Back to Signal Feed
CodeTracked since May 20, 2026

AGOR upgrades @github/copilot-sdk to v0.3.0 with session-scoped identity and per-agent control

The PR’s strongest concrete change is the bump of @github/copilot-sdk from 0.2.2 to 0.3.0, enabling Copilot session-level authentication and finer-grained per-agent control (including tool visibility/skill injection and sub-agent streaming metadata) for integrations that build multi-agent workflows.

@github/copilot-sdkAGORv0.3.0per-session authentication

What Happened

  • The PR’s strongest concrete change is the bump of @github/copilot-sdk from 0.2.2 to 0.3.0, enabling Copilot session-level authentication and finer-grained per-agent control (including tool visibility/skill injection and sub-agent streaming metadata) for integrations that build multi-agent workflows.
  • The PR’s strongest concrete change is the bump of @github/copilot-sdk from 0.2.2 to 0.3.0, enabling Copilot session-level authentication and finer-grained per-agent control (including tool visibility/skill injection and sub-agent streaming metadata) for integrations that build multi-agent workflows.
  • 1 evidence item attached for review.

What is Different

Before

Scattered source updates, isolated context, and manual follow-up across multiple feeds.

Now

Updated the Copilot SDK dependency in AGOR’s agent-sdks bundle from 0.2.2 to 0.3.0 so client integrations can use session-scoped GitHub identity and per-agent capability controls, including excluded tools and injected skills, instead of relying on a single process-level identity and flat agent behavior.

Why Track This

Why It Matters

Developers running AGOR-based agent orchestrations can separate credentials and permissions by session and by sub-agent, which helps prevent accidental cross-user actions, quota mixing, and tool misuse in multi-user or multi-agent automation flows. The practical follow-up is to watch for any session reuse paths or stream consumers that still assume one identity and root-agent-only event IDs, because the new model changes how identity, permissions, and streaming events are associated and could break existing assumptions during rollout.

Impact

Developers running AGOR-based agent orchestrations can separate credentials and permissions by session and by sub-agent, which helps prevent accidental cross-user actions, quota mixing, and tool misuse in multi-user or multi-agent automation flows. The practical follow-up is to watch for any session reuse paths or stream consumers that still assume one identity and root-agent-only event IDs, because the new model changes how identity, permissions, and streaming events are associated and could break existing assumptions during rollout.

What To Watch Next

  • Watch whether @github/copilot-sdk becomes a repeated pattern.
  • Track follow-up changes around Agent Orchestration Platforms.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: session_level_auth_misconfiguration, subagent_streaming_event_breakage.
Open Topic TimelineOpen Technical EventOpen Original Sourcesession_level_auth_misconfiguration / subagent_streaming_event_breakage / legacy_client_tool_routing_regression / multi_agent_permission_overlap

Supporting Evidence

GITHUB PULL REQUESTHigh Trust

preset-io/agor PR #1204: chore(deps): bump the agent-sdks group across 1 directory with 6 updates

AGOR dependency refresh #1204 is notable mainly for upgrading @github/copilot-sdk to v0.3.0, which changes how sessions and agent permissions are represented.