Skip to content

Add stdio transport mode for safe-inputs MCP server#5817

Merged
pelikhan merged 5 commits into
mainfrom
copilot/add-mode-for-safe-inputs
Dec 8, 2025
Merged

Add stdio transport mode for safe-inputs MCP server#5817
pelikhan merged 5 commits into
mainfrom
copilot/add-mode-for-safe-inputs

Conversation

Copilot AI commented Dec 8, 2025

Copy link
Copy Markdown
Contributor

Adds a configurable mode field to safe-inputs that allows the MCP server to run within the AWF firewall using stdio transport instead of as a separate HTTP service.

Changes

  • Added mode field to safe-inputs configuration with values "http" (default) or "stdio"
  • Stdio mode: MCP server started by agent via stdio transport, runs within firewall
    • MCP config: type: "stdio", command: "node", args: ["/tmp/gh-aw/safe-inputs/mcp-server.cjs"]
    • Entry point uses startSafeInputsServer()
    • No HTTP server setup steps generated
  • HTTP mode: Maintains existing behavior for backward compatibility
    • MCP config: type: "http", url: "http://host.docker.internal:${PORT}"
    • Entry point uses startHttpServer()
    • Separate HTTP server step with port/API key generation
  • Schema updates: JSON schemas allow mode property, pattern regex excludes "mode" from tool names
  • Enabled stdio mode for smoke-copilot workflow via shared/gh.md

Usage

---
safe-inputs:
  mode: stdio  # Run within firewall using stdio transport
  gh:
    description: "Execute gh CLI commands"
    inputs:
      args:
        type: string
        required: true
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    run: gh $INPUT_ARGS
---

Omitting mode defaults to "http" for backward compatibility.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login -json GO111MODULE ir GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile env d-artifact.git d-artifact.git /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login action.git GO111MODULE 1/x64/bin/node by/2d2c7a5149acfnode GOMOD -d/gh-aw go env 4b82ac6d18922b48 -d/gh-aw 1593003/b201/vet.cfg GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login .git .git 6f4186579cd7cae5e68b087f4a6313c0443/log.json GOINSECURE GOMOD GOMODCACHE go env f/tags/v6 GO111MODULE (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Add a configurable "mode" to safe inputs where it runs within the awf firewall. In other words, the safeinputs MCP server is started by the agent using the stdio transport and not as a step in the action job.

Enable this mode for "smoke copilot" agentic workflow


💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 4 commits December 8, 2025 05:04
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add configurable mode for safe inputs in AWF firewall Add stdio transport mode for safe-inputs MCP server Dec 8, 2025
Copilot AI requested a review from pelikhan December 8, 2025 05:35
@pelikhan pelikhan marked this pull request as ready for review December 8, 2025 07:05
@pelikhan pelikhan merged commit c9dba82 into main Dec 8, 2025
5 checks passed
@pelikhan pelikhan deleted the copilot/add-mode-for-safe-inputs branch December 8, 2025 07:05
lpcox added a commit that referenced this pull request Jul 2, 2026
Picks up the pre-shutdown squid log chmod fix (#5817) which resolves
artifact permission errors on ARC/DinD runners.
lpcox added a commit that referenced this pull request Jul 2, 2026
… build-tools image (#42906)

* fix: pre-create rw mount source directories for ARC/DinD

AWF validates that --mount host paths exist before starting containers.
On ARC/DinD, the compiler emits mounts for ${RUNNER_TEMP}/gh-aw/home and
${RUNNER_TEMP}/gh-aw/sandbox/agent which may not exist yet (only the parent
${RUNNER_TEMP}/gh-aw/ is created by actions/setup).

Add mkdir -p for these directories in the generated shell script, right
after the DOCKER_HOST detection probe and before the AWF invocation.

Error seen in canary run 28566765653:
  Invalid volume mount: ...gh-aw/home:...gh-aw/home:rw
  Reason: Host path does not exist: ...gh-aw/home

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: install Docker Compose plugin for ARC/DinD topology

ARC/DinD runners may not have the Docker Compose v2 CLI plugin
pre-installed. AWF requires 'docker compose' to orchestrate its
containers (squid-proxy, agent, api-proxy).

Add a generated step that downloads and installs docker-compose
v2.36.2 into $DOCKER_CONFIG/cli-plugins/ before the AWF invocation.

Error seen in canary: 'unknown shorthand flag: -d in -d' when AWF
tried to run 'docker compose up -d'.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: include build-tools sysroot image in download step for ARC/DinD

AWF uses --pull never when starting containers, so all images must be
pre-downloaded. The build-tools image (used as the sysroot-stage init
container on arc-dind topology) was missing from the download list,
causing: 'No such image: ghcr.io/github/gh-aw-firewall/build-tools:0.27.21'

Add build-tools to collectDockerImages() when arc-dind topology is active.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: ensure Node.js and Copilot CLI are at daemon-visible paths for ARC/DinD

On ARC runners, setup-node may find a pre-cached node at the original
tool cache (/home/runner/_work/_tool/) which is NOT under RUNNER_TEMP
and therefore not bind-mounted into the AWF container. Add a step after
runtime setup that copies node to the redirected tool cache if needed.

Also add a step to copy the Copilot CLI binary from /usr/local/bin
(where install_copilot_cli.sh places it) to ${RUNNER_TEMP}/gh-aw/bin/
which is the daemon-visible path the AWF command references.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: copy prompts to daemon-visible path and fix prompt-file ref for ARC/DinD

On ARC/DinD, /tmp/gh-aw/ is on the runner's filesystem but NOT visible to
the Docker daemon. The activation job writes prompt files to
/tmp/gh-aw/aw-prompts/, but AWF can only access daemon-visible paths.

Two fixes:
1. Copy /tmp/gh-aw/aw-prompts/ to ${RUNNER_TEMP}/gh-aw/aw-prompts/ before
   AWF invocation (in the arcDindDockerHostProbe preamble)
2. Change --prompt-file path in copilot engine from /tmp/gh-aw/... to
   ${RUNNER_TEMP}/gh-aw/... when arc-dind topology is active

Other engines (Claude, Codex) have the same hardcoded /tmp/ path and will
need similar fixes for arc-dind support.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* test: add unit tests for build-tools image in collectDockerImages for arc-dind

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: use daemon-visible paths for firewall logs/artifacts on ARC/DinD

The post-run steps (firewall log parsing, artifact upload) used hardcoded
/tmp/gh-aw/sandbox/firewall/ paths. On ARC/DinD, AWF writes logs to
${RUNNER_TEMP}/gh-aw/sandbox/firewall/ (daemon-visible). This mismatch
caused 'No log sources found' errors and empty artifact uploads.

Fix generateFirewallLogParsingStep(), generateSquidLogsUploadStep(), and
the unified artifact path list to use ${RUNNER_TEMP} paths when arc-dind
topology is active.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* fix: use Actions expressions for ARC/DinD firewall log paths in env/with blocks

${RUNNER_TEMP} is a shell variable that only expands in `run:` blocks.
In `env:` and `with:` blocks, GitHub Actions only expands ${{ }}
expressions. The firewall log summary step and artifact upload paths
were using ${RUNNER_TEMP} which was passed as a literal string, causing
'No log sources found' even though AWF_LOGS_DIR was set.

Fix: use ${{ runner.temp }} in env/with contexts for ARC/DinD topology.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>

* Apply remaining changes

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

* bump DefaultFirewallVersion to v0.27.22

Picks up the pre-shutdown squid log chmod fix (#5817) which resolves
artifact permission errors on ARC/DinD runners.

* test: update wasm golden files after merge with main

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants