* Add copilot-pr-autopilot skill
Skill that drives any GitHub pull request through repeated rounds of
Copilot Code Review until the agent has either resolved every thread
or explicitly escalated it to the human. Triggered via GraphQL (no
@copilot mention needed), triages every open thread with a fix /
decline / escalate rubric, replies and resolves each thread citing
the pushed SHA, then re-triggers until HEAD is reviewed with zero
threads awaiting the agent's reply.
Includes step scripts (01 request-review, 02 check-review-status,
03 list-open-threads, 08 reply-and-resolve, 10 cleanup-outdated),
shared library (_lib.ps1) with gh-CLI wrappers (Invoke-Gh,
Invoke-GhGraphQL, ConvertFrom-GhJson, Assert-GhReady), reply
templates, and reference docs for each step.
Repo-agnostic. Requires gh CLI on PATH and repo Triage/Write for
full autopilot; external PR authors get single-iteration mode with
manual re-trigger via the UI re-request button or a substantive
push.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review: split per-step references + add recap-gate circuit breaker
- Fix#1: give steps 1/7/10 their own reference files
(01-request-review.md, 07-commit-push.md, 10-cleanup.md); trim the
inline bodies out of orchestration.md so it stays cross-cutting only.
- Fix#3: add a recurring round-cap & recap gate to 09-convergence.md —
default STOP every 10th round, recap all prior rounds, detect drift
(out-of-scope / over-engineering / wrong-direction / belongs-in-separate-PR)
with CONTINUE / REVERT-AND-SHIP / HAND-OFF verdicts. Agent reasoning,
no new script.
- Surface the gate from SKILL.md and orchestration.md; regenerate
docs/README.skills.md. Markdown-only change; scripts unchanged.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs(copilot-pr-autopilot): surface recap gate in decision pseudo-code; clarify Copilot+human convergence and round definition
- Inject the round-cap recap gate into the '## Decision: loop back or exit'
pseudo-code else-branch so an agent following the code block (not just the
prose) runs the STOP-every-10th-round check before looping.
- Broaden the 'never terminal' paragraph: non-convergence is driven by a
Copilot finding OR a human review comment (this skill handles both); the
loop ends only when there are no new comments from either source AND every
open thread (Copilot or human) has an agent reply/escalation.
- Define a 'round' explicitly as one execution of step 1 (01-request-review),
i.e. one Copilot-review trigger — the cap counts review rounds, not tool
calls or fix edits.
Markdown-only; no script changes.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* copilot-pr-autopilot: make recap-gate round count deterministic
Add 09-review-round.ps1: counts Copilot Code Review submissions straight
from the PR's API history (full GraphQL pagination), so the recap-gate
trigger is a derived number, not a fallible agent mental tally. This
removes the exact failure mode the skill exists to survive — a count
drifting across a long run (the real 156-round case).
The script reports Round + RecapDue (Round % RecapInterval == 0) only;
it never stops the loop or picks the verdict. CONTINUE / REVERT-AND-SHIP
/ HAND-OFF stays agent reasoning. 09-convergence.md updated to reference
the deterministic count while preserving 'no script stops the loop' and
'non-convergence = Copilot finding OR human comment'.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Regenerate docs/README.skills.md for copilot-pr-autopilot (add 09-review-round.ps1)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add canvas schema and extension submission checks
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* fix: use namespace import for js-yaml
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Fix contributors page build markup
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Address PR feedback on canvas schema validation
- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Harden canvas extension workflow against injection attacks
Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.
Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.
Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.
Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Replace ajv-cli with in-repo schema validator
- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Switch skill CI checks to vally lint
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Adding Vally to allowed words
* case sensitivity
* Migrate external plugin quality gates from skill-validator to vally lint
Replace the downloaded skill-validator binary with
px @microsoft/vally-cli lint
in the external plugin quality gates pipeline:
- Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant
- Replace uildSkillValidatorArgs() +
unSkillValidatorGate() with
uildVallyLintArgs() +
unVallyLintGate() that run
px vally-cli lint
per resolved skill directory (falling back to the full plugin root when no
specific skill paths can be resolved from plugin.json)
- Rename result keys skill_validator_status / skill_validator_output
to ally_lint_status / ally_lint_output throughout both
ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs
- Update PR comment markdown to show 'vally lint' instead of 'skill-validator'
- Update CONTRIBUTING.md prose references accordingly
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Use @microsoft/vally library directly instead of vally-cli subprocess
Replace the npx-spawned vally-cli process with a direct call to the
@microsoft/vally core library in the external plugin quality gates scripts:
- Add @microsoft/vally as a devDependency in package.json
- Import runLint and LintConsoleReporter from @microsoft/vally
- Replace runVallyLintGate() process spawn with async API call:
- runLint({ rootPath }) returns structured LintResults
- LintConsoleReporter with a Writable capture stream collects
text output without printing to stdout
- Make runExternalPluginQualityGates() async (propagated to
runExternalPluginPrQualityGates() and both main entry points)
- Use Promise.all in runExternalPluginPrQualityGates() for parallel
plugin checks
- Fix remaining skill_validator_status reference in pr-quality-gates
summary string (now vally-lint=...) and YAML workflow table header
- Add 'npm install @microsoft/vally' step to both calling workflows
This removes a layer of indirection (Node -> npx -> CLI -> library)
and replaces it with a direct in-process library call, which is faster,
more reliable, and gives structured access to lint results.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* create-implementation-plan: require unique identifiers (#1989)
The skill template tells the agent to use REQ-, TASK-, GOAL-, and
similar prefixed identifiers, but never says they have to be unique
or how to check. @basilevs reported plans coming back with duplicate
TASK IDs and proposed three POSIX one-liners that catch the two real
collision modes (table rows and bullet declarations) plus a broad
diagnostic scan.
Document the uniqueness rule under the existing Template Validation
Rules, then add a new "Identifier Uniqueness Check" section with all
three bash commands and instructions on which must come back empty
before the plan is finalized.
DEP-* references intentionally allowed in multiple sections per the
reporter's note.
Closes#1989.
* codespell: ignore GUD identifier prefix (#1989)
Upstream skills/create-implementation-plan/SKILL.md already uses
GUD-001 in the template body. Codespell currently slips past it on
word-boundary, but the regex alternation (GUD|RISK|...) added in the
previous commit on this branch makes codespell flag it as a misspelling
of GOOD.
GUD is the documented "Guideline" identifier prefix alongside REQ,
SEC, CON, PAT, etc. Add it to the ignore-words-list, matching the
pattern every other technical-token exemption in .codespellrc uses.
* create-implementation-plan: clarify declaration vs reference (#1989 review)
basilevs flagged that calling out DEP-* specifically was misleading,
because any identifier can appear as a reference. A TASK body can
cite a REQ, one TASK can cite another, and so on. The original
phrasing made it sound like DEP-* was the only prefix allowed to
recur.
Rewrite the rule to lead with "uniquely declared":
- Define declaration as the leading bullet/cell ID (e.g., the table
row in Implementation Phase N, or '- **REQ-001**:').
- Say explicitly that references elsewhere in the plan are expected
and not collisions, with concrete examples (TASK citing REQ,
TASK citing TASK, Dependencies pointing at a DEP declared upstream).
- Tighten the check intro to call (1) and (2) declaration-targeted
gates and (3) a broad informational scan that will see references.
Bash checks unchanged; they already encode the declaration-vs-reference
distinction via the table-cell and bullet-prefix anchors.
* azure-devops-cli: handle long comments on Windows (#2061)
On Windows 'az' is a cmd.exe batch wrapper capped at ~8191 characters,
so a long --discussion / --description value silently truncates or
fails. Document three verified ways out so the coding agent doesn't
waste 3-5 turns falling back to raw token retrieval and REST:
1. azps.ps1 in PowerShell on Windows. Same Azure CLI, invoked through
the Python entry point with no cmd.exe length cap. Pair with
'Get-Content -Raw' so the body lives in a variable, not on the
command line.
2. Native --file-path flags where Azure CLI offers them. Applies to
'az devops wiki page create' and 'az devops wiki page update', both
documented with --encoding.
3. 'az devops invoke --in-file' as the universal escape hatch for
commands with no --file-path (work-item --discussion, PR
--description). Documented example posts to the work item
comments REST endpoint with api-version 7.0-preview.3.
The earlier draft suggested the Azure CLI '@<file>' convention as a
generic substitute for inline string args. The official docs only
document it for JSON parameters and the CLI source uses
'get_file_json' specifically, so the claim is removed and replaced
with an explicit warning not to rely on it for plain string args.
Files touched:
- skills/azure-devops-cli/SKILL.md: new 'Posting long comments on
Windows' section with shell-detection table and three verified
options.
- skills/azure-devops-cli/references/boards-and-iterations.md: short
pointer at each --discussion example back to SKILL.md, plus an
inline PowerShell snippet.
Closes#2061.
* azure-devops-cli: move long-comments guidance to reference file (#2061 review)
aaronpowell asked for the Windows long-comments section to live as a
reference file rather than inline in SKILL.md, so the token weight
isn't always loaded into the agent's context.
- Move the "Posting long comments on Windows" section to a new
references/long-comments-on-windows.md verbatim.
- Strip the section from SKILL.md (56 fewer lines in the always-loaded
surface).
- Add the new file to the Reference Files table in SKILL.md with a
one-line "when to read" hint covering --discussion, --description,
and --content failures on Windows.
- Update the two pointer comments in references/boards-and-iterations.md
to point at the new reference file instead of the SKILL.md section.
docs/README.skills.md regenerated by 'npm run build' to pick up the
new reference file in the skill's bundled assets column.
* Refresh 6 stale instruction files flagged in #2133
Targeted refresh:
- blazor: C# 13 to C# 14. Drop the Visual Studio Enterprise mandate so contributors on VS Code or Rider aren't blocked by a paid SKU. Swap VS-only profiling for dotnet-trace and dotnet-counters.
- copilot-thought-logging: narrow applyTo from '**' to '**/Copilot-Processing.md'. Replace 9 Windows backslash paths with POSIX './Copilot-Processing.md' so the workflow works on macOS and Linux.
- genaiscript: drop the "avoid exception handlers or error checking" line. Replace it with: handle errors at I/O and external API boundaries, let unexpected exceptions surface.
- memory-bank: add the required 'description' frontmatter field (was a validation failure). Narrow applyTo from '**' to 'memory-bank/**'. Add an opt-in note so contributors know auxiliary files land in the workspace root.
Minor modernization:
- azure-functions-typescript: Node.js v20 to v22 LTS.
- localization: relative '../../issues' disclaimer link to absolute https://github.com/github/awesome-copilot/issues so it resolves regardless of the localized doc's path.
docs/README.instructions.md regenerated by 'npm run build' to pick up the new memory-bank description.
* revert applyTo narrow on copilot-thought-logging (#2133 review)
aaronpowell flagged that narrowing applyTo from '**' to
'**/Copilot-Processing.md' inverts the instruction. The instruction
tells Copilot to CREATE Copilot-Processing.md when handling any user
request, so it must apply globally, not only when that file is
already open.
Restore applyTo to '**'. Keep the POSIX path fixes (backslash to
'./Copilot-Processing.md') and the other 5 file fixes in this PR
unchanged.
---------
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Add Site Studio canvas extension
Site Studio is a canvas extension for planning, drafting, and tracking a
personal website section by section. It gives you and your agent a shared
dashboard with a status board, an autosaving content editor (with AI-draft
and [Sample: ...] placeholders), and a live feed of every change and milestone.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address Copilot review feedback
Robustness, prototype-pollution safety, and accessibility fixes from the
Copilot code review on #2117:
- Add "ai_request" to VALID_CHANGE_TYPES so log_change accepts the change
type the server itself emits (e.g. /api/request-generation).
- Bound the git branch lookup with timeout + maxBuffer so a hung git can't
block the extension process and canvas UI.
- Serialize state persistence via a promise queue and snapshot state
synchronously, so concurrent mutations can't clobber newer state on disk.
- Enforce a maximum request body size in readBodyJson to avoid unbounded
memory use on the loopback server.
- Guard the /events handler against a missing/closed instance instead of
throwing when servers.get(instanceId) is undefined.
- Reject unsafe field names (__proto__, prototype, constructor) in
upsertSectionContent and use an own-property check in deleteSectionContent
to prevent prototype pollution.
- Make the "Generate with AI" info tooltip reachable by keyboard and screen
readers (focusable, labelled) instead of mouse-hover only.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: ayangupt <ayangupt@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: update Learning Hub with CLI v1.0.64-1.0.65 features
Add five missing features from the past week's CLI releases:
- HTTP(S) proxy user setting (v1.0.64)
- /every command and /loop alias for in-session scheduled prompts (v1.0.64)
- Inline image rendering in the terminal (v1.0.64)
- Autopilot auto-handles elicitation/permission prompts (v1.0.64)
- Shell command history accessible in normal mode via up/down and Ctrl+R (v1.0.65)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: consolidate /every, /loop, /after docs and remove duplicate section
- Merge the duplicate /every+/loop section (added at line 640) into the
existing first-occurrence at line 521
- Add /after command documentation (from PR #2148 suggestion)
- Add example of /every invoking slash commands (/every 1d /chronicle standup)
- Add Ctrl+C as alternative to /every stop
- Add Experimental callout for /every, /loop, and /after
- Update lastUpdated to 2026-06-29
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Retarget instructions/astro.instructions.md to Astro 7 and
instructions/svelte.instructions.md to Svelte 5 / SvelteKit 2, fix
outdated APIs, add current stable feature guidance, and trim non-code
(setup, deployment, testing-workflow, recap) content so each file
focuses solely on code structure and best practices.
Regenerated docs/README.instructions.md via npm start.
Co-authored-by: GeekTrainer <GeekTrainer@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The `name` frontmatter was `AWS CloudWatch Investigation`, which violated the Agent Skills spec and failed `npm run skill:validate` on main: name must be lowercase letters, numbers, and hyphens and must match the folder name (`aws-cloudwatch-investigation`). Correct the name and regenerate docs/README.skills.md so the validator passes (365/365) and the skills table renders consistently with every other entry.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- creating-effective-skills: add 'copilot skill' CLI subcommand for
listing, adding, and removing skills (v1.0.65); add '/skill' alias
- automating-with-hooks: document userPromptSubmitted additionalContext
injection into model-facing prompt (v1.0.65); update hook events table
- copilot-configuration-basics: add opt-in CI check status bar indicator
for current branch (v1.0.65)
- building-custom-agents: add note that /security-review is now available
to all users without --experimental (v1.0.64)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Show "by @handle" on each canvas extension card and in the details
modal, linking to the contributor's GitHub profile. Author metadata
lives in each extension's canvas.json (and external.json for external
extensions), where the rest of the canvas metadata is stored.
- Store author {name, url} in canvas.json / external.json
- Read author from canvas.json in the website data generator and emit
it to extensions.json
- Render the GitHub @handle, derived from the profile URL, as the link
text, with the contributor's name as the link title
- Escape the sanitized author URL before interpolating it into href
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Now that main is the contributor branch and staged is retired,
no new PRs will target staged. The check-pr-target guard is
no longer needed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Load open issues from the current repository instead of hardcoded SignalBox data, preserve board metadata across refreshes, and expose filter state through canvas actions/API.
Update the canvas UI and metadata to Repository Issues Kanban, add multi-label OR filtering controls, and surface repo detection/fetch errors in the board.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Prototype extension details modal
- Add detail popup modal for extension cards with full metadata and gallery
- Implement image gallery with thumbnail strip and main image selection
- Add modal styling and positioning in global.css
- Connect card click handlers to open modal with extension data
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix accessibility issues with modal focus restoration
- Add missing listing-cards-page class to agents.astro page root
- Pass focusable button element to openCardDetailsModal instead of article
- Fixes focus restoration for keyboard users when closing modal
- Applied fix across all listing pages (agents, instructions, hooks, plugins, skills, workflows)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address remaining PR review feedback
- Fix extension modal ARIA state by setting aria-current to "true" and removing it when inactive
- Use focusable .resource-preview as modal trigger for extension thumbnail/click/keyboard paths
- Extract shared multi-select helpers into pages/select-utils.ts and reuse across instructions/hooks/plugins/workflows
- Remove unused card-model.ts to avoid dead/overlapping type definitions
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sanitize URL input before embedding it in Copilot handoff prompts in both bash and PowerShell hook scripts to prevent command/prompt injection from untrusted link text.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: add technical job search instructions for CV tailoring, cover letters, and offer evaluation
* chore: regenerate README.instructions.md after adding job search instructions
* refactor: convert technical-job-search from instruction to skill
Per reviewer feedback, instructions load on every turn and waste tokens
for content that is only useful during active job search sessions. A skill
is opted into explicitly, making this a better fit.
- Remove instructions/technical-job-search.instructions.md
- Add skills/technical-job-search/SKILL.md with equivalent content
- Update docs/README.instructions.md and docs/README.skills.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* chore: regenerate README.skills.md
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
* new hook fix-broken-links
* codespell: add ans for variable short for answer
* update: scripts hand off alternative url to copilot cmd
* codespell: add ext. arcade-canvas/game/phaser.min.js
* Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* update: rm em-dash from hook scripts
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The workflow was using the pull_request trigger which restricts
GITHUB_TOKEN to read-only for fork PRs, causing the sync-pr-state
job to fail with 403 when trying to add labels.
Switching to pull_request_target runs the workflow in the base
repo context so declared permissions (issues: write, pull-requests:
write) are honoured for cross-repository PRs.
The workflow is safe to use pull_request_target because:
- detect-changed-plugins reads files via the GitHub API only (no checkout)
- run-quality-gates checks out the trusted staged branch, not the PR head
- sync-pr-state also checks out the staged branch
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Load PRs from the active workspace repo instead of the extension directory, surface PR load errors in the canvas UI, and add MediaPipe CDN fallbacks for better runtime reliability.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>