
Release 0.5.2 — RAG Access Control and Gateway Routing

Released: 2026-05-29
Chart: oci://ghcr.io/cnoe-io/charts/ai-platform-engineering:0.5.2
Previous release: 0.5.1

Highlights

0.5.2 completes the OpenFGA relationship-based access model for RAG and Knowledge Bases — knowledge bases can now be shared with teams, every Knowledge sidebar tab is gated on a real OpenFGA capability, and the RAG server and BFF enforce deny-by-default. AgentGateway gains an MCP route bridge so platform MCP endpoints (including the built-in Knowledge Base server) can be rendered straight from Helm, and the default now routes all gateway-managed MCP servers through the gateway. Keycloak adds strict client-secret reconciliation for production installs and a migration-health panel in the admin UI, while a RAG ingestor SSRF fix and pinned TLS dependencies harden the web loader.

What's New

Knowledge Base & RAG Access Control

  • Complete RAG OpenFGA access model — adds knowledge-base sharing, per-resource gates, and RAG server/BFF enforcement, plus data_source and mcp_tool universal OpenFGA types and a BFF list filter; the Graph tab is gated on any-KB-readable and Knowledge sidebar tabs render per-tab gates with empty states (#1591)
  • Route capabilities in the canonical model — OpenFGA consolidates to a single canonical chart model artifact and adds organization route-capability relations for fine-grained application gates (#1592)
  • Deny-by-default cleanup — removes legacy RAG group fallback propagation from setup and migration docs so local and Helm installs stay aligned with deny-by-default OpenFGA behavior (#1601)

AgentGateway MCP Routing

  • MCP route bridge for RBAC runtimes — a config bridge syncs compose MCP routes, and Helm now renders MCP route targets including a built-in knowledgeBaseTarget and arbitrary extraMcpTargets (one AgentgatewayBackend + HTTPRoute per entry, /mcp/<id> → static host:port) (#1595)
  • Secret-backed backend auth env — new agentgateway.extraEnv / extraEnvFrom let the standalone AgentGateway config resolve backend-auth placeholders (e.g. GITHUB_PERSONAL_ACCESS_TOKEN, GITLAB_PERSONAL_ACCESS_TOKEN) from Kubernetes secrets (#1595)
  • CRD-free routing by default — new global.agentgateway.routingMode defaults to static, which renders the standalone proxy's config (one /mcp/<id> route/backend per target) instead of Gateway API/AgentGateway custom resources. Enabling AgentGateway therefore no longer requires the gateway.networking.k8s.io/agentgateway.dev CRDs or a controller, keeping helm diff/helm upgrade clean on clusters you do not own; MCP endpoints stay discoverable via the proxy admin /config endpoint consumed by the UI discover/sync flow. Set routingMode: gateway-api to opt back into the controller-managed Gateway data plane (#1629)

Authentication & Keycloak

  • Strict client-secret reconciliation — managed Keycloak client secrets are reconciled for production installs, with strict-secret test coverage and updated Slack bot Keycloak helper behavior (#1593)
  • Keycloak migration health surfaces — new migration-health summary APIs, an admin UI panel, and header/release signals for diagnosing realm migration state (#1597)
  • withAuth routes mapped to RBAC capabilities — protected BFF route groups now map to explicit OpenFGA capabilities and require Slack/Webex resource read access before returning access-check details (#1594)
  • Centralized local-dev auth bypass — a single dev-auth provider replaces the CAIPE_UNSAFE_RBAC_BYPASS checks that were scattered across the API middleware, RAG proxy, OpenFGA helpers, and admin/UI gates; the bypass admin principal is returned only when SSO_ENABLED=false, ALLOW_DEV_ADMIN_WHEN_SSO_DISABLED=true, and CAIPE_UNSAFE_RBAC_BYPASS=true are all set outside production (#1613)

Admin UI

  • Slack onboarding redesign — the admin Slack experience is reorganized into Configured / Onboard / Advanced tabs (#1613)
  • Hardened ReBAC assignment — ReBAC assignment operations in the admin UI are hardened and the OpenFGA inspector uses exact tuple filters (#1613)

AI Review

  • Overhauled review rubrics — the default AI Review rubric for agent system prompts expands from 7 to 11 criteria (adding negative-constraints, failure-mode-handling, prompt-injection-resistance, and more), and the SKILL.md rubric expands to 11 criteria emphasizing trigger conditions, actionable instructions, and bounded scope; weights now reflect real importance (#1608)

Configuration Defaults

  • Bedrock AI assist defaults to Claude Haiku 4.5 — local setup and AI assist fallbacks now default to Claude Haiku 4.5 on Bedrock; the stale Claude 3.5 Bedrock seed model is removed while Sonnet remains available as an explicit option (#1605)

Bug Fixes

  • dynamic-agents: forward caller bearer tokens through MCP httpx clients so user JWTs reach downstream MCP servers (#1598)
  • dynamic-agents: show an inline required-field message (with TeamPicker ARIA hooks) when creating a dynamic agent without an owner team (#1606)
  • credentials: align the OAuth service factory and Mongo envelope-store defaults (#1600)
  • keycloak: correctly type the management-permissions enabled flag (#1597)
  • setup-caipe: honor declined prompts — ENABLE_INGRESS=false and ENABLE_METALLB=false are now set when the user answers "No", instead of always installing both (#1587)
  • setup-caipe: use the native Anthropic model ID for Claude Haiku 4.5 — the previous -v1:0 Bedrock inference-profile suffix was rejected by the native Anthropic API (#1542)

Security

  • rag-ingestors: block SSRF by rejecting non-public web-loader start and redirect URLs, and pin Twisted for TLS compatibility, with regression coverage (#1599)
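The rag-ingestors fix above rejects web-loader start and redirect URLs that point at non-public addresses. The following is an added illustration of that kind of check, not the project's own code; the function names, the injectable resolver and the FAKE_DNS table are assumptions made for this example.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# Hypothetical validator (not the project's code): the start URL and every
# redirect target must resolve only to public addresses.
Resolver = Callable[[str], Iterable[str]]

def default_resolver(host: str) -> list:  # live DNS: all A/AAAA records
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_public_address(addr: str) -> bool:
    """Globally routable unicast only; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_url(url: str, resolver: Resolver = default_resolver) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise the rejection reason."""
    parts = urlparse(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return f"scheme {parts.scheme!r} not allowed or host missing"
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP: check it directly, no lookup
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError:
            addrs = []  # unresolvable hosts are rejected below
    # Every record must be public: one private A/AAAA record fails the host.
    bad = [a for a in addrs if not is_public_address(a)]
    if not addrs or bad:
        return f"{host} resolves to non-public or no address: {bad or addrs}"
    return None

def check_redirect_chain(start_url, locations, resolver=default_resolver):
    """Apply check_url to the start URL, then to each redirect Location in turn."""
    for hop, url in enumerate([start_url, *locations]):
        reason = check_url(url, resolver)
        if reason:
            return f"hop {hop} ({url}): {reason}"
    return None
# Constructed DNS table so the example runs offline (not real records).
FAKE_DNS = {"docs.example.com": ["93.184.216.34"], "wiki.corp.internal": ["10.20.30.40"],
            "dual.example.com": ["93.184.216.34", "10.0.0.5"]}
def fake_resolver(host): return FAKE_DNS.get(host, [])  # unknown host ~ NXDOMAIN
```

Because the check re-runs on every redirect target, a public start URL that redirects to a private address is rejected at that hop instead of being fetched.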

Breaking Changes

No breaking changes. Drop-in upgrade from 0.5.1.

Known Issues

None known at this time.

Upgrade

helm upgrade ai-platform-engineering \
  oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
  --version 0.5.2 \
  -f your-values.yaml

Upgrade Guide: 0.5.1 → 0.5.2

Overview

0.5.2 is a drop-in upgrade — no values.yaml edits are required. The chart adds new optional AgentGateway routing keys (all with working defaults) and changes one default: gateway-managed MCP servers now route through AgentGateway by default. The bulk of the release is RAG/Knowledge Base OpenFGA access control and Keycloak hardening, none of which require values changes for existing deployments.

Helm Values Changes

No breaking Helm values changes between 0.5.1 and 0.5.2. The diff is limited to new optional AgentGateway keys and one changed default.

New Optional: AgentGateway MCP Routing

Key | Default | Description
global.agentgateway.knowledgeBaseTarget.enabled | true | Render a built-in Knowledge Base MCP route aligned with the RAG server MCP backend
global.agentgateway.knowledgeBaseTarget.host | rag-server.{{ .Release.Namespace }}.svc.cluster.local | Upstream host for the Knowledge Base MCP route
global.agentgateway.knowledgeBaseTarget.port | 9446 | Upstream port
global.agentgateway.knowledgeBaseTarget.protocol | StreamableHTTP | MCP transport protocol
global.agentgateway.knowledgeBaseTarget.pathPrefix | /mcp/knowledge-base | Route path prefix
global.agentgateway.extraMcpTargets | [] | Additional MCP routes not rendered from agent-* subcharts; one AgentgatewayBackend + HTTPRoute per entry
agentgateway.extraEnv | [] | Secret-backed env for backend-auth placeholders in the standalone AgentGateway config
agentgateway.extraEnvFrom | [] | envFrom sources for the AgentGateway container

These default to safe values; no action is required unless you want to route additional platform MCP endpoints or wire backend-auth secrets (e.g. GITHUB_PERSONAL_ACCESS_TOKEN).

Default Changed: AgentGateway MCP Server IDs

Affected key: dynamic-agents config AGENT_GATEWAY_MCP_SERVER_IDS

Before (0.5.1):

AGENT_GATEWAY_MCP_SERVER_IDS: "jira"

After (0.5.2):

AGENT_GATEWAY_MCP_SERVER_IDS: "all"

Action: None required. "all" only applies to gateway-managed MCP rows; manual/direct MCP rows keep their stored endpoint so tool names still reflect their real upstreams. If you previously relied on only Jira being routed through the shared AgentGateway backend, pin this back to "jira" (or your explicit list) in your dynamic-agents config.

Data Migrations

No MongoDB schema or data migrations required. The RAG OpenFGA access model and route capabilities are reconciled by the chart; deny-by-default behavior applies once the canonical model is loaded.

Upgrade Runbook

1. Update chart version

helm upgrade ai-platform-engineering \
  oci://ghcr.io/cnoe-io/charts/ai-platform-engineering \
  --version 0.5.2 \
  -f your-values.yaml

2. (Optional) Pin AgentGateway MCP routing

If you do not want all gateway-managed MCP servers routed through AgentGateway, set AGENT_GATEWAY_MCP_SERVER_IDS back to an explicit list in your dynamic-agents config. To route extra platform MCP endpoints, populate global.agentgateway.extraMcpTargets.

3. Verify

kubectl get pods -n <namespace>

# Confirm the Knowledge Base MCP route / AgentGateway backend is healthy
kubectl get httproute -n <namespace> | grep mcp

HTTPRoute objects are only rendered when global.agentgateway.routingMode is set to gateway-api; under the default static mode the MCP routes live in the standalone proxy's config and are listed on its admin /config endpoint instead, so an empty grep there is expected.

Check that OpenFGA-gated Knowledge sidebar tabs and Graph access resolve as expected for your teams — KBs now require explicit sharing under deny-by-default.

Full Values Diff

Raw diff (0.5.1 → 0.5.2)
--- /tmp/vf-0.5.2.yaml	2026-05-29 09:12:26
+++ /tmp/vt-0.5.2.yaml 2026-05-29 09:12:28
@@ -132,6 +132,28 @@
serviceName: "ai-platform-engineering-openfga-authz-bridge"
serviceNamespace: ""
port: 9100
+ # Built-in Knowledge Base MCP route. This keeps the Dynamic Agents
+ # `knowledge-base` MCP server ID aligned with the RAG server MCP backend
+ # when AgentGateway is enabled in the umbrella chart.
+ knowledgeBaseTarget:
+ enabled: true
+ host: "rag-server.{{ .Release.Namespace }}.svc.cluster.local"
+ port: 9446
+ protocol: StreamableHTTP
+ pathPrefix: /mcp/knowledge-base
+ # Additional MCP routes that are not rendered from `agent-*` subcharts.
+ # Use this for platform MCP endpoints such as RAG/Knowledge Base.
+ # Each item renders one AgentgatewayBackend and one HTTPRoute:
+ # /mcp/<id> -> static host:port using the requested MCP protocol.
+ #
+ # Example:
+ # extraMcpTargets:
+ # - id: knowledge-base
+ # host: "{{ .Release.Name }}-rag-server.{{ .Release.Namespace }}.svc.cluster.local"
+ # port: 9446
+ # protocol: StreamableHTTP
+ # pathPrefix: /mcp/knowledge-base
+ extraMcpTargets: []

# OpenFGA service discovery defaults for CAIPE components that perform
# relationship-based authorization or reconciliation.
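Review bot: the commented example under extraMcpTargets uses id: knowledge-base and pathPrefix: /mcp/knowledge-base, which are exactly the built-in knowledgeBaseTarget's id and path, and that target is enabled: true by default; a reader who copies the example as written ends up with two backends and two routes for the same /mcp/knowledge-base path. Suggest giving the example a distinct id, or stating in the comment that knowledgeBaseTarget.enabled must be set to false before reusing that id. The two host values also disagree: the built-in default is "rag-server.{{ .Release.Namespace }}.svc.cluster.local" while the example is "{{ .Release.Name }}-rag-server.{{ .Release.Namespace }}.svc.cluster.local"; please align them with the actual rag-server Service name, and note in the comment that these {{ }} strings are only expanded if the template renders the value through tpl.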
@@ -145,6 +167,23 @@
repository: cr.agentgateway.dev/agentgateway
tag: v1.1.0
pullPolicy: IfNotPresent
+ # Secret-backed environment for backend auth placeholders used by the
+ # standalone AgentGateway config, for example:
+ # backendAuth:
+ # key: "$GITHUB_PERSONAL_ACCESS_TOKEN"
+ # key: "$GITLAB_PERSONAL_ACCESS_TOKEN"
+ extraEnv: []
+ # - name: GITHUB_PERSONAL_ACCESS_TOKEN
+ # valueFrom:
+ # secretKeyRef:
+ # name: github-mcp-secret
+ # key: GITHUB_PERSONAL_ACCESS_TOKEN
+ # - name: GITLAB_PERSONAL_ACCESS_TOKEN
+ # valueFrom:
+ # secretKeyRef:
+ # name: gitlab-mcp-secret
+ # key: GITLAB_PERSONAL_ACCESS_TOKEN
+ extraEnvFrom: []

# LangGraph Redis for checkpoint and cross-thread store persistence.
# Two deployment options:
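Review bot: the illustrative backendAuth snippet in the comment repeats key: twice under a single mapping, which is not valid YAML and does not show which backend entry each placeholder belongs to; suggest one placeholder per backend entry in the example. It would also help to state that the secrets named in the secretKeyRef examples (github-mcp-secret, gitlab-mcp-secret) must already exist in the release namespace, since a container that references a missing secret without optional: true will not start.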
@@ -1056,9 +1095,9 @@
CREDENTIAL_API_URL: "http://ai-platform-engineering-caipe-ui:3000/api/credentials"
CREDENTIAL_SERVICE_AUDIENCE: "caipe-credential-service"
USE_IMPERSONATION_TOKENS: "false"
- # MCP server IDs routed through the shared AgentGateway backend.
- # Other MCP servers keep direct endpoints so tool names reflect real upstreams.
- AGENT_GATEWAY_MCP_SERVER_IDS: "jira"
+ # MCP server IDs routed through AgentGateway. "all" only applies to
+ # gateway-managed MCP rows; manual/direct MCP rows keep their stored endpoint.
+ AGENT_GATEWAY_MCP_SERVER_IDS: "all"
# LLM configuration (override if needed)
# LLM_PROVIDER: "openai"
# LLM_MODEL: "gpt-4o"
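Review bot: changing the default from "jira" to "all" re-routes every gateway-managed MCP server on upgrade for anyone who has not pinned this value, so the inline comment should say how to restore the previous scope (an explicit ID such as the former "jira") rather than leaving that only to the upgrade guide. The removed comment's rationale, that direct endpoints keep tool names reflecting their real upstreams, is also worth keeping, since it explains why manual/direct MCP rows are excluded from "all".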