From 8d7eb163d8b8c14c4ad0beedae96244ee63da287 Mon Sep 17 00:00:00 2001 
From: Varvara Strizhkova
Date: Thu, 4 Jun 2026 10:31:56 +0200
Subject: [PATCH 1/7] feat(agents): add Security Auditor for plan-vs-repo gap analysis
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Introduces a new top-level Security Auditor agent that compares an existing Security Planner artifact set to current repository state and produces a single gap-analysis report. Reuses Security Reviewer in audit mode for current-state scanning. Read-only against plan artifacts and source code.

Key design decisions:

- Hybrid scoping. Does not pass targetSkill or specificSkills so Reviewer auto-profiles and can surface skills absent from the original plan (enables newly-introduced-threat and AI/supply-chain handoff detection).
- Planning-artifact exclusions enforced locally in the auditor only. Excludes .copilot-tracking/, docs/planning/, docs/adrs/, and .github/agents|prompts|instructions|skills/ plus *.prompt.md, *.agent.md, *.instructions.md, SKILL.md globs. Security Reviewer behavior is unchanged for other callers (e.g. /security-review).
- Exclusions are visible by default in four places: startup announcement, entry prompt, report section 2, and completion block (Filtered findings count always printed).
- Sequence-suffixed output: security-audit-YYYY-MM-DD-NNN.md under .copilot-tracking/security-audits//.
- Excluded from project-planning collection on purpose. This is a repo-state developer workflow, not a planning entry point.
- Handoffs (Security Planner refresh, SSSC Planner, RAI Planner) are recommendations only with send: false. Never auto-dispatched.

Registers the agent and prompt in security and hve-core-all collections. Not added to project-planning.

Fixes #336

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.
---
 .../agents/security/security-auditor.agent.md | 200 ++++++++++++++++++
 .../security-audit-from-plan.prompt.md        |  40 ++++
 collections/hve-core-all.collection.yml       |   6 +
 collections/security.collection.yml           |   7 +
 4 files changed, 253 insertions(+)
 create mode 100644 .github/agents/security/security-auditor.agent.md
 create mode 100644 .github/prompts/security/security-audit-from-plan.prompt.md
diff --git a/.github/agents/security/security-auditor.agent.md b/.github/agents/security/security-auditor.agent.md
new file mode 100644
index 000000000..02b50b1e9
--- /dev/null
+++ b/.github/agents/security/security-auditor.agent.md
@@ -0,0 +1,200 @@ +--- +name: Security Auditor +description: "Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact - Brought to you by microsoft/hve-core" +agents: + - Security Reviewer + - Researcher Subagent +tools: + - agent + - read + - edit/createFile + - edit/createDirectory + - search/codebase + - search/fileSearch +user-invocable: true +disable-model-invocation: true +handoffs: + - label: "Security Planner (refresh plan)" + agent: Security Planner + prompt: /security-capture + send: false + - label: "SSSC Planner (supply chain gaps)" + agent: SSSC Planner + prompt: /sssc-from-security-plan + send: false + - label: "RAI Planner (new AI components)" + agent: RAI Planner + prompt: /rai-plan-from-security-plan + send: false +--- + +# Security Auditor + +Compare an existing Security Planner artifact set to the current state of the repository and produce a single gap-analysis report. Reuses `Security Reviewer` for current-state scanning. Read-only against plan artifacts and source code. + +## Startup Announcement + +Display the **Security Planning** CAUTION block from #file:../../instructions/shared/disclaimer-language.instructions.md verbatim at the start of every new conversation, before any discovery or analysis. + +Immediately after the CAUTION block, display the following **Default Exclusions** notice verbatim so the user knows which paths are excluded before any scan runs: + +> **Default exclusions in effect.** Planning and agent-customization artifacts are excluded from audit findings: +> - Paths: `.copilot-tracking/**`, `docs/planning/**`, `docs/adrs/**`, `.github/agents/**`, `.github/prompts/**`, `.github/instructions/**`, `.github/skills/**` +> - File globs: `*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md` +> +> To override, pass `scope=` explicitly. Overlapping user scope wins and is reported as a warning. 
+ +## Purpose + +* Read an existing security plan under `.copilot-tracking/security-plans//` without modifying it. +* Delegate current-state assessment to `Security Reviewer` rather than re-implementing scanning. +* Synthesize a gap report that separates validated controls, drift, residual risks, new threats, and obsolete plan items. +* Recommend next handoffs (Security Planner refresh, SSSC, RAI). Never auto-dispatch. + +## Inputs + +* (Optional) `projectSlug`: Slug under `.copilot-tracking/security-plans/`. +* (Optional) `planPath`: Explicit path to a plan directory. Takes precedence over `projectSlug`. +* (Optional) `scope`: Additional path filter passed to `Security Reviewer`. When omitted, the auditor derives scope hints from the plan's component inventory. +* (Optional) `priorReport`: Prior `Security Reviewer` report path. Passed through for incremental comparison context only. + +## Output Artifact + +Single file written under `.copilot-tracking/security-audits//`. + +* Filename pattern: `security-audit-{{YYYY-MM-DD}}-{{NNN}}.md`. +* Sequence number resolution: list existing audits in the project directory for today's date, take the highest `{{NNN}}`, increment by one, zero-pad to three digits. Start at `001` when none exist. +* Create the directory if missing using `edit/createDirectory`. + +The auditor writes only this artifact. It does not write under `.copilot-tracking/security-plans/`, `.copilot-tracking/security/`, or any source path. + +## Plan Resolution Order + +Resolve the source plan deterministically: + +1. If `planPath` is provided and the directory contains `state.json`, use it. +2. Else if `projectSlug` is provided, use `.copilot-tracking/security-plans//` when it contains `state.json`. +3. Else scan `.copilot-tracking/security-plans/*/state.json`: + * Zero matches: stop. Direct the user to run `/security-capture` or `/security-plan-from-prd` first. Do not proceed without a baseline plan. + * One match: use it. 
Confirm the slug with the user before proceeding. + * Multiple matches: list candidates with slug and last-modified time and ask the user to choose. + +## Plan Extraction Checklist + +After resolving the plan, extract and hold the following in context. Cite each item by its plan-side identifier in the final report. + +* Operational buckets and component inventory. +* Standards mappings per bucket (OWASP, NIST, CIS, WAF, CAF). +* Threats identified using `T-{BUCKET}-{NNN}` IDs. +* Planned mitigations and control placements. +* Backlog items (`WI-SEC-{NNN}` and `{{SEC-TEMP-N}}`). +* `state.json` fields: `aiComponents`, `raiEnabled`, `raiScope`, `raiTier`, `handoffGenerated`. +* Documented assumptions, residual risks, and unresolved items. + +If the plan is incomplete (for example, `currentPhase < 4` or no security model artifact), record a "baseline incomplete" note and limit the audit to categories supported by available evidence. Do not invent plan content. + +## Reviewer Invocation Contract + +Invoke `Security Reviewer` as a subagent with `runSubagent`. Use hybrid scoping: + +* `mode`: `audit`. +* `scope`: `${input:scope}` when provided, otherwise a path list derived from the plan's component inventory. When neither yields a usable scope, omit and let Reviewer profile the full repo. +* `priorReport`: pass through `${input:priorReport}` when provided. +* Do **not** pass `targetSkill` or a specific-skills list. Reviewer must auto-profile so that skills absent from the original plan can still surface (this is what makes "New threats" and AI/supply-chain handoff detection possible). + +### Planning-Artifact Exclusions + +`Security Reviewer` in `audit` mode does not exclude planning or agent-customization artifacts on its own. 
To prevent noisy findings against non-application content, the auditor enforces exclusions before invoking Reviewer: + +* When building a scope hint from the plan's component inventory, **omit** any path under `.copilot-tracking/`, `docs/planning/`, `docs/adrs/`, `.github/agents/`, `.github/prompts/`, `.github/instructions/`, or `.github/skills/`. +* When `${input:scope}` is provided, accept it as-is but log a warning if it overlaps any excluded prefix above. The user's explicit scope wins; do not silently rewrite it. +* When neither a user scope nor a derivable plan scope exists and Reviewer must auto-profile the full repo, append the following directive to the Reviewer prompt: *"Exclude planning and agent-customization artifacts from findings: `.copilot-tracking/**`, `docs/planning/**`, `docs/adrs/**`, `.github/agents/**`, `.github/prompts/**`, `.github/instructions/**`, `.github/skills/**`, and any `*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md` files. These are out of scope for repository-state security auditing."* +* If any post-audit finding still cites an excluded path, drop it from all delta categories and note the count in the audit summary under a "Filtered findings" line. + +This exclusion is local to `Security Auditor` and does not change `Security Reviewer` behavior for other callers (e.g., `/security-review`). + +Capture from Reviewer: + +* The applicable skills list it selected. +* The report file path it returned. +* Findings classified by status and severity. + +Compare Reviewer's applicable skills list to skills implied by the plan's standards mappings. Any skill Reviewer ran that the plan did not consider is a signal feeding the "Newly introduced threats" section and, when relevant, the RAI or SSSC handoff recommendation. + +## Comparison Model + +Apply these delta categories. Every entry must cite both the plan-side reference (threat ID, WI ID, bucket, or control name) and the Reviewer finding ID where applicable. 
+ +| Category | Definition | +|---------------------------|---------------------------------------------------------------------------------------------| +| Validated controls | Control exists in plan and evidence of its implementation exists in the current repo scan. | +| Control drift | Control expected by plan is missing, weaker, or inconsistent with current evidence. | +| Residual planned risk | Plan already identified the risk and it remains open per current findings. | +| Newly introduced threats | Current Reviewer finding is not represented anywhere in the plan. | +| Obsolete plan items | Plan item no longer matches current architecture, removed components, or stale standards. | + +## Report Format + +Write the gap report with these sections in this fixed order: + +1. **Security plan source** — resolved plan path, slug, `currentPhase`, last-modified timestamp, baseline-completeness note. +2. **Current repository audit source** — Reviewer report path, mode, scope used, applicable skills selected by Reviewer, and which of those skills were absent from the plan. Include a `Default exclusions applied` sub-block listing the excluded path prefixes and file globs, plus an `Exclusion overrides` line noting any user-provided scope that overlapped an excluded prefix. +3. **Validated controls** — table with columns: Plan reference, Control, Evidence (Reviewer finding ID), Notes. +4. **Control drift and regressions** — table with columns: Plan reference, Expected control, Observed state, Reviewer finding ID, Severity. +5. **Residual open risks** — table with columns: Plan threat ID, Description, Reviewer finding ID, Severity, Recommended action. +6. **Newly introduced threats** — table with columns: Reviewer finding ID, Skill, Title, Severity, Affected bucket (if mappable), Recommended action. +7. **Obsolete plan items** — table with columns: Plan reference, Reason obsolete, Recommended disposition. +8. 
**Recommended plan updates** — bullet list scoped to changes the user should make in the plan artifacts (do not edit them automatically). +9. **Recommended backlog deltas** — bullet list of suggested new, updated, or closed backlog items in the plan's existing ID scheme. +10. **Suggested next handoffs** — explicit list of recommended handoffs with rationale (see Handoff Rules). Do not dispatch. + +Include a top-of-report summary line with counts per category, the baseline-completeness flag, and a "Filtered findings" count when any Reviewer findings were dropped by the planning-artifact exclusion rules. + +## Handoff Rules + +Recommend only. The user invokes any next agent themselves. + +* **Security Planner refresh** (`/security-capture`) — when "Control drift" or "Obsolete plan items" is non-empty, or when the baseline is incomplete. +* **SSSC Planner** (`/sssc-from-security-plan`) — when newly introduced threats relate to dependency integrity, build integrity, SBOM, provenance, or artifact signing, and `handoffGenerated.sssc` is absent or false. +* **RAI Planner** (`/rai-plan-from-security-plan`) — when Reviewer selected an AI-related skill (e.g., `owasp-llm`, `owasp-agentic`, `owasp-mcp`) that is not reflected in the plan's `aiComponents`/`raiEnabled` state, or when new AI-specific threats appear. + +## Operational Constraints + +* Plan artifacts under `.copilot-tracking/security-plans/**` are **read-only**. Never modify `state.json`, plan markdown, security model, or backlog files. +* Reviewer artifacts under `.copilot-tracking/security/**` are **read-only**. +* Application source code is **read-only**. +* Write only under `.copilot-tracking/security-audits//`. +* Do not call SSSC Planner, RAI Planner, or Security Planner directly. Recommendations only. +* This agent is **not** part of the `project-planning` collection on purpose: it is a repo-state developer workflow, not a PRD/BRD/ADR planning workflow. Do not advertise it as a planning entry point. 
+ +## Required Steps + +1. **Setup** — render the disclaimer block. Set today's date. Compute the audit artifact path with sequence number. +2. **Resolve plan** — apply Plan Resolution Order. If unresolved, stop and direct to Security Planner. +3. **Extract plan facts** — apply the Plan Extraction Checklist. Flag baseline incompleteness. +4. **Invoke Reviewer** — apply the Reviewer Invocation Contract. Wait for the report path and findings. +5. **Compare** — apply the Comparison Model. Populate each delta category. +6. **Write report** — create the audit artifact using the Report Format. Use only `edit/createFile`. +7. **Summarize and recommend** — display the audit summary with category counts and the explicit recommended-handoff list. + +## Required Protocol + +1. Execute Required Steps in order. +2. Treat all plan and reviewer artifacts as read-only at every step. +3. When a Reviewer response is incomplete or missing the report path, ask Reviewer to retry once. If it still fails, stop and report the failure rather than synthesizing findings. +4. Never modify application source code regardless of finding severity. +5. Do not include secrets, credentials, internal URLs, or PII in the audit artifact. +6. Do not auto-dispatch any handoff. Surface recommendations only. + +## Response Format + +End each audit run with a single completion block: + +* Audit artifact path. +* Source plan path and slug. +* Reviewer report path. +* Counts for: validated controls, control drift, residual risks, new threats, obsolete items. +* `Filtered findings: N` — count of Reviewer findings dropped by the planning-artifact exclusion rules (always print; `0` when none). +* `Default exclusions: ON` (always) plus a one-line summary of excluded path prefixes. If `${input:scope}` overlapped an excluded prefix, append `(user-scope override: )`. +* Baseline-completeness flag. +* Recommended handoffs with one-line rationale each. 
diff --git a/.github/prompts/security/security-audit-from-plan.prompt.md b/.github/prompts/security/security-audit-from-plan.prompt.md
new file mode 100644
index 000000000..88c48d36d
--- /dev/null
+++ b/.github/prompts/security/security-audit-from-plan.prompt.md
@@ -0,0 +1,40 @@ +--- +name: security-audit-from-plan +agent: Security Auditor +description: "Audits an existing security plan against current repo state and produces a gap-analysis artifact - Brought to you by microsoft/hve-core" +argument-hint: "[projectSlug=] [planPath=.copilot-tracking/security-plans/] [scope=path/to/dir] [priorReport=path]" +--- + +# Security Audit from Plan + +> [!CAUTION] +> **Disclaimer:** This prompt is an assistive tool only. It does not replace professional security review boards, penetration testing teams, compliance auditors, or other qualified human reviewers. The gap analysis it produces consists of suggested observations and considerations to support a user's own internal security review. All findings, drift assessments, and handoff recommendations must be independently reviewed and validated by appropriate security and compliance reviewers before use. + +Activate the `Security Auditor` agent to compare an existing security plan to the current state of the repository and emit a gap-analysis artifact. The auditor reuses `Security Reviewer` for current-state scanning, never modifies plan artifacts or source code, and only writes under `.copilot-tracking/security-audits/`. + +## Default Exclusions + +Planning and agent-customization artifacts are **excluded by default** from audit findings. The auditor announces this before scanning and records it in every report. + +* Excluded paths: `.copilot-tracking/**`, `docs/planning/**`, `docs/adrs/**`, `.github/agents/**`, `.github/prompts/**`, `.github/instructions/**`, `.github/skills/**` +* Excluded file globs: `*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md` +* To override, pass `${input:scope}` pointing at any of the above. The user-provided scope wins and is reported as a warning. + +## Inputs + +* `${input:projectSlug}`: (Optional) Slug under `.copilot-tracking/security-plans/`. The agent uses it for plan resolution and audit artifact directory naming. 
+* `${input:planPath}`: (Optional) Explicit path to a plan directory containing `state.json`. Takes precedence over `projectSlug`. +* `${input:scope}`: (Optional) Path filter passed through to `Security Reviewer`. When omitted, the agent derives a scope hint from the plan's component inventory and lets Reviewer auto-profile. +* `${input:priorReport}`: (Optional) Prior `Security Reviewer` report path to provide incremental comparison context. + +## Requirements + +1. Resolve the source plan using the agent's Plan Resolution Order. When no plan exists, stop and direct the user to run `/security-capture` or `/security-plan-from-prd` first. Never proceed without a baseline plan. +2. Invoke `Security Reviewer` in `audit` mode. Do not pass `targetSkill` or a specific-skills list — Reviewer must auto-profile so that skills absent from the original plan can still surface as newly introduced threats or AI/supply-chain handoff signals. +3. Apply the agent's Comparison Model and write a single gap-analysis report at `.copilot-tracking/security-audits//security-audit-{{YYYY-MM-DD}}-{{NNN}}.md` using the fixed Report Format sections. +4. Treat `.copilot-tracking/security-plans/**`, `.copilot-tracking/security/**`, and all application source code as read-only. +5. End with a completion block listing the audit path, counts per delta category, baseline-completeness flag, and recommended handoffs. Do not auto-dispatch Security Planner, SSSC Planner, or RAI Planner. + +## Scope Note + +This prompt is intentionally **not** part of the `project-planning` collection. It is a repository-state developer workflow that operates on existing planning artifacts, not a planning entry point. Use `/security-capture` or `/security-plan-from-prd` to create or extend a plan. diff --git a/collections/hve-core-all.collection.yml b/collections/hve-core-all.collection.yml index e2407c5da..a367efc27 100644 --- a/collections/hve-core-all.collection.yml +++ b/collections/hve-core-all.collection.yml 
@@ -113,6 +113,9 @@ items: - path: .github/agents/security/security-reviewer.agent.md kind: agent maturity: experimental +- path: .github/agents/security/security-auditor.agent.md + kind: agent + maturity: experimental - path: .github/agents/security/sssc-planner.agent.md kind: agent maturity: experimental @@ -293,6 +296,9 @@ items: - path: .github/prompts/security/security-review.prompt.md kind: prompt maturity: experimental +- path: .github/prompts/security/security-audit-from-plan.prompt.md + kind: prompt + maturity: experimental - path: .github/prompts/security/sssc-capture.prompt.md kind: prompt maturity: experimental diff --git a/collections/security.collection.yml b/collections/security.collection.yml index cf238629c..c84ef3be9 100644 --- a/collections/security.collection.yml +++ b/collections/security.collection.yml @@ -31,6 +31,9 @@ items: - path: .github/agents/security/security-reviewer.agent.md kind: agent maturity: experimental + - path: .github/agents/security/security-auditor.agent.md + kind: agent + maturity: experimental - path: .github/agents/security/subagents/codebase-profiler.agent.md kind: agent maturity: experimental @@ -98,6 +101,10 @@ items: - path: .github/prompts/security/security-review-sbd.prompt.md kind: prompt maturity: experimental + # Security Auditor Prompts + - path: .github/prompts/security/security-audit-from-plan.prompt.md + kind: prompt + maturity: experimental # SSSC Planner Prompts - path: .github/prompts/security/sssc-capture.prompt.md kind: prompt From 26e4b6a844ceb7aa2256cf3646b22ca46f83cb7d Mon Sep 17 00:00:00 2001 
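Review bot: in the security-auditor.agent.md hunk the slug segment of several paths is empty, so they read `.copilot-tracking/security-plans//`, `.copilot-tracking/security-audits//` and, in the completion block, `(user-scope override: )`, while the filename pattern spells its placeholders out as `{{YYYY-MM-DD}}-{{NNN}}`. Suggest the same `{{...}}` style for the slug (for example `.copilot-tracking/security-audits/{{projectSlug}}/`) so nothing renders as an empty path segment. Two smaller points in the same hunk: the "Filtered findings" rule drops every Reviewer finding that cites an excluded path and keeps only a count, which hides findings against `.github/agents/**` and `.github/prompts/**`, the very files that steer the agents; listing the dropped finding IDs under report section 2 would let the user spot-check them. And the read-only guarantees for plan artifacts and source code are prompt-level only, because the frontmatter grants `edit/createFile` and `edit/createDirectory` with no path restriction; if the tooling can scope those tools to a directory, `.copilot-tracking/security-audits/` is the place to do it, otherwise the Operational Constraints section should say the constraint is behavioural rather than enforced.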
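Review bot: in the security-audit-from-plan.prompt.md hunk the `argument-hint` shows empty values (`[projectSlug=]`, `[planPath=.copilot-tracking/security-plans/]`), which looks like the same dropped slug placeholder as in the agent file; a hint such as `[projectSlug=slug]` would show the user what to fill in. The `${input:scope}` description also says the agent "derives a scope hint from the plan's component inventory and lets Reviewer auto-profile", whereas the agent's Reviewer Invocation Contract passes the derived path list as `scope` and only falls back to full-repo auto-profiling when neither a user scope nor a derivable plan scope exists; align the prompt wording with the contract so users know which branch they get.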
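Review bot: in the collections/hve-core-all.collection.yml hunks the new agent and prompt entries are inserted after the security-reviewer entries rather than in sorted position; PATCH 2/7 then moves them (security-auditor ahead of security-planner, security-audit-from-plan ahead of security-capture) as generator output. Running `npm run plugin:generate` before committing 1/7, or squashing the two commits, avoids the move-then-move-back churn in the series.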
From: Varvara Strizhkova
Date: Thu, 4 Jun 2026 11:41:48 +0200
Subject: [PATCH 2/7] chore(plugins): regenerate plugins for security-auditor agent

Run npm run plugin:generate and npm run extension:prepare to update collection manifests, plugin outputs, and table formatting after adding the Security Auditor agent and prompt.
---
 .github/agents/security/security-auditor.agent.md  | 14 +++++++-------
 collections/gitlab.collection.md                   | 10 ++++++----
 collections/hve-core-all.collection.yml            | 12 ++++++------
 .../agents/security/security-auditor.md            |  1 +
 .../commands/security/security-audit-from-plan.md  |  1 +
 .../security/agents/security/security-auditor.md   |  1 +
 .../commands/security/security-audit-from-plan.md  |  1 +
 7 files changed, 23 insertions(+), 17 deletions(-)
 create mode 120000 plugins/hve-core-all/agents/security/security-auditor.md
 create mode 120000 plugins/hve-core-all/commands/security/security-audit-from-plan.md
 create mode 120000 plugins/security/agents/security/security-auditor.md
 create mode 120000 plugins/security/commands/security/security-audit-from-plan.md
diff --git a/.github/agents/security/security-auditor.agent.md b/.github/agents/security/security-auditor.agent.md
index 02b50b1e9..bfc510ddf 100644
--- a/.github/agents/security/security-auditor.agent.md
+++ b/.github/agents/security/security-auditor.agent.md
@@ -125,13 +125,13 @@ Compare Reviewer's applicable skills list to skills implied by the plan's standa Apply these delta categories. Every entry must cite both the plan-side reference (threat ID, WI ID, bucket, or control name) and the Reviewer finding ID where applicable. -| Category | Definition | -|---------------------------|---------------------------------------------------------------------------------------------| -| Validated controls | Control exists in plan and evidence of its implementation exists in the current repo scan. | -| Control drift | Control expected by plan is missing, weaker, or inconsistent with current evidence. | -| Residual planned risk | Plan already identified the risk and it remains open per current findings. | -| Newly introduced threats | Current Reviewer finding is not represented anywhere in the plan. | -| Obsolete plan items | Plan item no longer matches current architecture, removed components, or stale standards. | +| Category | Definition | +|--------------------------|--------------------------------------------------------------------------------------------| +| Validated controls | Control exists in plan and evidence of its implementation exists in the current repo scan. | +| Control drift | Control expected by plan is missing, weaker, or inconsistent with current evidence. | +| Residual planned risk | Plan already identified the risk and it remains open per current findings. | +| Newly introduced threats | Current Reviewer finding is not represented anywhere in the plan. | +| Obsolete plan items | Plan item no longer matches current architecture, removed components, or stale standards. | ## Report Format diff --git a/collections/gitlab.collection.md b/collections/gitlab.collection.md index 818844896..060249031 100644 --- a/collections/gitlab.collection.md +++ b/collections/gitlab.collection.md 
@@ -6,16 +6,18 @@ Use GitLab merge request and pipeline workflows from VS Code through a focused P +## Included Artifacts + ### Instructions -| Name | Description | -|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Name | Description | +|------|-------------| | **shared/hve-core-location** | Important: hve-core is the repository containing this instruction file; Guidance: if a referenced prompt, instructions, agent, or script is missing in the current directory, fall back to this hve-core location by walking up this file's directory tree. | ### Skills -| Name | Description | -|------------|--------------------------------------------------------------| +| Name | Description | +|------|-------------| | **gitlab** | Manage GitLab merge requests and pipelines with a Python CLI | diff --git a/collections/hve-core-all.collection.yml b/collections/hve-core-all.collection.yml index a367efc27..a441aa840 100644 --- a/collections/hve-core-all.collection.yml +++ b/collections/hve-core-all.collection.yml @@ -107,13 +107,13 @@ items: - path: .github/agents/rai-planning/rai-planner.agent.md kind: agent maturity: experimental -- path: .github/agents/security/security-planner.agent.md +- path: .github/agents/security/security-auditor.agent.md kind: agent maturity: experimental -- path: .github/agents/security/security-reviewer.agent.md +- path: .github/agents/security/security-planner.agent.md kind: agent maturity: experimental -- path: .github/agents/security/security-auditor.agent.md +- path: .github/agents/security/security-reviewer.agent.md kind: agent maturity: experimental - path: .github/agents/security/sssc-planner.agent.md 
@@ -278,6 +278,9 @@ items: - path: .github/prompts/security/risk-register.prompt.md kind: prompt maturity: experimental +- path: .github/prompts/security/security-audit-from-plan.prompt.md + kind: prompt + maturity: experimental - path: .github/prompts/security/security-capture.prompt.md kind: prompt maturity: experimental @@ -296,9 +299,6 @@ items: - path: .github/prompts/security/security-review.prompt.md kind: prompt maturity: experimental -- path: .github/prompts/security/security-audit-from-plan.prompt.md - kind: prompt - maturity: experimental - path: .github/prompts/security/sssc-capture.prompt.md kind: prompt maturity: experimental diff --git a/plugins/hve-core-all/agents/security/security-auditor.md b/plugins/hve-core-all/agents/security/security-auditor.md new file mode 120000 index 000000000..8b023d9ae --- /dev/null +++ b/plugins/hve-core-all/agents/security/security-auditor.md @@ -0,0 +1 @@ +../../../../.github/agents/security/security-auditor.agent.md \ No newline at end of file diff --git a/plugins/hve-core-all/commands/security/security-audit-from-plan.md b/plugins/hve-core-all/commands/security/security-audit-from-plan.md new file mode 120000 index 000000000..d9eb063da --- /dev/null +++ b/plugins/hve-core-all/commands/security/security-audit-from-plan.md @@ -0,0 +1 @@ +../../../../.github/prompts/security/security-audit-from-plan.prompt.md \ No newline at end of file diff --git a/plugins/security/agents/security/security-auditor.md b/plugins/security/agents/security/security-auditor.md new file mode 120000 index 000000000..8b023d9ae --- /dev/null +++ b/plugins/security/agents/security/security-auditor.md @@ -0,0 +1 @@ +../../../../.github/agents/security/security-auditor.agent.md \ No newline at end of file diff --git a/plugins/security/commands/security/security-audit-from-plan.md b/plugins/security/commands/security/security-audit-from-plan.md new file mode 120000 index 000000000..d9eb063da --- /dev/null 
+++ b/plugins/security/commands/security/security-audit-from-plan.md @@ -0,0 +1 @@ +../../../../.github/prompts/security/security-audit-from-plan.prompt.md \ No newline at end of file From 7112f0ea4347f6ec545f1ca84dec50ae18540027 Mon Sep 17 00:00:00 2001 From: Varvara Strizhkova Date: Thu, 4 Jun 2026 13:16:03 +0200 Subject: [PATCH 3/7] fix(plugins): restore collection markdown intro and refresh activation baseline The previous run of 'npm run extension:prepare' inserted a duplicate '## Included Artifacts' heading into every collections/*.collection.md file (the heading already exists in the intro section), tripping MD024 in markdown lint and breaking table formatting in security.collection.md. Reverted the affected collection markdown files and regenerated via 'npm run plugin:generate' only, which produces the auto-generated artifact sections without the duplicate heading. Also refreshed scripts/agents/activation-harness/baseline.json, which drifted when the prior commit's markdown-table-formatter pass rewrote .github/skills/project-planning/adr-author/SKILL.md (loaded by the GovernEntry and AdoptTemplate scenarios). --- collections/ado.collection.md | 8 ++++---- collections/data-science.collection.md | 2 +- collections/github.collection.md | 8 ++++---- collections/gitlab.collection.md | 10 ++++------ 4 files changed, 13 insertions(+), 15 deletions(-) diff --git a/collections/ado.collection.md b/collections/ado.collection.md index a8ab9d5b0..8a7bda012 100644 --- a/collections/ado.collection.md +++ b/collections/ado.collection.md 
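Review bot: in the collections/gitlab.collection.md hunk the added `## Included Artifacts` heading and the collapsed `|------|-------------|` separator rows are exactly what PATCH 3/7 reverts, citing the duplicate heading (MD024) and broken table formatting. Dropping this hunk from 2/7, or squashing 2/7 and 3/7, keeps a markdown-lint failure out of the merged history so every commit in the series passes on its own.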
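Review bot: the four plugins/** hunks add symlinks (mode 120000) whose targets climb four levels (`../../../../.github/...`); from `plugins/hve-core-all/agents/security/` and `plugins/security/commands/security/` that resolves to the repository root, so the targets are correct. Git on Windows checks symlinks out as one-line text files unless `core.symlinks` is enabled, and a packaging step that copies rather than dereferences them would ship that text file instead of the agent; worth confirming that `npm run extension:prepare` dereferences them and adding a CI check that each plugin entry resolves to a real file.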
@@ -33,12 +33,12 @@ Manage Azure DevOps work items, monitor builds, create pull requests, and conver |-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **ado/ado-backlog-sprint** | Sprint planning workflow for Azure DevOps iterations with coverage analysis, capacity tracking, and gap detection | | **ado/ado-backlog-triage** | Triage workflow for Azure DevOps work items with field classification, iteration assignment, and duplicate detection | -| **ado/ado-create-pull-request** | Azure DevOps pull request creation with work item discovery, reviewer identification, and automated linking | -| **ado/ado-get-build-info** | Azure DevOps build information: status, logs, and details from a PR, build ID, or branch name | +| **ado/ado-create-pull-request** | Required protocol for creating Azure DevOps pull requests with work item discovery, reviewer identification, and automated linking. | +| **ado/ado-get-build-info** | Required instructions for anything related to Azure Devops or ado build information including status, logs, or details from provided pullrequest (PR), build Id, or branch name. 
| | **ado/ado-interaction-templates** | Work item description and comment templates for consistent Azure DevOps content formatting | | **ado/ado-update-wit-items** | Work item creation and update protocol using MCP ADO tools with handoff tracking | -| **ado/ado-wit-discovery** | Azure DevOps work item discovery via user assignment or artifact analysis with planning file output | -| **ado/ado-wit-planning** | Azure DevOps work item planning files, templates, field definitions, and search protocols | +| **ado/ado-wit-discovery** | Protocol for discovering Azure DevOps work items via user assignment or artifact analysis with planning file output | +| **ado/ado-wit-planning** | Reference specification for Azure DevOps work item planning files, templates, field definitions, and search protocols | | **shared/hve-core-location** | Important: hve-core is the repository containing this instruction file; Guidance: if a referenced prompt, instructions, agent, or script is missing in the current directory, fall back to this hve-core location by walking up this file's directory tree. | ### Skills diff --git a/collections/data-science.collection.md b/collections/data-science.collection.md index 736c6e368..035269284 100644 --- a/collections/data-science.collection.md +++ b/collections/data-science.collection.md 
@@ -34,7 +34,7 @@ Generate data specifications, Jupyter notebooks, and Streamlit dashboards from n | Name | Description | |------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **coding-standards/python-script** | Python scripting conventions | +| **coding-standards/python-script** | Instructions for Python scripting implementation | | **coding-standards/uv-projects** | Create and manage Python virtual environments using uv commands | | **rai-planning/rai-backlog-handoff** | RAI review and backlog handoff for Phase 6: review rubric, RAI review summary, dual-format backlog generation | | **rai-planning/rai-capture-coaching** | Exploration-first questioning techniques for RAI capture mode adapted from Design Thinking research methods | diff --git a/collections/github.collection.md b/collections/github.collection.md index 2beb23489..368f8a193 100644 --- a/collections/github.collection.md +++ b/collections/github.collection.md 
@@ -28,10 +28,10 @@ Manage GitHub issue backlogs with agents for discovery, triage, sprint planning, | Name | Description | |-------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **github/community-interaction** | Community interaction voice, tone, and response templates for GitHub-facing agents and prompts | -| **github/github-backlog-discovery** | GitHub issue backlog discovery: artifact-driven, user-centric, search-based | -| **github/github-backlog-planning** | GitHub backlog management: planning files, search protocols, similarity assessment, and state persistence | -| **github/github-backlog-triage** | GitHub issue backlog triage: label suggestion, milestone assignment, and duplicate detection | -| **github/github-backlog-update** | GitHub issue backlog execution: consumes planning handoffs and runs issue operations | +| **github/github-backlog-discovery** | Discovery protocol for GitHub backlog management - artifact-driven, user-centric, and search-based issue discovery | +| **github/github-backlog-planning** | Reference specification for GitHub backlog management tooling - planning files, search protocols, similarity assessment, and state persistence | +| **github/github-backlog-triage** | Triage workflow for GitHub issue backlog management - automated label suggestion, milestone assignment, and duplicate detection | +| **github/github-backlog-update** | Execution workflow for GitHub issue backlog management - consumes planning handoffs and executes issue operations | | **shared/hve-core-location** | Important: hve-core is the repository containing this instruction file; Guidance: if a referenced prompt, instructions, agent, or script is missing in the current directory, fall back to this hve-core location by walking up 
this file's directory tree. | ### Skills diff --git a/collections/gitlab.collection.md b/collections/gitlab.collection.md index 060249031..818844896 100644 --- a/collections/gitlab.collection.md +++ b/collections/gitlab.collection.md @@ -6,18 +6,16 @@ Use GitLab merge request and pipeline workflows from VS Code through a focused P -## Included Artifacts - ### Instructions -| Name | Description | -|------|-------------| +| Name | Description | +|------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **shared/hve-core-location** | Important: hve-core is the repository containing this instruction file; Guidance: if a referenced prompt, instructions, agent, or script is missing in the current directory, fall back to this hve-core location by walking up this file's directory tree. | ### Skills -| Name | Description | -|------|-------------| +| Name | Description | +|------------|--------------------------------------------------------------| | **gitlab** | Manage GitLab merge requests and pipelines with a Python CLI | From 79927e62ed0f79647144009bcd2a0ab1c556f0c4 Mon Sep 17 00:00:00 2001 From: Varvara Strizhkova Date: Thu, 4 Jun 2026 16:40:12 +0200 Subject: [PATCH 4/7] improving the agents --- .../agents/security/security-auditor.agent.md | 36 +++++++++++++++---- .../security-audit-from-plan.prompt.md | 2 +- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/.github/agents/security/security-auditor.agent.md b/.github/agents/security/security-auditor.agent.md index bfc510ddf..c8fa7920b 100644 --- a/.github/agents/security/security-auditor.agent.md +++ b/.github/agents/security/security-auditor.agent.md 
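Review bot: Dropping the `## Included Artifacts` heading in the gitlab hunk leaves `### Instructions` and `### Skills` as third-level headings with no second-level parent in this file. Confirm the other collection files touched in this series omit that heading as well so the gitlab page does not diverge from them, or keep the heading and apply only the column-padding change.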
@@ -6,7 +6,7 @@ agents: - Researcher Subagent tools: - agent - - read + - read/readFile - edit/createFile - edit/createDirectory - search/codebase @@ -55,7 +55,7 @@ Immediately after the CAUTION block, display the following **Default Exclusions* * (Optional) `projectSlug`: Slug under `.copilot-tracking/security-plans/`. * (Optional) `planPath`: Explicit path to a plan directory. Takes precedence over `projectSlug`. -* (Optional) `scope`: Additional path filter passed to `Security Reviewer`. When omitted, the auditor derives scope hints from the plan's component inventory. +* (Optional) `scope`: Pass-through scope hint forwarded to `Security Reviewer` as-is. When omitted, the auditor derives a scope hint from the plan's component inventory. Overlap with default-excluded prefixes is honored with a warning; the user's scope is never silently rewritten. * (Optional) `priorReport`: Prior `Security Reviewer` report path. Passed through for incremental comparison context only. ## Output Artifact 
@@ -64,13 +64,14 @@ Single file written under `.copilot-tracking/security-audits//`. * Filename pattern: `security-audit-{{YYYY-MM-DD}}-{{NNN}}.md`. * Sequence number resolution: list existing audits in the project directory for today's date, take the highest `{{NNN}}`, increment by one, zero-pad to three digits. Start at `001` when none exist. +* Concurrency safety: if the computed file path already exists at write time (concurrent run on the same slug and date), increment `{{NNN}}` and retry until creation succeeds. Cap at `999`; if exhausted, stop with an error rather than overwriting. * Create the directory if missing using `edit/createDirectory`. The auditor writes only this artifact. It does not write under `.copilot-tracking/security-plans/`, `.copilot-tracking/security/`, or any source path. ## Plan Resolution Order -Resolve the source plan deterministically: +Resolve the source plan with interactive disambiguation only on ties: 1. If `planPath` is provided and the directory contains `state.json`, use it. 2. Else if `projectSlug` is provided, use `.copilot-tracking/security-plans//` when it contains `state.json`. 
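Review bot: The new concurrency-safety bullet in the `Output Artifact` hunk is only race-free if `edit/createFile` fails on an existing path rather than overwriting it; as written, "if the computed file path already exists at write time ... increment `{{NNN}}` and retry until creation succeeds" is a check-then-create sequence that two concurrent runs on the same slug and date can both pass before either file exists. State explicitly that the create must be exclusive (fail if the path exists) and that the retry is driven by that failure rather than by a prior existence check, otherwise one run can still overwrite the other's report despite the cap at `999`.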
@@ -93,6 +94,13 @@ After resolving the plan, extract and hold the following in context. Cite each i If the plan is incomplete (for example, `currentPhase < 4` or no security model artifact), record a "baseline incomplete" note and limit the audit to categories supported by available evidence. Do not invent plan content. +### Schema-Drift Handling + +The planner may evolve `state.json` between releases. Treat every field in the checklist as best-effort: + +* If a required key is missing, malformed, or has an unexpected type, log a `schema-drift` note naming the key, degrade to baseline-incomplete, and skip any delta category that depends on that key. +* Never infer values from siblings or defaults. A missing `aiComponents` array suppresses the RAI signal rather than treating it as empty; a missing `handoffGenerated` map suppresses the SSSC handoff-state check rather than treating it as `false`. + ## Reviewer Invocation Contract Invoke `Security Reviewer` as a subagent with `runSubagent`. Use hybrid scoping: 
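Review bot: The second bullet under `Schema-Drift Handling` says a missing `handoffGenerated` map "suppresses the SSSC handoff-state check rather than treating it as `false`", but the `Handoffs` hunk in this same patch replaces that check with a `search/fileSearch` for an SSSC `state.json` and states that `handoffGenerated` does not track SSSC handoff state. Either drop the `handoffGenerated` example here or point it at whichever check still reads that key, so the two sections do not describe different sources of truth for the same decision.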
@@ -108,8 +116,7 @@ Invoke `Security Reviewer` as a subagent with `runSubagent`. Use hybrid scoping: * When building a scope hint from the plan's component inventory, **omit** any path under `.copilot-tracking/`, `docs/planning/`, `docs/adrs/`, `.github/agents/`, `.github/prompts/`, `.github/instructions/`, or `.github/skills/`. * When `${input:scope}` is provided, accept it as-is but log a warning if it overlaps any excluded prefix above. The user's explicit scope wins; do not silently rewrite it. -* When neither a user scope nor a derivable plan scope exists and Reviewer must auto-profile the full repo, append the following directive to the Reviewer prompt: *"Exclude planning and agent-customization artifacts from findings: `.copilot-tracking/**`, `docs/planning/**`, `docs/adrs/**`, `.github/agents/**`, `.github/prompts/**`, `.github/instructions/**`, `.github/skills/**`, and any `*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md` files. These are out of scope for repository-state security auditing."* -* If any post-audit finding still cites an excluded path, drop it from all delta categories and note the count in the audit summary under a "Filtered findings" line. +* Post-audit filtering is the contractual enforcement point: after Reviewer returns findings, drop every finding whose location matches an excluded path prefix or file glob from all delta categories, and report the dropped count under "Filtered findings" in the audit summary. Do not rely on free-text directives appended to Reviewer prompts; `Security Reviewer` does not contractually honor them. This exclusion is local to `Security Auditor` and does not change `Security Reviewer` behavior for other callers (e.g., `/security-review`). 
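Review bot: Removing the free-text directive also removes the only enumeration of the file globs (`*.prompt.md`, `*.agent.md`, `*.instructions.md`, `SKILL.md`) from this section, yet the replacement bullet still filters on "an excluded path prefix or file glob" and the preceding bullet lists path prefixes only. Point the post-audit filter at the `Default Exclusions` block displayed at startup, or restate the globs next to the prefixes, so there is a single normative list to match against; the report section 2 and completion block already promise to print both prefixes and globs.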
@@ -121,6 +128,21 @@ Capture from Reviewer: Compare Reviewer's applicable skills list to skills implied by the plan's standards mappings. Any skill Reviewer ran that the plan did not consider is a signal feeding the "Newly introduced threats" section and, when relevant, the RAI or SSSC handoff recommendation. +### Skill-to-Plan-Facet Mapping + +Use this normative mapping when classifying Reviewer-selected skills against plan facets. A skill counts as "absent from the plan" when none of its expected plan facets are present. + +| Reviewer skill | Expected plan facets | Handoff signal | +|----------------------------------------------------------------|-----------------------------------------------------------------------------------|------------------| +| `owasp-top-10` | Web application bucket with OWASP Web Top 10 standards mapping | Security Planner | +| `owasp-infrastructure` | Infrastructure or platform bucket with OWASP Infrastructure or CIS mapping | Security Planner | +| `owasp-cicd` | CI/CD or build bucket with OWASP CI/CD mapping | SSSC Planner | +| `secure-by-design` | Cross-cutting design principles mapping | Security Planner | +| `owasp-llm`, `owasp-agentic`, `owasp-mcp` | Non-empty `aiComponents` array and `raiEnabled: true` | RAI Planner | +| Any supply-chain skill (SBOM, provenance, signing, dependency) | CI/CD or build bucket with SLSA, SBOM, Sigstore, or dependency-integrity controls | SSSC Planner | + +When Reviewer selects a skill whose expected facets are all absent, list the skill in Section 2 under "Skills absent from the plan" and emit the corresponding handoff signal. + ## Comparison Model Apply these delta categories. Every entry must cite both the plan-side reference (threat ID, WI ID, bucket, or control name) and the Reviewer finding ID where applicable. 
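Review bot: The last row of the `Skill-to-Plan-Facet Mapping` table, "Any supply-chain skill (SBOM, provenance, signing, dependency)", is a category rather than a skill identifier like the other rows, so the classifier has no deterministic way to decide which Reviewer-selected skills fall under it; either enumerate the skill names or give the matching rule. Separately, the `owasp-llm`, `owasp-agentic`, `owasp-mcp` row expects a "Non-empty `aiComponents` array", so a missing `aiComponents` key counts as an absent facet and would emit the RAI signal that the new `Schema-Drift Handling` section says to suppress; add a sentence stating that schema-drift suppression takes precedence over the table.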
@@ -155,8 +177,8 @@ Include a top-of-report summary line with counts per category, the baseline-comp Recommend only. The user invokes any next agent themselves. * **Security Planner refresh** (`/security-capture`) — when "Control drift" or "Obsolete plan items" is non-empty, or when the baseline is incomplete. -* **SSSC Planner** (`/sssc-from-security-plan`) — when newly introduced threats relate to dependency integrity, build integrity, SBOM, provenance, or artifact signing, and `handoffGenerated.sssc` is absent or false. -* **RAI Planner** (`/rai-plan-from-security-plan`) — when Reviewer selected an AI-related skill (e.g., `owasp-llm`, `owasp-agentic`, `owasp-mcp`) that is not reflected in the plan's `aiComponents`/`raiEnabled` state, or when new AI-specific threats appear. +* **SSSC Planner** (`/sssc-from-security-plan`) — when newly introduced threats relate to dependency integrity, build integrity, SBOM, provenance, or artifact signing (per the Skill-to-Plan-Facet Mapping), **and** no SSSC plan exists at `.copilot-tracking/sssc-plans//state.json`. Detect plan presence with `search/fileSearch`; do not rely on planner-side `handoffGenerated` flags, which do not track SSSC handoff state. +* **RAI Planner** (`/rai-plan-from-security-plan`) — when Reviewer selected an AI-related skill (`owasp-llm`, `owasp-agentic`, `owasp-mcp`) and the plan's `aiComponents` array is missing or empty or `raiEnabled` is not `true`, **or** when no RAI plan exists at `.copilot-tracking/rai-plans//state.json` and any AI-specific threat is present. Apply Schema-Drift Handling: when `aiComponents` is missing entirely (not empty), suppress this signal rather than treating absence as a trigger. ## Operational Constraints diff --git a/.github/prompts/security/security-audit-from-plan.prompt.md b/.github/prompts/security/security-audit-from-plan.prompt.md index 88c48d36d..a56fe4c8e 100644 --- a/.github/prompts/security/security-audit-from-plan.prompt.md 
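Review bot: The rewritten `RAI Planner` bullet contradicts itself: the trigger clause fires when "the plan's `aiComponents` array is missing or empty or `raiEnabled` is not `true`", and the closing sentence says to suppress the signal "when `aiComponents` is missing entirely (not empty)". Change the trigger to "the plan's `aiComponents` array is empty or `raiEnabled` is not `true`" and let the schema-drift sentence own the missing case. Also confirm `search/fileSearch`, which the `SSSC Planner` bullet now depends on, is present in the agent's `tools` list; the `tools` context visible in this patch lists `search/codebase` but not `search/fileSearch`.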
+++ b/.github/prompts/security/security-audit-from-plan.prompt.md @@ -24,7 +24,7 @@ Planning and agent-customization artifacts are **excluded by default** from audi * `${input:projectSlug}`: (Optional) Slug under `.copilot-tracking/security-plans/`. The agent uses it for plan resolution and audit artifact directory naming. * `${input:planPath}`: (Optional) Explicit path to a plan directory containing `state.json`. Takes precedence over `projectSlug`. -* `${input:scope}`: (Optional) Path filter passed through to `Security Reviewer`. When omitted, the agent derives a scope hint from the plan's component inventory and lets Reviewer auto-profile. +* `${input:scope}`: (Optional) Pass-through scope hint forwarded to `Security Reviewer` as-is. When omitted, the agent derives a scope hint from the plan's component inventory and lets Reviewer auto-profile. Overlap with default-excluded prefixes is honored and warned; the user's scope is never silently rewritten. * `${input:priorReport}`: (Optional) Prior `Security Reviewer` report path to provide incremental comparison context. ## Requirements From 16329cebd44654d28cfd03de97cedf116178c50d Mon Sep 17 00:00:00 2001 From: Varvara Strizhkova Date: Thu, 4 Jun 2026 18:08:38 +0200 Subject: [PATCH 5/7] resolve scope and contract gaps in security-auditor --- .../agents/security/security-auditor.agent.md | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/agents/security/security-auditor.agent.md b/.github/agents/security/security-auditor.agent.md index c8fa7920b..e0b7f0a33 100644 --- a/.github/agents/security/security-auditor.agent.md +++ b/.github/agents/security/security-auditor.agent.md @@ -3,7 +3,6 @@ name: Security Auditor description: "Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact - Brought to you by microsoft/hve-core" agents: - Security Reviewer - - Researcher Subagent tools: - agent - read/readFile 
@@ -77,7 +76,7 @@ Resolve the source plan with interactive disambiguation only on ties: 2. Else if `projectSlug` is provided, use `.copilot-tracking/security-plans//` when it contains `state.json`. 3. Else scan `.copilot-tracking/security-plans/*/state.json`: * Zero matches: stop. Direct the user to run `/security-capture` or `/security-plan-from-prd` first. Do not proceed without a baseline plan. - * One match: use it. Confirm the slug with the user before proceeding. + * One match: use it. Confirm the slug with the user before proceeding. If the user declines, stop and offer to accept an explicit `planPath` or `projectSlug` on the next invocation. Do not auto-select a different plan. * Multiple matches: list candidates with slug and last-modified time and ask the user to choose. ## Plan Extraction Checklist 
@@ -115,16 +114,18 @@ Invoke `Security Reviewer` as a subagent with `runSubagent`. Use hybrid scoping: `Security Reviewer` in `audit` mode does not exclude planning or agent-customization artifacts on its own. To prevent noisy findings against non-application content, the auditor enforces exclusions before invoking Reviewer: * When building a scope hint from the plan's component inventory, **omit** any path under `.copilot-tracking/`, `docs/planning/`, `docs/adrs/`, `.github/agents/`, `.github/prompts/`, `.github/instructions/`, or `.github/skills/`. -* When `${input:scope}` is provided, accept it as-is but log a warning if it overlaps any excluded prefix above. The user's explicit scope wins; do not silently rewrite it. -* Post-audit filtering is the contractual enforcement point: after Reviewer returns findings, drop every finding whose location matches an excluded path prefix or file glob from all delta categories, and report the dropped count under "Filtered findings" in the audit summary. Do not rely on free-text directives appended to Reviewer prompts; `Security Reviewer` does not contractually honor them. +* When `${input:scope}` is provided, accept it as-is but log a warning if it overlaps any excluded prefix above. The user's explicit scope wins; do not silently rewrite it. Record each overlapping prefix as an **opted-in prefix** for this run. +* Post-audit filtering is the contractual enforcement point: after Reviewer returns findings, drop every finding whose location matches an excluded path prefix or file glob from all delta categories, **except** findings located under an opted-in prefix (from the rule above), which are retained. Report the dropped count under "Filtered findings" and list any opted-in prefixes under "Exclusion overrides" in the audit summary. Do not rely on free-text directives appended to Reviewer prompts; `Security Reviewer` does not contractually honor them. 
This exclusion is local to `Security Auditor` and does not change `Security Reviewer` behavior for other callers (e.g., `/security-review`). -Capture from Reviewer: +Capture from Reviewer via its **Scan Completion Format** (defined in the `security-reviewer-formats` skill, `references/completion-formats.md`): -* The applicable skills list it selected. -* The report file path it returned. -* Findings classified by status and severity. +* `REPORT_FILE_PATH` — the path to the written report. Treat this as the authoritative source of per-finding detail. +* `SKILLS_ASSESSED` — the comma-separated applicable-skills list Reviewer selected. +* Severity and summary counts from the completion message. + +The completion message does not enumerate individual finding IDs. Read the report at `REPORT_FILE_PATH` to obtain per-finding rows (ID, status, severity, location) for classification. If the completion message omits `REPORT_FILE_PATH` or the report file is unreadable, apply the retry-once protocol in Required Protocol before stopping. Compare Reviewer's applicable skills list to skills implied by the plan's standards mappings. Any skill Reviewer ran that the plan did not consider is a signal feeding the "Newly introduced threats" section and, when relevant, the RAI or SSSC handoff recommendation. 
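Review bot: "Overlap" between `${input:scope}` and an excluded prefix is not defined in the new opted-in-prefix rule, so it is unclear whether a scope of `.github/` opts in all four `.github/*` exclusions or whether a scope inside `docs/planning/` opts in only that subtree; state the direction explicitly (a scope that is an ancestor of an excluded prefix opts in every excluded prefix beneath it; a scope beneath one opts in only that subtree). The exception also says nothing about the file globs, so a `SKILL.md` under an opted-in prefix may or may not be retained; say which. In the `Capture from Reviewer` list, consider cross-checking the severity counts from the completion message against the rows read from `REPORT_FILE_PATH` and recording a mismatch, since the report is declared authoritative but both sources are consumed.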
@@ -160,7 +161,7 @@ Apply these delta categories. Every entry must cite both the plan-side reference Write the gap report with these sections in this fixed order: 1. **Security plan source** — resolved plan path, slug, `currentPhase`, last-modified timestamp, baseline-completeness note. -2. **Current repository audit source** — Reviewer report path, mode, scope used, applicable skills selected by Reviewer, and which of those skills were absent from the plan. Include a `Default exclusions applied` sub-block listing the excluded path prefixes and file globs, plus an `Exclusion overrides` line noting any user-provided scope that overlapped an excluded prefix. +2. **Current repository audit source** — Reviewer report path, mode, scope used, and applicable skills selected by Reviewer. Include a `Skills absent from the plan` sub-block listing each Reviewer-selected skill whose expected plan facets are all absent (per the Skill-to-Plan-Facet Mapping). Include a `Default exclusions applied` sub-block listing the excluded path prefixes and file globs, plus an `Exclusion overrides` line noting any user-provided scope that overlapped an excluded prefix and the opted-in prefixes retained as a result. 3. **Validated controls** — table with columns: Plan reference, Control, Evidence (Reviewer finding ID), Notes. 4. **Control drift and regressions** — table with columns: Plan reference, Expected control, Observed state, Reviewer finding ID, Severity. 5. **Residual open risks** — table with columns: Plan threat ID, Description, Reviewer finding ID, Severity, Recommended action. 
@@ -217,6 +218,6 @@ End each audit run with a single completion block: * Reviewer report path. * Counts for: validated controls, control drift, residual risks, new threats, obsolete items. * `Filtered findings: N` — count of Reviewer findings dropped by the planning-artifact exclusion rules (always print; `0` when none). -* `Default exclusions: ON` (always) plus a one-line summary of excluded path prefixes. If `${input:scope}` overlapped an excluded prefix, append `(user-scope override: )`. +* `Default exclusions: ON` (always) plus a one-line summary of excluded path prefixes. If `${input:scope}` overlapped an excluded prefix, append `(user-scope override: — retained)` to signal that findings under that prefix were kept rather than filtered. * Baseline-completeness flag. * Recommended handoffs with one-line rationale each. From 5f144c0995ec673e08deae6d07d180d5a880d2f4 Mon Sep 17 00:00:00 2001 From: Varvara Strizhkova Date: Tue, 9 Jun 2026 11:50:38 +0200 Subject: [PATCH 6/7] style(collections): apply markdown-table-formatter padding --- collections/ado.collection.md | 8 ++++---- collections/data-science.collection.md | 2 +- collections/github.collection.md | 8 ++++---- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/collections/ado.collection.md b/collections/ado.collection.md index 8a7bda012..a8ab9d5b0 100644 --- a/collections/ado.collection.md +++ b/collections/ado.collection.md 
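Review bot: The override suffix in the `Default exclusions: ON` bullet reads `(user-scope override: — retained)` with nothing between the colon and the dash, and the same empty segment appears in `.copilot-tracking/security-audits//` and `.copilot-tracking/sssc-plans//state.json` in earlier hunks; if an angle-bracket placeholder was intended there, it does not survive rendering. Use the `{{...}}` placeholder form the `Output Artifact` section already uses for `{{YYYY-MM-DD}}-{{NNN}}`, for example `{{prefix}}` and `{{projectSlug}}`, so the template values are visible in the rendered agent file.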
@@ -33,12 +33,12 @@ Manage Azure DevOps work items, monitor builds, create pull requests, and conver |-----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **ado/ado-backlog-sprint** | Sprint planning workflow for Azure DevOps iterations with coverage analysis, capacity tracking, and gap detection | | **ado/ado-backlog-triage** | Triage workflow for Azure DevOps work items with field classification, iteration assignment, and duplicate detection | -| **ado/ado-create-pull-request** | Required protocol for creating Azure DevOps pull requests with work item discovery, reviewer identification, and automated linking. | -| **ado/ado-get-build-info** | Required instructions for anything related to Azure Devops or ado build information including status, logs, or details from provided pullrequest (PR), build Id, or branch name. 
| +| **ado/ado-create-pull-request** | Azure DevOps pull request creation with work item discovery, reviewer identification, and automated linking | +| **ado/ado-get-build-info** | Azure DevOps build information: status, logs, and details from a PR, build ID, or branch name | | **ado/ado-interaction-templates** | Work item description and comment templates for consistent Azure DevOps content formatting | | **ado/ado-update-wit-items** | Work item creation and update protocol using MCP ADO tools with handoff tracking | -| **ado/ado-wit-discovery** | Protocol for discovering Azure DevOps work items via user assignment or artifact analysis with planning file output | -| **ado/ado-wit-planning** | Reference specification for Azure DevOps work item planning files, templates, field definitions, and search protocols | +| **ado/ado-wit-discovery** | Azure DevOps work item discovery via user assignment or artifact analysis with planning file output | +| **ado/ado-wit-planning** | Azure DevOps work item planning files, templates, field definitions, and search protocols | | **shared/hve-core-location** | Important: hve-core is the repository containing this instruction file; Guidance: if a referenced prompt, instructions, agent, or script is missing in the current directory, fall back to this hve-core location by walking up this file's directory tree. | ### Skills diff --git a/collections/data-science.collection.md b/collections/data-science.collection.md index 035269284..736c6e368 100644 --- a/collections/data-science.collection.md +++ b/collections/data-science.collection.md 
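Review bot: The subject `style(collections): apply markdown-table-formatter padding` does not match the content: every `-`/`+` pair in this hunk, and in the data-science and github hunks that follow, restores the description wording that an earlier commit in this series replaced, and the column padding is unchanged. Either retitle the commit as a revert with the reason, or squash it with the commit it undoes so the series does not carry a wording change and its reversal.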
@@ -34,7 +34,7 @@ Generate data specifications, Jupyter notebooks, and Streamlit dashboards from n | Name | Description | |------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **coding-standards/python-script** | Instructions for Python scripting implementation | +| **coding-standards/python-script** | Python scripting conventions | | **coding-standards/uv-projects** | Create and manage Python virtual environments using uv commands | | **rai-planning/rai-backlog-handoff** | RAI review and backlog handoff for Phase 6: review rubric, RAI review summary, dual-format backlog generation | | **rai-planning/rai-capture-coaching** | Exploration-first questioning techniques for RAI capture mode adapted from Design Thinking research methods | diff --git a/collections/github.collection.md b/collections/github.collection.md index 368f8a193..2beb23489 100644 --- a/collections/github.collection.md +++ b/collections/github.collection.md 
@@ -28,10 +28,10 @@ Manage GitHub issue backlogs with agents for discovery, triage, sprint planning, | Name | Description | |-------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **github/community-interaction** | Community interaction voice, tone, and response templates for GitHub-facing agents and prompts | -| **github/github-backlog-discovery** | Discovery protocol for GitHub backlog management - artifact-driven, user-centric, and search-based issue discovery | -| **github/github-backlog-planning** | Reference specification for GitHub backlog management tooling - planning files, search protocols, similarity assessment, and state persistence | -| **github/github-backlog-triage** | Triage workflow for GitHub issue backlog management - automated label suggestion, milestone assignment, and duplicate detection | -| **github/github-backlog-update** | Execution workflow for GitHub issue backlog management - consumes planning handoffs and executes issue operations | +| **github/github-backlog-discovery** | GitHub issue backlog discovery: artifact-driven, user-centric, search-based | +| **github/github-backlog-planning** | GitHub backlog management: planning files, search protocols, similarity assessment, and state persistence | +| **github/github-backlog-triage** | GitHub issue backlog triage: label suggestion, milestone assignment, and duplicate detection | +| **github/github-backlog-update** | GitHub issue backlog execution: consumes planning handoffs and runs issue operations | | **shared/hve-core-location** | Important: hve-core is the repository containing this instruction file; Guidance: if a referenced prompt, instructions, agent, or script is missing in the current directory, fall back to this hve-core location by walking up 
this file's directory tree. | ### Skills From 96e98149fc360e24606b6db8b5325119950f9e8c Mon Sep 17 00:00:00 2001 From: Varvara Strizhkova Date: Thu, 11 Jun 2026 08:38:28 +0200 Subject: [PATCH 7/7] rebase --- .github/agents/security/security-auditor.agent.md | 2 +- .../prompts/security/security-audit-from-plan.prompt.md | 2 +- .vscode/settings.json | 7 ++++++- collections/hve-core-all.collection.md | 2 ++ collections/security.collection.md | 2 ++ plugins/hve-core-all/README.md | 4 ++++ plugins/security/README.md | 4 ++++ 7 files changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/agents/security/security-auditor.agent.md b/.github/agents/security/security-auditor.agent.md index e0b7f0a33..936418dc6 100644 --- a/.github/agents/security/security-auditor.agent.md +++ b/.github/agents/security/security-auditor.agent.md @@ -1,6 +1,6 @@ --- name: Security Auditor -description: "Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact - Brought to you by microsoft/hve-core" +description: "Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact" agents: - Security Reviewer tools: diff --git a/.github/prompts/security/security-audit-from-plan.prompt.md b/.github/prompts/security/security-audit-from-plan.prompt.md index a56fe4c8e..f4c971008 100644 --- a/.github/prompts/security/security-audit-from-plan.prompt.md +++ b/.github/prompts/security/security-audit-from-plan.prompt.md @@ -1,7 +1,7 @@ --- name: security-audit-from-plan agent: Security Auditor -description: "Audits an existing security plan against current repo state and produces a gap-analysis artifact - Brought to you by microsoft/hve-core" +description: "Audits an existing security plan against current repo state and produces a gap-analysis artifact" argument-hint: "[projectSlug=] [planPath=.copilot-tracking/security-plans/] [scope=path/to/dir] [priorReport=path]" --- 
diff --git a/.vscode/settings.json b/.vscode/settings.json index c72e59d2b..2f9549819 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -26,7 +26,9 @@ }, "json.schemas": [ { - "fileMatch": [".copilot-tracking/rai-plans/*/state.json"], + "fileMatch": [ + ".copilot-tracking/rai-plans/*/state.json" + ], "url": "./scripts/linting/schemas/rai-state.schema.json" }, { @@ -88,4 +90,7 @@ "file": ".github/instructions/hve-core/commit-message.instructions.md" } ], + "chat.tools.terminal.autoApprove": { + "git stash": true + }, } diff --git a/collections/hve-core-all.collection.md b/collections/hve-core-all.collection.md index dabb4d16a..260778844 100644 --- a/collections/hve-core-all.collection.md +++ b/collections/hve-core-all.collection.md @@ -60,6 +60,7 @@ Use this edition when you want access to everything without choosing a focused c | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | | **rpi-agent** | Autonomous RPI orchestrator running Research → Plan → Implement → Review → Discover phases with specialized subagents | | **rpi-validator** | Validates a Changes Log against the Implementation Plan, Planning Log, and Research Documents for a specific plan phase | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | 
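Review bot: The `.vscode/settings.json` hunk adds `"chat.tools.terminal.autoApprove": { "git stash": true }` under a commit titled `rebase`; this is an unrelated and security-relevant workspace change, since it lets the chat agent run a command that can move uncommitted work out of the working tree without a confirmation prompt, and committing it applies that auto-approval to everyone who opens the repository. Move it to its own commit with a rationale in the message, or keep it in user-level settings rather than the shared workspace file; the `fileMatch` reflow in the same hunk is fine as is.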
@@ -132,6 +133,7 @@ Use this edition when you want access to everything without choosing a focused c | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | | **rpi** | Autonomous Research-Plan-Implement-Review-Discover workflow for completing tasks | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | diff --git a/collections/security.collection.md b/collections/security.collection.md index 666ef0d33..de3f9195b 100644 --- a/collections/security.collection.md +++ b/collections/security.collection.md 
@@ -18,6 +18,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-planner** | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | | **report-generator** | Collates verified security skill findings into a comprehensive vulnerability report | | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | 
@@ -32,6 +33,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-plan-from-prd** | Start responsible AI assessment planning from PRD/BRD artifacts using the RAI Planner agent in from-prd mode | | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | diff --git a/plugins/hve-core-all/README.md b/plugins/hve-core-all/README.md index 0f661539f..c3093e40e 100644 --- a/plugins/hve-core-all/README.md +++ b/plugins/hve-core-all/README.md 
@@ -65,6 +65,7 @@ Use this edition when you want access to everything without choosing a focused c | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | | **rpi-agent** | Autonomous RPI orchestrator running Research → Plan → Implement → Review → Discover phases with specialized subagents | | **rpi-validator** | Validates a Changes Log against the Implementation Plan, Planning Log, and Research Documents for a specific plan phase | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | @@ -137,6 +138,7 @@ Use this edition when you want access to everything without choosing a focused c | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | | **rpi** | Autonomous Research-Plan-Implement-Review-Discover workflow for completing tasks | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | 
@@ -383,6 +385,7 @@ copilot plugin install hve-core-all@hve-core | system-architecture-reviewer | System architecture reviewer for design trade-offs, ADR creation, and well-architected alignment | | ux-ui-designer | UX research specialist for Jobs-to-be-Done analysis, user journey mapping, and accessibility requirements | | rai-planner | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | +| security-auditor | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | security-planner | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | security-reviewer | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | sssc-planner | Six-phase repository supply chain security assessment against OpenSSF Scorecard, SLSA, Sigstore, and SBOM standards, producing a prioritized backlog of reusable workflows. | 
@@ -456,6 +459,7 @@ copilot plugin install hve-core-all@hve-core | rai-plan-from-security-plan | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | incident-response | Run an incident response workflow for Azure operations scenarios | | risk-register | Create a qualitative risk register using a Probability × Impact (P×I) matrix | +| security-audit-from-plan | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | security-capture | Start security planning from existing notes using the Security Planner agent (capture mode) | | security-plan-from-prd | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | security-review-llm | Run OWASP LLM and Agentic vulnerability assessments with codebase profiling | diff --git a/plugins/security/README.md b/plugins/security/README.md index 2c9208838..8c58300f9 100644 --- a/plugins/security/README.md +++ b/plugins/security/README.md 
@@ -26,6 +26,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-planner** | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | | **report-generator** | Collates verified security skill findings into a comprehensive vulnerability report | | **researcher-subagent** | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | +| **security-auditor** | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | **security-planner** | Phase-based security planner producing security models, standards mappings, and backlog handoffs with AI/ML detection and RAI Planner integration | | **security-reviewer** | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | | **skill-assessor** | Assesses a single security skill against the codebase and returns structured findings | 
@@ -40,6 +41,7 @@ Security review, planning, incident response, risk assessment, vulnerability ana | **rai-plan-from-prd** | Start responsible AI assessment planning from PRD/BRD artifacts using the RAI Planner agent in from-prd mode | | **rai-plan-from-security-plan** | Start responsible AI assessment planning from a completed Security Plan using the RAI Planner agent in from-security-plan mode (recommended) | | **risk-register** | Create a qualitative risk register using a Probability × Impact (P×I) matrix | +| **security-audit-from-plan** | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | **security-capture** | Start security planning from existing notes using the Security Planner agent (capture mode) | | **security-plan-from-prd** | Start security planning from PRD/BRD artifacts using the Security Planner agent (from-prd mode) | | **security-review** | Run an OWASP vulnerability assessment against the current codebase | @@ -114,6 +116,7 @@ copilot plugin install security@hve-core | rai-planner | Responsible AI assessment planner evaluating against NIST AI RMF 1.0, producing an RAI security model, impact assessment, control surface catalog, and backlog handoff | | researcher-subagent | Research subagent using search, read, web-fetch, GitHub repo, and MCP tools | | security-reviewer | Security skill assessment orchestrator for codebase profiling and vulnerability reporting | +| security-auditor | Audits an existing security plan against a fresh current-state assessment and produces a gap-analysis artifact | | codebase-profiler | Scans the repository to build a technology profile and select applicable security skills | | finding-deep-verifier | Deep adversarial verification of FAIL and PARTIAL findings for a single security skill | | report-generator | Collates verified security skill findings into a comprehensive vulnerability report | 
@@ -131,6 +134,7 @@ copilot plugin install security@hve-core | security-review-llm | Run OWASP LLM and Agentic vulnerability assessments with codebase profiling | | security-review-web | Run an OWASP Top 10 web vulnerability assessment without codebase profiling | | security-review-sbd | Run a Secure by Design principles assessment per UK and Australian government guidance | +| security-audit-from-plan | Audits an existing security plan against current repo state and produces a gap-analysis artifact | | sssc-capture | Start supply chain security planning from existing knowledge using the SSSC Planner agent in capture mode | | sssc-from-prd | Start supply chain security planning from PRD artifacts using the SSSC Planner agent in from-prd mode | | sssc-from-brd | Start supply chain security planning from BRD artifacts using the SSSC Planner agent in from-brd mode |
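Review bot: The subject line "rebase" does not document the first two hunks, which drop the " - Brought to you by microsoft/hve-core" suffix from the `description` of `.github/agents/security/security-auditor.agent.md` and from the `description` of `.github/prompts/security/security-audit-from-plan.prompt.md`; a rebase commit that changes file content should state what changed and why. The shortened wording does match the descriptions shown for the neighbouring agents and prompts in the collection tables later in this patch, so the change itself looks right; consider a subject such as `chore(agents): drop attribution suffix from Security Auditor descriptions`, or squash it into the patch that introduced the two files.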
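Review bot: The `fileMatch` change in the first `.vscode/settings.json` hunk is whitespace-only (the one-line array `[".copilot-tracking/rai-plans/*/state.json"]` is split across three lines) and has nothing to do with the Security Auditor registration; drop it from this series, or move it into a formatting-only commit, so the reviewable diff stays limited to the intended change.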
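Review bot: The second `.vscode/settings.json` hunk adds `"chat.tools.terminal.autoApprove": { "git stash": true }`, which lets the chat agent run `git stash` in the integrated terminal with no confirmation prompt, and it does so in the workspace settings file that every contributor checks out rather than in user-level settings. `git stash` rewrites the working tree and index (uncommitted edits are moved into the stash), so an agent invoking it unprompted can make a contributor's in-progress changes vanish mid-session; confirm how string keys are matched by this setting, because if they match by command prefix then `git stash drop` and `git stash clear` would be auto-approved as well, and those are destructive. Nothing in the patch explains why the Security Auditor workflow needs this, so either document the reason in the commit message and narrow the rule to the exact invocation the agent requires, or leave it to each contributor's user settings. Separately, the closing `},` leaves a trailing comma before the final `}` of the file; VS Code tolerates it in settings.json, but strict JSON tooling reading the same file will not.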
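Review bot: The same two rows (`security-auditor` and `security-audit-from-plan`) are hand-inserted into tables in `collections/hve-core-all.collection.md`, `collections/security.collection.md`, `plugins/hve-core-all/README.md` and `plugins/security/README.md`, starting with the `@@ -60` hunk of `collections/hve-core-all.collection.md`, with the descriptions copied verbatim from the agent and prompt front matter. If these tables are generated from the collection definitions, regenerate them instead of editing by hand so wording and row placement cannot drift; if they are maintained manually, consider a lint check that compares each table description against the corresponding front matter `description`, since this patch already had to touch that string in two places.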
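Review bot: In the `@@ -114` hunk of `plugins/security/README.md` the new `security-auditor` row is inserted after `security-reviewer`, whereas the `@@ -26` hunk of the same file places it before `security-planner`; pick one position for both tables so a reader finds the agent in the same relative place throughout the README. The description text itself matches the agent file's `description`, which is correct.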
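Review bot: In the `@@ -131` hunk of `plugins/security/README.md` the new `security-audit-from-plan` row sits after `security-review-sbd` and before `sssc-capture`, while the `@@ -40` hunk of the same file places it before `security-capture`; align the two tables on one ordering. The wording matches the prompt's `description`, so only the placement needs attention.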