GitHub Copilot: Zero to Hero – The Complete 2026 Field Guide

# VS Code - install from Extensions panel (search "GitHub Copilot")
# or from terminal:
code --install-extension GitHub.copilot
code --install-extension GitHub.copilot-chat

# Copilot CLI - terminal-native agentic mode
npm install -g @github/copilot
copilot auth login

# GitHub CLI with Copilot extension
gh extension install github/gh-copilot
gh copilot --help

# VS Code - install from Extensions panel (search "GitHub Copilot")
# or from terminal:
code --install-extension GitHub.copilot
code --install-extension GitHub.copilot-chat

# Copilot CLI - terminal-native agentic mode
npm install -g @github/copilot
copilot auth login

# GitHub CLI with Copilot extension
gh extension install github/gh-copilot
gh copilot --help

# Start an interactive session
copilot

# Reference files with @ inside the session
> Review @src/service/PaymentService.ts for correctness
> Now fix the issues you found
> Run the tests and show me what fails

# Start an interactive session
copilot

# Reference files with @ inside the session
> Review @src/service/PaymentService.ts for correctness
> Now fix the issues you found
> Run the tests and show me what fails

# Toggle plan mode with Shift+Tab inside an interactive session
Shift+Tab     # Enter plan mode

# Copilot presents a blueprint before acting:
Plan:
  1. Read src/service/PaymentService.ts for current structure
  2. Create src/repositories/PaymentRepository.ts with interface
  3. Refactor PaymentService to inject the repository
  4. Update 3 call sites: auth.ts, admin.ts, checkout.ts
  5. Run tests to verify no regressions

  Press Enter to proceed, or describe a change to the plan.

# Shift+Tab again switches to autopilot (executes without step approval)

# Toggle plan mode with Shift+Tab inside an interactive session
Shift+Tab     # Enter plan mode

# Copilot presents a blueprint before acting:
Plan:
  1. Read src/service/PaymentService.ts for current structure
  2. Create src/repositories/PaymentRepository.ts with interface
  3. Refactor PaymentService to inject the repository
  4. Update 3 call sites: auth.ts, admin.ts, checkout.ts
  5. Run tests to verify no regressions

  Press Enter to proceed, or describe a change to the plan.

# Shift+Tab again switches to autopilot (executes without step approval)

# Execute and exit
copilot -p "review @src/service/PaymentService.ts for correctness"

# Pipe test failures for analysis
npm test 2>&1 | copilot -p "diagnose these test failures"

# Pipe test failures for fixes
npm test 2>&1 | copilot -p "fix all failing tests" --allow-tool 'shell(npm)'

# Pipe git diff for automated review
git diff HEAD~1 | copilot -p "review this diff for bugs and security issues"

# Generate a PR description
git diff main...HEAD | copilot -p "write a clear PR description"

# JSON output for scripts
copilot -p "list all TODO comments in src/" --output-format json

# Execute and exit
copilot -p "review @src/service/PaymentService.ts for correctness"

# Pipe test failures for analysis
npm test 2>&1 | copilot -p "diagnose these test failures"

# Pipe test failures for fixes
npm test 2>&1 | copilot -p "fix all failing tests" --allow-tool 'shell(npm)'

# Pipe git diff for automated review
git diff HEAD~1 | copilot -p "review this diff for bugs and security issues"

# Generate a PR description
git diff main...HEAD | copilot -p "write a clear PR description"

# JSON output for scripts
copilot -p "list all TODO comments in src/" --output-format json

# Reference a single file
> Review @src/service/PaymentService.ts for anti-patterns

# Reference a whole directory
> Analyse @src/domain/ and explain the data model

# Reference multiple files in one prompt
> Compare @src/service/TransferService.ts and @src/service/PaymentService.ts
> and suggest which patterns from Payment should be applied to Transfer

# Reference a config file
> Given @CLAUDE.md, does @src/api/routes.ts follow our architecture rules?

# Reference a single file
> Review @src/service/PaymentService.ts for anti-patterns

# Reference a whole directory
> Analyse @src/domain/ and explain the data model

# Reference multiple files in one prompt
> Compare @src/service/TransferService.ts and @src/service/PaymentService.ts
> and suggest which patterns from Payment should be applied to Transfer

# Reference a config file
> Given @CLAUDE.md, does @src/api/routes.ts follow our architecture rules?

# VS Code Copilot Chat context variables
@workspace          # Indexed workspace representation
@terminal           # Current terminal output (test failures, build errors)

#file:path/to/file  # Full content of a specific file
#selection          # Currently selected text in the editor
#codebase           # Semantic search across the entire codebase
#sym:SymbolName     # Definition and all usages of a symbol

# VS Code Copilot Chat context variables
@workspace          # Indexed workspace representation
@terminal           # Current terminal output (test failures, build errors)

#file:path/to/file  # Full content of a specific file
#selection          # Currently selected text in the editor
#codebase           # Semantic search across the entire codebase
#sym:SymbolName     # Definition and all usages of a symbol

# Resume the most recent session
copilot --continue

# Pick from a list of previous sessions
copilot --resume

# Context management commands inside an interactive session
/clear      # Clear history, start fresh (system context stays)
/compact    # Compress history and continue (no context lost)
/status     # Show current token usage

# Session persistence (on by default)
copilot config set session.persist false   # Disable cross-session memory

# Resume the most recent session
copilot --continue

# Pick from a list of previous sessions
copilot --resume

# Context management commands inside an interactive session
/clear      # Clear history, start fresh (system context stays)
/compact    # Compress history and continue (no context lost)
/status     # Show current token usage

# Session persistence (on by default)
copilot config set session.persist false   # Disable cross-session memory

# Pipe test failures to Copilot for fixes (language-agnostic)
npm test 2>&1 | copilot -p "fix all failing tests"
# or: pytest 2>&1 | copilot -p "fix all failing tests"
# or: go test ./... 2>&1 | copilot -p "fix all failing tests"

# Review staged diff before committing
git diff --staged | copilot -p "review for correctness and security issues"

# Generate PR description from diff
git diff main...HEAD | copilot -p "write a clear PR description"

# Update changelog
git log v1.0.0..HEAD --oneline | copilot -p "write a CHANGELOG entry"

# Pipe test failures to Copilot for fixes (language-agnostic)
npm test 2>&1 | copilot -p "fix all failing tests"
# or: pytest 2>&1 | copilot -p "fix all failing tests"
# or: go test ./... 2>&1 | copilot -p "fix all failing tests"

# Review staged diff before committing
git diff --staged | copilot -p "review for correctness and security issues"

# Generate PR description from diff
git diff main...HEAD | copilot -p "write a clear PR description"

# Update changelog
git log v1.0.0..HEAD --oneline | copilot -p "write a CHANGELOG entry"

# your-project - Copilot Instructions

## Stack
Language:   [Language + version]
Framework:  [Primary framework + version]
Database:   [DB + query layer]
Test runner:[Framework]
Build:      [Build tool]
Lint/format:[Tool + config location]

## Architecture - ALWAYS respect these boundaries
[2-3 sentences describing layers and their rules.
E.g.: "Three-layer: routes -> services -> repositories.
All business logic lives in services/. No DB queries outside repositories/."]

## Conventions - ALWAYS
- [Your pattern, e.g. "use async/await, never raw Promises"]
- [Naming rule, e.g. "camelCase for variables, PascalCase for classes"]
- [Error handling, e.g. "use Result types for expected errors, throw for unexpected"]

## Conventions - NEVER
- [Anti-pattern #1, e.g. "never use any in TypeScript"]
- [Anti-pattern #2, e.g. "never put business logic in route handlers"]
- [Anti-pattern #3, e.g. "never commit console.log statements"]

## Build and Run
- build:  [command]
- test:   [command]
- lint:   [command]
- format: [command]

## Security
[Key rules for your domain, e.g. "never log PII or payment card data"]

# your-project - Copilot Instructions

## Stack
Language:   [Language + version]
Framework:  [Primary framework + version]
Database:   [DB + query layer]
Test runner:[Framework]
Build:      [Build tool]
Lint/format:[Tool + config location]

## Architecture - ALWAYS respect these boundaries
[2-3 sentences describing layers and their rules.
E.g.: "Three-layer: routes -> services -> repositories.
All business logic lives in services/. No DB queries outside repositories/."]

## Conventions - ALWAYS
- [Your pattern, e.g. "use async/await, never raw Promises"]
- [Naming rule, e.g. "camelCase for variables, PascalCase for classes"]
- [Error handling, e.g. "use Result types for expected errors, throw for unexpected"]

## Conventions - NEVER
- [Anti-pattern #1, e.g. "never use any in TypeScript"]
- [Anti-pattern #2, e.g. "never put business logic in route handlers"]
- [Anti-pattern #3, e.g. "never commit console.log statements"]

## Build and Run
- build:  [command]
- test:   [command]
- lint:   [command]
- format: [command]

## Security
[Key rules for your domain, e.g. "never log PII or payment card data"]

---
applyTo: "**/*.ts"
---
# TypeScript Coding Standards

## Type system
- Prefer specific types over 'any'. Use 'unknown' when the type is genuinely unknown.
- Use strict null checks. Handle null and undefined explicitly.
- Use type aliases for complex types, interfaces for object shapes.

## Error handling
- Use Result<T, E> or a typed Either pattern for expected errors
- Never silently swallow errors with empty catch blocks
- Log the error before re-throwing or transforming it

## Testing
- Every exported function needs at least one happy-path and one error-path test
- Use factories for test data, not inline object literals
- Mock at the boundary: mock HTTP clients and DB adapters, not internal services

---
applyTo: "**/*.ts"
---
# TypeScript Coding Standards

## Type system
- Prefer specific types over 'any'. Use 'unknown' when the type is genuinely unknown.
- Use strict null checks. Handle null and undefined explicitly.
- Use type aliases for complex types, interfaces for object shapes.

## Error handling
- Use Result<T, E> or a typed Either pattern for expected errors
- Never silently swallow errors with empty catch blocks
- Log the error before re-throwing or transforming it

## Testing
- Every exported function needs at least one happy-path and one error-path test
- Use factories for test data, not inline object literals
- Mock at the boundary: mock HTTP clients and DB adapters, not internal services

---
applyTo: "tests/**"
excludeAgent: "code-review"
---
# Testing Standards
# (excluded from code-review agent which has its own checklist)

## Test structure
- Arrange-Act-Assert: keep sections clearly separated
- One assertion concept per test: do not assert five things in one it() block
- Test names describe behaviour, not implementation:
  "returns error when amount is negative" not "test_paymentValidator"

## Test data
- Use factory functions for shared test objects
- Do not share mutable state between tests
- Clean up side effects in afterEach/teardown

---
applyTo: "tests/**"
excludeAgent: "code-review"
---
# Testing Standards
# (excluded from code-review agent which has its own checklist)

## Test structure
- Arrange-Act-Assert: keep sections clearly separated
- One assertion concept per test: do not assert five things in one it() block
- Test names describe behaviour, not implementation:
  "returns error when amount is negative" not "test_paymentValidator"

## Test data
- Use factory functions for shared test objects
- Do not share mutable state between tests
- Clean up side effects in afterEach/teardown

# AGENTS.md

## Environment setup
The agent runs in a clean Ubuntu environment. Before any task:
1. Run: [your install command, e.g. npm install]
2. Run: [your build command] and verify zero errors

## Build and test commands
- build:  [command]
- test:   [command]
- lint:   [command]
- format: [command]

## Architecture constraints
See .github/copilot-instructions.md for full layer rules.
Critical: NEVER place business logic outside of [your services layer].

## Security constraints - unconditional
1. NEVER modify .github/workflows/ files
2. NEVER change authentication or session handling code
3. NEVER log raw user data, passwords, or payment information
4. NEVER add dependencies without noting them in the PR description
5. If a required secret is missing, STOP and explain in a PR comment

## Definition of done
A task is complete when:
1. All tests pass
2. Lint passes with zero warnings
3. A draft PR is open referencing the issue number

# AGENTS.md

## Environment setup
The agent runs in a clean Ubuntu environment. Before any task:
1. Run: [your install command, e.g. npm install]
2. Run: [your build command] and verify zero errors

## Build and test commands
- build:  [command]
- test:   [command]
- lint:   [command]
- format: [command]

## Architecture constraints
See .github/copilot-instructions.md for full layer rules.
Critical: NEVER place business logic outside of [your services layer].

## Security constraints - unconditional
1. NEVER modify .github/workflows/ files
2. NEVER change authentication or session handling code
3. NEVER log raw user data, passwords, or payment information
4. NEVER add dependencies without noting them in the PR description
5. If a required secret is missing, STOP and explain in a PR comment

## Definition of done
A task is complete when:
1. All tests pass
2. Lint passes with zero warnings
3. A draft PR is open referencing the issue number

# .github/prompts/review.prompt.md
---
mode: agent
description: Code review for the current file using team conventions
---

Review the current file against our conventions in .github/copilot-instructions.md.

## Check for

### Correctness
- Logic matches the stated intent
- Edge cases handled (null, empty, boundary values)
- No off-by-one errors or unsafe type assumptions

### Code quality
- Functions are focused and well-named
- Error handling is consistent with our patterns
- Test coverage exists for happy path and at least one error path

### Security
- No hardcoded credentials, API keys, or secrets
- All external input is validated before use
- No SQL queries built from string concatenation

## Output format
For each issue: file + line, severity (Critical / High / Medium / Low),
description, and a concrete fix with example code.
Conclude: APPROVE / REQUEST CHANGES.

# .github/prompts/review.prompt.md
---
mode: agent
description: Code review for the current file using team conventions
---

Review the current file against our conventions in .github/copilot-instructions.md.

## Check for

### Correctness
- Logic matches the stated intent
- Edge cases handled (null, empty, boundary values)
- No off-by-one errors or unsafe type assumptions

### Code quality
- Functions are focused and well-named
- Error handling is consistent with our patterns
- Test coverage exists for happy path and at least one error path

### Security
- No hardcoded credentials, API keys, or secrets
- All external input is validated before use
- No SQL queries built from string concatenation

## Output format
For each issue: file + line, severity (Critical / High / Medium / Low),
description, and a concrete fix with example code.
Conclude: APPROVE / REQUEST CHANGES.

# .github/agents/unit-test.agent.md
---
name: unit-test
description: |
  Generates unit tests for a source file.
  Usage: @unit-test <path/to/File.ts>
model: claude-opus-4-5
tools: [read_file, write_file, run_command]
---

You are a test specialist. When given a file path:

1. Read the file and identify all exported functions and classes
2. For each function generate:
   - At least one happy-path test
   - At least one error-path or edge-case test
   - One property-based test where the function is pure
3. Use the test framework defined in .github/copilot-instructions.md
4. Place the test file at the mirrored path in the tests/ directory
5. Run the test suite to verify all tests compile and pass
6. Report: functions covered, tests written, any failures

# .github/agents/unit-test.agent.md
---
name: unit-test
description: |
  Generates unit tests for a source file.
  Usage: @unit-test <path/to/File.ts>
model: claude-opus-4-5
tools: [read_file, write_file, run_command]
---

You are a test specialist. When given a file path:

1. Read the file and identify all exported functions and classes
2. For each function generate:
   - At least one happy-path test
   - At least one error-path or edge-case test
   - One property-based test where the function is pure
3. Use the test framework defined in .github/copilot-instructions.md
4. Place the test file at the mirrored path in the tests/ directory
5. Run the test suite to verify all tests compile and pass
6. Report: functions covered, tests written, any failures

# Project-level skills (committed, shared across team)
.github/skills/skill-name/SKILL.md

# Personal skills (available across all projects on your machine)
~/.config/copilot/skills/skill-name/SKILL.md

# Install from the Awesome Copilot marketplace
copilot plugin install <skill-name>@awesome-copilot

# Project-level skills (committed, shared across team)
.github/skills/skill-name/SKILL.md

# Personal skills (available across all projects on your machine)
~/.config/copilot/skills/skill-name/SKILL.md

# Install from the Awesome Copilot marketplace
copilot plugin install <skill-name>@awesome-copilot

# .github/skills/code-review/SKILL.md
---
name: code-review
description: |
  Performs a comprehensive code review. Auto-invoke when the user
  asks to review, check, or audit any code or file.
triggers:
  - "review"
  - "check"
  - "audit"
  - "code quality"
version: 1.0
---

## Code review checklist

### Correctness
- [ ] Logic matches the stated intent
- [ ] Edge cases are handled (null, undefined, empty collections)
- [ ] No off-by-one errors or boundary issues

### Security
- [ ] No hardcoded credentials, tokens, or secrets
- [ ] All external input is validated before use
- [ ] No injection risks (SQL, command, path traversal)

### Code quality
- [ ] Functions are focused on a single responsibility
- [ ] Names are clear and descriptive
- [ ] Error handling is consistent with the project conventions in copilot-instructions.md

## Output format
For each issue: file + line, severity, description, concrete fix with code example.
Summary: APPROVE or REQUEST CHANGES.

# .github/skills/code-review/SKILL.md
---
name: code-review
description: |
  Performs a comprehensive code review. Auto-invoke when the user
  asks to review, check, or audit any code or file.
triggers:
  - "review"
  - "check"
  - "audit"
  - "code quality"
version: 1.0
---

## Code review checklist

### Correctness
- [ ] Logic matches the stated intent
- [ ] Edge cases are handled (null, undefined, empty collections)
- [ ] No off-by-one errors or boundary issues

### Security
- [ ] No hardcoded credentials, tokens, or secrets
- [ ] All external input is validated before use
- [ ] No injection risks (SQL, command, path traversal)

### Code quality
- [ ] Functions are focused on a single responsibility
- [ ] Names are clear and descriptive
- [ ] Error handling is consistent with the project conventions in copilot-instructions.md

## Output format
For each issue: file + line, severity, description, concrete fix with code example.
Summary: APPROVE or REQUEST CHANGES.

# .github/skills/commit-message/SKILL.md
---
name: commit-message
description: |
  Generates a conventional commit message from staged changes.
  Auto-invoke when the user asks for a commit message or wants to commit.
triggers:
  - "commit message"
  - "git commit"
  - "conventional commit"
---

Generate a conventional commit message for the staged changes.

Format: type(scope): short description

Types: feat, fix, docs, style, refactor, test, chore
Scope: the component affected (service, db, api, config)

Rules:
- Subject line max 72 characters
- Use imperative mood ("add" not "added")
- Reference issue number if mentioned in the prompt
- If breaking change, add BREAKING CHANGE: in the footer

# .github/skills/commit-message/SKILL.md
---
name: commit-message
description: |
  Generates a conventional commit message from staged changes.
  Auto-invoke when the user asks for a commit message or wants to commit.
triggers:
  - "commit message"
  - "git commit"
  - "conventional commit"
---

Generate a conventional commit message for the staged changes.

Format: type(scope): short description

Types: feat, fix, docs, style, refactor, test, chore
Scope: the component affected (service, db, api, config)

Rules:
- Subject line max 72 characters
- Use imperative mood ("add" not "added")
- Reference issue number if mentioned in the prompt
- If breaking change, add BREAKING CHANGE: in the footer

# ~/.copilot/config.json - permanently trusted directories
{
  "trusted_folders": [
    "/home/you/projects/your-project",
    "/home/you/projects/internal-tools"
  ]
}

# Config location:
# macOS/Linux: ~/.copilot/config.json
# Windows:     $HOME\.copilot\config.json
# Override:    set XDG_CONFIG_HOME environment variable

# ~/.copilot/config.json - permanently trusted directories
{
  "trusted_folders": [
    "/home/you/projects/your-project",
    "/home/you/projects/internal-tools"
  ]
}

# Config location:
# macOS/Linux: ~/.copilot/config.json
# Windows:     $HOME\.copilot\config.json
# Override:    set XDG_CONFIG_HOME environment variable

# Allow all tools without individual prompts
copilot -p "run tests and fix failures" --allow-all-tools

# Allow specific tools
copilot --allow-tool 'shell'            # any shell command
copilot --allow-tool 'write'            # file writes without approval
copilot --allow-tool 'github-mcp'       # all tools from GitHub MCP server

# Deny specific tools (takes precedence over allow)
copilot --deny-tool 'shell(rm)'         # block all rm commands
copilot --deny-tool 'shell(git push)'   # block git push
copilot --deny-tool 'My-Server(tool)'   # block a specific MCP tool

# Allow everything except dangerous shell ops (safe CI pattern)
copilot --allow-all-tools \
        --deny-tool 'shell(rm)' \
        --deny-tool 'shell(git push)'

# Restrict to an exact set of tools (all others blocked)
copilot --available-tools 'shell(npm),shell(git),write'

# Allow all tools, paths, and URLs (sandboxed environments only)
copilot --allow-all
# alias:
copilot --yolo

# Allow all tools without individual prompts
copilot -p "run tests and fix failures" --allow-all-tools

# Allow specific tools
copilot --allow-tool 'shell'            # any shell command
copilot --allow-tool 'write'            # file writes without approval
copilot --allow-tool 'github-mcp'       # all tools from GitHub MCP server

# Deny specific tools (takes precedence over allow)
copilot --deny-tool 'shell(rm)'         # block all rm commands
copilot --deny-tool 'shell(git push)'   # block git push
copilot --deny-tool 'My-Server(tool)'   # block a specific MCP tool

# Allow everything except dangerous shell ops (safe CI pattern)
copilot --allow-all-tools \
        --deny-tool 'shell(rm)' \
        --deny-tool 'shell(git push)'

# Restrict to an exact set of tools (all others blocked)
copilot --available-tools 'shell(npm),shell(git),write'

# Allow all tools, paths, and URLs (sandboxed environments only)
copilot --allow-all
# alias:
copilot --yolo

# Pre-approve specific domains
copilot --allow-url github.com
copilot --allow-url docs.yourtech.io

# Deny specific domains
copilot --deny-url pastebin.com

# Persistent URL config in ~/.copilot/config.json
{
  "allowed_urls": ["github.com", "docs.yourtech.io"],
  "denied_urls":  ["pastebin.com", "transfer.sh"]
}

# Interactive session commands
/allow-all    # Enable all tools, paths, and URLs
/yolo         # Alias for /allow-all

# Pre-approve specific domains
copilot --allow-url github.com
copilot --allow-url docs.yourtech.io

# Deny specific domains
copilot --deny-url pastebin.com

# Persistent URL config in ~/.copilot/config.json
{
  "allowed_urls": ["github.com", "docs.yourtech.io"],
  "denied_urls":  ["pastebin.com", "transfer.sh"]
}

# Interactive session commands
/allow-all    # Enable all tools, paths, and URLs
/yolo         # Alias for /allow-all

# Method 1: Assign Copilot to a GitHub Issue
# Open the issue > Assignees > select "Copilot"

# Method 2: Copilot Chat on GitHub.com
# "@github create a PR for issue #47"

# Method 3: Copilot CLI
gh copilot agent run --issue 47

# Method 4: GitHub Actions workflow trigger
gh workflow run copilot-fix.yml -f issue_number=47

# Method 1: Assign Copilot to a GitHub Issue
# Open the issue > Assignees > select "Copilot"

# Method 2: Copilot Chat on GitHub.com
# "@github create a PR for issue #47"

# Method 3: Copilot CLI
gh copilot agent run --issue 47

# Method 4: GitHub Actions workflow trigger
gh workflow run copilot-fix.yml -f issue_number=47

# Weak issue - agent will guess and likely be wrong
Title: Add caching

# Strong issue - agent has everything it needs
Title: Add response caching to GET /api/products endpoint

## Context
GET /api/products is called ~10k times/minute. The underlying DB query
takes 200ms and results change at most once per hour.

## Implementation
- Use the existing cache client at src/cache/RedisClient.ts
- Cache key: products:all
- TTL: 3600 seconds (1 hour)
- Invalidate on any write to the products table
- Layer: db/ for cache access, service/ for invalidation

## Files to touch
- src/db/ProductRepository.ts  (add cache read/write)
- src/service/ProductService.ts (add cache invalidation on write)

## Done when
- All tests pass
- Cache hit returns in under 5ms (verify in integration test)
- Draft PR open referencing this issue number

# Weak issue - agent will guess and likely be wrong
Title: Add caching

# Strong issue - agent has everything it needs
Title: Add response caching to GET /api/products endpoint

## Context
GET /api/products is called ~10k times/minute. The underlying DB query
takes 200ms and results change at most once per hour.

## Implementation
- Use the existing cache client at src/cache/RedisClient.ts
- Cache key: products:all
- TTL: 3600 seconds (1 hour)
- Invalidate on any write to the products table
- Layer: db/ for cache access, service/ for invalidation

## Files to touch
- src/db/ProductRepository.ts  (add cache read/write)
- src/service/ProductService.ts (add cache invalidation on write)

## Done when
- All tests pass
- Cache hit returns in under 5ms (verify in integration test)
- Draft PR open referencing this issue number

name: Copilot PR Review
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  copilot-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Review with Copilot
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git diff origin/${{ github.base_ref }}...HEAD | \
          copilot -p \
            "Review this diff. Flag bugs, security issues, and violations
             of our conventions from .github/copilot-instructions.md.
             Be specific: file + line + fix for each issue." \
            --allow-tool 'shell' > review.txt
      - name: Post review
        uses: actions/github-script@v7
        with:
          script: |
            const r = require('fs').readFileSync('review.txt', 'utf8');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## Copilot Code Review\n\n${r}`
            });

name: Copilot PR Review
on:
  pull_request:
    types: [opened, synchronize]

jobs:
  copilot-review:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Review with Copilot
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git diff origin/${{ github.base_ref }}...HEAD | \
          copilot -p \
            "Review this diff. Flag bugs, security issues, and violations
             of our conventions from .github/copilot-instructions.md.
             Be specific: file + line + fix for each issue." \
            --allow-tool 'shell' > review.txt
      - name: Post review
        uses: actions/github-script@v7
        with:
          script: |
            const r = require('fs').readFileSync('review.txt', 'utf8');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `## Copilot Code Review\n\n${r}`
            });

name: Nightly Security Audit
on:
  schedule:
    - cron: '0 2 * * *'

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v4
      - name: Run dependency audit
        run: npm audit --json > audit.json || true
      - name: Analyse with Copilot
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cat audit.json | \
          copilot -p \
            "Analyse these dependency vulnerabilities. For each Critical/High:
             package, severity, CVE, and recommended fix action." \
            --allow-tool 'shell' > analysis.txt
      - name: Open issue if vulnerabilities found
        uses: actions/github-script@v7
        with:
          script: |
            const a = require('fs').readFileSync('analysis.txt', 'utf8');
            if (a.includes('Critical') || a.includes('High')) {
              github.rest.issues.create({
                owner: context.repo.owner, repo: context.repo.repo,
                title: `Security audit ${new Date().toISOString().split('T')[0]}`,
                body: a, labels: ['security', 'automated']
              });
            }

name: Nightly Security Audit
on:
  schedule:
    - cron: '0 2 * * *'

jobs:
  audit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v4
      - name: Run dependency audit
        run: npm audit --json > audit.json || true
      - name: Analyse with Copilot
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cat audit.json | \
          copilot -p \
            "Analyse these dependency vulnerabilities. For each Critical/High:
             package, severity, CVE, and recommended fix action." \
            --allow-tool 'shell' > analysis.txt
      - name: Open issue if vulnerabilities found
        uses: actions/github-script@v7
        with:
          script: |
            const a = require('fs').readFileSync('analysis.txt', 'utf8');
            if (a.includes('Critical') || a.includes('High')) {
              github.rest.issues.create({
                owner: context.repo.owner, repo: context.repo.repo,
                title: `Security audit ${new Date().toISOString().split('T')[0]}`,
                body: a, labels: ['security', 'automated']
              });
            }

// .vscode/mcp.json - MCP servers for VS Code agent mode
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_TOKEN": "${env:GITHUB_TOKEN}" }
    },
    "postgres": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-postgres",
               "postgresql://localhost:5432/${env:DB_NAME}"]
    },
    "playwright": {
      "command": "npx",
      "args": ["-y", "@playwright/mcp"]
    }
  }
}

// .vscode/mcp.json - MCP servers for VS Code agent mode
{
  "mcpServers": {
    "github": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-github"],
      "env": { "GITHUB_TOKEN": "${env:GITHUB_TOKEN}" }
    },
    "postgres": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-postgres",
               "postgresql://localhost:5432/${env:DB_NAME}"]
    },
    "playwright": {
      "command": "npx",
      "args": ["-y", "@playwright/mcp"]
    }
  }
}

# Switch models in Copilot CLI
/model                       # Open model picker
/model gpt-4.1               # Fast implementation tasks
/model claude-opus-4-5       # Complex refactors, architecture decisions
/model o3                    # Deep debugging, concurrency issues

# Plan mode: review intent before execution
Shift+Tab    # Enter plan mode
Shift+Tab    # Again to switch to autopilot mode

# Switch models in Copilot CLI
/model                       # Open model picker
/model gpt-4.1               # Fast implementation tasks
/model claude-opus-4-5       # Complex refactors, architecture decisions
/model o3                    # Deep debugging, concurrency issues

# Plan mode: review intent before execution
Shift+Tab    # Enter plan mode
Shift+Tab    # Again to switch to autopilot mode

# /fleet: parallel subagents on the same task
/fleet "review this module for correctness, performance, and security"
# Spawns 3 agents simultaneously:
#   Agent 1: correctness review
#   Agent 2: performance analysis
#   Agent 3: security audit
# Results synthesised into one consolidated report

# Fleet with different models for multiple perspectives
/fleet --models gpt-4.1,claude-opus-4-5 \
  "design the caching layer for this feature - I want two perspectives"

# /fleet: parallel subagents on the same task
/fleet "review this module for correctness, performance, and security"
# Spawns 3 agents simultaneously:
#   Agent 1: correctness review
#   Agent 2: performance analysis
#   Agent 3: security audit
# Results synthesised into one consolidated report

# Fleet with different models for multiple perspectives
/fleet --models gpt-4.1,claude-opus-4-5 \
  "design the caching layer for this feature - I want two perspectives"