Add Step 5a (state machine completeness analysis) and expand Step 6
with missing safeguard detection patterns. These catch two categories
of bugs that defensive pattern analysis alone misses: unhandled states
in lifecycle/status machines, and operations that commit users to
expensive work without adequate preview or termination conditions.
* feat: add GDPR-compliant engineering practices skill documentation
* Add GDPR compliance references for Security and Data Rights
- Introduced a comprehensive Security.md file detailing encryption, password hashing, secrets management, anonymization, cloud practices, CI/CD controls, and incident response protocols.
- Created a Data Rights.md file outlining user rights implementation, Record of Processing Activities (RoPA), consent management, sub-processor management, and DPIA triggers.
* Refine GDPR compliance documentation by removing unnecessary symbols and ensuring clarity in security and data rights references
* refactor: streamline description formatting in GDPR compliance skill documentation
---------
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* feat(orchestrator): add Discuss Phase and PRD creation workflow
- Introduce Discuss Phase for medium/complex objectives, generating context‑aware options and logging architectural decisions
- Add PRD creation step after discussion, storing the PRD in docs/prd.yaml
- Refactor Phase 1 to pass task clarifications to researchers
- Update Phase 2 planning to include multi‑plan selection for complex tasks and verification with gem‑reviewer
- Enhance Phase 3 execution loop with wave integration checks and conflict filtering
* feat(gem-team): bump version to 1.3.3 and refine description with Discuss Phase and PRD compliance verification
* chore(release): bump marketplace version to 1.3.4
- Update `marketplace.json` version from `1.3.3` to `1.3.4`.
- Refine `gem-browser-tester.agent.md`:
- Replace "UUIDs" typo with correct spelling.
- Adjust wording and formatting for clarity.
- Update JSON code fences to use ````jsonc````.
- Modify workflow description to reference `AGENTS.md` when present.
- Refine `gem-devops.agent.md`:
- Align expertise list formatting.
- Standardize tool list syntax with back‑ticks.
- Minor wording improvements.
- Increase retry attempts in `gem-browser-tester.agent.md` from 2 to 3 attempts.
- Minor typographical and formatting corrections across agent documentation.
* refactor: rename prd_path to project_prd_path in agent configurations
- Updated gem-orchestrator.agent.md to use `project_prd_path` instead of `prd_path` in task definitions and delegation logic.
- Updated gem-planner.agent.md to reference `project_prd_path` and clarify PRD reading.
- Updated gem-researcher.agent.md to use `project_prd_path` and adjust PRD consumption logic.
- Applied minor wording improvements and consistency fixes across the orchestrator, planner, and researcher documentation.
* feat(plugin): expand marketplace description, bump version to 1.4.0; revamp gem-browser-tester agent documentation with clearer role, expertise, and workflow specifications.
* chore: remove outdated plugin metadata fields from README.plugins.md and plugin.json
* feat(tooling): bump marketplace version to 1.5.0 and refine validation thresholds
- Update marketplace.json version from 1.4.0 to 1.5.0
- Adjust validation criteria in gem-browser-tester.agent.md to trigger additional tests when coverage < 0.85 or confidence < 0.85
- Refine accessibility compliance description, adding runtime validation and SPEC‑based accessibility notes
- Add new gem-code-simplifier.agent.md documentation for code refactoring
- Update README and plugin metadata to reflect version change and new tooling
* docs: improve bug‑fix delegation description and delegation‑first guidance in gem‑orchestrator.agent.md
- Clarified the two‑step diagnostic‑then‑fix flow for bug fixes using gem‑debugger and gem‑implementer.
- Updated the “Delegation First” checklist to stress that **no** task, however small, should be performed directly by the orchestrator, emphasizing sub‑agent delegation and retry/escalation strategy.
---------
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Add threat-model-analyst skill: STRIDE-A threat modeling for repositories
Add a comprehensive threat model analysis skill that performs security audits
using STRIDE-A (STRIDE + Abuse) threat modeling, Zero Trust principles, and
defense-in-depth analysis.
Supports two modes:
- Single analysis: full STRIDE-A threat model producing architecture overviews,
DFD diagrams, prioritized findings, and executive assessments
- Incremental analysis: security posture diff between baseline report and current
code, producing standalone reports with embedded comparison
Includes bundled reference assets:
- Orchestrator workflows (full and incremental)
- Analysis principles and verification checklists
- Output format specifications and skeleton templates
- DFD diagram conventions and TMT element taxonomy
* Address PR review comments from Copilot reviewer
- Fix SKILL.md description: use single-quoted scalar, rename mode (2) to
'Incremental analysis' with accurate description
- Replace 'Compare Mode (Deprecated)' sections with 'Comparing Commits or
Reports' redirect (no deprecated language for first release)
- Fix skeleton-findings.md: move Tier 1 table rows under header, add
CONDITIONAL-EMPTY block after END-REPEAT (matching Tier 2/3 structure)
- Fix skeleton-threatmodel.md and skeleton-architecture.md: use 4-backtick
outer fences to avoid nested fence conflicts with inner mermaid fences
- Fix skeleton-incremental-html.md: correct section count from 9 to 8
- Fix output-formats.md: change status 'open' to 'Open' in JSON example,
move stride_category warning outside JSON fence as blockquote
- Fix incremental-orchestrator.md: replace stale compare-output-formats.md
reference with inline color conventions
- Regenerate docs/README.skills.md with updated description
* Address second round of Copilot review comments
- Fix diagram-conventions.md: bidirectional flow notation now uses <-->
matching orchestrator.md and DFD templates
- Fix tmt-element-taxonomy.md: normalize SE.DF.SSH/LDAP/LDAPS to use
SE.DF.TMCore.* prefix consistent with all other data flow IDs
- Fix output-formats.md: correct TMT category example from SQLDatabase
to SQL matching taxonomy, fix component type from 'datastore' to
'data_store' matching canonical enum, remove DaprSidecar from
inbound_from per no-standalone-sidecar rule
- Fix 5 skeleton files: clarify VERBATIM instruction to 'copy the
template content below (excluding the outer code fence)' to prevent
agents from wrapping output in markdown fences
- Genericize product-specific names in examples: replace edgerag with
myapp, BitNetManager with TaskProcessor, AzureLocalMCP with MyApp.Core,
AzureLocalInfra with OnPremInfra, MilvusVectorDB with VectorDB
* Address third round of Copilot review comments
- Fix diagram-conventions.md: second bidirectional two-arrow pattern in
Quick Reference section now uses <-->
- Fix incremental-orchestrator.md: renumber HTML sections 5-9 to 4-8
matching skeleton-incremental-html.md 8-section structure
- Fix output-formats.md: add incremental-comparison.html to File List
as conditional output for incremental mode
- Fix skeleton-inventory.md: add tmt_type, sidecars, and boundary_kind
fields to match output-formats.md JSON schema example
* Add draw-io diagram generator skill for awesome github copilot
* Add comprehensive shape libraries and style reference documentation for draw.io
- Introduced a new markdown file for draw.io shape libraries detailing various built-in shapes, their style keys, and usage.
- Added a complete style reference for `<mxCell>` elements, including universal style keys, shape-specific keys, edge styles, and color palettes.
- Included examples for common styles and shapes to aid users in creating diagrams effectively.
* Add draw-io diagram validation and shape addition scripts
* Add new diagram templates for flowchart, sequence, and UML class diagrams
- Created a flowchart template with a structured layout including start, steps, decision points, and end.
- Added a sequence diagram template illustrating interactions between a client, API server, and database with activation boxes and message arrows.
- Introduced a UML class diagram template featuring an interface, classes, attributes, methods, and relationships, including composition and realization.
* Add draw-io diagram generator skill to README with detailed usage instructions and bundled assets
* Add draw.io instructions with workflow, XML structure rules, style conventions, and validation checklist
* Add draw.io diagram standards to README instructions for enhanced diagram creation and editing
* Moving diagram templates to assets/ to follow agentskills structure
- Moved flowchart template with start, steps, decision points, and end nodes.
- Moved sequence diagram template illustrating interactions between a client, API server, and database.
- Moved UML class diagram template featuring an interface, classes, attributes, methods, and relationships.
* Clarify installation instructions for draw.io VS Code extension in SKILL.md
* Add roundup plugin: self-configuring status briefing generator
Adds a new plugin with two skills:
- roundup-setup: Interactive onboarding that learns the user's communication
style from examples, discovers available data sources, and builds audience
profiles. Writes a persistent config to ~/.config/roundup/config.md.
- roundup: Generates draft status briefings on demand by pulling from
configured sources (GitHub, M365, Slack, Google Workspace, etc.) and
synthesizing in the user's learned style for any defined audience.
Platform-agnostic by design -- adapts to whatever MCP tools are available
in the user's environment rather than assuming specific integrations.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review comments
- Fix 'use roundup' help text to clarify multi-audience behavior instead
of referencing a nonexistent 'default audience'
- Split bundled 'who do you report to + who is on your team' into two
separate ask_user questions per the one-question-at-a-time rule
- Specify ~/Desktop as explicit save path with fallback prompt when
directory doesn't exist
- Tables in README verified as correct markdown (single | delimiters)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Improve example-pasting UX in setup flow
- Make 'paste the whole thing right here' explicit so users aren't
unsure about what/how much to paste
- Confirm receipt more clearly ('grabbed all of that')
- Reframe second example prompt to explain why a second helps
- Cap follow-up asks at two so it doesn't feel nagging
- Note that messy formatting is fine
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Reinforce that more examples = better output
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* feat: add Dotnet Self Learning Architect agent with comprehensive guidelines and strategies
* feat: update Dotnet Self-Learning Architect agent with enhanced model and toolset, and update .NET version in core expertise
* updating agent name to .NET Self-Learning Architect
* updating after npm build
* feat: add learning governance rules for lesson and memory management
Add an agent that handles the full lifecycle of upgrading GitHub Actions
JavaScript/TypeScript actions to newer Node.js runtime versions,
including action.yml changes, major version bumps, CI workflow updates,
documentation updates, and build validation.
* feat: add .NET timezone handling guidance and reference materials
* feat: update Finland, Lithuania, Estonia timezone reference in index
* feat: remove Finland, Lithuania, Estonia timezone reference from index
* <think>The user wants me to generate a conventional format commit message based on the git diff output provided.
Let me analyze the changes:
1. **`.github/plugin/marketplace.json`**:
- Updated the "gem-team" plugin description to include "complexity-aware research, multi-plan selection for critical tasks"
- Updated version from "1.2.1" to "1.3.0"
2. **`agents/gem-browser-tester.agent.md`**:
- Added `<tools>` section with new tools: get_errors, mcp_io_github_chr_performance_start_trace, mcp_io_github_chr_performance_analyze_insight
- Modified the `<expertise>` section (moved closing tag)
- Updated `<input_format_guide>` to use proper JSON code block format
- Updated `<output_format_guide>` to add "needs_revision" status option and restructured JSON formatting
- Updated `<constraints>` section - significantly changed the guidelines
This appears to be an update to:
- Plugin marketplace version bump
- Browser tester agent improvements (new tools, updated workflow constraints, better formatting)
Let me generate a conventional commit message:
- Type: Could be "feat" for new features or "chore" for maintenance
- Scope: could be "marketplace" and "browser-tester"
- Message should describe the changes succinctly
Looking at the changes more carefully:
- Plugin version bump from 1.2.1 to 1.3.0 - this is a feature update
- New tools added to browser tester agent
- Updated constraints/workflow for browser tester
I'll create a commit message that captures the essence:
</think>
feat: update gem-team to v1.3.0 and enhance browser-tester agent
- Bump gem-team plugin version from 1.2.1 to 1.3.0 with updated description
- Add performance tracing and insight tools to browser-tester agent
- Refactor input/output format guides with proper JSON code blocks
- Update agent constraints with improved tool usage and batching guidelines
* fix: correct typo "suiteable" to "suitable" in agent documentation
- Introduced MockMvcTester for AssertJ-style assertions in Spring MVC testing.
- Added @RestClientTest for testing REST clients with MockRestServiceServer.
- Implemented RestTestClient as a modern alternative to TestRestTemplate.
- Documented migration steps from Spring Boot 3.x to 4.0, including dependency and annotation changes.
- Created an overview of test slices to guide testing strategies.
- Included Testcontainers setup for JDBC testing with PostgreSQL and MySQL.
- Enhanced @WebMvcTest documentation with examples for various HTTP methods and validation.
* Added one-shot feature planning agent
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Updated README.agents.md
* Remove pigd0g from contributors section
Removed pigd0g from the contributors list in README.md.
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Tool Guardian Hook
Add Tool Guardian hook for blocking dangerous tool operations
Introduces a preToolUse hook that scans Copilot agent tool invocations
against ~20 threat patterns (destructive file ops, force pushes, DB drops,
permission abuse, network exfiltration) and blocks or warns before execution.
* Address review feedback: move hook to .github/, remove accidental log file
- Move hooks/tool-guardian/ to .github/hooks/tool-guardian/
- Remove accidentally committed guard.log
- Update all path references in README.md
* Move log directory to .github/, revert hook files back to hooks/
- Revert hook files from .github/hooks/ back to hooks/tool-guardian/
- Update default log path to .github/logs/copilot/tool-guardian/
- Update all path references in README.md and hooks.json
* Add publish-to-pages agent skill
Agent skill that publishes presentations and web content to GitHub Pages.
Works with any AI coding agent (Copilot CLI, Claude Code, Gemini CLI, etc.)
Features:
- Converts PPTX and PDF with full formatting preservation
- Creates repo, enables Pages, returns live URL
- Zero config — just needs gh CLI
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* docs: update README.skills.md
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Source dataverse plugin from microsoft/Dataverse-skills
The Dataverse plugin was previously bundled locally with a single
mcp-configure skill. It is now sourced externally from
microsoft/Dataverse-skills, which provides the full skill set:
init, setup, metadata, python-sdk, solution, mcp-configure, and overview.
- marketplace.json: update dataverse entry to external source format
- external.json: add Dataverse entry alongside Azure
- plugins/dataverse/: remove local plugin directory (now external)
- skills/mcp-configure/: remove top-level copy (now in external plugin)
- docs/README.plugins.md: update dataverse row with external link
- docs/README.skills.md: note mcp-configure moved to external plugin
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Make dataverse plugin docs generic to avoid stale counts
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Remove mcp-configure from skills index — now in external plugin
External plugins don't list their skills in README.skills.md
(consistent with azure-skills).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Revert manual edits to generated files
marketplace.json, README.plugins.md, and README.skills.md are
auto-generated. External plugins are discovered via external.json
and merged into marketplace.json by generate-marketplace.mjs.
Matches the Azure external plugin pattern — no manual doc entries.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Regenerate marketplace.json and docs after external plugin change
Run npm run build to pick up the new external dataverse entry and
remove the old local one from generated files.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* New hook: secrets-scanner
Add a secrets-scanner hook that scans files modified during a Copilot
coding agent session for leaked secrets, credentials, and sensitive data.
The hook runs on sessionEnd and inspects files in one of three scopes:
- diff: only files changed in the current session (default)
- staged: only files currently staged in the git index
- all: every tracked file in the repository
Detected pattern categories:
- AWS access keys and secret keys
- GCP service account credentials
- Azure client secrets and storage connection strings
- GitHub personal access tokens
- Slack tokens (bot, user, webhook)
- Private key headers (RSA, EC, DSA, OpenSSH, PEM)
- Generic high-entropy bearer tokens
- Internal IP:port strings
Configurable via environment variables (SCAN_MODE, SCAN_SCOPE,
SECRETS_ALLOWLIST) so teams can tune for their workflow without
editing the script. Patterns are POSIX ERE (grep -E) compatible,
with no PCRE metacharacters, for portability across macOS and Linux.
Files: hooks.json, scan-secrets.sh, README.md
* refactor: move PATTERNS array to top of scan-secrets.sh for discoverability
Move the PATTERNS declaration to the top of the file so it is clearly
visible and easy to customize, as suggested in code review. Added a
descriptive header comment. No functional changes.
---------
Co-authored-by: Shehab Sherif <shehabsherif0@users.noreply.github.com>
* Removing a codex-specific agent (model deprecated) and removing model from blueprint mode
* Combining skills into a single skill with an internal decision tree
* Converting agents to skill with decision tree
Closes #998
* Converting agents to skill with decision tree
Fixes #999
Add a reusable Agent Skill that installs npm packages in Docker sandbox
environments where virtiofs-mounted workspaces cause native binary crashes
(esbuild, lightningcss, rollup). The script installs on local ext4 and
symlinks node_modules back into the workspace.
- SKILL.md with spec-compliant frontmatter and documentation
- scripts/install.sh with security hardening (no eval, readonly paths)
- Updated docs/README.skills.md with new skill entry
Co-authored-by: GeekTrainer <GeekTrainer@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>