8 changes: 7 additions & 1 deletion .cspell.json
Expand Up @@ -77,7 +77,13 @@
"whiteboarding",
"ˈpræksɪs",
"πρᾶξις",
"agentic"
"agentic",
"sssc",
"SSSC",
"SLSA",
"Sigstore",
"cosign",
"scorecard"
],
"reporters": [
"default",
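Review bot: `"sssc"` and `"SSSC"` are both added to the word list. cspell matches case-insensitively unless `caseSensitive` is enabled, and nothing in the visible part of this config enables it, so one of the two entries should be enough. Keeping a single entry per term also makes later clean-up of this list easier.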
68 changes: 34 additions & 34 deletions .github/CUSTOM-AGENTS.md
Expand Up @@ -38,30 +38,30 @@ Select from the **agent picker dropdown** in the Chat view:

The Research-Plan-Implement (RPI) workflow provides a structured approach to complex development tasks.

| Agent | Purpose | Key Constraint |
|----------------------|-------------------------------------------------------------------|------------------------------------------------|
| **rpi-agent** | Autonomous agent with subagent delegation for complex tasks | Requires a subagent tool enabled |
| **task-researcher** | Produces research documents with evidence-based recommendations | Research-only; never plans or implements |
| **task-planner** | Creates 3-file plan sets (plan, details, prompt) | Requires research first; never implements code |
| **task-implementor** | Executes implementation plans with subagent delegation | Requires completed plan files |
| **task-reviewer** | Validates implementation against research and plan specifications | Requires research/plan artifacts |
| Agent | Purpose | Key Constraint |
|----------------------|-------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|
| **rpi-agent** | Autonomous agent with subagent delegation for complex tasks | Requires a subagent tool enabled |
| **task-researcher** | Produces research documents with evidence-based recommendations | Research-only; never plans or implements |
| **task-planner** | Creates 3-file plan sets (plan, details, prompt) | Requires research first; never implements code |
| **task-implementor** | Executes implementation plans with subagent delegation | Requires completed plan files |
| **task-reviewer** | Validates implementation against research and plan specifications | Requires research/plan artifacts |
| **task-challenger** | Adversarial questioning agent that interrogates completed implementations with What/Why/How questions | Experimental; no suggestions, hints, or leading questions |

### Documentation and Planning Agents

| Agent | Purpose | Key Constraint |
|----------------------------------|------------------------------------------------------------------------------|-------------------------------------------------------|
| **adr-creation** | Interactive ADR coaching with guided discovery | Socratic coaching approach |
| **brd-builder** | Creates Business Requirements Documents with reference integration | Solution-agnostic requirements focus |
| **doc-ops** | Documentation operations and maintenance | Does not modify source code |
| **meeting-analyst** | Analyzes meeting transcripts to extract product requirements via work-iq-mcp | Experimental; requires work-iq-mcp EULA; transcripts may contain PII and confidential data, analysis files are unencrypted on disk |
| **prd-builder** | Creates Product Requirements Documents through guided Q&A | Iterative questioning; state-tracked sessions |
| **product-manager-advisor** | Requirements discovery, story quality, and prioritization guidance | Principles over format; delegates to prd/brd builders |
| **security-planner** | STRIDE-based security model analysis with standards mapping and backlog handoff | Six-phase conversational workflow; experimental |
| **sssc-planner** | Supply chain security assessment with 6-phase workflow against OpenSSF Scorecard, SLSA, Sigstore, and SBOM | Six-phase conversational workflow; experimental |
| **rai-planner** | Responsible AI assessment with 6-phase workflow against Microsoft Responsible AI Impact Assessment Guide and NIST AI RMF | Six-phase conversational workflow; experimental |
| **system-architecture-reviewer** | Reviews system designs for trade-offs and ADR alignment | Scoped review; delegates security concerns |
| **ux-ui-designer** | JTBD analysis, user journey mapping, and accessibility requirements | Research artifacts only; visual design in Figma |
| Agent | Purpose | Key Constraint |
|----------------------------------|--------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|
| **adr-creation** | Interactive ADR coaching with guided discovery | Socratic coaching approach |
| **brd-builder** | Creates Business Requirements Documents with reference integration | Solution-agnostic requirements focus |
| **doc-ops** | Documentation operations and maintenance | Does not modify source code |
| **meeting-analyst** | Analyzes meeting transcripts to extract product requirements via work-iq-mcp | Experimental; requires work-iq-mcp EULA; transcripts may contain PII and confidential data, analysis files are unencrypted on disk |
| **prd-builder** | Creates Product Requirements Documents through guided Q&A | Iterative questioning; state-tracked sessions |
| **product-manager-advisor** | Requirements discovery, story quality, and prioritization guidance | Principles over format; delegates to prd/brd builders |
| **security-planner** | STRIDE-based security model analysis with standards mapping and backlog handoff | Six-phase conversational workflow; experimental |
| **sssc-planner** | Supply chain security assessment with 6-phase workflow against OpenSSF Scorecard, SLSA, Sigstore, and SBOM | Six-phase conversational workflow; experimental |
| **rai-planner** | Responsible AI assessment with 6-phase workflow against Microsoft Responsible AI Impact Assessment Guide and NIST AI RMF | Six-phase conversational workflow; experimental |
| **system-architecture-reviewer** | Reviews system designs for trade-offs and ADR alignment | Scoped review; delegates security concerns |
| **ux-ui-designer** | JTBD analysis, user journey mapping, and accessibility requirements | Research artifacts only; visual design in Figma |

### Utility Agents
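Review bot: the **sssc-planner** row in the Documentation and Planning table keeps "Six-phase conversational workflow; experimental" as its Key Constraint, while the agent file in this same PR lets Phase 6 run `scripts/security/Sign-PlannerArtifacts.ps1` through `execute/runInTerminal`. This table is where a user decides which agent to pick, so the terminal execution and the optional cosign signing step belong in the row, the same way the meeting-analyst row spells out its data-handling caveats.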

Expand All @@ -71,14 +71,14 @@ The Research-Plan-Implement (RPI) workflow provides a structured approach to com

### Code and Review Agents

| Agent | Purpose | Key Constraint |
|--------------------------------|------------------------------------------------------------------|-------------------------------------------------------|
| **pr-review** | 4-phase PR review with tracking artifacts | Review-only; never modifies code |
| **prompt-builder** | Engineers and validates instruction/prompt files | Dual-persona system with auto-testing |
| **security-reviewer** | OWASP vulnerability assessment with subagent-driven verification | Delegates all reference reading to subagents |
| **code-review-functional** | Pre-PR branch diff reviewer for functional correctness and logic gaps | Review-only; five focus areas; optional artifact save |
| **code-review-full** | Orchestrator running functional + standards reviews via subagents | Merges both reports; delegates to subagents; experimental |
| **code-review-standards** | Skills-based standards reviewer for local changes and PRs | Findings must trace to a loaded skill; experimental |
| Agent | Purpose | Key Constraint |
|----------------------------|-----------------------------------------------------------------------|-----------------------------------------------------------|
| **pr-review** | 4-phase PR review with tracking artifacts | Review-only; never modifies code |
| **prompt-builder** | Engineers and validates instruction/prompt files | Dual-persona system with auto-testing |
| **security-reviewer** | OWASP vulnerability assessment with subagent-driven verification | Delegates all reference reading to subagents |
| **code-review-functional** | Pre-PR branch diff reviewer for functional correctness and logic gaps | Review-only; five focus areas; optional artifact save |
| **code-review-full** | Orchestrator running functional + standards reviews via subagents | Merges both reports; delegates to subagents; experimental |
| **code-review-standards** | Skills-based standards reviewer for local changes and PRs | Findings must trace to a loaded skill; experimental |

### Generator Agents
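Review bot: the rows of the Code and Review Agents table carry the same text before and after, so this hunk is column re-padding only. Consider moving the table realignment to its own commit (or noting in the PR description that it is formatter output), so that the behavioural changes to the sssc-planner agent are not reviewed alongside 34 lines of whitespace churn.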

Expand All @@ -91,12 +91,12 @@ The Research-Plan-Implement (RPI) workflow provides a structured approach to com

### Platform Integration Agents

| Agent | Purpose | Key Constraint |
|--------------------------|------------------------------------------------------------|-------------------------------------------------|
| **github-backlog-manager** | Consolidated GitHub backlog management with community interaction | Uses MCP GitHub tools |
| **jira-backlog-manager** | Consolidated Jira backlog management with workflow dispatch and handoff tracking | Uses Jira skill planning workflows |
| **ado-prd-to-wit** | Analyzes PRDs and plans Azure DevOps work item hierarchies | Planning-only; does not create work items |
| **jira-prd-to-wit** | Analyzes PRDs and plans Jira issue hierarchies | Planning-only; does not mutate Jira |
| Agent | Purpose | Key Constraint |
|----------------------------|----------------------------------------------------------------------------------|-------------------------------------------|
| **github-backlog-manager** | Consolidated GitHub backlog management with community interaction | Uses MCP GitHub tools |
| **jira-backlog-manager** | Consolidated Jira backlog management with workflow dispatch and handoff tracking | Uses Jira skill planning workflows |
| **ado-prd-to-wit** | Analyzes PRDs and plans Azure DevOps work item hierarchies | Planning-only; does not create work items |
| **jira-prd-to-wit** | Analyzes PRDs and plans Jira issue hierarchies | Planning-only; does not mutate Jira |

### Testing Agents

44 changes: 32 additions & 12 deletions .github/agents/security/sssc-planner.agent.md
Expand Up @@ -34,7 +34,9 @@ Phase-based conversational supply chain security planning agent that guides user

## Startup Announcement

Display the SSSC Planning CAUTION block from #file:../../instructions/shared/disclaimer-language.instructions.md verbatim at the start of every new conversation, before any questions or analysis.
Display the SSSC Planning CAUTION block from #file:../../instructions/shared/disclaimer-language.instructions.md verbatim at the start of every new conversation and whenever `disclaimerShownAt` is `null` in `state.json`, before any questions or analysis. After displaying the disclaimer, set `disclaimerShownAt` to the current ISO 8601 timestamp in `state.json`.

After the disclaimer, display the standards attribution: assessment is conducted against OpenSSF Scorecard, SLSA Build levels, OpenSSF Best Practices Badge, Sigstore keyless signing, and SBOM standards (CycloneDX and SPDX) as referenced in `sssc-standards.instructions.md`. Display both the disclaimer and attribution before any questions or analysis.

## Six-Phase Architecture
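Review bot: the Startup Announcement paragraph requires writing `disclaimerShownAt` to `state.json` "before any questions or analysis", but `state.json` lives in the project slug directory and the slug is not known at the start of a brand-new conversation. Say where the timestamp is held until the session directory exists, or state that it is written as soon as `state.json` is first created. The paragraph also does not say whether a later conversation overwrites an existing timestamp or keeps the first one; if the field is meant as evidence that the disclaimer was shown, pick one and document it. Minor: "before any questions or analysis" now appears in both added paragraphs.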

Expand Down Expand Up @@ -75,7 +77,7 @@ Generate actionable work items in dual format (ADO + GitHub) from identified gap

### Phase 6: Review and Handoff

Validate completeness, generate Scorecard improvement projections and SLSA level assessments, and hand off to backlog managers. Follow the handoff protocol in `sssc-handoff.instructions.md`.
Validate completeness, generate Scorecard improvement projections and SLSA level assessments, and hand off to backlog managers. Follow the handoff protocol in `sssc-handoff.instructions.md`. After handoff generation, offer cryptographic signing of all session artifacts. When the user accepts, invoke `scripts/security/Sign-PlannerArtifacts.ps1` via `execute/runInTerminal` with `-SessionPath '.copilot-tracking/sssc-plans/{project-slug}'` and `-ManifestName 'sssc-manifest.json'` to generate a SHA-256 manifest and optionally sign with cosign.

## Entry Modes
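Review bot: in the Phase 6 paragraph, `{project-slug}` is substituted into a command line that the agent runs through `execute/runInTerminal`, inside a single-quoted `-SessionPath` argument. The instruction should require that the slug is validated first (for example lower-case letters, digits and hyphens only) and that the resolved path stays under `.copilot-tracking/sssc-plans/`, so that a slug containing a quote or `..` cannot change the command or point the signing script at another directory. It would also help to say here that the outcome is recorded in the signing fields of `state.json` (`signingRequested`, `signingManifestPath`, added to the schema in the next hunk), and what the agent reports when cosign is unavailable, since the text only says signing is optional.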

Expand Down Expand Up @@ -131,7 +133,20 @@ State JSON schema for `state.json`:
},
"referencesProcessed": [],
"nextActions": [],
"userPreferences": { "autonomyTier": "partial" },
"signingRequested": false,
"signingManifestPath": null,
"disclaimerShownAt": null,
"userPreferences": {
"autonomyTier": "partial",
"outputDetailLevel": "standard",
"targetSystem": "both",
"audienceProfile": "mixed",
"includeOptionalArtifacts": {
"sbom": false,
"scorecardProjection": false,
"artifactSigning": false
}
},
"ssscEnabled": true,
"securityPlannerLink": null,
"raiPlannerLink": null
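Review bot: the new top-level keys `signingRequested`, `signingManifestPath` and `disclaimerShownAt` will be absent from every `state.json` written before this change, while the resume steps test for `disclaimerShownAt` being `null`. State that a missing key is treated the same as `null` (and a missing `signingRequested` as `false`), otherwise older sessions can skip the disclaimer. Separately, signing intent is now expressed twice, as `signingRequested` and as `userPreferences.includeOptionalArtifacts.artifactSigning`; document which one Phase 6 reads and which one wins if they disagree, or drop one of them.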
Expand Down Expand Up @@ -197,22 +212,24 @@ Subagents can run in parallel when researching independent standard domains.

### Session Resume

Four-step resume protocol when returning to an existing SSSC assessment:
Five-step resume protocol when returning to an existing SSSC assessment:

1. Read `state.json` from the project slug directory.
2. Display current phase progress and checklist status.
3. Summarize what was completed and what remains.
4. Continue from the last incomplete action.
2. If `disclaimerShownAt` is `null`, display the Startup Announcement verbatim and set `disclaimerShownAt` to the current ISO 8601 timestamp.
3. Display current phase progress and checklist status.
4. Summarize what was completed and what remains.
5. Continue from the last incomplete action.

### Post-Summarization Recovery

Five-step recovery when conversation context is compacted:
Six-step recovery when conversation context is compacted:

1. Read `state.json` to restore phase context.
2. Read existing artifacts (supply-chain-assessment.md, standards-mapping.md, gap-analysis.md, sssc-backlog.md) for accumulated findings.
3. Re-derive the current question set from the active phase.
4. Present a brief "Welcome back" summary with phase status.
5. Continue with the next question set.
2. If `disclaimerShownAt` is `null`, display the Startup Announcement verbatim and set `disclaimerShownAt` to the current ISO 8601 timestamp.
3. Read existing artifacts (supply-chain-assessment.md, standards-mapping.md, gap-analysis.md, sssc-backlog.md) for accumulated findings.
4. Re-derive the current question set from the active phase.
5. Present a brief "Welcome back" summary with phase status.
6. Continue with the next question set.

## Cross-Agent Integration
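Review bot: step 2 in both lists says to display "the Startup Announcement verbatim", but that section now has two parts: the CAUTION block, which is quoted verbatim from the disclaimer file, and the standards attribution, which is described rather than quoted. Say whether resume and recovery show both parts or only the CAUTION block. The step text is duplicated word for word in the two lists; pointing both at the Startup Announcement section would keep them from drifting apart.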

Expand All @@ -239,7 +256,10 @@ Reference `.github/instructions/security/sssc-handoff.instructions.md` for full
## Operational Constraints

* Create all files only under `.copilot-tracking/sssc-plans/{project-slug}/`.
* User-supplied reference content is persisted under `.copilot-tracking/sssc-plans/references/`, shared across all assessments. All phases check this folder for applicable content before completing phase work.
* Never modify application source code.
* Embedded standards (OpenSSF Scorecard, SLSA, Best Practices Badge, Sigstore, SBOM) are referenced directly from the sssc-standards instruction file.
* Delegate Microsoft Well-Architected Framework (WAF) and Cloud Adoption Framework (CAF) lookups to Researcher Subagent rather than embedding those standards.
* Reusable workflow references point to `microsoft/hve-core` and `microsoft/physical-ai-toolchain`. Verify workflow availability before recommending adoption.
* When recommending SHA-pinned action references, always include the version comment alongside the SHA for maintainability.
* When operating in `from-security-plan` mode, read security plan artifacts as read-only; never modify files under `.copilot-tracking/security-plans/`.
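Review bot: the bullet that persists user-supplied references under `.copilot-tracking/sssc-plans/references/` contradicts the bullet directly above it, which limits file creation to `.copilot-tracking/sssc-plans/{project-slug}/`. Reword the first bullet to name the shared `references/` folder as the one exception. Because that folder sits outside the `-SessionPath` passed to the signing script in Phase 6, also state whether reference content is meant to be covered by the SHA-256 manifest; as written, it is not.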