Release 0.4.13 — Workflow Service and Default Agent

Released: 2026-05-18
Chart: oci://ghcr.io/cnoe-io/charts/ai-platform-engineering:0.4.13
Previous release: 0.4.12

Highlights

0.4.13 introduces the Workflow Service — a multi-step orchestration engine with a ReactFlow visual editor, fire-and-forget execution, HITL interrupts, and config-driven seeding that runs natively inside the Next.js UI. It also adds a configurable default agent so new chats can open against a chosen dynamic agent instead of the supervisor, an AI Review module that grades skills and agent prompts against an admin rubric, and a curl builtin tool for dynamic agents to call write APIs. Security hardening closes a class of SSRF-prone URL fetches across RAG ingestion and agent fetch tools.

What's New

Workflow Service

  • Workflow editor and execution engine — new ReactFlow-based visual editor with step configuration, YAML export/import, and template-variable support; a fire-and-forget execution engine with step context injection, artifact capture (user_prompt.txt, tool_calls.txt, agent_output.txt), error.txt detection, and human-in-the-loop interrupt/resume (#1418)
  • Config-driven seeding — workflows defined in app-config.yaml are upserted on startup as read-only (lock icon, disabled forms, warning banner) (#1418)
  • Workflow tools for agents — dynamic agents can trigger and monitor workflows via builtin tools; runs surface as cards with status badges (pending, running, waiting_for_input, completed, failed, cancelled), auto-expiry, and file cleanup (#1418)
  • Langfuse session grouping — workflow steps are grouped under a single Langfuse session for end-to-end observability (#1418)
  • Feature gating — the Workflows tab is gated behind WORKFLOWS_ENABLED and the Task Builder tab behind TASK_BUILDER_ENABLED, so both stay hidden unless explicitly turned on (#1418)

Configurable Default Agent

  • Default agent for new chats — an admin-only Settings dropdown (and the new DEFAULT_AGENT_ID Helm key) lets you bootstrap new chats against a specific dynamic agent. Resolution order is MongoDB platform_config → DEFAULT_AGENT_ID env var → supervisor fallback, so existing deployments are unaffected by default (#1441)

AI Review

  • Skill and agent prompt grading — a new AI Review module grades skill SKILL.md files and dynamic-agent system prompts against an admin-configurable rubric. Each criterion runs as its own LLM call, verdicts aggregate into a weighted A–F score, and results surface as GitHub-style inline comments with click-to-apply fixes. Reviews are hash-cached so unchanged content reuses the prior verdict (#1433)

Dynamic Agents

  • curl builtin tool — dynamic agents can now make PUT/POST/PATCH/DELETE calls (the existing fetch_url tool is GET-only). Disabled by default and gated behind the same domain ACL and https-only guards as fetch_url; enable via builtin_tools.curl.enabled: true (#1413)

RAG

  • Slack retention window fix — Slack documents now anchor fresh_until to the message post time (message_ts + lookback_days) instead of ingestion time, giving a true rolling retention window instead of expiring historical messages ~36h after ingestion (#1435)

Bug Fixes

  • rag: expand the default trusted network CIDRs and remove the init-failure sleep (#1435)
  • slack-bot: skip bot thread replies to prevent duplicate responses (#1417)
  • dynamic-agents: emit TOOL_CALL_RESULT for MCP tools that return list-type content (#1418)

Security

  • SSRF hardening — public-routable host validation added to RAG sanitize_url, dynamic-agent fetch_url, the shared multi-agent fetch_url_tool, and the new curl tool; hostnames resolving to private, link-local, CGNAT, loopback, or reserved IPs are rejected. Redirect following is now validated per-hop, and a SSRFProtectionMiddleware was added to the Scrapy downloader pipeline so redirect-generated requests are blocked too (#1431)
  • Dependency CVE bumps — upgraded cnoe-agent-utils to 0.4.0, fixed a langchain-openai CVE, and refreshed vulnerable Python/npm dependency locks to clear Dependabot alerts (#1418)
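
The host validation and per-hop redirect check described in the SSRF hardening item above, as an added Python example. It is not the project's code: is_public_ip, check_url, follow_checked, the fetch callable and the SAMPLE_DNS table are names assumed here for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598; not covered by is_private
# Constructed DNS answers (not real records) so the example can run offline.
SAMPLE_DNS = {"public.example": ["8.8.8.8"], "meta.example": ["169.254.169.254"],
              "mixed.example": ["8.8.8.8", "10.0.0.5"]}

def is_public_ip(addr: str) -> bool:
    """True only for addresses outside the ranges the release note lists."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its embedded IPv4 address
    if ip in CGNAT:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast or ip.is_unspecified)

def system_resolver(host: str) -> list[str]:
    """Every address the name resolves to (A and AAAA)."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]

def check_url(url: str, resolver=system_resolver) -> None:
    """Raise ValueError unless url is https and all resolved addresses are public."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"blocked (scheme or host): {url}")
    addrs = resolver(parts.hostname)
    # One private answer among public ones is enough to reject the host.
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError(f"blocked (non-public address): {url}")

def follow_checked(url, fetch, resolver=system_resolver, max_hops=5):
    """Follow redirects by hand, validating each hop before it is requested.
    fetch(url) -> (status, location, body) is hypothetical and must not redirect."""
    for _ in range(max_hops + 1):
        check_url(url, resolver)
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)
            continue
        return url, body
    raise ValueError("too many redirects")
```

Because an HTTP client resolves the hostname again when it connects, a check like this is strongest when the connection is also pinned to the address that was validated.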

Breaking Changes

No breaking changes. Drop-in upgrade from 0.4.12.

Known Issues

None known at this time.

Upgrade

helm upgrade ai-platform-engineering \
  oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
  --version 0.4.13 \
  -f your-values.yaml

Upgrade Guide: 0.4.12 → 0.4.13

Overview

0.4.13 is a drop-in upgrade. The only Helm values change is a single new optional key (DEFAULT_AGENT_ID) that defaults to empty and preserves existing behaviour — new chats continue to open against the supervisor unless you opt in. The Workflows and Task Builder tabs are gated behind env-var feature flags and stay hidden until enabled.

Helm Values Changes

One new optional field was added under caipe-ui.config. No existing keys were renamed, removed, or changed.

New Optional: Default Agent

Env Var / Key | Default | Description
DEFAULT_AGENT_ID | "" (supervisor) | Bootstrap default agent for new chats. Set to a dynamic agent ID to pre-configure the default without manual admin action. Overridden at runtime by Admin → Settings.

To pre-configure a default agent at deploy time:

caipe-ui:
  config:
    DEFAULT_AGENT_ID: "<dynamic-agent-id>"

A runtime value set via Admin → Settings (stored in the MongoDB platform_config collection) takes precedence over this env var.

Optional: Feature Flags

The Workflows and Task Builder tabs are off by default. Enable them through the UI config when ready:

caipe-ui:
  config:
    WORKFLOWS_ENABLED: "true"
    TASK_BUILDER_ENABLED: "true"

Data Migrations

No MongoDB schema or data migrations are required. The platform_config and workflow collections self-initialize on first use.

Upgrade Runbook

1. Update chart version

helm upgrade ai-platform-engineering \
  oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
  --version 0.4.13 \
  -f your-values.yaml

2. (Optional) Configure default agent and feature flags

Add DEFAULT_AGENT_ID to caipe-ui.config to bootstrap a default agent, and/or set WORKFLOWS_ENABLED / TASK_BUILDER_ENABLED to surface those tabs.

3. Verify

kubectl get pods -n <namespace>

Full Values Diff

Raw diff (0.4.12 → 0.4.13)
--- values-0.4.12.yaml
+++ values-0.4.13.yaml
@@ -686,6 +686,10 @@
config:
# CAIPE Supervisor URL - automatically configured to use the supervisor-agent service
A2A_BASE_URL: "http://ai-platform-engineering-supervisor-agent:8000"
+ # Bootstrap default agent for new chats. Overridden at runtime by Admin → Settings UI.
+ # Set to a dynamic agent ID to pre-configure the default without manual admin action.
+ # Leave empty to use the supervisor (Platform Engineer) as default.
+ DEFAULT_AGENT_ID: ""
# Skills template directory (mounted from ConfigMap)
SKILLS_DIR: "/app/data/skills"
# Live-skills skill template (mounted from ConfigMap "skills-live-skills").
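
Review bot: the comment block above the added DEFAULT_AGENT_ID: "" line does not say what happens when the configured ID matches no existing dynamic agent, so a typo in values could change where new chats open without any visible signal. Suggest adding one comment line that states the behaviour for an unknown ID, and making explicit that editing this key has no effect once a value has been set through Admin → Settings.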