.NET: (Durable): bind MCP threadId to the current agent and guard cross-agent session dispatch#6531
Open
kshyju wants to merge 2 commits into
Open
.NET: (Durable): bind MCP threadId to the current agent and guard cross-agent session dispatch#6531kshyju wants to merge 2 commits into
kshyju wants to merge 2 commits into
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
Aligns the Durable Azure Functions MCP tool dispatch path with the HTTP trigger path so the caller-supplied threadId is always treated as an opaque session key under the currently-dispatching agent, and adds a proxy-level guard to prevent cross-agent session dispatch.
Changes:
RunMcpToolAsyncnow constructsnew AgentSessionId(agentName, threadId)instead of parsing the agent name from the caller input.DurableAIAgentProxy.RunCoreAsyncnow rejects sessions whoseSessionId.Namedoesn’t match the proxy’s agent name (case-insensitive).- Adds unit tests covering the proxy guard and the “constructor treats key as opaque” invariant.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| dotnet/src/Microsoft.Agents.AI.Hosting.AzureFunctions/BuiltInFunctions.cs | Binds MCP threadId to the current agent name rather than parsing the agent name from the caller-provided string. |
| dotnet/src/Microsoft.Agents.AI.DurableTask/DurableAIAgentProxy.cs | Adds a defense-in-depth check to prevent dispatching a session for agent X through agent Y’s proxy. |
| dotnet/tests/Microsoft.Agents.AI.DurableTask.UnitTests/DurableAIAgentProxyTests.cs | Adds unit tests validating mismatch rejection + case-insensitive match behavior. |
| dotnet/tests/Microsoft.Agents.AI.DurableTask.UnitTests/AgentSessionIdTests.cs | Pins that the 2-arg AgentSessionId constructor treats the key as opaque (does not reinterpret serialized IDs). |
- Rename three test methods to include Async suffix (IDE1006 fix) - Add CHANGELOG entries for DurableTask and Hosting.AzureFunctions Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation & Context
The Azure Functions MCP tool dispatch path for durable agents (
BuiltInFunctions.RunMcpToolAsync) handled the caller-suppliedthreadIdargument differently from the HTTP trigger path (BuiltInFunctions.RunAgentHttpAsync):thread_idunder the current agent name:new AgentSessionId(agentName, threadIdValue).AgentSessionId.Parse(threadId), which extracts both the agent name and the key from the input string.Because of that asymmetry, the agent that actually executed under the MCP tool was determined by parsing the caller's
threadIdrather than by the MCP tool the caller invoked. This PR aligns the MCP path with the HTTP path so a session is always scoped to its dispatching agent, and adds a defense-in-depth guard at the proxy layer so the same invariant is enforced regardless of how the session reaches the proxy.Description & Review Guide
What are the major changes?
Microsoft.Agents.AI.Hosting.AzureFunctions/BuiltInFunctions.cs:RunMcpToolAsyncnow constructsnew AgentSessionId(agentName, threadId)instead ofAgentSessionId.Parse(threadId). This mirrorsRunAgentHttpAsyncand treats the caller-suppliedthreadIdas a session key under the current MCP tool's agent.Microsoft.Agents.AI.DurableTask/DurableAIAgentProxy.cs:RunCoreAsyncvalidates thatsession.SessionId.Namematches the proxy'sName(case-insensitive) before dispatching to the durable client. ThrowsArgumentException(paramName: "session")on mismatch with a clear message naming both agents.tests/Microsoft.Agents.AI.DurableTask.UnitTests/DurableAIAgentProxyTests.cs: three tests covering the proxy guard (rejects mismatch, allows match, case-insensitive). Uses a small privateStubDurableAgentClient; no additionalInternalsVisibleToattributes are added to the production assembly.tests/Microsoft.Agents.AI.DurableTask.UnitTests/AgentSessionIdTests.cs: addsConstructorTreatsKeyAsOpaqueValuepinning the invariant the primary fix relies on:new AgentSessionId(name, key)keepsNamefrom the first argument even when the key looks like a serialized session id.What is the impact of these changes?
AgentSessionIdstring (e.g.@dafx-<name>@<key>) and passed it as the MCPthreadIdwill now have that entire string treated as the session key under the current agent. Ordinary opaque-string-in / opaque-string-out usage is unaffected.DurableAIAgentProxy.RunCoreAsync.What do you want reviewers to focus on?
Namediffers from the dispatching agent's name from being executed by the wrong agent.DurableAIAgentProxy.RunCoreAsync(names only, no key) to confirm it's appropriately scoped.DurableAIAgentProxy: I avoided Moq for the internalIDurableAgentClientinterface (which would have required addingInternalsVisibleTo("DynamicProxyGenAssembly2")to the production csproj) by using a small hand-written stub inside the test class. Happy to switch if there is a stronger preference.Related Issue
Fixes #
Contribution Checklist
breaking changelabel (or add "[BREAKING]" to the title prefix, before or after any language prefix) - a workflow keeps the label and title prefix in sync automatically.Validation
dotnet build: clean on net8.0 / net9.0 / net10.0.dotnet test tests/Microsoft.Agents.AI.DurableTask.UnitTests: 405 / 405 pass (401 baseline + 4 new) across net8.0 / net9.0 / net10.0.dotnet test tests/Microsoft.Agents.AI.Hosting.AzureFunctions.UnitTests: 42 / 42 pass across net8.0 / net9.0 / net10.0.