feat(agents): add standards code review agent and full review orchestrator#1174
Merged
katriendg merged 13 commits intomicrosoft:mainfrom Apr 1, 2026
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1174 +/- ##
==========================================
- Coverage 87.72% 87.71% -0.02%
==========================================
Files 61 61
Lines 9318 9318
==========================================
- Hits 8174 8173 -1
- Misses 1144 1145 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a new skills-driven standards code review agent plus a “full” orchestrator prompt, and wires both into the coding-standards and hve-core-all collections/plugins alongside shared diff/artifact protocols.
Changes:
- Introduces
standards-code-reviewagent andfull-code-revieworchestrator prompt. - Adds shared instruction files for diff computation and review artifact persistence (plus skills-discovery instructions for planning contexts).
- Updates
coding-standardsandhve-core-allcollections and plugin manifests/READMEs to expose the new artifacts.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/agents/code-review/standards-code-review.agent.md | New standards-based reviewer agent that dynamically discovers and applies skills |
| .github/prompts/code-review/full-code-review.prompt.md | New prompt that orchestrates functional + standards reviews and merges results |
| .github/instructions/code-review/diff-computation.instructions.md | New shared protocol describing how reviewers compute diffs and lock scope |
| .github/instructions/code-review/review-artifacts.instructions.md | New shared protocol for persisting review output + metadata into .copilot-tracking/ |
| .github/instructions/skills-discovery.instructions.md | Adds planning-time guidance for discovering and referencing skills |
| collections/coding-standards.collection.yml | Registers new agent/prompt/instructions in the coding-standards collection |
| collections/coding-standards.collection.md | Updates collection description to include the new reviewer and prompt |
| collections/hve-core-all.collection.yml | Registers new agent/prompt/instructions in the hve-core-all collection |
| plugins/coding-standards/agents/standards-code-review.md | Plugin link/entry for the new standards agent |
| plugins/coding-standards/commands/full-code-review.md | Plugin link/entry for the new full-code-review command |
| plugins/coding-standards/instructions/diff-computation.md | Plugin link/entry for diff computation instructions |
| plugins/coding-standards/instructions/review-artifacts.md | Plugin link/entry for review artifact persistence instructions |
| plugins/coding-standards/README.md | Documents the new agent/command/instructions in the plugin README |
| plugins/hve-core-all/agents/standards-code-review.md | Plugin link/entry for the new standards agent |
| plugins/hve-core-all/commands/full-code-review.md | Plugin link/entry for the new full-code-review command |
| plugins/hve-core-all/instructions/diff-computation.md | Plugin link/entry for diff computation instructions |
| plugins/hve-core-all/instructions/review-artifacts.md | Plugin link/entry for review artifact persistence instructions |
| plugins/hve-core-all/README.md | Documents the new agent/command/instructions in the plugin README |
| plugins/coding-standards/instructions/review-artifacts.md | Plugin link/entry for review artifact persistence instructions |
katriendg
reviewed
Mar 31, 2026
Contributor
katriendg
left a comment
katriendg
left a comment
There was a problem hiding this comment.
Thanks a lot @erikschlegel - I have left a few notes as we discussed offline. The skill loading was discussed offline so I did not add it here.
Apologies for the pace of changes we have had here and the extra changes you had to apply before getting it to the first merge. Almost there now!
For ensuring we have our users with the custom installation modes also get this skill location discovered by Copilot, we will also need to update the HVE Core installer skill itself, and some associated docs. Once you rename your folder, the below should be Copilot updating it all for you based on the below prompt:
======
Installer SKILL.md** (skills/installer/hve-core-installer/SKILL.md) — two locations need updating:
-
Settings Configuration prose (line ~381): The explanation that describes how the installer enumerates folders for
chat.agentSkillsLocationsalready says to list collection-level folders under.github/skills/. No prose change needed becausecoding-standardswill simply be a new folder that the installer discovers automatically when it enumerates the directory. However, the explanatory examples only citesharedas an example — update the example to mentionshared,coding-standards,security, etc. so the installer has clear reference. -
Settings template block (inside
<!-- <settings-template> -->): Add the new entry:"chat.agentSkillsLocations": { "<PREFIX>/.github/skills": true, "<PREFIX>/.github/skills/shared": true, "<PREFIX>/.github/skills/coding-standards": true }
-
Method 4 (Codespaces) devcontainer.json block: Add the same entry with the
/workspaces/hve-core/prefix.
3. Docs installation method files — each of the following embeds a chat.agentSkillsLocations block that needs coding-standards added:
| File | Current entries | Add |
|---|---|---|
docs/getting-started/methods/peer-clone.md |
../hve-core/.github/skills, ../hve-core/.github/skills/shared |
"../hve-core/.github/skills/coding-standards": true |
docs/getting-started/methods/submodule.md |
lib/hve-core/.github/skills, lib/hve-core/.github/skills/shared, .github/skills |
"lib/hve-core/.github/skills/coding-standards": true |
docs/getting-started/methods/git-ignored.md |
.hve-core/.github/skills, .hve-core/.github/skills/shared (×2 blocks) |
".hve-core/.github/skills/coding-standards": true in each block |
docs/getting-started/methods/mounted.md |
/workspaces/hve-core/.github/skills, /workspaces/hve-core/.github/skills/shared (×2 blocks) |
"/workspaces/hve-core/.github/skills/coding-standards": true in each block |
docs/getting-started/methods/codespaces.md |
/workspaces/hve-core/.github/skills, /workspaces/hve-core/.github/skills/shared (×4 blocks including dual-env variants) |
Add in all blocks; dual-env block also needs "../hve-core/.github/skills/coding-standards": true |
docs/getting-started/methods/multi-root.md |
/workspaces/hve-core/.github/skills, /workspaces/hve-core/.github/skills/shared, My Project/.github/skills |
"/workspaces/hve-core/.github/skills/coding-standards": true |
docs/customization/environment.md |
.github/skills, .github/skills/shared |
".github/skills/coding-standards": true |
Note: The same pattern applies to any future skill collection folder added under .github/skills/. Each new collection folder requires a corresponding entry in all of these locations. This can be noted as a contributor checklist item in the skills contributing guide.
Contributor
Author
These comments have been addressed @katriendg . I also overhauled the skill load strategy for |
…full orchestrator Add three code review agents and supporting infrastructure: - Code Review Standards: skills-based reviewer applying project coding standards - Code Review Functional: pre-PR reviewer for logic, edge cases, error handling - Code Review Full: orchestrator running both reviews and merging reports Include diff computation and review artifact persistence instructions, prompt files, collection registrations, and regenerated plugins.
…gents - add severity-floor verdict rules to standards agent and output format template - add metadata preservation, dedup verification, and count checks to orchestrator - align reviewer field to kebab-case convention in review-artifacts instructions - add single-subagent clause to orchestrator verdict determination 🔧 - Generated by Copilot
- merge skill loading strategy into Step 3 as sub-protocol - extract no-skills reduced output contract into Special Cases - consolidate verdict determination with no-skills cross-reference - remove scope rules duplicated from diff-computation.instructions.md - reorder sections to canonical pattern and fix em dashes 🔧 - Generated by Copilot
…undational skill - replace hardcoded shared/ and utils.py references with portable anti-pattern descriptions 🔧 - Generated by Copilot
…and contributor guidance - add code-style-patterns.md with examples for naming, imports, type hints, docstrings, and error handling - rename foundational-coding-guidelines.md to design-principles.md and update frontmatter - split anti-patterns section into security baselines, pythonic idioms, and maintainability - add contributing section with extension conventions - promote reference links to standalone table with coverage mapping - soften opinionated items: keyword-only args, comprehensions qualifier, complexity thresholds - add class member ordering, docstring, and type safety checklist items 🔧 - Generated by Copilot
- convert severity rubric from bolded-prefix list to table - promote core checklist and references from H3 to H2 - remove before/after overpromises in references table, frontmatter, and subtitle - soften contributing section reference file description - condense checklist bullets and tighten wording throughout 🔧 - Generated by Copilot
… guide - Add docs/agents/code-review/ with overview README and language-skills page - Include architecture diagram, usage flow chart, skill loading sequence, and skill stacking diagrams (Mermaid) - Document all three agents, prompt invocation, verdict scale, and artifact persistence - Cover built-in python-foundational skill, complementary instructions, and enterprise skill authoring with stacking examples - Update agent catalog README with Code Review row and section - Add dataclasses, httpx, pydantic, Pythonic, finserv to cspell dictionaries
…cations, and rewrite skill discovery - Rename .github/skills/python-standards -> coding-standards to match collection name - Add coding-standards entry to all 15 agentSkillsLocations blocks across 8 docs - Rewrite Step 3 in code-review-standards agent with deterministic built-in catalog and scoped consumer skill search instead of unreliable **/SKILL.md glob - Add code-review-full agent to CUSTOM-AGENTS.md summary table and details - Update language-skills doc to reflect two-layer skill loading model - Update collection YAMLs, settings.json, and regenerate plugins
erikschlegel
force-pushed
the
feat/agents/code-review-standards
branch
from
35ff715 to
3139fb0
Compare
Contributor
Author
|
Please let me know if the latest commit addresses your questions @katriendg |
…or skill resolution
Map extensions to skill names in the built-in catalog and resolve
paths via the naming convention .github/skills/coding-standards/{name}/SKILL.md.
Update language-skills docs to match.
erikschlegel
force-pushed
the
feat/agents/code-review-standards
branch
from
3139fb0 to
14e6664
Compare
Contributor
Author
|
JFYI, the |
Member
|
I'm re-running the failed build job ... pretty sure this was transitive; but we'll see in a few. [Edit]: yup this was transitive. |
katriendg
approved these changes
Apr 1, 2026
Contributor
katriendg
left a comment
katriendg
left a comment
There was a problem hiding this comment.
Thank you @erikschlegel for the iterations and work. This is good for merging now.
This was referenced Apr 1, 2026
WilliamBerryiii
pushed a commit
that referenced
this pull request
Apr 2, 2026
## Pre-Release 3.3.41 ### ✨ Features - add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219) - consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240) - add standards code review agent and full review orchestrator (#1174) - standardize pytest-mock as Python mocking framework (#1170) - add Jira backlog workflows and Jira/GitLab skills (#978) - add centralized version bump script and supply-chain attestation (#1183) ### 🐛 Bug Fixes - replace invalid bare tool names with official tool identifiers (#1198) - fix broken links and remove orphaned reference in code review docs (#1257) - exclude Python env dirs from skill validation warnings (#1255) - pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253) - remove Mermaid diagram and add missing collection cards (#1247) - disable MCP servers by default to prevent token limit errors (#1144) - sync package-lock.json after pre-release version bump (#1236) - separate mermaid node declarations and add dynamic diagram generation with tests (#1215) - replace anchor links in meeting-analyst with bold text references (#1201) - remove recursive symlinks in jira and gitlab skill directories (#1233) - validate-installation scripts now check .github/skills directory (#1010) (#1206) - resolve npm audit vulnerabilities via dependency overrides (#1200) - add post-release triggers to scorecard workflow (#1186) - add missing .md extensions to relative links in agent documentation (#1180) ### 📚 Documentation - CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251) ### ♻️ Refactoring - align agent and prompt folder names to collection identifier (#1210) ### 🔧 Maintenance - streamline RAI Planner phase structure and documentation (#1273) - bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237) - pre-release 3.3.27 (#1191) - bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234) - bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226) - bump the github-actions group with 4 updates (#1231) - add missing folders and alphabetize location lists (#1193) - bump brace-expansion (#1224) - bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217) - bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213) - pre-release 3.3.10 (#1187) - bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175) - bump the github-actions group with 3 updates (#1176) - pre-release 3.3.1 (#1165) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
WilliamBerryiii
pushed a commit
that referenced
this pull request
Apr 24, 2026
## Pre-Release 3.3.101 ### ✨ Features - add removed maturity tier and retire owasp-docker (#1444) - add evaluation dataset creator (#1279) - align RAI planner with guide, remove scoring, improve UX (#1287) - add PSGallery staleness check and BOM cleanup (#1379) - ISA-95 network planner agent (#1177) - auto-generate collection.md with maturity filtering (#1316) - add folder-consistency check and standardize WARN outp… (#1350) - add synth-data-generate prompt to data-science collection (#1419) - add canonical deck workflow and customer-card rendering for design thinking (#1413) - add Figma MCP integration for DT artifact export (#1222) - introduce `owasp-docker` (#1245) - replace hve-core-specific references with portable discovery-based language (#1335) - introduce `owasp-cicd` (#1246) - add secure-by-design knowledge skill (#1223) - introduce `owasp-infrastructure` (#1244) - introduce `owasp-mcp` (#1207) - add OutputPath parameter to Invoke-LinkLanguageCheck.ps1 (#1229) - add -OutputPath parameter to Validate-SkillStructure.ps1 (#1225) - add maintainer-only skip-review label guard (#1293) - add extension collections overview and integrate into getting started flow (#950) - add agentic workflows for automated issue triage, implementation, PR review, dependency review, and doc-staleness detection (#1219) - consolidate package-lock.json version sync into Update-VersionFiles.ps1 (#1240) - add standards code review agent and full review orchestrator (#1174) - standardize pytest-mock as Python mocking framework (#1170) - add Jira backlog workflows and Jira/GitLab skills (#978) - add centralized version bump script and supply-chain attestation (#1183) ### 🐛 Bug Fixes - pin PowerShell-Yaml to 0.4.7 across all install sites (#1378) - close fork-PR/workflow-file-PR secret-strip gap and normalize upload-artifact version (#1421) - replace stream-based lookahead with array indexing in list-changed-files.sh (#1376) - centralize ISO 8601 timestamp regex in CIHelpers (#1343) - update stale documentation date in release-process.md (#1363) - pin basic-ftp to 5.3.0 to resolve GHSA-rp42-5vxx-qpwr (#1374) - add bot filter to dependency PR review workflow (#1362) - resolve pip-audit findings in powerpoint, gitlab, and jira skill lock files (#1360) - standardize Timestamp JSON key casing across all lint result files (#1314) - add synchronize trigger to PR Review workflow (#1323) - standardize timestamp in Validate-SkillStructure.ps1 to use Get-StandardTimestamp (#1280) - add parallel subagent dispatch and structured JSON contracts to code-review-full (#1304) - standardize timestamp in SecurityHelpers.psm1 to use Get-StandardTimestamp (#1284) - standardize timestamps in Test-DependencyPinning.ps1 and SecurityClasses.psm1 (#1282) - derive collection artifact counts from YAML at build time (#1275) - standardize timestamp in FrontmatterValidation.psm1 to use Get-StandardTimestamp (#1285) - standardize timestamp in Markdown-Link-Check.ps1 to use Get-StandardTimestamp (#1283) - escape hyphens in Mermaid diagram on Collections page (#1262) - add summary timestamp to PSScriptAnalyzer output (#1211) - fix plugin compatibility and robustness for coding-standards code review agents (#1289) - standardize timestamp in Test-CopyrightHeaders.ps1 to use Get-StandardTimestamp (#1278) - standardize timestamp in Invoke-YamlLint.ps1 to use Get-StandardTimestamp (#1270) - standardize timestamp in Invoke-LinkLanguageCheck.ps1 to use Get-StandardTimestamp (#1264) - fix dependency-review path filters and sparse-checkout cone mode (#1259) - replace invalid bare tool names with official tool identifiers (#1198) - fix broken links and remove orphaned reference in code review docs (#1257) - exclude Python env dirs from skill validation warnings (#1255) - pin happy-dom and serialize-javascript to resolve Dependabot vulnerabilities (#1253) - remove Mermaid diagram and add missing collection cards (#1247) - disable MCP servers by default to prevent token limit errors (#1144) - sync package-lock.json after pre-release version bump (#1236) - separate mermaid node declarations and add dynamic diagram generation with tests (#1215) - replace anchor links in meeting-analyst with bold text references (#1201) - remove recursive symlinks in jira and gitlab skill directories (#1233) - validate-installation scripts now check .github/skills directory (#1010) (#1206) - resolve npm audit vulnerabilities via dependency overrides (#1200) - add post-release triggers to scorecard workflow (#1186) - add missing .md extensions to relative links in agent documentation (#1180) ### 📚 Documentation - broaden Security Review description beyond OWASP (#1385) - document maintainer advisory mode and skip-review label guard (#1386) - document ExcludePaths/OutputPath for Invoke-LinkLanguageCheck (#1383) - CLI getting-started: clarify plugin install commands as alternatives (-all vs base) (#1251) ### ♻️ Refactoring - align agent and prompt folder names to collection identifier (#1210) ### 🔧 Maintenance - pin PSScriptAnalyzer to 1.25.0 and sync stale workflow version comments (#1389) - bump lxml from 6.0.2 to 6.1.0 in /.github/skills/experimental/powerpoint (#1424) - bump @vscode/vsce from 3.7.1 to 3.9.1 in the npm-dependencies group (#1390) - bump the github-actions group across 1 directory with 7 updates (#1391) - bump follow-redirects from 1.15.11 to 1.16.0 in /docs/docusaurus (#1356) - upgrade Node.js from 20 to 24 and bump cspell to v10 (#1353) - bump basic-ftp from 5.2.0 to 5.2.1 (#1324) - update github/gh-aw-actions requirement to 536ea1bad8c6715d098a9dc1afea8d403733acfe in the github-actions group across 1 directory (#1298) - update security instruction attributions and compliance (#1294) - bump the npm-dependencies group with 2 updates (#1297) - pre-release 3.3.41 (#1252) - streamline RAI Planner phase structure and documentation (#1273) - bump happy-dom from 20.8.8 to 20.8.9 in /docs/docusaurus (#1237) - pre-release 3.3.27 (#1191) - bump pygments from 2.19.2 to 2.20.0 in /.github/skills/gitlab/gitlab (#1234) - bump path-to-regexp from 0.1.12 to 0.1.13 in /docs/docusaurus (#1226) - bump the github-actions group with 4 updates (#1231) - add missing folders and alphabetize location lists (#1193) - bump brace-expansion (#1224) - bump handlebars from 4.7.8 to 4.7.9 in /docs/docusaurus (#1217) - bump brace-expansion from 5.0.3 to 5.0.5 in /docs/docusaurus (#1213) - pre-release 3.3.10 (#1187) - bump markdownlint-cli2 from 0.21.0 to 0.22.0 in the npm-dependencies group (#1175) - bump the github-actions group with 3 updates (#1176) - pre-release 3.3.1 (#1165) --- *Managed automatically by pre-release workflow.* Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add the standards-based code review agent, full-code-review orchestration prompt, and shared instruction files for diff computation, review artifact persistence, and skills discovery.
What's included
standards-code-review.agent.md— Skills-based code reviewer that enforces project-defined coding standards via dynamic skill loading. Discovers skills at runtime by scanning.github/skills/{collection-id}/{skill-name}/SKILL.mdfrontmatter metadata. Language-agnostic by design.full-code-review.prompt.md— Orchestrator prompt that runs bothfunctional-code-reviewandstandards-code-reviewagents in a single pass, deduplicates findings, and produces a merged report with the stricter verdict.diff-computation.instructions.md— Shared diff computation protocol (branch detection, per-commit file collection, multi-author handling, large diff thresholds, non-source artifact filtering) extracted to eliminate duplication between agent and prompt.review-artifacts.instructions.md— Shared persistence protocol for review artifacts (folder structure,metadata.jsonschema, verdict normalization, writing rules).coding-standardsandhve-core-all.Related Issue(s)
Related to #1112
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md)Sample Prompts (for AI Artifact Contributions)
User Request:
Execution Flow:
diff-computation.instructions.md, filters non-source artifacts..github/skills/for allSKILL.mdfiles, reads frontmatternameanddescription, selects up to 8 relevant skills based on diff content (file types, imports, patterns).AIAA-123,AB#456), the agent prompts for the story definition, extracts acceptance criteria, and appends a coverage table marking each criterion as Implemented, Partial, or Not found.review.mdandmetadata.jsonto.copilot-tracking/code-reviews/<sanitized-branch>/perreview-artifacts.instructions.md.For
full-code-review, Steps 2-4 run twice (functional agent + standards agent) on the same pre-computed diff, then a merged report deduplicates findings and uses the stricter verdict. Acceptance criteria coverage (Step 5) is included in the standards agent's output when a story reference is provided.Output Artifacts:
{ "schema_version": "1", "branch": "feat/my-feature", "head_commit": "abc123...", "reviewed_at": "2026-03-22T20:00:00Z", "verdict": "request_changes", "files_changed": ["src/api.py", "src/models.py"], "findings_count": { "critical": 1, "high": 2, "medium": 3, "low": 1 }, "reviewer": "standards-code-review" }Success Indicators:
metadata.jsonverdict matches the review's Overall VerdictTesting
/prompt-analyzetwice with all findings addressed/prompt-refactorto eliminate duplication (~105 lines net reduction via shared instructions extraction)full-code-reviewend-to-end producing a 25-finding merged reportnpm run lint:all✅npm run lint:md-links✅npm run validate:copyright✅ (148/148 files, 100%)npm run spell-check✅ (281 files, 0 issues)npm run plugin:generate✅ (12 plugins, 0 errors)npm run plugin:validate✅ (0 errors)npm run lint:collections-metadata✅ (0 errors)Checklist
Required Checks
AI Artifact Contributions
/prompt-analyzeto review contributionprompt-builderreviewRequired Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run validate:skillsnpm run lint:md-linksnpm run lint:psnpm run plugin:generateSecurity Considerations
Additional Notes
python/core/python-basics/SKILL.md) that the standards agent loads at review time. Without those skills, the agent will display the "functional-code-reviewagent's artifact save mechanism uses.copilot-tracking/reviews/instead of the sharedreview-artifacts.instructions.mdprotocol. Aligning this is tracked separately.full-code-review.prompt.mdfrontmatter originally includedagents: [functional-code-review, standards-code-review]but was simplified during iteration — agents are referenced by glob path in the prompt body instead.