* feat(instructions): update security, a11y, and performance to 2025-2026 standards
Security: OWASP 2025 (55 anti-patterns, AI/LLM section, 6 frameworks)
Accessibility: WCAG 2.2 AA (38 anti-patterns, legal context EAA/ADA, 4 frameworks)
Performance: CWV (50 anti-patterns, Next.js 16, Angular 20, modern APIs)
* fix(instructions): use globalThis.scheduler to prevent ReferenceError
Access scheduler via globalThis to safely handle environments where
the Scheduling API is not declared as a global variable.
* fix(instructions): correct regex patterns and harden SSRF example
- AU1: anchor jwt.verify lookahead inside parentheses
- AU2: anchor jwt.sign lookahead, add expiresIn alternative
- AU7: fix greedy .* before negative lookahead in OAuth state check
- I5: resolve all DNS records, add TOCTOU production note
- K2: add closing delimiters and multi-digit support to tabindex regex
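Worked illustration of the AU1/AU7 regex fix above. This is an added example, not the project's actual detection patterns: the two regexes below are assumed stand-ins that show why a greedy quantifier placed before a negative lookahead makes the lookahead useless, and how anchoring the lookahead immediately inside the parenthesis fixes it.

```javascript
// Added example, not the project's detection regexes. The patterns are
// assumed stand-ins for a rule that flags jwt.verify() calls which do not
// pin the accepted algorithms.

// Constructed sample source lines a detector would scan.
const SAMPLES = {
  missingAlgorithms: "const payload = jwt.verify(token, secret);",
  hasAlgorithms:
    "const payload = jwt.verify(token, secret, { algorithms: ['HS256'] });",
};

// BROKEN: [^)]* greedily eats everything up to the closing ")", so the
// negative lookahead is evaluated at a position where the next character is
// ")" and can never be "algorithms". The lookahead therefore always succeeds
// and the pattern flags every jwt.verify call, including the safe one.
const BROKEN_MISSING_ALGORITHMS = /jwt\.verify\([^)]*(?!algorithms)/;

// FIXED: the lookahead sits immediately after "(" and does the scanning
// itself. It fails as soon as "algorithms" appears anywhere before the first
// ")", so only calls without an algorithms option are flagged.
// Caveat: both patterns stop at the first ")", so an argument list with a
// nested call such as `{ algorithms: pick() }` is cut short.
const FIXED_MISSING_ALGORITHMS = /jwt\.verify\((?![^)]*\balgorithms\b)/;

// Returns { sampleName: { broken: bool, fixed: bool } } so the two patterns
// can be compared side by side on the same input.
function compareDetectors(samples = SAMPLES) {
  const out = {};
  for (const [name, src] of Object.entries(samples)) {
    out[name] = {
      broken: BROKEN_MISSING_ALGORITHMS.test(src),
      fixed: FIXED_MISSING_ALGORITHMS.test(src),
    };
  }
  return out;
}

// Stand-alone run: the broken pattern reports true for both samples, the
// fixed one only for the call that lacks an algorithms option.
console.log(JSON.stringify(compareDetectors(), null, 2));
```

The same reasoning applies to the OAuth state check: any `.*` or `[^x]*` that precedes `(?!...)` can backtrack to a position where the lookahead is satisfied, so the lookahead must come first and contain the scan.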
* fix(instructions): enhance SSRF IP validation with IPv4-mapped IPv6
Normalize IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before
checking private ranges, preventing bypass via mapped addresses.
* fix(instructions): add noscript fallback for deferred CSS pattern
Without JS, the media="print" + onload pattern leaves the stylesheet
inactive. The noscript tag loads it normally when JS is disabled.
* fix(instructions): add execFileSync to I3 command injection detection
The BAD example uses execFileSync but the regex only matched exec,
execSync, and execFile — missing the sync variant.
* fix(instructions): cover full IPv6 link-local range in SSRF check
fe80::/10 spans fe80-febf (fe8*, fe9*, fea*, feb*). Previous regex
only matched fe80::. Also use normalized variable for consistency.
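The two SSRF commits above (IPv4-mapped IPv6 normalization, and the full fe80::/10 range) together in one self-contained check. This is an added example, not the project's own I5 snippet: the function names, the address list and the decision to reject hostnames with an exception are all choices made for this illustration. It avoids library imports so it runs anywhere; production code should use a maintained IP-parsing library.

```javascript
// Added example, not the project's own SSRF check. Helper names and the
// sample addresses are constructed for this illustration.

// Collapse the forms an attacker uses to smuggle an IPv4 address past a
// check that only looks at dotted-quad strings.
function normalizeAddress(raw) {
  let addr = String(raw).trim().toLowerCase();
  // Drop an IPv6 zone id ("fe80::1%eth0") so the prefix test sees the address.
  const zone = addr.indexOf("%");
  if (zone !== -1) addr = addr.slice(0, zone);
  // "::ffff:127.0.0.1" -> "127.0.0.1"
  const dotted = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/.exec(addr);
  if (dotted) return dotted[1];
  // "::ffff:7f00:1" -> "127.0.0.1" (the same mapping written in hex)
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr);
  if (hex) {
    const hi = parseInt(hex[1], 16);
    const lo = parseInt(hex[2], 16);
    return `${hi >> 8}.${hi & 0xff}.${lo >> 8}.${lo & 0xff}`;
  }
  return addr;
}

// Returns the four octets, or null when the string is not a dotted quad.
function parseIPv4(addr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(addr);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Returns true when the literal address must not be fetched server-side.
// Hostnames (and unusual expanded IPv6 forms) are rejected with an exception
// rather than classified: resolve them first, check every returned record,
// and remember that DNS rebinding still leaves a TOCTOU window, so the
// connection should be pinned to the address that was checked.
function isBlockedAddress(raw) {
  const addr = normalizeAddress(raw);
  const v4 = parseIPv4(addr);
  if (v4) {
    const [a, b] = v4;
    return (
      a === 0 ||                            // 0.0.0.0/8
      a === 10 ||                           // 10.0.0.0/8
      a === 127 ||                          // loopback
      (a === 169 && b === 254) ||           // link-local, cloud metadata
      (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
      (a === 192 && b === 168)              // 192.168.0.0/16
    );
  }
  if (!/^[0-9a-f:]+$/.test(addr) || !addr.includes(":")) {
    throw new TypeError(`not an IP literal, resolve it first: ${raw}`);
  }
  if (addr === "::1" || addr === "::") return true; // loopback / unspecified
  // The first hextet decides the prefix. fe80::/10 means the top 10 bits are
  // 1111111010, i.e. fe80 through febf, so mask with ffc0 instead of
  // comparing the string against "fe80".
  const first = parseInt(addr.split(":")[0] || "0", 16);
  if ((first & 0xffc0) === 0xfe80) return true; // link-local fe80::/10
  if ((first & 0xfe00) === 0xfc00) return true; // unique local fc00::/7
  return false;
}

// Stand-alone run over constructed candidates.
const CANDIDATES = [
  "::ffff:127.0.0.1", "::ffff:7f00:1", "fe80::1", "febf::1%eth0",
  "169.254.169.254", "172.32.0.1", "2001:db8::1", "93.184.216.34",
];
for (const c of CANDIDATES) {
  console.log(`${c.padEnd(18)} blocked=${isBlockedAddress(c)}`);
}
```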
* fix(instructions): adjust SSRF wording and downgrade reduced-motion severity
- SSRF: replace "full DNS/IP validation" with accurate wording that
acknowledges TOCTOU limitation
- V5: downgrade prefers-reduced-motion from IMPORTANT to SUGGESTION,
remove 2.2.2 (A) reference since it's an AAA enhancement
* fix(instructions): rename AU4 heading to include SHA-256
The heading said "Weak Password Hash (MD5/SHA1)" but the detection
regex and BAD example both use SHA-256. Renamed to "Fast Hash for
Passwords" which better describes the actual anti-pattern.
* fix(instructions): clarify WCAG 2.2 SC 4.1.1 status as obsolete
SC 4.1.1 Parsing is still present in the WCAG 2.2 spec but marked
as obsolete (always satisfied). Changed wording from "removed" to
"obsolete" for accuracy.
* fix(instructions): rename I1 example vars to avoid TS redeclaration
Copy-pasting the I1 SQL injection example as a single block failed with a
TypeScript redeclaration error because both BAD and GOOD snippets used
`const result`. Rename to `unsafeResult`/`safeResult` so the block remains
copy-pasteable into a single scope.
* fix(instructions): migrate I3 example to async execFile with bounds
The I3 command injection example used `execFileSync` in both BAD and GOOD
paths, which (a) redeclared `const output` in the same block and (b) blocks
the Node event loop in server handlers, amplifying DoS impact.
Switch the GOOD/BEST paths to a promisified `execFile` call with explicit
`timeout` and `maxBuffer` bounds, and rename variables to
`unsafeOutput`/`safeOutput` so the snippet stays copy-pasteable. Add a
trailing note recommending async child_process APIs for server code.
* fix(instructions): align AU6 heading with session fixation example
The AU6 heading claimed "Session Not Invalidated on Password Change" but
the mitigation example showed `req.session.regenerate`, which is the
canonical defense against session fixation on login rather than bulk
invalidation after a credential change.
Rename the anti-pattern to "Missing Session Regeneration on Login (Session
Fixation)" so it matches the example, and add a trailing note pointing to
the complementary practice of invalidating other active sessions for the
user on password change (e.g., via a `tokenVersion` counter).
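The two controls the AU6 commit above separates, shown side by side on a constructed in-memory session store. This is an added example, not the project's own snippet: `SessionStore`, the `users` table, the `login`/`changePassword`/`authenticatedUser` helpers and the deterministic id generator are all invented for the illustration. A real deployment would use express-session (whose `req.session.regenerate` performs the same id swap) with a Redis-backed store and CSPRNG session ids.

```javascript
// Added example, not the project's own AU6 code. Store, user table and id
// generator are constructed for this illustration.

class SessionStore {
  constructor(idGenerator) {
    this.sessions = new Map();
    this.newId = idGenerator;
  }
  create(data = {}) {
    const id = this.newId();
    this.sessions.set(id, { ...data });
    return id;
  }
  get(id) {
    return this.sessions.get(id) || null;
  }
  // Session fixation defense: issue a fresh id and forget the old one, so an
  // id the attacker planted before login no longer resolves to anything.
  regenerate(oldId, data) {
    this.sessions.delete(oldId);
    return this.create(data);
  }
}

// Constructed user table. tokenVersion is bumped on credential change and
// copied into each session at login.
const users = new Map([["alice", { tokenVersion: 0 }]]);

// Assumes the caller has already verified the submitted credentials.
function login(store, preLoginSid, username) {
  const user = users.get(username);
  return store.regenerate(preLoginSid, {
    username,
    tokenVersion: user.tokenVersion,
  });
}

// Invalidates every other session of the user without touching the one that
// made the change: sessions carrying a stale tokenVersion fail the check.
function changePassword(store, sid) {
  const session = store.get(sid);
  const user = users.get(session.username);
  user.tokenVersion += 1;
  session.tokenVersion = user.tokenVersion;
}

// Per-request check: authenticated only if the session exists, has a user,
// and its tokenVersion still matches the user's current version.
function authenticatedUser(store, sid) {
  const session = store.get(sid);
  if (!session || !session.username) return null;
  const user = users.get(session.username);
  return user && session.tokenVersion === user.tokenVersion
    ? session.username
    : null;
}

// Walks through both scenarios and returns the observable results.
function runScenario() {
  let n = 0;
  const store = new SessionStore(() => `sid-${++n}`); // demo ids, not CSPRNG
  users.get("alice").tokenVersion = 0;

  // Fixation attempt: attacker obtains a pre-login id and plants it in the
  // victim's browser; the victim then logs in with that id.
  const plantedSid = store.create();
  const victimSid = login(store, plantedSid, "alice");

  // Second device, legitimately logged in with its own pre-login session.
  const laptopSid = login(store, store.create(), "alice");

  const afterLogin = {
    attackerHasSession: authenticatedUser(store, plantedSid) !== null,
    victimLoggedIn: authenticatedUser(store, victimSid) === "alice",
    laptopLoggedIn: authenticatedUser(store, laptopSid) === "alice",
  };

  changePassword(store, victimSid);

  const afterPasswordChange = {
    victimStillLoggedIn: authenticatedUser(store, victimSid) === "alice",
    laptopLoggedIn: authenticatedUser(store, laptopSid) === "alice",
  };
  return { afterLogin, afterPasswordChange };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Regeneration alone does nothing about the laptop session after the password change; the tokenVersion comparison is what revokes it, which is why the commit treats the two as complementary rather than interchangeable.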
* fix(instructions): make L1 critical CSS pattern CSP-compatible
The L1 "GOOD" snippet relied on an inline `onload="this.media='all'"`
handler on a `<link>` tag. Under a strict CSP that disallows
`'unsafe-inline'` / `script-src-attr 'unsafe-inline'`, inline event
handlers are blocked, so the stylesheet would never activate and users
would hit a styling regression.
Replace the pattern with build-time critical CSS extraction
(Critters/Beasties/Next.js `optimizeCss`) plus a normal
`<link rel="preload" as="style">` and standard `<link rel="stylesheet">`.
Add a trailing note explaining why the older inline-onload trick breaks
under strict CSP and how to defer non-critical CSS with an external
script when deferral is truly needed.
* Improve agent skills instructions with quality authoring patterns
Add practical, platform-agnostic authoring guidance to
agent-skills.instructions.md based on community best practices:
- Expand applyTo to cover all skills/**/SKILL.md paths
- Add writing guidance for every recommended body section with examples
(When to Use, Prerequisites, Step-by-Step Workflows, Gotchas,
Troubleshooting, References)
- Add 'Writing High-Impact Skills' section with 5 principles:
- Focus on what the agent doesn't know
- Context budget awareness for descriptions
- Gotchas as highest-signal content
- Flexible guidelines over rigid steps
- Progressive disclosure for large skills
- Fix description constraints: add 10-char minimum, single-quote wrapping
- Reconcile Step-by-Step Workflows with Flexible Guidelines advice
- Consolidate Workflow Execution Pattern under Common Patterns
- Standardize terminology (agent vs AI agent)
- Align line thresholds (200 soft / 500 hard)
- Update validation checklist with new quality criteria
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update instructions/agent-skills.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Address PR review: make instructions platform-agnostic
- Replace 'GitHub Copilot'-specific language with generic 'the agent'
- Add skills/<skill-name>/ to Directory Structure table for repo layouts
- Fix relative path in flexible guidelines example (./references/)
- Update description and intro to be platform-neutral
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Revert terminology changes per reviewer feedback
Restore 'Copilot' and 'AI agent' terminology to match
the original doc's conventions. Keep new substantive content
(Writing High-Impact Skills, Gotchas, expanded examples).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Update powershell.instructions.md
## Description
### Error Handling
- Update to the `powershell.instructions.md` file. Now includes less error handling in the examples. This means that when using the instructions file, the output script contains less of the structured error handling; however, the output scripts are easier for beginners and PowerShell novices to read and understand.
### Switch parameter
- Updates to using the switch parameters should now prevent the default value's data type from being a bool
- Using no default value is the way in PowerShell. It defaults to a false value and shouldn't be set to a true value, although a note has been added to show the correct syntax, which requires type casting
### Examples updates
- Now includes a better demonstration of using the `WhatIf` parameter via `$PSCmdlet.ShouldProcess`
- Full Example: End-to-End Cmdlet Pattern updated with the `$Force` & `$PSCmdlet.ShouldContinue` pattern
* Update instructions/powershell.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update instructions/powershell.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update instructions/powershell.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update ShouldProcess and ShouldContinue guidance
Clarified ShouldProcess and ShouldContinue usage in PowerShell instructions.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Add draw-io diagram generator skill for awesome github copilot
* Add comprehensive shape libraries and style reference documentation for draw.io
- Introduced a new markdown file for draw.io shape libraries detailing various built-in shapes, their style keys, and usage.
- Added a complete style reference for `<mxCell>` elements, including universal style keys, shape-specific keys, edge styles, and color palettes.
- Included examples for common styles and shapes to aid users in creating diagrams effectively.
* Add draw-io diagram validation and shape addition scripts
* Add new diagram templates for flowchart, sequence, and UML class diagrams
- Created a flowchart template with a structured layout including start, steps, decision points, and end.
- Added a sequence diagram template illustrating interactions between a client, API server, and database with activation boxes and message arrows.
- Introduced a UML class diagram template featuring an interface, classes, attributes, methods, and relationships, including composition and realization.
* Add draw-io diagram generator skill to README with detailed usage instructions and bundled assets
* Add draw.io instructions with workflow, XML structure rules, style conventions, and validation checklist
* Add draw.io diagram standards to README instructions for enhanced diagram creation and editing
* Moving diagram templates to assets/ to follow agentskills structure
- Moved flowchart template with start, steps, decision points, and end nodes.
- Moved sequence diagram template illustrating interactions between a client, API server, and database.
- Moved UML class diagram template featuring an interface, classes, attributes, methods, and relationships.
* Clarify installation instructions for draw.io VS Code extension in SKILL.md
* Apply permission handler requirements across Copilot SDK docs
Co-authored-by: jamesmontemagno <1676321+jamesmontemagno@users.noreply.github.com>
Agent-Logs-Url: https://github.com/jamesmontemagno/awesome-copilot/sessions/adf27a88-92f8-4ca6-b3fe-1204e3bb9963
* Polish permission update formatting in SDK examples
Co-authored-by: jamesmontemagno <1676321+jamesmontemagno@users.noreply.github.com>
Agent-Logs-Url: https://github.com/jamesmontemagno/awesome-copilot/sessions/adf27a88-92f8-4ca6-b3fe-1204e3bb9963
* Fix review comments on SDK permission handling PR
Address 5 review comments from PR #1103:
1. Fix invalid object literal syntax (stray comma) in resumeSession
example in copilot-sdk-nodejs.instructions.md
2. Replace unused PermissionHandler import with actual usage in
cookbook/copilot-sdk/python/recipe/ralph_loop.py (was using
inline lambda instead)
3. Replace unused approveAll import with actual usage in
cookbook/copilot-sdk/nodejs/recipe/ralph-loop.ts (was using
inline handler instead)
4. Add missing PermissionHandler import to 4 Python code snippets
in skills/copilot-sdk/SKILL.md that reference it without importing
5. Add missing approveAll import to 3 TypeScript code snippets
in skills/copilot-sdk/SKILL.md that reference it without importing
* Refactor session creation to improve code formatting and consistency across SDK examples
* Fix formatting: split multi-property lines and put closing braces on own lines
Address review comments on PR #1107:
- Split OnPermissionRequest + Model onto separate lines in Go, C#, TypeScript
- Put closing }); on its own line consistently across all examples
- Fix indentation in SKILL.md Quick Start, CLI URL, Error Handling sections
- Fix cookbook Go multiple-sessions and error-handling formatting
- Fix ralph-loop.md TypeScript indentation
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jamesmontemagno <1676321+jamesmontemagno@users.noreply.github.com>
* Removed 'infer' option and replaced it with 'user-invocable' and 'disable-model-invocation'.
* Clarified the purpose of new options for better usability.
* Updated guidelines to reflect changes in agent invocation behavior.
* Cleaned up some tool names
* Removing some instructions
These instructions are no longer useful as the knowledge they add is already well handled by frontier models, so the instructions potentially provide conflicting or incorrect information to the agent while it undertakes a task
* Improved the skill to be more explicit on how to use playwright
* Removing a skill that is of low value
The information captured in this skill is mostly just what is found in the links that are at the top of the references, and thus the model will already have that knowledge available to it, meaning that the skill will potentially provide conflicting guidance to the agent as it works
* Updating readmes
Add tools for maximizing GitHub Copilot effectiveness through better
context management:
- Instructions: Guidelines for structuring code so Copilot understands it
- Agent: Context Architect - plans multi-file changes by mapping dependencies
- Prompts:
- context-map: Map all affected files before changes
- what-context-needed: Ask Copilot what files it needs
- refactor-plan: Create phased refactor plans with rollback steps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Updated accessibility instructions to improve clarity and specificity regarding coding practices for accessibility, including keyboard navigation and semantic structure.