* Switch skill CI checks to vally lint
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Adding Vally to allowed words
* case sensitivity
* Migrate external plugin quality gates from skill-validator to vally lint
Replace the downloaded skill-validator binary with
px @microsoft/vally-cli lint
in the external plugin quality gates pipeline:
- Remove downloadSkillValidator() and SKILL_VALIDATOR_ARCHIVE_URL constant
- Replace uildSkillValidatorArgs() +
unSkillValidatorGate() with
uildVallyLintArgs() +
unVallyLintGate() that run
px vally-cli lint
per resolved skill directory (falling back to the full plugin root when no
specific skill paths can be resolved from plugin.json)
- Rename result keys skill_validator_status / skill_validator_output
to ally_lint_status / ally_lint_output throughout both
ng/external-plugin-quality-gates.mjs and ng/external-plugin-intake.mjs
- Update PR comment markdown to show 'vally lint' instead of 'skill-validator'
- Update CONTRIBUTING.md prose references accordingly
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Use @microsoft/vally library directly instead of vally-cli subprocess
Replace the npx-spawned vally-cli process with a direct call to the
@microsoft/vally core library in the external plugin quality gates scripts:
- Add @microsoft/vally as a devDependency in package.json
- Import runLint and LintConsoleReporter from @microsoft/vally
- Replace runVallyLintGate() process spawn with async API call:
- runLint({ rootPath }) returns structured LintResults
- LintConsoleReporter with a Writable capture stream collects
text output without printing to stdout
- Make runExternalPluginQualityGates() async (propagated to
runExternalPluginPrQualityGates() and both main entry points)
- Use Promise.all in runExternalPluginPrQualityGates() for parallel
plugin checks
- Fix remaining skill_validator_status reference in pr-quality-gates
summary string (now vally-lint=...) and YAML workflow table header
- Add 'npm install @microsoft/vally' step to both calling workflows
This removes a layer of indirection (Node -> npx -> CLI -> library)
and replaces it with a direct in-process library call, which is faster,
more reliable, and gives structured access to lint results.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* create-implementation-plan: require unique identifiers (#1989)
The skill template tells the agent to use REQ-, TASK-, GOAL-, and
similar prefixed identifiers, but never says they have to be unique
or how to check. @basilevs reported plans coming back with duplicate
TASK IDs and proposed three POSIX one-liners that catch the two real
collision modes (table rows and bullet declarations) plus a broad
diagnostic scan.
Document the uniqueness rule under the existing Template Validation
Rules, then add a new "Identifier Uniqueness Check" section with all
three bash commands and instructions on which must come back empty
before the plan is finalized.
DEP-* references intentionally allowed in multiple sections per the
reporter's note.
Closes#1989.
* codespell: ignore GUD identifier prefix (#1989)
Upstream skills/create-implementation-plan/SKILL.md already uses
GUD-001 in the template body. Codespell currently slips past it on
word-boundary, but the regex alternation (GUD|RISK|...) added in the
previous commit on this branch makes codespell flag it as a misspelling
of GOOD.
GUD is the documented "Guideline" identifier prefix alongside REQ,
SEC, CON, PAT, etc. Add it to the ignore-words-list, matching the
pattern every other technical-token exemption in .codespellrc uses.
* create-implementation-plan: clarify declaration vs reference (#1989 review)
basilevs flagged that calling out DEP-* specifically was misleading,
because any identifier can appear as a reference. A TASK body can
cite a REQ, one TASK can cite another, and so on. The original
phrasing made it sound like DEP-* was the only prefix allowed to
recur.
Rewrite the rule to lead with "uniquely declared":
- Define declaration as the leading bullet/cell ID (e.g., the table
row in Implementation Phase N, or '- **REQ-001**:').
- Say explicitly that references elsewhere in the plan are expected
and not collisions, with concrete examples (TASK citing REQ,
TASK citing TASK, Dependencies pointing at a DEP declared upstream).
- Tighten the check intro to call (1) and (2) declaration-targeted
gates and (3) a broad informational scan that will see references.
Bash checks unchanged; they already encode the declaration-vs-reference
distinction via the table-cell and bullet-prefix anchors.
* new hook fix-broken-links
* codespell: add ans for variable short for answer
* update: scripts hand off alternative url to copilot cmd
* codespell: add ext. arcade-canvas/game/phaser.min.js
* Apply suggestions from code review
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* update: rm em-dash from hook scripts
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* feat: add Azure resource naming conventions based on Microsoft CAF
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* docs: update Azure naming conventions with additional resource type patterns and constraints
Co-authored-by: Copilot <copilot@github.com>
* docs: add CAF acronym to ignore-words-list in codespell configuration
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <copilot@github.com>
* feat(instructions): update security, a11y, and performance to 2025-2026 standards
Security: OWASP 2025 (55 anti-patterns, AI/LLM section, 6 frameworks)
Accessibility: WCAG 2.2 AA (38 anti-patterns, legal context EAA/ADA, 4 frameworks)
Performance: CWV (50 anti-patterns, Next.js 16, Angular 20, modern APIs)
* fix(instructions): use globalThis.scheduler to prevent ReferenceError
Access scheduler via globalThis to safely handle environments where
the Scheduling API is not declared as a global variable.
* fix(instructions): correct regex patterns and harden SSRF example
- AU1: anchor jwt.verify lookahead inside parentheses
- AU2: anchor jwt.sign lookahead, add expiresIn alternative
- AU7: fix greedy .* before negative lookahead in OAuth state check
- I5: resolve all DNS records, add TOCTOU production note
- K2: add closing delimiters and multi-digit support to tabindex regex
* fix(instructions): enhance SSRF IP validation with IPv4-mapped IPv6
Normalize IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before
checking private ranges, preventing bypass via mapped addresses.
* fix(instructions): add noscript fallback for deferred CSS pattern
Without JS, the media="print" + onload pattern leaves the stylesheet
inactive. The noscript tag loads it normally when JS is disabled.
* fix(instructions): add execFileSync to I3 command injection detection
The BAD example uses execFileSync but the regex only matched exec,
execSync, and execFile — missing the sync variant.
* fix(instructions): cover full IPv6 link-local range in SSRF check
fe80::/10 spans fe80-febf (fe8*, fe9*, fea*, feb*). Previous regex
only matched fe80::. Also use normalized variable for consistency.
* fix(instructions): adjust SSRF wording and downgrade reduced-motion severity
- SSRF: replace "full DNS/IP validation" with accurate wording that
acknowledges TOCTOU limitation
- V5: downgrade prefers-reduced-motion from IMPORTANT to SUGGESTION,
remove 2.2.2 (A) reference since it's an AAA enhancement
* fix(instructions): rename AU4 heading to include SHA-256
The heading said "Weak Password Hash (MD5/SHA1)" but the detection
regex and BAD example both use SHA-256. Renamed to "Fast Hash for
Passwords" which better describes the actual anti-pattern.
* fix(instructions): clarify WCAG 2.2 SC 4.1.1 status as obsolete
SC 4.1.1 Parsing is still present in the WCAG 2.2 spec but marked
as obsolete (always satisfied). Changed wording from "removed" to
"obsolete" for accuracy.
* fix(instructions): rename I1 example vars to avoid TS redeclaration
Copy-pasting the I1 SQL injection example as a single block failed with a
TypeScript redeclaration error because both BAD and GOOD snippets used
`const result`. Rename to `unsafeResult`/`safeResult` so the block remains
copy-pasteable into a single scope.
* fix(instructions): migrate I3 example to async execFile with bounds
The I3 command injection example used `execFileSync` in both BAD and GOOD
paths, which (a) redeclared `const output` in the same block and (b) blocks
the Node event loop in server handlers, amplifying DoS impact.
Switch the GOOD/BEST paths to a promisified `execFile` call with explicit
`timeout` and `maxBuffer` bounds, and rename variables to
`unsafeOutput`/`safeOutput` so the snippet stays copy-pasteable. Add a
trailing note recommending async child_process APIs for server code.
* fix(instructions): align AU6 heading with session fixation example
The AU6 heading claimed "Session Not Invalidated on Password Change" but
the mitigation example showed `req.session.regenerate`, which is the
canonical defense against session fixation on login rather than bulk
invalidation after a credential change.
Rename the anti-pattern to "Missing Session Regeneration on Login (Session
Fixation)" so it matches the example, and add a trailing note pointing to
the complementary practice of invalidating other active sessions for the
user on password change (e.g., via a `tokenVersion` counter).
* fix(instructions): make L1 critical CSS pattern CSP-compatible
The L1 "GOOD" snippet relied on an inline `onload="this.media='all'"`
handler on a `<link>` tag. Under a strict CSP that disallows
`'unsafe-inline'` / `script-src-attr 'unsafe-inline'`, inline event
handlers are blocked, so the stylesheet would never activate and users
would hit a styling regression.
Replace the pattern with build-time critical CSS extraction
(Critters/Beasties/Next.js `optimizeCss`) plus a normal
`<link rel="preload" as="style">` and standard `<link rel="stylesheet">`.
Add a trailing note explaining why the older inline-onload trick breaks
under strict CSP and how to defer non-critical CSS with an external
script when deferral is truly needed.
* Add 9 Arize LLM observability skills
Add skills for Arize AI platform covering trace export, instrumentation,
datasets, experiments, evaluators, AI provider integrations, annotations,
prompt optimization, and deep linking to the Arize UI.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add 3 Phoenix AI observability skills
Add skills for Phoenix (Arize open-source) covering CLI debugging,
LLM evaluation workflows, and OpenInference tracing/instrumentation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Ignoring intentional bad spelling
* Fix CI: remove .DS_Store from generated skills README and add codespell ignore
Remove .DS_Store artifact from winmd-api-search asset listing in generated
README.skills.md so it matches the CI Linux build output. Add queston to
codespell ignore list (intentional misspelling example in arize-dataset skill).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Add arize-ax and phoenix plugins
Bundle the 9 Arize skills into an arize-ax plugin and the 3 Phoenix
skills into a phoenix plugin for easier installation as single packages.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fix skill folder structures to match source repos
Move arize supporting files from references/ to root level and rename
phoenix references/ to rules/ to exactly match the original source
repository folder structures.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Fixing file locations
* Fixing readme
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>