Remove the read-only role override from the PR duplicate check so gh-aw pre-activation gates unsupported actors before the PR checkout step runs.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
- Add /mcp list command (shows attached servers mid-turn) to understanding-mcp-servers
- Add stayInAutopilot setting to CLI settings table in copilot-configuration-basics
- Add auto allow-all mode (LLM judge-based approval) to copilot-configuration-basics
- Add kimi-k2.7-code model to the model selection table in building-custom-agents
- Update lastUpdated dates on all three modified pages
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(website): remediate WCAG accessibility issues and add axe regression guardrail
Fixes accessibility violations found by an axe-core sweep of every website
page in both light and dark themes:
- aria-allowed-role (WCAG 1.3.1, 4.1.2): the shared resource card rendered
an <article> with role="listitem", which is not an allowed role for that
element. Switched the wrapper to a <div role="listitem"> so the listitem
role is valid (affected every card, e.g. #arcade-canvas on /extensions/).
- aria-required-children (WCAG 1.3.1): removed role="list" from the tools,
contributors, and cookbook containers whose children are not list items.
- nested-interactive (WCAG 4.1.2): removed tabIndex=0 from extension cards
and rendered the author as a non-interactive span so no interactive
control is nested inside another (the author link remains in the modal).
- color-contrast (WCAG 1.4.3): gave .btn-primary explicit white text with an
AA-compliant hover (#7326d6), and bumped the dark-theme secondary text gray
(--sl-color-gray-3) to #84849c (5.32:1) so ToC / meta / footer text passes.
Adds a checked-in regression guardrail:
- website/scripts/a11y-audit.mjs runs axe-core over all routes in both themes
against the production build and fails on critical/serious violations only
(moderate/minor are reported but non-blocking). Transitions/animations are
disabled before sampling so axe measures settled, steady-state colors
instead of mid-theme-transition frames.
- Adds npm scripts (website:a11y at the root, a11y in website/) and README
docs. The matching Build Website CI step is proposed in the PR description
(omitted from this commit because the authoring token lacks workflow scope).
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* fix(website): harden a11y audit per PR review
- Fail fast when a route navigation returns a non-2xx response, so the
guardrail can't silently pass against a broken/missing route (page.goto
resolves even for 4xx/5xx).
- Launch the Astro preview server via `node <astro-bin>` instead of
`spawn(..., { shell: true })`. Removing the shell layer keeps signal
delivery / detached-PGID shutdown predictable; resolving Astro's bin and
running it with process.execPath also avoids the EINVAL that modern Node
raises when spawning the npx.cmd shim without a shell on Windows.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: David Pine <7679720+IEvangelist@users.noreply.github.com>
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Canvas extensions (accessibility-kanban, where-was-i) resolved git state
against the extension's install directory or the session-state folder
instead of the repo the session was opened in. This broke repo/branch
detection for user-scoped installs and worktrees ("unknown/unknown",
"detached HEAD"). Both now read the active session's working directory
from the canvas request context on open and on each action, so they
follow whichever project/worktree opened them.
where-was-i also re-gathers context on open when the saved branch is
blank, so it never opens stuck on stale data.
Also compress oversized extension preview images (pngquant, with a mild
resize for the photographic arcade-canvas art) so every preview.png is
comfortably under the installer's inline-byte cap that was blocking
release-notes-showcase from installing.
Update release-notes-showcase author to Kayla Cinnamon.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Remove pluginRoots property from marketplace.json
The pluginRoots property is not used by install tooling and was only
informational about the extension/plugin source directories. Removing it
simplifies the marketplace.json structure while maintaining all functionality.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Migrate java-modernization-studio to plugin.json and update validation workflow
- Create .github/plugin/plugin.json for java-modernization-studio extension
- Remove legacy canvas.json from java-modernization-studio
- Update validate-canvas-extensions.yml workflow to check for plugin.json instead of canvas.json
- Update workflow to trigger on .schemas/plugin.schema.json changes (instead of canvas.schema.json)
- Remove schema validation logic that relied on canvas.schema.json
- All 12 extensions now use plugin.json for metadata
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Add extensions field to all extension plugin.json files
Per https://github.com/github/copilot-agent-runtime/pull/9929, plugins that ship
extensions need to include an extensions field specifying where the extension code
is located. All 12 extensions now have extensions set to '.' to reference the
current directory where extension.mjs is located.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Enforce convention-based extension metadata and remove x-awesome-copilot
- Remove x-awesome-copilot.screenshots from all extension plugin.json files
- Enforce logo=assets/preview.png convention for all extensions
- Enforce extensions=. per copilot-agent-runtime#9929
- Update validate-plugins.mjs to enforce conventions
- Update validate-canvas-extensions.yml workflow with convention checks
- Update AGENTS.md and CONTRIBUTING.md documentation
All 12 extensions validated successfully.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Use standard plugin validation for extensions
Remove the custom extension schema and schema validation helper, and
validate extension plugin.json files through the existing plugin validator
instead. Update workflows to stop depending on the removed schema.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Add pester-should-migration skill (experimental)
Companion to the pester-migration skill. Focuses on the optional move from
the classic v5 `Should -Be` assertion syntax to the new v6 `Should-*`
assertions (e.g. `Should -Be` -> `Should-Be`). Includes a full
operator-by-operator mapping and the behavioral gotchas (negation as a
separate command, BeExactly -> Should-BeString -CaseSensitive, truthy/falsy
vs strict bool, BeNullOrEmpty split, collections, pipeline unwrapping).
Marked experimental/preview: verified against Pester 6.0.0-rc2; the new
Should-* assertions may still change before the 6.0 release.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Trim experimental status callout in pester-should-migration
Address review feedback: drop the time-based, human-oriented preview guidance (release-candidate timing, "as of mid-2026", release-notes link) from the status callout, keeping a lean experimental marker. The agent has no concept of time, so that prose is just extra tokens.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Awesome Copilot Community <awesome-copilot-community@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Initial plan
* Fix PR duplicate check not running on external contributor submissions
Add forks: [\"*\"] and roles: all to pr-duplicate-check.md so the
agentic workflow runs for all PR authors, including external contributors
submitting from forks. Previously, the generated lock.yml contained:
- A fork repository check blocking all fork PRs from running
- A team membership check (admin/maintainer/write) blocking external contributors
Recompiled with gh aw compile to regenerate pr-duplicate-check.lock.yml.
The pre_activation job (which held the membership gate) is now removed,
and the activation job runs unconditionally for all pull_request events.
Closes#2121
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* fixing a bunch of warnings on all the agentic workflows
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Reframe the external catalog entry to reflect the plugin's polyglot
test-generation pipeline (.NET/C#, Python, TypeScript/JavaScript, Java, Go,
Ruby, Rust, C++, Kotlin, Swift, PowerShell) and add polyglot keywords so
non-.NET developers can discover it. Mirrors the dotnet/skills 0.2.0 bump.
Edits the source (plugins/external.json) and regenerates the generated
.github/plugin/marketplace.json via npm run build. source stays unpinned
(tracks main), so no behavior change.
* Add pester-migration skill
A self-contained, experimental skill that helps upgrade PowerShell Pester
test suites across major versions (v3->v4, v4->v5, v5->v6). One router
SKILL.md plus per-jump references. The v5->v6 guidance tracks Pester 6,
which is still a release candidate.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Regenerate skills index for pester-migration
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review feedback on pester-migration skill
- Pin the stable-v5 install to -MaximumVersion 5.99.99 so it keeps
installing v5 after Pester 6 goes GA (SKILL.md).
- Make the baseline run command version-agnostic (bare Invoke-Pester)
and note that parameters differ across majors (SKILL.md).
- Replace the '->' mapping arrows inside powershell fences with
comment + valid replacement lines so snippets are copy/paste-safe
(SKILL.md v5->v6 cheat sheet, v5-to-v6.md, and v3-to-v4.md).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review: scope -SkipPublisherCheck, trim status callout, order references
- Drop -SkipPublisherCheck from the default install commands; scope it to
Windows PowerShell 5.1 (installing over the OS's Microsoft-signed built-in
Pester 3) per pester.dev install docs, instead of an unconditional default.
- Trim the experimental status callout: keep the preview marker, drop the
date-based, human-oriented wording.
- Reorder the References table into version progression order (v3->v4, v4->v5,
v5->v6).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: nohwnd <jakub@jares.cz>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Document three new CLI commands from Copilot CLI v1.0.66 (2026-06-30):
- /pr auto: self-paced loop that fixes one failing item per run and
paces around CI to drive a PR to green
- /pr automerge: extends /pr auto to continue until the PR is fully
merged (CI passes, reviews approved, PR merged)
- /chronicle skills review: interactive review flow for agent-proposed
draft skill changes (accept, reject, or defer each draft)
Changes:
- copilot-configuration-basics.md: add /pr auto + /pr automerge section
in CLI Session Commands, extend /chronicle section with skills review
subcommand
- creating-effective-skills.md: add Q&A entry for /chronicle skills review
in the Common Questions section
Sources:
- https://github.com/github/copilot-cli/commit/c802cc3f06ffd2a57968cf8efabd3d550650ac5e
(changelog for v1.0.66)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Add Java Modernization Studio canvas extension
A canvas extension that drives the GitHub Copilot App Modernization for Java workflow from an interactive dashboard: environment readiness checks, repo assessment, prioritized plan/progress, validation gates (CVE scan, test generation), and one-click predefined-task runs — all grounded in the repo's real artifacts (.appmod/assessment.json, plan.md, progress.md). Includes a node:test suite (109 tests) for the grounding logic.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
* Secure cockpit loopback server with a per-instance token
Address Copilot review feedback on the Java Modernization Studio canvas:
- Mint a per-instance secret in createInstanceServer, embed it in the
iframe URL, and validate it on every loopback request (/, /state,
/events, /action). Other local processes can no longer read repo
state or dispatch agent actions just by guessing the random port.
Mirrors the existing diagram-viewer token pattern; the client echoes
the token from its boot payload. The guard is a no-op when no token is
set, so direct makeHandler unit tests are unaffected.
- Handle async request-handler rejections in createServer with a .catch
that returns 500 and logs, instead of leaking an unhandled rejection
that could destabilize the extension process.
- Tests: token guard 403s unauthenticated /, /state, /events and
/action and allows valid-token requests; the end-to-end test asserts
the tokenized URL and a tokenless 403.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Fix CI: add preview screenshot and clear codespell hits
Add the required assets/preview.png screenshot for the canvas-extension
validator, and resolve two codespell findings in the cockpit:
rename the planSim helper's `nd` variable to `notDone` and reword a
catalog comment to avoid the `invokable`/`invocable` flag.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Harden cockpit loopback server per Copilot review
Address the second-round Copilot review comments on the loopback server:
- broadcast(): drop an SSE client whose write() throws instead of keeping
it in the Set, so a uncleanly-disconnected client can't cause repeated
exceptions or leak dead entries on every subsequent broadcast.
- POST /action: treat a malformed JSON body or a missing/invalid "kind"
as a 400 client error (with an application/json body) instead of a 200
carrying { ok:false, error:"Unknown action: undefined" }.
- Handler catch: set Content-Type: application/json on the 500 error
response so it is consistent with the other JSON routes.
Adds four tests covering dead-client eviction, the two 400 paths, and the
JSON-typed 500. Full suite: 115 passing.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
* Add canvas.json gallery metadata for Java Modernization Studio
Aaron requested a canvas.json so the awesome-copilot website/gallery can
list this extension. Generated via `npm run website:data`
(writePerExtensionCanvasManifests), which derives id/name/description/
version/keywords/screenshots from package.json + the createCanvas source +
assets, and carries the author through. Output committed verbatim so a CI
regeneration produces no diff.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
* Add author tag to package.json
Declare the author in the package manifest (object form, matching the
author already carried in canvas.json so it includes the profile URL).
The published gallery sources author from canvas.json; this adds the
conventional npm author tag to package.json for completeness. Verified
`npm run website:data` still emits the author on the extensions record
and leaves canvas.json byte-identical.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
---------
Signed-off-by: Ayan Gupta <74832088+ayangupt@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add copilot-pr-autopilot skill
Skill that drives any GitHub pull request through repeated rounds of
Copilot Code Review until the agent has either resolved every thread
or explicitly escalated it to the human. Triggered via GraphQL (no
@copilot mention needed), triages every open thread with a fix /
decline / escalate rubric, replies and resolves each thread citing
the pushed SHA, then re-triggers until HEAD is reviewed with zero
threads awaiting the agent's reply.
Includes step scripts (01 request-review, 02 check-review-status,
03 list-open-threads, 08 reply-and-resolve, 10 cleanup-outdated),
shared library (_lib.ps1) with gh-CLI wrappers (Invoke-Gh,
Invoke-GhGraphQL, ConvertFrom-GhJson, Assert-GhReady), reply
templates, and reference docs for each step.
Repo-agnostic. Requires gh CLI on PATH and repo Triage/Write for
full autopilot; external PR authors get single-iteration mode with
manual re-trigger via the UI re-request button or a substantive
push.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address review: split per-step references + add recap-gate circuit breaker
- Fix#1: give steps 1/7/10 their own reference files
(01-request-review.md, 07-commit-push.md, 10-cleanup.md); trim the
inline bodies out of orchestration.md so it stays cross-cutting only.
- Fix#3: add a recurring round-cap & recap gate to 09-convergence.md —
default STOP every 10th round, recap all prior rounds, detect drift
(out-of-scope / over-engineering / wrong-direction / belongs-in-separate-PR)
with CONTINUE / REVERT-AND-SHIP / HAND-OFF verdicts. Agent reasoning,
no new script.
- Surface the gate from SKILL.md and orchestration.md; regenerate
docs/README.skills.md. Markdown-only change; scripts unchanged.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs(copilot-pr-autopilot): surface recap gate in decision pseudo-code; clarify Copilot+human convergence and round definition
- Inject the round-cap recap gate into the '## Decision: loop back or exit'
pseudo-code else-branch so an agent following the code block (not just the
prose) runs the STOP-every-10th-round check before looping.
- Broaden the 'never terminal' paragraph: non-convergence is driven by a
Copilot finding OR a human review comment (this skill handles both); the
loop ends only when there are no new comments from either source AND every
open thread (Copilot or human) has an agent reply/escalation.
- Define a 'round' explicitly as one execution of step 1 (01-request-review),
i.e. one Copilot-review trigger — the cap counts review rounds, not tool
calls or fix edits.
Markdown-only; no script changes.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* copilot-pr-autopilot: make recap-gate round count deterministic
Add 09-review-round.ps1: counts Copilot Code Review submissions straight
from the PR's API history (full GraphQL pagination), so the recap-gate
trigger is a derived number, not a fallible agent mental tally. This
removes the exact failure mode the skill exists to survive — a count
drifting across a long run (the real 156-round case).
The script reports Round + RecapDue (Round % RecapInterval == 0) only;
it never stops the loop or picks the verdict. CONTINUE / REVERT-AND-SHIP
/ HAND-OFF stays agent reasoning. 09-convergence.md updated to reference
the deterministic count while preserving 'no script stops the loop' and
'non-convergence = Copilot finding OR human comment'.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Regenerate docs/README.skills.md for copilot-pr-autopilot (add 09-review-round.ps1)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add canvas schema and extension submission checks
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* fix: use namespace import for js-yaml
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Fix contributors page build markup
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
* Address PR feedback on canvas schema validation
- Add ajv-cli@5 as a pinned devDependency; install via npm ci in CI instead of npx --yes
- Fix screenshot path regex to prevent .. traversal segments
- Validate canvas.schema.json is parseable JSON even on schema-only PRs
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Harden canvas extension workflow against injection attacks
Switch from newline to null-terminated git diff output (git diff -z) so filenames
containing newlines are read atomically, matching the existing skill-check.yml pattern.
Add an allowlist regex guard on the extracted extension directory name immediately after
it is parsed from git diff output. Any name not matching ^[a-z0-9][a-z0-9-]*$ (e.g.
names containing dollar signs, parentheses, spaces, or other shell metacharacters) is
silently skipped before being used anywhere in the script.
Add a matching allowlist guard on each screenshot path extracted from canvas.json before
the file-existence check, so a crafted manifest cannot supply a path with shell
metacharacters or traversal segments even after the schema check passes.
Follows the same defence-in-depth pattern introduced after the injection PoCs in #1236
and #1240.
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Replace ajv-cli with in-repo schema validator
- Remove ajv-cli to avoid vulnerable/deprecated transitive dependencies
- Add eng/validate-json-schema.mjs using ajv + ajv-formats
- Update validate-canvas-extensions workflow to use local script
- Use npm ci --ignore-scripts in PR validation job
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: aaronpowell <434140+aaronpowell@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Switch skill CI checks to vally lint
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Adding Vally to allowed words
* case sensitivity
* Migrate external plugin quality gates from skill-validator to vally lint
Replace the downloaded skill-validator binary with
px @microsoft/vally-cli lint
in the external plugin quality gates pipeline:
- Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant
- Replace uildSkillValidatorArgs() +
unSkillValidatorGate() with
uildVallyLintArgs() +
unVallyLintGate() that run
px vally-cli lint
per resolved skill directory (falling back to the full plugin root when no
specific skill paths can be resolved from plugin.json)
- Rename result keys skill_validator_status / skill_validator_output
to ally_lint_status / ally_lint_output throughout both
ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs
- Update PR comment markdown to show 'vally lint' instead of 'skill-validator'
- Update CONTRIBUTING.md prose references accordingly
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Use @microsoft/vally library directly instead of vally-cli subprocess
Replace the npx-spawned vally-cli process with a direct call to the
@microsoft/vally core library in the external plugin quality gates scripts:
- Add @microsoft/vally as a devDependency in package.json
- Import runLint and LintConsoleReporter from @microsoft/vally
- Replace runVallyLintGate() process spawn with async API call:
- runLint({ rootPath }) returns structured LintResults
- LintConsoleReporter with a Writable capture stream collects
text output without printing to stdout
- Make runExternalPluginQualityGates() async (propagated to
runExternalPluginPrQualityGates() and both main entry points)
- Use Promise.all in runExternalPluginPrQualityGates() for parallel
plugin checks
- Fix remaining skill_validator_status reference in pr-quality-gates
summary string (now vally-lint=...) and YAML workflow table header
- Add 'npm install @microsoft/vally' step to both calling workflows
This removes a layer of indirection (Node -> npx -> CLI -> library)
and replaces it with a direct in-process library call, which is faster,
more reliable, and gives structured access to lint results.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* create-implementation-plan: require unique identifiers (#1989)
The skill template tells the agent to use REQ-, TASK-, GOAL-, and
similar prefixed identifiers, but never says they have to be unique
or how to check. @basilevs reported plans coming back with duplicate
TASK IDs and proposed three POSIX one-liners that catch the two real
collision modes (table rows and bullet declarations) plus a broad
diagnostic scan.
Document the uniqueness rule under the existing Template Validation
Rules, then add a new "Identifier Uniqueness Check" section with all
three bash commands and instructions on which must come back empty
before the plan is finalized.
DEP-* references intentionally allowed in multiple sections per the
reporter's note.
Closes#1989.
* codespell: ignore GUD identifier prefix (#1989)
Upstream skills/create-implementation-plan/SKILL.md already uses
GUD-001 in the template body. Codespell currently slips past it on
word-boundary, but the regex alternation (GUD|RISK|...) added in the
previous commit on this branch makes codespell flag it as a misspelling
of GOOD.
GUD is the documented "Guideline" identifier prefix alongside REQ,
SEC, CON, PAT, etc. Add it to the ignore-words-list, matching the
pattern every other technical-token exemption in .codespellrc uses.
* create-implementation-plan: clarify declaration vs reference (#1989 review)
basilevs flagged that calling out DEP-* specifically was misleading,
because any identifier can appear as a reference. A TASK body can
cite a REQ, one TASK can cite another, and so on. The original
phrasing made it sound like DEP-* was the only prefix allowed to
recur.
Rewrite the rule to lead with "uniquely declared":
- Define declaration as the leading bullet/cell ID (e.g., the table
row in Implementation Phase N, or '- **REQ-001**:').
- Say explicitly that references elsewhere in the plan are expected
and not collisions, with concrete examples (TASK citing REQ,
TASK citing TASK, Dependencies pointing at a DEP declared upstream).
- Tighten the check intro to call (1) and (2) declaration-targeted
gates and (3) a broad informational scan that will see references.
Bash checks unchanged; they already encode the declaration-vs-reference
distinction via the table-cell and bullet-prefix anchors.
* azure-devops-cli: handle long comments on Windows (#2061)
On Windows 'az' is a cmd.exe batch wrapper capped at ~8191 characters,
so a long --discussion / --description value silently truncates or
fails. Document three verified ways out so the coding agent doesn't
waste 3-5 turns falling back to raw token retrieval and REST:
1. azps.ps1 in PowerShell on Windows. Same Azure CLI, invoked through
the Python entry point with no cmd.exe length cap. Pair with
'Get-Content -Raw' so the body lives in a variable, not on the
command line.
2. Native --file-path flags where Azure CLI offers them. Applies to
'az devops wiki page create' and 'az devops wiki page update', both
documented with --encoding.
3. 'az devops invoke --in-file' as the universal escape hatch for
commands with no --file-path (work-item --discussion, PR
--description). Documented example posts to the work item
comments REST endpoint with api-version 7.0-preview.3.
The earlier draft suggested the Azure CLI '@<file>' convention as a
generic substitute for inline string args. The official docs only
document it for JSON parameters and the CLI source uses
'get_file_json' specifically, so the claim is removed and replaced
with an explicit warning not to rely on it for plain string args.
Files touched:
- skills/azure-devops-cli/SKILL.md: new 'Posting long comments on
Windows' section with shell-detection table and three verified
options.
- skills/azure-devops-cli/references/boards-and-iterations.md: short
pointer at each --discussion example back to SKILL.md, plus an
inline PowerShell snippet.
Closes#2061.
* azure-devops-cli: move long-comments guidance to reference file (#2061 review)
aaronpowell asked for the Windows long-comments section to live as a
reference file rather than inline in SKILL.md, so the token weight
isn't always loaded into the agent's context.
- Move the "Posting long comments on Windows" section to a new
references/long-comments-on-windows.md verbatim.
- Strip the section from SKILL.md (56 fewer lines in the always-loaded
surface).
- Add the new file to the Reference Files table in SKILL.md with a
one-line "when to read" hint covering --discussion, --description,
and --content failures on Windows.
- Update the two pointer comments in references/boards-and-iterations.md
to point at the new reference file instead of the SKILL.md section.
docs/README.skills.md regenerated by 'npm run build' to pick up the
new reference file in the skill's bundled assets column.
* Refresh 6 stale instruction files flagged in #2133
Targeted refresh:
- blazor: C# 13 to C# 14. Drop the Visual Studio Enterprise mandate so contributors on VS Code or Rider aren't blocked by a paid SKU. Swap VS-only profiling for dotnet-trace and dotnet-counters.
- copilot-thought-logging: narrow applyTo from '**' to '**/Copilot-Processing.md'. Replace 9 Windows backslash paths with POSIX './Copilot-Processing.md' so the workflow works on macOS and Linux.
- genaiscript: drop the "avoid exception handlers or error checking" line. Replace it with: handle errors at I/O and external API boundaries, let unexpected exceptions surface.
- memory-bank: add the required 'description' frontmatter field (was a validation failure). Narrow applyTo from '**' to 'memory-bank/**'. Add an opt-in note so contributors know auxiliary files land in the workspace root.
Minor modernization:
- azure-functions-typescript: Node.js v20 to v22 LTS.
- localization: relative '../../issues' disclaimer link to absolute https://github.com/github/awesome-copilot/issues so it resolves regardless of the localized doc's path.
docs/README.instructions.md regenerated by 'npm run build' to pick up the new memory-bank description.
* revert applyTo narrow on copilot-thought-logging (#2133 review)
aaronpowell flagged that narrowing applyTo from '**' to
'**/Copilot-Processing.md' inverts the instruction. The instruction
tells Copilot to CREATE Copilot-Processing.md when handling any user
request, so it must apply globally, not only when that file is
already open.
Restore applyTo to '**'. Keep the POSIX path fixes (backslash to
'./Copilot-Processing.md') and the other 5 file fixes in this PR
unchanged.
---------
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Add Site Studio canvas extension
Site Studio is a canvas extension for planning, drafting, and tracking a
personal website section by section. It gives you and your agent a shared
dashboard with a status board, an autosaving content editor (with AI-draft
and [Sample: ...] placeholders), and a live feed of every change and milestone.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address Copilot review feedback
Robustness, prototype-pollution safety, and accessibility fixes from the
Copilot code review on #2117:
- Add "ai_request" to VALID_CHANGE_TYPES so log_change accepts the change
type the server itself emits (e.g. /api/request-generation).
- Bound the git branch lookup with timeout + maxBuffer so a hung git can't
block the extension process and canvas UI.
- Serialize state persistence via a promise queue and snapshot state
synchronously, so concurrent mutations can't clobber newer state on disk.
- Enforce a maximum request body size in readBodyJson to avoid unbounded
memory use on the loopback server.
- Guard the /events handler against a missing/closed instance instead of
throwing when servers.get(instanceId) is undefined.
- Reject unsafe field names (__proto__, prototype, constructor) in
upsertSectionContent and use an own-property check in deleteSectionContent
to prevent prototype pollution.
- Make the "Generate with AI" info tooltip reachable by keyboard and screen
readers (focusable, labelled) instead of mouse-hover only.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: ayangupt <ayangupt@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: update Learning Hub with CLI v1.0.64-1.0.65 features
Add five missing features from the past week's CLI releases:
- HTTP(S) proxy user setting (v1.0.64)
- /every command and /loop alias for in-session scheduled prompts (v1.0.64)
- Inline image rendering in the terminal (v1.0.64)
- Autopilot auto-handles elicitation/permission prompts (v1.0.64)
- Shell command history accessible in normal mode via up/down and Ctrl+R (v1.0.65)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: consolidate /every, /loop, /after docs and remove duplicate section
- Merge the duplicate /every+/loop section (added at line 640) into the
existing first-occurrence at line 521
- Add /after command documentation (from PR #2148 suggestion)
- Add example of /every invoking slash commands (/every 1d /chronicle standup)
- Add Ctrl+C as alternative to /every stop
- Add Experimental callout for /every, /loop, and /after
- Update lastUpdated to 2026-06-29
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
Retarget instructions/astro.instructions.md to Astro 7 and
instructions/svelte.instructions.md to Svelte 5 / SvelteKit 2, fix
outdated APIs, add current stable feature guidance, and trim non-code
(setup, deployment, testing-workflow, recap) content so each file
focuses solely on code structure and best practices.
Regenerated docs/README.instructions.md via npm start.
Co-authored-by: GeekTrainer <GeekTrainer@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The `name` frontmatter was `AWS CloudWatch Investigation`, which violated the Agent Skills spec and failed `npm run skill:validate` on main: name must be lowercase letters, numbers, and hyphens and must match the folder name (`aws-cloudwatch-investigation`). Correct the name and regenerate docs/README.skills.md so the validator passes (365/365) and the skills table renders consistently with every other entry.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- creating-effective-skills: add 'copilot skill' CLI subcommand for
listing, adding, and removing skills (v1.0.65); add '/skill' alias
- automating-with-hooks: document userPromptSubmitted additionalContext
injection into model-facing prompt (v1.0.65); update hook events table
- copilot-configuration-basics: add opt-in CI check status bar indicator
for current branch (v1.0.65)
- building-custom-agents: add note that /security-review is now available
to all users without --experimental (v1.0.64)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Show "by @handle" on each canvas extension card and in the details
modal, linking to the contributor's GitHub profile. Author metadata
lives in each extension's canvas.json (and external.json for external
extensions), where the rest of the canvas metadata is stored.
- Store author {name, url} in canvas.json / external.json
- Read author from canvas.json in the website data generator and emit
it to extensions.json
- Render the GitHub @handle, derived from the profile URL, as the link
text, with the contributor's name as the link title
- Escape the sanitized author URL before interpolating it into href
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Now that main is the contributor branch and staged is retired,
no new PRs will target staged. The check-pr-target guard is
no longer needed.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>