feat(run): support GitHub Copilot CLI as a first-class firma run agent#202

Merged: veeso merged 1 commit into main from feat/fir-381-copilot-cli-firma-run-support on Jun 27, 2026

veeso (Contributor) commented Jun 26, 2026

What changed

GitHub Copilot CLI is now a supported agent for firma run, at the same level as the existing Codex and Claude Code agents. You can wrap it with firma run --profile copilot (or just firma run -- copilot, which picks the right profile from the command name), and firma config --profile copilot sets up a working configuration for it.

The new profile handles three things that Copilot needs and that the generic profile got wrong:

  • Copilot keeps a small local database for its sessions. The default sandbox blocked the file deletes that database needs, which made Copilot fail with a disk error. The copilot profile allows them.
  • Copilot talks to the real GitHub servers. Those are now passed through untouched instead of being intercepted, so the connection is not broken.
  • Because Copilot reaches the real GitHub servers, the sandbox now trusts the normal set of public certificates in addition to the local one. Without this, Copilot rejected GitHub with an unknown certificate error.

It also passes the GitHub login tokens through to Copilot so it can authenticate, adds a documentation page and an example configuration, and includes a test that confirms firma run -- copilot selects the copilot profile automatically.

Why

People running Copilot CLI behind OpenFirma hit three separate failures (a database error, a broken GitHub connection, and a certificate error). This makes Copilot work out of the box with a single profile, without weakening the existing Codex and Claude Code setups, which keep their current behaviour unchanged.

Notes

  • Validated on Linux with the bwrap sandbox. The macOS and Windows compatibility backends are not validated for Copilot.
  • The gh copilot extension is not auto-detected because the command word is gh. For that form, pass --profile copilot explicitly.
  • The certificate change is opt-in per profile. Only the copilot profile turns it on; every other profile is untouched.

veeso force-pushed the feat/fir-381-copilot-cli-firma-run-support branch from 175d0c9 to 1bae628 on June 26, 2026 09:21

Add a built-in copilot profile, mapping, and firma config scaffold at
parity with codex/claude-code:

- AgentProfile::Copilot (provider github; copilot / copilot-cli names).
- Copilot managed seccomp baseline that permits filesystem.delete so
  Copilot's SQLite session store (~/.copilot/*.db) works.
- CaTrustMode profile field (default Sole); copilot uses AppendSystemRoots
  to inject system roots + firma-ca, fixing UnknownIssuer on real GitHub
  TLS. Other profiles keep the sole firma-ca bundle unchanged.
- copilot mapping with github MITM bypass hosts, emitted as
  https_mitm.bypass_hosts in the generated firma.toml.
- firma config --profile copilot scaffolds the copilot mapping, profile,
  and MITM bypass; firma run -- copilot auto-selects the profile.
- Example run profile, docs-site guide, llms.txt entry, and an
  auto-select integration test.

veeso force-pushed the feat/fir-381-copilot-cli-firma-run-support branch from 1bae628 to 7837370 on June 26, 2026 09:27
veeso marked this pull request as ready for review on June 26, 2026 09:34
veeso requested a review from a team on June 26, 2026 09:42

arges (Contributor) commented Jun 27, 2026

> The gh copilot extension is not auto-detected because the command word is gh. For that form, pass --profile copilot explicitly.

I am curious about this comment. Is it because of how child execution is being detected or another issue?

veeso (Contributor, Author) commented Jun 27, 2026

> • The gh copilot extension is not auto-detected because the command word is gh. For that form, pass --profile copilot explicitly.

We just check the first argument, and checking arguments is not very reliable.
Anyway, not a problem, because basically nobody uses gh copilot, but just copilot.

veeso merged commit 09fe612 into main on Jun 27, 2026
25 of 26 checks passed
veeso deleted the feat/fir-381-copilot-cli-firma-run-support branch on June 27, 2026 11:10
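
An added sketch, not part of the thread and not OpenFirma's own code, of the two behaviours discussed above: profile auto-selection from the command word only, and the per-profile CA trust mode. The type and function names and the `codex` / `claude` command names are assumptions; only the `copilot` / `copilot-cli` names and the Sole / AppendSystemRoots modes come from the commit message.

```rust
use std::path::Path;

// Hypothetical types modelled on the PR text, not OpenFirma's real code.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Profile { Generic, Codex, ClaudeCode, Copilot }

#[derive(Debug, PartialEq)]
enum CaTrust { Sole, AppendSystemRoots }

/// An explicit --profile wins; otherwise only the command word
/// (basename of argv[0]) is inspected, never later arguments.
fn select_profile(explicit: Option<Profile>, argv: &[&str]) -> Profile {
    if let Some(p) = explicit {
        return p;
    }
    let word = argv.first().copied()
        .and_then(|c| Path::new(c).file_name())
        .and_then(|n| n.to_str())
        .unwrap_or("");
    match word {
        "copilot" | "copilot-cli" => Profile::Copilot,
        "codex" => Profile::Codex,       // assumed command name
        "claude" => Profile::ClaudeCode, // assumed command name
        _ => Profile::Generic,           // `gh copilot` lands here
    }
}

/// Only the copilot profile opts in to the public roots.
fn ca_trust(p: Profile) -> CaTrust {
    match p {
        Profile::Copilot => CaTrust::AppendSystemRoots,
        _ => CaTrust::Sole,
    }
}

/// PEM bundle the sandboxed agent is given as its trust store.
fn ca_bundle(p: Profile, firma_ca: &str, system_roots: &str) -> String {
    match ca_trust(p) {
        CaTrust::Sole => firma_ca.to_string(),
        CaTrust::AppendSystemRoots => format!("{}\n{}", system_roots, firma_ca),
    }
}

fn main() {
    let cases: [&[&str]; 3] = [&["copilot"], &["/usr/bin/copilot-cli"], &["gh", "copilot"]];
    for argv in cases {
        let p = select_profile(None, argv);
        println!("{:?} -> {:?} / {:?}", argv, p, ca_trust(p));
    }
}
```

In this sketch a `gh copilot` invocation without `--profile copilot` falls back to the generic profile, so it keeps the sole firma-ca bundle and would hit the certificate failure the description mentions when reaching the real GitHub servers.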