font.getbbox() returns (left, top, right, bottom), so text line height must
be bottom - top (bbox[3] - bbox[1]). The label placement code used
bbox[3] - bbox[0] (bottom - left), mixing an x-coordinate into a height and
producing a slightly wrong label-box height (empirically off by 0-4px
depending on font). The debug heatmap labeling in the same module already
uses the correct bbox[3] - bbox[1], so this brings placement in line.
Port the app workspace and runtime session inventory fixes from the personal James Hub canvas into the generic Work Hub extension. This lets the cleanup and recent-session surfaces read current app workspaces before falling back to the legacy session store.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add APNG Studio canvas extension
APNG Studio is an interactive GitHub Copilot canvas extension for building
Animated PNG (APNG) files from frames: draw or upload frames, tune per-frame
timing and compositing, preview live, send the result to a phone by QR, and
export an animated .png.
Adds extensions/apng-studio/ with the required .github/plugin/plugin.json and
assets/preview.png, and regenerates .github/plugin/marketplace.json.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback for APNG Studio
Security and robustness (extension.mjs):
- Reject "." and ".." project ids so canvas/action input cannot resolve
outside artifacts/.
- Bound request bodies (1 MiB JSON, 40 MiB frame upload); return 413 when
exceeded.
- Reject malformed JSON with 400 instead of coercing to {}, so a truncated
body cannot trigger destructive routes such as /frames/clear.
- Scope shares per project so one canvas cannot rotate or stop another's
share; the LAN server is shared and torn down once no shares remain.
- get_state treats hiddenFirst as active only with >=2 frames, matching the
encoder, so a single-frame project reports the correct duration.
Accessibility (web/):
- Expose Pen/Eraser state with aria-pressed and keep it in sync in setTool.
- Mark the toast as an aria-live status region.
Packaging:
- Add extensions/apng-studio/.gitignore with artifacts/ so the documented
runtime-data exclusion holds for this extension.
- Update the README install section to reference the committed awesome-copilot
extension path.
Regenerated .github/plugin/marketplace.json.
* Use "GitHub Copilot app" wording
Update the plugin description (and regenerated marketplace entry) to refer to
the host as the GitHub Copilot app.
* Address deeper review for APNG Studio
Security:
- Require a per-server access token on every loopback data/mutation request
(minted per canvas server, carried in the iframe URL, attached to every
renderer request). Static assets stay public. Blocks a local process or
cross-origin page from reading state or driving mutations.
Concurrency and durability:
- Serialize the load-mutate-save cycle per project; dedupe concurrent first
loads; write project.json via temp file + rename.
Lifecycle:
- Track SSE clients per instance and end them before server.close().
- Stop a project's LAN share only when no other panel references it.
Correctness:
- Report exact numerator/denominator total duration; handle pointercancel.
QR and accessibility:
- Place QR version bits least-significant-bit first (versions 7-10).
- Associate delay/fps/dispose/blend labels with their inputs via for=.
* Address deeper concurrency and validation review for APNG Studio
- Run assemble() under the project lock; add_color_frame renders and appends
within one lock.
- Validate uploaded frames (PNG chunk scan, size + dimension checks) before
writing; first frame stores real dimensions; CanvasError maps to 400.
- Validate move delta; clear frames in memory before deleting files.
- Route the open-handler rename through applySettings.
- Deduplicate LAN share startup; clean up if the canvas closes mid-start.
- End SSE streams before server.close(); skip dead streams in broadcast.
- Exact fractional duration; drawing surface stays >= 1px; refresh state before
re-seeding "start from last frame".
* Address review: PNG format validation, share bind, limits, a11y
- Validate uploaded frames are 8-bit RGBA non-interlaced PNGs (standard
compression/filter); reject formats the codec can't encode.
- Cap projects at 600 frames (add + duplicate).
- Bind the LAN share server to the private address, not 0.0.0.0; require a
private address and rebind when it changes while idle; build the URL from the
bound address.
- Align width/height inputs and clampSize to the 2048 maximum.
- Size the drawing surface by width + aspect ratio for narrow panels.
- set_frame with an unknown frameId returns a validation error.
* Address review: encoded-byte budget, timing modes, id keys, load errors
- 256 MiB aggregate encoded-byte budget (add + duplicate); per-frame size
tracked and backfilled on load, so a frame count alone no longer bounds
assembly memory.
- Frame timing is one exclusive mode (delayMs | fps | delayNum/delayDen);
combinations are rejected instead of producing hybrid delays.
- Collision-resistant project storage keys: safe ids are used verbatim (existing
projects still load) and only unsafe ids get a hash suffix, so "foo/bar" and
"foo?bar" can't share a directory.
- Load only treats a missing file as a new project; other read/parse errors
surface instead of silently overwriting real data.
- Share server binds to a real LAN interface (skips virtual/VPN/container,
prefers physical NICs and common ranges).
- Generated export names get millisecond + random suffix to avoid same-second
overwrite.
- PNG validator accepts the encoder's Uint8Array so agent solid-color frames
aren't rejected.
* Address review: crash-safe frame writes, server startup, APNG first frame
- Write the PNG before mutating project metadata on add/duplicate, and delete
after persisting, so an interrupted disk op can't dangle a reference or
advance unsaved state.
- Evict a project from the in-memory cache if its save fails, so a transient
write error can't desync the live session from disk.
- Reject on the loopback server's listen error and drop a half-initialized
instance so startup failures clean up and can retry.
- Normalize APNG dispose_op PREVIOUS to BACKGROUND on the first animated frame
(spec requirement).
- Release decoded ImageBitmaps after use so a large upload batch doesn't retain
native image memory.
- Surface otherwise-silent async UI failures via a toast; check the state
response is ok before parsing it.
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(website): dedicated agent detail pages instead of modal
Replace the popup/modal viewer for agents with dedicated per-agent pages at /agent/<id>/ for real URLs and better deep linking.
- Build-time rendered docs (marked + gray-matter) with a details sidebar
- Sidebar Actions card: Install split-button (VS Code/Insiders/Download/Copy markdown), Share, View on GitHub
- Cards now link natively via anchors (no modal); card-render gains optional href (backward compatible for other types)
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* feat(website): dedicated instruction detail pages + shared detail layout
Extend the dedicated detail-page pattern (introduced for agents) to
instructions, and factor the shared behavior/styles out for reuse:
- Add instruction/[id].astro with build-time markdown render, breadcrumb,
install split-button (VS Code/Insiders/Download/Copy markdown), Share,
View on GitHub, and a details sidebar (Applies to / Source / Last updated)
plus collapsible frontmatter.
- Extract shared client behavior into resource-detail.ts (renamed from
agent-detail.ts) keyed on [data-resource-detail].
- Move detail-page CSS into global.css under .resource-detail-page.
- Point the agent detail page at the shared script/styles.
- Instruction cards now link to /instruction/<id>/ and the modal is removed
from the instructions listing.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* refactor(website): extract shared detail-page components
Break the agent and instruction detail pages down into reusable Astro
components under src/components/pages: Breadcrumb, Header, Main, Sidebar,
SidebarChips, InstallButtons, and RawMarkdown. Both detail pages now
compose these components instead of duplicating markup.
Fix RawMarkdown to read the `markdown` prop (matching both call sites) and
emit exact text via set:text, which restores the Copy markdown action that
had silently broken when the hidden textarea stopped rendering.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* refactor(website): share detail-page build logic in lib/detail-page
Both detail pages duplicated the install/GitHub URL builders, the
build-time markdown read+render, and the last-updated formatting. Move all
of it into a DOM-free build-time helper (src/lib/detail-page.ts) exposing
loadDetailPage(item, type), and reduce each [id].astro to a single call plus
its type-specific chip data.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated skill detail pages with multi-file browser
Migrate skills from the popup/modal viewer to dedicated per-item pages
(/skill/<id>/) matching the agent and instruction detail pages.
Skills need a few skill-specific mechanics:
- Install via `gh skills install github/awesome-copilot <id>` (copyable),
since skills have no VS Code install URL.
- Download ZIP for the multi-file skill contents.
- A file browser that defaults to SKILL.md and lets you inspect other
files, with Shiki syntax highlighting for code and marked-rendered
markdown. SKILL.md is embedded (rendered + raw) at build time; other
files are lazy-fetched on demand and cached. Deep links via #file=.
Also fixes a production build regression in the shared detail-page
helper: repoRoot now resolves via process.cwd() instead of import.meta
.url, which resolved incorrectly once bundled and silently returned
empty markdown (breaking rendered docs + copy-markdown for agents and
instructions too).
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Replace skill file list with a dropdown selector
The two-column file browser (side list + content pane) was cramped,
splitting the already-narrow main column in half. Replace the side list
with a dropdown in the file view header so the content pane spans the
full width.
- Multi-file skills get a <select> grouped by folder via <optgroup>,
SKILL.md first. Single-file skills keep a static filename label.
- Client script drives selection from the <select> change event instead
of the removed file buttons; deep links, copy-file, Download ZIP, and
Share all read the file list from the select options.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Fix skill sidebar card overflowing its column
The install command in the actions card used white-space: nowrap, which
gave the grid tracks a large min-content size. Grid items default to
min-width: auto (won't shrink below content), so the actions card grew
past the 352px sidebar, making it look wider than the agent/instruction
sidebars. Add min-width: 0 down the sidebar grid chain so the command
box stays within the column and scrolls horizontally instead.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Make skill file content pane grow to full page height
Remove the fixed max-height/overflow on .skill-file-content so file
content flows to natural height and the page scrolls, instead of a
nested inner scroll region. Shiki <pre> keeps its own horizontal scroll.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Center-align skill file picker label with the select
Reset the Starlight-injected margin-top on .skill-file-select so the
'File' label and the dropdown share a common vertical midline.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Render code files edge-to-edge in skill file viewer
For code files, drop the container padding and the pre border/radius so
the highlighted code fills the full column width. Markdown files keep
their padded, bordered layout. Toggled via an is-code class on the
content pane based on the selected file kind.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated detail pages for hooks with a reusable file browser
Hooks had no good install path (manual copy or ZIP), so mirror the
Skills dedicated-page pattern: a multi-file browser plus a Download ZIP
action, replacing the modal on the hooks listing.
Generalise the Skills-specific file browser so both resource types share
one implementation:
- Rename SkillFileBrowser.astro -> FileBrowser.astro with neutral props.
- Rename skill-detail.ts -> file-browser.ts with neutral data attributes
(data-file-browser-page, data-bundle-id, data-primary-file).
- Rescope install-slot styles under a shared .bundle-detail-page class.
- generate-website-data: rename getSkillFiles -> getFolderFiles and emit a
files[] + readmeFileName for each hook.
Hooks list cards now deep-link to /hook/<id>/ instead of opening a modal.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated detail pages for workflows
Migrate agentic workflows from the popup/modal viewer to dedicated per-item pages (/workflow/<id>/) with deep linking, matching the pattern used for agents, instructions, skills, and hooks.
Workflows are single .md files, so they reuse the single-file detail components (Main, Sidebar, Header, Breadcrumb, RawMarkdown) and the resource-detail client script. Since workflows have no VS Code install, the install slot instead documents the gh aw CLI flow and offers Download + Copy markdown actions.
Also rescope the shared install-slot CSS from .bundle-detail-page to .detail-actions-card so skill, hook, and workflow pages share it without a page-specific class, and drop the now-unused bundle-detail-page class from the skill and hook pages.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Format workflow install note
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated plugin detail pages
Replace the plugins modal with dedicated /plugin/<id>/ pages that deep link, render the bundled README, and surface an Included items section linking each constituent agent/skill/instruction/hook to its own detail page (falling back to GitHub for items without a page, e.g. extensions).
- generate-website-data: resolve plugin items to detail URLs + titles, add readmeFile for local and extension-derived plugins
- new IncludedItems component groups bundled resources by kind
- plugin/[id].astro handles local, extension-derived, and external plugins with VS Code + CLI install actions
- resource-detail: copy-install handler shared with detail pages
- plugins list cards now deep link; modal wiring removed
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Show plugin version, ref, and commit in detail sidebar
Capture version from plugin.json (local + extension-derived) and external.json, and surface it in the plugin detail Details card. For external plugins, also show the pinned source ref and short commit SHA when present.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add dedicated canvas extension detail pages with preview gallery
Replace the extensions modal with per-extension pages at /extension/<id>/,
mirroring the skill/plugin detail layout. Each page shows a preview image
gallery, README docs (or an About fallback), and a sidebar with install
actions and details (version, canvas ID, keywords, author, commit).
- generate-website-data.mjs: emit readmeFile for extensions
- extensions-render.ts: deep-link cards to detail pages
- extensions.ts: strip modal/gallery wiring, keep filter/sort/copy actions
- resource-detail.ts: add copy-install-url action
- extension-gallery.ts: thumbnail switching for multi-image previews
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add VS Code Insiders and GitHub Copilot app install links
Introduce a shared PluginInstall component used by both plugin and canvas
extension detail pages. It renders a split-button dropdown deep-linking into
VS Code, VS Code Insiders, and the GitHub Copilot app (ghapp://), plus the
CLI command for internal items.
- Internal plugins/extensions: ghapp://plugins/install?source=<id>@awesome-copilot
- External plugins: ghapp://plugins/marketplace/add?source=<owner/repo>
- ghapp source values are URL-encoded per the app's deep-link contract
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Make GitHub Copilot app the default install option
Promote the ghapp:// deep link to the primary split-button action and list
it first in the dropdown, ahead of VS Code and VS Code Insiders.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Ignoring impeccable files
* Make Extensions grid Copy Install a direct Copilot app install
Replace the CLI-command copy button on extension cards with an
'Install in Copilot app' deep link (ghapp://plugins/install) for internal
extensions, matching the detail page. External extensions keep the Copy URL
fallback since they have no Copilot app install path.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on detail pages
- Remove DOM innerHTML read/write round trip in file browser cache
(CodeQL js/xss-through-dom); seed primary file from raw text and
render lazily.
- Use Shiki dual light/dark themes in the file browser and add dark
mode CSS overrides.
- Guard decodeURIComponent for #file= deep links against malformed
percent-encoding.
- Slugify SidebarChips title before using it in the tag class name.
- Use a neutral aria-label on the shared detail Sidebar.
- URL-encode the external plugin source in VS Code and Insiders
install links.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Prevent client-side path traversal in file deep links
Addresses the CSPT-to-XSS class reported in github/open-source#1739.
A '#file=' hash value containing '../' sequences could resolve outside
the awesome-copilot repo prefix once normalized by fetch, loading
attacker-controlled content that was then rendered into the page.
- Add isSafeRepoFilePath() and enforce it at the raw-URL choke point
(getRawGitHubUrl, fetchFileContent, downloadFile, getVSCodeInstallUrl),
so no consumer can escape the repo prefix.
- Validate the decoded '#file=' path in the modal hash handler and guard
its decodeURIComponent against malformed input.
The new hash-based file browser already restricts deep links to an
allowlist of build-time file descriptors; the choke-point guard is an
additional backstop.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Fix accessibility violations on resource detail pages
Run the a11y audit against the new detail pages and resolve every
critical/serious axe violation it surfaced:
- Nest the detail column as a <div> instead of a second <main>, fixing the
duplicate/non-top-level/non-unique landmark rules on every detail page.
- Add a shared enhanceMarkdownA11y() helper that makes rendered <pre>/<table>
blocks keyboard focusable and gives task-list checkboxes a state-based
accessible name; apply it at build time and in the client file browser.
- Make Shiki-highlighted code and install-command <code> blocks focusable.
- Underline links inside rendered docs and install notes so they are
distinguishable without color, overriding the global #main-content reset.
- Extend the a11y audit to cover one representative page per detail type.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Fix file browser GitHub URL handling
Encode selected file paths before assigning GitHub detail links and render load errors with DOM APIs so DOM-derived file names are not reinterpreted as markup.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on detail pages and file browser
- Deep-link plugin extension items to their /extension/<id>/ detail pages:
generate canvas extensions before building the resource index, and index
extensions (by id and folder basename) so resolvePluginItem can resolve them.
- Render image files in the bundle file browser via an <img> tag built from the
safe raw URL instead of decoding binary assets as UTF-8 text; skip the
copy-file action for images.
- Use a neutral 'Install' heading on internal plugin and extension pages so the
split-button primary label accurately communicates the target.
- Warn (with the file path) when readResourceMarkdown fails instead of swallowing
the error silently, keeping the build unbroken.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on install links, dropdown a11y, and ZIP downloads
- externalRepoUrl (plugin detail pages) now builds the 'View on GitHub' tree
URL from the pinned source.ref or source.sha, falling back to main only when
neither is present, so the link matches the sidebar Ref/Commit chips.
- Install split-button dropdown on resource detail pages is now keyboard
accessible: opening focuses the first item, ArrowUp/ArrowDown wrap, Home/End
jump, and Escape closes and restores focus to the toggle, mirroring modal.ts.
- downloadZipBundle fetches each file as an ArrayBuffer and hands it to JSZip so
binary assets (PNG/JPG/etc.) are preserved instead of corrupted by UTF-8 text
decoding.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback on external repo links and workflow install note
- externalRepoUrl now uses a pinned source.ref/sha even when the external
plugin has no path, returning /tree/<ref> so "View on GitHub" points at the
pinned revision and stays consistent with the sidebar Ref/Commit chips.
- Reflow the workflow install note so each inline code and link element stays on
a single line (using explicit whitespace expressions for word spacing),
removing the split end-tag artifacts while preserving the exact rendered text
and spacing.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Harden repo path validation and fix Included Items file links
- isSafeRepoFilePath now fails closed on any "%" so percent-encoded dot-segments
(%2e%2e and double-encoded %252e%252e) cannot be normalized back into path
traversal by the browser URL parser during fetch, and also rejects "." and
empty path segments. Legitimate repo paths never contain these.
- IncludedItems githubHref now links file paths via /blob/ and directories via
/tree/, detecting files by a trailing extension on the last path segment, so
the fallback links for agent/instruction/command items no longer 404.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Harden detail pages: sanitize markdown, fix search deep-links and external URLs
Addresses rubber-duck review items 1-5 for the detail-page migration:
1. Sanitize rendered markdown as untrusted HTML. Add isomorphic
sanitize-html helper (isomorphic-dompurify) applied in the build-time
pipeline (detail-page.ts) and the client file browser before a11y
enhancement, so marked output can no longer inject scripts/handlers.
2. Point Pagefind search results at canonical /type/id/ detail pages
instead of inert #file= listing hashes for types that have a detail page.
3. Sanitize external/generated URLs on plugin and extension detail pages
and their render scripts so only http(s) links are emitted.
4. Add a shared externalRepoUrl helper that pins GitHub links to the
source ref/sha (preferring sha) with encoded path segments, replacing
the duplicated always-main logic in the pages, modal, and renderers.
5. Handle #file= hash navigation after initial load in the file browser
via a hashchange listener.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Detail pages: clickable filter chips + code-block copy buttons (#2255)
* Add clickable filter chips on detail pages
Turn read-only metadata chips into navigation: tags (hooks/plugins),
keywords (extensions), and extensions (instructions) now link to their
list page pre-filtered by that value (e.g. /hooks/?tag=testing).
SidebarChips gains optional filterBase/filterParam props; when both are
set each chip renders as an <a> with an aria-label and hover/focus
styling, otherwise it stays a plain <span>. Agent/skill/workflow chips
are unchanged. Filtering was verified end to end against each list
page's existing query-param handling.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add copy buttons to documentation code blocks
Detail-page markdown is rendered as plain <pre><code> with no syntax
highlighter, so code and config snippets had no copy affordance. Add a
hover-revealed copy button to every code block in the rendered docs:
copies to the clipboard, shows a toast, and swaps to a check icon for
confirmation. Buttons are keyboard-accessible, always visible on touch
devices, and respect reduced-motion. The sidebar frontmatter block is
left untouched.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Fix detail-page GitHub links, empty-state link contrast, and file cache
Addresses four PR review comments on the detail-page migration:
- skill/hook detail pages: build the sidebar "View on GitHub" link from a
/tree/main base instead of /blob/main, since item.path is a directory and
/blob/<dir> URLs 404. The FileBrowser githubBase stays on /blob for
individual file links.
- global.css: include .detail-empty a in the underline override so links in
empty-state notes stay distinguishable without relying on color alone
(WCAG 1.4.1 / axe link-in-text-block).
- file-browser.ts: seed the primary file's cache with its already-rendered
(frontmatter-stripped) HTML in addition to raw text, so re-selecting the
primary file after navigating away no longer re-renders the raw source and
surfaces frontmatter. Copy still uses the full raw text.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
* Add arch plugin (architecture + modernization skills)
Add the `arch` plugin with two skills:
- `arch:document` — produce a single, cited architecture document for a
locally-cloned repo, reading files on disk only.
- `arch:modernize` — generate a phased modernization plan, auto-running the
document workflow first when no architecture doc exists.
Skill sources live in top-level skills/ and are referenced declaratively
from plugins/arch/.github/plugin/plugin.json, per the repo's plugin model.
Regenerated docs/README.plugins.md, docs/README.skills.md and marketplace.json.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Merge arch skills into single doc-and-modernize skill
Collapse the document and modernize skills into one standalone skill
(doc-and-modernize) with Documentation and Modernization modes, keeping
the plugin named arch. Modernization mode now runs the Documentation
workflow inline instead of invoking a separate arch:document skill,
fixing standalone-install cross-skill references. Reframe Documentation
mode as local-first (remote/API lookups are a flagged last resort)
rather than local-only. Regenerate docs and marketplace.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review: list skill by bare ID in arch README
Use 'doc-and-modernize' (repo convention) instead of the namespaced
'arch:doc-and-modernize', noting it surfaces as arch:doc-and-modernize
when installed via the plugin.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review: use non-HTML placeholder in instructions template
Change plain-text <PROJECT NAME> to [PROJECT NAME] in the header and
first paragraph so Markdown renderers don't parse it as an HTML tag and
drop it. The code-span `<N>` on the phase line is unaffected.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review + fix codespell CI failure
- Fix codespell: pre-empts -> preempts in the instructions template
- Consistent terminology: replace 'research step/workflow' with
'Documentation mode' in SKILL.md, README, and plugin.json description
- Fix run-on: add 'that' before 'Modernization mode must surface'
- Regenerate docs/marketplace for the updated plugin description
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review feedback
- Instruct redacting credentials/tokens from git remote URLs before recording
- CI enforcement: ask user or mark [UNVERIFIED]; remote lookup is flagged last resort
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: samqbush <samqbush@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Renames the skill so its name makes the source-code-review scope explicit and
distinct from the existing config-focused `mcp-security-audit` skill (the
duplicate-detection check flagged the shared `mcp-security-` prefix; it is
advisory only). Also sharpens the description's first line to lead with
"implementation source code of MCP servers, clients, and tool handlers".
- Rename folder skills/mcp-security-baseline -> skills/mcp-implementation-security-review
- Update name field and H1 heading to match
- Regenerate docs/README.skills.md
Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Per v1.0.69-3 (2026-07-07), the /allow-all auto mode now requires
experimental features to be active (/experimental on or --experimental).
The previous AUTO_APPROVAL env var approach has been removed.
Update the auto allow-all mode note in Copilot Configuration Basics
to document the experimental mode requirement and activation steps.
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add foundry-hosted-agent-copilotkit skill (development-focused)
Reworked from PR #2090 feedback: drops all scaffolding/sample-template
content and focuses on ongoing development with CopilotKit + AG-UI +
Azure AI Foundry hosted agents — adding/gating tools, human-in-the-loop
approvals, generative UI and shared state, event-stream debugging,
pre-1.0 dependency upgrades, and the hosted-agent deploy loop.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
* Add HITL code examples to foundry-hosted-agent-copilotkit skill
Address review feedback: the .NET approval paragraph was prose-only.
Add a .NET snippet from the official Step04_HumanInLoop sample and
correct the type/behavior (ToolApprovalRequestContent; convert—not
remove—the request_approval call/result). Also add live-verified
Python snippets for hosted-agent approval-forwarding (#6652) and the
previous_response_id #6851 guard.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add mcp-security-baseline skill
An Agent Skill that reviews MCP server and client source code against a security
baseline (5 controls, 7 RCE vectors, OWASP MCP Top 10) and produces a compliance
report with file/line evidence. Complements mcp-security-audit, which checks
.mcp.json configuration.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback: remove ignored keywords field, link MCP spec
- Remove the top-level `keywords` field: it is not a recognized skill
front-matter field and is ignored (skills are indexed for search by
name + description only). The keyword terms are already present in the
description, so discovery is unaffected.
- Link the MCP 2025-03-26 specification at the protocol-version check so
the agent has it for quick reference.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback: fix unsafe-deserialization example, link current MCP spec
- Change the unsafe-deserialization example from `yaml.load(..., Loader=yaml.FullLoader)`
to `Loader=yaml.UnsafeLoader` to reflect genuinely unsafe usage.
- Add a link to the current MCP spec revision (2025-11-25) alongside the 2025-03-26
baseline on the protocol-version check.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Swetha Kumar <16600902+Swethakumar1@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Stop the accessibility kanban extension from persisting raw refresh failure details to browser-visible state. Use a generic safe error message for clients, clear any previously persisted detailed refresh errors during state normalization, and keep detailed diagnostics server-side via console logging.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add Tiny Tool Town submission canvas
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add generated description choices
Resolve picker opens from the active session working directory so linked worktrees work without an explicit repository path.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address Tiny Tool review comments
Detect root .csproj files as build signals and hide canvas access tokens from the visible URL after first load.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address latest Tiny Tool review comments
Handle root-relative README images, preserve drafts during refresh, and suppress GitHub mentions before public issue creation.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Address canvas shutdown and CSP review
Close all canvas servers during shutdown, use nonce-based CSP, make theme optional, and hide decorative preview dots from assistive tech.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Remove the read-only role override from the PR duplicate check so gh-aw pre-activation gates unsupported actors before the PR checkout step runs.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
- Add /mcp list command (shows attached servers mid-turn) to understanding-mcp-servers
- Add stayInAutopilot setting to CLI settings table in copilot-configuration-basics
- Add auto allow-all mode (LLM judge-based approval) to copilot-configuration-basics
- Add kimi-k2.7-code model to the model selection table in building-custom-agents
- Update lastUpdated dates on all three modified pages
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(website): remediate WCAG accessibility issues and add axe regression guardrail
Fixes accessibility violations found by an axe-core sweep of every website
page in both light and dark themes:
- aria-allowed-role (WCAG 1.3.1, 4.1.2): the shared resource card rendered
an <article> with role="listitem", which is not an allowed role for that
element. Switched the wrapper to a <div role="listitem"> so the listitem
role is valid (affected every card, e.g. #arcade-canvas on /extensions/).
- aria-required-children (WCAG 1.3.1): removed role="list" from the tools,
contributors, and cookbook containers whose children are not list items.
- nested-interactive (WCAG 4.1.2): removed tabIndex=0 from extension cards
and rendered the author as a non-interactive span so no interactive
control is nested inside another (the author link remains in the modal).
- color-contrast (WCAG 1.4.3): gave .btn-primary explicit white text with an
AA-compliant hover (#7326d6), and bumped the dark-theme secondary text gray
(--sl-color-gray-3) to #84849c (5.32:1) so ToC / meta / footer text passes.
Adds a checked-in regression guardrail:
- website/scripts/a11y-audit.mjs runs axe-core over all routes in both themes
against the production build and fails on critical/serious violations only
(moderate/minor are reported but non-blocking). Transitions/animations are
disabled before sampling so axe measures settled, steady-state colors
instead of mid-theme-transition frames.
- Adds npm scripts (website:a11y at the root, a11y in website/) and README
docs. The matching Build Website CI step is proposed in the PR description
(omitted from this commit because the authoring token lacks workflow scope).
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* fix(website): harden a11y audit per PR review
- Fail fast when a route navigation returns a non-2xx response, so the
guardrail can't silently pass against a broken/missing route (page.goto
resolves even for 4xx/5xx).
- Launch the Astro preview server via `node <astro-bin>` instead of
`spawn(..., { shell: true })`. Removing the shell layer keeps signal
delivery / detached-PGID shutdown predictable; resolving Astro's bin and
running it with process.execPath also avoids the EINVAL that modern Node
raises when spawning the npx.cmd shim without a shell on Windows.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: David Pine <7679720+IEvangelist@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Canvas extensions (accessibility-kanban, where-was-i) resolved git state
against the extension's install directory or the session-state folder
instead of the repo the session was opened in. This broke repo/branch
detection for user-scoped installs and worktrees ("unknown/unknown",
"detached HEAD"). Both now read the active session's working directory
from the canvas request context on open and on each action, so they
follow whichever project/worktree opened them.
where-was-i also re-gathers context on open when the saved branch is
blank, so it never opens stuck on stale data.
Also compress oversized extension preview images (pngquant, with a mild
resize for the photographic arcade-canvas art) so every preview.png is
comfortably under the installer's inline-byte cap that was blocking
release-notes-showcase from installing.
Update release-notes-showcase author to Kayla Cinnamon.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Remove pluginRoots property from marketplace.json
The pluginRoots property is not used by install tooling and was only
informational about the extension/plugin source directories. Removing it
simplifies the marketplace.json structure while maintaining all functionality.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Migrate java-modernization-studio to plugin.json and update validation workflow
- Create .github/plugin/plugin.json for java-modernization-studio extension
- Remove legacy canvas.json from java-modernization-studio
- Update validate-canvas-extensions.yml workflow to check for plugin.json instead of canvas.json
- Update workflow to trigger on .schemas/plugin.schema.json changes (instead of canvas.schema.json)
- Remove schema validation logic that relied on canvas.schema.json
- All 12 extensions now use plugin.json for metadata
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add extensions field to all extension plugin.json files
Per https://github.com/github/copilot-agent-runtime/pull/9929, plugins that ship
extensions need to include an extensions field specifying where the extension code
is located. All 12 extensions now have extensions set to '.' to reference the
current directory where extension.mjs is located.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Enforce convention-based extension metadata and remove x-awesome-copilot
- Remove x-awesome-copilot.screenshots from all extension plugin.json files
- Enforce logo=assets/preview.png convention for all extensions
- Enforce extensions=. per copilot-agent-runtime#9929
- Update validate-plugins.mjs to enforce conventions
- Update validate-canvas-extensions.yml workflow with convention checks
- Update AGENTS.md and CONTRIBUTING.md documentation
All 12 extensions validated successfully.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Use standard plugin validation for extensions
Remove the custom extension schema and schema validation helper, and
validate extension plugin.json files through the existing plugin validator
instead. Update workflows to stop depending on the removed schema.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add pester-should-migration skill (experimental)
Companion to the pester-migration skill. Focuses on the optional move from
the classic v5 `Should -Be` assertion syntax to the new v6 `Should-*`
assertions (e.g. `Should -Be` -> `Should-Be`). Includes a full
operator-by-operator mapping and the behavioral gotchas (negation as a
separate command, BeExactly -> Should-BeString -CaseSensitive, truthy/falsy
vs strict bool, BeNullOrEmpty split, collections, pipeline unwrapping).
Marked experimental/preview: verified against Pester 6.0.0-rc2; the new
Should-* assertions may still change before the 6.0 release.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Trim experimental status callout in pester-should-migration
Address review feedback: drop the time-based, human-oriented preview guidance (release-candidate timing, "as of mid-2026", release-notes link) from the status callout, keeping a lean experimental marker. The agent has no concept of time, so that prose is just extra tokens.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Awesome Copilot Community <awesome-copilot-community@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Initial plan
* Fix PR duplicate check not running on external contributor submissions
Add forks: [\"*\"] and roles: all to pr-duplicate-check.md so the
agentic workflow runs for all PR authors, including external contributors
submitting from forks. Previously, the generated lock.yml contained:
- A fork repository check blocking all fork PRs from running
- A team membership check (admin/maintainer/write) blocking external contributors
Recompiled with gh aw compile to regenerate pr-duplicate-check.lock.yml.
The pre_activation job (which held the membership gate) is now removed,
and the activation job runs unconditionally for all pull_request events.
Closes#2121
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fixing a bunch of warnings on all the agentic workflows
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Reframe the external catalog entry to reflect the plugin's polyglot
test-generation pipeline (.NET/C#, Python, TypeScript/JavaScript, Java, Go,
Ruby, Rust, C++, Kotlin, Swift, PowerShell) and add polyglot keywords so
non-.NET developers can discover it. Mirrors the dotnet/skills 0.2.0 bump.
Edits the source (plugins/external.json) and regenerates the generated
.github/plugin/marketplace.json via npm run build. source stays unpinned
(tracks main), so no behavior change.
* Add pester-migration skill
A self-contained, experimental skill that helps upgrade PowerShell Pester
test suites across major versions (v3->v4, v4->v5, v5->v6). One router
SKILL.md plus per-jump references. The v5->v6 guidance tracks Pester 6,
which is still a release candidate.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Regenerate skills index for pester-migration
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback on pester-migration skill
- Pin the stable-v5 install to -MaximumVersion 5.99.99 so it keeps
installing v5 after Pester 6 goes GA (SKILL.md).
- Make the baseline run command version-agnostic (bare Invoke-Pester)
and note that parameters differ across majors (SKILL.md).
- Replace the '->' mapping arrows inside powershell fences with
comment + valid replacement lines so snippets are copy/paste-safe
(SKILL.md v5->v6 cheat sheet, v5-to-v6.md, and v3-to-v4.md).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review: scope -SkipPublisherCheck, trim status callout, order references
- Drop -SkipPublisherCheck from the default install commands; scope it to
Windows PowerShell 5.1 (installing over the OS's Microsoft-signed built-in
Pester 3) per pester.dev install docs, instead of an unconditional default.
- Trim the experimental status callout: keep the preview marker, drop the
date-based, human-oriented wording.
- Reorder the References table into version progression order (v3->v4, v4->v5,
v5->v6).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: nohwnd <jakub@jares.cz>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Document three new CLI commands from Copilot CLI v1.0.66 (2026-06-30):
- /pr auto: self-paced loop that fixes one failing item per run and
paces around CI to drive a PR to green
- /pr automerge: extends /pr auto to continue until the PR is fully
merged (CI passes, reviews approved, PR merged)
- /chronicle skills review: interactive review flow for agent-proposed
draft skill changes (accept, reject, or defer each draft)
Changes:
- copilot-configuration-basics.md: add /pr auto + /pr automerge section
in CLI Session Commands, extend /chronicle section with skills review
subcommand
- creating-effective-skills.md: add Q&A entry for /chronicle skills review
in the Common Questions section
Sources:
- https://github.com/github/copilot-cli/commit/c802cc3f06ffd2a57968cf8efabd3d550650ac5e
(changelog for v1.0.66)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>