feat: adopt azdext SDK helpers — full extension framework migration#7
Merged
Conversation
Migrates azd-rest to use the new azdext SDK helpers from Azure/azure-dev#6856, replacing hand-rolled boilerplate with the framework's built-in equivalents. Changes: - Root command: NewExtensionRootCommand() replaces manual Cobra setup - Metadata: NewMetadataCommand() replaces manual wrapper - Listen: NewListenCommand() replaces manual gRPC setup - Version: NewVersionCommand() replaces manual version command - MCP server: NewMCPServerBuilder() with WithRateLimit() and WithSecurityPolicy() - Security: DefaultMCPSecurityPolicy() replaces manual SSRF/blocked-hosts code - Tool handlers: ToolArgs typed accessors replace mcp-go native methods - Results: MCPTextResult/MCPErrorResult replace manual construction - Deleted: Manual isBlockedIP/isBlockedURL/blockedCIDRs/blockedHosts code Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
🚀 Website Preview
Preview has been cleaned up as the PR was closed. |
This was referenced Feb 26, 2026
Owner
Author
|
Blocked on next azd release. PR Azure/azure-dev#6856 (ext SDK helpers) merged to main but is not yet in a tagged release. Once the next azd version ships:
Watching Azure/azure-dev for release notifications. |
Remove replace directive pointing at fork. Use official release azure-dev-cli_1.23.7 which includes ext framework improvements (#6856) and security fix (#6907). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace unsynchronized lazy init of securityPolicy with sync.Once to prevent data races under concurrent MCP tool calls - Add setSecurityPolicyForTest/resetSecurityPolicyForTest helpers for safe test injection of custom policies - Update github.com/mark3labs/mcp-go v0.44.0 -> v0.44.1 - Run go mod tidy Co-authored-by: GitHub Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Migrates azd-rest to use the new \�zdext\ SDK helpers from Azure/azure-dev#6856, replacing hand-rolled boilerplate with the framework's built-in equivalents. Net result: -303 lines.
Depends on: Azure/azure-dev#6856 (merged)
Related: jongio/azd-core#22, jongio/azd-app#145
What changed
Root command (\
oot.go)
Before: Manual Cobra setup with PersistentPreRun for skill installation and OTel trace context injection.
After: \�zdext.NewExtensionRootCommand()\ — standard flags handled automatically. All 14 REST-specific flags and HTTP method subcommands preserved.
Metadata / Listen / Version commands
Before: Manual implementations.
After: \�zdext.NewMetadataCommand(), \�zdext.NewListenCommand(nil), \�zdext.NewVersionCommand().
MCP server + security (\mcp.go)
Before: ~150 lines of manual SSRF protection (blocked headers, blocked hosts, blocked CIDRs, \isBlockedIP(), \isBlockedURL()\ functions) + manual \server.NewMCPServer()\ + \�zdextutil.NewRateLimiter().
After: \�zdext.DefaultMCPSecurityPolicy()\ (metadata endpoints, private networks, HTTPS, sensitive headers — all built in) + \�zdext.NewMCPServerBuilder()\ with .WithRateLimit(10, 1.0)\ and .WithSecurityPolicy(policy).
All 6 MCP tool handlers
Before:
equest.RequireString()\ /
equest.GetString()\ (mcp-go native) + \mcp.NewToolResultError()\ / \mcp.NewToolResultText()\ + manual \isBlockedURL()\ calls + rate limiter check.
After: \�rgs.RequireString()\ / \�rgs.OptionalString()\ + \�zdext.MCPTextResult()\ / \MCPErrorResult()\ + \policy.CheckURL()\ / \policy.IsHeaderBlocked(). Rate limiting in builder.
Deleted code
Impact
Testing