chore: add co-pilot review Instructions

marcoscaceres · marcoscaceres · commit c917efd307c2 · 2025-12-04T19:24:43.000+11:00
Add instructions for co-pilot for what to check for when doing reviews.
diff --git a/.github/AGENTS.md b/.github/AGENTS.md
@@ -0,0 +1,338 @@
+# Review Instructions for the Digital Credentials API Specification
+You are reviewing pull requests to a W3C specification.
+Follow the rules in the sections below.
+Flag issues, uncertainties, and inconsistencies, and make concrete suggestions.
+
+---
+
+<CoreRules>
+When in doubt, prioritize checking these:
+
+1. **ReSpec linking** is correct and consistent (no raw `<a>` for internal links).
+2. **Normative text** is precise, testable, and uses RFC 2119/BCP 14 keywords correctly.
+3. **Algorithms** are deterministic, fully defined, and implementable.
+4. **WebIDL** is valid and matches algorithm behavior.
+5. **Security, privacy, a11y, and i18n** concerns are not obviously violated.
+6. **Commit messages** follow the project’s conventions.
+If you are unable to perform a comprehensive review of a PR, prioritize checking these key areas.
+</CoreRules>
+
+---
+
+<Goals>
+- Improve clarity, correctness, and consistency across the specification.
+- Enforce correct ReSpec linking, WebIDL semantics, and W3C editorial conventions.
+- Maintain alignment with key normative references (Infra, DOM, HTML, WebIDL, Credential Management, VC Data Model, etc.).
+- Help ensure algorithms are deterministic, implementable, and interoperable across Chromium, WebKit, and Gecko.
+- Surface potential issues in security, privacy, accessibility, and internationalization.
+- Help keep all normative requirements as precise and testable as possible.
+</Goals>
+
+---
+
+<GeneralBehavior>
+- Use short, direct, actionable comments.
+- Point to specific lines, phrases, or constructs wherever possible.
+- If something seems suspicious or unclear, it’s acceptable to raise it as a question.
+- Prefer small, focused changes over large rewrites.
+- Maintain a neutral, formal, technical tone aligned with W3C style.
+</GeneralBehavior>
+
+---
+
+<LanguageAndEditorial>
+- Check spelling, grammar, punctuation, and clarity.
+- Aim for unambiguous, technically precise wording.
+- Watch for:
+  - Redundant or repeated text.
+  - Tautologies.
+  - Inconsistent terminology.
+  - Ambiguous or hand-wavy phrases.
+- Suggest minimal edits that improve clarity without changing intent.
+</LanguageAndEditorial>
+
+---
+
+<ReSpecRules>
+Use ReSpec consistently. Prefer ReSpec constructs over raw HTML links for internal references.
+
+<WebIDL>
+Use `{{Thing}}` syntax for IDL constructs:
+- `{{Credential}}`
+- `{{CredentialsContainer/get()}}`
+</WebIDL>
+
+<Concepts>
+Use `[=concept name=]` for spec concepts:
+- `[=queue a task=]`
+- `[=holder=]`
+</Concepts>
+
+<AlgorithmVariables>
+Use bar syntax:
+- `|x|`
+- `|x:Type|`
+- `Let |p:Promise| be a new {{Promise}}.`
+</AlgorithmVariables>
+
+<HTMLElementReferences>
+Use caret syntax for HTML elements:
+- `[^iframe^]`
+- `[^input^]`
+To reference an attribute of an element, use `[^element/attribute^]`:
+- `[^iframe/allow^]`
+</HTMLElementReferences>
+
+<References>
+Use bibliographic references:
+- `[[RFC2119]]`
+- `[[HTML]]`
+- `[[infra]]`
+- `[[credential-management]]`
+- `[[vc-data-model]]`
+</References>
+
+<InternalExpansions>
+Use internal expansion syntax:
+- `[[[#example-1]]]`
+- `[[[#processing-steps]]]`
+</InternalExpansions>
+
+<ReSpecChecks>
+- Prefer ReSpec links instead of raw `<a>` for internal concepts and sections.
+- Ensure link targets exist and resolve.
+- Ensure terms defined in the Model section are reused via links instead of redefined.
+- Avoid exporting terms (`data-export`) unless there is a clear intent for reuse by other specs.
+- Replace hardcoded URLs for specifications with `[[shortname]]` references where appropriate.
+</ReSpecChecks>
+</ReSpecRules>
+
+---
+
+<NormativeReferences>
+This specification normatively depends on:
+
+- [[CREDENTIAL-MANAGEMENT]] — Credential Management Level 1
+- [[DOM]] — DOM Standard
+- [[HTML]] — HTML Standard
+- [[INFRA]] — Infra Standard
+- [[PERMISSIONS]] — Permissions API
+- [[PERMISSIONS-POLICY]] — Permissions Policy
+- [[RFC2119]]
+- [[RFC8174]]
+- [[VC-DATA-MODEL]] — Verifiable Credentials Data Model v2.0
+- [[WEBIDL]] — Web IDL Standard
+
+<NormativeChecks>
+- When a concept overlaps with these specs, suggest reusing or referencing the existing definition rather than inventing a new one.
+- Check that algorithms use Infra/DOM/HTML/WebIDL operations where those specs already define the relevant behavior.
+- If you notice a possible divergence from these specs, highlight it so editors can confirm whether it’s intentional.
+</NormativeChecks>
+</NormativeReferences>
+
+---
+
+<Algorithms>
+Algorithms should be deterministic, complete, and realistically implementable in Chromium, WebKit, and Gecko.
+
+<AlgorithmChecks>
+- Check that all variables are introduced before they are used.
+- Ensure any terms used are defined (often in the Model section) and linked appropriately.
+- Look for missing branches (e.g., no behavior defined for an invalid input).
+- Prefer explicit steps over vague instructions (e.g., “return failure” instead of “handle the error”).
+- When appropriate, suggest using existing Infra/DOM/HTML operations instead of ad-hoc behavior.
+- Check that the algorithm’s results are compatible with the declared WebIDL types.
+- If behavior seems ambiguous or not obviously testable, call that out.
+</AlgorithmChecks>
+</Algorithms>
+
+---
+
+<ECMAScriptExamples>
+Examples should use modern ECMAScript and match the normative behavior they illustrate.
+
+<ExampleRules>
+- Prefer `const`/`let` over `var`.
+- Prefer `async` / `await` where it improves clarity.
+- Use modern idioms (template literals, destructuring, optional chaining) when appropriate.
+- Make sure the example behavior is consistent with the normative algorithm and WebIDL.
+- Flag obviously outdated, confusing, or fragile example code.
+</ExampleRules>
+</ECMAScriptExamples>
+
+---
+
+<Accessibility>
+- Watch for language that assumes specific sensory modalities (e.g., purely visual cues) without alternatives.
+- Be cautious about UI-describing text that might exclude keyboard or assistive-technology usage.
+- This spec is not a UI spec, but where it refers to user mediation or user interaction, it should not obviously conflict with accessibility principles.
+- If something looks like it might break accessibility expectations, raise it for the editors to review.
+</Accessibility>
+
+---
+
+<Internationalization>
+- Flag assumptions that names, addresses, or dates follow Western formats.
+- Be wary of ASCII-only assumptions, or case handling that ignores Unicode.
+- Where string comparison or normalization matters, suggest checking against Infra’s text-handling concepts.
+</Internationalization>
+
+---
+
+<SecurityAndPrivacy>
+- Watch for places where identifiers, credentials, or other sensitive data might be leaked or mishandled.
+- Check that origin handling and permission semantics look consistent with the Web security model and Permissions-related specs.
+- If a change alters how data moves between parties, or affects mediation and consent, highlight that.
+- If there’s no obvious mention of security/privacy implications in a sensitive area, it’s reasonable to ask whether that’s intentional.
+</SecurityAndPrivacy>
+
+---
+
+<Conformance>
+Normative requirements should be as precise and testable as possible.
+
+<ConformanceChecks>
+- Flag requirements that are so vague they would be hard to test (e.g., “behave reasonably”).
+- Watch for normative statements embedded in notes or examples; suggest moving them into the main normative text.
+- Check that inputs, outputs, and preconditions are clear enough that a test can be written.
+- If behavior is non-deterministic or underspecified, raise that as a potential conformance problem.
+</ConformanceChecks>
+</Conformance>
+
+---
+
+<RFC2119>
+This spec uses RFC 2119 / BCP 14 keywords.
+
+<RFCChecks>
+- Check that MUST, MUST NOT, SHOULD, SHOULD NOT, MAY appear only in normative contexts.
+- In this specification, RFC2119 keywords (MUST, SHOULD, MAY, etc.) are only to be used in conformance requirements that apply to the "user agent" implementing the specification (e.g., "A user agent MUST..."). No other conformance classes or objects (such as "Developer") are defined, so using these keywords for other entities is incorrect.
+- Flag use of these keywords in notes, examples, or purely explanatory/editorial text.
+- Watch for informal uses like “the browser should...” that may be intended as normative but are not clearly framed.
+- If the intended strength of a requirement is unclear (MUST vs SHOULD), it’s reasonable to ask for clarification.
+</RFCChecks>
+</RFC2119>
+
+---
+
+<DuplicationAndStructure>
+- Notice when definitions or behavior are repeated across sections without clear need.
+- Highlight concepts that are defined after they are first used (if this causes confusion).
+- Flag conflicting or overlapping statements in different parts of the spec.
+- Suggest consolidating duplicated or near-duplicated text into a single canonical place when it improves clarity.
+</DuplicationAndStructure>
+
+---
+
+<AntiPatterns>
+When you see the patterns below, they are usually worth flagging with a short, concrete suggestion.
+
+<ReSpecIssues>
+- Raw `<a>` internal links instead of ReSpec links.
+- Hardcoded URLs used where a `[[shortname]]` reference is appropriate.
+- Terms defined in the Model section being redefined elsewhere.
+- Exported terms (`data-export` or `class="export"`) with no clear reason.
+- Obvious missing or broken ReSpec link targets.
+</ReSpecIssues>
+
+<AlgorithmIssues>
+- Variables or states used before being defined.
+- Vague steps like “handle the error” without specifying how.
+- Algorithm instructions that prescribe specific UI (e.g., “show a popup”).
+- Branches or edge-cases that are obviously unhandled.
+- Loops or conditions that could be non-terminating or contradictory.
+</AlgorithmIssues>
+
+<IDLIssues>
+- WebIDL that doesn’t match the behavior described in algorithms.
+- Incorrect usage of nullable (`?`) or optional members.
+- Return types in algorithms that don’t match the IDL type.
+- New IDL constructs that conflict with platform-wide types defined elsewhere.
+</IDLIssues>
+
+<RFC2119Issues>
+- RFC keywords appearing in notes or examples.
+- Keywords used in a casual, non-normative way.
+- Ambiguous or inconsistent use of MUST/SHOULD/MAY.
+</RFC2119Issues>
+
+<ConformanceIssues>
+- Requirements that sound normative but are impossible to test.
+- Normative-sounding text inside examples.
+- Lack of clear input or output conditions around a requirement.
+</ConformanceIssues>
+
+<SecurityPrivacyIssues>
+- Plain-text or unbounded exposure of sensitive identifiers.
+- Origin or permission handling that looks incomplete or inconsistent.
+- New behavior that expands what data is shared without mentioning privacy/security.
+</SecurityPrivacyIssues>
+
+<AccessibilityIssues>
+- Instructions or behavior that assume sight, precise pointer control, or specific gestures without alternatives.
+</AccessibilityIssues>
+
+<InternationalizationIssues>
+- String handling that assumes ASCII.
+- Hardcoded Western formats for names, addresses, or dates.
+</InternationalizationIssues>
+
+<EditorialIssues>
+- Duplicate definitions for the same concept.
+- Concepts defined long after their first use, when this causes confusion.
+- Tautological or “definition in terms of itself” statements.
+- Examples that implicitly introduce norms not stated in the main text.
+</EditorialIssues>
+</AntiPatterns>
+
+---
+
+<CommitMessages>
+Commit messages should follow these conventions. If they don’t, it’s helpful to point it out briefly.
+
+<Prefixes>
+**Non-normative changes:**
+Commit messages for non-normative changes should start with one of:
+- `chore:`
+- `editorial:`
+
+**Normative changes:**
+Commit messages for normative changes normally have **no prefix**.
+
+**Breaking normative changes:**
+For normative changes that are breaking (i.e., require browser implementations to update, such as incompatible IDL or changed API semantics), use the `BREAKING CHANGE:` prefix and name the breaking aspect explicitly. See <BreakingChange> below.
+</Prefixes>
+
+<Rules>
+- Treat changes to algorithms, IDL, security/privacy behavior, or permissions as normative.
+- Treat changes to examples, notes, formatting, linking, or wording (without semantic impact) as non-normative.
+- When a change is clearly non-normative, but has no prefix, it’s fine to suggest adding one.
+</Rules>
+
+<BreakingChange>
+- If a change is likely to require browser implementations to update (e.g., incompatible IDL or changed API semantics), call it out as a potential breaking change.
+- In those cases, it’s helpful to suggest using a `BREAKING CHANGE:` prefix and to name the breaking aspect explicitly.
+</BreakingChange>
+
+<Examples>
+Examples of good commit messages:
+- `chore: fix code fences`
+- `editorial: clarify definition of holder`
+- `BREAKING CHANGE: rename CredentialStore to CredentialContainer`
+- `Align processing steps with HTML queue a task`
+
+Examples that can be improved:
+- `fix stuff`
+- `update spec`
+- `should work now`
+- `edit: tweaks`
+</Examples>
+</CommitMessages>
+
+---
+
+<Tone>
+- Be concise, concrete, and constructive.
+- Prefer comments like “Use `[=credential holder=]` instead of a raw link here.” over general remarks like “This is confusing.”
+- It’s fine to say “This might conflict with the WebIDL type” or “This may need a testable requirement” when you’re not certain.
+</Tone>
