Throw AuthRequired from CopilotAgent.listSessions before auth#311293
Merged
roblourens merged 1 commit intomainfrom Apr 20, 2026
Merged
Throw AuthRequired from CopilotAgent.listSessions before auth#311293roblourens merged 1 commit intomainfrom
roblourens merged 1 commit intomainfrom
Conversation
Previously CopilotAgent.listSessions() and _listModels() silently returned [] when no token was available. This violated the AHP contract (protectedResources required: true mandates the server return AuthRequired -32007 when used unauthenticated) and caused agent-host sessions to not appear in the Agents sidebar on fresh the renderer cached the empty list and never retried untillaunch the user sent a message and the resulting sessionAdded notification forced a refresh. Both methods now go through _ensureClient(), which already throws the right ProtocolError. On the renderer side, LocalAgentHostSessionsProvider already had an autorun on authenticationPending that triggers _refreshSessions() once auth settles; that's the natural retry mechanism for the silent listSessions case (we don't want to interactively prompt the user just to render the that's only appropriate forsidebar createSession). (Written by Copilot) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
Screenshot ChangesBase: Changed (10)
|
| Before | After |
|---|---|
 |
 |
editor/inlineChatAffordance/InlineChatOverlay/Light
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/CompletedRead/Dark
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/CompletedRead/Light
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/WithFileChangesList/Dark
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/WithFileChangesList/Light
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/CloudProvider/Dark
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/CloudProvider/Light
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/BackgroundProvider/Dark
| Before | After |
|---|---|
 |
 |
agentSessionsViewer/BackgroundProvider/Light
| Before | After |
|---|---|
 |
 |
Contributor
There was a problem hiding this comment.
Pull request overview
Fixes an Agents sidebar startup issue where listSessions() could return an empty list before authentication completed, causing the renderer to cache “no sessions” and never retry. The change aligns Copilot’s agent-host implementation with the AHP authentication contract by throwing AuthRequired when unauthenticated, and adds a renderer-side eager refresh that waits for the initial auth pass to settle.
Changes:
- Server:
CopilotAgent.listSessions()/_listModels()now go through_ensureClient()and throwAuthRequiredwhen unauthenticated (instead of returning[]). - Renderer:
LocalAgentHostSessionsProvidereagerly refreshes sessions onceauthenticationPendingsettles. - Tests updated/added to validate the new auth-required behavior and the eager-refresh flow.
Show a summary per file
| File | Description |
|---|---|
| src/vs/platform/agentHost/node/copilot/copilotAgent.ts | Removes unauthenticated “return []” behavior so listSessions/_listModels correctly throw AuthRequired. |
| src/vs/platform/agentHost/test/node/copilotAgent.test.ts | Updates expectations to assert listSessions() rejects with AuthRequired before authentication. |
| src/vs/sessions/contrib/agentHost/browser/localAgentHostSessionsProvider.ts | Adds an autorun to refresh/populate the session cache after the initial auth pass settles. |
| src/vs/sessions/contrib/agentHost/test/browser/localAgentHostSessionsProvider.test.ts | Adds coverage for eager session population and for deferring the eager refresh until auth settles. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 0
rebornix
approved these changes
Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Agent-host sessions returned by
listSessions()did not appear in the Agents sidebar on fresh launch. They only showed up after the user sent a message — at which point anotify/sessionAddedwould force the renderer to callgetSessions()again, which would then return the real list.Root cause
CopilotAgent.listSessions()(and_listModels()) silently returned[]whenever_githubTokenwas unset. On a fresh launch the renderer's eager_refreshSessions()ran before the auth token was resolved, so it cached an empty list.BaseAgentHostSessionsProvider._ensureSessionCache()is one-shot, so it never retried. On reload it appeared to work because the token was already cached and auth completed synchronously fast.This also violates the AHP contract — per
docs/specification/authentication.md, an agent declaringprotectedResourceswithrequired: trueMUST throwAuthRequired(-32007) when used unauthenticated, not lie by returning empty data.Fix
Server side (
copilotAgent.ts):listSessions()and_listModels()no longer early-return[]. They go through_ensureClient(), which already throwsProtocolError(AHP_AUTH_REQUIRED, ...)when no token is present._refreshModels()already guards on!_githubTokenand catches errors, so it remains correct.Renderer side (
localAgentHostSessionsProvider.ts):autorun(authenticationPending)triggers_refreshSessions()exactly once when auth settles. This is the natural retry mechanism for the silentlistSessionscase.catchin_refreshSessionsswallows the auth error — appropriate here, since unlikecreateSessionwe should NOT prompt the user to sign in just to render the sidebar._isAuthRequiredErrorpattern inagentHostSessionHandler.ts; it differs only in retry strategy:createSessionprompts interactively,listSessionswaits for the in-flight auth attempt to settle.Tests
copilotAgent.test.ts"returns empty models and throws AuthRequired for sessions before authentication" to expect the throw.localAgentHostSessionsProvider.test.tstests:eagerly populates and fires onDidChangeSessions after construction without a getSessions() calldefers eager session list fetch until authentication settles(Written by Copilot)