feat(agents): add 'endpoint show' command and auth-change warning#8574
Merged
Conversation
- Add 'azd ai agent endpoint show' to display current endpoint configuration (protocols, version selector, auth, agent card) - Add breaking-change warning to 'endpoint update' when authorization scheme isolation_key_source is changing (especially Entra → Header) - Add AgentEndpoint and AgentCard fields to AgentObject model so GET responses include endpoint configuration - Warning can be skipped with --force flag Fixes Azure#8573 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds UX improvements to the Azure AI Agents extension’s endpoint management: a new azd ai agent endpoint show command for inspecting live endpoint/card configuration (including --output json), and a breaking-change warning + confirmation flow when endpoint update changes authorization_schemes.isolation_key_source (with --force to skip prompts).
Changes:
- Extend the agent API
AgentObjectmodel to includeagent_endpointandagent_card. - Add new
endpoint showcommand to render endpoint + card details (table or JSON). - Add
--forceflag plus auth-change warning/confirmation logic toendpoint update.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| cli/azd/extensions/azure.ai.agents/internal/pkg/agents/agent_api/models.go | Extends AgentObject to include endpoint and card fields returned by the service. |
| cli/azd/extensions/azure.ai.agents/internal/cmd/update.go | Registers the new show subcommand; adds --force and auth-change warning/confirmation to endpoint updates. |
| cli/azd/extensions/azure.ai.agents/internal/cmd/endpoint_show.go | New command implementation for displaying live endpoint/card configuration (table/JSON). |
Test printEndpointTable (full + nil config), printEndpointJSON, and getIsolationKind helper. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Show '(not specified)' when IsolationKeySource is nil instead of defaulting to 'Entra' (misleading for non-Entra schemes) - Only ignore 404 in warnIfAuthChange; propagate other errors (network, auth, server-side) so the warning isn't silently skipped - Handle fmt.Scanln errors in confirmation prompt; suggest --force for non-interactive terminals - Add test case for nil isolation source Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
0f44aa7 to
b602f61
Compare
Add RegisterFlagOptions with allowed values [json, table] to match the pattern used by 'agent show' and other commands. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
therealjohn
approved these changes
Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds two UX improvements to the existing
azd ai agent endpoint updatecommand, which already supports PATCH on agents.azd deployvsazd ai agent endpoint updateazd deployazd ai agent endpoint updateExisting PATCH capabilities (already implemented)
azd ai agent endpoint updatereads agent.yaml and patches the live agent. The user manually edits agent.yaml, then runs the command. It supports all 4 PATCH scenarios:agent_endpoint.protocols[responses, a2a, mcp]agent_endpoint.version_selector@latest: 80%, v1: 20%agent_endpoint.authorization_schemesagent_cardWhat this PR adds (gap fixes)
1.
azd ai agent endpoint show [name]Displays the current live endpoint configuration. Example output:
`
Agent: patch-poc-resp
Protocols: responses, a2a, mcp
Version Selector:
@latest 80%
1 20%
Authorization:
Type: Entra
Isolation: Header
Agent Card:
Version: 2.0
Description: Updated echo agent
Skills:
- Echo: Echoes user input
- Stream Echo: Streaming echo
`
JSON output (
--output json):json { "name": "json-test-agent", "agent_endpoint": { "version_selector": { "version_selection_rules": [ { "type": "FixedRatio", "agent_version": "@latest", "traffic_percentage": 100 } ] }, "protocols": ["responses"], "authorization_schemes": [ { "type": "Entra", "isolation_key_source": { "kind": "Entra" } } ] }, "agent_card": null }2. Auth-change breaking-change warning
When
endpoint updatedetects isolation_key_source is changing (e.g., Entra to Header):`
WARNING: Changing isolation key source from "Entra" to "Header".
This is a BREAKING CHANGE -- all existing API callers must immediately
update their requests to match the new authorization scheme.
Callers must include the "x-ms-user-isolation-key" header, or they will receive 400 errors.
Continue? [y/N]
`
--forceskips the prompt.Implementation
endpoint_show.go(new): registered asazd ai agent endpoint showendpoint_show_test.go(new): unit tests for table/JSON output and isolation helpersupdate.go: added--forceflag +warnIfAuthChange()that GETs current agent and compares auth config before PATCHingmodels.go: addedAgentEndpointandAgentCardfields toAgentObjectTesting
=== RUN TestPrintEndpointTable_FullConfig --- PASS: TestPrintEndpointTable_FullConfig (0.00s) === RUN TestPrintEndpointTable_NilEndpoint --- PASS: TestPrintEndpointTable_NilEndpoint (0.00s) === RUN TestPrintEndpointJSON --- PASS: TestPrintEndpointJSON (0.00s) === RUN TestGetIsolationKind --- PASS: TestGetIsolationKind (0.00s) --- PASS: TestGetIsolationKind/nil_endpoint (0.00s) --- PASS: TestGetIsolationKind/empty_schemes (0.00s) --- PASS: TestGetIsolationKind/entra (0.00s) --- PASS: TestGetIsolationKind/header (0.00s) === RUN TestPatchAgent_Success --- PASS: TestPatchAgent_Success (0.00s) === RUN TestPatchAgent_OmitsNilFields --- PASS: TestPatchAgent_OmitsNilFields (0.00s) PASSgo test ./...)go vetcleanFixes #8573