update scope value to support new exporter path #235
Dependency Review
✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Scanned Files: None
Pull request overview
Updates the runtime’s production observability authentication scope to align with the newer Agent365 observability exporter endpoint/path, and adds snapshot tests + guidance to prevent future drift between these coupled settings.
Changes:
- Update `PROD_OBSERVABILITY_SCOPE` to the `Agent365.Observability.OtelWrite` permission scope.
- Add snapshot tests that pin `DEFAULT_ENDPOINT_URL`, `PROD_OBSERVABILITY_SCOPE`, and `build_export_url()` path patterns together.
- Document the “update-in-lockstep” requirement in `CLAUDE.md`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/observability/core/test_export_config_consistency.py | Adds snapshot tests to detect configuration drift between endpoint, scope, and export URL paths. |
| libraries/microsoft-agents-a365-runtime/microsoft_agents_a365/runtime/environment_utils.py | Updates the production observability auth scope constant to the new permission scope. |
| CLAUDE.md | Documents that endpoint, scope, and URL path must be reviewed/updated together. |
PR Review (Automated)
This one-line scope change in environment_utils.py swaps the OAuth scope used for observability exporter authentication from the Power Platform first-party resource to an Agent365-specific AAD application. The diff is small and includes a consistency test, but it is a silent breaking change for any deployed agent: tenants that have admin-consented to the old scope but not the new one will fail token acquisition at export time with no fallback. Recommend gating behind a feature flag or coordinating a CHANGELOG/migration note so downstream consumers can pre-consent to the new app registration before the switch lands.
Review Dimensions
| Dimension | Score | Findings |
|---|---|---|
| Monorepo / Core+Extensions / Namespace Package Layout | 5/5 | 0 |
| Python Standards (copyright, type hints, no Any, async naming) | 5/5 | 0 |
| Centralized uv Constraint Discipline | 5/5 | 0 |
| Observability / OpenTelemetry Correctness | 4/5 | 0 |
| Test Coverage & Quality (pytest / markers / mirror structure) | 4/5 | 0 |
| Public-API / SDK Backwards Compatibility | 2/5 | 1 |
| Scope & Simplicity | 5/5 | 0 |
| Security Posture | 4/5 | 0 |
Concerns
High — PROD_OBSERVABILITY_SCOPE change silently alters authentication target for all consumers [Flagged by: copilot]
- File: `libraries/microsoft-agents-a365-runtime/microsoft_agents_a365/runtime/environment_utils.py:11`
- Mechanism: The scope changed from `https://api.powerplatform.com/.default` (Power Platform first-party resource) to `api://9b975845-388f-4429-889e-eab1ef63949c/Agent365.Observability.OtelWrite` (Agent365-specific AAD app). Any deployed agent using the SDK will now request a token for a completely different AAD resource. Environments that have admin-consented for the old scope but not the new one will fail authentication at export time with no fallback.
- Suggestion: Document the migration in a CHANGELOG / MIGRATION guide, and consider gating behind a feature flag or version bump so consumers can admin-consent the new app registration before the switch takes effect.
Automated review | Verdict: CHANGES_REQUESTED | Confidence: 78% | Reviewers: claude + copilot
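The feature-flag gating suggested in the review above, sketched as an added example (not code from this PR or from the SDK). The flag name `A365_OBSERVABILITY_USE_NEW_SCOPE` and the helper functions are hypothetical; the two scope strings are the ones quoted in the review.

```python
import os
from typing import Mapping, NamedTuple

# Both scope strings are quoted from the review above.
LEGACY_SCOPE = "https://api.powerplatform.com/.default"
NEW_SCOPE = "api://9b975845-388f-4429-889e-eab1ef63949c/Agent365.Observability.OtelWrite"

# Hypothetical opt-in flag name; it is an assumption, not an SDK setting.
FLAG = "A365_OBSERVABILITY_USE_NEW_SCOPE"


class ScopeParts(NamedTuple):
    resource: str    # App ID URI the token is issued for (the consent target)
    permission: str  # permission name, or ".default"


def split_scope(scope: str) -> ScopeParts:
    """Split a resource-qualified scope into resource identifier and permission."""
    resource, sep, permission = scope.rpartition("/")
    if not sep or not permission or "://" not in resource:
        raise ValueError(f"not a resource-qualified scope: {scope!r}")
    return ScopeParts(resource, permission)


def resolve_scope(env: Mapping[str, str] = os.environ) -> str:
    """Return the legacy scope unless the operator has opted in to the new one."""
    value = env.get(FLAG, "").strip().lower()
    if value in ("", "0", "false"):
        return LEGACY_SCOPE
    if value in ("1", "true"):
        return NEW_SCOPE
    # Fail closed on a typo instead of silently picking a token audience.
    raise ValueError(f"{FLAG} must be true or false, got {value!r}")


def audience_changed(old: str, new: str) -> bool:
    """True when the scopes name different resources, so consent for one does not cover the other."""
    return split_scope(old).resource != split_scope(new).resource


if __name__ == "__main__":
    for scope in (LEGACY_SCOPE, NEW_SCOPE):
        print(split_scope(scope))
    print("different resource:", audience_changed(LEGACY_SCOPE, NEW_SCOPE))
```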
Task
Update the runtime to return the new scope
Result