From cfb01ba7701af386e49cb2c1531081a504a30532 Mon Sep 17 00:00:00 2001 From: Manfred Riem <15701806+mnriem@users.noreply.github.com> Date: Fri, 19 Jun 2026 14:16:29 -0500 Subject: [PATCH] docs: strengthen agent disclosure to cover commits and per-round comments Expand the AGENTS.md PR-review section into a continuous disclosure policy. Disclosure is no longer a one-time PR-body event: - Commits: require an Assisted-by: (autonomous|supervised) trailer on every agent-authored commit; ban hiding agent authorship behind the operator's git identity; preserve tool-generated Co-authored-by lines. - Comments: re-state agent identity each review round. - Anti-patterns: forbid replying "Done"/pushing fixes seconds after a review trigger without disclosure, and claiming human review for automated commits. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- AGENTS.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/AGENTS.md b/AGENTS.md index 4f0c9912a8..d21db4f426 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -423,15 +423,37 @@ When an issue exists, include its number immediately after the prefix — this i --- -## Responding to PR Review Comments +## Agent Disclosure for PRs, Comments, and Commits + +Disclosure is **continuous**, not a one-time event. A single AI-disclosure paragraph in the PR body does **not** cover the commits and replies you add during review rounds. Each of the following must independently attest to agent authorship. + +### Commits + +- **Every commit you author must carry an `Assisted-by:` trailer** identifying the agent and whether it acted autonomously or under direct human supervision, for example: + + ``` + Assisted-by: GitHub Copilot (model: , autonomous) + ``` + + Use `supervised` instead of `autonomous` only when a human actually authored or line-by-line reviewed the change before it was committed. +- **Never push solo-authored commits that hide agent authorship behind the operator's git identity.** If an agent generated the change, the trailer must say so even when the commit is attributed to a human account. +- Preserve any tool-generated `Co-authored-by:` trailers (e.g. Copilot Autofix) — do not strip them to make a commit look hand-written. + +### Comments - If you are an agent working on behalf of a human, **disclose your identity in your PR comment** — name the agent (and model, if applicable) and the human you are acting for (e.g., "Posted on behalf of @user by GitHub Copilot (model: <name-if-known>)"). +- **Re-state agent identity in each review-round summary comment.** A prior PR-body disclosure does not cover later comments or commits. - Post **one** top-level summary comment per review round listing what changed and the commit SHA. Do not reply on every individual comment. - Reply inline only when context is needed (disagreement, deferral, non-obvious fix). Keep it to a sentence or two. - **Never click "Resolve conversation"** — that belongs to the reviewer or PR author. 
- No emoji, no celebratory framing, no checklist mirroring the reviewer's items, no restating what the reviewer wrote. - Re-request review once per round (when all feedback is addressed), not after every intermediate push. +### Anti-patterns (do not do these) + +- **Do not** reply "Done" or push a "fix" within seconds/minutes of a review event without disclosing that the response or commit was agent-generated. Speed of turnaround is not a substitute for attestation — a near-instant tested code change is itself a signal of automation and must be disclosed as such. +- **Do not** claim "reviewed, tested, and understood by me" for commits that were authored and pushed automatically in response to a review trigger. If the loop is automated, disclose it as automated. + --- ## Common Pitfalls
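Review bot: The example trailer under "### Commits" reads `Assisted-by: GitHub Copilot (model: , autonomous)`, with nothing between `model:` and the comma, so the one concrete template the policy offers has an empty field. The existing comment example a few lines down uses `(model: <name-if-known>)`; use the same placeholder in the trailer and say whether the model name may be omitted when unknown, so that a reader (or a CI check on commit trailers) knows what a conforming value looks like. In the same bullet, `supervised` is allowed when a human "actually authored or line-by-line reviewed the change", but a change a human authored is not obviously an agent-authored commit at all; consider restricting `supervised` to the reviewed-before-commit case, or stating how a mixed human/agent commit should be labelled. Separately, replacing `## Responding to PR Review Comments` with `## Agent Disclosure for PRs, Comments, and Commits` leaves the non-disclosure guidance (one summary comment per round, never click "Resolve conversation", no emoji, re-request review once per round) filed under a disclosure heading and changes the section anchor; keeping the old heading for those bullets and adding the disclosure section beside it would avoid both.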