
Copilot CLI Agentic Workflows

Terminal-native agentic coding with GitHub Copilot CLI — interactive and headless modes, graduated authorization, delegation to cloud agents, and MCP integration in the terminal.

Operating Modes

Copilot CLI (GA February 2026) provides two operating modes for all paid Copilot subscribers (GitHub Changelog):

Interactive mode (copilot) — conversational sessions where the agent reads files, runs commands, and edits code with human approval at each step.

Programmatic mode (copilot -p "<prompt>") — single-command headless execution for CI/CD and scripting pipelines (GitHub Blog).

Authorization Model

Copilot CLI uses a graduated permission model (GitHub Blog):

| Level | Flag | Behavior |
| --- | --- | --- |
| Manual approval | (default) | Prompt before each tool use; approve-once, approve-session, or reject |
| Granular allow | --allow-tool 'shell(COMMAND)' | Auto-approve specific commands |
| Granular deny | --deny-tool 'TOOL(command)' | Block specific tools; deny takes precedence over allow |
| Full auto-approval | --allow-all-tools | Skip all permission prompts |

Deny rules are evaluated after allow rules, so --deny-tool overrides any matching --allow-tool and reduces allow-list creep. The veto is not absolute: PromptArmor disclosed a bypass in Feb 2026 where env curl ... | env sh evades the allowlist because env is auto-approved and the validator treats curl and sh as arguments, not commands; GitHub closed it as a "known issue" (PromptArmor; Microsoft Security, May 2026). Treat the allowlist as one layer of defense-in-depth, not a containment boundary.
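
The first-word flaw described above can be modelled in a few lines, next to a check that resolves the program each pipeline stage actually runs. This is an added example, not Copilot CLI's validator or code from the page; AUTO_APPROVED, WRAPPERS and the function names are assumptions made for illustration, and the parser is a fail-closed approximation rather than a full shell grammar.

```python
import shlex

# Assumptions for this model (not Copilot CLI internals): program names that are
# auto-approved, and wrappers that execute their arguments as a new command.
AUTO_APPROVED = {"env", "ls", "npm", "git"}
WRAPPERS = {"env", "nice", "nohup", "time", "timeout", "xargs"}
FAIL_CLOSED = ("`", "$(", "<(", ">(", "\n")  # substitutions, multi-line input
PUNCT = set("();<>|&")


def naive_check(cmdline, approved=AUTO_APPROVED):
    """Flawed model: approve on the first word; the rest are 'arguments'."""
    return shlex.split(cmdline)[0] in approved


def split_stages(cmdline):
    """Split a command line into simple commands at |, ||, &&, ;, & and ( )."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    stages, current = [], []
    for tok in lexer:
        chars = set(tok)
        if tok and chars <= PUNCT and not chars & set("<>"):  # control operator
            stages.append(current)
            current = []
        else:
            current.append(tok)  # ordinary word or redirection
    stages.append(current)
    return [s for s in stages if s]


def effective_program(argv):
    """Peel wrappers, their options and VAR=value pairs; return what runs."""
    for tok in argv:
        if tok in WRAPPERS or tok.startswith("-") or "=" in tok:
            continue
        return tok
    return None  # nothing left to run, e.g. a bare `env`


def hardened_check(cmdline, approved=AUTO_APPROVED):
    """Approve only if every stage's effective program is approved."""
    if any(marker in cmdline for marker in FAIL_CLOSED):
        return False
    try:
        stages = split_stages(cmdline)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    programs = [effective_program(s) for s in stages]
    return bool(programs) and all(p in approved - WRAPPERS for p in programs)
```

Wrapper options that take a value (for example `timeout 5 npm test`) are rejected by this model because the value is read as the program name; that errs on the side of a prompt rather than an auto-approval.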

For headless scripting, combine programmatic mode with tool restrictions:

copilot -p "Run the test suite and fix failures" \
  --allow-tool 'shell(npm test)' \
  --allow-tool 'shell(git commit *)'

Use --allow-all-tools only inside containers with bounded blast radius (GitHub Blog).

Plan Mode

Activated via Shift+Tab, plan mode restricts the agent to analysis without execution: Copilot reads the request, asks clarifying questions, and builds a structured plan before writing code (GitHub Docs).

  • Exploration — understand a codebase before committing to an approach
  • Review — inspect proposed changes as diffs before approving

Delegation to Cloud Agents

/delegate dispatches work to the cloud coding agent for async execution via GitHub Actions, which opens PRs for review while the developer continues locally (GitHub Blog); /resume switches between local and remote sessions.

Slash Commands

Commands are grouped into five categories (GitHub Blog: Cheat Sheet): session management (/clear, /session, /exit), directory access (/add-dir, /list-dirs, /cwd), configuration (/model, /terminal-setup, /reset-allowed-tools), external services (/agent, /delegate, /mcp, /share), and discovery (/help, /feedback).

Custom Agents in the CLI

Custom agents work across CLI, IDE, and github.com; /agent lists and selects them for the current session and can bundle specialized MCP tools for domain-specific tasks (GitHub Blog).

MCP in the Terminal

Copilot CLI ships with the GitHub MCP server built in for repo queries, issue lookups, and PR management. Custom servers are managed via /mcp [show|add|edit|delete|disable|enable], and --deny-tool 'My-MCP-Server(tool_name)' scopes permissions per MCP tool (GitHub Changelog).

Code Review from the CLI

Since March 2026, Copilot code review can be requested from the gh CLI (GitHub Changelog):

# Add Copilot as a reviewer on the current PR
gh pr edit --add-reviewer @copilot

This triggers the agentic code review architecture without leaving the terminal.

Session Management

Auto-compaction compresses conversation history at 95% context window capacity for extended sessions (GitHub Changelog), and repository memory persists conventions across sessions.

Example

Hardening a CI pipeline with minimal blast radius — use programmatic mode with scoped tool permissions so the agent can run tests and commit fixes but cannot push to remote or modify pipeline configuration:

copilot -p "Run the test suite, identify failing tests, and fix them" \
  --allow-tool 'shell(npm test)' \
  --allow-tool 'shell(git add *)' \
  --allow-tool 'shell(git commit *)' \
  --deny-tool 'shell(git push)'

Push is blocked even if a broader allow rule would otherwise permit it. For exploratory work, omit -p and use interactive mode with Shift+Tab plan mode first to validate the approach.

When This Backfires

  • --allow-all-tools outside containers — grants full shell access; a prompt injection or hallucinated command can modify files, install packages, or push commits without review. Restrict to containerized CI environments where blast radius is bounded.
  • Validator bypass via shell indirection — env curl ... | env sh evades the auto-approve allowlist and GitHub has declined to patch it; pair --deny-tool with sandboxing and egress controls (see Authorization Model above).
  • Headless mode with underspecified prompts — programmatic mode exits after the first attempt and cannot ask clarifying questions; ambiguous prompts produce partial or incorrect results with no opportunity for course correction.
  • Context window exhaustion on large codebases — auto-compaction at 95% capacity can lose earlier context that constrains later decisions; long refactoring sessions may contradict earlier choices made before compaction.
  • /delegate latency mismatch — cloud agent execution via GitHub Actions takes minutes to hours; delegating time-sensitive tasks introduces a latency gap that breaks flow if the developer expects synchronous completion.
  • Usage caps on parallel workflows — as of April 2026, GitHub tightened session and weekly token limits on Pro plans and explicitly warned that parallelized commands like /fleet consume tokens heavily enough to exhaust weekly quotas; agentic CLI workflows that fan out across monorepos can stall when limits hit, and Opus models were removed from Pro entirely (GitHub Blog).

Key Takeaways

  • Interactive and programmatic modes serve different needs — exploration versus automation
  • --allow-tool / --deny-tool enables precise permission scoping for both modes
  • /delegate bridges local CLI work and async cloud execution
  • Plan mode (Shift+Tab) separates analysis from execution
  • gh pr edit --add-reviewer @copilot requests agentic code review from the terminal
  • Programmatic mode with tool restrictions makes Copilot CLI viable for CI/CD