[stale] [AGE-2476] Add sidebar changelog notifications

[jp-agenta]

[AGE-2476] Add sidebar changelog notifications

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

GitHub CI seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull Request Overview

This pull request implements a major refactoring focused on removing legacy code, consolidating database access patterns, and cleaning up deprecated migration files. The changes streamline the codebase by removing unused routers, models, and utilities while updating database session management patterns.

Key changes include:

• Removal of deprecated legacy applications, annotations, queries, testsets, evaluations, and invocations routers and services
• Consolidation of database engine usage from engine.core_session() to db_engine.get_core_session()
• Cleanup of multiple database migration files and data migration utilities
• Removal of blocked domains/emails functionality and associated PostHog feature flag logic
• Updates to entrypoint routing and middleware configuration

Reviewed Changes

Copilot reviewed 130 out of 3124 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
api/oss/src/apis/fastapi/applications/*	Removed legacy application router, models, and utilities
api/oss/src/apis/fastapi/annotations/*	Refactored annotations router with new implementation and added utility functions
api/oss/src/init.py	Removed blocked domains/emails checking logic and PostHog feature flag functionality
api/oss/docker/Dockerfile.*	Cleaned up Docker build steps removing SDK installation and cron setup
api/oss/databases/postgres/migrations/utils.py	Changed async functions to sync and updated database protocol handling
api/oss/databases/postgres/migrations/**/versions/*	Removed multiple migration files for evaluations, queries, testsets, and span fixes
api/oss/databases/postgres/migrations/runner.py	Removed migration runner script
api/oss/databases/postgres/migrations/core/data_migrations/*	Updated import paths and removed deprecated migration utilities
api/entrypoint.py	Restructured application initialization, removed legacy routers, simplified imports
api/ee/tests/manual/evaluations/sdk/*	Removed manual test files and notebooks
api/ee/src/utils/permissions.py	Uncommented API key permission checking function and added cache TTL
api/ee/src/utils/entitlements.py	Removed subscription caching logic
api/ee/src/services/*	Updated parameter names and database access patterns
api/ee/src/models/extended/deprecated_transfer_models.py	Renamed TestsetDB to TestSetDB

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Corrected spelling of 'recieve' to 'receive'.

[Copilot]

This generic Exception should be replaced with HTTPException to maintain consistency with the rest of the codebase and provide proper HTTP status codes to API consumers.

[Copilot]

Import path changed from oss.src.dbs.postgres.secrets.custom_fields to oss.src.dbs.secrets.custom_fields. Verify that this import path is correct and the module exists at this location.

Suggested change

	from oss.src.dbs.secrets.custom_fields import PGPString
	from oss.src.dbs.postgres.secrets.custom_fields import PGPString

[Copilot]

URL parameters are not properly encoded, which could lead to injection vulnerabilities or broken links. The removed quote() calls should be restored or URL parameters should be properly encoded using urllib.parse.urlencode() or similar.

[Copilot]

The function previously returned two values (existing_invitation, existing_role) but now only returns one. The conditional check at line 179 needs to handle the case where existing_invitation might be None differently, and the logic for handling existing roles appears to be lost.

Suggested change

	if not existing_invitation:
	# Check if the user already has a role in the workspace
	existing_role = await db_manager_ee.get_user_role_in_workspace_by_email(
	payload_invite.email, str(workspace.id)
	)
	if not existing_invitation and not existing_role:

The best way to fix this SSRF risk is to validate the evaluationId before constructing or sending the HTTP request. Since evaluationId is a path segment and apparently represents an evaluation UUID, we should:

• Permit only fixed, safe formats for evaluationId (e.g., UUID v4 or possible known formats).
• Implement validation on the client-side before using the value to construct the outgoing request.
• Reject or ignore any values that do not match the expected format, preventing path traversal or invalid resource lookups.

To implement the fix in the relevant file (web/oss/src/services/evaluations/api/index.ts), do the following:

• Import a well-established UUID validation library, such as validator's isUUID (since evaluationId likely should be a UUID).
• Add a validation step in fetchEvaluation, fetchEvaluationStatus, and fetchAllEvaluationScenarios functions to check that evaluationId is a valid UUID. If not, throw an error or return safely.
• If evaluationIds is an array (as in fetchAllComparisonResults), validate all elements.
• You do not need to validate server-side, but strong client-side validation makes exploitation much less likely.

---

How to fix:

• The best general fix is to strictly validate or sanitize the evaluationId received from untrusted sources before passing it into the backend API call. Ideally, this means enforcing that evaluationId matches the expected format (for example, a UUID, hex string, MongoDB ObjectId, or whatever the legitimate values are).
• We should implement this input validation as close as possible to where the untrusted value enters the system, but at minimum right before it is interpolated into the URL in the backend request.
• In the shown code, the responsible place is inside fetchLoadEvaluation (in web/oss/src/services/human-evaluations/api/index.ts)—here, validate evaluationId. If invalid, throw an error or return an error promise instead of making the backend request.

Specific steps:

• Add a helper function that validates whether a value is a valid evaluation ID (based on expected format, e.g., a 24-char hex for MongoDB ObjectIds, or otherwise a suitable regular expression).
• In fetchLoadEvaluation, before making the API call, check that evaluationId passes the validation. If not, throw an error or return a rejected promise.
• Optionally, you may also sanitize edge input earlier (in index.tsx), but it is critical that any place where a potentially unsafe value is sent to the backend, validation is enforced.
• If required, import a suitable validation helper or define a minimal regexp-based function inline.

---

To remediate SSRF risk, it is essential to validate or sanitize the user-supplied testset_id before it is interpolated into the request URL. Since testsetId is expected to be a valid string identifier for a testset, ideally a UUID or database identifier, the frontend can apply a whitelist validation (e.g., regex test for allowed identifier formats). This should occur before calling fetchTestset.
Specifically, in TestsetTable.tsx, we should check that testset_id is either:

• a non-empty string
• matches an explicit pattern (e.g., UUID, or alphanumeric, dashes/underscores)

If it does not match, either:

• refuse to make the API call (show error message/client-side fallback)
• use a placeholder/fallback value

Concretely, in TestsetTable.tsx, place logic prior to calling fetchTestset, to only allow testset_ids with allowed characters (e.g., /^[a-zA-Z0-9_-]+$/).
No changes to the API layer are required if this input is validated at the call-site.

---