Modül 3 · Domain 2 — Tool & MCP (%20-25, EN AĞIR) · ⏱ 40 dakika (uygulamalı)

Lab — Remote MCP + allow list + Actions trigger + escalation

Lab — Remote MCP + allow list + Actions trigger + escalation

Bu derste neler öğreneceksin

  • Bir test repo'sunda Copilot custom agent'a remote MCP server bağlamayı uygulamak
  • Allow list ile sadece izinli MCP tool'lara erişim sınırlamayı görmek
  • Agent'ı issue event'i ile tetikleyip branch + PR açtırmak
  • Bilinçli hata senaryosunda retry → rollback → escalation zincirini gözlemlemek

Tahmini süre: 40 dakika. Domain 2’nin tüm bullet’larını birden uygulayan lab. Bunu yapmak en ağır domain’i ezberletir.

Ön koşul

  • GitHub hesabı + Copilot subscription (custom agent için)
  • Modül 2’nin lab’ı (Domain 1) bitmiş olmalı — pattern tanıdık
  • gh CLI + Git kurulu

Adım 1: Test repo (3 dk)

gh repo create gh600-d2-lab --public --clone
cd gh600-d2-lab
echo "# GH-600 Domain 2 Lab — Remote MCP" > README.md
git add README.md && git commit -m "init" && git push -u origin main

Adım 2: Copilot agent + MCP allow list yapılandırma (8 dk)

GitHub Copilot custom agent ayarı (org seviyesinden yapılır veya repo-seviye .github/copilot-agents.yml ile):

mkdir -p .github
cat > .github/copilot-agents.yml <<'EOF'
agents:
  - id: triage-agent
    description: "Triage and patch agent for issues labeled 'auto-fix'"
    trigger:
      event: issues
      label: auto-fix
    mcp:
      servers:
        - id: github-remote
          type: remote
          url: https://api.github.com/mcp
          auth:
            token_source: GITHUB_TOKEN
      allow_list:
        # Read-only GitHub operations
        - "github-remote:get_issue"
        - "github-remote:list_pull_requests"
        - "github-remote:get_file"
        # Write operations (scoped)
        - "github-remote:create_branch"
        - "github-remote:create_pull_request"
        - "github-remote:create_pull_request_comment"
        # Explicitly EXCLUDED (deny-by-default):
        # - github-remote:delete_repository
        # - github-remote:delete_branch (main)
        # - github-remote:transfer_repository
    permissions:
      contents: write
      pull-requests: write
      issues: write
    scope:
      repos:
        - "*/gh600-d2-lab"   # sadece bu repo
      branches:
        deny:
          - "main"           # main'e direkt yazma yok
EOF
git add .github/copilot-agents.yml
git commit -m "feat: triage-agent with MCP allow list"
git push

Adım 3: Actions workflow — agent invocation (8 dk)

mkdir -p .github/workflows
cat > .github/workflows/agent-invoke.yml <<'EOF'
name: triage-agent-invoke
on:
  issues:
    types: [labeled]
permissions:
  contents: write
  pull-requests: write
  issues: write
jobs:
  invoke:
    if: github.event.label.name == 'auto-fix'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Create branch
        id: branch
        run: |
          BRANCH="fix/issue-${{ github.event.issue.number }}"
          echo "name=$BRANCH" >> $GITHUB_OUTPUT
          git checkout -b "$BRANCH"

      - name: Invoke Copilot triage-agent
        id: agent
        run: |
          # Burada Copilot SDK CLI veya benzeri çağrılır
          # Lab amaçlı şimdilik dummy patch
          echo "# Auto-fix for issue #${{ github.event.issue.number }}" > AGENT_NOTE.md
          echo "Plan: investigate, patch, test" >> AGENT_NOTE.md

      - name: Commit + push + PR
        run: |
          git config user.name "triage-agent"
          git config user.email "bot@example.com"
          git add AGENT_NOTE.md
          git commit -m "fix: auto-triage for #${{ github.event.issue.number }}"
          git push -u origin "${{ steps.branch.outputs.name }}"
          gh pr create \
            --title "Auto-fix issue #${{ github.event.issue.number }}" \
            --body "Generated by triage-agent.\n\nPlan in AGENT_NOTE.md.\n\nClose #${{ github.event.issue.number }}"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
git add .github/workflows/agent-invoke.yml
git commit -m "ci: agent-invoke workflow on auto-fix label"
git push

Adım 4: Escalation workflow (5 dk)

cat > .github/workflows/agent-escalate.yml <<'EOF'
name: agent-escalate
on:
  workflow_run:
    workflows: ["triage-agent-invoke"]
    types: [completed]
permissions:
  issues: write
jobs:
  escalate:
    if: github.event.workflow_run.conclusion == 'failure'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `🚨 Agent escalation: ${context.payload.workflow_run.name} failed`,
              body: [
                `Agent workflow failed and could not auto-recover.`,
                ``,
                `**Workflow:** ${context.payload.workflow_run.name}`,
                `**Run ID:** ${context.payload.workflow_run.id}`,
                `**URL:** ${context.payload.workflow_run.html_url}`,
                ``,
                `**Next steps:**`,
                `- Inspect logs to classify root cause (reasoning / tool misuse / context-env)`,
                `- Decide: revise instructions, narrow tool access, or fix context`,
                `- Re-run with fix or rollback agent changes`,
              ].join('\n'),
              labels: ['agent-escalation', 'priority/high']
            });
EOF
git add .github/workflows/agent-escalate.yml
git commit -m "ci: agent-escalate on workflow failure"
git push

Adım 5: Happy path test (5 dk)

# Issue oluştur (auto-fix label ile)
gh issue create --title "Test agent invocation" --body "Test body" --label "auto-fix"

Eğer “auto-fix” label’ı yoksa önce oluştur:

gh label create auto-fix --color FFA500 --description "Trigger triage-agent"

Sonra Actions tab’inde triage-agent-invoke çalışmasını gör. Branch oluşturuldu, PR açıldı, agent note commit’lendi. ✓

Adım 6: Bilinçli hata senaryosu (10 dk)

Workflow’da bir komutu yanlış yap (örn. gh pr create yerine gh pr xyz). Yeni issue aç (label auto-fix). Workflow fail olur → agent-escalate workflow’u tetiklenir → escalation issue açılır. ✓

# Eski workflow'u boz:
sed -i 's/gh pr create/gh pr xyz/' .github/workflows/agent-invoke.yml
git add .github/workflows/agent-invoke.yml
git commit -m "test: break agent-invoke to trigger escalation"
git push

# Yeni test issue:
gh issue create --title "Escalation test" --body "Should fail" --label "auto-fix"

Actions tab’inde:

  • triage-agent-invoke ✗ fail
  • agent-escalate ✓ tetiklendi → yeni issue açıldı ”🚨 Agent escalation”

Düzeltme:

sed -i 's/gh pr xyz/gh pr create/' .github/workflows/agent-invoke.yml
git add .github/workflows/agent-invoke.yml
git commit -m "fix: restore agent-invoke"
git push

Lab özeti — Domain 2 bullet’ları

BulletLab adımı
d2-tools-identify-requiredAllow list’te sadece görev için gereken tool’lar
d2-tools-permissionsWorkflow permissions + agent permissions
d2-mcp-add-as-toolcopilot-agents.yml mcp.servers
d2-mcp-github-remotegithub-remote server tipi
d2-mcp-allow-listsallow_list deny-by-default
d2-env-repo-scopescope.repos: ["*/gh600-d2-lab"]
d2-env-branch-scopescope.branches.deny: ["main"]
d2-env-ci-invocationagent-invoke.yml on issues.labeled
d2-env-autonomous-actionsbranch + PR oluşturma
d2-safe-escalationagent-escalate.yml on workflow_run failure
d2-safe-traceabilityActions logs + commit + PR + escalation issue

Cleanup

gh repo delete gh600-d2-lab --confirm

Sırada ne var?

Domain 3 — Memory & state modülüne geçiyoruz. Lab değil, daha çok kavramsal pattern’ler.