Address feedback from Copilot

Author: pamelafox

.dockerignore

@@ -2,3 +2,14 @@
 .venv
 .logfire
 .devcontainer
+infra
+
+# Common Python and development files to exclude
+__pycache__
+*.pyc
+*.pyo
+*.egg-info
+.pytest_cache
+.ruff_cache
+.env
+.git

agents/Dockerfile

@@ -14,7 +14,8 @@ COPY --from=ghcr.io/astral-sh/uv:0.9.14 /uv /uvx /bin/
 WORKDIR /code
 
 # Copy dependency files and install dependencies (for layer caching)
-# Note: We avoid --mount=type=cache since Azure Container Apps remote build doesn't support BuildKit
+# Note: We can't use --mount=type=cache since Azure Container Apps remote build doesn't support BuildKit:
+# https://github.com/Azure/acr/issues/721
 COPY uv.lock pyproject.toml ./
 RUN uv sync --locked --no-install-project
 

infra/core/host/container-apps.bicep

@@ -15,6 +15,8 @@ param subnetResourceId string = ''
 
 param usePrivateIngress bool = true
 
+param usePrivateAcr bool = false
+
 module containerAppsEnvironment 'container-apps-environment.bicep' = {
   name: '${name}-container-apps-environment'
   params: {
@@ -36,6 +38,7 @@ module containerRegistry 'container-registry.bicep' = {
     location: location
     tags: tags
     useVnet: !empty(vnetName)
+    usePrivateAcr: usePrivateAcr
   }
 }
 

infra/core/host/container-registry.bicep

@@ -10,8 +10,8 @@ param encryption object = {
   status: 'disabled'
 }
 param networkRuleBypassOptions string = 'AzureServices'
-param publicNetworkAccess string = 'Enabled' // Keep public access enabled for pushing images from local machine
 param useVnet bool = false // Determines if VNet integration is enabled
+param usePrivateAcr bool = false // Determines if public network access should be disabled
 param sku object = {
   name: useVnet ? 'Premium' : 'Standard' // Use Premium if VNet is required, otherwise Standard
 }
@@ -32,7 +32,7 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-pr
     dataEndpointEnabled: dataEndpointEnabled
     encryption: encryption
     networkRuleBypassOptions: networkRuleBypassOptions
-    publicNetworkAccess: publicNetworkAccess
+    publicNetworkAccess: usePrivateAcr ? 'Disabled' : 'Enabled'
     zoneRedundancy: zoneRedundancy
   }
 }

infra/main.bicep

@@ -46,6 +46,12 @@ param useVnet bool = false
 @description('Flag to enable or disable public ingress')
 param usePrivateIngress bool = false
 
+@description('Flag to restrict ACR public network access (requires VPN for local image push when true)')
+param usePrivateAcr bool = false
+
+@description('Flag to restrict Log Analytics public query access for increased security')
+param usePrivateLogAnalytics bool = false
+
 var resourceToken = toLower(uniqueString(subscription().id, name, location))
 var tags = { 'azd-env-name': name }
 
@@ -152,7 +158,7 @@ module logAnalyticsWorkspace 'br/public:avm/res/operational-insights/workspace:0
     skuName: 'PerGB2018'
     dataRetention: 30
     publicNetworkAccessForIngestion: useVnet ? 'Disabled' : 'Enabled'
-    publicNetworkAccessForQuery: 'Enabled' // Keep public query access for debugging - change to 'Disabled' for more security
+    publicNetworkAccessForQuery: usePrivateLogAnalytics ? 'Disabled' : 'Enabled'
     useResourcePermissions: true
   }
 }
@@ -554,7 +560,7 @@ module monitorPrivateLinkScope 'br/public:avm/res/insights/private-link-scope:0.
     tags: tags
     accessModeSettings: {
       ingestionAccessMode: 'PrivateOnly'
-      queryAccessMode: 'Open' // Allow public queries for debugging - change to 'PrivateOnly' for more security
+      queryAccessMode: usePrivateLogAnalytics ? 'PrivateOnly' : 'Open'
     }
     scopedResources: [
       {
@@ -606,6 +612,7 @@ module containerApps 'core/host/container-apps.bicep' = {
     vnetName: useVnet ? virtualNetwork!.outputs.name : ''
     subnetName: useVnet ? virtualNetwork!.outputs.subnetNames[0] : ''
     usePrivateIngress: usePrivateIngress
+    usePrivateAcr: usePrivateAcr
   }
 }
 

infra/main.parameters.json

@@ -20,6 +20,12 @@
       "usePrivateIngress": {
         "value": "${USE_PRIVATE_INGRESS=false}"
       },
+      "usePrivateAcr": {
+        "value": "${USE_PRIVATE_ACR=false}"
+      },
+      "usePrivateLogAnalytics": {
+        "value": "${USE_PRIVATE_LOGANALYTICS=false}"
+      },
       "serverExists": {
         "value": "${SERVICE_SERVER_RESOURCE_EXISTS=false}"
       },

infra/server.bicep

@@ -74,9 +74,9 @@ module app 'core/host/container-app-upsert.bicep' = {
           path: '/health'
           port: 8000
         }
-        initialDelaySeconds: 3
+        initialDelaySeconds: 10
         periodSeconds: 3
-        failureThreshold: 30
+        failureThreshold: 60
       }
       {
         type: 'Readiness'

servers/Dockerfile

@@ -14,7 +14,8 @@ COPY --from=ghcr.io/astral-sh/uv:0.9.14 /uv /uvx /bin/
 WORKDIR /code
 
 # Copy dependency files and install dependencies (for layer caching)
-# Note: We avoid --mount=type=cache since Azure Container Apps remote build doesn't support BuildKit
+# Note: We can't use --mount=type=cache since Azure Container Apps remote build doesn't support BuildKit:
+# https://github.com/Azure/acr/issues/721
 COPY uv.lock pyproject.toml ./
 RUN uv sync --locked --no-install-project
 

servers/deployed_mcp.py

@@ -66,7 +66,17 @@
 
 
 @mcp.custom_route("/health", methods=["GET"])
-async def health_check(request):
+async def health_check(_request):
+    """
+    Health check endpoint for service availability.
+
+    This endpoint is used by Azure Container Apps health probes to verify that the service is running.
+    Returns a JSON response with the following format:
+        {
+            "status": "healthy",
+            "service": "mcp-server"
+        }
+    """
     return JSONResponse({"status": "healthy", "service": "mcp-server"})