diff --git a/.github/aw/agentic-chat.md b/.github/aw/agentic-chat.md
index a336ea9aa9..79b1f92fc9 100644
--- a/.github/aw/agentic-chat.md
+++ b/.github/aw/agentic-chat.md
@@ -1,11 +1,11 @@
 ---
 name: agentic-chat
-description: AI assistant for creating clear, actionable task descriptions for GitHub Copilot agents
+description: AI assistant for creating clear, actionable task descriptions for GitHub Copilot coding agent
 ---
 
 # Agentic Task Description Assistant
 
-You are an AI assistant specialized in helping users create clear, actionable task descriptions for GitHub Copilot agents that work with GitHub Agentic Workflows (gh-aw).
+You are an AI assistant specialized in helping users create clear, actionable task descriptions for GitHub Copilot coding agent that work with GitHub Agentic Workflows (gh-aw).
 
 ## Required Knowledge
 
diff --git a/.github/aw/debug-agentic-workflow.md b/.github/aw/debug-agentic-workflow.md
index 8dbe27ca05..d268b06517 100644
--- a/.github/aw/debug-agentic-workflow.md
+++ b/.github/aw/debug-agentic-workflow.md
@@ -66,7 +66,7 @@ Report back with specific findings and actionable fixes.
 > [!NOTE]
 > **Alternative: agentic-workflows Tool**
 >
-> If `gh aw` is not authenticated (e.g., running in a Copilot agent environment without GitHub CLI auth), use the corresponding tools from the **agentic-workflows** tool instead:
+> If `gh aw` is not authenticated (e.g., running in a Copilot coding agent environment without GitHub CLI auth), use the corresponding tools from the **agentic-workflows** tool instead:
 > - `status` tool → equivalent to `gh aw status`
 > - `compile` tool → equivalent to `gh aw compile`
 > - `logs` tool → equivalent to `gh aw logs`
diff --git a/.github/aw/github-agentic-workflows.md b/.github/aw/github-agentic-workflows.md
index 6c1d5b3537..796bc3b9dd 100644
--- a/.github/aw/github-agentic-workflows.md
+++ b/.github/aw/github-agentic-workflows.md
@@ -736,7 +736,7 @@ The YAML frontmatter supports these fields:
         max: 10                         # Optional: max autofixes (default: 10)
     ```
     Provides automated fixes for code scanning alerts.
-  - `create-agent-session:` - Create GitHub Copilot agent sessions
+  - `create-agent-session:` - Create GitHub Copilot coding agent sessions
     ```yaml
     safe-outputs:
       create-agent-session:
@@ -744,7 +744,7 @@ The YAML frontmatter supports these fields:
         target-repo: "owner/repo"       # Optional: cross-repository
     ```
     Requires PAT as `COPILOT_GITHUB_TOKEN`. Note: `create-agent-task` is deprecated (use `create-agent-session`).
-  - `assign-to-agent:` - Assign Copilot agents to issues
+  - `assign-to-agent:` - Assign Copilot coding agent to issues
     ```yaml
     safe-outputs:
       assign-to-agent:
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index 6c9a4979b9..69c4730313 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -21,7 +21,7 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Analyzes GitHub Copilot agent usage patterns in pull requests to provide insights on agent effectiveness and behavior
+# Analyzes GitHub Copilot coding agent usage patterns in pull requests to provide insights on agent effectiveness and behavior
 #
 # Resolved workflow manifest:
 #   Imports:
@@ -30,7 +30,7 @@
 #     - shared/mood.md
 #     - shared/reporting.md
 #
-# frontmatter-hash: 7ab09aa2c72d1dc010110d7ac8ad24c689601553f85c0c0554d6b7b897e9a090
+# frontmatter-hash: 49e233a6fddc68b01bfb552844d10705384860956cebc90df11ae53e16d11dc9
 
 name: "Copilot Agent PR Analysis"
 "on":
@@ -1119,7 +1119,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           WORKFLOW_NAME: "Copilot Agent PR Analysis"
-          WORKFLOW_DESCRIPTION: "Analyzes GitHub Copilot agent usage patterns in pull requests to provide insights on agent effectiveness and behavior"
+          WORKFLOW_DESCRIPTION: "Analyzes GitHub Copilot coding agent usage patterns in pull requests to provide insights on agent effectiveness and behavior"
           HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
         with:
           script: |
diff --git a/.github/workflows/copilot-agent-analysis.md b/.github/workflows/copilot-agent-analysis.md
index 83e5b938a7..6eaa3e4320 100644
--- a/.github/workflows/copilot-agent-analysis.md
+++ b/.github/workflows/copilot-agent-analysis.md
@@ -1,6 +1,6 @@
 ---
 name: Copilot Agent PR Analysis
-description: Analyzes GitHub Copilot agent usage patterns in pull requests to provide insights on agent effectiveness and behavior
+description: Analyzes GitHub Copilot coding agent usage patterns in pull requests to provide insights on agent effectiveness and behavior
 on:
   schedule:
     # Every day at 6pm UTC
@@ -466,7 +466,7 @@ The "Agent Task Texts" section should include a table showing all PRs created in
 
 ### No PRs in Last 24 Hours
 If no PRs were created by Copilot in the last 24 hours:
-- Create a minimal discussion: "No Copilot agent activity in the last 24 hours."
+- Create a minimal discussion: "No Copilot coding agent activity in the last 24 hours."
 - Update repo memory with zero counts
 - Keep it to 2-3 sentences max
 
diff --git a/.github/workflows/copilot-pr-merged-report.md b/.github/workflows/copilot-pr-merged-report.md
index b9742d0d31..e769373506 100644
--- a/.github/workflows/copilot-pr-merged-report.md
+++ b/.github/workflows/copilot-pr-merged-report.md
@@ -45,7 +45,7 @@ timeout-minutes: 10
 
 # Daily Copilot PR Merged Report
 
-You are an AI analytics agent that generates daily reports on GitHub Copilot agent pull requests that were **merged** in the last 24 hours.
+You are an AI analytics agent that generates daily reports on GitHub Copilot coding agent pull requests that were **merged** in the last 24 hours.
 
 ## Mission
 
@@ -82,7 +82,7 @@ safeinputs-gh with args: "pr list --repo ${{ github.repository }} --search \"hea
 ```
 
 This searches for:
-- PRs from branches starting with `copilot/` (Copilot agent PRs)
+- PRs from branches starting with `copilot/` (Copilot coding agent PRs)
 - PRs that are merged
 - PRs merged in the last 24 hours
 - Returns: PR number, title, merge timestamp, additions, deletions, files changed, URL
@@ -283,7 +283,7 @@ If no Copilot PRs were merged in the last 24 hours:
 ```markdown
 # 🤖 Daily Copilot PR Merged Report - [DATE]
 
-No Copilot agent pull requests were merged in the last 24 hours.
+No Copilot coding agent pull requests were merged in the last 24 hours.
 
 ---
 _Generated by Copilot PR Merged Report (Run: [${{ github.run_id }}](...))_
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index d6497e846c..a1e75d7d4c 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -21,7 +21,7 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Analyzes GitHub Copilot agent sessions to provide detailed insights on usage patterns, success rates, and performance metrics
+# Analyzes GitHub Copilot coding agent sessions to provide detailed insights on usage patterns, success rates, and performance metrics
 #
 # Resolved workflow manifest:
 #   Imports:
@@ -33,7 +33,7 @@
 #     - shared/session-analysis-charts.md
 #     - shared/session-analysis-strategies.md
 #
-# frontmatter-hash: 1b2864370d65c60ed768cb2e794d2b20256ec84f3ce347aca33dbbd2e8032bdd
+# frontmatter-hash: 750804c6a2a89dc635b4c6e1216950672e3620fb95c1202f3aa34b1d798cfcca
 
 name: "Copilot Session Insights"
 "on":
@@ -346,7 +346,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         name: Fetch Copilot session data
-        run: "# Create output directories\nmkdir -p /tmp/gh-aw/session-data\nmkdir -p /tmp/gh-aw/session-data/logs\nmkdir -p /tmp/gh-aw/cache-memory\n\n# Get today's date for cache identification\nTODAY=$(date '+%Y-%m-%d')\nCACHE_DIR=\"/tmp/gh-aw/cache-memory\"\n\n# Check if cached data exists from today\nif [ -f \"$CACHE_DIR/copilot-sessions-${TODAY}.json\" ] && [ -s \"$CACHE_DIR/copilot-sessions-${TODAY}.json\" ]; then\n  echo \"✓ Found cached session data from ${TODAY}\"\n  cp \"$CACHE_DIR/copilot-sessions-${TODAY}.json\" /tmp/gh-aw/session-data/sessions-list.json\n  \n  # Regenerate schema if missing\n  if [ ! -f \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\" ]; then\n    /tmp/gh-aw/jqschema.sh < /tmp/gh-aw/session-data/sessions-list.json > \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\"\n  fi\n  cp \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\" /tmp/gh-aw/session-data/sessions-schema.json\n  \n  # Restore cached log files if they exist\n  if [ -d \"$CACHE_DIR/session-logs-${TODAY}\" ]; then\n    echo \"✓ Found cached session logs from ${TODAY}\"\n    cp -r \"$CACHE_DIR/session-logs-${TODAY}\"/* /tmp/gh-aw/session-data/logs/ 2>/dev/null || true\n    echo \"Restored $(find /tmp/gh-aw/session-data/logs -type f | wc -l) session log files from cache\"\n  fi\n  \n  echo \"Using cached data from ${TODAY}\"\n  echo \"Total sessions in cache: $(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\"\nelse\n  echo \"⬇ Downloading fresh session data...\"\n  \n  # Calculate date 30 days ago\n  DATE_30_DAYS_AGO=$(date -d '30 days ago' '+%Y-%m-%d' 2>/dev/null || date -v-30d '+%Y-%m-%d')\n\n  # Search for workflow runs from copilot/* branches\n  # This fetches GitHub Copilot agent task runs by searching for workflow runs on copilot/* branches\n  echo \"Fetching Copilot agent workflow runs from the last 30 days...\"\n  \n  # Get workflow runs from copilot/* branches\n  gh api \"repos/${{ github.repository }}/actions/runs\" \\\n    --paginate \\\n    --jq \".workflow_runs[] | select(.head_branch | startswith(\\\"copilot/\\\")) | select(.created_at >= \\\"${DATE_30_DAYS_AGO}\\\") | {id, name, head_branch, created_at, updated_at, status, conclusion, html_url}\" \\\n    | jq -s '.[0:50]' \\\n    > /tmp/gh-aw/session-data/sessions-list.json\n\n  # Generate schema for reference\n  /tmp/gh-aw/jqschema.sh < /tmp/gh-aw/session-data/sessions-list.json > /tmp/gh-aw/session-data/sessions-schema.json\n\n  # Download conversation logs using gh agent-task command (limit to first 50)\n  SESSION_COUNT=$(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\n  echo \"Downloading conversation logs for $SESSION_COUNT sessions...\"\n  \n  # Use gh agent-task to fetch session logs with conversation transcripts\n  # Extract session numbers from head_branch (format: copilot/issue-123 or copilot/task-456)\n  # The number is the issue/task/PR number that the gh agent-task command uses\n  jq -r '.[].head_branch' /tmp/gh-aw/session-data/sessions-list.json | while read -r branch; do\n    if [ -n \"$branch\" ]; then\n      # Extract number from branch name (e.g., copilot/issue-123 -> 123)\n      # This is the session identifier used by gh agent-task\n      session_number=$(echo \"$branch\" | sed 's/copilot\\///' | sed 's/[^0-9]//g')\n      \n      if [ -n \"$session_number\" ]; then\n        echo \"Downloading conversation log for session #$session_number (branch: $branch)\"\n        \n        # Use gh agent-task view --log to get conversation transcript\n        # This contains the agent's internal monologue, tool calls, and reasoning\n        gh agent-task view --repo \"${{ github.repository }}\" \"$session_number\" --log \\\n          > \"/tmp/gh-aw/session-data/logs/${session_number}-conversation.txt\" 2>&1 || {\n          echo \"Warning: Could not fetch conversation log for session #$session_number\"\n          # If gh agent-task fails, fall back to downloading GitHub Actions logs\n          # This ensures we have some data even if agent-task command is unavailable\n          run_id=$(jq -r \".[] | select(.head_branch == \\\"$branch\\\") | .id\" /tmp/gh-aw/session-data/sessions-list.json)\n          if [ -n \"$run_id\" ]; then\n            echo \"Falling back to GitHub Actions logs for run ID: $run_id\"\n            gh api \"repos/${{ github.repository }}/actions/runs/${run_id}/logs\" \\\n              > \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" 2>&1 || true\n            \n            if [ -f \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" ] && [ -s \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" ]; then\n              unzip -q \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" -d \"/tmp/gh-aw/session-data/logs/${session_number}/\" 2>/dev/null || true\n              rm \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\"\n            fi\n          fi\n        }\n      fi\n    fi\n  done\n  \n  LOG_COUNT=$(find /tmp/gh-aw/session-data/logs/ -type f -name \"*-conversation.txt\" | wc -l)\n  echo \"Conversation logs downloaded: $LOG_COUNT session logs\"\n  \n  FALLBACK_COUNT=$(find /tmp/gh-aw/session-data/logs/ -type d -mindepth 1 | wc -l)\n  if [ \"$FALLBACK_COUNT\" -gt 0 ]; then\n    echo \"Fallback GitHub Actions logs: $FALLBACK_COUNT sessions\"\n  fi\n\n  # Store in cache with today's date\n  cp /tmp/gh-aw/session-data/sessions-list.json \"$CACHE_DIR/copilot-sessions-${TODAY}.json\"\n  cp /tmp/gh-aw/session-data/sessions-schema.json \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\"\n  \n  # Cache the log files\n  mkdir -p \"$CACHE_DIR/session-logs-${TODAY}\"\n  cp -r /tmp/gh-aw/session-data/logs/* \"$CACHE_DIR/session-logs-${TODAY}/\" 2>/dev/null || true\n\n  echo \"✓ Session data saved to cache: copilot-sessions-${TODAY}.json\"\n  echo \"Total sessions found: $(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\"\nfi\n\n# Always ensure data is available at expected locations for backward compatibility\necho \"Session data available at: /tmp/gh-aw/session-data/sessions-list.json\"\necho \"Schema available at: /tmp/gh-aw/session-data/sessions-schema.json\"\necho \"Logs available at: /tmp/gh-aw/session-data/logs/\"\n\n# Set outputs for downstream use\necho \"sessions_count=$(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\" >> \"$GITHUB_OUTPUT\""
+        run: "# Create output directories\nmkdir -p /tmp/gh-aw/session-data\nmkdir -p /tmp/gh-aw/session-data/logs\nmkdir -p /tmp/gh-aw/cache-memory\n\n# Get today's date for cache identification\nTODAY=$(date '+%Y-%m-%d')\nCACHE_DIR=\"/tmp/gh-aw/cache-memory\"\n\n# Check if cached data exists from today\nif [ -f \"$CACHE_DIR/copilot-sessions-${TODAY}.json\" ] && [ -s \"$CACHE_DIR/copilot-sessions-${TODAY}.json\" ]; then\n  echo \"✓ Found cached session data from ${TODAY}\"\n  cp \"$CACHE_DIR/copilot-sessions-${TODAY}.json\" /tmp/gh-aw/session-data/sessions-list.json\n  \n  # Regenerate schema if missing\n  if [ ! -f \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\" ]; then\n    /tmp/gh-aw/jqschema.sh < /tmp/gh-aw/session-data/sessions-list.json > \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\"\n  fi\n  cp \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\" /tmp/gh-aw/session-data/sessions-schema.json\n  \n  # Restore cached log files if they exist\n  if [ -d \"$CACHE_DIR/session-logs-${TODAY}\" ]; then\n    echo \"✓ Found cached session logs from ${TODAY}\"\n    cp -r \"$CACHE_DIR/session-logs-${TODAY}\"/* /tmp/gh-aw/session-data/logs/ 2>/dev/null || true\n    echo \"Restored $(find /tmp/gh-aw/session-data/logs -type f | wc -l) session log files from cache\"\n  fi\n  \n  echo \"Using cached data from ${TODAY}\"\n  echo \"Total sessions in cache: $(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\"\nelse\n  echo \"⬇ Downloading fresh session data...\"\n  \n  # Calculate date 30 days ago\n  DATE_30_DAYS_AGO=$(date -d '30 days ago' '+%Y-%m-%d' 2>/dev/null || date -v-30d '+%Y-%m-%d')\n\n  # Search for workflow runs from copilot/* branches\n  # This fetches GitHub Copilot coding agent task runs by searching for workflow runs on copilot/* branches\n  echo \"Fetching Copilot coding agent workflow runs from the last 30 days...\"\n  \n  # Get workflow runs from copilot/* branches\n  gh api \"repos/${{ github.repository }}/actions/runs\" \\\n    --paginate \\\n    --jq \".workflow_runs[] | select(.head_branch | startswith(\\\"copilot/\\\")) | select(.created_at >= \\\"${DATE_30_DAYS_AGO}\\\") | {id, name, head_branch, created_at, updated_at, status, conclusion, html_url}\" \\\n    | jq -s '.[0:50]' \\\n    > /tmp/gh-aw/session-data/sessions-list.json\n\n  # Generate schema for reference\n  /tmp/gh-aw/jqschema.sh < /tmp/gh-aw/session-data/sessions-list.json > /tmp/gh-aw/session-data/sessions-schema.json\n\n  # Download conversation logs using gh agent-task command (limit to first 50)\n  SESSION_COUNT=$(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\n  echo \"Downloading conversation logs for $SESSION_COUNT sessions...\"\n  \n  # Use gh agent-task to fetch session logs with conversation transcripts\n  # Extract session numbers from head_branch (format: copilot/issue-123 or copilot/task-456)\n  # The number is the issue/task/PR number that the gh agent-task command uses\n  jq -r '.[].head_branch' /tmp/gh-aw/session-data/sessions-list.json | while read -r branch; do\n    if [ -n \"$branch\" ]; then\n      # Extract number from branch name (e.g., copilot/issue-123 -> 123)\n      # This is the session identifier used by gh agent-task\n      session_number=$(echo \"$branch\" | sed 's/copilot\\///' | sed 's/[^0-9]//g')\n      \n      if [ -n \"$session_number\" ]; then\n        echo \"Downloading conversation log for session #$session_number (branch: $branch)\"\n        \n        # Use gh agent-task view --log to get conversation transcript\n        # This contains the agent's internal monologue, tool calls, and reasoning\n        gh agent-task view --repo \"${{ github.repository }}\" \"$session_number\" --log \\\n          > \"/tmp/gh-aw/session-data/logs/${session_number}-conversation.txt\" 2>&1 || {\n          echo \"Warning: Could not fetch conversation log for session #$session_number\"\n          # If gh agent-task fails, fall back to downloading GitHub Actions logs\n          # This ensures we have some data even if agent-task command is unavailable\n          run_id=$(jq -r \".[] | select(.head_branch == \\\"$branch\\\") | .id\" /tmp/gh-aw/session-data/sessions-list.json)\n          if [ -n \"$run_id\" ]; then\n            echo \"Falling back to GitHub Actions logs for run ID: $run_id\"\n            gh api \"repos/${{ github.repository }}/actions/runs/${run_id}/logs\" \\\n              > \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" 2>&1 || true\n            \n            if [ -f \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" ] && [ -s \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" ]; then\n              unzip -q \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\" -d \"/tmp/gh-aw/session-data/logs/${session_number}/\" 2>/dev/null || true\n              rm \"/tmp/gh-aw/session-data/logs/${session_number}-actions.zip\"\n            fi\n          fi\n        }\n      fi\n    fi\n  done\n  \n  LOG_COUNT=$(find /tmp/gh-aw/session-data/logs/ -type f -name \"*-conversation.txt\" | wc -l)\n  echo \"Conversation logs downloaded: $LOG_COUNT session logs\"\n  \n  FALLBACK_COUNT=$(find /tmp/gh-aw/session-data/logs/ -type d -mindepth 1 | wc -l)\n  if [ \"$FALLBACK_COUNT\" -gt 0 ]; then\n    echo \"Fallback GitHub Actions logs: $FALLBACK_COUNT sessions\"\n  fi\n\n  # Store in cache with today's date\n  cp /tmp/gh-aw/session-data/sessions-list.json \"$CACHE_DIR/copilot-sessions-${TODAY}.json\"\n  cp /tmp/gh-aw/session-data/sessions-schema.json \"$CACHE_DIR/copilot-sessions-${TODAY}-schema.json\"\n  \n  # Cache the log files\n  mkdir -p \"$CACHE_DIR/session-logs-${TODAY}\"\n  cp -r /tmp/gh-aw/session-data/logs/* \"$CACHE_DIR/session-logs-${TODAY}/\" 2>/dev/null || true\n\n  echo \"✓ Session data saved to cache: copilot-sessions-${TODAY}.json\"\n  echo \"Total sessions found: $(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\"\nfi\n\n# Always ensure data is available at expected locations for backward compatibility\necho \"Session data available at: /tmp/gh-aw/session-data/sessions-list.json\"\necho \"Schema available at: /tmp/gh-aw/session-data/sessions-schema.json\"\necho \"Logs available at: /tmp/gh-aw/session-data/logs/\"\n\n# Set outputs for downstream use\necho \"sessions_count=$(jq 'length' /tmp/gh-aw/session-data/sessions-list.json)\" >> \"$GITHUB_OUTPUT\""
       - name: Setup Python environment
         run: "# Create working directory for Python scripts\nmkdir -p /tmp/gh-aw/python\nmkdir -p /tmp/gh-aw/python/data\nmkdir -p /tmp/gh-aw/python/charts\nmkdir -p /tmp/gh-aw/python/artifacts\n\necho \"Python environment setup complete\"\necho \"Working directory: /tmp/gh-aw/python\"\necho \"Data directory: /tmp/gh-aw/python/data\"\necho \"Charts directory: /tmp/gh-aw/python/charts\"\necho \"Artifacts directory: /tmp/gh-aw/python/artifacts\"\n"
       - name: Install Python scientific libraries
@@ -1174,7 +1174,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           WORKFLOW_NAME: "Copilot Session Insights"
-          WORKFLOW_DESCRIPTION: "Analyzes GitHub Copilot agent sessions to provide detailed insights on usage patterns, success rates, and performance metrics"
+          WORKFLOW_DESCRIPTION: "Analyzes GitHub Copilot coding agent sessions to provide detailed insights on usage patterns, success rates, and performance metrics"
           HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
         with:
           script: |
diff --git a/.github/workflows/copilot-session-insights.md b/.github/workflows/copilot-session-insights.md
index 7b9ef8b41c..7c3323365d 100644
--- a/.github/workflows/copilot-session-insights.md
+++ b/.github/workflows/copilot-session-insights.md
@@ -1,6 +1,6 @@
 ---
 name: Copilot Session Insights
-description: Analyzes GitHub Copilot agent sessions to provide detailed insights on usage patterns, success rates, and performance metrics
+description: Analyzes GitHub Copilot coding agent sessions to provide detailed insights on usage patterns, success rates, and performance metrics
 on:
   schedule:
     # Daily at 8:00 AM Pacific Time (16:00 UTC)
@@ -58,13 +58,13 @@ timeout-minutes: 20
 
 ---
 
-# Copilot Agent Session Analysis
+# Copilot coding agent Session Analysis
 
-You are an AI analytics agent specializing in analyzing Copilot agent sessions to extract insights, identify behavioral patterns, and recommend improvements.
+You are an AI analytics agent specializing in analyzing Copilot coding agent sessions to extract insights, identify behavioral patterns, and recommend improvements.
 
 ## Mission
 
-Analyze approximately 50 Copilot agent sessions to identify:
+Analyze approximately 50 Copilot coding agent sessions to identify:
 - Behavioral patterns and inefficiencies
 - Success factors and failure signals
 - Prompt quality indicators
@@ -493,7 +493,7 @@ If approaching timeout:
 
 A successful analysis includes:
 
-- ✅ Analyzed ~50 Copilot agent sessions
+- ✅ Analyzed ~50 Copilot coding agent sessions
 - ✅ Calculated key metrics (completion rate, duration, quality)
 - ✅ Identified success factors and failure signals
 - ✅ Generated actionable recommendations
diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
index c9cdf446c6..d4f0e8e60c 100644
--- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
+++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
@@ -440,12 +440,12 @@ jobs:
               "name": "create_issue"
             },
             {
-              "description": "Create a GitHub Copilot agent session to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead. CONSTRAINTS: Maximum 3 agent task(s) can be created.",
+              "description": "Create a GitHub Copilot coding agent session to delegate coding work. Use this when you need another Copilot coding agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead. CONSTRAINTS: Maximum 3 agent task(s) can be created.",
               "inputSchema": {
                 "additionalProperties": false,
                 "properties": {
                   "body": {
-                    "description": "Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained.",
+                    "description": "Clear, detailed task description for the Copilot coding agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained.",
                     "type": "string"
                   }
                 },
@@ -1184,7 +1184,7 @@ jobs:
         env:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
         with:
-          github-token: ${{ secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }}
+          github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }}
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
             setupGlobals(core, github, context, exec, io);
diff --git a/.github/workflows/daily-mcp-concurrency-analysis.md b/.github/workflows/daily-mcp-concurrency-analysis.md
index 30701f5af6..33efc89436 100644
--- a/.github/workflows/daily-mcp-concurrency-analysis.md
+++ b/.github/workflows/daily-mcp-concurrency-analysis.md
@@ -393,7 +393,7 @@ describe('${TOOL_NAME} concurrency safety', () => {
 
 #### Optionally Create Agent Session
 
-For CRITICAL or HIGH severity issues, consider creating a Copilot agent session:
+For CRITICAL or HIGH severity issues, consider creating a Copilot coding agent session:
 
 ```markdown
 Fix the concurrency safety issue in \`${TOOL_NAME}\` tool.
diff --git a/.github/workflows/daily-safe-outputs-conformance.md b/.github/workflows/daily-safe-outputs-conformance.md
index 88a760de9d..a7e079a352 100644
--- a/.github/workflows/daily-safe-outputs-conformance.md
+++ b/.github/workflows/daily-safe-outputs-conformance.md
@@ -47,7 +47,7 @@ Your mission is to:
    - Clear description of the conformance violation
    - Severity level and check ID
    - Specific files or code locations affected
-   - Actionable remediation steps suitable for Copilot agent assignment
+   - Actionable remediation steps suitable for Copilot coding agent assignment
 4. Close older issues from previous runs (auto-handled by expires: 1d and close-older-issues: true)
 
 ## Phase 1: Run Conformance Checks
@@ -127,7 +127,7 @@ Example: `SEC-001: Agent job in workflow X has write permissions`
 
 ## Remediation Steps
 
-This task can be assigned to a Copilot agent with the following steps:
+This task can be assigned to a Copilot coding agent with the following steps:
 
 1. [Specific action 1]
 2. [Specific action 2]
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index d35def1b55..f8dc8b5895 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -21,13 +21,13 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# The Cookie Monster of issues - assigns issues to Copilot agents one at a time
+# The Cookie Monster of issues - assigns issues to Copilot coding agent one at a time
 #
 # Resolved workflow manifest:
 #   Imports:
 #     - shared/mood.md
 #
-# frontmatter-hash: 499084bba53b33d3d6741037f0e2e17178fb144120241576df249aaa6f511842
+# frontmatter-hash: dc34e052a20e5b53d141cd9277e9497b52ffebc098737e1b728e4ed3bf5a71bc
 
 name: "Issue Monster"
 "on":
@@ -429,14 +429,14 @@ jobs:
                     "type": "string"
                   },
                   "issue_number": {
-                    "description": "Issue number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.",
+                    "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.",
                     "type": [
                       "number",
                       "string"
                     ]
                   },
                   "pull_number": {
-                    "description": "Pull request number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.",
+                    "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.",
                     "type": [
                       "number",
                       "string"
@@ -1000,7 +1000,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           WORKFLOW_NAME: "Issue Monster"
-          WORKFLOW_DESCRIPTION: "The Cookie Monster of issues - assigns issues to Copilot agents one at a time"
+          WORKFLOW_DESCRIPTION: "The Cookie Monster of issues - assigns issues to Copilot coding agent one at a time"
           HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
         with:
           script: |
@@ -1444,7 +1444,7 @@ jobs:
                     return false;
                   }
 
-                  // Exclude issues with open PRs from Copilot agent
+                  // Exclude issues with open PRs from Copilot coding agent
                   const openCopilotPRs = issue.linkedPRs?.filter(pr => 
                     pr.state === 'OPEN' && 
                     (pr.author === 'copilot-swe-agent' || pr.author?.includes('copilot'))
diff --git a/.github/workflows/issue-monster.md b/.github/workflows/issue-monster.md
index df26ae4ca2..ec4e7a7664 100644
--- a/.github/workflows/issue-monster.md
+++ b/.github/workflows/issue-monster.md
@@ -1,6 +1,6 @@
 ---
 name: Issue Monster
-description: The Cookie Monster of issues - assigns issues to Copilot agents one at a time
+description: The Cookie Monster of issues - assigns issues to Copilot coding agent one at a time
 on:
   workflow_dispatch:
   schedule: every 30m
@@ -273,7 +273,7 @@ jobs:
                     return false;
                   }
                   
-                  // Exclude issues with open PRs from Copilot agent
+                  // Exclude issues with open PRs from Copilot coding agent
                   const openCopilotPRs = issue.linkedPRs?.filter(pr => 
                     pr.state === 'OPEN' && 
                     (pr.author === 'copilot-swe-agent' || pr.author?.includes('copilot'))
@@ -383,11 +383,11 @@ imports:
 
 # Issue Monster 🍪
 
-You are the **Issue Monster** - the Cookie Monster of issues! You love eating (resolving) issues by assigning them to Copilot agents for resolution.
+You are the **Issue Monster** - the Cookie Monster of issues! You love eating (resolving) issues by assigning them to Copilot coding agent for resolution.
 
 ## Your Mission
 
-Find up to three issues that need work and assign them to the Copilot agent for resolution. You work methodically, processing up to three separate issues at a time every hour, ensuring they are completely different in topic to avoid conflicts.
+Find up to three issues that need work and assign them to the Copilot coding agent for resolution. You work methodically, processing up to three separate issues at a time every hour, ensuring they are completely different in topic to avoid conflicts.
 
 ## Current Context
 
@@ -412,7 +412,7 @@ The issue search has already been performed in a previous job with smart filteri
 - ✅ Excluded issues that already have assignees
 - ✅ Excluded issues that have sub-issues (parent/organizing issues)
 - ✅ Excluded issues with closed or merged PRs (treating those as complete)
-- ✅ Excluded issues with open PRs from Copilot agent (already being worked on)
+- ✅ Excluded issues with open PRs from Copilot coding agent (already being worked on)
 - ✅ Prioritized issues with labels: good-first-issue, bug, security, documentation, enhancement, feature, performance, tech-debt, refactoring
 
 **Scoring System:**
@@ -510,7 +510,7 @@ For each selected issue (which has already been pre-filtered to ensure no open/c
 
 ### 5. Assign Issues to Copilot Agent
 
-For each selected issue, use the `assign_to_agent` tool from the `safeoutputs` MCP server to assign the Copilot agent:
+For each selected issue, use the `assign_to_agent` tool from the `safeoutputs` MCP server to assign the Copilot coding agent:
 
 ```
 safeoutputs/assign_to_agent(issue_number=<issue_number>, agent="copilot")
@@ -518,7 +518,7 @@ safeoutputs/assign_to_agent(issue_number=<issue_number>, agent="copilot")
 
 Do not use GitHub tools for this assignment. The `assign_to_agent` tool will handle the actual assignment.
 
-The Copilot agent will:
+The Copilot coding agent will:
 1. Analyze the issue and related context
 2. Generate the necessary code changes
 3. Create a pull request with the fix
@@ -529,7 +529,7 @@ The Copilot agent will:
 For each issue you assign, use the `add_comment` tool from the `safeoutputs` MCP server to add a comment:
 
 ```
-safeoutputs/add_comment(item_number=<issue_number>, body="🍪 **Issue Monster has assigned this to Copilot!**\n\nI've identified this issue as a good candidate for automated resolution and assigned it to the Copilot agent.\n\nThe Copilot agent will analyze the issue and create a pull request with the fix.\n\nOm nom nom! 🍪")
+safeoutputs/add_comment(item_number=<issue_number>, body="🍪 **Issue Monster has assigned this to Copilot!**\n\nI've identified this issue as a good candidate for automated resolution and assigned it to the Copilot coding agent.\n\nThe Copilot coding agent will analyze the issue and create a pull request with the fix.\n\nOm nom nom! 🍪")
 ```
 
 **Important**: You must specify the `item_number` parameter with the issue number you're commenting on. This workflow runs on a schedule without a triggering issue, so the target must be explicitly specified.
@@ -555,13 +555,13 @@ A successful run means:
 5. The search already excluded issues that already have assignees
 6. The search already excluded issues that have sub-issues (parent/organizing issues are not tasks)
 7. The search already excluded issues with closed or merged PRs (treated as complete)
-8. The search already excluded issues with open PRs from Copilot agent (already being worked on)
+8. The search already excluded issues with open PRs from Copilot coding agent (already being worked on)
 9. Issues are sorted by priority score (good-first-issue, bug, security, etc. get higher scores)
 10. For "task" or "plan" issues: You checked for parent issues and sibling sub-issue PRs if necessary
 11. You selected up to three appropriate issues from the top of the priority list that are completely separate in topic
 12. You read and understood each issue
 13. You verified that the selected issues don't have overlapping concerns or file changes
-14. You assigned each issue to the Copilot agent using `assign_to_agent`
+14. You assigned each issue to the Copilot coding agent using `assign_to_agent`
 15. You commented on each issue being assigned
 
 ## Error Handling
diff --git a/.github/workflows/plan.md b/.github/workflows/plan.md
index 967e4ba91e..bbb934baf9 100644
--- a/.github/workflows/plan.md
+++ b/.github/workflows/plan.md
@@ -31,7 +31,7 @@ imports:
 
 # Planning Assistant
 
-You are an expert planning assistant for GitHub Copilot agents. Your task is to analyze an issue or discussion and break it down into a sequence of actionable work items that can be assigned to GitHub Copilot agents.
+You are an expert planning assistant for GitHub Copilot coding agent. Your task is to analyze an issue or discussion and break it down into a sequence of actionable work items that can be assigned to GitHub Copilot coding agent.
 
 ## Current Context
 
@@ -46,7 +46,7 @@ ${{ steps.sanitized.outputs.text }}
 
 ## Your Mission
 
-Analyze the issue or discussion along with the comment content (which may contain additional guidance from the user), then create actionable sub-issues (at most 5) that can be assigned to GitHub Copilot agents.
+Analyze the issue or discussion along with the comment content (which may contain additional guidance from the user), then create actionable sub-issues (at most 5) that can be assigned to GitHub Copilot coding agent.
 
 **Important**: With issue grouping enabled, all issues you create will be automatically grouped under a parent tracking issue. You don't need to create a parent issue manually or use temporary IDs - just create the sub-issues directly.
 
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index bbf8bb6eed..6e52d72379 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -465,12 +465,12 @@ jobs:
               "name": "create_issue"
             },
             {
-              "description": "Create a GitHub Copilot agent session to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead. CONSTRAINTS: Maximum 1 agent task(s) can be created. Base branch for tasks: \"main\".",
+              "description": "Create a GitHub Copilot coding agent session to delegate coding work. Use this when you need another Copilot coding agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead. CONSTRAINTS: Maximum 1 agent task(s) can be created. Base branch for tasks: \"main\".",
               "inputSchema": {
                 "additionalProperties": false,
                 "properties": {
                   "body": {
-                    "description": "Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained.",
+                    "description": "Clear, detailed task description for the Copilot coding agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained.",
                     "type": "string"
                   }
                 },
@@ -1821,7 +1821,7 @@ jobs:
           GH_AW_AGENT_OUTPUT: ${{ env.GH_AW_AGENT_OUTPUT }}
           GH_AW_SAFE_OUTPUTS_STAGED: "true"
         with:
-          github-token: ${{ secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }}
+          github-token: ${{ secrets.COPILOT_GITHUB_TOKEN }}
           script: |
             const { setupGlobals } = require('/opt/gh-aw/actions/setup_globals.cjs');
             setupGlobals(core, github, context, exec, io);
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index f39649bf07..924f8427e6 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -21,7 +21,7 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Analyzes and clusters GitHub Copilot agent prompts to identify patterns and usage trends
+# Analyzes and clusters GitHub Copilot coding agent prompts to identify patterns and usage trends
 #
 # Resolved workflow manifest:
 #   Imports:
@@ -31,7 +31,7 @@
 #     - shared/reporting.md
 #     - shared/trending-charts-simple.md
 #
-# frontmatter-hash: 55aaa5cabc63a05ec6ecd37b694afaec14d2ff60837e05c4fbc60f57adeb888d
+# frontmatter-hash: 5916161eaa3bed8bf2747c838309559e94337286bb6b11175d447c18e0f869a6
 
 name: "Copilot Agent Prompt Clustering Analysis"
 "on":
@@ -1156,7 +1156,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           WORKFLOW_NAME: "Copilot Agent Prompt Clustering Analysis"
-          WORKFLOW_DESCRIPTION: "Analyzes and clusters GitHub Copilot agent prompts to identify patterns and usage trends"
+          WORKFLOW_DESCRIPTION: "Analyzes and clusters GitHub Copilot coding agent prompts to identify patterns and usage trends"
           HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
         with:
           script: |
diff --git a/.github/workflows/prompt-clustering-analysis.md b/.github/workflows/prompt-clustering-analysis.md
index 56ce0691f3..3922a30d09 100644
--- a/.github/workflows/prompt-clustering-analysis.md
+++ b/.github/workflows/prompt-clustering-analysis.md
@@ -1,6 +1,6 @@
 ---
 name: Copilot Agent Prompt Clustering Analysis
-description: Analyzes and clusters GitHub Copilot agent prompts to identify patterns and usage trends
+description: Analyzes and clusters GitHub Copilot coding agent prompts to identify patterns and usage trends
 on:
   schedule: daily
   workflow_dispatch:
diff --git a/.github/workflows/repository-quality-improver.md b/.github/workflows/repository-quality-improver.md
index b0ec32e446..2eb01a4a7f 100644
--- a/.github/workflows/repository-quality-improver.md
+++ b/.github/workflows/repository-quality-improver.md
@@ -341,11 +341,11 @@ Create a comprehensive report using the **reporting MCP** with the following str
 
 ## 🤖 Tasks for Copilot Agent
 
-**NOTE TO PLANNER AGENT**: The following tasks are designed for GitHub Copilot agent execution. Please split these into individual work items for Claude to process.
+**NOTE TO PLANNER AGENT**: The following tasks are designed for GitHub Copilot coding agent execution. Please split these into individual work items for Claude to process.
 
 ### Improvement Tasks
 
-The following code regions and tasks should be processed by the Copilot agent. Each section is marked for easy identification by the planner agent.
+The following code regions and tasks should be processed by the Copilot coding agent. Each section is marked for easy identification by the planner agent.
 
 #### Task 1: [Short Description]
 
@@ -364,7 +364,7 @@ The following code regions and tasks should be processed by the Copilot agent. E
 **Code Region:** `[file path or pattern]`
 
 ```markdown
-[Copilot agent prompt for this task]
+[Copilot coding agent prompt for this task]
 ```
 
 ---
@@ -385,7 +385,7 @@ The following code regions and tasks should be processed by the Copilot agent. E
 **Code Region:** `[file path or pattern]`
 
 ```markdown
-[Copilot agent prompt for this task]
+[Copilot coding agent prompt for this task]
 ```
 
 ---
@@ -438,7 +438,7 @@ Track these metrics to measure improvement in the **[FOCUS AREA]**:
 ## Next Steps
 
 1. Review and prioritize the tasks above
-2. Assign tasks to Copilot agent via planner agent
+2. Assign tasks to Copilot coding agent via planner agent
 3. Track progress on improvement items
 4. Re-evaluate this focus area in [timeframe]
 
@@ -450,7 +450,7 @@ Track these metrics to measure improvement in the **[FOCUS AREA]**:
 
 ### Important Report Guidelines
 
-1. **Copilot Agent Section**: Always include a clearly marked section for Copilot agent tasks
+1. **Copilot Agent Section**: Always include a clearly marked section for Copilot coding agent tasks
 2. **Planner Note**: Include a note for the planner agent to split tasks
 3. **Code Regions**: Mark specific files or patterns where changes are needed
 4. **Task Format**: Each task should be self-contained with clear acceptance criteria
@@ -496,7 +496,7 @@ A successful quality improvement run:
 - ✅ Conducts thorough analysis of the selected area (using custom analysis for custom areas)
 - ✅ Uses Serena MCP only when static analysis is needed
 - ✅ Generates exactly one discussion with the report
-- ✅ Includes 3-5 actionable tasks for Copilot agent
+- ✅ Includes 3-5 actionable tasks for Copilot coding agent
 - ✅ Clearly marks code regions for planner agent to split
 - ✅ Updates cache memory with run history including custom area tracking
 - ✅ Maintains high diversity rate (aim for 60%+ custom or varied strategies)
@@ -549,7 +549,7 @@ When creating custom focus areas specific to gh-aw:
 
 Your output MUST:
 1. Create exactly one discussion with the quality improvement report
-2. Include a clearly marked section for Copilot agent tasks
+2. Include a clearly marked section for Copilot coding agent tasks
 3. Provide 3-5 actionable tasks with code region markers
 4. Note for planner agent to split tasks for Claude
 5. Update cache memory with run history (including custom area tracking)
@@ -557,4 +557,4 @@ Your output MUST:
 7. Use the reporting MCP for structured content
 8. **For custom focus areas**: Clearly explain the rationale and custom analysis performed
 
-Begin your quality improvement analysis now. Select a focus area (prioritizing custom, repository-specific areas), conduct appropriate analysis, generate actionable tasks for the Copilot agent, and create the discussion report.
+Begin your quality improvement analysis now. Select a focus area (prioritizing custom, repository-specific areas), conduct appropriate analysis, generate actionable tasks for the Copilot coding agent, and create the discussion report.
diff --git a/.github/workflows/shared/copilot-pr-data-fetch.md b/.github/workflows/shared/copilot-pr-data-fetch.md
index 0fdab45d67..340e023c99 100644
--- a/.github/workflows/shared/copilot-pr-data-fetch.md
+++ b/.github/workflows/shared/copilot-pr-data-fetch.md
@@ -74,7 +74,7 @@ steps:
 <!--
 ## Copilot PR Data Fetch
 
-This shared component fetches pull request data for GitHub Copilot agent-created PRs from the last 30 days, with intelligent caching to avoid redundant API calls.
+This shared component fetches pull request data for GitHub Copilot coding agent-created PRs from the last 30 days, with intelligent caching to avoid redundant API calls.
 
 ### What It Does
 
diff --git a/.github/workflows/shared/copilot-session-data-fetch.md b/.github/workflows/shared/copilot-session-data-fetch.md
index 83e120c35c..48d1f4c6d1 100644
--- a/.github/workflows/shared/copilot-session-data-fetch.md
+++ b/.github/workflows/shared/copilot-session-data-fetch.md
@@ -70,8 +70,8 @@ steps:
         DATE_30_DAYS_AGO=$(date -d '30 days ago' '+%Y-%m-%d' 2>/dev/null || date -v-30d '+%Y-%m-%d')
 
         # Search for workflow runs from copilot/* branches
-        # This fetches GitHub Copilot agent task runs by searching for workflow runs on copilot/* branches
-        echo "Fetching Copilot agent workflow runs from the last 30 days..."
+        # This fetches GitHub Copilot coding agent task runs by searching for workflow runs on copilot/* branches
+        echo "Fetching Copilot coding agent workflow runs from the last 30 days..."
         
         # Get workflow runs from copilot/* branches
         gh api "repos/${{ github.repository }}/actions/runs" \
@@ -154,7 +154,7 @@ steps:
 <!--
 ## Copilot Session Data Fetch
 
-This shared component fetches GitHub Copilot agent session data by analyzing workflow runs from `copilot/*` branches, with intelligent caching to avoid redundant API calls.
+This shared component fetches GitHub Copilot coding agent session data by analyzing workflow runs from `copilot/*` branches, with intelligent caching to avoid redundant API calls.
 
 ### What It Does
 
@@ -245,7 +245,7 @@ cat /tmp/gh-aw/session-data/logs/123-conversation.txt
 
 ### Why Branch-Based Search?
 
-GitHub Copilot creates branches with the `copilot/` prefix, making branch-based workflow run search a reliable way to identify Copilot agent sessions.
+GitHub Copilot creates branches with the `copilot/` prefix, making branch-based workflow run search a reliable way to identify Copilot coding agent sessions.
 
 ### Conversation Log Access
 
diff --git a/.github/workflows/shared/pr-data-safe-input.md b/.github/workflows/shared/pr-data-safe-input.md
index 2c6bf9050f..76952917f1 100644
--- a/.github/workflows/shared/pr-data-safe-input.md
+++ b/.github/workflows/shared/pr-data-safe-input.md
@@ -65,7 +65,7 @@ imports:
 
 The agent can then use the tool to fetch PR data:
 - `fetch-pr-data` with no arguments returns PRs from the last 30 days
-- `fetch-pr-data` with `search: "head:copilot/"` returns Copilot agent PRs
+- `fetch-pr-data` with `search: "head:copilot/"` returns Copilot coding agent PRs
 - `fetch-pr-data` with `state: "merged"` returns only merged PRs
 
 ### Parameters
diff --git a/.github/workflows/shared/session-analysis-charts.md b/.github/workflows/shared/session-analysis-charts.md
index 334e92978b..5c5ce79f75 100644
--- a/.github/workflows/shared/session-analysis-charts.md
+++ b/.github/workflows/shared/session-analysis-charts.md
@@ -17,11 +17,11 @@ imports:
 
 # Session Analysis Chart Generation
 
-You are an expert at creating session analysis trend charts that reveal insights about Copilot agent session patterns over time.
+You are an expert at creating session analysis trend charts that reveal insights about Copilot coding agent session patterns over time.
 
 ## 📊 Chart Generation Requirements
 
-**IMPORTANT**: Generate exactly 2 trend charts that showcase Copilot agent session patterns over time.
+**IMPORTANT**: Generate exactly 2 trend charts that showcase Copilot coding agent session patterns over time.
 
 ### Chart Generation Process
 
diff --git a/.github/workflows/shared/session-analysis-strategies.md b/.github/workflows/shared/session-analysis-strategies.md
index 4164c11177..9c577370a5 100644
--- a/.github/workflows/shared/session-analysis-strategies.md
+++ b/.github/workflows/shared/session-analysis-strategies.md
@@ -14,7 +14,7 @@
 
 # Session Analysis Strategies
 
-Comprehensive strategies for analyzing Copilot agent sessions to extract insights, identify patterns, and recommend improvements.
+Comprehensive strategies for analyzing Copilot coding agent sessions to extract insights, identify patterns, and recommend improvements.
 
 ## Standard Analysis Strategies
 
diff --git a/.github/workflows/static-analysis-report.md b/.github/workflows/static-analysis-report.md
index c04a075327..6e0e012996 100644
--- a/.github/workflows/static-analysis-report.md
+++ b/.github/workflows/static-analysis-report.md
@@ -193,7 +193,7 @@ Use the cache memory folder `/tmp/gh-aw/cache-memory/` to build persistent knowl
    - Identify common patterns in affected workflows
 
 2. **Create Fix Template**:
-   Generate a prompt template that can be used by a Copilot agent to fix this issue type. The prompt should:
+   Generate a prompt template that can be used by a Copilot coding agent to fix this issue type. The prompt should:
    - Clearly describe the security vulnerability
    - Explain why it's a problem
    - Provide step-by-step fix instructions
diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml
index 130377b4d4..fe0f026796 100644
--- a/.github/workflows/workflow-generator.lock.yml
+++ b/.github/workflows/workflow-generator.lock.yml
@@ -21,13 +21,13 @@
 #
 # For more information: https://github.github.com/gh-aw/introduction/overview/
 #
-# Workflow generator that updates issue status and assigns to Copilot agent for workflow design
+# Workflow generator that updates issue status and assigns to Copilot coding agent for workflow design
 #
 # Resolved workflow manifest:
 #   Imports:
 #     - shared/mood.md
 #
-# frontmatter-hash: 1bf8a53ac78955ad6bc31224322cd512e946710820a359cc08613e147865408c
+# frontmatter-hash: a050c2eeebe0b225b5e51f8bb7e533314d35f338d1db67669665b1be4b8adfb9
 
 name: "Workflow Generator"
 "on":
@@ -397,14 +397,14 @@ jobs:
                     "type": "string"
                   },
                   "issue_number": {
-                    "description": "Issue number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.",
+                    "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both.",
                     "type": [
                       "number",
                       "string"
                     ]
                   },
                   "pull_number": {
-                    "description": "Pull request number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.",
+                    "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both.",
                     "type": [
                       "number",
                       "string"
@@ -1041,7 +1041,7 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           WORKFLOW_NAME: "Workflow Generator"
-          WORKFLOW_DESCRIPTION: "Workflow generator that updates issue status and assigns to Copilot agent for workflow design"
+          WORKFLOW_DESCRIPTION: "Workflow generator that updates issue status and assigns to Copilot coding agent for workflow design"
           HAS_PATCH: ${{ needs.agent.outputs.has_patch }}
         with:
           script: |
diff --git a/.github/workflows/workflow-generator.md b/.github/workflows/workflow-generator.md
index c6ca7df0cf..9959d94e9f 100644
--- a/.github/workflows/workflow-generator.md
+++ b/.github/workflows/workflow-generator.md
@@ -1,5 +1,5 @@
 ---
-description: Workflow generator that updates issue status and assigns to Copilot agent for workflow design
+description: Workflow generator that updates issue status and assigns to Copilot coding agent for workflow design
 on:
   issues:
     types: [opened]
@@ -46,8 +46,8 @@ Your job is to:
    - Set the status to "In progress"
    - Append clear instructions to the issue body for the agent that will pick it up
 
-2. **Assign to the Copilot agent** using the `assign-to-agent` safe output to hand off the workflow design work
-   - The Copilot agent will follow the agentic-workflows instructions from `.github/agents/agentic-workflows.agent.md`
+2. **Assign to the Copilot coding agent** using the `assign-to-agent` safe output to hand off the workflow design work
+   - The Copilot coding agent will follow the agentic-workflows instructions from `.github/agents/agentic-workflows.agent.md`
    - The agent will parse the issue, design the workflow content, and create a PR with the `.md` workflow file
 
 ## Instructions to Append
@@ -103,6 +103,6 @@ This issue has been assigned to an AI agent for workflow design. The agent will:
 1. Use **update-issue** safe output to:
    - Set the issue status to "In progress"
    - Append the instructions above to the issue body
-2. Use **assign-to-agent** safe output to assign the Copilot agent who will design and implement the workflow
+2. Use **assign-to-agent** safe output to assign the Copilot coding agent who will design and implement the workflow
 
 The workflow designer agent will have clear instructions in the issue body about what it needs to do.
diff --git a/AGENTS.md b/AGENTS.md
index 2c101a32de..e39efc4836 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -134,7 +134,7 @@ func TestCompile(t *testing.T) {
 
 **ALWAYS USE GITHUB MCP FOR GITHUB API ACCESS WITH COPILOT ENGINE:**
 
-The Copilot agent **cannot directly access api.github.com**. When using the `copilot` engine, you **must** configure the GitHub MCP server to access GitHub information (repositories, issues, pull requests, etc.).
+The Copilot coding agent **cannot directly access api.github.com**. When using the `copilot` engine, you **must** configure the GitHub MCP server to access GitHub information (repositories, issues, pull requests, etc.).
 
 **CORRECT - Using GitHub MCP:**
 ```yaml
@@ -1177,7 +1177,7 @@ Skills provide specialized, detailed knowledge on specific topics. **Use them on
 - **[github-issue-query](skills/github-issue-query/SKILL.md)** - Query GitHub issues with jq filtering
 - **[github-pr-query](skills/github-pr-query/SKILL.md)** - Query GitHub pull requests with jq filtering
 - **[github-discussion-query](skills/github-discussion-query/SKILL.md)** - Query GitHub discussions with jq filtering
-- **[github-copilot-agent-tips-and-tricks](skills/github-copilot-agent-tips-and-tricks/SKILL.md)** - Tips for working with GitHub Copilot agent PRs
+- **[github-copilot-agent-tips-and-tricks](skills/github-copilot-agent-tips-and-tricks/SKILL.md)** - Tips for working with GitHub Copilot coding agent PRs
 
 ### AI Engine & Integration
 - **[copilot-cli](skills/copilot-cli/SKILL.md)** - GitHub Copilot CLI integration for agentic workflows
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 635c68bcdb..58c18c882e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -440,7 +440,7 @@ Run `gh aw fix --write` to apply automatic updates across your repository.
 
 #### Terminology Change: "Agent Task" → "Agent Session"
 
-The terminology for creating Copilot agent work items has been updated from "agent task" to "agent session" to better reflect their purpose and avoid confusion with other task concepts.
+The terminology for creating Copilot coding agent work items has been updated from "agent task" to "agent session" to better reflect their purpose and avoid confusion with other task concepts.
 
 **Configuration Changes:**
 - `create-agent-task` → `create-agent-session` in safe-outputs configuration
@@ -2249,7 +2249,7 @@ Users must now configure a Personal Access Token (PAT) as either `COPILOT_GITHUB
 
 #### Add continuation field to logs JSON output when timeout is reached
 
-#### Add create-agent-task safe output for GitHub Copilot agent tasks
+#### Add create-agent-task safe output for GitHub Copilot coding agent tasks
 
 #### Add run summary caching to logs command for faster reprocessing
 
@@ -2769,9 +2769,9 @@ Updated 26 permission and authentication-related patterns across the Codex and C
 
 ### Bug Fixes
 
-#### Add GitHub Copilot agent setup workflow
+#### Add GitHub Copilot coding agent setup workflow
 
-Adds a `.github/workflows/copilot-setup-steps.yml` workflow file to configure the GitHub Copilot coding agent environment with preinstalled tools and dependencies. The workflow mirrors the setup steps from the CI workflow's build job, including Node.js, Go, JavaScript dependencies, development tools, and build step. This provides Copilot agents with a fully configured development environment and speeds up agent workflows.
+Adds a `.github/workflows/copilot-setup-steps.yml` workflow file to configure the GitHub Copilot coding agent environment with preinstalled tools and dependencies. The workflow mirrors the setup steps from the CI workflow's build job, including Node.js, Go, JavaScript dependencies, development tools, and build step. This provides Copilot coding agent with a fully configured development environment and speeds up agent workflows.
 
 #### Add compiler validation for GitHub Actions 21KB expression size limit
 
diff --git a/actions/setup/js/assign_agent_helpers.cjs b/actions/setup/js/assign_agent_helpers.cjs
index 22bdf54995..8db1f62696 100644
--- a/actions/setup/js/assign_agent_helpers.cjs
+++ b/actions/setup/js/assign_agent_helpers.cjs
@@ -448,7 +448,7 @@ async function assignAgentToIssue(assignableId, agentId, currentAssignees, agent
 function logPermissionError(agentName) {
   core.error(`Failed to assign ${agentName}: Insufficient permissions`);
   core.error("");
-  core.error("Assigning Copilot agents requires:");
+  core.error("Assigning Copilot coding agent requires:");
   core.error("  1. All four workflow permissions:");
   core.error("     - actions: write");
   core.error("     - contents: write");
@@ -478,7 +478,7 @@ function generatePermissionErrorSummary() {
   return `
 ### ⚠️ Permission Requirements
 
-Assigning Copilot agents requires **ALL** of these permissions:
+Assigning Copilot coding agent requires **ALL** of these permissions:
 
 \`\`\`yaml
 permissions:
diff --git a/actions/setup/js/safe_outputs_tools.json b/actions/setup/js/safe_outputs_tools.json
index 8d45aa8b9d..2b8c56bb9b 100644
--- a/actions/setup/js/safe_outputs_tools.json
+++ b/actions/setup/js/safe_outputs_tools.json
@@ -36,14 +36,14 @@
   },
   {
     "name": "create_agent_session",
-    "description": "Create a GitHub Copilot agent session to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.",
+    "description": "Create a GitHub Copilot coding agent session to delegate coding work. Use this when you need another Copilot coding agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.",
     "inputSchema": {
       "type": "object",
       "required": ["body"],
       "properties": {
         "body": {
           "type": "string",
-          "description": "Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained."
+          "description": "Clear, detailed task description for the Copilot coding agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained."
         }
       },
       "additionalProperties": false
@@ -427,11 +427,11 @@
       "properties": {
         "issue_number": {
           "type": ["number", "string"],
-          "description": "Issue number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both."
+          "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both."
         },
         "pull_number": {
           "type": ["number", "string"],
-          "description": "Pull request number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both."
+          "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both."
         },
         "agent": {
           "type": "string",
diff --git a/actions/setup/js/types/safe-outputs.d.ts b/actions/setup/js/types/safe-outputs.d.ts
index c56ac6007d..7e1ca5a902 100644
--- a/actions/setup/js/types/safe-outputs.d.ts
+++ b/actions/setup/js/types/safe-outputs.d.ts
@@ -272,7 +272,7 @@ interface AssignMilestoneItem extends BaseSafeOutputItem {
 }
 
 /**
- * JSONL item for assigning a GitHub Copilot agent to an issue or project item
+ * JSONL item for assigning a GitHub Copilot coding agent to an issue or project item
  */
 interface AssignToAgentItem extends BaseSafeOutputItem {
   type: "assign_to_agent";
diff --git a/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-advanced-analytics.md b/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-advanced-analytics.md
index 57d222514d..422d68f75a 100644
--- a/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-advanced-analytics.md
+++ b/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-advanced-analytics.md
@@ -28,7 +28,7 @@ Beyond tracking basic metrics (run time, cost, success rate), we wanted deeper i
 
 These agents use sophisticated analysis techniques to extract insights:
 
-- **[Copilot Session Insights](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/copilot-session-insights.md?plain=1)** - Analyzes Copilot agent usage patterns and metrics - **32 analysis discussions**  
+- **[Copilot Session Insights](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/copilot-session-insights.md?plain=1)** - Analyzes Copilot coding agent usage patterns and metrics - **32 analysis discussions**  
 - **[Copilot PR NLP Analysis](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/copilot-pr-nlp-analysis.md?plain=1)** - Natural language processing on PR conversations  
 - **[Prompt Clustering Analysis](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/prompt-clustering-analysis.md?plain=1)** - Clusters and categorizes agent prompts using ML - **27 analysis discussions**  
 - **[Copilot Agent Analysis](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/copilot-agent-analysis.md?plain=1)** - Deep analysis of agent behavior patterns - **48 daily analysis discussions**  
@@ -37,9 +37,9 @@ Prompt Clustering Analysis has created **27 analysis discussions** using ML to c
 
 Copilot PR NLP Analysis applies natural language processing to PR conversations, performing sentiment analysis and identifying linguistic patterns across agent interactions. It found that PRs with questions in the title get faster review.
 
-Copilot Session Insights has created **32 analysis discussions** examining Copilot agent usage patterns and metrics across the workflow ecosystem. It identifies common patterns and failure modes.
+Copilot Session Insights has created **32 analysis discussions** examining Copilot coding agent usage patterns and metrics across the workflow ecosystem. It identifies common patterns and failure modes.
 
-Copilot Agent Analysis has created **48 daily analysis discussions** providing deep analysis of agent behavior patterns - for example, [#6913](https://github.com/github/gh-aw/discussions/6913) with the daily Copilot agent analysis.
+Copilot Coding Agent Analysis has created **48 daily analysis discussions** providing deep analysis of agent behavior patterns - for example, [#6913](https://github.com/github/gh-aw/discussions/6913) with the daily Copilot coding agent analysis.
 
 What we learned: **meta-analysis is powerful** - using AI to analyze AI systems reveals insights that direct observation misses. These workflows helped us understand not just what our agents do, but *how* they behave and how users interact with them.
 
diff --git a/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-issue-management.md b/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-issue-management.md
index 44cca08ede..756979874b 100644
--- a/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-issue-management.md
+++ b/docs/src/content/docs/blog/2026-01-13-meet-the-workflows-issue-management.md
@@ -29,14 +29,14 @@ Now let's talk about the daily rituals of software development: managing issues
 These agents enhance issue and pull request workflows:
 
 - **[Issue Arborist](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/issue-arborist.md?plain=1)** - Links related issues as sub-issues - **77 discussion reports** and **18 parent issues** created  
-- **[Issue Monster](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/issue-monster.md?plain=1)** - Assigns issues to Copilot agents one at a time - **task dispatcher** for the whole system
+- **[Issue Monster](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/issue-monster.md?plain=1)** - Assigns issues to the asynchronous [GitHub Copilot coding agent](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent) one at a time - **task dispatcher** for the whole system
 - **[Mergefest](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/mergefest.md?plain=1)** - Automatically merges main branch into PR branches - **orchestrator workflow**
 - **[Sub Issue Closer](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/sub-issue-closer.md?plain=1)** - Closes completed sub-issues automatically - **orchestrator workflow**
 - **[Issue Template Optimizer](https://github.com/github/gh-aw/blob/v0.42.13/.github/workflows/issue-template-optimizer.md?plain=1)** - Improves issue templates based on usage - **2 merged PRs out of 2 proposed (100% merge rate)**
 
 The Issue Arborist is an **organizational workflow** that has created **77 discussion reports** (titled "[Issue Arborist] Issue Arborist Report") and **18 parent issues** to group related sub-issues. It keeps the issue tracker organized by automatically linking related issues, building a dependency tree we'd never maintain manually. For example, [#12037](https://github.com/github/gh-aw/issues/12037) grouped engine documentation updates.
 
-The Issue Monster is the **task dispatcher** - it assigns issues to Copilot agents one at a time. It doesn't create PRs itself, but enables every other agent's work by feeding them tasks. This prevents the chaos of parallel work on the same codebase.
+The Issue Monster is the **task dispatcher** - it assigns issues to the GitHub platform's asynchronous [Copilot coding agent](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent) one at a time. It doesn't create PRs itself, but enables every other agent's work by feeding them tasks. This prevents the chaos of parallel work on the same codebase.
 
 Mergefest is an **orchestrator workflow** that automatically merges main into PR branches, keeping long-lived PRs up to date without manual intervention. It eliminates the "please merge main" dance.
 
diff --git a/docs/src/content/docs/reference/auth.mdx b/docs/src/content/docs/reference/auth.mdx
index 4b0b0e6112..508e0ee5d8 100644
--- a/docs/src/content/docs/reference/auth.mdx
+++ b/docs/src/content/docs/reference/auth.mdx
@@ -27,7 +27,7 @@ Depending on what your workflow needs to do, you may need additional GitHub toke
 
 - **Lockdown mode, cross-repo access, or remote GitHub tools** – Add [`GH_AW_GITHUB_TOKEN`](#gh_aw_github_token)
 - **GitHub Projects v2 operations** – Add [`GH_AW_PROJECT_GITHUB_TOKEN`](#gh_aw_project_github_token)
-- **Assign Copilot agents to issues/PRs** – Add [`GH_AW_AGENT_TOKEN`](#gh_aw_agent_token)
+- **Assign Copilot coding agent to issues/PRs** – Add [`GH_AW_AGENT_TOKEN`](#gh_aw_agent_token)
 - **MCP server with special permissions** – Add [`GH_AW_GITHUB_MCP_SERVER_TOKEN`](#gh_aw_github_mcp_server_token)
 
 ## How do I add a GitHub Actions secret to my repository?
@@ -257,7 +257,7 @@ gh aw secrets set GH_AW_PROJECT_GITHUB_TOKEN --value "YOUR_PROJECT_PAT"
 
 **Token precedence and fallback**:
 
-per-output -> workflow-level -> `GH_AW_PROJECT_GITHUB_TOKEN` -> `GITHUB_TOKEN`.
+per-safe-output -> `GH_AW_PROJECT_GITHUB_TOKEN` -> `GITHUB_TOKEN`.
 
 **Example configuration**:
 
@@ -302,9 +302,9 @@ safe-outputs:
 
 ### `GH_AW_AGENT_TOKEN`
 
-If you want to programmatically assign Copilot agents to issues or pull requests, you need to configure `GH_AW_AGENT_TOKEN` with a Personal Access Token (PAT) that has the appropriate scopes and permissions for issue and PR management.
+If you want to programmatically assign the GitHub platform's asynchronous [Copilot coding agent](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent) to issues or pull requests, you need to configure `GH_AW_AGENT_TOKEN` with a Personal Access Token (PAT) that has the appropriate scopes and permissions for issue and PR management.
 
-Is token/secret is used by `assign-to-agent:` safe outputs to programmatically assign Copilot agents to issues or pull requests.
+Is token/secret is used by `assign-to-agent:` safe outputs to programmatically assign Copilot coding agent to issues or pull requests.
 
 **Setup**:
 
@@ -352,22 +352,19 @@ gh aw secrets set GH_AW_AGENT_TOKEN --value "YOUR_AGENT_PAT"
 
 `GH_AW_AGENT_TOKEN` -> `GH_AW_GITHUB_TOKEN` -> `GITHUB_TOKEN`.
 
-**Notes**:
+**Resource owner requirements**: The token's resource owner must match the repository ownership:
+- **User-owned repositories**: Use a token where the resource owner is your user account
+- **Organization-owned repositories**: Use a token where the resource owner is the organization
 
-**Two ways to assign Copilot agents**
+This ensures the token has the appropriate permissions to assign agents to issues and pull requests in the repository.
 
-There are two different methods for assigning GitHub Copilot agents to issues or pull requests. Both methods use the same token (`GH_AW_AGENT_TOKEN`) and GraphQL API to perform the assignment:
+**Note: There are two ways to assign the GitHub platform's asynchronous [Copilot coding agent](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent)** (CCA)
 
-1. **Via `assign-to-agent` safe output**: Use when you need to programmatically assign agents to existing issues or PRs through workflow automation. This is a standalone operation that requires the token documented on this page.
+There are two different methods for assigning issues or pull requests to CCA. Both methods use the same token (`GH_AW_AGENT_TOKEN`) and GraphQL API to perform the assignment:
 
-```yaml
-safe-outputs:
-  assign-to-agent:
-    name: "copilot"
-    allowed: [copilot]
-```
+1. Via [`assign-to-agent` safe output**](/gh-aw/reference/safe-outputs/#assign-to-agent-assign-to-agent)
 
-2. **Via `assignees` field in `create-issue`**: Use when creating new issues through workflows and want to assign the agent immediately. When `copilot` is in the assignees list, it is automatically filtered out and assigned via GraphQL in a separate step after issue creation (using the same token and API as method 1).
+2. Via [`assignees` field in `create-issue` safe output](/gh-aw/reference/safe-outputs/#issue-creation-create-issue): Use when creating new issues through workflows and want to assign the agent immediately. When `copilot` is in the assignees list, it is automatically filtered out and assigned via GraphQL in a separate step after issue creation (using the same token and API as method 1).
 
 ```yaml
 safe-outputs:
@@ -377,16 +374,6 @@ safe-outputs:
 
 Both methods result in the same outcome as [manually assigning issues to Copilot through the GitHub UI](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/create-a-pr#assigning-an-issue-to-copilot). Method 2 is simpler when creating issues, while method 1 provides fine-grained control for existing issues.
 
-**Technical implementation**: Both methods use the GraphQL `replaceActorsForAssignable` mutation to assign the `copilot-swe-agent` bot to issues or PRs. Both follow the token precedence and fallback behavior documented above.
-
-See [GitHub's official documentation on assigning issues to Copilot](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent) for more details on the Copilot coding agent.
-
-**Resource owner requirements**: The token's resource owner must match the repository ownership:
-- **User-owned repositories**: Use a token where the resource owner is your user account
-- **Organization-owned repositories**: Use a token where the resource owner is the organization
-
-This ensures the token has the appropriate permissions to assign agents to issues and pull requests in the repository.
-
 ---
 
 ## Using a GitHub App for authentication
diff --git a/docs/src/content/docs/reference/faq.md b/docs/src/content/docs/reference/faq.md
index 3f702b06f1..be81341ab9 100644
--- a/docs/src/content/docs/reference/faq.md
+++ b/docs/src/content/docs/reference/faq.md
@@ -261,9 +261,9 @@ safe-outputs:
 
 This requires both `contents: write` + `pull-requests: write` (for PR attempt) and `issues: write` (for fallback).
 
-**Option 2: Use create-issue directly with Copilot assignment**
+**Option 2: Use create-issue directly with Copilot coding agent assignment**
 
-Create an issue describing the desired changes and assign it to Copilot for automated implementation:
+Create an issue describing the desired changes and assign it to Copilot coding agent for automated implementation:
 
 ```yaml wrap
 safe-outputs:
@@ -272,7 +272,7 @@ safe-outputs:
     labels: [automation, enhancement] # Add tracking labels
 ```
 
-When assigned to Copilot, the issue can be automatically picked up for processing in a separate workflow or manually reviewed by the Copilot agent to create the PR.
+When assigned to Copilot, the issue can be automatically picked up for processing in a separate workflow or manually reviewed by the Copilot coding agent to create the PR.
 
 **Option 3: Disable issue fallback to save permissions**
 
diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md
index ea6cab61d6..cd571d5337 100644
--- a/docs/src/content/docs/reference/frontmatter-full.md
+++ b/docs/src/content/docs/reference/frontmatter-full.md
@@ -1899,13 +1899,13 @@ safe-outputs:
   # Option 2: Enable issue creation with default configuration
   create-issue: null
 
-  # Enable creation of GitHub Copilot agent tasks from workflow output. Allows
+  # Enable creation of GitHub Copilot coding agent tasks from workflow output. Allows
   # workflows to spawn new agent sessions for follow-up work.
   # (optional)
   # This field supports multiple formats (oneOf):
 
   # Option 1: DEPRECATED: Use 'create-agent-session' instead. Configuration for
-  # creating GitHub Copilot agent sessions from agentic workflow output using gh
+  # creating GitHub Copilot coding agent sessions from agentic workflow output using gh
   # agent-task CLI. The main job does not need write permissions.
   create-agent-task:
     # Base branch for the agent session pull request. Defaults to the current branch
@@ -1938,12 +1938,12 @@ safe-outputs:
   # Option 2: Enable agent session creation with default configuration
   create-agent-task: null
 
-  # Enable creation of GitHub Copilot agent sessions from workflow output. Allows
+  # Enable creation of GitHub Copilot coding agent sessions from workflow output. Allows
   # workflows to start interactive agent conversations.
   # (optional)
   # This field supports multiple formats (oneOf):
 
-  # Option 1: Configuration for creating GitHub Copilot agent sessions from agentic
+  # Option 1: Configuration for creating GitHub Copilot coding agent sessions from agentic
   # workflow output using gh agent-task CLI. The main job does not need write
   # permissions.
   create-agent-session:
@@ -2969,7 +2969,7 @@ safe-outputs:
   # Option 1: Null configuration uses default agent (copilot)
   assign-to-agent: null
 
-  # Option 2: Configuration for assigning GitHub Copilot agents to issues from
+  # Option 2: Configuration for assigning GitHub Copilot coding agent to issues from
   # agentic workflow output
   assign-to-agent:
     # Default agent name to assign (default: 'copilot')
@@ -3777,15 +3777,6 @@ safe-inputs:
 # (optional)
 runtimes:
   {}
-
-# GitHub token expression to use for all steps that require GitHub authentication.
-# Typically a secret reference like ${{ secrets.GITHUB_TOKEN }} or ${{
-# secrets.CUSTOM_PAT }}. If not specified, defaults to ${{
-# secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}. This value can be
-# overridden by safe-outputs github-token or individual safe-output github-token
-# fields.
-# (optional)
-github-token: "${{ secrets.GITHUB_TOKEN }}"
 ---
 ```
 
diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md
index 30897156f9..152334c27b 100644
--- a/docs/src/content/docs/reference/frontmatter.md
+++ b/docs/src/content/docs/reference/frontmatter.md
@@ -22,7 +22,7 @@ tools:
 
 ## Frontmatter Elements
 
-The frontmatter combines standard GitHub Actions properties (`on`, `permissions`, `run-name`, `runs-on`, `timeout-minutes`, `concurrency`, `env`, `environment`, `container`, `services`, `if`, `steps`, `cache`) with GitHub Agentic Workflows-specific elements (`description`, `source`, `github-token`, `imports`, `engine`, `strict`, `roles`, `features`, `plugins`, `runtimes`, `safe-inputs`, `safe-outputs`, `network`, `tools`).
+The frontmatter combines standard GitHub Actions properties (`on`, `permissions`, `run-name`, `runs-on`, `timeout-minutes`, `concurrency`, `env`, `environment`, `container`, `services`, `if`, `steps`, `cache`) with GitHub Agentic Workflows-specific elements (`description`, `source`, `imports`, `engine`, `strict`, `roles`, `features`, `plugins`, `runtimes`, `safe-inputs`, `safe-outputs`, `network`, `tools`).
 
 Tool configurations (such as `bash`, `edit`, `github`, `web-fetch`, `web-search`, `playwright`, `cache-memory`, and custom [Model Context Protocol](/gh-aw/reference/glossary/#mcp-model-context-protocol) (MCP) [servers](/gh-aw/reference/glossary/#mcp-server)) are specified under the `tools:` key. Custom inline tools can be defined with the [`safe-inputs:`](/gh-aw/reference/safe-inputs/) (custom tools defined inline) key. See [Tools](/gh-aw/reference/tools/) and [Safe Inputs](/gh-aw/reference/safe-inputs/) for complete documentation.
 
@@ -84,23 +84,6 @@ metadata:
 
 Metadata provides a flexible way to add descriptive information to workflows without affecting execution.
 
-### GitHub Token (`github-token:`)
-
-Configures the default GitHub token for engine authentication, checkout steps, and safe-output operations.
-
-```yaml wrap
-github-token: ${{ secrets.CUSTOM_PAT }}
-```
-
-**Token precedence** (highest to lowest):
-
-1. Individual safe-output `github-token` (e.g., `create-issue.github-token`)
-2. Safe-outputs global `github-token`
-3. Top-level `github-token`
-4. Default: `${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}`
-
-See [Authentication](/gh-aw/reference/auth/) for complete documentation.
-
 ### Plugins (`plugins:`)
 
 :::caution[Experimental Feature]
@@ -127,10 +110,9 @@ plugins:
 
 **Token precedence** for plugin installation (highest to lowest):
 1. Custom `plugins.github-token` from object format
-2. Custom top-level `github-token`
-3. `${{ secrets.GH_AW_PLUGINS_TOKEN }}`
-4. `${{ secrets.GH_AW_GITHUB_TOKEN }}`
-5. `${{ secrets.GITHUB_TOKEN }}` (default)
+2. `${{ secrets.GH_AW_PLUGINS_TOKEN }}`
+3. `${{ secrets.GH_AW_GITHUB_TOKEN }}`
+4. `${{ secrets.GITHUB_TOKEN }}` (default)
 
 Each plugin repository must be specified in `org/repo` format. The compiler generates installation steps that run after the engine CLI is installed but before workflow execution begins.
 
diff --git a/docs/src/content/docs/reference/safe-outputs-specification.md b/docs/src/content/docs/reference/safe-outputs-specification.md
index d6f23c58a0..01cb73599c 100644
--- a/docs/src/content/docs/reference/safe-outputs-specification.md
+++ b/docs/src/content/docs/reference/safe-outputs-specification.md
@@ -2445,7 +2445,7 @@ This section provides complete definitions for all remaining safe output types.
 
 #### Type: assign_to_agent
 
-**Purpose**: Assign GitHub Copilot agents to issues or pull requests.
+**Purpose**: Assign GitHub Copilot coding agent to issues or pull requests.
 
 **Default Max**: 1  
 **Cross-Repository Support**: Yes  
@@ -2462,7 +2462,7 @@ This section provides complete definitions for all remaining safe output types.
 - `metadata: read` - Repository metadata (automatically granted)
 
 **Notes**:
-- Uses special assignee syntax for Copilot agent assignment
+- Uses special assignee syntax for Copilot coding agent assignment
 - Agent must be enabled in repository settings
 
 ---
@@ -2739,7 +2739,7 @@ This section provides complete definitions for all remaining safe output types.
 
 #### Type: create_agent_session
 
-**Purpose**: Create GitHub Copilot agent sessions for code change delegation.
+**Purpose**: Create GitHub Copilot coding agent sessions for code change delegation.
 
 **Default Max**: 1  
 **Cross-Repository Support**: No (same repository only)  
diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md
index fe1863ae1d..b1cf3963e2 100644
--- a/docs/src/content/docs/reference/safe-outputs.md
+++ b/docs/src/content/docs/reference/safe-outputs.md
@@ -52,7 +52,7 @@ The agent requests issue creation; a separate job with `issues: write` creates i
 - [**Remove Labels**](#remove-labels-remove-labels) (`remove-labels`) - Remove labels from issues or PRs (max: 3)
 - [**Add Reviewer**](#add-reviewer-add-reviewer) (`add-reviewer`) - Add reviewers to pull requests (max: 3)
 - [**Assign Milestone**](#assign-milestone-assign-milestone) (`assign-milestone`) - Assign issues to milestones (max: 1)
-- [**Assign to Agent**](#assign-to-agent-assign-to-agent) (`assign-to-agent`) - Assign Copilot agents to issues or PRs (max: 1)
+- [**Assign to Agent**](#assign-to-agent-assign-to-agent) (`assign-to-agent`) - Assign Copilot coding agent to issues or PRs (max: 1)
 - [**Assign to User**](#assign-to-user-assign-to-user) (`assign-to-user`) - Assign users to issues (max: 1)
 - [**Unassign from User**](#unassign-from-user-unassign-from-user) (`unassign-from-user`) - Remove user assignments from issues or PRs (max: 1)
 
@@ -69,7 +69,7 @@ The agent requests issue creation; a separate job with `issues: write` creates i
 - [**Dispatch Workflow**](#workflow-dispatch-dispatch-workflow) (`dispatch-workflow`) - Trigger other workflows with inputs (max: 3, same-repo only)
 - [**Code Scanning Alerts**](#code-scanning-alerts-create-code-scanning-alert) (`create-code-scanning-alert`) - Generate SARIF security advisories (max: unlimited, same-repo only)
 - [**Autofix Code Scanning Alerts**](#autofix-code-scanning-alerts-autofix-code-scanning-alert) (`autofix-code-scanning-alert`) - Create automated fixes for code scanning alerts (max: 10, same-repo only)
-- [**Create Agent Session**](#agent-session-creation-create-agent-session) (`create-agent-session`) - Create Copilot agent sessions (max: 1)
+- [**Create Agent Session**](#agent-session-creation-create-agent-session) (`create-agent-session`) - Create Copilot coding agent sessions (max: 1)
 
 ### System Types (Auto-Enabled)
 
@@ -1289,11 +1289,11 @@ A workflow can trigger deployment and testing workflows as separate, trackable r
 
 ### Agent Session Creation (`create-agent-session:`)
 
-Creates Copilot agent sessions. Requires `COPILOT_GITHUB_TOKEN` or `GH_AW_GITHUB_TOKEN` PAT-default `GITHUB_TOKEN` lacks permissions.
+Creates Copilot coding agent sessions. Requires `COPILOT_GITHUB_TOKEN` or `GH_AW_GITHUB_TOKEN` PAT-default `GITHUB_TOKEN` lacks permissions.
 
 ### Assign to Agent (`assign-to-agent:`)
 
-Programmatically assigns GitHub Copilot agents to **existing** issues or pull requests through workflow automation. This safe output automates the [standard GitHub workflow for assigning issues to Copilot](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/create-a-pr#assigning-an-issue-to-copilot). Requires fine-grained PAT with actions, contents, issues, pull requests write access stored as `GH_AW_AGENT_TOKEN`, or GitHub App token. Supported agents: `copilot` (`copilot-swe-agent`).
+Programmatically assigns GitHub Copilot coding agent to **existing** issues or pull requests through workflow automation. This safe output automates the [standard GitHub workflow for assigning issues to Copilot](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/create-a-pr#assigning-an-issue-to-copilot). Requires fine-grained PAT with actions, contents, issues, pull requests write access stored as `GH_AW_AGENT_TOKEN`, or GitHub App token. Supported agents: `copilot` (`copilot-swe-agent`).
 
 Auto-resolves target from workflow context (issue/PR events) when `issue_number` or `pull_number` not explicitly provided. Restrict with `allowed` list. Target: `"triggering"` (default), `"*"` (any), or number.
 
@@ -1344,7 +1344,7 @@ When `allowed` list is configured, existing agent assignees not in the list are
 > 
 > **Important**: Both methods use the **same token** (`GH_AW_AGENT_TOKEN`) and **same GraphQL API** (`replaceActorsForAssignable` mutation) to assign copilot. When you use `assignees: copilot` in create-issue, the copilot assignee is automatically filtered out and assigned in a separate post-step using the agent token and GraphQL, identical to the `assign-to-agent` safe output.
 > 
-> Both methods result in the same outcome as [manually assigning issues to Copilot through the GitHub UI](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/create-a-pr#assigning-an-issue-to-copilot). See [Authentication](/gh-aw/reference/auth/#gh_aw_agent_token) for token configuration details and [GitHub's official Copilot coding agent documentation](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent) for more about the Copilot agent.
+> Both methods result in the same outcome as [manually assigning issues to Copilot through the GitHub UI](https://docs.github.com/en/copilot/how-tos/use-copilot-agents/coding-agent/create-a-pr#assigning-an-issue-to-copilot). See [Authentication](/gh-aw/reference/auth/#gh_aw_agent_token) for token configuration details and [GitHub's official Copilot coding agent documentation](https://docs.github.com/en/copilot/concepts/agents/coding-agent/about-coding-agent) for more about the Copilot coding agent.
 
 ### Assign to User (`assign-to-user:`)
 
diff --git a/docs/src/content/docs/setup/cli.md b/docs/src/content/docs/setup/cli.md
index a04fd020b2..2403a008f6 100644
--- a/docs/src/content/docs/setup/cli.md
+++ b/docs/src/content/docs/setup/cli.md
@@ -315,7 +315,7 @@ gh aw logs "ci failure doctor"             # Case-insensitive display name
 
 #### `audit`
 
-Analyze specific runs with overview, metrics, tool usage, MCP failures, firewall analysis, noops, and artifacts. Accepts run IDs, workflow run URLs, job URLs, and step-level URLs. Auto-detects Copilot agent runs for specialized parsing. Job URLs automatically extract specific job logs; step URLs extract specific steps; without step, extracts first failing step.
+Analyze specific runs with overview, metrics, tool usage, MCP failures, firewall analysis, noops, and artifacts. Accepts run IDs, workflow run URLs, job URLs, and step-level URLs. Auto-detects Copilot coding agent runs for specialized parsing. Job URLs automatically extract specific job logs; step URLs extract specific steps; without step, extracts first failing step.
 
 ```bash wrap
 gh aw audit 12345678                                      # By run ID
diff --git a/pkg/cli/commands.go b/pkg/cli/commands.go
index b1b8d0c7f1..5b29bc4b66 100644
--- a/pkg/cli/commands.go
+++ b/pkg/cli/commands.go
@@ -292,7 +292,7 @@ permissions:
 safe-outputs:
   create-issue:          # Creates issues (default max: 1)
     max: 5               # Optional: specify maximum number
-  # create-agent-session:   # Creates GitHub Copilot agent sessions (max: 1)
+  # create-agent-session:   # Creates GitHub Copilot coding agent sessions (max: 1)
   # create-pull-request: # Creates exactly one pull request
   # add-comment:   # Adds comments (default max: 1)
   #   max: 2             # Optional: specify maximum number
diff --git a/pkg/cli/copilot_agent.go b/pkg/cli/copilot_agent.go
index 04c33531cf..f0bda9e3b2 100644
--- a/pkg/cli/copilot_agent.go
+++ b/pkg/cli/copilot_agent.go
@@ -14,14 +14,14 @@ import (
 
 var copilotAgentLog = logger.New("cli:copilot_agent")
 
-// CopilotAgentDetector contains heuristics to detect if a workflow run was executed by GitHub Copilot agent
+// CopilotAgentDetector contains heuristics to detect if a workflow run was executed by GitHub Copilot coding agent
 type CopilotAgentDetector struct {
 	runDir       string
 	verbose      bool
 	workflowPath string // Optional: workflow file path from GitHub API (e.g., .github/workflows/copilot-swe-agent.yml)
 }
 
-// NewCopilotAgentDetector creates a new detector for GitHub Copilot agent runs
+// NewCopilotAgentDetector creates a new detector for GitHub Copilot coding agent runs
 func NewCopilotAgentDetector(runDir string, verbose bool) *CopilotAgentDetector {
 	return &CopilotAgentDetector{
 		runDir:  runDir,
@@ -38,15 +38,15 @@ func NewCopilotAgentDetectorWithPath(runDir string, verbose bool, workflowPath s
 	}
 }
 
-// IsGitHubCopilotAgent uses heuristics to determine if this run was executed by GitHub Copilot agent
+// IsGitHubCopilotAgent uses heuristics to determine if this run was executed by GitHub Copilot coding agent
 // (not the Copilot CLI engine or agentic workflows)
 func (d *CopilotAgentDetector) IsGitHubCopilotAgent() bool {
-	copilotAgentLog.Printf("Detecting if run is GitHub Copilot agent: %s", d.runDir)
+	copilotAgentLog.Printf("Detecting if run is GitHub Copilot coding agent: %s", d.runDir)
 
-	// If aw_info.json exists, this is an agentic workflow, NOT a GitHub Copilot agent run
+	// If aw_info.json exists, this is an agentic workflow, NOT a GitHub Copilot coding agent run
 	awInfoPath := filepath.Join(d.runDir, "aw_info.json")
 	if _, err := os.Stat(awInfoPath); err == nil {
-		copilotAgentLog.Print("Found aw_info.json - this is an agentic workflow, not a GitHub Copilot agent")
+		copilotAgentLog.Print("Found aw_info.json - this is an agentic workflow, not a GitHub Copilot coding agent")
 		return false
 	}
 
@@ -68,12 +68,12 @@ func (d *CopilotAgentDetector) IsGitHubCopilotAgent() bool {
 		return true
 	}
 
-	copilotAgentLog.Print("No GitHub Copilot agent indicators found")
+	copilotAgentLog.Print("No GitHub Copilot coding agent indicators found")
 	return false
 }
 
-// hasAgentWorkflowPath checks if the workflow path indicates a Copilot agent run
-// The workflow ID is always "copilot-swe-agent" for GitHub Copilot agent runs
+// hasAgentWorkflowPath checks if the workflow path indicates a Copilot coding agent run
+// The workflow ID is always "copilot-swe-agent" for GitHub Copilot coding agent runs
 func (d *CopilotAgentDetector) hasAgentWorkflowPath() bool {
 	if d.workflowPath == "" {
 		return false
@@ -84,11 +84,11 @@ func (d *CopilotAgentDetector) hasAgentWorkflowPath() bool {
 	filename := filepath.Base(d.workflowPath)
 	workflowID := strings.TrimSuffix(filename, filepath.Ext(filename))
 
-	// GitHub Copilot agent runs always use "copilot-swe-agent" as the workflow ID
+	// GitHub Copilot coding agent runs always use "copilot-swe-agent" as the workflow ID
 	if workflowID == "copilot-swe-agent" {
 		if d.verbose {
 			fmt.Fprintln(os.Stderr, console.FormatInfoMessage(
-				fmt.Sprintf("Detected GitHub Copilot agent from workflow path: %s (ID: %s)", d.workflowPath, workflowID)))
+				fmt.Sprintf("Detected GitHub Copilot coding agent from workflow path: %s (ID: %s)", d.workflowPath, workflowID)))
 		}
 		return true
 	}
@@ -96,9 +96,9 @@ func (d *CopilotAgentDetector) hasAgentWorkflowPath() bool {
 	return false
 }
 
-// hasAgentLogPatterns checks log files for patterns specific to GitHub Copilot agent
+// hasAgentLogPatterns checks log files for patterns specific to GitHub Copilot coding agent
 func (d *CopilotAgentDetector) hasAgentLogPatterns() bool {
-	// Patterns that indicate GitHub Copilot agent (not Copilot CLI)
+	// Patterns that indicate GitHub Copilot coding agent (not Copilot CLI)
 	agentPatterns := []*regexp.Regexp{
 		regexp.MustCompile(`(?i)github.*copilot.*agent`),
 		regexp.MustCompile(`(?i)copilot-swe-agent`),
@@ -140,7 +140,7 @@ func (d *CopilotAgentDetector) hasAgentLogPatterns() bool {
 	return found
 }
 
-// hasAgentArtifacts checks for artifacts specific to GitHub Copilot agent runs
+// hasAgentArtifacts checks for artifacts specific to GitHub Copilot coding agent runs
 func (d *CopilotAgentDetector) hasAgentArtifacts() bool {
 	// Check for agent-specific artifact patterns
 	agentArtifacts := []string{
@@ -180,10 +180,10 @@ func readLogHeader(path string, maxBytes int) (string, error) {
 	return string(buffer[:n]), nil
 }
 
-// ParseCopilotAgentLogMetrics extracts metrics from GitHub Copilot agent logs
+// ParseCopilotAgentLogMetrics extracts metrics from GitHub Copilot coding agent logs
 // This is different from Copilot CLI logs and requires specialized parsing
 func ParseCopilotAgentLogMetrics(logContent string, verbose bool) workflow.LogMetrics {
-	copilotAgentLog.Printf("Parsing GitHub Copilot agent log metrics: %d bytes", len(logContent))
+	copilotAgentLog.Printf("Parsing GitHub Copilot coding agent log metrics: %d bytes", len(logContent))
 
 	var metrics workflow.LogMetrics
 	var maxTokenUsage int
@@ -193,7 +193,7 @@ func ParseCopilotAgentLogMetrics(logContent string, verbose bool) workflow.LogMe
 	var currentSequence []string
 	turns := 0
 
-	// GitHub Copilot agent log patterns
+	// GitHub Copilot coding agent log patterns
 	// These patterns are designed to match the specific log format of the agent
 	turnPattern := regexp.MustCompile(`(?i)task.*iteration|agent.*turn|step.*\d+`)
 	toolCallPattern := regexp.MustCompile(`(?i)tool.*call|executing.*tool|calling.*(\w+)`)
diff --git a/pkg/cli/copilot_agent_test.go b/pkg/cli/copilot_agent_test.go
index aa1b0cce40..bc5f9d391e 100644
--- a/pkg/cli/copilot_agent_test.go
+++ b/pkg/cli/copilot_agent_test.go
@@ -289,8 +289,8 @@ func TestExtractErrorMessage(t *testing.T) {
 }
 
 func TestIntegration_CopilotAgentWithAudit(t *testing.T) {
-	// Create a temporary directory that simulates a GitHub Copilot agent run
-	// NOTE: GitHub Copilot agent runs do NOT have aw_info.json (that's for agentic workflows)
+	// Create a temporary directory that simulates a GitHub Copilot coding agent run
+	// NOTE: GitHub Copilot coding agent runs do NOT have aw_info.json (that's for agentic workflows)
 	tmpDir, err := os.MkdirTemp("", "copilot-agent-integration-*")
 	if err != nil {
 		t.Fatalf("Failed to create temp dir: %v", err)
@@ -313,10 +313,10 @@ Tool call: github_create_pr
 		t.Fatalf("Failed to write log file: %v", err)
 	}
 
-	// Verify detector recognizes this as a GitHub Copilot agent run (no aw_info.json)
+	// Verify detector recognizes this as a GitHub Copilot coding agent run (no aw_info.json)
 	detector := NewCopilotAgentDetector(tmpDir, false)
 	if !detector.IsGitHubCopilotAgent() {
-		t.Error("Expected GitHub Copilot agent to be detected from log patterns")
+		t.Error("Expected GitHub Copilot coding agent to be detected from log patterns")
 	}
 
 	// Test: Extract metrics using the system that would be used by audit
@@ -325,7 +325,7 @@ Tool call: github_create_pr
 		t.Fatalf("extractLogMetrics failed: %v", err)
 	}
 
-	// Verify that GitHub Copilot agent parser was used (indicated by extracted metrics)
+	// Verify that GitHub Copilot coding agent parser was used (indicated by extracted metrics)
 	if metrics.Turns < 1 {
 		t.Errorf("Expected turns to be parsed from agent log, got %d", metrics.Turns)
 	}
diff --git a/pkg/cli/interactive.go b/pkg/cli/interactive.go
index 13a3fb75e1..78db9cb3d6 100644
--- a/pkg/cli/interactive.go
+++ b/pkg/cli/interactive.go
@@ -136,7 +136,7 @@ func (b *InteractiveWorkflowBuilder) promptForConfiguration() error {
 	// Prepare safe output options
 	outputOptions := []huh.Option[string]{
 		huh.NewOption("create-issue - Create GitHub issues", "create-issue"),
-		huh.NewOption("create-agent-task - Create GitHub Copilot agent tasks", "create-agent-task"),
+		huh.NewOption("create-agent-task - Create GitHub Copilot coding agent tasks", "create-agent-task"),
 		huh.NewOption("add-comment - Add comments to issues/PRs", "add-comment"),
 		huh.NewOption("create-pull-request - Create pull requests", "create-pull-request"),
 		huh.NewOption("create-pull-request-review-comment - Add code review comments to PRs", "create-pull-request-review-comment"),
diff --git a/pkg/cli/logs_metrics.go b/pkg/cli/logs_metrics.go
index dbcdc75b78..3637502bb5 100644
--- a/pkg/cli/logs_metrics.go
+++ b/pkg/cli/logs_metrics.go
@@ -33,7 +33,7 @@ var logsMetricsLog = logger.New("cli:logs_metrics")
 var extractJSONMetrics = workflow.ExtractJSONMetrics
 
 // extractLogMetrics extracts metrics from downloaded log files
-// workflowPath is optional and can be provided to help detect GitHub Copilot agent runs
+// workflowPath is optional and can be provided to help detect GitHub Copilot coding agent runs
 func extractLogMetrics(logDir string, verbose bool, workflowPath ...string) (LogMetrics, error) {
 	logsMetricsLog.Printf("Extracting log metrics from: %s", logDir)
 	var metrics LogMetrics
@@ -41,7 +41,7 @@ func extractLogMetrics(logDir string, verbose bool, workflowPath ...string) (Log
 		fmt.Fprintln(os.Stderr, console.FormatVerboseMessage(fmt.Sprintf("Beginning metric extraction in %s", logDir)))
 	}
 
-	// First check if this is a GitHub Copilot agent run (not Copilot CLI)
+	// First check if this is a GitHub Copilot coding agent run (not Copilot CLI)
 	var detector *CopilotAgentDetector
 	if len(workflowPath) > 0 && workflowPath[0] != "" {
 		detector = NewCopilotAgentDetectorWithPath(logDir, verbose, workflowPath[0])
@@ -49,10 +49,10 @@ func extractLogMetrics(logDir string, verbose bool, workflowPath ...string) (Log
 		detector = NewCopilotAgentDetector(logDir, verbose)
 	}
 	isGitHubCopilotAgent := detector.IsGitHubCopilotAgent()
-	logsMetricsLog.Printf("GitHub Copilot agent detected: %v", isGitHubCopilotAgent)
+	logsMetricsLog.Printf("GitHub Copilot coding agent detected: %v", isGitHubCopilotAgent)
 
 	if isGitHubCopilotAgent && verbose {
-		fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Detected GitHub Copilot agent run, using specialized parser"))
+		fmt.Fprintln(os.Stderr, console.FormatInfoMessage("Detected GitHub Copilot coding agent run, using specialized parser"))
 	}
 
 	// First check for aw_info.json to determine the engine
diff --git a/pkg/cli/logs_parsing_engines.go b/pkg/cli/logs_parsing_engines.go
index d3bd8ba758..43ccd8fe23 100644
--- a/pkg/cli/logs_parsing_engines.go
+++ b/pkg/cli/logs_parsing_engines.go
@@ -4,7 +4,7 @@
 //
 // Key responsibilities:
 //   - Parsing log files using engine-specific parsers
-//   - Detecting and parsing GitHub Copilot agent logs
+//   - Detecting and parsing GitHub Copilot coding agent logs
 //   - Falling back to generic parser when engine is unknown
 
 package cli
@@ -33,9 +33,9 @@ func parseLogFileWithEngine(filePath string, detectedEngine workflow.CodingAgent
 	logContent := string(content)
 	logsParsingEnginesLog.Printf("Read %d bytes from log file", len(logContent))
 
-	// If this is a GitHub Copilot agent run, use the specialized parser
+	// If this is a GitHub Copilot coding agent run, use the specialized parser
 	if isGitHubCopilotAgent {
-		logsParsingEnginesLog.Print("Using GitHub Copilot agent parser")
+		logsParsingEnginesLog.Print("Using GitHub Copilot coding agent parser")
 		return ParseCopilotAgentLogMetrics(logContent, verbose), nil
 	}
 
diff --git a/pkg/cli/workflows/test-assign-to-agent.md b/pkg/cli/workflows/test-assign-to-agent.md
index abb0926f0d..cae86dd8fa 100644
--- a/pkg/cli/workflows/test-assign-to-agent.md
+++ b/pkg/cli/workflows/test-assign-to-agent.md
@@ -17,7 +17,7 @@ permissions:
   issues: read
   pull-requests: read
 
-# NOTE: Assigning Copilot agents requires:
+# NOTE: Assigning Copilot coding agent requires:
 # 1. A Personal Access Token (PAT) or GitHub App token with repo scope
 #    - The standard GITHUB_TOKEN does NOT have permission to assign bot agents
 #    - Create a PAT at: https://github.com/settings/tokens
@@ -48,9 +48,9 @@ This workflow tests the `assign_to_agent` safe output feature with automatic tar
 ## Task
 
 **For issues event:**
-Assign the Copilot agent to the triggering issue using the `assign_to_agent` tool from the `safeoutputs` MCP server. The issue number will be auto-resolved from the workflow context.
+Assign the Copilot coding agent to the triggering issue using the `assign_to_agent` tool from the `safeoutputs` MCP server. The issue number will be auto-resolved from the workflow context.
 
 **For workflow_dispatch:**
-Assign the Copilot agent to issue #${{ github.event.inputs.issue_number }} by providing the explicit issue number.
+Assign the Copilot coding agent to issue #${{ github.event.inputs.issue_number }} by providing the explicit issue number.
 
 The `assign_to_agent` tool will handle the actual assignment using the configured GH_AW_AGENT_TOKEN.
diff --git a/pkg/cli/workflows/test-copilot-create-agent-session.md b/pkg/cli/workflows/test-copilot-create-agent-session.md
index 4ac93fba42..3b288948d1 100644
--- a/pkg/cli/workflows/test-copilot-create-agent-session.md
+++ b/pkg/cli/workflows/test-copilot-create-agent-session.md
@@ -12,4 +12,4 @@ safe-outputs:
 
 Test workflow for the create-agent-session safe output.
 
-Create a GitHub Copilot agent session to improve code quality in the repository.
+Create a GitHub Copilot coding agent session to improve code quality in the repository.
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index b5a7a65e02..42aa06080b 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -4046,7 +4046,7 @@
           "oneOf": [
             {
               "type": "object",
-              "description": "DEPRECATED: Use 'create-agent-session' instead. Configuration for creating GitHub Copilot agent sessions from agentic workflow output using gh agent-task CLI. The main job does not need write permissions.",
+              "description": "DEPRECATED: Use 'create-agent-session' instead. Configuration for creating GitHub Copilot coding agent sessions from agentic workflow output using gh agent-task CLI. The main job does not need write permissions.",
               "deprecated": true,
               "properties": {
                 "base": {
@@ -4082,13 +4082,13 @@
               "description": "Enable agent session creation with default configuration"
             }
           ],
-          "description": "Enable creation of GitHub Copilot agent tasks from workflow output. Allows workflows to spawn new agent sessions for follow-up work."
+          "description": "Enable creation of GitHub Copilot coding agent tasks from workflow output. Allows workflows to spawn new agent sessions for follow-up work."
         },
         "create-agent-session": {
           "oneOf": [
             {
               "type": "object",
-              "description": "Configuration for creating GitHub Copilot agent sessions from agentic workflow output using gh agent-task CLI. The main job does not need write permissions.",
+              "description": "Configuration for creating GitHub Copilot coding agent sessions from agentic workflow output using gh agent-task CLI. The main job does not need write permissions.",
               "properties": {
                 "base": {
                   "type": "string",
@@ -4123,7 +4123,7 @@
               "description": "Enable agent session creation with default configuration"
             }
           ],
-          "description": "Enable creation of GitHub Copilot agent sessions from workflow output. Allows workflows to start interactive agent conversations."
+          "description": "Enable creation of GitHub Copilot coding agent sessions from workflow output. Allows workflows to start interactive agent conversations."
         },
         "update-project": {
           "oneOf": [
@@ -5354,7 +5354,7 @@
             },
             {
               "type": "object",
-              "description": "Configuration for assigning GitHub Copilot agents to issues from agentic workflow output",
+              "description": "Configuration for assigning GitHub Copilot coding agent to issues from agentic workflow output",
               "properties": {
                 "name": {
                   "type": "string",
@@ -6666,10 +6666,6 @@
         }
       },
       "additionalProperties": false
-    },
-    "github-token": {
-      "$ref": "#/$defs/github_token",
-      "description": "GitHub token expression to use for all steps that require GitHub authentication. Typically a secret reference like ${{ secrets.GITHUB_TOKEN }} or ${{ secrets.CUSTOM_PAT }}. If not specified, defaults to ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}. This value can be overridden by safe-outputs github-token or individual safe-output github-token fields."
     }
   },
   "additionalProperties": false,
diff --git a/pkg/workflow/agentic_workflow_test.go b/pkg/workflow/agentic_workflow_test.go
index 1d14afda08..792e249b4b 100644
--- a/pkg/workflow/agentic_workflow_test.go
+++ b/pkg/workflow/agentic_workflow_test.go
@@ -33,13 +33,6 @@ func workflowDataWithAgenticWorkflows(options ...func(*WorkflowData)) *WorkflowD
 	return wd
 }
 
-// withCustomToken is an option for workflowDataWithAgenticWorkflows
-func withCustomToken(token string) func(*WorkflowData) {
-	return func(wd *WorkflowData) {
-		wd.GitHubToken = token
-	}
-}
-
 // withImportedFiles is an option for workflowDataWithAgenticWorkflows
 func withImportedFiles(files ...string) func(*WorkflowData) {
 	return func(wd *WorkflowData) {
@@ -173,35 +166,6 @@ func TestAgenticWorkflowsInstallStepIncludesGHToken(t *testing.T) {
 		"install step should copy gh-aw binary to /opt/gh-aw for MCP server containerization")
 }
 
-func TestAgenticWorkflowsInstallStepWithCustomToken(t *testing.T) {
-	// Create workflow data using helper with custom token option
-	workflowData := workflowDataWithAgenticWorkflows(
-		withCustomToken("${{ secrets.CUSTOM_PAT }}"),
-	)
-
-	// Create compiler using helper
-	c := testCompiler()
-
-	// Generate MCP setup
-	var yaml strings.Builder
-	engine := NewCopilotEngine()
-
-	c.generateMCPSetup(&yaml, workflowData.Tools, engine, workflowData)
-	result := yaml.String()
-
-	// Verify the install step is present
-	assert.Contains(t, result, "Install gh-aw extension",
-		"MCP setup should include gh-aw installation step even with custom token")
-
-	// Verify GH_TOKEN environment variable is set with the custom token
-	assert.Contains(t, result, "GH_TOKEN: ${{ secrets.CUSTOM_PAT }}",
-		"install step should use custom GitHub token when specified in workflow config")
-
-	// Verify it doesn't use the default token when custom is provided
-	assert.NotContains(t, result, "GH_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
-		"install step should not use default token fallback when custom token is specified")
-}
-
 func TestAgenticWorkflowsInstallStepSkippedWithImport(t *testing.T) {
 	// Create workflow data using helper with imported files option
 	workflowData := workflowDataWithAgenticWorkflows(
diff --git a/pkg/workflow/codex_engine.go b/pkg/workflow/codex_engine.go
index 475895a3c4..2742dced31 100644
--- a/pkg/workflow/codex_engine.go
+++ b/pkg/workflow/codex_engine.go
@@ -244,8 +244,8 @@ mkdir -p "$CODEX_HOME/logs"
 		}
 	}
 
-	// Get effective GitHub token based on precedence: top-level github-token > default
-	effectiveGitHubToken := getEffectiveGitHubToken("", workflowData.GitHubToken)
+	// Get effective GitHub token based on precedence: custom token > default
+	effectiveGitHubToken := getEffectiveGitHubToken("")
 
 	env := map[string]string{
 		"CODEX_API_KEY":                "${{ secrets.CODEX_API_KEY || secrets.OPENAI_API_KEY }}",
diff --git a/pkg/workflow/compiler_orchestrator_test.go b/pkg/workflow/compiler_orchestrator_test.go
index 584c445c44..2a48301b32 100644
--- a/pkg/workflow/compiler_orchestrator_test.go
+++ b/pkg/workflow/compiler_orchestrator_test.go
@@ -670,7 +670,6 @@ engine: copilot
 name: Test Workflow
 description: Test description
 source: test-source
-github-token: ${{ secrets.GITHUB_TOKEN }}
 ---
 
 # Test Workflow
@@ -690,7 +689,6 @@ Test content
 	assert.Equal(t, "Test Workflow", workflowData.FrontmatterName, "Name should be set")
 	assert.Equal(t, "Test description", workflowData.Description, "Description should be set")
 	assert.Equal(t, "test-source", workflowData.Source, "Source should be set")
-	assert.Equal(t, "${{ secrets.GITHUB_TOKEN }}", workflowData.GitHubToken, "GitHub token should be set")
 	assert.Equal(t, "copilot", workflowData.AI, "AI engine should be set")
 	assert.NotNil(t, workflowData.EngineConfig, "EngineConfig should be set")
 	assert.NotNil(t, workflowData.ParsedTools, "ParsedTools should be initialized")
diff --git a/pkg/workflow/compiler_orchestrator_workflow.go b/pkg/workflow/compiler_orchestrator_workflow.go
index 8ccab3c550..5b06d7c457 100644
--- a/pkg/workflow/compiler_orchestrator_workflow.go
+++ b/pkg/workflow/compiler_orchestrator_workflow.go
@@ -152,7 +152,6 @@ func (c *Compiler) buildInitialWorkflowData(
 		ToolsStartupTimeout:   toolsResult.toolsStartupTimeout,
 		TrialMode:             c.trialMode,
 		TrialLogicalRepo:      c.trialLogicalRepoSlug,
-		GitHubToken:           extractStringFromMap(result.Frontmatter, "github-token", nil),
 		StrictMode:            c.strictMode,
 		SecretMasking:         toolsResult.secretMasking,
 		ParsedFrontmatter:     toolsResult.parsedFrontmatter,
diff --git a/pkg/workflow/compiler_safe_outputs_core.go b/pkg/workflow/compiler_safe_outputs_core.go
index b061d4409d..6ecd710f39 100644
--- a/pkg/workflow/compiler_safe_outputs_core.go
+++ b/pkg/workflow/compiler_safe_outputs_core.go
@@ -21,18 +21,18 @@ func (c *Compiler) hasProjectRelatedSafeOutputs(safeOutputs *SafeOutputsConfig)
 // SafeOutputStepConfig holds configuration for building a single safe output step
 // within the consolidated safe-outputs job
 type SafeOutputStepConfig struct {
-	StepName        string            // Human-readable step name (e.g., "Create Issue")
-	StepID          string            // Step ID for referencing outputs (e.g., "create_issue")
-	Script          string            // JavaScript script to execute (for inline mode)
-	ScriptName      string            // Name of the script in the registry (for file mode)
-	CustomEnvVars   []string          // Environment variables specific to this step
-	Condition       ConditionNode     // Step-level condition (if clause)
-	Token           string            // GitHub token for this step
-	UseCopilotToken bool              // Whether to use Copilot token preference chain
-	UseAgentToken   bool              // Whether to use agent token preference chain
-	PreSteps        []string          // Optional steps to run before the script step
-	PostSteps       []string          // Optional steps to run after the script step
-	Outputs         map[string]string // Outputs from this step
+	StepName                   string            // Human-readable step name (e.g., "Create Issue")
+	StepID                     string            // Step ID for referencing outputs (e.g., "create_issue")
+	Script                     string            // JavaScript script to execute (for inline mode)
+	ScriptName                 string            // Name of the script in the registry (for file mode)
+	CustomEnvVars              []string          // Environment variables specific to this step
+	Condition                  ConditionNode     // Step-level condition (if clause)
+	Token                      string            // GitHub token for this step
+	UseCopilotRequestsToken    bool              // Whether to use Copilot requests token preference chain
+	UseCopilotCodingAgentToken bool              // Whether to use Copilot coding agent token preference chain
+	PreSteps                   []string          // Optional steps to run before the script step
+	PostSteps                  []string          // Optional steps to run after the script step
+	Outputs                    map[string]string // Outputs from this step
 }
 
 // Note: The implementation functions have been moved to focused module files:
diff --git a/pkg/workflow/compiler_safe_outputs_specialized.go b/pkg/workflow/compiler_safe_outputs_specialized.go
index b78454a9ec..7dbc1365f9 100644
--- a/pkg/workflow/compiler_safe_outputs_specialized.go
+++ b/pkg/workflow/compiler_safe_outputs_specialized.go
@@ -74,14 +74,14 @@ func (c *Compiler) buildAssignToAgentStepConfig(data *WorkflowData, mainJobName
 	condition := BuildSafeOutputType("assign_to_agent")
 
 	return SafeOutputStepConfig{
-		StepName:      "Assign To Agent",
-		StepID:        "assign_to_agent",
-		ScriptName:    "assign_to_agent",
-		Script:        getAssignToAgentScript(),
-		CustomEnvVars: customEnvVars,
-		Condition:     condition,
-		Token:         cfg.GitHubToken,
-		UseAgentToken: true,
+		StepName:                   "Assign To Agent",
+		StepID:                     "assign_to_agent",
+		ScriptName:                 "assign_to_agent",
+		Script:                     getAssignToAgentScript(),
+		CustomEnvVars:              customEnvVars,
+		Condition:                  condition,
+		Token:                      cfg.GitHubToken,
+		UseCopilotCodingAgentToken: true,
 	}
 }
 
@@ -96,13 +96,13 @@ func (c *Compiler) buildCreateAgentSessionStepConfig(data *WorkflowData, mainJob
 	condition := BuildSafeOutputType("create_agent_session")
 
 	return SafeOutputStepConfig{
-		StepName:        "Create Agent Session",
-		StepID:          "create_agent_session",
-		Script:          "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();",
-		CustomEnvVars:   customEnvVars,
-		Condition:       condition,
-		Token:           cfg.GitHubToken,
-		UseCopilotToken: true,
+		StepName:                "Create Agent Session",
+		StepID:                  "create_agent_session",
+		Script:                  "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();",
+		CustomEnvVars:           customEnvVars,
+		Condition:               condition,
+		Token:                   cfg.GitHubToken,
+		UseCopilotRequestsToken: true,
 	}
 }
 
@@ -125,9 +125,13 @@ func (c *Compiler) buildCreateProjectStepConfig(data *WorkflowData, mainJobName
 	}
 
 	// Get the effective token using the Projects-specific precedence chain
-	// This includes fallback to GH_AW_PROJECT_GITHUB_TOKEN if no custom token is configured
+	// Precedence: per-config token > safe-outputs level token > GH_AW_PROJECT_GITHUB_TOKEN
 	// Note: Projects v2 requires a PAT or GitHub App - the default GITHUB_TOKEN cannot work
-	effectiveToken := getEffectiveProjectGitHubToken(cfg.GitHubToken, data.GitHubToken)
+	configToken := cfg.GitHubToken
+	if configToken == "" && data.SafeOutputs.GitHubToken != "" {
+		configToken = data.SafeOutputs.GitHubToken
+	}
+	effectiveToken := getEffectiveProjectGitHubToken(configToken)
 
 	// Always expose the effective token as GH_AW_PROJECT_GITHUB_TOKEN environment variable
 	// The JavaScript code checks process.env.GH_AW_PROJECT_GITHUB_TOKEN to provide helpful error messages
diff --git a/pkg/workflow/compiler_safe_outputs_steps.go b/pkg/workflow/compiler_safe_outputs_steps.go
index d97e565769..373367d76c 100644
--- a/pkg/workflow/compiler_safe_outputs_steps.go
+++ b/pkg/workflow/compiler_safe_outputs_steps.go
@@ -38,9 +38,9 @@ func (c *Compiler) buildConsolidatedSafeOutputStep(data *WorkflowData, config Sa
 
 	// With section for github-token
 	steps = append(steps, "        with:\n")
-	if config.UseAgentToken {
+	if config.UseCopilotCodingAgentToken {
 		c.addSafeOutputAgentGitHubTokenForConfig(&steps, data, config.Token)
-	} else if config.UseCopilotToken {
+	} else if config.UseCopilotRequestsToken {
 		c.addSafeOutputCopilotGitHubTokenForConfig(&steps, data, config.Token)
 	} else {
 		c.addSafeOutputGitHubTokenForConfig(&steps, data, config.Token)
@@ -210,12 +210,22 @@ func (c *Compiler) buildHandlerManagerStep(data *WorkflowData) []string {
 	// Check update-project first (highest priority)
 	if data.SafeOutputs.UpdateProjects != nil && data.SafeOutputs.UpdateProjects.Project != "" {
 		projectURL = data.SafeOutputs.UpdateProjects.Project
-		projectToken = getEffectiveProjectGitHubToken(data.SafeOutputs.UpdateProjects.GitHubToken, data.GitHubToken)
+		// Use per-config token, fallback to safe-outputs level token, then default
+		configToken := data.SafeOutputs.UpdateProjects.GitHubToken
+		if configToken == "" && data.SafeOutputs.GitHubToken != "" {
+			configToken = data.SafeOutputs.GitHubToken
+		}
+		projectToken = getEffectiveProjectGitHubToken(configToken)
 		consolidatedSafeOutputsStepsLog.Printf("Setting GH_AW_PROJECT_URL from update-project config: %s", projectURL)
 		consolidatedSafeOutputsStepsLog.Printf("Setting GH_AW_PROJECT_GITHUB_TOKEN from update-project config")
 	} else if data.SafeOutputs.CreateProjectStatusUpdates != nil && data.SafeOutputs.CreateProjectStatusUpdates.Project != "" {
 		projectURL = data.SafeOutputs.CreateProjectStatusUpdates.Project
-		projectToken = getEffectiveProjectGitHubToken(data.SafeOutputs.CreateProjectStatusUpdates.GitHubToken, data.GitHubToken)
+		// Use per-config token, fallback to safe-outputs level token, then default
+		configToken := data.SafeOutputs.CreateProjectStatusUpdates.GitHubToken
+		if configToken == "" && data.SafeOutputs.GitHubToken != "" {
+			configToken = data.SafeOutputs.GitHubToken
+		}
+		projectToken = getEffectiveProjectGitHubToken(configToken)
 		consolidatedSafeOutputsStepsLog.Printf("Setting GH_AW_PROJECT_URL from create-project-status-update config: %s", projectURL)
 		consolidatedSafeOutputsStepsLog.Printf("Setting GH_AW_PROJECT_GITHUB_TOKEN from create-project-status-update config")
 	}
@@ -223,7 +233,12 @@ func (c *Compiler) buildHandlerManagerStep(data *WorkflowData) []string {
 	// Check create-project for token even if no URL is set (create-project doesn't have a project URL field)
 	// This ensures GH_AW_PROJECT_GITHUB_TOKEN is set when create-project is configured
 	if projectToken == "" && data.SafeOutputs.CreateProjects != nil {
-		projectToken = getEffectiveProjectGitHubToken(data.SafeOutputs.CreateProjects.GitHubToken, data.GitHubToken)
+		// Use per-config token, fallback to safe-outputs level token, then default
+		configToken := data.SafeOutputs.CreateProjects.GitHubToken
+		if configToken == "" && data.SafeOutputs.GitHubToken != "" {
+			configToken = data.SafeOutputs.GitHubToken
+		}
+		projectToken = getEffectiveProjectGitHubToken(configToken)
 		consolidatedSafeOutputsStepsLog.Printf("Setting GH_AW_PROJECT_GITHUB_TOKEN from create-project config")
 	}
 
diff --git a/pkg/workflow/compiler_safe_outputs_steps_test.go b/pkg/workflow/compiler_safe_outputs_steps_test.go
index 1b37651954..fd76422af6 100644
--- a/pkg/workflow/compiler_safe_outputs_steps_test.go
+++ b/pkg/workflow/compiler_safe_outputs_steps_test.go
@@ -87,11 +87,11 @@ func TestBuildConsolidatedSafeOutputStep(t *testing.T) {
 		{
 			name: "step with copilot token",
 			config: SafeOutputStepConfig{
-				StepName:        "Copilot Step",
-				StepID:          "copilot",
-				Script:          "console.log('test');",
-				Token:           "${{ secrets.COPILOT_GITHUB_TOKEN }}",
-				UseCopilotToken: true,
+				StepName:                "Copilot Step",
+				StepID:                  "copilot",
+				Script:                  "console.log('test');",
+				Token:                   "${{ secrets.COPILOT_GITHUB_TOKEN }}",
+				UseCopilotRequestsToken: true,
 			},
 			checkContains: []string{
 				"github-token:",
@@ -100,11 +100,11 @@ func TestBuildConsolidatedSafeOutputStep(t *testing.T) {
 		{
 			name: "step with agent token",
 			config: SafeOutputStepConfig{
-				StepName:      "Agent Step",
-				StepID:        "agent",
-				Script:        "console.log('test');",
-				Token:         "${{ secrets.AGENT_TOKEN }}",
-				UseAgentToken: true,
+				StepName:                   "Agent Step",
+				StepID:                     "agent",
+				Script:                     "console.log('test');",
+				Token:                      "${{ secrets.AGENT_TOKEN }}",
+				UseCopilotCodingAgentToken: true,
 			},
 			checkContains: []string{
 				"github-token:",
@@ -500,32 +500,32 @@ func TestStepWithoutCondition(t *testing.T) {
 // TestGitHubTokenPrecedence tests GitHub token selection logic
 func TestGitHubTokenPrecedence(t *testing.T) {
 	tests := []struct {
-		name              string
-		useAgentToken     bool
-		useCopilotToken   bool
-		token             string
-		expectedInContent string
+		name                       string
+		useCopilotCodingAgentToken bool
+		useCopilotRequestsToken    bool
+		token                      string
+		expectedInContent          string
 	}{
 		{
-			name:              "standard token",
-			useAgentToken:     false,
-			useCopilotToken:   false,
-			token:             "${{ github.token }}",
-			expectedInContent: "github-token:",
+			name:                       "standard token",
+			useCopilotCodingAgentToken: false,
+			useCopilotRequestsToken:    false,
+			token:                      "${{ github.token }}",
+			expectedInContent:          "github-token:",
 		},
 		{
-			name:              "copilot token",
-			useAgentToken:     false,
-			useCopilotToken:   true,
-			token:             "${{ secrets.COPILOT_GITHUB_TOKEN }}",
-			expectedInContent: "github-token:",
+			name:                       "copilot token",
+			useCopilotCodingAgentToken: false,
+			useCopilotRequestsToken:    true,
+			token:                      "${{ secrets.COPILOT_GITHUB_TOKEN }}",
+			expectedInContent:          "github-token:",
 		},
 		{
-			name:              "agent token",
-			useAgentToken:     true,
-			useCopilotToken:   false,
-			token:             "${{ secrets.AGENT_TOKEN }}",
-			expectedInContent: "github-token:",
+			name:                       "agent token",
+			useCopilotCodingAgentToken: true,
+			useCopilotRequestsToken:    false,
+			token:                      "${{ secrets.AGENT_TOKEN }}",
+			expectedInContent:          "github-token:",
 		},
 	}
 
@@ -534,12 +534,12 @@ func TestGitHubTokenPrecedence(t *testing.T) {
 			compiler := NewCompiler()
 
 			config := SafeOutputStepConfig{
-				StepName:        "Test Step",
-				StepID:          "test",
-				Script:          "console.log('test');",
-				Token:           tt.token,
-				UseCopilotToken: tt.useCopilotToken,
-				UseAgentToken:   tt.useAgentToken,
+				StepName:                   "Test Step",
+				StepID:                     "test",
+				Script:                     "console.log('test');",
+				Token:                      tt.token,
+				UseCopilotRequestsToken:    tt.useCopilotRequestsToken,
+				UseCopilotCodingAgentToken: tt.useCopilotCodingAgentToken,
 			}
 
 			workflowData := &WorkflowData{
diff --git a/pkg/workflow/compiler_types.go b/pkg/workflow/compiler_types.go
index c7fd19ee9f..364d1c30aa 100644
--- a/pkg/workflow/compiler_types.go
+++ b/pkg/workflow/compiler_types.go
@@ -441,7 +441,6 @@ type WorkflowData struct {
 	Runtimes              map[string]any       // runtime version overrides from frontmatter
 	PluginInfo            *PluginInfo          // Consolidated plugin information (plugins, custom token, MCP configs)
 	ToolsTimeout          int                  // timeout in seconds for tool/MCP operations (0 = use engine default)
-	GitHubToken           string               // top-level github-token expression from frontmatter
 	ToolsStartupTimeout   int                  // timeout in seconds for MCP server startup (0 = use engine default)
 	Features              map[string]any       // feature flags and configuration options from frontmatter (supports bool and string values)
 	ActionCache           *ActionCache         // cache for action pin resolutions
@@ -490,7 +489,7 @@ type SafeOutputsConfig struct {
 	PushToPullRequestBranch         *PushToPullRequestBranchConfig         `yaml:"push-to-pull-request-branch,omitempty"`
 	UploadAssets                    *UploadAssetsConfig                    `yaml:"upload-asset,omitempty"`
 	UpdateRelease                   *UpdateReleaseConfig                   `yaml:"update-release,omitempty"`               // Update GitHub release descriptions
-	CreateAgentSessions             *CreateAgentSessionConfig              `yaml:"create-agent-session,omitempty"`         // Create GitHub Copilot agent sessions
+	CreateAgentSessions             *CreateAgentSessionConfig              `yaml:"create-agent-session,omitempty"`         // Create GitHub Copilot coding agent sessions
 	UpdateProjects                  *UpdateProjectConfig                   `yaml:"update-project,omitempty"`               // Smart project board management (create/add/update)
 	CreateProjects                  *CreateProjectsConfig                  `yaml:"create-project,omitempty"`               // Create GitHub Projects V2
 	CreateProjectStatusUpdates      *CreateProjectStatusUpdateConfig       `yaml:"create-project-status-update,omitempty"` // Create GitHub project status updates
diff --git a/pkg/workflow/compiler_yaml_main_job.go b/pkg/workflow/compiler_yaml_main_job.go
index 7fddec9c8a..3c3aa82340 100644
--- a/pkg/workflow/compiler_yaml_main_job.go
+++ b/pkg/workflow/compiler_yaml_main_job.go
@@ -31,7 +31,7 @@ func (c *Compiler) generateMainJobSteps(yaml *strings.Builder, data *WorkflowDat
 				// 	yaml.WriteString(fmt.Sprintf("          path: %s\n", trialTargetRepoName[1]))
 				// }
 			}
-			effectiveToken := getEffectiveGitHubToken("", data.GitHubToken)
+			effectiveToken := getEffectiveGitHubToken("")
 			fmt.Fprintf(yaml, "          token: %s\n", effectiveToken)
 		}
 
diff --git a/pkg/workflow/copilot_engine_execution.go b/pkg/workflow/copilot_engine_execution.go
index a6edbebf5b..ef63b4a1e4 100644
--- a/pkg/workflow/copilot_engine_execution.go
+++ b/pkg/workflow/copilot_engine_execution.go
@@ -228,16 +228,10 @@ COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"
 	}
 
 	// Use COPILOT_GITHUB_TOKEN
-	// If github-token is specified at workflow level, use that instead
-	var copilotGitHubToken string
-	if workflowData.GitHubToken != "" {
-		copilotGitHubToken = workflowData.GitHubToken
-	} else {
-		// #nosec G101 -- This is NOT a hardcoded credential. It's a GitHub Actions expression template
-		// that GitHub Actions runtime replaces with the actual secret value. The string "${{ secrets.COPILOT_GITHUB_TOKEN }}"
-		// is a placeholder, not an actual credential.
-		copilotGitHubToken = "${{ secrets.COPILOT_GITHUB_TOKEN }}"
-	}
+	// #nosec G101 -- This is NOT a hardcoded credential. It's a GitHub Actions expression template
+	// that GitHub Actions runtime replaces with the actual secret value. The string "${{ secrets.COPILOT_GITHUB_TOKEN }}"
+	// is a placeholder, not an actual credential.
+	copilotGitHubToken := "${{ secrets.COPILOT_GITHUB_TOKEN }}"
 
 	env := map[string]string{
 		"XDG_CONFIG_HOME":           "/home/runner",
@@ -259,8 +253,8 @@ COPILOT_CLI_INSTRUCTION="$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"
 
 	if hasGitHubTool(workflowData.ParsedTools) {
 		customGitHubToken := getGitHubToken(workflowData.Tools["github"])
-		// Use effective token with precedence: custom > top-level > default
-		effectiveToken := getEffectiveGitHubToken(customGitHubToken, workflowData.GitHubToken)
+		// Use effective token with precedence: custom > default
+		effectiveToken := getEffectiveGitHubToken(customGitHubToken)
 		env["GITHUB_MCP_SERVER_TOKEN"] = effectiveToken
 	}
 
diff --git a/pkg/workflow/copilot_engine_installation.go b/pkg/workflow/copilot_engine_installation.go
index 7139c51388..2529b04a27 100644
--- a/pkg/workflow/copilot_engine_installation.go
+++ b/pkg/workflow/copilot_engine_installation.go
@@ -113,11 +113,8 @@ func (e *CopilotEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHu
 	// Add plugin installation steps after Copilot CLI installation
 	if workflowData.PluginInfo != nil && len(workflowData.PluginInfo.Plugins) > 0 {
 		copilotInstallLog.Printf("Adding plugin installation steps: %d plugins", len(workflowData.PluginInfo.Plugins))
-		// Use plugin-specific token if provided, otherwise use top-level github-token
+		// Use plugin-specific token if provided
 		tokenToUse := workflowData.PluginInfo.CustomToken
-		if tokenToUse == "" {
-			tokenToUse = workflowData.GitHubToken
-		}
 		pluginSteps := GeneratePluginInstallationSteps(workflowData.PluginInfo.Plugins, "copilot", tokenToUse)
 		steps = append(steps, pluginSteps...)
 	}
diff --git a/pkg/workflow/copilot_participant_steps.go b/pkg/workflow/copilot_participant_steps.go
index deb5e7fa20..be9ea585f9 100644
--- a/pkg/workflow/copilot_participant_steps.go
+++ b/pkg/workflow/copilot_participant_steps.go
@@ -18,8 +18,6 @@ type CopilotParticipantConfig struct {
 	CustomToken string
 	// SafeOutputsToken is the GitHub token from the safe-outputs config
 	SafeOutputsToken string
-	// WorkflowToken is the top-level GitHub token from the workflow
-	WorkflowToken string
 	// ConditionStepID is the step ID to check for output (e.g., "create_issue", "create_pull_request")
 	ConditionStepID string
 	// ConditionOutputKey is the output key to check (e.g., "issue_number", "pull_request_url")
@@ -54,14 +52,20 @@ func buildCopilotParticipantSteps(config CopilotParticipantConfig) []string {
 		}
 	}
 
+	// Choose the first non-empty custom token for precedence
+	effectiveCustomToken := config.CustomToken
+	if effectiveCustomToken == "" {
+		effectiveCustomToken = config.SafeOutputsToken
+	}
+
 	// Use agent token preference if adding copilot as participant, otherwise use regular token
 	var effectiveToken string
 	if hasCopilotParticipant {
-		copilotParticipantLog.Print("Using agent token preference")
-		effectiveToken = getEffectiveAgentGitHubToken(config.CustomToken, getEffectiveAgentGitHubToken(config.SafeOutputsToken, config.WorkflowToken))
+		copilotParticipantLog.Print("Using Copilot coding agent token preference")
+		effectiveToken = getEffectiveCopilotCodingAgentGitHubToken(effectiveCustomToken)
 	} else {
 		copilotParticipantLog.Print("Using regular GitHub token")
-		effectiveToken = getEffectiveGitHubToken(config.CustomToken, getEffectiveGitHubToken(config.SafeOutputsToken, config.WorkflowToken))
+		effectiveToken = getEffectiveGitHubToken(effectiveCustomToken)
 	}
 
 	// Generate participant-specific steps
diff --git a/pkg/workflow/create_agent_session.go b/pkg/workflow/create_agent_session.go
index ae2d4a7b79..85e7b94709 100644
--- a/pkg/workflow/create_agent_session.go
+++ b/pkg/workflow/create_agent_session.go
@@ -8,7 +8,7 @@ import (
 
 var createAgentSessionLog = logger.New("workflow:create_agent_session")
 
-// CreateAgentSessionConfig holds configuration for creating GitHub Copilot agent sessions from agent output
+// CreateAgentSessionConfig holds configuration for creating GitHub Copilot coding agent sessions from agent output
 type CreateAgentSessionConfig struct {
 	BaseSafeOutputConfig `yaml:",inline"`
 	Base                 string   `yaml:"base,omitempty"`          // Base branch for the pull request
@@ -126,18 +126,18 @@ func (c *Compiler) buildCreateOutputAgentSessionJob(data *WorkflowData, mainJobN
 
 	// Use the shared builder function to create the job
 	return c.buildSafeOutputJob(data, SafeOutputJobConfig{
-		JobName:         "create_agent_session",
-		StepName:        "Create Agent Session",
-		StepID:          "create_agent_session",
-		MainJobName:     mainJobName,
-		CustomEnvVars:   customEnvVars,
-		Script:          "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();",
-		Permissions:     NewPermissionsContentsWriteIssuesWritePRWrite(),
-		Outputs:         outputs,
-		Condition:       jobCondition,
-		PreSteps:        preSteps,
-		Token:           data.SafeOutputs.CreateAgentSessions.GitHubToken,
-		UseCopilotToken: true, // Use Copilot token preference for agent session creation
-		TargetRepoSlug:  data.SafeOutputs.CreateAgentSessions.TargetRepoSlug,
+		JobName:                 "create_agent_session",
+		StepName:                "Create Agent Session",
+		StepID:                  "create_agent_session",
+		MainJobName:             mainJobName,
+		CustomEnvVars:           customEnvVars,
+		Script:                  "const { main } = require('/opt/gh-aw/actions/create_agent_session.cjs'); await main();",
+		Permissions:             NewPermissionsContentsWriteIssuesWritePRWrite(),
+		Outputs:                 outputs,
+		Condition:               jobCondition,
+		PreSteps:                preSteps,
+		Token:                   data.SafeOutputs.CreateAgentSessions.GitHubToken,
+		UseCopilotRequestsToken: true, // Use Copilot token preference for agent session creation
+		TargetRepoSlug:          data.SafeOutputs.CreateAgentSessions.TargetRepoSlug,
 	})
 }
diff --git a/pkg/workflow/create_issue.go b/pkg/workflow/create_issue.go
index 36b21f2212..a849cd16ee 100644
--- a/pkg/workflow/create_issue.go
+++ b/pkg/workflow/create_issue.go
@@ -97,13 +97,19 @@ func filterNonCopilotAssignees(assignees []string) []string {
 	return result
 }
 
-// buildCopilotAssignmentStep generates a post-step for assigning copilot to created issues
+// buildCopilotCodingAgentAssignmentStep generates a post-step for assigning Copilot coding agent to created issues
 // This step uses the agent token with full precedence chain
-func buildCopilotAssignmentStep(configToken, safeOutputsToken, workflowToken string) []string {
+func buildCopilotCodingAgentAssignmentStep(configToken, safeOutputsToken string) []string {
 	var steps []string
 
+	// Choose the first non-empty custom token for precedence
+	effectiveCustomToken := configToken
+	if effectiveCustomToken == "" {
+		effectiveCustomToken = safeOutputsToken
+	}
+
 	// Get the effective agent token with full precedence chain
-	effectiveToken := getEffectiveAgentGitHubToken(configToken, getEffectiveAgentGitHubToken(safeOutputsToken, workflowToken))
+	effectiveToken := getEffectiveCopilotCodingAgentGitHubToken(effectiveCustomToken)
 
 	steps = append(steps, "      - name: Assign Copilot to created issues\n")
 	steps = append(steps, "        if: steps.create_issue.outputs.issues_to_assign_copilot != ''\n")
@@ -188,7 +194,6 @@ func (c *Compiler) buildCreateOutputIssueJob(data *WorkflowData, mainJobName str
 			ParticipantType:    "assignee",
 			CustomToken:        data.SafeOutputs.CreateIssues.GitHubToken,
 			SafeOutputsToken:   safeOutputsToken,
-			WorkflowToken:      data.GitHubToken,
 			ConditionStepID:    "create_issue",
 			ConditionOutputKey: "issue_number",
 		})
@@ -196,7 +201,7 @@ func (c *Compiler) buildCreateOutputIssueJob(data *WorkflowData, mainJobName str
 
 	// Add post-step for copilot assignment using agent token
 	if assignCopilot {
-		postSteps = append(postSteps, buildCopilotAssignmentStep(data.SafeOutputs.CreateIssues.GitHubToken, safeOutputsToken, data.GitHubToken)...)
+		postSteps = append(postSteps, buildCopilotCodingAgentAssignmentStep(data.SafeOutputs.CreateIssues.GitHubToken, safeOutputsToken)...)
 	}
 
 	// Create outputs for the job
diff --git a/pkg/workflow/create_project_token_test.go b/pkg/workflow/create_project_token_test.go
index fd1042406a..3e1b070f5d 100644
--- a/pkg/workflow/create_project_token_test.go
+++ b/pkg/workflow/create_project_token_test.go
@@ -41,23 +41,23 @@ func TestCreateProjectGitHubTokenEnvVar(t *testing.T) {
 			expectedTokenValue:  "github-token: ${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}",
 		},
 		{
-			name: "create-project with top-level github-token",
+			name: "create-project with safe-outputs github-token",
 			frontmatter: map[string]any{
-				"name":         "Test Workflow",
-				"github-token": "${{ secrets.CUSTOM_TOKEN }}",
+				"name": "Test Workflow",
 				"safe-outputs": map[string]any{
+					"github-token":   "${{ secrets.SAFE_OUTPUTS_TOKEN }}",
 					"create-project": nil,
 				},
 			},
-			expectedEnvVarValue: "GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.CUSTOM_TOKEN }}",
-			expectedTokenValue:  "github-token: ${{ secrets.CUSTOM_TOKEN }}",
+			expectedEnvVarValue: "GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.SAFE_OUTPUTS_TOKEN }}",
+			expectedTokenValue:  "github-token: ${{ secrets.SAFE_OUTPUTS_TOKEN }}",
 		},
 		{
-			name: "create-project with per-config token overrides top-level",
+			name: "create-project with per-config token overrides safe-outputs token",
 			frontmatter: map[string]any{
-				"name":         "Test Workflow",
-				"github-token": "${{ secrets.GLOBAL_TOKEN }}",
+				"name": "Test Workflow",
 				"safe-outputs": map[string]any{
+					"github-token": "${{ secrets.GLOBAL_TOKEN }}",
 					"create-project": map[string]any{
 						"github-token": "${{ secrets.PROJECT_SPECIFIC_TOKEN }}",
 					},
@@ -78,11 +78,6 @@ func TestCreateProjectGitHubTokenEnvVar(t *testing.T) {
 				SafeOutputs: compiler.extractSafeOutputsConfig(tt.frontmatter),
 			}
 
-			// Set top-level github-token if present in frontmatter
-			if githubToken, ok := tt.frontmatter["github-token"].(string); ok {
-				workflowData.GitHubToken = githubToken
-			}
-
 			// Build the create_project step config
 			stepConfig := compiler.buildCreateProjectStepConfig(workflowData, "main", false)
 
diff --git a/pkg/workflow/create_pull_request.go b/pkg/workflow/create_pull_request.go
index aa27623e79..f01ec16679 100644
--- a/pkg/workflow/create_pull_request.go
+++ b/pkg/workflow/create_pull_request.go
@@ -150,7 +150,6 @@ func (c *Compiler) buildCreateOutputPullRequestJob(data *WorkflowData, mainJobNa
 			ParticipantType:    "reviewer",
 			CustomToken:        data.SafeOutputs.CreatePullRequests.GitHubToken,
 			SafeOutputsToken:   safeOutputsToken,
-			WorkflowToken:      data.GitHubToken,
 			ConditionStepID:    "create_pull_request",
 			ConditionOutputKey: "pull_request_url",
 		})
diff --git a/pkg/workflow/custom_action_copilot_token_test.go b/pkg/workflow/custom_action_copilot_token_test.go
index 968f2f2ec8..91772a204b 100644
--- a/pkg/workflow/custom_action_copilot_token_test.go
+++ b/pkg/workflow/custom_action_copilot_token_test.go
@@ -26,12 +26,12 @@ func TestCustomActionCopilotTokenFallback(t *testing.T) {
 		SafeOutputs: &SafeOutputsConfig{},
 	}
 
-	// Test with UseCopilotToken=true and no custom token
+	// Test with UseCopilotRequestsToken=true and no custom token
 	config := GitHubScriptStepConfig{
-		StepName:        "Test Custom Action",
-		StepID:          "test",
-		Token:           "", // No custom token
-		UseCopilotToken: true,
+		StepName:                "Test Custom Action",
+		StepID:                  "test",
+		CustomToken:             "", // No custom token
+		UseCopilotRequestsToken: true,
 	}
 
 	steps := compiler.buildCustomActionStep(workflowData, config, "test_handler")
@@ -39,11 +39,13 @@ func TestCustomActionCopilotTokenFallback(t *testing.T) {
 
 	t.Logf("Generated steps:\n%s", stepsContent)
 
-	// Should use COPILOT_GITHUB_TOKEN fallback, not COPILOT_TOKEN
-	assert.Contains(t, stepsContent, "COPILOT_GITHUB_TOKEN", "Should use COPILOT_GITHUB_TOKEN in fallback")
+	// Should use COPILOT_GITHUB_TOKEN directly (no fallback chain)
+	// Note: COPILOT_GITHUB_TOKEN is the recommended token for Copilot operations
+	// and does NOT have a fallback to GITHUB_TOKEN because GITHUB_TOKEN lacks
+	// permissions for agent sessions and bot assignments
+	assert.Contains(t, stepsContent, "secrets.COPILOT_GITHUB_TOKEN", "Should use COPILOT_GITHUB_TOKEN")
 	assert.NotContains(t, stepsContent, "COPILOT_TOKEN ||", "Should not use deprecated COPILOT_TOKEN")
 
-	// Verify it's using the correct fallback chain
-	assert.Contains(t, stepsContent, "secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN",
-		"Should use correct Copilot token fallback chain")
+	// Verify no fallback chain (COPILOT_GITHUB_TOKEN is used directly)
+	assert.NotContains(t, stepsContent, "||", "Should not have fallback chain for Copilot token")
 }
diff --git a/pkg/workflow/frontmatter_types.go b/pkg/workflow/frontmatter_types.go
index 4b53e6caf0..d488b37399 100644
--- a/pkg/workflow/frontmatter_types.go
+++ b/pkg/workflow/frontmatter_types.go
@@ -149,7 +149,6 @@ type FrontmatterConfig struct {
 	// Metadata
 	Metadata      map[string]string    `json:"metadata,omitempty"` // Custom metadata key-value pairs
 	SecretMasking *SecretMaskingConfig `json:"secret-masking,omitempty"`
-	GithubToken   string               `json:"github-token,omitempty"`
 
 	// Command/bot configuration
 	Roles     []string         `json:"roles,omitempty"`
@@ -657,9 +656,6 @@ func (fc *FrontmatterConfig) ToMap() map[string]any {
 	if fc.SecretMasking != nil {
 		result["secret-masking"] = fc.SecretMasking
 	}
-	if fc.GithubToken != "" {
-		result["github-token"] = fc.GithubToken
-	}
 	if fc.Roles != nil {
 		result["roles"] = fc.Roles
 	}
diff --git a/pkg/workflow/github_token.go b/pkg/workflow/github_token.go
index 8aa5a7c57a..c8ea9ac81a 100644
--- a/pkg/workflow/github_token.go
+++ b/pkg/workflow/github_token.go
@@ -6,81 +6,60 @@ var tokenLog = logger.New("workflow:github_token")
 
 // getEffectiveGitHubToken returns the GitHub token to use, with precedence:
 // 1. Custom token passed as parameter (e.g., from tool-specific config)
-// 2. Top-level github-token from frontmatter
-// 3. Default fallback: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-func getEffectiveGitHubToken(customToken, toplevelToken string) string {
+// 2. Default fallback: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+func getEffectiveGitHubToken(customToken string) string {
 	if customToken != "" {
 		tokenLog.Print("Using custom GitHub token")
 		return customToken
 	}
-	if toplevelToken != "" {
-		tokenLog.Print("Using top-level GitHub token from frontmatter")
-		return toplevelToken
-	}
 	tokenLog.Print("Using default GitHub token fallback")
 	return "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"
 }
 
 // getEffectiveSafeOutputGitHubToken returns the GitHub token to use for safe output operations, with precedence:
 // 1. Custom token passed as parameter (e.g., from per-output config)
-// 2. Top-level github-token from frontmatter
-// 3. Default fallback: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
-// This simpler chain ensures safe outputs use: safe outputs token -> workflow token -> GH_AW_GITHUB_TOKEN -> GitHub Actions token
-func getEffectiveSafeOutputGitHubToken(customToken, toplevelToken string) string {
+// 2. Default fallback: ${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
+// This simpler chain ensures safe outputs use: safe outputs token -> GH_AW_GITHUB_TOKEN -> GitHub Actions token
+func getEffectiveSafeOutputGitHubToken(customToken string) string {
 	if customToken != "" {
 		tokenLog.Print("Using custom safe output GitHub token")
 		return customToken
 	}
-	if toplevelToken != "" {
-		tokenLog.Print("Using top-level safe output GitHub token from frontmatter")
-		return toplevelToken
-	}
 	tokenLog.Print("Using default safe output GitHub token (GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)")
 	return "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"
 }
 
-// getEffectiveCopilotGitHubToken returns the GitHub token to use for Copilot-related operations,
+// getEffectiveCopilotRequestsToken returns the GitHub token to use for Copilot-related operations,
 // with precedence:
 // 1. Custom token passed as parameter (e.g., from safe-outputs config github-token field)
 // 2. secrets.COPILOT_GITHUB_TOKEN (recommended token for Copilot operations)
-// 3. secrets.GH_AW_GITHUB_TOKEN (legacy fallback for backward compatibility)
 // Note: The default GITHUB_TOKEN is NOT included as a fallback because it does not have
 // permission to create agent sessions, assign issues to bots, or add bots as reviewers.
 // This is used for safe outputs that interact with GitHub Copilot features:
 // - create-agent-session
 // - assigning "copilot" to issues
 // - adding "copilot" as PR reviewer
-func getEffectiveCopilotGitHubToken(customToken, toplevelToken string) string {
+func getEffectiveCopilotRequestsToken(customToken string) string {
 	if customToken != "" {
 		tokenLog.Print("Using custom Copilot GitHub token")
 		return customToken
 	}
-	if toplevelToken != "" {
-		tokenLog.Print("Using top-level Copilot GitHub token from frontmatter")
-		return toplevelToken
-	}
-	tokenLog.Print("Using default Copilot GitHub token fallback")
-	return "${{ secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }}"
+	return "${{ secrets.COPILOT_GITHUB_TOKEN }}"
 }
 
-// getEffectiveAgentGitHubToken returns the GitHub token to use for agent assignment operations,
+// getEffectiveCopilotCodingAgentGitHubToken returns the GitHub token to use for agent assignment operations,
 // with precedence:
 // 1. Custom token passed as parameter (e.g., from safe-outputs config github-token field)
-// 2. Top-level github-token from frontmatter
-// 3. secrets.GH_AW_AGENT_TOKEN (recommended token for agent assignment with elevated permissions)
-// 4. secrets.GH_AW_GITHUB_TOKEN (fallback with potentially sufficient permissions)
-// 5. secrets.GITHUB_TOKEN (last resort, may lack permissions for bot assignment)
+// 2. secrets.GH_AW_AGENT_TOKEN (recommended token for agent assignment with elevated permissions)
+// 3. secrets.GH_AW_GITHUB_TOKEN (fallback with potentially sufficient permissions)
+// 4. secrets.GITHUB_TOKEN (last resort, may lack permissions for bot assignment)
 // Note: Assigning bots (like copilot-swe-agent) requires permissions that GITHUB_TOKEN may not have.
 // It's recommended to configure GH_AW_AGENT_TOKEN or GH_AW_GITHUB_TOKEN with appropriate permissions.
-func getEffectiveAgentGitHubToken(customToken, toplevelToken string) string {
+func getEffectiveCopilotCodingAgentGitHubToken(customToken string) string {
 	if customToken != "" {
 		tokenLog.Print("Using custom agent GitHub token")
 		return customToken
 	}
-	if toplevelToken != "" {
-		tokenLog.Print("Using top-level agent GitHub token from frontmatter")
-		return toplevelToken
-	}
 	tokenLog.Print("Using default agent GitHub token fallback chain (GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN)")
 	return "${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}"
 }
@@ -88,21 +67,16 @@ func getEffectiveAgentGitHubToken(customToken, toplevelToken string) string {
 // getEffectiveProjectGitHubToken returns the GitHub token to use for GitHub Projects v2 operations,
 // with precedence:
 // 1. Custom token passed as parameter (e.g., from safe-outputs.update-project.github-token)
-// 2. Top-level github-token from frontmatter
-// 3. secrets.GH_AW_PROJECT_GITHUB_TOKEN (required token for Projects v2 operations)
+// 2. secrets.GH_AW_PROJECT_GITHUB_TOKEN (required token for Projects v2 operations)
 // Note: GitHub Projects v2 requires a PAT (classic with project + repo scopes, or fine-grained
 // with Projects: Read+Write) or GitHub App. The default GITHUB_TOKEN cannot access Projects v2.
 // You must configure GH_AW_PROJECT_GITHUB_TOKEN or provide a custom token for Projects v2 operations.
 // No fallback to GITHUB_TOKEN is provided as it will never work for Projects v2 operations.
-func getEffectiveProjectGitHubToken(customToken, toplevelToken string) string {
+func getEffectiveProjectGitHubToken(customToken string) string {
 	if customToken != "" {
 		tokenLog.Print("Using custom project GitHub token")
 		return customToken
 	}
-	if toplevelToken != "" {
-		tokenLog.Print("Using top-level GitHub token for project operations")
-		return toplevelToken
-	}
 	tokenLog.Print("Using GH_AW_PROJECT_GITHUB_TOKEN for project operations")
 	return "${{ secrets.GH_AW_PROJECT_GITHUB_TOKEN }}"
 }
diff --git a/pkg/workflow/github_token_precedence_integration_test.go b/pkg/workflow/github_token_precedence_integration_test.go
index a3a1923583..b4e3caec81 100644
--- a/pkg/workflow/github_token_precedence_integration_test.go
+++ b/pkg/workflow/github_token_precedence_integration_test.go
@@ -14,26 +14,26 @@ import (
 func TestTopLevelGitHubTokenPrecedence(t *testing.T) {
 	tmpDir := testutil.TempDir(t, "github-token-precedence-test")
 
-	t.Run("top-level github-token used when no safe-outputs token", func(t *testing.T) {
+	t.Run("tools.github github-token used when specified", func(t *testing.T) {
 		testContent := `---
-name: Test Top-Level GitHub Token
+name: Test GitHub Tool Token
 on:
   issues:
     types: [opened]
 engine: claude
-github-token: ${{ secrets.TOPLEVEL_PAT }}
 tools:
   github:
     mode: remote
+    github-token: ${{ secrets.GITHUB_TOOL_PAT }}
     allowed: [list_issues]
 ---
 
-# Test Top-Level GitHub Token
+# Test GitHub Tool Token
 
-Test that top-level github-token is used in engine configuration.
+Test that tools.github.github-token is used in engine configuration.
 `
 
-		testFile := filepath.Join(tmpDir, "test-toplevel-token.md")
+		testFile := filepath.Join(tmpDir, "test-github-tool-token.md")
 		if err := os.WriteFile(testFile, []byte(testContent), 0644); err != nil {
 			t.Fatal(err)
 		}
@@ -44,7 +44,7 @@ Test that top-level github-token is used in engine configuration.
 			t.Fatalf("Unexpected error compiling workflow: %v", err)
 		}
 
-		outputFile := filepath.Join(tmpDir, "test-toplevel-token.lock.yml")
+		outputFile := filepath.Join(tmpDir, "test-github-tool-token.lock.yml")
 		content, err := os.ReadFile(outputFile)
 		if err != nil {
 			t.Fatal(err)
@@ -52,10 +52,10 @@ Test that top-level github-token is used in engine configuration.
 
 		yamlContent := string(content)
 
-		// Verify that the top-level token is used in the GitHub MCP config
+		// Verify that the github tool token is used in the GitHub MCP config
 		// The token should be set in the env block to prevent template injection
-		if !strings.Contains(yamlContent, "GITHUB_MCP_SERVER_TOKEN: ${{ secrets.TOPLEVEL_PAT }}") {
-			t.Error("Expected top-level github-token to be used in GITHUB_MCP_SERVER_TOKEN env var")
+		if !strings.Contains(yamlContent, "GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOOL_PAT }}") {
+			t.Error("Expected tools.github.github-token to be used in GITHUB_MCP_SERVER_TOKEN env var")
 			t.Logf("Generated YAML:\n%s", yamlContent)
 		}
 
@@ -66,14 +66,18 @@ Test that top-level github-token is used in engine configuration.
 		}
 	})
 
-	t.Run("safe-outputs github-token overrides top-level", func(t *testing.T) {
+	t.Run("safe-outputs github-token overrides tools.github token", func(t *testing.T) {
 		testContent := `---
 name: Test Safe-Outputs Override
 on:
   issues:
     types: [opened]
 engine: claude
-github-token: ${{ secrets.TOPLEVEL_PAT }}
+tools:
+  github:
+    mode: remote
+    github-token: ${{ secrets.GITHUB_TOOL_PAT }}
+    allowed: [list_issues]
 safe-outputs:
   github-token: ${{ secrets.SAFE_OUTPUTS_PAT }}
   create-issue:
@@ -81,7 +85,7 @@ safe-outputs:
 
 # Test Safe-Outputs Override
 
-Test that safe-outputs github-token overrides top-level.
+Test that safe-outputs github-token overrides tools.github token.
 `
 
 		testFile := filepath.Join(tmpDir, "test-safe-outputs-override.md")
@@ -111,32 +115,31 @@ Test that safe-outputs github-token overrides top-level.
 			t.Logf("Generated YAML:\n%s", yamlContent)
 		}
 
-		// Verify that top-level token is NOT used in safe-outputs job
-		if strings.Contains(yamlContentNoComments, "github-token: ${{ secrets.TOPLEVEL_PAT }}") {
-			t.Error("Top-level github-token should not be used when safe-outputs token is present")
+		// Verify that tools.github token is NOT used in safe-outputs job
+		if strings.Contains(yamlContentNoComments, "github-token: ${{ secrets.GITHUB_TOOL_PAT }}") {
+			t.Error("tools.github github-token should not be used when safe-outputs token is present")
 		}
 	})
 
-	t.Run("safe-outputs token overrides top-level", func(t *testing.T) {
+	t.Run("safe-outputs token used independently", func(t *testing.T) {
 		testContent := `---
-name: Test Safe Outputs Override
+name: Test Safe Outputs Token
 on:
   issues:
     types: [opened]
 engine: claude
-github-token: ${{ secrets.TOPLEVEL_PAT }}
 safe-outputs:
   github-token: ${{ secrets.SAFE_OUTPUTS_PAT }}
   create-issue:
     title-prefix: "[AUTO] "
 ---
 
-# Test Safe Outputs Override
+# Test Safe Outputs Token
 
-Test that safe-outputs github-token overrides top-level token.
+Test that safe-outputs github-token is used for safe outputs.
 `
 
-		testFile := filepath.Join(tmpDir, "test-individual-override.md")
+		testFile := filepath.Join(tmpDir, "test-safe-outputs-token.md")
 		if err := os.WriteFile(testFile, []byte(testContent), 0644); err != nil {
 			t.Fatal(err)
 		}
@@ -147,7 +150,7 @@ Test that safe-outputs github-token overrides top-level token.
 			t.Fatalf("Unexpected error compiling workflow: %v", err)
 		}
 
-		outputFile := filepath.Join(tmpDir, "test-individual-override.lock.yml")
+		outputFile := filepath.Join(tmpDir, "test-safe-outputs-token.lock.yml")
 		content, err := os.ReadFile(outputFile)
 		if err != nil {
 			t.Fatal(err)
@@ -160,41 +163,23 @@ Test that safe-outputs github-token overrides top-level token.
 			t.Error("Expected safe-outputs github-token to be used in safe_outputs job")
 			t.Logf("Generated YAML:\n%s", yamlContent)
 		}
-
-		// Verify top-level token is not used in safe_outputs job
-		// (it may appear in other jobs, but not in safe_outputs)
-		lines := strings.Split(yamlContent, "\n")
-		inSafeOutputsJob := false
-		for i, line := range lines {
-			if strings.Contains(line, "safe_outputs:") && !strings.Contains(line, "#") {
-				inSafeOutputsJob = true
-				continue
-			}
-			// Check if we've moved to a new top-level job
-			if inSafeOutputsJob && len(line) > 0 && !strings.HasPrefix(line, " ") && strings.Contains(line, ":") {
-				inSafeOutputsJob = false
-			}
-			if inSafeOutputsJob && strings.Contains(line, "github-token: ${{ secrets.TOPLEVEL_PAT }}") {
-				t.Errorf("Top-level token should not be used in safe_outputs job (found at line %d)", i+1)
-			}
-		}
 	})
 
-	t.Run("top-level token used in codex engine", func(t *testing.T) {
+	t.Run("tools.github token used in codex engine", func(t *testing.T) {
 		testContent := `---
 name: Test Codex Engine Token
 on:
   workflow_dispatch:
 engine: codex
-github-token: ${{ secrets.TOPLEVEL_PAT }}
 tools:
   github:
+    github-token: ${{ secrets.GITHUB_TOOL_PAT }}
     allowed: [list_issues]
 ---
 
 # Test Codex Engine Token
 
-Test that top-level github-token is used in Codex engine.
+Test that tools.github.github-token is used in Codex engine.
 `
 
 		testFile := filepath.Join(tmpDir, "test-codex-token.md")
@@ -216,10 +201,10 @@ Test that top-level github-token is used in Codex engine.
 
 		yamlContent := string(content)
 
-		// Verify that the top-level token is used in GITHUB_MCP_SERVER_TOKEN env var
+		// Verify that the tools.github token is used in GITHUB_MCP_SERVER_TOKEN env var
 		// (Codex now uses GITHUB_MCP_SERVER_TOKEN, same as Copilot, for consistency)
-		if !strings.Contains(yamlContent, "GITHUB_MCP_SERVER_TOKEN: ${{ secrets.TOPLEVEL_PAT }}") {
-			t.Error("Expected top-level github-token to be used in GITHUB_MCP_SERVER_TOKEN env var for Codex")
+		if !strings.Contains(yamlContent, "GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOOL_PAT }}") {
+			t.Error("Expected tools.github.github-token to be used in GITHUB_MCP_SERVER_TOKEN env var for Codex")
 			t.Logf("Generated YAML:\n%s", yamlContent)
 		}
 
@@ -231,21 +216,21 @@ Test that top-level github-token is used in Codex engine.
 		}
 	})
 
-	t.Run("top-level token used in copilot engine", func(t *testing.T) {
+	t.Run("tools.github token used in copilot engine", func(t *testing.T) {
 		testContent := `---
 name: Test Copilot Engine Token
 on:
   workflow_dispatch:
 engine: copilot
-github-token: ${{ secrets.TOPLEVEL_PAT }}
 tools:
   github:
+    github-token: ${{ secrets.GITHUB_TOOL_PAT }}
     allowed: [list_issues]
 ---
 
 # Test Copilot Engine Token
 
-Test that top-level github-token is used in Copilot engine.
+Test that tools.github.github-token is used in Copilot engine.
 `
 
 		testFile := filepath.Join(tmpDir, "test-copilot-token.md")
@@ -267,9 +252,9 @@ Test that top-level github-token is used in Copilot engine.
 
 		yamlContent := string(content)
 
-		// Verify that the top-level token is used in GITHUB_MCP_SERVER_TOKEN env var
-		if !strings.Contains(yamlContent, "GITHUB_MCP_SERVER_TOKEN: ${{ secrets.TOPLEVEL_PAT }}") {
-			t.Error("Expected top-level github-token to be used in GITHUB_MCP_SERVER_TOKEN env var for Copilot")
+		// Verify that the tools.github token is used in GITHUB_MCP_SERVER_TOKEN env var
+		if !strings.Contains(yamlContent, "GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GITHUB_TOOL_PAT }}") {
+			t.Error("Expected tools.github.github-token to be used in GITHUB_MCP_SERVER_TOKEN env var for Copilot")
 			t.Logf("Generated YAML:\n%s", yamlContent)
 		}
 	})
diff --git a/pkg/workflow/github_token_test.go b/pkg/workflow/github_token_test.go
index 24f89fe965..11fd1e52ca 100644
--- a/pkg/workflow/github_token_test.go
+++ b/pkg/workflow/github_token_test.go
@@ -8,34 +8,25 @@ import (
 
 func TestGetEffectiveGitHubToken(t *testing.T) {
 	tests := []struct {
-		name          string
-		customToken   string
-		toplevelToken string
-		expected      string
+		name        string
+		customToken string
+		expected    string
 	}{
 		{
-			name:          "custom token has highest precedence",
-			customToken:   "${{ secrets.CUSTOM_TOKEN }}",
-			toplevelToken: "${{ secrets.TOPLEVEL_TOKEN }}",
-			expected:      "${{ secrets.CUSTOM_TOKEN }}",
+			name:        "custom token has highest precedence",
+			customToken: "${{ secrets.CUSTOM_TOKEN }}",
+			expected:    "${{ secrets.CUSTOM_TOKEN }}",
 		},
 		{
-			name:          "toplevel token used when no custom token",
-			customToken:   "",
-			toplevelToken: "${{ secrets.TOPLEVEL_TOKEN }}",
-			expected:      "${{ secrets.TOPLEVEL_TOKEN }}",
-		},
-		{
-			name:          "default fallback includes GH_AW_GITHUB_MCP_SERVER_TOKEN (for MCP and tools)",
-			customToken:   "",
-			toplevelToken: "",
-			expected:      "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
+			name:        "default fallback includes GH_AW_GITHUB_MCP_SERVER_TOKEN (for MCP and tools)",
+			customToken: "",
+			expected:    "${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := getEffectiveGitHubToken(tt.customToken, tt.toplevelToken)
+			result := getEffectiveGitHubToken(tt.customToken)
 			if result != tt.expected {
 				t.Errorf("getEffectiveGitHubToken() = %q, want %q", result, tt.expected)
 			}
@@ -45,34 +36,25 @@ func TestGetEffectiveGitHubToken(t *testing.T) {
 
 func TestGetEffectiveSafeOutputGitHubToken(t *testing.T) {
 	tests := []struct {
-		name          string
-		customToken   string
-		toplevelToken string
-		expected      string
+		name        string
+		customToken string
+		expected    string
 	}{
 		{
-			name:          "custom token has highest precedence",
-			customToken:   "${{ secrets.CUSTOM_TOKEN }}",
-			toplevelToken: "${{ secrets.TOPLEVEL_TOKEN }}",
-			expected:      "${{ secrets.CUSTOM_TOKEN }}",
-		},
-		{
-			name:          "toplevel token used when no custom token",
-			customToken:   "",
-			toplevelToken: "${{ secrets.TOPLEVEL_TOKEN }}",
-			expected:      "${{ secrets.TOPLEVEL_TOKEN }}",
+			name:        "custom token has highest precedence",
+			customToken: "${{ secrets.CUSTOM_TOKEN }}",
+			expected:    "${{ secrets.CUSTOM_TOKEN }}",
 		},
 		{
-			name:          "default fallback includes GH_AW_GITHUB_TOKEN (safe outputs chain)",
-			customToken:   "",
-			toplevelToken: "",
-			expected:      "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
+			name:        "default fallback includes GH_AW_GITHUB_TOKEN (safe outputs chain)",
+			customToken: "",
+			expected:    "${{ secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := getEffectiveSafeOutputGitHubToken(tt.customToken, tt.toplevelToken)
+			result := getEffectiveSafeOutputGitHubToken(tt.customToken)
 			if result != tt.expected {
 				t.Errorf("getEffectiveSafeOutputGitHubToken() = %q, want %q", result, tt.expected)
 			}
@@ -82,36 +64,27 @@ func TestGetEffectiveSafeOutputGitHubToken(t *testing.T) {
 
 func TestGetEffectiveCopilotGitHubToken(t *testing.T) {
 	tests := []struct {
-		name          string
-		customToken   string
-		toplevelToken string
-		expected      string
+		name        string
+		customToken string
+		expected    string
 	}{
 		{
-			name:          "custom token has highest precedence",
-			customToken:   "${{ secrets.CUSTOM_COPILOT_TOKEN }}",
-			toplevelToken: "${{ secrets.TOPLEVEL_TOKEN }}",
-			expected:      "${{ secrets.CUSTOM_COPILOT_TOKEN }}",
+			name:        "custom token has highest precedence",
+			customToken: "${{ secrets.CUSTOM_COPILOT_TOKEN }}",
+			expected:    "${{ secrets.CUSTOM_COPILOT_TOKEN }}",
 		},
 		{
-			name:          "toplevel token used when no custom token",
-			customToken:   "",
-			toplevelToken: "${{ secrets.TOPLEVEL_TOKEN }}",
-			expected:      "${{ secrets.TOPLEVEL_TOKEN }}",
-		},
-		{
-			name:          "default fallback for Copilot includes multiple tokens",
-			customToken:   "",
-			toplevelToken: "",
-			expected:      "${{ secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }}",
+			name:        "default fallback for Copilot",
+			customToken: "",
+			expected:    "${{ secrets.COPILOT_GITHUB_TOKEN }}",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := getEffectiveCopilotGitHubToken(tt.customToken, tt.toplevelToken)
+			result := getEffectiveCopilotRequestsToken(tt.customToken)
 			if result != tt.expected {
-				t.Errorf("getEffectiveCopilotGitHubToken() = %q, want %q", result, tt.expected)
+				t.Errorf("getEffectiveCopilotRequestsToken() = %q, want %q", result, tt.expected)
 			}
 		})
 	}
@@ -119,36 +92,27 @@ func TestGetEffectiveCopilotGitHubToken(t *testing.T) {
 
 func TestGetEffectiveAgentGitHubToken(t *testing.T) {
 	tests := []struct {
-		name          string
-		customToken   string
-		toplevelToken string
-		expected      string
+		name        string
+		customToken string
+		expected    string
 	}{
 		{
-			name:          "custom token has highest precedence",
-			customToken:   "${{ secrets.CUSTOM_AGENT_TOKEN }}",
-			toplevelToken: "${{ secrets.TOP_LEVEL_TOKEN }}",
-			expected:      "${{ secrets.CUSTOM_AGENT_TOKEN }}",
-		},
-		{
-			name:          "toplevel token when custom is empty",
-			customToken:   "",
-			toplevelToken: "${{ secrets.TOP_LEVEL_TOKEN }}",
-			expected:      "${{ secrets.TOP_LEVEL_TOKEN }}",
+			name:        "custom token has highest precedence",
+			customToken: "${{ secrets.CUSTOM_AGENT_TOKEN }}",
+			expected:    "${{ secrets.CUSTOM_AGENT_TOKEN }}",
 		},
 		{
-			name:          "default fallback chain for agent operations",
-			customToken:   "",
-			toplevelToken: "",
-			expected:      "${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
+			name:        "default fallback chain for agent operations",
+			customToken: "",
+			expected:    "${{ secrets.GH_AW_AGENT_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := getEffectiveAgentGitHubToken(tt.customToken, tt.toplevelToken)
+			result := getEffectiveCopilotCodingAgentGitHubToken(tt.customToken)
 			if result != tt.expected {
-				t.Errorf("getEffectiveAgentGitHubToken() = %q, want %q", result, tt.expected)
+				t.Errorf("getEffectiveCopilotCodingAgentGitHubToken() = %q, want %q", result, tt.expected)
 			}
 		})
 	}
diff --git a/pkg/workflow/github_token_validation_test.go b/pkg/workflow/github_token_validation_test.go
index cf575a8a88..40bbf48b07 100644
--- a/pkg/workflow/github_token_validation_test.go
+++ b/pkg/workflow/github_token_validation_test.go
@@ -109,14 +109,15 @@ func TestGitHubTokenValidation(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			tmpDir := testutil.TempDir(t, "github-token-validation-test")
 
+			// Test validation in tools.github.github-token
 			testContent := `---
 name: Test GitHub Token Validation
 on:
   workflow_dispatch:
 engine: copilot
-github-token: ` + tt.token + `
 tools:
   github:
+    github-token: ` + tt.token + `
     allowed: [list_issues]
 ---
 
@@ -320,12 +321,16 @@ tools:
 func TestGitHubTokenValidationErrorMessage(t *testing.T) {
 	tmpDir := testutil.TempDir(t, "error-message-test")
 
+	// Test validation in tools.github.github-token with plaintext secret
 	testContent := `---
 name: Test Error Message
 on:
   workflow_dispatch:
 engine: copilot
-github-token: ghp_actualSecretInPlainText
+tools:
+  github:
+    github-token: ghp_actualSecretInPlainText
+    allowed: [list_issues]
 ---
 
 # Test Error Message
@@ -359,7 +364,6 @@ name: Test Multiple Tokens
 on:
   workflow_dispatch:
 engine: copilot
-github-token: ${{ secrets.TOPLEVEL_TOKEN }}
 tools:
   github:
     github-token: plaintext_token_in_github_tool
diff --git a/pkg/workflow/http_mcp_env_vars_test.go b/pkg/workflow/http_mcp_env_vars_test.go
index be5cbb8dcc..aa4ea9968a 100644
--- a/pkg/workflow/http_mcp_env_vars_test.go
+++ b/pkg/workflow/http_mcp_env_vars_test.go
@@ -26,9 +26,7 @@ func TestCollectMCPEnvironmentVariables_HTTPMCPWithSecrets(t *testing.T) {
 	}
 
 	mcpTools := []string{"github", "tavily"}
-	workflowData := &WorkflowData{
-		GitHubToken: "${{ secrets.GITHUB_TOKEN }}",
-	}
+	workflowData := &WorkflowData{}
 	hasAgenticWorkflows := false
 
 	envVars := collectMCPEnvironmentVariables(tools, mcpTools, workflowData, hasAgenticWorkflows)
diff --git a/pkg/workflow/js/safe_outputs_tools.json b/pkg/workflow/js/safe_outputs_tools.json
index dda35bd588..b4b8ce8feb 100644
--- a/pkg/workflow/js/safe_outputs_tools.json
+++ b/pkg/workflow/js/safe_outputs_tools.json
@@ -42,7 +42,7 @@
   },
   {
     "name": "create_agent_session",
-    "description": "Create a GitHub Copilot agent session to delegate coding work. Use this when you need another Copilot agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.",
+    "description": "Create a GitHub Copilot coding agent session to delegate coding work. Use this when you need another Copilot coding agent to implement code changes, fix bugs, or complete development tasks. The task becomes a new issue that triggers the Copilot coding agent. For non-coding tasks or manual work items, use create_issue instead.",
     "inputSchema": {
       "type": "object",
       "required": [
@@ -51,7 +51,7 @@
       "properties": {
         "body": {
           "type": "string",
-          "description": "Clear, detailed task description for the Copilot agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained."
+          "description": "Clear, detailed task description for the Copilot coding agent. Include specific files to modify, expected behavior, acceptance criteria, and any constraints. The description should be actionable and self-contained."
         }
       },
       "additionalProperties": false
@@ -513,14 +513,14 @@
             "number",
             "string"
           ],
-          "description": "Issue number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both."
+          "description": "Issue number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 234 in github.com/owner/repo/issues/234). Can also be a temporary_id (e.g., 'aw_abc123', 'aw_Test123') from an issue created earlier in the same workflow run. The issue should contain clear, actionable requirements. Either issue_number or pull_number must be provided, but not both."
         },
         "pull_number": {
           "type": [
             "number",
             "string"
           ],
-          "description": "Pull request number to assign the Copilot agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both."
+          "description": "Pull request number to assign the Copilot coding agent to. This is the numeric ID from the GitHub URL (e.g., 456 in github.com/owner/repo/pull/456). Either issue_number or pull_number must be provided, but not both."
         },
         "agent": {
           "type": "string",
diff --git a/pkg/workflow/mcp_environment.go b/pkg/workflow/mcp_environment.go
index bbd749fa87..7a5116bbd6 100644
--- a/pkg/workflow/mcp_environment.go
+++ b/pkg/workflow/mcp_environment.go
@@ -80,7 +80,7 @@ func collectMCPEnvironmentVariables(tools map[string]any, mcpTools []string, wor
 		} else {
 			// Otherwise, use custom token or default fallback
 			customGitHubToken := getGitHubToken(githubTool)
-			effectiveToken := getEffectiveGitHubToken(customGitHubToken, workflowData.GitHubToken)
+			effectiveToken := getEffectiveGitHubToken(customGitHubToken)
 			envVars["GITHUB_MCP_SERVER_TOKEN"] = effectiveToken
 		}
 
diff --git a/pkg/workflow/mcp_playwright_config.go b/pkg/workflow/mcp_playwright_config.go
index 97600ab459..f653f6f470 100644
--- a/pkg/workflow/mcp_playwright_config.go
+++ b/pkg/workflow/mcp_playwright_config.go
@@ -33,7 +33,7 @@ func getPlaywrightMCPPackageVersion(playwrightConfig *PlaywrightToolConfig) stri
 // generatePlaywrightAllowedDomains extracts domain list from Playwright tool configuration with bundle resolution
 // Uses the same domain bundle resolution as top-level network configuration, defaulting to localhost only
 func generatePlaywrightAllowedDomains(playwrightConfig *PlaywrightToolConfig) []string {
-	// Default to localhost with all port variations (same as Copilot agent default)
+	// Default to localhost with all port variations (same as Copilot coding agent default)
 	allowedDomains := constants.DefaultAllowedDomains
 
 	// Extract allowed_domains from Playwright tool configuration
diff --git a/pkg/workflow/mcp_setup_generator.go b/pkg/workflow/mcp_setup_generator.go
index 24d1fbb083..28999450a1 100644
--- a/pkg/workflow/mcp_setup_generator.go
+++ b/pkg/workflow/mcp_setup_generator.go
@@ -165,8 +165,8 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
 
 	// Only install gh-aw if needed and not already provided by imports
 	if hasAgenticWorkflows && !hasGhAwImport {
-		// Use effective token with precedence: top-level github-token > default
-		effectiveToken := getEffectiveGitHubToken("", workflowData.GitHubToken)
+		// Use effective token with precedence: custom > default
+		effectiveToken := getEffectiveGitHubToken("")
 
 		yaml.WriteString("      - name: Install gh-aw extension\n")
 		yaml.WriteString("        env:\n")
diff --git a/pkg/workflow/model_env_vars_test.go b/pkg/workflow/model_env_vars_test.go
index c614578668..cbc8857634 100644
--- a/pkg/workflow/model_env_vars_test.go
+++ b/pkg/workflow/model_env_vars_test.go
@@ -18,7 +18,7 @@ func TestModelEnvVarInjectionForAgentJob(t *testing.T) {
 		expectedCommand string
 	}{
 		{
-			name:            "Copilot agent uses GH_AW_MODEL_AGENT_COPILOT",
+			name:            "Copilot coding agent uses GH_AW_MODEL_AGENT_COPILOT",
 			engine:          "copilot",
 			expectedEnvVar:  constants.EnvVarModelAgentCopilot,
 			expectedCommand: "${" + constants.EnvVarModelAgentCopilot + ":+ --model",
diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go
index 9d2e42fcbd..c36fad134f 100644
--- a/pkg/workflow/notify_comment.go
+++ b/pkg/workflow/notify_comment.go
@@ -73,7 +73,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa
 			CustomEnvVars: noopEnvVars,
 			Script:        getNoOpScript(),
 			ScriptFile:    "noop.cjs",
-			Token:         data.SafeOutputs.NoOp.GitHubToken,
+			CustomToken:   data.SafeOutputs.NoOp.GitHubToken,
 		})
 		steps = append(steps, noopSteps...)
 	}
@@ -115,7 +115,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa
 			CustomEnvVars: missingToolEnvVars,
 			Script:        "const { main } = require('/opt/gh-aw/actions/missing_tool.cjs'); await main();",
 			ScriptFile:    "missing_tool.cjs",
-			Token:         data.SafeOutputs.MissingTool.GitHubToken,
+			CustomToken:   data.SafeOutputs.MissingTool.GitHubToken,
 		})
 		steps = append(steps, missingToolSteps...)
 	}
@@ -185,7 +185,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa
 		CustomEnvVars: agentFailureEnvVars,
 		Script:        "const { main } = require('/opt/gh-aw/actions/handle_agent_failure.cjs'); await main();",
 		ScriptFile:    "handle_agent_failure.cjs",
-		Token:         "", // Will use default GITHUB_TOKEN
+		CustomToken:   "", // Will use default GITHUB_TOKEN
 	})
 	steps = append(steps, agentFailureSteps...)
 
@@ -216,7 +216,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa
 		CustomEnvVars: noopMessageEnvVars,
 		Script:        "const { main } = require('/opt/gh-aw/actions/handle_noop_message.cjs'); await main();",
 		ScriptFile:    "handle_noop_message.cjs",
-		Token:         "", // Will use default GITHUB_TOKEN
+		CustomToken:   "", // Will use default GITHUB_TOKEN
 	})
 	steps = append(steps, noopMessageSteps...)
 
@@ -237,7 +237,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa
 			CustomEnvVars: createPRErrorEnvVars,
 			Script:        "const { main } = require('/opt/gh-aw/actions/handle_create_pr_error.cjs'); await main();",
 			ScriptFile:    "handle_create_pr_error.cjs",
-			Token:         "", // Will use default GITHUB_TOKEN
+			CustomToken:   "", // Will use default GITHUB_TOKEN
 		})
 		steps = append(steps, createPRErrorSteps...)
 	}
@@ -296,7 +296,7 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa
 			CustomEnvVars: customEnvVars,
 			Script:        getNotifyCommentErrorScript(),
 			ScriptFile:    "notify_comment_error.cjs",
-			Token:         token,
+			CustomToken:   token,
 		})
 		steps = append(steps, scriptSteps...)
 	}
diff --git a/pkg/workflow/permissions_factory.go b/pkg/workflow/permissions_factory.go
index b12667ab14..de0fc1f022 100644
--- a/pkg/workflow/permissions_factory.go
+++ b/pkg/workflow/permissions_factory.go
@@ -107,7 +107,7 @@ func NewPermissionsActionsWrite() *Permissions {
 }
 
 // NewPermissionsActionsWriteContentsWriteIssuesWritePRWrite creates permissions with actions: write, contents: write, issues: write, pull-requests: write
-// This is required for the replaceActorsForAssignable GraphQL mutation used to assign GitHub Copilot agents to issues
+// This is required for the replaceActorsForAssignable GraphQL mutation used to assign GitHub Copilot coding agent to issues
 func NewPermissionsActionsWriteContentsWriteIssuesWritePRWrite() *Permissions {
 	return NewPermissionsFromMap(map[PermissionScope]PermissionLevel{
 		PermissionActions:      PermissionWrite,
diff --git a/pkg/workflow/plugin_compilation_test.go b/pkg/workflow/plugin_compilation_test.go
index 7cfb30deab..745266f53e 100644
--- a/pkg/workflow/plugin_compilation_test.go
+++ b/pkg/workflow/plugin_compilation_test.go
@@ -222,15 +222,16 @@ on: workflow_dispatch
 permissions:
   issues: read
   pull-requests: read
-github-token: ${{ secrets.MY_GITHUB_TOKEN }}
 plugins:
-  - github/test-plugin
+  repos:
+    - github/test-plugin
+  github-token: ${{ secrets.MY_GITHUB_TOKEN }}
 ---
 
-Test with top-level github-token
+Test with plugins github-token
 `
 
-	testFile := filepath.Join(tmpDir, "test-toplevel-token.md")
+	testFile := filepath.Join(tmpDir, "test-plugins-token.md")
 	err := os.WriteFile(testFile, []byte(workflow), 0644)
 	require.NoError(t, err, "Failed to write test file")
 
@@ -250,13 +251,13 @@ Test with top-level github-token
 	assert.Contains(t, lockContent, "copilot plugin install github/test-plugin",
 		"Lock file should contain plugin install command")
 
-	// Verify top-level github-token is used (not cascading)
+	// Verify plugins github-token is used (not cascading)
 	assert.Contains(t, lockContent, "GITHUB_TOKEN: ${{ secrets.MY_GITHUB_TOKEN }}",
-		"Lock file should use top-level github-token")
+		"Lock file should use plugins github-token")
 
 	// Verify cascading token is NOT used
 	assert.NotContains(t, lockContent, "GH_AW_PLUGINS_TOKEN",
-		"Lock file should not use cascading token when top-level token is provided")
+		"Lock file should not use cascading token when plugins token is provided")
 }
 
 func TestPluginCompilationTokenPrecedence(t *testing.T) {
@@ -269,14 +270,13 @@ func TestPluginCompilationTokenPrecedence(t *testing.T) {
 		description   string
 	}{
 		{
-			name: "Object github-token overrides top-level",
+			name: "Plugin-specific github-token used",
 			workflow: `---
 engine: copilot
 on: workflow_dispatch
 permissions:
   issues: read
   pull-requests: read
-github-token: ${{ secrets.TOPLEVEL_TOKEN }}
 plugins:
   repos:
     - github/plugin1
@@ -286,25 +286,7 @@ plugins:
 Test token precedence
 `,
 			expectedToken: "GITHUB_TOKEN: ${{ secrets.PLUGINS_SPECIFIC_TOKEN }}",
-			description:   "plugins.github-token should override top-level github-token",
-		},
-		{
-			name: "Top-level token used when no plugin token",
-			workflow: `---
-engine: copilot
-on: workflow_dispatch
-permissions:
-  issues: read
-  pull-requests: read
-github-token: ${{ secrets.TOPLEVEL_TOKEN }}
-plugins:
-  - github/plugin1
----
-
-Test top-level token
-`,
-			expectedToken: "GITHUB_TOKEN: ${{ secrets.TOPLEVEL_TOKEN }}",
-			description:   "top-level github-token should be used when no plugins.github-token",
+			description:   "plugins.github-token should be used when specified",
 		},
 		{
 			name: "Cascading fallback when no tokens specified",
diff --git a/pkg/workflow/plugin_installation_test.go b/pkg/workflow/plugin_installation_test.go
index e9dcb071cc..6c5ede6049 100644
--- a/pkg/workflow/plugin_installation_test.go
+++ b/pkg/workflow/plugin_installation_test.go
@@ -241,7 +241,7 @@ func TestPluginTokenCascading(t *testing.T) {
 			expectedToken: "${{ secrets.GH_AW_PLUGINS_TOKEN || secrets.GH_AW_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}",
 		},
 		{
-			name:          "Frontmatter github-token provided",
+			name:          "Plugins config token provided",
 			customToken:   "${{ secrets.MY_GITHUB_TOKEN }}",
 			expectedToken: "${{ secrets.MY_GITHUB_TOKEN }}",
 		},
diff --git a/pkg/workflow/pr.go b/pkg/workflow/pr.go
index 87dff509c5..8f5d51621d 100644
--- a/pkg/workflow/pr.go
+++ b/pkg/workflow/pr.go
@@ -42,12 +42,12 @@ func (c *Compiler) generatePRReadyForReviewCheckout(yaml *strings.Builder, data
 	fmt.Fprintf(yaml, "        uses: %s\n", GetActionPin("actions/github-script"))
 
 	// Add env section with GH_TOKEN for gh CLI
-	// Use safe-outputs github-token if available, otherwise top-level token
+	// Use safe-outputs github-token if available, otherwise default token
 	safeOutputsToken := ""
 	if data.SafeOutputs != nil && data.SafeOutputs.GitHubToken != "" {
 		safeOutputsToken = data.SafeOutputs.GitHubToken
 	}
-	effectiveToken := getEffectiveGitHubToken(safeOutputsToken, data.GitHubToken)
+	effectiveToken := getEffectiveGitHubToken(safeOutputsToken)
 	prLog.Print("PR checkout step configured with GitHub token")
 	yaml.WriteString("        env:\n")
 	fmt.Fprintf(yaml, "          GH_TOKEN: %s\n", effectiveToken)
diff --git a/pkg/workflow/safe_output_helpers_test.go b/pkg/workflow/safe_output_helpers_test.go
index 323077eabb..647c3d2d04 100644
--- a/pkg/workflow/safe_output_helpers_test.go
+++ b/pkg/workflow/safe_output_helpers_test.go
@@ -27,7 +27,7 @@ func TestBuildGitHubScriptStep(t *testing.T) {
 				StepID:      "test_step",
 				MainJobName: "main_job",
 				Script:      "console.log('test');",
-				Token:       "",
+				CustomToken: "",
 			},
 			expectedInSteps: []string{
 				"- name: Download agent output artifact",
@@ -55,8 +55,8 @@ func TestBuildGitHubScriptStep(t *testing.T) {
 					"          GH_AW_ISSUE_TITLE_PREFIX: \"[bot] \"\n",
 					"          GH_AW_ISSUE_LABELS: \"automation,ai\"\n",
 				},
-				Script: "const issue = true;",
-				Token:  "",
+				Script:      "const issue = true;",
+				CustomToken: "",
 			},
 			expectedInSteps: []string{
 				"- name: Download agent output artifact",
@@ -86,7 +86,7 @@ func TestBuildGitHubScriptStep(t *testing.T) {
 				StepID:      "process",
 				MainJobName: "main",
 				Script:      "const x = 1;",
-				Token:       "",
+				CustomToken: "",
 			},
 			expectedInSteps: []string{
 				"- name: Download agent output artifact",
@@ -108,7 +108,7 @@ func TestBuildGitHubScriptStep(t *testing.T) {
 				StepID:      "secure",
 				MainJobName: "main",
 				Script:      "const secure = true;",
-				Token:       "${{ secrets.CUSTOM_TOKEN }}",
+				CustomToken: "${{ secrets.CUSTOM_TOKEN }}",
 			},
 			expectedInSteps: []string{
 				"- name: Secure Action",
@@ -175,8 +175,8 @@ func TestBuildGitHubScriptStepMaintainsOrder(t *testing.T) {
 		CustomEnvVars: []string{
 			"          CUSTOM_VAR: custom_value\n",
 		},
-		Script: "const test = 1;",
-		Token:  "",
+		Script:      "const test = 1;",
+		CustomToken: "",
 	}
 
 	steps := compiler.buildGitHubScriptStep(workflowData, config)
@@ -746,7 +746,7 @@ func TestBuildGitHubScriptStepNoWorkingDirectory(t *testing.T) {
 		StepID:      "test_script",
 		MainJobName: "main",
 		Script:      "console.log('test');",
-		Token:       "",
+		CustomToken: "",
 	}
 
 	steps := compiler.buildGitHubScriptStep(workflowData, config)
diff --git a/pkg/workflow/safe_outputs_env.go b/pkg/workflow/safe_outputs_env.go
index 4ae1dc1fdb..58f957070d 100644
--- a/pkg/workflow/safe_outputs_env.go
+++ b/pkg/workflow/safe_outputs_env.go
@@ -221,7 +221,7 @@ func (c *Compiler) addCustomSafeOutputEnvVars(steps *[]string, data *WorkflowDat
 }
 
 // addSafeOutputGitHubTokenForConfig adds github-token to the with section, preferring per-config token over global
-// Uses precedence: config token > safe-outputs global github-token > top-level github-token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
+// Uses precedence: config token > safe-outputs global github-token > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
 func (c *Compiler) addSafeOutputGitHubTokenForConfig(steps *[]string, data *WorkflowData, configToken string) {
 	var safeOutputsToken string
 	if data.SafeOutputs != nil {
@@ -234,13 +234,19 @@ func (c *Compiler) addSafeOutputGitHubTokenForConfig(steps *[]string, data *Work
 		return
 	}
 
-	// Get effective token using double precedence: config > safe-outputs, then > top-level > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
-	effectiveToken := getEffectiveSafeOutputGitHubToken(configToken, getEffectiveSafeOutputGitHubToken(safeOutputsToken, data.GitHubToken))
+	// Choose the first non-empty custom token for precedence
+	effectiveCustomToken := configToken
+	if effectiveCustomToken == "" {
+		effectiveCustomToken = safeOutputsToken
+	}
+
+	// Get effective token
+	effectiveToken := getEffectiveSafeOutputGitHubToken(effectiveCustomToken)
 	*steps = append(*steps, fmt.Sprintf("          github-token: %s\n", effectiveToken))
 }
 
 // addSafeOutputCopilotGitHubTokenForConfig adds github-token to the with section for Copilot-related operations
-// Uses precedence: config token > safe-outputs global github-token > top-level github-token > COPILOT_GITHUB_TOKEN > GH_AW_GITHUB_TOKEN (legacy)
+// Uses precedence: config token > safe-outputs global github-token > COPILOT_GITHUB_TOKEN
 func (c *Compiler) addSafeOutputCopilotGitHubTokenForConfig(steps *[]string, data *WorkflowData, configToken string) {
 	var safeOutputsToken string
 	if data.SafeOutputs != nil {
@@ -253,13 +259,19 @@ func (c *Compiler) addSafeOutputCopilotGitHubTokenForConfig(steps *[]string, dat
 		return
 	}
 
-	// Get effective token using double precedence: config > safe-outputs, then > top-level > Copilot default
-	effectiveToken := getEffectiveCopilotGitHubToken(configToken, getEffectiveCopilotGitHubToken(safeOutputsToken, data.GitHubToken))
+	// Choose the first non-empty custom token for precedence
+	effectiveCustomToken := configToken
+	if effectiveCustomToken == "" {
+		effectiveCustomToken = safeOutputsToken
+	}
+
+	// Get effective token
+	effectiveToken := getEffectiveCopilotRequestsToken(effectiveCustomToken)
 	*steps = append(*steps, fmt.Sprintf("          github-token: %s\n", effectiveToken))
 }
 
 // addSafeOutputAgentGitHubTokenForConfig adds github-token to the with section for agent assignment operations
-// Uses precedence: config token > safe-outputs token > workflow token > GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
+// Uses precedence: config token > safe-outputs token > GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
 // This is specifically for assign-to-agent operations which require elevated permissions.
 func (c *Compiler) addSafeOutputAgentGitHubTokenForConfig(steps *[]string, data *WorkflowData, configToken string) {
 	// If app is configured, use app token
@@ -274,8 +286,14 @@ func (c *Compiler) addSafeOutputAgentGitHubTokenForConfig(steps *[]string, data
 		safeOutputsToken = data.SafeOutputs.GitHubToken
 	}
 
-	// Get effective token using full precedence chain: config > safe-outputs > workflow > GH_AW_AGENT_TOKEN fallback
-	effectiveToken := getEffectiveAgentGitHubToken(configToken, getEffectiveAgentGitHubToken(safeOutputsToken, data.GitHubToken))
+	// Choose the first non-empty custom token for precedence
+	effectiveCustomToken := configToken
+	if effectiveCustomToken == "" {
+		effectiveCustomToken = safeOutputsToken
+	}
+
+	// Get effective token
+	effectiveToken := getEffectiveCopilotCodingAgentGitHubToken(effectiveCustomToken)
 	*steps = append(*steps, fmt.Sprintf("          github-token: %s\n", effectiveToken))
 }
 
diff --git a/pkg/workflow/safe_outputs_handler_manager_token_test.go b/pkg/workflow/safe_outputs_handler_manager_token_test.go
index f62f8f2c66..d9058279e1 100644
--- a/pkg/workflow/safe_outputs_handler_manager_token_test.go
+++ b/pkg/workflow/safe_outputs_handler_manager_token_test.go
@@ -50,18 +50,18 @@ func TestHandlerManagerProjectGitHubTokenEnvVar(t *testing.T) {
 			shouldHaveToken:     true,
 		},
 		{
-			name: "update-project with top-level github-token",
+			name: "update-project with safe-outputs github-token",
 			frontmatter: map[string]any{
-				"name":         "Test Workflow",
-				"github-token": "${{ secrets.CUSTOM_TOKEN }}",
+				"name": "Test Workflow",
 				"safe-outputs": map[string]any{
+					"github-token": "${{ secrets.SAFE_OUTPUTS_TOKEN }}",
 					"update-project": map[string]any{
 						"project": "https://github.com/orgs/myorg/projects/1",
 					},
 				},
 			},
-			expectedEnvVarValue: "GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.CUSTOM_TOKEN }}",
-			expectedWithToken:   "github-token: ${{ secrets.CUSTOM_TOKEN }}",
+			expectedEnvVarValue: "GH_AW_PROJECT_GITHUB_TOKEN: ${{ secrets.SAFE_OUTPUTS_TOKEN }}",
+			expectedWithToken:   "github-token: ${{ secrets.SAFE_OUTPUTS_TOKEN }}",
 			shouldHaveToken:     true,
 		},
 		{
@@ -139,11 +139,6 @@ func TestHandlerManagerProjectGitHubTokenEnvVar(t *testing.T) {
 				SafeOutputs: compiler.extractSafeOutputsConfig(tt.frontmatter),
 			}
 
-			// Set top-level github-token if present in frontmatter
-			if githubToken, ok := tt.frontmatter["github-token"].(string); ok {
-				workflowData.GitHubToken = githubToken
-			}
-
 			// Build the handler manager step
 			steps := compiler.buildHandlerManagerStep(workflowData)
 			yamlStr := strings.Join(steps, "")
diff --git a/pkg/workflow/safe_outputs_jobs.go b/pkg/workflow/safe_outputs_jobs.go
index 8adeb7d8b1..91fe7a2ba1 100644
--- a/pkg/workflow/safe_outputs_jobs.go
+++ b/pkg/workflow/safe_outputs_jobs.go
@@ -31,16 +31,16 @@ type SafeOutputJobConfig struct {
 	ScriptName string
 
 	// Job configuration
-	Permissions     *Permissions      // Job permissions
-	Outputs         map[string]string // Job outputs
-	Condition       ConditionNode     // Job condition (if clause)
-	Needs           []string          // Job dependencies
-	PreSteps        []string          // Optional steps to run before the GitHub Script step
-	PostSteps       []string          // Optional steps to run after the GitHub Script step
-	Token           string            // GitHub token for this output type
-	UseCopilotToken bool              // Whether to use Copilot token preference chain
-	UseAgentToken   bool              // Whether to use agent token preference chain (config token > GH_AW_AGENT_TOKEN)
-	TargetRepoSlug  string            // Target repository for cross-repo operations
+	Permissions                *Permissions      // Job permissions
+	Outputs                    map[string]string // Job outputs
+	Condition                  ConditionNode     // Job condition (if clause)
+	Needs                      []string          // Job dependencies
+	PreSteps                   []string          // Optional steps to run before the GitHub Script step
+	PostSteps                  []string          // Optional steps to run after the GitHub Script step
+	Token                      string            // GitHub token for this output type
+	UseCopilotRequestsToken    bool              // Whether to use Copilot token preference chain
+	UseCopilotCodingAgentToken bool              // Whether to use agent token preference chain (config token > GH_AW_AGENT_TOKEN)
+	TargetRepoSlug             string            // Target repository for cross-repo operations
 }
 
 // buildSafeOutputJob creates a safe output job with common scaffolding
@@ -71,14 +71,14 @@ func (c *Compiler) buildSafeOutputJob(data *WorkflowData, config SafeOutputJobCo
 		// Use custom action mode (dev or release) if enabled and script name is provided
 		safeOutputsJobsLog.Printf("Using custom action mode (%s) for script: %s", c.actionMode, config.ScriptName)
 		scriptSteps = c.buildCustomActionStep(data, GitHubScriptStepConfig{
-			StepName:        config.StepName,
-			StepID:          config.StepID,
-			MainJobName:     config.MainJobName,
-			CustomEnvVars:   config.CustomEnvVars,
-			Script:          config.Script,
-			Token:           config.Token,
-			UseCopilotToken: config.UseCopilotToken,
-			UseAgentToken:   config.UseAgentToken,
+			StepName:                   config.StepName,
+			StepID:                     config.StepID,
+			MainJobName:                config.MainJobName,
+			CustomEnvVars:              config.CustomEnvVars,
+			Script:                     config.Script,
+			CustomToken:                config.Token,
+			UseCopilotRequestsToken:    config.UseCopilotRequestsToken,
+			UseCopilotCodingAgentToken: config.UseCopilotCodingAgentToken,
 		}, config.ScriptName)
 	} else {
 		// Use inline mode (default behavior)
@@ -91,15 +91,15 @@ func (c *Compiler) buildSafeOutputJob(data *WorkflowData, config SafeOutputJobCo
 			safeOutputsJobsLog.Printf("Using inline mode (actions/github-script)")
 		}
 		scriptSteps = c.buildGitHubScriptStep(data, GitHubScriptStepConfig{
-			StepName:        config.StepName,
-			StepID:          config.StepID,
-			MainJobName:     config.MainJobName,
-			CustomEnvVars:   config.CustomEnvVars,
-			Script:          config.Script,
-			ScriptFile:      scriptFile,
-			Token:           config.Token,
-			UseCopilotToken: config.UseCopilotToken,
-			UseAgentToken:   config.UseAgentToken,
+			StepName:                   config.StepName,
+			StepID:                     config.StepID,
+			MainJobName:                config.MainJobName,
+			CustomEnvVars:              config.CustomEnvVars,
+			Script:                     config.Script,
+			ScriptFile:                 scriptFile,
+			CustomToken:                config.Token,
+			UseCopilotRequestsToken:    config.UseCopilotRequestsToken,
+			UseCopilotCodingAgentToken: config.UseCopilotCodingAgentToken,
 		})
 	}
 	steps = append(steps, scriptSteps...)
diff --git a/pkg/workflow/safe_outputs_steps.go b/pkg/workflow/safe_outputs_steps.go
index b56934c0a9..7c095daac3 100644
--- a/pkg/workflow/safe_outputs_steps.go
+++ b/pkg/workflow/safe_outputs_steps.go
@@ -56,42 +56,40 @@ func (c *Compiler) buildCustomActionStep(data *WorkflowData, config GitHubScript
 	steps = append(steps, "        with:\n")
 
 	// Map github-token to token input for custom actions
-	c.addCustomActionGitHubToken(&steps, data, config.Token, config.UseAgentToken, config.UseCopilotToken)
+	c.addCustomActionGitHubToken(&steps, data, config)
 
 	return steps
 }
 
 // addCustomActionGitHubToken adds a GitHub token as action input.
 // The token precedence depends on the tokenType flags:
-// - UseAgentToken: customToken > SafeOutputs.GitHubToken > data.GitHubToken > GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
-// - UseCopilotToken: customToken > SafeOutputs.GitHubToken > data.GitHubToken > COPILOT_GITHUB_TOKEN || GH_AW_GITHUB_TOKEN
-// - Default: customToken > SafeOutputs.GitHubToken > data.GitHubToken > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
-func (c *Compiler) addCustomActionGitHubToken(steps *[]string, data *WorkflowData, customToken string, useAgentToken, useCopilotToken bool) {
+// - UseCopilotCodingAgentToken: customToken > SafeOutputs.GitHubToken > GH_AW_AGENT_TOKEN || GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
+// - UseCopilotRequestsToken: customToken > SafeOutputs.GitHubToken > COPILOT_GITHUB_TOKEN
+// - Default: customToken > SafeOutputs.GitHubToken > GH_AW_GITHUB_TOKEN || GITHUB_TOKEN
+func (c *Compiler) addCustomActionGitHubToken(steps *[]string, data *WorkflowData, config GitHubScriptStepConfig) {
 	var token string
 
+	// Get safe-outputs level token
+	var safeOutputsToken string
+	if data.SafeOutputs != nil {
+		safeOutputsToken = data.SafeOutputs.GitHubToken
+	}
+
+	// Choose the first non-empty custom token for precedence
+	effectiveCustomToken := config.CustomToken
+	if effectiveCustomToken == "" {
+		effectiveCustomToken = safeOutputsToken
+	}
+
 	// Agent token mode: use full precedence chain for agent assignment
-	if useAgentToken {
-		var safeOutputsToken string
-		if data.SafeOutputs != nil {
-			safeOutputsToken = data.SafeOutputs.GitHubToken
-		}
-		// Precedence: customToken > safeOutputsToken > data.GitHubToken > default Agent fallback chain
-		token = getEffectiveAgentGitHubToken(customToken, getEffectiveAgentGitHubToken(safeOutputsToken, data.GitHubToken))
-	} else if useCopilotToken {
-		// Copilot mode: use getEffectiveCopilotGitHubToken with safe-outputs token precedence
-		var safeOutputsToken string
-		if data.SafeOutputs != nil {
-			safeOutputsToken = data.SafeOutputs.GitHubToken
-		}
-		// Precedence: customToken > safeOutputsToken > data.GitHubToken > default Copilot fallback
-		token = getEffectiveCopilotGitHubToken(customToken, getEffectiveCopilotGitHubToken(safeOutputsToken, data.GitHubToken))
+	if config.UseCopilotCodingAgentToken {
+		token = getEffectiveCopilotCodingAgentGitHubToken(effectiveCustomToken)
+	} else if config.UseCopilotRequestsToken {
+		// Copilot mode: use getEffectiveCopilotRequestsToken with safe-outputs token precedence
+		token = getEffectiveCopilotRequestsToken(effectiveCustomToken)
 	} else {
-		// Standard mode: use safe output token chain (data.GitHubToken, then GITHUB_TOKEN)
-		var safeOutputsToken string
-		if data.SafeOutputs != nil {
-			safeOutputsToken = data.SafeOutputs.GitHubToken
-		}
-		token = getEffectiveSafeOutputGitHubToken(customToken, getEffectiveSafeOutputGitHubToken(safeOutputsToken, data.GitHubToken))
+		// Standard mode: use safe output token chain
+		token = getEffectiveSafeOutputGitHubToken(effectiveCustomToken)
 	}
 
 	*steps = append(*steps, fmt.Sprintf("          token: %s\n", token))
@@ -117,25 +115,25 @@ type GitHubScriptStepConfig struct {
 	// If empty, Script will be inlined instead
 	ScriptFile string
 
-	// Token configuration (passed to addSafeOutputGitHubTokenForConfig or addSafeOutputCopilotGitHubTokenForConfig)
-	Token string
+	// CustomToken configuration (passed to addSafeOutputGitHubTokenForConfig or addSafeOutputCopilotGitHubTokenForConfig)
+	CustomToken string
 
-	// UseCopilotToken indicates whether to use the Copilot token preference chain
-	// (COPILOT_GITHUB_TOKEN > GH_AW_GITHUB_TOKEN (legacy))
+	// UseCopilotRequestsToken indicates whether to use the Copilot token preference chain
+	// custom token > COPILOT_GITHUB_TOKEN
 	// This should be true for Copilot-related operations like creating agent tasks,
 	// assigning copilot to issues, or adding copilot as PR reviewer
-	UseCopilotToken bool
+	UseCopilotRequestsToken bool
 
-	// UseAgentToken indicates whether to use the agent token preference chain
+	// UseCopilotCodingAgentToken indicates whether to use the agent token preference chain
 	// (config token > GH_AW_AGENT_TOKEN)
 	// This should be true for agent assignment operations (assign-to-agent)
-	UseAgentToken bool
+	UseCopilotCodingAgentToken bool
 }
 
 // buildGitHubScriptStep creates a GitHub Script step with common scaffolding
 // This extracts the repeated pattern found across safe output job builders
 func (c *Compiler) buildGitHubScriptStep(data *WorkflowData, config GitHubScriptStepConfig) []string {
-	safeOutputsStepsLog.Printf("Building GitHub Script step: %s (useCopilotToken=%v, useAgentToken=%v)", config.StepName, config.UseCopilotToken, config.UseAgentToken)
+	safeOutputsStepsLog.Printf("Building GitHub Script step: %s (useCopilotRequestsToken=%v, useCopilotCodingAgentToken=%v)", config.StepName, config.UseCopilotRequestsToken, config.UseCopilotCodingAgentToken)
 
 	var steps []string
 
@@ -162,12 +160,12 @@ func (c *Compiler) buildGitHubScriptStep(data *WorkflowData, config GitHubScript
 
 	// With section for github-token
 	steps = append(steps, "        with:\n")
-	if config.UseAgentToken {
-		c.addSafeOutputAgentGitHubTokenForConfig(&steps, data, config.Token)
-	} else if config.UseCopilotToken {
-		c.addSafeOutputCopilotGitHubTokenForConfig(&steps, data, config.Token)
+	if config.UseCopilotCodingAgentToken {
+		c.addSafeOutputAgentGitHubTokenForConfig(&steps, data, config.CustomToken)
+	} else if config.UseCopilotRequestsToken {
+		c.addSafeOutputCopilotGitHubTokenForConfig(&steps, data, config.CustomToken)
 	} else {
-		c.addSafeOutputGitHubTokenForConfig(&steps, data, config.Token)
+		c.addSafeOutputGitHubTokenForConfig(&steps, data, config.CustomToken)
 	}
 
 	steps = append(steps, "          script: |\n")
@@ -215,12 +213,12 @@ func (c *Compiler) buildGitHubScriptStepWithoutDownload(data *WorkflowData, conf
 
 	// With section for github-token
 	steps = append(steps, "        with:\n")
-	if config.UseAgentToken {
-		c.addSafeOutputAgentGitHubTokenForConfig(&steps, data, config.Token)
-	} else if config.UseCopilotToken {
-		c.addSafeOutputCopilotGitHubTokenForConfig(&steps, data, config.Token)
+	if config.UseCopilotCodingAgentToken {
+		c.addSafeOutputAgentGitHubTokenForConfig(&steps, data, config.CustomToken)
+	} else if config.UseCopilotRequestsToken {
+		c.addSafeOutputCopilotGitHubTokenForConfig(&steps, data, config.CustomToken)
 	} else {
-		c.addSafeOutputGitHubTokenForConfig(&steps, data, config.Token)
+		c.addSafeOutputGitHubTokenForConfig(&steps, data, config.CustomToken)
 	}
 
 	steps = append(steps, "          script: |\n")
diff --git a/pkg/workflow/safe_outputs_test.go b/pkg/workflow/safe_outputs_test.go
index 8ec389f0c0..8bac53c353 100644
--- a/pkg/workflow/safe_outputs_test.go
+++ b/pkg/workflow/safe_outputs_test.go
@@ -800,7 +800,7 @@ func TestBuildGitHubScriptStepWithoutDownload(t *testing.T) {
 				StepID:      "test_step",
 				MainJobName: "main_job",
 				Script:      "console.log('test');",
-				Token:       "",
+				CustomToken: "",
 			},
 			expectedInSteps: []string{
 				"- name: Test Step",
@@ -828,8 +828,8 @@ func TestBuildGitHubScriptStepWithoutDownload(t *testing.T) {
 				CustomEnvVars: []string{
 					"          CUSTOM_VAR: value\n",
 				},
-				Script: "const x = 1;",
-				Token:  "",
+				Script:      "const x = 1;",
+				CustomToken: "",
 			},
 			expectedInSteps: []string{
 				"- name: Custom Step",
diff --git a/research/blog-research/BLOG-RESEARCH.md b/research/blog-research/BLOG-RESEARCH.md
index 45c6346fbd..1b2f8839c9 100644
--- a/research/blog-research/BLOG-RESEARCH.md
+++ b/research/blog-research/BLOG-RESEARCH.md
@@ -284,7 +284,7 @@ Daily File Diet ("Large File Simplifier") has driven **26 merged PRs out of 33 p
 **Workflow File**: `.github/workflows/terminal-stylist.md` (runs daily)
 
 **Causal Chain Summary**:
-Terminal Stylist creates daily analysis discussions → Discussion Task Miner + Plan Command mine actionable tasks → Copilot Coding Agent creates PRs → PRs attributed back through the chain.
+Terminal Stylist creates daily analysis discussions → Discussion Task Miner + Plan Command mine actionable tasks → Copilot coding agent creates PRs → PRs attributed back through the chain.
 
 - **31 discussions** created with "AI generated by [Terminal Stylist]" attribution
 - **25 issues** spawned from those discussions (13 by Discussion Task Miner, 10 by Plan Command, 1 by DeepReport, 1 by Terminal Stylist itself)
@@ -628,13 +628,13 @@ Issue Arborist is an **organizational workflow** that has created **77 discussio
 
 **Statistics**: **0 PRs — this is a dispatcher/orchestrator workflow** ✅
 
-Issue Monster assigns issues to Copilot agents — it's an orchestrator, not a code-change workflow. It doesn't create PRs or issues; it dispatches existing issues to be worked on.
+Issue Monster assigns issues to Copilot coding agent — it's an orchestrator, not a code-change workflow. It doesn't create PRs or issues; it dispatches existing issues to be worked on.
 
-**Pattern**: Assigns issues to Copilot agents one at a time — the task dispatcher for the whole system
+**Pattern**: Assigns issues to Copilot coding agent one at a time — the task dispatcher for the whole system
 
 **Blog Addition Suggestion**:
 ```markdown
-Issue Monster is the **task dispatcher** — it assigns issues to Copilot agents one at a time. It doesn't create PRs itself, but enables every other agent's work by feeding them tasks.
+Issue Monster is the **task dispatcher** — it assigns issues to Copilot coding agent one at a time. It doesn't create PRs itself, but enables every other agent's work by feeding them tasks.
 ```
 
 ---
@@ -934,11 +934,11 @@ GitHub MCP Tools Report Generator has contributed **5 merged PRs out of 6 propos
 
 **Attribution Name**: "Agent Performance Analyzer - Meta-Orchestrator"
 
-**Methodology Note**: All 14 PRs are causal chains — Agent Performance Analyzer creates issues identifying problems, then Copilot Coding Agent picks up the issues and creates PRs. The "AI generated by" attribution appears in PR bodies because the original issue text (with the attribution link) is embedded in the PR. All 14 source issues are confirmed attributed to "Agent Performance Analyzer - Meta-Orchestrator" in `issues-by-agent.json`.
+**Methodology Note**: All 14 PRs are causal chains — Agent Performance Analyzer creates issues identifying problems, then Copilot coding agent picks up the issues and creates PRs. The "AI generated by" attribution appears in PR bodies because the original issue text (with the attribution link) is embedded in the PR. All 14 source issues are confirmed attributed to "Agent Performance Analyzer - Meta-Orchestrator" in `issues-by-agent.json`.
 
 **Example Causal Chain**:
 - **Issue #12168**: "Add draft PR cleanup automation policy" (created by Agent Performance Analyzer after noticing draft PRs account for 9.6% of open PRs)
-- **PR [#12174](https://github.com/github/gh-aw/pull/12174)**: Copilot Coding Agent implemented the cleanup workflow (MERGED)
+- **PR [#12174](https://github.com/github/gh-aw/pull/12174)**: Copilot coding agent implemented the cleanup workflow (MERGED)
 
 **Example Causal Chains** (Merged):
 - Issue #8842 → [#8849: Refactor large workflows into modular shared components](https://github.com/github/gh-aw/pull/8849) (MERGED)
@@ -949,7 +949,7 @@ GitHub MCP Tools Report Generator has contributed **5 merged PRs out of 6 propos
 - #11446: P0: Investigate PR Merge Crisis - 605 PRs Blocked, 0% Merge Rate (Week 3) (CLOSED)
 - #11448: P1: Create PR Triage Agent - Automate Categorization, Risk Assessment, and Prioritization (CLOSED)
 
-**Pattern**: Meta-orchestrator that monitors all other agents, looking for performance degradation, cost spikes, and quality issues. Creates issues (29 total) identifying problems — 14 of those issues led to PRs by Copilot Coding Agent, with 8 merged.
+**Pattern**: Meta-orchestrator that monitors all other agents, looking for performance degradation, cost spikes, and quality issues. Creates issues (29 total) identifying problems — 14 of those issues led to PRs by Copilot coding agent, with 8 merged.
 
 **Blog Addition Suggestion**:
 ```markdown
@@ -1252,11 +1252,11 @@ Daily Repo Chronicle has created **6 chronicle discussions** narrating the repos
 #### Copilot Session Insights ⚠️
 **Statistics**: **0 PRs with attribution** ⚠️ | **32 discussions created** (latest: [#5316](https://github.com/github/gh-aw/discussions/5316))
 
-**Pattern**: Analyzes Copilot agent usage patterns and metrics. Creates insight discussions.
+**Pattern**: Analyzes Copilot coding agent usage patterns and metrics. Creates insight discussions.
 
 **Blog Addition Suggestion**:
 ```markdown
-Copilot Session Insights has created **32 analysis discussions** examining Copilot agent usage patterns and metrics across the workflow ecosystem.
+Copilot Session Insights has created **32 analysis discussions** examining Copilot coding agent usage patterns and metrics across the workflow ecosystem.
 ```
 
 ---
@@ -1292,7 +1292,7 @@ Prompt Clustering Analysis has created **27 analysis discussions** using ML to c
 
 **Blog Addition Suggestion**:
 ```markdown
-Copilot Agent Analysis has created **48 daily analysis discussions** providing deep analysis of agent behavior patterns — for example, [#6913](https://github.com/github/gh-aw/discussions/6913) with the daily Copilot agent analysis.
+Copilot Agent Analysis has created **48 daily analysis discussions** providing deep analysis of agent behavior patterns — for example, [#6913](https://github.com/github/gh-aw/discussions/6913) with the daily Copilot coding agent analysis.
 ```
 
 ---
diff --git a/schemas/agent-output.json b/schemas/agent-output.json
index 53d7428639..1602dd7fb9 100644
--- a/schemas/agent-output.json
+++ b/schemas/agent-output.json
@@ -671,7 +671,7 @@
     },
     "AssignToAgentOutput": {
       "title": "Assign to Agent Output",
-      "description": "Output for assigning a GitHub Copilot agent to an issue or pull request",
+      "description": "Output for assigning a GitHub Copilot coding agent to an issue or pull request",
       "type": "object",
       "oneOf": [
         {
diff --git a/scratchpad/end-to-end-feature-testing.md b/scratchpad/end-to-end-feature-testing.md
index f73d068f69..d08ff747f4 100644
--- a/scratchpad/end-to-end-feature-testing.md
+++ b/scratchpad/end-to-end-feature-testing.md
@@ -6,7 +6,7 @@ This document describes how human developers can test new features end-to-end us
 
 When developing a new feature, you can test it end-to-end by:
 
-1. Having GitHub Copilot agent modify the `dev.md` agentic workflow to use the new feature
+1. Having GitHub Copilot coding agent modify the `dev.md` agentic workflow to use the new feature
 2. Triggering the Dev workflow in the PR branch via CLI or web UI
 3. Waiting for the Dev workflow to finish and for Dev Hawk to analyze the results
 4. Iterating based on the feedback
@@ -21,7 +21,7 @@ The `dev.md` workflow is located at `.github/workflows/dev.md` and serves as a t
 
 **How to request changes:**
 
-In your pull request, instruct the GitHub Copilot agent to modify the `dev.md` workflow to exercise your new feature. For example:
+In your pull request, instruct the GitHub Copilot coding agent to modify the `dev.md` workflow to exercise your new feature. For example:
 
 ```text
 @copilot please update the dev.md workflow to test the new <feature-name> feature by:
@@ -110,7 +110,7 @@ Based on the results:
 
 - Review Dev Hawk's analysis in the PR comment
 - Examine the specific error messages and recommendations
-- Instruct the GitHub Copilot agent to fix the issues:
+- Instruct the GitHub Copilot coding agent to fix the issues:
   ```
   @copilot the dev workflow failed with [error]. Please fix the dev.md workflow to address this issue.
   ```
diff --git a/scratchpad/metrics-glossary.md b/scratchpad/metrics-glossary.md
index 9bdb73bef9..7f575c0e03 100644
--- a/scratchpad/metrics-glossary.md
+++ b/scratchpad/metrics-glossary.md
@@ -479,7 +479,7 @@ When implementing or updating daily report workflows:
 
 ### agent_prs_total
 
-**Definition**: Total count of pull requests created by Copilot agent
+**Definition**: Total count of pull requests created by Copilot coding agent
 
 **Scope**: PRs created by copilot-swe-agent (user.login == "copilot" or branch starts with "copilot/")
 
@@ -494,7 +494,7 @@ When implementing or updating daily report workflows:
 
 ### agent_prs_merged
 
-**Definition**: Count of Copilot agent PRs that were successfully merged
+**Definition**: Count of Copilot coding agent PRs that were successfully merged
 
 **Scope**: Agent PRs where `merged = true`
 
@@ -509,7 +509,7 @@ When implementing or updating daily report workflows:
 
 ### agent_success_rate
 
-**Definition**: Percentage of Copilot agent PRs that were merged
+**Definition**: Percentage of Copilot coding agent PRs that were merged
 
 **Scope**: (agent_prs_merged / agent_prs_total) * 100
 
diff --git a/scratchpad/safe-outputs-specification.md b/scratchpad/safe-outputs-specification.md
index 018f750ef2..f62ba26ca0 100644
--- a/scratchpad/safe-outputs-specification.md
+++ b/scratchpad/safe-outputs-specification.md
@@ -682,7 +682,7 @@ Operations for metadata and collaboration:
 - `add-labels` - Add labels to issues or PRs
 - `add-reviewer` - Request PR reviews from users
 - `assign-milestone` - Assign issues to milestones
-- `assign-to-agent` - Assign Copilot agents
+- `assign-to-agent` - Assign Copilot coding agent
 - `assign-to-user` - Assign users to issues
 
 #### 6.1.4 Projects, Releases & Assets
@@ -700,7 +700,7 @@ Operations for project management and releases:
 Operations for security and agent orchestration:
 
 - `create-code-scanning-alert` - Generate SARIF security reports
-- `create-agent-session` - Create Copilot agent sessions
+- `create-agent-session` - Create Copilot coding agent sessions
 
 ### 6.2 Common Patterns
 
diff --git a/scratchpad/security_review.md b/scratchpad/security_review.md
index fcec59c66c..800e9877e4 100644
--- a/scratchpad/security_review.md
+++ b/scratchpad/security_review.md
@@ -22,7 +22,7 @@ Reviewed 2 zizmor template injection findings in GitHub Actions workflows. Both
   env:
     GH_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN || secrets.GH_AW_GITHUB_TOKEN }}
   id: download-sessions
-  name: List and download Copilot agent sessions
+  name: List and download Copilot coding agent sessions
   run: |
     ...
     echo "::warning::Extension installation status from previous step: ${{ steps.install-extension.outputs.EXTENSION_INSTALLED }}"
diff --git a/scratchpad/template-injection-prevention.md b/scratchpad/template-injection-prevention.md
index 147a1b8d70..cb26721951 100644
--- a/scratchpad/template-injection-prevention.md
+++ b/scratchpad/template-injection-prevention.md
@@ -68,7 +68,7 @@ graph TB
 
 **Fix Applied:**
 ```diff
-  - name: List and download Copilot agent sessions
+  - name: List and download Copilot coding agent sessions
     id: download-sessions
     continue-on-error: true
     env:
diff --git a/scripts/changeset.js b/scripts/changeset.js
index 4b9fec07b6..ec759136f8 100755
--- a/scripts/changeset.js
+++ b/scripts/changeset.js
@@ -473,7 +473,7 @@ async function runRelease(versionTag, skipConfirmation = false) {
   const codemodPrompt = extractCodemods(changesets);
   if (codemodPrompt) {
     console.log("");
-    console.log(formatInfoMessage("Consolidated Codemod Instructions (copy for Copilot agent task):"));
+    console.log(formatInfoMessage("Consolidated Codemod Instructions (copy for Copilot coding agent task):"));
     console.log("---");
     console.log(codemodPrompt);
     console.log("---");
diff --git a/skills/gh-agent-session/SKILL.md b/skills/gh-agent-session/SKILL.md
index 0ca08e3fa1..8f118d8944 100644
--- a/skills/gh-agent-session/SKILL.md
+++ b/skills/gh-agent-session/SKILL.md
@@ -6,7 +6,7 @@ description: GitHub CLI Agent Session Extension
 
 # GitHub CLI Agent Session Extension
 
-The `gh agent-task` CLI extension enables creating GitHub Copilot agent sessions through the command line. An agent session is a specialized GitHub issue that triggers GitHub Copilot to perform automated code changes based on natural language instructions.
+The `gh agent-task` CLI extension enables creating GitHub Copilot coding agent sessions through the command line. An agent session is a specialized GitHub issue that triggers GitHub Copilot to perform automated code changes based on natural language instructions.
 
 **Repository**: https://github.com/github/agent-task (internal GitHub extension)
 
@@ -156,7 +156,7 @@ safe-outputs:
 
 # Code Task Delegator
 
-When an issue is labeled with "code-task", analyze the requirements and create a GitHub Copilot agent session with detailed instructions for implementing the requested changes.
+When an issue is labeled with "code-task", analyze the requirements and create a GitHub Copilot coding agent session with detailed instructions for implementing the requested changes.
 ```
 
 ### Implementation Details
diff --git a/skills/gh-agent-task/SKILL.md b/skills/gh-agent-task/SKILL.md
index 3f809f208e..e39be290bd 100644
--- a/skills/gh-agent-task/SKILL.md
+++ b/skills/gh-agent-task/SKILL.md
@@ -6,7 +6,7 @@ description: GitHub CLI Agent Task Extension
 
 # GitHub CLI Agent Task Extension
 
-The `gh agent-task` CLI extension enables creating GitHub Copilot agent tasks through the command line. An agent task is a specialized GitHub issue that triggers GitHub Copilot to perform automated code changes based on natural language instructions.
+The `gh agent-task` CLI extension enables creating GitHub Copilot coding agent tasks through the command line. An agent task is a specialized GitHub issue that triggers GitHub Copilot to perform automated code changes based on natural language instructions.
 
 **Repository**: https://github.com/github/agent-task (internal GitHub extension)
 
@@ -156,7 +156,7 @@ safe-outputs:
 
 # Code Task Delegator
 
-When an issue is labeled with "code-task", analyze the requirements and create a GitHub Copilot agent task with detailed instructions for implementing the requested changes.
+When an issue is labeled with "code-task", analyze the requirements and create a GitHub Copilot coding agent task with detailed instructions for implementing the requested changes.
 ```
 
 ### Implementation Details
diff --git a/skills/github-copilot-agent-tips-and-tricks/SKILL.md b/skills/github-copilot-agent-tips-and-tricks/SKILL.md
index 54b1d18758..f4973f1e2a 100644
--- a/skills/github-copilot-agent-tips-and-tricks/SKILL.md
+++ b/skills/github-copilot-agent-tips-and-tricks/SKILL.md
@@ -6,13 +6,13 @@ description: Tips and Tricks for Working with GitHub Copilot Agent PRs
 
 # GitHub Copilot Agent Tips and Tricks
 
-This document provides guidance for discovering, reviewing, and working with pull requests created by the GitHub Copilot agent in the gh-aw repository.
+This document provides guidance for discovering, reviewing, and working with pull requests created by the GitHub Copilot coding agent in the gh-aw repository.
 
 ## Identifying Copilot Agent PRs
 
 ### Branch Naming Convention
 
-The GitHub Copilot agent creates branches with the `copilot/` prefix. This makes them easy to identify and filter.
+The GitHub Copilot coding agent creates branches with the `copilot/` prefix. This makes them easy to identify and filter.
 
 **Examples from this repository:**
 - `copilot/add-cache-for-imported-workflows`
@@ -22,7 +22,7 @@ The GitHub Copilot agent creates branches with the `copilot/` prefix. This makes
 
 ### Author Attribution
 
-Copilot agent PRs are typically authored by:
+Copilot coding agent PRs are typically authored by:
 - `app/github-copilot` - The GitHub Copilot bot account
 - Individual developers using Copilot as an assistant
 
@@ -105,7 +105,7 @@ git log --all --merges --oneline | grep -i copilot
 
 ### Recent Examples from gh-aw Repository
 
-Based on analysis of this repository, Copilot agent PRs typically address:
+Based on analysis of this repository, Copilot coding agent PRs typically address:
 
 1. **Refactoring and Code Organization**
    - Example: "Refactor ALL_TOOLS to separate JSON file with runtime filtering"
@@ -127,7 +127,7 @@ Based on analysis of this repository, Copilot agent PRs typically address:
 
 ### PR Metadata to Check
 
-When reviewing Copilot agent PRs, pay attention to:
+When reviewing Copilot coding agent PRs, pay attention to:
 - **Branch name**: Should follow `copilot/descriptive-name` pattern
 - **Commit messages**: Often include "Initial plan" commits
 - **PR description**: Should explain the problem and solution