Copilot AI commented Jan 15, 2026

Motivation and Context

Reserved checkpoint markers (__af_model__ and __af_dataclass__) used for polymorphic serialization could be spoofed by arbitrary dicts, causing incorrect type instantiation during deserialization. Additionally, deserialization didn't verify that loaded classes actually matched their claimed type (dataclass or model protocol).

Description

Serialization validation:

  • Raise ValueError if a dict contains reserved marker keys with a value key (the marker pattern)
```python
# Now raises ValueError
encode_checkpoint_value({
    "__af_dataclass__": "some.module:FakeClass",
    "value": {"field": "spoofed"}
})
```

Deserialization validation:

  • Verify DATACLASS_MARKER classes are actually dataclass types via isinstance(cls, type) and is_dataclass(cls)
  • Verify MODEL_MARKER classes support model protocol (to_dict/from_dict or to_json/from_json pairs)
  • Return raw decoded value instead of attempting instantiation when validation fails

Refactoring:

  • Extract _class_supports_model_protocol(cls) helper; _supports_model_protocol(obj) now delegates to it

Contribution Checklist

  • The code builds clean without any errors or warnings
  • The PR follows the Contribution Guidelines
  • All unit tests pass, and I have added new tests where possible
  • Is this a breaking change? If yes, add "[BREAKING]" prefix to the title of the PR.
Original prompt

This section details the original issue you should resolve

<issue_title>Python: [Bug]: Workflow checkpoint serialization and deserialization reserved keywords allow overwrite</issue_title>
<issue_description>### Description

When serializing workflow state to a checkpoint, we use two reserved keywords (__af_dataclass__ and __af_model__) to achieve polymorphic serialization.

However, we don't check whether these reserved keywords are present in objects that are neither dataclasses nor Pydantic models. This leads to a potential issue during deserialization where we'd mistakenly deserialize a JSON into an incorrect type. We also don't check if a class is really a dataclass or a Pydantic model during deserialization.

Implement fixes for:

  1. Do not allow values to contain the reserved keyword during serialization.
  2. Check if a class is really a dataclass or a Pydantic model during deserialization.

Related modules

https://github.com/microsoft/agent-framework/blob/main/python/packages/core/agent_framework/_workflows/_checkpoint_encoding.py

Package Versions

agent-framework-core

Python Version

No response

Additional Context

No response</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI changed the title from "[WIP] Fix workflow checkpoint serialization and deserialization issues" to "Fix: Validate reserved keywords in checkpoint serialization and verify types during deserialization" on Jan 15, 2026
Copilot AI requested a review from TaoChenOSU January 15, 2026 21:38
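
The two checks this pull request describes (refusing marker-shaped dicts on encode, verifying the claimed class on decode), as an added example that is not the agent-framework implementation. The marker strings come from the PR text; `encode`, `decode` and `Point` are hypothetical names, and the `module:Class` reference format is assumed from the PR's sample value.

```python
import importlib
from dataclasses import dataclass, fields, is_dataclass

DATACLASS_MARKER = "__af_dataclass__"  # reserved keys named in the PR
MODEL_MARKER = "__af_model__"


@dataclass
class Point:  # constructed sample type, not from the project
    x: int
    y: int


def encode(value):
    """Encode to JSON-safe data, refusing dicts that imitate a marker envelope."""
    if is_dataclass(value) and not isinstance(value, type):
        cls = type(value)
        body = {f.name: encode(getattr(value, f.name)) for f in fields(value)}
        return {DATACLASS_MARKER: f"{cls.__module__}:{cls.__qualname__}", "value": body}
    if isinstance(value, dict):
        if "value" in value and (DATACLASS_MARKER in value or MODEL_MARKER in value):
            raise ValueError("dict uses a reserved checkpoint marker key")
        return {str(k): encode(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [encode(v) for v in value]
    return value


def decode(data):
    """Rebuild values; instantiate only when the named class really is a dataclass."""
    if isinstance(data, list):
        return [decode(v) for v in data]
    if not isinstance(data, dict):
        return data
    if DATACLASS_MARKER in data and "value" in data:
        raw = decode(data["value"])
        try:
            module_name, _, class_name = data[DATACLASS_MARKER].partition(":")
            cls = getattr(importlib.import_module(module_name), class_name)
        except (AttributeError, ImportError, ValueError):
            return raw  # class reference cannot be resolved
        if isinstance(cls, type) and is_dataclass(cls) and isinstance(raw, dict):
            try:
                return cls(**raw)
            except TypeError:
                return raw  # fields do not match the dataclass
        return raw  # claimed type failed validation: hand back plain data
    return {k: decode(v) for k, v in data.items()}
```
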
Development

Successfully merging this pull request may close these issues.

Python: [Bug]: Workflow checkpoint serialization and deserialization reserved keywords allow overwrite
