
feat: adopt azdext SDK helpers — full extension framework migration #7

Merged
jongio merged 4 commits into main from feature/ext-framework-sdk-helpers
Mar 2, 2026

jongio commented Feb 26, 2026

Owner

Summary

Migrates azd-rest to use the new `azdext` SDK helpers from Azure/azure-dev#6856, replacing hand-rolled boilerplate with the framework's built-in equivalents. Net result: -303 lines.

Depends on: Azure/azure-dev#6856 (merged)
Related: jongio/azd-core#22, jongio/azd-app#145

What changed

Root command (`root.go`)

Before: Manual Cobra setup with PersistentPreRun for skill installation and OTel trace context injection.
After: `azdext.NewExtensionRootCommand()` — standard flags handled automatically. All 14 REST-specific flags and HTTP method subcommands preserved.

Metadata / Listen / Version commands

Before: Manual implementations.
After: `azdext.NewMetadataCommand()`, `azdext.NewListenCommand(nil)`, `azdext.NewVersionCommand()`.

MCP server + security (`mcp.go`)

Before: ~150 lines of manual SSRF protection (blocked headers, blocked hosts, blocked CIDRs, `isBlockedIP()`, `isBlockedURL()` functions) + manual `server.NewMCPServer()` + `azdextutil.NewRateLimiter()`.
After: `azdext.DefaultMCPSecurityPolicy()` (metadata endpoints, private networks, HTTPS, sensitive headers — all built in) + `azdext.NewMCPServerBuilder()` with `.WithRateLimit(10, 1.0)` and `.WithSecurityPolicy(policy)`.

All 6 MCP tool handlers

Before: `request.RequireString()` / `request.GetString()` (mcp-go native) + `mcp.NewToolResultError()` / `mcp.NewToolResultText()` + manual `isBlockedURL()` calls + rate limiter check.
After: `args.RequireString()` / `args.OptionalString()` + `azdext.MCPTextResult()` / `MCPErrorResult()` + `policy.CheckURL()` / `policy.IsHeaderBlocked()`. Rate limiting in builder.

Deleted code

  • `blockedHeaders`, `blockedHosts`, `blockedCIDRs` variables
  • `isBlockedIP()`, `isBlockedURL()` functions
  • Rate limiter variable and per-handler checks
  • Kept: `validateScopeURLMatch()` (extension-specific), token provider caching

Impact

| Metric | Change |
|---|---|
| Files changed | 10 |
| Lines removed | 620 |
| Lines added | 317 |
| Net reduction | -303 lines |
| Manual SSRF code | Replaced with SDK policy |
| Rate limiter | Removed (built into builder) |

Testing

  • `go build ./...` ✅
  • `go test ./...` ✅

Migrates azd-rest to use the new azdext SDK helpers from Azure/azure-dev#6856,
replacing hand-rolled boilerplate with the framework's built-in equivalents.

Changes:
- Root command: NewExtensionRootCommand() replaces manual Cobra setup
- Metadata: NewMetadataCommand() replaces manual wrapper
- Listen: NewListenCommand() replaces manual gRPC setup
- Version: NewVersionCommand() replaces manual version command
- MCP server: NewMCPServerBuilder() with WithRateLimit() and WithSecurityPolicy()
- Security: DefaultMCPSecurityPolicy() replaces manual SSRF/blocked-hosts code
- Tool handlers: ToolArgs typed accessors replace mcp-go native methods
- Results: MCPTextResult/MCPErrorResult replace manual construction
- Deleted: Manual isBlockedIP/isBlockedURL/blockedCIDRs/blockedHosts code

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

github-actions Bot commented Feb 26, 2026

Contributor

🚀 Website Preview

Your PR preview was available here.

Preview has been cleaned up as the PR was closed.


jongio commented Feb 26, 2026

Owner Author

Blocked on next azd release. PR Azure/azure-dev#6856 (ext SDK helpers) merged to main but is not yet in a tagged release. Once the next azd version ships:

  1. Update go.mod to reference the new tagged version (replace the go.work local override)
  2. Run go mod tidy
  3. Verify build + tests
  4. Merge

Watching Azure/azure-dev for release notifications.

jongio and others added 2 commits February 27, 2026 23:29
Remove replace directive pointing at fork. Use official release
azure-dev-cli_1.23.7 which includes ext framework improvements (#6856)
and security fix (#6907).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Replace unsynchronized lazy init of securityPolicy with sync.Once
  to prevent data races under concurrent MCP tool calls
- Add setSecurityPolicyForTest/resetSecurityPolicyForTest helpers
  for safe test injection of custom policies
- Update github.com/mark3labs/mcp-go v0.44.0 -> v0.44.1
- Run go mod tidy

Co-authored-by: GitHub Copilot <175728472+Copilot@users.noreply.github.com>
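
An added example, not code from azd-rest or the azdext SDK: it sketches the kind of URL check the "MCP server + security" section describes (HTTPS only, literal IPs in blocked ranges) together with the `sync.Once` initialization named in the commit above. The names `ssrfPolicy`, `getPolicy` and `CheckURL` and the CIDR list are assumptions made for illustration, and the check is narrowed to the scheme and literal-IP cases.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"sync"
)

// ssrfPolicy is a hypothetical stand-in, not the azdext policy type.
type ssrfPolicy struct{ nets []*net.IPNet }

var policyOnce sync.Once
var policy *ssrfPolicy

// getPolicy builds the policy exactly once, even when tool handlers race to call it.
func getPolicy() *ssrfPolicy {
	policyOnce.Do(func() {
		policy = &ssrfPolicy{}
		// Constructed sample ranges: loopback, RFC 1918, link-local, IPv6 local.
		for _, c := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
			"192.168.0.0/16", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10"} {
			_, n, _ := net.ParseCIDR(c) // the literals above are valid CIDRs
			policy.nets = append(policy.nets, n)
		}
	})
	return policy
}

// CheckURL rejects non-HTTPS URLs and literal IP hosts inside a blocked range.
func (p *ssrfPolicy) CheckURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("unparseable URL or empty host: %q", raw)
	}
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	ip := net.ParseIP(u.Hostname()) // nil when the host is a DNS name
	for _, n := range p.nets {
		// Contains unwraps IPv4-mapped IPv6, so ::ffff:10.0.0.5 matches 10.0.0.0/8.
		if ip != nil && n.Contains(ip) {
			return fmt.Errorf("address %s is in blocked range %s", ip, n)
		}
	}
	return nil
}

func main() { fmt.Println(getPolicy().CheckURL("https://169.254.169.254/metadata")) }
```

A check on the URL string alone does not cover DNS names that resolve to a blocked address; that case needs a second check on the resolved IP at connection time.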
github-actions Bot added a commit that referenced this pull request Feb 28, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions Bot added a commit that referenced this pull request Feb 28, 2026
@jongio jongio merged commit a4be26e into main Mar 2, 2026
10 checks passed
@jongio jongio deleted the feature/ext-framework-sdk-helpers branch March 2, 2026 16:27
github-actions Bot added a commit that referenced this pull request Mar 2, 2026