Release 0.4.8 — AWS MCP Server and PSS Baseline
Released: 2026-05-06
Chart: oci://ghcr.io/cnoe-io/charts/ai-platform-engineering:0.4.8
Previous release: 0.4.7
Highlights
0.4.8 introduces a new AWS MCP server, configurable call-limit middlewares for the supervisor, and Kubernetes Pod Security Standards Baseline compliance across all Helm charts. A tracing fix resolves silent OTLP batch drops to Langfuse caused by oversized spans, and several long-standing compatibility and correctness bugs are resolved.
What's New
AWS MCP Server
- mcp-aws agent — new FastMCP server exposing aws_cli_execute and eks_kubectl_execute as MCP tools over HTTP/SSE; supports opt-in INSTALL_AWS_CLI=true / INSTALL_KUBECTL=true Docker build args; automatically built as ghcr.io/cnoe-io/mcp-aws (#1324)
Supervisor Call-Limit Middlewares
- ToolCallLimitMiddleware — caps total tool invocations per run via TOOL_CALL_LIMIT env var; prevents agents from hammering external tools in a loop
- ModelCallLimitMiddleware — caps total LLM inference calls per run via MODEL_CALL_LIMIT env var; prevents infinite reasoning loops
- SummarizationMiddleware (opt-in) — compresses conversation history when approaching token/message thresholds; uses the same model as the supervisor
- All limits individually toggleable and configurable via env vars / Helm configmap (#1319)
Kubernetes Pod Security Standards
- PSS Baseline compliance — all Helm chart subcharts now set default securityContext satisfying the PSS Baseline profile; Restricted profile requirements met except readOnlyRootFilesystem (left false for agents that write to the filesystem at runtime) (#1337)
Skills Gateway
- Admin scan override — force-trigger a skills scan from the admin UI without waiting for the scheduled interval
- Hub-crawl pagination and caps — GitLab tree API now paginated up to max_tree_pages; GitHub truncated: true flag detected; both providers surface truncation status in the UI
- Live crawl console — real-time crawl output visible in the admin UI (#1338)
Bug Fixes
- tracing: surgical content scrubbing in a new SkillScrubberSpanProcessor removes skill/workflow content from OTLP spans before export; hard cap on span attribute size prevents 413 drops to Langfuse (#1330)
- mcp: remove trailing slash from default HTTP MCP path — FastMCP issues a 307 redirect for /mcp/; streamable-http clients do not follow redirects, causing tool-load failures on startup (#1339)
- ui: suppress synthetic "Task <status> (ID: ...)" filler messages in chat — these placeholders from A2A Task events with no artifacts were showing as actual agent output (#1275)
- slack-bot: use correct Slack mention syntax for subteam/usergroup IDs (<!subteam^{id}>) vs individual users (<@{id}>) in escalation messages (#1341)
- setup: replace bash 4+ case conversion (${var,,}) with POSIX-compatible tr — fixes silent failures on macOS bash 3.2 for back-navigation and "all" agent selection (#1340)
Breaking Changes
No breaking changes. Drop-in upgrade from 0.4.7.
Known Issues
None known at this time.
Upgrade
helm upgrade ai-platform-engineering \
oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
--version 0.4.8 \
-f your-values.yaml
Upgrade Guide: 0.4.7 → 0.4.8
Overview
0.4.8 adds the AWS MCP server, supervisor call-limit middlewares, and Kubernetes PSS Baseline security contexts across all charts. No Helm values changes are required for existing deployments — the new middlewares default to disabled and PSS security contexts are applied automatically.
Helm Values Changes
No breaking Helm values changes between 0.4.7 and 0.4.8. Drop-in upgrade — no values.yaml edits required.
New Optional: Supervisor Call Limits
Two new environment variables (configurable via supervisor-agent.config in your values file) control per-run limits:
| Env Var | Default | Description |
|---|---|---|
| TOOL_CALL_LIMIT | 0 (disabled) | Max tool invocations per run; 0 = unlimited |
| MODEL_CALL_LIMIT | 0 (disabled) | Max LLM inference calls per run; 0 = unlimited |
| SUMMARIZATION_ENABLED | false | Enable history summarization when approaching token limits |
To enable limits in your values.yaml:
supervisor-agent:
  config:
    TOOL_CALL_LIMIT: "50"
    MODEL_CALL_LIMIT: "20"
PSS Baseline Security Contexts
All chart subcharts now set default securityContext values satisfying the Kubernetes PSS Baseline profile. Operators whose custom policy requires readOnlyRootFilesystem: true should note that the charts intentionally leave it false, because several agents write to the filesystem at runtime. No values.yaml changes are needed.
Data Migrations
No MongoDB schema or data migrations required.
Upgrade Runbook
1. Update chart version
helm upgrade ai-platform-engineering \
oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
--version 0.4.8 \
-f your-values.yaml
2. (Optional) Enable call limits
Add TOOL_CALL_LIMIT and/or MODEL_CALL_LIMIT to your supervisor-agent.config block if you want to cap agent run lengths.
3. Verify
kubectl get pods -n <namespace>
# Confirm mcp-aws is running (if you include it in your agent config)
kubectl get deploy -n <namespace> | grep mcp-aws
Check that no pods are blocked by PSS admission — existing charts already have compatible defaults.
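The PSS check in step 3 can also be run offline against the JSON from kubectl get pods -n <namespace> -o json. The following is an added example, not part of the project's tooling: it tests each pod against a subset of the PSS Baseline controls and lists containers whose root filesystem is writable, for operators with a custom readOnlyRootFilesystem policy. The function names and the sample pods are assumptions constructed for illustration.

```python
# Capabilities PSS Baseline permits in securityContext.capabilities.add.
BASELINE_CAPS = {"AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
                 "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT"}

def containers(spec):
    """Yield regular, init and ephemeral containers; PSS applies to all three."""
    for key in ("containers", "initContainers", "ephemeralContainers"):
        yield from spec.get(key) or []

def baseline_violations(pod):
    """PSS Baseline violations for one pod (a subset of the profile's controls)."""
    spec, out = pod.get("spec") or {}, []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            out.append(f"spec.{flag}=true")
    for vol in spec.get("volumes") or []:
        if vol.get("hostPath") is not None:
            out.append(f"hostPath volume {vol.get('name')}")
    for c in containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            out.append(f"{c['name']}: privileged")
        extra = set((sc.get("capabilities") or {}).get("add") or []) - BASELINE_CAPS
        if extra:
            out.append(f"{c['name']}: capabilities {sorted(extra)}")
        if any(p.get("hostPort") for p in c.get("ports") or []):
            out.append(f"{c['name']}: hostPort")
    return out

def writable_rootfs(pod):
    """Containers lacking readOnlyRootFilesystem: true, which the charts leave false."""
    return [c["name"] for c in containers(pod.get("spec") or {})
            if not (c.get("securityContext") or {}).get("readOnlyRootFilesystem")]

def audit(pod_list):
    """Map pod name -> (baseline violations, writable-rootfs containers)."""
    return {p["metadata"]["name"]: (baseline_violations(p), writable_rootfs(p))
            for p in pod_list["items"]}

# Constructed sample input; pod and container names are made up for illustration.
SAMPLE = {"items": [
    {"metadata": {"name": "supervisor-agent-0"}, "spec": {"containers": [
        {"name": "agent", "securityContext": {"readOnlyRootFilesystem": False}}]}},
    {"metadata": {"name": "debug-0"}, "spec": {
        "hostNetwork": True, "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "dbg", "securityContext": {
            "privileged": True, "capabilities": {"add": ["NET_ADMIN", "CHOWN"]}}}]}}]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A pod with an empty first list passes the Baseline controls covered here; the second list is informational and is expected to be non-empty for agents that write to the filesystem at runtime.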
