feat(agents): align sssc planner with rai parity, add signing and validation

[WilliamBerryiii]

Description

Brings the SSSC Planner to parity with the RAI Planner across consent gating, footer-with-review enforcement, artifact signing, state persistence, and entry-mode prompt structure.

Highlights:

• Disclaimer gate — sssc-planner now offers a first-turn disclaimer (sssc-full-disclaimer) and persists disclaimerShownAt in state.json.
• State schema (NEW) — scripts/linting/schemas/sssc-state.schema.json (JSON Schema draft 2020-12) formalizes 16 required fields, entryMode enum [capture, from-prd, from-brd, from-security-plan], currentPhase 1–6, and userPreferences (autonomy tier, output detail level, target system, audience profile, optional artifacts).
• State field expansion — 17 → 20 fields. Added signingRequested, signingManifestPath, disclaimerShownAt. Mirrored in docs/agents/agent-overview.md.
• Signing extension — scripts/security/Sign-PlannerArtifacts.ps1 gains a BySessionPath parameter set with -SessionPath and -ManifestName, while preserving the existing -ProjectSlug behavior. Manifest output now includes sessionPath.
• Footer-with-review classification — Renamed human-facing-with-disclaimer → rai-handoff-with-disclaimer; added sssc-handoff-with-disclaimer scoped to .github/instructions/security/sssc-*.instructions.md.
• Prompt restructure — Four entry-mode prompts (capture, from-prd, from-brd, from-security-plan) restructured with consistent Startup → Pre-Scan → Output Preferences → Scope Extraction → Initialization → Phase 1 Entry. From-* modes fall back to capture when zero artifacts are discovered. Switched bare {project-slug} → ${input:project-slug}.
• Tests — Validate-PlannerArtifacts.Tests.ps1 and Sign-PlannerArtifacts.Tests.ps1 updated for the rename, the new SSSC tier, and the new sessionPath manifest field.
• Collections / plugins / docs — Synchronized SSSC prompt descriptions across hve-core-all, project-planning, and security collection manifests; regenerated plugin READMEs.

Related Issue(s)

N/A

Type of Change

Code & Documentation:

• New feature (non-breaking change adding functionality)
• Documentation update

Infrastructure & Configuration:

• Linting configuration (markdown, PowerShell, etc.)

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)

Other:

• Script/automation (.ps1, .sh, .py)

Sample Prompts (for AI Artifact Contributions)

User Request:

"Plan supply chain security for my repo, capture mode."

Or, with an existing artifact:

"Use this PRD to start an SSSC plan."

Execution Flow:

1. User invokes @sssc-planner (or one of the entry-mode prompts: sssc-capture, sssc-from-prd, sssc-from-brd, sssc-from-security-plan).
2. Startup — Agent presents the full SSSC disclaimer (first turn only), captures consent, and stamps disclaimerShownAt. Standards announcement (OpenSSF Scorecard, SLSA v1.0, OpenSSF Best Practices Badge, Sigstore, NTIA SBOM) is shown.
3. Pre-Scan — Agent searches .copilot-tracking/ and docs/ for the relevant entry artifact (PRD, BRD, or Security Plan). from-* modes fall back to capture when zero artifacts are found.
4. Output Preferences — Agent confirms backlog target (ADO / GitHub / both / custom).
5. Scope Extraction — Tech stack, package managers, CI platform, release strategy, compliance targets.
6. Initialization — state.json is written, conforming to sssc-state.schema.json, preserving disclaimerShownAt.
7. Phase 1 Entry — Eight question topics with ❓ / ✅ / ❌ markers begin.
8. At handoff, user may invoke Sign-PlannerArtifacts.ps1 -SessionPath .copilot-tracking/sssc-plans/<slug> to sign artifacts via cosign; manifest path is recorded back to state.json.

Output Artifacts:

.copilot-tracking/sssc-plans/<project-slug>/
├── state.json                  # validates against sssc-state.schema.json
├── phase-1-scoping.md
├── phase-2-assessment.md
├── phase-3-standards.md
├── phase-4-gap-analysis.md
├── phase-5-backlog.md
├── phase-6-handoff.md
└── artifact-manifest.json      # produced by Sign-PlannerArtifacts.ps1

state.json excerpt:

{
  "$schema": "../../../scripts/linting/schemas/sssc-state.schema.json",
  "projectSlug": "my-project",
  "entryMode": "from-prd",
  "currentPhase": 1,
  "disclaimerShownAt": "2025-01-15T10:30:00Z",
  "signingRequested": false,
  "signingManifestPath": null,
  "userPreferences": { "targetSystem": "github", "autonomyTier": "guided" }
}

Success Indicators:

• state.json validates against scripts/linting/schemas/sssc-state.schema.json.
• disclaimerShownAt is present and stable across re-entry.
• Footer-with-review enforcement applies the sssc-handoff-with-disclaimer tier to all .github/instructions/security/sssc-*.instructions.md outputs.
• npm run test:ps -- -TestPath scripts/tests/linting/Validate-PlannerArtifacts.Tests.ps1 passes the new SSSC cases.
• npm run test:ps -- -TestPath scripts/tests/security/Sign-PlannerArtifacts.Tests.ps1 passes with the new sessionPath manifest field.

Testing

• npm run lint:md — pass
• npm run spell-check — pass (new SSSC vocabulary added to .cspell.json)
• npm run lint:frontmatter — pass
• npm run validate:skills — pass (no skill changes)
• npm run lint:md-links — pass
• npm run lint:ps — pass
• npm run plugin:generate — regenerated; no drift
• npm run test:ps -- -TestPath scripts/tests/linting/Validate-PlannerArtifacts.Tests.ps1 — pass
• npm run test:ps -- -TestPath scripts/tests/security/Sign-PlannerArtifacts.Tests.ps1 — pass

Checklist

Required Checks

• Documentation is updated (agent-overview.md, plugin READMEs, collection markdown)
• Files follow existing naming conventions
• Changes are backwards compatible (signing param sets are additive; footer rename is internal)
• Tests added for new functionality (SSSC disclaimer + tier; sessionPath field)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate
• Docusaurus tests: npm run docs:test

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues — none added
• Security-related scripts follow the principle of least privilege — Sign-PlannerArtifacts.ps1 only reads under the supplied session path and writes a single manifest file

Additional Notes

sssc-planner is maturity: experimental in collections/security.collection.yml; no maturity tier change in this PR. The footer-with-review rename (human-facing-with-disclaimer → rai-handoff-with-disclaimer) is internal to .github/instructions/shared/footer-with-review.yml and the corresponding Pester fixture; no published artifact referenced the old classification key.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 27.27273% with 32 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.16%. Comparing base (5bedf80) to head (c99e5ba).

Files with missing lines	Patch %	Lines
scripts/linting/Format-MarkdownTables.ps1	0.00%	26 Missing ⚠️
scripts/security/Sign-PlannerArtifacts.ps1	66.66%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1497      +/-   ##
==========================================
- Coverage   87.41%   87.16%   -0.25%     
==========================================
  Files          68       69       +1     
  Lines       10302    10341      +39     
==========================================
+ Hits         9005     9014       +9     
- Misses       1297     1327      +30     

Flag	Coverage Δ
pester	84.41% <27.27%> (-0.34%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
scripts/security/Sign-PlannerArtifacts.ps1	86.30% <66.66%> (-7.04%)	⬇️
scripts/linting/Format-MarkdownTables.ps1	0.00% <0.00%> (ø)

... and 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Advisory review, this PR is from a maintainer. Findings are informational only.

---

Review Summary

This PR delivers a well-structured parity update that brings the SSSC Planner in line with the RAI Planner's architecture: consistent disclaimer tier handling, the new BySessionPath cosign-signing flow, a formal JSON Schema for state.json, and full prompt rewrites for all five entry modes. The overall design and implementation quality is high.

Six informational findings are noted below; the two schema-alignment issues are the most worth addressing before merge since they could cause runtime validation failures.

---

Issue Alignment

The PR description states "N/A" for Related Issue(s). No GitHub issue is linked. While acceptable for maintainer-driven changes, linking an issue (even a tracking issue) is recommended so change intent is traceable over time.

---

PR Template Compliance

• ✅ Description is filled in with clear intent and file-level changes.
• ✅ Type of Change checkboxes are checked and match the actual diff (Copilot agent, prompt, instructions, script, schema).
• ⚠️ Related Issue(s) is "N/A" — no linked issue.
• ✅ Testing section references npm run test:ps.
• ✅ Checklist items are checked.

---

Coding Standards

PowerShell (Sign-PlannerArtifacts.ps1)

The new BySessionPath parameter set follows existing patterns correctly: copyright header, #Requires, CmdletBinding, [OutputType()], $ErrorActionPreference = 'Stop', and comment-based help are all in order. One path-separator edge case is noted in the inline comment at line 183.

Prompt Files (sssc-capture.prompt.md, sssc-from-prd.prompt.md, sssc-from-brd.prompt.md, sssc-from-security-plan.prompt.md)

All four entry-mode prompts reference outputPreferences as a state.json key. This field does not exist in the new sssc-state.schema.json, which uses "additionalProperties": false. The correct path is userPreferences.targetSystem. See inline comments on sssc-capture.prompt.md:43 and sssc-from-prd.prompt.md:52; the same correction applies to the BRD and security-plan variants.

Instructions Files

• sssc-handoff.instructions.md:105 references userPreferences.signingRequested, but signingRequested is a top-level field in the schema, not nested under userPreferences. See inline comment.
• sssc-identity.instructions.md:120 shows a userPreferences template with only autonomyTier; the schema now requires five fields. See inline comment.

---

Code Quality

• sssc-state.schema.json: Well-formed JSON Schema draft 2020-12. The 16 required fields, entryMode enum, and userPreferences sub-schema with five required fields are consistent with the agent file's sample state. disclaimerShownAt and signingManifestPath are correctly omitted from required (nullable). No issues found.
• Test files: Both Validate-PlannerArtifacts.Tests.ps1 and Sign-PlannerArtifacts.Tests.ps1 follow Pester 5 conventions. The rename from human-facing-with-disclaimer to rai-handoff-with-disclaimer and the new sssc-handoff-with-disclaimer tier are covered by the updated tests.
• Footer config files: The tiered footer design (sssc-*.instructions.md scoped to both agentic and human-facing) mirrors the established RAI pattern. The configuration looks intentional and correct.

---

Action Items

#	File	Line	Severity	Summary
1	sssc-capture.prompt.md	43	Medium	outputPreferences key doesn't exist in schema; use userPreferences.targetSystem
2	sssc-from-prd.prompt.md	52	Medium	Same outputPreferences schema mismatch
3	sssc-from-brd.prompt.md	~52	Medium	Same outputPreferences schema mismatch (not separately commented)
4	sssc-from-security-plan.prompt.md	~52	Medium	Same outputPreferences schema mismatch (not separately commented)
5	sssc-handoff.instructions.md	105	Medium	userPreferences.signingRequested → top-level signingRequested
6	sssc-identity.instructions.md	120	Low	Stale userPreferences example missing 4 required fields
7	sssc-capture.prompt.md	55	Low	"up to 5 questions" but 8 topics listed — ambiguous grouping intent
8	Sign-PlannerArtifacts.ps1	183	Low	Windows path-separator edge case in StartsWith comparison

Generated by PR Review for issue #1497 · ● 2.4M

[github-actions]

Advisory review, this PR is from a maintainer. Findings are informational only.

Review Overview

This PR delivers a solid parity pass for the SSSC planner — the new JSON schema, signing script improvements, and four-prompt alignment are all well-structured additions. The inline comments flag a schema/documentation drift that would cause runtime validation failures if left unaddressed, and a gap in test coverage for the new BySessionPath parameter set.

---

Issue Alignment

No issue is linked (Related Issue(s): N/A). Not blocking in advisory mode, but linking an issue would help trace the RAI parity motivation for this work.

---

PR Template Compliance

✅ Description is thorough and accurate.
✅ Type of Change checkboxes correctly reflect the diff (instructions, prompts, agent, script/automation).
✅ Testing section is comprehensive.
✅ Required Automated Checks all marked.

---

Coding Standards

No violations found against the matched instruction files (powershell.instructions.md, pester.instructions.md, prompt-builder.instructions.md). Script structure, copyright headers, CmdletBinding, ErrorActionPreference, and comment-based help all comply.

---

Code Quality Findings

⚠️ HIGH — Schema/doc drift: wrong includeOptionalArtifacts field names in agent example

.github/agents/security/sssc-planner.agent.md lines 144–146 document adoptionPlaybook and executiveSummary inside includeOptionalArtifacts. The new sssc-state.schema.json defines this object with additionalProperties: false and requires sbom, scorecardProjection, and artifactSigning. An agent following the embedded example would produce a state.json that fails schema validation. See inline comment on line 146.

⚠️ HIGH — outputPreferences not a valid root state.json key (all four entry prompts)

All four entry-mode prompts instruct the agent to write outputPreferences to state.json. The schema has additionalProperties: false at the root with no outputPreferences property. Every state write following these prompts would fail validation. The correct target is userPreferences.targetSystem. See inline comments on each prompt file.

💡 MEDIUM — disclaimerShownAt and signingManifestPath absent from required

Both fields are always initialised at state creation but are not listed in required. A state file missing these keys still passes schema validation, which could silently surface undefined to agent logic that expects at least null. See inline comment on sssc-state.schema.json line 24.

💡 MEDIUM — BySessionPath parameter set has no test coverage

Sign-PlannerArtifacts.Tests.ps1 was updated to expect sessionPath in the manifest but no tests exercise the new BySessionPath invocation path, its absolute/relative path resolution, or sessionLabel derivation. See inline comment on line 215.

---

Action Items

1. Fix includeOptionalArtifacts example in sssc-planner.agent.md to use sbom, scorecardProjection, artifactSigning.
2. Replace outputPreferences instructions in all four prompts with userPreferences.targetSystem.
3. Consider adding disclaimerShownAt and signingManifestPath to the schema required array.
4. Consider adding BySessionPath test scenarios to Sign-PlannerArtifacts.Tests.ps1.

Generated by PR Review for issue #1497 · ● 3.7M

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/setup-node	48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e	🟢 5.4	Details Check Score Reason Code-Review 🟢 6 Found 16/23 approved changesets -- score normalized to 6 Binary-Artifacts 🟢 9 binaries present in source code Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/pester-tests.yml

[github-actions]

Advisory review, this PR is from a maintainer. Findings are informational only.

---

Review Summary

This run reviews the two new commits added since the previous automated reviews — the Format-MarkdownTables.ps1 wrapper script and the table-reformatting pass — and confirms the current state of all findings from prior runs.

The two HIGH schema-drift issues flagged in earlier reviews remain unresolved and are the most important items to address before merge, as they will cause state.json files written by the agent to fail schema validation at runtime.

---

Issue Alignment

Related Issue(s): N/A. No linked issue. Not blocking in advisory mode, but linking a tracking issue would help trace the motivation over time.

---

PR Template Compliance

✅ Description is thorough and accurate.
✅ Type of Change checkboxes match the diff.
✅ Testing section is comprehensive and all checks are marked.
✅ AI Artifact Contributions checklist is present; prompt-builder review items are left unchecked per author's choice.

---

Coding Standards

Format-MarkdownTables.ps1 (new file)

The script follows copyright headers, #Requires, CmdletBinding, and $ErrorActionPreference = 'Stop' conventions. Two minor deviations from powershell.instructions.md are noted in the inline comment (line 99): missing main execution guard and missing #region/#endregion markers. Low risk.

---

Code Quality — Persistent Schema Drift

⚠️ HIGH — outputPreferences key invalid in all four entry-mode prompts

sssc-capture.prompt.md (line 43), sssc-from-prd.prompt.md (line 52), sssc-from-brd.prompt.md (line 52), and sssc-from-security-plan.prompt.md (line 48) all instruct the agent to write outputPreferences into state.json. The schema defines "additionalProperties": false at the root with no such property. Every state write following these prompts produces an invalid document. Correct key: userPreferences.targetSystem.

⚠️ HIGH — includeOptionalArtifacts example in sssc-planner.agent.md uses wrong field names

Lines 144–146 use adoptionPlaybook and executiveSummary. The schema's includeOptionalArtifacts sub-object requires exactly sbom, scorecardProjection, and artifactSigning with "additionalProperties": false. The stale example will cause schema validation failure.

💡 MEDIUM — userPreferences.signingRequested should be top-level signingRequested

sssc-handoff.instructions.md line 105 references a non-existent nested path. signingRequested is a root-level field.

💡 MEDIUM — BySessionPath parameter set has no test coverage

Sign-PlannerArtifacts.Tests.ps1 verifies the sessionPath manifest field appears but no test exercises the BySessionPath code path, absolute/relative path resolution, or sessionLabel derivation.

💡 LOW — userPreferences example in sssc-identity.instructions.md is incomplete

Line 120 shows only autonomyTier; the schema requires all five userPreferences fields.

---

Action Items

#	File	Line	Severity	Status
1	sssc-capture.prompt.md (+ 3 sibling prompts)	43/52/52/48	⚠️ HIGH	Unresolved
2	sssc-planner.agent.md	144–146	⚠️ HIGH	Unresolved
3	sssc-handoff.instructions.md	105	💡 MEDIUM	Unresolved
4	Sign-PlannerArtifacts.Tests.ps1	215	💡 MEDIUM	Unresolved
5	sssc-identity.instructions.md	120	💡 LOW	Unresolved
6	Format-MarkdownTables.ps1	99	💡 LOW	New

Generated by PR Review for issue #1497 · ● 3.1M

[github-actions]

Advisory review, this PR is from a maintainer. Findings are informational only.

---

Review Summary: feat/sssc-planner-rai-parity

This PR aligns the SSSC Planner with the RAI Planner feature-set parity: disclaimer gating, session signing, structured state schema, and consistent prompt structure. The overall shape of the change is sound and the implementation is detailed. Five advisory observations are noted below.

---

Issue Alignment

• No linked issue: The PR correctly states "Related Issue(s): N/A". No substantive misalignment concerns follow from this.

---

PR Template Compliance

• AI Artifact review checkboxes unchecked: The PR modifies .agent.md, .prompt.md, and .instructions.md files. The template's AI Artifact Contributions checklist ("Used /prompt-analyze to review contribution" and "Addressed all feedback from prompt-builder review") is unchecked. These are manual attestation items that require human action before merging.

---

Coding Standards

Format-MarkdownTables.ps1 — Missing invocation guard and region blocks

Per powershell.instructions.md, the main execution block must be wrapped in if ($MyInvocation.InvocationName -ne '.') and organized with #region/#endregion. The script currently puts all execution directly at module scope. See inline comment at line 42.

Test-Format-MarkdownTables.Tests.ps1 — Two observations

1. throw in BeforeAll (line 11): Throws abort the suite as an error rather than a skip, giving cryptic failures for contributors who haven't run npm install. See inline comment.
2. -Tag 'Unit' (line 151): The tests launch subprocesses, require node_modules, and mutate the filesystem—integration-test characteristics. The tag should reflect that. See inline comment.

---

Code Quality

Sign-PlannerArtifacts.Tests.ps1 — Missing coverage for BySessionPath

The new BySessionPath parameter set introduces path-resolution logic, manifest naming, and parameter-set mutual exclusivity—all untested. For a signing script that produces security attestation manifests, coverage gaps here are worth closing. See inline comment at line 215.

disclaimers.yml — Shared applies-to artifact names

Both rai-planner and sssc-planner disclaimers map to handoff-summary and compact-handoff-summary. Disambiguation relies on the validation tool cross-referencing tier scopes from footer-with-review.yml. If the lookup is artifact-name-only, both disclaimers apply simultaneously. Adding an explicit scope field to disclaimer entries would make the intent self-documenting. See inline comment at line 33.

---

What Looks Good

• pester-tests.yml correctly pins actions/setup-node to a full commit SHA with a version comment — fully compliant with workflow conventions.
• Sign-PlannerArtifacts.ps1 session-path computation handles absolute paths, trailing separators, and repo-root edge cases cleanly.
• sssc-state.schema.json uses additionalProperties: false consistently throughout and correctly models nullable fields (disclaimerShownAt, signingManifestPath) using ["string", "null"].
• The four SSSC prompt files have been restructured consistently with parallel startup/scope/phase-entry sections matching RAI parity.

---

Action items for the author:

1. Check the AI Artifact Contributions checklist items in the PR description.
2. Consider wrapping main execution in Format-MarkdownTables.ps1 with an invocation guard and region blocks.
3. Replace throw in Test-Format-MarkdownTables.Tests.ps1 BeforeAll with a skip-friendly guard.
4. Reconsider -Tag 'Unit' on the Format-MarkdownTables describe block given its integration-test dependencies.
5. Add BySessionPath parameter set tests to Sign-PlannerArtifacts.Tests.ps1.
6. Evaluate whether disclaimers.yml entries need a scope field for explicit disambiguation.

Generated by PR Review for issue #1497 · ● 5M

[katriendg]

Reviewed for cross-agent consistency, packaging sync, schema accuracy, and prompt-builder repetition rules. Detailed inline comments above; high-level summary below.

Findings

ID	Severity	Theme
RI-1	High	Four prompts cross-reference a Disclaimer and Attribution Protocol section that does not exist in sssc-identity.instructions.md
RI-2	High	Resume Protocol step counts diverge between sssc-planner.agent.md (5/6) and sssc-identity.instructions.md (still 4/5)
RI-3	Medium	Startup, Output Preferences, Pre-Scan supporting context, and one Phase 1 question are duplicated verbatim across the four entry-mode prompts (~150 lines), violating prompt-builder.instructions.md line 37
RI-4	Medium	sssc-state.schema.json requires signingRequested but not signingManifestPath or disclaimerShownAt, although the agent always writes them on init
RI-5	Low	docs/agents/sssc-planning/agent-overview.md userPreferences row is stale (manual autonomy tier no longer exists; structured object not described)
RI-6	Trivia	PR description says the footer-with-review file lives under .github/instructions/shared/; actual path is .github/config/footer-with-review.yml
RI-7	Low	sssc-state.schema.json is referenced via $schema only — no validator runs against produced state.json files. Same is true of rai-state.schema.json, so parity is preserved; flagging as a follow-up

Strengths

• Footer-with-review rename (human-facing-with-disclaimer → rai-handoff-with-disclaimer) is clean — zero stale references repo-wide, tests and config updated together.
• Sign-PlannerArtifacts.ps1 parameter sets (ByProjectSlug vs BySessionPath) are backward-compatible; the new sessionPath manifest field uses an OS-agnostic forward-slash relative path.
• pester-tests.yml correctly adds actions/setup-node + npm ci because the new Format-MarkdownTables.ps1 depends on node_modules. Action SHA pinning with version comment respected.
• SSSC standards rename (SLSA v1.0, NTIA SBOM minimum elements, Sigstore (cosign)) propagates consistently through frontmatter, three collection manifests, and three plugin READMEs.
• sssc-full-disclaimer wording correctly substitutes "OpenSSF Scorecard evaluators / SLSA auditors / supply chain security review boards" for the RAI legal/compliance equivalents.
• Tests cover the new SSSC handoff tier (pass + fail) and the sessionPath manifest field.

[bindsi]

/review

[github-actions]

✅ PR Review completed successfully!

[github-actions]

Advisory review — this PR is from a maintainer. Findings are informational only.

---

Overview

This PR brings the SSSC Planner to parity with the RAI Planner by adding disclaimer gating, a formal JSON Schema for state.json, BySessionPath signing support, footer-with-review classification, and restructured entry-mode prompts. The scope is well-described, testing evidence is thorough, and the implementation is consistent with existing RAI Planner patterns.

---

Issue Alignment

⚠️ No linked issue. The Related Issue(s) section is marked "N/A". For a change of this scope (46 files, cross-cutting agent/schema/script/test/collection changes), a tracking issue or epic would aid future auditability and release notes. This is informational only for a maintainer PR.

---

PR Template Compliance

⚠️ The AI Artifact Contributions checklist items — "Used /prompt-analyze to review contribution" and "Addressed all feedback from prompt-builder review" — are both unchecked. The PR description doesn't explain why these were skipped. Per the template, contributions checking AI artifact boxes should complete this workflow.

---

Coding Standards

✅ PowerShell follows powershell.instructions.md conventions (copyright header, #Requires -Version 7.0, CmdletBinding, [OutputType], comment-based help).

✅ JSON Schema uses draft 2020-12 and is structurally correct. The additionalProperties: false on the root object and on $defs entries prevents schema drift.

✅ Prompt frontmatter uses description, agent fields correctly and the ${input:project-slug} variable syntax is consistent.

---

Code Quality

Three advisory observations are posted as inline comments:

1. disclaimerShownAt absent from schema required (sssc-state.schema.json:23) — signingRequested is required but disclaimerShownAt is not, creating an asymmetry. Legacy sessions without the key may behave differently from sessions with null, depending on LLM key-missing interpretation.

2. git ls-files --others includes untracked files (Format-MarkdownTables.ps1:44) — undocumented behaviour; CI -Check mode could flag drift on uncommitted drafts.

3. BySessionPath parameter set lacks dedicated tests (Sign-PlannerArtifacts.Tests.ps1:215) — relative path resolution, absolute path branching, and custom ManifestName are not exercised.

---

Action Items

None are blocking for a maintainer PR. If you'd like to address any of the inline observations:

• Add disclaimerShownAt to the schema required array (or explicitly document the absent-vs-null equivalence in the schema description).
• Drop --others in CI or document the untracked-file scope in .DESCRIPTION.
• Add a BySessionPath test block to Sign-PlannerArtifacts.Tests.ps1.

Generated by PR Review for issue #1497 · ● 2.6M