symbols: add opt-in Managed Identity support for symbol server auth#58
Merged
Conversation
Add ManagedIdentityEnabled setting (ProtoMember 26, default false) to SymbolFileSourceSettings. Refactor PDBDebugInfoProvider static credential chain into BuildAndSetCredentialChain(bool) + public ReinitializeCredentials(settings) to allow runtime reconfiguration after settings load (static ctor runs before settings are available). When ManagedIdentityEnabled=true, use ManagedIdentityCredential exclusively (no developer/browser creds) for headless Azure deployments. When false (default), use the existing full developer chain unchanged. Expose useManagedIdentity parameter on MCP server OpenTrace tool for headless/Azure callers like BigRedPerfAI. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Adds opt-in Azure Managed Identity support for symbol server authentication so headless/Azure callers (e.g. via the MCP server) can download PDBs without interactive browser auth. The credential chain in PDBDebugInfoProvider is refactored so it can be rebuilt at runtime once application settings are available, and a new MCP OpenTrace parameter selects the MI-only chain.
Changes:
- New
ManagedIdentityEnabledsetting onSymbolFileSourceSettings(ProtoMember 26, default false). PDBDebugInfoProviderstatic credential setup refactored intoBuildAndSetCredentialChain+ thread-safeReinitializeCredentials; MI-only chain when enabled, full developer chain otherwise.- MCP
OpenTracegains auseManagedIdentityparameter that flows intoSymbolFileSourceSettingsand triggersReinitializeCredentials.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/ProfileExplorerCore/Settings/SymbolFileSourceSettings.cs | Adds ManagedIdentityEnabled proto-serialized option. |
| src/ProfileExplorerCore/Binary/PDBDebugInfoProvider.cs | Refactors credential chain construction; adds runtime reinit and lock for thread-safety. |
| src/ProfileExplorer.McpServer/Program.cs | Exposes useManagedIdentity parameter on OpenTrace, propagates to settings and reinitializes credentials. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ivberg
approved these changes
May 28, 2026
jhpohovey
approved these changes
May 29, 2026
- PDBDebugInfoProvider: read MANAGED_IDENTITY_CLIENT_ID env var to configure user-assigned managed identity when useManagedIdentity=true; previously used system-assigned MI which doesn't exist on Azure Batch nodes - McpActionExecutor: accept useManagedIdentity param in OpenTraceAsync; call PDBDebugInfoProvider.ReinitializeCredentials before trace load; force-add symweb to symbol paths on Batch nodes (which are not domain-joined and would otherwise only have the public MSDL server) - IMcpActionExecutor/ProfileExplorerMcpServer/Program: wire useManagedIdentity flag through MCP interface and JSON RPC handler - DiagnosticLogger: minor diagnostic improvements - ProfileExplorerUI.csproj: dependency updates for Azure.Identity Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add symbolPath parameter to IMcpActionExecutor.OpenTraceAsync and the open_trace MCP tool, allowing callers to explicitly supply symbol server paths rather than having PE infer them from environment heuristics. - McpActionExecutor now clones App.Settings.SymbolSettings as the base (preserving user-configured paths, rejection caches, etc.) and overlays the caller-supplied symbolPath and useManagedIdentity flag. Replaces the previous approach of constructing fresh settings and force-adding symweb when useManagedIdentity was true. - Remove Console.Error noise from PDBDebugInfoProvider credential init. - Update MockMcpActionExecutor signature to match interface. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…FILE_EXPLORER_LOG_DIR PE was hardcoded to check AZ_BATCH_TASK_WORKING_DIR for the log directory, making it Batch-specific. Replace with a generic PROFILE_EXPLORER_LOG_DIR env var. Callers (e.g. FUN AI on Batch) can set it to whatever path is appropriate for their environment. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Allow callers to override the diagnostic log directory via --log-dir <path> instead of relying on the PROFILE_EXPLORER_LOG_DIR environment variable being set externally. The arg is parsed before the first DiagnosticLogger call so Initialize() picks up the override naturally. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace custom CopyNativeDependencies MSBuild target (which only copied to build output) with Content items using CopyToPublishDirectory so capstone.dll, msdia140.dll, and tree-sitter DLLs are included when running dotnet publish. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Path.GetDirectoryName strips '//server' from 'srv*https://server' as a UNC-like path component, leaving just 'srv*https:'. Bypass TryGetDirectoryName for symbol server paths (starting with 'srv*'). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PE stores decorated MSVC names (e.g. ?ProcessComposition@CComposition@@UEAAXXZ) in FunctionDebugInfo.Name, but callers pass human-readable demangled names (e.g. CComposition::ProcessComposition) from Kusto telemetry. FindFunction now builds a lazy per-trace dictionary mapping demangled names back to IRTextFunction, using PDBDebugInfoProvider.DemangleFunctionName with OnlyName|NoReturnType|NoSpecialKeywords options. The lookup order is: 1. Exact decorated name match 2. Exact demangled name match (via lazy dict) 3. Exact hex placeholder match 4. Contains on demangled name 5. Contains on decorated/hex name DemangledFunctionLookup is cleared in ProfileSession.Reset() so it rebuilds fresh on each new trace load. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Revert the McpServer.csproj native dependency change from Content items back to the original NativeDependency/CopyNativeDependencies pattern. Add a matching CopyNativeDependenciesOnPublish target that runs AfterTargets='Publish' to copy native DLLs (capstone, msdia140, tree-sitter) to \, ensuring they are included in self-contained win-x64 publish outputs used for Azure Batch deployment. Also revert unrelated ProfileExplorerUI.csproj changes (version bump and publish\ exclusion). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add FunctionNameDemanglingTests covering: - Non-decorated names pass through unchanged (plain C, hex placeholders, null/empty) - Decorated MSVC names demangle correctly with default options - OnlyName|NoReturnType|NoSpecialKeywords options (the exact flags used by FindFunction) produce a scoped name matching what Kusto callers supply Wire managed identity into ProfileExplorer.exe startup path: - App.OnStartup now calls PDBDebugInfoProvider.ReinitializeCredentials after LoadApplicationSettings so that ManagedIdentityEnabled from saved user settings is applied at launch, not just when OpenTrace is driven via MCP. Previously the static credential chain always started as the interactive chain regardless of saved settings. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
ivberg
approved these changes
Jun 4, 2026
trgibeau
added a commit
that referenced
this pull request
Jun 24, 2026
Resolve FindFunction conflict in McpServer by adapting main's demangled-name lookup feature to the branch's ProfileFunctionId model. Auto-merge keeps main's Managed Identity symbol auth (#58) alongside the PdbSymbolProvider refactor.
trgibeau
added a commit
that referenced
this pull request
Jul 2, 2026
Resolve FindFunction conflict in McpServer by adapting main's demangled-name lookup feature to the branch's ProfileFunctionId model. Auto-merge keeps main's Managed Identity symbol auth (#58) alongside the PdbSymbolProvider refactor.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds opt-in Azure Managed Identity support for symbol server authentication, enabling headless/Azure deployments (e.g. BigRedPerfAI) to download PDB symbols without interactive browser auth.
Changes
\SymbolFileSourceSettings.cs\
\PDBDebugInfoProvider.cs\
\Program.cs\ (MCP server)
Notes