AHP: opt into SDK managed-settings self-fetch#323651
Draft
joshspicer wants to merge 1 commit into
Draft
Conversation
Pass selfFetchManagedSettings:true in session.create params so the runtime self-fetches enterprise bypass-permissions policy from the GitHub managed_settings endpoint at session bootstrap. The runtime enforces the result fail-closed before the first turn. Requires: github/copilot-agent-runtime#agents/managed-settings-sdk-capability
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the Agent Host (AHP) Copilot session launcher to opt Copilot SDK sessions into runtime-managed enterprise policy enforcement by enabling the SDK/session flag for self-fetching managed settings at bootstrap time.
Changes:
- Enable
selfFetchManagedSettings: truein the session config built byCopilotSessionLauncher. - Document (in-code) that the runtime will self-fetch managed settings and enforce them before the first turn.
Show a summary per file
| File | Description |
|---|---|
| src/vs/platform/agentHost/node/copilot/copilotSessionLauncher.ts | Adds selfFetchManagedSettings: true to the SDK session config built during session launch. |
Review details
- Files reviewed: 1/1 changed files
- Comments generated: 1
- Review effort level: Low
Comment on lines
+413
to
+417
| // Opt the runtime into self-fetching enterprise managed settings | ||
| // (bypass-permissions policy) at session bootstrap. The runtime uses | ||
| // the session's gitHubToken to call /copilot_internal/managed_settings | ||
| // and enforces the result fail-closed before the first turn. | ||
| // Declared in copilotSdkAugmentation.d.ts pending SDK type update. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
AHP: opt into SDK managed-settings self-fetch
The Agent Host (AHP) Copilot session launcher now passes
selfFetchManagedSettings: truewhen creating a Copilot SDK session, so the runtime self-fetches and enforces enterprise managed settings (bypass-permissions policy) using the session's GitHub token — without VS Code having to implement the enforcement itself.Change
src/vs/platform/agentHost/node/copilot/copilotSessionLauncher.ts— setselfFetchManagedSettings: truein_buildSessionConfig. The runtime calls/copilot_internal/managed_settings+ device MDM and enforces the result fail-closed before the first turn.The flag is typed via the SDK's
SessionConfigBase(see the SDK PR below); no enforcement logic lives in VS Code.Validation
Verified end-to-end: AHP-spawned Copilot sessions self-fetched the enterprise server policy (
disableBypassPermissionsMode: "disable") and disabled bypass-permissions mode (bypassDisabled=true) across 3/3 sessions;/allow-allis rejected by runtime policy.Related PRs