Enable missing-tool safe output by default when safe-outputs is configured

[Copilot]

Overview

This PR enables the missing-tool safe output by default whenever safe-outputs: is configured in an agentic workflow. Users can now benefit from automatic tool limitation reporting without explicit configuration, while still having the option to opt-out using missing-tool: false.

Problem

Previously, workflows had to explicitly configure missing-tool to track unavailable tools or permission errors:

safe-outputs:
  create-issue:
  missing-tool:  # Had to explicitly enable
    max: 10

This meant users weren't getting visibility into tool limitations unless they knew to configure this feature.

Solution

Default Behavior: When safe-outputs: is configured, missing-tool is automatically enabled with default settings (unlimited max).

# Before: Required explicit configuration
safe-outputs:
  create-issue:
  missing-tool:

# After: Automatically enabled
safe-outputs:
  create-issue:  # missing-tool is now enabled by default!

Explicit Disable: Users who don't want missing-tool reporting can disable it:

safe-outputs:
  create-issue:
  missing-tool: false  # Explicitly opt-out

Permission Error Detection: The existing engine implementations already automatically detect and report tools that failed due to insufficient permissions. This PR enhances the documentation to clarify this capability.

Changes

Core Implementation

• pkg/workflow/missing_tool.go: Updated parseMissingToolConfig() to handle boolean false value for explicit disabling
• pkg/workflow/safe_outputs.go: Modified extractSafeOutputsConfig() to enable missing-tool by default when safe-outputs section exists
• pkg/parser/schemas/main_workflow_schema.json: Added boolean schema support to allow missing-tool: false

Tests

• Added test case for default enabling when safe-outputs exists
• Added test case for explicit disable with missing-tool: false
• Added test case for boolean false in config parsing
• All existing tests continue to pass

Documentation

• Updated safe-outputs reference documentation to reflect new default behavior
• Added section explaining explicit disable option
• Enhanced explanation of automatic permission error detection
• Updated table to indicate missing-tool is enabled by default

Workflow Compilation

• Recompiled all 44 workflow files
• Workflows with safe-outputs now include missing_tool job automatically
• Existing workflows with explicit configuration continue to work unchanged

Benefits

1. Better Visibility: Users automatically get insights into tool limitations without configuration
2. Permission Debugging: Automatic detection and reporting of permission-related failures helps identify configuration issues
3. Zero Config: Works out of the box with any safe-outputs configuration
4. Opt-out Available: Users can disable if not needed for specific workflows
5. Knowledge Building: Helps identify patterns in tool availability and permission issues across workflows

Backward Compatibility

✅ Existing workflows with explicit missing-tool configuration continue to work unchanged
✅ Workflows without safe-outputs are not affected
✅ New default only applies when safe-outputs: section exists
✅ Users can opt-out with missing-tool: false

Testing

• ✅ All unit tests pass (including new test cases)
• ✅ All integration tests pass
• ✅ All lint and formatting checks pass
• ✅ All 44 workflows compile successfully
• ✅ Manual testing confirms correct behavior for both default and disabled modes

Original prompt

The safe outputs missing-tool should be enabled by default. And it can be turned off by setting missing-tool false.

The description of missing tool should also accept tool that did not have permissions to run.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.