diff --git a/.github/agents/Managment.agent.md b/.github/agents/Managment.agent.md index 7d97e15b..6123ef7e 100644 --- a/.github/agents/Managment.agent.md +++ b/.github/agents/Managment.agent.md @@ -88,7 +88,7 @@ The task is not complete until ALL of the following pass with zero issues: 5. **Linting**: All language-specific linters must pass -**Your Role**: You delegate implementation to subagents, but YOU are responsible for verifying they completed the Definition of Done. Do not accept "DONE" from a subagent until you have confirmed they ran coverage tests and type checks explicitly. +**Your Role**: You delegate implementation to subagents, but YOU are responsible for verifying they completed the Definition of Done. Do not accept "DONE" from a subagent until you have confirmed they ran coverage tests, type checks, and security scans explicitly. **Critical Note**: Leaving this unfinished prevents commit, push, and leaves users open to security concerns. All issues must be fixed regardless of whether they are unrelated to the original task. This rule must never be skipped. It is non-negotiable anytime any bit of code is added or changed. diff --git a/.github/agents/QA_Security.agent.md b/.github/agents/QA_Security.agent.md index 43145c00..499cf198 100644 --- a/.github/agents/QA_Security.agent.md +++ b/.github/agents/QA_Security.agent.md @@ -35,8 +35,8 @@ Your job is to act as an ADVERSARY. The Developer says "it works"; your job is t - **Cleanup**: If the test was temporary, delete it. If it's valuable, keep it. - -When Trivy reports CVEs in container dependencies (especially Caddy transitive deps): + +When Trivy or CodeQLreports CVEs in container dependencies (especially Caddy transitive deps): 1. **Triage**: Determine if CVE is in OUR code or a DEPENDENCY. - If ours: Fix immediately. 
@@ -68,24 +68,25 @@ When Trivy reports CVEs in container dependencies (especially Caddy transitive d The task is not complete until ALL of the following pass with zero issues: -1. **Coverage Tests (MANDATORY - Run Explicitly)**: +1. **Security Scans**: + - CodeQL: Run as VS Code task or via GitHub Actions + - Trivy: Run as VS Code task or via Docker + - Zero issues allowed + +2. **Coverage Tests (MANDATORY - Run Explicitly)**: - **Backend**: Run VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh` - **Frontend**: Run VS Code task "Test: Frontend with Coverage" or execute `scripts/frontend-test-coverage.sh` - **Why**: These are in manual stage of pre-commit for performance. You MUST run them via VS Code tasks or scripts. - Minimum coverage: 85% for both backend and frontend. - All tests must pass with zero failures. -2. **Type Safety (Frontend)**: +3. **Type Safety (Frontend)**: - Run VS Code task "Lint: TypeScript Check" or execute `cd frontend && npm run type-check` - **Why**: This check is in manual stage of pre-commit for performance. You MUST run it explicitly. - Fix all type errors immediately. -3. **Pre-commit Hooks**: Run `pre-commit run --all-files` (this runs fast hooks only; coverage was verified in step 1) +4. **Pre-commit Hooks**: Run `pre-commit run --all-files` (this runs fast hooks only; coverage was verified in step 1) -4. **Security Scans**: - - CodeQL: Run as VS Code task or via GitHub Actions - - Trivy: Run as VS Code task or via Docker - - Zero issues allowed 5. **Linting**: All language-specific linters must pass (Go vet, ESLint, markdownlint) diff --git a/.github/instructions/copilot-instructions.md b/.github/instructions/copilot-instructions.md index ae121f47..72b6384f 100644 --- a/.github/instructions/copilot-instructions.md +++ b/.github/instructions/copilot-instructions.md 
@@ -80,12 +80,17 @@ Before proposing ANY code change or fix, you must build a mental map of the feat Before marking an implementation task as complete, perform the following in order: -1. **Pre-Commit Triage**: Run `pre-commit run --all-files`. +1. **Security Scans**: Run all security scans and ensure zero vulnerabilities. + - **CodeQL**: Run as VS Code task or use Skill. + - **Trivy**: Run as VS Code task or use Skill. + - **Zero issues allowed**. + +2. **Pre-Commit Triage**: Run `pre-commit run --all-files`. - If errors occur, **fix them immediately**. - If logic errors occur, analyze and propose a fix. - Do not output code that violates pre-commit standards. -2. **Coverage Testing** (MANDATORY - Non-negotiable): +3. **Coverage Testing** (MANDATORY - Non-negotiable): - **Backend Changes**: Run the VS Code task "Test: Backend with Coverage" or execute `scripts/go-test-coverage.sh`. - Minimum coverage: 85% (set via `CHARON_MIN_COVERAGE` or `CPM_MIN_COVERAGE`). - If coverage drops below threshold, write additional tests to restore coverage. 
@@ -97,16 +102,16 @@ Before marking an implementation task as complete, perform the following in orde - **Critical**: Coverage tests are NOT run by default pre-commit hooks (they are in manual stage for performance). You MUST run them explicitly via VS Code tasks or scripts before completing any task. - **Why**: CI enforces coverage in GitHub Actions. Local verification prevents CI failures and maintains code quality. -3. **Type Safety** (Frontend only): +4. **Type Safety** (Frontend only): - Run the VS Code task "Lint: TypeScript Check" or execute `cd frontend && npm run type-check`. - Fix all type errors immediately. This is non-negotiable. - This check is also in manual stage for performance but MUST be run before completion. -4. **Verify Build**: Ensure the backend compiles and the frontend builds without errors. +5. **Verify Build**: Ensure the backend compiles and the frontend builds without errors. - Backend: `cd backend && go build ./...` - Frontend: `cd frontend && npm run build` -5. **Clean Up**: Ensure no debug print statements or commented-out blocks remain. +6. **Clean Up**: Ensure no debug print statements or commented-out blocks remain. - Remove `console.log`, `fmt.Println`, and similar debugging statements. - Delete commented-out code blocks. - Remove unused imports.
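Review bot: In the Managment.agent.md hunk, "confirmed they ran coverage tests, type checks, and security scans explicitly" still lets a subagent satisfy the check by asserting that it ran them; since the Critical Note below says an unfinished check "leaves users open to security concerns", consider requiring the manager to see the scan output (the CodeQL/Trivy result summary with zero findings) rather than a "DONE" claim, e.g. "until you have seen the coverage report, type-check output, and CodeQL/Trivy results showing zero issues."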
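Review bot: In the QA_Security.agent.md hunk at @@ -35,8, the new line has a missing space in "CodeQLreports" and pairs CodeQL with a triage flow written for dependency CVEs ("CVEs in container dependencies", "If ours: Fix immediately" vs dependency): CodeQL findings are code-level alerts in our own source, so the triage list below (ours vs dependency) does not apply to them as written. Suggest either keeping this paragraph Trivy-only ("When Trivy reports CVEs in container dependencies") and adding a separate sentence for CodeQL alerts, or rewording the intro to "When Trivy reports CVEs in container dependencies, or CodeQL reports alerts in our code". The `-`/`+` pair of blank lines above it is a whitespace-only change that should probably not be in this diff.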
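Review bot: In the QA_Security.agent.md hunk at @@ -68,24, step 4 still reads "coverage was verified in step 1", but Security Scans is now step 1 and Coverage Tests is step 2; update the parenthetical to "coverage was verified in step 2". Also, moving Security Scans ahead of the steps that may change code (fixing coverage gaps, type errors, pre-commit findings) means the scan result can be stale by the time the task is marked done; either add "re-run after any subsequent fix" to the step, or keep the scans as the final gate as they were.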
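Review bot: In the copilot-instructions.md hunk at @@ -80,12, "Run as VS Code task or use Skill" names an undefined "Skill" and is inconsistent with QA_Security.agent.md in the same diff, which says "via GitHub Actions" for CodeQL and "via Docker" for Trivy; use the same wording in both files, or name the skill explicitly. The same ordering concern applies here: steps 2 to 6 (pre-commit fixes, added tests, type fixes, cleanup) all modify code after the step 1 scans have run, so add a note that the scans must be re-run if any later step changes code, or place them after Verify Build.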
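Review bot: The hunk at @@ -97,16 is renumbering only and is internally consistent (3 to 4, 4 to 5, 5 to 6); since the "Critical" and "Why" bullets elsewhere in these files refer to checks by step number, grep the rest of copilot-instructions.md and the agent files for stale "step N" references before merging.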