dependabot[bot] opened a new pull request, #3260:
URL: https://github.com/apache/cxf/pull/3260

   Bumps 
[org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) 
from 3.1.0 to 4.0.56.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a 
href="https://github.com/Atmosphere/atmosphere/releases";>org.atmosphere:atmosphere-runtime's
 releases</a>.</em></p>
   <blockquote>
   <h2>Atmosphere 4.0.56</h2>
   <h3>Added</h3>
   <ul>
   <li>guardrails + OBO + cost + run-registry AI bean parity with SB4</li>
   <li>config-driven AI routing parity with the SB4 starter</li>
   <li>install governance decision log out-of-box for the queryable audit 
trail</li>
   <li>warn on unauthenticated A2A endpoint + advertise declared security 
scheme</li>
   <li>make spring-boot-agui-chat a real AG-UI agent via the native bridge <a 
href="https://github.com/Agent";><code>@​Agent</code></a> + <a 
href="https://github.com/Prompt";><code>@​Prompt</code></a> + real <a 
href="https://github.com/AiTool";><code>@​AiTool</code></a> through 
session.stream() (demo fallback when no key); AiEvent-&gt;AgUiEvent over 
/atmosphere/agent/{name}/agui; replaces the scripted controller</li>
   <li>config-driven cost/latency/model routing rules in atmosphere.ai.routing 
extends F3a (content-only); compose order 
content-&gt;model-&gt;cost-&gt;latency; off-by-default + content behavior 
byte-identical</li>
   <li>emit experimental OTel GenAI semconv span attributes via GenAiTracer 
gen_ai.usage.<em>/request+response.model/operation/provider on the live span; 
fixes provider Runtime-Truth bug (real runtime name, not hardcoded atmosphere); 
legacy ai.tokens.</em> byte-identical</li>
   <li>add --routing flag to 'atmosphere new' for routing config scaffolding 
injects a commented atmosphere.ai.routing.* block into AI-template 
application.yml; off by default, rejected for non-AI templates</li>
   <li>wire real LongTermMemory cross-session recall into personal-assistant 
InMemoryLongTermMemory + LongTermMemoryInterceptor on the UpstreamMcpAgent <a 
href="https://github.com/AiEndpoint";><code>@​AiEndpoint</code></a> (no-arg 
interceptor + static holder pattern); makes the memory-bearing claim true</li>
   <li>opt-in RoutingLlmClient via atmosphere.ai.routing.enabled autoconfig 
wraps the resolved client with content-based routing rules; adds 
AiConfig.installClient seam; default-off byte-identical</li>
   <li>wire ApiKeyResolver into anthropic/cohere with provider env-var support 
renamed from CredentialResolver (clashed with AiGateway.CredentialResolver); 
per-provider precedence reads ANTHROPIC_API_KEY/COHERE_API_KEY, no 
cross-provider key leak</li>
   <li>add generation params (temperature/maxTokens/topP/stop) to LlmSettings 
wired to the wire for built-in/anthropic/spring-ai/langchain4j; honest 
per-runtime matrix in README; empty=byte-identical</li>
   <li>explicit prompt-cache-key tri-state replaces base-URL sniffing 
PromptCacheKeyMode AUTO/ENABLED/DISABLED on LlmSettings; AUTO preserves current 
per-path heuristics byte-for-byte</li>
   <li>store resolved apiKey on LlmSettings so apiKey() works for any client 
removes the OpenAiCompatibleClient-only instanceof; 4-arg constructor preserves 
old behavior; adds CredentialResolver precedence primitive</li>
   <li>provider-neutral model tier aliases (fast/frontier/reasoning) ModelTier 
resolves tier tokens to a concrete model by active provider; raw model strings 
pass through unchanged</li>
   <li>add provider-neutral configureNativeClient(Object) to 
AbstractAgentRuntime type-checked against nativeClientClassName(); 
provider-typed static setters remain the primary wiring path</li>
   </ul>
   <h3>Fixed</h3>
   <ul>
   <li>reachable agent bridge + keep response open during AG-UI streaming 
AgUiAgentBridge made public (cross-module reflective invoke from agui handler); 
handlePost joins the run thread so virtual-thread SSE writes don't hit a 
recycled response — fixes the agui-chat demo+UI e2e (only RUN_STARTED was 
reaching the wire)</li>
   <li>converge AUTO prompt-cache-key to one default-deny allow-list built-in 
and framework runtimes share CacheHint.endpointAcceptsPromptCacheKey; framework 
no longer emits on unknown hosts under AUTO (force via 
PromptCacheKeyMode.ENABLED)</li>
   <li>honor per-request ToolLoopPolicy in anthropic/cohere/langchain4j tool 
loops they hardcoded a 5-round cap and ignored maxIterations/onMaxIterations; 
now route through the shared ToolLoopGuard like the built-in (default behavior 
unchanged)</li>
   <li>make default model configurable, default claude-sonnet-4-6 adds 
anthropic.model system property; per-request and AiConfig models still win over 
the fallback</li>
   <li>version-bump touches only Atmosphere deps; regen SKILLCARDs</li>
   <li>repair rag-chat/mcp-server/browser-agent + SB3 Tomcat + stream 
errors</li>
   <li>restore real third-party dep versions clobbered by 4.0.x bump</li>
   </ul>
   <h3>Changed</h3>
   <ul>
   <li>pin deny-policy refusal on A2A and AG-UI bridges</li>
   <li>fail-closed Maven Central pre-check guards against version burn</li>
   <li>e2e proving config-driven routing is consumed on the wire</li>
   <li>attribute GenAI &quot;experimental&quot; to the OpenTelemetry spec, not 
the emitter GenAiTracer/MetricsCapturingSession Javadoc + README make clear the 
implementation is production code; only the upstream OTel GenAI convention is 
experimental</li>
   <li>document atmosphere new --routing flag and correct agui-chat sample row 
agui-chat is now a real <a 
href="https://github.com/Agent";><code>@​Agent</code></a> (LLM + <a 
href="https://github.com/AiTool";><code>@​AiTool</code></a> over the AG-UI 
native bridge), not scripted</li>
   <li>consolidate per-model-call observability into ModelCallScope replaces 
duplicated fireModelStart/End/Error + timing across 9 adapters and 2 Kotlin 
runtimes; event count/ordering unchanged (ADK start-time aligned to 
dispatch)</li>
   <li>unify tool-call accumulator across built-in, anthropic, cohere shared 
ToolCallAccumulator gains argumentsAsMap(); deletes the two private copies; 
built-in parse path unchanged</li>
   <li>extract AbstractSseLlmClient shared by Anthropic and Cohere clients 
collapses ~268 lines of duplicated HTTP/SSE plumbing (header filter, snippet 
read, data: loop, tool-schema) into one base; wire behavior byte-identical 
(black-box suites unchanged)</li>
   <li>add TokenUsage.fromCounts and migrate adapter usage translation 
collapses 11 hand-rolled null-guard/total-fallback sites; 2 sites now compute 
total=input+output instead of 0 when the provider omits total 
(regression-tested)</li>
   <li>hoist models() default into AbstractAgentRuntime removes 9 
byte-identical adapter overrides; koog (distinct logic) and the interface 
default unchanged</li>
   <li>fix cancel-test race by awaiting worker interrupt observation worker 
records the interrupt asynchronously; wait on a latch instead of reading the 
flag right after whenDone()</li>
   <li>correct AI doc/sample drift vs verified runtime capabilities embeddings 
5-&gt;7 runtimes, TOOL_CALL_DELTA Built-in+Cohere, ai.md classpath table, agui 
relabel, samples.json reattach</li>
   <li>bound playwright install with timeout to prevent multi-hour hangs</li>
   <li>both-layer regressions for the sweep failures (JUnit + Playwright)</li>
   <li>sync version stamp to 4.0.56-SNAPSHOT</li>
   <li>deep-link concept tables to docs site; fix verifier count</li>
   <li>bump version to 4.0.55</li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md";>org.atmosphere:atmosphere-runtime's
 changelog</a>.</em></p>
   <blockquote>
   <h2>[4.0.56] - 2026-06-23</h2>
   <h3>Added</h3>
   <ul>
   <li>guardrails + OBO + cost + run-registry AI bean parity with SB4</li>
   <li>config-driven AI routing parity with the SB4 starter</li>
   <li>install governance decision log out-of-box for the queryable audit 
trail</li>
   <li>warn on unauthenticated A2A endpoint + advertise declared security 
scheme</li>
   <li>make spring-boot-agui-chat a real AG-UI agent via the native bridge <a 
href="https://github.com/Agent";><code>@​Agent</code></a> + <a 
href="https://github.com/Prompt";><code>@​Prompt</code></a> + real <a 
href="https://github.com/AiTool";><code>@​AiTool</code></a> through 
session.stream() (demo fallback when no key); AiEvent-&gt;AgUiEvent over 
/atmosphere/agent/{name}/agui; replaces the scripted controller</li>
   <li>config-driven cost/latency/model routing rules in atmosphere.ai.routing 
extends F3a (content-only); compose order 
content-&gt;model-&gt;cost-&gt;latency; off-by-default + content behavior 
byte-identical</li>
   <li>emit experimental OTel GenAI semconv span attributes via GenAiTracer 
gen_ai.usage.<em>/request+response.model/operation/provider on the live span; 
fixes provider Runtime-Truth bug (real runtime name, not hardcoded atmosphere); 
legacy ai.tokens.</em> byte-identical</li>
   <li>add --routing flag to 'atmosphere new' for routing config scaffolding 
injects a commented atmosphere.ai.routing.* block into AI-template 
application.yml; off by default, rejected for non-AI templates</li>
   <li>wire real LongTermMemory cross-session recall into personal-assistant 
InMemoryLongTermMemory + LongTermMemoryInterceptor on the UpstreamMcpAgent <a 
href="https://github.com/AiEndpoint";><code>@​AiEndpoint</code></a> (no-arg 
interceptor + static holder pattern); makes the memory-bearing claim true</li>
   <li>opt-in RoutingLlmClient via atmosphere.ai.routing.enabled autoconfig 
wraps the resolved client with content-based routing rules; adds 
AiConfig.installClient seam; default-off byte-identical</li>
   <li>wire ApiKeyResolver into anthropic/cohere with provider env-var support 
renamed from CredentialResolver (clashed with AiGateway.CredentialResolver); 
per-provider precedence reads ANTHROPIC_API_KEY/COHERE_API_KEY, no 
cross-provider key leak</li>
   <li>add generation params (temperature/maxTokens/topP/stop) to LlmSettings 
wired to the wire for built-in/anthropic/spring-ai/langchain4j; honest 
per-runtime matrix in README; empty=byte-identical</li>
   <li>explicit prompt-cache-key tri-state replaces base-URL sniffing 
PromptCacheKeyMode AUTO/ENABLED/DISABLED on LlmSettings; AUTO preserves current 
per-path heuristics byte-for-byte</li>
   <li>store resolved apiKey on LlmSettings so apiKey() works for any client 
removes the OpenAiCompatibleClient-only instanceof; 4-arg constructor preserves 
old behavior; adds CredentialResolver precedence primitive</li>
   <li>provider-neutral model tier aliases (fast/frontier/reasoning) ModelTier 
resolves tier tokens to a concrete model by active provider; raw model strings 
pass through unchanged</li>
   <li>add provider-neutral configureNativeClient(Object) to 
AbstractAgentRuntime type-checked against nativeClientClassName(); 
provider-typed static setters remain the primary wiring path</li>
   </ul>
   <h3>Fixed</h3>
   <ul>
   <li>reachable agent bridge + keep response open during AG-UI streaming 
AgUiAgentBridge made public (cross-module reflective invoke from agui handler); 
handlePost joins the run thread so virtual-thread SSE writes don't hit a 
recycled response — fixes the agui-chat demo+UI e2e (only RUN_STARTED was 
reaching the wire)</li>
   <li>converge AUTO prompt-cache-key to one default-deny allow-list built-in 
and framework runtimes share CacheHint.endpointAcceptsPromptCacheKey; framework 
no longer emits on unknown hosts under AUTO (force via 
PromptCacheKeyMode.ENABLED)</li>
   <li>honor per-request ToolLoopPolicy in anthropic/cohere/langchain4j tool 
loops they hardcoded a 5-round cap and ignored maxIterations/onMaxIterations; 
now route through the shared ToolLoopGuard like the built-in (default behavior 
unchanged)</li>
   <li>make default model configurable, default claude-sonnet-4-6 adds 
anthropic.model system property; per-request and AiConfig models still win over 
the fallback</li>
   <li>version-bump touches only Atmosphere deps; regen SKILLCARDs</li>
   <li>repair rag-chat/mcp-server/browser-agent + SB3 Tomcat + stream 
errors</li>
   <li>restore real third-party dep versions clobbered by 4.0.x bump</li>
   </ul>
   <h3>Changed</h3>
   <ul>
   <li>pin deny-policy refusal on A2A and AG-UI bridges</li>
   <li>fail-closed Maven Central pre-check guards against version burn</li>
   <li>e2e proving config-driven routing is consumed on the wire</li>
   <li>attribute GenAI &quot;experimental&quot; to the OpenTelemetry spec, not 
the emitter GenAiTracer/MetricsCapturingSession Javadoc + README make clear the 
implementation is production code; only the upstream OTel GenAI convention is 
experimental</li>
   <li>document atmosphere new --routing flag and correct agui-chat sample row 
agui-chat is now a real <a 
href="https://github.com/Agent";><code>@​Agent</code></a> (LLM + <a 
href="https://github.com/AiTool";><code>@​AiTool</code></a> over the AG-UI 
native bridge), not scripted</li>
   <li>consolidate per-model-call observability into ModelCallScope replaces 
duplicated fireModelStart/End/Error + timing across 9 adapters and 2 Kotlin 
runtimes; event count/ordering unchanged (ADK start-time aligned to 
dispatch)</li>
   <li>unify tool-call accumulator across built-in, anthropic, cohere shared 
ToolCallAccumulator gains argumentsAsMap(); deletes the two private copies; 
built-in parse path unchanged</li>
   <li>extract AbstractSseLlmClient shared by Anthropic and Cohere clients 
collapses ~268 lines of duplicated HTTP/SSE plumbing (header filter, snippet 
read, data: loop, tool-schema) into one base; wire behavior byte-identical 
(black-box suites unchanged)</li>
   <li>add TokenUsage.fromCounts and migrate adapter usage translation 
collapses 11 hand-rolled null-guard/total-fallback sites; 2 sites now compute 
total=input+output instead of 0 when the provider omits total 
(regression-tested)</li>
   <li>hoist models() default into AbstractAgentRuntime removes 9 
byte-identical adapter overrides; koog (distinct logic) and the interface 
default unchanged</li>
   <li>fix cancel-test race by awaiting worker interrupt observation worker 
records the interrupt asynchronously; wait on a latch instead of reading the 
flag right after whenDone()</li>
   <li>correct AI doc/sample drift vs verified runtime capabilities embeddings 
5-&gt;7 runtimes, TOOL_CALL_DELTA Built-in+Cohere, ai.md classpath table, agui 
relabel, samples.json reattach</li>
   <li>bound playwright install with timeout to prevent multi-hour hangs</li>
   <li>both-layer regressions for the sweep failures (JUnit + Playwright)</li>
   <li>sync version stamp to 4.0.56-SNAPSHOT</li>
   <li>deep-link concept tables to docs site; fix verifier count</li>
   <li>bump version to 4.0.55</li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/9646c21950353664350196bab8773b5208f910a0";><code>9646c21</code></a>
 release: Atmosphere 4.0.56</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/9398b955adf08052b3af69d422953c334b4329ce";><code>9398b95</code></a>
 feat(spring-boot3): guardrails + OBO + cost + run-registry AI bean parity 
wit...</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/aa3c6f218db817174c1c3e8482ad4cc0ade914bb";><code>aa3c6f2</code></a>
 feat(spring-boot3): config-driven AI routing parity with the SB4 starter</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/7db7db95410f177a28d67b719c9970d485a816a1";><code>7db7db9</code></a>
 feat(admin): install governance decision log out-of-box for the queryable 
aud...</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/37c5364dc8fb1ccb2bacbdeb13280b92295010c9";><code>37c5364</code></a>
 test(governance): pin deny-policy refusal on A2A and AG-UI bridges</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/aa824bbc7ceaae90f320641ffc6f23e84c735628";><code>aa824bb</code></a>
 feat(a2a): warn on unauthenticated A2A endpoint + advertise declared 
security...</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/ea68116a1e71e57c4b1bb4109a03e9660fa4af77";><code>ea68116</code></a>
 ci(release): fail-closed Maven Central pre-check guards against version 
burn</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/4c93d485ba9e427798500b972cf8289b71b56c40";><code>4c93d48</code></a>
 test(spring-boot): e2e proving config-driven routing is consumed on the 
wire</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/460997b40cb316cf91e860d2057f9a2f28712608";><code>460997b</code></a>
 docs(ai): attribute GenAI &quot;experimental&quot; to the OpenTelemetry spec, 
not the e...</li>
   <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/106b82a18d23ae5181de6c57f02880e1bc34e2fc";><code>106b82a</code></a>
 docs: document atmosphere new --routing flag and correct agui-chat sample 
row</li>
   <li>Additional commits viewable in <a 
href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-project-3.1.0...atmosphere-4.0.56";>compare
 view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility 
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.atmosphere:atmosphere-runtime&package-manager=maven&previous-version=3.1.0&new-version=4.0.56)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that 
have been made to it
   - `@dependabot show <dependency name> ignore conditions` will show all of 
the ignore conditions of the specified dependency
   - `@dependabot ignore this major version` will close this PR and stop 
Dependabot creating any more for this major version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop 
Dependabot creating any more for this minor version (unless you reopen the PR 
or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop 
Dependabot creating any more for this dependency (unless you reopen the PR or 
upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to