Copilot CLI 1.0.46 Makes Read-Only Agent Authority a Product Decision

Copilot CLI v1.0.46 is the kind of release that looks small until you run coding agents for a real team. The headline change is not a new model, a flashy agent mode, or a benchmark claim. It is a permission-default decision: read-only GitHub CLI commands such as list, view, status, and diff are now auto-approved without prompting the user. That is a tiny UX improvement with a real governance lesson. The future of agent security is not “ask before everything.” It is classifying authority precisely enough that approvals stay rare, meaningful, and observable.

GitHub published Copilot CLI v1.0.46 on May 12, 2026 at 20:53:50 UTC, according to the GitHub Releases API. The release also adds a warning when the installed CLI version is deprecated and “premium model access may be lost,” fixes PowerShell startup when pwsh is installed as a .NET global tool shim, wraps long lines in diff view instead of truncating them, and prevents sessions from crashing mid-turn with ERR_HTTP2_INVALID_SESSION. Useful, not glamorous. But the read-only auto-approval change is the part worth reading twice.

A coding agent that has to ask before every gh pr view, gh issue list, gh pr diff, or status check trains users to click approve reflexively. That is worse than a narrower automatic permission. Approval fatigue is a security bug wearing a productivity hat. If a command truly cannot mutate state, letting the agent inspect issue metadata, PR status, and diffs without interruption can make the remaining approval prompts more meaningful. Humans should be interrupted when authority changes, not when the agent wants to read the thing it needs to reason about.

Read-only does not mean harmless

The catch is that “read-only” is a mutation category, not a complete risk category. Read operations can expose private repo names, issue contents, customer references, branch names, vulnerability details, unreleased product plans, CI logs, internal incident narratives, and pull-request diffs that contain secrets by accident. In many organizations, the sensitive action is not writing to GitHub. It is pulling the wrong private context into an agent conversation, a model request, a trace, or an exported log.

That distinction is where teams should mature their permission models. Agent authority needs at least three buckets: mutation risk, disclosure risk, and downstream retention risk. Mutation risk asks whether the tool can change state. Disclosure risk asks what the tool can read and whether the agent should see it. Retention risk asks where that context goes after the tool call: model provider, local transcript, observability backend, audit log, or exported trace. A read-only command may be safe on mutation and still dangerous on disclosure or retention.

This is not academic. An agent inspecting a public open-source PR is a different risk from an agent inspecting a private security advisory, a customer escalation issue, or a production incident branch. The command shape may be identical. The context is not. Teams that treat all read-only gh commands as equivalent will eventually discover that their agent governance is really just a write-protection policy with a blind spot.

Observability is becoming the control plane

The adjacent Copilot telemetry work makes v1.0.46 more interesting. Microsoft’s VS Code Copilot monitoring docs say Copilot Chat can export traces, metrics, and events through OpenTelemetry, including LLM calls, tool executions, token usage, agent invocation duration, edit acceptance, lines-of-code counts, pull requests created via the CLI agent, and cloud or remote agent sessions. The docs also say Copilot CLI background-agent traces include subagents, permissions, hooks, and tool calls, while terminal CLI sessions appear as independent root traces under the github-copilot service.

That is the right direction. Teams do not merely need the final patch. They need to know what the agent asked, which tools it called, what authority it used, how much it cost, what the human accepted, and where the result went. When an agent does something strange, “the model decided” is not an incident report. A trace with tool calls, permissions, token metrics, and acceptance signals gets you closer to a debuggable system.

The relevant OpenTelemetry GenAI metric named in both Copilot’s telemetry docs and the broader semantic conventions is gen_ai.client.operation.duration. That sounds like plumbing, because it is. But plumbing becomes product once teams route real work through agents. Duration, token counts, tool-call counts, approval points, and subagent spans are the raw material for policy: which tasks are too expensive, which tools cause stalls, which workflows need stricter approvals, which model routes are wasteful, and which automations produce useful work versus noise.

The sharp edge is content capture. Copilot’s OTel content capture is off by default. If enabled, it can include code, file contents, prompts, system prompts, tool schemas, tool arguments, and tool results. That may be necessary in a lab when debugging agent behavior. It is a bad casual default in production unless the telemetry backend is approved for source code and secrets-adjacent material. The same trace that explains a bad run can become a compliance incident if it exports private repo content to an observability vendor without the right controls.

The deprecation warning is also more than housekeeping. “Premium model access may be lost” means agent CLIs are now part of model-access lifecycle management. Copilot is not a single static product; it is a bundle of CLI versions, IDE extensions, cloud agents, partner models, billing pools, org policies, and telemetry paths. If an old CLI silently loses access to a premium model, developers experience it as flaky agent quality or random capability loss. Platform teams should treat agent CLIs like production-adjacent developer dependencies: pin versions, define update windows, test model access after upgrades, and include them in environment drift checks.

The practical policy is not complicated. Document which gh commands are safe automatic reads. Decide whether private issue and PR data may enter agent context. Keep content capture off unless there is a time-boxed debugging need. Export traces only to approved backends. Require human approval for mutations even when read-only inspection is automatic. Add agent CLI versions to managed dev-environment checks. And when reviewing an agent incident, ask three questions separately: what did it write, what did it read, and where did that information go?
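The three risk buckets and the policy above can be expressed as a small approval gate. This is an added example, not Copilot CLI's own logic: the Context fields, the sink names, and the prompt/deny thresholds are assumptions chosen for illustration, and the verb list is taken from the release wording.

```python
import shlex
from dataclasses import dataclass

# Assumption: read-only verbs, taken from the release wording (list, view, status, diff).
READ_VERBS = {"list", "view", "status", "diff"}
# Assumption: hypothetical sink names approved to hold private repository content.
APPROVED_SINKS = {"local-transcript", "internal-otel"}

@dataclass(frozen=True)
class Context:
    repo_private: bool                    # is the target repository private?
    labels: frozenset = frozenset()       # sensitivity tags, e.g. {"security"}
    sinks: frozenset = frozenset()        # where tool output flows afterwards

def assess(command: str, ctx: Context) -> dict:
    """Score one gh invocation on mutation, disclosure and retention separately."""
    argv = shlex.split(command)
    # Fail closed: anything that is not `gh <group> <verb> ...` goes to a human.
    if len(argv) < 3 or argv[0] != "gh":
        return {"decision": "prompt", "reasons": ["unrecognised command shape"]}
    verb, reasons = argv[2], []
    mutation = verb not in READ_VERBS
    if mutation:
        reasons.append(f"mutation: '{verb}' is not a listed read-only verb")
    disclosure = ctx.repo_private and bool(ctx.labels)
    if disclosure:
        reasons.append("disclosure: private target tagged " + ",".join(sorted(ctx.labels)))
    unapproved = ctx.sinks - APPROVED_SINKS
    retention = ctx.repo_private and bool(unapproved)
    if retention:
        reasons.append("retention: output reaches " + ",".join(sorted(unapproved)))
    # Private content bound for an unapproved backend is refused outright;
    # mutation or sensitive reads need a human; everything else runs silently.
    decision = "deny" if retention else "prompt" if (mutation or disclosure) else "auto-approve"
    return {"decision": decision, "mutation": mutation, "disclosure": disclosure,
            "retention": retention, "reasons": reasons}

# Constructed contexts: same command shape, different authority.
PUBLIC = Context(False, sinks=frozenset({"local-transcript"}))
ADVISORY = Context(True, frozenset({"security"}), frozenset({"local-transcript"}))
LEAKY = Context(True, sinks=frozenset({"local-transcript", "vendor-apm"}))

if __name__ == "__main__":
    for cmd, ctx in [("gh pr view 42", PUBLIC), ("gh pr view 42", ADVISORY),
                     ("gh pr diff 42", LEAKY), ("gh pr merge 42", PUBLIC)]:
        print(cmd, "->", assess(cmd, ctx))
```

The recorded reasons list is what an incident reviewer would read to answer the write, read, and destination questions separately.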

Copilot CLI v1.0.46 will not be remembered as a major release. It should be remembered as a useful permission-design footnote. Prompting before every action is not security; it is a way to manufacture inattentive humans. The better path is narrower automatic authority, explicit mutation gates, disclosure-aware policy, and traces good enough to reconstruct the run after the fact. Boring? Yes. Also the part that decides whether coding agents become infrastructure or just another trust-me demo.

Sources: GitHub Copilot CLI v1.0.46, VS Code Copilot monitoring docs, GitHub Copilot agents docs, OpenTelemetry GenAI semantic conventions