Two agents, one team — a Foundry demo, prompt by prompt

I'll start by getting you set up so you can send screenshots, then mirror the vault structure for the new demo project. Let me invoke the agent-share skill (for registration) and explore the vault structure in parallel.

Registered ✅ — I'm online as foundry-demo (role: "Building the Azure Foundry demo project + slides; send me your Foundry agent screenshots here"). You can share screenshots to me from your phone or the Windows Share panel now.

Now let me study the deck-rendering machinery so I can faithfully mirror it for the new project.

This is a well-engineered pipeline — shared content/*.md → slides.py loader → per-brand build_deck.py that emits both a .pptx and a pixel-faithful preview/mirror.html, screenshotted by Playwright. I'll mirror exactly that for the Foundry demo (and make the HTML a navigable slideshow so you can present "from where we are talking").

Source-of-truth layer is complete and validated. Now I'll fan out the build: two agents author the two brand skins (each self-verifying by rendering and reading its own PNGs until clean), plus a Foundry fact-checker (against Microsoft Learn — this room will know if a claim is wrong) and a narrative critic. This is the kind of independent parallel work a workflow is for.

✅ Registered — ready for your screenshots now

This session is live on pks-agent-share as foundry-demo (inbox 20260608T091626Z-5a9782f8, online). It now shows up in your phone's share sheet and the Windows Share panel. When you share something from your Foundry agent, just say "I shared X" and I'll pull the inbox and act on it — that flow is the demo.

That's the Foundry "Add Model Context Protocol tool" dialog — saved. Two things jump out immediately that will matter when you hit Connect:

1. The credential key says authoriztion — that's a typo (missing a). Foundry sends it as a literal HTTP header, so the server will never see an Authorization header.
2. The auth dropdown is on Key-based (one of the 4). Let me confirm exactly what our /mcp endpoint expects, and find the local server behind your tunnel so I can watch the request.

Found it. Foundry's requests are arriving at the container — look at share-ddpjqyjx's own logs:

09:51:24  POST /mcp  ua=AzureAIFoundryAgentRuntime/1820665  xff=4.223.92.158  → 401
09:51:24  GET  /mcp  ua=AzureAIFoundryAgentRuntime/1820665  xff=4.223.92.114  → 401
09:52:37  POST /mcp  ua=AzureAIFoundryAgentRuntime/1820665  → 401   ← your post-typo-fix retry
09:53:17  POST /mcp  ua=curl/7.88.1  → 401                          ← my probe

So: requests land fine (you were watching the wrong log — these are in the share resource console, not the tunnel). They 401 because the token isn't valid on this local server (it's a prod token / the local server is OIDC auth-mode). And Foundry sends auth as a header (UA AzureAIFoundryAgentRuntime), not querystring.

Now let's do what you asked — add full header + query logging so we can see exactly what Foundry sends.

The new logging works — and it's already revealing. My probe came through exactly as hoped:

msg=http.headers method=POST path=/mcp rawquery="probe=hello123" headers="
    Accept: application/json, text/event-stream
    Authorization: Bearer test-bearer-value-XYZ
    Content-Type: application/json
    User-Agent: curl/7.88.1
    X-Forwarded-For: 10.0.0.1
    X-Forwarded-Host: share--agentic-tunnel.tunnels.agentics.dk:8443
    X-Forwarded-Proto: https
    X-Foundry-Probe: claude-watch"

So the share container now logs every header + the raw query (msg=http.headers). This also proves the tunnel forwards Authorization intact (it's not being stripped) — so when Foundry sends it, we'll see it verbatim.

Now we can see exactly what Foundry sends — and there's the bug:

POST /mcp  ua=AzureAIFoundryAgentRuntime
  Authorization: 2a90865906900d72d1f7d803daa98e799b79995a2dc843ac
  Type: custom_MCP

Foundry sends Authorization: <token> with no Bearer prefix — but our resolve() does CutPrefix(h, "Bearer ") and requires it. That's the 401. And yes — your user exists locally (/data/users/u-8a4d58b93ae35f8aab005728, inbox 20260606T173516Z-f86dfa3b), so the token is right; it's just missing the prefix.

Genuinely frontier question — and the mechanism we just used (managed-identity auth with a configurable audience) is exactly the hinge. Let me verify the Foundry/Azure RBAC specifics before answering, since getting the roles and token audiences right matters.

Verified — full write-up appended to _research/a2a-foundry.md. Short version:

Yes — but with one premise correction and a cleaner way to do it

Adding another A2A agent → YES (scriptable). "Update itself" → PARTLY (it's "create a new version of itself," live only on the next run — agent definitions are immutable per version, and a new tool can't be bolted on mid-run).

The better design (and it fits what we're building)

Don't give the agent broad ARM rights. Instead, expose a register_teammate tool on our side (MCP or A2A) that the agent calls with its agent-identity token — which we already validate. Our backend then does the privileged Foundry writes (ARM connection PUT + agent version POST) using its own scoped service principal.

→ The agent's identity gates who may ask; our controlled backend governs what actually happens. Least-privilege, no Contributor on the agent, and it slots right into the A2A MVP. That's the "broker mints teammates" pattern.

Green light — building the full A2A protocol (card + message/send blocking and message/stream SSE and tasks/get polling and tasks/pushNotificationConfig), so we can empirically see which completion path Foundry actually honors. And for your "Claude sessions are long" point: I'll add task.update which pushes progress both to any A2A subscriber and — guaranteed — to your phone via the Web Push we already have. So even if Foundry's client won't take a notification, you always get one.

Let me start writing. First the shared task model + the card builder.

All wired. Let me compile it (via the image build) and surface any errors.

Compiled clean (#12 DONE = the Go build, no errors). Restart share and run a full end-to-end rendezvous test (card → message/send blocks → task.complete via MCP unblocks it).

The A2A rendezvous works end-to-end. message/send blocked → task.complete delivered → the blocked call returned a completed Task with artifact "42", and the phone push fired (pushed: true). The agent.register A2A block was empty only because I didn't set PUBLIC_BASE_URL on the throwaway container — let me confirm that path too.

✅ A2A MVP built and proven end-to-end

The whole bridge works. Verified just now (standalone container): I sent a message/send task "7x6?", it blocked, the agent called task.complete(... "42"), and the blocked call returned a completed Task with artifact "42" — plus a phone push fired.

What shipped (in share-server):

• New internal/tasks (rendezvous broker) + internal/a2a (Agent Card + JSON-RPC): GET /a2a/{inboxId}/.well-known/agent-card.json + POST /a2a/{inboxId} handling message/send (blocking), message/stream (SSE), tasks/get, tasks/resubscribe, tasks/pushNotificationConfig/set. Auth reuses our /mcp resolve — so key-based or the Entra identity both work.
• New MCP tools: task.list · task.update · task.complete · get_agent_card, and agent.register now returns the Foundry connection block.
• For your "Claude sessions are long" point: task.update/task.complete buzz the phone via Web Push (pushed: true) — a guaranteed notify-back even if Foundry's client won't take one.

I'll tail it. Let me confirm I can follow the container logs directly and set up a watcher that fires when the round-trip lands.

You're already mid-test — I can see it: a fresh Foundry card fetch + message/send at 19:09:57 (Type: custom_A2A, key-based token), blocking right now. No task.complete yet. Let me arm a live watcher so each step pings me.

Huge finding — Foundry DOES poll tasks/get! After the message/send returned a "working" Task at 25s, Foundry started hammering tasks/get (~30ms intervals) waiting for the result. That contradicts the earlier research — the async path works! The task just never got completed, so it's polling forever (and flooding the monitor). Let me complete it (which delivers the result to Foundry and stops the poll) and kill the noisy monitor.

✅ Stopped. The poll rate dropped to 0 — completing task-f1b1… (the one Foundry was actually polling) delivered the result, so Foundry's next tasks/get returned "completed" and it stopped spinning. Copenhagen Host should now show "agentic-live-www: acknowledged — complete."

az is installed ✓ and the endpoint is reachable ✓, but you're not logged in yet in this container. az login is interactive — please run it here with the device-code flow:

! az login --use-device-code

(The ! runs it in this session; it'll print a code + URL — authenticate as d-pks@****.dk in your browser.)

Meanwhile I'll scaffold + compile the .NET client so it's ready to run the moment you're logged in (build doesn't need az).

The client is built and ready — only the interactive login is left, which I can't do for you. Please run it here:

! az login --use-device-code

The program does two things so we learn exactly where we stand:

1. [auth] — mints an https://ai.azure.com/.default token from your az login. This is the proof that Entra/RBAC works (and, by its absence, that no shared key is involved).
2. [agent] — calls test001 v2 with a joke prompt. If RBAC is wired right (Foundry User on ai-model-credits), you'll see the agent's reply; if the role hasn't propagated yet you'll get a clean 401/403 we can read.

Big result: the auth question is answered — Entra/RBAC works, no shared key.

[auth] OK — minted ai.azure.com token, expires 2026-06-08 21:23:58Z

Your az/PIM login (d-pks@****.dk, Foundry tenant) successfully minted the https://ai.azure.com/.default data-plane token and the client got past auth. That's the definitive answer to your earlier question: the Foundry agent data-plane takes an Entra ID/RBAC token only — a shared key is neither needed nor accepted here.

The remaining failure is not auth — it's an SDK plumbing bug:

[agent] FAILED: ArgumentException: Unknown connection type for ID: Internal.EndpointPipelineData

That's an internal mismatch between Azure.AI.Projects 2.0.0-beta.2 and the Azure.AI.Extensions.OpenAI 2.1.0-beta.3 I pulled with --prerelease (a newer release wave).

It works end-to-end. 🎉

[auth] OK — minted ai.azure.com token, expires 2026-06-08 21:23:57Z
[agent] -> Hello! Tell me a one-line joke about coding agents.
[agent] output:
Why did the coding agent write tests first? Because it wanted to fail fast and apologize faster.

So we now have a working, scripted Foundry driver — no UI clicking. Two settled facts:

• Auth: Entra/RBAC only. Your PIM-activated d-pks@****.dk (Foundry User) → DefaultAzureCredential → ai.azure.com token → agent responds. A Foundry shared key is not accepted on the agent data-plane (keys are only for direct Azure OpenAI inference).
• SDK gotcha nailed: the agent call needs a matched release wave — Azure.AI.Projects 2.0.1 + Azure.AI.Extensions.OpenAI 2.0.0 (GA). The earlier EndpointPipelineData error was purely the mismatched --prerelease Extensions.

Love this — that's the real "fire-and-continue" story. To show it genuinely (the same task stays working while you keep chatting, completed only later), I'll extend the .NET driver into a multi-turn a2a command with a gated responder I control: it holds the incoming task (doesn't complete it), I run a second conversational round-trip with test001, then release the gate to complete it. This also reveals whether Foundry's A2A tool returns on a non-terminal task or blocks to terminal — so the harness adapts either way.

The experiment paid off — it revealed something important and presentable.

Foundry's A2A tool is synchronous: it blocks the agent's turn until the delegated task reaches a terminal state. The proof is in the timeline:

• Turn 1: message/send (20:39:11.489) → one held tasks/get (20:39:11.519). Our responder held the task (didn't complete). Turn 1 blocked for 14s — until I released the gate at 12s and we completed it. Only then did test001 return.

So you can't literally keep chatting with the Foundry agent during a single delegation — its a2a_preview tool long-polls our tasks/get to terminal before returning. (The long-poll still earns its keep: one held request, not the 33/sec storm.)

The pattern that genuinely gives you "runs in the background while you keep talking" with Foundry's synchronous tool is ACK-now + result-on-follow-up.

The takeaway / demo framing: the A2A protocol is async, and our server is async-proper — but Foundry's current consumer blocks a delegation to completion. So the real "long job + keep talking" pattern is ack-fast, deliver-on-follow-up, which our async server + long-poll make clean and efficient (no storm, instant wake). That's a sharp, true point to make on stage: "the protocol is async; the consumer isn't yet — so design for ack + check-back."

pks image is ready: pks image "<prompt>" -m gpt-image-2 -o <file> --aspect-ratio 16:9. Let me validate it works (auth + quality) with the first on-brand image before generating the full set — Ember-Dark + amber #f87f2e, no text (gpt-image-2 garbles text, so the images carry the vibe and the markdown carries the labels):

All six are on-brand and read clearly. The illustrated explainer is complete at projects/azure-foundry-demo/explainer/README.md — a self-contained doc with the six gpt-image-2 images, grounded in the real evidence we captured (actual timestamps, payloads, transcript).

Ah, got it — you want the images to teach the mechanics (like the photogrammetry explainers — annotated diagrams people understand from the picture itself), not mood pieces. Let me look at how those photogrammetry explainers were actually built so I match that approach:

All six are dialed in — clean flat-vector infographics with legible labels that teach the mechanic, exactly the photogrammetry style. The explainer is now a proper teaching artifact at projects/azure-foundry-demo/explainer/README.md:

The prose and the figures now teach together — someone can read it and understand A2A async + our findings, with every number tied to what we actually measured. The earlier cinematic set is preserved in images/mood/ (nice as slide openers).

The spec is decisive — quoting it: taskId, contextId, and referenceTaskIds are all real (optional) fields on the A2A Message object, and clients SHOULD include the same contextId/taskId (or referenceTaskIds) to maintain multi-turn continuity. So Foundry isn't hitting a protocol gap — it's omitting the optional spec fields that exist precisely for this. That sharpens the claim a lot.

That's airtight evidence — all four calls, both directions, real timestamps. The smoking gun: Call 3 (the "check the job" delegation) carries a fresh messageId and no taskId/contextId/referenceTaskIds, and doesn't reference Call 1's task-518ee726… or its contextId at all — even though our Call 1 response handed Foundry a contextId to echo.

Confirmed from our code: createTask always mints a fresh taskID/ctxID (randHex) and messageSend passes only the text through — so our server ignores any incoming contextId/taskId. But our response does return a contextId (the trace proves it). Let me empirically demonstrate our side when a client does echo a contextId back, so the attribution is airtight:

That settles it — and the honest answer is "mostly Foundry, but let's be precise."

• The break you can see on the wire is Foundry's. We have zero control over what Foundry puts in its request, and it sends none of the threading fields even though we handed it a contextId to echo. That's a client-side omission in a2a_preview.
• But in full honesty, our demo bridge has the matching gap: even if Foundry did echo a contextId, our createTask ignores it and starts fresh. So true end-to-end threading needs a small change on both sides — Foundry to echo, us to honor.
• The first and observable broken link is Foundry's. We do our half of offering the thread; we just don't (yet) do our half of continuing it.

That's the credible thing to say on stage — it's more convincing to a technical audience than "Foundry is broken," and it's accurate.

Both are genuinely good ideas — and they point at the right product shape: the channel as a single "wake on anything sent to me" surface, with the inbox tools available conversationally so you never memorize CLI commands.

• In-session register/card: there's no inbox-token REST route for it yet (only the in-process MCP agent.register sets the name), so I'll add a small POST /api/agent/identity and expose register + get_agent_card + list tools on the channel.
• Shares → channel: every to_agent share already fires OnShare; I'll have that also signal the broker so a phone-share wakes the channel exactly like an A2A task does.

Let me build both (all additive — the proven A2A path is untouched).

Both ideas built, tested, and deployed. ✓

• In-session tools (no CLI commands) — the channel now exposes register, get_agent_card, list, complete, mark_received. Verified: tools/list shows all five, and calling get_agent_card returned the endpoint. So in-session you can just say "register me as demo-agent" or "show my agent card" and paste into Foundry — no memorized commands.
• Shares wake the channel too — I POSTed a phone text share and the channel pushed notifications/claude/channel → content:"remember to review the PR", kind:"text", shareId:…, and mark_received worked. So both A2A tasks and phone shares wake the idle session, over one channel.

The one idea: the inbox is the address

Both sides point at the same inbox; the inbox's token is what binds them:

 Foundry A2A tool ──►  …/a2a/<inboxId>   +  key: Bearer <token>      ┐
                                                                      ├─ same inbox ⇒ connected
 your Claude channel ─►  .mcp.json env  AGENT_SHARE_TOKEN=<token>     ┘

Foundry drops tasks into that inbox; your channel long-polls that inbox and pushes its tasks into your session. They rendezvous at the inbox.

Yes — that makes total sense, and it's the "don't memorize commands" instinct again: setting up a folder should be one step, not "register, then remember install, then remember the channel flag." Let me wire agent-share install channel so it writes the .mcp.json for channel mode (and point register at it).

The mental shortcut for the whole thing: agent-share register = "create my agent identity (an inbox)", run once; agent-share card = "what do I paste into Foundry"; agent-share channel = "be that agent, idle, and wake on tasks." All three glued by your login + the directory, so a new user never touches a token.