Daylily-Informatics
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 1 addition & 1 deletion b/‎AGENTS.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎QUICKSTART.md‎
Lines changed: 6 additions & 5 deletions b/‎QUICKSTART.md‎
Lines changed: 6 additions & 5 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 6 deletions b/‎README.md‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎certs/.hold‎ b/‎certs/.hold‎
diff --git a/‎functions/hub_api/.env.local‎
Lines changed: 10 additions & 10 deletions b/‎functions/hub_api/.env.local‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎functions/hub_api/run_local.py‎
Lines changed: 15 additions & 1 deletion b/‎functions/hub_api/run_local.py‎
Lines changed: 15 additions & 1 deletion
diff --git a/‎functions/hub_api/test_login_local.py‎
Lines changed: 13 additions & 2 deletions b/‎functions/hub_api/test_login_local.py‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎layers/shared/python/agent_hub/cognito.py‎
Lines changed: 6 additions & 2 deletions b/‎layers/shared/python/agent_hub/cognito.py‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎marvain_activate‎
Lines changed: 9 additions & 1 deletion b/‎marvain_activate‎
Lines changed: 9 additions & 1 deletion
@@ -8,6 +8,9 @@ samconfig.toml
 # Local marvain CLI config (may contain device tokens)
 marvain.yaml
 
+# Local SSL certificates for HTTPS development
+certs/
+
 # C extensions
 *.so
 
 
@@ -1,4 +1,4 @@
-# ALWAYS RUN THIS: source marvain_activate when in the repo root directory and when starting a new terminal so you have the cli tools available. AND try to source .env as well, if present.
+# ALWAYS RUN THIS: source marvain_activate when in the repo root directory and when starting a new terminal so you have the cli tools available. 
 
 use AWS_PROFILE=daylily and AWS_REGION=us-east-1 and AWS_DEFAULT_REGION=us-east-1
 
@@ -67,18 +67,19 @@ If `AuditBucket` deletion fails due to Object Lock retention, the “from scratc
 ### 2.1 Remove local config (this deletes your saved device token)
 
 Config default path:
-- `${XDG_CONFIG_HOME:-~/.config}/marvain/marvain.yaml`
+- `${XDG_CONFIG_HOME:-~/.config}/marvain/marvain-config.yaml`
 
 If you want to keep a copy of the token/config, back it up first.
 
 <augment_code_snippet mode="EXCERPT">
 ````sh
 # OPTIONAL backup
-cp -v "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml" \
-  "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml.bak" 2>/dev/null || true
+cp -v "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain-config.yaml" \
+  "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain-config.yaml.bak" 2>/dev/null || true
 
-# Delete config (XDG + legacy)
-rm -f "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml" \
+# Delete config (canonical + legacy)
+rm -f "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain-config.yaml" \
+      "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml" \
       "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/config.yaml" \
       "$HOME/.marvain/config.yaml"
 ````
 
@@ -132,11 +132,12 @@ If `AuditBucket` deletion fails due to Object Lock retention, the practical “r
 
 ```sh
 # OPTIONAL: backup first
-cp -v "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml" \
-  "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml.bak" 2>/dev/null || true
+cp -v "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain-config.yaml" \
+  "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain-config.yaml.bak" 2>/dev/null || true
 
-# Delete config (XDG + legacy fallbacks)
-rm -f "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml" \
+# Delete config (canonical + legacy fallbacks)
+rm -f "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain-config.yaml" \
+      "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/marvain.yaml" \
       "${XDG_CONFIG_HOME:-$HOME/.config}/marvain/config.yaml" \
       "$HOME/.marvain/config.yaml"
 ```
@@ -186,7 +187,7 @@ Notes:
 
 Notes:
 
-- `marvain config init` writes to `${XDG_CONFIG_HOME:-~/.config}/marvain/marvain.yaml` by default.
+- `marvain config init` writes to `${XDG_CONFIG_HOME:-~/.config}/marvain/marvain-config.yaml` by default.
 - Treat that config as **secret** once you run `marvain bootstrap` (it will store a device token).
 - If you choose to write a repo-local config (e.g. `--write marvain.yaml`), it is gitignored.
 
@@ -208,7 +209,7 @@ Notes:
 The GUI runs locally on your machine and connects to deployed AWS resources (Aurora, Cognito, S3).
 
 ```bash
-# Write stack outputs to .env.local config
+# Write stack outputs to marvain-config.yaml
 ./bin/marvain monitor outputs --write-config
 
 # Start the local GUI server (background mode, default)
 
@@ -2,24 +2,24 @@
 # These values point to the deployed AWS resources
 
 # Database (Aurora Serverless v2 with Data API)
-DB_RESOURCE_ARN=arn:aws:rds:us-east-1:670484050738:cluster:marvain-john-major-dev-auroracluster-58dmuasoghuv
-DB_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/db-credentials-zoY5wV
+DB_RESOURCE_ARN=arn:aws:rds:us-east-1:670484050738:cluster:marvain-john-major-dev-auroracluster-senbqqgdczo6
+DB_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/db-credentials-VGvfQ4
 DB_NAME=agenthub
 
 # Cognito
 COGNITO_REGION=us-east-1
-COGNITO_USER_POOL_ID=us-east-1_vGmWnreMU
-COGNITO_APP_CLIENT_ID=7njmj42lc6p2qf6mgsua05miua
+COGNITO_USER_POOL_ID=us-east-1_13G7tqlGg
+COGNITO_APP_CLIENT_ID=2uoaljh5qbj7ha9noc6h0bpv66
 COGNITO_DOMAIN=marvain-dev.auth.us-east-1.amazoncognito.com
-COGNITO_REDIRECT_URI=http://localhost:8084/auth/callback
+COGNITO_REDIRECT_URI=https://localhost:8084/auth/callback
 
 # Session (for local dev, use a static key; in Lambda, SESSION_SECRET_ARN is used)
 SESSION_SECRET_KEY=local-dev-session-secret-key-change-in-production-123456
 
 # Secrets Manager
-ADMIN_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/admin-api-key-rRWQF7
-OPENAI_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/openai-JNurv6
-LIVEKIT_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/livekit-3qohPq
+ADMIN_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/admin-api-key-MJSw2D
+OPENAI_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/openai-4Clbx3
+LIVEKIT_SECRET_ARN=arn:aws:secretsmanager:us-east-1:670484050738:secret:marvain-john-major-dev/livekit-BsdyYY
 
 # LiveKit
 LIVEKIT_URL=wss://marvain-dev-fo5ki513.livekit.cloud
@@ -29,8 +29,8 @@ TRANSCRIPT_QUEUE_URL=
 ACTION_QUEUE_URL=
 
 # S3 Buckets
-AUDIT_BUCKET=marvain-john-major-dev-auditbucket-miz3vbanlu3i
-ARTIFACT_BUCKET=marvain-john-major-dev-artifactbucket-0mjzoilnzult
+AUDIT_BUCKET=marvain-john-major-dev-auditbucket-zobrgbyrmgjb
+ARTIFACT_BUCKET=marvain-john-major-dev-artifactbucket-zg3clkrefcko
 
 # Logging
 LOG_LEVEL=DEBUG
 
@@ -1,14 +1,28 @@
 #!/usr/bin/env python3
-"""Local development runner for Hub API with environment loading."""
+"""Local development runner for Hub API with environment loading.
+
+DEPRECATED: Use `marvain gui start` or `marvain gui run` instead.
+Those commands read configuration from marvain-config.yaml and don't require
+a .env.local file.
+
+This script is kept for backward compatibility and requires manual creation
+of a .env.local file in this directory.
+"""
 
 import os
 import sys
 from pathlib import Path
 
 # Load environment variables from .env.local BEFORE importing anything else
+# DEPRECATED: New code should use marvain-config.yaml via CLI
 from dotenv import load_dotenv
 
 env_file = Path(__file__).parent / ".env.local"
+if not env_file.exists():
+    print("ERROR: .env.local not found.", file=sys.stderr)
+    print("DEPRECATED: This script is deprecated.", file=sys.stderr)
+    print("Use 'marvain gui start' instead (reads from marvain-config.yaml).", file=sys.stderr)
+    sys.exit(1)
 load_dotenv(env_file)
 
 # Ensure AWS_REGION is set for boto3
 
@@ -1,13 +1,24 @@
 #!/usr/bin/env python3
-"""Test the login flow locally without needing full AWS infrastructure."""
+"""Test the login flow locally without needing full AWS infrastructure.
+
+DEPRECATED: This script requires a .env.local file which is no longer the
+standard configuration approach. Configuration should be in marvain-config.yaml.
+Use `marvain gui start` for local development instead.
+"""
 
 import os
 import sys
 from pathlib import Path
 from dotenv import load_dotenv
 
-# Load environment variables
+# Load environment variables from .env.local
+# DEPRECATED: New code should use marvain-config.yaml via CLI
 env_file = Path(__file__).parent / ".env.local"
+if not env_file.exists():
+    print("ERROR: .env.local not found.", file=sys.stderr)
+    print("DEPRECATED: This script is deprecated.", file=sys.stderr)
+    print("Use 'marvain gui start' instead (reads from marvain-config.yaml).", file=sys.stderr)
+    sys.exit(1)
 load_dotenv(env_file)
 
 # Set AWS region
 
@@ -119,14 +119,18 @@ def build_logout_url(cfg: HubConfig, redirect_uri: str | None = None) -> str:
     if not cfg.cognito_logout_url or not cfg.cognito_user_pool_client_id:
         raise CognitoAuthError("Cognito is not fully configured")
 
-    # Default to base URL (without /auth/callback)
+    # Default to /logged-out page (must be registered in Cognito LogoutURLs)
     logout_target = redirect_uri
     if not logout_target and cfg.cognito_redirect_uri:
-        logout_target = cfg.cognito_redirect_uri.replace("/auth/callback", "")
+        # Replace /auth/callback with /logged-out
+        logout_target = cfg.cognito_redirect_uri.replace("/auth/callback", "/logged-out")
 
     params = {
         "client_id": cfg.cognito_user_pool_client_id,
+        # Cognito logout endpoint accepts both 'logout_uri' and 'redirect_uri'
+        # but some versions require 'redirect_uri', so we include both for compatibility
         "logout_uri": logout_target or "",
+        "redirect_uri": logout_target or "",
     }
     return f"{cfg.cognito_logout_url}?{urlencode(params)}"
 
 
@@ -74,15 +74,22 @@ fi
 
 _MARVAIN_REPO_CFG="$_MARVAIN_ROOT/marvain.yaml"
 _MARVAIN_XDG_HOME="${XDG_CONFIG_HOME:-$HOME/.config}"
-_MARVAIN_USER_CFG="$_MARVAIN_XDG_HOME/marvain/marvain.yaml"
+# Primary canonical config location
+_MARVAIN_USER_CFG="$_MARVAIN_XDG_HOME/marvain/marvain-config.yaml"
+# Legacy locations (backward compatibility)
+_MARVAIN_USER_CFG_OLD="$_MARVAIN_XDG_HOME/marvain/marvain.yaml"
 _MARVAIN_USER_CFG_LEGACY="$HOME/.marvain/config.yaml"
 
 if [ -f "$_MARVAIN_REPO_CFG" ]; then
   _marvain_log INFO "Found repo config: $_MARVAIN_REPO_CFG"
 elif [ -f "$_MARVAIN_USER_CFG" ]; then
   _marvain_log INFO "Found user config: $_MARVAIN_USER_CFG"
+elif [ -f "$_MARVAIN_USER_CFG_OLD" ]; then
+  _marvain_log INFO "Found user config (legacy): $_MARVAIN_USER_CFG_OLD"
+  _marvain_log WARN "Consider migrating to: $_MARVAIN_USER_CFG"
 elif [ -f "$_MARVAIN_USER_CFG_LEGACY" ]; then
   _marvain_log INFO "Found user config (legacy): $_MARVAIN_USER_CFG_LEGACY"
+  _marvain_log WARN "Consider migrating to: $_MARVAIN_USER_CFG"
 else
   _marvain_log INFO "No config found. Create one via: marvain config init"
 fi
@@ -103,4 +110,5 @@ unset _MARVAIN_CONDA_FILE
 unset _MARVAIN_REPO_CFG
 unset _MARVAIN_XDG_HOME
 unset _MARVAIN_USER_CFG
+unset _MARVAIN_USER_CFG_OLD
 unset _MARVAIN_USER_CFG_LEGACY
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-# ALWAYS RUN THIS: source marvain_activate when in the repo root directory and when starting a new terminal so you have the cli tools available. AND try to source .env as well, if present.`
	`1`	`+# ALWAYS RUN THIS: source marvain_activate when in the repo root directory and when starting a new terminal so you have the cli tools available.`
`2`	`2`
`3`	`3`	`use AWS_PROFILE=daylily and AWS_REGION=us-east-1 and AWS_DEFAULT_REGION=us-east-1`
`4`	`4`