Files
Eduard van Valkenburg c1cc6ee6df Python: Enforce approval_mode in Claude and GitHub Copilot agents (#5562)
* Python: Enforce approval_mode in Claude and GitHub Copilot agents

Tools declared with approval_mode="always_require" were bypassed by the
ClaudeAgent and GitHubCopilotAgent because their SDK-managed tool-calling
loops invoke FunctionTool.invoke() directly via package-supplied handlers,
skipping the standard _try_execute_function_calls approval gate.

Per discussion on #5494, the fix lives in the agents (not in FunctionTool):
any flag added to the tool itself can be spoofed by code with the same
level of access, so the security boundary is the agent that owns the
tool-calling loop.

- Add on_function_approval option to ClaudeAgentOptions and
  GitHubCopilotOptions. Callback receives a FunctionCallContent describing
  the pending call and returns bool (sync or async).
- Gate FunctionTool.invoke() inside each agent's existing tool-handler
  closure when approval_mode == "always_require". Default policy is deny;
  callbacks that raise also deny safely.
- Deny path returns a tool-error to the model (Claude: text content;
  Copilot: ToolResult(result_type="failure", error="approval_denied"))
  so the LLM can react gracefully instead of silently failing.
- Tests for both agents covering: deny by default, sync False, sync True,
  async True, callback-raises -> deny, no-op for never_require tools.
- Samples demonstrating sync, async, and deny-by-default flows for both
  agents.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review: preserve empty arg dicts, reject runtime approval override

- _resolve_function_approval no longer collapses {} into None when building
  the FunctionCallContent passed to the callback (Claude + Copilot).
- Claude _apply_runtime_options and Copilot _run_impl/_stream_updates now
  raise ValueError if on_function_approval is supplied via per-run options,
  instead of silently ignoring it. Approval policy must be set at agent
  construction time.
- Drop unnecessary # type: ignore[attr-defined] on Content.name/.arguments
  in samples (Content is a unified class with both attributes defined).
- Add regression tests for the new runtime-options validation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* warning when non callback handler and approval needed

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
c1cc6ee6df ยท 2026-05-01 14:11:28 +00:00
History
..

GitHub Copilot Agent Examples

This directory contains examples demonstrating how to use the GitHubCopilotAgent from the Microsoft Agent Framework.

Security Note: These examples demonstrate various permission types (shell, read, write, url). Only enable permissions that are necessary for your use case. Each permission grants the agent additional capabilities that could affect your system.

Prerequisites

  1. GitHub Copilot CLI: Install and authenticate the Copilot CLI
  2. GitHub Copilot Subscription: An active GitHub Copilot subscription
  3. Install the package:
    pip install agent-framework-github-copilot --pre
    

Environment Variables

The following environment variables can be configured:

Variable Description Default
GITHUB_COPILOT_CLI_PATH Path to the Copilot CLI executable copilot
GITHUB_COPILOT_MODEL Model to use (e.g., "gpt-5", "claude-sonnet-4") Server default
GITHUB_COPILOT_TIMEOUT Request timeout in seconds 60
GITHUB_COPILOT_LOG_LEVEL CLI log level info

Observability

GitHubCopilotAgent has OpenTelemetry tracing built-in. To enable it, call configure_otel_providers() before running the agent:

from agent_framework.observability import configure_otel_providers
from agent_framework.github import GitHubCopilotAgent

configure_otel_providers(enable_console_exporters=True)

async with GitHubCopilotAgent() as agent:
    response = await agent.run("Hello!")

See the observability samples for full examples with OTLP exporters.

Examples

File Description
github_copilot_basic.py The simplest way to create an agent using GitHubCopilotAgent. Demonstrates both streaming and non-streaming responses with function tools.
github_copilot_with_session.py Shows session management with automatic creation, persistence via session objects, and resuming sessions by ID.
github_copilot_with_shell.py Shows how to enable shell command execution permissions. Demonstrates running system commands like listing files and getting system information.
github_copilot_with_file_operations.py Shows how to enable file read and write permissions. Demonstrates reading file contents and creating new files.
github_copilot_with_url.py Shows how to enable URL fetching permissions. Demonstrates fetching and processing web content.
github_copilot_with_mcp.py Shows how to configure MCP (Model Context Protocol) servers, including local (stdio) and remote (HTTP) servers.
github_copilot_with_multiple_permissions.py Shows how to combine multiple permission types for complex tasks that require shell, read, and write access.