* feat(cdk): reorganize CDK samples into python/ and typescript/ folders
- Move existing Python CDK samples to cdk/python/
- Add TypeScript CDK samples folder with knowledge-base-rag-agent
- Update cdk/README.md with language comparison table
- Update parent README with new paths and TypeScript mention
- Add cdk/python/README.md for Python-specific guidance
🤖 Assisted by Amazon Q Developer
* docs: add Jerad Engebreth to CONTRIBUTORS.md
🤖 Assisted by Amazon Q Developer
* fix(cdk/typescript): document known vulnerabilities and fix npm workspaces build
- Add Known Dependency Vulnerabilities section to README documenting
upstream issues in aws-amplify (fast-xml-parser, lodash)
- Add build/test scripts to Lambda layer package.json to fix npm
workspaces build command
🤖 Assisted by Amazon Q Developer
* fix(security): add HEALTHCHECK and non-root USER to Dockerfile
- Add HEALTHCHECK instruction for container orchestration
- Create non-root appuser for security best practices
- Addresses CKV_DOCKER_2, CKV_DOCKER_3 security findings
* fix(security): address CodeQL findings for insecure randomness and HTML sanitization
- Replace Math.random() with crypto.randomBytes() for session ID generation
- Use iterative sanitization loop to handle nested/obfuscated HTML tags
- Addresses CodeQL insecure randomness and incomplete sanitization findings
* fix(security): improve HTML sanitization to address CodeQL findings
- Handle closing tags with spaces like </script >
- Add data: and vbscript: URL scheme blocking
- Use tag-based approach instead of content-matching regex
- Add more dangerous tags (form, input, button, etc.)
* remove unused import
* fix(lint): fix import ordering and remove extra blank lines
- Sort imports alphabetically (logging before os)
- Remove extra blank line in knowledge_base.py
- Consistent import grouping (stdlib, then third-party)
* fix(security): use HTML entity encoding instead of regex-based sanitization
- Replace regex-based tag stripping with HTML entity encoding
- Encode all special characters (&, <, >, ", ', /, `, =)
- This approach is CodeQL-compliant and more secure
- Regex-based HTML filtering is inherently flawed
* fix(lint): add __all__ to fix F401 unused import warnings
- Add __all__ exports to infra_utils/__init__.py files
- Explicitly declares AgentCoreRole as public API
* style: apply ruff formatting to all Python files in 04-infrastructure-as-code
- Format 32 Python files with ruff
- Includes CDK Python samples, Terraform samples, and TypeScript agent code
* refactor: rename project from bedrock-agentcore-template to knowledge-base-rag-agent
- Update package.json names for root and infrastructure packages
- Update README and docs with new project name and paths
- Update CloudWatch, SNS, KMS, and Cognito resource names
- Regenerate package-lock.json with new package names
* refactor: complete project rename to knowledge-base-rag-agent
- Update README title and all documentation headers
- Update TypeScript stack descriptions and resource names
- Update Python agent module docstrings
- Update Dockerfile header comment
- Update Lambda function package description
- Rename runtime to knowledge_base_rag_agent
- Rename memory to knowledge_base_rag_agent_memory
- Rename API to Knowledge Base RAG Agent API
- Update Secrets Manager secret name
* fix: correct Docker references and fix Lambda bundling
- Update README and docs to clarify Docker is for AgentCore Runtime container, not Lambda bundling
- Add @aws-lambda-powertools/logger dependency for Lambda function
- Add esbuild as dev dependency for NodejsFunction bundling
- Fix S3 bucket deployment to use single deployment with auto content-type detection
- Deploy config.json separately with prune:false to preserve other files
---------
Co-authored-by: Jerad Engebreth <awsjerad@amazon.com>
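
An added example, not code from this commit or the project: it shows why the single-pass regex tag stripping named in the sanitization entries fails on nested tags, next to entity encoding of the eight listed characters and a session ID drawn from crypto.randomBytes(). The function names, the 16-byte ID length and the sample input are assumptions made for illustration.

```javascript
// Added example (not the project's code); all names here are hypothetical.
const { randomBytes } = require("node:crypto");

// Session ID from the OS CSPRNG. Math.random() is not cryptographically
// secure, so IDs derived from it can be predicted.
// The 16-byte default is an assumption, not a value from the commit.
function newSessionId(bytes = 16) {
  return randomBytes(bytes).toString("hex");
}

// "Before" style: one pass of regex tag stripping. Deleting the inner tag
// splices the surrounding fragments back together into a working tag.
function stripTagsOnce(input) {
  return input.replace(/<\/?script[^>]*>/gi, "");
}

// The eight characters listed in the commit message, mapped to entities.
const ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#x27;", "/": "&#x2F;", "`": "&#x60;", "=": "&#x3D;",
};

// Encode instead of filter: the replacement is a single pass over the
// original string, so "&" is never double-encoded and no markup survives.
function encodeHtml(input) {
  return String(input).replace(/[&<>"'\/`=]/g, (ch) => ENTITIES[ch]);
}

// Constructed sample input: a tag nested inside a broken outer tag.
const NESTED_SAMPLE = "<scr<script>ipt>alert(1)</scr</script>ipt>";

function demo() {
  return {
    stripped: stripTagsOnce(NESTED_SAMPLE), // markup reassembles
    encoded: encodeHtml(NESTED_SAMPLE),     // inert text
    sessionId: newSessionId(),
  };
}

console.log(demo());
```

Entity encoding as shown is for output placed in HTML element content or quoted attribute values; values written into script blocks or URLs need encoding for those contexts.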