Python: [BREAKING] Harness: Switch FileAccess to opt-in#7094
Open
westey-m wants to merge 1 commit into
Open
Conversation
Contributor
Contributor
There was a problem hiding this comment.
Pull request overview
This PR makes Python harness file access least-privilege by switching create_harness_agent’s FileAccessProvider from enabled-by-default to opt-in, aligning behavior with the existing opt-in patterns (skills/background agents) and the corresponding .NET harness change.
Changes:
- Removed the
disable_file_accessoption and stopped creating an implicit{cwd}/workingfile-access store;FileAccessProvideris now added only whenfile_access_storeis provided. - Updated docs and type stubs to reflect the new opt-in semantics for file access (while keeping file memory default-on).
- Updated harness unit tests to assert file access is absent by default and present when a store is supplied (including approval-option coverage).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| python/samples/02-agents/harness/build_your_own_claw/README.md | Updates sample documentation to describe file access as opt-in. |
| python/packages/core/tests/core/test_harness_agent.py | Adjusts harness assembly tests to validate opt-in file access behavior and approval flags. |
| python/packages/core/AGENTS.md | Updates framework docs to reflect opt-in wiring and removal of implicit {cwd}/working. |
| python/packages/core/agent_framework/_harness/_agent.pyi | Removes disable_file_access from the public stub signature. |
| python/packages/core/agent_framework/_harness/_agent.py | Implements opt-in FileAccessProvider wiring and updates docstrings accordingly. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation & Context
The Python
create_harness_agentenabled itsFileAccessProviderby default (opt-out viadisable_file_access), implicitly rooting aFileSystemAgentFileStoreat{cwd}/workingunless the caller disabled it. File access grants the agent read/write/delete tools over a working directory, so enabling it implicitly is surprising and violates least-privilege.As part of preparing the harness for release, file access is now opt-in: the
FileAccessProvideris only wired up when the caller deliberately supplies afile_access_store. This mirrors the existing opt-in pattern used forbackground_agentsandskills_*(presence of the value enables the provider; nodisable_*flag), and matches the .NET change in #7093.Description & Review Guide
What are the major changes?
create_harness_agent/_assemble_context_providers: removed thedisable_file_accessparameter; theFileAccessProvideris now added only whenfile_access_store is not None. No implicit{cwd}/workingdefault store is ever created.file_access_disable_write_tools,file_access_disable_readonly_tool_approval, andfile_access_disable_write_tool_approvalkwargs are retained and now only take effect whenfile_access_storeis set (the Python analogue of .NET'sFileAccessProviderOptions)..pyistub updated:FileAccessProvidermoved from the "on by default" list to the opt-in list;file_access_storedocumented as the enabler. File memory stays default-on.FileAccessProvideris absent by default; the disable test is replaced by a store-driven opt-in test; the approval/default-store tests are updated; redundantdisable_file_access=Truekwargs dropped.build_your_own_claw/README.mdandpackages/core/AGENTS.mdreworded to describe the opt-in behavior.What is the impact of these changes?
file_access_storeis supplied, anddisable_file_accessis removed. Samples that need file access already setfile_access_storeexplicitly.What do you want reviewers to focus on?
_assemble_context_providersand the doc/test updates that keep file access working where it is intended.Related Issue
Closes #7092. The .NET half was delivered in #7093 (which was linked as related, not closing, because the issue spans both languages); this PR completes the Python side.
Contribution Checklist
breaking changelabel (or add "[BREAKING]" to the title prefix, before or after any language prefix) — a workflow keeps the label and title prefix in sync automatically.