feat: add azdextutil shared library for azd extension framework #20

Merged
jongio merged 8 commits into main from azdextimprove
Feb 23, 2026

@jongio jongio commented Feb 23, 2026

Summary

Adds the azdextutil package - a shared utility library that all azd extensions use for common extension framework functionality. Also hardens the security package with symlink-safe path validation.

What's New

azdextutil/ package (NEW)

  • Rate limiting - NewRateLimiter() / CheckRateLimit() for MCP tool rate limiting
  • MCP helpers - GetArgsMap(), GetStringParam(), MarshalToolResult() for MCP tool handlers
  • Security helpers - ValidateShellName(), GetProjectDir()
  • Deprecated wrappers - SetupTracingFromEnv() -> use azdext.NewContext(), GenerateMetadataFromCobra() -> use azdext.GenerateExtensionMetadata(), ValidatePath() -> use security.ValidatePathWithinBases()

security/ package (ENHANCED)

  • ValidatePathWithinBases() - New function that resolves symlinks on BOTH the target path AND base directories (prevents symlink bypass)
  • SanitizeScriptName() - Added missing shell metacharacters: quotes, backslash, hash

Test Coverage

  • azdextutil: 90.2% coverage (12 tests)
  • security: 82.1% coverage

Changes

  • 12 files changed, 2425 insertions(+), 2 deletions(-)

jongio and others added 7 commits February 22, 2026 08:19
Shared utilities for azd extension development:
- GenerateMetadataFromCobra: lightweight metadata generation from Cobra commands
- NewMetadataCommand: standard hidden metadata command factory
- RateLimiter: token bucket rate limiter for MCP tools
- ValidatePath/ValidateShellName: security validation helpers
- SetupTracingFromEnv/GetTraceContext: distributed tracing context propagation
- GetProjectDir: safe project directory resolution

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Deprecate SetupTracingFromEnv/GetTraceContext -> use azdext.NewContext()
- Deprecate GenerateMetadataFromCobra/NewMetadataCommand -> use azdext.GenerateExtensionMetadata()
- Deprecate azdextutil.ValidatePath -> use security.ValidatePathWithinBases()
- Add security.ValidatePathWithinBases() with base directory containment
- All deprecated functions kept for backwards compatibility

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- GetArgsMap: extract arguments from MCP tool requests
- GetStringParam: safely extract string parameters
- MarshalToolResult: JSON marshal to MCP result

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- EvalSymlinks on base directories for consistent comparison with resolved target path
- Add security warning to deprecated ValidatePath about silent symlink error handling

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- SanitizeScriptName now blocks quotes, backslash, and comment char
- MarshalToolResult returns actual error instead of nil on marshal failure

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- Fix deprecated type comments to start with type name per ST1021
- Check error return of fmt.Fprintln in metadata.go
- Check error return of os.WriteFile in security_test.go

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

codecov-commenter commented Feb 23, 2026

Codecov Report

❌ Patch coverage is 83.79888% with 29 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.63%. Comparing base (6a09e7a) to head (df3319c).

Files with missing lines | Patch % | Lines
azdextutil/security.go | 72.09% | 6 Missing and 6 partials ⚠️
security/security.go | 69.44% | 5 Missing and 6 partials ⚠️
azdextutil/metadata.go | 88.00% | 3 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #20      +/-   ##
==========================================
+ Coverage   73.14%   73.63%   +0.49%     
==========================================
  Files          39       44       +5     
  Lines        3649     3827     +178     
==========================================
+ Hits         2669     2818     +149     
- Misses        796      810      +14     
- Partials      184      199      +15     
Flag | Coverage Δ
unittests | 73.63% <83.79%> (+0.49%) ⬆️

Flags with carried forward coverage won't be shown.

- Fix ValidatePathWithinBases to resolve parent symlinks for non-existent
  files (handles macOS /var -> /private/var)
- Run gofmt on azdextutil package (CRLF -> LF)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio jongio merged commit 39a75ce into main Feb 23, 2026
8 checks passed
@jongio jongio deleted the azdextimprove branch February 23, 2026 04:46
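
The containment check described in the PR summary and in the last commit (resolve symlinks on both the target and the base directories, and resolve the parent when the file does not exist yet), as an added example that is not the code merged in this PR. `resolve`, `withinBases` and `demo` are hypothetical names, and the temp-directory layout is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// resolve follows symlinks in p; a tail that does not exist yet is re-appended to its resolved parent.
func resolve(p string) (string, error) {
	p, err := filepath.Abs(p)
	if err != nil {
		return "", err
	}
	if resolved, err := filepath.EvalSymlinks(p); err == nil {
		return resolved, nil
	} else if _, lerr := os.Lstat(p); lerr == nil || filepath.Dir(p) == p {
		return "", err // entry exists but will not resolve (dangling link, loop): fail closed
	}
	parent, err := resolve(filepath.Dir(p))
	return filepath.Join(parent, filepath.Base(p)), err
}

// withinBases (hypothetical name) returns the resolved path if it lies inside one of bases.
func withinBases(path string, bases ...string) (string, error) {
	resolved, err := resolve(path)
	if err != nil {
		return "", err
	}
	for _, b := range bases {
		if rb, err := resolve(b); err == nil { // bases are resolved too (macOS /var -> /private/var)
			if rel, err := filepath.Rel(rb, resolved); err == nil && filepath.IsLocal(rel) {
				return resolved, nil
			}
		}
	}
	return "", fmt.Errorf("%q resolves outside the allowed bases", path)
}

// demo uses a constructed layout: base/escape is a symlink to base's parent directory.
func demo() (newFile, viaLink error) {
	base, _ := os.MkdirTemp("", "base")
	defer os.RemoveAll(base)
	os.Symlink(filepath.Dir(base), filepath.Join(base, "escape"))
	_, newFile = withinBases(filepath.Join(base, "new", "f.txt"), base)
	_, viaLink = withinBases(filepath.Join(base, "escape", "f.txt"), base)
	return
}

func main() { fmt.Println(demo()) }
```

The check and the later file access are separate steps, so a caller should operate on the returned resolved path rather than on the original input.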