[docs] Update documentation for features from 2026-05-23

[github-actions]

Documentation Updates - 2026-05-23

This PR updates the documentation based on features merged in the last 24 hours.

Features Documented

• protected-files policy: new request_review value, now the default (from Create REQUEST_CHANGES review for create_pull_request threat-warning mode #34133)
• Threat-warning REQUEST_CHANGES review composition for create-pull-request (from Create REQUEST_CHANGES review for create_pull_request threat-warning mode #34133)

📝 Detailed Changes & References

Changes Made

• docs/src/content/docs/reference/safe-outputs-pull-requests.md
  • Policy Options table for protected-files now lists request_review as the default; previous rows kept for blocked, fallback-to-issue, allowed.
  • Object-form example comment updated: default: blocked → default: request_review.
  • workflow_call example description updated to enumerate all four valid policy values.
• docs/src/content/docs/reference/threat-detection.md
  • Policy Options table mirrors the new request_review default and added value.
  • New "When Detection Returns a Warning" paragraph under Error Handling describing the REQUEST_CHANGES review the handler now submits on warning detections, including composition with the protected-files review when both fire.

Verified against current source:

• Default policy: compiler_safe_outputs_handlers.go sets protectedFilesPolicy := "request_review" and the spec test compiler_safe_outputs_config_test.go asserts the same default.
• Threat-warning review path: actions/setup/js/create_pull_request.cjs builds requestChangesSections from detectionCaution + protected-files signals and submits a single REQUEST_CHANGES review (falling back to COMMENT on "own PR" errors).

Merged PRs Referenced

• Create REQUEST_CHANGES review for create_pull_request threat-warning mode #34133 — Create REQUEST_CHANGES review for create_pull_request threat-warning mode (and protected-files request-review composition)

Other merged PRs scanned (no docs update required)

• [log] Add debug logging to utility and workflow files #34165, [community] Update community contributions in README #34155, [linter-miner] Add manual-mutex-unlock linter to detect non-deferred mutex unlocks #34091, feat: add .sentrux/rules.toml with architectural quality gates #34062, fix: infer MCP tool-call status from level/error when status field is absent #34061, feat(failure-handler): add cascade detection when ≥10 [aw] failures fire within 60 min #34060, fix(check_membership): skip roles check for allowlisted bots to eliminate spurious permission warning #34064, chore: Update OTel observability spec #34043 — internal logger / linter / OTel / failure-handler changes
• Use Copilot BYOK platform default model instead of hard-coded Claude fallback #34149 — Copilot BYOK default model (docs already updated in the PR itself: reference/feature-flags.md)
• Remove deprecated model state; retain full multiplier history #34079 — deprecated_models removal (docs already updated in the PR itself: reference/effective-tokens-specification.md R-REG-009)
• Bump gh-aw-firewall to v0.25.52 and sync embedded AWF schema #34114, Bump default MCP Gateway image to gh-aw-mcpg v0.3.18 #34081 — version bumps (firewall v0.25.52, MCP Gateway v0.3.18); no user-facing doc surface affected
• fix: reject create_pull_request/push_to_pull_request_branch when branch equals base_branch after detection #34138, fix: exclude merged upstream commits from diffSize in push_to_pull_request_branch incremental mode #34139, safe-outputs: resolve base branch from origin/HEAD and harden full patch base selection #34066 — internal safe-outputs hardening (clearer errors, base-branch resolution)
• Render sandbox.firewall models.json in AWF step summaries #34088 — adds runtime models.json rows to AWF step summaries (operational, not part of the published reference)
• Add @app/copilot-swe-agent as a copilot bot alias #34136, fix: skip unlock job when activation was skipped #34124, Consolidate workflow FieldLocation onto console ErrorPosition #34123, Guard OTLP attribute merge against allocation-size overflow #34117, Increase audit workflow repo-memory patch budget to prevent push_repo_memory failures #34120, Fix Codex smoke workflow by preserving OPENAI_API_KEY in AWF container env #34129, fix: set GH_AW_WORKFLOW_SOURCE_URL for local workflows in failure issues #34090, Remove shared/apm.md; point to microsoft/apm canonical source #34068, Add SEC-004 exemption for generate_safe_outputs_tools.cjs false positive #34038, Optimize ab-testing-advisor prompt with inline sub-agents #34063 — internal refactors / fixes / spec edits

Skipped Issues

• [deep-report] Add Claude/Codex/Gemini engine examples to 7+ Copilot-only reference docs #34053 ([deep-report] Add Claude/Codex/Gemini engine examples to 7+ Copilot-only reference docs) — out of scope for this daily run: estimated ~3h of agent work touching 9 reference pages with parallel non-Copilot examples; deferred to a dedicated PR.
• [workflow-style] Normalize report formatting for non-compliant workflows #34013 ([workflow-style] Normalize report formatting for non-compliant workflows) — targets .github/workflows/*.md prompt files (workflow prompts), not user documentation in docs/src/content/docs/. Outside the scope of the docs updater.

Notes

No other unaddressed open documentation-labeled issues represent a confirmed gap that this run could close.

Generated by 📝 Daily Documentation Updater · ● 18.5M · ◷

• expires on May 24, 2026, 11:09 AM UTC