Sync plugin files from GitHub-Copilot-for-Azure (run 26286258078)

.github/plugins/azure-skills/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "azure",
   "description": "Microsoft Azure MCP and Skills integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from Claude Code.",
-  "version": "1.1.44",
+  "version": "1.1.48",
   "author": {
     "name": "Microsoft",
     "url": "https://www.microsoft.com"

.github/plugins/azure-skills/.cursor-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "azure",
   "description": "Microsoft Azure MCP and Skills integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from Cursor.",
-  "version": "1.1.44",
+  "version": "1.1.48",
   "author": {
     "name": "Microsoft",
     "url": "https://www.microsoft.com"

.github/plugins/azure-skills/.plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "azure",
   "description": "Microsoft Azure MCP and Skills integration for cloud resource management, deployments, and Azure services. Manage your Azure infrastructure, monitor applications, and deploy resources directly from your development environment.",
-  "version": "1.1.44",
+  "version": "1.1.48",
   "author": {
     "name": "Microsoft",
     "url": "https://www.microsoft.com"
@@ -21,5 +21,8 @@
   ],
   "skills": "./skills/",
   "mcpServers": "./.mcp.json",
-  "hooks": "./hooks/copilot-hooks.json"
+  "hooks": {
+    "paths": ["./hooks/copilot-hooks.json"],
+    "exclusive": true
+  }
 }

.github/plugins/azure-skills/CHANGELOG.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 1.1.47
+
+- feat(azure-diagnostics/inspektor-gadget): Use correct filter for tcpdump gadget ([#2292](https://github.com/microsoft/GitHub-Copilot-for-Azure/pull/2292))
+
+## 1.1.46
+
+- feat(microsoft-foundry): add Tracing Insights API skill for automated anomaly detection ([#2276](https://github.com/microsoft/GitHub-Copilot-for-Azure/pull/2276))
+
+## 1.1.45
+
+- fix(microsoft-foundry): update integrate toolbox into hosted-agent flow ([#2264](https://github.com/microsoft/GitHub-Copilot-for-Azure/pull/2264))
+
 ## 1.1.41
 
 - fix: update foundry-agent invoke skill for invocations protocol ([#2154](https://github.com/microsoft/GitHub-Copilot-for-Azure/pull/2154))

.github/plugins/azure-skills/skills/azure-diagnostics/SKILL.md

@@ -4,7 +4,7 @@ description: "Debug Azure production issues on Azure using AppLens, Azure Monito
 license: MIT
 metadata:
   author: Microsoft
-  version: "1.1.5"
+  version: "1.1.6"
 ---
 
 # Azure Diagnostics

.github/plugins/azure-skills/skills/azure-diagnostics/troubleshooting/aks/references/inspektor-gadget.md

@@ -63,11 +63,11 @@ Outputs raw pcap-ng data. Pipe to `tcpdump` for readable output:
 kubectl debug --profile=sysadmin node/<node-name> --attach --quiet \
   --image=mcr.microsoft.com/oss/v2/inspektor-gadget/ig:<ig-version> \
   -- ig run tcpdump:<ig-version> -o pcap-ng --k8s-namespace <ns> --k8s-podname <pod> \
-     --timeout 30 --filter "port 80" \
+     --timeout 30 --pf "port 80" \
   | tcpdump -nvr -
 ```
 
-Use `--filter "<expr>"` for tcpdump filters (e.g., `port 80`, `host 10.0.0.1`). Output must be `-o pcap-ng` (not `-o json`).
+Use `--pf "<expr>"` for tcpdump filters (e.g., `port 80`, `host 10.0.0.1`). Output must be `-o pcap-ng` (not `-o json`).
 
 ### Process & Workload
 

.github/plugins/azure-skills/skills/microsoft-foundry/SKILL.md

@@ -4,7 +4,7 @@ description: "Deploy, evaluate, and manage Foundry agents end-to-end: Docker bui
 license: MIT
 metadata:
   author: Microsoft
-  version: "1.1.12"
+  version: "1.1.14"
 ---
 
 # Microsoft Foundry Skill

.github/plugins/azure-skills/skills/microsoft-foundry/foundry-agent/create/create-hosted.md

@@ -88,7 +88,7 @@ If the user has specified what they want the agent to do, choose the most releva
 
 If the requested combination does not have a real sample, say so clearly and suggest the nearest supported lane.
 
-> ⚠️ **Tools:** If the user wants an agent with tools (web search, AI search, code interpreter, MCP servers, etc.), select the `toolbox` samples. These samples include Foundry Toolbox integration in the sample code out of the box, but the user still needs an actual toolbox resource and must configure its endpoint/auth as described in [references/toolbox.md](references/toolbox.md) (see Step 1).
+> ⚠️ **Tools:** Hosted agents access tools through a **Foundry Toolbox MCP endpoint** — they do NOT wire tools directly. If the user wants an agent with tools (web search, AI search, code interpreter, MCP servers, etc.), select the `toolbox` samples (see [references/use-toolbox-in-hosted-agent.md#code-integration-patterns](references/use-toolbox-in-hosted-agent.md#code-integration-patterns)). These samples include Foundry Toolbox integration in the sample code out of the box, but the user still needs an actual toolbox resource — you'll resolve its endpoint in Step 6 (Verify Startup).
 
 ### Step 4: Download Sample Files
 
@@ -131,6 +131,7 @@ For nested directories, recursively fetch the GitHub contents API for entries wh
 
 1. Install dependencies (use virtual environment for Python)
 2. Ask user to provide values for `.env` variables if placeholders were used using `ask_user` tool.
+   - **If the agent uses tools / toolboxes**: resolve the toolbox endpoint per [references/use-toolbox-in-hosted-agent.md#resolve-toolbox-endpoint](references/use-toolbox-in-hosted-agent.md#resolve-toolbox-endpoint).
 3. Run the main entrypoint
 4. Fix startup errors and retry if needed
 5. Send a protocol-appropriate test request to the correct endpoint:
@@ -221,6 +222,7 @@ Modify the project's main entrypoint to wrap the existing agent with the adapter
 ### Step B4: Configure Environment
 
 1. Create or update a `.env` file with required environment variables (project endpoint, model deployment name, etc.)
+   - **If the agent uses tools / toolboxes**: resolve the toolbox endpoint per [references/use-toolbox-in-hosted-agent.md#resolve-toolbox-endpoint](references/use-toolbox-in-hosted-agent.md#resolve-toolbox-endpoint).
 2. For Python: ensure the code uses `load_dotenv(override=False)` so Foundry-injected environment variables are available at runtime.
 3. If the project uses Azure credentials: ensure Python uses `azure.identity.DefaultAzureCredential` for **local development**. In production, use `ManagedIdentityCredential`. See [auth-best-practices.md](../../references/auth-best-practices.md)
 
@@ -277,7 +279,7 @@ Apply these to both greenfield and brownfield projects:
 
 5. **Deploy handoff** — After the agent has been created and local verification succeeds, explicitly tell the user that they can deploy the agent if they want, and ask them to say `deploy agent to foundry` to continue with the deploy sub-skill.
 
-6. **Tool integration** — Hosted agents access tools through [Foundry Toolbox](references/toolbox.md), NOT by wiring tools directly. If the user needs tools (web search, AI search, code execution, MCP servers, etc.), follow the toolbox integration guide. The toolbox provides a single MCP-compatible endpoint that handles credential injection and tool discovery.
+6. **Tool integration** — Hosted agents access tools through [Foundry Toolbox](references/use-toolbox-in-hosted-agent.md), NOT by wiring tools directly. If the user needs tools (web search, AI search, code execution, file search, MCP servers, etc.), follow the toolbox integration guide. The toolbox provides a single MCP-compatible endpoint that handles credential injection and tool discovery.
 
 7. **Reserved environment variables** — The Foundry platform injects environment variables into every hosted agent container at startup. You MUST NOT generate, suggest, or configure any of these in `.env` files, `agent.yaml` `environment_variables`, or application code:
 

.github/plugins/azure-skills/skills/microsoft-foundry/foundry-agent/create/references/toolbox-reference.md

@@ -0,0 +1,102 @@
+# Toolbox Reference
+
+Endpoint format, MCP protocol details, authentication, OAuth consent handling, endpoint testing, and troubleshooting for Foundry Toolboxes.
+
+## Endpoint Format
+
+The toolbox MCP endpoint is constructed from the **project endpoint** + **toolbox name**:
+
+| Endpoint | URL |
+|----------|-----|
+| Latest version (default) | `{project_endpoint}/toolboxes/{toolbox_name}/mcp?api-version=v1` |
+| Specific version | `{project_endpoint}/toolboxes/{toolbox_name}/versions/{version}/mcp?api-version=v1` |
+
+- **Project endpoint** format: `https://<account>.services.ai.azure.com/api/projects/<project>`
+- The latest-version endpoint always serves the toolbox's `default_version`.
+- Use the specific-version endpoint to test a version before promoting it.
+- **Required header** on every request: `Foundry-Features: Toolboxes=V1Preview`
+- `?api-version=v1` query parameter is **required** — requests without it return HTTP 400.
+
+## MCP Protocol
+
+Toolboxes use **Model Context Protocol (MCP)** — JSON-RPC 2.0 over HTTP POST:
+
+- **`initialize`** — Handshake to establish an MCP session. Returns a `mcp-session-id` header to include in subsequent requests.
+- **`tools/list`** — Returns all available tools with names, descriptions, and input schemas.
+- **`tools/call`** — Invokes a tool with arguments and returns structured results.
+
+> `prompts/list` is **not supported** by the toolbox endpoint. Always pass `load_prompts=False` to MCP client constructors.
+
+## Authentication
+
+- **Agent → Toolbox:** Azure AD bearer token with scope `https://ai.azure.com/.default`, refreshed on every request.
+- **Toolbox → External Services:** Managed by the platform via project connections (API keys, OAuth, managed identity).
+
+## OAuth Consent Handling
+
+When a toolbox includes an OAuth-based MCP connection (e.g., GitHub OAuth), the first call triggers a `CONSENT_REQUIRED` error (MCP error code `-32006`). The error message contains the consent URL.
+
+**Agent code must handle this:**
+1. Catch MCP error code `-32006` from `tools/call` or during MCP session initialization.
+2. Extract the consent URL from the error message.
+3. Log the URL and surface it to the user (e.g., print to stdout or return in the agent response).
+4. After the user completes the OAuth flow in a browser, retry the call — subsequent calls succeed without re-prompting.
+
+> This is a one-time flow per user per OAuth connection in a project. The agent should not silently swallow this error.
+
+## Testing the Toolbox Endpoint
+
+Before running the full agent, verify the toolbox MCP endpoint works end-to-end. Use `az login` for authentication, then test the three MCP operations in order:
+
+**1. Get a bearer token:**
+```bash
+TOKEN=$(az account get-access-token --resource https://ai.azure.com --query accessToken -o tsv)
+TOOLBOX_URL="https://<account>.services.ai.azure.com/api/projects/<project>/toolboxes/<name>/mcp?api-version=v1"
+```
+
+**2. Initialize MCP session:**
+```bash
+curl -sS -X POST "$TOOLBOX_URL" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -H "Foundry-Features: Toolboxes=V1Preview" \
+  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"debug","version":"1.0.0"}}}' \
+  -D - | head -20
+```
+Save the `mcp-session-id` header from the response for subsequent calls.
+
+**3. List tools:**
+```bash
+curl -sS -X POST "$TOOLBOX_URL" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -H "Foundry-Features: Toolboxes=V1Preview" \
+  -H "mcp-session-id: <session-id-from-step-2>" \
+  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}' | jq .
+```
+
+**Checklist:**
+- Response contains `result.tools[]` with `len > 0`
+- Each tool has `name`, `description`, and `inputSchema` with a `properties` field
+- MCP tool names for remote servers are prefixed with `server_label` (e.g., `myserver.get_info`)
+
+**4. Call a tool (optional):**
+```bash
+curl -sS -X POST "$TOOLBOX_URL" \
+  -H "Authorization: Bearer $TOKEN" \
+  -H "Content-Type: application/json" \
+  -H "Foundry-Features: Toolboxes=V1Preview" \
+  -H "mcp-session-id: <session-id-from-step-2>" \
+  -d '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"<tool_name>","arguments":{"query":"test"}}}' | jq .
+```
+
+> For a Python-based debug client, see the `_McpToolboxClient` class in the [BYO toolbox sample `main.py`](https://github.com/microsoft-foundry/foundry-samples/blob/main/samples/python/hosted-agents/bring-your-own/responses/bring-your-own-toolbox/main.py) — it implements `initialize`, `list_tools`, and `call_tool` using raw `httpx` calls.
+
+## Troubleshooting
+
+| Error | Cause | Resolution |
+|-------|-------|------------|
+| CONSENT_REQUIRED (code -32006) | OAuth MCP connection needs user consent | Open consent URL in browser, complete OAuth flow, retry |
+| 401 on MCP calls | Expired token or wrong scope | Use scope `https://ai.azure.com/.default` and refresh token |
+| 500 on `prompts/list` | Not supported by toolbox endpoint | Pass `load_prompts=False` to MCP client constructor |
+| 500 with non-streaming `tools/call` | Non-streaming not supported | Always use `stream=True` for toolbox MCP tools |