docs: design spec for azd ai connection direct commands#8138
docs: design spec for azd ai connection direct commands#8138Nathandrake229 wants to merge 6 commits into
Conversation
Add design specification for the azure.ai.connection extension and azd ai agent run secret injection, covering: - New standalone extension (namespace: ai.connection) for connection CRUD - Hybrid API architecture: ARM SDK for CRUD + data-plane for credentials - Full 5-level project endpoint resolution cascade - ARM resource ID discovery via data-plane bootstrap GET - Agent run --secret, --secret-from-env, --secret-from-keyvault flags - Error handling, output formatting, and registry entry Spec source: coreai-microsoft/foundrysdk_specs#165 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- list/show output includes credential reference strings for agent.yaml - azd ai agent run resolves connection credential references at startup - Developer can copy reference strings directly into agent.yaml Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Nathandrake229
requested review from
JeffreyCA,
hemarina,
jongio,
rajeshkamal5050,
tg-msft,
vhvb1989,
wbreza and
weikanglim
as code owners
There was a problem hiding this comment.
Pull request overview
Adds a new design specification document for planned “direct commands” around Foundry connections (azd ai connection / azure.ai.connection extension) and for secret injection enhancements to azd ai agent run in the existing azure.ai.agents extension.
Changes:
- Introduces a comprehensive design spec covering command surface, endpoint resolution, and hybrid ARM + data-plane API usage.
- Describes proposed flags and behaviors for agent-run secret injection (literal/env/Key Vault) and connection credential reference resolution.
- Documents proposed extension structure, error handling approach, and output formatting conventions.
- Fix GET to POST for getConnectionWithCredentials (it is a POST) - Align buildCredentialReferences with ConnectionCredentials struct - Fix resolveConnectionReferences to handle credential types correctly - Add metadata capability to extension.yaml - Use azdClient.Prompt().Confirm() instead of fmt.Scanln for delete - Standardize resolveProjectEndpoint signature to (ctx, cmd) - Fix CRUD commands to use resolveConnectionContext pattern - Add validation to parseKeyValuePairs for malformed input - Align Connection model with actual data-plane response shape Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
📋 Prioritization NoteThanks for the contribution! The linked issue isn't in the current milestone yet. |
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
A few systemic issues need attention before implementation. The Copilot bot's inline comments cover additional internal inconsistencies (POST vs GET, Credentials shape, parseKeyValuePairs error handling) that are all valid.
-
CI is failing - cspell-lint reports 39 unknown words. See inline comment on line 3.
-
CRUD commands skip ARM context resolution - Section 4.4 defines
resolveConnectionContextas "the shared context that every command uses," but onlydeleteactually calls it. Thecreate,update,show, andlistexamples callresolveProjectEndpoint+NewARMClient(endpoint, cred)directly, which can't work sinceNewARMClientneeds subscription/rg/account/project (per section 5.8). -
Endpoint resolution cascade diverges from azure.ai.agents - The 5-level cascade adds global config and
FOUNDRY_PROJECT_ENDPOINTenv var steps that the agents extension doesn't have. If this is a deliberate design choice for standalone usability, call it out explicitly. Two extensions in theai.*namespace resolving endpoints differently will confuse users. -
Bootstrap API call on every invocation -
discoverARMContexthits the data-plane on every command to extract subscription/rg. Consider caching in azd global config after first resolution. The agents extension usesconfig_store.gofor similar per-endpoint state. -
Registry entry format doesn't match actual registry.json - See inline comment on line 1633.
|
|
||
| ### 4.4 Full Connection Context Resolution | ||
|
|
||
| Putting it all together — the shared context that every command uses: |
There was a problem hiding this comment.
[HIGH] Only delete uses resolveConnectionContext - other commands can't work as written
Section 4.4 describes this as "the shared context that every command uses," but the create (line 806), update (line 891), show, and list command examples bypass it entirely. They call resolveProjectEndpoint + NewARMClient(endpoint, cred) directly, which can't work because NewARMClient (defined in section 5.8) requires (subscriptionID, rg, account, project, cred).
All commands that touch the ARM API should use resolveConnectionContext or an equivalent that provides the ARM resource ID components.
There was a problem hiding this comment.
Fixed in commit 83b9d63. All five CRUD commands (create, update, delete, show, list) now use resolveConnectionContext(ctx, cmd). No direct NewARMClient calls from command code.
There was a problem hiding this comment.
Confirmed - all 5 CRUD commands now route through resolveConnectionContext. Looks correct.
|
|
||
| After the extension is built and published, add to `cli/azd/extensions/registry.json`: | ||
|
|
||
| ```json |
There was a problem hiding this comment.
[MEDIUM] Registry entry format doesn't match actual registry.json
The actual registry.json uses:
- A top-level
"schemaVersion": "1.0"field - An
"extensions"array (not an object keyed by extension ID) - Each entry has an
"id"field and a"versions"array (not an object)
Check cli/azd/extensions/registry.json for the actual format.
There was a problem hiding this comment.
Fixed in commit 83b9d63. Updated to match actual registry.json format -- schemaVersion at top level, extensions as array, versions as array.
There was a problem hiding this comment.
No longer applicable since connections are part of the agents extension now. No separate registry entry needed.
- Remove agent run --secret flags (connections are the secret store) - Add --kind filter caveat (client-side only, needs API confirmation) - Change default output format from json to table - Fix cspell ignore list - Add note on endpoint resolution divergence from existing pattern - Add ARM context caching optimization - Fix all CRUD commands to use resolveConnectionContext - Fix registry.json format to match actual schema Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- ARM supports server-side category filtering (validated: ?category=RemoteTool) - Data-plane ignores filter params (always returns all connections) - ARM PUT is unconditional upsert (silently overwrites existing connections) - create without --force now does a pre-check GET to detect duplicates - Updated ARM client List to use server-side category filter option Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Move from separate extension to inside azure.ai.agents (per John's review) - Follow PR #8100 pattern: namespace ai, sibling subcommand groups - Connection code in internal/connections/ (self-contained, no agent imports) - Clarify connection commands don't modify YAML files - Clarify run.go credential resolution is additive to existing env var handling - Add namespace conflict with other ai.* extensions as open item - Update registry section (no separate entry needed) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio
left a comment
jongio
left a comment
There was a problem hiding this comment.
Incremental review covering 3 new commits since my last pass.
Prior findings:
resolveConnectionContextnot used by all commands: fixed, all 5 CRUD commands use it now- Registry entry format: no longer applicable (connections embedded in agents extension)
- Bootstrap API caching: added
- Endpoint resolution divergence: intentional per spec requirement, documented
The restructuring to embed connections inside the agents extension addresses the "not a new extension" feedback well. The internal/connections/ package being self-contained with zero imports from internal/agents/ is a clean separation that supports future extraction if needed.
One concern below about the namespace change that affects the command-tree design in sections 2 and 5.
| ```yaml | ||
| # yaml-language-server: $schema=../extension.schema.json | ||
| id: azure.ai.agents | ||
| namespace: ai |
There was a problem hiding this comment.
Changing to namespace: ai will conflict with three existing extensions that use ai.* namespaces:
azure.ai.models(namespace:ai.models)azure.ai.finetune(namespace:ai.finetuning)microsoft.azd.ai.builder(namespace:ai.builder)
The framework's namespacesConflict check in cmd/extension_namespace_test.go explicitly tests that ai vs ai.agent is a conflict (lines 31-45). Same logic applies to ai vs ai.models, etc. The routing in cmd/extensions.go mounts namespace: ai as an extension command at the ai node, blocking other extensions from using it as a routing prefix.
John's feedback was "still remain in its own namespace," which reads as keeping ai.agent or ai.connection rather than claiming the ai root.
Two options that don't need framework changes:
- Keep
namespace: ai.agentand mount connections as sub-commands (azd ai agent connection ...) - Register connections via a thin wrapper extension at
ai.connectionthat imports the shared code from the agents directory (one codebase, two entry points)
Open question #8 flags this, but since it drives the entire command-tree design in sections 2 and 5, it should be resolved before the spec is implementation-ready.
| displayName: Foundry AI (Preview) | ||
| description: Manage agents and connections in Microsoft Foundry. (Preview) | ||
| usage: azd ai <command> [options] | ||
| version: 0.1.30-preview |
There was a problem hiding this comment.
The current agents extension on main is at 0.1.31-preview but the spec shows 0.1.30-preview. Should be updated to match or exceed the current version.
Summary
Adds the design specification for the
azure.ai.connectionextension andazd ai agent runsecret injection.Spec source: https://github.com/coreai-microsoft/foundrysdk_specs/pull/165
What's in the design spec
New Extension:
azure.ai.connection(namespace:ai.connection)Agent Run Secrets (
azure.ai.agentsextension)Open Items
8 tracked items including API endpoint confirmation, enum finalization, and a resolution order contradiction in the requirement spec.
Files changed
cli/azd/docs/design/azure-ai-direct-commands.md— New design specification