fix(graph-query): sync CIClient.cypher params parity + document workspace binding#29
Merged
Merged
Conversation
…pace binding
The async AsyncCIClient.cypher() and the graph_query tool already forward `params` on main, but the SYNCHRONOUS CIClient.cypher() still hardcoded `params: {}` and did not accept a params argument. This brings the sync client to parity (accepts `params: dict[str, Any] | None = None`, forwards `params if params is not None else {}`), matching the async implementation exactly.
Documents verified server behavior in the graph_query tool's `params` input-schema description: the effective workspace is bound into the query as the $workspace parameter; a specific (non-"*") workspace overrides any `workspace` key supplied in params, while "*" (all-workspaces) leaves a caller-supplied `workspace` key untouched. (Verified against the server handler at context_intelligence_server/main.py:214-216 in microsoft/amplifier-context-intelligence.)
Adds 2 sync-client regression tests (params forwarding + backward-compat empty-dict default).
3 tasks
colombod
added a commit
that referenced
this pull request
Jun 29, 2026
Process-level singleton AzureCliCredential with lock-free in-memory cache
keyed by scope. Cache strategy:
- Single TokenCredential per process (no repeated az subprocess overhead)
- Dict read on cache hit (~0.002 ms), threading.Lock only on refresh
- Fail-loud on token refresh; reset() seam for test/switch scenarios
- AMPLIFIER_CONTEXT_INTELLIGENCE_TOKEN_REFRESH_MARGIN_S env var for TTL tuning
Eliminates ~487-913 ms-per-request az subprocess cost on hot path.
Measured on real EntraTokenAuth against live az:
- mount / build_auth_strategy(entra) x8: first 63.9 ms, rest 0.0015 ms
- headers() hot path: first 914 ms (real az), cached 0.0017 ms (~500,000x)
- 8 in-process subsessions sharing singleton: ONE az spawn (437 ms) + 7
cached (~0.0009 ms each) = 437 ms total (~9x over isolated, grows with N)
- cached bearer token still validates (HTTP 202 from server)
Council-approved conditional GO; implements all five conditions:
- Threading.Lock (loop-agnostic, not asyncio.Lock per COE)
- Scope + tenant keying (TB)
- Fail-loud on refresh (ROB + TB + UA)
- reset() seam + fake-credential injection (UA)
- Re-measured against real az (ROB's merge gate, GREEN)
Stale 'SDK refreshes' comment replaced with justification: measurement
proves the reversal necessary, and future engineers have evidence.
Relates to 146c8ea (dual auth design), b0f82e4 (entra wiring),
fc964eb (PR #29 server validation)
Generated with [Amplifier](https://github.com/microsoft/amplifier)
Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
colombod
added a commit
that referenced
this pull request
Jun 29, 2026
Process-level singleton AzureCliCredential with lock-free in-memory cache
keyed by scope. Cache strategy:
- Single TokenCredential per process (no repeated az subprocess overhead)
- Dict read on cache hit (~0.002 ms), threading.Lock only on refresh
- Fail-loud on token refresh; reset() seam for test/switch scenarios
- AMPLIFIER_CONTEXT_INTELLIGENCE_TOKEN_REFRESH_MARGIN_S env var for TTL tuning
Eliminates ~487-913 ms-per-request az subprocess cost on hot path.
Measured on real EntraTokenAuth against live az:
- mount / build_auth_strategy(entra) x8: first 63.9 ms, rest 0.0015 ms
- headers() hot path: first 914 ms (real az), cached 0.0017 ms (~500,000x)
- 8 in-process subsessions sharing singleton: ONE az spawn (437 ms) + 7
cached (~0.0009 ms each) = 437 ms total (~9x over isolated, grows with N)
- cached bearer token still validates (HTTP 202 from server)
Council-approved conditional GO; implements all five conditions:
- Threading.Lock (loop-agnostic, not asyncio.Lock per COE)
- Scope + tenant keying (TB)
- Fail-loud on refresh (ROB + TB + UA)
- reset() seam + fake-credential injection (UA)
- Re-measured against real az (ROB's merge gate, GREEN)
Stale 'SDK refreshes' comment replaced with justification: measurement
proves the reversal necessary, and future engineers have evidence.
Relates to 146c8ea (dual auth design), b0f82e4 (entra wiring),
fc964eb (PR #29 server validation)
Generated with [Amplifier](https://github.com/microsoft/amplifier)
Co-Authored-By: Amplifier <240397093+microsoft-amplifier@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CIClient.cypher()(synchronous) now accepts an optionalparams: dict[str, Any] | None = Noneand forwards it in the/cypherPOST body (previously hardcoded to{}). The async client and thegraph_querytool already did this onmain; this closes the remaining gap so parameterized Cypher works through the sync client too. Additive and backward-compatible (defaults to{}).graph_querytool'sparamsinput-schema description now documents the server's actual workspace handling — the effective workspace is bound into the query as the$workspaceparameter; a specific (non-*) workspace overrides anyworkspacekey supplied insideparams, while*(all workspaces) passes a caller-suppliedworkspacekey through unchanged.Background
This was discovered while reviewing an out-of-tree fork's PR. The core
paramsend-to-end work already landed onmainfor the async path, but the synchronousCIClient.cypher()still droppedparams. The workspace-precedence note was verified directly against the server handler (context_intelligence_server/main.py:214-216):params = dict(body.params); if body.workspace is not None and body.workspace != "*": params["workspace"] = body.workspacethensession.run(body.query, params).Test Plan
test_cypher_forwards_params,test_cypher_default_params_is_empty_dict)tests/test_client.py: 52 passedtests/dtu/, not touched by this change)modules/tool-graph-querysuite: 29 passed