docs: update Learning Hub for Copilot CLI v1.0.37–v1.0.40 changes (#1610)

- automating-with-hooks.md: Add prompt mode security gate note (v1.0.40)
  — repo hooks and workspace MCP are disabled by default in -p prompt mode;
    users must opt in via GITHUB_COPILOT_PROMPT_MODE_REPO_HOOKS and
    GITHUB_COPILOT_PROMPT_MODE_WORKSPACE_MCP env vars

- agents-and-subagents.md: Add /research orchestrator/subagent note (v1.0.40)
  and prompt mode security cross-reference for /fleet -p examples

- building-custom-agents.md: Document ACP agent list/switch capability (v1.0.40)
  — ACP clients can now list and switch custom agents via agent config option

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

website/src/content/docs/learning-hub/agents-and-subagents.md

@@ -3,7 +3,7 @@ title: 'Agents and Subagents'
 description: 'Learn how delegated subagents differ from primary agents, when to use them, and how to launch them in VS Code and Copilot CLI.'
 authors:
   - GitHub Copilot Learning Hub Team
-lastUpdated: 2026-04-02
+lastUpdated: 2026-05-04
 estimatedReadingTime: '9 minutes'
 tags:
   - agents
@@ -123,6 +123,8 @@ For non-interactive execution:
 copilot -p "/fleet Update the auth docs, refactor the auth service, and add related tests." --no-ask-user
 ```
 
+> **Prompt mode and repo hooks (v1.0.40+)**: When using `copilot -p "..."` (prompt mode), repository hooks are disabled by default for security. If your `/fleet` workflow relies on hooks (e.g., auto-formatting or lint checks after edits), opt in by setting `GITHUB_COPILOT_PROMPT_MODE_REPO_HOOKS=true` before running. See [Automating with Hooks](../automating-with-hooks/) for details.
+
 The important behavior is different from a single chat turn:
 
 - the orchestrator plans work items first
@@ -146,6 +148,8 @@ Run parallel subagents for different lenses - correctness, security, code qualit
 
 Use one subagent to gather facts and another to implement with those facts. This pattern is especially helpful when you want the main thread to stay free of exploratory noise.
 
+The built-in **`/research`** command uses this orchestrator/subagent model automatically (v1.0.40+): it spawns an orchestrator that breaks the topic into research threads, runs them in parallel as subagents, and synthesizes the findings into a structured report. This means you get deeper and more reliable results than a single-turn query provides — without having to set up the multi-agent pattern yourself.
+
 ## Repository examples you can inspect
 
 This repository already includes a few useful examples of delegation-related syntax:

website/src/content/docs/learning-hub/automating-with-hooks.md

@@ -3,7 +3,7 @@ title: 'Automating with Hooks'
 description: 'Learn how to use hooks to automate lifecycle events like formatting, linting, and governance checks during Copilot agent sessions.'
 authors:
   - GitHub Copilot Learning Hub Team
-lastUpdated: 2026-04-28
+lastUpdated: 2026-05-04
 estimatedReadingTime: '8 minutes'
 tags:
   - hooks
@@ -273,6 +273,12 @@ exit 1     # deny (let the user decide interactively)
 
 > **Security note**: Use `PermissionRequest` hooks carefully. Blanket auto-approval in non-CI environments removes an important safety check. Scope the auto-approval logic precisely (e.g., only in CI, only for specific tools).
 
+> **Prompt mode security (v1.0.40+)**: When running the CLI in **prompt mode** (`copilot -p "..."`) — the non-interactive mode commonly used in CI pipelines — repo hooks are **disabled by default** for security. To opt in to repo hooks in prompt mode, set the environment variable `GITHUB_COPILOT_PROMPT_MODE_REPO_HOOKS=true` before running the command:
+> ```bash
+> GITHUB_COPILOT_PROMPT_MODE_REPO_HOOKS=true copilot -p "..." --no-ask-user
+> ```
+> This is a secure-by-default change: it prevents untrusted repository hooks from firing silently when a user runs a quick prompt command in an unfamiliar repository. Similarly, workspace MCP servers are disabled in prompt mode by default; opt in with `GITHUB_COPILOT_PROMPT_MODE_WORKSPACE_MCP=true`.
+
 ### Handling Tool Failures with postToolUseFailure
 
 The `postToolUseFailure` hook fires when a tool call fails with an error — distinct from `postToolUse`, which only fires on success. Use it to log errors, send failure alerts, or implement retry logic:

website/src/content/docs/learning-hub/building-custom-agents.md

@@ -3,7 +3,7 @@ title: 'Building Custom Agents'
 description: 'Learn how to create specialized GitHub Copilot agents with custom personas, tool integrations, and domain expertise.'
 authors:
   - GitHub Copilot Learning Hub Team
-lastUpdated: 2026-02-26
+lastUpdated: 2026-05-04
 estimatedReadingTime: '10 minutes'
 tags:
   - agents
@@ -264,6 +264,8 @@ Keep agents focused—one persona per file. If you find an agent trying to do to
 
 A: In VS Code, open Copilot Chat and use the agent picker dropdown at the top of the chat panel. Your custom agents appear alongside built-in options. You can also `@mention` an agent by name.
 
+In Copilot CLI, custom agents are discoverable via the agent picker inside a session. Clients that integrate with Copilot CLI using the **Agent Coordination Protocol (ACP)** can also list available custom agents and switch between them programmatically via the `agent` session configuration option (v1.0.40+). This allows tools like Zed, Neovim plugins, and CI pipelines driving Copilot via ACP to surface the agent picker and switch agents without requiring a slash command.
+
 **Q: Can agents use skills?**
 
 A: Yes. Agents can discover and invoke skills during a conversation based on the user's intent. Skills extend what an agent can do without bloating the agent's own instructions.