
Python: Update runtime handling#14135

Open
SergeyMenshykh wants to merge 2 commits into microsoft:main from SergeyMenshykh:sergeymenshykh-python-runtime-hardening

Conversation

@SergeyMenshykh

Contributor

This PR updates Python runtime handling and related tests.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 3, 2026 18:43
@SergeyMenshykh SergeyMenshykh requested a review from a team as a code owner July 3, 2026 18:43
@giles17 giles17 added the python Pull requests for the Python Semantic Kernel label Jul 3, 2026
@SergeyMenshykh SergeyMenshykh self-assigned this Jul 3, 2026
@SergeyMenshykh SergeyMenshykh moved this to In Review in Agent Framework Jul 3, 2026

Copilot AI left a comment

Contributor


Pull request overview

This PR tightens Python runtime behavior around function resolution and remote invocation so defaults are safer (fail-closed) while still preserving existing functionality via explicit opt-ins and clearer diagnostics.

Changes:

  • Kernel.get_function(None, name) now detects ambiguity across plugins, logs a warning, and deterministically resolves to the first-registered match.
  • MCP sampling now denies by default when no consent callback is configured, with an explicit sampling_auto_approve=True opt-in.
  • OpenAI Realtime function-call handling now fails closed when function-choice behavior isn’t configured, preventing unallowlisted invocation while still returning a safe result event.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Summary per file
File Description
python/semantic_kernel/functions/kernel_function_extension.py Adds ambiguity detection + warning when resolving bare function names across plugins.
python/tests/unit/kernel/test_kernel.py Adds coverage for bare-name function lookup (single match and ambiguous warning).
python/semantic_kernel/connectors/mcp.py Introduces sampling_auto_approve and changes default sampling behavior to deny without explicit consent/opt-in.
python/tests/unit/connectors/mcp/test_mcp.py Updates tests to reflect deny-by-default and adds test for opt-in auto-approve warning.
python/semantic_kernel/connectors/ai/open_ai/services/_open_ai_realtime.py Prevents function invocation when no function-choice behavior exists (allowlist can’t be enforced) and simplifies receive loop.
python/tests/unit/connectors/ai/open_ai/services/test_openai_realtime.py Adds coverage verifying the realtime path does not invoke functions when settings are missing.


@github-actions

github-actions Bot commented Jul 3, 2026

Contributor

Python Test Coverage

Python Test Coverage Report

File                                                  Stmts   Miss  Cover
kernel.py                                               236     58    75%
connectors/mcp.py                                       468    205    56%
connectors/ai/open_ai/services/_open_ai_realtime.py     460     98    78%
functions/kernel_function_extension.py                  135      1    99%
TOTAL                                                 28914   5653    80%

Python Unit Test Overview

Tests: 4056 | Skipped: 23 | Failures: 0 | Errors: 0 | Time: 1m 54s

@github-actions

github-actions Bot commented Jul 3, 2026

Contributor

Flagged issue

python/semantic_kernel/connectors/mcp.py:395-405 now denies sampling when no callback is configured, but the existing sampling sample at python/samples/concepts/mcp/agent_with_mcp_sampling.py:46-55 creates MCPStdioPlugin(...) without sampling_consent_callback or sampling_auto_approve. That sample code path will now return ErrorData(message="Sampling denied: no consent callback configured.") instead of exercising MCP sampling.


Source: automated DevFlow PR review

@github-actions github-actions Bot left a comment

Contributor


Automated Code Review

Reviewers: 5 | Confidence: 91%

✓ Correctness

This PR implements three security-hardening changes: (1) fail-closed for realtime function calls without function choice behavior, (2) deny-by-default for MCP sampling requests without a consent callback, and (3) ambiguity warnings when resolving bare function names across multiple plugins. All changes are logically correct, properly tested, and backward-compatible (with the intended breaking change for MCP users who relied on implicit auto-approve being mitigated by the new sampling_auto_approve flag).

✓ Security Reliability

This PR makes three well-designed security improvements: fail-closed function invocation in OpenAI Realtime when no allowlist (function_choice_behavior) is configured, default-deny for MCP sampling requests without a consent callback, and an ambiguity warning for bare function-name lookups. The implementations are correct, properly tested, and do not introduce new security or reliability concerns.

✓ Test Coverage

Test coverage for this PR is generally strong. All three production code changes (realtime fail-closed, MCP deny-by-default, kernel ambiguous lookup) have corresponding tests with meaningful assertions. One gap exists: the realtime fail-closed guard is only tested when _current_settings is None, but not when _current_settings exists with a None function_choice_behavior — a distinct code path that reaches the same security check.

✓ Failure Modes

This PR hardens three failure paths: (1) the OpenAI realtime handler now fails closed when no function_choice_behavior is configured, preventing unauthenticated function execution; (2) MCP sampling requests are denied by default unless explicitly opted in via sampling_auto_approve; (3) ambiguous bare-name function lookups log a warning. All three changes are well-tested and correctly implemented with no new failure modes introduced.

✗ Design Approach

The MCP default-deny change is directionally reasonable, but in its current form it breaks an existing in-repo sampling workflow: the agent_with_mcp_sampling.py sample still constructs MCPStdioPlugin without either a consent callback or the new opt-in flag, so the sampling request path it demonstrates is now rejected by default.

Flagged Issues

  • python/semantic_kernel/connectors/mcp.py:395-405 now denies sampling when no callback is configured, but the existing sampling sample at python/samples/concepts/mcp/agent_with_mcp_sampling.py:46-55 creates MCPStdioPlugin(...) without sampling_consent_callback or sampling_auto_approve. That sample code path will now return ErrorData(message="Sampling denied: no consent callback configured.") instead of exercising MCP sampling.

Suggestions

  • Update the affected sampling sample(s) such as python/samples/concepts/mcp/agent_with_mcp_sampling.py:46-55 to pass an explicit consent policy (sampling_auto_approve=True or a callback), or otherwise preserve compatibility for that documented code path before flipping the library default at python/semantic_kernel/connectors/mcp.py:395-405.

Automated review by SergeyMenshykh's agents

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
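The deny-by-default MCP sampling gate that both the Copilot overview and the automated review describe, written out as an added example; this is not Semantic Kernel's mcp.py. Only sampling_consent_callback, sampling_auto_approve, ErrorData and the quoted denial message come from the page; SamplingRequest, SamplingResult, run_model and the other messages are assumptions.

```python
# Added illustration, not Semantic Kernel's code: a fail-closed MCP sampling consent gate
# as the PR describes it. Names other than the three from the page are hypothetical.
import logging
from dataclasses import dataclass
from typing import Callable, Optional, Union

logger = logging.getLogger(__name__)

@dataclass
class SamplingRequest:  # hypothetical stand-in for the MCP sampling request
    server: str
    prompt: str

@dataclass
class SamplingResult:  # hypothetical stand-in for a completed sample
    text: str

@dataclass
class ErrorData:  # name from the page; field shape assumed
    message: str

DENIED_NO_CALLBACK = "Sampling denied: no consent callback configured."

def handle_sampling_request(
    request: SamplingRequest,
    run_model: Callable[[SamplingRequest], str],
    sampling_consent_callback: Optional[Callable[[SamplingRequest], bool]] = None,
    sampling_auto_approve: bool = False,
) -> Union[SamplingResult, ErrorData]:
    """Deny by default: sample only if a callback approves or the caller opted in."""
    if sampling_consent_callback is None:
        if not sampling_auto_approve:
            return ErrorData(message=DENIED_NO_CALLBACK)  # fail closed
        # Explicit opt-in restores the old behaviour, but is logged so it stays visible.
        logger.warning("sampling_auto_approve=True: approving %s unreviewed", request.server)
        return SamplingResult(text=run_model(request))
    try:
        approved = bool(sampling_consent_callback(request))
    except Exception as exc:  # a crashing policy must not become an implicit approval
        logger.warning("consent callback raised %r for %s; denying", exc, request.server)
        return ErrorData(message="Sampling denied: consent callback failed.")
    if not approved:
        return ErrorData(message="Sampling denied by consent callback.")
    return SamplingResult(text=run_model(request))

def echo_model(request: SamplingRequest) -> str:  # constructed stand-in for the model call
    return f"echo: {request.prompt}"

def raising_callback(request: SamplingRequest) -> bool:  # constructed failing policy
    raise RuntimeError("policy backend unavailable")
```

A callback that is present always decides, even when sampling_auto_approve is also set, so the opt-in cannot be used to bypass a configured policy.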