Add no-result permission handling for extensions (#802)

SteveSandersonMS · web-flow · commit df59a0ecb8ed · 2026-03-12T16:02:39.000Z
diff --git a/dotnet/src/Client.cs b/dotnet/src/Client.cs
@@ -54,6 +54,9 @@ namespace GitHub.Copilot.SDK;
 /// </example>
 public sealed partial class CopilotClient : IDisposable, IAsyncDisposable
 {
+    internal const string NoResultPermissionV2ErrorMessage =
+        "Permission handlers cannot return 'no-result' when connected to a protocol v2 server.";
+
     /// <summary>
     /// Minimum protocol version this SDK can communicate with.
     /// </summary>
@@ -1394,8 +1397,16 @@ public async Task<PermissionRequestResponseV2> OnPermissionRequestV2(string sess
             try
             {
                 var result = await session.HandlePermissionRequestAsync(permissionRequest);
+                if (result.Kind == new PermissionRequestResultKind("no-result"))
+                {
+                    throw new InvalidOperationException(NoResultPermissionV2ErrorMessage);
+                }
                 return new PermissionRequestResponseV2(result);
             }
+            catch (InvalidOperationException ex) when (ex.Message == NoResultPermissionV2ErrorMessage)
+            {
+                throw;
+            }
             catch (Exception)
             {
                 return new PermissionRequestResponseV2(new PermissionRequestResult
diff --git a/dotnet/src/Session.cs b/dotnet/src/Session.cs
@@ -467,6 +467,10 @@ private async Task ExecutePermissionAndRespondAsync(string requestId, Permission
             };
 
             var result = await handler(permissionRequest, invocation);
+            if (result.Kind == new PermissionRequestResultKind("no-result"))
+            {
+                return;
+            }
             await Rpc.Permissions.HandlePendingPermissionRequestAsync(requestId, result);
         }
         catch (Exception)
diff --git a/dotnet/src/Types.cs b/dotnet/src/Types.cs
@@ -350,6 +350,7 @@ public class PermissionRequestResult
     /// <item><description><c>"denied-by-rules"</c> — denied by configured permission rules.</description></item>
     /// <item><description><c>"denied-interactively-by-user"</c> — the user explicitly denied the request.</description></item>
     /// <item><description><c>"denied-no-approval-rule-and-could-not-request-from-user"</c> — no rule matched and user approval was unavailable.</description></item>
+    /// <item><description><c>"no-result"</c> — leave the pending permission request unanswered.</description></item>
     /// </list>
     /// </summary>
     [JsonPropertyName("kind")]
diff --git a/dotnet/test/PermissionRequestResultKindTests.cs b/dotnet/test/PermissionRequestResultKindTests.cs
@@ -21,6 +21,7 @@ public void WellKnownKinds_HaveExpectedValues()
         Assert.Equal("denied-by-rules", PermissionRequestResultKind.DeniedByRules.Value);
         Assert.Equal("denied-no-approval-rule-and-could-not-request-from-user", PermissionRequestResultKind.DeniedCouldNotRequestFromUser.Value);
         Assert.Equal("denied-interactively-by-user", PermissionRequestResultKind.DeniedInteractivelyByUser.Value);
+        Assert.Equal("no-result", new PermissionRequestResultKind("no-result").Value);
     }
 
     [Fact]
@@ -115,6 +116,7 @@ public void JsonRoundTrip_PreservesAllKinds()
             PermissionRequestResultKind.DeniedByRules,
             PermissionRequestResultKind.DeniedCouldNotRequestFromUser,
             PermissionRequestResultKind.DeniedInteractivelyByUser,
+            new PermissionRequestResultKind("no-result"),
         };
 
         foreach (var kind in kinds)
diff --git a/go/client.go b/go/client.go
@@ -51,6 +51,8 @@ import (
 	"github.com/github/copilot-sdk/go/rpc"
 )
 
+const noResultPermissionV2Error = "permission handlers cannot return 'no-result' when connected to a protocol v2 server"
+
 // Client manages the connection to the Copilot CLI server and provides session management.
 //
 // The Client can either spawn a CLI server process or connect to an existing server.
@@ -1531,6 +1533,9 @@ func (c *Client) handlePermissionRequestV2(req permissionRequestV2) (*permission
 			},
 		}, nil
 	}
+	if result.Kind == "no-result" {
+		return nil, &jsonrpc2.Error{Code: -32603, Message: noResultPermissionV2Error}
+	}
 
 	return &permissionResponseV2{Result: result}, nil
 }
diff --git a/go/session.go b/go/session.go
@@ -562,6 +562,9 @@ func (s *Session) executePermissionAndRespond(requestID string, permissionReques
 		})
 		return
 	}
+	if result.Kind == "no-result" {
+		return
+	}
 
 	s.RPC.Permissions.HandlePendingPermissionRequest(context.Background(), &rpc.SessionPermissionsHandlePendingPermissionRequestParams{
 		RequestID: requestID,
diff --git a/go/types_test.go b/go/types_test.go
@@ -15,6 +15,7 @@ func TestPermissionRequestResultKind_Constants(t *testing.T) {
 		{"DeniedByRules", PermissionRequestResultKindDeniedByRules, "denied-by-rules"},
 		{"DeniedCouldNotRequestFromUser", PermissionRequestResultKindDeniedCouldNotRequestFromUser, "denied-no-approval-rule-and-could-not-request-from-user"},
 		{"DeniedInteractivelyByUser", PermissionRequestResultKindDeniedInteractivelyByUser, "denied-interactively-by-user"},
+		{"NoResult", PermissionRequestResultKind("no-result"), "no-result"},
 	}
 
 	for _, tt := range tests {
@@ -42,6 +43,7 @@ func TestPermissionRequestResult_JSONRoundTrip(t *testing.T) {
 		{"DeniedByRules", PermissionRequestResultKindDeniedByRules},
 		{"DeniedCouldNotRequestFromUser", PermissionRequestResultKindDeniedCouldNotRequestFromUser},
 		{"DeniedInteractivelyByUser", PermissionRequestResultKindDeniedInteractivelyByUser},
+		{"NoResult", PermissionRequestResultKind("no-result")},
 		{"Custom", PermissionRequestResultKind("custom")},
 	}
 
diff --git a/nodejs/docs/agent-author.md b/nodejs/docs/agent-author.md
@@ -59,11 +59,9 @@ Discovery rules:
 ## Minimal Skeleton
 
 ```js
-import { approveAll } from "@github/copilot-sdk";
 import { joinSession } from "@github/copilot-sdk/extension";
 
 await joinSession({
-    onPermissionRequest: approveAll, // Required — handle permission requests
     tools: [],                     // Optional — custom tools
     hooks: {},                     // Optional — lifecycle hooks
 });
diff --git a/nodejs/docs/examples.md b/nodejs/docs/examples.md
@@ -7,11 +7,9 @@ A practical guide to writing extensions using the `@github/copilot-sdk` extensio
 Every extension starts with the same boilerplate:
 
 ```js
-import { approveAll } from "@github/copilot-sdk";
 import { joinSession } from "@github/copilot-sdk/extension";
 
 const session = await joinSession({
-    onPermissionRequest: approveAll,
     hooks: { /* ... */ },
     tools: [ /* ... */ ],
 });
@@ -33,7 +31,6 @@ Use `session.log()` to surface messages to the user in the CLI timeline:
 
 ```js
 const session = await joinSession({
-    onPermissionRequest: approveAll,
     hooks: {
         onSessionStart: async () => {
             await session.log("My extension loaded");
@@ -383,7 +380,6 @@ function copyToClipboard(text) {
 }
 
 const session = await joinSession({
-    onPermissionRequest: approveAll,
     hooks: {
         onUserPromptSubmitted: async (input) => {
             if (/\\bcopy\\b/i.test(input.prompt)) {
@@ -425,15 +421,12 @@ Correlate `tool.execution_start` / `tool.execution_complete` events by `toolCall
 ```js
 import { existsSync, watchFile, readFileSync } from "node:fs";
 import { join } from "node:path";
-import { approveAll } from "@github/copilot-sdk";
 import { joinSession } from "@github/copilot-sdk/extension";
 
 const agentEdits = new Set(); // toolCallIds for in-flight agent edits
 const recentAgentPaths = new Set(); // paths recently written by the agent
 
-const session = await joinSession({
-    onPermissionRequest: approveAll,
-});
+const session = await joinSession();
 
 const workspace = session.workspacePath; // e.g. ~/.copilot/session-state/<id>
 if (workspace) {
@@ -480,14 +473,11 @@ Filter out agent edits by tracking `tool.execution_start` / `tool.execution_comp
 ```js
 import { watch, readFileSync, statSync } from "node:fs";
 import { join, relative, resolve } from "node:path";
-import { approveAll } from "@github/copilot-sdk";
 import { joinSession } from "@github/copilot-sdk/extension";
 
 const agentEditPaths = new Set();
 
-const session = await joinSession({
-    onPermissionRequest: approveAll,
-});
+const session = await joinSession();
 
 const cwd = process.cwd();
 const IGNORE = new Set(["node_modules", ".git", "dist"]);
@@ -582,7 +572,6 @@ Register `onUserInputRequest` to enable the agent's `ask_user` tool:
 
 ```js
 const session = await joinSession({
-    onPermissionRequest: approveAll,
     onUserInputRequest: async (request) => {
         // request.question has the agent's question
         // request.choices has the options (if multiple choice)
@@ -599,7 +588,6 @@ An extension that combines tools, hooks, and events.
 
 ```js
 import { execFile, exec } from "node:child_process";
-import { approveAll } from "@github/copilot-sdk";
 import { joinSession } from "@github/copilot-sdk/extension";
 
 const isWindows = process.platform === "win32";
@@ -617,7 +605,6 @@ function openInEditor(filePath) {
 }
 
 const session = await joinSession({
-    onPermissionRequest: approveAll,
     hooks: {
         onUserPromptSubmitted: async (input) => {
             if (/\\bcopy this\\b/i.test(input.prompt)) {
diff --git a/nodejs/docs/extensions.md b/nodejs/docs/extensions.md
@@ -39,11 +39,9 @@ Extensions add custom tools, hooks, and behaviors to the Copilot CLI. They run a
 Extensions use `@github/copilot-sdk` for all interactions with the CLI:
 
 ```js
-import { approveAll } from "@github/copilot-sdk";
 import { joinSession } from "@github/copilot-sdk/extension";
 
 const session = await joinSession({
-    onPermissionRequest: approveAll,
     tools: [
         /* ... */
     ],
diff --git a/nodejs/src/client.ts b/nodejs/src/client.ts
@@ -25,7 +25,7 @@ import {
 } from "vscode-jsonrpc/node.js";
 import { createServerRpc } from "./generated/rpc.js";
 import { getSdkProtocolVersion } from "./sdkProtocolVersion.js";
-import { CopilotSession } from "./session.js";
+import { CopilotSession, NO_RESULT_PERMISSION_V2_ERROR } from "./session.js";
 import type {
     ConnectionState,
     CopilotClientOptions,
@@ -1604,7 +1604,10 @@ export class CopilotClient {
         try {
             const result = await session._handlePermissionRequestV2(params.permissionRequest);
             return { result };
-        } catch (_error) {
+        } catch (error) {
+            if (error instanceof Error && error.message === NO_RESULT_PERMISSION_V2_ERROR) {
+                throw error;
+            }
             return {
                 result: {
                     kind: "denied-no-approval-rule-and-could-not-request-from-user",
diff --git a/nodejs/src/extension.ts b/nodejs/src/extension.ts
@@ -4,7 +4,15 @@
 
 import { CopilotClient } from "./client.js";
 import type { CopilotSession } from "./session.js";
-import type { ResumeSessionConfig } from "./types.js";
+import type { PermissionHandler, PermissionRequestResult, ResumeSessionConfig } from "./types.js";
+
+const defaultJoinSessionPermissionHandler: PermissionHandler = (): PermissionRequestResult => ({
+    kind: "no-result",
+});
+
+export type JoinSessionConfig = Omit<ResumeSessionConfig, "onPermissionRequest"> & {
+    onPermissionRequest?: PermissionHandler;
+};
 
 /**
  * Joins the current foreground session.
@@ -14,16 +22,12 @@ import type { ResumeSessionConfig } from "./types.js";
  *
  * @example
  * ```typescript
- * import { approveAll } from "@github/copilot-sdk";
  * import { joinSession } from "@github/copilot-sdk/extension";
  *
- * const session = await joinSession({
- *   onPermissionRequest: approveAll,
- *   tools: [myTool],
- * });
+ * const session = await joinSession({ tools: [myTool] });
  * ```
  */
-export async function joinSession(config: ResumeSessionConfig): Promise<CopilotSession> {
+export async function joinSession(config: JoinSessionConfig = {}): Promise<CopilotSession> {
     const sessionId = process.env.SESSION_ID;
     if (!sessionId) {
         throw new Error(
@@ -34,6 +38,7 @@ export async function joinSession(config: ResumeSessionConfig): Promise<CopilotS
     const client = new CopilotClient({ isChildProcess: true });
     return client.resumeSession(sessionId, {
         ...config,
+        onPermissionRequest: config.onPermissionRequest ?? defaultJoinSessionPermissionHandler,
         disableResume: config.disableResume ?? true,
     });
 }
diff --git a/nodejs/src/session.ts b/nodejs/src/session.ts
@@ -28,6 +28,9 @@ import type {
     UserInputResponse,
 } from "./types.js";
 
+export const NO_RESULT_PERMISSION_V2_ERROR =
+    "Permission handlers cannot return 'no-result' when connected to a protocol v2 server.";
+
 /** Assistant message event - the final response from the assistant. */
 export type AssistantMessageEvent = Extract<SessionEvent, { type: "assistant.message" }>;
 
@@ -400,6 +403,9 @@ export class CopilotSession {
             const result = await this.permissionHandler!(permissionRequest, {
                 sessionId: this.sessionId,
             });
+            if (result.kind === "no-result") {
+                return;
+            }
             await this.rpc.permissions.handlePendingPermissionRequest({ requestId, result });
         } catch (_error) {
             try {
@@ -505,8 +511,14 @@ export class CopilotSession {
             const result = await this.permissionHandler(request as PermissionRequest, {
                 sessionId: this.sessionId,
             });
+            if (result.kind === "no-result") {
+                throw new Error(NO_RESULT_PERMISSION_V2_ERROR);
+            }
             return result;
-        } catch (_error) {
+        } catch (error) {
+            if (error instanceof Error && error.message === NO_RESULT_PERMISSION_V2_ERROR) {
+                throw error;
+            }
             return { kind: "denied-no-approval-rule-and-could-not-request-from-user" };
         }
     }
diff --git a/nodejs/src/types.ts b/nodejs/src/types.ts
@@ -241,7 +241,8 @@ export interface PermissionRequest {
 import type { SessionPermissionsHandlePendingPermissionRequestParams } from "./generated/rpc.js";
 
 export type PermissionRequestResult =
-    SessionPermissionsHandlePendingPermissionRequestParams["result"];
+    | SessionPermissionsHandlePendingPermissionRequestParams["result"]
+    | { kind: "no-result" };
 
 export type PermissionHandler = (
     request: PermissionRequest,
diff --git a/nodejs/test/client.test.ts b/nodejs/test/client.test.ts
@@ -26,6 +26,38 @@ describe("CopilotClient", () => {
         );
     });
 
+    it("does not respond to v3 permission requests when handler returns no-result", async () => {
+        const client = new CopilotClient();
+        await client.start();
+        onTestFinished(() => client.forceStop());
+
+        const session = await client.createSession({
+            onPermissionRequest: () => ({ kind: "no-result" }),
+        });
+        const spy = vi.spyOn(session.rpc.permissions, "handlePendingPermissionRequest");
+
+        await (session as any)._executePermissionAndRespond("request-1", { kind: "write" });
+
+        expect(spy).not.toHaveBeenCalled();
+    });
+
+    it("throws when a v2 permission handler returns no-result", async () => {
+        const client = new CopilotClient();
+        await client.start();
+        onTestFinished(() => client.forceStop());
+
+        const session = await client.createSession({
+            onPermissionRequest: () => ({ kind: "no-result" }),
+        });
+
+        await expect(
+            (client as any).handlePermissionRequestV2({
+                sessionId: session.sessionId,
+                permissionRequest: { kind: "write" },
+            })
+        ).rejects.toThrow(/protocol v2 server/);
+    });
+
     it("forwards clientName in session.create request", async () => {
         const client = new CopilotClient();
         await client.start();
diff --git a/nodejs/test/e2e/client.test.ts b/nodejs/test/e2e/client.test.ts
diff --git a/nodejs/test/extension.test.ts b/nodejs/test/extension.test.ts
diff --git a/python/copilot/client.py b/python/copilot/client.py
diff --git a/python/copilot/session.py b/python/copilot/session.py
diff --git a/python/copilot/types.py b/python/copilot/types.py
diff --git a/python/e2e/test_client.py b/python/e2e/test_client.py
diff --git a/python/test_client.py b/python/test_client.py

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,8 @@ import (`
`51`	`51`	`"github.com/github/copilot-sdk/go/rpc"`
`52`	`52`	`)`
`53`	`53`
	`54`	`+const noResultPermissionV2Error = "permission handlers cannot return 'no-result' when connected to a protocol v2 server"`
	`55`	`+`
`54`	`56`	`// Client manages the connection to the Copilot CLI server and provides session management.`
`55`	`57`	`//`
`56`	`58`	`// The Client can either spawn a CLI server process or connect to an existing server.`
`@@ -1531,6 +1533,9 @@ func (c Client) handlePermissionRequestV2(req permissionRequestV2) (permission`
`1531`	`1533`	`},`
`1532`	`1534`	`}, nil`
`1533`	`1535`	`}`
	`1536`	`+ if result.Kind == "no-result" {`
	`1537`	`+ return nil, &jsonrpc2.Error{Code: -32603, Message: noResultPermissionV2Error}`
	`1538`	`+ }`
`1534`	`1539`
`1535`	`1540`	`return &permissionResponseV2{Result: result}, nil`
`1536`	`1541`	`}`
Original file line number	Diff line number	Diff line change
`@@ -562,6 +562,9 @@ func (s *Session) executePermissionAndRespond(requestID string, permissionReques`
`562`	`562`	`})`
`563`	`563`	`return`
`564`	`564`	`}`
	`565`	`+ if result.Kind == "no-result" {`
	`566`	`+ return`
	`567`	`+ }`
`565`	`568`
`566`	`569`	`s.RPC.Permissions.HandlePendingPermissionRequest(context.Background(), &rpc.SessionPermissionsHandlePendingPermissionRequestParams{`
`567`	`570`	`RequestID: requestID,`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ func TestPermissionRequestResultKind_Constants(t *testing.T) {`
`15`	`15`	`{"DeniedByRules", PermissionRequestResultKindDeniedByRules, "denied-by-rules"},`
`16`	`16`	`{"DeniedCouldNotRequestFromUser", PermissionRequestResultKindDeniedCouldNotRequestFromUser, "denied-no-approval-rule-and-could-not-request-from-user"},`
`17`	`17`	`{"DeniedInteractivelyByUser", PermissionRequestResultKindDeniedInteractivelyByUser, "denied-interactively-by-user"},`
	`18`	`+ {"NoResult", PermissionRequestResultKind("no-result"), "no-result"},`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`for _, tt := range tests {`
`@@ -42,6 +43,7 @@ func TestPermissionRequestResult_JSONRoundTrip(t *testing.T) {`
`42`	`43`	`{"DeniedByRules", PermissionRequestResultKindDeniedByRules},`
`43`	`44`	`{"DeniedCouldNotRequestFromUser", PermissionRequestResultKindDeniedCouldNotRequestFromUser},`
`44`	`45`	`{"DeniedInteractivelyByUser", PermissionRequestResultKindDeniedInteractivelyByUser},`
	`46`	`+ {"NoResult", PermissionRequestResultKind("no-result")},`
`45`	`47`	`{"Custom", PermissionRequestResultKind("custom")},`
`46`	`48`	`}`
`47`	`49`