Commit Graph

2155 Commits

  • Python: add agent-framework-hosting-mcp channel (#6305)
    * feat(python): add agent-framework-hosting-mcp channel
    
    Add a hosting channel that exposes the host target (agent or workflow)
    as a single Model Context Protocol tool over Streamable HTTP. The tool
    invocation routes through the host pipeline (ChannelContext.run/
    run_stream) so sessions, linking, and run/response hooks apply. Maps the
    MCP request context to a ChannelSession isolation key and ChannelIdentity,
    and forwards streaming output as MCP progress notifications.
    
    Includes tests, README, and workspace registration.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address MCP hosting channel review feedback
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting-a2a channel (#6306)
    * feat(python): add agent-framework-hosting-a2a channel
    
    Add a hosting channel that exposes the host target (agent or workflow)
    as a peer agent over the Agent-to-Agent (A2A) protocol (JSON-RPC plus a
    served agent card). Requests are handled by a host-routed
    HostAgentExecutor that drives the host pipeline (ChannelContext.run/
    run_stream) instead of wrapping the target directly, so sessions,
    linking, and run/response hooks apply. Maps the A2A conversation/context
    id to a ChannelSession isolation key and the caller to a ChannelIdentity;
    streaming emits incremental task artifacts.
    
    Includes tests, README, and workspace registration.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address A2A hosting channel review feedback
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Simplify Python hosting core (#6492)
    Remove linking, multicast, durable delivery, and host push machinery from the v1 hosting core. Keep those scenarios in a proposed follow-up ADR and update channel packages, samples, docs, tests, and workspace metadata around the smaller host/channel contract.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: feat(python): cross-channel hosting improvements (endpoint paths, Activity push, Telegram/Teams fixes) (#6307)
    * Update hosting channel endpoint paths
    
    Treat channel paths as concrete endpoint paths so built-in channels can be mounted at their defaults or at the app root without sample-specific subclasses. Update docs, tests, and the Foundry Telegram Invocations sample accordingly.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Add push support to ActivityProtocolChannel
    
    Implement the ChannelPush protocol so the Activity Protocol channel can
    receive cross-channel fan-out (ResponseTarget.all_linked) and echo_input
    replay as a non-originating destination:
    
    - Add push() that reconstructs a proactive Bot Framework activity (bot/user
      swap) from the stored conversation reference and POSTs it to
      /v3/conversations/{id}/activities.
    - Record a ChannelIdentity (service_url, conversation, bot, user, channel_id,
      locale) on ChannelRequest.identity so the host registers the channel under
      its isolation key for fan-out resolution.
    - Route the streaming path through deliver_response so Activity-originated
      turns broadcast like Telegram/Discord.
    - Add tests for push delivery, service_url validation, ChannelPush instance
      check, and inbound identity recording.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Don't delete Telegram webhook on shutdown by default
    
    The TelegramChannel deleted its webhook on shutdown in webhook mode. During
    a rolling redeploy the new revision registers the webhook on startup, then
    the old revision's shutdown deletes it, silently breaking inbound delivery
    until the next boot. setWebhook is overwriting/idempotent, so startup
    re-asserts the webhook every boot and no teardown is needed.
    
    Add a delete_webhook_on_shutdown flag (default False) so teardown is opt-in
    for ephemeral deployments, and leave the webhook in place otherwise.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Fix Activity channel streaming on non-Teams channels (405 on updateActivity)
    
    The Activity Protocol channel streamed replies the Teams way: POST a
    placeholder, then PUT-edit it as tokens arrive. Only Teams supports the
    updateActivity REST op; Web Chat, Direct Line and the Emulator return
    405 Method Not Allowed on the PUT, so the user saw only the placeholder.
    
    Gate the placeholder+edit flow on edit-capable channels (msteams). Other
    channels now buffer the stream and POST a single final message, mirroring
    the non-streaming path's fan-out and response-hook semantics. Also add a
    defensive 405 fallback inside the Teams edit loop so an unexpected 405
    can never strand the user on the placeholder.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-activity-protocol): don't parse Teams inline attachment content as a URI
    
    Teams message activities include a text/html attachment whose inline
    `content` is raw HTML (not a URL). _parse_activity fell back to
    `attachment["content"]` and passed it to Content.from_uri, raising
    ContentError ("URI must contain a scheme") and failing the whole turn,
    so Teams users got no response.
    
    Only treat `contentUrl` as a URI, require an absolute scheme, and skip
    unparseable attachments defensively instead of failing the message.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting-activity-protocol): native slash-command dispatch for Teams/Activity
    
    Add a commands= parameter to ActivityProtocolChannel that intercepts a
    leading /command (after stripping the bot's own @mention) and dispatches
    to ChannelCommand handlers, mirroring the Telegram channel. Unknown
    commands fall through to the agent. The channel run_hook is applied to
    command requests so handlers observe the same resolved isolation key as
    ordinary messages, and handler errors are swallowed (200, no Bot Service
    retry of non-idempotent commands).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting): silent attributed Telegram echoes + Teams markdown rendering
    
    - hosting-telegram: send cross-channel input echoes with disable_notification
      (silent) and detect echo payloads so they aren't re-broadcast.
    - hosting-activity-protocol: render outbound + push activities as textFormat
      'markdown' so Teams shows formatted replies (enables per-channel variants).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-activity-protocol): address PR #6307 review feedback
    
    Consult the host delivery pipeline even for empty streamed replies so
    ResponseTarget.none is honoured and non-originating fan-out is consulted
    instead of always emitting an originating "(no response)" message. Applies
    to both the progressive-edit (Teams) and buffered (Web Chat/Direct Line)
    streaming paths.
    
    Re-validate service_url against the allow-list in push(): the identity is
    read from a persisted store and push runs out-of-band, so the captured
    service_url must be re-checked before a bearer token is sent.
    
    Adds tests for empty-stream host consultation/suppression on both streaming
    paths and for push rejecting a disallowed service_url.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting-discord channel (#6081)
    * Add Discord hosting channel
    
    Add an alpha agent-framework-hosting-discord package backed by Discord HTTP Interactions. The channel verifies signed slash-command requests, registers commands, runs hosted agents and ChannelCommand handlers, supports originating response hooks, streams by editing the original interaction response, and can push through Discord channel ids.
    
    Factor standard channel response-hook context application into hosting core so both host fan-out and originating channel replies use one helper.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address Discord review chunking feedback
    
    Ensure Discord command replies are chunked and streaming preview edits stay under Discord's content limit while final streamed replies continue through the chunked reply path.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * small fix in init
    
    * updated lock
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add hosting Channels sample apps (#5645)
    * samples(hosting): add hosting Channels sample apps under samples/04-hosting/af-hosting
    
    Adds five end-to-end sample apps under
    ``python/samples/04-hosting/af-hosting/`` that exercise the
    ``agent-framework-hosting`` Channels stack from the simplest single-channel
    case up to a multi-channel deployment with cross-channel identity linking.
    
    Samples (ordered by complexity)
    -------------------------------
    
    * ``foundry_hosted_agent/`` — minimal Responses + Invocations host with a
      Foundry-backed agent and ``FoundryHostedAgentHistoryProvider``.
      ``agd``-deployable; bundles a ``Dockerfile`` and
      ``scripts/vendor-packages.sh`` that copies workspace packages into
      ``_vendor/`` for self-contained builds. ``_vendor/`` is gitignored.
    * ``local_responses/`` — single-channel Responses host with a
      ``run_hook`` that strips caller-supplied options and forces a
      reasoning preset. Demonstrates the hook seam over the uniform
      ``ChannelRequest`` envelope.
    * ``local_responses_workflow/`` — Responses + Invocations exposing a
      three-agent workflow with per-conversation checkpoint storage.
    * ``local_telegram/`` — Responses + Telegram with a ``@tool``,
      ``FileHistoryProvider``, hooks, and a ``ResponseTarget`` multicast
      variant (``call_server_multicast.py``) that pushes a single Responses
      reply to a separate Telegram chat.
    * ``local_identity_link/`` — full surface: Responses + Invocations +
      Telegram + Activity Protocol (Teams) + the ``EntraIdentityLinkChannel``
      sidecar. Resolves per-channel ids onto a single Entra object id so a
      user's history follows them across surfaces.
    
    Notes
    -----
    
    * Samples that use Telegram/Teams via Activity Protocol depend on the
      renamed ``agent-framework-hosting-activity-protocol`` package (see the
      PR-5 series).
    * All samples use ``[tool.uv.sources]`` editable workspace deps, except
      ``foundry_hosted_agent/`` which uses the ``./_vendor/`` self-contained
      layout for ``azd`` Docker builds.
    * Each sample includes a ``README.md`` with run instructions and an
      ``app.py`` ASGI entrypoint plus a ``call_server.py`` client harness.
    
    Depends on the prior hosting PRs (foundry-hosted-agent refactor +
    hosting-core + the per-channel packages). After those merge, this
    branch can be rebased onto ``main`` cleanly.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * samples(hosting): point sample deps at the feature/python-hosting GitHub branch
    
    Switches every sample's ``[tool.uv.sources]`` from in-monorepo
    editable path deps (which only resolve when running inside the
    agent-framework workspace) to git refs targeting the
    ``feature/python-hosting`` branch on
    ``microsoft/agent-framework``. Samples now install standalone outside
    the monorepo while the ``agent-framework-hosting*`` packages are still
    pre-PyPI; once they publish, the ``[tool.uv.sources]`` block can be
    dropped and the declared deps resolve from PyPI.
    
    Cleanup
    -------
    
    * Drops ``foundry_hosted_agent/scripts/vendor-packages.sh``,
      ``_vendor/`` from ``.gitignore``, the ``hooks.prepackage`` block in
      ``azure.yaml`` and the ``COPY _vendor/`` step in the Dockerfile —
      vendoring is no longer needed because git refs make the deps
      network-resolvable from any context.
    * Drops obsolete ``workspace.pyproject.toml`` reference and ``scripts/``
      / ``workspace.pyproject.toml`` entries from
      ``Dockerfile.dockerignore``.
    * Updates the foundry sample's Dockerfile to ``uv sync --no-dev``
      (no ``--frozen``) so it locks fresh against the GitHub-hosted deps
      at build time.
    * Drops every committed ``uv.lock`` because the resolver needs network
      access to ``feature/python-hosting`` to lock — they regenerate the
      first time a user runs ``uv sync`` after the branch lands.
    * Refreshes the per-sample READMEs to mention the GitHub install path
      instead of "in-tree workspace packages".
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * samples(hosting): address PR #5645 review comments
    
    - foundry_hosted_agent/call_server.py: replace hard-coded
      project_endpoint and service_session_id with FOUNDRY_PROJECT_ENDPOINT,
      FOUNDRY_HOSTED_AGENT_NAME, and optional FOUNDRY_HOSTED_SESSION_ID
      environment variables. Session-id is now optional so the sample
      exercises the new-conversation path by default.
    
    - local_identity_link/app.py:
      * make_telegram_hook: apply the reasoning bump regardless of
        identity-link state (the previous early-return on linked chats
        silently dropped the high-effort preset for the very flow the
        sample exists to demonstrate).
      * make_responses_hook: add a prominent DEV-ONLY warning that the
        client-supplied entra_oid shortcut bypasses identity verification
        and must be replaced by a JWT validator in production.
      * /link command: early-return when chat_id is missing instead of
        minting an authorize URL keyed on "telegram:None" (which would
        poison the link store with a binding any future chat_id-less
        update would collapse onto).
      * Switch ENTRA_CERT_PATH / ENTRA_CERT_PASSWORD env vars to the
        longer ENTRA_CERTIFICATE_PATH / ENTRA_CERTIFICATE_PASSWORD names
        that the README already documents.
      * channels: Sequence[Channel] -> list[Channel] (the next line
        appends, which a Sequence type doesn't expose).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * chore(hosting-samples): apply sample formatting
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-samples): guard command input text
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting-entra identity-link helpers (#5644)
    * feat(hosting-entra): add Entra (Azure AD) identity-linking channel
    
    New ``agent-framework-hosting-entra`` package implementing a Microsoft
    Entra OAuth-based identity-linking channel for the Hosting framework.
    Mounts a small set of routes (``/entra/login``, ``/entra/callback``,
    ``/entra/whoami``) that walk a user through an Entra/Azure AD
    authorization-code flow and stick the resulting verified identity
    (``oid`` / ``email`` / ``tid``) onto the host's identity table so
    later requests on any other channel (Responses, Telegram, …) can be
    linked to the same user.
    
    Surface (re-exported from ``agent_framework_hosting_entra``):
    
    - ``EntraChannel`` -- concrete ``Channel`` implementation. Owns the
      three Starlette routes, signs/verifies short-lived ``state`` tokens
      to bind the round-trip to the originating channel, exchanges the
      authorization code for an ID token via MSAL, and writes the
      verified identity into the host's identity store via the standard
      ``ChannelIdentity`` plumbing so cross-channel push (e.g. send a
      Telegram message to the user who completed the link from
      Responses) works without the channels having to coordinate
      directly.
    - 14 unit tests covering route wiring, ``state`` issue / verify,
      callback exchange happy + failure paths, and identity-store write.
    
    Registers the package in ``python/pyproject.toml``
    ``[tool.uv.sources]`` and adds the matching pyright
    ``executionEnvironments`` entry. Stacks on PR-2 (Hosting core);
    independent of PR-3 / PR-4 / PR-6.
    
    The cross-channel sample (``local_identity_link/``) that demonstrates
    this end-to-end alongside Responses + Telegram lands in PR-8 (samples).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-entra): close IDOR + reflected-XSS + open-redirect on the OAuth flow
    
    Three SECURITY-CRITICAL fixes flagged in round-2 review.
    
    1. IDOR on /auth/start (3198518308). Without authentication the
       endpoint accepted (channel, channel_id) from the query string and
       bound *whoever signed in* to that pair. An attacker could bind
       their own Entra oid to a victim's per-channel id (e.g.
       `telegram:<victim_chat_id>`), redirecting all of the victim's
       future inbound traffic to the attacker's isolation key.
    
       Fix: introduce link_token_secret + mint_start_url(channel, id, ...).
       When set, /auth/start requires `exp` + `sig` (HMAC-SHA256 over
       `channel|channel_id|expires_at`) before issuing the redirect.
       Channels that hand out start URLs (a Telegram /link command after
       verifying the inbound webhook signature) call mint_start_url so
       the token proves the (channel, id) pair was authorised by the
       channel that owns the surface. Unsigned mode is opt-in and logs a
       loud WARNING at startup *and* on every accepted request.
    
    2. Reflected XSS on /auth/callback (3198520256, 3198527896). `error`,
       `error_description`, channel_key (from the unauthenticated /start
       query), and `upn` (from a Graph response) flowed straight into the
       text/html response body unescaped. With the IDOR above, an
       attacker could stash `<script>` payloads in `channel` or `id` and
       serve them from the auth host's origin (full XSS on the auth
       surface — cookies/storage of anything else mounted there).
    
       Fix: html.escape() every value before HTML output.
    
    3. Open redirect on `return_to` (3198524746). Accepted any URL.
    
       Fix: `_validate_return_to` allows only relative paths starting
       with `/` (and not `//`) or absolute URLs whose host equals the
       configured `public_base_url` host. Validated at /start mint time
       AND defensively re-validated at /callback before redirect.
    
    12 new tests cover signed-token rejection (missing/forged/expired),
    mint helper requirements, startup warning visibility, XSS escaping
    on both error and success paths, and the open-redirect allowlist
    (external rejected, relative accepted, same-origin accepted,
    protocol-relative `//evil.example/` rejected).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * test(hosting): drop redundant @pytest.mark.asyncio decorators
    
    asyncio_mode = "auto" is configured in pyproject.toml across the
    hosting packages, so individual @pytest.mark.asyncio decorators are
    unnecessary.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting-activity-protocol channel (#5641)
    * feat(hosting-activity-protocol): rename Bot Framework channel to ActivityProtocolChannel
    
    The existing Bot-Framework-via-Azure-Bot-Service channel was previously
    shipped under the name ``hosting-teams`` / ``TeamsChannel``. That name
    is misleading for what the channel actually does -- it speaks the Bot
    Framework Activity Protocol against Azure Bot Service, which fans out
    across MS Teams, Slack, Webex, Telegram-via-Bot-Service, etc., and does
    not provide any Teams-specific affordances.
    
    This PR renames the package atomically and frees the ``hosting-teams``
    name for a future Teams-native channel built on
    ``microsoft-teams-apps`` (PR-5b, spec req #28).
    
    Renames (all in one commit):
    
    - Package: ``agent-framework-hosting-teams`` ->
      ``agent-framework-hosting-activity-protocol``
    - Module: ``agent_framework_hosting_teams`` ->
      ``agent_framework_hosting_activity_protocol``
    - Channel class: ``TeamsChannel`` -> ``ActivityProtocolChannel``
    - Helper: ``teams_isolation_key`` -> ``activity_protocol_isolation_key``
      (isolation key prefix ``teams:`` -> ``activity:``)
    - Channel name: ``"teams"`` -> ``"activity"``; default mount path
      ``/teams`` -> ``/activity``
    - Internal helper: ``_parse_teams_activity`` -> ``_parse_activity``
    - Worker task name + a couple of error strings updated for consistency
    
    Updates README.md and the module docstring to call out:
    
    - this is the channel-neutral Activity Protocol channel,
    - it surfaces what every Bot-Service-connected channel has in common
      (text in / text out),
    - a forthcoming ``agent-framework-hosting-teams`` package will layer
      Teams-specific affordances (adaptive cards, message extensions,
      dialogs, SSO, ...) on the same Bot Service transport.
    
    Workspace: registers ``agent-framework-hosting-activity-protocol`` in
    ``python/pyproject.toml`` and adds the matching pyright
    ``executionEnvironments`` entry.
    
    Behavior is unchanged. Pyright + mypy clean, 11 tests pass.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * review: address PR-5 round 2 feedback
    
    - security (#3198327004): add `service_url_allowed_hosts` constructor
      option (default `botframework.com` + `smba.trafficmanager.net`) and
      reject inbound activities whose `serviceUrl` host falls outside it
      with HTTP 400 — without this gate a malicious caller could redirect
      outbound replies (and the attached bearer token) to an
      attacker-controlled host
    - security (#3198324219): add `inbound_auth_validator` async callback;
      log a loud WARNING at startup when no validator AND no operator
      reverse-proxy is configured so the dev-mode bypass cannot
      accidentally ship to production. Document the contract: prototype
      intentionally does not ship JWT validation (out of scope); operators
      must plug a validator or terminate auth in front of the channel
    - retry semantics (#3198328746): distinguish transient outbound
      failures (httpx network errors, non-2xx from Bot Service) — return
      502 so Bot Service retries — from deterministic agent failures —
      return 200 so Bot Service does not retry the same broken activity
      in a loop
    - bug (#3198330424): fix the placeholder-failure deadlock. When
      `send_initial_placeholder` fails, `activity_id` stays `None`, the
      edit-worker loop exit condition (`accumulated == last_sent`) is
      unreachable while no PUT is possible, and the worker would deadlock
      on `wake.wait()` forever after `worker_done` is set. Now: skip the
      worker entirely on placeholder failure and POST a single final
      activity at the end with whatever accumulated
    - tests (#3198334465, #3187178091, #3198336045): add coverage for
      - `_is_service_url_allowed` allow/deny matrix + webhook 400 on
        disallowed serviceUrl
      - `inbound_auth_validator` allow/deny/raises paths
      - outbound `Authorization: Bearer <token>` header presence in
        production mode and absence in dev mode
      - the streaming path (`_stream_to_conversation`): placeholder +
        final edit, placeholder-failure fallback (with timeout guard
        against deadlock regression), and empty-stream `(no response)`
        placeholder replacement
      - retry-signal differentiation: outbound `httpx.ConnectError` →
        502; deterministic `ValueError` from the agent → 200
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * test(hosting): drop redundant @pytest.mark.asyncio decorators
    
    asyncio_mode = "auto" is configured in pyproject.toml across the
    hosting packages, so individual @pytest.mark.asyncio decorators are
    unnecessary.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting-activity-protocol): add response hooks
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting-activity-protocol): mark constructor keyword args
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting-telegram channel (#5643)
    * feat(hosting-telegram): add Telegram channel package
    
    New ``agent-framework-hosting-telegram`` package implementing the
    Telegram Bot API channel for the Hosting framework. Mounts a webhook
    endpoint (``POST /telegram/webhook``) and an in-process polling loop
    onto an ``AgentFrameworkHost`` and translates Telegram ``Update``
    payloads to/from the channel-neutral ``ChannelRequest`` /
    ``HostedRunResult`` plumbing.
    
    Surface (re-exported from ``agent_framework_hosting_telegram``):
    
    - ``TelegramChannel`` -- concrete ``Channel`` implementation. Owns the
      webhook route + an optional ``getUpdates`` long-polling lifespan,
      parses Telegram ``Update``s into ``ChannelRequest`` (text, photo,
      document, voice, callback_query, …), runs the optional
      ``ChannelRunHook``, calls back into the ``ChannelContext`` to invoke
      the agent target, and posts the response back via
      ``sendMessage`` / ``sendChatAction`` / ``answerCallbackQuery`` on the
      Telegram Bot API. Honours ``DeliveryReport.include_originating`` so
      cross-channel pushes can target the originating Telegram chat
      without double-acking.
    - Native fields the channel doesn't lift onto ``ChannelRequest`` (e.g.
      ``chat.type``, ``message.message_id``, ``callback_query.data``) are
      attached to ``ChannelRequest.attributes`` so a ``ChannelRunHook``
      can pick them up via the standard ``protocol_request=`` kwarg.
    - 13 unit tests covering route wiring, ``Update`` parsing across the
      common content shapes, hook composition, and originating vs
      non-originating delivery branches.
    
    Registers the package in ``python/pyproject.toml``
    ``[tool.uv.sources]`` and adds the matching pyright
    ``executionEnvironments`` entry. Stacks on PR-2 (Hosting core);
    independent of PR-3 / PR-4.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-telegram): preserve in-chat ordering, ack-before-run, drain shutdown
    
    - Replace per-update task fan-out with per-chat asyncio.Queue + worker.
      Telegram only guarantees update ordering up to getUpdates; the
      previous code spawned one task per update, which broke ordering for
      adjacent updates in the same chat. Updates are now serialised per
      chat_id (so /start then "what's the weather" can't race) while
      different chats still process in parallel.
    
    - Webhook handler now acks (200) immediately and runs the agent in
      the per-chat worker. Telegram redelivers any update the webhook
      doesn't 200 within ~60 seconds, so a streamed agent reply that runs
      longer than that previously triggered a retry storm and duplicate
      replies.
    
    - _on_shutdown now drains everything: poll task → per-chat workers →
      webhook-spawned dispatcher tasks (the new ack-before-run path), then
      deletes the webhook + closes the HTTP client. Previously webhook
      tasks were not tracked at all, so an in-flight agent invocation
      could leak past app shutdown.
    
    - _enqueue_update extracts chat_id from message / edited_message /
      callback_query; updates with no resolvable chat fall back to a
      one-shot dispatcher task that's still tracked in _update_tasks for
      shutdown.
    
    - Webhook handler now also returns 400 on malformed JSON / non-object
      payloads instead of crashing the request.
    
    4 new tests cover per-chat serial ordering, parallel-across-chats
    isolation, ack-before-run latency, and shutdown drain.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * test(hosting): drop redundant @pytest.mark.asyncio decorators
    
    asyncio_mode = "auto" is configured in pyproject.toml across the
    hosting packages, so individual @pytest.mark.asyncio decorators are
    unnecessary.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-telegram): adapt push tests to hosted run result wrapper
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting-telegram): add response hooks
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting-invocations channel (#5640)
    * feat(hosting-invocations): add Invocations channel package
    
    New ``agent-framework-hosting-invocations`` package implementing the
    "Invocations" HTTP channel for the Hosting framework -- a lightweight
    JSON-over-HTTP shape (``POST /invocations``) for callers that want a
    single request/response without committing to the full OpenAI Responses
    envelope. Mounts onto an ``AgentFrameworkHost`` like any other channel.
    
    Surface (re-exported from ``agent_framework_hosting_invocations``):
    
    - ``InvocationsChannel`` -- concrete ``Channel`` implementation. Owns
      the Starlette route, parses inbound JSON into a ``ChannelRequest``
      (``input`` / ``session`` / ``metadata`` / ``options``), runs the
      optional ``ChannelRunHook``, calls back into the ``ChannelContext``
      to invoke the agent target, and returns a flat JSON envelope (or an
      SSE stream when ``stream=true``).
    - 8 unit tests covering route wiring, isolation-key passthrough, hook
      composition, sync vs streaming paths, and ack-only behaviour for
      non-originating ``DeliveryReport``s.
    
    Registers the package in ``python/pyproject.toml`` ``[tool.uv.sources]``
    and adds the matching pyright ``executionEnvironments`` entry.
    
    Independent of PR-3 (Responses); both depend only on PR-2 (Hosting
    core).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * review: address PR-4 round 2 feedback
    
    - expand `_stream` docstring to call out the HTTP-200 + `event: error`
      SSE contract (status committed before generator runs; hard failures
      surface as the first SSE frame, not an HTTP code)
    - split chunked text on full-line terminators via `splitlines()` so
      embedded `\r` / `\r\n` no longer leak into `data:` framing on the
      wire, breaking EventSource consumers
    - on `get_final_response()` failure, emit `event: error` instead of
      silently swallowing — finalize is what triggers
      history-provider persistence on the agent side, so a 5xx /
      disk-full / context-provider error must reach the client
    - add tests covering `stream_transform_hook` (rewrite, drop, async),
      CRLF-in-chunk framing, and the finalize-error → no-`[DONE]` contract
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting-invocations): rename stale ChatMessage docstring reference to Message
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-invocations): adapt to hosted run result wrapper
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting-invocations): add response hooks
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting-responses channel (#5639)
    * feat(hosting-responses): add OpenAI Responses-shaped channel package
    
    New ``agent-framework-hosting-responses`` package implementing the
    OpenAI Responses-shaped HTTP channel for the Hosting framework. Mounts
    ``POST /responses`` (and a ``/responses/{response_id}`` GET) onto an
    ``AgentFrameworkHost`` and translates the OpenAI Responses wire shape
    to/from the channel-neutral ``ChannelRequest`` / ``HostedRunResult``
    plumbing.
    
    Surface (re-exported from ``agent_framework_hosting_responses``):
    
    - ``ResponsesChannel`` -- concrete ``Channel`` implementation. Owns the
      Starlette route(s), parses inbound JSON into ``ChannelRequest``, runs
      the optional ``ChannelRunHook``, calls back into the
      ``ChannelContext`` to invoke the agent target, builds Responses
      envelopes (sync JSON or SSE), and respects
      ``DeliveryReport.include_originating`` so cross-channel push routes
      only ack to the originating Responses caller.
    - The minted ``response_id`` is propagated via the host's ContextVar
      machinery so storage-side history providers (e.g.
      ``FoundryHostedAgentHistoryProvider``) persist envelopes against the
      same id the channel returns.
    - 48 unit tests covering route wiring, parsing of each Responses input
      shape, hook composition, sync vs streaming paths, and originating
      vs non-originating delivery branches.
    
    Registers the package in ``python/pyproject.toml`` ``[tool.uv.sources]``
    and adds the matching pyright ``executionEnvironments`` entry.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * review: address PR-3 round 2 feedback
    
    - consume IsolationKeys.chat_key from the host-bound contextvar instead
      of the raw `x-agent-chat-isolation-key` header off the wire so the
      host's ASGI isolation middleware (or any operator-supplied
      replacement) is the authoritative point at which the caller is
      authenticated and the bucket key is established
    - expand `response_id_factory` docstring to call out partition
      co-location vs. partition-ownership enforcement: the channel forwards
      `previous_response_id` as a hint to the factory; the storage layer
      validates the embedded partition against the bound user/chat
      isolation keys
    - on mid-stream failure, call `deliver_response` with the accumulated
      text before emitting `response.failed` so host-side history /
      push-channel state stays consistent with the partial deltas the
      client already saw
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting-responses): fix quickstart to use current Agent API
    
    ChatAgent was renamed to Agent and ChatMessage to Message. Update the
    README quickstart to use client.as_agent(...) and refresh the stale
    docstring reference in _channel.py.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-responses): adapt to hosted run result wrapper
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting-responses): add response hooks
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting-responses): keep instructions in chat options
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: refactor FoundryHostedAgentHistoryProvider onto Foundry SDK (#5637)
    * refactor(foundry_hosting): build FoundryHostedAgentHistoryProvider on azure.ai.agentserver SDK
    
    Rebuilds the Foundry hosted-agent history provider on top of
    ``azure.ai.agentserver``'s ``FoundryStorageProvider`` instead of the
    in-house ``_HttpStorageBackend``. Splits the monolithic ``_responses.py``
    into focused modules:
    
    - ``_history_provider.py`` — new ``FoundryHostedAgentHistoryProvider``
      that talks to the SDK's ``FoundryStorageProvider``, threads
      ``response_id`` / ``previous_response_id`` through ``ContextVar``s via
      ``bind_request_context``, and lifts host-bound isolation keys
      (``x-agent-{user,chat}-isolation-key``) from the optional
      ``agent_framework_hosting`` package into a provider-local
      ``IsolationContext`` so the storage layer carries the correct
      partition keys without channels having to know about them.
    - ``_shared.py`` — extracts all SDK ``Item`` / ``OutputItem`` ↔
      framework ``Message`` conversion helpers into one place so both
      ``_responses.py`` and the new history provider can share them.
      Restores ``_convert_file_data`` for inline ``input_file`` payloads,
      and the hosted-MCP routing for ``custom_tool_call_output`` items
      whose ``call_id`` carries the ``mcp_*`` prefix.
    - ``_ids.py`` — shared id helpers.
    - ``_responses.py`` — shrinks ~700 lines, re-exports converters for
      back-compat with existing tests.
    - ``tests/test_history_provider.py`` — exercises the new provider
      against a fake SDK backend; the host-isolation test is gated on the
      optional ``agent_framework_hosting`` import.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(foundry_hosting): add local_storage_root for file-based dev history
    
    Adds an optional `local_storage_root: str | Path | None` parameter to
    `FoundryHostedAgentHistoryProvider`. When set and the provider is
    running outside a Foundry Hosted Agent container, conversations are
    persisted to JSONL files via `agent_framework.FileHistoryProvider`
    laid out as:
    
      {root}/{user_key or '~none'}/{chat_key or '~none'}/{session_id}.jsonl
    
    Hosted mode (FOUNDRY_HOSTING_ENVIRONMENT set) ignores the option with a
    one-time INFO log so Foundry storage always wins on the platform. The
    in-memory fallback is unchanged when the option is omitted.
    
    Path safety: isolation segments are validated against the same character
    allowlist FileHistoryProvider uses for session-id stems and
    base64-url-encoded with a reserved "~iso-" prefix when unsafe. "~none"
    sentinel for missing keys can never collide with a real isolation key
    (real keys starting with "~" are encoded). The resolved target dir is
    also re-checked to be inside the configured root.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(foundry_hosting): address PR-1 review comments
    
    - _shared.py:_capture_raw narrows `except Exception` to `except TypeError`
      and emits a WARNING with traceback so the lossy fallback to a
      synthesized round-trip is observable. Mirrors the reviewer suggestion.
    
    - _history_provider.py:save_messages narrows `except Exception` to
      `except FoundryStorageError` so only storage-validation failures
      (4xx/5xx, opaque server errors) are swallowed. Network / TLS / auth
      / payload-builder bugs propagate so the caller can retry / alert.
      Adds an instance-level `failed_writes` counter operators can poll
      for silent-drop visibility.
    
    - _history_provider.py id-stamping loop: drops the
      `contextlib.suppress(AttributeError, TypeError)` around
      `item.id = new_id` so SDK contract changes surface in the test
      suite instead of silently corrupting the chain (the storage backend
      rejects the entire `create_response` with HTTP 500 when synthetic
      prefix-based ids leak through). `import contextlib` removed.
    
    - tests:
      * Unit-cover `foundry_response_id` / `foundry_response_id_factory` /
        `foundry_item_id` so SDK `IdGenerator` contract changes are caught
        locally.
      * Cover the `save_messages` wire payload: required-by-storage fields
        (`background`, `parallel_tool_calls`, `instructions`,
        `agent_reference`), env-var-driven stamping (`FOUNDRY_AGENT_NAME` /
        `FOUNDRY_AGENT_VERSION` / `FOUNDRY_AGENT_SESSION_ID` /
        `MODEL_DEPLOYMENT_NAME` with `AZURE_AI_MODEL_DEPLOYMENT_NAME`
        fallback), and the rule that `model` / `agent_session_id` /
        `agent_reference.version` are omitted (not stamped to `None`) when
        their env vars are unset.
      * Cover the `FOUNDRY_AGENT_SESSION_ID` last-resort chain anchor on
        both the get and save paths, including the prefix gate that blocks
        non-`caresp_*`/`resp_*` values from reaching storage, and the
        precedence rule that a host binding wins over the env.
      * Replace the old `test_save_messages_swallows_backend_errors` with
        two tests asserting the new contract: storage errors are swallowed
        and bump `failed_writes`; everything else propagates and leaves the
        counter at zero.
    
    141 unit tests pass; mypy + pyright + ruff clean.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(foundry_hosting): address PR-1 round-2 review comments
    
    - Hosted detection now delegates to AgentConfig.from_env().is_hosted so
      a future Foundry SDK rename of FOUNDRY_HOSTING_ENVIRONMENT propagates
      automatically; drop the local _ENV_FOUNDRY_HOSTING_ENVIRONMENT
      constant.
    - Drop the FOUNDRY_AGENT_SESSION_ID fallback in both get_messages and
      save_messages: per the SDK it identifies the *container instance*,
      not the conversation, so chaining off it would silently merge
      unrelated conversations across container restarts. The host-bound
      previous_response_id (set by ResponsesChannel) is the only
      authoritative anchor; the env value is still stamped into the
      persisted envelope's agent_session_id for operator correlation.
    - Update module docstring + replace TestFoundryAgentSessionIdAnchor
      with assertions for the new contract (env var ignored as anchor,
      still stamped onto persisted envelope, host binding wins).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * refactor(foundry_hosting): reconcile with upstream main (#5851, #5666)
    
    Brings the FoundryHostedAgentHistoryProvider refactor branch back into
    sync with the foundry_hosting changes that have landed on upstream
    main since PR-1 was opened:
    
    * #5851 (path traversal in checkpoint storage, CWE-22).
      The workflow-host code in ``_responses.py`` builds a
      ``FileCheckpointStorage`` from a caller-controlled ``context_id``
      (``previous_response_id`` / ``conversation_id`` / ``response_id``).
      Switch both call sites to route through
      ``_checkpoint_storage_for_context``, which rejects separators,
      NUL bytes, drive letters, absolute paths, and all-dot segments,
      and enforces ``is_relative_to(root)`` before any directory is
      created.
    
    * #5666 (function approval flow).
      Make the SDK-Item → AF-Message conversion helpers in ``_shared.py``
      async and accept an optional ``approval_storage`` keyword:
    
      - ``_items_to_messages`` / ``_item_to_message`` /
        ``_item_to_message_inner``
      - ``_output_items_to_messages`` / ``_output_item_to_message`` /
        ``_output_item_to_message_inner``
    
      For ``mcp_approval_request`` / ``mcp_approval_response`` items the
      helpers now load the original function-call Content from the
      approval storage (via ``ApprovalStorage.load_approval_request``)
      instead of synthesising a placeholder. This matches upstream
      semantics and lets approval round-trips reconstruct the real
      payload.
    
      The ``ApprovalStorage`` Protocol moves to ``_shared.py`` so the
      conversion helpers can reference it without pulling in
      ``_responses.py`` (which would create a circular import). The
      concrete ``InMemoryFunctionApprovalStorage`` and
      ``FileBasedFunctionApprovalStorage`` stay in ``_responses.py``
      next to the host that owns them, and re-export
      ``ApprovalStorage`` from ``_shared`` for compatibility.
    
      The workflow-host streaming path passes its own
      ``self._approval_storage`` into ``_to_outputs`` so approval
      requests are saved at emit time.
    
    * Bump ``_history_provider.FoundryHostedAgentHistoryProvider.get_messages``
      to ``await`` the now-async ``_output_items_to_messages`` call.
    
    No public API change beyond the new keyword-only ``approval_storage``
    parameter on the four conversion entry points.
    
    Validation:
    - uv run poe check-packages -P foundry_hosting (lint + pyright clean)
    - uv run poe mypy -P foundry_hosting (clean)
    - uv run poe test -P foundry_hosting (183 passed, 1 skipped)
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: add agent-framework-hosting core package (#5638)
    * feat(hosting): add agent-framework-hosting core package
    
    New ``agent-framework-hosting`` package implementing ADR 0026 / SPEC-002:
    the channel-neutral host that lets a single ``Agent`` (or ``Workflow``)
    fan out across multiple wire protocols ("channels") behind one Starlette
    ASGI app.
    
    Surface (re-exported from ``agent_framework_hosting``):
    
    - ``AgentFrameworkHost`` — wraps a hostable target, mounts channels onto
      an ASGI app, owns per-isolation-key ``AgentSession`` reuse, threads
      request context (``response_id`` / ``previous_response_id``) into
      context providers via an ``ExitStack`` of ``bind_request_context``
      calls, and exposes an opt-in Hypercorn ``serve()`` helper (extra
      ``[serve]``).
    - ``Channel`` protocol + ``ChannelContribution`` — the surface a channel
      package implements (routes, lifespans, identity hooks, …).
    - ``ChannelRequest`` / ``ChannelSession`` / ``ChannelIdentity`` /
      ``ChannelPush`` / ``ChannelCommand[Context]`` / ``ChannelRunHook`` /
      ``ChannelStreamTransformHook`` / ``DeliveryReport`` /
      ``HostedRunResult`` / ``ResponseTarget`` / ``ResponseTargetKind`` /
      ``apply_run_hook`` — channel-side dataclasses + helpers.
    - ``IsolationKeys`` + ``ISOLATION_HEADER_USER`` / ``..._CHAT`` +
      ``get/set/reset_current_isolation_keys`` — the host's ASGI middleware
      reads the ``x-agent-{user,chat}-isolation-key`` headers off each
      inbound request and exposes them to the agent stack via a
      ``ContextVar`` so storage-side providers (e.g.
      ``FoundryHostedAgentHistoryProvider``) can apply per-tenant
      partitioning without channels having to forward anything.
    
    Includes 45 unit tests covering the host, channel contributions,
    isolation contextvar, and shared types. Registers the package in
    ``python/pyproject.toml`` ``[tool.uv.sources]`` and adds the matching
    pyright ``executionEnvironments`` entry for tests.
    
    Hypercorn is an optional dependency (``[serve]`` extra); the soft import
    in ``serve()`` is annotated for pyright since it isn't on the default
    install.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting): address PR-2 review comments
    
    Source-code changes
    - _suppress_already_consumed: narrow contract — RuntimeError now logs
      at WARNING with exc_info; non-RuntimeError still logs at exception().
      Docstring clarifies that any non-clean teardown is observable.
    - _BoundResponseStream: add aclose() and route __await__ through
      get_final_response() so the binding is always released — fixes
      contextvar leak when channels abandon the stream or use the
      await-the-stream convenience.
    - Lifespan: aggregate startup/shutdown callback errors; every callback
      runs, all failures are logged with their qualname, and the first
      error is re-raised so Starlette still aborts boot.
    - _build_run_kwargs: switch session-cache write to dict.setdefault so
      concurrent racers cannot orphan a session if create_session ever
      yields.
    - _deliver_response: introduce DeliveryReport.failed for push outages
      vs explicit "no link" drops; an outage no longer triggers an
      originating fallback so the channel can decide degraded behaviour.
    
    Test additions
    - tests/test_isolation.py (new): full coverage of IsolationKeys, the
      contextvar helpers, header constants, and end-to-end ASGI
      middleware lift / reset / passthrough.
    - tests/test_host.py: TestBindRequestContext, TestBoundResponseStream
      (aclose / __await__ / __getattr__ forwarding / double-close
      idempotency), TestWrapInputListMessages (list[Message] LAST
      precedence), TestLifespanAggregation (startup + shutdown).
    - tests/test_types.py: TestApplyRunHook (sync/async/None), and
      TestDeliveryReport (new failed field).
    - Updated test_push_exception_marks_skipped ->
      test_push_exception_lands_in_failed_no_fallback to match the new
      delivery contract.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting): address PR-2 round-2 review comments
    
    - Refactor workflow checkpoint restoration into shared helpers
      (_restore_workflow_checkpoint for blocking; the streaming sibling
      drains the rehydration stream) so the blocking and streaming paths
      rehydrate identically — clarifies the previously inline _maybe_restore
      by hoisting the pattern next to the blocking call site.
    - Document that blocking workflow output is text-only by design;
      richer modalities ride the streaming AgentResponseUpdate channel,
      which preserves all content parts.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * review: address PR-4 _host.py round 2 feedback
    
    These review comments were filed on PR-4 (#5640) but target lines that
    live in the hosting-core package (PR-2 / #5638), so the fixes land here
    and PR-4's stack will pick them up on rebase.
    
    - _suppress_already_consumed: narrow the RuntimeError catch to the two
      documented benign messages (`Inner stream not available`, `Event loop
      is closed`); any other RuntimeError now logs at ERROR with a full
      traceback so executor bugs / runner-context state errors / checkpoint
      RuntimeErrors during the post-run flush no longer masquerade as
      benign cleanup noise. Still no propagation (we're in an
      async-generator finally during teardown) — see the docstring.
    - _restore_workflow_checkpoint{,_streaming}: log a WARNING when a
      non-None latest checkpoint drains to zero events, so a stale or
      partially-written checkpoint_id surfaces as an operator signal
      instead of a silent state-loss.
    
    (The `deliver_response` "no destinations resolvable" vs "every
    destination errored" concern raised in 3198268038 is already addressed
    by the existing `failed` vs `skipped` distinction surfaced through
    `DeliveryReport.failed` — see lines 1080-1102 and the
    `DeliveryReport` docstring.)
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting): reject path-traversal patterns in checkpoint isolation_key
    
    The host's `_resolve_checkpoint_storage` joined `request.session.isolation_key`
    directly into the configured `checkpoint_location`. The key is caller-
    controlled — sourced from inbound headers (`x-agent-{user,chat}-isolation-key`
    injected by the Foundry runtime), from channel-supplied derivations such as
    `telegram:<chat_id>` / `entra:<oid>`, or from values set by a channel
    `run_hook`. A value like `../../../etc/foo` or an absolute path would let
    the resulting checkpoint directory escape the configured root (CWE-22).
    This matches the path-traversal class fixed upstream in #5851 for the
    foundry_hosting checkpoint storage.
    
    New `_checkpoint_path_for_isolation_key(root, isolation_key)` helper:
    
    - Uses a denylist (not allowlist) so legitimate namespaced keys
      (`telegram:42`, `entra:abc-def`) continue to pass through unmodified.
    - Rejects path separators (`/`, `\`), NUL, all-dot reductions (`.`, `..`,
      `...`, ...), absolute paths (`os.path.isabs`), and drive-letter prefixes
      (`os.path.splitdrive` plus an explicit `^[A-Za-z]:` check so payloads
      crafted on a POSIX host still fail closed if the resulting directory
      ever round-trips to Windows storage).
    - After joining, resolves both sides and verifies
      `target.is_relative_to(root)` as defence-in-depth.
    
    `_resolve_checkpoint_storage` now logs a WARNING and returns `None` for
    invalid keys rather than crashing the request — checkpointing is best-
    effort and we prefer dropping it to letting one malformed key abort an
    otherwise valid agent run.
    
    Tests:
    
    - `TestCheckpointPathForIsolationKey` exercises the helper directly with
      legitimate keys (alphanumeric, `:`-namespaced, dotted, 200-char), all
      rejected traversal patterns from #5851's MSRC repro list, and
      non-string input.
    - `TestHostWorkflowCheckpointingPathTraversal` verifies the end-to-end
      request path: a traversal key (`../escape`) and an in-key separator
      (`evil/sub`) both produce a successful agent response with no files
      written under `checkpoint_location`, and the traversal case logs a
      WARNING citing `isolation_key`.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting): address PR-2 round-3 review feedback + add response hooks
    
    Round-3 review comment fixes:
    
    - _types.py: drop the _EMPTY_MAPPING sentinel; ChannelIdentity.attributes
      uses plain dict() as the default — simpler, no extra symbol to track.
    - _host.py: drop the local `import asyncio` + `from typing import cast as
      _cast` inside `serve()`; rely on the module-level imports.
    - _host.py: switch `_log_incoming` to structured `extra={...}` payloads
      for both INFO and DEBUG so log aggregators get queryable fields.
    - _host.py: delete `_flat_context_providers` and stop descending into a
      `.providers` attribute. Aggregator providers (AggregateContextProvider /
      ContextProviderBase) are responsible for forwarding `response_context`
      to their children themselves; the host treats whatever
      `agent.context_providers` exposes as the final, flat list.
    - _host.py: stop collapsing agent / workflow output to text. `_invoke`
      forwards `AgentResponse.messages` (and `raw_response`) on the
      `HostedRunResult`. `_invoke_workflow` builds a per-event message list
      via a new `_workflow_output_to_messages` helper that preserves
      AgentResponse / AgentResponseUpdate / Message / Content branches and
      falls back to text only for arbitrary objects.
    - _host.py: `_workflow_event_to_update` carries Content payloads through
      unchanged so multi-modal workflow outputs (images, function-call
      metadata, ...) survive into channels.
    
    New features (per design discussion in the PR thread):
    
    - HostedRunResult: rebuilt around `messages: list[Message]` with
      `.text` / `.contents` as projections, a `raw_response` slot for the
      underlying AgentResponse, and a `replace(messages=..., raw_response=...)`
      clone helper used by the delivery layer for per-destination isolation.
      The `HostedRunResult(text="...")` ctor is preserved as a back-compat
      shim that synthesises a single assistant text message.
    - ResponseTarget: gain `echo_input: bool = False` (also exposed on
      `.channel(name, *, echo_input=...)` / `.channels([...], *, echo_input=...)`).
      When set, the host pushes the originating user message to each
      non-originating destination before the agent reply. Channels can
      filter or transform echoes via their response_hook.
    - DeliveryReport: add `echoed` / `echo_failed` tuples to surface
      per-destination outcomes of the new echo phase. Echo failures do not
      abort the corresponding response push on the same destination.
    - ChannelResponseHook + ChannelResponseContext + apply_response_hook:
      duck-typed `response_hook` attribute on channels for per-destination
      post-processing. Receives a clone of the HostedRunResult and a
      context carrying the request, channel name, destination identity,
      originating flag, and `is_echo` phase flag. Channels stay
      modality-aware (text-only wires flatten via the hook; card-capable
      channels render structured contents directly).
    - _deliver_response: clone-before-hook fan-out so a hook mutating one
      channel's payload cannot leak into another destination's view.
    
    Tests:
    
    - Update _FakeAgentResponse to expose `.messages` (single assistant text
      message synthesised from `text`) so existing tests pass unchanged on
      the new multi-modal _invoke path.
    - Replace the obsolete `test_bind_descends_one_level_into_providers_attribute`
      with a regression guard asserting the host does NOT descend into
      `.providers` (matches new contract).
    - New tests for HostedRunResult multi-modal preservation, echo_input
      fan-out with success + failure, response_hook applied per destination,
      per-destination mutation isolation, and is_echo phase observability.
    
    Docs:
    
    - spec 002: rewrite Canonical flow with the new input → run_hook → host
      → target → wrap → per-destination clone → response_hook → push
      pipeline; document multi-modality contract and per-destination
      cloning; add `echo_input` row to ResponseTarget table; rewrite
      HostedRunResult/HostedStreamResult row; add ChannelResponseHook /
      ChannelResponseContext / apply_response_hook table; log decisions
      Q28 (no host-side text collapse), Q29 (duck-typed response_hook),
      Q30 (opt-in `echo_input` on ResponseTarget).
    - ADR 0026: add ChannelResponseHook + multi-modality bullets;
      surface `echo_input` on the ResponseTarget bullet.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(hosting): drop HostedRunResult(text=...) back-compat shim; use from_text()
    
    Pre-release cleanup — no released callers to break, so consolidate on one
    canonical entry point plus a classmethod for the ergonomic
    single-text-message case:
    
    - HostedRunResult.__init__ takes ``messages`` positionally (required); no
      more ``text=`` kwarg overload, no more "synthesise an empty message
      when no args" path.
    - New HostedRunResult.from_text(text, *, role="assistant", raw_response=None)
      classmethod for the common "wrap a single text content as one message"
      case (tests, channels emitting plain strings, the echo-input phase
      wrapping a user's text turn).
    - ``_build_echo_payload`` uses ``HostedRunResult.from_text(raw, role="user")``
      for the ``str`` and fallback branches; the other branches use the plain
      ctor with explicit ``Message`` lists.
    - Tests rewritten to use ``from_text("reply")`` everywhere
      ``HostedRunResult(text="reply")`` appeared. Added an explicit
      ``test_from_text_role_kwarg_overrides_default`` regression guard.
    - spec 002: HostedRunResult row updated to describe the
      ``from_text(text, *, role="assistant")`` classmethod instead of the
      removed back-compat shim.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * refactor(hosting-core): reshape HostedRunResult into generic typed envelope
    
    Replace the flattened multi-modal HostedRunResult (carrying
    messages/raw_response/.text projections) with a typed generic
    envelope around the target's full-fidelity output:
    
      class HostedRunResult(Generic[TResult]):
          result: TResult
          session: AgentSession | None
    
    - Agent targets produce HostedRunResult[AgentResponse]; channels
      read result.messages, result.text, result.value, result.response_id,
      result.usage_details directly off the underlying response.
    - Workflow targets produce HostedRunResult[WorkflowRunResult];
      channels iterate result.get_outputs() and inspect
      result.get_final_state() themselves (the host no longer collapses
      workflow outputs onto a synthesised message list).
    - The echo-input phase synthesises a HostedRunResult[AgentResponse]
      wrapping the user's turn so the same per-destination delivery
      machinery applies.
    - replace() is now {result, session} only; the host's clone is
      shallow — channels that need to mutate result itself are
      responsible for their own deep copy.
    
    Rationale: the earlier shape pre-shaped target output (collapsing
    workflows onto a Message list, losing per-executor outputs, final
    state, and structured value affordances). Carrying the target output
    unchanged keeps the host modality-agnostic, gives channel authors
    static typing where they want it, and removes 30+ lines of
    host-side projection helpers.
    
    Also updates ADR 0026 + spec 002 (Q3, Q28, Q29 amended; new Q31
    captures the generic-envelope decision and rationale).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting-core): document echo vs response distinction for push channels
    
    The host already encodes the echo-vs-response phase via the
    underlying Message.role on the pushed HostedRunResult:
    
    - echo phase: payload.result.messages[*].role == "user"
    - response phase: payload.result.messages[*].role == "assistant"
    
    Both pushes go through the same ChannelPush.push(identity, payload)
    entry point. Channels distinguish either by inspecting role (which
    works for any push-capable channel) or — when a response_hook is
    wired — by branching on ChannelResponseContext.is_echo directly.
    
    Expand the ChannelPush Protocol docstring to make this discoverable
    for channel implementers (esp. chat bots that cannot impersonate
    the user on their wire and need to render echoes as quoted /
    prefixed blocks rather than as bot replies).
    
    Mirror the explanation into the spec's echo_input section.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting-core): fix quickstart to use current Agent API
    
    ChatAgent was renamed to Agent and the preferred construction pattern
    is client.as_agent(...). Also drop the sibling channel import so the
    snippet imports only modules declared as dependencies of this package;
    point readers at the sibling packages instead.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * test(hosting-core): drop redundant @pytest.mark.asyncio decorators
    
    asyncio_mode = "auto" is configured in pyproject.toml, so individual
    @pytest.mark.asyncio decorators are unnecessary.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting): add authorization profiles + IdentityAllowlist seam to ADR/spec
    
    Composes `require_link` + `allowlist` into three named profiles (open,
    forced-link, allowlist) with the allowlist itself keyed on either the
    channel-native id (pre-link) or a verified IdP claim (post-link), plus
    `AnyOf`/`AllOf` combinators for mixed setups. Lifts the design into
    an explicit host seam (`host.authorize(...)` → `AuthorizationOutcome`
    of `Allowed` / `LinkRequired` / `Denied`) instead of leaving each
    channel to roll its own.
    
    Key contract bits:
    - Tri-state `AllowlistDecision` (ALLOW / DENY / ABSTAIN) so claim-based
      lists can ABSTAIN until claims are available without composition
      silently flipping that into DENY.
    - `AuthorizationContext` carries explicit `phase` + `claim_source`
      so allowlists can tell pre-link from post-link without overloading
      `verified_claims is None`.
    - Channel-side `allowlist: ... | Literal["inherit"] | None` with an
      explicit inheritance sentinel, so the host-level `default_allowlist`
      is opt-out, not opt-in.
    - Construction-time validator rejects silent-deny configurations
      (`LinkedClaimAllowlist` without a claim source) with a typed
      `ChannelConfigurationError`.
    - Group-chat denial mirrors the existing `LinkChallenge` DM-redirect
      pattern; only the redacted `user_message` reaches the wire,
      structured `log_details` stay in telemetry.
    
    Ships in two waves: the Protocol + `NativeIdAllowlist` + config
    validator land with the next core PR ahead of the linker; the full
    pipeline + `LinkedClaimAllowlist` enforcement land with the
    `IdentityLinker` core PR.
    
    Updates: ADR 0026 (summary bullet + conceptual-API table row + resolved
    Q16), spec 002 (new req #22, renumbered v1 fast-follow #23..#29 and
    stretch #30..#31, new "Authorization profiles and the IdentityAllowlist
    seam" subsection, inbound-ownership row, resolved Q32, follow-up entry).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting): add DurableTaskRunner seam + runtime_mode auto-detect
    
    Introduces the explicit long-running vs ephemeral runtime distinction
    and a generic DurableTaskRunner Protocol that owns non-originating
    push dispatch — collapsing the previous deliveries[] per-destination
    state machine, SupportsDeliveryTracking provider capability, and
    Foundry update_item service ask down to a single immutable
    intended_targets[] write on the message.
    
    Spec / ADR:
    - New §"Runtime modes" with auto-detect markers + defaults matrix.
    - Rewrites §"Delivery tracking" → §"Intended targets + durable
      delivery": intent-only on the message, operational state lives in
      the runner.
    - New §"Durable task runner" defining DurableTaskRunner / RetryPolicy
      / TaskHandle / TaskStatus.
    - Drops §SupportsDeliveryTracking and §Foundry update_item gap.
    - Resolved Qs: 12, 18, 21, 26 revised; new 17/18/19 (ADR) and
      33/34/35 (spec).
    
    Code:
    - New _runner.py with InProcessTaskRunner (asyncio + bounded retry,
      bounded terminal-status cache, register-after-start guard,
      shutdown drain).
    - _host.py: runtime_mode + durable_task_runner ctor params;
      auto-detect via FOUNDRY_HOSTING_ENVIRONMENT /
      AZURE_FUNCTIONS_ENVIRONMENT / AWS_LAMBDA_FUNCTION_NAME;
      HOSTING_PUSH_TASK_NAME handler registered eagerly so
      _deliver_response can be called outside the lifespan;
      _handle_push_task does echo-then-response inline per destination;
      _deliver_response now schedules one task per destination via the
      runner (DeliveryReport.pushed = scheduled; .failed = schedule-time
      outage only).
    - _types.py: new DurableTaskRunner Protocol + RetryPolicy /
      TaskHandle / TaskStatus; DeliveryReport drops echoed /
      echo_failed (echo outcome owned by the runner).
    - __init__.py exports the new public surface.
    
    Tests: 132 passing, 90% coverage. New test_runner.py covers
    InProcessTaskRunner success/retry/terminal-failure/cancellation/
    register-after-start, runtime-mode auto-detect with synthetic env,
    and the warning-on-ephemeral-without-runner path. test_host.py
    delivery tests use a sync runner fake for deterministic assertions
    and validate the new "schedule succeeded vs runner backend
    unreachable" semantics.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting): rubber-duck round-5 — strict ephemeral, codec seam, allowlist Wave-1, drop DeliveryReport
    
    Adopts the rubber-duck-approved package of changes from the round-5
    review of PR #5638 (modulo DeliveryReport.failed — the value type is
    removed entirely now that durable delivery covers the failure
    surface, per user direction).
    
    Code:
    - Drop DeliveryReport value type; host-internal _deliver_response
      returns bool. Failure observability is now logs (in-process) /
      runner backend (durable adapters).
    - Strict ephemeral default: ephemeral runtime_mode with the default
      in-process runner raises RuntimeError; opt-in via
      allow_in_process_runner=True (warns).
    - ChannelPushCodec Protocol + DurableTaskPayloadMode enum +
      _validate_runner_codec_pairing so JSON-mode runners can be safely
      paired with channels via codecs; _handle_push_task accepts both
      object- and JSON-envelope shapes.
    - ResponseTarget.identity(...) / .identities([...]) builders +
      IDENTITIES kind for explicit caller-supplied recipients; field
      rename identities → _target_identities (private) with a
      target_identities property to resolve the classmethod collision.
    - Intent-only audit: _annotate_intended_targets writes
      hosting.intended_targets / skipped_targets / includes_originating /
      originating_channel onto assistant messages — single immutable
      write per the runner-owned operational-state model.
    - InProcessTaskRunner: 2-phase drain on shutdown
      (shutdown_grace_seconds, default 5.0) so a clean shutdown does not
      abandon work mid-retry; payload_mode = OBJECT class-level.
    - Echo idempotency: _handle_push_task tracks an echo_done cursor on
      runner-owned task state so a retry that fires after the echo
      phase succeeded does not double-echo.
    
    Wave-1 authorization seam (full landing):
    - New _authorization.py with AllowlistDecision tri-state,
      AuthorizationContext, IdentityAllowlist Protocol, AllowAll /
      NativeIdAllowlist (with async loader cache + channel-scope ABSTAIN) /
      LinkedClaimAllowlist (raise-until-Wave-2) / AnyOfAllowlists /
      AllOfAllowlists / CallableAllowlist built-ins, Allowed /
      LinkRequired / Denied outcomes, ChannelConfigurationError.
    - Host(default_allowlist=..., identity_linker=...) + per-channel
      allowlist parameter with 'inherit' / None semantics.
    - _validate_channel_authorization enforces all three rules at
      construction: claim-source requirement, linker presence for
      require_link=True (elevated from no-op — must not ship
      unenforced), and NativeIdAllowlist(channel=...) typo detection.
      Combinator-walking via _flatten_allowlists catches nested
      misconfigs.
    - host.authorize(...) for the native-id pipeline: open path returns
      Allowed with auto-issued <channel>:<native_id> isolation key (or
      the existing key when the identity has been seen); ABSTAIN on a
      claim-required allowlist maps to
      Denied(reason_code='allowlist_requires_link') until Wave 2 wires
      the linker to convert it to LinkRequired.
    
    Spec / ADR:
    - docs/specs/002-python-hosting-channels.md: Wave-1 status updated
      to reflect the linker-presence rule elevation and the
      host.authorize landing; new sub-sections (codec contract, drain,
      echo cursor); Qs 18 / 21 DeliveryReport references purged; new
      resolved Qs 36–40 covering the strict-ephemeral default, codec
      contract, DeliveryReport removal, echo cursor, and drain.
    - docs/decisions/0026-hosting-channels.md: Q12 DeliveryReport
      reference purged; Q16 updated to reflect Wave-1 landing; new
      resolved Qs 20 (codec contract) + 21 (strict ephemeral / drain /
      echo cursor).
    
    Tests:
    - New tests/test_authorization.py (35 cases) covering every Wave-1
      built-in, the three validator rules, combinator decision
      semantics, and host.authorize across open / allow / deny /
      abstain-with-claim-dep / abstain-without-claim-dep paths plus
      existing-key reuse and verified-claims propagation.
    - tests/test_host.py: TestDeliverResponse rewritten for the bool
      return + runner.scheduled-count assertions; new tests for
      IDENTITIES variant + echo idempotency.
    - tests/test_runner.py: strict-ephemeral now expects RuntimeError;
      allow_in_process_runner opt-in tests; shutdown drain test;
      payload_mode default test.
    - tests/test_types.py: TestDeliveryReport removed; new
      TestDurableTaskPayloadMode + TestResponseTargetIdentities.
    
    Validation: 178 tests pass, 91% coverage, fmt + lint + pyright +
    mypy clean.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting): add mermaid flow diagrams to ADR, spec, README
    
    Insert the 10 hosting flow diagrams reviewed in
    python/.user/hosting-diagrams.md into the public docs:
    
    - README: runtime topology (1a) + cross-link to the spec for the
      richer set.
    - ADR: runtime topology, channel contribution shape, and authorization
      decision (1a, 1b, 3) at the end of 'Conceptual API shape'.
    - Spec: all 10 diagrams — 1a/1b at the top of API Surface, 2 in
      Canonical flow, 3 in Authorization profiles, 4-7 in Scenarios 6-8,
      8 in Codec contract, 9 in Echo idempotency, 10 in Scenario 9.
    
    Doc-only; no API or behaviour change.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting): add opt-in disk persistence via state_dir
    
    Long-running hosts (always-on container, single-VM bot, local dev) lose
    state on every restart today. Add an opt-in disk persistence layer under
    a new `state_dir` constructor parameter on `AgentFrameworkHost` that
    survives process restarts without taking on a heavyweight database
    dependency.
    
    Backed by `diskcache` (installed via the new `[disk]` optional extra).
    An OS-level advisory file lock guarantees single-owner semantics so two
    hosts pointed at the same directory cannot double-execute scheduled
    pushes.
    
    What persists when `state_dir` is set:
    
    - Pending durable-task records — scheduled-but-not-yet-completed pushes
      replay on the next host startup via `InProcessTaskRunner.resume()`.
      Records that crashed mid-attempt resume with the already-consumed
      retry budget (no full-budget re-grant).
    - `_session_aliases` — per-isolation-key session-id rewrites.
    - `_active` — most-recently-active channel per isolation key.
    - `_identities` — `ChannelIdentity` rows for fan-out targeting,
      including nested mutations of the form
      `self._identities[ik][channel] = identity`.
    
    The `state_dir` parameter accepts any of:
    
    - `None` — today's purely in-memory behaviour.
    - `str` / `PathLike` — single root; host auto-creates `runner/` and
      `sessions/` subfolders.
    - `HostStatePaths` TypedDict / plain mapping — per-component overrides
      routed to different roots. Unknown keys raise `ValueError` to surface
      typos early.
    
    Unpicklable push payloads raise `PushPayloadNotPicklable` eagerly from
    `schedule()` so issues surface at the call site rather than on the
    next restart. Corrupt on-disk records are quarantined-and-logged; the
    runner never crashes on resume.
    
    Live `AgentSession` objects stay in memory and are rehydrated lazily
    by the history provider on the next turn.
    
    - New modules: `_persistence.py` (lock + normalisation),
      `_state_store.py` (session-bookkeeping store).
    - Runner rewrite: 4-state model (`pending` / `succeeded` / `failed`
      / `cancelled`); the transient `running` state was a bug that caused
      resume to skip records that crashed mid-handler.
    - New tests: `test_runner_disk.py` (8 tests), `test_host_disk.py` (8
      tests). 194 passed total. pyright + mypy + ruff clean.
    - README: new "Optional disk persistence" section with code samples.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting): add checkpoints to state_dir + fix host docstring
    
    Three related polish changes on top of the disk-persistence landing:
    
    1. Extend `state_dir` to cover workflow checkpoints. Adds
       `checkpoints` as a third `HostStatePaths` key. Single-path form
       (`state_dir="/foo"`) now also auto-derives `/foo/checkpoints/`
       for workflow targets (equivalent to passing
       `checkpoint_location="/foo/checkpoints"`). The mapping form lets
       workflow callers opt out by omitting the key, or route checkpoints
       to a different volume.
    
       Conflict / precedence rules:
       * Explicit `checkpoint_location` always wins over the state_dir
         derived path; a warning surfaces the double-config.
       * Single-path `state_dir` + non-Workflow target → checkpoints path
         silently ignored (no eager directory creation either).
       * Mapping form with `checkpoints` + non-Workflow target → warn
         (almost certainly dead config).
       * Derived path with a workflow that already has its own
         `checkpoint_storage` → same `RuntimeError` as the explicit
         parameter triggers, so ownership stays unambiguous.
    
       Checkpoint persistence uses `FileCheckpointStorage` from the
       framework core — no extra dependency. Only `runner` and
       `sessions` require the `[disk]` extra.
    
    2. Move `AgentFrameworkHost.__init__` parameter docs from `Args:` to
       `Keyword Args:` for every parameter after the `*`. Only `target`
       remains under `Args:`. Brings the docstring in line with the
       actual signature (the params have always been keyword-only).
    
    3. `HostStatePaths` already existed as a TypedDict but did not cover
       `checkpoints`; updated to document the new key with the same
       per-attribute docstring style as `runner` / `sessions` so editors
       can surface help on the keys.
    
    Validation: 201 tests pass (was 194; +7 checkpoint integration tests
    in test_host_disk.py). pyright + mypy + ruff + bandit clean.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting): add core IdentityLinker authorization seam
    
    Fold the core IdentityLinker pieces into the hosting-core PR so the
    authorization surface no longer has a deferred Wave-2 placeholder.
    Provider-specific linkers (for example Entra OAuth helpers) can now plug
    into core without core depending on an IdP SDK.
    
    Core additions:
    - Add LinkChallenge, LinkedIdentity, LinkResolution, and IdentityLinker.
      IdentityLinker.resolve(identity) is a single-call decision that returns
      either a linked identity with verified claims or a challenge the channel
      can render.
    - Enable LinkedClaimAllowlist end-to-end. It now abstains pre-link and
      allows/denies post-link against verified claims, including multi-valued
      claims such as groups.
    - Add AuthPolicy factories for common allowlist shapes.
    - Extend Allowed with verified_claims and claim_source for audit/telemetry
      without requiring callers to re-derive how the decision was made.
    
    Host behavior:
    - identity_linker is now typed as IdentityLinker | None.
    - authorize() supports open, native-id, forced-link, and linked-claim
      profiles end-to-end.
    - require_link=True resolves via the linker and returns LinkRequired when
      the identity is not linked.
    - claim-based allowlists use channel-emitted verified_claims when present,
      or linker-resolved claims otherwise.
    - authorize() remains decision-only and does not mutate _identities/_active;
      identity registry writes remain on the actual request execution path.
    
    Docs/tests:
    - Remove Wave-1/Wave-2 language from core/spec/ADR surfaces touched here.
    - Update the spec/ADR to describe the core linker seam and provider-specific
      linker packages.
    - Add authorization tests for linker challenges, linked identities, linked
      claim allowlists, channel-emitted claims, AuthPolicy factories, and the
      no-mutation contract.
    
    Validation: 214 tests pass, pyright/mypy/ruff clean.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(hosting): add link-store path to state_dir
    
    Identity linking introduces host-adjacent state that needs the same state_dir treatment as runner, session, and checkpoint state. Add a links component to the host state paths so applications and linker packages have a typed, discoverable persistence location.
    
    Changes:
    - Extend HostStatePaths with links and include it in state_dir normalization (state_dir/links/ for the single-path form).
    - Add SupportsLinkStorePath, an optional protocol for identity linkers that accept a host-provided link-store path.
    - AgentFrameworkHost now offers state_dir links to compatible linkers, warns when an explicit links path is supplied without a linker, and warns when the configured linker manages persistence directly instead of implementing SupportsLinkStorePath.
    - Update README and spec text to document the link-store component and clarify that concrete linkers still own the storage format.
    - Add disk-state tests for compatible, missing, and non-configurable linkers.
    
    Validation: 217 tests pass, pyright/mypy/ruff clean.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Channel spec (#5549)
    * first iteration of channel spec
    
    * added deny link setup
    
    * clarify invocation hook role and dedupe ADR/spec
    
    ADR 0026:
    - Tighten Decision Outcome Summary so each concept is mentioned once;
      defer full definitions to the Terminology section.
    - Update ChannelInvocationHook bullet to match the clarified gap #7
      language (uniform ChannelRequest envelope, hook timing, illustrative
      examples).
    - Drop Decision Drivers bullets that just restated Business Goals;
      cross-link to the goals section instead.
    - Replace the More Information bullet list with a pointer to Non-Goals.
    
    Spec 002:
    - Trim requirement #21 to point at the canonical LinkPolicy section
      instead of restating the full contract.
    - Add a #linkpolicy-and-trust_level subsection anchor for cross-refs.
    - Trim the Terminology LinkPolicy entry's two-hosts caveat (canonical
      version stays in the Key Types section).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * updated adr and spec
    
    * Update hosting channels ADR and spec
    
    - Document FoundryHostedAgentHistoryProvider roundtrip of additional_properties namespaces via the agent_framework container key on stored OutputItems.
    - Add Foundry storage gap subsection capturing the update_item service ask required for post-push delivery_tracking[] mutation.
    - Triage open questions: 18 resolved (now in a Resolved Questions decisions log), 3 notes-updated, 6 unchanged. Capture spec-body follow-ups implied by the resolutions in a new Decisions-driven follow-ups subsection.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Refine hosting ADR + spec: A2A/MCP-tool channels, store-parameter matrix, open-question pass
    
    - Surface A2A and MCP-tool channels as explicitly designed-in but fast-follow work after the first Responses + Invocations + Telegram release. Updated ADR business goals, non-goals, and More Information; added spec reqs #25 (A2AChannel) and #26 (MCPToolChannel) under v1 Fast Follow; renumbered the WhatsApp/Teams entry to #27.
    - New 'The Responses store parameter' subsection in the spec: 2x3 destination matrix making explicit that 'store' has no canonical meaning at the hosted-agent layer — the developer decides what it maps to across service-side, hosted-agent storage, and caller-side. Includes design properties on forwarding-vs-mapping, per-deployment documentation responsibility, and richer storage vocabulary via OpenAI's extra_body.
    - Fixed contradicting spec text that previously claimed ResponsesChannel maps store=False to session_mode=disabled by default; updated channel options table, session_mode terminology entry, and Scenario 3 prose/comment to match the new model.
    - Renamed FoundryHistoryProvider -> FoundryHostedAgentHistoryProvider throughout the spec (9 occurrences) so the name reinforces the intended hosted-agent use case.
    - ADR open-questions pass: walked through all 15 entries with the user. 13 resolved (moved to a new 'Resolved Questions (decisions log)' table), 2 kept open with refined wording (Q6 'Channel' GA name, Q14 Responses WS subprotocol). Added a 'Decisions-driven follow-ups' bullet list capturing the spec-body / sample edits implied by the resolutions.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Hosting ADR + spec: rename Teams channel to Activity Protocol, add multi-user conversation design
    
    - Rename the planned Teams channel to ActivityChannel (package agent-framework-hosting-activity). Promoted to req #27 (v1 fast follow) alongside A2A and MCP-tool, with native translations from Activity Protocol objects to AF types so the contract is explicit rather than implicit through Invocations. Channel sits behind Azure Bot Service, which fronts Teams / Web Chat / Slack / etc. Naming reserves a TeamsChannel name for any future direct-to-Teams transport that bypasses Bot Service (now stretch req #28 with WhatsApp). ResponseTarget channel ids and JSON examples updated from "teams" to "activity". Appendix B updated to acknowledge that ActivityChannel deliberately reuses the Bot Service connector model (the no-connector stance applies to the rest of the channel set).
    
    - Add first-class design for multi-user surfaces (Telegram groups / supergroups / forum topics; Activity Protocol groupChat and team channels). Cleanly separate user identity (ChannelIdentity.native_id = from.id / from.aadObjectId) from conversation locator (ChannelRequest.conversation_id = chat.id (+ message_thread_id / replyToId)). New per-channel options: conversation_scope (per_user / per_user_per_conversation (default in groups) / per_conversation) and accept_in_group addressing rule (mention_only (default) / command_only / mention_or_command / all). Specifies originating reply must include conversation + thread locator, ChannelPush behavior in groups, link-ceremony privacy (challenges redirected to user DMs), and the Activity-channel mapping for personal / groupChat / channel conversationType plus Teams replyToId threading. Broadcast Telegram Channels and adaptive-card Invoke activity flows scoped as fast follow.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting): rename RunHandle → ContinuationToken; HostStateStore (file-based v1); align agentserver dependency posture
    
    - Rename RunHandle → ContinuationToken (opaque URL-safe `token` field) throughout
      ADR + spec; update routes to /{continuation_token}; spec out equivalent
      continuation-token support for the Invocations channel (Q20 done).
    - Introduce HostStateStore as the single persistence seam for host-execution
      metadata (continuation tokens, identity-link grants, last-seen records).
      V1 default: FileHostStateStore (atomic JSON-per-record under ./.af-hosting/,
      per-namespace TTLs) — background runs and link grants now survive host
      restarts. InMemoryHostStateStore for tests; pluggable Cosmos / SQL / Redis
      remain v1 fast follow under req #23. Closes Q9, Q11, Q14.
    - Drop blanket "no agentserver dependency" claims. Hosting core is still
      independent of agentserver, but channel packages MAY consume lower-level
      building blocks (notably the Foundry response-store SDK that
      FoundryHostedAgentHistoryProvider builds on).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting): swap Scenarios 6 and 7 so the linker comes before cross-channel continuity
    
    Scenario 6 (cross-channel continuity) previously forward-referenced Scenario 7
    (linker) twice, since continuity depends on the link/merge ceremony. Invert the
    order so the linker scenario establishes the mechanism first and the continuity
    scenario builds on it. Update internal cross-references, the require_link
    section anchor, and Scenario 8's prerequisites/comment to match. Also tightened
    the new Scenario 7's closing note to point at HostStateStore (file-based
    default) for cross-host continuity, and dropped a stale MfaIdentityLinker
    reference from the linker variants paragraph (Q13 dropped MFA from phase 1).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting): rewrite Scenario 7 as trusted-relay + add ResponseTarget.identities
    
    The previous Scenario 7 (cross-channel chat continuity) implied two independent
    auto-issued isolation_keys would converge by themselves — they don't, that
    needs a linker. Replace with a more realistic and complementary scenario:
    a trusted server-side application backend exposes Responses + Telegram against
    the same agent and uses extra_body to carry app-internal identity hints
    (app_user_id, push_to_telegram_chat_id) that a Responses run_hook translates
    into both an isolation_key promotion and a push to a known Telegram chat.
    Includes a closing variant pointing back at Scenario 6's linker for the
    no-app-table flow.
    
    Adds the ResponseTarget.identities([ChannelIdentity(...)]) variant to the
    type table and req #12 to support 'caller already knows the channel-native
    recipient' delivery without going through the link store. Bypasses the link
    store but still consults LinkPolicy per delivery.
    
    Drops MfaIdentityLinker references from req #11, req #24, and the linker
    helpers table (Q13 had already dropped MFA from phase 1; the spec body just
    hadn't caught up). Marks ADR Q8 follow-up done.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting): wire FileCheckpointStorage into Scenario 9 + show resume-from-checkpoint flow
    
    Scenario 9 now builds the workflow with a FileCheckpointStorage so executor
    frames are persisted across runs, and demonstrates how the run_hook surfaces
    a caller-supplied resume_from_checkpoint into request.attributes so the host's
    workflow dispatch can pass it to Workflow.run(checkpoint_id=...). Closing
    paragraph clarifies that CheckpointStorage is workflow-runtime state, kept
    structurally separate from HostStateStore and ContextProvider — three
    protocols that MAY share a backend but stay independently typed.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(hosting): emphasize result richness in Scenario 10 (channels are not limited to result.text)
    
    Add a 'Result is rich, not just text' callout under the channel-authoring
    sample. Inventories the typed Contents on the underlying AgentRunResult
    (TextContent, DataContent, UriContent, FunctionCallContent /
    FunctionResultContent, HostedFile/VectorStoreContent, UsageContent,
    TextReasoningContent, ErrorContent + additional_properties), the typed
    structured output via result.value, and shows concrete examples per channel
    shape: Telegram (MarkdownV2 + sendPhoto/sendAudio + inline keyboards),
    Responses (full content-list round-trip), chat UI (GFM/HTML +
    collapsible tool/reasoning panels), voice (TTS + earcons), typed RPC
    (result.value first). result.text is positioned as a convenience for
    single-string channels, not the contract.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * spec: add TeamsChannel (microsoft/teams.py) as fast-follow req #28
    
    Add a Teams-native channel package built on the MIT-licensed
    microsoft/teams.py SDK as fast-follow alongside the generic
    ActivityChannel (req #27). Where ActivityChannel targets the
    generic Activity Protocol surface, TeamsChannel exploits
    Teams-specific affordances the generic protocol does not surface
    natively: Adaptive Cards (typed builder), streamed replies,
    AI-generated badge, feedback controls + form, suggested-prompt
    chips, inline citations, modal Dialogs, Message Extensions
    (action / search / link unfurling), proactive / targeted /
    threaded messages, and SSO via MSAL.
    
    Mounts the SDK's App into the host's Starlette app via a custom
    HttpServerAdapter; reuses the same host-tracked-session family
    as ActivityChannel (from.aadObjectId -> ChannelIdentity). The
    SDK already ships a 'Build an agent using Microsoft Agent
    Framework' guide so the integration story is direct.
    
    Renumber the WhatsApp / direct-to-Teams stretch item to req #29
    and clarify its 'direct-to-Teams' placeholder is a future
    transport that bypasses both Bot Service and the teams.py SDK.
    
    Add the SDK to Dependencies & Commitment Status as a proposed
    runtime dep of agent-framework-hosting-teams.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * spec: clarify direct-to-Teams stretch as speculative (no Bot Service)
    
    Split the WhatsApp + direct-to-Teams stretch entry into two
    distinct items and reword the direct-to-Teams item to be honest
    about its current feasibility:
    
    - It MUST not rely on Azure Bot Service (otherwise it is just
      ActivityChannel / TeamsChannel under a different name).
    - No such transport is publicly available today: Graph chat APIs
      and microsoft/teams.py both ultimately route through Bot Service
      for the bot-as-conversation-participant pattern.
    - The slot is kept on the roadmap to preserve the naming line in
      case Microsoft ships a Bot-Service-free transport (native Teams
      REST/RPC, a Graph subscription strong enough to drive both
      inbound and outbound message flow, ...).
    - Reaffirm TeamsChannel (req #28) as the canonical Teams channel
      until then.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * spec: clarify TeamsChannel still rides on Bot Service in v1; add audience table
    
    Make explicit that TeamsChannel (req #28) uses Azure Bot Service
    in v1 — the microsoft/teams.py SDK is a higher-level Pythonic
    wrapper over the same Activity Protocol pipeline that
    ActivityChannel exposes raw. The difference is what the developer
    writes against, not the network path. A Bot-Service-free Teams
    transport is not currently possible and stays tracked as the
    speculative req #30.
    
    Add the ActivityChannel vs TeamsChannel audience comparison table
    to req #28 so the choice is obvious to readers:
    - ActivityChannel: maximum portability across all Bot Service-fronted channels.
    - TeamsChannel: Teams-first deployments wanting Cards / Dialogs /
      Message Extensions / citations / feedback / suggested prompts /
      SSO out of the box.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: bump package versions for 1.6.0 release (#6017)
    * Python: bump package versions for 1.6.0 release
    
    - Released cohort (agent-framework, core, openai, foundry): 1.5.0 -> 1.6.0
    - Beta packages (21 packages): 1.0.0b260519 -> 1.0.0b260521
    - Alpha packages (azure-contentunderstanding, foundry-hosting, gemini, monty): 1.0.0a260518/19 -> 1.0.0a260521
    - ag-ui stays at 1.0.0rc2, orchestrations at 1.0.0rc1 (dependency bounds updated)
    - Inter-package dependency lower bounds updated (>=1.5.0,<2 -> >=1.6.0,<2)
    - Update CHANGELOG compare links
    - uv.lock refreshed
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address review: bump RC packages, add shell tool to changelog
    
    - ag-ui: 1.0.0rc2 -> 1.0.0rc3
    - orchestrations: 1.0.0rc1 -> 1.0.0rc2
    - Add shell tool (#5664) to CHANGELOG
    - uv.lock refreshed
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • .NET: Fix declarative workflow regressions for hosted agents (#5905)
    * Fix declarative workflow regressions for hosted agents
    
    Three regressions surfaced when running a declarative workflow as a
    Foundry hosted agent. Together they caused every condition group to fall
    through to elseActions and the raw agent JSON to leak to the caller.
    
    1. AgentProviderExtensions.InvokeAgentAsync forced autoSend to true
       whenever the agent ran on the workflow conversation, which overrode
       the explicit autoSend: false declared in workflow.yaml and streamed
       the raw structured-output JSON straight to the user. Honor the
       caller-supplied autoSend instead.
    
    2. IWorkflowContextExtensions.ReadState / QueueStateUpdateAsync /
       QueueStateResetAsync took the variable name and namespace alias
       directly from PropertyPath.VariableName / NamespaceAlias. Against
       Microsoft.Agents.ObjectModel 2026.2.4.1 those properties return null
       for a dotted reference such as `Local.Triage` even when
       SegmentCount == 2 and IsValid == true, so every assignment threw
       ArgumentNullException via Throw.IfNull. Fall back to Segments() to
       reconstruct the name and alias when the parser returns null.
    
    3. The same ObjectModel version no longer recognizes the user-facing
       `Local` scope alias: VariableScopeNames.IsValidName(`Local`)
       returns false and GetNamespaceFromName(`Local`) returns Unknown, so
       the declarative interpreter's IsManagedScope check fails and the
       State.Set call is silently skipped. Translate the `Local` alias to
       its canonical `Topic` form before forwarding to
       QueueStateUpdateAsync; WorkflowFormulaState.Bind continues to expose
       it as `Local` to PowerFx.
    
    Verified end-to-end against a deployed Foundry hosted agent: the
    declarative triage workflow now routes Technical / Billing / General
    inputs correctly and only the autoSend-eligible messages reach the
    caller.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Hosted-agent HITL: persist session across previous_response_id chains; run approved local AIFunctions
    
    Two regressions hit declarative workflows that use require_approval=true when
    the client chains turns via previous_response_id (no conversation_id):
    
    1. AgentFrameworkResponseHandler keyed the AgentSession store solely on
       conversation_id, so when only previous_response_id was present the
       StateBag (which holds ToolApprovalIdMap) was discarded after each turn.
       The next turn then threw 'No approval mapping recorded for wire id ...'
       in InputConverter.ConvertMcpApprovalResponse.
    
       Fix: fall back to previous_response_id on load and to context.ResponseId
       on save so the response-id chain becomes a valid session key. Conversation
       id remains preferred when present.
    
    2. InvokeFunctionToolExecutor.CaptureResponseAsync only acted on
       FunctionResultContent. In the hosted Foundry path the approval response
       arrives as a ToolApprovalResponseContent with no FunctionResultContent,
       so the local AIFunction never ran and downstream PropertyPath/SendActivity
       consumers (e.g. {Local.RefundResult}) saw empty values.
    
       Fix: when no FunctionResultContent matches but an approved
       ToolApprovalResponseContent does, look up the registered AIFunction by
       name on agentProvider.Functions and invoke it with the evaluated
       arguments, surfacing the result through the existing assignment path.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Apply PropertyPath workaround to initialization path; share + tidy helpers
    
    Address PR #5905 review feedback:
    
    * Move the PropertyPath VariableName/NamespaceAlias fallback and 'Local'
      -> 'Topic' scope remap into a shared internal PropertyPathExtensions
      helper. Materializes Segments() once, names the magic 'Local' alias
      as a const, and carries a TODO referencing the tracking issue.
    
    * Apply the same helper in WorkflowDiagnostics.InitializeDefaults so a
      declared default for a dotted variable like 'Local.Triage' is no
      longer silently skipped at workflow startup (closes the gap flagged
      by the reviewer: runtime ReadState/QueueStateUpdateAsync worked but
      state.Initialize did not).
    
    * Restore the previous strict failure mode on namespace alias by
      wrapping GetNamespaceAlias() in Throw.IfNull at call sites so a
      malformed single-segment path keeps failing fast rather than
      silently passing null to State.Get/Set.
    
    All 821 unit tests pass.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Add tests for AgentProviderExtensions.InvokeAgentAsync autoSend behavior
    
    Covers the autoSend regression fix: when the agent runs on the workflow conversation with autoSend=false, no AgentResponseUpdateEvent or AgentResponseEvent is added to the context. Also covers autoSend=true (events emitted) and autoSend=false on a non-workflow conversation.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Surface SendActivity output via AgentResponseUpdateEvent
    
    SendActivityExecutor previously only emitted the activity text via YieldOutputAsync, which the runtime converts to an AgentResponseEvent. WorkflowSession gates AgentResponseEvent behind includeWorkflowOutputsInResponse, so when a host opts out of summary outputs (the default for AsAIAgent) the SendActivity reply is silently dropped.
    
    Mirror the pattern used by AgentProviderExtensions for autoSend agent invocations: also emit an AgentResponseUpdateEvent, which WorkflowSession yields unconditionally. This makes SendActivity reliably reach chat-protocol clients without requiring includeWorkflowOutputsInResponse = true (which would also duplicate autoSend agent output).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Revert previous_response_id session-key fallback
    
    The fallback let a session be keyed by an unbroken previous_response_id chain,
    but conversation_id is the right way to thread state across turns: it survives
    shared/branched chains (e.g. when another agent generates a response in between)
    and is the documented model for stateful clients. Restore conversation_id as the
    sole session key and rely on the client to thread it. The InvokeFunctionTool
    approval/local-function half of 1baf4af4d remains.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Set Foundry ProductContext per-executor instead of via PropertyPath workaround
    
    ObjectModel 2026.2.4.1 resolves PropertyPath.VariableName / NamespaceAlias and VariableScopeNames.IsValidName against AsyncLocal<ProductContext> at access time. In hosted-agent scenarios each HTTP request runs on a fresh async context where that AsyncLocal is default, so dotted refs like Local.Triage returned null and the Local scope alias was rejected.
    
    Replace the PropertyPathExtensions helper (which papered over both symptoms) with a single WorkflowDiagnostics.SetFoundryProduct() call at the entry of DeclarativeActionExecutor.HandleAsync. The set writes to the request's logical async context before any code reads PropertyPath, letting the existing parser and scope resolver work as designed.
    
    Validated: 824/824 declarative unit tests pass; technical/billing/general routes all dispatch correctly against a deployed Foundry hosted agent.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address review feedback on InvokeFunctionToolExecutor
    
    - Surface registered-function lookup failures and invocation exceptions via FunctionResultContent.Exception instead of returning the error text as a successful Result, so downstream {Local.X} assignments can distinguish failures from successes.
    
    - Use AIJsonUtilities.DefaultOptions to JSON-serialize non-string function results (matching FunctionInvokingChatClient / ToolBridge), so complex types stay consumable by PropertyPath consumers instead of degrading to Object.ToString().
    
    - Drop the explicit System. prefix on StringComparison / Exception now that the file imports System.
    
    - Add AutoSendTrueOnExternalConversationEmitsResponseEventsAndCopiesMessagesAsync to cover the (autoSend: true, external conversation) quadrant, asserting that response events are emitted and that messages are mirrored to the workflow conversation.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Honor AutoSendIsDefaultValue when computing autoSend
    
    AzureAgentOutput.AutoSend and InvokeToolOutput.AutoSend in
    Microsoft.Agents.ObjectModel 2026.2.4.1 are never null — they
    return a literal-false default when the YAML omits the field.
    The previous null check in Get/AutoSendValue therefore always
    fell through to evaluating the literal false, so every action
    whose YAML had any output block but no explicit autoSend was
    treated as autoSend = false. This was previously masked by
    `autoSend |= isWorkflowConversation` in AgentProviderExtensions
    (removed earlier in this PR to honor explicit autoSend: false),
    which silently re-enabled autoSend on the workflow conversation.
    
    Use AutoSendIsDefaultValue to distinguish an explicit autoSend
    value from the implicit default and treat the implicit default
    as true, restoring the historical behavior for ValidateCaseAsync
    InvokeAgent.yaml (3 InvokeAzureAgent actions, last one captures
    to Local.RatingResponse via output.messages with no autoSend
    specified) while keeping the hosted-agent fix that honors an
    explicit autoSend: false.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Ben Thomas <25218250+alliscode@users.noreply.github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Shell tool with support for local and Docker (#5664)
    * feat(tools): add cross-OS LocalShellTool in new agent-framework-tools package
    
    Introduces a safe, cross-OS local shell tool as the first citizen of a new
    
    agent-framework-tools workspace package. Supports persistent (default) and
    
    stateless modes across pwsh/powershell.exe/bash/sh, with policy denylist,
    
    allowlist, approval gating, process-tree kill on timeout, output truncation,
    
    and audit hooks. Integrates with existing provider get_shell_tool(func=...)
    
    factories via FunctionTool kind='shell'.
    
    See docs/decisions/0026-builtin-tools-local-shell.md for the full design.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(tools): security hardening for LocalShellTool
    
    Codifies what LocalShellTool does and does not defend against, and
    
    delegates the security-relevant lifecycle primitive to a battle-tested
    
    library instead of hand-rolled per-OS code.
    
    Changes:
    
    - Adopt psutil for cross-OS process-tree termination (executor + session).
    
      Replaces hand-rolled taskkill/killpg with one canonical implementation.
    
    - Resolve taskkill.exe to absolute %SystemRoot%\System32 path so PATH
    
      poisoning cannot redirect us to an attacker-supplied binary.
    
    - Reframe ShellPolicy docstring + ADR + README: denylist is a guardrail,
    
      not a security boundary.
    
    - Require acknowledge_unsafe=True to set approval_mode='never_require',
    
      making the unsafe path explicitly opt-in with a self-documenting name.
    
    - Add tests/test_security.py codifying named CVE-style cases. Defenses
    
      we DO claim are asserted; non-defenses (denylist bypasses via
    
      backslash insertion, variable expansion, interpreter escape, base64,
    
      alternative tools, PowerShell-native verbs) are documented as
    
      expected-to-pass tests so residual risk stays visible.
    
    - Add Threat Model + Confidence Strategy sections to ADR 0026.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(tools): add DockerShellTool sandboxed shell tier
    
    Adds a container-backed shell executor as the recommended pattern for untrusted-input shell workflows. The container provides the security boundary (--network none, non-root user, --read-only, --cap-drop ALL, no-new-privileges, memory/pids limits, tmpfs /tmp), so approval gating is optional unlike LocalShellTool.
    
    Also introduces a ShellExecutor Protocol so callers can plug in custom backends (Firecracker, SSH, WASI) without forking the framework.
    
    Removes the planned HyperlightShellExecutor follow-up from ADR 0026: Hyperlight is a WASM code sandbox with no kernel/userland/shell binary, so a Hyperlight-backed shell is not viable. Docker is the realistic sandbox tier for shell.
    
    Tests: 11 unit tests for argv builders + lifecycle (no Docker daemon required); 3 integration tests gated on is_docker_available().
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(tools): backport shell-tool fixes from .NET parity review
    
    Applies the applicable subset of bug fixes accumulated during the
    .NET shell-tool PR review (microsoft/agent-framework#5604) to the
    Python shell tool.
    
    A1 - Quote workdir safely in _maybe_reanchor
    
      Previously _tool.py used double-quote interpolation when emitting
      the cd/Set-Location prefix, which expanded $VAR, $(), and backticks
      in the workdir path. A workdir containing shell metacharacters could
      trigger arbitrary command execution before the user command ran.
    
      Replaced with single-quote escaping helpers _quote_posix and
      _quote_powershell that emit literal-string forms safe for both
      hosts.
    
    A5/A6 - Consolidate truncation to a single byte-aware helper
    
      Extracted a shared truncate_head_tail / truncate_text_head_tail
      helper in _truncate.py. The new implementation distributes odd
      caps so head receives floor(cap/2) and tail receives ceil(cap/2)
      bytes, matching the .NET round-9 fix and ensuring no input bytes
      are silently dropped on the boundary.
    
      _session.py previously truncated by Python str length while the
      caller passed _max_output_bytes - the unit mismatch is now gone:
      raw byte buffers go through truncate_head_tail and decoded text
      goes through truncate_text_head_tail.
    
    Unit tests added for the truncate and quote helpers.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(tools): tone down narrative and overconfident comments in shell tool
    
    The shell tool's docstrings and comments contained two patterns that
    the .NET review pushed back on:
    
    - Narrative framing about implementation history ("hard-won",
      "we sidestep", "design inspiration: ...", competitor framework
      name-drops in module docstrings).
    - Overstated security guarantees ("battle-tested",
      "reasonable for untrusted input", "recommended executor for any
      agent that runs commands from untrusted input",
      "destructive commands are blocked", "safe local shell tool",
      "blocks shell injection").
    
    Rewrites the affected docstrings and comments to describe what the
    code does in neutral terms. Behaviour is unchanged.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(tools): add ShellEnvironmentProvider for the Python shell tool
    
    Ports the .NET ShellEnvironmentProvider as a Python ContextProvider
    so agents using LocalShellTool or DockerShellTool can be primed with
    an accurate description of the shell they're talking to (family,
    version, OS, working directory, and which CLIs are available).
    
    The provider runs probes through any ShellExecutor, caches the
    resulting snapshot, and on every before_run extends the session
    instructions with a markdown block describing the shell idiom to
    use. A failed first probe leaves the cache empty so the next call
    retries (no permanent poisoning).
    
    Probe failures from a narrow set of expected error types
    (ShellCommandError, ShellExecutionError, ShellTimeoutError, and
    asyncio.TimeoutError from the per-probe timeout) are recorded as
    None fields in the snapshot. Other exceptions propagate. Tool
    names are validated against ^[A-Za-z0-9._-]+$ before being
    interpolated into a probe command.
    
    Includes 12 unit tests covering happy path, stderr fallback,
    timeout handling, expected/unexpected exception paths, malicious
    tool name rejection, case-insensitive deduplication, retry after
    failure, concurrent first-callers sharing one probe, and the
    default and custom formatter paths.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs(tools): document ShellEnvironmentProvider and finish comment cleanup
    
    Add a README section introducing ShellEnvironmentProvider, soften two remaining overconfident security-boundary comments in _executor_base.py and the DockerShellTool class docstring, and add a sample (shell_with_environment_provider.py) that demonstrates the provider in stateless and persistent modes.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * refactor(tools): move shell samples to python/samples/02-agents/tools
    
    The repository convention is to host samples under python/samples/ rather than inside the package directory. Move the two net-new shell samples (allow-list and environment-provider) to python/samples/02-agents/tools/ and drop the in-package samples/ directory; the existing top-level providers/openai/client_with_local_shell.py already covers the basic LocalShellTool walkthrough.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * test(tools): cover confine_workdir default and ShellResult.format_for_model
    
    Two new tests in test_local_shell_tool.py exercise the default confine_workdir=True behaviour on POSIX and PowerShell, asserting that 'cd' inside one persistent-mode call does not leak into the next. A new test_shell_result.py module provides direct unit coverage for every conditional branch of ShellResult.format_for_model (stdout, truncated, stderr, timed_out, exit_code) so regressions in the LLM-facing format are caught immediately.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(tools): address PR #5664 review feedback
    
    - _tool.py: detect PowerShell via is_powershell() helper instead of basename string match
    
    - _environment.py: use public ContextProvider import (no private _ prefix)
    
    - _session.py: trim _stdout_buf/_stderr_buf after copying to avoid unbounded retention across calls
    
    - _docker.py: short-circuit start()/close() in stateless mode; add configurable shell kwarg (default bash, e.g. 'sh' for alpine)
    
    - tests: parenthesized multi-line assert; alpine integration tests now pass shell='sh'
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(tools): satisfy CI quality gates
    
    - pyupgrade: drop quoted self-class refs in __aenter__/method annotations
    
    - ruff format: reflow long lines per workspace style
    
    - pyright: assert psutil non-None in optional-import branch; lowercase mutable module globals; annotate _approval_mode as Literal so tool() Literal-typed kwarg is accepted; add ... body to ShellExecutor.run protocol; remove unused deprecated _kill_tree wrapper
    
    - tests: skip docker integration tests on win32 (Windows containers don't support --read-only / alpine images)
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Remove DEFAULT_DENYLIST; document single-session ownership; fix bandit findings
    
    Mirrors the .NET PR #5604 cleanup:
    
    - Remove DEFAULT_DENYLIST from ShellPolicy. ShellPolicy() now ships with an empty deny-list; operators opt into site-specific patterns explicitly. No major agent framework uses regex matching as a primary security control; AutoGen v2 removed theirs. Approval gating + sandbox tier remain the real boundaries.
    
    - Rewrite module / class docstrings to frame ShellPolicy as a UX pre-filter, not a security control.
    
    - Add Single-session ownership paragraphs to ShellExecutor, ShellSession, LocalShellTool, and DockerShellTool: a persistent-mode tool is owned by exactly one conversation / agent session; do not share across users or concurrent conversations.
    
    - Tests now supply explicit deny patterns instead of relying on a default.
    
    - Address Pre-commit Hooks (bandit) CI failures: convert internal-invariant asserts to explicit RuntimeError, annotate intentional subprocess/shell usage with # nosec, document container-internal /tmp paths.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address PR #5664 round-2 review feedback
    
    Deny-list documentation drift:
    
    - README and the OpenAI/local-shell sample no longer claim a built-in deny-list of destructive commands. ShellPolicy is described as an optional, operator-supplied UX pre-filter; the real boundaries remain approval gating and the sandbox tier.
    
    Behavioural fixes called out in review:
    
    - ShellPolicy.evaluate() now denies empty / whitespace-only commands explicitly instead of returning allow with no rationale.
    
    - truncate_head_tail() raises ValueError for cap <= 0 instead of silently returning the full input with truncated=False, which previously could defeat output-capping in callers that mis-configured the budget.
    
    - LocalShellTool.as_function() / DockerShellTool.as_function() return the ShellCommandError text directly so the model sees a single, non-redundant 'Command rejected by policy: …' message instead of the prior duplicated 'Command blocked by policy: Command rejected …' wrapping.
    
    - ShellSession POSIX sentinel trailer now snapshots and restores the prior errexit (set -e) state around the trailer, so a user 'set -e' in the persistent shell is no longer permanently disabled by the next run().
    
    Tests:
    
    - New test_shell_parse_rc.py covers the full _parse_rc() edge-case surface (zero, positive, negative, CRLF, no newline, missing prefix, empty input, non-digits, trailing garbage, partial digits).
    
    - test_policy.py asserts the new empty-command deny.
    
    - test_shell_truncate_and_quote.py asserts ValueError for cap=0 and cap<0.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address PR review feedback for shell tool
    
    - _resolve.py: reject empty/whitespace shell override string
    - _tool.py / _docker.py: mode-aware default tool description (persistent vs stateless)
    - _tool.py: fix misleading workdir docstring (re-anchor, not blocking)
    - _types.py: emit stream-agnostic [output truncated] marker
    - _policy.py: declare _denies/_allows as dataclass fields
    - _environment.py: use $(pwd) instead of $PWD in POSIX probe
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address PR review feedback: shell override flag + probe timeout safety
    
    - _resolve.py: in stateless mode, ensure shell overrides end with -c/-Command so commands aren't misinterpreted as script-file paths.
    - ShellExecutor.run / LocalShellTool.run / DockerShellTool.run now accept an optional 	imeout kwarg; ShellEnvironmentProvider drops the outer asyncio.wait_for and lets the executor enforce the probe timeout internally, so cancellation no longer risks leaving a hung subprocess or corrupted session.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address review feedback: docker isolation + lifecycle robustness
    
    - pyproject.toml: bump agent-framework-core minimum from 1.2.0 to 1.2.2 to align with the rest of the workspace.
    - _docker.py: validate extra_run_args at construction time and reject flags that would dismantle the isolation defaults (--privileged, --cap-add, --security-opt, --network/--net, -v/--volume/--mount, --device, --pid, --ipc, --userns, --user, --read-only, --tmpfs, --add-host, --gpus, --cgroupns, --device-cgroup-rule); also documented the warning on the docstring.
    - _docker._stop_container: retry docker rm -f once and log a warning/error when it does not succeed, so operators can audit leaked containers instead of getting a silent success.
    - _docker._run_stateless timeout path: fall back to docker rm -f when docker kill fails or times out (--rm only reaps on clean exit), and log instead of silently swallowing communicate() errors.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: alliscode <bentho@microsoft.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    Co-authored-by: alliscode <25218250+alliscode@users.noreply.github.com>
  • .NET: Surface x-ms-served-model header as ChatResponse.ModelId for Foundry agents (#5979)
    * .NET: Surface x-ms-served-model header as ChatResponse.ModelId for Foundry agents
    
    Mirrors Python PR #5910. Adds an internal SCM PipelinePolicy that reads the x-ms-served-model HTTP response header on Azure OpenAI Responses calls and writes it into an AsyncLocal box. A DelegatingChatClient sits between OpenTelemetry and the MEAI OpenAIResponsesChatClient and overwrites ChatResponse.ModelId with the served snapshot so OTel spans report the actual model rather than the deployment alias. Wired through all AsAIAgent paths in Microsoft.Agents.AI.Foundry.
    
    * .NET: Fix line endings and BOM on ResponsesAgentServedModelTests
    
    * .NET: Address Copilot review on Foundry served-model PR
    
    - Restore previous ServedModelScope in finally to avoid AsyncLocal leak into caller execution context.
    - Make served-model integration test assertion robust to deployment names that already match the snapshot pattern.
    - Broaden UnitTests csproj comment to cover all conditional removals (net8.0+ requirement).
    
    * .NET: Split ServedModelTests into per-SUT files with regions
    
    Split the combined ServedModelTests.cs into one test class per SUT:
    
    - ServedModelScopeTests.cs (AsyncLocal carrier)
    - ServedModelPolicyTests.cs (SCM pipeline policy)
    - ServedModelChatClientTests.cs (delegating client, with regions for Non-streaming / Streaming / End-to-end)
    
    Shared helpers and fake clients moved into ServedModelTestHelpers.cs.
    
    Csproj net8.0+ exclusion list updated accordingly.
    
    * .NET: Consolidate served-model logic into FoundryChatClient
    
    Move x-ms-served-model header capture from the standalone ServedModelChatClient
    decorator directly into FoundryChatClient, eliminating a separate wrapper that
    had to be applied at every Foundry entry point via WireServedModel().
    
    - Register ServedModelPolicy in FoundryChatClient constructors (alongside the
      existing AgentFrameworkUserAgentPolicy registration)
    - Add StrongBox push/read logic to FoundryChatClient.GetResponseAsync and
      GetStreamingResponseAsync
    - Delete ServedModelChatClient.cs and its unit tests
    - Remove WireServedModel() from FoundryAgent and AIProjectClientExtensions
    - Update ServedModelPolicy/Scope XML docs to reference FoundryChatClient
    - Simplify ServedModelTestHelpers to use FoundryChatClient directly
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Prevent duplicate system instructions in Python telemetry (#5981)
    * Initial plan
    
    * Fix duplicated system instructions in Python telemetry
    
    * Clarify telemetry message filtering
    
    * test: cover separate and in-history system messages
    
    * Clarify observability message logging split
    
    * Simplify observability logging serialization
    
    * Harden observability regression test
    
    * Reuse observability span message serialization
    
    * Clarify observability logging loops
    
    * Polish observability message serialization
    
    * Tighten observability zip checks
    
    * Refactor observability message capture loop
    
    * Fix telemetry logging for separate system instructions
    
    * Refine observability OTEL message typing
    
    * Restore prepended-instruction logging path in _capture_messages
    
    * Revert logging change in _capture_messages; keep chat-history-only logging
    
    ---------
    
    Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  • .NET: Add shell support to the HarnessAgent (#6005)
    * Add shell support to the HarnessAgent
    
    * Address PR comments
    
    * Address PR comments
  • Python: feat(a2a): use non-streaming transport and return_immediately for background ops (#5963)
    * feat(a2a): use non-streaming transport and return_immediately for background ops
    
    When stream=False, use a client configured with streaming=False so the
    SDK sends a single HTTP POST to message/send instead of opening an SSE
    connection via message/stream. This matches the A2A protocol's design:
    non-streaming calls use direct request/response, streaming calls use
    Server-Sent Events.
    
    Also sets return_immediately=background on SendMessageConfiguration so
    the server respects the caller's intent for background operations.
    
    Changes:
    - Create separate streaming and non-streaming internal clients (sharing
      the same httpx connection pool) to match protocol transport semantics
    - Select non-streaming client for run(stream=False) calls
    - Add SendMessageConfiguration with return_immediately=background
    - Fallback to streaming client when non-streaming unavailable (e.g. user
      provides their own client via constructor)
    - Add tests for client selection and return_immediately behavior
    
    Resolves microsoft/agent-framework#5936
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: address PR review feedback
    
    - Initialize last_request in MockA2AClient.__init__ for explicit state
    - Use 'is not None' instead of truthiness for _non_streaming_client check
    - Assert return_immediately propagates through non-streaming client path
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: only set configuration when background=True
    
    Only attach SendMessageConfiguration to the request when background=True,
    keeping requests minimal and preserving server-side defaults for normal
    (foreground) operations. This follows the framework pattern of only
    setting optional fields when they have meaningful values.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: only set return_immediately for non-streaming background ops
    
    Per the A2A spec, return_immediately only applies to message/send
    (non-streaming). It has no effect on streaming operations. Only set
    the configuration field when both background=True and stream=False.
    
    Adds test verifying streaming+background does not set return_immediately.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • .NET: Add additional openai specific error observers and move them to openai project (#6004)
    * Add additional openai specific error observers and move them to openai project
    
    * Address PR comments
  • .NET: Add background agents support to HarnessAgent (#5977)
    * Add background agents support to HarnessAgent
    
    * Add unit tests
    
    * Address PR comments
  • .NET: Promote FoundryChatClient to public, add file/vector-store helpers and ToPromptAgentAsync converter (#5940)
    * Consolidate Foundry chat client decorators into FoundryChatClient
    
    - Replace AzureAIProjectChatClient and AzureAIProjectResponsesChatClient with a single internal sealed FoundryChatClient that covers three modes (pure responses, server-side agent reference, hosted agent endpoint).
    - Rename AzureAIProjectChatClientExtensions to AIProjectClientExtensions to reflect that it extends AIProjectClient.
    - All four AsAIAgent extension overloads and both FoundryAgent constructors now construct FoundryChatClient internally so the microsoft.foundry telemetry tag is uniform across paths.
    - Introduce AgentFrameworkUserAgentPolicy that stamps agent-framework-dotnet/{version} on outbound requests, mirroring the Python agent-framework-python/{version} contract.
    - Delete the Foundry-local MeaiUserAgentPolicy duplicate; rely on MEAI 10.5.1 to stamp MEAI/{version} automatically.
    - HostedAgentUserAgentPolicy keeps the combined foundry-hosting/agent-framework-dotnet/{version} segment (Python parity) and upgrades the bare segment in place to avoid duplication.
    - Tests reorganized: FoundryChatClientTests, AIProjectClientExtensionsTests, AgentFrameworkUserAgentPolicyTests, MeaiAutoUserAgentVerificationTests, plus in-place upgrade unit tests in HostedOutboundUserAgentTests.
    
    * Promote FoundryChatClient to public; add file/vector-store helpers and ToPromptAgentAsync converter
    
    - Promote FoundryChatClient from internal sealed to public sealed for Python parity, so .NET developers can hold and pass a FoundryChatClient directly the way Python developers do.
    - Mode 3 (hosted agent endpoint) now materializes an AIProjectClient from the parsed project root, making GetService<AIProjectClient>() non-null across all three construction modes. This eliminates the per-mode asymmetry that previously hid project-level helpers from agents constructed via an agent endpoint URL.
    - Add four new instance methods on FoundryChatClient mirroring Python's spec: UploadFileAsync, DeleteFileAsync, CreateVectorStoreAsync (bundles upload + create + wait), DeleteVectorStoreAsync. Single overload each, path-only inputs to start; additional overloads can be added later without breaking callers. All are Experimental, consistent with the rest of the Foundry package.
    - Add ToPromptAgentAsync extension methods on ChatClientAgent and FoundryAgent for the agent-to-prompt-agent converter described in the Foundry spec. Mode 1 (responses API) synthesizes a DeclarativeAgentDefinition from the agent's ChatOptions; mode 2 (server-side agent reference, version, or record) returns the cached or freshly fetched Definition; mode 3 throws InvalidOperationException because no local definition exists to convert.
    - Strict AITool to ResponseTool mapping for mode 1: AIFunction becomes CreateFunctionTool with the function's JSON schema; AITool instances that wrap a ResponseTool unwrap via GetService(typeof(ResponseTool)); anything else throws InvalidOperationException naming the offending tool type. Matches the Python spec's unsupported-tools-raise-ValueError contract.
    - New unit tests: FoundryChatClientVectorStoreTests (22 tests covering all four helpers across the three FoundryChatClient construction modes plus validation and cancellation), FoundryPromptAgentConverterTests (16 tests covering both extension entry points across mode 1 synthesis, mode 2 cached and fetched paths, all failure modes, and a Python-parity guard asserting both extensions produce equivalent definitions for equivalent inputs), plus four new tests in FoundryChatClientTests for the mode 3 AIProjectClient materialization.
    
    * Stop building duplicate ProjectOpenAIClient in FoundryAgent agent-endpoint ctor
    
    After Plan #2's mode-3 AIProjectClient materialization, the inner FoundryChatClient already exposes a project-level AIProjectClient (via GetService) that internally provides the project-level ProjectOpenAIClient via GetProjectOpenAIClient(). FoundryAgent's agent-endpoint constructor was still independently constructing a second project-level ProjectOpenAIClient via the now-redundant CreateProjectLevelOpenAIClientFromAgentEndpoint helper — two handles to the same logical resource.
    
    Refactor: the agent-endpoint constructor now reads the inner FoundryChatClient's materialized AIProjectClient via base.GetService(typeof(AIProjectClient)) and derives the project-level ProjectOpenAIClient from it. The dead helper on both FoundryAgent (private static wrapper) and FoundryChatClient (the actual implementation) is removed. The user-supplied per-agent ClientPipelineOptions primitives (Transport, RetryPolicy, NetworkTimeout, UserAgentApplicationId) are propagated into the materialized AIProjectClientOptions so test-injected transports and explicit retry / timeout / user-agent settings reach the project-level pipeline — preserving the behavior the dead helper used to provide.
    
    Updated AgentEndpointConstructor_GetServiceAIProjectClient_ReturnsNull to its now-correct counterpart AgentEndpointConstructor_GetServiceAIProjectClient_ReturnsNonNull, since after Plan #2 the agent-endpoint ctor surfaces a non-null AIProjectClient (per user direction in Plan #2 Q2).
    
    * Strip duplicated AIProjectClient/ProjectOpenAIClient state from FoundryAgent
    
    Both _aiProjectClient and _projectOpenAIClient fields on FoundryAgent were redundant:
    
    - _aiProjectClient: FoundryAgent's GetService<AIProjectClient> override returned this field, but DelegatingAIAgent.GetService → ChatClientAgent.GetService → FoundryChatClient.GetService<AIProjectClient> already returns the same instance through the delegating chain. Field + override are pure duplication.
    
    - _projectOpenAIClient: only used by FoundryAgent's own GetService<ProjectOpenAIClient> override and by CreateConversationSessionAsync. Per user direction, ProjectOpenAIClient is no longer exposed via GetService on either FoundryChatClient or FoundryAgent — callers retrieve it from the AIProjectClient themselves (aiProjectClient.GetProjectOpenAIClient()) the same way the framework does internally. This eliminates the mode-3 asymmetry where the chat client's stored ProjectOpenAIClient was per-agent (URL /agents/{name}/endpoint/protocols/openai) while the agent's was project-level.
    
    Refactor:
    - Delete both fields on FoundryAgent and the GetService override.
    - Delete the ProjectOpenAIClient branch from FoundryChatClient.GetService.
    - CreateConversationSessionAsync now resolves AIProjectClient at call time via this.GetService<AIProjectClient>() and derives the conversations client from it.
    - Update FoundryChatClient tests that asserted on GetService<ProjectOpenAIClient> to assert Null (deliberate removal).
    - Update FoundryAgent tests AgentEndpointConstructor_GetServiceProjectOpenAIClient_ReturnsNonNull and ProjectEndpointConstructor_GetServiceProjectOpenAIClient_ReturnsNonNull to ...ReturnsNull, and rewrite AgentEndpointConstructor_PropagatesUserAgentApplicationId_ToProjectLevelClient to look up AIProjectClient instead.
    
    No production code (only tests) referenced GetService<ProjectOpenAIClient>, so this is a safe surface reduction. Net: 30 insertions, 61 deletions; FoundryAgent shrinks to a pure delegator with only the two convenience methods (CreateSessionAsync, CreateConversationSessionAsync) on top of the delegating chain.
    
    * Rename FoundryChatClient.HostedAgentName to AgentName and populate it for mode 2
    
    The previous name implied a mode 3 only property tied to the hosted-agent endpoint URL. Today only hosted endpoints surface this name, but conceptually an agent name exists for every server-side agent the client talks to. Renaming to AgentName makes the property general-purpose and ready for future modes where the same chat client may target other server-side agent shapes that are not necessarily 'hosted'.
    
    Mode 2 (server-side agent reference) now mirrors AgentReference.Name into AgentName so callers have a uniform handle regardless of construction mode:
    
    * Mode 1 (pure responses): AgentName is null. There is no agent.
    * Mode 2 (AgentReference): AgentName == AgentReference.Name.
    * Mode 3 (agent endpoint URL): AgentName is parsed from the URL segment as before.
    
    Converter discriminator update: FoundryPromptAgentConverter previously used 'HostedAgentName is not null' to detect mode 3 and reject it. Now that mode 2 also populates AgentName, the mode 3 guard moves to the end of the resolution chain and uses the unambiguous 'AgentName is set AND no AgentReference exists' test. The user-visible error message and behavior are preserved.
    
    Dead-state cleanup spotted during format verify:
    
    * IDE0052 surfaced that FoundryChatClient._projectOpenAIClient is never read since the prior refactor stopped exposing ProjectOpenAIClient via GetService and rewired CreateConversationSessionAsync to resolve the AIProjectClient through the delegating chain. The field is deleted and its three ctor assignments removed.
    * HostedAgentEndpointInner.PerAgentClient only existed to plumb the per-agent ProjectOpenAIClient into that now-deleted field, so the property and its ctor parameter are removed. The local 'perAgentClient' variable inside BuildHostedAgentEndpointInner is still needed to derive the inner IChatClient, but no longer escapes the helper.
    
    Tests:
    
    * Mode1_PureResponses_ReturnsNullForAgentSpecificServices now also asserts AgentName is null.
    * New Mode2_AgentReference_PopulatesAgentNameFromAgentReference asserts the mode 2 mirror.
    * Mode3_HostedAgentEndpoint_ParsesAgentNameFromUrl renamed assertion target HostedAgentName to AgentName.
    
    Verification: 335/335 net10.0, 273/273 net472 Foundry unit; 229/229 Foundry.Hosting unit; format-verify (WSL2 + Docker mcr.microsoft.com/dotnet/sdk:10.0) clean on Microsoft.Agents.AI.Foundry.
    
    * Adopt canonical mode names: Responses Agent, Prompt Agent, Agent Endpoint
    
    Three FoundryChatClient construction modes now have one canonical noun used everywhere.
    
    * Responses Agent (Mode 1): inline ChatClientAgent, project-level Responses API, no server-side def.
    * Prompt Agent (Mode 2): server-side ProjectsAgentDefinition invoked by AgentReference.
    * Agent Endpoint (Mode 3): per-agent URL /agents/{name}/endpoint/protocols/openai. Hosted-or-not.
    
    'Hosted' stays the kind of agent (Microsoft.Agents.AI.Foundry.Hosting). Not synonym of Mode 3.
    
    Rings:
    1. XML docs + error messages use canonical names. en-GB to en-US: centralises, synthesise.
    2. HostedAgentEndpointInner -> AgentEndpointInner, BuildHostedAgentEndpointInner -> BuildAgentEndpointInner.
    3. Tests: Mode1_PureResponses_* -> Mode1_ResponsesAgent_*, Mode2_AgentReference_* -> Mode2_PromptAgent_*, Mode3_HostedAgentEndpoint_* -> Mode3_AgentEndpoint_*.
    
    Pure rename. No behavior change. 335/335 net10 + 273/273 net472 unit, format clean.
    
    * Address PR #5940 design feedback (Q-A through Q-F)
    
    Q-A: poll vector store til status leaves InProgress before return. Exp backoff 250ms-2s. Honor cancel.
    Q-B: try/catch upload loop. Mid-fail = best-effort DeleteFileAsync on already-uploaded ids. Swallow cleanup errors.
    Q-C: pinned AgentReference.Version uses GetAgentVersionAsync. Empty/whitespace/'latest' = GetLatest path.
    Q-D: HostedAgentUserAgentPolicy detects existing combined 'foundry-hosting/...' segment. No double prefix.
    Q-E: mode-3 vector-store test uses fake transport. No DNS to example.com.
    Q-F: no shim. Class always [Experimental] (since 8015e00f5, before dotnet-1.0.0). No compat contract. Callers rename to AIProjectClientExtensions.
    
    Rebase onto origin/main reconciliation: aad20c2b3 added public AsAIAgent(this AIProjectClient, Uri agentEndpoint, ...) extension that calls an internal FoundryAgent(AIProjectClient, Uri, ...) ctor. Reintroduced that ctor + a new FoundryChatClient(AIProjectClient, Uri, ProjectOpenAIClientOptions?) overload that reuses the supplied AIProjectClient's pipeline (via GetProjectResponsesClientForAgentEndpoint) instead of stamping a fresh credential.
    
    Verified: 346/346 net10 + 284/284 net472 Foundry unit, 230/230 Foundry.Hosting unit, format clean.
    
    * Add FoundryAgent helper extensions: UploadFile/DeleteFile/CreateVectorStore/DeleteVectorStore
    
    4 thin forwarders on FoundryAgent that route to the inner FoundryChatClient's helpers via agent.GetService<FoundryChatClient>().X(). Live in existing FoundryAgentExtensions.cs alongside ToPromptAgentAsync.
    
    Throws InvalidOperationException when agent does not expose a FoundryChatClient via GetService (same pattern as ToPromptAgentAsync).
    
    Unit tests: FoundryAgentExtensionsTests covers all 4 forwarders + null-agent ArgumentNullException for each. 8 new tests, 354/354 net10 + 292/292 net472.
    
    Integration tests: parallel FoundryAgentExtensionsTests under Foundry.IntegrationTests mirrors the existing CreateAgent_CreatesAgentWithVectorStoresAsync shape (upload -> create vector store -> FileSearch tool answers question -> cleanup), but routes every helper call through the new FoundryAgent extensions. 4 new IT tests, all verified pass live against the real Foundry project (12-30s each). Skipped by default like the existing vector-store IT.
    
    * Address Sergey's PR review comments
    
    #1 (FoundryAgent.cs:139): drop unused aiProjectClient param from internal FoundryAgent(AIProjectClient, ChatClientAgent) ctor. Was discarded after null-check. Inner FoundryChatClient already surfaces AIProjectClient via GetService. 3 call sites in AIProjectClientExtensions updated.
    
    #2 (FoundryChatClient.cs:376): add pollingTimeout param to CreateVectorStoreAsync. Defaults to 5 min, configurable, Timeout.InfiniteTimeSpan disables. Throws TimeoutException with vector store id and elapsed seconds when bound exceeded. CancellationToken still wins. New unit test PollingTimeout_ThrowsTimeoutExceptionAsync. FoundryAgentExtensions forwarder updated to plumb the new param.
    
    Verified: 355/355 net10 + 293/293 net472 Foundry unit, 230/230 Foundry.Hosting unit, format clean.
  • Python: feat(foundry): add experimental hosted tool factories on FoundryChatClient (#5958)
    * feat(foundry): add experimental hosted tool factories on FoundryChatClient
    
    Adds eight new `@experimental` static factory methods on `FoundryChatClient`
    covering Foundry-hosted tools that previously had no helper:
    
    - get_azure_ai_search_tool
    - get_sharepoint_tool
    - get_fabric_tool
    - get_memory_search_tool
    - get_computer_use_tool
    - get_browser_automation_tool
    - get_bing_custom_search_tool
    - get_a2a_tool
    
    All factories are marked with the new `ExperimentalFeature.FOUNDRY_TOOLS` tag
    and resolve the underlying `azure-ai-projects` preview classes lazily through
    a `_require_sdk_class` helper so older SDK versions still import cleanly and
    fail with a clear `ImportError` only on use.
    
    Tests cover each factory's return type and field wiring, the experimental
    metadata, and the missing-SDK-class fallback.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * test(foundry): address review comments on tool-factory tests
    
    * Skip preview-tool tests gracefully (`_skip_if_sdk_class_missing`) when
      the installed `azure-ai-projects` does not expose the required preview
      class, matching the lazy-import guard in production code so the test
      suite stays green on older SDK installs.
    * Add `filterwarnings("ignore::FutureWarning")` to each new tool-factory
      test (and the parametrized metadata test) so they remain stable under
      strict warning configurations \u2014 the global dedup in
      `_feature_stage._WARNED_FEATURES` makes `pytest.warns` brittle across
      ordered runs.
    * Use `monkeypatch.setattr(..., None, raising=False)` instead of
      `delattr` in the missing-SDK-class test so it works for modules that
      implement PEP 562 `__getattr__`.
    * Split the long `get_bing_custom_search_tool` return into two lines for
      readability.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix(foundry): harden tool-factory kwargs against silent override
    
    * Reorder the dict-literal kwargs assembly in get_azure_ai_search_tool,
      get_memory_search_tool, and get_bing_custom_search_tool so explicit
      parameters always take precedence over **kwargs (matching the safe
      pattern already used in get_a2a_tool). This prevents a caller
      passing `project_connection_id`, `index_name`, `memory_store_name`,
      `scope`, or `instance_name` through `**kwargs` from silently
      overriding the explicit security-sensitive arguments.
    * Update the README experimental note to reflect once-per-feature-id
      dedup semantics of `_feature_stage._WARNED_FEATURES` rather than
      claiming a per-factory "first use" warning.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * feat(foundry): split FOUNDRY_TOOLS / FOUNDRY_PREVIEW_TOOLS, add bing-grounding
    
    - Add ExperimentalFeature.FOUNDRY_PREVIEW_TOOLS to distinguish wrappers around
      preview Foundry SDK tool classes (Sharepoint/Fabric/Memory/ComputerUse/
      BrowserAutomation/BingCustomSearch/A2A) from FOUNDRY_TOOLS, which is for
      GA-SDK wrappers that are simply new in agent-framework-foundry
      (AzureAISearch, BingGrounding).
    - Add get_bing_grounding_tool factory and a 'Choosing a web grounding tool'
      comparison block on get_web_search_tool / get_bing_grounding_tool /
      get_bing_custom_search_tool docstrings.
    - Drop the _require_sdk_class lazy resolver: every guarded class is available
      at azure-ai-projects>=2.1.0 (the package floor), so import them eagerly.
      Concrete return types replace 'Any'.
    - README: split the experimental factories into two tables, one per feature
      flag, with a note explaining the distinction.
    - Tests: split into FOUNDRY_TOOLS / FOUNDRY_PREVIEW_TOOLS factory cases;
      drop the obsolete missing-SDK-class ImportError test.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • ci: pin third-party GitHub Actions to commit SHAs (#5972)
    Replaces every floating tag in our workflow and composite action files
    with an immutable 40-character commit SHA, keeping the original `# vX`
    comment so Dependabot can still propose version bumps. 186 occurrences
    across 25 workflows and 2 composite actions.
    
    Also widens the github-actions Dependabot entry to use the plural
    `directories` key with `/.github/actions/*` so composite actions under
    `.github/actions/<name>/action.yml` are kept up to date. Previously
    Dependabot only scanned `.github/workflows` and the repo-root
    `action.yml`, leaving our `python-setup` and `sample-validation-setup`
    composite actions unmaintained.
  • Python: Show more authentication methods in Foundry Toolbox MCP (#5719)
    * Show more authentication methods in Foundry Toolbox MCP
    
    * Remove hardcoded toolbox version num
    
    * Add Foundry MCP OAuth consent handling
    
    * Use message instead of the dedicated item type
    
    * Go back to using OAuthConsentRequestOutputItem
    
    * WIP: sample testing
    
    * Update error code
    
    * Address review on Foundry Toolbox MCP samples
    
    Reviewed feedback addressed:
    
    - Drop the branch-pinned `git+https://...@feature/...` entries from
      `04_foundry_toolbox/requirements.txt`; restore the simple comment + `mcp`
      runtime dep. The git pins were only useful while iterating on the PR and
      shouldn't ship. (eavanvalkenburg)
    
    - Fix the `/toolsets/` typo in both `04_foundry_toolbox/README.md` and
      `06_files/README.md`. Verified empirically against the
      research_toolbox in the test workspace: the toolbox MCP gateway lives at
      `/toolboxes/{name}/mcp?api-version=v1` and requires the
      `Foundry-Features: Toolboxes=V1Preview` header. `/toolsets/{name}/mcp`
      returns 403 with `preview_feature_required: Toolsets=V1Preview` (a
      different opt-in feature).
    
    - Wrap `httpx.AsyncClient(...)` in `async with ... as http_client:` in both
      samples so the connection pool is cleaned up. (Copilot reviewer)
    
    - Make the `TOOLBOX_NAME` env var consistent in both samples. Previously the
      tool name silently fell back to `"toolbox"` when `TOOLBOX_NAME` was unset,
      but `resolve_toolbox_endpoint()` still required `TOOLBOX_NAME` and would
      raise `KeyError`. The samples now resolve the endpoint once and derive the
      tool name from the resolved URL when `TOOLBOX_NAME` isn't set, so the
      local tool name always matches the upstream toolbox identity regardless
      of which env var the user set. (Copilot reviewer)
    
    - Rename `_responses.is_consent_error` to `consent_url_from_error`: the
      helper returns `str | None` (the consent URL), not a bool, so the new
      name matches behavior. Update the test class accordingly. (eavanvalkenburg)
    
    - Tighten `_handle_inner_agent`'s lazy-entry catch from `Exception` to
      `AgentFrameworkException`, the type the MCP layer actually wraps consent
      errors in via `MCPStreamableHTTPTool.__aenter__` →
      `ToolExecutionException(inner_exception=mcp_error)`. Network failures,
      cancellations, and other non-framework exceptions now propagate normally
      instead of being briefly caught and re-raised. The test helper
      `_make_consent_error` is updated to use `ToolExecutionException` so it
      matches the real-world wrapping. (eavanvalkenburg)
    
    - Clarify the `github_pat` description in `agent.manifest.yaml` to note
      it's only needed when the PAT-based connection (`github-mcp-pat-conn`)
      is chosen; users selecting the OAuth2 connection (`github-mcp-oauth-conn`)
      can leave it empty. (Copilot reviewer)
    
    Validation: ran both samples end-to-end against a real Foundry toolbox
    (`research_toolbox`) -- the samples connect successfully and the agent
    lists the toolbox's MCP tools (`api_specs___fetch_azure_rest_api_docs`,
    etc.). `uv run poe test -P foundry_hosting` passes (119 tests), pyright +
    mypy clean.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs: fix broken Foundry samples link in 04_foundry_toolbox README
    
    The previous URL pointed to an old location of the toolbox supported-scenarios
    doc; the doc moved to /samples/python/hosted-agents/SUPPORTED_TOOLBOX_SCENARIOS.md
    and the old /samples/python/toolbox/azd path now 404s.
    
    Caught by the markdown-link-check CI step.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Eduard van Valkenburg <eavanvalkenburg@users.noreply.github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • [BREAKING] Python: Enable instrumentation by default (#5865)
    * Enable instrumentation by default
    
    * Update samples
    
    * Optimization when span is not recording
    
    * Address Copilot comments
    
    * Revert uv.lock
    
    * Add warning
    
    * Formatting
    
    * Fix mypy
    
    * Add disable_instrumentation() with sticky user-intent semantics
    
    Add a public disable_instrumentation() entry point so users can explicitly opt
    out of Agent Framework telemetry, with a sticky-disable flag that makes the
    user's intent "leading" — no framework code path (foundry's
    configure_azure_monitor, configure_otel_providers, enable_instrumentation,
    enable_sensitive_telemetry, or direct OBSERVABILITY_SETTINGS.enable_*
    writes) can re-enable instrumentation until the user explicitly clears the
    disable with enable_instrumentation(force=True) /
    enable_sensitive_telemetry(force=True).
    
    Also addresses the two remaining unresolved review threads on the PR:
    1. test_observability_settings_defaults_instrumentation_true pins the new
       "ENABLE_INSTRUMENTATION defaults to True when env unset" behavior.
    2. test_enable_instrumentation_reads_env_sensitive_data restores coverage
       for the post-import load_dotenv() fallback path.
    
    Implementation:
    - ObservabilitySettings.enable_instrumentation / enable_sensitive_data become
      properties backed by _enable_*. While _user_disabled is True, the getters
      return False and the setters drop True writes (defense in depth so third-
      party writes can't subvert the disable).
    - Public is_user_disabled read-only property lets integrations (e.g. foundry's
      configure_azure_monitor) cheaply check the disable state without poking at
      privates.
    - enable_instrumentation() and enable_sensitive_telemetry() short-circuit with
      an info log when disabled; gain a force=True kwarg that clears the disable.
    - configure_otel_providers() still creates providers / exporters / views so a
      later force-enable can use them, but logs an info message when called while
      disabled.
    - Foundry's FoundryChatClient.configure_azure_monitor and
      FoundryAgent.configure_azure_monitor early-return when the user has
      disabled, so Azure Monitor's global providers aren't installed unnecessarily.
    
    Tests: 11 new tests covering default-on, env re-read at call time, sticky
    behavior against each re-enable surface (enable_instrumentation,
    enable_sensitive_telemetry, configure_otel_providers, direct attribute
    writes), force=True override, re-arming the disable, and the __all__ export.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs: document disable_instrumentation() and force=True paths
    
    Add a "Disabling instrumentation" section to the observability sample README
    that walks through:
    
    - The distinction between the ENABLE_INSTRUMENTATION env var (initial,
      non-sticky) and disable_instrumentation() (process-wide, sticky).
    - Why the sticky semantics matter: framework integrations like
      FoundryChatClient.configure_azure_monitor() can call
      enable_instrumentation() as part of their setup, and the user's opt-out
      needs to win.
    - All five surfaces guarded by the sticky disable (property reads, public
      enable functions, configure_otel_providers, direct attribute writes,
      is_user_disabled-aware integrations).
    - The force=True escape hatch on both enable_instrumentation() and
      enable_sensitive_telemetry().
    - How third-party integrations should consult OBSERVABILITY_SETTINGS.is_user_disabled.
    - The limits of the disable (does not tear down existing providers /
      in-flight spans / third-party instrumentation, does not persist across
      processes).
    
    Cross-links the new section from the ENABLE_INSTRUMENTATION row in the env
    vars table.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs: soften disable_instrumentation() overclaim about telemetry guarantees
    
    Replace 'no telemetry will be emitted no matter what' (which is too strong,
    since callers can still pass force=True or mutate private attributes) with
    language framing the disable as a user-intent contract that library and
    framework code is expected to honor: the framework actively short-circuits
    the public enable paths, force=True and private-attribute writes are
    acknowledged as out-of-contract escape hatches that integrations should
    not use on the user's behalf.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs: correct observability Dependencies section
    
    - opentelemetry-sdk is no longer a hard dependency; it is lazily imported by
      create_resource(), create_metric_views(), and configure_otel_providers()
      with a clear ImportError when missing. Day-to-day instrumentation works
      with opentelemetry-api alone provided some other component configures the
      global OpenTelemetry providers (Azure Monitor, an APM agent, application
      bootstrap, etc.).
    - opentelemetry-semantic-conventions-ai is no longer used anywhere in the
      source; remove it from the listed dependencies.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * docs: replace stale observability migration guide with current PR's only relevant migration
    
    The old guide documented the move away from setup_observability(otlp_endpoint=...)
    which was an earlier-release API change unrelated to this PR and stale enough that
    it's more confusing than helpful at this point. Replace it with a short note on the
    single migration this PR introduces: callers of
    enable_instrumentation(enable_sensitive_data=True) should switch to
    enable_sensitive_telemetry(). Cross-link to the Disabling instrumentation section
    for the rare 'force on without enabling sensitive data' use case where
    enable_instrumentation() still applies.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Eduard van Valkenburg <eavanvalkenburg@users.noreply.github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Skip MCP prompt loading when unsupported (#5370)
    * Python: Skip MCP prompt loading when unsupported
    
    * Fix MCP pagination pyright checks
    
    * Simplify MCP support flag checks
  • .NET: Add A2AAgentOptions and align A2AAgent constructors with ChatClientAgent pattern (#5954)
    * .NET: Add A2AAgentOptions and align A2AAgent constructors with ChatClientAgent pattern
    
    Adds a new A2AAgentOptions class (Id, Name, Description, Clone) and an options-based constructor on A2AAgent, mirroring ChatClientAgent/ChatClientAgentOptions. The existing parameter-based constructor is preserved for backward compatibility and now delegates to the options-based one.
    
    Extension methods are extended with options-based overloads:
    
    - A2AClientExtensions.AsAIAgent(IA2AClient, A2AAgentOptions, ...)
    
    - A2AAgentCardExtensions.AsAIAgent(AgentCard, A2AAgentOptions, ...)
    
    - A2ACardResolverExtensions.GetAIAgentAsync(A2ACardResolver, A2AAgentOptions, ...)
    
    For card-based creation, user-supplied options override values from the agent card; Name and Description fall back to card values when not set.
    
    Options are cloned when stored on the agent to prevent post-construction mutation, matching the ChatClientAgent pattern.
    
    Resolves #5870.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address PR review comments
    
    - Add Throw.IfNull(client) in A2AClientExtensions.AsAIAgent
    
    - Add Throw.IfNull(card) in A2AAgentCardExtensions.AsAIAgent
    
    - Clarify httpClient docs in A2ACardResolverExtensions.GetAIAgentAsync: it applies to the created A2A client, not to card discovery
    
    - Rename test methods from GetAIAgent_* to AsAIAgent_* to match the API under test
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: feat: add agent-framework-monty (Monty-backed CodeAct provider) (#5915)
    * Python: feat: add agent-framework-monty (Monty-backed CodeAct)
    
    New alpha package that wraps pydantic-monty (a Rust-based Python
    interpreter) behind the same CodeAct API surface as
    agent-framework-hyperlight, so users can swap providers with minimal
    code change.
    
    Public API (agent_framework_monty):
    - MontyCodeActProvider — ContextProvider that injects a run-scoped
      execute_code tool plus dynamic CodeAct instructions.
    - MontyExecuteCodeTool — standalone FunctionTool for mixed-tool agents
      or manual static wiring.
    - FileMount / FileMountInput / MountMode — public types mirroring the
      Hyperlight names, with Monty's mode (read-only/read-write/overlay)
      and write_bytes_limit on FileMount.
    
    Constructor kwargs (both classes) mirror Hyperlight where possible:
    tools, approval_mode, workspace_root, file_mounts; plus a Monty-only
    resource_limits forwarding ResourceLimits to Monty.start().
    
    Filesystem flow:
    - workspace_root auto-mounts at /input (read-write), matching Hyperlight.
    - file_mounts accepts string shorthand, (host, mount) tuple, or
      FileMount with mode + write cap.
    - Files written under read-write mounts are scanned post-execution and
      returned as Content.from_data items (mirrors Hyperlight /output).
    - overlay mounts buffer writes in-memory; read-only mounts reject writes.
    
    Internals:
    - _monty_bridge.InlineCodeBridge ports the inline (non-durable) bridge
      from anthonychu/maf-codeact-monty-python; handles FunctionSnapshot /
      FutureSnapshot pause/resume, dispatches direct typed calls + the
      call_tool fallback, forwards mount/limits to Monty.start(...).
    - generate_type_stubs emits per-tool stubs so Monty's `ty` type-checker
      rejects bad calls before any host tool runs.
    
    Alpha-policy compliance (per python-package-management skill):
    - Added agent-framework-monty = { workspace = true } to root
      pyproject.toml.
    - Added row to python/PACKAGE_STATUS.md.
    - Added monty entry under Experimental in python/AGENTS.md.
    - NOT added to core[all]; NO agent_framework.monty lazy shim (deferred
      to beta promotion).
    
    Samples (three sets, import from agent_framework_monty directly):
    - samples/02-agents/context_providers/code_act/monty_code_act.py
      (provider pattern) + updated local README.
    - samples/02-agents/tools/monty_code_interpreter/ (standalone +
      manual-wiring + README).
    - samples/04-hosting/foundry-hosted-agents/responses/11_monty_codeact/
      (full hosted-agent layout with uv-based pyproject.toml + Dockerfile,
      Azure Monitor wiring via APPLICATIONINSIGHTS_CONNECTION_STRING +
      enable_instrumentation, ENABLE_INSTRUMENTATION and
      ENABLE_SENSITIVE_DATA env vars). The alpha wheel is vendored into
      ./wheels/ (gitignored) via vendor-wheel.sh; new row added to the
      parent Responses-API README.
    
    Tests:
    - 28 hermetic unit tests (stubbed pydantic_monty).
    - 18 integration tests marked @pytest.mark.integration, auto-skipped
      when pydantic_monty is unimportable; exercise the real Monty
      runtime: print round-trip, last-expression value, direct typed
      tool dispatch, call_tool fallback, async tool, asyncio.gather
      parallelism, ty type-check rejection, OS blocked by default,
      workspace_root read+write capture, read-only / overlay mount
      semantics, resource_limits.max_duration_secs abort, approval
      gating end-to-end, full Agent run with a scripted chat client.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: fix: monty FileMount test compares against the normalized POSIX path
    
    The shorthand string mount goes through _normalize_mount_path, which
    rewrites Windows drive letters like 'C:\\Users\\...' into
    '/C:/Users/...' (POSIX-style). The Windows CI runners surfaced this
    because tmp_path resolves to a backslashed Windows path; the test was
    comparing against the raw str(host_a) instead of the normalized form.
    
    Compare against _normalize_mount_path(str(host_a)) so the assertion is
    platform-independent.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: fix: address PR #5915 review feedback
    
    - _execute_code_tool docstring: clarify that the Monty backend supports
      scoped filesystem access via workspace_root / file_mounts (blocked by
      default).
    - _to_monty_mount: import pydantic_monty lazily through load_monty so
      missing-dependency errors surface as the same actionable RuntimeError
      the rest of the package raises (not a bare ImportError at module load).
      Renamed _load_monty -> load_monty for the same reason.
    - _python_type_repr: emit None for type(None) instead of Any, and
      normalize both typing.Union[...] and PEP-604 X | Y to PEP-604 syntax
      so Optional[X] / Union[..., None] / -> None signatures round-trip
      correctly through ty validation. Added a regression test.
    - _PrintCollector: track a running character count instead of
      recomputing sum(len(c) for c in self.chunks) per callback. Eliminates
      the O(n^2) cost on print-heavy code.
    - Instructions: mention that the value of the final expression is also
      returned alongside captured stdout (matches actual behavior).
    - 11_monty_codeact Dockerfile: pin ghcr.io/astral-sh/uv to 0.11.6
      instead of :latest for reproducible builds.
    - 11_monty_codeact README: replace the bare "see parent README" pointer
      with sample-specific steps (./vendor-wheel.sh + uv sync + uv run),
      since the sample uses pyproject.toml + a vendored wheel rather than
      requirements.txt.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: sample: 11_monty_codeact installs agent-framework-monty from PyPI
    
    Drop the vendored-wheel scaffolding now that agent-framework-monty is on
    PyPI as an alpha (1.0.0a*) release:
    
    - pyproject.toml: remove [tool.uv.sources] override; keep [tool.uv]
      prerelease = "allow" so uv pulls the alpha automatically.
    - Dockerfile: drop the COPY wheels/ step.
    - README: drop the ./vendor-wheel.sh setup step and the
      not-yet-on-PyPI warning.
    - Delete vendor-wheel.sh and the gitignored wheels/ directory.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: fix(monty): harden post-execution file capture against symlink escape
    
    Same class of issue as the MSRC-reported Hyperlight finding: the
    post-execution capture walked workspace_root with Path.rglob() +
    is_file() + read_bytes() - all of which follow symlinks. An attacker
    who controls the workspace (cloned repo, extracted archive, shared
    workspace) could pre-place `workspace/leak.txt -> /etc/passwd` or
    `workspace/outside_dir -> /etc/` and have host files surface as
    captured Content items.
    
    Monty's mount layer already rejects symlink reads from inside the
    sandbox across all three modes (verified empirically), so the runtime
    path was safe. This commit closes the post-execution scan path.
    
    Changes:
    - New `_iter_real_files(root)` walker that uses iterdir() +
      is_symlink() to skip symlinks at every directory level and yields
      only real files. Replaces the previous `host_root.rglob("*")` calls
      in both `_snapshot_writable_mounts` and `_capture_written_files`.
    - Use `Path.lstat()` instead of `Path.stat()` so size/mtime can never
      be taken from a symlink target.
    - Three new integration tests reproducing the MSRC attack shape
      against the workspace_root flow: symlink-to-file outside workspace,
      symlink-to-directory outside workspace, and a guard ensuring
      legitimate sandbox writes are still captured when symlinks are
      present.
    
    Per user request, hyperlight is untouched in this commit (separate fix).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: fix(monty): skip symlink regression tests when unsupported
    
    Apply the same Windows-CI safety guard as the hyperlight fix in PR #5919:
    the three symlink integration tests create symlinks via Path.symlink_to(),
    which fails with OSError / NotImplementedError on unprivileged Windows
    runners. Add a local _symlinks_supported helper (mirroring the one in
    packages/core/tests/core/test_skills.py) and pytest.skip when symlinks
    aren't available, so the tests no longer fail for environment reasons.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: fix(monty): address PR #5915 follow-up review feedback
    
    - _invoke_tool: drop the inspect.iscoroutinefunction(...) branch and
      always `await self.tool_map[name](**kwargs)`. Every entry in
      tool_map is `partial(FunctionTool.invoke, skip_parsing=True)` and
      FunctionTool.invoke is `async def`, so the branching was dead code -
      and on Python versions affected by cpython#98590,
      iscoroutinefunction(partial(bound_async_method, ...)) returns False,
      causing the bridge to take the asyncio.to_thread path, return an
      unawaited coroutine, and surface it as a JSON-serialization failure
      for every tool call. Added a regression test
      test_invoke_tool_awaits_partial_wrapped_async_method.
    
    - generate_type_stubs: skip tools whose name is not a valid Python
      identifier or is a Python keyword. FunctionTool.name has no upstream
      validation, so a name like "weird-name" produced a syntax error in
      the stubs and a name like "broken\n    pass\nasync def injected"
      would inject arbitrary stub source. Non-identifier names stay
      reachable via `call_tool("weird-name", ...)` at runtime; they just
      don't get type-checked stubs. Added regression test
      test_generate_type_stubs_skips_non_identifier_tool_names.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Bump Python package versions for a release (#5964)
    * Bump Python package versions to 1.5.0 for a release
    
    * Promote orchestrations to 1.0.0rc1
    
    * ci(python-setup): merge dynamic exclude into existing workspace exclude
    
    The python-setup action injected exclude = [...] verbatim into
    [tool.uv.workspace], producing a duplicate 'exclude' key when the
    section already had a static exclude. Scope the rewrite to the
    [tool.uv.workspace] section and append the package to the existing
    array when present; idempotent if the package is already excluded.
    
    * Address Copilot review feedback: raise inter-package floors to 1.5.0
    
    - foundry, foundry-local: agent-framework-openai >=1.4.0 -> >=1.5.0
    - azure-contentunderstanding: agent-framework-foundry >=1.4.0 -> >=1.5.0
    - azurefunctions: pin agent-framework-durabletask to >=1.0.0b260519,<2
    
    Keeps lockstep cohort consistent and avoids mixed 1.4.x / 1.5.0 installs.
    
    * Re-include azurefunctions and durabletask in the uv workspace
    
    The pinned durabletask>=1.4.0 floor is enough to make resolution succeed;
    the workspace exclude was over-correction and broke CI samples and pyright
    type-checking (re-exports in agent_framework/azure/__init__.pyi plus
    samples/04-hosting/{azure_functions,durabletask}/ could not resolve their
    imports). Dropping them from agent-framework-core[all] still stands so the
    metapackage does not pull them.
    
    * Restore azurefunctions and durabletask in agent-framework-core[all]
    
    The durabletask floor pin keeps users on the safe 1.4.0, so they are once
    again included in the metapackage. Update CHANGELOG to reflect the pin
    rather than an [all] removal.
    
    * Raise uvicorn ceiling in ag-ui and devui to allow 0.42+
    
    The root override-dependencies pins uvicorn[standard]>=0.34.0 (no upper)
    and the workspace lock resolves to 0.47.0. The package ceiling <0.42.0
    meant the workspace was no longer testing the declared supported range.
    Bump to <1 so the lock fits within the declared bounds.
    
    Also picked up by validate-dependency-bounds: refresh stale orchestrations
    RC pin in devui dev deps.
  • ci(python-setup): drop -U upgrade flag from uv sync (#5961)
    The shared composite action ran `uv sync --all-packages --all-extras
    --dev -U` on every job, which upgrades every dependency to the latest
    compatible version instead of using the pinned versions in `uv.lock`.
    
    That is currently producing a hard resolver failure on every CI job:
    
        No solution found when resolving dependencies for split
        (markers: python_full_version >= '3.11' and sys_platform == 'darwin')
        Because there are no versions of durabletask and
        agent-framework-durabletask depends on durabletask>=1.3.0,<2,
        we can conclude that agent-framework-durabletask's requirements
        are unsatisfiable.
    
    Dropping `-U` makes the install use the workspace lockfile, which is
    what is reproducible locally and what we publish releases against.
    Upgrades should be opt-in (via a scheduled job or a separate workflow)
    rather than implicit on every CI run.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • .NET: Reduce re-rendering in harness console (#5953)
    * Reduce re-rendering in harness console
    
    * Address PR comments
    
    * Fix broken merge
  • .NET: Harness code act skill sample (#5930)
    * Add sample that shows code execution and skills together
    
    * Use nuget for python module path
    
    * Update readme.
    
    * Fix formatting.
    
    * Reduce flashing in rendering.
    
    * Improve screen clearing for Powershell
    
    * Add a couple of small UX fixes
  • Remove duplicate pop in InMemoryCacheProvider.remove (#5795)
    The second self._cache.pop(key, None) call is a guaranteed no-op: the first pop has already removed the key (or returned None), and there is no await between the two statements that could allow another coroutine to re-add it. Removing the dead line clarifies intent without changing behavior.
  • Python: fix: hyperlight skips symlinks when staging sandbox input (#5919)
    * Python: fix(hyperlight): skip symlinks when staging files into the sandbox
    
    The helpers that populate the sandbox input tree (``_copy_path`` and the
    ``_path_tree_signature`` walker used for cache invalidation) relied on
    ``Path.is_file()``, ``Path.is_dir()`` and ``shutil.copy2`` - all of which
    follow symlinks by default. When the source tree contains symlinks, that
    let entries from outside the configured input source surface inside the
    sandbox.
    
    Harden both code paths to never follow symlinks:
    
    - ``_copy_path`` now bails out via ``Path.is_symlink()`` before any
      ``is_dir()`` / ``is_file()`` check, skips non-regular files, and uses
      ``shutil.copy2(..., follow_symlinks=False)`` as defense in depth.
    - New ``_iter_real_entries`` walker replaces the previous ``Path.rglob``
      call inside ``_path_tree_signature`` (rglob follows directory symlinks).
    - ``_path_tree_signature`` switches to ``Path.lstat()`` so size/mtime are
      never read through a symlink target.
    
    Added regression tests covering:
    
    - A pre-placed file symlink in ``workspace_root`` (top level).
    - A pre-placed directory symlink in ``workspace_root``.
    - A nested file symlink inside a real subdirectory.
    - ``_path_tree_signature`` ignoring symlinks so the cache key reflects only
      what is actually staged.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: fix(hyperlight): address PR #5919 review feedback
    
    - _iter_real_entries now yields directories and regular files only,
      skipping non-regular entries (sockets/FIFOs/devices). Keeps the
      cache-key signature consistent with what _copy_path actually stages.
    - The four new symlink regression tests skip when the platform does not
      support symlink creation (e.g. unprivileged Windows runners), via a
      local _symlinks_supported helper modelled on the one in
      packages/core/tests/core/test_skills.py. Prevents OSError /
      NotImplementedError from failing CI jobs that have nothing to do with
      the change under test.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Python: fix(hyperlight): address PR #5919 follow-up review feedback
    
    - _copy_path docstring: narrow the scope to "symlink entries present in
      the source tree at rest" and explicitly call out that the copy is NOT
      atomic with respect to concurrent mutation of the source tree.
      Callers who need that stronger guarantee should snapshot their
      workspace before passing it in. Avoids overpromising on a TOCTOU
      window that pathlib cannot express; closing it properly would need
      fd-based traversal (O_NOFOLLOW | O_DIRECTORY + os.scandir(fd)) with
      a separate Windows story, which is out of scope for this targeted
      fix.
    
    - _path_tree_signature: drop the `if path.is_symlink(): return ()`
      short-circuit. Resolve a symlink root to its real target before
      walking instead. The public construction flow already resolves
      workspace_root / file_mounts[].host_path up front so this never
      affected user-facing code, but the short-circuit was misleading and
      would have produced an empty, stable signature for any direct
      caller that builds a _RunConfig without going through the public
      constructor. Defense in depth: even if a future call site forgets
      to resolve the root, the cache key still reflects real contents.
    
    - Added regression test
      test_path_tree_signature_walks_through_symlinked_root: a symlinked
      workspace root must produce a non-empty signature, AND the signature
      must change when the real target's contents change so the cache key
      actually invalidates.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Record actual served model from Azure OpenAI (#5910)
    * Record actual served model as response model for Azure OpenAI
    
    * Formatting
    
    * Fix tests
    
    * Fix pipeline error
    
    * Comments
    
    * Address review: surface served model via ChatResponse.model
    
    Apply blocking review feedback from PR #5910:
    
    - Use ChatResponse.model / ChatResponseUpdate.model as the source of truth
      for the Azure x-ms-served-model header value, instead of stashing it in
      additional_properties and overriding it again in observability.
      Observability already reads response.model; the chat client now overwrites
      it post-parse when the served-model header is present. Empirically the
      Azure Responses API returns the deployment alias in body.model and the
      actual snapshot (e.g. gpt-5-nano-2025-08-07) in this header.
    
    - Move the AZURE_OPENAI_SERVED_MODEL_HEADER constant out of observability.py
      and into RawOpenAIChatClient (as the SERVED_MODEL_HEADER ClassVar). The
      header is Azure-OpenAI-Responses-API-specific so observability does not
      need to know about it.
    
    - Revert the streaming text_format path to client.responses.stream(...) and
      drop the _pydantic_model_to_text_format_param helper. That helper imported
      from openai.lib._parsing._responses (a private SDK path) and the swap to
      responses.create(stream=True) dropped client-side output_parsed for
      structured-output streaming. The streaming-with-text_format path is the
      only one that does not surface the served-model header - documented inline.
    
    - Wrap the raw streaming responses in async with so the underlying socket
      closes deterministically (continuation_token retrieve + create paths).
    
    - Fix the empty-string / whitespace-only header at the source by stripping
      in _extract_served_model and returning None when nothing remains.
    
    - Revert unrelated formatting-only churn in _skills.py and test_mcp.py.
    
    - Update unit tests to assert against chat_response.model / update.model
      and add an aggregated streaming assertion plus a pin that the
      streaming-with-text_format path does not get the header.
    
    Verified end-to-end against Azure OpenAI Responses API: deployment alias
    gpt-5-nano now reports gpt-5-nano-2025-08-07 as ChatResponse.model in both
    the non-streaming and streaming paths.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: preserve streaming structured output finalization
    
    Agent-Logs-Url: https://github.com/microsoft/agent-framework/sessions/f62076ef-558d-49e8-8fe2-f38d527c9639
    
    Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
    
    * refactor: name streaming response finalizer
    
    Agent-Logs-Url: https://github.com/microsoft/agent-framework/sessions/f62076ef-558d-49e8-8fe2-f38d527c9639
    
    Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
    
    * fix: capture streaming response format after prepare
    
    Agent-Logs-Url: https://github.com/microsoft/agent-framework/sessions/f62076ef-558d-49e8-8fe2-f38d527c9639
    
    Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
    
    * refactor: clarify streaming response format capture
    
    Agent-Logs-Url: https://github.com/microsoft/agent-framework/sessions/f62076ef-558d-49e8-8fe2-f38d527c9639
    
    Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
    
    * test: use public API for streaming structured output
    
    Agent-Logs-Url: https://github.com/microsoft/agent-framework/sessions/f62076ef-558d-49e8-8fe2-f38d527c9639
    
    Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
    
    * Inline the served-model header override at its two call sites
    
    The `_apply_served_model_header` helper was a 1-line wrapper around
    `_extract_served_model`. Inlining the `if served_model is not None: ...`
    matches the pattern already used in the streaming paths and folds the
    explanatory docstring onto `_extract_served_model` (which is now the
    single place that knows about the header).
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    ---------
    
    Co-authored-by: Eduard van Valkenburg <eavanvalkenburg@users.noreply.github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
    Co-authored-by: eavanvalkenburg <13749212+eavanvalkenburg@users.noreply.github.com>
  • Python: Improve the handling of intermediate outputs for workflows and orchestrations (#5623)
    * Improve the handling of intermediate outputs for workflows and orchestrations
    
    * Address PR review feedback on intermediate output forwarding
    
    - Switch workflow.as_agent() forwarding to an explicit allowlist of {output,
      intermediate, data, request_info} so orchestration-internal events
      (group_chat, handoff_sent, magentic_orchestrator) stay inside the workflow
      instead of leaking into agent responses via str(data) coercion.
    - Stop raising on intermediate AgentResponseUpdate in non-streaming run();
      surface the partial as a Message with text_reasoning content. The defensive
      raise still applies to terminal output events, where Update payloads would
      corrupt message ordering.
    - Extend the DevUI workflow-event mapper so intermediate yields wrapping
      plain strings, Messages, and list[Message] render as visible output items
      instead of generic completed-trace events.
    - Add orchestration coverage for GroupChat, Handoff, and Magentic builders
      (default vs intermediate_outputs=True; structural where end-to-end is heavy).
    
    * Lift output-designation policy into a value type
    
    Replace the ``Workflow._output_executors`` list and the
    ``RunnerContext.should_label_as_intermediate`` Protocol method with a single
    immutable ``OutputDesignation`` value type owned by ``Workflow``. Thread the
    designation as a parameter through the existing call chain (Runner ->
    EdgeRunner -> Executor -> WorkflowContext) so ``yield_output`` consults the
    threaded snapshot directly rather than calling back into the runner context.
    
    Removes the ``InProcRunnerContext._workflow`` back-reference and the
    ``WorkflowBuilder.build()`` assignment that wired it up. Adds the public
    predicate ``Workflow.is_terminal_executor(executor_id)`` for external
    observers; ``OutputDesignation`` itself stays package-internal.
    
    Key decisions
    - ``OutputDesignation.designated`` is ``frozenset[str] | None`` -- ``None``
      preserves legacy "every yield is type='output'" behavior, any frozenset
      (including empty) opts into strict mode. The ``DeprecationWarning`` for
      legacy mode at build time is unchanged.
    - ``output_designation`` is an optional parameter on ``Runner``,
      ``EdgeRunner.send_message``, ``EdgeRunner._execute_on_target``,
      ``Executor.execute``, ``Executor._create_context_for_handler``, and
      ``WorkflowContext.__init__``. Each defaults to legacy ``OutputDesignation()``
      so direct callers (Azure Functions ``CapturingRunnerContext``,
      ``test_runner`` recording fixtures) keep working without ceremony.
    - The workflow-level filter in ``_run_core`` reads ``self._output_designation``
      live, preserving today's semantics where mutating the designation after
      build still affects subsequent runs (used by two existing tests).
    - ``Workflow.to_dict()`` continues to emit ``"output_executors":
      list[str] | None`` (sorted from the frozenset). Checkpoint format unchanged.
    
    Files changed
    - _workflow.py: add ``OutputDesignation`` dataclass; replace
      ``_output_executors`` with ``_output_designation``; add
      ``is_terminal_executor``; delete ``_should_yield_output_event``.
    - _runner_context.py: drop ``should_label_as_intermediate`` Protocol method
      and ``InProcRunnerContext`` impl; drop ``_workflow`` back-reference.
    - _workflow_builder.py: remove ``context._workflow = workflow`` assignment.
    - _runner.py, _edge_runner.py, _executor.py, _workflow_context.py: thread
      ``output_designation`` parameter through the call chain.
    - tests/workflow/test_output_designation.py (new): three-state coverage of
      the value type plus the public predicate delegation.
    - tests/workflow/test_workflow_builder.py, test_validation.py,
      test_workflow.py, test_runner.py and
      orchestrations/tests/test_orchestration_intermediate_vs_terminal.py:
      switch probes from ``_output_executors`` set checks to
      ``get_output_executors`` / ``is_terminal_executor``; update two
      post-build mutation tests to set ``_output_designation`` instead.
    
    Verification
    - core/tests/workflow/, orchestrations/tests/, azurefunctions/tests/:
      1119 passed, 42 skipped, 2 xfailed.
    - ``uv run poe lint``: clean.
    - ``uv run poe typing``: only the pre-existing
      ``_AGENT_FORWARDED_EVENT_TYPES`` pyright warning from 394bcd607 remains.
    
    Notes for next iteration
    - The builder's own ``_output_executors`` attribute (``list[Executor |
      SupportsAgentRun]``) is intentionally untouched; the issue scoped the
      rename to the workflow attribute.
    - Adjacent review candidates (twin ``WorkflowAgent`` translators,
      ``_AGENT_FORWARDED_EVENT_TYPES`` kind classifier,
      ``_event_origin_context`` ContextVar removal, ``WorkflowEvent`` ADT
      split, legacy-mode removal) remain out of scope.
    
    * Add explicit workflow output designation
    
    Key decisions
    
    - Extend the internal OutputDesignation value type from terminal-only membership to output/intermediate/hidden classification. Legacy mode remains outputs=None, so workflows built without output_executors or intermediate_executors still label every yield_output as type='output'.
    
    - WorkflowBuilder now accepts intermediate_executors. Providing either designation enters explicit mode; output executors emit output, intermediate executors emit intermediate, and unlisted yield_output payloads are hidden from caller-facing events while remaining in executor_completed data.
    
    - Empty explicit designation, duplicate entries, overlaps, unknown executors, and designated executors without workflow output annotations fail build validation. Existing orchestration builders pass intermediate-capable participants through intermediate_executors to preserve current intermediate_outputs behavior until participant-oriented designation lands.
    
    Files changed
    
    - packages/core/agent_framework/_workflows/_workflow.py, _workflow_builder.py, _workflow_context.py, _validation.py, _events.py
    
    - packages/core/tests/workflow/test_output_designation.py, test_output_executors_contract.py, test_strict_mode_event_labeling.py, test_validation.py, test_workflow.py, test_workflow_agent_intermediate.py
    
    - packages/orchestrations/agent_framework_orchestrations/_sequential.py, _concurrent.py, _group_chat.py, _magentic.py
    
    - packages/core/AGENTS.md
    
    Verification
    
    - uv run pytest packages/core/tests/workflow packages/orchestrations/tests packages/devui/tests/devui/test_mapper.py -q
    
    - uv run pytest packages/azurefunctions/tests -q
    
    - uv run poe lint
    
    - uv run poe typing fails only on pre-existing packages/core/agent_framework/_workflows/_agent.py _AGENT_FORWARDED_EVENT_TYPES private-use pyright error.
    
    Notes for next iteration
    
    - issues/03-core-workflow-explicit-designation.md was moved to issues/done but issues/ remains untracked and intentionally excluded from this commit.
    
    - Slice 4 should tighten workflow.as_agent() mapping for hidden emissions and streaming-only update payloads; Slice 5 should replace orchestration intermediate_outputs with participant-oriented designation.
    
    * Tighten workflow-as-agent output mapping
    
    Key decisions
    
    - Treat AgentResponseUpdate as a streaming-only payload across the workflow.as_agent() adapter, so non-streaming agent runs now reject both terminal output and intermediate workflow events carrying updates.
    - Keep streaming classification behavior explicit: terminal update payloads remain normal text content, while intermediate update payloads are rewritten to text_reasoning content.
    - Add explicit-mode coverage proving hidden yield_output emissions do not appear in non-streaming AgentResponse messages or streaming AgentResponseUpdate chunks.
    
    Files changed
    
    - packages/core/agent_framework/_workflows/_agent.py
    - packages/core/tests/workflow/test_workflow_agent_intermediate.py
    
    Verification
    
    - uv run pytest packages/core/tests/workflow/test_workflow_agent_intermediate.py -q
    - uv run pytest packages/core/tests/workflow/test_workflow_agent.py packages/core/tests/workflow/test_workflow_agent_intermediate.py -q
    - uv run pytest packages/core/tests/workflow packages/orchestrations/tests packages/devui/tests/devui/test_mapper.py -q
    - uv run poe lint
    - uv run poe typing fails only on the pre-existing packages/core/agent_framework/_workflows/_agent.py _AGENT_FORWARDED_EVENT_TYPES private-use pyright error.
    
    Blockers or notes for next iteration
    
    - issues/04-workflow-as-agent-output-mapping.md was moved to issues/done/ but issues/ remains untracked and intentionally excluded from this commit.
    - Slice 5 should replace orchestration intermediate_outputs with participant-oriented designation.
    
    * Add orchestration participant output designation
    
    Key decisions
    
    - Replace orchestration intermediate_outputs with participant-oriented output_participants and intermediate_participants across Sequential, Concurrent, GroupChat, Magentic, and Handoff builders.
    - Keep synthetic final executors terminal by default for Concurrent, GroupChat, and Magentic; keep Sequential's final participant terminal by default; keep Handoff participants terminal by default.
    - Centralize participant designation validation for empty explicit designation, duplicates, overlaps, and unknown participants, then map validated participants to workflow output/intermediate executors.
    
    Files changed
    
    - packages/orchestrations/agent_framework_orchestrations/_participant_designation.py
    - packages/orchestrations/agent_framework_orchestrations/_sequential.py
    - packages/orchestrations/agent_framework_orchestrations/_concurrent.py
    - packages/orchestrations/agent_framework_orchestrations/_group_chat.py
    - packages/orchestrations/agent_framework_orchestrations/_magentic.py
    - packages/orchestrations/agent_framework_orchestrations/_handoff.py
    - packages/orchestrations/tests/test_orchestration_intermediate_vs_terminal.py
    - packages/orchestrations/tests/test_magentic.py
    
    Blockers or notes for next iteration
    
    - issues/05-orchestration-participant-designation.md was moved to issues/done/ but issues/ remains untracked and intentionally excluded from this commit.
    - Slice 7 should migrate samples and docs away from intermediate_outputs to the new participant designation API.
    - uv run poe typing still fails only on the pre-existing packages/core/agent_framework/_workflows/_agent.py _AGENT_FORWARDED_EVENT_TYPES private-use pyright error.
    
    * Migrate samples to explicit output designation
    
    Key decisions
    
    - Replace sample usage of the removed orchestration intermediate_outputs boolean with participant-oriented intermediate_participants designation.
    - Update raw workflow guidance to show output_executors together with intermediate_executors, and document that unlisted yields are hidden in explicit designation mode.
    - Keep orchestration final outputs terminal while streaming designated participant responses as intermediate progress, including workflow.as_agent() samples where intermediates map to text_reasoning content.
    - Refresh workflow and orchestration README guidance plus the changelog reference so public docs no longer point users at intermediate_outputs.
    
    Files changed
    
    - CHANGELOG.md
    - packages/orchestrations/README.md
    - samples/README.md
    - samples/03-workflows/README.md
    - samples/03-workflows/control-flow/intermediate_vs_terminal_outputs.py
    - samples/03-workflows/orchestrations/README.md
    - samples/03-workflows/orchestrations/group_chat_agent_manager.py
    - samples/03-workflows/orchestrations/group_chat_philosophical_debate.py
    - samples/03-workflows/orchestrations/group_chat_simple_selector.py
    - samples/03-workflows/orchestrations/magentic.py
    - samples/03-workflows/orchestrations/magentic_human_plan_review.py
    - samples/03-workflows/orchestrations/sequential_chain_only_agent_responses.py
    - samples/03-workflows/agents/group_chat_workflow_as_agent.py
    - samples/03-workflows/agents/magentic_workflow_as_agent.py
    - samples/03-workflows/agents/sequential_workflow_as_agent.py
    - samples/semantic-kernel-migration/orchestrations/group_chat.py
    - samples/semantic-kernel-migration/orchestrations/magentic.py
    
    Blockers or notes for next iteration
    
    - issues/07-samples-and-docs-explicit-output-designation.md was moved to issues/done/ but issues/ remains untracked and intentionally excluded from this commit.
    - issues/06-devui-intermediate-event-rendering.md remains present and appears already satisfied by existing DevUI mapper/tests from the prior implementation slice.
    - PRD-explicit-workflow-output-designation.md remains untracked and intentionally excluded from this commit.
    
    * Render DevUI intermediate workflow outputs
    
    Key decisions
    
    - Preserve workflow output designation metadata on visible DevUI output messages and text deltas so intermediate/data emissions remain distinguishable from terminal output.
    - Render intermediate workflow message items in the execution timeline using executor metadata, while excluding them from the final workflow result aggregation.
    - Keep terminal output message rendering unchanged and retain legacy data events on the intermediate compatibility path.
    
    Files changed
    
    - packages/devui/agent_framework_devui/_mapper.py
    - packages/devui/frontend/src/components/features/workflow/execution-timeline.tsx
    - packages/devui/frontend/src/components/features/workflow/workflow-view.tsx
    - packages/devui/frontend/src/types/openai.ts
    - packages/devui/tests/devui/test_mapper.py
    
    Blockers or notes for next iteration
    
    - issues/06-devui-intermediate-event-rendering.md was moved to issues/done/ but issues/ remains untracked and intentionally excluded from this commit.
    - PRD-explicit-workflow-output-designation.md remains untracked and intentionally excluded from this commit.
    - uv run poe typing still fails only on the pre-existing packages/core/agent_framework/_workflows/_agent.py _AGENT_FORWARDED_EVENT_TYPES private-use pyright error.
    
    * Fix mypy
    
    * Clarify orchestration participant output config
    
    * Rename participant output kwargs for clarity
    
    output_participants -> final_output_from, intermediate_participants ->
    intermediate_output_from. The old names read like categories of
    participant; the new names make it clear the kwarg designates which
    participants' outputs surface as final vs. intermediate events.
    
    * Rename core workflow output kwargs with deprecation shim
    
    Adds final_output_from / intermediate_output_from as canonical kwargs on
    Workflow and WorkflowBuilder. Old output_executors / intermediate_executors
    kwargs continue to work but emit DeprecationWarning via a shared coalesce
    helper that also rejects supplying both. Wire-format keys in to_dict()
    stay as output_executors / intermediate_executors so checkpoint
    compatibility is preserved.
    
    Internal call sites in orchestrations and samples updated to the new
    names so users following sample code learn the canonical vocabulary;
    legacy callers still work with a one-shot warning.
    
    * Suppress pyright reportPrivateUsage on cross-module sentinel import
    
    * Update docstrings
    
    * Propagate sub-workflow intermediate outputs, fix handoff/sequential intermediate-only designation, and shore up tests, sample, and docstrings around the intermediate output contract.
    
    * Add canonical workflow output_from selection
    
    Key decisions:\n- Make output_from the canonical workflow-output allow-list and keep output_executors/final_output_from as deprecated compatibility aliases.\n- Treat empty output_from/intermediate_output_from lists as explicit selections and keep validation responsible for empty, duplicate, overlap, and unknown selections.\n- Remove the branch-only public intermediate_executors WorkflowBuilder kwarg while preserving legacy wire keys in to_dict().\n\nFiles changed:\n- packages/core/agent_framework/_workflows/_workflow.py\n- packages/core/agent_framework/_workflows/_workflow_builder.py\n- packages/core/agent_framework/_workflows/_workflow_context.py\n- packages/core/agent_framework/_workflows/_agent.py\n- packages/core/agent_framework/_workflows/_agent_executor.py\n- packages/core/tests/workflow/* output-selection coverage updates\n- packages/core/AGENTS.md\n- issues/done/001-canonical-list-based-output-selection.md\n\nBlockers/notes:\n- Orchestration builders still pass final_output_from internally; follow-up issue 004 should migrate them to output_from.\n- Legacy omitted-selection behavior and explicit all/all_other literals are left for issues 002 and 003.
    
    * Add explicit all workflow output selection
    
    Key decisions:
    - Treat output_from='all' as an explicit workflow-output selection sentinel and expand it at build time to executors with declared workflow output types.
    - Keep omitted output selections in legacy all-output mode with a deprecation warning that names output_from and intermediate_output_from and points to output_from='all'.
    - Reject intermediate_output_from='all' at construction because the all-output literal is output-only for this issue.
    
    Files changed:
    - packages/core/agent_framework/_workflows/_workflow_builder.py
    - packages/core/tests/workflow/test_output_executors_contract.py
    - issues/done/002-explicit-all-output-and-legacy-migration.md
    
    Blockers/notes:
    - all_other intermediate-output selection remains for issue 003.
    - Workflow-as-agent/orchestration parity remains for issue 004.
    
    * Add all-other intermediate output selection
    
    Key decisions:
    - Treat intermediate_output_from='all_other' as an explicit intermediate-output selection sentinel and expand it at build time after the workflow graph is complete.
    - Expand all_other to output-capable executors not selected by output_from; omitted or empty output_from selects no workflow outputs, while output_from='all' leaves an empty intermediate selection.
    - Keep output_from='all_other' invalid so all_other remains intermediate-output-only and runtime classification still receives concrete executor-id sets.
    
    Files changed:
    - packages/core/agent_framework/_workflows/_workflow_builder.py
    - packages/core/tests/workflow/test_output_executors_contract.py
    - issues/done/003-all-other-intermediate-output-selection.md
    
    Blockers/notes:
    - Workflow-as-agent and orchestration parity remains for issue 004.
    - Full documentation updates remain for issue 005.
    
    * Add orchestration output selection parity
    
    Key decisions:
    - Expose output_from on sequential, concurrent, group chat, handoff, and magentic builders while keeping final_output_from as a deprecated compatibility alias.
    - Resolve orchestration participant selections through the same explicit rules as workflows: output_from='all', intermediate_output_from='all_other', hidden unselected participant payloads, and overlap/duplicate/unknown/invalid-literal validation.
    - Continue preserving documented orchestration defaults by always designating each pattern's terminal internal executor where applicable.
    
    Files changed:
    - packages/orchestrations/agent_framework_orchestrations/_participant_output_config.py
    - packages/orchestrations/agent_framework_orchestrations/_sequential.py
    - packages/orchestrations/agent_framework_orchestrations/_concurrent.py
    - packages/orchestrations/agent_framework_orchestrations/_group_chat.py
    - packages/orchestrations/agent_framework_orchestrations/_handoff.py
    - packages/orchestrations/agent_framework_orchestrations/_magentic.py
    - packages/orchestrations/agent_framework_orchestrations/_orchestration_request_info.py
    - packages/orchestrations/tests/test_orchestration_intermediate_vs_terminal.py
    - issues/done/004-workflow-as-agent-and-orchestration-parity.md
    
    Blockers/notes:
    - Full documentation and sample migration wording remains for issue 005.
    - Existing tests that intentionally use final_output_from now emit the new deprecation warning.
    
    * Document workflow output selection contract
    
    Key decisions:
    - Use Workflow Output and Intermediate Output as the developer-facing terms for selected caller-facing emissions.
    - Document output_from and intermediate_output_from as the canonical API, with output_from as an allow-list and unselected payloads hidden unless explicitly selected as intermediate.
    - Add scenario and invalid-selection tables for workflow and orchestration docs, including legacy omission warnings, output_from='all', intermediate_output_from='all_other', list selections, invalid literals, overlap, duplicates, unknown selections, and empty explicit selections.
    - Migrate samples away from final_output_from and output_executors except where compatibility aliases are explicitly documented.
    
    Files changed:
    - packages/core/AGENTS.md
    - packages/orchestrations/README.md
    - packages/orchestrations/agent_framework_orchestrations/_handoff.py
    - packages/orchestrations/agent_framework_orchestrations/_sequential.py
    - samples/03-workflows/README.md
    - samples/03-workflows/control-flow/intermediate_vs_terminal_outputs.py
    - samples/03-workflows/human-in-the-loop/agents_with_approval_requests.py
    - samples/03-workflows/orchestrations/README.md
    - samples/04-hosting/foundry-hosted-agents/responses/05_workflows/main.py
    - scripts/sample_validation/create_dynamic_workflow_executor.py
    - issues/done/005-document-output-selection-contract.md
    
    Blockers/notes:
    - Direct full Ruff on scripts/sample_validation/create_dynamic_workflow_executor.py still reports pre-existing docstring/print/line-length issues outside this docs migration; syntax-focused checks for changed files pass.
    - No remaining AFK issue files are present under issues/.
    
    * Latest updates
    
    * Typing fixes
    
    * Cleanup
  • .NET: Delegate MCP ContentBlock to AIContent conversion to the MCP SDK (#5903)
    * Add sample for invoking Foundry Toolbox tools from declarative workflows
    
    * Addressed initial PR comments.
    
    * Delegate MCP ContentBlock to AIContent conversion to the MCP SDK
    
    * Addressed additional properties metadata in the conversion fallback.
  • .NET: Bump Azure.AI.Projects to 2.1.0-beta.2 and add agent-endpoint AsAIAgent path (#5899)
    * .NET: Bump Azure.AI.Projects to 2.1.0-beta.2 and add agent-endpoint AsAIAgent path
    
    Bumps Azure.AI.Projects to 2.1.0-beta.2 with the matching transitive pins (Azure.Core 1.55.0, System.ClientModel 1.11.0).
    
    Foundry agent endpoint plumbing:
    * FoundryAgent now routes the agent-endpoint constructor through the new GetProjectResponsesClientForAgentEndpoint helper.
    * Adds an internal FoundryAgent ctor that takes an existing AIProjectClient plus a parsed agent endpoint so the public extension does not need to construct a second project client.
    * Adds public AIProjectClient.AsAIAgent(Uri agentEndpoint, ...) extension. This is the path consumer samples are expected to use for hosted agents because version selection happens server-side.
    * Trims the dangling "If you want to construct a FoundryAgent against a project endpoint..." sentence from ParseAgentEndpoint.
    
    Unit tests:
    * Four new tests in AzureAIProjectChatClientExtensionsTests cover the AIProjectClient.AsAIAgent(Uri agentEndpoint, ...) overload. 263/263 pass.
    
    Consumer samples (Using-Samples):
    * SimpleAgent and SessionFilesClient now read AZURE_AI_PROJECT_ENDPOINT and AZURE_AI_AGENT_NAME (both required, throw on missing), derive the agent endpoint with new Uri($"{projectEndpoint}/agents/{agentName}/endpoint/protocols/openai"), then call aiProjectClient.AsAIAgent(agentEndpoint, ...).
    * SessionFilesClient README updated.
    
    Contributor samples (responses/*):
    * New HostedContributorRouteExtensions.MapDevTemporaryLocalAgentEndpoint() wildcard route extension so localhost contributor servers accept the per-agent OpenAI endpoint shape the production Hosted runtime exposes.
    * All 11 contributor Program.cs files call MapDevTemporaryLocalAgentEndpoint() with a contributor-only warning comment.
    * Hosted-Files and Hosted-AzureSearchRag were importing Hosted_Shared_Contributor_Setup but never calling AddDevTemporaryLocalContributorSetup(). Both now call it so HostedSessionIsolationKeyProvider resolves correctly in dev.
    * Hosted-AzureSearchRag, Hosted-Files, Hosted-MemoryAgent csprojs drop stale VersionOverride="2.1.0-beta.1" pins.
    * Hosted-AzureSearchRag and Hosted-Files csprojs add ProjectReference to Hosted_Shared_Contributor_Setup.
    * Hosted-Observability/.dockerignore removed the out/ exclusion that was blocking COPY out/ . in Dockerfile.contributor.
    
    Verified:
    * Full solution-scoped build of changed projects: green.
    * Scoped CI-parity dotnet format via WSL2 + Docker (mcr.microsoft.com/dotnet/sdk:10.0) over every changed csproj: clean.
    * Foundry unit tests: 263/263.
    * Contributor docker smoke for 8 hosted samples (publish + docker build + docker run + curl POST to the wildcard route): HTTP 200 / 500 with route matched.
    * End-to-end smoke against the real Azure Foundry project with a fresh bearer token: Hosted-Files contributor container served HTTP 200, the agent invoked ListBundledFiles, and returned the expected file name.
    
    * Address PR review: forward pipeline settings; add UTs
    
    - CreateProjectClientOptions also carries RetryPolicy, NetworkTimeout, ClientLoggingOptions, MessageLoggingPolicy (was Transport+UserAgentApplicationId only).
    
    - Make CreateProjectClientOptions internal so tests can verify the copy directly.
    
    - Add AsAIAgent(Uri) UTs covering tools forwarding to inner ChatOptions and null tools handling.
    
    - Add CreateProjectClientOptions UTs covering null caller and full pipeline-settings copy.
  • .NET: Add ability to export/import sessions in harness console (#5920)
    * Add ability to export/import sessions in harness console
    
    * Address PR comments
  • .NET: Add otel file logging and switch samples to projects client with store=true (#5924)
    * Add otel file logging and switch samples to projects client with store=true
    
    * Fix formatting and remove rogue file
  • .NET: Require TODO finish reason and rename SubAgents to BackgroundAgents (#5902)
    * Require TODO finish reason and rename SubAgents to BackgroundAgents
    
    * Address PR comments