Tools, integrations, and security
This chapter combines three concerns that are inseparable in an agent runtime:
- Which capabilities become model-visible tools?
- Which external systems contribute tools, prompts, hooks, or agents?
- Which trust boundaries approve, deny, redact, sandbox, or persist policy?
Read this chapter when the question is: why could the model do that, and what guarded the action?
Chapter ownership model
The chapter is organized around the lifecycle of an action, not around package names:
- Expose capability — decide which tools and integration-provided capabilities become visible to the model.
- Execute capability — run the selected tool through hooks, permissions, streaming, telemetry, and durable events.
- Constrain capability — apply path/URL/tool policies, redaction, content exclusion, sandboxing, and persisted configuration.
- Extend capability — let MCP servers, plugins, SDK extensions, IDE/LSP bridges, web access, and validation tools contribute new surfaces without bypassing the same guards.
If a page explains what is sent to the model as prompt/context, it belongs in Context and model loop. If it explains durable event replay or remote projection, it belongs in Sessions, persistence, and remote. This chapter owns the trust boundary between those two layers.
Source-anchor policy
This page is a chapter guide. Linked implementation pages carry concrete app.js anchors.
| Semantic alias | Minified anchor | Scope |
|---|---|---|
| Tools/integrations/security chapter | N/A — navigation page | Groups runtime tool assembly, execution, MCP/plugins/SDK/IDE/web integrations, permissions, redaction, hooks, sandboxing, and policy state. |
| Tool/security implementation pages | See linked source-anchor tables | Concrete bundle anchors live in the destination pages. |
Trust-boundary map
```mermaid
flowchart TD
    Session[Session options and model config] --> Assembly[Runtime tool assembly]
    MCP[MCP servers] --> Assembly
    Plugins[Plugins / SDK / IDE] --> Assembly
    Builtins[Built-in tools] --> Assembly
    Assembly --> Model[Model-visible schemas]
    Model --> Call[Tool call]
    Call --> Permission[Permission service]
    Permission --> Hooks[Hooks and policy]
    Hooks --> Exec[Tool execution]
    Exec --> Redaction[Content exclusion / redaction]
    Exec --> Sandbox[Sandbox / process boundary]
    Redaction --> Events[Events / telemetry / history]
    Sandbox --> Events
    click Assembly "./runtime-tool-assembly-and-filtering/" "Open runtime tool assembly"
    click Exec "./built-in-tools-execution-events/" "Open tool execution"
    click MCP "./mcp-host-transport-and-tools/" "Open MCP support"
    click Permission "./tool-path-url-permissions/" "Open permission system"
    click Redaction "./content-exclusion-and-redaction/" "Open content exclusion"
    click Sandbox "./sandboxing/" "Open sandboxing"
```
Primary reading order
| Order | Page | Tool/security question answered |
|---|---|---|
| 1 | Runtime tool assembly and filtering | How are built-ins, MCP, SDK extensions, plugins, custom agents, filters, deferred search, and gates assembled into the final toolset? |
| 2 | Built-in tools, execution events, and results | How do permission checks, hooks, execution events, streaming, telemetry, and history wrap a tool call? |
| 3 | Shell command execution events | How do Bash/PowerShell tools choose PTY/process backends, async/detached behavior, task tracking, and large-output handling? |
| 4 | MCP host, transports, and tools | How are MCP servers discovered, transported, authorized, filtered, and mapped into tools/resources/prompts/tasks? |
| 5 | Tool, path, and URL permissions | How do tool/path/URL/MCP/hook approval rules and precedence work? |
| 6 | Content exclusion and redaction | How do policy fetch/merge, filtered outputs, secret env vars, and redaction boundaries affect model-visible data? |
| 7 | Sandbox implementation | How does local command sandboxing route shell sessions through MXC helpers and filesystem policies? |
Boundary-by-boundary map
| Boundary | Primary page | What to verify there |
|---|---|---|
| Model-visible tool list | Runtime tool assembly and filtering | Tool candidates, filters, selected-agent rules, deferred loading, and session.tools_updated. |
| Tool call execution | Built-in tools, execution events, and results | Start/progress/partial/complete events, request processors, hooks, permissions, and replayable results. |
| Shell process boundary | Shell command execution events | PTY/process backend choice, sync/async/detach semantics, output buffers, background tasks, and notifications. |
| MCP protocol boundary | MCP host, transports, and tools | Config merge, local/HTTP/SSE transports, OAuth, instructions, tool flattening, and MCP task/progress events. |
| Approval boundary | Tool, path, and URL permissions | Deny/allow precedence, path/URL managers, session/location approvals, remote/ACP prompts, and allow-all toggles. |
| Data policy boundary | Content exclusion and redaction | Excluded paths, filtered outputs, secret env vars, and redaction layers before data becomes model-visible or support-visible. |
| Local sandbox boundary | Sandbox implementation | MXC adapter invocation, filesystem/network policy, platform constraints, and sandbox setting persistence. |
Integration providers
| Provider | Page | Runtime surface |
|---|---|---|
| Plugins | Plugins, extensions, and capabilities | Plugin caches, marketplaces, contributed skills/agents/hooks/MCP/LSP, and enablement state. |
| Programmatic SDK extensions | Copilot SDK extension bridge | @github/copilot-sdk extension discovery, joinSession(), management APIs, events, and trust boundaries. |
| IDE/LSP/editor bridges | IDE, LSP, and editor integration | IDE tools, selections, diagnostics, diffs, title sync, LSP config, and extension state. |
| Web/GitHub network access | Web search, URL fetching, and URL permissions | Built-in web fetch, GitHub MCP web search, URL allow/deny persistence, and web gates. |
| Validation/review tools | Coding-agent validation and review toolchain | Code review, CodeQL, secret scanning, advisory checks, budgets, and validation telemetry. |
Policy and persistence topics
- Integration config entrypoints maps root startup/config/auth entry points to the narrower implementation pages below.
- Hooks, events, and automation explains command/HTTP hooks, VS Code aliases, security restrictions, and lifecycle events.
- Settings and configuration persistence explains config roots, typed stores, settings overlays, URL/MCP/plugin/sandbox state, and migration behavior.
Handoffs
- Tool schemas and tool results feed the Context and model loop.
- Tool execution events and large output artifacts are persisted by Sessions, persistence, and remote.
- Hosted GitHub MCP policy and OIDC token injection are covered by Hosted agent ops.
- Agent-specific tool subsets and task handoff are covered by Agents and automation.
Created and maintained by Yingting Huang.