Lab — Remote MCP + allow list + Actions trigger + escalation
Lab — Remote MCP + allow list + Actions trigger + escalation
Bu derste neler öğreneceksin
- Bir test repo'sunda Copilot custom agent'a remote MCP server bağlamayı uygulamak
- Allow list ile sadece izinli MCP tool'lara erişim sınırlamayı görmek
- Agent'ı issue event'i ile tetikleyip branch + PR açtırmak
- Bilinçli hata senaryosunda retry → rollback → escalation zincirini gözlemlemek
Tahmini süre: 40 dakika. Domain 2’nin tüm bullet’larını birden uygulayan lab. Bunu yapmak en ağır domain’i ezberletir.
Ön koşul
- GitHub hesabı + Copilot subscription (custom agent için)
- Modül 2’nin lab’ı (Domain 1) bitmiş olmalı — pattern tanıdık
ghCLI + Git kurulu
Adım 1: Test repo (3 dk)
gh repo create gh600-d2-lab --public --clone
cd gh600-d2-lab
echo "# GH-600 Domain 2 Lab — Remote MCP" > README.md
git add README.md && git commit -m "init" && git push -u origin main
Adım 2: Copilot agent + MCP allow list yapılandırma (8 dk)
GitHub Copilot custom agent ayarı (org seviyesinden yapılır veya
repo-seviye .github/copilot-agents.yml ile):
mkdir -p .github
cat > .github/copilot-agents.yml <<'EOF'
agents:
- id: triage-agent
description: "Triage and patch agent for issues labeled 'auto-fix'"
trigger:
event: issues
label: auto-fix
mcp:
servers:
- id: github-remote
type: remote
url: https://api.github.com/mcp
auth:
token_source: GITHUB_TOKEN
allow_list:
# Read-only GitHub operations
- "github-remote:get_issue"
- "github-remote:list_pull_requests"
- "github-remote:get_file"
# Write operations (scoped)
- "github-remote:create_branch"
- "github-remote:create_pull_request"
- "github-remote:create_pull_request_comment"
# Explicitly EXCLUDED (deny-by-default):
# - github-remote:delete_repository
# - github-remote:delete_branch (main)
# - github-remote:transfer_repository
permissions:
contents: write
pull-requests: write
issues: write
scope:
repos:
- "*/gh600-d2-lab" # sadece bu repo
branches:
deny:
- "main" # main'e direkt yazma yok
EOF
git add .github/copilot-agents.yml
git commit -m "feat: triage-agent with MCP allow list"
git push
Adım 3: Actions workflow — agent invocation (8 dk)
mkdir -p .github/workflows
cat > .github/workflows/agent-invoke.yml <<'EOF'
name: triage-agent-invoke
on:
issues:
types: [labeled]
permissions:
contents: write
pull-requests: write
issues: write
jobs:
invoke:
if: github.event.label.name == 'auto-fix'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Create branch
id: branch
run: |
BRANCH="fix/issue-${{ github.event.issue.number }}"
echo "name=$BRANCH" >> $GITHUB_OUTPUT
git checkout -b "$BRANCH"
- name: Invoke Copilot triage-agent
id: agent
run: |
# Burada Copilot SDK CLI veya benzeri çağrılır
# Lab amaçlı şimdilik dummy patch
echo "# Auto-fix for issue #${{ github.event.issue.number }}" > AGENT_NOTE.md
echo "Plan: investigate, patch, test" >> AGENT_NOTE.md
- name: Commit + push + PR
run: |
git config user.name "triage-agent"
git config user.email "bot@example.com"
git add AGENT_NOTE.md
git commit -m "fix: auto-triage for #${{ github.event.issue.number }}"
git push -u origin "${{ steps.branch.outputs.name }}"
gh pr create \
--title "Auto-fix issue #${{ github.event.issue.number }}" \
--body "Generated by triage-agent.\n\nPlan in AGENT_NOTE.md.\n\nClose #${{ github.event.issue.number }}"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
git add .github/workflows/agent-invoke.yml
git commit -m "ci: agent-invoke workflow on auto-fix label"
git push
Adım 4: Escalation workflow (5 dk)
cat > .github/workflows/agent-escalate.yml <<'EOF'
name: agent-escalate
on:
workflow_run:
workflows: ["triage-agent-invoke"]
types: [completed]
permissions:
issues: write
jobs:
escalate:
if: github.event.workflow_run.conclusion == 'failure'
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@v7
with:
script: |
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `🚨 Agent escalation: ${context.payload.workflow_run.name} failed`,
body: [
`Agent workflow failed and could not auto-recover.`,
``,
`**Workflow:** ${context.payload.workflow_run.name}`,
`**Run ID:** ${context.payload.workflow_run.id}`,
`**URL:** ${context.payload.workflow_run.html_url}`,
``,
`**Next steps:**`,
`- Inspect logs to classify root cause (reasoning / tool misuse / context-env)`,
`- Decide: revise instructions, narrow tool access, or fix context`,
`- Re-run with fix or rollback agent changes`,
].join('\n'),
labels: ['agent-escalation', 'priority/high']
});
EOF
git add .github/workflows/agent-escalate.yml
git commit -m "ci: agent-escalate on workflow failure"
git push
Adım 5: Happy path test (5 dk)
# Issue oluştur (auto-fix label ile)
gh issue create --title "Test agent invocation" --body "Test body" --label "auto-fix"
Eğer “auto-fix” label’ı yoksa önce oluştur:
gh label create auto-fix --color FFA500 --description "Trigger triage-agent"
Sonra Actions tab’inde triage-agent-invoke çalışmasını gör. Branch
oluşturuldu, PR açıldı, agent note commit’lendi. ✓
Adım 6: Bilinçli hata senaryosu (10 dk)
Workflow’da bir komutu yanlış yap (örn. gh pr create yerine
gh pr xyz). Yeni issue aç (label auto-fix). Workflow fail olur →
agent-escalate workflow’u tetiklenir → escalation issue açılır. ✓
# Eski workflow'u boz:
sed -i 's/gh pr create/gh pr xyz/' .github/workflows/agent-invoke.yml
git add .github/workflows/agent-invoke.yml
git commit -m "test: break agent-invoke to trigger escalation"
git push
# Yeni test issue:
gh issue create --title "Escalation test" --body "Should fail" --label "auto-fix"
Actions tab’inde:
triage-agent-invoke✗ failagent-escalate✓ tetiklendi → yeni issue açıldı ”🚨 Agent escalation”
Düzeltme:
sed -i 's/gh pr xyz/gh pr create/' .github/workflows/agent-invoke.yml
git add .github/workflows/agent-invoke.yml
git commit -m "fix: restore agent-invoke"
git push
Lab özeti — Domain 2 bullet’ları
| Bullet | Lab adımı |
|---|---|
d2-tools-identify-required | Allow list’te sadece görev için gereken tool’lar |
d2-tools-permissions | Workflow permissions + agent permissions |
d2-mcp-add-as-tool | copilot-agents.yml mcp.servers |
d2-mcp-github-remote | github-remote server tipi |
d2-mcp-allow-lists | allow_list deny-by-default |
d2-env-repo-scope | scope.repos: ["*/gh600-d2-lab"] |
d2-env-branch-scope | scope.branches.deny: ["main"] |
d2-env-ci-invocation | agent-invoke.yml on issues.labeled |
d2-env-autonomous-actions | branch + PR oluşturma |
d2-safe-escalation | agent-escalate.yml on workflow_run failure |
d2-safe-traceability | Actions logs + commit + PR + escalation issue |
Cleanup
gh repo delete gh600-d2-lab --confirm
Sırada ne var?
Domain 3 — Memory & state modülüne geçiyoruz. Lab değil, daha çok kavramsal pattern’ler.