# Assembled Notebook â€” Secret & Key Flow Agents
_Generated 2025-11-08T02:13:14.994652Z_

> Synthesized from your **Secret & Key Flow** Mermaid diagram. Only runnable Python is produced.


In [None]:
# %% [SETUP]
!pip install -U semantic-kernel
!pip -q uninstall -y pydrive2

In [None]:
# %% [SETUP-ENV]
import os, getpass
os.environ.setdefault('AZURE_OPENAI_ENDPOINT', 'https://4th-openai-resource.openai.azure.com')
os.environ.setdefault('AZURE_OPENAI_DEPLOYMENT', 'gpt-35-turbo')
os.environ.setdefault('AZURE_OPENAI_API_VERSION', '2024-10-21')
if not os.getenv('AZURE_OPENAI_API_KEY'):
    os.environ['AZURE_OPENAI_API_KEY'] = getpass.getpass('Enter AZURE_OPENAI_API_KEY (hidden): ').strip()
print('Azure OpenAI env ready (key is session-only).')

In [None]:
# %% [KERNEL]
import os
from semantic_kernel import Kernel
from semantic_kernel.connectors.ai.open_ai import AzureChatCompletion

kernel = Kernel()

service = AzureChatCompletion(
    service_id='azure',
    api_key=os.getenv('AZURE_OPENAI_API_KEY'),
    deployment_name=os.getenv('AZURE_OPENAI_DEPLOYMENT'),
    endpoint=os.getenv('AZURE_OPENAI_ENDPOINT'),
)
kernel.add_service(service)
print('Kernel ready (Azure OpenAI)')

In [None]:
# %% [TOOLS]

def tool_secret_scanner_check(**kwargs):
    """Secret scanner to block commits of keys (CI)."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:secret_scanner_check " + str(safe_kwargs)

def tool_kv_reference_injection(**kwargs):
    """Inject Key Vault reference @Microsoft.KeyVault(...) into app settings."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:kv_reference_injection " + str(safe_kwargs)

def tool_managed_identity_assert(**kwargs):
    """Assert Managed Identity binding for workload (App/Functions)."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:managed_identity_assert " + str(safe_kwargs)

def tool_rbac_check_assign(**kwargs):
    """Ensure RBAC role: Key Vault Secrets User on MI."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:rbac_check_assign " + str(safe_kwargs)

def tool_kv_get_secret(**kwargs):
    """Retrieve secret value by name (simulated; never logs secret)."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:kv_get_secret " + str(safe_kwargs)

def tool_kv_rotate_version(**kwargs):
    """Rotate secret to new version and purge old versions (simulated)."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:kv_rotate_version " + str(safe_kwargs)

def tool_kv_access_log(**kwargs):
    """Emit Key Vault access audit record (no secrets)."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:kv_access_log " + str(safe_kwargs)

def tool_aad_token_preferred(**kwargs):
    """Use AAD token for service call instead of key (AOAI preferred)."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:aad_token_preferred " + str(safe_kwargs)

def tool_apim_outbound_policy(**kwargs):
    """APIM policy enforces outbound and blocks key exfil."""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:apim_outbound_policy " + str(safe_kwargs)

def tool_aoai_call_via_pe(**kwargs):
    """Call Azure OpenAI via Private Endpoint (simulated)"""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:aoai_call_via_pe " + str(safe_kwargs)

def tool_search_call_via_pe(**kwargs):
    """Call Azure AI Search via Private Endpoint (simulated)"""
    safe_kwargs = dict(kwargs)
    if 'secret_value' in safe_kwargs: safe_kwargs['secret_value'] = '***MASKED***'
    return "stub:search_call_via_pe " + str(safe_kwargs)


TOOLS = {

    'tool_secret_scanner_check': tool_secret_scanner_check,

    'tool_kv_reference_injection': tool_kv_reference_injection,

    'tool_managed_identity_assert': tool_managed_identity_assert,

    'tool_rbac_check_assign': tool_rbac_check_assign,

    'tool_kv_get_secret': tool_kv_get_secret,

    'tool_kv_rotate_version': tool_kv_rotate_version,

    'tool_kv_access_log': tool_kv_access_log,

    'tool_aad_token_preferred': tool_aad_token_preferred,

    'tool_apim_outbound_policy': tool_apim_outbound_policy,

    'tool_aoai_call_via_pe': tool_aoai_call_via_pe,

    'tool_search_call_via_pe': tool_search_call_via_pe,

}
print('Tools:', list(TOOLS.keys()))

In [None]:
# %% [AGENTS]

class Agent_devsec_ci:
"
        "    def __init__(self, kernel):
"
        "        self.kernel = kernel
"
        "        self.name = "DevSec CI"
"
        "        self.system_message = "Enforce secret scanning and Key Vault references in CI/CD."
"
        "        self.skills = ["tool_secret_scanner_check", "tool_kv_reference_injection", "tool_kv_access_log"]
"
        "    async def run(self, user_text: str) -> str:
"
        "        try:
"
        "            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
"
        "            return str(result)
"
        "        except Exception as e:
"
        "            return f"[DevSec CI stub] Adjust SK call. Error: {e}"
"
        "    def available_tools(self):
"
        "        return [t for t in self.skills if t in TOOLS]
"
        "    def call(self, tool_name: str, **kwargs):
"
        "        fn = TOOLS.get(tool_name)
"
        "        if not fn:
"
        "            raise ValueError(f"Tool not found: {tool_name}")
"
        "        return fn(**kwargs)
"

class Agent_identity_broker:
"
        "    def __init__(self, kernel):
"
        "        self.kernel = kernel
"
        "        self.name = "Identity Broker"
"
        "        self.system_message = "Bind Managed Identities and assign Key Vault RBAC."
"
        "        self.skills = ["tool_managed_identity_assert", "tool_rbac_check_assign", "tool_kv_access_log"]
"
        "    async def run(self, user_text: str) -> str:
"
        "        try:
"
        "            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
"
        "            return str(result)
"
        "        except Exception as e:
"
        "            return f"[Identity Broker stub] Adjust SK call. Error: {e}"
"
        "    def available_tools(self):
"
        "        return [t for t in self.skills if t in TOOLS]
"
        "    def call(self, tool_name: str, **kwargs):
"
        "        fn = TOOLS.get(tool_name)
"
        "        if not fn:
"
        "            raise ValueError(f"Tool not found: {tool_name}")
"
        "        return fn(**kwargs)
"

class Agent_keyvault_broker:
"
        "    def __init__(self, kernel):
"
        "        self.kernel = kernel
"
        "        self.name = "Key Vault Broker"
"
        "        self.system_message = "Broker secret retrieval and rotation; never expose raw values."
"
        "        self.skills = ["tool_kv_get_secret", "tool_kv_rotate_version", "tool_kv_access_log"]
"
        "    async def run(self, user_text: str) -> str:
"
        "        try:
"
        "            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
"
        "            return str(result)
"
        "        except Exception as e:
"
        "            return f"[Key Vault Broker stub] Adjust SK call. Error: {e}"
"
        "    def available_tools(self):
"
        "        return [t for t in self.skills if t in TOOLS]
"
        "    def call(self, tool_name: str, **kwargs):
"
        "        fn = TOOLS.get(tool_name)
"
        "        if not fn:
"
        "            raise ValueError(f"Tool not found: {tool_name}")
"
        "        return fn(**kwargs)
"

class Agent_runtime_orchestrator:
"
        "    def __init__(self, kernel):
"
        "        self.kernel = kernel
"
        "        self.name = "Runtime Orchestrator"
"
        "        self.system_message = "Route runtime calls to services; prefer AAD tokens over keys."
"
        "        self.skills = ["tool_aad_token_preferred", "tool_apim_outbound_policy", "tool_kv_access_log"]
"
        "    async def run(self, user_text: str) -> str:
"
        "        try:
"
        "            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
"
        "            return str(result)
"
        "        except Exception as e:
"
        "            return f"[Runtime Orchestrator stub] Adjust SK call. Error: {e}"
"
        "    def available_tools(self):
"
        "        return [t for t in self.skills if t in TOOLS]
"
        "    def call(self, tool_name: str, **kwargs):
"
        "        fn = TOOLS.get(tool_name)
"
        "        if not fn:
"
        "            raise ValueError(f"Tool not found: {tool_name}")
"
        "        return fn(**kwargs)
"

class Agent_data_plane_caller:
"
        "    def __init__(self, kernel):
"
        "        self.kernel = kernel
"
        "        self.name = "Data Plane Caller"
"
        "        self.system_message = "Call AOAI/Search via Private Endpoints only."
"
        "        self.skills = ["tool_aoai_call_via_pe", "tool_search_call_via_pe", "tool_kv_access_log"]
"
        "    async def run(self, user_text: str) -> str:
"
        "        try:
"
        "            result = await self.kernel.invoke_prompt(self.system_message + "\n\nUser: " + user_text)
"
        "            return str(result)
"
        "        except Exception as e:
"
        "            return f"[Data Plane Caller stub] Adjust SK call. Error: {e}"
"
        "    def available_tools(self):
"
        "        return [t for t in self.skills if t in TOOLS]
"
        "    def call(self, tool_name: str, **kwargs):
"
        "        fn = TOOLS.get(tool_name)
"
        "        if not fn:
"
        "            raise ValueError(f"Tool not found: {tool_name}")
"
        "        return fn(**kwargs)
"


# Instances

agent_devsec_ci = Agent_devsec_ci(kernel)

agent_identity_broker = Agent_identity_broker(kernel)

agent_keyvault_broker = Agent_keyvault_broker(kernel)

agent_runtime_orchestrator = Agent_runtime_orchestrator(kernel)

agent_data_plane_caller = Agent_data_plane_caller(kernel)

print('Agents:', ['agent_devsec_ci', 'agent_identity_broker', 'agent_keyvault_broker', 'agent_runtime_orchestrator', 'agent_data_plane_caller'])

In [None]:
# %% [WIRES]
WIRES = {
  "DevSec CI": {
    "tools": [
      "tool_secret_scanner_check",
      "tool_kv_reference_injection",
      "tool_kv_access_log"
    ]
  },
  "Identity Broker": {
    "tools": [
      "tool_managed_identity_assert",
      "tool_rbac_check_assign",
      "tool_kv_access_log"
    ]
  },
  "Key Vault Broker": {
    "tools": [
      "tool_kv_get_secret",
      "tool_kv_rotate_version",
      "tool_kv_access_log"
    ]
  },
  "Runtime Orchestrator": {
    "tools": [
      "tool_aad_token_preferred",
      "tool_apim_outbound_policy",
      "tool_kv_access_log"
    ]
  },
  "Data Plane Caller": {
    "tools": [
      "tool_aoai_call_via_pe",
      "tool_search_call_via_pe",
      "tool_kv_access_log"
    ]
  }
}
print('Wiring entries:', len(WIRES))

In [None]:

# %% [DEMO]
import os, getpass, types, asyncio
from semantic_kernel import Kernel
from semantic_kernel.connectors.ai.open_ai import AzureChatCompletion
os.environ.setdefault("AZURE_OPENAI_ENDPOINT",    "https://4th-openai-resource.openai.azure.com")
os.environ.setdefault("AZURE_OPENAI_DEPLOYMENT",  "gpt-35-turbo")
os.environ.setdefault("AZURE_OPENAI_API_VERSION", "2024-10-21")
if not os.getenv("AZURE_OPENAI_API_KEY"):
    os.environ["AZURE_OPENAI_API_KEY"] = getpass.getpass("Enter AZURE_OPENAI_API_KEY (hidden): ").strip()
try:
    kernel
except NameError:
    kernel = Kernel()
try:
    kernel.remove_service("azure")
except Exception:
    pass
kernel.add_service(AzureChatCompletion(
    service_id="azure",
    api_key=os.getenv("AZURE_OPENAI_API_KEY"),
    deployment_name=os.getenv("AZURE_OPENAI_DEPLOYMENT"),
    endpoint=os.getenv("AZURE_OPENAI_ENDPOINT"),
    api_version=os.getenv("AZURE_OPENAI_API_VERSION"),
))
async def _run_with_azure(self, user_text: str):
    prompt = (getattr(self, "system_message", "") or "") + "\\n\\nUser: " + str(user_text)
    result = await self.kernel.invoke_prompt(prompt, service_id="azure")
    return str(result)
patched = []
for name, obj in list(globals().items()):
    if name.startswith("agent_"):
        try:
            obj.kernel = kernel
            obj.run = types.MethodType(_run_with_azure, obj)
            patched.append(name)
        except Exception:
            pass
print("Patched run() for:", patched if patched else "(none)")
async def demo():
    ci  = globals().get("agent_devsec_ci")
    idb = globals().get("agent_identity_broker")
    kvb = globals().get("agent_keyvault_broker")
    rto = globals().get("agent_runtime_orchestrator")
    dpc = globals().get("agent_data_plane_caller")
    if ci:
        print(ci.call("tool_secret_scanner_check", repo="contoso/app", commit="abc123"))
        print(ci.call("tool_kv_reference_injection", setting="AOAI_API_KEY", ref="@Microsoft.KeyVault(SecretUri=...)"))
    if idb:
        print(idb.call("tool_managed_identity_assert", resource="appsvc", identity="system-assigned"))
        print(idb.call("tool_rbac_check_assign", role="Key Vault Secrets User", scope="/subscriptions/.../resourceGroups/.../providers/Microsoft.KeyVault/vaults/kv-01"))
    if kvb:
        print(kvb.call("tool_kv_get_secret", name="AOAI_API_KEY", secret_value="REDACTED"))
        print(kvb.call("tool_kv_rotate_version", name="AOAI_API_KEY", action="rotate"))
    if rto:
        print(rto.call("tool_aad_token_preferred", service="AOAI", reason="avoid key usage"))
        print(rto.call("tool_apim_outbound_policy", policy="block-key-in-response", product="external"))
    if dpc:
        print(dpc.call("tool_aoai_call_via_pe", prompt="hello world"))
        print(dpc.call("tool_search_call_via_pe", index="docs", query="kv references"))
    print("LLM demo:")
    if dpc:
        try:
            out = await dpc.run("Summarize how Key Vault + MI + rotation mitigate secret leakage risks.")
            print(out)
        except Exception as e:
            print("[demo] invoke failed:", e)
await demo()
