feat(agents): upgrade ADR Planner with phased identity and adr-author skill

[WilliamBerryiii]

Pull Request

Description

This PR introduces a phase-gated ADR Planner alongside its execution surfaces — a new adr-author skill, an lint:adr-consistency PowerShell module, four supporting instruction files, and the documentation, packaging, and validation plumbing required to ship them. The ADR Planner aligns with the repository's peer planners (RAI, Security, SSSC) by adopting a Frame → Decide → Govern phase model with deterministic state transitions, structured handoffs to backlog automation, and a reusable BYO-template contract.

The change spans agent prompts, an executable skill (Python + PowerShell), a Pester-tested lint module, Docusaurus documentation, collection manifests, and generated plugin/extension outputs. Reviewers should pay particular attention to the _safe_resolve path-traversal hardening, atomic lineage operations in the skill, the closed-enum frontmatter schema (intentionally constrained), and the GHCP Maturity advisory in the section below.

Multi-area PR: subsections below are grouped by significance — security & breaking changes first, then features, refactors, tests, documentation, and distribution.

Security & Breaking Changes

• Path-traversal hardening (adr-author skill): added _safe_resolve to anchor every resolved path inside the configured repo_root before any filesystem write, applied across adr_create.py, adr_advance.py, adr_update.py, and adr_render.py. Mitigates the canonical "../../../etc/passwd"-style traversal class for skill-issued I/O.
• Atomic lineage operations: ADR creation and supersedes/relates-to updates write through temp-file + os.replace swap, eliminating partial-write corruption when interrupted mid-mutation.
• Closed-enum ADR frontmatter (status, kind, plus required id, title, date, deciders): backwards-incompatible for hand-authored ADRs that previously used free-form values, but no pre-existing ADRs in this repository use the legacy shape — the seed ADR 0001-record-architecture-decisions.md is new in this PR. lint:adr-consistency enforces the schema.
• Subprocess discipline: every subprocess.run call uses argument-list form, check=True, and explicit cwd/env; no shell strings.

New Features

• Phase-gated ADR Planner agent (.github/agents/project-planning/adr-creation.agent.md): restructured into Frame → Decide → Govern phases. Each phase has explicit entry/exit gates, a per-turn six-step protocol, and a deterministic state machine persisted to a session JSON document.
• Four ADR Planner instructions (.github/instructions/project-planning/):
  • adr-identity.instructions.md — phase machine, autonomy tiers, canonical state.json schema.
  • adr-standards.instructions.md — embedded MADR v4.0.0 (CC0) template, Y-Statement formula (Zimmermann/Zdun, six-slot), status taxonomy, naming rules, ASR trigger schema, Microsoft-attributed paraphrases.
  • adr-byo-template.instructions.md — two-layer config resolution, .adr-config.yml schema, template frontmatter contract, adopt-template lifecycle.
  • adr-handoff.instructions.md — Govern-phase handoff protocol, peer-agent routing heuristics, dual-format (ADO + GitHub) work item templates.
• adr-author skill (.github/skills/project-planning/adr-author/): Python-first executable skill with five scripts (adr_create.py, adr_advance.py, adr_update.py, adr_render.py, adr_validate.py), four bundled templates (madr-v4 CC0, y-statement six-slot, diagram-ascii ~25 LOC, diagram-mermaid ~15 LOC, frontmatter-overlay 40 LOC), and JSON schemas for state/lineage validation. Includes pyproject.toml with pyyaml, jsonschema, and atheris (fuzz harness, isolated dependency group).
• lint:adr-consistency PowerShell module (scripts/linting/AdrConsistency/): nine ADR-CONSISTENCY rules covering frontmatter completeness, status taxonomy compliance, lineage symmetry (supersedes/superseded-by, relates-to bidirectionality), filename-to-id parity, and ASR coverage. Three submodules (Parser, Rules, CLI), four JSON schemas, and a top-level Validate-AdrConsistency.ps1 entry point.

Refactors

• Peer planner alignment: Security Planner, SSSC Planner, and RAI Planner agent files updated to reference the new ADR handoff contract (decision routing now flows ADR → peer planners via the shared handoff template).
• Shared disclaimer instruction (.github/instructions/shared/disclaimer-language.instructions.md): added the ADR Planner to the planning-agent disclaimer scope (applyTo glob extended to **/.copilot-tracking/adr-plans/** and **/docs/planning/adrs/**).
• Frontmatter validator schemas (scripts/linting/schemas/): registered new schemas for ADR identity, standards, BYO template, and handoff instructions.

Tests & Activation Harness

• Pester (scripts/tests/linting/Test-AdrConsistency.Tests.ps1): 27 cases covering all nine ADR-CONSISTENCY rules, edge cases for symmetric lineage, and error-path coverage for malformed frontmatter.
• pytest (.github/skills/project-planning/adr-author/tests/): 45–55 cases covering create/advance/update/render/validate flows, _safe_resolve boundary tests, atomic-write rollback simulation, and template adoption.
• Atheris fuzz harness (tests/fuzz_harness.py): three corpus directories (corpus/frontmatter/, corpus/lineage/, corpus/state/) seeding inputs to the parser and lineage validator.
• Activation harness (scripts/tests/activation/Test-AdrAuthorActivation.Tests.ps1): four scenarios validating the skill installs, registers, and invokes from a fresh session. LF normalization fix included so fingerprints match across Windows and Linux runners.

Documentation

• Seed ADR: docs/planning/adrs/0001-record-architecture-decisions.md (MADR v4 format), establishing the repository's first architectural decision record and demonstrating expected frontmatter, body sections, and lineage usage.
• Planner documentation: new pages under docs/planning/adrs/ covering the three-phase workflow, BYO template adoption, handoff to ADO/GitHub backlogs, and the maturity disclaimer.
• Docusaurus integration: sidebar entries, redirect for the legacy agent path, and link validation under npm run docs:test.
• Contributing updates: docs/contributing/skills.md and docs/contributing/custom-agents.md updated to reference the new artifacts.

Distribution & Packaging

• Collection manifest: collections/project-planning.collection.yml lists the new agent, four instructions, and the skill (all marked maturity: experimental).
• Plugin regeneration: plugins/project-planning/ outputs regenerated via npm run plugin:generate.
• Extension packaging: extension/package.project-planning.json and extension/README.project-planning.md regenerated via npm run extension:prepare.
• .markdownlint, .cspell.json, frontmatter validator excludes: extended to cover ADR template files, fixture data, and the templates/ subdirectory of the skill.

Related Issue(s)

None.

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

User Request:

@adr-creation help me capture an ADR for adopting JSON Schema validation in the ADR Planner skill, replacing the prior ad-hoc dict checks.

Execution Flow:

1. Frame phase: Planner reads .adr-config.yml (or prompts to bootstrap one), determines the next ADR number from existing entries in docs/planning/adrs/, classifies the decision against the ASR trigger schema, asks scope-sharpening questions per the autonomy tier, and persists the session to .copilot-tracking/adr-plans/<id>/state.json.
2. Decide phase: Planner walks the user through context, drivers, considered options (with Y-Statement scaffolding for each), evaluates trade-offs against quality attributes, drafts the decision and consequences, and updates state.json after each gate.
3. Govern phase: Planner runs the embedded post-generation checklist (frontmatter completeness, lineage symmetry, ASR coverage, naming compliance), invokes lint:adr-consistency, generates the dual-format backlog handoff (ADO + GitHub work item bodies), and routes peer-agent recommendations (Security/SSSC/RAI) when triggered.

Output Artifacts:

• docs/planning/adrs/0042-adopt-json-schema-validation.md (MADR v4 format) — preview of generated frontmatter:

  ---
  id: "0042"
  title: "Adopt JSON Schema validation in adr-author"
  status: "accepted"
  date: "2025-11-04"
  deciders: ["@adr-author-maintainers"]
  kind: "library-adoption"
  supersedes: []
  superseded-by: []
  relates-to: ["0001"]
  ---

• .copilot-tracking/adr-plans/0042/state.json — phase machine state, autonomy tier, gate results.

• .copilot-tracking/adr-plans/0042/handoff/ — ADO and GitHub work item bodies generated by the Govern phase.

Success Indicators:

• npm run lint:adr-consistency exits 0 with no findings against the new ADR.
• npm run validate:skills passes for adr-author.
• npm run docs:test (Docusaurus) renders the new ADR with correct sidebar placement and lineage cross-links.
• state.json shows phase: "govern" and gates.govern.complete: true.

For detailed contribution requirements, see:

• Common Standards: docs/contributing/ai-artifacts-common.md - Shared standards for XML blocks, markdown quality, RFC 2119, validation, and testing
• Agents: docs/contributing/custom-agents.md - Agent configurations with tools and behavior patterns
• Prompts: docs/contributing/prompts.md - Workflow-specific guidance with template variables
• Instructions: docs/contributing/instructions.md - Technology-specific standards with glob patterns
• Skills: docs/contributing/skills.md - Task execution utilities with cross-platform scripts

Testing

Local validation evidence and command results will be appended after the Step 7 automated-check run. Coverage at the source level:

• Pester (scripts/tests/linting/Test-AdrConsistency.Tests.ps1): 27 cases — all nine ADR-CONSISTENCY rules, lineage symmetry edge cases, malformed-frontmatter error paths.
• pytest (.github/skills/project-planning/adr-author/tests/): 45–55 cases — create/advance/update/render/validate flows, _safe_resolve boundary tests, atomic-write rollback, template adoption.
• Atheris fuzz harness: three corpus directories seeded for parser and lineage validator (separate fuzz dependency group; not run by default).
• Activation harness (scripts/tests/activation/Test-AdrAuthorActivation.Tests.ps1): four end-to-end install/register/invoke scenarios with cross-platform LF-normalized fingerprints.

The eight repository-required automated checks plus lint:adr-consistency will be run before merge — results recorded in the checklist below.

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (if applicable)

Backwards compatibility: net-new feature surface; the closed-enum frontmatter schema is intentionally constrained and applies only to ADRs authored under the new contract. No pre-existing ADRs in this repository are affected.

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md — PASS (199 files, 0 errors)
• Spell checking: npm run spell-check — PASS (879 files checked, 0 issues)
• Frontmatter validation: npm run lint:frontmatter — PASS (555 files, 0 warnings, 0 errors) after adding the standard Copilot footer to .github/skills/project-planning/adr-author/tests/corpus/README.md
• Skill structure validation: npm run validate:skills — PASS (21 skills, 0 errors, 0 warnings)
• Link validation: npm run lint:md-links — PASS-out-of-scope. All 7 failing files are pre-existing and outside this PR's diff (verified via git diff --name-only origin/main...HEAD): .github/skills/security/secure-by-design/SKILL.md, docs/agents/code-review/README.md, docs/agents/rai-planning/agent-overview.md, docs/agents/rai-planning/phase-reference.md, docs/architecture/README.md, docs/getting-started/collections.md, docs/getting-started/mcp-configuration.md.
• PowerShell analysis: npm run lint:ps — PASS (all files passed PSScriptAnalyzer)
• Plugin freshness: npm run plugin:generate — PASS (13 plugins generated, no working-tree changes produced)
• Docusaurus tests: npm run docs:test — PASS (7 suites, 102 tests)

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Dependency review: the adr-author skill declares pyyaml, jsonschema, and (in an isolated fuzz group) atheris. All three are widely used, actively maintained packages. No top-level package.json dependencies were added or upgraded.

Privilege scope: no security-domain scripts were modified; the checkbox is left unchecked because it does not apply to this PR rather than to flag a concern.

Hardening landed in this PR: _safe_resolve (path-traversal mitigation) and atomic lineage operations (temp-file + os.replace) — both detailed in the Security & Breaking Changes section above.

GHCP Maturity

Warning

This PR ships AI artifacts at experimental maturity. Reviewers and downstream consumers should treat the ADR Planner, its supporting instructions, and the adr-author skill as evolving surfaces likely to change before they reach stable maturity. Acknowledge the maturity expectations below before merge.

Artifact	Type	Maturity	Notes
.github/agents/project-planning/adr-creation.agent.md	Agent	experimental	Phase machine and autonomy tiers will be refined as real-world ADR sessions surface gaps.
.github/instructions/project-planning/adr-identity.instructions.md	Instruction	experimental	Canonical state.json schema may evolve; consumers should pin to a tagged release.
.github/instructions/project-planning/adr-standards.instructions.md	Instruction	experimental	Embedded MADR v4 / Y-Statement scaffolding is stable upstream; embedding shape may change.
.github/instructions/project-planning/adr-byo-template.instructions.md	Instruction	experimental	Two-layer config resolution and template adoption lifecycle are subject to revision.
.github/instructions/project-planning/adr-handoff.instructions.md	Instruction	experimental	Dual-format work item templates align with current ADO/GitHub schemas; field mapping may shift.
.github/skills/project-planning/adr-author/	Skill	experimental	Python entry points, JSON schemas, and bundled templates are versioned as a unit.

GHCP Maturity Acknowledgment

• I acknowledge the experimental maturity of every AI artifact in this PR.
• I have communicated maturity expectations to downstream consumers (collection, plugin, extension).

Additional Notes

• PR is stacked: this branch (feat/adr-planner-upgrade-v2) is stacked on PR feat(scripts)(settings): add ADR consistency lint infrastructure #1552. Merge order matters; rebase will be required if PR feat(scripts)(settings): add ADR consistency lint infrastructure #1552 changes during review.
• Deferred deps: npm audit surfaces advisories against fast-uri (transitive). These are tracked separately and intentionally deferred from this PR per maintainer direction.
• Reviewer deep-dive material: a 20 KB consolidated subagent review log is preserved at .copilot-tracking/pr/pr-reference-log.md (covers branch snapshot, security analysis, feature inventory, refactor map, test matrix, documentation diff, distribution diff, cross-cutting themes, risks, and validation requirements). It is intentionally untracked and exists only for reviewer convenience.
• Generated outputs: plugins/project-planning/, extension/package.project-planning.json, and extension/README.project-planning.md are regenerated outputs — do not edit by hand; rerun npm run plugin:generate and npm run extension:prepare if the source manifests change during review.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
pip/atheris	3.0.0	🟢 5.9	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 23/30 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege SAST ⚠️ 0 no SAST tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected
pip/attrs	26.1.0	Unknown	Unknown
pip/colorama	0.4.6	Unknown	Unknown
pip/coverage	7.14.0	Unknown	Unknown
pip/iniconfig	2.3.0	Unknown	Unknown
pip/jsonschema	4.26.0	Unknown	Unknown
pip/jsonschema-specifications	2025.9.1	Unknown	Unknown
pip/packaging	26.2	Unknown	Unknown
pip/pluggy	1.6.0	Unknown	Unknown
pip/pygments	2.20.0	Unknown	Unknown
pip/pytest	9.0.3	Unknown	Unknown
pip/pytest-cov	7.1.0	Unknown	Unknown
pip/pytest-mock	3.15.1	Unknown	Unknown
pip/pyyaml	6.0.3	Unknown	Unknown
pip/referencing	0.37.0	Unknown	Unknown
pip/rpds-py	0.30.0	Unknown	Unknown
pip/ruff	0.15.12	Unknown	Unknown
pip/tomli	2.4.1	Unknown	Unknown
pip/typing-extensions	4.15.0	Unknown	Unknown
pip/atheris	3.0.0	🟢 5.9	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 23/30 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege SAST ⚠️ 0 no SAST tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected
pip/attrs	26.1.0	Unknown	Unknown
pip/colorama	0.4.6	Unknown	Unknown
pip/coverage	7.14.0	Unknown	Unknown
pip/iniconfig	2.3.0	Unknown	Unknown
pip/jsonschema	4.26.0	Unknown	Unknown
pip/jsonschema-specifications	2025.9.1	Unknown	Unknown
pip/packaging	26.2	Unknown	Unknown
pip/pluggy	1.6.0	Unknown	Unknown
pip/pygments	2.20.0	Unknown	Unknown
pip/pytest	9.0.3	Unknown	Unknown
pip/pytest-cov	7.1.0	Unknown	Unknown
pip/pytest-mock	3.15.1	Unknown	Unknown
pip/pyyaml	6.0.3	Unknown	Unknown
pip/referencing	0.37.0	Unknown	Unknown
pip/rpds-py	0.30.0	Unknown	Unknown
pip/ruff	0.15.12	Unknown	Unknown
pip/tomli	2.4.1	Unknown	Unknown
pip/typing-extensions	4.15.0	Unknown	Unknown

Scanned Files

• .github/skills/project-planning/adr-author/uv.lock
• plugins/hve-core-all/skills/project-planning/adr-author/uv.lock

[codecov-commenter]

Codecov Report

❌ Patch coverage is 75.57726% with 275 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.54%. Comparing base (35e5924) to head (797aba4).

Files with missing lines	Patch %	Lines
scripts/linting/Validate-AdrConsistency.ps1	0.00%	104 Missing ⚠️
...lanning/adr-author/scripts/validate_frontmatter.py	77.69%	60 Missing ⚠️
...ject-planning/adr-author/scripts/update_lineage.py	81.31%	34 Missing ⚠️
scripts/linting/Validate-MarkdownFrontmatter.ps1	31.25%	22 Missing ⚠️
scripts/linting/Modules/AdrConsistency.psm1	92.07%	18 Missing ⚠️
...ect-planning/adr-author/scripts/render_template.py	81.92%	15 Missing ⚠️
...-planning/adr-author/scripts/normalize_template.py	83.13%	14 Missing ⚠️
scripts/linting/Modules/AdrBodyParser.psm1	93.04%	8 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1554      +/-   ##
==========================================
- Coverage   85.50%   82.54%   -2.97%     
==========================================
  Files          82       66      -16     
  Lines       11805     8586    -3219     
==========================================
- Hits        10094     7087    -3007     
+ Misses       1711     1499     -212     

Flag	Coverage Δ
pester	82.73% <70.13%> (-0.94%)	⬇️
pytest	80.06% <80.06%> (-8.63%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
scripts/linting/Modules/FrontmatterValidation.psm1	96.07% <100.00%> (+0.02%)	⬆️
scripts/linting/Validate-SkillStructure.ps1	94.46% <100.00%> (ø)
scripts/plugins/Generate-Plugins.ps1	72.67% <100.00%> (ø)
scripts/linting/Modules/AdrBodyParser.psm1	93.04% <93.04%> (ø)
...-planning/adr-author/scripts/normalize_template.py	83.13% <83.13%> (ø)
...ect-planning/adr-author/scripts/render_template.py	81.92% <81.92%> (ø)
scripts/linting/Modules/AdrConsistency.psm1	92.07% <92.07%> (ø)
scripts/linting/Validate-MarkdownFrontmatter.ps1	73.26% <31.25%> (-4.97%)	⬇️
...ject-planning/adr-author/scripts/update_lineage.py	81.31% <81.31%> (ø)
...lanning/adr-author/scripts/validate_frontmatter.py	77.69% <77.69%> (ø)
... and 1 more

... and 24 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[katriendg]

Thanks for this thorough restructure! The phased Frame → Decide → Govern architecture is well-designed, and the alignment with peer planners is solid. Python scripts have proper path-traversal guards, the pyproject.toml meets all Coding Agent Environment requirements (ruff, pytest, fuzz harness, fuzz dependency group), and the atomic supersession lineage handling is clean.

A few prompt-builder convention and distribution portability items noted inline — mostly frontmatter alignment and replacing .github/ repo-root-relative paths with relative or semantic references so the artifacts resolve correctly when distributed via Extension or Plugin.

[katriendg]

Prompt-builder frontmatter alignment (RI-01 through RI-06)

Several fields diverge from the conventions in prompt-builder.instructions.md and from peer planners (Security, RAI, SSSC):

1. name: ADR Creator — The H1 says # ADR Planner and adr-identity.instructions.md names it "ADR Planner". Suggest aligning to ADR Planner.

2. description: — Attribution suffix should be - Brought to you by microsoft/hve-core (dash prefix, no trailing period).

3. tools: — Uses legacy names (edit, search, runCommands, etc.). Peer planners use the newer granular names (read, edit/createFile, edit/editFiles, execute/runInTerminal, search, web, agent).

4. agents: — Should use the human-readable name from the subagent’s name: frontmatter, not a glob path. All peer planners use - Researcher Subagent.

5. handoffs: — Should use structured objects with label, agent, and optionally prompt/send — not bare file paths. See RAI Planner and SSSC Planner for the pattern.

Suggested:

name: ADR Planner
description: 'ADR Planner: phase-gated planner producing standards-aligned Architecture Decision Records (Frame, Decide, Govern) - Brought to you by microsoft/hve-core'
tools:
  - read
  - edit/createFile
  - edit/editFiles
  - execute/runInTerminal
  - search
  - web
  - agent
agents:
  - Researcher Subagent
handoffs:
  - label: "Task Planner"
    agent: Task Planner
  - label: "RAI Planner"
    agent: RAI Planner
  - label: "Security Planner"
    agent: Security Planner

[WilliamBerryiii]

Thanks for the review. Item-by-item:

RI-01 (name → "ADR Planner") — Declined. Canonical name is "ADR Creator" across the codebase: H1 and name: line of .github/instructions/project-planning/adr-identity.instructions.md, this agent's H1, the Handoff Peers table in .github/instructions/project-planning/adr-handoff.instructions.md, .github/skills/project-planning/adr-author/SKILL.md, and ~20 other references. "ADR Planner" doesn't appear anywhere — happy to revisit if you can point at the source.

RI-02 (description suffix) — Applied. handoff. Brought to you by microsoft/hve-core. → handoff - Brought to you by microsoft/hve-core (dash prefix, no trailing period).

RI-03 (tools granular) — Already satisfied before this review (commit 8573a30d). Current frontmatter: read, edit/createFile, edit/createDirectory, edit/editFiles, execute/runInTerminal, execute/getTerminalOutput, search, web, agent. No legacy names remain.

RI-04 (agents human-readable) — Already satisfied: agents: - Researcher Subagent. No glob path present.

RI-05 (structured handoffs) — Applied. Added handoffs: frontmatter for the three documented Govern-phase peers (Task Planner, RAI Planner, Security Planner) per the Handoff Peers table in adr-handoff.instructions.md. Frontmatter declares availability; body text retains the instruction-driven language because dispatch is conditional on Govern-phase findings.

[WilliamBerryiii]

Thanks for the review. Item-by-item:

RI-01 (name → "ADR Planner") — Declined. Canonical name is "ADR Creator" across the codebase: H1 and name: line of .github/instructions/project-planning/adr-identity.instructions.md, this agent's H1, the Handoff Peers table in .github/instructions/project-planning/adr-handoff.instructions.md, .github/skills/project-planning/adr-author/SKILL.md, and ~20 other references. "ADR Planner" doesn't appear anywhere — happy to revisit if you can point at the source.

RI-02 (description suffix) — Applied. handoff. Brought to you by microsoft/hve-core. → handoff - Brought to you by microsoft/hve-core (dash prefix, no trailing period).

RI-03 (tools granular) — Already satisfied before this review (commit 8573a30d). Current frontmatter: read, edit/createFile, edit/createDirectory, edit/editFiles, execute/runInTerminal, execute/getTerminalOutput, search, web, agent. No legacy names remain.

RI-04 (agents human-readable) — Already satisfied: agents: - Researcher Subagent. No glob path present.

RI-05 (structured handoffs) — Applied. Added handoffs: frontmatter for the three documented Govern-phase peers (Task Planner, RAI Planner, Security Planner) per the Handoff Peers table in adr-handoff.instructions.md. Frontmatter declares availability; body text retains the instruction-driven language because dispatch is conditional on Govern-phase findings.

[github-actions]

Dependency Review

New Python Skill: adr-author (pyproject.toml)

All newly introduced Python dependencies were reviewed against the four dependency review dimensions.

New Dependencies

Dependency	Group	Pinning	License	Assessment
pyyaml>=6	runtime	floor-pinned	MIT	✅ Widely used, actively maintained, no known CVEs at v6+. No existing YAML library in the repo skill surface to duplicate.
jsonschema>=4	runtime	floor-pinned	MIT	✅ Widely used, actively maintained. No existing JSON Schema library in the skill surface.
ruff>=0.6	dev	floor-pinned	MIT	✅ Already the repo-wide Python linter (npm run lint:py). Consistent choice.
pytest>=8	dev	floor-pinned	MIT	✅ Standard test framework, consistent with other Python skills in the repo.
pytest-mock>=3	dev	floor-pinned	MIT	✅ Standard mocking extension.
pytest-cov>=5	dev	floor-pinned	MIT	✅ Standard coverage extension.
atheris>=3.0	fuzz (isolated)	floor-pinned	Apache-2.0	✅ Apache-2.0 is compatible with the project's MIT license. Correctly isolated in a separate fuzz dependency group (not installed by default, manylinux-only wheels excluded from macOS as noted).

All runtime and dev licenses are MIT-compatible. No dependency duplicates existing skill functionality. No new top-level package.json runtime or dev dependencies were introduced.

Version Updates

No existing dependencies were bumped in this PR.

SHA Pinning Compliance

No GitHub Actions workflow files, .devcontainer/ files, or copilot-setup-steps.yml were modified by this PR. SHA pinning compliance is not in scope for this change.

Devcontainer / Setup Alignment

No devcontainer or copilot-setup-steps.yml changes were made. No synchronization review required.

---

Verdict: No issues found. All safety checks pass.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

• #1554 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

Generated by Dependabot PR Review for issue #1554 · ● 468.9K