Skip to content

chore: compliance gaps, security, and quality improvements#2

Open
metyatech wants to merge 1 commit intomainfrom
chore/compliance-gaps
Open

chore: compliance gaps, security, and quality improvements#2
metyatech wants to merge 1 commit intomainfrom
chore/compliance-gaps

Conversation

@metyatech
Copy link
Owner

@metyatech metyatech commented Mar 7, 2026

This PR addresses several compliance gaps and improves the repository's security and quality standards.

Changes

  • AGENTS.md Compliance: Updated AGENTS.md and CLAUDE.md to the latest rules via compose-agentsmd.
  • Task Tracking: Added .tasks.jsonl using task-tracker to persist task state across sessions.
  • Security Analysis: Added CodeQL analysis and Dependabot for automated vulnerability and dependency scanning.
  • Skill Verification: Added a tests/ directory with example 'good' and 'bad' plans to provide a baseline for skill verification and improve documentation.
  • README Update: Linked the new examples in the README.md.

Verification

  • markdownlint passed for all newly added and modified files.
  • compose-agentsmd --compose completed successfully.
  • Manually verified that the new examples align with SKILL.md criteria.

@metyatech
chore: bring repo into compliance with AGENTS.md and improve security…
92da410 
…/quality

- Updated AGENTS.md and CLAUDE.md to latest rules via compose-agentsmd.
- Added .tasks.jsonl with task-tracker.
- Added CodeQL analysis and Dependabot for automated security and quality checks.
- Added a tests/ directory with example good/bad plans to improve skill documentation and baseline verification.
- Updated README.md to link to these examples.
Copilot AI review requested due to automatic review settings March 7, 2026 04:06
@metyatech
Copy link
Owner Author

metyatech commented Mar 7, 2026

Completed compliance and security improvements.

Summary of Changes

  • Updated AGENTS.md and CLAUDE.md to the latest rules.
  • Added .tasks.jsonl for persistent task tracking.
  • Added CodeQL and Dependabot for automated security analysis.
  • Added tests/ directory with example 'good' and 'bad' plans to improve skill documentation and provide a baseline for verification.
  • Updated README.md to link to these examples.

Copilot AI reviewed Mar 7, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to close compliance gaps and improve baseline security/quality tooling by adding repo scanning automation and providing documented “good/bad” review-plan examples for skill verification.

Changes:

  • Add CodeQL workflow and Dependabot configuration for automated security scanning.
  • Add a committed task-tracker state file (.tasks.jsonl) for cross-session task persistence.
  • Add a tests/ directory with example “good” and “bad” plans and link them from the main README.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
tests/examples/good-plan.md Adds an example “approved” plan and review output.
tests/examples/bad-plan.md Adds an example “flagged” plan and review output.
tests/README.md Documents how to use the examples for consistent reviews.
README.md Links readers to the new tests/ examples.
AGENTS.md Regenerated/updated rule composition with additional operational guidance.
.tasks.jsonl Adds persisted task state for task-tracker.
.github/workflows/codeql-analysis.yml Adds CodeQL scanning workflow.
.github/dependabot.yml Adds Dependabot update configuration.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

README.md
See the [tests/](tests/) directory for examples of:

- **Good plans**: That meet all criteria and are APPROVED.
- **Bad plans**: That fail criteria (missing verification, known error patterns) and are FLAGed.
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FLAGed is an awkward/incorrect inflection when referring to the decision label FLAG. Consider changing to FLAGGED (or flagged) for clearer English while still keeping the FLAG keyword recognizable.

Suggested change
- **Bad plans**: That fail criteria (missing verification, known error patterns) and are FLAGed.
- **Bad plans**: That fail criteria (missing verification, known error patterns) and are FLAGGED.

Copilot uses AI. Check for mistakes.
tests/README.md
## Structure

- `examples/good-plan.md`: A plan that meets all criteria and is APPROVED.
- `examples/bad-plan.md`: A plan that fails criteria (missing verification, known error patterns) and is FLAGed.
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FLAGed is an awkward/incorrect inflection when referring to the decision label FLAG. Consider changing to FLAGGED (or flagged) for clearer English while still keeping the FLAG keyword recognizable.

Suggested change
- `examples/bad-plan.md`: A plan that fails criteria (missing verification, known error patterns) and is FLAGed.
- `examples/bad-plan.md`: A plan that fails criteria (missing verification, known error patterns) and is FLAGGED.

Copilot uses AI. Check for mistakes.
.github/workflows/codeql-analysis.yml
strategy:
fail-fast: false
matrix:
language: [ 'javascript' ]
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This repo currently contains no .js/.ts sources (only docs/config), so running CodeQL with language: javascript will likely produce no useful results (and may fail depending on CodeQL extraction). Consider switching to language: actions to analyze GitHub Actions workflows, or remove the workflow until there is a supported language to scan.

Suggested change
language: [ 'javascript' ]
language: [ 'actions' ]

Copilot uses AI. Check for mistakes.
.github/dependabot.yml
Comment on lines +3 to +6
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot is configured for the npm ecosystem in /, but the repository doesn't currently have a package.json/lockfile. This will cause Dependabot runs to error. Either remove the npm entry, or add the expected npm manifests so Dependabot can operate.

Suggested change
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"

Copilot uses AI. Check for mistakes.
AGENTS.md
Source: github:metyatech/agent-rules@HEAD/rules/global/autonomous-operations.md

# Autonomous operations
# Autonomous operations
Copy link

Copilot AI Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The heading on this line appears to include a leading Unicode BOM character (U+FEFF) before # (it renders as #). This can cause subtle diffs and tooling issues; please remove the BOM so the line starts with a plain #.

Suggested change
# Autonomous operations
# Autonomous operations

Copilot uses AI. Check for mistakes.
@metyatech metyatech self-assigned this Mar 7, 2026
@metyatech
Copy link
Owner Author

metyatech commented Mar 7, 2026

Agent runner idle completed.

Repo: metyatech/skill-user-proxy
Engine: gemini-flash
Notify: @metyatech

Summary:
(missing)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@metyatech metyatech

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@metyatech