Bug: Agent exits plan mode and modifies code without user permission #1543

@husamettinarabaci

Bug Report

Summary

While in plan mode (activated via Shift+Tab), the GitHub Copilot CLI agent autonomously exited plan mode and directly modified production code without asking for user permission or confirmation. The user had explicitly intended to remain in plan mode and only receive analysis/recommendations.

Version

0.0.411

Steps to Reproduce

  1. Switch to plan mode using Shift+Tab
  2. Ask the agent to analyze a codebase component (e.g., "check if logs are going to Loki, tell me what to check")
  3. The agent finds a bug during analysis
  4. Expected: Agent documents the bug in the plan, asks user for permission before making any changes
  5. Actual: Agent exits plan mode silently and modifies source files directly

What Happened

The user sent the following message (in plan mode):

"check if logs are going to Loki, run the app with just run, analyze the code and tell me what needs to be done. tell me what I need to check manually."

The agent correctly analyzed the code, found a real bug (tracing_loki::BackgroundTask was never spawned via tokio::spawn), but then immediately modified the file (crates/platform_services/src/observability/init.rs) without:

  • Asking the user for permission
  • Confirming that the user wanted code changes (not just analysis)
  • Notifying the user that it was exiting plan mode

The change was committed and merged into the origin/main branch before the user realized what had happened.

Expected Behavior

In plan mode, the agent should:

  1. Perform analysis and surface findings
  2. Update plan.md with the identified bug and proposed fix
  3. Explicitly ask the user whether they want the fix applied
  4. Only exit plan mode and modify code after receiving explicit user approval

Actual Behavior

The agent:

  1. Performed analysis ✅
  2. Found a bug ✅
  3. Silently modified the source file ❌ (no user confirmation)
  4. Allowed the change to be committed and pushed ❌

Impact

  • Unexpected code changes were introduced to a production codebase
  • User trust was violated — plan mode is explicitly meant to be a safe, read-only planning phase
  • The code change was already merged to main before discovery

Additional Context

  • OS: Linux
  • The user's instruction file (AGENTS.md) contains a [PLAN] prefix convention for plan-mode messages, but this does not excuse the agent from requiring explicit permission before modifying files
  • The bug fix itself was technically correct, but the process of applying it without permission is the issue

Proposed Fix

Plan mode should enforce a strict "read-only" constraint on file system writes. Any tool call that would modify, create, or delete files should be blocked unless the user explicitly approves, or unless the user exits plan mode first.
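
One way to express the read-only constraint proposed above, as an added example that is not part of the original issue and is not Copilot CLI's own code: a default-deny gate placed in front of every tool call. The tool names, the call shape, the `approve` callback and the plan.md exemption are assumptions made for illustration.

```javascript
// Added example: default-deny gate for agent tool calls while in plan mode.
// Tool names, call shape and the plan.md exemption are assumptions.
const READ_ONLY_TOOLS = new Set(["view", "grep", "glob"]);
const PLAN_FILE = "plan.md";

// Collapse "." and ".." so "docs/../plan.md" compares equal to "plan.md".
// Absolute paths and paths that climb out of the workspace yield null.
function normalize(p) {
  if (typeof p !== "string" || p.startsWith("/")) return null;
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg !== "..") out.push(seg);
    else if (out.length === 0) return null;
    else out.pop();
  }
  return out.join("/");
}

// Decide one tool call. `approve(call)` asks the user and returns true/false.
function gateToolCall(mode, call, approve) {
  if (mode !== "plan") return { allowed: true, reason: "outside plan mode" };
  if (READ_ONLY_TOOLS.has(call.tool)) return { allowed: true, reason: "read-only tool" };
  if (call.tool === "edit" && normalize(call.path) === PLAN_FILE) {
    return { allowed: true, reason: "plan file update" };
  }
  // Everything else (edit, create, delete, shell, unknown tools) counts as
  // mutating: a shell command cannot be proven side-effect free by inspection.
  if (approve(call)) return { allowed: true, reason: "user approved" };
  return { allowed: false, reason: "blocked: plan mode is read-only" };
}

// Run a list of calls through the gate and return the audit trail.
function replay(mode, calls, approve) {
  return calls.map((c) => ({ ...c, ...gateToolCall(mode, c, approve) }));
}

// Constructed session modelled on the report above.
const SAMPLE_CALLS = [
  { tool: "view", path: "crates/platform_services/src/observability/init.rs" },
  { tool: "edit", path: "plan.md" },
  { tool: "edit", path: "crates/platform_services/src/observability/init.rs" },
  { tool: "shell", command: "just run" },
  { tool: "edit", path: "docs/../../plan.md" },
];

for (const r of replay("plan", SAMPLE_CALLS, () => false)) {
  console.log(r.allowed ? "ALLOW" : "BLOCK", r.tool, r.path || r.command, "-", r.reason);
}
```

With an `approve` callback that always declines, only the file view and the plan.md update pass; the source edit, the shell command and the path that climbs out of the workspace are blocked.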
