Integrate quality checks and enhance ISMS policy references with specific versions

[Copilot]

Agents didn't reference package.json quality checks and ISMS policy references were outdated. Initial implementation incorrectly added MCP server configurations to repository-level agents, which has been corrected.

Changes

Quality Checks Integration

• All agents now reference package.json scripts explicitly:
  • Code quality: npm run lint, npm run build
  • Testing: npm run test, npm run coverage (80%+ target)
  • E2E: npm run test:e2e
  • Security: npm audit, npm run test:licenses
• Added "Quality Checks" section to copilot-instructions.md

ISMS Compliance Enhancement

• Downloaded and analyzed complete Secure Development Policy (v2.1, 1201 lines, effective 2026-01-25)
• Updated all ISMS-PUBLIC policy references with specific versions:
  • Secure Development Policy v2.1 (effective 2026-01-25)
  • Open Source Policy v2.3 (effective 2026-01-25)
  • ISMS overall v3.2 (2026)
• Added "Security & Compliance" section to copilot-instructions.md
• Added comprehensive Security Standards sections to all development agents covering:
  • OWASP secure coding guidelines
  • Secret management (never commit credentials)
  • Input validation and sanitization
  • Security-by-design principles
  • Error handling without information leakage
• Enhanced all agents with detailed policy requirements:
  • 80% test coverage requirement per Secure Development Policy v2.1
  • SBOM quality 7.0/10 minimum per Open Source Policy v2.3
  • OSSF Scorecard ratings and supply chain security
  • License compliance (MIT, Apache-2.0, BSD, ISC, CC0-1.0, Unlicense)
• Every quality requirement now explicitly states which policy mandates it for clear traceability

Agent Architecture Correction

• Removed MCP server configurations from all repository-level agents (repository agents cannot have MCP servers per GitHub Copilot documentation)
• MCP servers remain configured at repository level in .github/copilot-mcp.json and are available to all agents
• Added clarification in agent README explaining MCP servers are repo-level configuration
• Removed verbose "Using GitHub MCP Server" and "Using Playwright MCP Server" sections

Size Optimization

• Reduced product-task-agent by removing redundant MCP usage examples
• Condensed verbose sections while maintaining technical accuracy
• Improved focus on quality check commands from package.json

Files Modified

• .github/copilot-instructions.md - Quality checks and security section with specific policy versions
• .github/agents/ - All 6 agent files (quality checks, specific ISMS versions, security standards, removed MCP configs)
• .github/agents/README.md - Added MCP architecture explanation, updated with policy versions
• README.md - Updated agent description with ISMS v3.2

Stats: 8 files, +208/-181 lines across 3 commits

Custom agent used: hack23-agent-curator
Org-level curator for Hack23 Copilot agents, enforcing GitHub config, MCP standards, and documentation quality

Original prompt

Want to update .github/copilot-instructions.md, projects been changing much content may be very outdated.

Review and improve all agents .github/agents and documention.
focus analyse pom.xml, package.json and make sure all agents run all relevant checks.
focus better concise descriptions.
Better aligment with https://github.com/Hack23/ISMS-PUBLIC all updated with 2026 , so need full review.

Analyse and improve all issues and all agents need full permission and access to all tools
Keep agent and copilot instructions below max limit size.

Custom agent used: hack23-agent-curator
Org-level curator for Hack23 Copilot agents, enforcing GitHub config, MCP standards, and documentation quality

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[pethers]

@copilot repo agents cant have mcp servers. and do a full review of all agents, see package.json . analyse all *.md files. Donwload an analyse HAck23 ISMS. See copilot workflow setup

[Copilot]

@copilot repo agents cant have mcp servers. and do a full review of all agents, see package.json . analyse all *.md files. Donwload an analyse HAck23 ISMS. See copilot workflow setup

Fixed in commit 1a3c93e:

✅ Removed all MCP server configurations from repository-level agents - Per GitHub Copilot docs, repo agents cannot have MCP servers (only org-level agents in .github-private can)

✅ Updated ISMS to v3.2, 2026 - Analyzed ISMS-PUBLIC, current version is v3.2 effective 2026-01-25

✅ Analyzed package.json - All agents now reference relevant npm scripts:

• Quality: npm run lint, npm run build
• Testing: npm run test, npm run coverage (80%+ target), npm run test:e2e
• Security: npm audit, npm run test:licenses

✅ *Reviewed all .md files - Updated descriptions, removed verbose MCP usage sections, added Quality Checks sections

✅ Reviewed copilot workflow setup - Verified Node.js 24, npm ci, caching configured correctly

✅ Added explanation - Agent README now clarifies MCP servers are repo-level configuration in .github/copilot-mcp.json, not agent-level

[pethers]

@copilot Actually download https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md , review complete document and make sure all agents use and reference it and other Hack23 ISMS policies(all with different versions, but do never need to be included) . improve all

[Copilot]

@copilot Actually download https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md , review complete document and make sure all agents use and reference it and other Hack23 ISMS p...

Completed in commit 4daa90d:

✅ Downloaded and analyzed complete Secure Development Policy (v2.1, 1201 lines, effective 2026-01-25)

✅ All agents now reference specific policy versions:

• Secure Development Policy v2.1 (2026-01-25) - 80% coverage requirement, OWASP guidelines, SAST/SCA
• Open Source Policy v2.3 (2026-01-25) - SBOM quality 7.0/10, OSSF Scorecard, license compliance
• ISMS overall v3.2 (2026)

✅ Added Security Standards sections to all development agents (game-developer, frontend-specialist, test-engineer) covering:

• OWASP secure coding guidelines
• Secret management (never commit credentials)
• Input validation and sanitization
• Security-by-design principles
• Error handling without information leakage

✅ Enhanced security-specialist with comprehensive policy references (4 different ISMS policies) and detailed requirements

✅ Improved all agents with:

• Specific policy version numbers (not just years)
• Effective dates for key policies (2026-01-25)
• Clear requirement traceability (80% coverage → Secure Development Policy v2.1)
• Multiple relevant ISMS policy references per agent role

Key improvements: Every quality check now explicitly references which policy mandates it, making compliance auditable and clear.