Merge branch 'staged' into brsingh/feature/java-instructions

Author: brijrajsingh

.codespellrc

@@ -46,9 +46,11 @@
 
 # queston - intentional misspelling example in skills/arize-dataset/SKILL.md demonstrating typo detection in field names
 
+# nin - MongoDB $nin operator in security instructions NoSQL injection detection regex
+
 # Vertexes - FreeCAD shape sub-elements used as property of obj.Shape
 
-ignore-words-list = numer,wit,aks,edn,ser,ois,gir,rouge,categor,aline,ative,afterall,deques,dateA,dateB,TE,FillIn,alle,vai,LOD,InOut,pixelX,aNULL,Wee,Sherif,queston,Vertexes
+ignore-words-list = numer,wit,aks,edn,ser,ois,gir,rouge,categor,aline,ative,afterall,deques,dateA,dateB,TE,FillIn,alle,vai,LOD,InOut,pixelX,aNULL,Wee,Sherif,queston,Vertexes,nin
 
 # Skip certain files and directories
 

.github/plugin/marketplace.json

@@ -325,7 +325,7 @@
     {
       "name": "modernize-dotnet",
       "description": "AI-powered .NET modernization and upgrade assistant. Helps upgrade .NET Framework and .NET applications to the latest versions of .NET.",
-      "version": "1.0.979-preview1",
+      "version": "1.0.1026-preview1",
       "author": {
         "name": "Microsoft",
         "url": "https://www.microsoft.com"
@@ -573,6 +573,31 @@
       "description": "Comprehensive collection of prompts, instructions, and resources for building declarative agents and API plugins using TypeSpec for Microsoft 365 Copilot extensibility.",
       "version": "1.0.0"
     },
+    {
+      "name": "whatidid",
+      "description": "Turn your Copilot sessions into proof of impact — research-grounded HTML reports with effort estimation, skills analysis, and ROI metrics from local session logs.",
+      "version": "1.0.0",
+      "author": {
+        "name": "Microsoft",
+        "url": "https://www.microsoft.com"
+      },
+      "homepage": "https://github.com/microsoft/What-I-Did-Copilot",
+      "keywords": [
+        "copilot",
+        "productivity",
+        "impact",
+        "report",
+        "estimation",
+        "roi",
+        "session-logs"
+      ],
+      "license": "MIT",
+      "repository": "https://github.com/microsoft/What-I-Did-Copilot",
+      "source": {
+        "source": "github",
+        "repo": "microsoft/What-I-Did-Copilot"
+      }
+    },
     {
       "name": "winui3-development",
       "source": "winui3-development",

.github/workflows/check-plugin-structure.yml

@@ -21,13 +21,50 @@ jobs:
         uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
-            const { execSync } = require('child_process');
             const fs = require('fs');
             const path = require('path');
 
             const pluginsDir = 'plugins';
             const errors = [];
 
+            function findSymlinks(rootDir) {
+              const symlinks = [];
+              const dirsToScan = [rootDir];
+
+              while (dirsToScan.length > 0) {
+                const currentDir = dirsToScan.pop();
+                let entries;
+
+                try {
+                  entries = fs.readdirSync(currentDir, { withFileTypes: true });
+                } catch (error) {
+                  throw new Error(`Failed to read directory "${currentDir}": ${error.message}`);
+                }
+
+                for (const entry of entries) {
+                  const entryPath = path.join(currentDir, entry.name);
+                  let stat;
+
+                  try {
+                    stat = fs.lstatSync(entryPath);
+                  } catch (error) {
+                    throw new Error(`Failed to inspect "${entryPath}": ${error.message}`);
+                  }
+
+                  if (stat.isSymbolicLink()) {
+                    symlinks.push(entryPath);
+                    continue;
+                  }
+
+                  if (stat.isDirectory()) {
+                    dirsToScan.push(entryPath);
+                  }
+                }
+              }
+
+              return symlinks;
+            }
+
             if (!fs.existsSync(pluginsDir)) {
               console.log('No plugins directory found');
               return;
@@ -63,14 +100,15 @@ jobs:
                 }
               }
 
-              // Check for symlinks anywhere in the plugin directory
+              // Check for symlinks anywhere in the plugin directory without invoking a shell
               try {
-                const allFiles = execSync(`find "${pluginPath}" -type l`, { encoding: 'utf-8' }).trim();
-                if (allFiles) {
-                  errors.push(`${pluginPath} contains symlinks:\n${allFiles}`);
+                const symlinkPaths = findSymlinks(pluginPath);
+                if (symlinkPaths.length > 0) {
+                  const formattedPaths = symlinkPaths.map(filePath => `\`${filePath}\``).join(', ');
+                  errors.push(`${pluginPath} contains symlinks: ${formattedPaths}`);
                 }
-              } catch (e) {
-                // find returns non-zero if no matches, ignore
+              } catch (error) {
+                errors.push(`Failed to inspect ${pluginPath} for symlinks: ${error.message}`);
               }
             }
 

agents/github-actions-expert.agent.md

@@ -1,7 +1,7 @@
 ---
 name: 'GitHub Actions Expert'
 description: 'GitHub Actions specialist focused on secure CI/CD workflows, action pinning, OIDC authentication, permissions least privilege, and supply-chain security'
-tools: ['codebase', 'edit/editFiles', 'terminalCommand', 'search', 'githubRepo']
+tools: ['github/*', 'search/codebase', 'edit/editFiles', 'execute/runInTerminal', 'read/readFile', 'search/fileSearch']
 ---
 
 # GitHub Actions Expert

agents/tdd-green.agent.md

@@ -1,7 +1,7 @@
 ---
 description: 'Implement minimal code to satisfy GitHub issue requirements and make failing tests pass without over-engineering.'
 name: 'TDD Green Phase - Make Tests Pass Quickly'
-tools: ['github', 'findTestFiles', 'edit/editFiles', 'runTests', 'runCommands', 'codebase', 'filesystem', 'search', 'problems', 'testFailure', 'terminalLastCommand']
+tools: ['github/*', 'search/fileSearch', 'edit/editFiles', 'execute/runTests', 'execute/runInTerminal', 'execute/getTerminalOutput', 'execute/testFailure', 'read/readFile', 'read/terminalLastCommand', 'read/terminalSelection', 'read/problems', 'search/codebase']
 ---
 # TDD Green Phase - Make Tests Pass Quickly
 
@@ -34,11 +34,11 @@ Write the minimal code necessary to satisfy GitHub issue requirements and make f
 - **Simple solutions first** - Choose the most straightforward implementation path from issue context
 - **Defer complexity** - Don't anticipate requirements beyond current issue scope
 
-### C# Implementation Strategies
+### Implementation Strategies (Polyglot)
 - **Start with constants** - Return hard-coded values from issue examples initially
 - **Progress to conditionals** - Add if/else logic as more issue scenarios are tested
-- **Extract to methods** - Create simple helper methods when duplication emerges
-- **Use basic collections** - Simple List<T> or Dictionary<T,V> over complex data structures
+- **Extract to methods/functions** - Create simple helpers when duplication emerges
+- **Use basic collections** - Simple arrays, lists, or maps over complex data structures
 
 ## Execution Guidelines
 

agents/tdd-red.agent.md

@@ -1,7 +1,7 @@
 ---
 description: "Guide test-first development by writing failing tests that describe desired behaviour from GitHub issue context before implementation exists."
 name: "TDD Red Phase - Write Failing Tests First"
-tools: ["github", "findTestFiles", "edit/editFiles", "runTests", "runCommands", "codebase", "filesystem", "search", "problems", "testFailure", "terminalLastCommand"]
+tools: ["github/*", "search/fileSearch", "edit/editFiles", "execute/runTests", "execute/runInTerminal", "execute/getTerminalOutput", "execute/testFailure", "read/readFile", "read/terminalLastCommand", "read/terminalSelection", "read/problems", "search/codebase"]
 ---
 
 # TDD Red Phase - Write Failing Tests First
@@ -34,17 +34,19 @@ Focus on writing clear, specific failing tests that describe the desired behavio
 
 ### Test Quality Standards
 
-- **Descriptive test names** - Use clear, behaviour-focused naming like `Should_ReturnValidationError_When_EmailIsInvalid_Issue{number}`
+- **Descriptive test names** - Use clear, behaviour-focused naming like `returnsValidationError_whenEmailIsInvalid_issue{number}` (adapt casing to your language convention)
 - **AAA Pattern** - Structure tests with clear Arrange, Act, Assert sections
 - **Single assertion focus** - Each test should verify one specific outcome from issue criteria
 - **Edge cases first** - Consider boundary conditions mentioned in issue discussions
 
-### C# Test Patterns
+### Test Patterns (Polyglot)
 
-- Use **xUnit** with **FluentAssertions** for readable assertions
-- Apply **AutoFixture** for test data generation
-- Implement **Theory tests** for multiple input scenarios from issue examples
-- Create **custom assertions** for domain-specific validations outlined in issue
+- **JavaScript/TypeScript**: Use **Jest** or **Vitest** with `describe`/`it` blocks and `expect` assertions
+- **Python**: Use **pytest** with descriptive function names and `assert` statements
+- **Java/Kotlin**: Use **JUnit 5** with **AssertJ** for fluent assertions
+- **C#/.NET**: Use **xUnit** or **NUnit** with **FluentAssertions**
+- Apply parameterised/data-driven tests for multiple input scenarios from issue examples
+- Create shared test utilities for domain-specific validations outlined in issue
 
 ## Execution Guidelines
 

agents/tdd-refactor.agent.md

@@ -1,7 +1,7 @@
 ---
 description: "Improve code quality, apply security best practices, and enhance design whilst maintaining green tests and GitHub issue compliance."
 name: "TDD Refactor Phase - Improve Quality & Security"
-tools: ["github", "findTestFiles", "edit/editFiles", "runTests", "runCommands", "codebase", "filesystem", "search", "problems", "testFailure", "terminalLastCommand"]
+tools: ["github/*", "search/fileSearch", "edit/editFiles", "execute/runTests", "execute/runInTerminal", "execute/getTerminalOutput", "execute/testFailure", "read/readFile", "read/terminalLastCommand", "read/terminalSelection", "read/problems", "search/codebase"]
 ---
 
 # TDD Refactor Phase - Improve Quality & Security
@@ -39,24 +39,24 @@ Clean up code, apply security best practices, and enhance design whilst keeping
 - **Authentication/Authorisation** - Implement proper access controls if specified in issue
 - **Data protection** - Encrypt sensitive data, use secure connection strings
 - **Error handling** - Avoid information disclosure through exception details
-- **Dependency scanning** - Check for vulnerable NuGet packages
-- **Secrets management** - Use Azure Key Vault or user secrets, never hard-code credentials
+- **Dependency scanning** - Check for vulnerable packages (`npm audit`, `pip audit`, `dotnet list package --vulnerable`, etc.)
+- **Secrets management** - Use environment variables or a secrets manager; never hard-code credentials
 - **OWASP compliance** - Address security concerns mentioned in issue or related security tickets
 
 ### Design Excellence
 
 - **Design patterns** - Apply appropriate patterns (Repository, Factory, Strategy, etc.)
-- **Dependency injection** - Use DI container for loose coupling
-- **Configuration management** - Externalise settings using IOptions pattern
-- **Logging and monitoring** - Add structured logging with Serilog for issue troubleshooting
-- **Performance optimisation** - Use async/await, efficient collections, caching
+- **Dependency injection** - Use DI container or constructor injection for loose coupling
+- **Configuration management** - Externalise settings using environment variables or config files
+- **Logging and monitoring** - Add structured logging appropriate to your stack for issue troubleshooting
+- **Performance optimisation** - Use async/await or equivalent concurrency primitives, efficient collections, caching
 
-### C# Best Practices
+### Language Best Practices (Polyglot)
 
-- **Nullable reference types** - Enable and properly configure nullability
-- **Modern C# features** - Use pattern matching, switch expressions, records
-- **Memory efficiency** - Consider Span<T>, Memory<T> for performance-critical code
-- **Exception handling** - Use specific exception types, avoid catching Exception
+- **Null safety** - Enable strict null checks (TypeScript), nullable reference types (C#), or Optional types (Java/Kotlin)
+- **Modern language features** - Use pattern matching, destructuring, and idiomatic constructs for your language
+- **Memory & performance** - Apply language-specific optimisations only when profiling reveals a bottleneck
+- **Error handling** - Use specific error/exception types; avoid swallowing errors silently
 
 ## Security Checklist