Conversation
…best practices Agent-Logs-Url: https://github.com/Hack23/blacktrigram/sessions/45e0cafb-538a-44ae-ba59-fecf6b6792f3 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
…x 12 missing frontmatters; update agents/skills README with ISMS map Agent-Logs-Url: https://github.com/Hack23/blacktrigram/sessions/45e0cafb-538a-44ae-ba59-fecf6b6792f3 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
Dependency Review: No vulnerabilities or license issues or OpenSSF Scorecard issues found. Scanned files: none.
Pull request overview
Deepens Hack23 ISMS policy integration across repository-level Copilot agents and skills, adds the previously referenced-but-missing OSS governance and threat modeling skills, and standardizes YAML frontmatter across skills for consistent metadata.
Changes:
- Rewrites/expands repo agents to include explicit ISMS policy mapping, updated Copilot coding-agent workflow patterns, and standardized tools: ["*"].
- Adds new skills for open-source-governance and threat-modeling-enforcement, and registers them in the skills catalog.
- Adds YAML frontmatter to multiple existing skills and updates skills/agents index docs to reflect the expanded catalog.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/skills/vulnerability-management/SKILL.md | Adds YAML frontmatter metadata for vulnerability management skill. |
| .github/skills/typescript-strict-patterns/SKILL.md | Adds YAML frontmatter metadata for strict TypeScript enforcement skill. |
| .github/skills/threat-modeling-enforcement/SKILL.md | Introduces new threat modeling skill (STRIDE/MITRE/attack trees) and required artifacts. |
| .github/skills/secrets-management/SKILL.md | Adds YAML frontmatter metadata for secrets handling skill. |
| .github/skills/risk-assessment-frameworks/SKILL.md | Adds YAML frontmatter metadata for risk assessment skill. |
| .github/skills/open-source-governance/SKILL.md | Introduces new OSS governance skill (licenses, Scorecard, SBOM/SLSA, pinned actions/deps). |
| .github/skills/input-validation/SKILL.md | Adds YAML frontmatter metadata for boundary input validation skill. |
| .github/skills/incident-response/SKILL.md | Adds YAML frontmatter metadata for incident response skill. |
| .github/skills/gdpr-compliance/SKILL.md | Adds YAML frontmatter metadata for GDPR/NIS2/CRA-oriented compliance skill. |
| .github/skills/documentation-standards/SKILL.md | Adds YAML frontmatter metadata for documentation standards skill. |
| .github/skills/data-protection/SKILL.md | Adds YAML frontmatter metadata for data protection skill. |
| .github/skills/code-quality-excellence/SKILL.md | Adds YAML frontmatter metadata for code quality skill. |
| .github/skills/ai-governance/SKILL.md | Adds YAML frontmatter metadata for AI governance skill. |
| .github/skills/accessibility-wcag-patterns/SKILL.md | Adds YAML frontmatter metadata for WCAG accessibility skill. |
| .github/skills/README.md | Updates skill catalog: adds ISMS policy map, registers new skills, version bump. |
| .github/agents/testing-agent.md | Enhances testing agent guidance with ISMS-linked security testing patterns and updated stack references. |
| .github/agents/test-engineer.md | Expands CI/testing gate strategy (SAST/SCA/licensing/Scorecard) and coverage threshold guidance. |
| .github/agents/task-agent.md | Updates orchestration agent to document modern Copilot coding-agent workflows and adds ISMS policy map. |
| .github/agents/security-specialist.md | Expands supply-chain + application security guidance with ISMS policy stewardship and EU alignment. |
| .github/agents/korean-martial-arts-expert.md | Broadens martial arts scope and adds governance/safety framing and authenticity standards. |
| .github/agents/game-developer.md | Updates game-dev agent with deterministic loop/physics guidance, observability, and ISMS references. |
| .github/agents/frontend-specialist.md | Strengthens secure UI boundary rules, WCAG guidance, and ISMS references for frontend work. |
| .github/agents/documentation-writer.md | Expands documentation portfolio expectations (C4 current/future) and ISMS traceability requirements. |
| .github/agents/coding-agent.md | Updates coding agent with explicit ISMS alignment, secure coding standards, and updated project structure guidance. |
| .github/agents/code-review-agent.md | Expands review checklist to include ISMS policy references and supply-chain/security/a11y gates. |
| .github/agents/README.md | Updates agent catalog to reflect 29 skills, ISMS policy integration, and session-level MCP configuration guidance. |
| const FIXED_STEP = 1 / 60; | ||
| const MAX_DELTA = 1 / 30; // clamp to prevent spiral-of-death | ||
| let accumulator = 0; | ||
|
|
||
| ``` | ||
| useFrame((state, delta) => { | ||
| const dt = Math.min(delta, 0.05); // clamp to prevent spiral-of-death | ||
| const dt = Math.min(delta, MAX_DELTA); | ||
| accumulator += dt; | ||
| while (accumulator >= FIXED_STEP) { | ||
| physicsStep(FIXED_STEP); // deterministic physics | ||
| physicsStep(FIXED_STEP); // deterministic physics | ||
| accumulator -= FIXED_STEP; | ||
| } | ||
| interpolateRender(accumulator / FIXED_STEP); // smooth visual | ||
| interpolateRender(accumulator / FIXED_STEP); |
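Review bot: with FIXED_STEP = 1 / 60 and MAX_DELTA = 1 / 30, the while loop can run at most two physicsStep calls per frame, and any frame time above roughly 33 ms is discarded rather than carried in accumulator, so simulated time falls behind wall-clock whenever frames stay slow. That is the intended cost of the clamp, but the comment on MAX_DELTA only says "clamp to prevent spiral-of-death"; extend it to state that excess frame time is dropped and game time slows (no catch-up), so nobody later raises MAX_DELTA expecting the loop to catch up. Replacing the literal 0.05 with the named constant is good, but note that 0.05 allowed three steps per frame and 1 / 30 allows two, so this is also a behaviour change worth a line in the PR description.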
The fixed-timestep useFrame example uses a plain let accumulator = 0; in the snippet. In a React component this value can reset on re-render and can also be confusing about lifetime/ownership. Consider modeling accumulator as a ref (and similarly any step state) so the example is copy-paste safe and matches React+R3F patterns for persistent mutable state.
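The persistent-accumulator version the comment above asks for, as an added example that is not code from the blacktrigram project: a framework-free stepper (createFixedStepper and simulate are names chosen here) that keeps the accumulator in a closure, which is the role a React ref plays inside a useFrame callback, plus a constructed run showing that 60 fps and 30 fps frame patterns reach the same physics state while a stalled frame is clamped to two steps and shows up as drift between wall-clock and simulated time. It goes a little beyond the snippet by measuring that drift, since the clamp trades catch-up for stability.

```javascript
// Added example, not code from the blacktrigram repo: a framework-free
// fixed-timestep stepper whose accumulator lives in a closure, the same
// persistent-state role a React ref plays inside a useFrame callback.
const FIXED_STEP = 1 / 60;
const MAX_DELTA = 1 / 30; // clamp: at most 2 physics steps per frame

function createFixedStepper(step = FIXED_STEP, maxDelta = MAX_DELTA) {
  let accumulator = 0; // leftover time not yet simulated, persists across frames
  let simTime = 0;     // simulated time actually advanced
  let wallTime = 0;    // frame time as reported by the renderer
  return {
    // Call once per rendered frame with that frame's delta in seconds.
    frame(delta, physicsStep) {
      wallTime += delta;
      accumulator += Math.min(delta, maxDelta); // time above the clamp is never simulated
      let steps = 0;
      while (accumulator >= step) {
        physicsStep(step); // every step uses the same dt, so results are reproducible
        accumulator -= step;
        simTime += step;
        steps += 1;
      }
      // alpha in [0, 1): how far into the next step we are, for render interpolation
      return { steps, alpha: accumulator / step };
    },
    // How far the simulation lags wall-clock; grows only when frames were clamped.
    drift() {
      return wallTime - simTime;
    },
  };
}

// Constructed input: a body moving at 10 units/s, driven by a list of frame deltas.
// Different frame patterns covering the same wall-clock time must yield the same
// position, because the physics never sees anything but FIXED_STEP.
function simulate(deltas) {
  const stepper = createFixedStepper();
  let x = 0;
  let totalSteps = 0;
  let lastAlpha = 0;
  for (const delta of deltas) {
    const { steps, alpha } = stepper.frame(delta, (dt) => {
      x += 10 * dt;
    });
    totalSteps += steps;
    lastAlpha = alpha;
  }
  return { x, totalSteps, lastAlpha, drift: stepper.drift() };
}
```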
|
|
||
| ### ๐๏ธ Architecture & Documentation | ||
|
|
||
| #### 13. [c4-architecture-documentation](./c4-architecture-documentation/SKILL.md) |
The skill catalog numbering is now duplicated: after adding items "#### 13" and "#### 14" in the Security & Compliance section, the Architecture & Documentation section still starts at "#### 13" / "#### 14". This makes cross-references ambiguous and will drift further as new skills are added. Consider renumbering subsequent sections to keep a single monotonic sequence across the whole catalog (or remove the numeric prefixes entirely and rely on headings/anchors).
| #### 13. [c4-architecture-documentation](./c4-architecture-documentation/SKILL.md) | |
| #### 15. [c4-architecture-documentation](./c4-architecture-documentation/SKILL.md) |
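Review bot: renumbering this heading from "#### 13." to "#### 15." also changes its auto-generated anchor, since the number is part of the heading slug, so any link in the catalog or elsewhere in the repo that pointed at the old "13-c4-architecture-documentation" anchor needs updating in the same change, and the headings that follow in this section need the same +2 shift so the sequence stays monotonic.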
Automated UI Screenshots: 8 screenshots captured; all screenshots can be downloaded from the workflow artifacts. Generated by Playwright automation.
Repo-level agents were shallow on ISMS policy context, missed modern Copilot coding-agent features, and referenced two skills (open-source-governance, threat-modeling-enforcement) that didn't exist. 12 skills also lacked YAML frontmatter.

Agents (10 rewritten, tools: ["*"], no mcp-servers block, all < 10 KB)
- task-agent → documents assign_copilot_to_issue / create_pull_request_with_copilot with base_ref, custom_instructions, custom_agent; stacked-PR chaining; get_copilot_job_status
- coding-agent / frontend-specialist → OWASP Top 10, CWE Top 25, input validation at boundaries, no dangerouslySetInnerHTML with user data, CSP-friendly patterns
- game-developer → fixed-timestep physics, delta clamping, seeded PRNG for deterministic combat, resource disposal
- testing-agent / test-engineer → SAST/DAST/SCA gates, per-module coverage thresholds, regression test for every remediated CVE, pinned actions
- security-specialist → OSSF Scorecard ≥ 8 targets, license allow-list, CRA/NIS2/GDPR/EU AI Act, incident SLAs
- code-review-agent → security checklist tied to Secure Development Policy §3.3/§3.4
- documentation-writer → full 12-doc C4 portfolio (current + future), ISMS evidence currency
- korean-martial-arts-expert → 11 martial arts, safety framing, educational vs how-to-harm distinction

Skills (29 total)
- skills/open-source-governance/SKILL.md → license allow-list, OSSF Scorecard posture, pinned deps + pinned actions (SHA), CycloneDX SBOM, signed releases, community-respect rules; ISO 27001 A.5.19–22, NIST CSF GV.SC, CIS 2/7/16, SLSA L3, EU CRA Annex I
- skills/threat-modeling-enforcement/SKILL.md → STRIDE per trust boundary, MITRE ATT&CK mapping (web + T1195.x supply chain), attack trees in Mermaid, DFD currency rules, quarterly + post-incident cadence
- frontmatter added to the 12 skills (ai-governance, accessibility-wcag-patterns, code-quality-excellence, data-protection, documentation-standards, gdpr-compliance, incident-response, input-validation, risk-assessment-frameworks, secrets-management, typescript-strict-patterns, vulnerability-management)

Index docs
- agents/README.md → corrected MCP description (session-level via .github/copilot-mcp.json, not per-agent frontmatter), normalized all Tool Access rows to ["*"], added ISMS policy table, removed stale MCP mermaid; kept < 30 KB
- skills/README.md → added ISMS Policy Map, registered the two new skills (#13, #14), bumped to v2.1

Frontmatter shape used for repo-level agents
No mcp-servers block: MCP is session-level, uniform across agents.