[pull] main from CopilotKit:main#298
Merged
Merged
Conversation
…App Context + expose_state) langgraph-api auto-copies the entire config.configurable dict into runtime.context. That dict carries the CopilotKit-internal transport key `copilotkit_forwarded_headers`, populated solely to drive the httpx header-forwarding hook (it is not user-visible state). The middleware's before_agent step then rendered runtime.context into the LLM prompt as an "App Context" system message, and the expose_state path could surface the same key via the state note — either path leaks transport headers into the prompt body and, under strict fixture matching (D6/aimock), changes the request payload and breaks the match. Fix: hard-exclude `copilotkit_forwarded_headers` from both render paths. The App Context renderer strips the reserved key before serialization, and the expose_state allowlist applies the same exclusion so an explicit allow cannot reintroduce the leak. The httpx hook is unchanged, so the key still reaches aimock as an HTTP header — pure conveyance, no body pollution. Adds red-green unit coverage for both paths (App Context strip, expose_state default + allowlist).
## Summary - Redirected the remaining broken legacy docs URLs to their current shell-docs locations, including `copilot-suggestions`, `integrations`, `integrations/built-in-agent`, `telemetry`, and `learn/tutorials/multi-conversation-chat`. - Ported the missing telemetry page into the built-in-agent docs and added it to the sidebar. - Added the missing `useCapabilities` reference page, restored `migrate/1.10.X`, and taught shell-docs to resolve docs stored under route-group folders like `(other)`. - Added DeepAgents to the framework picker and docs navigation so framework redirects resolve cleanly. ## Testing - `npm run test` passed. - `npm run typecheck` passed. - `npm run lint` passed with existing unrelated warnings. - Verified the local shell-docs preview serves the new canonical pages and returns the expected redirect targets for the legacy URLs.
…5096) ## Summary - **Root cause**: `langgraph-api` auto-copies the entire `config.configurable` dict into `runtime.context`. That dict carries the CopilotKit-internal transport key `copilotkit_forwarded_headers`, populated solely to drive the httpx header-forwarding hook. The middleware's `before_agent` step renders `runtime.context` into the LLM prompt as an "App Context" system message, and the `expose_state` path can surface the same key via the state note — both leak transport headers into the prompt body. - **Symptom**: under strict fixture matching (D6 / aimock), the leaked headers change the request payload and the match fails (503). Prompts are also polluted with transport metadata that the user never set. - **Fix**: hard-exclude `copilotkit_forwarded_headers` from both render paths. The App Context renderer strips the reserved key before serialization; the `expose_state` allowlist applies the same exclusion so an explicit allow cannot reintroduce the leak. The httpx header-forwarding hook is unchanged — the key still reaches downstream as an HTTP header. Pure conveyance, no body pollution. ## Why This is part of the D6 langgraph-python header-conveyance work. Header conveyance to aimock already works via the httpx hook, but the same forwarded-headers dict was leaking into the prompt body via langgraph-api's `configurable` → `context` auto-copy. That broke aimock strict fixture matching and polluted prompts. The reserved key `copilotkit_forwarded_headers` is now transport-only. ## Test plan - Red-green unit tests added for both paths: - App Context renderer strips `copilotkit_forwarded_headers`. - `expose_state` default-deny strips it; explicit-allow allowlist also strips it. - Full `sdk-python` suite green: **181 passed, 11 skipped, 0 failed**. - Middleware test file: **51 passed**. - Proven end-to-end locally via the D6 1-pill (`langgraph-python:agentic-chat`, 3/3 turns green). aimock journal confirms the header arrives on the request, no App Context leak appears in the prompt body, and the fixture matches. ## Known follow-ups (NOT in this PR) - The OpenAI Responses API (`/v1/responses`) path does not currently carry forwarded headers — a separate, pre-existing conveyance gap affecting reasoning-model demos. Tracked separately. - Full D6 rollout also requires the `@copilotkit/runtime` release carrying `@ag-ui/langgraph` 0.0.34. Not bundled here. This PR does **not** claim full D6 parity — it closes the prompt-leak half of the conveyance work.
Releases copilotkit Python SDK 0.1.93 to PyPI, shipping the App Context forwarded-headers strip (#5096). Bumps sdk-python/pyproject.toml. Merging triggers the publish-release.yml PyPI lane (OIDC trusted publisher). Note: uv.lock not regenerated — this is a poetry-managed project without a [project] table, so `uv lock` is not applicable. `uv sync --dry-run` confirms the existing lock is consistent. Only sdk-python/pyproject.toml changes, which is the exact trigger the publish workflow keys on.
## Release monorepo v1.59.0 **Scope:** `monorepo` | **Bump:** `minor` --- ### How this release process works 1. **This PR was created automatically** by the "release / create-pr" workflow. It bumped the `monorepo` packages to `1.59.0` and generated AI-enhanced release notes. 2. **CI runs on this PR** — the full test suite (unit tests, lint, type checks, build) must pass before merging. This is the review gate. 3. **Review the release notes** in `release-notes.md` in this PR. If a Notion draft was created, you can edit the release notes there before merging. 4. **When this PR is merged**, the `release / publish` workflow automatically: - Builds all packages - Publishes the `monorepo` packages to npm at version `1.59.0` - Creates git tag `monorepo/v1.59.0` - Creates a GitHub Release with the final release notes ### Before merging - [ ] CI is green (tests, lint, types, build) - [ ] Version bumps look correct - [ ] Release notes are accurate (edit in Notion if a draft was created) --- > **Do not merge until CI is fully green.** The full test suite runs automatically on this PR.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )