Submission requirements
Problem summary
An ado-aw v0.43.0 workflow using Copilot CLI v1.0.69 cannot reliably invoke ado-aw's own generated safeoutputs MCP server without two manual .lock.yml edits:
- Add
isDefaultServer: true to the generated Copilot MCP configuration entry.
- Add an explicit
--allow-tool=safeoutputs argument even when ado-aw emits --allow-all-tools.
Without these edits, Copilot's third-party MCP policy treats the generated internal server as untrusted/not explicitly permitted. This is compiler-owned infrastructure, so workflow authors cannot represent either correction in source front matter; engine.args intentionally blocks compiler-controlled allow flags.
Reproduction details
Compile a workflow with ado-aw v0.43.0 using the Copilot engine, default wildcard tool access, and any safe output. The generated MCP conversion currently performs only these transformations:
.value.url |= sub("^http://[^/]+/"; "<gateway-prefix>/")
| .value.tools = ["*"]
The resulting safeoutputs entry lacks:
{
"isDefaultServer": true
}
The generated Copilot invocation ends in --allow-all-tools and omits an explicit SafeOutputs permission. Although SafeOutputsExtension declares copilot_allow_tools: ["safeoutputs"], engine.rs discards all individual tool grants whenever wildcard bash selects --allow-all-tools.
In a production workflow, adding both of the following manual changes restores SafeOutputs access:
.value.isDefaultServer = true
--allow-all-tools --allow-tool=safeoutputs
A fresh v0.43.0 compile removes both patches. Current origin/main retains the same converter and mutually exclusive allow-list logic; the post-v0.43 MCPG dependency bump does not generate Copilot trust metadata.
Expected behavior: ado-aw's compiler-owned SafeOutputs MCP is trusted and invokable with the generated Copilot configuration without lock-file edits.
Observed behavior: two non-source-representable patches are required.
Proposed next step
Treat SafeOutputs as compiler-owned trusted infrastructure in the Copilot MCP conversion by emitting isDefaultServer: true. Also verify Copilot CLI's current permission semantics and emit an explicit --allow-tool=safeoutputs grant when required, even on the --allow-all-tools path. Add an integration/snapshot test for the final Copilot command and generated mcp-config.json shape using the currently pinned Copilot CLI contract.
Submission requirements
.github/agents/ado-aw.agent.md.githubnext/ado-aw.Problem summary
An ado-aw v0.43.0 workflow using Copilot CLI v1.0.69 cannot reliably invoke ado-aw's own generated
safeoutputsMCP server without two manual.lock.ymledits:isDefaultServer: trueto the generated Copilot MCP configuration entry.--allow-tool=safeoutputsargument even when ado-aw emits--allow-all-tools.Without these edits, Copilot's third-party MCP policy treats the generated internal server as untrusted/not explicitly permitted. This is compiler-owned infrastructure, so workflow authors cannot represent either correction in source front matter;
engine.argsintentionally blocks compiler-controlled allow flags.Reproduction details
Compile a workflow with ado-aw v0.43.0 using the Copilot engine, default wildcard tool access, and any safe output. The generated MCP conversion currently performs only these transformations:
The resulting
safeoutputsentry lacks:{ "isDefaultServer": true }The generated Copilot invocation ends in
--allow-all-toolsand omits an explicit SafeOutputs permission. AlthoughSafeOutputsExtensiondeclarescopilot_allow_tools: ["safeoutputs"],engine.rsdiscards all individual tool grants whenever wildcard bash selects--allow-all-tools.In a production workflow, adding both of the following manual changes restores SafeOutputs access:
A fresh v0.43.0 compile removes both patches. Current
origin/mainretains the same converter and mutually exclusive allow-list logic; the post-v0.43 MCPG dependency bump does not generate Copilot trust metadata.Expected behavior: ado-aw's compiler-owned SafeOutputs MCP is trusted and invokable with the generated Copilot configuration without lock-file edits.
Observed behavior: two non-source-representable patches are required.
Proposed next step
Treat SafeOutputs as compiler-owned trusted infrastructure in the Copilot MCP conversion by emitting
isDefaultServer: true. Also verify Copilot CLI's current permission semantics and emit an explicit--allow-tool=safeoutputsgrant when required, even on the--allow-all-toolspath. Add an integration/snapshot test for the final Copilot command and generatedmcp-config.jsonshape using the currently pinned Copilot CLI contract.