Skip to content

Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.44#3110

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/org.atmosphere-atmosphere-runtime-4.0.44
Open

Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.44#3110
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/org.atmosphere-atmosphere-runtime-4.0.44

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 13, 2026

Bumps org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.44.

Release notes

Sourced from org.atmosphere:atmosphere-runtime's releases.

Atmosphere 4.0.44

Added

  • predictable-AI primitives — three framework-level capabilities that close gaps Bonér's "Herding LLMs" deck flagged for distributed-system reliability, all declared on every framework runtime so the matrix closes without @Beta shims:
    • BUDGET_ENFORCEMENT (a4fae39464) — new AiBudget value record (max input / output / total tokens, max steps, max wall clock) installed via pipeline.setDefaultBudget(...) or per-request ai.budget metadata. BudgetCapturingSession decorator slots into the AiPipeline session-decorator stack between metrics and guardrail layers; on breach it routes a typed AiBudgetExceededException extends AiException through session.error(...) and short-circuits subsequent send / usage / progress / emit / complete calls so the wire protocol's "one terminal frame" invariant holds. Distinct from org.atmosphere.ai.budget.StreamingTextBudgetManager (long-running per-tenant cumulative spend); this capability is the per-call death-spiral guard. 13 new unit tests cover every breach reason, default vs. per-request override, and the post-trip swallow. Wall-clock limits trip universally; token / step limits depend on TOKEN_USAGE (every runtime except Spring AI Alibaba honors both).
    • CONFIDENCE_SCORES (a4fae39464) — new AiConfidence record with OptionalDouble aggregate, List<TokenLogprob> tokens, and Source enum (LOGPROBS_NATIVE / MODEL_REPORTED_FIELD / HEURISTIC). StreamingSession.confidence(AiConfidence) default method auto-emits ai.confidence.aggregate / .source / .tokens metadata mirroring the usage(TokenUsage) convention; DelegatingStreamingSession gains the matching forwarding override. Universal model-reported path via the new AiConfidenceElicitation plus the ConfidenceCapturingSession decorator: pipeline appends an opt-in cue to the system prompt, decorator parses the model-emitted {"confidence": 0.x} field on stream completion (same regex shape as the existing ConfidenceThresholdGuardrail) and fires session.confidence ahead of the terminal frame. Decorator self-suppresses when a runtime already invoked confidence(...) directly with LOGPROBS_NATIVE. Skipped when structured-output mode is in play because the schema parser owns the response shape — callers add a confidence field to their record schema in that mode. 14 new unit tests cover record validation, the elicitation cue, parser fallbacks, runtime-explicit override, per-request override of the pipeline default, and the structured-output skip.
    • PASSIVATION (a4fae39464) — new AgentSnapshot record in modules/ai (persistable subset of AgentExecutionContext — message, system prompt, identity columns, history, JSON-clean metadata, response type name, reason, paused-at). New AgentPassivation static helper in modules/checkpoint with passivate(runtime, ctx, store, reason): String, resume(runtime, store, id, externalSignal, base, session), and loadSnapshot(store, id). resume merges the snapshot onto a caller-supplied base context (which carries the runtime references — tools, memory, listeners, retry policy — that don't survive a JVM restart) and re-runs runtime.execute(...); base wins on metadata-key collision so caller-injected refs (e.g. trace context) are not clobbered by stale snapshot values. Helper lives in modules/checkpoint rather than on AgentRuntime itself because modules/ai → modules/checkpoint introduces a ai → checkpoint → coordinator → ai cycle; the reverse direction is acyclic. Capability flag declared on every runtime — flag advertises "this runtime cooperates with AgentPassivation," honest because every runtime threads context.history() through its dispatch path so a resumed call observes the same conversation the paused call saw. 10 new unit tests cover snapshot round-trip, resume flow with external signal, signal-less replay of pending message, missing-checkpoint errors, metadata filtering (non-String values dropped pre-snapshot), metadata merge precedence, unique IDs across passivations, and null-arg rejection.

Changed

  • AiCapability enum gains 3 entries — total 20 capabilities (was 17). AbstractAgentRuntimeContractTest.expectedCapabilities() pin updated for all 9 framework runtimes: BuiltIn, Spring AI, LangChain4j, ADK, Embabel, Koog, AgentScope, Spring AI Alibaba, Semantic Kernel. BuiltInAgentRuntime capability count test bumped from 13 to 16. Capability matrix in modules/ai/README.md extended with BE / CS / PSV columns plus a "Predictable-AI primitives" section documenting each capability's decorator placement, source enum, and runtime-by-runtime caveats (Spring AI Alibaba's BUDGET_ENFORCEMENT is wall-clock-only because the runtime does not surface TOKEN_USAGE).

Tests

  • Playwright e2e coverage for the predictable-AI primitives (4be20c240c) — ai-budget-circuit-breaker.spec.ts, ai-confidence-elicitation.spec.ts, ai-passivation.spec.ts exercise the full AiPipeline session-decorator stack through Atmosphere's wire transport. Each spec drives a dedicated test handler (BudgetCircuitBreakerTestHandler / ConfidenceElicitationTestHandler / PassivationTestHandler) registered in AiFeatureTestServer so the harness sees AiBudgetExceededException on the wire's error frame, the ai.confidence.aggregate / .source / .tokens metadata frames the confidence(...) default sink emits, and the snapshot/resume round-trip across two sequential WebSocket connections. modules/integration-tests/pom.xml bumps atmosphere-checkpoint from test to compile scope so PassivationTestHandler can call AgentPassivation directly. modules/integration-tests/playwright.config.ts registers the three new spec project entries.

Fixed

  • CLI standalone-scaffold compile against the released parent POM (7383eb0ee2) — twenty samples/spring-boot-*/pom.xml files now declare <netty.version>4.2.13.Final</netty.version> in their own <properties> block so the sample is self-contained: scaffold-then-compile against the released org.atmosphere:atmosphere-project:4.0.43 parent (which predates the netty bump and therefore does not declare netty.version) no longer fails with Non-resolvable import POM: io.netty:netty-bom:pom:${netty.version}. cli/e2e-test-cli-runtime.sh also fixes a long-standing comment-vs-code drift: the script was exporting ATMOSPHERE_CLI_VERSION while cli/atmosphere only ever read ATMOSPHERE_VERSION_OVERRIDE, so the SNAPSHOT-against-SNAPSHOT lane silently degraded to release-pin coverage. Renaming the export aligns the script with the CLI's actual contract.

Atmosphere 4.0.43

Added

  • per-request runtime extension helpers (f1493c3f9c) — small attach(context, ...) / from(context) helpers (modeled on the existing CacheHint) that let callers stash framework-native composition objects in AgentExecutionContext.metadata(), so a runtime can apply them per-request without growing the unified AgentRuntime SPI with framework-specific knobs. Runtimes covered: SpringAiAdvisors (Spring AI Advisor chain — RAG / memory / guardrails / observability), LangChain4jAiServices (LangChain4j AiServices / TokenStream), KoogStrategy (Koog AIAgentGraphStrategy DSL), AdkRootAgent (ADK BaseAgent / SequentialAgent / ParallelAgent / LoopAgent topology), and ToolLoopPolicies (per-request ToolLoopPolicy honored by BuiltInAgentRuntime's OpenAI-compatible tool loop). The other shipped runtimes (AgentScope, Embabel, SemanticKernel, SpringAiAlibaba) do not yet have a per-request bridge — Embabel got native streaming via StreamingPromptRunnerBuilder.streaming().generateStream() in the same merge but no sidecar. Also added: AgentLifecycleListener.onModelStart / onModelEnd / onModelError hooks with fireXxx fan-out helpers, and AiEventForwardingListener adapter that translates lifecycle hooks to wire-format AiEvent.Progress frames (opt-in via context.withListeners(...)). Each bridge ships with a unit-level *BridgeTest proving the runtime honors the sidecar.

Fixed

  • Quarkus extension closes the /api/console/info parity gap — the bundled Atmosphere Console UI gets the same subtitle / endpoint / runtime / mode payload it gets from the Spring Boot starter, instead of falling through to the Vue defaults on a 404. New AtmosphereConsoleInfoServlet (HttpServlet, registered at build time via a second ServletBuildItem mapped to /api/console/info) reuses the same package-prefix mode-detection heuristic as AtmosphereConsoleInfoEndpoint (org.atmosphere.{ai,agent,coordinator}.*"ai", anything else including ManagedAtmosphereHandler"broadcast"). Endpoint auto-detection prefers the canonical /atmosphere/ai-chat when registered (samples like quarkus-ai-chat ship multiple @AiEndpoints), then /atmosphere/agent/*, then any other /atmosphere/*. New config keys quarkus.atmosphere.console-subtitle and quarkus.atmosphere.console-endpoint mirror the Spring atmosphere.console-subtitle / atmosphere.console-endpoint properties. JSON is hand-rolled so the runtime POM stays Jackson-free; AgentRuntimeResolver is reached via reflection so the servlet keeps no compile-time link to modules/ai. Empirically verified in chrome-devtools against quarkus-ai-chat/api/console/info now returns {"subtitle":"Runtime: langchain4j","endpoint":"/atmosphere/ai-chat","runtime":"langchain4j","mode":"ai"}, the Vue Console shows the runtime label in the header subtitle, and the cross-tab isolation matrix continues to pass on the Quarkus leg.
  • bundled Atmosphere Console now auto-detects AI vs. broadcast endpoints (c1e8e36c7b) — /api/console/info adds a mode field ("ai" for @AiEndpoint / @Agent / @Coordinator, "broadcast" for @ManagedService chats); AtmosphereConsoleInfoEndpoint#detectMode classifies via the registered handler's package prefix (org.atmosphere.{ai,agent,coordinator}.* → ai, everything else including ManagedAtmosphereHandler → broadcast), so the check stays compile-time independent of modules/ai and modules/agent. The Vue frontend swaps empty-state copy ("Start a conversation" + "AI assistant" → "Start a broadcast" + "every connected client on this endpoint will receive it") and the default subtitle ("Runtime: " → "Multi-client broadcast chat") based on the detected mode. Closes the misleading-UI half of the cross-tab leak follow-up: pre-fix, spring-boot-mcp-server and spring-boot-otel-chat rendered the AI-assistant copy despite being broadcast-shared by design. Empirically verified in chrome-devtools against both broadcast samples and spring-boot-ai-chat. Per-sample atmosphere.console-subtitle overrides still win over the mode-aware default. 5 new contract tests in AtmosphereConsoleInfoEndpointModeTest pin the four classification paths plus the override interaction.
  • cross-tab isolation matrix extended from 11 → 15 samples (c1e8e36c7b) — adds quarkus-ai-chat (cross-runtime parity, proves the targeted-dispatch fix from 1fbb0958f0 survives Quarkus's distinct QuarkusJSR356AsyncSupport path), spring-boot-checkpoint-agent (@Coordinator with analyzer/approver fleet + checkpoint store), spring-boot-ms-governance-chat (@AiEndpoint with @AgentScope classification interceptors stacked in front), and spring-boot-channels-chat (omnichannel @AiEndpoint with Telegram/Slack/WhatsApp/Messenger channel-bridge adapters). New fixture entries in e2e/fixtures/sample-server.ts for the checkpoint and ms-governance samples; quarkus-ai-chat reuses the existing fixture. Out-of-scope docstring corrected to remove spring-boot-channels-chat (it's actually an isolated @AiEndpoint, not a broadcast chat) and to explicitly tag spring-boot-a2a-agent as out-of-scope (A2A JSON-RPC has no two-tab Console scenario). All 15 cases pass locally in 3.5m.
  • OpenAiCompatibleClient Javadoc placement broke JDK 26 strict mode (28703ea064) — two stacked Javadoc blocks on forwardResponsesApiUsage raised documentation comment is not attached to any declaration under -Xlint:all -Werror on JDK 26 (silent on JDK 21). Merged into a single coherent block; CI: Core (JDK 21/26) green.
  • cli/samples.json and cli/atmosphere template map referenced deleted spring-boot-embabel-chat sample (3a9373e875) — cli/test-cli.sh failed with "samples missing README.md: spring-boot-embabel-chat". Entry removed from samples.json + template-map case statement.

Atmosphere 4.0.42

Added

  • atmosphere-verifier — plan-and-verify (Meijer "Guardians of the Agents") New module modules/verifier/ + sample samples/spring-boot-guarded-email-agent/ — sealed Workflow AST, ServiceLoader-discovered PlanVerifier chain (Allowlist/WellFormed/Capability/Taint/Automaton/SmtChecker SPI), @​Sink + @​RequiresCapability scanners, PlanAndVerify orchestrator, WorkflowExecutor with partial-env on failure, verify CLI; sample REST + UI exercises the inbox-exfiltration scenario end-to-end (refused before any tool fires) — 74 unit + 4 boot + 6 Playwright tests, all CI green on the feature branch.

Fixed

  • fail-closed verifier empty-chain, JSON-escape govern. deny, deflake wasync PlanAndVerify.withDefaults + VerifyCli runChain throw / emit chain-empty violations when ServiceLoader yields no providers (P1: silent fail-open under shading / native-image / fat-jar relocation); governance-deny tool result routes every interpolated field through ToolBridgeUtils.escapeJson via a new buildGovernanceDenyJson helper (P2: backslash/newline/control char break); ChatIntegrationTest.socketStatusTransitions polls for status transition rather than asserting in the same instant the OPEN handler fires (release-pipeline timing flake). 5 new verifier tests + 6 governance-JSON tests.

Changed

  • drop org.json:json — Jackson 3 only (CVE hygiene) RoomProtocolCodec + SimpleRestInterceptor migrated to tools.jackson; brace-balanced reader preserves SwaggerSocket header/body chunk semantics; ALLOW_SINGLE_QUOTES kept for wire compatibility; org.json removed from parent + 3 spring-boot samples.
  • bump version to 4.0.41
  • prepare for next development iteration 4.0.42-SNAPSHOT

... (truncated)

Changelog

Sourced from org.atmosphere:atmosphere-runtime's changelog.

[4.0.44] - 2026-05-08

Added

  • predictable-AI primitives — three framework-level capabilities that close gaps Bonér's "Herding LLMs" deck flagged for distributed-system reliability, all declared on every framework runtime so the matrix closes without @Beta shims:
    • BUDGET_ENFORCEMENT (a4fae39464) — new AiBudget value record (max input / output / total tokens, max steps, max wall clock) installed via pipeline.setDefaultBudget(...) or per-request ai.budget metadata. BudgetCapturingSession decorator slots into the AiPipeline session-decorator stack between metrics and guardrail layers; on breach it routes a typed AiBudgetExceededException extends AiException through session.error(...) and short-circuits subsequent send / usage / progress / emit / complete calls so the wire protocol's "one terminal frame" invariant holds. Distinct from org.atmosphere.ai.budget.StreamingTextBudgetManager (long-running per-tenant cumulative spend); this capability is the per-call death-spiral guard. 13 new unit tests cover every breach reason, default vs. per-request override, and the post-trip swallow. Wall-clock limits trip universally; token / step limits depend on TOKEN_USAGE (every runtime except Spring AI Alibaba honors both).
    • CONFIDENCE_SCORES (a4fae39464) — new AiConfidence record with OptionalDouble aggregate, List<TokenLogprob> tokens, and Source enum (LOGPROBS_NATIVE / MODEL_REPORTED_FIELD / HEURISTIC). StreamingSession.confidence(AiConfidence) default method auto-emits ai.confidence.aggregate / .source / .tokens metadata mirroring the usage(TokenUsage) convention; DelegatingStreamingSession gains the matching forwarding override. Universal model-reported path via the new AiConfidenceElicitation plus the ConfidenceCapturingSession decorator: pipeline appends an opt-in cue to the system prompt, decorator parses the model-emitted {"confidence": 0.x} field on stream completion (same regex shape as the existing ConfidenceThresholdGuardrail) and fires session.confidence ahead of the terminal frame. Decorator self-suppresses when a runtime already invoked confidence(...) directly with LOGPROBS_NATIVE. Skipped when structured-output mode is in play because the schema parser owns the response shape — callers add a confidence field to their record schema in that mode. 14 new unit tests cover record validation, the elicitation cue, parser fallbacks, runtime-explicit override, per-request override of the pipeline default, and the structured-output skip.
    • PASSIVATION (a4fae39464) — new AgentSnapshot record in modules/ai (persistable subset of AgentExecutionContext — message, system prompt, identity columns, history, JSON-clean metadata, response type name, reason, paused-at). New AgentPassivation static helper in modules/checkpoint with passivate(runtime, ctx, store, reason): String, resume(runtime, store, id, externalSignal, base, session), and loadSnapshot(store, id). resume merges the snapshot onto a caller-supplied base context (which carries the runtime references — tools, memory, listeners, retry policy — that don't survive a JVM restart) and re-runs runtime.execute(...); base wins on metadata-key collision so caller-injected refs (e.g. trace context) are not clobbered by stale snapshot values. Helper lives in modules/checkpoint rather than on AgentRuntime itself because modules/ai → modules/checkpoint introduces a ai → checkpoint → coordinator → ai cycle; the reverse direction is acyclic. Capability flag declared on every runtime — flag advertises "this runtime cooperates with AgentPassivation," honest because every runtime threads context.history() through its dispatch path so a resumed call observes the same conversation the paused call saw. 10 new unit tests cover snapshot round-trip, resume flow with external signal, signal-less replay of pending message, missing-checkpoint errors, metadata filtering (non-String values dropped pre-snapshot), metadata merge precedence, unique IDs across passivations, and null-arg rejection.

Changed

  • AiCapability enum gains 3 entries — total 20 capabilities (was 17). AbstractAgentRuntimeContractTest.expectedCapabilities() pin updated for all 9 framework runtimes: BuiltIn, Spring AI, LangChain4j, ADK, Embabel, Koog, AgentScope, Spring AI Alibaba, Semantic Kernel. BuiltInAgentRuntime capability count test bumped from 13 to 16. Capability matrix in modules/ai/README.md extended with BE / CS / PSV columns plus a "Predictable-AI primitives" section documenting each capability's decorator placement, source enum, and runtime-by-runtime caveats (Spring AI Alibaba's BUDGET_ENFORCEMENT is wall-clock-only because the runtime does not surface TOKEN_USAGE).

Tests

  • Playwright e2e coverage for the predictable-AI primitives (4be20c240c) — ai-budget-circuit-breaker.spec.ts, ai-confidence-elicitation.spec.ts, ai-passivation.spec.ts exercise the full AiPipeline session-decorator stack through Atmosphere's wire transport. Each spec drives a dedicated test handler (BudgetCircuitBreakerTestHandler / ConfidenceElicitationTestHandler / PassivationTestHandler) registered in AiFeatureTestServer so the harness sees AiBudgetExceededException on the wire's error frame, the ai.confidence.aggregate / .source / .tokens metadata frames the confidence(...) default sink emits, and the snapshot/resume round-trip across two sequential WebSocket connections. modules/integration-tests/pom.xml bumps atmosphere-checkpoint from test to compile scope so PassivationTestHandler can call AgentPassivation directly. modules/integration-tests/playwright.config.ts registers the three new spec project entries.

Fixed

  • CLI standalone-scaffold compile against the released parent POM (7383eb0ee2) — twenty samples/spring-boot-*/pom.xml files now declare <netty.version>4.2.13.Final</netty.version> in their own <properties> block so the sample is self-contained: scaffold-then-compile against the released org.atmosphere:atmosphere-project:4.0.43 parent (which predates the netty bump and therefore does not declare netty.version) no longer fails with Non-resolvable import POM: io.netty:netty-bom:pom:${netty.version}. cli/e2e-test-cli-runtime.sh also fixes a long-standing comment-vs-code drift: the script was exporting ATMOSPHERE_CLI_VERSION while cli/atmosphere only ever read ATMOSPHERE_VERSION_OVERRIDE, so the SNAPSHOT-against-SNAPSHOT lane silently degraded to release-pin coverage. Renaming the export aligns the script with the CLI's actual contract.

[4.0.43] - 2026-05-06

Added

  • per-request runtime extension helpers — small attach(context, ...) / from(context) helpers (modeled on the existing CacheHint) that let callers stash framework-native composition objects in AgentExecutionContext.metadata(), so a runtime can apply them per-request without growing the unified AgentRuntime SPI with framework-specific knobs. The matrix closes on 4.0.43: all eight framework runtimes have a sidecar — SpringAiAdvisors (Spring AI Advisor chain — RAG / memory / guardrails / observability), LangChain4jAiServices (LangChain4j AiServices / TokenStream), KoogStrategy (Koog AIAgentGraphStrategy DSL), AdkRootAgent (ADK BaseAgent / SequentialAgent / ParallelAgent / LoopAgent topology), EmbabelPromptRunner (UnaryOperator<PromptRunner> customizer applied AFTER default wiring), AgentScopeAgent (per-request ReActAgent), SemanticKernelInvocation (per-request InvocationContext — unlocks KernelHooks, withMaxAutoInvokeAttempts, custom PromptExecutionSettings), SpringAiAlibabaRunnableConfig (per-request Alibaba RunnableConfig for threadId/checkPointId/streamMode/metadata/store), plus the cross-runtime ToolLoopPolicies honored by BuiltInAgentRuntime's OpenAI-compatible tool loop. Initial five sidecars landed via f1493c3f9c; the remaining four runtimes plus the lifecycle hook fan-out below landed via eec98890fe. Also added: AgentLifecycleListener.onModelStart / onModelEnd / onModelError hooks with fireXxx fan-out helpers wired in all 8 framework runtimes (was Built-in only), and AiEventForwardingListener adapter that translates lifecycle hooks to wire-format AiEvent.Progress frames (opt-in via context.withListeners(...)). Each bridge ships with a unit-level *BridgeTest proving the runtime honors the sidecar.

Fixed

  • Quarkus extension closes the /api/console/info parity gap — the bundled Atmosphere Console UI gets the same subtitle / endpoint / runtime / mode payload it gets from the Spring Boot starter, instead of falling through to the Vue defaults on a 404. New AtmosphereConsoleInfoServlet (HttpServlet, registered at build time via a second ServletBuildItem mapped to /api/console/info) reuses the same package-prefix mode-detection heuristic as AtmosphereConsoleInfoEndpoint (org.atmosphere.{ai,agent,coordinator}.*"ai", anything else including ManagedAtmosphereHandler"broadcast"). Endpoint auto-detection prefers the canonical /atmosphere/ai-chat when registered (samples like quarkus-ai-chat ship multiple @AiEndpoints), then /atmosphere/agent/*, then any other /atmosphere/*. New config keys quarkus.atmosphere.console-subtitle and quarkus.atmosphere.console-endpoint mirror the Spring atmosphere.console-subtitle / atmosphere.console-endpoint properties. JSON is hand-rolled so the runtime POM stays Jackson-free; AgentRuntimeResolver is reached via reflection so the servlet keeps no compile-time link to modules/ai. Empirically verified in chrome-devtools against quarkus-ai-chat/api/console/info now returns {"subtitle":"Runtime: langchain4j","endpoint":"/atmosphere/ai-chat","runtime":"langchain4j","mode":"ai"}, the Vue Console shows the runtime label in the header subtitle, and the cross-tab isolation matrix continues to pass on the Quarkus leg.
  • bundled Atmosphere Console now auto-detects AI vs. broadcast endpoints (c1e8e36c7b) — /api/console/info adds a mode field ("ai" for @AiEndpoint / @Agent / @Coordinator, "broadcast" for @ManagedService chats); AtmosphereConsoleInfoEndpoint#detectMode classifies via the registered handler's package prefix (org.atmosphere.{ai,agent,coordinator}.* → ai, everything else including ManagedAtmosphereHandler → broadcast), so the check stays compile-time independent of modules/ai and modules/agent. The Vue frontend swaps empty-state copy ("Start a conversation" + "AI assistant" → "Start a broadcast" + "every connected client on this endpoint will receive it") and the default subtitle ("Runtime: " → "Multi-client broadcast chat") based on the detected mode. Closes the misleading-UI half of the cross-tab leak follow-up: pre-fix, spring-boot-mcp-server and spring-boot-otel-chat rendered the AI-assistant copy despite being broadcast-shared by design. Empirically verified in chrome-devtools against both broadcast samples and spring-boot-ai-chat. Per-sample atmosphere.console-subtitle overrides still win over the mode-aware default. 5 new contract tests in AtmosphereConsoleInfoEndpointModeTest pin the four classification paths plus the override interaction.
  • cross-tab isolation matrix extended from 11 → 15 samples (c1e8e36c7b) — adds quarkus-ai-chat (cross-runtime parity, proves the targeted-dispatch fix from 1fbb0958f0 survives Quarkus's distinct QuarkusJSR356AsyncSupport path), spring-boot-checkpoint-agent (@Coordinator with analyzer/approver fleet + checkpoint store), spring-boot-ms-governance-chat (@AiEndpoint with @AgentScope classification interceptors stacked in front), and spring-boot-channels-chat (omnichannel @AiEndpoint with Telegram/Slack/WhatsApp/Messenger channel-bridge adapters). New fixture entries in e2e/fixtures/sample-server.ts for the checkpoint and ms-governance samples; quarkus-ai-chat reuses the existing fixture. Out-of-scope docstring corrected to remove spring-boot-channels-chat (it's actually an isolated @AiEndpoint, not a broadcast chat) and to explicitly tag spring-boot-a2a-agent as out-of-scope (A2A JSON-RPC has no two-tab Console scenario). All 15 cases pass locally in 3.5m.
  • OpenAiCompatibleClient Javadoc placement broke JDK 26 strict mode (28703ea064) — two stacked Javadoc blocks on forwardResponsesApiUsage raised documentation comment is not attached to any declaration under -Xlint:all -Werror on JDK 26 (silent on JDK 21). Merged into a single coherent block; CI: Core (JDK 21/26) green.
  • cli/samples.json and cli/atmosphere template map referenced deleted spring-boot-embabel-chat sample (3a9373e875) — cli/test-cli.sh failed with "samples missing README.md: spring-boot-embabel-chat". Entry removed from samples.json + template-map case statement.

[4.0.42] - 2026-05-01

Added

  • atmosphere-verifier — plan-and-verify (Meijer "Guardians of the Agents") New module modules/verifier/ + sample samples/spring-boot-guarded-email-agent/ — sealed Workflow AST, ServiceLoader-discovered PlanVerifier chain (Allowlist/WellFormed/Capability/Taint/Automaton/SmtChecker SPI), @​Sink + @​RequiresCapability scanners, PlanAndVerify orchestrator, WorkflowExecutor with partial-env on failure, verify CLI; sample REST + UI exercises the inbox-exfiltration scenario end-to-end (refused before any tool fires) — 74 unit + 4 boot + 6 Playwright tests, all CI green on the feature branch.

Fixed

  • fail-closed verifier empty-chain, JSON-escape govern. deny, deflake wasync PlanAndVerify.withDefaults + VerifyCli runChain throw / emit chain-empty violations when ServiceLoader yields no providers (P1: silent fail-open under shading / native-image / fat-jar relocation); governance-deny tool result routes every interpolated field through ToolBridgeUtils.escapeJson via a new buildGovernanceDenyJson helper (P2: backslash/newline/control char break); ChatIntegrationTest.socketStatusTransitions polls for status transition rather than asserting in the same instant the OPEN handler fires (release-pipeline timing flake). 5 new verifier tests + 6 governance-JSON tests.

Changed

  • drop org.json:json — Jackson 3 only (CVE hygiene) RoomProtocolCodec + SimpleRestInterceptor migrated to tools.jackson; brace-balanced reader preserves SwaggerSocket header/body chunk semantics; ALLOW_SINGLE_QUOTES kept for wire compatibility; org.json removed from parent + 3 spring-boot samples.
  • bump version to 4.0.41
  • prepare for next development iteration 4.0.42-SNAPSHOT

... (truncated)

Commits
  • b05a0e5 release: Atmosphere 4.0.44
  • b175f5f fix(js): bump vi.waitFor timeout to 5s in 4 webtransport reconnect tests
  • 9341600 docs(changelog): cite squash hash + add e2e and CI-fix entries
  • 558f696 docs: add Honesty and Integrity guardrails to AGENTS.md
  • 7383eb0 fix(ci): self-contained netty.version + correct env-var name in CLI e2e
  • 4be20c2 test(ai): playwright e2e coverage for budget breaker, confidence, passivation
  • a4fae39 feat(ai): predictable-AI primitives — budget, confidence, passivation
  • 3944171 feat(mcp-client): outbound MCP — agents consume remote MCP server tools acros...
  • e3b4aaf ci(dependabot): ignore org.json:json security advisories
  • 0a5e101 test(ai): eliminate 10 contract-test skips + fix flaky cache threading test
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.44
eccb464 
Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 3.1.0 to 4.0.44.
- [Release notes](https://github.com/Atmosphere/atmosphere/releases)
- [Changelog](https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md)
- [Commits](Atmosphere/atmosphere@atmosphere-project-3.1.0...atmosphere-4.0.44)

---
updated-dependencies:
- dependency-name: org.atmosphere:atmosphere-runtime
  dependency-version: 4.0.44
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels May 13, 2026
@dependabot dependabot Bot mentioned this pull request May 13, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update Java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants