Skip to content

Comments

feat: deny-by-default permissions, add PermissionHandler::approveAll()#8

Merged
kawax merged 2 commits intomainfrom
copilot/update-official-sdk-permissions
Feb 19, 2026
Merged

feat: deny-by-default permissions, add PermissionHandler::approveAll()#8
kawax merged 2 commits intomainfrom
copilot/update-official-sdk-permissions

Conversation

Copy link
Contributor

Copilot AI commented Feb 19, 2026
edited
Loading

Sync with official SDK PR github/copilot-sdk#509. requestPermission is now always true — tool operations (file writes, shell commands, URL fetches, MCP calls) are denied by default unless an onPermissionRequest handler is provided.

Changes

  • src/Client.php: requestPermission hardcoded to true in both createSession() and resumeSession() (was conditional on handler presence)
  • src/Support/PermissionHandler.php: New class with approveAll() static method, matching the official SDK's PermissionHandler.ApproveAll / approveAll pattern
  • docs/jp/permission-request.md: Rewritten to lead with deny-by-default explanation and PermissionHandler::approveAll() usage
  • tests/Unit/Support/PermissionHandlerTest.php: Coverage for the new handler

Migration

use Revolution\Copilot\Support\PermissionHandler;
use Revolution\Copilot\Types\SessionConfig;

// Auto-approve all (equivalent to previous default behavior)
$config = new SessionConfig(
    onPermissionRequest: PermissionHandler::approveAll(),
);

// Or granular control by kind
$config = new SessionConfig(
    onPermissionRequest: function (array $request, array $invocation) {
        return match ($request['kind']) {
            'read' => ['kind' => 'approved'],
            default => ['kind' => 'denied-interactively-by-user'],
        };
    },
);

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/copilot_internal/user
    • Triggering command: /home/REDACTED/.local/bin/copilot copilot --headless --stdio --log-level info (http block)
    • Triggering command: /home/REDACTED/.local/bin/copilot copilot --headless --stdio --log-level info /sadc stty n/stty (http block)
    • Triggering command: /home/REDACTED/.local/bin/copilot copilot --headless --stdio --log-level info pilot-sdk/vendor/bin/stty stty ndor/bin/stty (http block)

If you need me to access, download, or install something from one of these locations, you can either:

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@kawax
feat: deny-by-default permissions, add PermissionHandler::approveAll()
97fe688 
Follow official SDK PR #509: requestPermission is now always true,
and PermissionHandler::approveAll() provides a convenience handler.

Co-authored-by: kawax <1502086+kawax@users.noreply.github.com>
Copilot AI changed the title [WIP] Update official SDK and adjust permission handling feat: deny-by-default permissions, add PermissionHandler::approveAll() Feb 19, 2026
Copilot AI requested a review from kawax February 19, 2026 13:23
@kawax kawax marked this pull request as ready for review February 19, 2026 13:37
@kawax kawax merged commit 73403b7 into main Feb 19, 2026
5 checks passed
@kawax kawax deleted the copilot/update-official-sdk-permissions branch February 19, 2026 13:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kawax kawax Awaiting requested review from kawax

Assignees

@kawax kawax

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kawax