Commit Graph

13 Commits

  • Python: Restrict persisted checkpoint deserialization by default (#4941)
    * Harden Python checkpoint persistence defaults
    
    Add RestrictedUnpickler to _checkpoint_encoding.py that limits which
    types may be instantiated during pickle deserialization.  By default
    FileCheckpointStorage now uses the restricted unpickler, allowing only:
    
    - Built-in Python value types (primitives, datetime, uuid, decimal,
      collections, etc.)
    - All agent_framework.* internal types
    - Additional types specified via the new allowed_checkpoint_types
      parameter on FileCheckpointStorage
    
    This narrows the default type surface area for persisted checkpoints
    while keeping framework-owned scenarios working without extra
    configuration.  Developers can extend the allowed set by passing
    "module:qualname" strings to allowed_checkpoint_types.
    
    The decode_checkpoint_value function retains backward-compatible
    unrestricted behavior when called without the new allowed_types kwarg.
    
    Fixes #4894
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: resolve mypy no-any-return error in checkpoint encoding
    
    Add explicit type annotation for super().find_class() return value
    to satisfy mypy's no-any-return check.
    
    Fixes #4894
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Simplify find_class return in _RestrictedUnpickler (#4894)
    
    Remove unnecessary intermediate variable and apply # noqa: S301 # nosec
    directly on the super().find_class() call, matching the established
    pattern used on the pickle.loads() call in the same file.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address review feedback for #4894: Python: Harden Python checkpoint persistence defaults
    
    * Restore # noqa: S301 on line 102 of _checkpoint_encoding.py (#4894)
    
    The review feedback correctly identified that removing the # noqa: S301
    suppression from the find_class return statement would cause a ruff S301
    lint failure, since the project enables bandit ("S") rules. This
    restores consistency with lines 82 and 246 in the same file.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address review feedback for #4894: Python: Harden Python checkpoint persistence defaults
    
    * Address PR review comments on checkpoint encoding (#4894)
    
    - Move module docstring to proper position after __future__ import
    - Fix find_class return type annotation to type[Any]
    - Add missing # noqa: S301 pragma on find_class return
    - Improve error message to reference both allowed_types param and
      FileCheckpointStorage.allowed_checkpoint_types
    - Add -> None return annotation to FileCheckpointStorage.__init__
    - Replace tempfile.mktemp with TemporaryDirectory in test
    - Replace contextlib.suppress with pytest.raises for precise assertion
    - Remove unused contextlib import
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address PR #4941 review comments: fix docstring position and return type
    
    - Move module docstring before 'from __future__' import so it populates
      __doc__ (comment #4)
    - Change find_class return annotation from type[Any] to type to avoid
      misleading callers about non-type returns like copyreg._reconstructor
      (comment #2)
    
    Comments #1, #3, #5, #6, #7, #8 were already addressed in the current code.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address review feedback for #4894: review comment fixes
    
    * fix: use pickle.UnpicklingError in RestrictedUnpickler and improve docstring (#4894)
    
    - Change _RestrictedUnpickler.find_class to raise pickle.UnpicklingError
      instead of WorkflowCheckpointException, since it is pickle-level concern
      that gets wrapped by the caller in _base64_to_unpickle.
    - Remove now-unnecessary WorkflowCheckpointException re-raise in
      _base64_to_unpickle (pickle.UnpicklingError is caught by the generic
      except Exception handler and wrapped).
    - Expand decode_checkpoint_value docstring to show a concrete example of
      the module:qualname format with a user-defined class.
    - Add regression test verifying find_class raises pickle.UnpicklingError.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: address PR #4941 review comments for checkpoint encoding
    
    - Comment 1 (line 103): Already resolved in prior commit — _RestrictedUnpickler
      now raises pickle.UnpicklingError instead of WorkflowCheckpointException.
    
    - Comment 2 (line 140): Add concrete usage examples to decode_checkpoint_value
      docstring showing both direct allowed_types usage and FileCheckpointStorage
      allowed_checkpoint_types usage. Rename 'SafeState' to 'MyState' across all
      docstrings for consistency, making it clear this is a user-defined class name.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: replace deprecated 'builtin' repo with pre-commit-hooks in pre-commit config
    
    pre-commit 4.x no longer supports 'repo: builtin'. Merge those hooks into
    the existing pre-commit-hooks repo entry.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * style: apply pyupgrade formatting to docstring example
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: resolve pre-commit hook paths for monorepo git root
    
    The poe-check and bandit hooks referenced paths relative to python/
    but pre-commit runs hooks from the git root (monorepo root). Fix
    poe-check entry to cd into python/ first, and update bandit config
    path to python/pyproject.toml.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Fix pre-commit config paths for prek --cd python execution
    
    Revert bandit config path from 'python/pyproject.toml' to 'pyproject.toml'
    and poe-check entry from explicit 'cd python' wrapper to direct invocation,
    since prek --cd python already sets the working directory to python/.
    
    Also apply ruff formatting fixes to cosmos checkpoint storage files.
    
    Fixes #4894
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * fix: add builtins:getattr to checkpoint deserialization allowlist
    
    Pickle uses builtins:getattr to reconstruct enum members (e.g.,
    WorkflowMessage.type which is a MessageType enum). Without it in the
    allowlist, checkpoint roundtrip tests fail with
    WorkflowCheckpointException.
    
    Fixes #4894
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * Address review feedback for #4894: review comment fixes
    
    ---------
    
    Co-authored-by: Copilot <copilot@github.com>
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Simplify Python Poe tasks and unify package selectors (#4722)
    * updated automation tasks and commands, with alias for the time being
    
    * Restore aggregate test exclusions
    
    Preserve the legacy all-tests scope for test --all by excluding lab and devui from the default aggregate sweep, while still allowing explicit package selection. Also ignore hidden/generated test directories such as .mypy_cache during aggregate discovery.
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
    
    * updated versions in pre-commit
    
    ---------
    
    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  • Python: Fix prek runner duplication and add skills (#3791)
    * Python: fix prek runner running fmt/lint in all packages on core change
    
    When a core package file changed, run_tasks_in_changed_packages.py ran
    fmt, lint, and pyright in ALL 22 packages (66 tasks). Only type-checking
    tasks (pyright, mypy) need to propagate to all packages since type
    changes in core affect downstream packages. File-local tasks (fmt, lint)
    only need to run in packages with actual file changes.
    
    This reduces a core-only change from 66 tasks to 24 tasks (2 local +
    22 pyright).
    
    Also adds no-commit-to-branch builtin hook to protect the main branch
    from direct commits.
    
    * Python: add agent skills extracted from AGENTS.md and coding standards
    
    Add 5 skills to python/.github/skills/ following the Agent Skills format:
    - python-development: coding standards, type annotations, docstrings, logging
    - python-testing: test structure, fixtures, running tests, async mode
    - python-code-quality: linting, formatting, type checking, prek hooks, CI
    - python-package-management: monorepo structure, lazy loading, versioning
    - python-samples: sample structure, PEP 723, documentation guidelines
    
    * Python: deduplicate AGENTS.md and instructions with agent skills
    
    * updated skills
    
    * fixes from review
    
    * Python: increase timeout for web search integration test
  • Python: replace pre-commit with prek, add PEP 723 script deps, clean up dev dependencies (#3748)
    * python: replace pre-commit with prek, add PEP 723 script deps, clean up dev dependencies
    
    - Replace pre-commit with prek (Rust-native, faster pre-commit alternative)
    - Move supported hooks to repo: builtin for zero-clone speed
    - Add new builtin hooks: trailing-whitespace, check-merge-conflict, detect-private-key, check-added-large-files
    - Update all hook versions to latest (pre-commit-hooks v6, pyupgrade v3.21.2, bandit 1.9.3, uv-pre-commit 0.10.0)
    - Add PEP 723 inline script metadata to 34 samples with external deps
    - Remove autogen-agentchat/autogen-ext from dev deps (now declared per-sample)
    - Remove unused dev deps: pytest-env, tomli-w
    - Add agent-framework-core>=1.0.0b260130 lower bound to all 21 packages
    - Update CI workflow to use j178/prek-action
    - Update docs: DEV_SETUP.md, AGENTS.md, CODING_STANDARD.md, SAMPLE_GUIDELINES.md
    
    * updated lock
    
    * python: fix prek config paths for local execution and CI workflow
    
    Remove global 'files: ^python/' filter and strip python/ prefix from all path patterns in .pre-commit-config.yaml so prek finds files when run from the python/ directory. Update CI workflow to use --cd python instead of --config path. Include trailing whitespace fixes and dev dependency cleanup.
    
    * python: move helper scripts to scripts/ folder and exclude from checks
    
    * python: exclude AGENTS.md from prek markdown code lint
    
    * python: exclude AGENTS.md and azure_ai_search sample from markdown lint
    
    * fix m365 sample
    
    * python: ignore CPY rule for samples with PEP 723 headers
    
    * fix in dev_setup
    
    * python: replace aiofiles with regular open in samples
    
    * python: suppress reportUnusedImport in markdown code block checker
    
    * python: use samples pyright config for markdown code block checker
    
    Write a temp pyrightconfig.json matching pyrightconfig.samples.json rules (typeCheckingMode=off, only reportMissingImports and reportAttributeAccessIssue). Filter output to only fail on these rules since syntax-level errors (top-level await, undefined vars) are expected in README documentation snippets.
    
    * python: use markdown-code-lint with fixed globs instead of prek file list
    
    The prek-markdown-code-lint task received all changed files including non-README markdown and files with pre-existing broken imports. Replace with the standard markdown-code-lint task which uses the correct glob patterns (README.md, packages/**/README.md, samples/**/*.md).
    
    * python: exclude READMEs with pre-existing broken imports from markdown lint
    
    * python: fix broken README code snippets instead of excluding them
    
    - ag-ui: replace TextContent (removed) with content.type == 'text'
    - durabletask: fix import path to durabletask.worker.TaskHubGrpcWorker
    - orchestrations: use constructor params instead of .participants() method
    - observability: mark deprecated code blocks as plain text, filter
      reportMissingImports to agent_framework modules only
    - remove README excludes from markdown-code-lint task
    
    * add revision to gaia download
    
    * feat(python): parallelize checks across packages
    
    Run (package × task) cross-product in parallel using ThreadPoolExecutor
    and subprocesses. Key changes:
    
    - Add scripts/task_runner.py with shared parallel execution engine
    - Update run_tasks_in_packages_if_exists.py to accept multiple tasks
    - Update run_tasks_in_changed_packages.py with --files flag and parallel support
    - Add check-packages poe task (fmt+lint+pyright+mypy in parallel)
    - Add prek-markdown-code-lint and prek-samples-check with change detection
    - Split CI code quality workflow into parallel prek and mypy jobs
    - Update DEV_SETUP.md to document new parallel behavior
    
    Core package changes still trigger checks on all packages.
    
    * feat(ci): split code quality into 4 parallel jobs
    
    Split the single prek job into parallel jobs:
    - pre-commit-hooks: lightweight hooks (SKIP=poe-check)
    - package-checks: fmt/lint/pyright/mypy via check-packages
    - samples-markdown: samples-lint, samples-syntax, markdown-code-lint
    - mypy: change-detected mypy checks
    
    All 4 jobs run concurrently (×2 Python versions = 8 runners).
    
    * feat(ci): use only Python 3.10 for code quality checks
    
    * refactor(python): add future annotations and remove quoted types
    
    Add `from __future__ import annotations` to 93 package files that
    used quoted string annotations, then run pyupgrade --py310-plus to
    remove the now-unnecessary quotes.
    
    Fixes https://github.com/microsoft/agent-framework/issues/3578
  • Python: Add samples syntax checking with pyright (#3710)
    * Add samples syntax checking with pyright
    
    - Add pyrightconfig.samples.json with relaxed type checking but import validation
    - Add samples-syntax poe task to check samples for syntax and import errors
    - Add samples-syntax to check and pre-commit-check tasks
    - Fix 78 sample errors:
      - Update workflow builder imports to use agent_framework_orchestrations
      - Change content type isinstance checks to content.type comparisons
      - Use Content factory methods instead of removed content type classes
      - Fix TypedDict access patterns for Annotation
      - Fix various API mismatches (normalize_messages, ChatMessage.text, role)
    
    * fixed a bunch of samples and tweaks to pre-commit
    
    * updated lock
    
    * updated lock
    
    * fixes
    
    * added lint to samples
  • Python: pre-commit improvements (#2222)
    * pre-commit improvements
    
    * updated lock
    
    * fix for globbing
    
    * reuse logic for mypy
    
    * updated ci-mypy
  • Python: feat: Add ChatKit integration with a sample application (#1273)
    * feat: Add ChatKit integration with a new frontend application
    
    - Created a new frontend application using React and Vite for the ChatKit integration.
    - Added essential files including package.json, vite.config.ts, and Tailwind CSS configuration.
    - Implemented core components: App, Home, ChatKitPanel, ThemeToggle, and hooks for color scheme management.
    - Established SQLite-based store implementation for ChatKit data persistence in store.py.
    - Integrated theme toggling functionality for light and dark modes.
    - Set up ESLint and TypeScript configurations for better development experience.
    
    * git ignore
    
    * fix mypy
    
    * add mising file
    
    * minimal frontend for chatkit sample
    
    * update ignore files
    
    * version
    
    * set python version lowerbound on chatkit
    
    * update project settings for chatkit
    
    * update setup
    
    * update setup
    
    * update setup
    
    * update setup
    
    * weather widget
    
    * add select city widget sample
    
    * remove widget helper
    
    * update chatkit to include file attachments and cover more thread item types
    
    * update readme with mermaid diagram
    
    * update diagram
    
    * update instructions
    
    * update chatkit dependency
    
    * fix converter imports
    
    * move to demos/
    
    * move to demos/ -- rename references
    
    * support multiple session instead of using global variable in sample
    
    * support chunk streaming
    
    * fix tests
    
    * Update python/samples/demos/chatkit-integration/store.py
    
    Co-authored-by: Evan Mattson <35585003+moonbox3@users.noreply.github.com>
    
    * use local host
    
    ---------
    
    Co-authored-by: Evan Mattson <35585003+moonbox3@users.noreply.github.com>
  • Python: Introduce Agent Framework Lab with GAIA Benchmark and Lighting project for RL (#719)
    * prepare eval package
    
    * add gaia benchmark to eval package
    
    * update telemetry
    
    * renaming
    
    * organization
    
    * organize into namespace packages; rename to labs
    
    * update cookie cutter instruction
    
    * update gaia runner
    
    * use temp directory
    
    * Rename "labs" --> "lab"
    
    * update
    
    * update gaia sample
    
    * update status
    
    * Add lighting project
    
    * Add listing for lighting
  • Python: added ChatClientBase with function calling (#147)
    * added ChatClientBase with function calling
    
    * streaming update
    
    * fixed typing
    
    * test setup
    
    * small update
    
    * src setup
    
    * removed src, updated test naming
    
    * fixed test command
    
    * alolow args
    
    * updated test run
    
    * added unit test folder to azure
    
    * added init and unit test to azure
    
    * added other cross tests
    
    * restructured
    
    * reset test run
    
    * fix name
    
    * removed always
    
    * updated test
    
    * extend pytest.xml locations
    
    * run surface always
    
    * added decorators for FC and marked tests
    
    * fixed mypy settings and added tests
    
    * fix override import
    
    * removed import
  • Python: added poe setup and docs (#131)
    * added poe setup and docs
    
    * smaller bandit exclude
    
    * updated poe
    
    * updated naming
    
    * added something in samples
    
    * exclude docs from bandit
    
    * updated readme
    
    * removed ds_store
    
    * updated readme
  • feat: Model Client and associated Content Types (#53)
    * feat: ModelClient and content types
    
    * refactor: Pythonify ChatResponseFormat and ChatRole
    
    * feat: Add guardrail interfaces
    
    * refactor: Remove CancellationToken
    
    * feat: Solidify the Usage APIs
    
    * Adds well-known keys for additional_counts, and guidance for how to avoid collisions between providers
    * Implement sum-aggregation for usage
    
    * refactor: Move AITool out of model_client
    
    * refactor: Copy editing
    
    * fix: CI checks (pyupgrade, ruff, etc.)
    
    * ci: Fix pre-commit to use pyright in  uv venv
    
    The existing pyright precommit hook inside of python-pyright is no longer being maintained by the owner (see  https://github.com/RobertCraigie/pyright-python/issues/265)
    
    The fix is to define the hook ourselves, relying on `uv run` to drive it. In order for that to work right we need to use the "system" language to break out of the sandbox.
    
    * fix: Pyright error fixes
    
    * docs: Update models and types design docs
    
    * Python: Refinement of content types and model client  (#112)
    
    * refinement of structure and buildup
    with ports from semantigen
    
    * refined the data and uri contents
    
    * refined chat response and updates
    
    * moved things and added tests
    
    * moved out of src folder
    
    * fixed imports and tests
    
    * small tweaks
    
    * missing build system
    
    * upgrade
    
    * add mypy
    
    * fixed typing for types
    
    * fix tests
    
    * fixed tool
    
    * disable json checks on vscode
    
    * remove print
    
    ---------
    
    Co-authored-by: Eduard van Valkenburg <eavanvalkenburg@users.noreply.github.com>
    Co-authored-by: eavanvalkenburg <github@vanvalkenburg.eu>
  • Python: package setup with logger (#125)
    * package setup with logger
    
    * set config once
    
    * add unit test workflow
    
    * updated naming of workflows
    
    * add mypy check
    
    * renamed job
    
    * smaller name
    
    * ignore certain files for ruff
    
    * remove assignment
    
    * fix ruff config
    
    * removed pyright from pre-commit
    
    * fixed logging test
    
    * fix mypy setup
    
    * mypy fix
    
    * mypy
    
    * mypy
  • Add initial skeleton of package, including tooling setup and CI (#4)
    * Add initial skeleton of package, including tooling setup and CI
    
    * update workflow
    
    * update uv
    
    * add bandit