
feat(augment): add augment AI assistant workspace #2555

Open
rrbanda wants to merge 1 commit into redhat-developer:main from rrbanda:feat/augment-workspace-v2

@rrbanda rrbanda commented Mar 16, 2026

Summary

Introduces the augment plugin workspace (workspaces/augment/) with three packages:

  • @red-hat-developer-hub/backstage-plugin-augment — Frontend chat interface with streaming responses, conversation history, multi-agent handoff visualization, and admin settings panel
  • @red-hat-developer-hub/backstage-plugin-augment-backend — Backend plugin providing the Responses API integration with Llama Stack, MCP server proxy, RAG document ingestion, and multi-agent orchestration
  • @red-hat-developer-hub/backstage-plugin-augment-common — Shared types, API refs, and permission definitions

Key capabilities

  • Multi-agent architecture — Router dispatches to specialist agents (Cluster Engineer for live OpenShift ops via MCP, Product Knowledge Specialist for Red Hat docs/KB/CVEs via RHOKP)
  • Streaming chat — SSE-based real-time response streaming with tool call visualization
  • MCP tool integration — Connects to external MCP servers (streamable-http/sse) with optional human-in-the-loop approval
  • RAG — Vector store-backed document retrieval with configurable chunking, hybrid search, and GitHub/directory/URL document sources
  • Security — Three modes (none, plugin-only via RBAC, full OAuth chain) with Keycloak integration
  • Safety guardrails — Llama Guard / Prompt Guard shield integration via Llama Stack safety API
  • RHDH dynamic plugin support — Frontend scalprum config and backend export for OCI-based dynamic plugin loading

Test plan

  • yarn build succeeds for all three packages (common, frontend, backend)
  • yarn test passes for backend unit tests
  • Dynamic plugin export produces valid dist-dynamic/ for both frontend (with dist-scalprum/plugin-manifest.json) and backend
  • Plugin loads in RHDH via OCI image with correct scalprum registration
  • Chat streaming works end-to-end with Llama Stack backend
  • Multi-agent handoff (router -> specialist -> router) completes with response
  • MCP tool calls execute and results render in chat UI

@rrbanda rrbanda requested review from a team as code owners March 16, 2026 10:45

rhdh-gh-app bot commented Mar 16, 2026

Important

This PR includes changes that affect public-facing API. Please ensure you are adding/updating documentation for new features or behavior.

Changed Packages

| Package Name | Package Path | Changeset Bump | Current Version |
| --- | --- | --- | --- |
| app | workspaces/augment/packages/app | none | v0.0.0 |
| backend | workspaces/augment/packages/backend | none | v0.0.0 |
| @red-hat-developer-hub/backstage-plugin-augment-backend | workspaces/augment/plugins/augment-backend | minor | v0.1.0 |
| @red-hat-developer-hub/backstage-plugin-augment-common | workspaces/augment/plugins/augment-common | minor | v0.1.0 |
| @red-hat-developer-hub/backstage-plugin-augment | workspaces/augment/plugins/augment | minor | v0.1.0 |


rhdh-gh-app bot commented Mar 16, 2026

⚠️ CODEOWNERS Validation Failed

The following users are listed in CODEOWNERS but are not members of the rhdh-plugins-codeowners team:

rrbanda

An org admin needs to add the missing members to the team before this PR can be merged.

@rhdh-qodo-merge

Review Summary by Qodo

feat(augment): Add augment AI assistant workspace with multi-agent orchestration, streaming chat, RAG, and comprehensive test coverage

✨ Enhancement 🧪 Tests

Walkthroughs

Description
• Introduces the **augment** plugin workspace with three packages: frontend chat interface, backend
  plugin with Llama Stack integration, and shared types/APIs
• **Multi-agent architecture** with router dispatching to specialist agents (Cluster Engineer via
  MCP, Product Knowledge Specialist via RHOKP)
• **Streaming chat** with SSE-based real-time responses, tool call visualization, and
  human-in-the-loop approval workflow
• **MCP tool integration** connecting to external MCP servers with optional approval gates and SSRF
  protection
• **RAG capabilities** with vector store-backed document retrieval, hybrid search, and multiple
  document sources (GitHub, directory, URL)
• **Security modes** (none, plugin-only via RBAC, full OAuth chain) with Keycloak integration and
  three-layer permission enforcement
• **Safety guardrails** via Llama Guard/Prompt Guard shield integration through Llama Stack safety
  API
• **Comprehensive test coverage** including admin routes (1698 lines), multi-agent orchestration E2E
  (1451 lines), router endpoints (977 lines), ResponsesApiProvider (993 lines), stream event
  normalization (560 lines), and session/config management tests
• **Configuration system** with YAML baseline, database overrides, runtime resolution, and
  validation with sensible defaults
• **Frontend API client** with endpoints for chat, conversations, admin config, model management,
  RAG testing, and vector store operations
• **Dynamic plugin support** for RHDH with scalprum config and OCI-based plugin loading
Diagram
flowchart LR
  User["User Chat Interface"]
  Frontend["Frontend Plugin<br/>Chat UI & Admin Panel"]
  API["API Client<br/>AugmentApi"]
  Backend["Backend Plugin<br/>ResponsesApiProvider"]
  LlamaStack["Llama Stack<br/>Multi-Agent Orchestrator"]
  MCP["MCP Servers<br/>Tool Execution"]
  RAG["RAG System<br/>Vector Store & Documents"]
  Config["Config System<br/>YAML + DB Overrides"]
  
  User -->|Chat Messages| Frontend
  Frontend -->|API Calls| API
  API -->|HTTP Requests| Backend
  Backend -->|Orchestration| LlamaStack
  LlamaStack -->|Tool Calls| MCP
  LlamaStack -->|Document Search| RAG
  Config -->|Runtime Config| Backend
  Backend -->|Streaming Responses| Frontend
  Frontend -->|Display Results| User

File Changes

1. workspaces/augment/plugins/augment-backend/src/routes/adminRoutes.test.ts 🧪 Tests +1698/-0

Admin routes comprehensive integration test suite

• Comprehensive test suite for admin API routes with 1698 lines covering permission enforcement,
 config CRUD operations, document management, RAG functionality, vector store operations, and MCP
 server configuration
• Tests include mock setup with database, provider, and authentication services to validate admin
 endpoints return correct status codes and response structures
• Covers edge cases like duplicate document prevention, multi-vector-store management, SSRF
 protection for MCP URLs, and cache invalidation callbacks
• Validates config persistence, merging of database overrides with YAML defaults, and runtime
 propagation of changes to non-admin routes


2. workspaces/augment/plugins/augment-backend/src/providers/llamastack/__tests__/multiAgent.e2e.test.ts 🧪 Tests +1451/-0

Multi-agent orchestration end-to-end integration tests

• End-to-end integration tests for multi-agent orchestration with 1451 lines validating the full
 chain from ResponsesApiCoordinator through AdkOrchestrator to HTTP responses
• Includes mock LlamaStack server implementation that simulates agent handoffs, tool calls,
 streaming responses, and error scenarios based on request instructions
• Tests single-agent chat, multi-agent handoff routing (triage → billing/technical), streaming with
 reasoning events, agent-as-tool error handling, and ZDR mode behavior
• Supports conditional real LlamaStack instance testing when LLAMASTACK_URL environment variable
 is set


3. workspaces/augment/plugins/augment-backend/src/services/ChatSessionService.test.ts 🧪 Tests +372/-0

Chat session service unit and integration tests

• Unit and integration tests for ChatSessionService with 372 lines covering session lifecycle
 operations (create, list, get, delete, update)
• Tests initialization error handling, session isolation between users, pagination with
 limit/offset, and timestamp management
• Validates database operations including conversation ID assignment, title updates, and touch
 operations for updating activity timestamps
• Uses in-memory SQLite database for isolated test execution

4. workspaces/augment/plugins/augment-backend/.eslintrc.js ⚙️ Configuration changes +2/-0

ESLint configuration for augment backend plugin

• Minimal ESLint configuration file that delegates to Backstage CLI's standard eslint-factory
 configuration


5. workspaces/augment/plugins/augment-backend/src/services/RuntimeConfigResolver.test.ts 🧪 Tests +1089/-0

RuntimeConfigResolver comprehensive unit test coverage

• Comprehensive test suite for RuntimeConfigResolver with 1089 lines covering YAML baseline
 config, database overrides, and caching behavior
• Tests validate override precedence for model, systemPrompt, baseUrl, boolean flags, and complex
 nested configs like vectorStoreConfig
• Includes tests for MCP server merging, safety/evaluation settings, graceful degradation on DB
 failures, and cache invalidation
• Validates type safety, concurrency handling, and cache snapshot isolation to prevent mutation
 corruption


6. workspaces/augment/plugins/augment-backend/src/router.test.ts 🧪 Tests +977/-0

Router endpoint and security integration test suite

• Large test suite (977 lines) for Express router endpoints covering health, status, documents,
 branding, conversations, and chat
• Tests permission enforcement (RBAC), authentication failures, and security mode bypass scenarios
• Includes session management routes with CRUD operations, message retrieval, and cascade deletion
 of conversations
• Validates error handling (401/403/404/502 responses) and graceful degradation when services are
 unavailable


7. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ResponsesApiProvider.test.ts 🧪 Tests +993/-0

ResponsesApiProvider integration and capability tests

• Extensive test suite (993 lines) for ResponsesApiProvider covering orchestrator, safety, and
 evaluation service initialization
• Tests chat/chatStream delegation, stream event normalization, and HITL approval event handling
 with responseId backfilling
• Validates RAG capabilities (document listing, vector store operations, search) and conversation
 management (create, list, get, delete)
• Includes model testing with connection validation, model discovery, and inference capability
 checks


8. workspaces/augment/plugins/augment-backend/src/providers/responses-api/stream/StreamEventNormalizer.test.ts 🧪 Tests +560/-0

Stream event normalization and error sanitization tests

• Comprehensive test suite (560 lines) for normalizeLlamaStackEvent function handling LlamaStack
 event normalization
• Tests response lifecycle events (created, completed, failed), text/reasoning streaming, tool
 calls, and RAG file search results
• Validates MCP tool discovery, approval requests, and error sanitization to prevent URL/credential
 leakage in error messages
• Covers edge cases like malformed JSON, missing fields, and consecutive sanitization calls


9. workspaces/augment/plugins/augment-common/.eslintrc.js ⚙️ Configuration changes +2/-0

ESLint configuration for augment-common package

• Minimal ESLint configuration file for the augment-common package
• Delegates to Backstage CLI's standard ESLint factory for consistent linting rules


10. workspaces/augment/plugins/augment-backend/src/providers/llamastack/config/ConfigLoader.ts ✨ Enhancement +889/-0

Configuration loader for Augment plugin with validation

• Comprehensive configuration loader for Augment plugin supporting Llama Stack, MCP servers,
 documents, security, and multi-agent orchestration
• Validates required configuration at startup with clear error messages and provides sensible
 defaults for optional fields
• Parses complex nested configs including tool choice, reasoning, hybrid search, document sources,
 and agent definitions
• Implements caching for agent configurations and detailed logging for debugging


11. workspaces/augment/plugins/augment-backend/config.d.ts 📝 Documentation +1043/-0

TypeScript configuration schema with security and feature documentation

• TypeScript configuration schema defining all Augment plugin settings with comprehensive JSDoc
 documentation
• Documents three security modes (none, plugin-only, full) with examples and RBAC configuration
 guidance
• Defines schemas for Llama Stack, MCP servers, documents, safety, evaluation, branding, and
 multi-agent configurations
• Includes visibility annotations (frontend/backend/secret) for proper config exposure


12. workspaces/augment/plugins/augment/src/components/StreamingMessage/StreamingMessage.reducer.test.ts 🧪 Tests +848/-0

Streaming message reducer test suite with comprehensive coverage

• Comprehensive test suite for streaming message state reducer covering lifecycle, tool calls, RAG,
 and approval events
• Tests phase transitions (connecting → thinking → generating → completed) and event handling for
 30+ event types
• Validates human-in-the-loop approval phase guard preventing state mutations during pending
 approval
• Covers edge cases, agent handoffs, and multi-turn conversation scenarios


13. workspaces/augment/plugins/augment/src/api/AugmentApi.ts ✨ Enhancement +1002/-0

Augment API client interface and implementation

• Complete API client interface and implementation for Augment frontend-to-backend communication
• Supports chat, streaming, conversation history, human-in-the-loop approvals, and chat sessions
• Includes admin endpoints for configuration, model management, RAG testing, safety/evaluation
 status, and vector store management
• Implements internal fetch helpers to eliminate boilerplate and organize endpoints into logical
 modules


14. workspaces/augment/plugins/augment-backend/src/providers/responses-api/chat/chatUtils.ts ✨ Enhancement +47/-0

Chat utility functions for message extraction

• Utility functions for extracting user messages from chat requests
• Provides both optional (extractLastUserMessage) and required (requireLastUserMessage) variants
• Used by chat processing logic to access the latest user input for RAG and other operations


15. .github/CODEOWNERS Additional files +1/-0
16. workspaces/augment/.changeset/augment-initial-release.md Additional files +7/-0
17. workspaces/augment/.changeset/config.json Additional files +14/-0
18. workspaces/augment/.dockerignore Additional files +8/-0
19. workspaces/augment/.eslintignore Additional files +1/-0
20. workspaces/augment/.eslintrc.js Additional files +1/-0
21. workspaces/augment/.prettierignore Additional files +8/-0
22. workspaces/augment/README.md Additional files +29/-0
23. workspaces/augment/app-config.yaml Additional files +38/-0
24. workspaces/augment/backstage.json Additional files +1/-0
25. workspaces/augment/bcp.json Additional files +3/-0
26. workspaces/augment/catalog-info.yaml Additional files +9/-0
27. workspaces/augment/package.json Additional files +72/-0
28. workspaces/augment/packages/app/.eslintrc.js Additional files +1/-0
29. workspaces/augment/packages/app/knip-report.md Additional files +12/-0
30. workspaces/augment/packages/app/package.json Additional files +77/-0
31. workspaces/augment/packages/app/public/index.html Additional files +60/-0
32. workspaces/augment/packages/app/public/manifest.json Additional files +15/-0
33. workspaces/augment/packages/app/public/robots.txt Additional files +2/-0
34. workspaces/augment/packages/app/src/App.tsx Additional files +118/-0
35. workspaces/augment/packages/app/src/apis.ts Additional files +34/-0
36. workspaces/augment/packages/app/src/components/Root/LogoFull.tsx Additional files +51/-0
37. workspaces/augment/packages/app/src/components/Root/LogoIcon.tsx Additional files +51/-0
38. workspaces/augment/packages/app/src/components/Root/Root.tsx Additional files +109/-0
39. workspaces/augment/packages/app/src/components/Root/index.ts Additional files +16/-0
40. workspaces/augment/packages/app/src/components/catalog/EntityPage.tsx Additional files +404/-0
41. workspaces/augment/packages/app/src/components/search/SearchPage.tsx Additional files +138/-0
42. workspaces/augment/packages/app/src/index.tsx Additional files +20/-0
43. workspaces/augment/packages/backend/.eslintrc.js Additional files +1/-0
44. workspaces/augment/packages/backend/knip-report.md Additional files +14/-0
45. workspaces/augment/packages/backend/package.json Additional files +54/-0
46. workspaces/augment/packages/backend/src/index.ts Additional files +45/-0
47. workspaces/augment/plugins/augment-backend/README.md Additional files +172/-0
48. workspaces/augment/plugins/augment-backend/dev/index.ts Additional files +38/-0
49. workspaces/augment/plugins/augment-backend/knip-report.md Additional files +14/-0
50. workspaces/augment/plugins/augment-backend/package.json Additional files +81/-0
51. workspaces/augment/plugins/augment-backend/report.api.md Additional files +1031/-0
52. workspaces/augment/plugins/augment-backend/scripts/test-backend-curls.sh Additional files +918/-0
53. workspaces/augment/plugins/augment-backend/src/constants.ts Additional files +233/-0
54. workspaces/augment/plugins/augment-backend/src/extensions.ts Additional files +78/-0
55. workspaces/augment/plugins/augment-backend/src/index.ts Additional files +134/-0
56. workspaces/augment/plugins/augment-backend/src/middleware/security.test.ts Additional files +521/-0
57. workspaces/augment/plugins/augment-backend/src/middleware/security.ts Additional files +202/-0
58. workspaces/augment/plugins/augment-backend/src/parsers/chatRequestParsers.test.ts Additional files +332/-0
59. workspaces/augment/plugins/augment-backend/src/parsers/chatRequestParsers.ts Additional files +151/-0
60. workspaces/augment/plugins/augment-backend/src/plugin.ts Additional files +278/-0
61. workspaces/augment/plugins/augment-backend/src/providers/ProviderManager.test.ts Additional files +151/-0
62. workspaces/augment/plugins/augment-backend/src/providers/ProviderManager.ts Additional files +127/-0
63. workspaces/augment/plugins/augment-backend/src/providers/factory.ts Additional files +129/-0
64. workspaces/augment/plugins/augment-backend/src/providers/index.ts Additional files +47/-0
65. workspaces/augment/plugins/augment-backend/src/providers/llamastack/AgentGraphManager.test.ts Additional files +280/-0
66. workspaces/augment/plugins/augment-backend/src/providers/llamastack/AgentGraphManager.ts Additional files +204/-0
67. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ApprovalContinuationExecutor.test.ts Additional files +509/-0
68. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ApprovalContinuationExecutor.ts Additional files +18/-0
69. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ApprovalHandler.test.ts Additional files +224/-0
70. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ApprovalHandler.ts Additional files +18/-0
71. workspaces/augment/plugins/augment-backend/src/providers/llamastack/BackendApprovalHandler.test.ts Additional files +210/-0
72. workspaces/augment/plugins/augment-backend/src/providers/llamastack/BackendApprovalHandler.ts Additional files +399/-0
73. workspaces/augment/plugins/augment-backend/src/providers/llamastack/BackendApprovalStore.ts Additional files +18/-0
74. workspaces/augment/plugins/augment-backend/src/providers/llamastack/BackendToolEvents.test.ts Additional files +102/-0
75. workspaces/augment/plugins/augment-backend/src/providers/llamastack/BackendToolExecutor.ts Additional files +18/-0
76. workspaces/augment/plugins/augment-backend/src/providers/llamastack/BrandingConfigLoader.ts Additional files +17/-0
77. workspaces/augment/plugins/augment-backend/src/providers/llamastack/CapabilityBuilders.test.ts Additional files +830/-0
78. workspaces/augment/plugins/augment-backend/src/providers/llamastack/CapabilityBuilders.ts Additional files +370/-0
79. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ChatDepsBuilder.test.ts Additional files +245/-0
80. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ChatDepsBuilder.ts Additional files +127/-0
81. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ClientManager.test.ts Additional files +221/-0
82. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ClientManager.ts Additional files +149/-0
83. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConfigLoader.test.ts Additional files +413/-0
84. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConfigLoader.ts Additional files +17/-0
85. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConfigResolutionService.test.ts Additional files +206/-0
86. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConfigResolutionService.ts Additional files +17/-0
87. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConversationFacade.test.ts Additional files +426/-0
88. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConversationFacade.ts Additional files +16/-0
89. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConversationHelpers.test.ts Additional files +236/-0
90. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConversationHelpers.ts Additional files +16/-0
91. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConversationRegistry.ts Additional files +18/-0
92. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConversationService.test.ts Additional files +597/-0
93. workspaces/augment/plugins/augment-backend/src/providers/llamastack/ConversationService.ts Additional files +16/-0
94. workspaces/augment/plugins/augment-backend/src/providers/llamastack/DocumentLister.test.ts Additional files +388/-0
95. workspaces/augment/plugins/augment-backend/src/providers/llamastack/DocumentLister.ts Additional files +18/-0
96. workspaces/augment/plugins/augment-backend/src/providers/llamastack/DocumentSyncService.test.ts Additional files +657/-0
97. workspaces/augment/plugins/augment-backend/src/providers/llamastack/DocumentSyncService.ts Additional files +18/-0
98. workspaces/augment/plugins/augment-backend/src/providers/llamastack/DocumentUploader.test.ts Additional files +339/-0
99. workspaces/augment/plugins/augment-backend/src/providers/llamastack/DocumentUploader.ts Additional files +18/-0
100. workspaces/augment/plugins/augment-backend/src/providers/llamastack/EvaluationService.test.ts Additional files +536/-0
101. workspaces/augment/plugins/augment-backend/src/providers/llamastack/EvaluationService.ts Additional files +17/-0
102. workspaces/augment/plugins/augment-backend/src/providers/llamastack/InputItemsNormalizer.test.ts Additional files +101/-0
103. workspaces/augment/plugins/augment-backend/src/providers/llamastack/InputItemsNormalizer.ts Additional files +16/-0
104. workspaces/augment/plugins/augment-backend/src/providers/llamastack/LlamaStackApiError.test.ts Additional files +143/-0
105. workspaces/augment/plugins/augment-backend/src/providers/llamastack/LlamaStackOrchestrator.test.ts Additional files +203/-0
106. workspaces/augment/plugins/augment-backend/src/providers/llamastack/LlamaStackOrchestrator.ts Additional files +20/-0
107. workspaces/augment/plugins/augment-backend/src/providers/llamastack/LlamaStackProvider.test.ts Additional files +887/-0
108. workspaces/augment/plugins/augment-backend/src/providers/llamastack/LlamaStackProvider.ts Additional files +20/-0
109. workspaces/augment/plugins/augment-backend/src/providers/llamastack/McpAuthService.test.ts Additional files +405/-0
110. workspaces/augment/plugins/augment-backend/src/providers/llamastack/McpAuthService.ts Additional files +17/-0
111. workspaces/augment/plugins/augment-backend/src/providers/llamastack/McpConfigLoader.ts Additional files +17/-0
112. workspaces/augment/plugins/augment-backend/src/providers/llamastack/McpToolBuilder.ts Additional files +18/-0
113. workspaces/augment/plugins/augment-backend/src/providers/llamastack/MessageProcessor.test.ts Additional files +619/-0
114. workspaces/augment/plugins/augment-backend/src/providers/llamastack/MessageProcessor.ts Additional files +16/-0
115. Additional files not shown Additional files +0/-0


rhdh-qodo-merge bot commented Mar 16, 2026

Code Review by Qodo

🐞 Bugs (4) 📘 Rule violations (0) 📎 Requirement gaps (0)


Action required

1. SSRF via redirects 🐞 Bug ⛨ Security
Description
Document URL ingestion performs an SSRF check on the initial URL but then fetches it without
restricting redirects or re-validating redirect targets, enabling a public URL to redirect to
private/internal addresses. This can result in the backend fetching and ingesting internal content
into the knowledge base.
Code

workspaces/augment/plugins/augment-backend/src/services/DocumentIngestionService.ts[R206-222]

+        const blockedReason = await isPrivateUrlWithDns(url);
+        if (blockedReason) {
+          this.logger.warn(
+            `Skipping URL ${url}: blocked by SSRF protection (${blockedReason})`,
+          );
+          continue;
+        }
+
+        this.logger.debug(`Fetching URL: ${url}`);
+
+        const response = await this.fetchUrl(url, source.headers || {});
+        if (!response.ok) {
+          throw new Error(`HTTP ${response.status}`);
+        }
+
+        const content = await response.text();
+        const fileName = extractFileNameFromUrl(url);
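
Review bot: The `isPrivateUrlWithDns(url)` result is not tied to the request that `this.fetchUrl(url, source.headers || {})` then makes, so the check covers only the first URL and one DNS answer while the fetch resolves the host again on its own. Move the validation into `fetchUrl` so it runs for every hop and for the address actually connected to, and confirm that `source.headers` are not replayed to a different origin when a redirect is followed. The `warn` and `debug` lines also log `url` in full, which can carry credentials in the query string or userinfo; log the origin and path only.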
Evidence
The ingestion path checks the URL once, then performs a network fetch; the shared fetch helper does
not set any redirect policy, and the SSRF guard only checks resolution at one point in time (and
even allows DNS resolution failures), so redirect-to-private and TOCTOU/DNS-rebind patterns are not
prevented by this implementation.

workspaces/augment/plugins/augment-backend/src/services/DocumentIngestionService.ts[201-231]
workspaces/augment/plugins/augment-backend/src/services/utils/http.ts[66-90]
workspaces/augment/plugins/augment-backend/src/services/utils/SsrfGuard.ts[83-110]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Document ingestion checks `isPrivateUrlWithDns(url)` once, but the subsequent fetch can still reach private/internal destinations via HTTP redirects and/or DNS TOCTOU (rebinding). This is a server-side request forgery gap.

### Issue Context
The SSRF guard is invoked before fetch, but the shared `fetchWithTlsControl` helper does not constrain redirect behavior or pin DNS results.

### Fix Focus Areas
- workspaces/augment/plugins/augment-backend/src/services/DocumentIngestionService.ts[201-232]
- workspaces/augment/plugins/augment-backend/src/services/utils/http.ts[66-90]
- workspaces/augment/plugins/augment-backend/src/services/utils/SsrfGuard.ts[83-110]

### Implementation notes (one viable approach)
1. In `fetchWithTlsControl`, set `redirect: 'manual'` (or `'error'`).
2. In callers that must follow redirects, explicitly handle 3xx responses:
  - Extract and normalize the `Location` header into an absolute URL.
  - Run `isPrivateUrlWithDns()` on the redirect target.
  - Only then issue the next request (with a max redirect depth).
3. Consider DNS pinning for higher assurance (e.g., resolve once with `dns.lookup(..., { all: true })`, reject private IPs, and use an undici dispatcher/agent with a custom `lookup` that returns only the approved IPs).



2. SSE backpressure ignored 🐞 Bug ⛯ Reliability
Description
The SSE forwarder writes events even when res.write indicates backpressure, without
pausing/queuing until drain before writing subsequent events. This can cause unbounded buffering
and memory growth under slow clients, leading to process instability.
Code

workspaces/augment/plugins/augment-backend/src/routes/chatRoutes.ts[R116-127]

+    if (!clientDisconnectedRef.current) {
+      const payload = `data: ${JSON.stringify(event)}\n\n`;
+      const canContinue = res.write(payload);
+      const flushableRes = res as FlushableResponse;
+      if (flushableRes.flush) {
+        flushableRes.flush();
+      }
+      if (!canContinue) {
+        res.once('drain', () => {
+          /* backpressure relieved */
+        });
+      }
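
Review bot: The `drain` handler registered when `canContinue` is false has an empty body, so it changes nothing: the next call still goes straight to `res.write(payload)`. Each backpressured call also adds another `once('drain')` listener, so listeners pile up on a slow client alongside the buffered data. Keep a `waiting` flag and a bounded queue in the enclosing scope, return early while waiting, and flush from a single `drain` handler.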
Evidence
The forwarder checks the boolean return of res.write but does not gate subsequent writes; it only
registers a drain listener without any buffering/pausing mechanism, so future events will continue
writing into the already-backpressured response.

workspaces/augment/plugins/augment-backend/src/routes/chatRoutes.ts[80-132]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The SSE event forwarder detects backpressure (`res.write(...) === false`) but does not stop subsequent writes, which can lead to unbounded internal buffering for slow clients.

### Issue Context
`forward` is called for every stream event; it must either (a) pause writes until `drain`, or (b) queue events and flush them on `drain`, preferably with a size cap.

### Fix Focus Areas
- workspaces/augment/plugins/augment-backend/src/routes/chatRoutes.ts[76-132]

### Implementation notes (recommended)
- Replace direct `res.write` in `forward` with a small write-queue:
 - `queue.push(payload)`
 - `flushQueue()` writes while queue not empty and `res.write` returns true
 - if a write returns false, register a single `drain` handler that calls `flushQueue()`
 - cap queue length/bytes; if exceeded, abort the stream and return a `stream.error` to avoid OOM.



3. Undeclared undici dependency 🐞 Bug ⛯ Reliability
Description
The backend dynamically requires the undici package for TLS-skip fetch, but the augment-backend
package does not declare undici as a dependency. Enabling skipTlsVerify will fail at runtime
with a module-not-found error.
Code

workspaces/augment/plugins/augment-backend/src/services/utils/mcpClient.ts[R29-43]

+export function createTlsSkipFetch(): typeof globalThis.fetch {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports, @backstage/no-undeclared-imports
+  const { Agent } = require('undici') as {
+    Agent: new (opts: Record<string, unknown>) => unknown;
+  };
+  const verifyTls = false; // NOSONAR — intentional: only invoked when skipTlsVerify config is true
+  const dispatcher = new Agent({
+    connect: { rejectUnauthorized: verifyTls },
+  });
+  return ((input: RequestInfo | URL, init?: RequestInit) => {
+    return globalThis.fetch(input, {
+      ...init,
+      dispatcher,
+    } as RequestInit);
+  }) as typeof globalThis.fetch;
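
Review bot: The `eslint-disable-next-line ... @backstage/no-undeclared-imports` comment above `require('undici')` switches off the lint rule that reports this missing dependency; declare `undici` in `package.json` and drop the suppression rather than keeping both. The returned fetch also applies `rejectUnauthorized: false` to every request made through it, and the `NOSONAR` comment is the only record of when that is allowed, so document on the function which config key gates it and prefer accepting a CA bundle over disabling verification. Passing an `Agent` from the `undici` package to `globalThis.fetch` relies on it being compatible with the runtime's built-in fetch; using the `fetch` exported by the same `undici` package avoids that coupling.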
Evidence
createTlsSkipFetch uses require('undici'), but
@red-hat-developer-hub/backstage-plugin-augment-backend does not list undici in dependencies, so
the module may not be present when this package is installed/used independently.

workspaces/augment/plugins/augment-backend/src/services/utils/mcpClient.ts[29-43]
workspaces/augment/plugins/augment-backend/package.json[48-62]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`createTlsSkipFetch` calls `require('undici')` at runtime, but the package does not declare `undici` in its dependencies, risking runtime failure.

### Issue Context
This code path triggers when skip-TLS verification is enabled, which is explicitly supported by config.

### Fix Focus Areas
- workspaces/augment/plugins/augment-backend/src/services/utils/mcpClient.ts[29-44]
- workspaces/augment/plugins/augment-backend/package.json[48-62]

### Implementation notes
- Add `"undici": "^<appropriate version>"` to `dependencies`.
- Optionally replace `require` with a normal import once dependency is declared, and remove the eslint suppression.




Remediation recommended

4. Admin list in logs 🐞 Bug ✧ Quality
Description
The admin check logs the full adminUsers list and the requesting userRef at info level, exposing
privileged account identifiers to anyone with log access and generating unnecessary verbosity on
each admin request.
Code

workspaces/augment/plugins/augment-backend/src/middleware/security.ts[R167-175]

+    try {
+      const userRef = await getUserRef(req);
+      const isMatch = adminUsers.includes(userRef);
+      logger.info(
+        `checkIsAdmin: userRef="${userRef}", adminUsers=${JSON.stringify(
+          adminUsers,
+        )}, match=${isMatch}`,
+      );
+      return isMatch;
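
Review bot: `adminUsers.includes(userRef)` is an exact, case-sensitive string comparison, so a config entry that differs from what `getUserRef(req)` returns only in casing or in an omitted kind or namespace never matches, and the only sign of it is this log line. Normalize both sides to one canonical entity-ref form before comparing. For the `logger.info` call, log `match` and a count at debug level instead of the full `adminUsers` array on every check.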
Evidence
The middleware prints adminUsers via JSON.stringify in an info-level log line, which is
typically collected centrally and shared more broadly than security-sensitive configuration.

workspaces/augment/plugins/augment-backend/src/middleware/security.ts[168-175]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Info-level logs include the full configured admin user list and the current user ref during admin checks.

### Issue Context
This data can be sensitive (privileged account enumeration) and creates unnecessary verbosity.

### Fix Focus Areas
- workspaces/augment/plugins/augment-backend/src/middleware/security.ts[167-174]

### Implementation notes
- Change `logger.info(...)` to `logger.debug(...)`.
- Remove `adminUsers=${JSON.stringify(adminUsers)}`; replace with `adminUsersCount=${adminUsers.length}` and `match=${isMatch}` (and optionally `userRef`).
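
The redirect handling from implementation notes 1 and 2 of finding 1, as an added example that is not part of the bot's review or the PR's code. `guardedFetch`, `isBlockedIp`, the injected `Fetcher`/`Resolver` signatures and the block list are assumptions made here; DNS pinning (note 3) is not covered.

```typescript
// Added example. Fetcher/Resolver are hypothetical injected signatures so the walk runs offline.
type Resolver = (host: string) => Promise<string[]>;
type HopResponse = { status: number; headers: { get(name: string): string | null } };
type Fetcher = (url: string, init: { redirect: 'manual' }) => Promise<HopResponse>;
// Example block list (an assumption, not the project's SsrfGuard policy).
const BLOCKED_V4: Array<[string, number]> = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];
function v4ToInt(ip: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.some(o => o > 255) ? null : octets.reduce((n, o) => ((n << 8) | o) >>> 0, 0);
}
function isBlockedIp(ip: string): boolean {
  const n = v4ToInt(ip);
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const mask = (~0 << (32 - bits)) >>> 0;
      return ((n & mask) >>> 0) === (((v4ToInt(base) as number) & mask) >>> 0);
    });
  }
  const v6 = ip.toLowerCase();
  if (!v6.includes(':')) return true; // not an IP literal: fail closed
  // Loopback, unspecified, IPv4-mapped, ULA fc00::/7, link-local fe80::/10.
  return v6 === '::1' || v6 === '::' || v6.startsWith('::ffff:') ||
    /^(f[cd][0-9a-f]{2}|fe[89ab][0-9a-f]):/.test(v6);
}
// Follows redirects by hand and validates every hop before a request is sent to it.
async function guardedFetch(start: string, fetcher: Fetcher, resolve: Resolver, maxHops = 3) {
  let url = new URL(start);
  for (let hop = 0; hop <= maxHops; hop++) {
    if (!['http:', 'https:'].includes(url.protocol)) throw new Error(`blocked scheme ${url.protocol}`);
    // URL parsing has already canonicalised forms such as http://2130706433/ to 127.0.0.1.
    const host = url.hostname.replace(/^\[|\]$/g, '');
    const literal = v4ToInt(host) !== null || host.includes(':');
    const ips = literal ? [host] : await resolve(host).catch(() => [] as string[]);
    // Fail closed: a failed or empty resolution is blocked, not waved through.
    if (ips.length === 0 || ips.some(isBlockedIp)) throw new Error(`blocked at hop ${hop}: ${url.host}`);
    const res = await fetcher(url.href, { redirect: 'manual' });
    if (![301, 302, 303, 307, 308].includes(res.status)) return { res, finalUrl: url.href, hops: hop };
    const location = res.headers.get('location');
    if (!location) throw new Error(`redirect without Location at hop ${hop}`);
    url = new URL(location, url.href); // resolve a relative Location against the current hop
  }
  throw new Error('too many redirects');
}
```

The check and the connection still resolve the name separately, so this closes the redirect path but not a rebinding race between them.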




@rrbanda rrbanda force-pushed the feat/augment-workspace-v2 branch from c0f979f to 5a65089 Compare March 16, 2026 11:02

rhdh-gh-app bot commented Mar 16, 2026

⚠️ CODEOWNERS Validation Failed

The following users are listed in CODEOWNERS but are not members of the rhdh-plugins-codeowners team:

rrbanda

An org admin needs to add the missing members to the team before this PR can be merged.

rrbanda commented Mar 16, 2026

SonarCloud Hotspot Analysis

The 119 security hotspots break down as:

| Rule | Count | Description |
|---|---|---|
| S5332 | 87 | "Using http protocol is insecure" — http://localhost:7007, http://llama-stack:8321 etc. in test files and config examples |
| S5852 | 11 | Regex backtracking (review-and-dismiss for validated patterns) |
| S2245 | 2 | Pseudorandom number generator (non-crypto use) |
| Other | ~19 | Misc review items |

The 87 S5332 hits are all http:// URLs in test fixtures and app-config.yaml examples (e.g., http://localhost:7007). These cannot be changed to https:// without breaking tests or making config examples misleading. They are standard "review and dismiss" items on the SonarCloud dashboard.

Qodo bugs addressed in latest push:

  • SSRF via redirects: DocumentIngestionService.fetchUrl now uses redirect: 'manual' with SSRF re-validation on each hop
  • SSE backpressure: Event forwarder queues writes and respects drain events
  • Undeclared undici dependency: Added undici to package.json dependencies
  • Admin list in logs: Logs admin count instead of full entity ref list
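
The bounded write queue that finding 2 recommends and the reply above refers to, as an added example; it is not the PR's `chatRoutes.ts` code. `SseWriteQueue`, `Sink`, `maxQueuedChars` and `onOverflow` are hypothetical names.

```typescript
// Added example. `Sink` is a hypothetical minimal view of an HTTP response object.
type Sink = { write(chunk: string): boolean; once(event: 'drain', cb: () => void): unknown };

class SseWriteQueue {
  private queue: string[] = [];
  private queuedChars = 0;
  private waiting = false; // true between a write() that returned false and the next 'drain'
  private closed = false;
  private sink: Sink;
  private maxQueuedChars: number;
  private onOverflow: () => void;

  constructor(sink: Sink, maxQueuedChars: number, onOverflow: () => void) {
    this.sink = sink;
    this.maxQueuedChars = maxQueuedChars;
    this.onOverflow = onOverflow;
  }

  get pending(): number { return this.queue.length; }

  // Returns false once the stream has been given up because the client fell too far behind.
  send(event: unknown): boolean {
    if (this.closed) return false;
    const payload = `data: ${JSON.stringify(event)}\n\n`;
    if (this.queuedChars + payload.length > this.maxQueuedChars) {
      this.closed = true;
      this.queue = [];
      this.queuedChars = 0;
      this.onOverflow(); // caller ends the response here instead of buffering without bound
      return false;
    }
    this.queue.push(payload);
    this.queuedChars += payload.length;
    this.flush();
    return true;
  }

  private flush(): void {
    while (!this.waiting && !this.closed && this.queue.length > 0) {
      const payload = this.queue.shift() as string;
      this.queuedChars -= payload.length;
      if (!this.sink.write(payload)) {
        this.waiting = true; // one listener per stall; nothing more is written until it fires
        this.sink.once('drain', () => { this.waiting = false; this.flush(); });
      }
    }
  }
}
```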

@rrbanda rrbanda force-pushed the feat/augment-workspace-v2 branch 9 times, most recently from b9c2c4d to 74150fe Compare March 16, 2026 12:12
Introduces the augment plugin family (frontend, backend, common) under
workspaces/augment. Provides a chat interface backed by Llama Stack with
multi-agent orchestration, RAG, MCP tool calling, and configurable
safety guardrails.

Key capabilities:
- Multi-agent architecture with router, cluster-engineer, and
  product-knowledge specialist agents
- Streaming chat via SSE with conversation history
- MCP server integration for live OpenShift cluster operations
  and Red Hat knowledge platform queries
- Human-in-the-loop tool approval
- RHDH dynamic plugin support (frontend scalprum + backend)
- Configurable security modes (none, plugin-only, full)
- Response evaluation via Llama Stack Scoring API

Signed-off-by: Raghu Banda <rbanda@redhat.com>
@rrbanda rrbanda force-pushed the feat/augment-workspace-v2 branch from 74150fe to 6814749 Compare March 16, 2026 12:20
@pkliczewski
please take a look @hopehadfield @alizard0 @durandom
