Skip to content

feat: enable real-time agent output streaming with VSO filtering #159

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jamesadevine merged 1 commit into from
Apr 13, 2026
Merged

feat: enable real-time agent output streaming with VSO filtering #159

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 8 additions & 7 deletions templates/1es-base.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,15 +228,16 @@ extends:
displayName: "Start network proxy"

- bash: |
THREAT_OUTPUT_FILE="$(Agent.TempDirectory)/threat-analysis-output.txt"
set -o pipefail

# Use $(cat file) like gh-aw does - the command is executed directly, not via a variable
copilot --prompt "$(cat $(Agent.TempDirectory)/threat-analysis-prompt.md)" {{ copilot_params }} > "$THREAT_OUTPUT_FILE" 2>&1
AGENT_EXIT_CODE=$?
THREAT_OUTPUT_FILE="$(Agent.TempDirectory)/threat-analysis-output.txt"

echo "=== Threat Analysis Output (sanitized) ==="
sed 's/##vso\[/## [SANITIZED] vso[/g' "$THREAT_OUTPUT_FILE"
echo "=== End Threat Analysis Output ==="
# Stream threat analysis output in real-time with VSO command filtering
copilot --prompt "$(cat $(Agent.TempDirectory)/threat-analysis-prompt.md)" {{ copilot_params }} \
2>&1 \
| sed -u 's/##vso\[/[VSO-FILTERED] vso[/g; s/##\[/[VSO-FILTERED] [/g' \
| tee "$THREAT_OUTPUT_FILE" \
&& AGENT_EXIT_CODE=0 || AGENT_EXIT_CODE=$?

exit $AGENT_EXIT_CODE
displayName: "Run threat analysis"
Expand Down
30 changes: 17 additions & 13 deletions templates/base.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -299,6 +299,10 @@ jobs:
# (MCPG and SafeOutputs) via host.docker.internal.
# AWF auto-mounts /tmp:/tmp:rw into the container, so copilot binary,
# agent prompt, and MCP config are placed under /tmp/awf-tools/.
# Stream agent output in real-time while filtering VSO commands.
# sed -u = unbuffered (line-by-line) so output appears immediately.
# tee writes to both stdout (ADO pipeline log) and the artifact file.
# pipefail (set above) ensures AWF's exit code propagates through the pipe.
sudo -E "$(Pipeline.Workspace)/awf/awf" \
--allow-domains {{ allowed_domains }} \
--skip-pull \
Expand All @@ -308,14 +312,11 @@ jobs:
--log-level info \
--proxy-logs-dir "$(Agent.TempDirectory)/staging/logs/firewall" \
-- '/tmp/awf-tools/copilot --prompt "$(cat /tmp/awf-tools/agent-prompt.md)" --additional-mcp-config @/tmp/awf-tools/mcp-config.json {{ copilot_params }}' \
> "$AGENT_OUTPUT_FILE" 2>&1 \
2>&1 \
| sed -u 's/##vso\[/[VSO-FILTERED] vso[/g; s/##\[/[VSO-FILTERED] [/g' \
| tee "$AGENT_OUTPUT_FILE" \
&& AGENT_EXIT_CODE=0 || AGENT_EXIT_CODE=$?

# Display sanitized output
echo "=== Agent Output (sanitized) ==="
sed 's/##vso\[/[SANITIZED] vso[/g' "$AGENT_OUTPUT_FILE"
echo "=== End Agent Output ==="

# Print firewall summary if available
if [ -x "$(Pipeline.Workspace)/awf/awf" ]; then
echo "=== Firewall Summary ==="
Expand Down Expand Up @@ -481,9 +482,12 @@ jobs:
displayName: "Setup agentic pipeline compiler"

- bash: |
set -o pipefail

# Run threat analysis with AWF network isolation
THREAT_OUTPUT_FILE="$(Agent.TempDirectory)/threat-analysis-output.txt"

# Stream threat analysis output in real-time with VSO command filtering
sudo -E "$(Pipeline.Workspace)/awf/awf" \
--allow-domains {{ allowed_domains }} \
--skip-pull \
Expand All @@ -492,13 +496,10 @@ jobs:
--log-level info \
--proxy-logs-dir "$(Agent.TempDirectory)/threat-analysis-logs/firewall" \
-- '/tmp/awf-tools/copilot --prompt "$(cat /tmp/awf-tools/threat-analysis-prompt.md)" {{ copilot_params }}' \
> "$THREAT_OUTPUT_FILE" 2>&1
AGENT_EXIT_CODE=$?

# Display sanitized output
echo "=== Threat Analysis Output (sanitized) ==="
sed 's/##vso\[/## [SANITIZED] vso[/g' "$THREAT_OUTPUT_FILE"
echo "=== End Threat Analysis Output ==="
2>&1 \
| sed -u 's/##vso\[/[VSO-FILTERED] vso[/g; s/##\[/[VSO-FILTERED] [/g' \
| tee "$THREAT_OUTPUT_FILE" \
&& AGENT_EXIT_CODE=0 || AGENT_EXIT_CODE=$?

exit $AGENT_EXIT_CODE
displayName: "Run threat analysis (AWF network isolated)"
Expand Down Expand Up @@ -643,6 +644,9 @@ jobs:
- bash: |
# Copy all logs to output directory for artifact upload
mkdir -p "$(Agent.TempDirectory)/staging/logs"
# Copy agent output log from analyzed_outputs for optimisation use
cp "$(Pipeline.Workspace)/analyzed_outputs_$(Build.BuildId)/logs/agent-output.txt" \
"$(Agent.TempDirectory)/staging/logs/agent-output.txt" 2>/dev/null || true
if [ -d ~/.copilot/logs ]; then
mkdir -p "$(Agent.TempDirectory)/staging/logs/copilot"
cp -r ~/.copilot/logs/* "$(Agent.TempDirectory)/staging/logs/copilot/" 2>/dev/null || true
Expand Down
Loading