
feat(agents): add 'endpoint show' command and auth-change warning #8574

Merged
v1212 merged 5 commits into Azure:main from v1212:jw/endpoint-show-and-auth-warning
Jun 10, 2026


@v1212 v1212 commented Jun 9, 2026

Collaborator

Summary

Adds two UX improvements to the existing azd ai agent endpoint update command, which already supports PATCH on agents.

azd deploy vs azd ai agent endpoint update

| | azd deploy | azd ai agent endpoint update |
|---|---|---|
| What it does | Creates a new agent version (new code/model/instructions) | Patches endpoint metadata without creating a new version |
| Triggers deployment | Yes (container rebuild, provisioning) | No (instant, Cosmos DB update only) |
| Changes definition | Yes (model, instructions, tools, code) | No |
| Changes routing/auth/card | Only at initial create | Yes -- this is its purpose |
| Typical use | Ship new agent logic | Enable a2a/mcp, set canary traffic, configure auth |
| Time | Minutes (build + provision) | Seconds |

Existing PATCH capabilities (already implemented)

azd ai agent endpoint update reads agent.yaml and patches the live agent. The user manually edits agent.yaml, then runs the command. It supports all 4 PATCH scenarios:

| Scenario | agent.yaml field | Example value |
|---|---|---|
| Protocol enablement | agent_endpoint.protocols | [responses, a2a, mcp] |
| Traffic routing / Canary | agent_endpoint.version_selector | @latest: 80%, v1: 20% |
| Authorization config | agent_endpoint.authorization_schemes | Entra / Header isolation |
| Agent Card (A2A discovery) | agent_card | description + skills |

What this PR adds (gap fixes)

1. azd ai agent endpoint show [name]

Displays the current live endpoint configuration. Example output:

```
Agent: patch-poc-resp

Protocols: responses, a2a, mcp

Version Selector:
@latest 80%
1 20%

Authorization:
Type: Entra
Isolation: Header

Agent Card:
Version: 2.0
Description: Updated echo agent
Skills:
- Echo: Echoes user input
- Stream Echo: Streaming echo
```

JSON output (--output json):
```json
{
  "name": "json-test-agent",
  "agent_endpoint": {
    "version_selector": {
      "version_selection_rules": [
        {
          "type": "FixedRatio",
          "agent_version": "@latest",
          "traffic_percentage": 100
        }
      ]
    },
    "protocols": ["responses"],
    "authorization_schemes": [
      {
        "type": "Entra",
        "isolation_key_source": { "kind": "Entra" }
      }
    ]
  },
  "agent_card": null
}
```

2. Auth-change breaking-change warning

When endpoint update detects isolation_key_source is changing (e.g., Entra to Header):

```
WARNING: Changing isolation key source from "Entra" to "Header".
This is a BREAKING CHANGE -- all existing API callers must immediately
update their requests to match the new authorization scheme.
Callers must include the "x-ms-user-isolation-key" header, or they will receive 400 errors.

Continue? [y/N]
```

--force skips the prompt.

Implementation

  • endpoint_show.go (new): registered as azd ai agent endpoint show
  • endpoint_show_test.go (new): unit tests for table/JSON output and isolation helpers
  • update.go: added --force flag + warnIfAuthChange() that GETs current agent and compares auth config before PATCHing
  • models.go: added AgentEndpoint and AgentCard fields to AgentObject

Testing

```
=== RUN TestPrintEndpointTable_FullConfig
--- PASS: TestPrintEndpointTable_FullConfig (0.00s)
=== RUN TestPrintEndpointTable_NilEndpoint
--- PASS: TestPrintEndpointTable_NilEndpoint (0.00s)
=== RUN TestPrintEndpointJSON
--- PASS: TestPrintEndpointJSON (0.00s)
=== RUN TestGetIsolationKind
--- PASS: TestGetIsolationKind (0.00s)
    --- PASS: TestGetIsolationKind/nil_endpoint (0.00s)
    --- PASS: TestGetIsolationKind/empty_schemes (0.00s)
    --- PASS: TestGetIsolationKind/entra (0.00s)
    --- PASS: TestGetIsolationKind/header (0.00s)
=== RUN TestPatchAgent_Success
--- PASS: TestPatchAgent_Success (0.00s)
=== RUN TestPatchAgent_OmitsNilFields
--- PASS: TestPatchAgent_OmitsNilFields (0.00s)
PASS
```

  • All extension tests pass (go test ./...)
  • go vet clean
  • Binary builds successfully

Fixes #8573

- Add 'azd ai agent endpoint show' to display current endpoint
  configuration (protocols, version selector, auth, agent card)
- Add breaking-change warning to 'endpoint update' when authorization
  scheme isolation_key_source is changing (especially Entra → Header)
- Add AgentEndpoint and AgentCard fields to AgentObject model so
  GET responses include endpoint configuration
- Warning can be skipped with --force flag

Fixes Azure#8573

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Copilot AI left a comment

Contributor


Pull request overview

Adds UX improvements to the Azure AI Agents extension’s endpoint management: a new azd ai agent endpoint show command for inspecting live endpoint/card configuration (including --output json), and a breaking-change warning + confirmation flow when endpoint update changes authorization_schemes.isolation_key_source (with --force to skip prompts).

Changes:

  • Extend the agent API AgentObject model to include agent_endpoint and agent_card.
  • Add new endpoint show command to render endpoint + card details (table or JSON).
  • Add --force flag plus auth-change warning/confirmation logic to endpoint update.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| cli/azd/extensions/azure.ai.agents/internal/pkg/agents/agent_api/models.go | Extends AgentObject to include endpoint and card fields returned by the service. |
| cli/azd/extensions/azure.ai.agents/internal/cmd/update.go | Registers the new show subcommand; adds --force and auth-change warning/confirmation to endpoint updates. |
| cli/azd/extensions/azure.ai.agents/internal/cmd/endpoint_show.go | New command implementation for displaying live endpoint/card configuration (table/JSON). |

Comment thread cli/azd/extensions/azure.ai.agents/internal/cmd/endpoint_show.go
Comment thread cli/azd/extensions/azure.ai.agents/internal/cmd/endpoint_show.go
Comment thread cli/azd/extensions/azure.ai.agents/internal/cmd/update.go
Comment thread cli/azd/extensions/azure.ai.agents/internal/cmd/update.go
@github-actions github-actions Bot added the ext-agents azure.ai.agents extension label Jun 9, 2026
Jian Wu and others added 3 commits June 9, 2026 14:33
Test printEndpointTable (full + nil config), printEndpointJSON,
and getIsolationKind helper.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Show '(not specified)' when IsolationKeySource is nil instead of
  defaulting to 'Entra' (misleading for non-Entra schemes)
- Only ignore 404 in warnIfAuthChange; propagate other errors (network,
  auth, server-side) so the warning isn't silently skipped
- Handle fmt.Scanln errors in confirmation prompt; suggest --force for
  non-interactive terminals
- Add test case for nil isolation source

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
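
The auth-change check described in the PR summary, with the failure handling from the commit above (ignore only a 404, propagate other errors, treat a failed prompt as an error), sketched as an added Go example that is not the PR's code. The types, `errNotFound`, `isolationKind` and `checkAuthChange` are hypothetical names, and treating an unset desired kind as "auth unchanged" is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified shapes modelled on the JSON in the PR description.
type IsolationKeySource struct{ Kind string }
type AuthScheme struct{ IsolationKeySource *IsolationKeySource }
type Endpoint struct{ AuthorizationSchemes []AuthScheme }

var errNotFound = errors.New("404 agent not found") // stand-in for the service's 404

// isolationKind returns "" when no source is set instead of assuming Entra.
func isolationKind(e *Endpoint) string {
	if e == nil || len(e.AuthorizationSchemes) == 0 || e.AuthorizationSchemes[0].IsolationKeySource == nil {
		return ""
	}
	return e.AuthorizationSchemes[0].IsolationKeySource.Kind
}

// checkAuthChange reports whether the PATCH may proceed; getLive and confirm are injected for testing.
func checkAuthChange(getLive func() (*Endpoint, error), desired *Endpoint, force bool,
	confirm func(from, to string) (bool, error)) (bool, error) {
	live, err := getLive()
	if errors.Is(err, errNotFound) {
		return true, nil // no live agent yet, so no existing callers to break
	}
	if err != nil {
		return false, fmt.Errorf("reading live endpoint: %w", err) // fail closed
	}
	from, to := isolationKind(live), isolationKind(desired)
	// Assumption: an unset desired kind means the PATCH leaves auth untouched.
	if to == "" || from == to || force {
		return true, nil
	}
	ok, err := confirm(from, to)
	if err != nil {
		return false, fmt.Errorf("cannot prompt, pass --force for non-interactive runs: %w", err)
	}
	return ok, nil
}

func main() {
	entra := &Endpoint{[]AuthScheme{{&IsolationKeySource{"Entra"}}}} // constructed inputs
	header := &Endpoint{[]AuthScheme{{&IsolationKeySource{"Header"}}}}
	live := func() (*Endpoint, error) { return entra, nil }
	deny := func(_, _ string) (bool, error) { return false, nil }
	fmt.Println(checkAuthChange(live, header, false, deny))
}
```

Failing closed on a non-404 read error keeps a transient network or auth failure from silently skipping the breaking-change prompt.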
@v1212 v1212 force-pushed the jw/endpoint-show-and-auth-warning branch from 0f44aa7 to b602f61 Compare June 9, 2026 07:26
Add RegisterFlagOptions with allowed values [json, table] to match
the pattern used by 'agent show' and other commands.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@v1212 v1212 merged commit 916b877 into Azure:main Jun 10, 2026
25 checks passed