Skip to content

feat(azdext): add output and logging helpers#2

Closed
jongio wants to merge 7 commits intofeature/ext-pr2-6945from
feature/ext-pr3-6946
Closed

feat(azdext): add output and logging helpers#2
jongio wants to merge 7 commits intofeature/ext-pr2-6945from
feature/ext-pr3-6946

Conversation

@jongio
Copy link
Owner

@jongio jongio commented Mar 2, 2026
edited
Loading

Summary

  • Add output and logging helpers for extension framework P2 scope.
  • Includes propagated lint/security fixes from lower stack layers.

Why

Links

Stack position

  • Base: feature/ext-pr2-6945
  • Head: feature/ext-pr3-6946

Stack / Merge Plan (Uber Plan)

This PR is Step 3 of 6 in the full rollout.

Required merge order

  1. Azure/azure-dev#6856 (Step 1)
  2. feat(azdext): add integration helpers for keyvault and config (Step 2)
  3. feat(azdext): add output and logging helpers (Step 3) ← current PR
  4. feat(azdext): add security validation and ssrf guard (Step 4)
  5. feat(azdext): add runtime utility helpers (Step 5)
  6. chore(azdext): apply post-6856 cleanup (Step 6)

How to land this safely

  • Merge strictly in the order above.
  • After each merge, rebase/merge forward so the next PR only contains net-new changes.
  • Do not skip steps; each PR depends on prior stack layers.

jongio and others added 5 commits March 1, 2026 20:19
@jongio
feat(azdext): add integration helpers for keyvault and config
cd7af9d 
Implements Azure#6945 (P1-5/P1-6).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
feat(azdext): add output and structured logging helpers
4c8d487 
Implements Azure#6946 (P2-1/P2-2).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix: resolve PR2 lint issues
644e6a2 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
security: propagate hack scan fixes to output/logging layer
5a0cdd9 
- Propagate core fixes: mcp_security, pagination, resilient_http_client
- Propagate helper fixes: config_helper, keyvault_resolver
@jongio
security: harden SSRF redirect, fix metadata bypass and retry-after o…
5ae737f 
…verflow

- SSRFSafeRedirect: add DNS resolution for hostname redirects (fail-closed)
  to prevent bypass via attacker-controlled DNS pointing to private IPs
- MCPSecurityPolicy.CheckURL: normalize IPv4-mapped IPv6 addresses before
  metadata host matching (blocks ::ffff:169.254.169.254 bypass)
- retryAfterFromResponse: cap parsed value before multiplication to prevent
  integer overflow that could bypass maxRetryAfterDuration
- keyvault_resolver: fix misleading error message about consecutive hyphens
- Add regression tests for all hardened paths
This was referenced Mar 2, 2026
Closed
Closed
Closed
Closed
Merged
jongio and others added 2 commits March 2, 2026 13:00
@jongio
fix: address profile review findings for stacked PR
afbb163 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
fix(azdext): remediate hack findings
486dba4 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio added a commit that referenced this pull request Mar 5, 2026
@jongio
fix: address PR review feedback from wbreza
9a58381 
- Prepend custom scope rules before defaults so overrides work (#1)
- Redact URL query params in ScopeDetectorError to prevent leaking secrets (#2)
- Add versioned User-Agent string, make configurable via ResilientClientOptions (#3)
- Set done=true on Collect truncation to prevent surprise continuation (#4)
- Add azdext SDK version constant (version.go)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jongio added a commit that referenced this pull request Mar 6, 2026
@jongio
feat(azdext): add P1 core extension primitives and hardening (Azure#6954
40ca1b4 
)

* feat(azdext): add P1 core extension primitives

Implements Azure#6944 core primitives for token provider, scope detection, resilient HTTP client, and pagination with tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): harden P1 primitives after quality review

Addresses MQ findings for Azure#6944: bounded response reads, nextLink SSRF protections, retry/body semantics, token-over-http guard, deterministic scope rules, and added regression tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: fix preflight blockers for PR1

Apply required gofmt and cspell updates so mage preflight passes for draft PR Azure#6954.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* security: harden core primitives against hack scan findings

- mcp_security: tighten input validation and error handling
- pagination: add bounds checking on page parameters
- resilient_http_client: strengthen TLS config and timeout enforcement
- resilient_http_client_test: add security-path test coverage

* fix: address profile review findings for stacked PR

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): satisfy lint and cspell checks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): remediate hack findings

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address copilot review feedback on PR 6954

- block hostname redirects that resolve to private/loopback IPs\n- return explicit nil-client error in stdHTTPDoer path\n- honor MaxRetries=0 as no retries; use negative as default sentinel\n- update TokenProvider usage snippet to current API\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address follow-up Copilot feedback on PR 6954

- tighten backoff jitter upper bound\n- require absolute HTTPS nextLink\n- return explicit oversized page response error\n- align OnBlocked docs with implemented actions\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: retrigger CI for PR Azure#6954

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: retrigger CI for transient external failures

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): address actionable main PR review items

- remove mutable redirect lookup test hook via injected helper
- document scope detector servicebus ambiguity and ACR scope semantics
- use slices.Sort for deterministic custom rule ordering
- clarify TokenProvider usage guidance

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): address remaining maintainer review items

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore(agents): remove unrelated whitespace-only changes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): redact blocked URL details in policy callback path

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(azdext): add x-ms-client-request-id and align resilient headers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review feedback from wbreza

- Prepend custom scope rules before defaults so overrides work (#1)
- Redact URL query params in ScopeDetectorError to prevent leaking secrets (#2)
- Add versioned User-Agent string, make configurable via ResilientClientOptions (#3)
- Set done=true on Collect truncation to prevent surprise continuation (#4)
- Add azdext SDK version constant (version.go)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio
Copy link
Owner Author

jongio commented Mar 6, 2026

Consolidated into single PR: Azure#7025

@jongio jongio closed this Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wbreza wbreza Awaiting requested review from wbreza wbreza will be requested when the pull request is marked ready for review wbreza is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jongio