* feat: add azure-functions-csharp.instructions.md
Added guidelines and best practices for building Azure Functions in C# using the isolated worker model.
* feat: add azure-durable-functions-csharp.instructions.md
Added guidelines and best practices for building Azure Durable Functions in C# using the isolated worker model.
* docs: add config & testing sections to durable functions instructions
Added detailed configuration and testing guidelines for Azure Durable Functions in C#.
* Fix capitalization in applyTo path for local.settings.json
Changed Local.settings.json to local.settings.json in the applyTo directive to match the actual filename used in Azure Functions projects.
* update through npm build
* feat(instructions): update security, a11y, and performance to 2025-2026 standards
Security: OWASP 2025 (55 anti-patterns, AI/LLM section, 6 frameworks)
Accessibility: WCAG 2.2 AA (38 anti-patterns, legal context EAA/ADA, 4 frameworks)
Performance: CWV (50 anti-patterns, Next.js 16, Angular 20, modern APIs)
* fix(instructions): use globalThis.scheduler to prevent ReferenceError
Access scheduler via globalThis to safely handle environments where
the Scheduling API is not declared as a global variable.
* fix(instructions): correct regex patterns and harden SSRF example
- AU1: anchor jwt.verify lookahead inside parentheses
- AU2: anchor jwt.sign lookahead, add expiresIn alternative
- AU7: fix greedy .* before negative lookahead in OAuth state check
- I5: resolve all DNS records, add TOCTOU production note
- K2: add closing delimiters and multi-digit support to tabindex regex
* fix(instructions): enhance SSRF IP validation with IPv4-mapped IPv6
Normalize IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before
checking private ranges, preventing bypass via mapped addresses.
* fix(instructions): add noscript fallback for deferred CSS pattern
Without JS, the media="print" + onload pattern leaves the stylesheet
inactive. The noscript tag loads it normally when JS is disabled.
* fix(instructions): add execFileSync to I3 command injection detection
The BAD example uses execFileSync but the regex only matched exec,
execSync, and execFile — missing the sync variant.
* fix(instructions): cover full IPv6 link-local range in SSRF check
fe80::/10 spans fe80-febf (fe8*, fe9*, fea*, feb*). Previous regex
only matched fe80::. Also use normalized variable for consistency.
* fix(instructions): adjust SSRF wording and downgrade reduced-motion severity
- SSRF: replace "full DNS/IP validation" with accurate wording that
acknowledges TOCTOU limitation
- V5: downgrade prefers-reduced-motion from IMPORTANT to SUGGESTION,
remove 2.2.2 (A) reference since it's an AAA enhancement
* fix(instructions): rename AU4 heading to include SHA-256
The heading said "Weak Password Hash (MD5/SHA1)" but the detection
regex and BAD example both use SHA-256. Renamed to "Fast Hash for
Passwords" which better describes the actual anti-pattern.
* fix(instructions): clarify WCAG 2.2 SC 4.1.1 status as obsolete
SC 4.1.1 Parsing is still present in the WCAG 2.2 spec but marked
as obsolete (always satisfied). Changed wording from "removed" to
"obsolete" for accuracy.
* fix(instructions): rename I1 example vars to avoid TS redeclaration
Copy-pasting the I1 SQL injection example as a single block failed with a
TypeScript redeclaration error because both BAD and GOOD snippets used
`const result`. Rename to `unsafeResult`/`safeResult` so the block remains
copy-pasteable into a single scope.
* fix(instructions): migrate I3 example to async execFile with bounds
The I3 command injection example used `execFileSync` in both BAD and GOOD
paths, which (a) redeclared `const output` in the same block and (b) blocks
the Node event loop in server handlers, amplifying DoS impact.
Switch the GOOD/BEST paths to a promisified `execFile` call with explicit
`timeout` and `maxBuffer` bounds, and rename variables to
`unsafeOutput`/`safeOutput` so the snippet stays copy-pasteable. Add a
trailing note recommending async child_process APIs for server code.
* fix(instructions): align AU6 heading with session fixation example
The AU6 heading claimed "Session Not Invalidated on Password Change" but
the mitigation example showed `req.session.regenerate`, which is the
canonical defense against session fixation on login rather than bulk
invalidation after a credential change.
Rename the anti-pattern to "Missing Session Regeneration on Login (Session
Fixation)" so it matches the example, and add a trailing note pointing to
the complementary practice of invalidating other active sessions for the
user on password change (e.g., via a `tokenVersion` counter).
* fix(instructions): make L1 critical CSS pattern CSP-compatible
The L1 "GOOD" snippet relied on an inline `onload="this.media='all'"`
handler on a `<link>` tag. Under a strict CSP that disallows
`'unsafe-inline'` / `script-src-attr 'unsafe-inline'`, inline event
handlers are blocked, so the stylesheet would never activate and users
would hit a styling regression.
Replace the pattern with build-time critical CSS extraction
(Critters/Beasties/Next.js `optimizeCss`) plus a normal
`<link rel="preload" as="style">` and standard `<link rel="stylesheet">`.
Add a trailing note explaining why the older inline-onload trick breaks
under strict CSP and how to defer non-critical CSS with an external
script when deferral is truly needed.
The tools field used non-standard names (codebase, terminalCommand,
fetch_webpage) that are not recognized as valid tool aliases. Per the
custom agents configuration docs, unrecognized tool names are silently
ignored, which effectively gave Ember zero tools.
Removing the tools field entirely enables all available tools by default,
which is the correct behavior for a general-purpose AI partner agent.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
LSP servers are only loaded on Copilot CLI startup, so the user
must exit and re-launch for the new configuration to take effect.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rewrite description to emphasize code intelligence capabilities
(go-to-definition, find-references, hover) so the coding agent
triggers the skill when it needs deeper code understanding, while
still matching explicit LSP setup/configuration requests.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace pylsp primary + pyright alternative with a single pyright
recommendation for Python. Go already correctly recommends gopls.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Replace csharp-ls/OmniSharp with roslyn-language-server in the .NET
section, matching the official dotnet/skills reference configuration.
Addresses review feedback from @aaronpowell in PR #1272.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Improve agent skills instructions with quality authoring patterns
Add practical, platform-agnostic authoring guidance to
agent-skills.instructions.md based on community best practices:
- Expand applyTo to cover all skills/**/SKILL.md paths
- Add writing guidance for every recommended body section with examples
(When to Use, Prerequisites, Step-by-Step Workflows, Gotchas,
Troubleshooting, References)
- Add 'Writing High-Impact Skills' section with 5 principles:
- Focus on what the agent doesn't know
- Context budget awareness for descriptions
- Gotchas as highest-signal content
- Flexible guidelines over rigid steps
- Progressive disclosure for large skills
- Fix description constraints: add 10-char minimum, single-quote wrapping
- Reconcile Step-by-Step Workflows with Flexible Guidelines advice
- Consolidate Workflow Execution Pattern under Common Patterns
- Standardize terminology (agent vs AI agent)
- Align line thresholds (200 soft / 500 hard)
- Update validation checklist with new quality criteria
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update instructions/agent-skills.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Address PR review: make instructions platform-agnostic
- Replace 'GitHub Copilot'-specific language with generic 'the agent'
- Add skills/<skill-name>/ to Directory Structure table for repo layouts
- Fix relative path in flexible guidelines example (./references/)
- Update description and intro to be platform-neutral
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Revert terminology changes per reviewer feedback
Restore 'Copilot' and 'AI agent' terminology to match
the original doc's conventions. Keep new substantive content
(Writing High-Impact Skills, Gotchas, expanded examples).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Aaron Powell <me@aaron-powell.com>
- Adds React 18 and 19 migration orchestration plugins
- Introduces comprehensive upgrade toolkits for migrating legacy React 16/17 and 18 codebases to React 18.3.1 and 19, respectively. Each plugin bundles specialized agents and skills for exhaustive audit, dependency management, class/component API migration, test suite transformation, and batching regression fixes.
- The React 18 toolkit targets class-component-heavy apps, ensures safe lifecycle and context transitions, resolves dependency blockers, and fully automates test migrations including Enzyme removal. The React 19 toolkit addresses breaking changes such as removal of legacy APIs, defaultProps on function components, and forwardRef, while enforcing a gated, memory-resumable migration pipeline.
- Both plugins update documentation, plugin registries, and skill references to support reliable, repeatable enterprise-scale React migrations.
- Add PermissionRequest hook event to automating-with-hooks.md with
practical CI example (new in v1.0.16)
- Add Ctrl+Q / Ctrl+Enter queue shortcut note to copilot-configuration-basics.md
(Ctrl+D no longer queues as of v1.0.15)
- Add extraKnownMarketplaces config setting to installing-and-using-plugins.md
(old 'marketplaces' setting removed in v1.0.16)
- Update lastUpdated dates on all three files
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat(orchestrator): add Discuss Phase and PRD creation workflow
- Introduce Discuss Phase for medium/complex objectives, generating context‑aware options and logging architectural decisions
- Add PRD creation step after discussion, storing the PRD in docs/prd.yaml
- Refactor Phase 1 to pass task clarifications to researchers
- Update Phase 2 planning to include multi‑plan selection for complex tasks and verification with gem‑reviewer
- Enhance Phase 3 execution loop with wave integration checks and conflict filtering
* feat(gem-team): bump version to 1.3.3 and refine description with Discuss Phase and PRD compliance verification
* chore(release): bump marketplace version to 1.3.4
- Update `marketplace.json` version from `1.3.3` to `1.3.4`.
- Refine `gem-browser-tester.agent.md`:
- Replace "UUIDs" typo with correct spelling.
- Adjust wording and formatting for clarity.
- Update JSON code fences to use ````jsonc````.
- Modify workflow description to reference `AGENTS.md` when present.
- Refine `gem-devops.agent.md`:
- Align expertise list formatting.
- Standardize tool list syntax with back‑ticks.
- Minor wording improvements.
- Increase retry attempts in `gem-browser-tester.agent.md` from 2 to 3 attempts.
- Minor typographical and formatting corrections across agent documentation.
* refactor: rename prd_path to project_prd_path in agent configurations
- Updated gem-orchestrator.agent.md to use `project_prd_path` instead of `prd_path` in task definitions and delegation logic.
- Updated gem-planner.agent.md to reference `project_prd_path` and clarify PRD reading.
- Updated gem-researcher.agent.md to use `project_prd_path` and adjust PRD consumption logic.
- Applied minor wording improvements and consistency fixes across the orchestrator, planner, and researcher documentation.
* feat(plugin): expand marketplace description, bump version to 1.4.0; revamp gem-browser-tester agent documentation with clearer role, expertise, and workflow specifications.
* chore: remove outdated plugin metadata fields from README.plugins.md and plugin.json
* feat(tooling): bump marketplace version to 1.5.0 and refine validation thresholds
- Update marketplace.json version from 1.4.0 to 1.5.0
- Adjust validation criteria in gem-browser-tester.agent.md to trigger additional tests when coverage < 0.85 or confidence < 0.85
- Refine accessibility compliance description, adding runtime validation and SPEC‑based accessibility notes- Add new gem-code-simplifier.agent.md documentation for code refactoring
- Update README and plugin metadata to reflect version change and new tooling
* docs: improve bug‑fix delegation description and delegation‑first guidance in gem‑orchestrator.agent.md
- Clarified the two‑step diagnostic‑then‑fix flow for bug fixes using gem‑debugger and gem‑implementer.
- Updated the “Delegation First” checklist to stress that **no** task, however small, should be performed directly by the orchestrator, emphasizing sub‑agent delegation and retry/escalation strategy.
* feat(gem-browser-tester): add flow testing support and refine workflow
- Update description to include “flow testing” and “user journey” among triggers.
- Expand expertise list to cover flow testing and visual regression.
- Revise knowledge sources and workflow to detail initialization, setup, flow execution, and teardown.
- Introduce comprehensive step types (navigate, interact, assert, branch, extract, wait, screenshot) with explicit wait strategies.
- Implement baseline screenshot comparison for visual regression.
- Restructure execution pattern to manage flow context and multi‑step user journeys.
* feat: add performance, design, responsive checks
* feat(styling): add priority-based styling hierarchy and validation rules
* feat: incorporate lint rule recommendations and update agent routing for ESLint rule handling
* chore(release): bump marketplace version to 1.5.4
* docs: Simplify readme
* chore: Add mobile specific agents and disable user invocation flags
* feat(architecture): add mobile agents and refactor diagram
* feat(readme): add recommended LLM column to agent team roles
* docs: Update readme
---------
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* feat: add Salesforce Development plugin bundling Apex, Flow, LWC/Aura, and Visualforce agents
* feat: improve Salesforce plugin agents and add 3 quality skills
- Rewrote all 4 agent files with specific, actionable Salesforce guidance:
- salesforce-apex-triggers: added discovery phase, pattern selection matrix,
PNB test coverage standard, modern Apex idioms (safe nav, null coalescing,
WITH USER_MODE, Assert.*), TAF awareness, anti-patterns table with risks,
and structured output format
- salesforce-aura-lwc: major expansion — PICKLES methodology, data access
pattern selection table, SLDS 2 compliance, WCAG 2.1 AA accessibility
requirements, component communication rules, Jest test requirements, and
output format
- salesforce-flow: major expansion — automation tool confirmation step, flow
type selection matrix, bulk safety rules (no DML/Get Records in loops),
fault connector requirements, Transform element guidance, deployment
safety steps, and output format
- salesforce-visualforce: major expansion — controller pattern selection,
security requirements (CSRF, XSS, FLS/CRUD, SOQL injection), view state
management, performance rules, and output format
- Added 3 new skills to the plugin:
- salesforce-apex-quality: Apex guardrails, governor limit patterns, sharing
model, CRUD/FLS enforcement, injection prevention, PNB testing checklist,
trigger architecture rules, and code examples
- salesforce-flow-design: flow type selection, bulk safety patterns with
correct and incorrect examples, fault path requirements, automation density
checks, screen flow UX guidelines, and deployment safety steps
- salesforce-component-standards: LWC data access patterns, SLDS 2 styling,
accessibility (WCAG 2.1 AA), component communication, Jest requirements,
Aura event design, and Visualforce XSS/CSRF/FLS/view-state standards
- Updated plugin.json v1.0.0 → v1.1.0 with explicit agent paths and skill refs
* fix: resolve codespell error and README drift in Salesforce plugin
- Fix 'ntegrate' codespell false positive in salesforce-aura-lwc agent:
rewrote PICKLES acronym bullets from letter-prefixed (**I**ntegrate)
to full words (**Integrate**) so codespell reads the full word correctly
- Regenerate docs/README.plugins.md to match current build output
(table column padding was updated by the build script)
* fix: regenerate README after rebasing on latest staged
- **New skill: flowstudio-power-automate-monitoring** — flow health, failure
rates, maker inventory, Power Apps, environment/connection counts via
FlowStudio MCP cached store tools.
- **New skill: flowstudio-power-automate-governance** — 10 CoE-aligned
governance workflows: compliance review, orphan detection, archive scoring,
connector audit, notification management, classification/tagging, maker
offboarding, security review, environment governance, governance dashboard.
- **Updated flowstudio-power-automate-debug** — purely live API tools (no
store dependencies), mandatory action output inspection step, resubmit
clarified as working for ALL trigger types.
- **Updated flowstudio-power-automate-build** — Step 1 uses list_live_flows
(not list_store_flows) for the duplicate check, resubmit-first testing.
- **Updated flowstudio-power-automate-mcp** — store tool catalog, response
shapes verified against real API calls, set_store_flow_state shape fix.
- Plugin version bumped to 2.0.0, all 5 skills listed in plugin.json.
- Generated docs regenerated via npm start.
All response shapes verified against real FlowStudio MCP API calls.
All 10 governance workflows validated with real tenant data.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds plugins/ember/ with plugin.json and README.md so Ember
appears as an installable plugin in the awesome-copilot
marketplace. The agent and skill files already exist at the
repo root from PR #1324.
Ran npm run plugin:validate (passes) and npm start to
regenerate README and marketplace.json.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Update powershell.instructions.md
## Description
### Error Handling
- Update to the `powershell.instructions.md` file. Now includes less error handling in the examples. This means when using the instructions file the output script contains less of the structured error handling, however the output scripts are easier for beginners and powershell novices to read and understand.
### Switch parameter
- Updates to using the switch parameters should now prevent default values data type being a bool
- Using no default value is the way in PowerShell. Defaults to a false value and shouldn't be set to a true value. Although a note has been added to show the correct syntax that requires type casting
### Examples updates
- Now includes a better demonstration of using the `WhatIf` parameter via `$PSCmdlet.ShouldProcesss`
- Full Example: End-to-End Cmdlet Pattern updated with the `$Force` & `$PSCmdlet.ShouldContinue` pattern
* Update instructions/powershell.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update instructions/powershell.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update instructions/powershell.instructions.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Update ShouldProcess and ShouldContinue guidance
Clarified ShouldProcess and ShouldContinue usage in PowerShell instructions.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Fix compilation errors and documentation inaccuracies in Java cookbook
recipes against the actual SDK API:
- MultipleSessions: Replace non-existent destroy() with close()
- AccessibilityReport: Replace non-existent McpServerConfig class with
Map<String, Object> (the actual type accepted by setMcpServers)
- error-handling.md: Replace non-existent session.addTool(),
ToolDefinition.builder(), and ToolResultObject with actual SDK APIs
(ToolDefinition.create(), SessionConfig.setTools(),
CompletableFuture<Object> return type)
All 7 recipes now compile successfully with jbang build.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add complete Java cookbook matching the pattern of existing .NET, Go,
Node.js, and Python cookbooks. All 7 recipes included:
- Ralph Loop: Autonomous AI task loops with JBang
- Error Handling: try-with-resources, ExecutionException, timeouts
- Multiple Sessions: Parallel sessions with CompletableFuture
- Managing Local Files: AI-powered file organization
- PR Visualization: Interactive PR age charts
- Persisting Sessions: Save/resume with custom IDs
- Accessibility Report: WCAG reports via Playwright MCP
Each recipe includes both markdown documentation and a standalone
JBang-runnable Java file in recipe/.
