Package:
@microsoft/agent-governance-copilot-cli· Time: 15 minutes · Prerequisites: Node.js 22+, GitHub Copilot CLI with extensions enabled
This tutorial shows how to install the AGT Copilot CLI governance package, confirm the extension is active, and exercise the guarded repo triage scenario.
- install the production Copilot CLI governance package
- confirm the local extension is loaded
- run prompt, tool, and tool-output checks
- compare the results against the scenario expectations
npx @microsoft/agent-governance-copilot-cli installIf you want to preserve an existing user policy, run the install without --force-policy. If you
want to reset to the packaged baseline, add:
npx @microsoft/agent-governance-copilot-cli install --force-policyTo refresh an existing AGT-managed install after pulling a newer package build:
npx @microsoft/agent-governance-copilot-cli update
npx @microsoft/agent-governance-copilot-cli update --force-policyAdd the extension flags to your Copilot CLI settings if they are not already present:
{
"experimental": true,
"experimental_flags": ["EXTENSIONS"]
}Reload Copilot CLI:
/clear
/agt status
At this point /agt status should report:
- the active policy source
- the vendored SDK source
- the audit path
- the configured prompt defense floor
Open the scenario from the repo:
Then run the scenario in order:
- paste
prompts/prompt-injection.txt - paste
prompts/unsafe-bootstrap.txt - run
/agt check "<contents of tool-output/poisoned-web-content.txt>" - compare against
expected-outcomes.md
For a proof-oriented threat matrix and evidence checklist, also see:
When developing from the repo, you can also use the local package directly:
cd agent-governance-copilot-cli
npm install
node ./bin/agt-copilot.mjs installCheck:
- the extension exists under
~/.copilot/extensions/agt-global-policy - extensions are enabled in Copilot CLI settings
- you reloaded Copilot CLI with
/clear
Run:
agt-copilot doctorDoctor validates:
- extension installation state
- AGT install manifest presence
- vendored SDK presence
- user policy parseability and supported schema version
- installed extension version versus the package version you are running
- Copilot CLI extension settings
If doctor reports an invalid policy, remove ~/.copilot/agt/policy.json or set
AGT_COPILOT_POLICY_PATH to a valid replacement before reloading Copilot CLI.
The example repo path includes ready-to-copy policy profiles:
examples/copilot-cli-agt/config/profiles/strict.jsonexamples/copilot-cli-agt/config/profiles/balanced.jsonexamples/copilot-cli-agt/config/profiles/advisory.json
For example:
Copy-Item .\examples\copilot-cli-agt\config\profiles\balanced.json $HOME\.copilot\agt\policy.json -ForceThen reload Copilot CLI with /clear and inspect the result with /agt status.
You can also manage policy files directly with the installer CLI:
agt-copilot policy path
agt-copilot policy validate
agt-copilot policy apply --profile balancedThis package requires a working Node runtime. If node --version fails, install Node.js LTS and
retry the package install.
- customize
~/.copilot/agt/policy.jsonfor your team baseline - re-run the scenario in
advisorymode - inspect the audit log at
~/.copilot/agt/audit-log.json