VS Code Copilot Integration

GitHub Copilot’s agent mode in VS Code connects to MCP servers defined in a mcp.json file. The Agent Receipts proxy wraps any MCP server transparently — Copilot doesn’t know or care that the proxy is there.

Agent mode required

MCP tools are only available in Copilot Chat’s Agent mode (pick it from the mode dropdown in the Chat view). Ask mode and Edit mode do not call MCP tools.

Approval workflow

The default policy includes a pause_high_risk rule. If the proxy runs without -http, the listener is off and paused calls fail fast with -32003. To approve high-risk calls interactively, pass -http 127.0.0.1:<port> and run an approver — see Approval Server.

Secrets: use inputs, not literals

VS Code’s mcp.json is plaintext on disk (and .vscode/mcp.json is usually committed). Never write a token as a literal string. VS Code’s inputs mechanism prompts for the value once and keeps it out of the file — that’s the pattern used below. A secret-manager wrapper (op run, …) works too, as shown in the Claude Desktop guide.

Prerequisites

• mcp-proxy installed

• agent-receipts-daemon installed, initialised, and running — it holds the signing key and writes every receipt

• VS Code with GitHub Copilot (a recent version with MCP support)

• The MCP server you want to audit. The examples below wrap GitHub’s official MCP server:

  brew install github-mcp-server

  This puts a github-mcp-server binary on your $PATH. Verify with which github-mcp-server.

Start the daemon

The proxy holds no signing key of its own — agent-receipts-daemon owns the key and writes every receipt (ADR-0010). Initialise the key once and start the daemon before launching VS Code:

agent-receipts-daemon --init   # one-time: generates the Ed25519 signing key pair
agent-receipts-daemon          # start the daemon (listens on a Unix socket)

The proxy reaches the daemon over its default platform socket automatically. See Daemon Setup for install options and socket paths.

Configure mcp.json

Create .vscode/mcp.json in your workspace (or run MCP: Open User Configuration from the Command Palette for a global config). VS Code’s MCP schema uses a top-level servers key — not mcpServers — plus an optional inputs array for prompted values.

Use absolute paths for command and the wrapped server binary. Print them first:

echo "proxy:  $(which mcp-proxy)"
echo "server: $(which github-mcp-server)"

{
  "inputs": [
    {
      "type": "promptString",
      "id": "github-token",
      "description": "GitHub Personal Access Token",
      "password": true
    }
  ],
  "servers": {
    "github-audited": {
      "type": "stdio",
      "command": "/Users/YOU/go/bin/mcp-proxy",
      "args": [
        "-name", "github",
        "-issuer-name", "VS Code Copilot",
        "-operator-id", "did:web:github.com",
        "-operator-name", "GitHub",
        "/opt/homebrew/bin/github-mcp-server", "stdio"
      ],
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${input:github-token}"
      }
    }
  }
}

${input:github-token} resolves to the value VS Code prompts for the first time the server starts; the token never lands in the file. You can also reference ${workspaceFolder} and ${env:VARNAME} in this config.

-issuer-name, -operator-id, and -operator-name stamp each signed receipt so you can tell which client made a given call when reviewing a shared store — setting -issuer-name to VS Code Copilot here (and to Claude Code, Codex, etc. in the other guides) is what distinguishes them at audit time.

Click the Start code lens that appears above the server entry in mcp.json (or run MCP: List Servers → your server → Start). VS Code prompts for the token, then shows the server as running. Open Copilot Chat in Agent mode and confirm the proxied server’s tools appear in the tools picker.

Verifying receipts

The daemon signs and stores every tool call. After making calls through Copilot, query and verify the store with the agent-receipts CLI (installed alongside the daemon). It opens the database read-only, so it is safe to run while the daemon is writing:

# List recent receipts (newest first)
agent-receipts list

# Verify the chain's signatures and hash links
agent-receipts verify \
  --public-key ~/.local/share/agent-receipts/signing.key.pub

$ agent-receipts list
SEQ  TIMESTAMP             CHAIN    TOOL / ACTION TYPE
4    2026-04-24T02:05:19Z  default  get_file_contents
3    2026-04-24T01:58:45Z  default  create_or_update_file
2    2026-04-24T01:56:12Z  default  list_pull_requests
1    2026-04-24T01:45:07Z  default  list_issues

agent-receipts verify prints Chain default: VALID (4 receipts) when signatures and hash links are intact. Inspect a single receipt — including its action type, risk level, and parameters hash — with agent-receipts show <seq>. See the CLI reference for all subcommands.

Gotchas

servers, not mcpServers. VS Code’s mcp.json uses the servers key. A config copied from a Claude Desktop / Cursor example (which use mcpServers) will silently fail to register. Each stdio entry needs "type": "stdio".

Absolute paths. Point command at the full path to mcp-proxy (find it with which mcp-proxy) and use the full path to the wrapped server binary, so the launch doesn’t depend on a resolved PATH.

Tools only appear in Agent mode. If Copilot isn’t calling the tools, confirm the Chat view is in Agent mode and that the server shows as started under MCP: List Servers.

No receipts appearing? The daemon must be running before VS Code starts the proxied server, or emits fail. Confirm with pgrep agent-receipts-daemon, and see the daemon troubleshooting guide. If you run the daemon on a non-default socket, set AGENTRECEIPTS_SOCKET for both the daemon and the proxy.

Want human-in-the-loop approvals? Opt in with -http. The approval listener is off by default. Add -http 127.0.0.1:<port> to args and run an approver — see Approval Server. Without it, a paused call fails immediately with -32003.