Skip permission RPC response when resolvedByHook is true

MackinnonBuck · Copilot · MackinnonBuck · commit 8638ca6dabee · 2026-04-03T11:19:34.000-07:00
When the runtime resolves a permission request via a permissionRequest
hook, it sets resolvedByHook=true on the broadcast event. The SDK
broadcast handlers were unconditionally invoking the permission handler
and sending an RPC response, causing duplicate/invalid responses.

Add a guard in all four SDKs (Node, Python, Go, .NET) to skip the
permission handler and RPC response when resolvedByHook is set, while
still allowing event subscribers to observe the event.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/dotnet/src/Session.cs b/dotnet/src/Session.cs
@@ -456,6 +456,9 @@ private async Task HandleBroadcastEventAsync(SessionEvent sessionEvent)
                         if (string.IsNullOrEmpty(data.RequestId) || data.PermissionRequest is null)
                             return;
 
+                        if (data.ResolvedByHook == true)
+                            return; // Already resolved by a permissionRequest hook; no client action needed.
+
                         var handler = _permissionHandler;
                         if (handler is null)
                             return; // This client doesn't handle permissions; another client will.
diff --git a/go/session.go b/go/session.go
@@ -915,6 +915,9 @@ func (s *Session) handleBroadcastEvent(event SessionEvent) {
 		if requestID == nil || event.Data.PermissionRequest == nil {
 			return
 		}
+		if event.Data.ResolvedByHook != nil && *event.Data.ResolvedByHook {
+			return // Already resolved by a permissionRequest hook; no client action needed.
+		}
 		handler := s.getPermissionHandler()
 		if handler == nil {
 			return
diff --git a/nodejs/src/session.ts b/nodejs/src/session.ts
@@ -408,10 +408,14 @@ export class CopilotSession {
                 );
             }
         } else if (event.type === "permission.requested") {
-            const { requestId, permissionRequest } = event.data as {
+            const { requestId, permissionRequest, resolvedByHook } = event.data as {
                 requestId: string;
                 permissionRequest: PermissionRequest;
+                resolvedByHook?: boolean;
             };
+            if (resolvedByHook) {
+                return; // Already resolved by a permissionRequest hook; no client action needed.
+            }
             if (this.permissionHandler) {
                 void this._executePermissionAndRespond(requestId, permissionRequest);
             }
diff --git a/python/copilot/session.py b/python/copilot/session.py
@@ -1224,6 +1224,10 @@ def _handle_broadcast_event(self, event: SessionEvent) -> None:
             if not request_id or not permission_request:
                 return
 
+            resolved_by_hook = getattr(event.data, "resolved_by_hook", None)
+            if resolved_by_hook:
+                return  # Already resolved by a permissionRequest hook; no client action needed.
+
             with self._permission_handler_lock:
                 perm_handler = self._permission_handler
             if not perm_handler:
