Description
Describe the feature or problem you'd like to solve
Currently, plan mode (the [[PLAN]] prefix or the /plan command) relies solely on system prompt instructions to prevent file modifications. However, the model can still invoke write tools (edit, create, powershell) if its reasoning overrides those instructions. This creates a false sense of safety: users expect plan mode to be read-only, but it is only instructionally discouraged, not architecturally enforced.
Real-world example: While in plan mode, I asked the agent to fix a CLI path issue. Instead of adding it to the plan, the agent edited SKILL.md, created a batch wrapper, and modified my PATH, all because its reasoning deemed these actions helpful despite plan mode being active.
Proposed solution
Implement Claude Code-style plan mode where write/execute tools are blocked at the permission layer, not just discouraged via instructions.
How it would work:
- When plan mode is active, the tool execution layer rejects calls to prohibited tools
- Only read-only tools are permitted: view, grep, glob, task(explore), ask_user
- Write tools return an error: "Blocked: Plan mode is active. Exit plan mode to proceed."
- The model cannot bypass this regardless of reasoning
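To make the enforcement point concrete, here is an added example (not Copilot CLI's own code) of a tool executor that applies the plan-mode allowlist before dispatching any tool call. The tool names, the `subagent` argument used to recognise task(explore), and the stand-in tool implementations are assumptions for illustration; the deny-by-default rule means any tool not on the list is rejected, and blocked attempts are recorded so they can be audited.

```typescript
// Added example, not Copilot CLI's code: a permission-layer gate for plan mode.
type Mode = "plan" | "default";
interface ToolCall { name: string; args: Record<string, unknown> }
type ToolImpl = (args: Record<string, unknown>) => string;
type ToolResult = { ok: true; output: string } | { ok: false; error: string };

const PLAN_MODE_BLOCK_MESSAGE =
  "Blocked: Plan mode is active. Exit plan mode to proceed.";

// Read-only tools permitted in plan mode; anything else is denied by default.
const PLAN_MODE_ALLOWLIST = new Set(["view", "grep", "glob", "task", "ask_user"]);

function isAllowedInPlanMode(call: ToolCall): boolean {
  if (!PLAN_MODE_ALLOWLIST.has(call.name)) return false;
  // Assumed argument shape: `task` is only read-only for the explore sub-agent.
  if (call.name === "task") return call.args["subagent"] === "explore";
  return true;
}

class ToolExecutor {
  private blocked: ToolCall[] = [];
  constructor(private mode: Mode, private tools: Record<string, ToolImpl>) {}

  setMode(mode: Mode): void { this.mode = mode; }
  blockedCalls(): ToolCall[] { return [...this.blocked]; }

  // The check lives here, in the executor, so the model's reasoning never
  // gets a chance to skip it: the tool body is not reached when blocked.
  execute(call: ToolCall): ToolResult {
    if (this.mode === "plan" && !isAllowedInPlanMode(call)) {
      this.blocked.push(call); // keep a record for auditing
      return { ok: false, error: PLAN_MODE_BLOCK_MESSAGE };
    }
    const impl = this.tools[call.name];
    if (!impl) return { ok: false, error: `Unknown tool: ${call.name}` };
    return { ok: true, output: impl(call.args) };
  }
}

// Constructed stand-ins; real tools would read files, edit them or run a shell.
const demoTools: Record<string, ToolImpl> = {
  view: (a) => `contents of ${a.path}`,
  edit: (a) => `edited ${a.path}`,
  powershell: (a) => `ran ${a.command}`,
  task: (a) => `task ${a.subagent}`,
};
```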
Benefits:
- True safety - Plan mode becomes architecturally safe, not just instructionally encouraged
- User trust - Users can confidently explore codebases knowing nothing will be modified
- Team workflows - Safe for code reviews, architecture planning, and onboarding to unfamiliar repos
- Parity with Claude Code - Matches user expectations from similar tools
Example prompts or workflows
- Safe codebase exploration
  - User: [[PLAN]] How does the authentication system work in this repo?
  - Agent reads files, traces code paths, explains architecture
  - ✅ No risk of accidental modifications
- Planning a refactor
  - User: [[PLAN]] I want to migrate from REST to GraphQL. Create a plan.
  - Agent analyzes current API, proposes migration steps, identifies affected files
  - ✅ Plan saved to session folder, no code touched
- Architecture review
  - User: [[PLAN]] Review this PR and identify potential issues
  - Agent examines diff, flags concerns, suggests improvements
  - ✅ Cannot accidentally push comments or approve
- Onboarding to new codebase
  - User: [[PLAN]] I'm new to this repo. Walk me through the structure.
  - Agent explores directories, reads key files, explains patterns
  - ✅ Safe even if user accidentally asks for changes
- Dependency analysis
  - User: [[PLAN]] What would break if I upgrade React to v19?
  - Agent searches for breaking changes, identifies affected components
  - ✅ Cannot accidentally run npm install or modify package.json
Additional context
Reference implementation: Claude Code implements plan mode with tool-layer enforcement. Tools are blocked at the infrastructure layer - they literally won't execute regardless of model reasoning. This is the gold standard for safe planning modes.
Current workaround: Users can add instructions to ~/.copilot/copilot-instructions.md explicitly listing allowed and prohibited tools in plan mode. However, this is fragile: the model can still override instructions if its reasoning is compelling enough.
Impact: This would make Copilot CLI significantly safer for enterprise and team use cases where accidental modifications could cause real harm.