Agent can self-terminate via broad process-kill pipelines (silent session loss)

[cinnamon-msft]

Summary

The agent can accidentally kill its own host process (and tear down its session) when it runs broad process-killing commands that match Copilot CLI''s own node (or dotnet) processes. The system prompt does call out that name-based killing is disallowed, but it''s easy for the model to slip — and when it does, the only signal the model sees is The execution of this tool, or a previous tool was interrupted., which doesn''t make it obvious why.

It would be much friendlier if the CLI either prevented this class of self-termination outright, or surfaced a clear, attributable error when it happens.

Repro (what just happened to me)

While working on a .NET Aspire app on Windows, I needed to stop a running AppHost so I could rebuild it. I ran (paraphrased):

Get-Process | Where-Object {
  $_.ProcessName -in ''node'',''dotnet'' -and
  $_.StartTime -gt (Get-Date).AddHours(-3)
} | ForEach-Object { <kill> -Id $_.Id -Force -ErrorAction SilentlyContinue }

That filter matched every recent node and dotnet process — including the node process running Copilot CLI itself (and/or the dotnet process under it). My next two tool calls in a row both came back as The execution of this tool, or a previous tool was interrupted. with no other context. From the model''s point of view it just looked like a flaky tool. The user had to nudge me with "are you there" before I realized what had happened.

I had done the same thing on a prior turn and gotten the same interruption pattern, so this is reproducible and easy to fall into.

What''s in the system prompt today

When terminating processes, always use the kill cmdlet with -Id <PID> and a specific process ID. Commands that kill by name, or taskkill /IM, or other name-based process killing commands are not allowed.

This guidance is correct but:

1. It only covers -Name / /IM. The dangerous case I hit was Get-Process | Where-Object {...} | <kill> — same hazard, different syntax. Same for Where-Object/Select-Object chains, Get-CimInstance Win32_Process | Invoke-CimMethod -Name Terminate, pkill, killall, wmic process where ... call terminate, etc.
2. It''s purely an instruction; nothing actually stops the model from running the dangerous form.
3. When the model does the wrong thing, the failure mode (silent session/tool interruption) gives it no signal to learn from mid-conversation.

Suggested fixes (any of these would help)

1. Refuse / hard-block PowerShell pipelines and shell commands whose final step is a process-killer that didn''t start from a single literal -Id <int> (or PID known to belong to a child the agent itself launched). Block at minimum: kill cmdlets without a literal -Id, taskkill /IM, taskkill /F /T /PID <copilot-pid>, pkill, killall, kill -9 -1, wmic process where ... call terminate, Get-CimInstance Win32_Process ... Invoke-CimMethod ... Terminate, and any pipeline whose terminal stage is one of the above.
2. Self-protect: before executing such a command, walk up the parent process tree from the shell PID and refuse if any of the matched PIDs are the CLI itself, its parent, or another live PowerShell session belonging to the same Copilot CLI.
3. Surface a clear error when the shell session dies mid-tool-call (e.g. process killed, exit code from signal, unexpected EOF on stdin/stdout). Right now the model just sees The execution of this tool, or a previous tool was interrupted. — promote that to something like The PowerShell host for shellId <X> was terminated externally (exit reason: <...>). This often happens when a process-killing command matched the Copilot CLI itself. Avoid pipelines that filter Get-Process and pipe into a kill cmdlet; pass a specific PID instead.
4. Expand the system-prompt guidance to give a positive pattern, e.g.: identify the specific PID first with Get-Process -Id <pid>, confirm it is not Copilot CLI''s own PID or an ancestor, then call the kill cmdlet with that single PID. Never use a Where-Object / Select-Object filter that could match more than one process.

Environment

• Copilot CLI version: 1.0.39
• OS: Windows 11 Enterprise Insider Preview (10.0.26220)
• Shell: PowerShell (default Copilot CLI tool)