Skip to content

docs: design spec for azd ai connection direct commands#8138

Open
Nathandrake229 wants to merge 6 commits into
mainfrom
naman/azd-ai-connection-design-spec
Open

docs: design spec for azd ai connection direct commands#8138
Nathandrake229 wants to merge 6 commits into
mainfrom
naman/azd-ai-connection-design-spec

Conversation

@Nathandrake229
Copy link
Copy Markdown
Contributor

@Nathandrake229 Nathandrake229 commented May 11, 2026

Summary

Adds the design specification for the azure.ai.connection extension and azd ai agent run secret injection.

Spec source: https://github.com/coreai-microsoft/foundrysdk_specs/pull/165

What's in the design spec

New Extension: azure.ai.connection (namespace: ai.connection)

  • 11 commands: connection CRUD (create, update, delete, show, list) + metadata (set, remove, list) + key (set, remove, list)
  • Hybrid API architecture: ARM SDK for CRUD + data-plane for credential fetch — validated live
  • Full 5-level endpoint resolution: flag, azd env, global config, env var, structured error
  • ARM resource ID discovery: Bootstrap data-plane GET to extract subscription/resource group — enables standalone usage without an azd project
  • --from-file mutual exclusivity, --force dual semantics, --show-credentials opt-in
  • Standalone usability: Works outside azd projects with just a project endpoint URL

Agent Run Secrets (azure.ai.agents extension)

  • --secret KEY=VALUE, --secret-from-env KEY, --secret-from-keyvault KEY=vault-url (all repeatable)
  • Pure local operation — secrets injected as env vars into the spawned agent process

Open Items

8 tracked items including API endpoint confirmation, enum finalization, and a resolution order contradiction in the requirement spec.

Files changed

  • cli/azd/docs/design/azure-ai-direct-commands.md — New design specification

docs: add design spec for azd ai connection direct commands
e0643a6 
Add design specification for the azure.ai.connection extension and
azd ai agent run secret injection, covering:

- New standalone extension (namespace: ai.connection) for connection CRUD
- Hybrid API architecture: ARM SDK for CRUD + data-plane for credentials
- Full 5-level project endpoint resolution cascade
- ARM resource ID discovery via data-plane bootstrap GET
- Agent run --secret, --secret-from-env, --secret-from-keyvault flags
- Error handling, output formatting, and registry entry

Spec source: coreai-microsoft/foundrysdk_specs#165

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
docs: add credential reference strings and agent run resolution
59d8b76 
- list/show output includes credential reference strings for agent.yaml
- azd ai agent run resolves connection credential references at startup
- Developer can copy reference strings directly into agent.yaml

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@Nathandrake229 Nathandrake229 marked this pull request as ready for review May 11, 2026 18:11
Copilot AI review requested due to automatic review settings May 11, 2026 18:11
@Nathandrake229 Nathandrake229 mentioned this pull request May 11, 2026
Open
@Nathandrake229 Nathandrake229 linked an issue May 11, 2026 that may be closed by this pull request
Feature: Add ai.connection extension for CRUD on Connected Resources in Foundry Project #8139
Open
Copilot AI reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a new design specification document for planned “direct commands” around Foundry connections (azd ai connection / azure.ai.connection extension) and for secret injection enhancements to azd ai agent run in the existing azure.ai.agents extension.

Changes:

  • Introduces a comprehensive design spec covering command surface, endpoint resolution, and hybrid ARM + data-plane API usage.
  • Describes proposed flags and behaviors for agent-run secret injection (literal/env/Key Vault) and connection credential reference resolution.
  • Documents proposed extension structure, error handling approach, and output formatting conventions.

Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
docs: address review comments on design spec
0707add 
- Fix GET to POST for getConnectionWithCredentials (it is a POST)
- Align buildCredentialReferences with ConnectionCredentials struct
- Fix resolveConnectionReferences to handle credential types correctly
- Add metadata capability to extension.yaml
- Use azdClient.Prompt().Confirm() instead of fmt.Scanln for delete
- Standardize resolveProjectEndpoint signature to (ctx, cmd)
- Fix CRUD commands to use resolveConnectionContext pattern
- Add validation to parseKeyValuePairs for malformed input
- Align Connection model with actual data-plane response shape

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 11, 2026
edited
Loading

📋 Prioritization Note

Thanks for the contribution! The linked issue isn't in the current milestone yet.
Review may take a bit longer — reach out to @rajeshkamal5050 or @kristenwomack if you'd like to discuss prioritization.

jongio
jongio reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jongio jongio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few systemic issues need attention before implementation. The Copilot bot's inline comments cover additional internal inconsistencies (POST vs GET, Credentials shape, parseKeyValuePairs error handling) that are all valid.

  1. CI is failing - cspell-lint reports 39 unknown words. See inline comment on line 3.

  2. CRUD commands skip ARM context resolution - Section 4.4 defines resolveConnectionContext as "the shared context that every command uses," but only delete actually calls it. The create, update, show, and list examples call resolveProjectEndpoint + NewARMClient(endpoint, cred) directly, which can't work since NewARMClient needs subscription/rg/account/project (per section 5.8).

  3. Endpoint resolution cascade diverges from azure.ai.agents - The 5-level cascade adds global config and FOUNDRY_PROJECT_ENDPOINT env var steps that the agents extension doesn't have. If this is a deliberate design choice for standalone usability, call it out explicitly. Two extensions in the ai.* namespace resolving endpoints differently will confuse users.

  4. Bootstrap API call on every invocation - discoverARMContext hits the data-plane on every command to extract subscription/rg. Consider caching in azd global config after first resolution. The agents extension uses config_store.go for similar per-endpoint state.

  5. Registry entry format doesn't match actual registry.json - See inline comment on line 1633.

Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md

### 4.4 Full Connection Context Resolution

Putting it all together — the shared context that every command uses:
Copy link
Copy Markdown
Member

@jongio jongio May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[HIGH] Only delete uses resolveConnectionContext - other commands can't work as written

Section 4.4 describes this as "the shared context that every command uses," but the create (line 806), update (line 891), show, and list command examples bypass it entirely. They call resolveProjectEndpoint + NewARMClient(endpoint, cred) directly, which can't work because NewARMClient (defined in section 5.8) requires (subscriptionID, rg, account, project, cred).

All commands that touch the ARM API should use resolveConnectionContext or an equivalent that provides the ARM resource ID components.

Copy link
Copy Markdown
Contributor Author

@Nathandrake229 Nathandrake229 May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in commit 83b9d63. All five CRUD commands (create, update, delete, show, list) now use resolveConnectionContext(ctx, cmd). No direct NewARMClient calls from command code.

Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated

After the extension is built and published, add to `cli/azd/extensions/registry.json`:

```json
Copy link
Copy Markdown
Member

@jongio jongio May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] Registry entry format doesn't match actual registry.json

The actual registry.json uses:

  • A top-level "schemaVersion": "1.0" field
  • An "extensions" array (not an object keyed by extension ID)
  • Each entry has an "id" field and a "versions" array (not an object)

Check cli/azd/extensions/registry.json for the actual format.

Copy link
Copy Markdown
Contributor Author

@Nathandrake229 Nathandrake229 May 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in commit 83b9d63. Updated to match actual registry.json format -- schemaVersion at top level, extensions as array, versions as array.

therealjohn
therealjohn requested changes May 12, 2026
View reviewed changes
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md
Comment thread cli/azd/docs/design/azure-ai-direct-commands.md Outdated
Naman Tyagi and others added 2 commits May 12, 2026 11:21
docs: address reviewer feedback on design spec
83b9d63 
- Remove agent run --secret flags (connections are the secret store)
- Add --kind filter caveat (client-side only, needs API confirmation)
- Change default output format from json to table
- Fix cspell ignore list
- Add note on endpoint resolution divergence from existing pattern
- Add ARM context caching optimization
- Fix all CRUD commands to use resolveConnectionContext
- Fix registry.json format to match actual schema

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
docs: update design spec with validated API findings
ed05f69 
- ARM supports server-side category filtering (validated: ?category=RemoteTool)
- Data-plane ignores filter params (always returns all connections)
- ARM PUT is unconditional upsert (silently overwrites existing connections)
- create without --force now does a pre-check GET to detect duplicates
- Updated ARM client List to use server-side category filter option

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@hund030 hund030 mentioned this pull request May 13, 2026
Open
docs: restructure design spec per PR #8100 pattern
1eb274d 
- Move from separate extension to inside azure.ai.agents (per John's review)
- Follow PR #8100 pattern: namespace ai, sibling subcommand groups
- Connection code in internal/connections/ (self-contained, no agent imports)
- Clarify connection commands don't modify YAML files
- Clarify run.go credential resolution is additive to existing env var handling
- Add namespace conflict with other ai.* extensions as open item
- Update registry section (no separate entry needed)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@therealjohn therealjohn therealjohn requested changes

@jongio jongio jongio left review comments

Copilot code review Copilot Copilot left review comments

@wbreza wbreza Awaiting requested review from wbreza wbreza is a code owner

@vhvb1989 vhvb1989 Awaiting requested review from vhvb1989 vhvb1989 is a code owner

@hemarina hemarina Awaiting requested review from hemarina hemarina is a code owner

@weikanglim weikanglim Awaiting requested review from weikanglim weikanglim is a code owner

@JeffreyCA JeffreyCA Awaiting requested review from JeffreyCA JeffreyCA is a code owner

@tg-msft tg-msft Awaiting requested review from tg-msft tg-msft is a code owner

@rajeshkamal5050 rajeshkamal5050 Awaiting requested review from rajeshkamal5050 rajeshkamal5050 is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

@Nathandrake229 Nathandrake229

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feature: Add ai.connection extension for CRUD on Connected Resources in Foundry Project

4 participants

@Nathandrake229 @therealjohn @jongio