The Repository Becomes the Agent Risk Ledger
A June 2026 arXiv paper treats the repository, not the individual coding agent, as the place where agentic software risk becomes measurable.
Risk Moves Into the Repository
A coding agent does not act in an empty room. It opens a pull request into a branch that is already moving, touches files other contributors also understand imperfectly, waits on review, collides with continuous integration, and may arrive alongside other automated changes. The agent can pass a local task while the repository absorbs cost somewhere else.
That changes the governance question. A team still needs to evaluate tools, prompts, permissions, and harnesses, but operational risk may only become visible after those parts meet the shared codebase. The useful ledger is the repository record: what changed, what else changed, who reviewed it, how often it conflicted, and whether the project can still explain the result.
The Paper Frame
The source is Daniel Russo's Govern the Repository, Not the Agent: Measuring Ecosystem-Level Risk in AI-Native Software, arXiv:2606.28235v1 [cs.SE], posted June 26, 2026. The paper studies agent-authored pull requests through AIDev, a dataset covering OpenAI Codex, Devin, GitHub Copilot, Cursor, and Claude Code activity on GitHub.
Russo's empirical claim is not that one named agent is good or bad. It is that agentic software risk can be non-reducible: after accounting for contribution size, author, repository attributes, and agent identity, a large remainder of integration friction still sits at the repository level. The paper tests that claim on more than 930,000 agent-authored pull requests with a matched human-authored baseline.
What Friction Measures
Integration friction is the cost of absorbing a contribution into a codebase that other contributors are changing at the same time. The paper observes it through repository process traces: slow resolution, deliberation, repeated review, conflicts, and close or reject outcomes. A pull request can satisfy its immediate issue and still add friction if it lands where the base branch changed underneath it.
This is why the repository is the right unit of analysis. The same diff can be easy in a quiet project and expensive in a fast-moving one. The same agent can be manageable in a narrow module and disruptive in a heavily edited file. The risk is not only generated code quality. It is the coupling between generated code, branch tempo, review capacity, ownership, and institutional memory.
The Non-Reducible Signal
The paper uses multilevel models with repository-level random intercepts. Its operational measure is the intraclass correlation, or ICC: the share of outcome variation attached to the repository rather than to one pull request after controls. In plain language, the model asks how much friction remains a property of the project once the observable contribution-level facts have been subtracted.
The headline result is blunt. Russo reports that about half of friction variation stays at the repository level and that the signal survives full controls. In the same repositories, agent-authored contributions concentrate repository-level friction more than human-authored ones. For resolution latency, the paper reports an agent ICC of 0.30 against a human ICC of 0.16, with the gap holding after controls for codebase size, age, task shape, process maturity, and merge path.
The Wrong Control Knob
A tempting response is to count agents. If three coding agents are active in one repository, perhaps the count itself is the danger. Russo tests that simpler story and finds a different pattern. The paper reports that friction tracks the evolving base branch more than the number of distinct agents, and that in comparable activity subsets the repository-level ICC for resolution latency is lower in multi-agent repositories than in single-agent repositories.
The practical control is therefore tempo and coupling, not a ceremonial headcount. Merge queues, batch-size limits, rebase requirements, module ownership, and review routing matter because they act where friction forms. A project can have one agent and still be fragile if the agent writes into high-churn areas with weak review. A project can have several agents and stay governable if their changes are scoped, serialized, and attached to visible ownership.
Governance Reading
The repository risk ledger should record more than the final merged diff. For agent-authored work, the minimum receipt should include the agent or tool label, prompt or task source where disclosure is possible, base-branch churn during the pull request, touched modules, test and CI state, review path, auto-merge status, unresolved comments, conflict history, and human owner sign-off.
That ledger turns anxiety about "AI code" into an operational question. Which paths absorb agent changes without delay? Which modules turn automated patches into review debt? Which agents are harmless in documentation but costly in core infrastructure? Which repositories need slower merge tempo before they need a different model? The governance unit becomes the local system that receives the work.
Limits and Failure Modes
The paper is careful about scope. It studies open-source repositories and five agents visible in AIDev, so the result may not transfer unchanged to closed enterprise repositories, smaller teams, or future orchestration patterns. It also notes an attribution limit: Copilot and Devin act through dedicated bot accounts, while Codex, Cursor, and Claude Code may act through the human operator's GitHub account, which makes some interactions only partly observable.
The statistic is evidence of concentration, not a full causal explanation. A high repository-level ICC tells a maintainer where friction is clustering; it does not by itself say which policy will fix it. The paper moves the evaluation bar: do not accept an agent as safe for software work merely because it performs well on detached tasks. Test it where its effects will accumulate.
Audit Receipt
The audit-grade sentence is: Russo's arXiv:2606.28235 measures integration friction in AI-native software and reports that a substantial, agent-specific share of that friction is concentrated at the repository level after contribution, author, agent, and repository controls.
The receipt is: a coding-agent deployment claim should be accepted only when the repository-level evidence is visible, including branch churn, review burden, conflict history, auto-merge policy, owner accountability, measurement window, comparison baseline, and limitations of attribution.
Sources
- Daniel Russo, Govern the Repository, Not the Agent: Measuring Ecosystem-Level Risk in AI-Native Software, arXiv:2606.28235v1 [cs.SE], posted June 26, 2026.
- Primary versions checked: experimental HTML and PDF.
- Related pages: The Coding Agent Becomes the Maintainer, The Contributor Ladder Becomes the Agent Queue, and The PR Narrative Becomes the Merge Gate.