* Re-connecting should be part of DCP request retry

* Simplify implementation

* Additional test

* Update patch version

* Improve comment

* Test improvements

Make sure files used by tests are created in isolated location and deleted no matter test outcome

* Optimizing the read for the kubeconfig file

#18093)

* Use build artifact downloader for npm summaries

The release pipeline consumes npm validation summaries from source builds that published them as build/container artifacts. Download them with DownloadBuildArtifacts instead of the pipeline artifact shortcut so existing source builds can be released without re-spinning.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix npm preflight success exit code

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Allow either required npm publish owner

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Improve npm CLI package metadata

* Remove npm README launcher implementation detail

* Relax npm ESRP approver validation

* Require npm ESRP publish aliases

* Address npm release validation review feedback

* Simplify npm publish skip parameters

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix CLI E2E package version selection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Use explicit package version without prerelease flag

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Match exact local hive package files

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Handle CLI update prompt in channel E2E

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Wait past CLI update prompt in channel E2E

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address npm release review feedback

- Extract npm package READMEs into separate template files and render them
  via a shared Expand-Template helper instead of inline here-strings.
- Move the npm ESRP alias validation into eng/scripts/validate-npm-release-aliases.ps1
  (dot-sourceable) with executable unit tests covering empty/whitespace owners,
  multiple approvers, missing required owner, owner/approver overlap, non-Microsoft
  email rejection, @microsoft.com stripping, and effective-set emission. The release
  job runs with checkout: none, so the helpers stay mirrored inline and a test keeps
  the two copies in sync.
- Forward NpmPublishOwners/NpmPublishApprovers to the validation step via env: so
  operator-supplied values are treated as data, not interpolated into the inline script.
- Give NpmPublishOwners/NpmPublishApprovers/NpmRegistryPropagationDelayMinutes working
  defaults and mark them [Advanced] so an unattended queue submission passes validation.
- Replace pack-script source-text assertions with tests that run the script across all
  supported RIDs and assert the generated package.json, package map, and READMEs.
- Clarify the local-hive vs --prerelease comment in KubernetesDeployTestHelpers.
- Update the npm-cli-package spec to describe the new parameter defaults and validation script.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix npm CLI README markdown lint

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Harden npm release alias validation

Reject unsafe alias values before emitting Azure Pipelines logging commands and keep the inline release-pipeline validation body covered by the script sync test. Also clarify npm self-update README wording.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Fix npm release pipeline env expansion

Quote queue-time npm release alias parameters when forwarding them through the validation step environment so Azure Pipelines treats the values as strings during release-job expansion.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Avoid object expressions in release pipeline scripts

Compute installer-only logging inside PowerShell instead of embedding a template function result in the inline script scalar, which Azure Pipelines reports as an Object-to-String conversion error at powershell: |.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Use standard MicroBuild release job context

Remove the unsupported templateContext.mb.publish.feedSource object from ReleaseJob; dnceng release-job expansion reports it as an Object-to-String conversion failure at the first powershell step.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Download release artifacts explicitly

Avoid passing current-pipeline artifact objects through ReleaseJob templateContext.inputs; download the prepared artifacts explicitly at the start of ReleaseJob to bypass dnceng release-job object conversion during YAML expansion.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Avoid wildcard template expression in release script

Remove the literal ${{ parameters.* }} text from an inline PowerShell comment because Azure Pipelines expands template expressions inside block scalars and treats the wildcard as the parameters object.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Jose Perez Rodriguez <joperezr@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

… MCP tools (#18150)

* Filter resources with resource.excludeFromMcp from CLI MCP tools

Resources marked with the resource.excludeFromMcp property are now
excluded from all MCP tool results:
- ListResourcesTool filters them from resource listings
- ListConsoleLogsTool and ExecuteResourceCommandTool reject requests
  targeting excluded resources
- ListStructuredLogsTool, ListTracesTool, and ListTraceStructuredLogsTool
  filter out telemetry from excluded resources
- McpResourceToolRefreshService skips excluded resources

Added McpToolHelpers with IsExcludedFromMcp, CheckResourceExcludedAsync,
GetExcludedResourceNamesAsync, and GetResourceNotAvailableMessage helpers.

Includes comprehensive unit tests covering all filtering scenarios.

* Add ListTraceStructuredLogsTool exclusion tests and E2E test

- Add two tests for ListTraceStructuredLogsTool filtering:
  - FiltersExcludedResourceLogs: verifies excluded resource logs are
    removed from trace-scoped structured log results
  - ReturnsAllLogs_WhenNoResourcesExcluded: verifies no filtering when
    no resources are excluded
- Add doesNotContainMarker parameter to CallAgentMcpToolAsync helper
- Add AgentMcpExcludeFromMcpTests E2E test that verifies list_resources
  excludes resources marked with ExcludeFromMcp()

* Use quoted markers in E2E test for precise JSON matching

* Avoid redundant connection lookup in exclusion checks

Add overloads of CheckResourceExcludedAsync and GetExcludedResourceNamesAsync
that accept IAppHostAuxiliaryBackchannel directly. Update ListConsoleLogsTool
and ExecuteResourceCommandTool to use the connection they already obtained,
eliminating a redundant GetSelectedConnectionAsync + GetResourceSnapshotsAsync
call per request.

* Use StringComparers.ResourceName and extract CreateExcludedResult helper

* Fix AgentMcpExcludeFromMcp E2E test: disable Redis cache

The test was timing out because the Redis container's health check
never passed in the Docker-in-Docker CI environment, causing
webfrontend (which has WaitFor(cache)) to stay stuck in Waiting state.

Redis is irrelevant to this test — it only verifies ExcludeFromMcp()
filtering. Disabling Redis removes the container dependency.

---------

Co-authored-by: James Newton-King <james@newtonking.com>