Skip to main content

GitHub Copilot SDK Deep Dive: CopilotClientMode

By default, the CopilotClient starts in CopilotCli mode. That means the full Copilot CLI persona is active — which includes a lot:

  • All built-in tools available (subject to the ToolSet filtering you do per session)
  • Host integration enabled: the CLI picks up your local ~/.copilot/ config, agents directory, plugins, and AGENTS.md files if they exist
  • The default system prompt with the full Copilot identity
  • Co-author trailers added to git commits
  • Storage backed by the local filesystem at the default path

For a developer using the SDK on their own machine to automate their own workflows, this is perfect. The agent behaves exactly like Copilot CLI would interactively. Context flows in from their environment, their local agent configs are respected, their Copilot persona is preserved.

The multi-tenant problem

The moment you start running the SDK as a service — where one process handles sessions for multiple users or tenants — default mode becomes a liability.

The core issue is state leakage. The CLI in default mode reads and writes to shared locations:

  • Plugins installed locally
  • Custom agent configurations in ~/.copilot/agents/
  • Session storage and compaction state
  • Co-author identity from git config
  • Any AGENTS.md files in the working directory

If Tenant A's session runs and picks up a plugin that happens to be installed locally, and Tenant B's session does not, you have inconsistent behavior. Worse, if you are running sessions on behalf of end users, you absolutely do not want their sessions inheriting configuration from whoever deployed the service.

This is the exact problem CopilotClientMode.Empty was built to solve.

CopilotClientMode.Empty: a clean slate

Empty mode strips the client down to a controlled baseline:

  • No built-in tools by default — you opt in explicitly via ToolSet
  • Host integration disabled — no plugin scanning, no local agent discovery, no AGENTS.md pickup
  • System prompt sanitized — the default Copilot identity and persona sections are cleared
  • Storage is explicit — you provide BaseDirectory; there is no fallback to a shared default path
  • Co-author trailers suppressed — no user-specific identity bleeds into git activity

The result is a client that starts from nothing and only has what you explicitly give it. Every session created from this client is isolated from the host environment.

await using var client = new CopilotClient(new CopilotClientOptions
{
    Mode = CopilotClientMode.Empty,
    BaseDirectory = $"/tmp/tenants/{tenantId}", // per-tenant isolation
});

await using var session = await client.CreateSessionAsync(new SessionConfig
{
    OnPermissionRequest = PermissionHandler.ApproveAll,
    // Explicitly opt in to the tools this tenant's sessions should have
    AvailableTools = new ToolSet()
        .AddBuiltIn(BuiltInTools.Isolated) // sandboxed file operations only
        .AddMcp("*"),                       // MCP tools you have configured
    // Explicitly exclude anything you want to block regardless of MCP config
    ExcludedTools = new ToolSet()
        .AddMcp("github-delete_repository"),
    // Your system prompt — you own it entirely in Empty mode
    SystemMessage = new SystemMessageConfig
    {
        Mode = SystemMessageMode.Replace,
        Content = $"You are the AI assistant for {tenantId}. ..."
    }
});

Notice BuiltInTools.Isolated in the AvailableTools call. In Empty mode the built-in tool catalog does not automatically include anything — you have to be explicit. Isolated is a named subset that provides sandboxed file read/write without shell access, which is typically the right starting point for a service handling external users.

The BaseDirectory requirement

In Cli mode, the CLI uses a shared local path for its storage. In Empty mode you must supply BaseDirectory explicitly — the SDK will not fall back to a shared path.

This is a deliberate forcing function. The per-tenant directory is where the CLI writes its session compaction state, context caches, and any other runtime storage it needs. By requiring you to specify it, the SDK ensures you have thought about isolation. Two clients running with the same BaseDirectory would share state — which is exactly what you are trying to avoid.

A practical pattern is a path keyed to the tenant or user identifier:

var client = new CopilotClient(new CopilotClientOptions
{
    Mode = CopilotClientMode.Empty,
    BaseDirectory = Path.Combine(baseStoragePath, tenantId.ToString()),
});

If you are running sessions ephemerally (fire a task, get a result, done), you may want to clean up the directory afterward. The SDK does not do this for you.

When to use which mode

CopilotClientMode.CopilotCli— you are building personal tooling, developer automation, or anything where the person running the code is also the person whose environment the agent should respect. Local CLI config, plugins, agent definitions, the full persona — all of this is desirable and expected.

CopilotClientMode.Empty — you are building a service. You have multiple users or tenants, and their sessions must be isolated from each other and from the host environment. You want full control over what the agent can do, what it looks like, and where it stores state. Every capability is opt-in.

The distinction maps cleanly to the deployment context: developer tool vs. hosted service.

Labels:

Popular posts from this blog

Podman– Command execution failed with exit code 125

After updating WSL on one of the developer machines, Podman failed to work. When we took a look through Podman Desktop, we noticed that Podman had stopped running and returned the following error message: Error: Command execution failed with exit code 125 Here are the steps we tried to fix the issue: We started by running podman info to get some extra details on what could be wrong: >podman info OS: windows/amd64 provider: wsl version: 5.3.1 Cannot connect to Podman. Please verify your connection to the Linux system using `podman system connection list`, or try `podman machine init` and `podman machine start` to manage a new Linux VM Error: unable to connect to Podman socket: failed to connect: dial tcp 127.0.0.1:2655: connectex: No connection could be made because the target machine actively refused it. That makes sense as the podman VM was not running. Let’s check the VM: >podman machine list NAME         ...
Read more

Azure DevOps/ GitHub emoji

I’m really bad at remembering emoji’s. So here is cheat sheet with all emoji’s that can be used in tools that support the github emoji markdown markup: All credits go to rcaviers who created this list.
Read more

VS Code Planning mode

After the introduction of Plan mode in Visual Studio , it now also found its way into VS Code. Planning mode, or as I like to call it 'Hannibal mode', extends GitHub Copilot's Agent Mode capabilities to handle larger, multi-step coding tasks with a structured approach. Instead of jumping straight into code generation, Planning mode creates a detailed execution plan. If you want more details, have a look at my previous post . Putting plan mode into action VS Code takes a different approach compared to Visual Studio when using plan mode. Instead of a configuration setting that you can activate but have limited control over, planning is available as a separate chat mode/agent: I like this approach better than how Visual Studio does it as you have explicit control when plan mode is activated. Instead of immediately diving into execution, the plan agent creates a plan and asks some follow up questions: You can further edit the plan by clicking on ‘Open in Editor’: ...
Read more