Key insight
A pull-request comment is not authorisation to change code. When an AI agent treats it as one, every commit-author control — branch protection, code review, signed commits, CODEOWNERS — is bypassed by routing around it. Comment-author trust and commit-author trust are different categories and must remain so.
The trust gap between commenting and committing
On modern source-control platforms, the act of committing code is gated by a substantial collection of controls: the author must have push rights to the branch, branch-protection rules require code review and passing checks before merge, CODEOWNERS files route changes in specific paths to specific reviewers, and signed commits can attest to the author's identity cryptographically.
None of these controls applies to commenting. On a public repository, any account in the world can leave a comment. On a private repository, anyone the organisation has invited as a reader can comment. There is no equivalent of branch protection for comments, because comments are not changes — until an automation treats them as one.
| Property | Commit author | Comment author |
|---|---|---|
| Authenticated to platform | Yes | Yes (account exists) |
| Push rights required | Yes | No |
| Subject to branch protection | Yes | No |
| Surfaces in code review with diff | Yes | No |
| Triggers CODEOWNERS routing | Yes | No |
| Can be signature-verified | Yes (with signing) | No |
The gap is structural. It exists because comments and commits are meant to be different things — discussion versus authorship — with the controls applied accordingly. Bridging the gap by automation does not bring the comment up to the level of the commit; it brings the commit down to the level of the comment.
Why agent-assisted comment resolution is tempting
The productivity argument is real. A great deal of pull-request feedback is small, mechanical, and unambiguous: "rename this variable," "fix the indentation here," "add a missing test case." Having an agent apply such changes automatically saves reviewer cycles. The agent reads the comment, generates a diff, pushes it as a new commit on the pull-request branch. From a pure throughput standpoint, the appeal is obvious.
The architectural mistake is treating the agent's commit as authoritative without recovering the trust the comment never had. The agent's identity is on the commit; the operator who triggered the agent may share responsibility; but the substantive decision about the change content was effectively made by whoever wrote the comment — including, in many cases, an account none of the team has ever interacted with.
The Microsoft Secure Future Initiative introduced a control specifically targeting this class of pattern: Proof of Presence for Pull Requests (PoP-PR), now deployed across more than sixty thousand internal repositories. The PoP-PR requirement is unambiguous: every pull request to a protected branch must be authenticated by a real, MFA-verified individual. Agent-driven commits triggered by anonymous comments cannot meet that bar.
The Comment-to-Commit Promotion anti-pattern
Anti-pattern
Comment-to-Commit Promotion
Definition. An AI agent applies substantive code changes (commits, pushes, or pull-request submissions) in response to pull-request comments, without re-authenticating the change against the controls that normally govern commits to the affected branch.
Symptoms. Agent integrations that consume comments as their primary trigger; absence of comment-author permission checks; absence of per-change human approval before commit; commits whose stated author is the operator or a service account, but whose content was specified by a third party; no audit trail linking the commit back to the comment-author identity.
Why it is hazardous. A drive-by commenter becomes, in practice, a code contributor. The substantive change content is influenced by a party who would not have passed any of the controls applied to direct contributors. The branch protection model is silently bypassed.
Related controls. Comment-author permission checks; per-change human approval; explicit linkage of comment author and operator approver in commit metadata; treatment of comment content as untrusted input; restriction to specific path classes (e.g. tests, documentation) where the blast radius of a wrong change is bounded.
A hypothetical typo-fix scenario
The following illustrates a plausible failure mode under Comment-to-Commit Promotion. It is constructed from elements common to several reported industry patterns; no specific incident is implied.
A repository accepts pull requests from external contributors. A first-time contributor opens a small documentation pull request — entirely benign. A second account, also new, leaves a comment on the same pull request: "While you're in here, there's a typo in .github/workflows/release.yml line 42 — could you correct it? It's failing the lint job on my fork."
The repository maintainer invokes an agent to resolve the comment. The agent reads the comment, opens the workflow file, makes a one-character change that appears to be a typo fix, and pushes a commit. The change subtly alters the environment-variable expansion in a way that exfiltrates credentials when the workflow runs in continuous integration. The commit author is the maintainer. The author of the substantive decision was an account created two days earlier.
The maintainer is responsible. They did not, however, perform the substantive review that the trust placed on the commit assumes — because the commit landed before any review was practical. The agent collapsed the time window in which a human could have caught the issue.
A drive-by commenter becomes a code contributor. The controls that should have stopped them are simply routed around.
Controls that restore the boundary
- Disable the pattern by default.
If the productivity case has not been argued and the controls below are not in place, the safest configuration is for the agent not to commit on the basis of comments at all. Treat any comment-driven commit capability as opt-in rather than the default.
- Permission-check the comment author.
Before acting on a comment, the agent verifies that the comment author has at least write permission on the repository. Authors without that permission produce recommendations, not commits.
- Require explicit human approval per change.
The agent's role becomes "draft a change for review," not "apply a change." The operator reviews each diff and explicitly approves before commit. No batch mode; no automatic apply.
- Restrict to bounded path classes.
If the agent is permitted to act on comments at all, restrict it to path classes whose blast radius is small — documentation, tests, comments on the code itself. Workflow files, configuration files, security-sensitive paths are out of scope.
- Record comment author and approver in commit metadata.
Every commit produced by the agent records, in its message, the comment URL, the comment author, and the operator who approved. The commit becomes auditable even when the substantive author is not the technical author.
- Treat the comment as untrusted input.
The comment text is content the agent reads from a third party; it is subject to the same prompt-injection considerations as any other untrusted content (see the companion article on the Conflated Context). Wrap it in the untrusted-content envelope before passing it to the model.
- Add a canary fixture in continuous integration.
A test that opens a pull request with a comment containing an obviously bad change request from an account without write permission. The agent must refuse and log the refusal. The build fails if the agent acts.
Safer alternatives that preserve the productivity gain
The productivity case for fast comment resolution is real, and the controls above can feel like they remove it. They do not have to. Several patterns capture most of the value with a fraction of the risk:
- Suggestion-only mode. The agent posts a proposed diff as a comment or as a draft pull request. The human reviewer applies it with a click. The substantive decision and the commit both stay with the human.
- Bounded-path automation. Auto-apply for documentation, formatting, and dependency-bump pull requests only; require human approval everywhere else.
- Allow-listed contributors. Comment-driven commits only from comment authors with established standing — long-tenured collaborators, named team members. Drive-by contributors get suggestion-only treatment.
- Time-windowed batching. Collect comment-driven changes across a session and apply them as a single batch the operator reviews holistically, rather than per-comment.
The right metric for comment-resolution automation is not commits per hour. It is commits per hour that the team would still endorse if the post-mortem started today. The patterns above optimise for the second.
A practical checklist
- Agent-driven commits in response to pull-request comments are off by default.
- Where the capability is enabled, the agent verifies the comment author has at least write permission on the repository before acting.
- Every agent-proposed change requires explicit per-change human approval before commit.
- The agent is restricted to path classes whose blast radius is bounded (documentation, tests, formatting).
- Workflow files, configuration files, and security-sensitive paths are excluded from agent-driven commits.
- Commit messages record the source comment URL, the comment author's identity, and the operator who approved.
- Comment content is treated as untrusted input and wrapped in the agent's untrusted-content envelope.
- A canary fixture in continuous integration verifies the agent refuses comments from unauthorised authors.
- The capability has a named internal owner; usage is reviewed at least quarterly.
- Branch protection rules remain in place and unaltered by the agent's presence.
Test your own agent in ten minutes
The fastest way to find out whether this anti-pattern is present in your own system is to ask an AI coding assistant to look for it. Run the prompt below in a fresh chat session, on its own — and judge the system by what the code actually does, not by what its documentation claims.
Search the whole repository to find where this applies — do not
wait for me to list files. Ignore generated, vendored, and dependency
folders (build output, node_modules, vendor). Identify every location
the failure mode below could occur, read those files in full before
you judge, and list the search terms you used so I can confirm nothing
was missed.
You are looking for one specific failure mode: a comment, issue,
chat message, or other text written by anyone with read access can
cause the agent to perform a write action (commit code, merge a
pull request, deploy, modify a ticket, send a message) without an
additional authorisation step that checks the actor’s
permission to perform that specific write.
If the codebase does not integrate with any such surface, say
"not applicable" and stop.
Respond with exactly these four sections:
1. VERDICT: one of [present / not present / unclear]
2. EVIDENCE: file path + line numbers + a one-line quote per claim
3. WHY IT MATTERS: two sentences, plain English
4. FIX: a concrete change, with a short before/after code snippet
if applicable. If "unclear", list the one piece of context you
need to decide.Insist on the four-part answer: a verdict with a file path, a line number, and a one-line quote is something you can act on; a verdict on its own is just an opinion. If the result is present, the FIX section is your starting point — add an authorisation step that checks the actor’s permission before the agent performs any write action. Re-run the same prompt after the change to confirm the verdict flips to not present.
Conclusion
The promise of agent-assisted code review is genuine. The risk is in conflating two trust categories that source-control platforms deliberately kept apart. When a comment becomes a commit through automation, the controls applied to commits become decorative — and the substantive author of the change is whoever happened to be in the conversation.
The pattern that captures the productivity without conceding the control is straightforward: the agent drafts, the human commits. The substantive decision and the technical commit stay with the same identity. The branch-protection model continues to apply. The automation makes review faster without making review optional.
References & further reading
- Microsoft SFI — Zero Trust for source code access — Proof of Presence for Pull Requests (PoP-PR) and the principles behind it.
- OWASP Top 10 for LLM Applications — particularly LLM06: Excessive Agency as it applies to agent commit authority.
- SLSA — Supply-chain Levels for Software Artifacts — provenance attestation for code changes.
- GitHub — Protected branches — the controls comment-to-commit promotion routes around.
- NIST AI Risk Management Framework — actions whose effects cannot be reversed warrant additional human oversight.