GitHubSecurityLab
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/codeql.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/publish-to-testpypi.yaml‎
Lines changed: 37 additions & 17 deletions b/‎.github/workflows/publish-to-testpypi.yaml‎
Lines changed: 37 additions & 17 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/release.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/smoketest.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/smoketest.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 43 additions & 8 deletions b/‎README.md‎
Lines changed: 43 additions & 8 deletions
diff --git a/‎examples/model_configs/model_config.yaml‎
Lines changed: 4 additions & 2 deletions b/‎examples/model_configs/model_config.yaml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎examples/model_configs/responses_api.yaml‎
Lines changed: 1 addition & 1 deletion b/‎examples/model_configs/responses_api.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎pyproject.toml‎
Lines changed: 14 additions & 4 deletions b/‎pyproject.toml‎
Lines changed: 14 additions & 4 deletions
diff --git a/‎src/seclab_taskflow_agent/__init__.py‎
Lines changed: 2 additions & 0 deletions b/‎src/seclab_taskflow_agent/__init__.py‎
Lines changed: 2 additions & 0 deletions
@@ -16,12 +16,12 @@ jobs:
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        python-version: ['3.11', '3.13'] # the one we have in the Codespace + the latest supported one by PyO3.
+        python-version: ['3.11', '3.14'] # the one we have in the Codespace + the latest one supported by Python 3.
       fail-fast: false  # Continue testing other version(s) if one fails
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v6
 
@@ -29,7 +29,7 @@ jobs:
             build-mode: none
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@v6
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v4
 
@@ -3,22 +3,17 @@ name: Publish Pre-Release to TestPyPI
 on: workflow_dispatch
 
 jobs:
-  publish:
-    name: Build
+  build:
+    name: Build distribution
     runs-on: ubuntu-latest
-
-    # This environment is required as an input to pypa/gh-action-pypi-publish
-    environment:
-      name: testpypi
-      url: https://test.pypi.org/p/seclab-taskflow-agent
+    outputs:
+      release_name: ${{ steps.create_version_number.outputs.RELEASE_NAME }}
 
     env:
       GITHUB_REPO: ${{ github.repository }}
 
     permissions:
-      contents: write
-      id-token: write  # For trusted publishing
-      attestations: write  # For artifact attestation
+      contents: read
 
     steps:
     - name: Checkout repository
@@ -29,7 +24,7 @@ jobs:
     - name: Set up Python
       uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
-        python-version: "3.13"
+        python-version: "3.14"
 
     - name: Install Hatch
       run: pip install --upgrade hatch
@@ -52,17 +47,42 @@ jobs:
     - name: Build the wheel
       run: python3 -m hatch build
 
-    - name: Attest build provenance
-      uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
-      with:
-        subject-path: ./dist/*
-
     - name: Upload artifacts
       uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: python-package-distributions
         path: ./dist/
 
+  publish:
+    name: Publish to TestPyPI
+    needs: build
+    runs-on: ubuntu-latest
+
+    # This environment is required as an input to pypa/gh-action-pypi-publish
+    environment:
+      name: testpypi
+      url: https://test.pypi.org/p/seclab-taskflow-agent
+
+    env:
+      GITHUB_REPO: ${{ github.repository }}
+
+    permissions:
+      contents: write
+      id-token: write  # For trusted publishing
+      attestations: write  # For artifact attestation
+
+    steps:
+    - name: Download distribution artifacts
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: python-package-distributions
+        path: ./dist/
+
+    - name: Attest build provenance
+      uses: actions/attest@v4.1.0 # immutable release
+      with:
+        subject-path: ./dist/*
+
     - name: Publish to TestPyPI
       uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
       with:
@@ -72,5 +92,5 @@ jobs:
     - name: Create GitHub Release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        RELEASE_NAME: ${{ steps.create_version_number.outputs.RELEASE_NAME }}
+        RELEASE_NAME: ${{ needs.build.outputs.release_name }}
       run: gh release create $RELEASE_NAME dist/* --repo $GITHUB_REPO --prerelease --generate-notes
@@ -24,10 +24,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
@@ -40,7 +40,7 @@ jobs:
           echo "digest=$DIGEST" >> $GITHUB_OUTPUT
 
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest-build-provenance@v4
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }}
           subject-digest: '${{ steps.docker_build.outputs.digest }}'
 
@@ -31,7 +31,7 @@ jobs:
 
       - name: Setup Python
         if: steps.branch-deploy.outputs.continue == 'true'
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.11'
 
 
@@ -24,23 +24,23 @@ You can find a detailed overview of the taskflow grammar [here](doc/GRAMMAR.md)
 ```
 ┌─────────────────────────────────────────────────────┐
 │                   CLI (cli.py)                      │
-│  Typer-based entry point: -p, -t, -l, -g, --resume │
+│  Typer-based entry point: -p, -t, -l, -g, --resume  │
 └─────────────────────┬───────────────────────────────┘
                       │
 ┌─────────────────────▼───────────────────────────────┐
-│              Runner (runner.py)                      │
-│  Taskflow execution loop, model resolution,          │
-│  template rendering, session checkpointing           │
+│              Runner (runner.py)                     │
+│  Taskflow execution loop, model resolution,         │
+│  template rendering, session checkpointing          │
 └─────────────────────┬───────────────────────────────┘
                       │
 ┌─────────────────────▼───────────────────────────────┐
-│          MCP Lifecycle (mcp_lifecycle.py)            │
-│  Server connection, cleanup, process management      │
+│          MCP Lifecycle (mcp_lifecycle.py)           │
+│  Server connection, cleanup, process management     │
 └─────────────────────┬───────────────────────────────┘
                       │
 ┌─────────────────────▼───────────────────────────────┐
-│            Agent (agent.py)                          │
-│  TaskAgent wrapper, hooks, OpenAI Agents SDK bridge  │
+│            Agent (agent.py)                         │
+│  TaskAgent wrapper, hooks, OpenAI Agents SDK bridge │
 └─────────────────────────────────────────────────────┘
 
 Supporting modules:
@@ -81,6 +81,41 @@ Per-model `model_settings` can include:
 - **`endpoint`** — API base URL override for this model
 - **`token`** — name of an environment variable containing the API key
 
+### Backends
+
+The runner can drive two SDKs behind a common interface:
+
+- **`openai_agents`** (default) — the OpenAI Agents Python SDK. Supports
+  multi-personality handoffs, both `chat_completions` and `responses`
+  `api_type`, `temperature`, `parallel_tool_calls`,
+  `exclude_from_context`, and MCP over stdio, SSE, and streamable HTTP.
+- **`copilot_sdk`** (optional, `pip install seclab-taskflow-agent[copilot]`)
+  — the GitHub Copilot Python SDK. Supports streaming, `reasoning_effort`,
+  MCP over stdio/SSE/HTTP, and per-tool permission gating. The SDK
+  selects its own wire protocol per model, so the YAML `api_type` field
+  is not honoured; multi-personality handoffs, `temperature`, and
+  `parallel_tool_calls` are likewise not available. Taskflows that use
+  unsupported fields fail at load time with a `BackendCapabilityError`
+  naming the offending field.
+
+Selection precedence:
+
+1. `backend:` field in the model config document.
+2. `SECLAB_TASKFLOW_BACKEND` environment variable.
+3. Endpoint auto-default (`api.githubcopilot.com` prefers `copilot_sdk`
+   when the optional dependency is installed).
+4. `openai_agents`.
+
+```yaml
+seclab-taskflow-agent:
+  version: "1.0"
+  filetype: model_config
+backend: copilot_sdk
+models:
+  fast: gpt-5-mini
+  slow: claude-opus-4.6
+```
+
 ### Session Recovery
 
 Taskflow runs are automatically checkpointed at the task level. If a task
 
@@ -5,5 +5,7 @@ seclab-taskflow-agent:
   version: "1.0"
   filetype: model_config
 models:
-  gpt_default: gpt-4.1
-
+  gpt_default: gpt-5.4-mini
+model_settings:
+  gpt_default:
+    api_type: responses
@@ -9,7 +9,7 @@ seclab-taskflow-agent:
   version: "1.0"
   filetype: model_config
 models:
-  gpt_responses: gpt-5.1
+  gpt_responses: gpt-5.4
 model_settings:
   gpt_responses:
     api_type: responses
 
@@ -28,6 +28,7 @@ classifiers = [
   "Programming Language :: Python :: 3.11",
   "Programming Language :: Python :: 3.12",
   "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
   "Programming Language :: Python :: Implementation :: CPython",
   "Programming Language :: Python :: Implementation :: PyPy",
   "Intended Audience :: Developers",
@@ -86,9 +87,9 @@ dependencies = [
   "platformdirs==4.5.0",
   "pluggy==1.6.0",
   "pycparser==2.23",
-  "pydantic==2.11.7",
-  "pydantic-settings==2.10.1",
-  "pydantic_core==2.33.2",
+  "pydantic==2.13.3",
+  "pydantic-settings==2.14.0",
+  "pydantic_core==2.46.3",
   "Pygments==2.20.0",
   "pyperclip==1.9.0",
   "python-dotenv==1.1.1",
@@ -112,7 +113,7 @@ dependencies = [
   "tqdm==4.67.1",
   "typer==0.16.0",
   "types-requests==2.32.4.20250611",
-  "typing-inspection==0.4.1",
+  "typing-inspection==0.4.2",
   "typing_extensions==4.15.0",
   "ujson==5.12.0",
   "urllib3==2.6.3",
@@ -123,6 +124,15 @@ dependencies = [
 [project.scripts]
 seclab-taskflow-agent = "seclab_taskflow_agent.cli:app"
 
+[project.optional-dependencies]
+# Pulls in the GitHub Copilot SDK (public preview) so the copilot_sdk
+# backend can be selected. Requires Python >= 3.11. Pinned to the
+# 0.2.x line because the SDK may ship breaking changes between minor
+# versions while still in preview.
+copilot = [
+  "github-copilot-sdk>=0.2.2,<0.3",
+]
+
 [project.urls]
 Source = "https://github.com/GitHubSecurityLab/seclab-taskflow-agent"
 Issues = "https://github.com/GitHubSecurityLab/seclab-taskflow-agent/issues"
 
@@ -26,6 +26,7 @@
 __all__ = [
     "ApiType",
     "AvailableTools",
+    "BackendSdk",
     "TaskAgent",
     "TaskRunHooks",
     "TaskAgentHooks",
@@ -41,6 +42,7 @@
 from .available_tools import AvailableTools
 from .models import (
     ApiType,
+    BackendSdk,
     ModelConfigDocument,
     PersonalityDocument,
     PromptDocument,