AI Spark: Governed Entry Point for AI in Regulated Environments

V12 major release: Upgrade the CAP Agent runtime from CAP V11 to CAP V12. Drop-in replacement for V11 Marketplace deployments; CloudFormation template URL, parameters, environment variables, EFS mount shape, ALB health check, and Console connection workflow are unchanged. Existing V11 stacks pick up V12 on their next stack update.

feat: Jetty 9.4 upgraded to Jetty 12.1.8 with the Jakarta EE 11 environment. Servlet API moves from javax.servlet 4.0 to jakarta.servlet 6.1. This brings the CAP Agent runtime onto the current generation of Eclipse Foundation supported releases. The javax.servlet 4.0 line reached end of life in 2023 and stopped receiving security updates from upstream.

feat: Java 21 LTS Virtual Threads on HTTP ingress. HTTP request handlers now run on JDK 21 virtual threads via Jetty's threadpool-virtual module. Previous releases were capped by the default 200 OS thread limit on ingress. Virtual threads remove that ceiling and let a single CAP Agent service tens of thousands of concurrent rule-bearing requests without operator tuning. Existing rule code is unchanged; virtual thread scheduling is transparent to extensions.

Security fix: CVE-2025-49146 (HIGH, pgjdbc insecure authentication in channel binding) and CVE-2026-42198 (HIGH, pgjdbc client-side denial of service when negotiating SCRAM-SHA-256 authentication). The bundled PostgreSQL JDBC driver is upgraded from 42.7.4 to 42.7.11. Affects customers who connect their CAP Agent to AWS RDS PostgreSQL via the supplied DBPassword secret.

fix: Reduced container attack surface by pruning the Jetty 12 distribution at image build time. The upstream Jetty tarball ships every Jakarta EE environment (ee8, ee9, ee10, ee11) plus optional features (websocket, JASPI, CDI, OpenID, HTTP/3, demo webapps, Hazelcast / Infinispan / GCloud session managers, ALPN, JMX). The CAP Agent only requires ee11 with HTTP/1.1, deployment, annotations, plus, virtual thread pool, and forwarded request handling. The Dockerfile now removes approximately 80 unused JARs at build time. The compressed image is approximately 181 MB.

fix: Cleaner agent startup logs. Two cosmetic WARN blocks are removed. The AnnotationParser "scanned from multiple locations" block (126 WARN lines per restart) was caused by a redundant uber-jar that shaded the jakarta.servlet API alongside Jetty's own copy; the uber-jar is no longer included. The DigesterFactory "cannot find XMLSchema.dtd" block (3 WARN lines per startup) was emitted by Jetty's repackaged Tomcat Jasper compiler, which the CAP Agent does not use; the Jasper module is no longer enabled. A healthy CAP Agent launch now logs zero WARN, zero ERROR.

fix: Cold boot time reduced from approximately 5.5 seconds to approximately 3.5 seconds, primarily by removing the unused Jasper compiler initializer from the startup path.

Compatibility: No breaking changes for existing customers. CloudFormation template URL, task definition shape, environment variables (S3_GOLD_MASTER, DB_HOST, DB_PORT, DB_NAME, DB_USER, DB_PASSWORD secret), EFS mount path, port mappings (8080 web, 20001 management), ALB health check path, and CAP Console connection workflow are all unchanged from V11. CAP rulesets and extensions deployed on V11 agents will run unchanged on V12 agents.

Documentation: https://docs.tomorrowx.com  Support: help@tomorrowx.dev