Repository instructions are now part of the system
The Copilot coding agent does not receive only a loose issue. It can use custom instructions, AGENTS.md, path-specific instructions and MCP servers. That improves context, but it also turns instruction files into part of the execution chain.
For AI-built SaaS, the question is not only whether the agent generates code. The question is whether it was given limits for auth, billing, data, uploads, admin, deploys and tests.
Practical policy
- Custom instructions should say how to test and how to prove the change.
- AGENTS.md should not contain secrets, tokens, private URLs or paid prompts.
- Path-specific instructions need to be consistent to avoid conflicts.
- MCP servers should expose only the tools needed for the task.
- GitHub tokens and integrations should follow least privilege.
- Agent PRs need required CI checks and human review.
- Stripe, webhook, tenant, storage or auth changes deserve Risk Review when real customers are affected.
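As an added example that is not part of the original page or of Copilot itself, a small Python pre-merge check that applies two of the policy points above: it scans AGENTS.md-style instruction files for tokens, keys and private URLs, and maps the files an agent PR changed to the areas that warrant Risk Review. The secret and path patterns are constructed assumptions for a typical SaaS repo layout, not Copilot's own rules.

```python
import re

# Material that should never appear in AGENTS.md or a path-specific instruction
# file. Patterns are constructed for this example; tune them for your repo.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "stripe_key": re.compile(r"\b[sr]k_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "private_url": re.compile(r"https?://\S*(?:localhost|127\.0\.0\.1|\.internal|ngrok)\S*"),
    "credential_assignment": re.compile(r"(?i)(?:api[_-]?key|token|secret)\s*[:=]\s*\S{12,}"),
}
# Areas from the policy list where an agent PR should get Risk Review.
# The path patterns are assumptions about a typical SaaS repo layout.
RISK_AREAS = {
    "billing": re.compile(r"(?i)(^|/)(stripe|billing|payments?)(/|\.|$)"),
    "webhook": re.compile(r"(?i)webhook"),
    "auth": re.compile(r"(?i)(^|/)(auth|session|rbac|permissions?)(/|\.|$)"),
    "tenant": re.compile(r"(?i)tenant"),
    "storage": re.compile(r"(?i)(^|/)(storage|uploads?|s3)(/|\.|$)"),
    "deploy": re.compile(r"(?i)(^|/)(deploy|infra|\.github/workflows)(/|\.|$)"),
}

def find_secrets(text: str) -> list[tuple[str, int]]:
    """Return (pattern_name, line_number) for every suspicious line of an instruction file."""
    return [(name, lineno)
            for lineno, line in enumerate(text.splitlines(), 1)
            for name, pat in SECRET_PATTERNS.items() if pat.search(line)]

def risk_areas_touched(changed_files: list[str]) -> set[str]:
    """Map the files an agent PR changed to the risk areas they fall under."""
    return {area for path in changed_files
            for area, pat in RISK_AREAS.items() if pat.search(path)}

def review_decision(instruction_files: dict[str, str], changed_files: list[str]) -> dict:
    """Leaked material blocks the merge; risky paths route the PR to Risk Review."""
    findings = {name: hits for name, text in instruction_files.items()
                if (hits := find_secrets(text))}
    areas = sorted(risk_areas_touched(changed_files))
    return {"secret_findings": findings, "risk_areas": areas,
            "needs_risk_review": bool(areas), "block_merge": bool(findings)}

# Constructed sample input: an AGENTS.md with a private URL and a test key pasted
# in, plus the file list of an agent PR that touched billing and auth code.
SAMPLE_AGENTS_MD = "\n".join([
    "# AGENTS.md",
    "Run `npm test` before opening a PR and paste the output in the PR body.",
    "Preview environment: https://preview.internal.example/app",
    "STRIPE_SECRET=sk_test_CONSTRUCTEDEXAMPLEVALUE0000",
])
SAMPLE_CHANGED_FILES = ["src/ui/Pricing.tsx", "src/billing/stripe_webhook.ts", "src/auth/roles.ts"]
```

Run it as a required CI step on agent PRs: a non-empty `secret_findings` fails the check, and `needs_risk_review` is the signal to route the PR to Risk Review rather than plain code review.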
Where founders get caught
The agent opens a clean-looking PR, the UI appears to work and nobody notices that a broad backend rule slipped in. In a paid product, that can mean premium access released too early, cross-customer data exposure or duplicate delivery.
Use the Promptbook to evaluate the flow before escalating. Use Risk Review when the Copilot agent changes money, permissions, data or critical integrations.
Custom instructions are power. In an agent that opens PRs, power without policy becomes hard-to-audit change.