…ssistant agents (#14057)

### Description

Adds `function_choice_behavior` parameter to Azure AI and OpenAI
Assistant agents, aligning them with the existing Responses agent and
Chat Completion agent APIs.

### Changes

- Add `function_choice_behavior` parameter to
`invoke`/`invoke_stream`/`get_response` on both `AzureAIAgent` and
`OpenAIAssistantAgent` public APIs
- Add `function_choice_behavior` parameter to internal
`AzureAIAgentThreadActions` and `AssistantThreadActions`
`invoke`/`invoke_stream` methods
- Support `tools` parameter override for SDK-level tools
(CodeInterpreter, FileSearch, etc.)
- Filter kernel functions based on `FunctionChoiceBehavior`
configuration
- Validate that only `Auto` type with auto-invoke enabled is supported
- Fix `_get_tools` in OpenAI path to use passed `kernel` parameter
instead of `agent.kernel`
- Add comprehensive unit tests for both thread actions and public agent
APIs

---------

Co-authored-by: Copilot <[email protected]>

Pin MessagePack to 3.1.7 to resolve NU1903 error for known vulnerability
in transitive dependency 2.5.192 brought in by Aspire packages.

---------

Co-authored-by: Copilot <[email protected]>

…llable parameters (#13635)

## Summary

- Fixes `InsertNullTypeIfRequired()` producing duplicate `"null"`
entries in JSON Schema type arrays (e.g., `["string", "null", "null"]`)
for `Nullable<T>` parameters with `= null` defaults
- Replaces reference-equality guard (`JsonArray.Contains()`) with
value-based `.Any()` check
- Adds 3 regression tests covering both trigger paths and positive
insertion

## Root Cause

`InsertNullTypeIfRequired()` in `OpenAIFunction.cs` uses
`jsonArray.Contains(NullType)` to check for existing `"null"` entries
before adding one. `JsonArray.Contains()` compares `JsonNode` objects by
reference equality — `JsonNode` does not override `Equals()`. The
`NullType` constant (`"null"`) creates a new `JsonNode` on implicit
conversion, so the guard always fails and `"null"` is always added as a
duplicate.

For `Nullable<T>` parameters with `= null` defaults,
`AIJsonUtilities.CreateJsonSchema()` correctly produces `["string",
"null"]`. The strict-mode sanitizer then attempts to add `"null"` again
— the broken guard lets it through, producing `["string", "null",
"null"]`.

Two trigger paths reach the same bug:
1. Optional parameters (`IsRequired = false`) → `insertNullType = true`
2. Schemas with `"nullable": true` keyword

## Changes

| File | Change |
|------|--------|
| `dotnet/src/Connectors/Connectors.OpenAI/Core/OpenAIFunction.cs` |
Replace `jsonArray.Contains(NullType)` with value-based `.Any()` check
(follows existing pattern in `NormalizeAdditionalProperties`) |
|
`dotnet/src/Connectors/Connectors.OpenAI.UnitTests/Core/OpenAIFunctionTests.cs`
| 3 new tests: duplicate prevention for optional params, duplicate
prevention for `nullable` keyword, positive case (null inserted when
absent) |

## Testing

- 3 new unit tests added covering:
- `ItDoesNotInsertDuplicateNullInTypeArrayForOptionalParameter` — schema
with pre-existing `["string", "null"]` + `IsRequired = false`
- `ItDoesNotInsertDuplicateNullInTypeArrayForNullableKeyword` — schema
with `"nullable": true` + `IsRequired = true`
- `ItInsertsNullInTypeArrayWhenAbsent` — schema with `["string"]` only →
`"null"` correctly added

Fixes #13527

---------

Co-authored-by: Claude Opus 4.6 <[email protected]>
Co-authored-by: SergeyMenshykh <[email protected]>
Co-authored-by: SergeyMenshykh <[email protected]>
Co-authored-by: Copilot <[email protected]>

…Python) (#14086)

## Motivation and Context

Closes #14085.

The .NET and Python OpenAPI plugins select operations using the raw
OpenAPI path, but build the runtime request URL from a canonicalized
path. Encoded dot-segments such as `/resources/%2e%2e/admin` pass an
`OperationSelectionPredicate` path check, yet `System.Uri` (.NET) and
`urljoin` (Python) collapse them to a different route at request time.
The selected path and the actual request target can therefore diverge.

## Description

- **.NET** (`RestApiOperation.ValidatePathSegments`): decodes each path
segment until stable (handling double encoding like `%252e` and encoded
separators `%2f`/`%5c`) before rejecting canonical `.` or `..` segments.
- **Python** (`RestApiOperation.build_path`): adds equivalent
decode-then-reject validation before the URL is built.

Regression tests on both stacks cover literal and encoded dot-segments,
mixed case, encoded slashes, and double encoding, plus negative tests
confirming legitimate encoded characters still work.

Test results:
- .NET: 482/482 `Functions.UnitTests` OpenApi tests pass.
- Python: 109/109 `openapi_plugin` unit tests pass.

## Contribution Checklist

- [x] The code builds clean without any errors or warnings
- [x] The PR follows the SK Contribution Guidelines
- [x] All unit tests pass, and I have added new tests where possible
- [x] I didn't break anyone 😄

### Motivation and Context

Bump Python version to 1.43.1 for a release.

<!-- Thank you for your contribution to the semantic-kernel repo!
Please help reviewers and future users, providing the following
information:
  1. Why is this change required?
  2. What problem does it solve?
  3. What scenario does it contribute to?
  4. If it fixes an open issue, please link to the issue here.
-->

### Description

Bump Python version to 1.43.1 for a release.

<!-- Describe your changes, the overall approach, the underlying design.
These notes will help understanding how your code works. Thanks! -->

### Contribution Checklist

<!-- Before submitting this PR, please make sure: -->

- [X] The code builds clean without any errors or warnings
- [X] The PR follows the [SK Contribution
Guidelines](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md)
and the [pre-submission formatting
script](https://github.com/microsoft/semantic-kernel/blob/main/CONTRIBUTING.md#development-scripts)
raises no violations
- [X] All unit tests pass, and I have added new tests where possible
- [X] I didn't break anyone 😄