fix: cleanup agent instances in a365 cleanup blueprint

[gwharris7]

This pull request introduces significant improvements to the blueprint cleanup process in the CLI tool, focusing on cascading deletion of agent instances and better handling/reporting of partial failures. The changes enhance user experience by previewing all resources that will be deleted, confirming destructive actions, and providing clear warnings and summaries if any resources could not be deleted. Additionally, several new methods were added to support querying and deleting agent instances and users, and the test code was updated for compatibility. This PR addresses issue #258.

Blueprint cleanup enhancements:

• The blueprint cleanup command now queries for all agent instances linked to a blueprint, shows a detailed preview of what will be deleted (including agentic users and identity service principals), and deletes these resources before deleting the blueprint itself. If any deletions fail, the user receives a summary of orphaned resources to clean up manually. [1] [2] [3] [4] [5]

• The command now uses an injected IConfirmationProvider for user confirmation, replacing direct Console.ReadLine calls, making the code more testable and consistent. [1] [2]

Agent instance management:

• Added a new AgentInstanceInfo record in Models/AgentInstanceInfo.cs to represent agent instances linked to a blueprint, including identity SP and optional agentic user.

• Introduced new methods in AgentBlueprintService to:

  • Query all agent instances for a given blueprint (GetAgentInstancesForBlueprintAsync)
  • Delete an agentic user (DeleteAgentUserAsync)
  • Made DeleteAgentBlueprintAsync and DeleteAgentIdentityAsync virtual for easier testing/mocking. [1] [2] [3]

Test updates:

• Updated tests to accommodate the new method signatures for endpoint deletion, adding the optional correlation ID parameter where appropriate. [1] [2] [3] [4] [5]

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[Copilot]

Pull request overview

This pull request enhances the blueprint cleanup process in the Agent365 DevTools CLI by implementing cascading deletion of agent instances and improving error handling for partial failures. When cleaning up a blueprint, the CLI now queries for all agent instances linked to that blueprint, presents a detailed preview of resources to be deleted (including agentic users and identity service principals), and deletes these resources before deleting the blueprint itself. If any deletions fail, the user receives a clear summary of orphaned resources that need manual cleanup.

Changes:

• Added AgentInstanceInfo model to represent agent instances with their identity SP and optional agentic user
• Enhanced AgentBlueprintService with methods to query and delete agent instances and users, with virtual modifiers for testability
• Updated blueprint cleanup command to cascade delete instances, use IConfirmationProvider for user confirmation, and provide detailed preview and orphan summaries
• Added comprehensive test coverage for the new cascading deletion behavior and proper resource disposal in test infrastructure

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/Microsoft.Agents.A365.DevTools.Cli/Models/AgentInstanceInfo.cs	New record to represent agent instances linked to a blueprint with identity SP ID, display name, and optional agentic user ID
src/Microsoft.Agents.A365.DevTools.Cli/Services/AgentBlueprintService.cs	Added methods to query agent instances, delete agentic users, and made deletion methods virtual for testability; includes placeholder API property names that need verification
src/Microsoft.Agents.A365.DevTools.Cli/Commands/CleanupCommand.cs	Enhanced blueprint cleanup to cascade delete instances with preview, confirmation, failure tracking, and orphan summaries; now uses IConfirmationProvider
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Services/AgentBlueprintServiceTests.cs	Added tests for querying and deleting agent instances/users; added Dispose implementation to FakeHttpMessageHandler for proper resource cleanup
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/CleanupCommandTests.cs	Added tests for cascading deletion behavior with instances, no instances, and partial failures; updated all mock calls to include optional correlationId parameter
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/CleanupCommandBotEndpointTests.cs	Updated mock setup to include optional correlationId parameter for endpoint deletion
src/Tests/Microsoft.Agents.A365.DevTools.Cli.Tests/Commands/BlueprintSubcommandTests.cs	Updated all mock calls and assertions to include optional correlationId parameter for endpoint deletion

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

[Copilot]

@gwharris7 I've opened a new pull request, #297, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

[Copilot]

FetchAllPagesAsync silently breaks when GraphGetAsync returns null, which can yield incomplete/empty instance lists without any indication at the call site (GraphGetAsync also returns null on non-success). Consider logging a warning/error (including requestPath/status if available) when doc is null so cleanup preview doesn't misleadingly show zero instances on transient Graph failures.

Suggested change

	{
	{
	_logger.LogWarning(
	"Graph GET returned null for tenant {TenantId} on path {RequestPath}. " +
	"Stopping pagination and returning {ItemCount} items. This may indicate a transient Graph failure.",
	tenantId,
	requestPath,
	items.Count);

[Copilot]

If messaging endpoint deletion fails, the handler returns early, so any previously recorded instance deletion failures won't be summarized for the user. Consider calling PrintOrphanSummary before returning (or moving orphan reporting into a finally) so orphaned instance resources are always reported regardless of endpoint deletion outcome.

[Copilot]

PrintOrphanSummary always logs "Blueprint cleanup completed with warnings" and labels failed deletions as "orphaned". This method is also called when blueprint deletion fails, where cleanup did not complete and the remaining resources may not be orphaned (the blueprint still exists). Consider adjusting the wording based on whether the blueprint delete succeeded, or pass an explicit state flag into PrintOrphanSummary.

[Copilot]

This test comment says the two Graph queries "run in parallel", but GetAgentInstancesForBlueprintAsync now fetches SPs and users sequentially to avoid header races. Update the comment to match the current behavior so it doesn't mislead future maintainers.

[Copilot]

FakeHttpMessageHandler.Dispose only disposes HttpResponseMessage instances still in the queue. Any responses already dequeued in SendAsync (notably via GraphGetAsync, which doesn't dispose its responses) will not be disposed, so these tests can still leak HttpResponseMessage objects. Consider tracking all created/dequeued responses and disposing them in Dispose, or updating GraphGetAsync to dispose responses so the handler-level cleanup is reliable.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

[Copilot]

@gwharris7 I've opened a new pull request, #305, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

[sellakumaran]

1ES PT Branch Validation blocks official NuGet publish for GitHub‑hosted pipeline.

Scenario: one instance existed, its SP and agentic user were deleted successfully, but
then the blueprint deletion itself failed. Result: failedResources is empty, so
PrintOrphanSummary returns early. The user sees only "Blueprint deletion failed." with
no further guidance. The instances are already gone (their SP objects were deleted), but
the blueprint still exists in Entra ID. This is a partial-success state requiring explicit
user action.

  The test `CleanupBlueprint_WhenBlueprintDeletionFailsWithInstances_LogsWarning` (diff line
  ~739) exercises this exact path and only asserts that "Blueprint deletion failed." was
  logged, missing the guidance gap.

  Suggested fix: emit actionable guidance whenever blueprint deletion fails, regardless of
  orphaned resources:

  if (!deleted)
  {
      logger.LogWarning("");
      logger.LogWarning("Blueprint deletion failed. The blueprint still exists in Entra ID.");
      PrintOrphanSummary(logger, failedResources);
      if (!HasOrphanedResources(failedResources))
      {
          logger.LogWarning("All agent instances were deleted. Retry 'a365 cleanup blueprint' " +
              "or delete the blueprint manually via the Entra portal or Graph API.");
      }
      return;
  }      Scenario: one instance existed, its SP and agentic user were deleted successfully, but
  then the blueprint deletion itself failed. Result: `failedResources` is empty, so
  `PrintOrphanSummary` returns early. The user sees only "Blueprint deletion failed." with
  no further guidance. The instances are already gone (their SP objects were deleted), but
  the blueprint still exists in Entra ID. This is a partial-success state requiring explicit
  user action.


  Suggested fix: emit actionable guidance whenever blueprint deletion fails, regardless of
  orphaned resources:

  if (!deleted)
  {
      logger.LogWarning("");
      logger.LogWarning("Blueprint deletion failed. The blueprint still exists in Entra ID.");
      PrintOrphanSummary(logger, failedResources);
      if (!HasOrphanedResources(failedResources))
      {
          logger.LogWarning("All agent instances were deleted. Retry 'a365 cleanup blueprint' " +
              "or delete the blueprint manually via the Entra portal or Graph API.");
      }
      return;
  }

  Update `CleanupBlueprint_WhenBlueprintDeletionFailsWithInstances_LogsWarning` to assert
  that the retry guidance message is also emitted.

[sellakumaran]

Console.WriteLine() mixed with ILogger in new production code -- inconsistent output channel