Skip to content

feat(azdext): add integration helpers for keyvault and config#1

Closed
jongio wants to merge 6 commits intofeature/ext-p1-core-primitivesfrom
feature/ext-pr2-6945
Closed

feat(azdext): add integration helpers for keyvault and config#1
jongio wants to merge 6 commits intofeature/ext-p1-core-primitivesfrom
feature/ext-pr2-6945

Conversation

@jongio
Copy link
Owner

@jongio jongio commented Mar 2, 2026
edited
Loading

Summary

  • Add extension framework integration helpers for Key Vault resolution and config operations.
  • Includes lint/security follow-up fixes validated locally.

Why

Links

Stack position

  • Base: feature/ext-p1-core-primitives
  • Head: feature/ext-pr2-6945

Stack / Merge Plan (Uber Plan)

This PR is Step 2 of 6 in the full rollout.

Required merge order

  1. Azure/azure-dev#6856 (Step 1)
  2. feat(azdext): add integration helpers for keyvault and config (Step 2) ← current PR
  3. feat(azdext): add output and logging helpers (Step 3)
  4. feat(azdext): add security validation and ssrf guard (Step 4)
  5. feat(azdext): add runtime utility helpers (Step 5)
  6. chore(azdext): apply post-6856 cleanup (Step 6)

How to land this safely

  • Merge strictly in the order above.
  • After each merge, rebase/merge forward so the next PR only contains net-new changes.
  • Do not skip steps; each PR depends on prior stack layers.

jongio and others added 4 commits March 1, 2026 20:18
@jongio
feat(azdext): add integration helpers for keyvault and config
7cd510c 
Implements Azure#6945 (P1-5/P1-6).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: resolve PR2 lint issues
7506603 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
security: harden keyvault/config helpers against hack scan findings
d6e39f8 
- config_helper: sanitize config key inputs, add bounds validation
- config_helper_test: test coverage for sanitization paths
- keyvault_resolver: tighten secret name validation
- Propagate core fixes: mcp_security, pagination, resilient_http_client
@jongio
fix(azdext): correct default error reason for non-HTTP keyvault failures
958d4f5 
Non-HTTP errors (network timeout, DNS failure, context canceled) from
GetSecret were incorrectly classified as ResolveReasonAccessDenied.
Changed default to ResolveReasonServiceError so callers get accurate
error classification and don't mistake transport errors for auth issues.

Updated TestResolve_NonResponseError to verify the corrected behavior.
This was referenced Mar 2, 2026
Closed
Closed
Closed
Closed
Merged
jongio and others added 2 commits March 2, 2026 13:00
@jongio
fix: address profile review findings for stacked PR
587f3e9 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix(azdext): remediate hack findings
507eeb7 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio added a commit that referenced this pull request Mar 5, 2026
@jongio
fix: address PR review feedback from wbreza
9a58381 
- Prepend custom scope rules before defaults so overrides work (#1)
- Redact URL query params in ScopeDetectorError to prevent leaking secrets (#2)
- Add versioned User-Agent string, make configurable via ResilientClientOptions (#3)
- Set done=true on Collect truncation to prevent surprise continuation (#4)
- Add azdext SDK version constant (version.go)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio added a commit that referenced this pull request Mar 6, 2026
@jongio
feat(azdext): add P1 core extension primitives and hardening (Azure#6954
40ca1b4 
)

* feat(azdext): add P1 core extension primitives

Implements Azure#6944 core primitives for token provider, scope detection, resilient HTTP client, and pagination with tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): harden P1 primitives after quality review

Addresses MQ findings for Azure#6944: bounded response reads, nextLink SSRF protections, retry/body semantics, token-over-http guard, deterministic scope rules, and added regression tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: fix preflight blockers for PR1

Apply required gofmt and cspell updates so mage preflight passes for draft PR Azure#6954.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* security: harden core primitives against hack scan findings

- mcp_security: tighten input validation and error handling
- pagination: add bounds checking on page parameters
- resilient_http_client: strengthen TLS config and timeout enforcement
- resilient_http_client_test: add security-path test coverage

* fix: address profile review findings for stacked PR

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): satisfy lint and cspell checks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): remediate hack findings

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address copilot review feedback on PR 6954

- block hostname redirects that resolve to private/loopback IPs\n- return explicit nil-client error in stdHTTPDoer path\n- honor MaxRetries=0 as no retries; use negative as default sentinel\n- update TokenProvider usage snippet to current API\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address follow-up Copilot feedback on PR 6954

- tighten backoff jitter upper bound\n- require absolute HTTPS nextLink\n- return explicit oversized page response error\n- align OnBlocked docs with implemented actions\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: retrigger CI for PR Azure#6954

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: retrigger CI for transient external failures

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): address actionable main PR review items

- remove mutable redirect lookup test hook via injected helper
- document scope detector servicebus ambiguity and ACR scope semantics
- use slices.Sort for deterministic custom rule ordering
- clarify TokenProvider usage guidance

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): address remaining maintainer review items

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(agents): remove unrelated whitespace-only changes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): redact blocked URL details in policy callback path

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): add x-ms-client-request-id and align resilient headers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review feedback from wbreza

- Prepend custom scope rules before defaults so overrides work (#1)
- Redact URL query params in ScopeDetectorError to prevent leaking secrets (#2)
- Add versioned User-Agent string, make configurable via ResilientClientOptions (#3)
- Set done=true on Collect truncation to prevent surprise continuation (#4)
- Add azdext SDK version constant (version.go)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
Copy link
Owner Author

jongio commented Mar 6, 2026

Consolidated into single PR: Azure#7025

@jongio jongio closed this Mar 6, 2026
jongio added a commit that referenced this pull request Mar 13, 2026
@jongio
fix: address Copilot review feedback
179f60c 
- Use merged_at instead of merged for reliable merge detection (thread #1)
- Expand isDocOnlyPr to handle doc-adjacent assets (thread #2)
- Replace N+1 API calls with git.getTree for doc inventory (thread #3)
- Fix README trigger types to match actual workflow config (thread #5)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio added a commit that referenced this pull request Mar 13, 2026
@jongio
security: comprehensive hardening from red team assessment
5b28419 
- Pin actions to commit SHAs (actions/checkout, azure/login)
- Cap all_open/list mode to MAX_PRS_PER_RUN=20
- Cap AI output: MAX_REASON_LENGTH=200, MAX_SUMMARY_LENGTH=500
- Add MAX_IMPACTS=15 to limit AI-generated impact count
- Add MAX_CONTENT_SIZE_BYTES=50KB per doc file
- Sanitize doc manifest content (titles, topics, headings)
- Reject unknown repos from AI output (not just warn)
- Validate repo format with regex (owner/repo)
- Block path traversal in AI-returned paths
- Sanitize PR title in log output (strip control chars)
- Strip HTML from existing PR body in closeCompanionPrs
- Remove error messages from tracking comment (prevent data leak)
- Upper-bound PR number input to 999999
- Rename TRUSTED_DOC_INVENTORY to DOC_INVENTORY tag

Red team findings addressed: #2, #5, Azure#6, Azure#8, Azure#9, Azure#10, Azure#11
Admin items remaining: #1 (env gating), #3 (token scope), #4 (OIDC vars)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wbreza wbreza Awaiting requested review from wbreza wbreza will be requested when the pull request is marked ready for review wbreza is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jongio