Files
Eduard van Valkenburg c1cc6ee6df Python: Enforce approval_mode in Claude and GitHub Copilot agents (#5562)
* Python: Enforce approval_mode in Claude and GitHub Copilot agents

Tools declared with approval_mode="always_require" were bypassed by the
ClaudeAgent and GitHubCopilotAgent because their SDK-managed tool-calling
loops invoke FunctionTool.invoke() directly via package-supplied handlers,
skipping the standard _try_execute_function_calls approval gate.

Per discussion on #5494, the fix lives in the agents (not in FunctionTool):
any flag added to the tool itself can be spoofed by code with the same
level of access, so the security boundary is the agent that owns the
tool-calling loop.

- Add on_function_approval option to ClaudeAgentOptions and
  GitHubCopilotOptions. Callback receives a FunctionCallContent describing
  the pending call and returns bool (sync or async).
- Gate FunctionTool.invoke() inside each agent's existing tool-handler
  closure when approval_mode == "always_require". Default policy is deny;
  callbacks that raise also deny safely.
- Deny path returns a tool-error to the model (Claude: text content;
  Copilot: ToolResult(result_type="failure", error="approval_denied"))
  so the LLM can react gracefully instead of silently failing.
- Tests for both agents covering: deny by default, sync False, sync True,
  async True, callback-raises -> deny, no-op for never_require tools.
- Samples demonstrating sync, async, and deny-by-default flows for both
  agents.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review: preserve empty arg dicts, reject runtime approval override

- _resolve_function_approval no longer collapses {} into None when building
  the FunctionCallContent passed to the callback (Claude + Copilot).
- Claude _apply_runtime_options and Copilot _run_impl/_stream_updates now
  raise ValueError if on_function_approval is supplied via per-run options,
  instead of silently ignoring it. Approval policy must be set at agent
  construction time.
- Drop unnecessary # type: ignore[attr-defined] on Content.name/.arguments
  in samples (Content is a unified class with both attributes defined).
- Add regression tests for the new runtime-options validation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* warning when non callback handler and approval needed

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
c1cc6ee6df ยท 2026-05-01 14:11:28 +00:00
History
..

Provider Samples Overview

This directory groups provider-specific samples for Agent Framework.

Folder What you will find
anthropic/ Anthropic Claude samples using both AnthropicClient and ClaudeAgent, including tools, MCP, sessions, and Foundry Anthropic integration.
amazon/ AWS Bedrock samples using BedrockChatClient, including tool-enabled agent usage.
azure/ Azure OpenAI chat completion samples using OpenAIChatCompletionClient, including basic usage, explicit configuration, tools, and sessions.
copilotstudio/ Microsoft Copilot Studio agent samples, including required environment/app registration setup and explicit authentication patterns.
custom/ Framework extensibility samples for building custom BaseAgent and BaseChatClient implementations, including layer-composition guidance.
foundry/ Microsoft Foundry and Foundry Local samples using FoundryChatClient, FoundryAgent, RawFoundryAgentChatClient, and FoundryLocalClient for hosted agents, Responses API, local inference, tools, MCP, and sessions.
github_copilot/ GitHubCopilotAgent samples showing basic usage, session handling, permission-scoped shell/file/url access, and MCP integration.
ollama/ Local Ollama samples using OllamaChatClient (recommended) plus OpenAI-compatible Ollama setup, including reasoning and multimodal examples.
openai/ OpenAI provider samples for Chat and Chat Completion clients, including tools, structured output, sessions, MCP, web search, and multimodal tasks.

Each folder has its own README with setup requirements and file-by-file details.