Files
Roger Barreto 9faf52de4f .NET: Hosted-Files sample + AgentSessionFiles SDK companion + integration test (#5698)
* .NET: Add Hosted-Files sample + alpha AgentSessionFiles SDK companion + integration test

Closes #5691

- Hosted-Files server sample (mirrors python 06_files): 3 local tools reading
  the per-session \C:\Users\rbarreto sandbox volume.
- SessionFilesClient REPL companion: code-first equivalent of
  zd ai agent files upload using the alpha
  Azure.AI.Projects.AgentSessionFiles SDK (upload/ls/download/rm + session
  lifecycle with isolation key).
- session-files scenario added to the Foundry.Hosting.IntegrationTests
  multi-scenario harness (PR #5598): SessionFilesHostedAgentFixture +
  SessionFilesHostedAgentTests.UploadAndAgentReadsFileAsync, end-to-end
  validating upload then agent-reads-file (agent_session_id pinned via
  CreateResponseOptions.Patch). Bundled testdata is linked from the sample
  so there is a single source of truth.

* .NET: Hosted-Files: REPL companion now demonstrates file-as-knowledge end-to-end

Adds an 'ask <prompt>' command to SessionFilesClient that pins
agent_session_id (via CreateResponseOptions.Patch) so the agent invoked from
the REPL reads files this REPL just uploaded. Surfaces the file content as
agent knowledge in the same in-process loop instead of telling the user to
shell out to azd ai agent invoke.

* .NET: Reshape Hosted-Files sample - bake files into image, SessionFilesClient becomes thin chat REPL

The previous SessionFilesClient leaned on the alpha AgentSessionFiles SDK
to upload files at runtime, which made it diverge from the canonical
Using-Samples shape (SimpleAgent / SimpleInvocationsAgent: tiny chat REPLs).

This change:

- Bakes the sample resources/ directory into the published output via a
  Content Include in HostedFiles.csproj. Inside the container the files live
  at /app/resources/. Two local function tools (ListFiles, ReadFile) surface
  them to the model.
- Reshapes SessionFilesClient as a thin FoundryAgent chat REPL, identical
  shape to SimpleAgent. AGENT_ENDPOINT + AGENT_NAME, that is it.
- Demo flow: user asks 'Give me the total revenue in the contoso file' and
  the agent answers with the figure read from its bundled file. Validated
  end-to-end locally against Hosted-Files on http://localhost:60419.
- Bypasses SampleEnvironment alias on optional env vars to avoid stdin
  prompts when running unattended.

The Foundry.Hosting.IntegrationTests session-files scenario continues to
validate the alpha AgentSessionFiles SDK end-to-end (upload + agent reads
from session HOME) and is unchanged.

* .NET: Foundry.Hosting.IntegrationTests TestContainer - constrain session-files tools to $HOME

Addresses the path-traversal review comment on the session-files scenario:
ResolveSessionPath in TestContainer used to allow absolute paths and ..
traversals, which (when chained with indirect prompt injection in an
uploaded file) would let the model read or list arbitrary container files
via the ReadFile / ListFiles tools.

Mirrors the canonicalize + StartsWith(home) pattern from the framework's
own FileSystemAgentFileStore.ResolveSafePath: rejects rooted paths, calls
Path.GetFullPath, and verifies the result stays under $HOME, throwing
ArgumentException otherwise.

The Hosted-Files sample is already safe (uses Path.GetFileName which strips
any directory component) so no change there. The integration test continues
to upload and read 'contoso_q1_2026_report.txt', a single relative filename
which passes the new validation unchanged.

* .NET: SessionFilesHostedAgentTests - shrink to alpha SDK round-trip

The previous test attempted to pin agent_session_id into the /responses
payload via JsonPatch so the agent would read the file uploaded through
AgentSessionFiles. The Foundry alpha service now consistently rejects the
explicit-session-id pin with HTTP 400 conflict on /responses, regardless
of whether the session was pre-created via AgentAdministrationClient or
left to be auto-provisioned, so the agent leg of the test is no longer
reachable from the SDK surface.

Reshape the test to exercise what the alpha SDK actually guarantees:
create session, upload, list (assert presence + size), download (assert
deterministic token), delete (assert removed), cleanup. Everything stays
inside Azure.AI.Projects.Agents.AgentSessionFiles.

Verified live against tao-foundry-prj:
  UploadListDownloadAndDeleteAsync passed in 30s.
  Full Foundry.Hosting.IntegrationTests run: 25 total, 6 passed, 19
  skipped (existing placeholders), 0 failed.

* .NET: SessionFilesHostedAgentTests - rewrite as upload-then-FoundryAgent.RunAsync e2e

Per review feedback the integration test must validate the hosted agent
itself: client uploads a file via the alpha AgentSessionFiles SDK, then
FoundryAgent.RunAsync invokes the deployed agent and the agent's
container-side ReadFile tool surfaces the uploaded file content into the
response.

Test flow:
  1. agent.RunAsync(warmup) - platform provisions a per-session container.
  2. AgentAdministrationClient.GetSessionsAsync(latest) - resolve the
     just-provisioned agent_session_id.
  3. AgentSessionFiles.UploadSessionFileAsync - upload contoso file to
     that session, asserts BytesWritten + GetSessionFiles listing.
  4. agent.RunAsync(real prompt, options=PreviousResponseId chain) -
     chained to warmup so the platform routes back to the same container.
  5. Assert response contains '1,482.6' (deterministic token from file).
  6. Best-effort cleanup.

The test is annotated with [Fact(Skip=...)] right now: the Foundry alpha
service consistently returns HTTP 400 conflict on /responses requests
that link to a prior session via previous_response_id, conversation_id,
or agent_session_id pinning - verified across multiple retries with
multiple chaining strategies. Without that link we cannot route the
second invocation to the same container the file was uploaded to. When
the platform regression is resolved, removing the Skip will exercise
the full flow.

Full Foundry.Hosting.IntegrationTests run with this change: 25 total,
5 passed, 20 skipped (existing placeholders + this one), 0 failed.

* .NET: SessionFilesHostedAgentTests - end-to-end upload-then-FoundryAgent.RunAsync now passes

The blocker was a routing problem combined with a platform race:

1. Routing two /responses calls to the same per-session container.
   - agent_session_id pin in body -> 400 (platform treats it as create)
   - conversation_id created at project root -> 404 at agent endpoint
   - previous_response_id chain -> different session
   The working answer is to create the conversation on a per-agent
   ProjectOpenAIClient (AgentName option, URL becomes
   /agents/{name}/endpoint/protocols/openai/conversations) and pass that
   conversation_id on both calls. Both then resolve to the SAME
   x-agent-session-id (verified by capturing the response header).

2. Race after AgentSessionFiles upload. The upload mutates session/
   conversation revision; a /responses call issued immediately after
   400-conflicts with 'modified concurrently. Please retry.' Bounded
   exponential retry handles it (5 attempts, 2*attempt seconds).

Test flow:
  1. Create per-agent OpenAI client + ProjectConversationsClient + ProjectResponsesClient.
  2. CreateProjectConversationAsync on the per-agent client.
  3. Warm-up agent.RunAsync(prompt, ChatOptions { ConversationId = ... })
     - captures x-agent-session-id from the response header via a custom pipeline policy.
  4. AgentSessionFiles.UploadSessionFileAsync to that session id.
  5. ProjectResponsesClient.CreateResponseAsync (raw, retry-on-conflict)
     with the same conversation_id -> routes back to the same container.
  6. Assert response contains '1,482.6' (deterministic token from file).
  7. Cleanup: delete file, leave session for TTL.

Verified live against tao-foundry-prj:
  UploadedFile_IsReadByHostedAgentAsync passed in 24.9s.
  Full Foundry.Hosting.IntegrationTests run: 25 total, 6 passed, 19
  skipped (existing placeholders), 0 failed.

* .NET: address Copilot PR review findings

- agent.manifest.yaml: description + tags now reflect bundled-files agent (image-baked /app/resources), not the obsolete session-sandbox tools the prior shape claimed.
- SessionFilesHostedAgentTests: wrap test body in try/finally to call DeleteConversationAsync on the conversation we created (matches HappyPathHostedAgentTests pattern; prevents conversation leakage across runs).
- ResponseHeaderCapturePolicy: drop unused LastRequestBody capture left over from diagnosis.

Test still passes live (40s).

* .NET: Hosted-Files: split into bundled vs session-file tool pairs

The previous Hosted-Files agent only exposed bundled (image-baked) file
knowledge. The platform also surfaces session-uploaded files at \C:\Users\rbarreto
inside the per-session container per container-image-spec.md line 172
(verified live by SessionFilesHostedAgentTests). The sample now teaches
both patterns.

Two distinct tool pairs, each scoped to its own root:

  Bundled (image-baked):    ListBundledFiles, ReadBundledFile
                            -> /app/resources/ (BUNDLED_FILES_DIR override)

  Session-uploaded (\C:\Users\rbarreto): ListSessionFiles, ReadSessionFile
                            -> \C:\Users\rbarreto (default /home/session per container spec)

Security model -- distinct tools, distinct sandboxes:
  - Tool input is a fileName, not a path. Schema-level: model cannot
    request directories or traversals.
  - Path.GetFileName(input) strips any directory components.
  - Path.GetFullPath + StartsWith(root) check rejects anything outside
    the tool's root, mirroring FileSystemAgentFileStore.ResolveSafePath.
  - Read-only, non-recursive listing. No glob, no '..'.
  - Failures non-revealing: 'File <name> not found in <scope>.'

The two roots are physically isolated (image-baked vs platform-mounted
per-session volume). A bundled-root tool can never reach a session file
and vice-versa, even if the implementation has a bug.

README updated to document both flows, the security pattern, and cite
the container-image-spec.md line 172 contract for \C:\Users\rbarreto. Live IT
SessionFilesHostedAgentTests.UploadedFile_IsReadByHostedAgentAsync
re-passed in 42s after the change (TestContainer is unchanged; the
sample-agent split does not affect the IT).

* .NET: Hosted-Files README - fix broken relative link to IT (4..5 dots)
2026-05-11 11:56:58 +00:00

6.6 KiB

Hosted-Files

A hosted agent that demonstrates two distinct file knowledge sources through scoped, security-hardened tools:

  • Bundled files (image-baked) — files the author packages with the agent at build time. Live at /app/resources/ inside the container, copied from this project's resources/ folder via the csproj <Content Include="resources\**\*" CopyToOutputDirectory="PreserveNewest" /> rule.
  • Session files (per-session $HOME volume) — files the user uploads at runtime via the alpha Azure.AI.Projects.AgentSessionFiles SDK. Live at $HOME inside the per-session container. The Foundry platform sets HOME=/home/session by default and roots the session-files API there per container-image-spec.md line 172: "If you use the session files API, $HOME is also the base path for those operations; any paths given in those API endpoints will be relative to $HOME."

Tool surface

Each source is exposed via its own tool pair, rooted at its own directory. The model picks by intent.

Tool Source Root
ListBundledFiles Bundled (image-baked) /app/resources/
ReadBundledFile Bundled (image-baked) /app/resources/
ListSessionFiles Session-uploaded $HOME (/home/session)
ReadSessionFile Session-uploaded $HOME (/home/session)

Security model — distinct tools, distinct sandboxes

Each tool takes a fileName (no directory components allowed) and enforces three layers of defence inside the implementation:

  1. Path.GetFileName(input) strips any directory parts from the model-supplied name. "../../etc/passwd" becomes "passwd".
  2. Path.GetFullPath(Combine(root, name)) canonicalises the path.
  3. fullPath.StartsWith(root + DirectorySeparatorChar) rejects anything that resolves outside the tool's root.

Failures return a controlled "File '<input>' not found in <scope>." rather than throwing or exposing the canonical path.

This is why the agent has four narrowly-scoped tools instead of a single ReadFile(path):

  • Smaller per-tool attack surface. Each tool has one purpose, one root, and no path-typed parameter. Even a buggy implementation can only leak its own directory.
  • Cross-boundary access is impossible by schema. A prompt-injection attempt to make the bundled tool read a session path (or vice versa) does not even compile in the tool schema the model sees.
  • Read-only, non-recursive listing. No write tools, no glob, no ...

Companion

Using-Samples/SessionFilesClient — a thin chat REPL (same shape as SimpleAgent) that points at the deployed Hosted-Files endpoint via FoundryAgent and lets you ask questions whose answers come from either file source.

Live proof of the session-files contract

The end-to-end alpha-SDK round trip (client uploads via AgentSessionFiles.UploadSessionFileAsync → file arrives at $HOME/<name> inside the per-session container → agent's ReadSessionFile tool reads it → response quotes the verbatim contents) is exercised live by SessionFilesHostedAgentTests.UploadedFile_IsReadByHostedAgentAsync against the matching session-files scenario in the integration test container.

Prerequisites

  • .NET 10 SDK
  • An Azure AI Foundry project with a deployed model (e.g., gpt-4o)
  • Azure CLI logged in (az login)

Configuration

Copy the template and fill in your project endpoint:

cp .env.example .env

Edit .env:

AZURE_AI_PROJECT_ENDPOINT=https://<your-account>.services.ai.azure.com/api/projects/<your-project>
ASPNETCORE_URLS=http://+:8088
ASPNETCORE_ENVIRONMENT=Development
AZURE_AI_MODEL_DEPLOYMENT_NAME=gpt-4o

.env is gitignored. The .env.example template is checked in as a reference.

Running directly (contributors)

cd dotnet/samples/04-hosting/FoundryHostedAgents/responses/Hosted-Files
AGENT_NAME=hosted-files dotnet run

The agent starts on http://localhost:8088.

Try it from the SessionFilesClient REPL

Bundled files (works against any deployment, including local)

cd ../Using-Samples/SessionFilesClient
$env:AGENT_ENDPOINT = "http://localhost:8088"
$env:AGENT_NAME = "hosted-files"
dotnet run

You> What is the total revenue in the contoso file?
Agent> The contoso file reports total revenue of "$1,482.6M".

The agent calls ListBundledFiles, sees contoso_q1_2026_report.txt, calls ReadBundledFile("contoso_q1_2026_report.txt") (which resolves under /app/resources/), and quotes the figure verbatim.

Session files (against a deployed agent)

Upload a file to a specific session via azd ai agent files upload or via the alpha AgentSessionFiles SDK (see the integration test for the SDK call), then ask the agent about it. The agent's ReadSessionFile tool reads from $HOME and surfaces the content the same way.

Running with Docker

This project uses ProjectReference, so use Dockerfile.contributor which takes a pre-published output:

dotnet publish -c Debug -f net10.0 -r linux-musl-x64 --self-contained false -o out
docker build -f Dockerfile.contributor -t hosted-files .

export AZURE_BEARER_TOKEN=$(az account get-access-token --resource https://ai.azure.com --query accessToken -o tsv)
docker run --rm -p 8088:8088 \
  -e AGENT_NAME=hosted-files \
  -e AZURE_BEARER_TOKEN=$AZURE_BEARER_TOKEN \
  --env-file .env \
  hosted-files

The bundled resources/ folder is part of the published output and ships inside the image.

NuGet package users

If consuming the Agent Framework as a NuGet package, use the standard Dockerfile instead of Dockerfile.contributor and switch the ProjectReference entries in HostedFiles.csproj to PackageReference (commented section in the csproj).

Adding more bundled files

Drop additional text files into resources/. The csproj <Content Include="resources\**\*" CopyToOutputDirectory="PreserveNewest" /> rule picks them up on the next dotnet build / docker build.

Overrides

Env var Purpose Default
BUNDLED_FILES_DIR Override the bundled-files root the tools read from. <process base dir>/resources (/app/resources/ in container)
HOME The per-session sandbox volume root the session-files tools read from. Set by the Foundry platform; can be overridden for local testing. /home/session