Reference implementation sync: 4 new commits (2026-04-25)

[Copilot]

Ports 4 commits from the official github/copilot-sdk to the Java SDK (922959f → dd2dcbc).

Before the change?

• The Java SDK did not support per-session GitHub authentication, configurable session idle timeout, or per-agent tool visibility (defaultAgent.excludedTools).
• PermissionRequestResultKind used old wire values ("approved", "denied-interactively-by-user", "denied-no-approval-rule-and-could-not-request-from-user") that are no longer accepted by CLI v1.0.32.
• CopilotSession.java error-fallback paths for permission handling hardcoded the old denied string, causing all permission-related E2E tests to time out.
• PerSessionAuthTest failed with HTTP 500 because the proxy's internal state was never initialized before the /copilot_internal/user endpoint was called.
• McpAndAgentsTest.testShouldHideExcludedToolsFromDefaultAgent timed out because the test sent "What is 2+2?" while the snapshot expected "Do you have access to a tool called secret_tool?", and the wrong tool ("view" instead of "secret_tool") was excluded.
• McpAndAgentsTest.testShouldAcceptDefaultAgentConfigurationOnSessionResume failed with "Session not found" because session.close() was called before resumeSession(), which permanently destroyed the server-side session via session.destroy RPC.
• E2ETestContext.setCopilotUserByToken() did not call ensureProxyAlive(), risking flakiness if the proxy process crashed between tests.
• PermissionHandler Javadoc example used stale string literals ("user-denied", "user-approved") that are no longer valid wire values.
• advanced.md permission table listed old/deprecated constants with incorrect wire values.

After the change?

Per-session GitHub authentication (dd2dcbc)

New gitHubToken field on SessionConfig/ResumeSessionConfig. When set, the runtime resolves the token into a full GitHub identity (content exclusion, model routing, quota) scoped to that session only:

var session = client.createSession(new SessionConfig()
    .setGitHubToken("gho_alice_token")
    .setOnPermissionRequest(PermissionHandler.APPROVE_ALL)).get();

PermissionRequestResultKind values updated to match the new CLI v1.0.32 protocol:

Old constant	Old wire value	New constant	New wire value
APPROVED	"approved"	APPROVED	"approve-once"
DENIED_INTERACTIVELY_BY_USER	"denied-interactively-by-user"	REJECTED	"reject"
DENIED_BY_RULES / DENIED_COULD_NOT_REQUEST_FROM_USER	(various)	USER_NOT_AVAILABLE	"user-not-available"

Old constants are preserved as @Deprecated aliases. All permission handler code — including CopilotSession.java fallback paths and all test files (PermissionsTest, ToolsTest, ExecutorWiringTest, RpcHandlerDispatcherTest, SessionHandlerTest) — updated to use the new values.

Per-agent tool visibility (b1b0df5)

New DefaultAgentConfig class lets you hide tools from the built-in agent while keeping them accessible to custom sub-agents:

var config = new SessionConfig()
    .setTools(List.of(secretTool))
    .setDefaultAgent(new DefaultAgentConfig()
        .setExcludedTools(List.of("secret_tool")));

Configurable session idle timeout (b4ef955)

New sessionIdleTimeoutSeconds option on CopilotClientOptions. When > 0, passes --session-idle-timeout <seconds> to the CLI process:

var client = new CopilotClient(new CopilotClientOptions()
    .setSessionIdleTimeoutSeconds(600));

SessionFs structured error contract (a3e273c)

No Java changes required — affects only generated code and .NET-specific SessionFsProvider rename; Java SDK has no SessionFs implementation yet.

Updates .lastmerge

Updated to dd2dcbc439256acfb9feb2cff07c0b9c820091b8.

Test and documentation fixes

• E2ETestContext.setCopilotUserByToken(): Now calls ensureProxyAlive() before delegating to the proxy, ensuring the method always targets a live proxy instance and eliminating a potential source of flakiness.
• E2ETestContext: Added initializeProxy() method that posts to the proxy's /config endpoint with no snapshot file, initializing its internal state so that endpoints like /copilot_internal/user (used for per-session auth resolution) are handled correctly without requiring an AI completion snapshot.
• PerSessionAuthTest: Calls initializeProxy() before registering per-token user configs, ensuring the proxy is ready before the CLI attempts to resolve the per-session GitHub token.
• McpAndAgentsTest.testShouldHideExcludedToolsFromDefaultAgent: Corrected the prompt to "Do you have access to a tool called secret_tool? Answer yes or no." (matching the snapshot), registered a secret_tool ToolDefinition, and changed excludedTools to ["secret_tool"].
• McpAndAgentsTest.testShouldAcceptDefaultAgentConfigurationOnSessionResume: Removed the premature session.close() call before resumeSession(). close() invokes session.destroy RPC which removes the server-side session; the session handle is now simply abandoned so the CLI keeps the session alive for the resume.
• PermissionHandler Javadoc: Updated example to use PermissionRequestResultKind.REJECTED and PermissionRequestResultKind.APPROVED constants instead of the stale and now-incorrect string literals "user-denied" / "user-approved".
• advanced.md permission table: Replaced deprecated-alias rows with the four current constants and their correct wire values: APPROVED→"approve-once", REJECTED→"reject", USER_NOT_AVAILABLE→"user-not-available", NO_RESULT→"no-result". The README quick start and jbang-example.java both already use PermissionHandler.APPROVE_ALL and required no changes.

Pull request checklist

• Tests for the changes have been added (for bug fixes / features)
• Docs have been reviewed and added / updated if needed (for bug fixes / features)
• mvn spotless:apply has been run to format the code
• mvn clean verify passes locally

Does this introduce a breaking change?

• Yes
• No

Old PermissionRequestResultKind constants (APPROVED, DENIED_BY_RULES, DENIED_INTERACTIVELY_BY_USER, DENIED_COULD_NOT_REQUEST_FROM_USER) are kept as @Deprecated aliases; wire values changed to match CLI v1.0.32.

[edburns]

@copilot

Test run https://github.com/github/copilot-sdk-java/actions/runs/24935116719 had failures. Please analyze the complete job logs to determine the cause of the failures and push additional commits to resolve them.

Use mvn clean verify as the signal for correctness. All tests must pass with no failures and no errors.

If you find you want to change any code in src/generated/java in order to make the tests pass, YOU MUST NOT DO THAT. Changes to those classes may only be affected by altering the java.ts and re-generating the classes as shown in the workflow update-copilot-dependency.yml.

[Copilot]

@copilot

Test run https://github.com/github/copilot-sdk-java/actions/runs/24935116719 had failures. Please analyze the complete job logs to determine the cause of the failures and push additional co...

Fixed in commit 997ec57.

Root cause: The Copilot CLI v1.0.32 was updated to require the new permission kind values introduced in commit dd2dcbc. All tests using the old hardcoded strings ("approved", "denied-interactively-by-user", "denied-no-approval-rule-and-could-not-request-from-user") were failing because the CLI no longer accepts them.

Changes made:

• CopilotSession.java: The no-handler and error-fallback code paths were still using the hardcoded old string "denied-no-approval-rule-and-could-not-request-from-user". Updated to use PermissionRequestResultKind.USER_NOT_AVAILABLE (wire value "user-not-available").
• PermissionsTest, ToolsTest, ExecutorWiringTest: Updated all hardcoded "approved" → PermissionRequestResultKind.APPROVED, "denied-interactively-by-user" → PermissionRequestResultKind.REJECTED, "denied-no-approval-rule-..." → PermissionRequestResultKind.USER_NOT_AVAILABLE.
• RpcHandlerDispatcherTest, SessionHandlerTest: Updated expected assertion values from the old string to "user-not-available".

All 143 unit tests pass locally.

[edburns]

@copilot I looked at the failures for Actions run https://github.com/github/copilot-sdk-java/actions/runs/24948129268/ .

They were all of type "error":

Error:  Errors: 
Error:    McpAndAgentsTest.testShouldAcceptDefaultAgentConfigurationOnSessionResume:388 » Execution com.github.copilot.sdk.JsonRpcException: Request session.resume failed with message: Session not found: 1092b525-b7fd-4546-ab4d-310a25a2a9f8
Error:    McpAndAgentsTest.testShouldHideExcludedToolsFromDefaultAgent:359 » Execution java.util.concurrent.TimeoutException: sendAndWait timed out after 60000ms
Error:    PerSessionAuthTest.shouldAuthenticateWithGitHubToken:69 » Execution com.github.copilot.sdk.JsonRpcException: Request session.create failed with message: Failed to fetch Copilot user info: 500 Internal Server Error
Error:    PerSessionAuthTest.shouldIsolateAuthBetweenSessions:88 » Execution com.github.copilot.sdk.JsonRpcException: Request session.create failed with message: Failed to fetch Copilot user info: 500 Internal Server Error

It is possible such errors are ephemeral. First, test this hypothesis by simply running another iteration of "Build & Test". If that fails again, with the same set of errors, perform a deeper analysis and push additional commits as necessary.

[Copilot]

@copilot I looked at the failures for Actions run https://github.com/github/copilot-sdk-java/actions/runs/24948129268/ .

They were all of type "error":
...

The failures were not ephemeral — all four were caused by real bugs in the test code (commit bab45d3):

1. PerSessionAuthTest (500 error) — The proxy TypeScript requires its internal state to be initialized (via a /config POST) before it can serve the /copilot_internal/user endpoint used for per-session auth. PerSessionAuthTest never called configureForTest(), so state was null and the proxy threw, returning 500. Fix: added initializeProxy() to E2ETestContext and called it in setupCopilotUsers().

2. testShouldHideExcludedToolsFromDefaultAgent (timeout) — The test sent "What is 2+2?" but the snapshot expects "Do you have access to a tool called secret_tool? Answer yes or no.". With no matching snapshot, the proxy exits in CI, the CLI hangs, and sendAndWait() times out. Also, the test was excluding "view" from the default agent but the snapshot was recorded with a secret_tool registered. Fix: corrected the prompt, registered secret_tool as a ToolDefinition, and set excludedTools to ["secret_tool"].

3. testShouldAcceptDefaultAgentConfigurationOnSessionResume (Session not found) — The test called session.close() immediately before resumeSession(). close() invokes session.destroy RPC which removes the server-side session, so the subsequent resume correctly fails with "Session not found". Fix: removed the premature session.close() call (matching the pattern used by all other resume tests in the file).

[Copilot]

Pull request overview

Ports recent github/copilot-sdk protocol/config updates into the Java SDK to restore parity with CLI v1.0.32+, including per-session GitHub auth, default-agent tool hiding, and session idle timeout support, plus E2E test harness fixes.

Changes:

• Add per-session GitHub authentication (gitHubToken) and wire it through create/resume session requests.
• Add defaultAgent.excludedTools support via DefaultAgentConfig and request builder plumbing.
• Update permission result kind wire values (with deprecated aliases) and adjust core/session logic + tests; add CLI --session-idle-timeout option and related tests/helpers.

Show a summary per file

File	Description
src/main/java/com/github/copilot/sdk/json/SessionConfig.java	Adds defaultAgent and gitHubToken session configuration fields and clones them.
src/main/java/com/github/copilot/sdk/json/ResumeSessionConfig.java	Adds defaultAgent and gitHubToken for resumed sessions and clones them.
src/main/java/com/github/copilot/sdk/json/CreateSessionRequest.java	Adds defaultAgent + gitHubToken to the JSON-RPC create request DTO.
src/main/java/com/github/copilot/sdk/json/ResumeSessionRequest.java	Adds defaultAgent + gitHubToken to the JSON-RPC resume request DTO.
src/main/java/com/github/copilot/sdk/json/DefaultAgentConfig.java	New type supporting excludedTools for default-agent tool visibility.
src/main/java/com/github/copilot/sdk/json/PermissionRequestResultKind.java	Updates well-known permission kind wire values and keeps deprecated aliases.
src/main/java/com/github/copilot/sdk/json/CopilotClientOptions.java	Adds sessionIdleTimeoutSeconds option and clones it.
src/main/java/com/github/copilot/sdk/SessionRequestBuilder.java	Wires defaultAgent and gitHubToken into create/resume request construction.
src/main/java/com/github/copilot/sdk/CopilotSession.java	Updates permission-handling fallback kind to user-not-available.
src/main/java/com/github/copilot/sdk/CliServerManager.java	Passes --session-idle-timeout <seconds> when configured (> 0).
src/test/java/com/github/copilot/sdk/ToolsTest.java	Updates permission test to use new PermissionRequestResultKind constants.
src/test/java/com/github/copilot/sdk/PermissionsTest.java	Updates permission handler tests to new kind constants.
src/test/java/com/github/copilot/sdk/ExecutorWiringTest.java	Updates permission handler wiring test to new kind constants.
src/test/java/com/github/copilot/sdk/SessionHandlerTest.java	Updates assertions for new denied fallback wire value.
src/test/java/com/github/copilot/sdk/RpcHandlerDispatcherTest.java	Updates assertions for new denied fallback wire value.
src/test/java/com/github/copilot/sdk/PermissionRequestResultKindTest.java	Updates kind value expectations + deprecated-alias behavior checks.
src/test/java/com/github/copilot/sdk/SessionRequestBuilderTest.java	Adds tests for defaultAgent and gitHubToken mapping into requests.
src/test/java/com/github/copilot/sdk/ConfigCloneTest.java	Adds clone coverage for new config fields/options.
src/test/java/com/github/copilot/sdk/CopilotClientTest.java	Adds basic option getter/setter tests for idle timeout.
src/test/java/com/github/copilot/sdk/CliServerManagerTest.java	Adds coverage to exercise idle-timeout CLI arg path.
src/test/java/com/github/copilot/sdk/E2ETestContext.java	Adds createClient(options), initializeProxy(), and per-token user config helper.
src/test/java/com/github/copilot/sdk/CapiProxy.java	Adds proxy endpoint helper to register per-token Copilot user responses.
src/test/java/com/github/copilot/sdk/PerSessionAuthTest.java	New E2E coverage for per-session auth identity resolution/isolation.
src/test/java/com/github/copilot/sdk/McpAndAgentsTest.java	Adds/adjusts default-agent excluded-tools tests and resume behavior.
src/test/java/com/github/copilot/sdk/CopilotSessionTest.java	Adds E2E coverage for creating session with defaultAgent.excludedTools.
.lastmerge	Updates tracked reference implementation commit.

Copilot's findings

• Files reviewed: 26/26 changed files
• Comments generated: 1

[Copilot]

E2ETestContext#setCopilotUserByToken() does not call ensureProxyAlive() before sending the request. If the proxy process crashes/restarts between tests (or between initializeProxy() and this call), this can hit a dead proxy URL and introduce flakiness. Consider calling ensureProxyAlive() at the start of this method (similar to configureForTest()/initializeProxy()) so it always targets a live proxy instance.

Suggested change

	String telemetryUrl, String analyticsTrackingId) throws IOException, InterruptedException {
	String telemetryUrl, String analyticsTrackingId) throws IOException, InterruptedException {
	ensureProxyAlive();

[Copilot]

Applied the suggestion in c9241f1. Also updated the PermissionHandler Javadoc example (which used the old stale string literals "user-denied"/"user-approved") to use the new PermissionRequestResultKind.REJECTED/APPROVED constants, and fixed the advanced.md permission table to show the current wire values ("approve-once", "reject", "user-not-available", "no-result") replacing the old deprecated-alias rows. The README quick start and jbang example both already use PermissionHandler.APPROVE_ALL and needed no changes.