sanitise the invocation id path param with a safe fallback

[alhudz]

Description

GET /invocations/{id} and the POST /invocations/{id}/cancel variant both run through _traced_invocation_endpoint, which is meant to validate the id with _sanitize_id before it reaches the x-agent-invocation-id response header and the request-scoped log and span fields.

Repro: request GET /invocations/bad~id (a character outside _VALID_ID_RE), or an id longer than _MAX_ID_LENGTH; the raw value comes straight back in the x-agent-invocation-id response header.
Cause: the call is _sanitize_id(raw_invocation_id, raw_invocation_id), so the rejected value is its own fallback and the length and character checks can never drop anything. _create_invocation_endpoint passes a generated UUID instead.
Fix: fall back to a fresh UUID, matching the create path, so a malformed id never reaches the header or the logs. Added a regression test for the invalid-character and over-length cases plus a valid-id passthrough.

All SDK Contribution checklist:

• The pull request does not introduce [breaking changes]
• CHANGELOG is updated for new features, bug fixes or other significant changes.
• I have read the contribution guidelines.

General Guidelines and Best Practices

• Title of the pull request is clear and informative.
• There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

• Pull request includes test coverage for the included changes.

[github-actions]

Thank you for your contribution @alhudz! We will review the pull request and get back to you soon.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Prevents malformed invocation_id path parameters from being reflected into the x-agent-invocation-id response header by sanitizing to a generated fallback, and adds regression tests plus a version/changelog bump.

Changes:

• Sanitize invocation_id from path params using a generated UUID fallback in traced invocation endpoints.
• Add async tests asserting malformed/overlong IDs are not echoed into response headers.
• Bump package version to 1.0.0b6 and document the fix in CHANGELOG.md.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
sdk/agentserver/azure-ai-agentserver-invocations/azure/ai/agentserver/invocations/_invocation.py	Switches path invocation_id sanitization fallback to a generated UUID to prevent reflection of malformed IDs.
sdk/agentserver/azure-ai-agentserver-invocations/tests/test_invocation_id_sanitization.py	Adds regression coverage for invocation id sanitization in response headers.
sdk/agentserver/azure-ai-agentserver-invocations/azure/ai/agentserver/invocations/_version.py	Bumps the prerelease version to 1.0.0b6.
sdk/agentserver/azure-ai-agentserver-invocations/CHANGELOG.md	Adds an Unreleased 1.0.0b6 entry describing the fix.