorepo` packages to npm at version `1.59.0`
   - Creates git tag `monorepo/v1.59.0`
   - Creates a GitHub Release with the final release notes

### Before merging

- [ ] CI is green (tests, lint, types, build)
- [ ] Version bumps look correct
- [ ] Release notes are accurate (edit in Notion if a draft was created)

---

> **Do not merge until CI is fully green.** The full test suite runs
automatically on this PR.
@pull pull Bot locked and limited conversation to collaborators May 29, 2026
@pull pull Bot added the ⤵️ pull label May 29, 2026
@pull pull Bot merged commit b26272c into TheTechOddBug:main May 29, 2026
4 of 28 checks passed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants