Python: Allow opting out of FileAccessProvider tool approval#6879
Merged
westey-m merged 1 commit intoJul 2, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds first-class configuration to opt out of host approval for FileAccessProvider tools in the Python harness, enabling unattended file operations without requiring ToolApprovalMiddleware auto-approval rules.
Changes:
- Add
disable_readonly_tool_approval/disable_write_tool_approvalflags toFileAccessProviderand wire them into tool registration. - Expose the same knobs on
create_harness_agent(file_access_disable_readonly_tool_approval,file_access_disable_write_tool_approval) and thread them through context-provider assembly. - Add/extend unit tests and update
AGENTS.mddocumentation for the new approval behavior.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| python/packages/core/agent_framework/_harness/_file_access.py | Implements per-tool-group approval opt-out and updates provider documentation. |
| python/packages/core/agent_framework/_harness/_agent.py | Exposes new file-access approval flags via create_harness_agent and wires them into provider construction. |
| python/packages/core/tests/core/test_harness_file_access.py | Adds coverage validating approval modes for read-only vs write tool groups under different opt-out combinations. |
| python/packages/core/tests/core/test_harness_agent.py | Adds coverage ensuring create_harness_agent forwards the new flags to FileAccessProvider. |
| python/packages/core/AGENTS.md | Documents the new opt-out flags and how they affect approval behavior. |
Comments suppressed due to low confidence (1)
python/packages/core/agent_framework/_harness/_file_access.py:1223
- The class docstring now documents optional approval opt-outs, but the docstrings for
read_only_tools_auto_approval_ruleandall_tools_auto_approval_rulestill state that FileAccessProvider tools "always require approval" (see lines 1351 and 1379). With the newdisable_*_tool_approvalflags, that statement is no longer always true; please update those method docstrings to reflect the new behavior (e.g., "by default" or "when approval is enabled").
By default all tools require approval: each is registered with
``approval_mode="always_require"`` so the host must approve every file
operation the model proposes. In the auto-invocation flow this means the
model's calls to these tools are converted into
``function_approval_request`` items and the tool does **not** execute until
the host supplies a matching ``function_approval_response``. Consumers that
Contributor
Python Test Coverage Report •
Python Unit Test Overview
|
|||||||||||||||||||||||||||||||||||
eavanvalkenburg
approved these changes
Jul 2, 2026
giles17
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation & Context
FileAccessProviderregisters every tool withapproval_mode="always_require", so each file operation the model proposes must be approved by the host. The only way to run unattended was to install auto-approval rules at theToolApprovalMiddlewarelevel — which means bubbling all the way up the stack and back down again just to avoid an approval that the provider forced in the first place. This adds a first-class, source-level opt-out so callers can disable approval directly on the provider (and viacreate_harness_agent).Description & Review Guide
What are the major changes?
FileAccessProvidergains two constructor flags:disable_readonly_tool_approval— controls the read-only tools (file_access_read,file_access_ls,file_access_grep).disable_write_tool_approval— controls the write tools (file_access_write,file_access_delete,file_access_replace,file_access_replace_lines).approval_mode="never_require"; otherwise the existingalways_requireis used. The approval mode is computed once inbefore_runand threaded into each@tool(...)registration.create_harness_agentexposes the same options prefixed withfile_access_(file_access_disable_readonly_tool_approval,file_access_disable_write_tool_approval), threaded through_assemble_context_providersinto the provider construction (ignored whendisable_file_access=True, matching the sibling flags).FileAccessProviderclass docstring,create_harness_agentdocstrings, andpackages/core/AGENTS.md.What is the impact of these changes?
False, so behavior is unchanged (all tools still require approval) unless a caller opts out. Not a breaking change.What do you want reviewers to focus on?
Note: this covers
FileAccessProvideronly.SkillsProvider(the other provider that forces approval) is being updated separately.FileMemoryProvideralready usesnever_require, and MCP/Agentalready expose configurable approval.Related Issue
Fixes #6876
Contribution Checklist
breaking changelabel (or add "[BREAKING]" to the title prefix, before or after any language prefix) — a workflow keeps the label and title prefix in sync automatically.