feat(08-agents): 08-10b hosted Copilot SDK agent on the 1:N multi account (APIM-direct)#19
Merged
Conversation
… account Self-contained "B" variant of 08-10: the GitHub Copilot SDK container hosted on the shared aif-spoke-multi account, taking inference from the APIM core gateway. The container points DIRECTLY at the gateway (api-key auth, bare reasoning model gpt-5-mini) rather than through a Foundry project connection. Foundry's connection model-gateway (BYO model via an ApiManagement connection) is supported only for prompt agents, so a hosted agent's Responses call through a connection/deployment model string fails with DeploymentNotFound. A reasoning model is required because the Copilot CLI's Responses protocol carries encrypted reasoning content that gpt-4.1-mini rejects. - main.py: additive, env-driven APIM-direct provider branch (active only when APIM_BASE_URL + APIM_KEY are set); the standalone 08-10 path is unchanged. - infra: project + ACR on the existing shared account, no connection, no local model deployment, so the rg-foundry-multi deny-model-deployments policy holds. - self-contained: own src/ and data/, no dependency on 08-10. - tutorial notebook keeps redacted outputs, with rendered Markdown tables and chart. Adds repo notebook-output scrubbing tooling: scripts/scrub_notebooks.py and a .githooks/pre-commit hook that keeps the canonical demo suffix and resource names, maps subscription/tenant/principal UUIDs to the all-zeros placeholder, and redacts keys, UPNs, and session ids per the CONTRIBUTING.md notebook-output policy. Release 0.8.12.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
08-10b-hosted-copilot-sdk-agent-multi(release0.8.12): the self-contained "B" variant of08-10. The GitHub Copilot SDK container is hosted on the existing sharedaif-spoke-multi(1:N) account and takes its inference from the APIM core gateway.The key finding
The container points directly at the APIM gateway (provider
base_url = <apim>/openai, gateway subscription key in theapi-keyheader, bare reasoning modelgpt-5-mini) rather than through a Foundry project connection.ApiManagementconnection) is supported only for prompt agents. A hosted agent calling the Responses API through aconnection/deploymentmodel string forwards the qualified name upstream and fails withDeploymentNotFound.gpt-4.1-minirejects (Encrypted content is not supported).gpt-5-miniis deployed on the gateway backend (aif-core).What's in it
main.py: additive, env-driven APIM-direct provider branch (active only whenAPIM_BASE_URL+APIM_KEYare set). The standalone08-10path is unchanged.infra/main.bicep: project + ACR on the existing shared account. No connection, no local model deployment, so therg-foundry-multideny-model-deploymentspolicy is untouched. Agent RBAC is AcrPull + Foundry User only.src/anddata/, no dependency on08-10.Repo tooling (also added)
scripts/scrub_notebooks.py+.githooks/pre-commit: scrub Azure secrets/identifiers from notebook outputs on commit, following theCONTRIBUTING.mdnotebook-output policy (keep the canonical demo suffix and resource names; map subscription/tenant/principal UUIDs to the all-zeros placeholder; redact keys, UPNs, and session ids). Enable withgit config core.hooksPath .githooks.Tradeoff
The gateway subscription key is injected as a container env var. The
08-10b-00doc notes Key Vault and managed-identity-to-APIM as hardening paths.Notes
08-11) is intentionally held out of this release (no Claude quota in the target subscription to validate it end to end).