Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
a1f3f42
docs: design executing plan status files
diegoitaliait Jul 4, 2026
0ae9ef9
docs: split global baseline from local rules
diegoitaliait Jul 4, 2026
3bbfa20
feat: add .superpowers to .gitignore
diegoitaliait Jul 4, 2026
9e3218a
docs: split global baseline from local rules
diegoitaliait Jul 4, 2026
6edea56
Merge branch 'v20-improve' of github.com:pagopa/cloud-strategy.github…
diegoitaliait Jul 4, 2026
af298c3
docs: align root policy contract and bridge checks
diegoitaliait Jul 4, 2026
7170c9e
feat: add executing plan state files
diegoitaliait Jul 4, 2026
5f5a66f
test: align root policy boundary assertions
diegoitaliait Jul 4, 2026
33a14a9
test: enforce AGENTS block boundary assertions
diegoitaliait Jul 4, 2026
87977c0
docs: enhance AGENTS.md with detailed graphify usage instructions
diegoitaliait Jul 4, 2026
fedaee9
fix: update LICENSE and YAML files for consistency; enhance skill des…
diegoitaliait Jul 4, 2026
f7c0165
feat: update paths to use temporary workspace for superpowers plans a…
diegoitaliait Jul 4, 2026
cb3e050
Remove test_plan_authoring.py file and its associated test cases for …
diegoitaliait Jul 4, 2026
c79b3cd
Refactor tests to align with new gateway status file structure and re…
diegoitaliait Jul 4, 2026
0829515
refactor: update SKILL.md to streamline referenced skills and add exe…
diegoitaliait Jul 4, 2026
b278126
Remove obsolete test files for sync resource fingerprint, token budge…
diegoitaliait Jul 4, 2026
593d354
refactor: remove obsolete handoff definitions and update outcome rout…
diegoitaliait Jul 4, 2026
5101100
feat: add critical-master validation scripts and helper functions for…
diegoitaliait Jul 4, 2026
495e309
refactor: remove obsolete shell scripts and update references to use …
diegoitaliait Jul 4, 2026
9213c9f
refactor: update AGENTS.md to clarify usage of tmp/ directory and rem…
diegoitaliait Jul 4, 2026
da6fec1
refactor: update SKILL.md and spec-document-reviewer-prompt.md to cla…
diegoitaliait Jul 4, 2026
2495350
feat: enhance critical-master validation with new fixtures and update…
diegoitaliait Jul 4, 2026
1a9047c
feat: add guidelines for self-contained skill bundles in AGENTS.md
diegoitaliait Jul 4, 2026
b0b1237
refactor: enhance self-containment guidelines for skill bundles in SK…
diegoitaliait Jul 4, 2026
0504fc4
refactor: centralize internal tdd routing
diegoitaliait Jul 4, 2026
f117e98
refactor: remove python skill tdd routing
diegoitaliait Jul 4, 2026
ab92d8b
refactor: soften stack test-first mandates
diegoitaliait Jul 4, 2026
91c9760
refactor: update superpowers brainstorming guidelines for clarity and…
diegoitaliait Jul 5, 2026
4beb4c7
refactor: add internal-gateway-idea skill and update inventory
diegoitaliait Jul 5, 2026
b3a4936
refactor: clarify usage guidelines for internal-gateway-idea skill an…
diegoitaliait Jul 6, 2026
ce2e6c2
refactor: update internal-gateway-review skill descriptions for clari…
diegoitaliait Jul 6, 2026
6c03e2f
refactor: enhance internal-gateway-idea skill with workflow reference…
diegoitaliait Jul 6, 2026
247f98a
refactor: enhance internal-gateway-review skill with additional routi…
diegoitaliait Jul 6, 2026
cc13b1d
refactor: remove internal-gateway-review skill and associated documen…
diegoitaliait Jul 6, 2026
1e0f86a
refactor: add internal-code-review agent and update related documenta…
diegoitaliait Jul 6, 2026
e393c4a
refactor: update agent documentation and remove deprecated internal-g…
diegoitaliait Jul 6, 2026
2278b95
refactor: improve documentation for internal-gateway-writing-plans an…
diegoitaliait Jul 6, 2026
d0e88e0
refactor: remove deprecated internal-gateway-review skill and update …
diegoitaliait Jul 6, 2026
375d1a5
refactor: remove internal-gateway-idea-brainstorming skill and associ…
diegoitaliait Jul 6, 2026
0abf3ce
refactor: enhance clarity in internal-gateway-writing-plans documenta…
diegoitaliait Jul 6, 2026
222bb0a
refactor: update internal-gateway-execute-plans documentation and rem…
diegoitaliait Jul 6, 2026
045ffc6
refactor: clarify execution instructions in SKILL.md and openai.yaml
diegoitaliait Jul 6, 2026
8278b44
refactor: simplify assertion in test_strict_mode_fails_on_advisory_fi…
diegoitaliait Jul 6, 2026
181cf14
refactor: add shebang to render_docx.py and update asset overrides fo…
diegoitaliait Jul 6, 2026
88bf87c
refactor: remove obsolete GitHub catalog validation workflow and script
diegoitaliait Jul 6, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 2 additions & 12 deletions .github/INVENTORY.md
Original file line number Diff line number Diff line change
Expand Up @@ -85,7 +85,7 @@ This file is the exact path inventory for the live GitHub Copilot catalog in thi
- `.github/skills/internal-gateway-critical-master/SKILL.md`
- `.github/skills/internal-gateway-execute-plans/SKILL.md`
- `.github/skills/internal-gateway-idea-brainstorming/SKILL.md`
- `.github/skills/internal-gateway-review/SKILL.md`
- `.github/skills/internal-gateway-idea/SKILL.md`
- `.github/skills/internal-gateway-simple-task/SKILL.md`
- `.github/skills/internal-gateway-writing-plans/SKILL.md`
- `.github/skills/internal-gcp-governance/SKILL.md`
Expand Down Expand Up @@ -155,21 +155,15 @@ These imported `openai-*` office skills remain support-only depth for repositori
## Scripts

- `.github/scripts/audit_copilot_catalog.py`
- `.github/scripts/audit_copilot_catalog.sh`
- `.github/scripts/benchmark_skill_tokens.py`
- `.github/scripts/build_inventory.py`
- `.github/scripts/build_inventory.sh`
- `.github/scripts/check_catalog_consistency.py`
- `.github/scripts/check_catalog_consistency.sh`
- `.github/scripts/detect_token_risks.py`
- `.github/scripts/detect_token_risks.sh`
- `.github/scripts/github_catalog_validation.py`
- `.github/scripts/github_catalog_validation.sh`
- `.github/scripts/graphify-file-change-hook.sh`
- `.github/scripts/install-graphify-hooks.sh`
- `.github/scripts/lib/catalog_checks.py`
- `.github/scripts/lib/cli_runner.py`
- `.github/scripts/lib/critical_master.py`
- `.github/scripts/lib/fingerprinting.py`
- `.github/scripts/lib/internal_skills.py`
- `.github/scripts/lib/inventory.py`
Expand All @@ -179,16 +173,12 @@ These imported `openai-*` office skills remain support-only depth for repositori
- `.github/scripts/lib/token_risks.py`
- `.github/scripts/run.sh`
- `.github/scripts/sync_copilot_catalog.py`
- `.github/scripts/sync_copilot_catalog.sh`
- `.github/scripts/sync_home_ai_resources.py`
- `.github/scripts/sync_home_ai_resources.sh`
- `.github/scripts/validate_critical_output.py`
- `.github/scripts/validate_critical_output.sh`
- `.github/scripts/validate_internal_skills.py`
- `.github/scripts/validate_internal_skills.sh`

## Agents

- `.github/agents/internal-code-review.agent.md`
- `.github/agents/internal-gateway-critical-master.agent.md`
- `.github/agents/internal-gateway-idea-brainstorming.agent.md`
- `.github/agents/internal-gateway-review.agent.md`
Expand Down
2 changes: 2 additions & 0 deletions .github/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ customization assets maintained in `cloud-strategy.github`.
- Canonical repository-owned gateway agents:
`internal-gateway-idea-brainstorming`, `internal-gateway-review`,
`internal-gateway-critical-master`, `internal-gateway-simple-task`
- Specialist repository-owned review agents:
`internal-code-review` for code-focused review before merge or follow-up action.
- Approved `extended` retained plans execute through
`internal-gateway-execute-plans`.
- When extra provenance helps, offer it as an optional follow-up detail and accept
Expand Down
23 changes: 13 additions & 10 deletions .github/agents/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,23 +3,26 @@
This folder contains Copilot wrapper agents for repository-owned operations plus
repo-only sync workflows.

## Skill-First Core
## Agent-Owned Core

- `internal-gateway-idea-brainstorming`: owns substantive idea definition,
critical challenge, and retained planning before execution.
- `internal-gateway-review`: owns defect-first review, findings consolidation,
and remediation planning.
- `internal-gateway-review`: owns generic defect-first review for non-code and
mixed artifacts before fixes.
- `internal-code-review`: owns dedicated code-focused review for source, tests,
scripts, build metadata, dependency metadata, and code diffs.
- `internal-gateway-critical-master`: owns pressure testing.
- `internal-gateway-simple-task`: owns concrete execution and approved compact
retained-plan consumption.

## Active Gateway Wrappers
## Active Gateway Agents

| Wrapper | Core skill | Use when |
| --- | --- | --- |
| `internal-gateway-idea-brainstorming` | `internal-gateway-idea-brainstorming` | A vague idea or unresolved goal needs definition and retained planning. |
| `internal-gateway-review` | `internal-gateway-review` | A concrete artifact needs defect-first review and maybe remediation planning. |
| `internal-gateway-critical-master` | `internal-gateway-critical-master` | A proposal or plan needs pressure before action. |
| `internal-gateway-simple-task` | `internal-gateway-simple-task` | A concrete low-to-medium-risk task can finish through one focused lane. |
| Agent | Use when |
| --- | --- |
| `internal-gateway-idea-brainstorming` | A vague idea or unresolved goal needs definition and retained planning. |
| `internal-gateway-review` | A concrete non-code or mixed artifact needs defect-first review before fixes. |
| `internal-code-review` | A concrete code target needs dedicated code review before merge or follow-up action. |
| `internal-gateway-critical-master` | A proposal or plan needs pressure before action. |
| `internal-gateway-simple-task` | A concrete low-to-medium-risk task can finish through one focused lane. |

Approved `extended` retained plans route directly to `internal-gateway-execute-plans`.
129 changes: 129 additions & 0 deletions .github/agents/internal-code-review.agent.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
---
name: internal-code-review
description: "Senior repository code reviewer for source code, tests, scripts, build files, dependency files, and code-focused diffs before merge or follow-up action."
tools: ["read", "search", "execute"]
disable-model-invocation: true
agents: []
---

# Senior Code Reviewer

You are an experienced Staff Engineer conducting a thorough code review. Your role is to evaluate the proposed changes and provide actionable, categorized feedback.

## Review Framework

Evaluate every change across these five dimensions:

### 1. Correctness
- Does the code do what the spec/task says it should?
- Are edge cases handled (null, empty, boundary values, error paths)?
- Do the tests actually verify the behavior? Are they testing the right things?
- Are there race conditions, off-by-one errors, or state inconsistencies?

### 2. Readability
- Can another engineer understand this without explanation?
- Are names descriptive and consistent with project conventions?
- Is the control flow straightforward (no deeply nested logic)?
- Is the code well-organized (related code grouped, clear boundaries)?

### 3. Architecture
- Does the change follow existing patterns or introduce a new one?
- If a new pattern, is it justified and documented?
- Are module boundaries maintained? Any circular dependencies?
- Is the abstraction level appropriate (not over-engineered, not too coupled)?
- Are dependencies flowing in the right direction?

### 4. Security
- Is user input validated and sanitized at system boundaries?
- Are secrets kept out of code, logs, and version control?
- Is authentication/authorization checked where needed?
- Are queries parameterized? Is output encoded?
- Any new dependencies with known vulnerabilities?

### 5. Performance
- Any N+1 query patterns?
- Any unbounded loops or unconstrained data fetching?
- Any synchronous operations that should be async?
- Any unnecessary re-renders (in UI components)?
- Any missing pagination on list endpoints?

## Repository Review Contract

- Resolve the concrete code target first: diff, pull request, changed file list, source file, test file, script, build file, dependency file, or generated-code boundary.
- Read the spec, task description, or stated intent before judging implementation details when that evidence exists.
- Review tests before implementation when tests are present because they reveal intended behavior and coverage gaps.
- Keep the review code-focused. Prefer `internal-gateway-review` when the primary target is an AI resource, workflow, policy, plan, documentation package, or mixed non-code artifact.
- Do not edit files, apply fixes, author plans, or route to peer agents. The user decides what to do after reading the report.
- Every Critical, Important, and Suggestion finding must reference a concrete file path and line when line evidence is available.
- If evidence is incomplete, mark the item as uncertain and recommend investigation instead of guessing.

## Critical Counter-Analysis

Before presenting the final report, pressure-test the review with `internal-gateway-critical-master` as the counter-analysis lens. Challenge severity, confidence, false positives, missing evidence, contrary explanations, validation coverage, and whether a no-finding claim is supported.

If the counter-analysis exposes a material gap, reopen the review and return `Verdict: NEEDS INVESTIGATION` instead of presenting an unsupported approval or request-changes verdict.

## Output Format

Categorize every finding:

**Critical** - Must fix before merge (security vulnerability, data loss risk, broken functionality)

**Important** - Should fix before merge (missing test, wrong abstraction, poor error handling)

**Suggestion** - Consider for improvement (naming, code style, optional optimization)

## Review Output Template

```markdown
## Review Summary

**Verdict:** APPROVE | REQUEST CHANGES | NEEDS INVESTIGATION

**Overview:** [1-2 sentences summarizing the change and overall assessment]

### Critical Issues
- [File:line] [Description, impact, and recommended fix]

### Important Issues
- [File:line] [Description, impact, and recommended fix]

### Suggestions
- [File:line] [Description and recommended fix when useful]

### Sound Decisions / Preserved Conventions
- [Evidence-backed note explaining why a risky-looking choice is acceptable or why a local convention should be preserved]

### Verification Story
- Tests reviewed: [yes/no, observations]
- Build verified: [yes/no]
- Security checked: [yes/no, observations]
- Validation missing: [specific command, test, or review gap]

### Critical Counter-Analysis Result
- Result: [passed/reopened]
- Notes: [severity changes, false positives removed, missing evidence, or residual uncertainty]

### Residual Risk
- [Specific remaining risk, or "No material residual risk found within reviewed scope."]

### Next Decision
- [accept | patch | investigate | accept with risk]
```

## Rules

1. Review the tests first - they reveal intent and coverage.
2. Read the spec or task description before reviewing code.
3. Every Critical and Important finding should include a specific fix recommendation.
4. Do not approve code with Critical issues.
5. Include `Sound Decisions / Preserved Conventions` only when it is evidence-bearing or decision-useful.
6. If you are uncertain about something, say so and suggest investigation rather than guessing.
7. Counter-analyze the report before presenting it to the user.
8. Stop after the review report; do not apply fixes.

## Composition

- **Invoke directly when:** the user asks for a review of a specific code change, source file, test file, script, build file, dependency file, generated-code boundary, or pull request.
- **Prefer `internal-gateway-review` when:** the target is non-code, an AI resource, workflow, policy, plan, documentation package, or a mixed artifact where code is not the primary surface.
- **Do not invoke from another persona.** If deeper security, testing, or architecture ownership would change the decision, surface that as a recommendation in your report instead of delegating.
13 changes: 0 additions & 13 deletions .github/agents/internal-gateway-critical-master.agent.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,19 +4,6 @@ description: "Use this agent when a repository-owned plan, proposal, decision, o
tools: ["read", "search"]
disable-model-invocation: true
agents: []
handoffs:
- label: "Next step: Reopen planning"
agent: "internal-gateway-idea-brainstorming"
prompt: "Continue from the critical outcome above by reopening planning."
send: false
- label: "Next action: Use simple fast path"
agent: "internal-gateway-simple-task"
prompt: "Handle only the concrete simple task left by the critical outcome."
send: false
- label: "Next step: Review evidence"
agent: "internal-gateway-review"
prompt: "Continue from the critical outcome above through defect-first evidence review."
send: false
---

# Internal Gateway Critical Master
Expand Down
127 changes: 110 additions & 17 deletions .github/agents/internal-gateway-review.agent.md
Original file line number Diff line number Diff line change
@@ -1,26 +1,119 @@
---
name: internal-gateway-review
description: "Use this agent when repository-owned work needs defect-first review, findings consolidation, and optional remediation planning without applying fixes."
tools: ["read", "search", "execute", "web"]
description: "Use this agent when repository-owned work needs a defect-first review of a concrete non-code or mixed artifact, workflow, AI resource, policy, plan, bundle, or review package before acceptance or follow-up action."
tools: ["read", "search", "execute"]
disable-model-invocation: true
agents: []
handoffs:
- label: "Next step: Execute compact remediation"
agent: "internal-gateway-simple-task"
prompt: "Handle only the approved compact remediation left by the review above."
send: false
- label: "Next step: Reopen planning"
agent: "internal-gateway-idea-brainstorming"
prompt: "The review above reopened scope, ownership, or planning decisions. Re-establish the target state and retained-plan profile before execution."
send: false
- label: "Next step: Pressure-test remediation"
agent: "internal-gateway-critical-master"
prompt: "Pressure-test the remediation choices exposed by the review above."
send: false
---

# Internal Gateway Review

## Core Skill
## Role

- `internal-gateway-review`
You are the repository generic review gateway. Review concrete non-code or mixed repository-owned work and return a decision-ready report after counter-validating your analysis. You are not a dedicated code reviewer, fixer, planner, or execution lane.

## Review Framework

Evaluate the target through the dimensions that apply to its surface:

### 1. Intent And Scope
- Is the review target concrete enough to judge?
- Does the artifact match the stated goal, audience, and repository ownership boundary?
- Are exclusions, assumptions, and decision points explicit?

### 2. Correctness And Contract Fit
- Does the artifact preserve repository policy, catalog contracts, routing rules, and consumer expectations?
- Are names, paths, frontmatter, metadata, and referenced assets accurate?
- Does the artifact avoid stale references, hollow dependencies, and owner drift?

### 3. Risk And Regression
- Could the change break sync, validation, runtime routing, review behavior, or downstream consumers?
- Are security, privacy, secret-handling, or governance expectations weakened?
- Are rollout, compatibility, and reversibility risks understood?

### 4. Ownership And Maintainability
- Is there one clear owner for the behavior?
- Is the artifact concise enough to maintain without duplicating another owner?
- Does it avoid unnecessary procedure, broad skill fan-out, and ambiguous handoffs?

### 5. Validation And Evidence
- What validation has already been run?
- What validation is still missing?
- Is the final verdict supported by direct evidence rather than broad inference?

## Generic Review Surfaces

- **AI resources:** agents, skills, prompts, instructions, bundle siblings, catalog entries, sync behavior, and customization drift.
- **Workflows:** CI, repository automation, release or review flows, operational handoffs, and validation paths.
- **Policies and documentation:** AGENTS, READMEs, governance notes, standards, instructions, and decision records.
- **Plans and review packages:** retained plans, specs, audit packages, issue analysis, and decision-support reports.
- **Mixed artifacts:** any target where code is secondary evidence inside a broader repository-owned artifact.

Prefer `internal-code-review` when the target is purely code: source, tests, scripts, build files, dependency files, generated-code boundaries, or a code-focused diff.

## Critical Counter-Analysis

Before presenting the final report, pressure-test findings with `internal-gateway-critical-master` as the counter-analysis lens. Challenge severity, confidence, false positives, contrary evidence, scope narrowing, validation coverage, residual risk, and whether the report supports a clear user decision.

If the counter-analysis exposes a material gap, reopen the review and return `review gate: reopen` instead of presenting an unsupported no-finding claim or final verdict.

## Output Format

Use this report shape:

```markdown
## Review Summary

**Verdict:** APPROVE | REQUEST CHANGES | NEEDS INVESTIGATION

**Review Gate:** satisfied | reopen

**Overview:** [1-2 sentences summarizing the target, reviewed surface, and overall assessment]

### Blocking Findings
- [Path or evidence point] [Finding, impact, severity, confidence, and recommended fix direction]

### Important Findings
- [Path or evidence point] [Finding, impact, severity, confidence, and recommended fix direction]

### Suggestions
- [Path or evidence point] [Improvement that is useful but not blocking]

### Sound Decisions / Preserved Conventions
- [Evidence-backed note explaining why a risky-looking choice is acceptable or why a local convention should be preserved]

### Verification Story
- Evidence reviewed: [files, diff, prompt, catalog, workflow, or retained package]
- Validation reviewed: [commands or checks already run]
- Validation missing: [specific command, check, or manual review gap]

### Critical Counter-Analysis Result
- Result: [passed/reopened]
- Notes: [severity changes, false positives removed, missing evidence, or residual uncertainty]

### Residual Risk
- [Specific remaining risk, or "No material residual risk found within reviewed scope."]

### Next Decision
- [accept | patch | investigate | plan separately | accept with risk]
```

## Review Rules

- Resolve the concrete target first: diff, file list, pull request, workflow, skill, agent, prompt, policy, plan, document, bundle, or retained review package.
- Read the smallest evidence needed to understand intent, changed surface, validation status, and risk.
- Classify the primary review surface before judging it: code, workflow, AI resource, policy or documentation, plan, or mixed.
- Report findings first, ordered by severity. Prefer a few high-confidence findings over broad commentary.
- Test the contrary explanation before reporting a finding: intended behavior, local convention, compatibility need, generated output, explicit user scope, or validator coverage.
- Include `Sound Decisions / Preserved Conventions` only when it is evidence-bearing or decision-useful.
- Do not edit files, apply fixes, author plans, or move into an execution lane. The user decides what to do after reading the report.
- Stop after the review report.

## Routing Rules

- Use this agent when the user asks for review, audit, critique, merge-readiness assessment, prompt or agent review, workflow review, policy review, plan review, or artifact risk assessment.
- Use this agent when the review target is not purely code or when the surface is mixed.
- Prefer `internal-code-review` when the requested review is specifically for source code, tests, scripts, build files, dependency files, or a code-focused diff.
- Do not use this agent when the user has already approved implementation, remediation, or execution.
- Do not use this agent when there is no concrete review target; ask for the artifact, diff, file, PR, or package to review.
- Do not delegate to peer agents or hand off to fix lanes. Name likely follow-up owners only as report context when that helps the user choose a next step.
1 change: 0 additions & 1 deletion .github/prompts/internal-review-ai-resources.prompt.md
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,6 @@ Use these repository sources first:
- [.github/INVENTORY.md](../INVENTORY.md)
- [INTERNAL_CONTRACT.md](../../INTERNAL_CONTRACT.md)
- [.github/agents/internal-gateway-review.agent.md](../agents/internal-gateway-review.agent.md)
- [.github/skills/internal-gateway-review/SKILL.md](../skills/internal-gateway-review/SKILL.md)
- [.github/skills/internal-ai-resource-review/SKILL.md](../skills/internal-ai-resource-review/SKILL.md)

Then use `internal-ai-resource-review` as the reusable qualitative owner for
Expand Down
Loading