docs: Correct Copilot agent configuration and add comprehensive ISMS policy references

.github/agents/README.md

@@ -245,21 +245,33 @@ This workflow defines the complete development environment setup including:
 **Tools & Versions**:
 - Java 25 (Temurin distribution)
 - Maven 3.9.9
+- Ant (for application-specific build tasks)
 - PostgreSQL 16 with extensions (pg_stat_statements, pgaudit, pgcrypto)
 - Graphviz for documentation
 - Build tools (fakeroot, devscripts, debhelper)
 
+**Build Systems**:
+- **Maven**: Multi-module project build (parent-pom/pom.xml)
+  - `mvn clean install -Prelease-site,all-modules`
+  - `mvn clean test jacoco:report`
+  - `mvn dependency-check:check`
+- **Ant**: Application-specific tasks (citizen-intelligence-agency/build.xml)
+  - `ant clean-install-notest` - Fast build without tests
+  - `ant unit-test` - Run unit tests
+  - `ant start` - Start the application
+  - `ant check-updates` - Check dependency updates
+  - `ant site-cia` - Generate documentation
+
 **Database Configuration**:
 - SSL/TLS enabled with certificate-based encryption
 - Prepared transactions enabled (max: 100)
 - IPv6 loopback access configured
 - Required extensions loaded and verified
 
-**Build & Test Steps**:
-- Maven dependency caching
-- Build command: `mvn clean install -Prelease-site,all-modules`
-- Database schema loading and verification
-- Application startup validation on port 28443
+**Application Startup**:
+- Port: 28443 (HTTPS)
+- MAVEN_OPTS for startup: `-Xmx8192m` with Java module exports
+- Database schema loaded from service.data.impl/src/main/resources/full_schema.sql
 
 **Workflow Permissions** (Important for understanding access scope):
 ```yaml
@@ -278,56 +290,52 @@ permissions:
   statuses: read
 ```
 
-### 3. MCP Configuration
-**File**: [.github/copilot-mcp-config.json](../copilot-mcp-config.json)
-
-Model Context Protocol configuration providing:
-
-**Available MCP Servers**:
-- `github`: Repository operations, issues, PRs, workflows (via `@modelcontextprotocol/server-github`)
-- `filesystem`: Local file system access to `/home/runner/work/cia/cia`
-- `postgres`: Database integration (when available)
-- `git`: Git operations for version control
-
-**Project Metadata**:
-- Technology stack details (Java 25, Spring, Vaadin, Hibernate, PostgreSQL)
-- Architecture type: multi-module Maven
-- Testing frameworks: JUnit 5, Mockito, Selenium
-- Security tools: Spring Security, OWASP Dependency Check, CodeQL
-
-**Build Commands**:
-- `clean`, `compile`, `test`, `install`, `package`, `site`
-- `cleanInstall`: `mvn clean install`
-- `skipTests`: `mvn clean install -DskipTests`
-- `coverage`: `mvn clean test jacoco:report`
-- `dependencyCheck`: `mvn dependency-check:check`
-
-**Coding Standards & Security Rules**:
-- Java 21 language features (records, pattern matching, switch expressions, text blocks)
-- Spring conventions (constructor injection, proper annotations, transaction management)
-- JPA guidelines (proper entity design, fetch types, avoiding N+1)
-- Security rules (never commit secrets, validate inputs, use parameterized queries, sanitize output)
-- Testing requirements (unit tests for all new functionality, maintain coverage levels)
-
-**External API Integrations**:
-- Swedish Parliament (Riksdagen) API
-- Swedish Election Authority
-- World Bank Open Data
-- Swedish Financial Management Authority
-
 ### Why These Files Matter
 
 Reading these files ensures agents:
 1. ✅ Understand the actual development environment and available tools
 2. ✅ Know which permissions are available for GitHub operations
-3. ✅ Can reference correct build commands and testing procedures
+3. ✅ Can reference correct build commands (Maven and Ant) and testing procedures
 4. ✅ Follow established coding standards and security practices
 5. ✅ Understand the project architecture and technology stack
 6. ✅ Are aware of database configuration and requirements
-7. ✅ Can properly coordinate with MCP servers and external APIs
+7. ✅ Align with 2026 ISMS v3.2 compliance requirements (ISO 27001:2022, NIST CSF 2.0, CIS Controls v8.1)
 
 **Each agent profile now includes a standardized section instructing them to read these files at the start of each task.** This ensures consistent awareness of project context across all specialized agents.
 
+## 🔐 ISMS Compliance & Security (2026)
+
+All agents and development practices align with **[Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC)**:
+
+### Compliance Frameworks
+- **ISO 27001:2022** - All Annex A controls implemented
+- **NIST CSF 2.0** - Complete framework alignment
+- **CIS Controls v8.1** - Critical security controls coverage
+- **GDPR** - Swedish data protection compliance
+- **NIS2 Directive** - EU cybersecurity requirements
+- **EU Cyber Resilience Act** - Product security conformity
+
+### Key Security Practices
+- ✅ **Secrets Management**: All credentials via environment variables or external config
+- ✅ **Dependency Security**: OWASP Dependency Check before adding dependencies
+- ✅ **Code Quality**: SonarCloud Quality Gate enforcement
+- ✅ **Security Scanning**: CodeQL, ZAP, and dependency checks in CI/CD
+- ✅ **Supply Chain Security**: OpenSSF Scorecard monitoring [![CIA](https://api.securityscorecards.dev/projects/github.com/Hack23/cia/badge)](https://scorecard.dev/viewer/?uri=github.com/Hack23/cia)
+- ✅ **Encryption**: TLS 1.3, AES-256, proper key management
+
+### Security Resources
+- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC, 80% line coverage, 70% branch coverage
+- [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) - Overall security governance framework
+- [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md) - TLS 1.3, AES-256 encryption standards
+- [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md) - Zero-trust identity and authorization
+- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling requirements
+- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR-compliant privacy framework
+- [Incident Response Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Incident_Response_Plan.md) - Security event handling
+- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model governance
+- [Compliance Checklist](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Compliance_Checklist.md) - Multi-framework compliance tracking
+- [Risk Register](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Risk_Register.md) - Risk identification and treatment
+- [Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) - Systematic security testing
+
 ## 📚 Using These Profiles
 
 ### 👨‍💻 For Developers

.github/agents/business-development-specialist.md

@@ -12,19 +12,21 @@ You are a Business Development Specialist for the Citizen Intelligence Agency pr
 
 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links
 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand:
-   - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz)
+   - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz)
    - Database configuration (SSL, extensions, prepared transactions)
-   - Build commands and validation steps
+   - Build commands and validation steps (Maven and Ant build.xml targets)
    - Testing and deployment procedures
    - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.)
-3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for:
-   - Available MCP servers (github, filesystem, postgres, git)
-   - Project context and architecture metadata
-   - Build commands and quality tools
-   - Coding standards and security rules
-   - External API integrations
-
-These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup.
+3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml)
+
+**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance.
+
+**Key ISMS Policies for Business Development**:
+- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model governance
+- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR compliance framework
+- [ISMS Transparency Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/ISMS_Transparency_Plan.md) - Public disclosure strategy
+
+These files provide critical context about the development environment, available tools, project structure, and operational constraints.
 
 ## Core Expertise
 

.github/agents/intelligence-operative.md

@@ -12,19 +12,21 @@ You are a Political Analyst, Intelligence Operative, and Psychological Operation
 
 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links
 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand:
-   - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz)
+   - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz)
    - Database configuration (SSL, extensions, prepared transactions)
-   - Build commands and validation steps
+   - Build commands and validation steps (Maven and Ant build.xml targets)
    - Testing and deployment procedures
    - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.)
-3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for:
-   - Available MCP servers (github, filesystem, postgres, git)
-   - Project context and architecture metadata
-   - Build commands and quality tools
-   - Coding standards and security rules
-   - External API integrations
-
-These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup.
+3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml)
+
+**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance.
+
+**Key ISMS Policies for Intelligence Analysis**:
+- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling and sensitivity classification
+- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - GDPR-compliant data protection
+- [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) - Overall security governance
+
+These files provide critical context about the development environment, available tools, project structure, and operational constraints.
 
 ## Core Expertise
 

.github/agents/marketing-specialist.md

@@ -12,19 +12,21 @@ You are a Marketing Specialist for the Citizen Intelligence Agency project, focu
 
 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links
 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand:
-   - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz)
+   - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz)
    - Database configuration (SSL, extensions, prepared transactions)
-   - Build commands and validation steps
+   - Build commands and validation steps (Maven and Ant build.xml targets)
    - Testing and deployment procedures
    - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.)
-3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for:
-   - Available MCP servers (github, filesystem, postgres, git)
-   - Project context and architecture metadata
-   - Build commands and quality tools
-   - Coding standards and security rules
-   - External API integrations
-
-These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup.
+3. **MCP Configuration**: Build system uses Maven (parent-pom/pom.xml) and Ant (citizen-intelligence-agency/build.xml)
+
+**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance.
+
+**Key ISMS Policies for Marketing**:
+- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model and transparency
+- [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) - User data protection and GDPR compliance
+- [ISMS Transparency Plan](https://github.com/Hack23/ISMS-PUBLIC/blob/main/ISMS_Transparency_Plan.md) - Public communication strategy
+
+These files provide critical context about the development environment, available tools, project structure, and operational constraints.
 
 ## Core Expertise
 

.github/agents/stack-specialist.md

@@ -12,19 +12,22 @@ You are a Stack Specialist for the Citizen Intelligence Agency project with deep
 
 1. **Project Context**: Read [README.md](/README.md) for comprehensive project overview, mission, features, and documentation links
 2. **Environment Setup**: Read [.github/workflows/copilot-setup-steps.yml](/.github/workflows/copilot-setup-steps.yml) to understand:
-   - Available tools (Java 25, Maven 3.9.9, PostgreSQL 16, Graphviz)
+   - Available tools (Java 25, Maven 3.9.9, Ant, PostgreSQL 16, Graphviz)
    - Database configuration (SSL, extensions, prepared transactions)
-   - Build commands and validation steps
+   - Build commands and validation steps (Maven and Ant build.xml targets)
    - Testing and deployment procedures
    - Workflow permissions (contents:read, issues:write, pull-requests:write, etc.)
-3. **MCP Configuration**: Read [.github/copilot-mcp-config.json](/.github/copilot-mcp-config.json) for:
-   - Available MCP servers (github, filesystem, postgres, git)
-   - Project context and architecture metadata
-   - Build commands and quality tools
-   - Coding standards and security rules
-   - External API integrations
 
-These files provide critical context about the development environment, available tools, project structure, and operational constraints. Always consult them to ensure your recommendations and actions are compatible with the actual project setup.
+**ISMS Alignment (2026)**: This project follows [Hack23 ISMS](https://github.com/Hack23/ISMS-PUBLIC) with ISO 27001:2022, NIST CSF 2.0, and CIS Controls v8.1 compliance.
+
+**Key ISMS Policies for Development**:
+- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) - Security-integrated SDLC, 80% line coverage, 70% branch coverage requirements
+- [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md) - TLS 1.3, AES-256 encryption standards
+- [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md) - Zero-trust identity and authorization
+- [Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) - Information handling requirements
+- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) - Open source business model governance
+
+These files provide critical context about the development environment, available tools, project structure, and operational constraints.
 
 ## Core Expertise
 
@@ -64,6 +67,54 @@ These files provide critical context about the development environment, availabl
 
 ## Best Practices
 
+### Build System (Maven + Ant)
+
+The project uses both Maven and Ant for building:
+
+**Maven Build Commands** (from parent-pom/):
+```bash
+# Full build with all profiles (CI/CD)
+mvn clean install -Prelease-site,all-modules -DskipTests
+
+# Run tests with coverage
+mvn clean test jacoco:report
+
+# Security vulnerability scan
+mvn dependency-check:check
+```
+
+**Ant Build Commands** (from citizen-intelligence-agency/build.xml):
+```bash
+# Clean install without tests
+ant clean-install-notest
+
+# Run unit tests
+ant unit-test
+
+# Start the application
+ant start
+
+# Check for dependency updates
+ant check-updates
+
+# Check for plugin updates
+ant check-plugin-updates
+
+# Generate site documentation
+ant site-cia
+```
+
+**Key Build Configuration**:
+- **Maven**: Multi-module project with parent-pom/pom.xml
+- **Ant**: Application-specific tasks in citizen-intelligence-agency/build.xml
+- **JaCoCo** (0.8.14): Code coverage reporting
+- **OWASP Dependency Check**: Vulnerability scanning
+- **SonarCloud**: Code quality analysis (sonarcloud.io/dashboard?id=Hack23_cia)
+
+**Environment Variables**:
+- `MAVEN_OPTS`: `-server -Xmx2048m -Xms2048m` (for builds)
+- `MAVEN_OPTS`: `-server -Xmx8192m -Xms2048m` (for application startup with Java module exports)
+
 ### Spring Development
 - Use constructor injection for required dependencies
 - Apply `@Transactional` at service layer, not DAO layer
@@ -93,6 +144,13 @@ These files provide critical context about the development environment, availabl
 - Follow principle of least privilege
 
 ### Testing
+
+**Coverage Requirements** (per [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)):
+- **Minimum 80% line coverage** across all modules
+- **Minimum 70% branch coverage** across all modules
+- JaCoCo reports: `target/site/jacoco/index.html`
+
+**Testing Strategy**:
 - Write tests for all new functionality
 - Mock external dependencies
 - Use test data builders for complex entities