Summary
The compiled awf command always includes --allow-all-tools and --allow-all-paths, giving the agent unrestricted access to all Copilot CLI built-in tools (file read, file write, file edit, terminal/bash, etc.). There's no frontmatter option to restrict which built-in tools are available.
Why this matters
For review-only agents (e.g., documentation reviewers), the agent only needs to read files and post review comments. It doesn't need file-write or file-edit capabilities. Granting --allow-all-tools unnecessarily expands the attack surface for prompt injection — a manipulated agent could write files to disk even when the workflow author only intended it to read.
Relevant lock file context
```bash
# archie.lock.yml ~line 639
sudo -E awf --env-all --container-workdir "\${GITHUB_WORKSPACE}" \\
  --allow-all-tools \\
  --allow-all-paths \\
  --enable-host-access \\
  -- /bin/bash -c '/usr/local/bin/copilot ...'
```
Proposed solution
Add a frontmatter key to control which Copilot CLI built-in tools are enabled:
```yaml
tools:
  copilot:
    allow: [read, bash]   # only file-read and bash, no file-write/edit
```
Or alternatively, a deny-list:
```yaml
tools:
  copilot:
    deny: [write, edit]   # disable file modification tools
```
This would compile to --allow-tools read,bash (or equivalent) instead of --allow-all-tools.
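As an added illustration of the proposed mapping (example code, not gh-aw's compiler), this sketches how the `tools.copilot` allow/deny lists could compile to an awf flag. The built-in tool names (`read`, `write`, `edit`, `bash`) and the `--allow-tools` flag are assumptions taken from this issue; the absent-key case keeps today's `--allow-all-tools` behaviour, and a config that enables no tools at all is rejected rather than silently falling back to everything.

```go
package main

import (
	"fmt"
	"strings"
)

// CopilotTools mirrors the proposed tools.copilot frontmatter key (assumed shape).
type CopilotTools struct {
	Allow []string
	Deny  []string
}

// builtinTools lists the Copilot CLI built-ins named in the issue (assumed names).
var builtinTools = []string{"read", "write", "edit", "bash"}

// CompileToolFlag returns the awf flag for a tools.copilot config.
// No config -> "--allow-all-tools" (current behaviour). An allow-list is passed
// through in the author's order; a deny-list is converted to the remaining built-ins.
// Unknown tools, allow+deny together, or an empty result are compile errors, so a
// typo can never widen access.
func CompileToolFlag(cfg *CopilotTools) (string, error) {
	if cfg == nil || (len(cfg.Allow) == 0 && len(cfg.Deny) == 0) {
		return "--allow-all-tools", nil
	}
	if len(cfg.Allow) > 0 && len(cfg.Deny) > 0 {
		return "", fmt.Errorf("tools.copilot: allow and deny are mutually exclusive")
	}
	known := map[string]bool{}
	for _, t := range builtinTools {
		known[t] = true
	}
	selected := map[string]bool{}
	var allowed []string
	for _, t := range append(cfg.Allow, cfg.Deny...) {
		if !known[t] {
			return "", fmt.Errorf("tools.copilot: unknown built-in tool %q", t)
		}
		selected[t] = true
	}
	if len(cfg.Allow) > 0 {
		for _, t := range cfg.Allow {
			if selected[t] { // dedupe while keeping the author's order
				allowed = append(allowed, t)
				selected[t] = false
			}
		}
	} else {
		for _, t := range builtinTools {
			if !selected[t] { // everything not denied stays enabled
				allowed = append(allowed, t)
			}
		}
	}
	if len(allowed) == 0 {
		return "", fmt.Errorf("tools.copilot: configuration enables no tools")
	}
	return "--allow-tools " + strings.Join(allowed, ","), nil
}

func main() {
	flag, err := CompileToolFlag(&CopilotTools{Allow: []string{"read", "bash"}})
	fmt.Println(flag, err) // --allow-tools read,bash <nil>
}
```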
Impact
All gh-aw workflows currently get --allow-all-tools regardless of their actual needs. This is especially relevant for pull_request_target workflows operating on untrusted PR content.
Environment