Add internal text embedding system

[robertopc1]

Why make this change?

Internal DAB system for text embedding/vectorization to support future parameter substitution and Redis semantic search features.

What is this change?

Configuration (runtime.embeddings)

enabled: Master toggle (default: true)
provider: azure-openai | openai
base-url, api-key, model: Provider connection (supports @env())
api-version, dimensions, timeout-ms: Optional tuning
endpoint.enabled/path/roles: Optional REST endpoint at configured path (default: /embed)
health.enabled/threshold-ms/test-text/expected-dimensions: Health check config
Core Components

IEmbeddingService with TryEmbedAsync() pattern - returns result objects, no exceptions
EmbeddingService - HTTP client with FusionCache L1 (24h TTL, SHA256 hash keys with provider/model included)
EmbeddingsOptionsConverterFactory - Custom JSON deserializer with env var replacement
EmbeddingTelemetryHelper - OpenTelemetry metrics/spans for latency, cache hits, dimensions
EmbeddingController - REST endpoint for /embed with role-based authorization
Health Check Implementation ✅

HealthCheckHelper.UpdateEmbeddingsHealthCheckResultsAsync() - Executes test embedding with threshold validation
Validates response time against health.threshold-ms
Validates dimensions against health.expected-dimensions if specified
Reports Healthy/Unhealthy status in comprehensive health check report
ConfigurationDetails includes Embeddings and EmbeddingsEndpoint status
REST Endpoint Implementation ✅

EmbeddingController serves POST requests at configured path (default: /embed)
Accepts plain text input and returns comma-separated float values (plain text)
Role-based authorization using X-MS-API-ROLE header
In development mode, defaults to anonymous access
In production mode, requires explicit role configuration
Validation & Safety

Constructor validates Azure OpenAI requires model/deployment name
Constructor validates required fields (BaseUrl, ApiKey)
Cache keys include provider and model to prevent collisions
Validates non-empty embedding arrays from API responses
Telemetry Integration

TryEmbedAsync and TryEmbedBatchAsync instrumented with activity spans and metrics
Cache hit/miss tracking in batch operations
API call duration and error tracking
Integration Points

Health check report includes embeddings status in comprehensive checks
Hot reload via EMBEDDINGS_CONFIG_CHANGED event
Startup logging when embeddings configured
CLI: dab configure --runtime.embeddings.*
Code Organization

Azure.DataApiBuilder.Config.ObjectModel.Embeddings - Config models
Azure.DataApiBuilder.Core.Services.Embeddings - Service, telemetry, interface
Azure.DataApiBuilder.Service.Controllers - EmbeddingController

How was this tested?

• Integration Tests
• [x ] Unit Tests

Sample Request(s)

{
"runtime": {
"embeddings": {
"enabled": true,
"provider": "azure-openai",
"base-url": "@env('EMBEDDINGS_ENDPOINT')",
"api-key": "@env('EMBEDDINGS_API_KEY')",
"model": "text-embedding-ada-002",
"endpoint": {
"enabled": true,
"path": "/embed",
"roles": ["authenticated"]
},
"health": {
"enabled": true,
"threshold-ms": 5000,
"test-text": "health check"
}
}
}
}
Embed Endpoint:

curl -X POST http://localhost:5000/embed
-H "Content-Type: text/plain"
-H "X-MS-API-ROLE: authenticated"
-d "Hello, world!"

Response:

0.123456,0.234567,0.345678,...

[Copilot]

Pull request overview

Adds a new internal embeddings/vectorization subsystem to DAB, including runtime configuration (runtime.embeddings), an HTTP-backed embedding service with caching/telemetry, an optional REST endpoint, and health-check reporting integration.

Changes:

• Introduces EmbeddingsOptions config models + JSON schema + custom converter and runtime validation.
• Adds IEmbeddingService/EmbeddingService (OpenAI/Azure OpenAI) with FusionCache L1 caching and OpenTelemetry instrumentation.
• Integrates embeddings status into health reporting and adds a new /embed-style endpoint controller plus CLI configuration flags.

Reviewed changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
src/Service/Startup.cs	Registers embeddings services/options and wires embeddings into service startup logging.
src/Service/HealthCheck/Model/ConfigurationDetails.cs	Extends health check configuration details to include embeddings flags.
src/Service/HealthCheck/HealthCheckHelper.cs	Adds embeddings health check execution + reporting.
src/Service/Controllers/EmbeddingController.cs	New REST endpoint controller for embedding generation.
src/Service.Tests/UnitTests/EmbeddingsOptionsTests.cs	Unit tests for embeddings config deserialization/serialization and env var replacement.
src/Service.Tests/UnitTests/EmbeddingServiceTests.cs	Unit tests for EmbeddingService option behaviors and disabled-path failures.
src/Service.Tests/UnitTests/ConfigValidationUnitTests.cs	Adds validation test coverage for embeddings config constraints.
src/Core/Services/Embeddings/IEmbeddingService.cs	Defines embeddings service contract + result types.
src/Core/Services/Embeddings/EmbeddingTelemetryHelper.cs	Adds embeddings-specific metrics and tracing helpers.
src/Core/Services/Embeddings/EmbeddingService.cs	Implements embedding calls, caching, and telemetry hooks.
src/Core/Configurations/RuntimeConfigValidator.cs	Adds validation for runtime.embeddings settings (URLs, required fields, endpoint conflicts, etc.).
src/Config/RuntimeConfigLoader.cs	Registers the embeddings JSON converter in runtime config serialization options.
src/Config/ObjectModel/RuntimeOptions.cs	Adds Embeddings to runtime options and exposes IsEmbeddingsConfigured.
src/Config/ObjectModel/Embeddings/EmbeddingsOptions.cs	New embeddings config model with defaults and “effective” helper properties.
src/Config/ObjectModel/Embeddings/EmbeddingsHealthCheckConfig.cs	New embeddings health-check config model.
src/Config/ObjectModel/Embeddings/EmbeddingsEndpointOptions.cs	New embeddings endpoint config + role checks.
src/Config/ObjectModel/Embeddings/EmbeddingProviderType.cs	Defines supported providers (azure-openai, openai).
src/Config/HotReloadEventHandler.cs	Registers a new embeddings-related hot-reload event slot.
src/Config/HealthCheck/HealthCheckConstants.cs	Adds an “embedding” health-check tag constant.
src/Config/DabConfigEvents.cs	Adds an embeddings service config-changed event constant.
src/Config/Converters/EmbeddingsOptionsConverterFactory.cs	Custom JSON converter for embeddings config.
src/Cli/ConfigGenerator.cs	Adds config generation/update flow for embeddings options.
src/Cli/Commands/ConfigureOptions.cs	Adds CLI flags for runtime.embeddings.* configuration.
schemas/dab.draft.schema.json	Adds JSON schema definition for runtime.embeddings.

[Copilot]

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 8 comments.

[Copilot]

No tests found for EmbeddingController. The controller includes significant logic that should be tested:

• Route matching and path validation
• Authorization checks (role-based access control)
• Development vs production mode behavior
• Request body parsing (plain text and JSON)
• Empty request body validation
• Service availability checks
• Error response handling
• Integration with IEmbeddingService

Add unit tests or integration tests for the EmbeddingController to ensure the endpoint behaves correctly under various scenarios.

[Copilot]

The cache key generation does not include the dimensions parameter, which can affect the embedding output. If a user changes the dimensions configuration for the same provider/model/text combination, they will get the cached embedding with the old dimensions instead of generating a new one with the updated dimensions.

Consider including the dimensions value (if user-provided) in the cache key to ensure cache keys are unique per configuration: $"{_options.Provider}:{_options.EffectiveModel}:{_options.Dimensions}:{text}"

[Copilot]

The controller uses a catch-all route pattern [Route("embed/{*route}")] but then manually validates the full request path matches the configured endpoint path. This approach has a potential issue:

If the configured path is NOT /embed (e.g., /vectorize), the route won't match at all because the route template is hardcoded to embed/{*route}. The controller will never be invoked for paths like /vectorize.

The comment on line 26 mentions using "embed" prefix to avoid conflicts, but this creates a mismatch between the route template and the configurable endpoint path. Either:

1. Make the route template dynamic based on configuration, or
2. Document that the endpoint path MUST start with /embed regardless of configuration, or
3. Use a different routing approach that can handle arbitrary paths

This is a fundamental design issue that prevents the endpoint.path configuration from working as intended.

[Copilot]

The controller reads the entire request body into memory without any size limit using ReadToEndAsync(). This creates a potential denial-of-service (DoS) vulnerability where an attacker could send extremely large text payloads to consume server memory.

Add a maximum request body size limit check before reading the body. Consider using Request.ContentLength to validate the size, or use a streaming approach with a limited buffer size. A reasonable limit might be a few MB, depending on the expected use case for embedding requests.

[Copilot]

Syntax error: Missing comma at the end of line 35 after the Embeddings parameter. This will cause a compilation error. The Embeddings parameter should end with a comma before the Compression parameter.

Suggested change

	EmbeddingsOptions? Embeddings = null)
	EmbeddingsOptions? Embeddings = null,

[JerryNixon]

A lot of good work here!

[JerryNixon]

The route embed/{*route} tells ASP.NET “send any request that starts with /embed/ here, and capture everything after it,” but the code then does a strict check that Request.Path must exactly equal endpointOptions.EffectivePath, which means most /embed/... requests will be rejected unless they match one exact configured path; this makes the {*route} catch-all effectively useless and makes configuration easy to get wrong because the real routing rules are split between the attribute and a manual runtime check, pick one approach: either make routing match the configured path using endpoint routing (and remove the manual path equality check), or keep a fixed /embed/... route and use the {*route} value consistently instead of comparing full paths.