Skip to content

fix: align tool allow lists with gh-aw #279

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jamesadevine merged 3 commits into from
Apr 21, 2026
Merged

fix: align tool allow lists with gh-aw #279

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
f061b4e
fix: align tool allow lists with gh-aw
jamesadevine Apr 21, 2026
9c83842
fix: address review feedback on tool allow list comments
jamesadevine Apr 21, 2026
25f795b
fix: address remaining review feedback on tool allow lists
jamesadevine Apr 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 7 additions & 9 deletions AGENTS.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -393,24 +393,20 @@ The `tools` field controls which tools are available to the agent. Both sub-fiel

#### Default Bash Command Allow-list

When `tools.bash` is omitted, the agent can invoke the following shell commands:

```
cat, date, echo, grep, head, ls, pwd, sort, tail, uniq, wc, yq
```
When `tools.bash` is omitted, the agent defaults to **unrestricted bash access** (`--allow-all-tools`). This matches gh-aw's sandbox behavior — since ado-aw agents always run inside the AWF sandbox, all tools are allowed by default.

#### Configuring Bash Access

```yaml
# Default: safe built-in command list (bash field omitted)
# Default: unrestricted bash access (bash field omitted → --allow-all-tools)
tools:
edit: true

# Unrestricted bash access (use with caution)
# Explicit unrestricted bash (same as default) — also accepts "*"
tools:
bash: [":*"]

# Explicit command allow-list
# Explicit command allow-list (restricts to named commands only)
tools:
bash: ["cat", "ls", "grep", "find"]

Expand Down Expand Up @@ -637,8 +633,10 @@ Should be replaced with the human-readable name from the front matter (e.g., "Da
Additional params provided to copilot CLI. The compiler generates:
- `--model <model>` - AI model from `engine` front matter field (default: claude-opus-4.5)
- `--no-ask-user` - Prevents interactive prompts
- `--allow-tool <tool>` - Explicitly allows specific tools (github, safeoutputs, write, shell commands like cat, date, echo, grep, head, ls, pwd, sort, tail, uniq, wc, yq)
- `--disable-builtin-mcps` - Disables all built-in Copilot CLI MCPs (single flag, no argument)
- `--allow-all-tools` - When bash is omitted (default) or has a wildcard (`":*"` or `"*"`), allows all tools instead of individual `--allow-tool` flags
- `--allow-tool <tool>` - When bash is NOT wildcard, explicitly allows configured tools (github, safeoutputs, write, and shell commands from the `bash:` field plus any runtime-required commands)
- `--allow-all-paths` - When `edit` tool is enabled (default), allows the agent to write to any file path

MCP servers are handled entirely by the MCP Gateway (MCPG) and are not passed as copilot CLI params.

Expand Down
Loading
Loading