microsoft · WilliamBerryiii · May 23, 2026
@@ -16,6 +16,23 @@ Core responsibilities:
 
 Voice: clear, methodical, and security-focused. Communicate with professional authority while keeping guidance accessible and actionable.
 
+## Disclaimer and Attribution Protocol
+
+### Session Start Display
+
+On the first turn of any Security Planner session, display the canonical Security Planning disclaimer block defined in [.github/instructions/shared/disclaimer-language.instructions.md](../shared/disclaimer-language.instructions.md) verbatim. Record the display by setting `state.disclaimerShownAt` to an ISO 8601 timestamp. Do not advance to any phase work before the disclaimer is shown for the session.
+
+### Exit Point Reminder
+
+At each of the following exit points, re-surface a brief one-line professional-review reminder. Use the canonical wording in [.github/instructions/shared/disclaimer-language.instructions.md](../shared/disclaimer-language.instructions.md) (Security Planning section) for the reminder text.
+
+1. **Phase 6 completion (handoff success path)** — Display the reminder immediately before presenting the final handoff summary.
+2. **Compact handoff** — Display the reminder when the orchestrator hands off to ADO or GitHub backlog workflows.
+3. **Error exit** — Display the reminder on any unrecoverable error path before terminating the session.
+4. **User-initiated exit** — Display the reminder when the user explicitly stops the session or switches agents.
+
+Each reminder must state that the generated plan is AI-assisted and requires professional security review before execution.
+
 ## Six-Phase Definitions
 
 Each phase has entry criteria, activities, exit criteria, artifacts produced, and a defined transition.

@@ -7,6 +7,20 @@ applyTo: '**/.copilot-tracking/rai-plans/**, **/.copilot-tracking/security-plans
 
 Planning agents that generate assessments requiring professional review display a CAUTION block during startup. Each section contains the verbatim disclaimer for the corresponding planner. Prompt files and agents reference the appropriate section via `#file:` to ensure consistent presentation across all entry points.
 
+<!--
+Authoring contract (parsed by scripts/linting/Validate-PlannerArtifacts.ps1):
+
+- Each planner gets exactly one H2 section. The first whitespace-delimited word of the heading, lowercased, is the slug. Examples: "RAI Planning" -> "rai"; "Security Planning" -> "security"; "SSSC Planning" -> "sssc".
+- The slug derives three downstream identifiers used by ai-artifact footer validation:
+  - planner key: `{slug}-planner`
+  - disclaimer id: `{slug}-full-disclaimer`
+  - disclaimer label: `{heading} Disclaimer` (full heading, not slug)
+- Each H2 section must contain exactly one `> [!CAUTION]` blockquote. Only the first CAUTION block in a section is extracted; additional CAUTION blocks within the same H2 are ignored.
+- The CAUTION block's prose should begin with `**Disclaimer:**` (the trailing colon is optional). This prefix is stripped before the text is matched against artifact footers; prose without it is retained verbatim.
+- Multi-line blockquote prose is joined with single spaces. Keep wrapping natural for source readability.
+-->
+
+
 ## RAI Planning
 
 > [!CAUTION]

@@ -141,10 +141,10 @@ Use this edition when you want access to everything without choosing a focused c
 | **security-review-llm**                         | Runs OWASP LLM and Agentic vulnerability assessments with codebase profiling for context                                                         |
 | **security-review-sbd**                         | Runs a Secure by Design principles assessment based on UK and Australian government guidance                                                     |
 | **security-review-web**                         | Runs an OWASP Top 10 web vulnerability assessment without codebase profiling                                                                     |
-| **sssc-capture**                                | Start a new SSSC assessment via guided conversation using the SSSC Planner agent in capture mode                                                 |
-| **sssc-from-brd**                               | Start an SSSC assessment from existing BRD artifacts using the SSSC Planner agent                                                                |
-| **sssc-from-prd**                               | Start an SSSC assessment from existing PRD artifacts using the SSSC Planner agent                                                                |
-| **sssc-from-security-plan**                     | Extend a Security Planner assessment with supply chain coverage using the SSSC Planner agent                                                     |
+| **sssc-capture**                                | Initiate supply chain security planning from existing knowledge using the SSSC Planner agent in capture mode                                     |
+| **sssc-from-brd**                               | Initiate supply chain security planning from existing BRD artifacts using the SSSC Planner agent in from-brd mode                                |
+| **sssc-from-prd**                               | Initiate supply chain security planning from existing PRD artifacts using the SSSC Planner agent in from-prd mode                                |
+| **sssc-from-security-plan**                     | Extend a Security Planner assessment with supply chain coverage using the SSSC Planner agent in from-security-plan mode                          |
 | **synth-data-generate**                         | Generate comprehensive synthetic data for any specified subject with realistic patterns and relationships                                        |
 | **task-challenge**                              | Adversarial What/Why/How interrogation of completed implementation artifacts                                                                     |
 | **task-implement**                              | Locates and executes implementation plans using Task Implementor                                                                                 |
@@ -255,7 +255,7 @@ Use this edition when you want access to everything without choosing a focused c
 | **security/sssc-gap-analysis**                           | Phase 4 gap comparison, adoption categorization, and effort sizing for SSSC Planner.                                                                                                                                                                        |
 | **security/sssc-handoff**                                | Phase 6 backlog handoff protocol with Scorecard projections and dual-format output for SSSC Planner.                                                                                                                                                        |
 | **security/sssc-identity**                               | Identity and orchestration instructions for the SSSC Planner agent. Contains six-phase workflow, state.json schema, session recovery, and question cadence.                                                                                                 |
-| **security/sssc-standards**                              | Phase 3 OpenSSF Scorecard, SLSA, Best Practices Badge, Sigstore, and SBOM standards mapping for SSSC Planner.                                                                                                                                               |
+| **security/sssc-standards**                              | Phase 3 OpenSSF Scorecard, SLSA v1.0, OpenSSF Best Practices Badge, Sigstore (cosign), and NTIA SBOM minimum elements standards mapping for SSSC Planner.                                                                                                   |
 | **security/standards-mapping**                           | Embedded OWASP and NIST security standards with researcher subagent delegation for CIS, WAF, CAF, and other runtime lookups                                                                                                                                 |
 | **shared/coaching-patterns**                             | Shared exploration-first coaching patterns for planning agents (RAI, security, SSSC) adapted from Design Thinking research methods                                                                                                                          |
 | **shared/disclaimer-language**                           | Centralized disclaimer language for AI-assisted planning agents requiring professional review acknowledgment                                                                                                                                                |

@@ -46,10 +46,10 @@ Create architecture decision records, requirements documents, and diagrams - all
 | **risk-register**               | Creates a concise and well-structured qualitative risk register using a Probability × Impact (P×I) risk matrix.                                 |
 | **security-capture**            | Initiate security planning from existing notes or knowledge using the Security Planner agent in capture mode                                    |
 | **security-plan-from-prd**      | Initiate security planning from PRD/BRD artifacts using the Security Planner agent in from-prd mode                                             |
-| **sssc-capture**                | Start a new SSSC assessment via guided conversation using the SSSC Planner agent in capture mode                                                |
-| **sssc-from-brd**               | Start an SSSC assessment from existing BRD artifacts using the SSSC Planner agent                                                               |
-| **sssc-from-prd**               | Start an SSSC assessment from existing PRD artifacts using the SSSC Planner agent                                                               |
-| **sssc-from-security-plan**     | Extend a Security Planner assessment with supply chain coverage using the SSSC Planner agent                                                    |
+| **sssc-capture**                | Initiate supply chain security planning from existing knowledge using the SSSC Planner agent in capture mode                                    |
+| **sssc-from-brd**               | Initiate supply chain security planning from existing BRD artifacts using the SSSC Planner agent in from-brd mode                               |
+| **sssc-from-prd**               | Initiate supply chain security planning from existing PRD artifacts using the SSSC Planner agent in from-prd mode                               |
+| **sssc-from-security-plan**     | Extend a Security Planner assessment with supply chain coverage using the SSSC Planner agent in from-security-plan mode                         |
 
 ### Instructions
 
@@ -71,7 +71,7 @@ Create architecture decision records, requirements documents, and diagrams - all
 | **security/sssc-gap-analysis**           | Phase 4 gap comparison, adoption categorization, and effort sizing for SSSC Planner.                                                                                                                                                                        |
 | **security/sssc-handoff**                | Phase 6 backlog handoff protocol with Scorecard projections and dual-format output for SSSC Planner.                                                                                                                                                        |
 | **security/sssc-identity**               | Identity and orchestration instructions for the SSSC Planner agent. Contains six-phase workflow, state.json schema, session recovery, and question cadence.                                                                                                 |
-| **security/sssc-standards**              | Phase 3 OpenSSF Scorecard, SLSA, Best Practices Badge, Sigstore, and SBOM standards mapping for SSSC Planner.                                                                                                                                               |
+| **security/sssc-standards**              | Phase 3 OpenSSF Scorecard, SLSA v1.0, OpenSSF Best Practices Badge, Sigstore (cosign), and NTIA SBOM minimum elements standards mapping for SSSC Planner.                                                                                                   |
 | **security/standards-mapping**           | Embedded OWASP and NIST security standards with researcher subagent delegation for CIS, WAF, CAF, and other runtime lookups                                                                                                                                 |
 | **shared/coaching-patterns**             | Shared exploration-first coaching patterns for planning agents (RAI, security, SSSC) adapted from Design Thinking research methods                                                                                                                          |
 | **shared/disclaimer-language**           | Centralized disclaimer language for AI-assisted planning agents requiring professional review acknowledgment                                                                                                                                                |