feat(agents): security-planner SSSC parity (stacked on PR A and #1497)#1642
Open
WilliamBerryiii wants to merge 23 commits into
Open
feat(agents): security-planner SSSC parity (stacked on PR A and #1497)#1642WilliamBerryiii wants to merge 23 commits into
WilliamBerryiii wants to merge 23 commits into
Conversation
…idation Bring the SSSC Planner to feature parity with the RAI Planner across identity, disclaimers, footers, phase prompts, handoff signing, validation, and docs. Changes by RAI #1287 category: 1. Identity and state — Update sssc-identity.instructions.md to add signingRequested, signingManifestPath, and disclaimer acknowledgment fields in the state schema; add a JSON schema (sssc-state.schema.json) for validation; align session recovery and orchestration language with RAI. 2. Disclaimer infrastructure — Register sssc-full-disclaimer in .github/config/disclaimers.yml so the SSSC handoff renders the same professional-review notice tier RAI uses. 3. Footer tier — Add sssc-handoff-with-disclaimer to .github/config/footer-with-review.yml (Tier 1 + checkbox + Tier 2 disclaimer, scoped to .github/instructions/security/sssc-*); rename the companion RAI tier human-facing-with-disclaimer to rai-handoff-with-disclaimer for naming symmetry. 4. Phase instructions and prompts — Refresh sssc-{assessment,gap-analysis, standards,backlog,handoff}.instructions.md and sssc-{capture,from-brd, from-prd,from-security-plan}.prompt.md for the parity flow, signing prompts, and disclaimer wiring. 5. Handoff signing — Update sssc-handoff.instructions.md Phase 6 to invoke pwsh scripts/security/Sign-PlannerArtifacts.ps1 with the SSSC manifest and to record signingRequested / signingManifestPath in state. 6. Signing script and tests — Add scripts/security/Sign-PlannerArtifacts.ps1 (planner-agnostic cosign wrapper) plus scripts/tests/security/Sign-PlannerArtifacts.Tests.ps1. 7. Validation — Extend scripts/tests/linting/Validate-PlannerArtifacts.Tests.ps1 to cover the new SSSC tier, the renamed RAI tier, and the JSON schema. 8. Documentation and generated outputs — Update sssc-planner.agent.md, the docs/agents/sssc-planning overview, collection markdown for hve-core-all, project-planning, and security, regenerate the matching plugins/ READMEs, and add SSSC terms to .cspell.json. Validation: targeted Pester suite Validate-PlannerArtifacts.Tests.ps1 = 31/31 PASS; lint:yaml, lint:md, lint:ps, lint:frontmatter, lint:collections-metadata, lint:marketplace, lint:version-consistency, lint:permissions, lint:dependency-pinning, lint:py, spell-check, plugin:validate all PASS. 🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.
…ction descriptions 🔧 - Generated by Copilot
…able-formatter 🎨 - Generated by Copilot
…th Pester coverage - replace npm script with pwsh wrapper at scripts/linting/Format-MarkdownTables.ps1 - add 13 Pester tests covering empty repo, no-git, formatted/unformatted tables, dot-prefixed dirs, verbose mode - guard PS7 Start-Process flush race with WaitForExit + size-check retry + ReadAllText - surface stdout/stderr byte counts via Should -Because for diagnosability 🧪 - Generated by Copilot
- regenerate vulnerability and principle indexes across owasp-* and secure-by-design skill references - reformat tables in CUSTOM-AGENTS, instructions README, pull-request instructions - reformat skill READMEs (powerpoint corpus, video-to-gif examples, jql-reference, pr-reference REFERENCE) - reformat workflow README and doc-update-check tables 📐 - Generated by Copilot
- Replace removed outputPreferences references with userPreferences.targetSystem to match sssc-state.schema.json 🔒 - Generated by Copilot
…orecardProjection) - Replace removed adoptionPlaybook/executiveSummary references with the current sbom and scorecardProjection state slots 🔒 - Generated by Copilot
…-state schema - Move signingRequested under state and expand userPreferences to the five fields defined by sssc-state.schema.json 🔒 - Generated by Copilot
…ce test cleanup catch - Anchor repo-root boundary check on the OS directory separator to avoid prefix matches across sibling paths - Replace empty catch in Test-Format-MarkdownTables junction cleanup with Write-Verbose to satisfy PSAvoidUsingEmptyCatchBlock 🔒 - Generated by Copilot
- Add Node 24 setup with npm cache and npm ci so the Pester job has the toolchain expected by the test fixtures 🔒 - Generated by Copilot
…ADMEs - Bump ms.date to 2026-05-01 to clear freshness check warnings on these long-stable docs 🔒 - Generated by Copilot
🔒 - Generated by Copilot
…-parity # Conflicts: # .cspell.json # package.json
🔒 - Generated by Copilot
…oration-first planner openers Introduces a shared coaching-patterns instruction (applyTo rai/security/sssc plans) that encodes exploration-first opener conventions adapted from Design Thinking research methods. Bundles it into hve-core-all, project-planning, and security collections and regenerates plugin outputs. Adds a structural test asserting the file's frontmatter and nine canonical H2 sections.
…ner to sssc-planner Aligns the SSSC Planner with the RAI Planner's exploration-first coaching model. Updates the planner agent, identity/assessment/backlog instructions, and the four SSSC prompts (capture, from-brd, from-prd, from-security-plan) to share a single Phase 1 opener pattern, phase-gate transitions, and SSOT references. Adds a test asserting the inline state schema preserves five canonical context keys.
Introduces canonical JSON schema for Security Planner state.json with three lifecycle fixtures (phase-1 minimal, phase-4 mid, phase-6 complete) and a Pester contract suite. Asserts byte-identical disclaimerShownAt property definitions between security-state and rai-state schemas for cross-planner parity. Also adopts the local superset of ai-artifact-config.schema.json to resolve the cross-PR schema conflict. Signed-off-by: williamberryiii <wberry@microsoft.com>
Brings the security-planner agent, its supporting instructions, and the shared RAI capture-coaching guidance up to the same phase-gate, state, and question-cadence parity established by the sssc-planner work in PR #1497. Bundles the planner-startup, cadence, risk-grid, and schema test suites that guard those conventions. Stacked on PR #1638 (security-state-schema); intended to merge after the PR #1497 -> PR A cascade completes.
34 tasks
Adds a Common Pitfalls row to docs/rpi/task-reviewer.md so reviewers expand `-ForEach` arity before flagging a Pester suite as undersized, and annotates the five planner-linter test files with explicit effective-case-count `.NOTES` so the same false positive doesn't recur on visual inspection. Addresses CR-01 and MJ-01 from the phase-3.1 validation log on PR #1642.
This was referenced May 24, 2026
WilliamBerryiii
force-pushed
the
stack/security-state-schema
branch
from
7312381 to
f170c50
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Brings the
security-planneragent, its supporting instructions, and the shared RAI capture-coaching guidance up to the same phase-gate, state, and question-cadence parity established by thesssc-plannerwork in PR #1497. Bundles the planner-startup, cadence Rule 5 ordering, risk-grid grammar, and state-schema test suites that guard those conventions going forward.Stacking
stack/security-state-schema(PR feat(planning): add Security Planner state schema with contract suite and fixtures #1638, "PR A")Changes
Modified (10):
.github/agents/security/security-planner.agent.md.github/instructions/security/identity.instructions.md.github/instructions/security/security-model.instructions.md.github/instructions/security/backlog-handoff.instructions.md.github/instructions/rai-planning/rai-capture-coaching.instructions.md.github/prompts/security/security-capture.prompt.md.github/prompts/security/security-plan-from-prd.prompt.mdplugins/hve-core-all/README.md(auto-regen)plugins/project-planning/README.md(auto-regen)plugins/security/README.md(auto-regen)Added (5 Pester suites):
scripts/tests/linting/Test-PlannerStateSchema.Tests.ps1— 8 testsscripts/tests/linting/Test-PlannerStateSchemas.Tests.ps1— 4 testsscripts/tests/linting/Test-CadenceRule5Ordering.Tests.ps1— 2 testsscripts/tests/linting/Test-PlannerStartupBlocks.Tests.ps1— 6 testsscripts/tests/linting/Test-RiskGridGrammar.Tests.ps1— 7 testsValidation
npm run plugin:validatenpm run lint:mdnpm run lint:frontmatternpm run lint:md-linksnpm run lint:psTest-PlannerStateSchemaTest-PlannerStateSchemasTest-CadenceRule5OrderingTest-PlannerStartupBlocksTest-RiskGridGrammarNotes for Reviewers
disclaimerShownAt: nullin identity state schema — Adds one line to the inline state schema inidentity.instructions.mdso the canonical state shape declares the field with a default. Full Disclaimer/Attribution Protocol prose that consumes the field remains in PR C (feat(instructions)!: disclaimer SSOT migration (stacked on #1497) #1639). Three-way overlap with PR feat(instructions)!: disclaimer SSOT migration (stacked on #1497) #1639 on this file is expected.Test-PlannerStateSchemas.Tests.ps1assertion direction — Authored draft usedShould -Not -Contain 'disclaimerShownAt'against therequiredarrays. Per plan decision DD-06/ID-02 (.copilot-tracking/plans/2026-05-22/stacked-prs-from-pr-1497-plan.instructions.mdline 41), the snapshot demotion ofdisclaimerShownAt/signingManifestPathfromrequiredwas rejected for uniformity acrosssecurity-state,rai-state, andsssc-stateschemas. Flipped both assertions toShould -Containso the test now affirms the documented uniformity decision. Schemas themselves are unchanged.Auto-regenerated plugin READMEs —
plugins/hve-core-all/README.md,plugins/project-planning/README.md, andplugins/security/README.mdreflect descriptive SSSC text drift produced bynpm run plugin:generate. Benign; produced by tooling.Sandbox/environment note — All Pester suites and pwsh-yaml-dependent lints (
plugin:generate,plugin:validate,lint:frontmatter,lint:md-links,lint:ps) require unsandboxed execution because thePowerShell-Yamlmodule is installed under~/.local/share/powershell/Modules.Merge Order
This PR is part of a 5-PR stack split from PR #1497. Merge in this order:
feat(scripts): security-planner state schema(base)feat(prompts): RAI disclaimer/attribution protocol(independent of B, but lands before B for review continuity)feat(agents): security-planner SSSC parity(depends on feat(planning): add Security Planner state schema with contract suite and fixtures #1638)Independent of the above sequence:
feat(scripts): risk-grid grammar enforcement(no shared files)chore(plugins): regenerated plugin READMEs(tooling output only)After #1638 and #1639 merge, rebase this branch onto
mainbefore merging.