Eduard van Valkenburg c1cc6ee6df Python: Enforce approval_mode in Claude and GitHub Copilot agents (#5562)
* Python: Enforce approval_mode in Claude and GitHub Copilot agents

Tools declared with approval_mode="always_require" were bypassed by the
ClaudeAgent and GitHubCopilotAgent because their SDK-managed tool-calling
loops invoke FunctionTool.invoke() directly via package-supplied handlers,
skipping the standard _try_execute_function_calls approval gate.

Per discussion on #5494, the fix lives in the agents (not in FunctionTool):
any flag added to the tool itself can be spoofed by code with the same
level of access, so the security boundary is the agent that owns the
tool-calling loop.

- Add on_function_approval option to ClaudeAgentOptions and
  GitHubCopilotOptions. Callback receives a FunctionCallContent describing
  the pending call and returns bool (sync or async).
- Gate FunctionTool.invoke() inside each agent's existing tool-handler
  closure when approval_mode == "always_require". Default policy is deny;
  callbacks that raise also deny safely.
- Deny path returns a tool-error to the model (Claude: text content;
  Copilot: ToolResult(result_type="failure", error="approval_denied"))
  so the LLM can react gracefully instead of silently failing.
- Tests for both agents covering: deny by default, sync False, sync True,
  async True, callback-raises -> deny, no-op for never_require tools.
- Samples demonstrating sync, async, and deny-by-default flows for both
  agents.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Address PR review: preserve empty arg dicts, reject runtime approval override

- _resolve_function_approval no longer collapses {} into None when building
  the FunctionCallContent passed to the callback (Claude + Copilot).
- Claude _apply_runtime_options and Copilot _run_impl/_stream_updates now
  raise ValueError if on_function_approval is supplied via per-run options,
  instead of silently ignoring it. Approval policy must be set at agent
  construction time.
- Drop unnecessary # type: ignore[attr-defined] on Content.name/.arguments
  in samples (Content is a unified class with both attributes defined).
- Add regression tests for the new runtime-options validation.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* warning when non callback handler and approval needed

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
c1cc6ee6df · 2026-05-01 14:11:28 +00:00

Anthropic Examples

This folder contains examples demonstrating how to use Anthropic's Claude models with the Agent Framework.

Anthropic Client Examples

| File | Description |
|---|---|
| anthropic_basic.py | Demonstrates how to set up a simple agent using the AnthropicClient, with both streaming and non-streaming responses. |
| anthropic_advanced.py | Shows advanced usage of the AnthropicClient, including hosted tools and thinking. |
| anthropic_skills.py | Illustrates how to use Anthropic-managed Skills with an agent, including the Code Interpreter tool and file generation and saving. |
| anthropic_foundry.py | Example of using Foundry's Anthropic integration with the Agent Framework. |

Claude Agent Examples

| File | Description |
|---|---|
| anthropic_claude_basic.py | Basic usage of ClaudeAgent with streaming, non-streaming, and custom tools. |
| anthropic_claude_with_tools.py | Using built-in tools (Read, Glob, Grep, etc.). |
| anthropic_claude_with_shell.py | Shell command execution with interactive permission handling. |
| anthropic_claude_with_multiple_permissions.py | Combining multiple tools (Bash, Read, Write) with permission prompts. |
| anthropic_claude_with_url.py | Fetching and processing web content with WebFetch. |
| anthropic_claude_with_mcp.py | Local (stdio) and remote (HTTP) MCP server configuration. |
| anthropic_claude_with_session.py | Session management, persistence, and resumption. |

Environment Variables

Anthropic Client

  • ANTHROPIC_API_KEY: Your Anthropic API key (get one from Anthropic Console)
  • ANTHROPIC_CHAT_MODEL: The Claude model to use (e.g., claude-haiku-4-5, claude-sonnet-4-5-20250929)

Foundry

  • ANTHROPIC_FOUNDRY_API_KEY: Your Foundry Anthropic API key
  • ANTHROPIC_FOUNDRY_RESOURCE: Your Foundry resource name (for example my-foundry-resource)
  • ANTHROPIC_FOUNDRY_BASE_URL: Optional full Foundry Anthropic base URL alternative to ANTHROPIC_FOUNDRY_RESOURCE
  • ANTHROPIC_CHAT_MODEL: The Claude model to use in Foundry (e.g., claude-haiku-4-5)

Claude Agent

  • CLAUDE_AGENT_CLI_PATH: Path to the Claude Code CLI executable
  • CLAUDE_AGENT_MODEL: Model to use (sonnet, opus, haiku)
  • CLAUDE_AGENT_CWD: Working directory for Claude CLI
  • CLAUDE_AGENT_PERMISSION_MODE: Permission mode (default, acceptEdits, plan, bypassPermissions)
  • CLAUDE_AGENT_MAX_TURNS: Maximum number of conversation turns
  • CLAUDE_AGENT_MAX_BUDGET_USD: Maximum budget in USD