First impressions on this draft PR:

The three-part disclaimer formulation exceeds the baseline requirement: (1) covers legal, compliance, and ethics; (2) frames all outputs as suggestions; (3) establishes organizational policy precedence.

Replacing numerical scores with qualitative concern levels and maturity indicators strengthens the disclaimer posture. Qualitative assessments naturally invite human judgment.

Look forward to seeing this in action.

Files affected: All files containing the current disclaimer blockquote:

.github/agents/rai-planning/rai-planner.agent.md
.github/instructions/rai-planning/rai-identity.instructions.md (Session Start Display, Exit Point Reminder, State Creation)
.github/prompts/rai-planning/rai-capture.prompt.md
.github/prompts/rai-planning/rai-plan-from-prd.prompt.md
.github/prompts/rai-planning/rai-plan-from-security-plan.prompt.md

Current text:

This tool provides structured prompts and frameworks to support responsible AI planning. It is not a substitute for professional legal, compliance, or ethics review. All outputs are suggestions for human evaluation. Organizational RAI policies and applicable regulations take precedence.

Required text:

This agent is an assistive tool only. It does not provide legal, regulatory, or compliance advice and does not replace Responsible AI review boards, ethics committees, legal counsel, compliance teams, or other qualified human reviewers. The output consists of suggested actions and considerations to support a user's own internal review and decision‑making. All RAI assessments, sensitive use screenings, security models, and mitigation recommendations generated by this tool must be independently reviewed and validated by appropriate legal and compliance reviewers before use. Outputs from this tool do not constitute legal approval, compliance certification, or regulatory sign‑off.

Rationale:

The current disclaimer is too general and does not adequately protect against misinterpretation. The replacement version:

• Enumerates specific professional roles the tool does not replace (RAI review boards, ethics committees, legal counsel, compliance teams)
• Names the specific output types requiring validation (RAI assessments, sensitive use screenings, security models, mitigation recommendations)
• Explicitly excludes certification and sign-off — preventing misinterpretation as approval
• States a mandatory validation requirement ("must be independently reviewed and validated") rather than a softer suggestion
• Addresses regulatory advice directly ("does not provide legal, regulatory, or compliance advice")
• This change should be applied everywhere the current disclaimer blockquote appears, including the Session Start Display and Exit Point Reminder sections in rai-identity.instructions.md which govern when the disclaimer is shown to users.

Advisory review, this PR is from a maintainer. Findings are informational only.

Review Summary

This is a substantial, well-structured PR that delivers the RAI Planner redesign described in #1281 alongside a new AI artifact validation pipeline. The implementation quality is high: scripts follow PowerShell and Bash conventions, the new CI workflow is properly permission-scoped with pinned SHA dependencies, and the devcontainer cosign installation includes SHA verification. The testing table confirms all automated checks passed.

The findings below are template compliance and minor quality items.

Issue Alignment

✅ The PR addresses all acceptance criteria from #1281 (standards alignment, disclaimer text, UX improvements, output preferences, phase transitions). The implementation goes substantially beyond the 11-file scope described in the issue — 61 files are changed, including new CI infrastructure, scripts, devcontainer tooling, documentation, plugins, and collections.

⚠️ Scope expansion vs. issue scope: Issue #1281 described "11 files across .github/agents/rai-planning/, .github/instructions/rai-planning/, and .github/prompts/rai-planning/." The PR adds an entirely new AI artifact validation pipeline, artifact signing infrastructure, DevContainer tooling, and regenerates all 14 plugins. This is well-intentioned and well-documented, but represents significant undisclosed scope growth relative to the linked issue. Future large feature additions may benefit from a separate issue tracking the infrastructure work so reviewers and the changelog can reference it independently.

PR Template Compliance

⚠️ Security Considerations section absent: The PR template (.github/PULL_REQUEST_TEMPLATE.md) includes a required Security Considerations section with three checkboxes. This section is entirely missing from the PR description:

## Security Considerations
* [ ] This PR does not contain any sensitive or NDA information
* [ ] Any new dependencies have been reviewed for security issues
* [ ] Security-related scripts follow the principle of least privilege

This is especially relevant here since the PR adds scripts/security/Sign-RaiArtifacts.ps1, scripts/linting/Validate-AIArtifacts.ps1, and installs cosign in both the devcontainer and the Copilot coding agent environment.

⚠️ GHCP Maturity Acknowledgment checkboxes unchecked: The PR description includes the GHCP Maturity section but both acknowledgment checkboxes remain unchecked:

• [ ] I acknowledge this PR includes non-stable GHCP artifacts
• [ ] Non-stable artifacts are intentional for this change

⚠️ AI Artifact Contributions checklist unchecked: All three items under ### AI Artifact Contributions are unchecked. These are listed as required checks for AI artifact contributions:

• [ ] Used /prompt-analyze to review contribution
• [ ] Addressed all feedback from prompt-builder review
• [ ] Verified contribution follows common standards and type-specific requirements

⚠️ Required Automated Checks template mismatch: The PR's checklist omits two commands present in the current template and adds one that isn't:

• Missing from PR checklist: npm run plugin:generate, npm run docs:test
• Present in PR checklist but not in template: npm run lint:ai-artifacts

The testing table confirms plugin:generate was run and passed — the checklist just doesn't reflect it. Consider updating the PR description to align the Required Automated Checks with the current template, and (separately) the template itself may need updating to include npm run lint:ai-artifacts now that it has been added to lint:all.

GHCP Maturity Table Discrepancy

⚠️ rai-sensitive-uses-triggers.instructions.md is listed in the GHCP Artifact Maturity table but does not appear in the diff. The diff shows rai-risk-classification.instructions.md as added instead. If rai-sensitive-uses-triggers.instructions.md is an existing file not modified in this PR, it should be removed from the maturity table. If it was renamed, the rename may not be reflected correctly in the table.

PR Size

i️ 61 files were changed. The automated review guideline recommends splitting PRs larger than 50 files to maintain thorough reviewability. For a maintainer-driven feature PR like this, the size is understandable given the coordinated nature of the changes, but it's worth noting for future reference.

Code Quality

✅ Sign-RaiArtifacts.ps1 follows all PowerShell conventions: copyright header, #Requires -Version 7.0, comment-based help, [CmdletBinding()], typed parameters, $ErrorActionPreference = 'Stop', invocation guard, and region blocks.

✅ Validate-AIArtifacts.ps1 follows the same conventions consistently.

✅ on-create.sh cosign installation includes SHA verification consistent with the existing tool installation patterns.

✅ copilot-setup-steps.yml cosign step mirrors the devcontainer installation with SHA verification.

✅ ai-artifact-validation.yml is properly structured as a reusable workflow_call workflow with explicit permissions: contents: read at both workflow and job level, pinned SHA for actions/checkout, and persist-credentials: false.

💡 One inline comment was posted on ai-artifact-validation.yml regarding the unpinned PowerShell-Yaml module version in CI.

Action Items

1. Add the Security Considerations section back to the PR description and check the applicable boxes.
2. Check the GHCP Maturity Acknowledgment checkboxes.
3. Check or address the AI Artifact Contributions checklist items.
4. Align the Required Automated Checks checklist with the current template.
5. Resolve the rai-sensitive-uses-triggers.instructions.md entry in the GHCP Maturity table.
6. Consider pinning the PowerShell-Yaml module version in ai-artifact-validation.yml (and optionally in copilot-setup-steps.yml and on-create.sh for consistency).

Generated by PR Review for issue #1287 · ● 1.8M

Advisory review, this PR is from a maintainer. Findings are informational only.

PR Review — feat/rai-planner-guide-alignment

⚠️ PR Size Exceeds Reviewable Threshold

This PR contains 61 changed files, which exceeds the 50-file automated review threshold. A thorough automated review cannot be completed. The author is encouraged to consider splitting future large PRs into smaller, focused units to improve reviewability and reduce merge risk.

📋 Issue Alignment

Issue: #1281 — Align RAI Planner with Impact Assessment Guide and improve UX

✅ The PR closes #1281 and addresses the stated goals: guide alignment, UX improvements, disclaimer/attribution, and output preferences.

⚠️ Scope expansion noted: Issue #1281 scoped the work to 11 files across the rai-planning directories. This PR spans 61 files including CI workflows, scripts, plugins, collection metadata, devcontainer config, and a new AI artifact validation pipeline. While the PR description explains these additions clearly, the issue did not capture this broader scope. For transparency, consider updating issue #1281 or creating a follow-on issue to track the AI artifact validation work as a separate deliverable.

📝 PR Template Compliance

✅ Description is well-filled with detailed context, phase descriptions, output artifacts, and success indicators.

✅ Related Issue(s): Closes #1281 — valid reference.

✅ Type of Change: Multiple applicable boxes checked (New feature, Documentation update, GitHub Actions workflow, Security configuration, DevContainer configuration, Dependency update, Copilot instructions/prompts/agents, Script/automation).

❌ GHCP Maturity Acknowledgment checkboxes are unchecked. The PR correctly identifies 11 experimental GHCP artifacts and includes the maturity table, but neither acknowledgment checkbox is checked:

• [ ] I acknowledge this PR includes non-stable GHCP artifacts
• [ ] Non-stable artifacts are intentional for this change

These should be checked before merging.

❌ AI Artifact Contributions checklist is unchecked. All three items remain unchecked:

• [ ] Used /prompt-analyze to review contribution
• [ ] Addressed all feedback from prompt-builder review
• [ ] Verified contribution follows common standards and type-specific requirements

Per the PR template notes, AI Artifact Contributors are expected to complete the prompt-builder review process. If this was intentionally skipped, add a note explaining why.

❌ Required Automated Checks checklist is unchecked. All 7 validation commands (lint:md, spell-check, lint:frontmatter, validate:skills, lint:md-links, lint:ps, lint:ai-artifacts) remain unchecked in the checklist. The Testing table shows several validations passed, but the checklist items should be checked to confirm each specific command ran successfully.

🔍 Code Quality and Security (Partial — size limit reached)

Due to the 61-file size, a full code quality review was not performed. The items flagged above are based on PR metadata and description only.

📋 Action Items

1. ✅ Check the two GHCP Maturity Acknowledgment boxes.
2. ✅ Complete or explain the AI Artifact Contributions checklist items.
3. ✅ Check the Required Automated Checks boxes after confirming each command passes.
4. 💡 Consider whether the AI artifact validation pipeline work warrants its own issue/PR for traceability.

Generated by PR Review for issue #1287 · ● 675.6K

Good PR overall. Phase restructuring, scoring removal, guide alignment, and cosign infrastructure are well executed. Two items need resolution before merge: the indicator method inconsistency in rai-identity.instructions.md and the AI artifact validation scope mismatch that makes the CI job a no-op. Also, the GHCP Maturity table in the PR description references rai-sensitive-uses-triggers.instructions.md but that file was never added; the correct name is rai-risk-classification.instructions.md.

Advisory review, this PR is from a maintainer. Findings are informational only.

Overview

This PR significantly expands the RAI Planner system with a 5→6 phase restructuring, scoring model replacement, artifact signing infrastructure, and a new config-driven AI artifact validation pipeline. The implementation is thorough and well-documented. Three advisory findings are noted below.

Issue Alignment

Issue #1281 described a scope of 11 files across the rai-planning directories. This PR touches 77 files across agents, instructions, prompts, documentation, plugins, collection manifests, CI workflows, scripts, and the devcontainer. The expanded scope includes work that was not mentioned in the issue — specifically:

• Deletion of the standalone rai-planning collection (collections/rai-planning.collection.yml / .md)
• New CI validation workflow (ai-artifact-validation.yml)
• Artifact signing script and Pester test suite
• cosign installation in the devcontainer
• Changes to security-planner.agent.md and sssc-planner.agent.md

The issue acceptance criteria remain unchecked in the issue itself (though the PR description confirms they were satisfied). Consider closing the issue or updating acceptance criteria as the implementation has clearly moved well beyond the original 11-file scope.

The deletion of collections/rai-planning.collection.yml is a potentially breaking change for users who had the standalone rai-planning collection installed separately. The PR marks no checkboxes for "Breaking change," though this is arguable given the experimental maturity of the artifacts.

PR Template Compliance

Three sets of checkboxes in the PR template are unchecked and should be addressed before merge:

1. GHCP Maturity Acknowledgment — Both acknowledgment boxes under "GHCP Artifact Maturity" are unchecked ([ ] I acknowledge this PR includes non-stable GHCP artifacts / [ ] Non-stable artifacts are intentional for this change).
2. AI Artifact Contributions checklist — All three items (/prompt-analyze, prompt-builder review, and standards verification) are unchecked.
3. Required Automated Checks — All seven validation commands (lint:md, spell-check, lint:frontmatter, validate:skills, lint:md-links, lint:ps, lint:ai-artifacts) appear unchecked in the template, though the Testing table confirms they were run and passed.

Additionally, "Linting configuration" was not checked under Infrastructure & Configuration, though Validate-PlannerArtifacts.ps1 is wired into lint:all and constitutes a new linter.

Coding Standards

See the two inline comments for:

• scripts/security/Sign-PlannerArtifacts.ps1 line 31 — stale .EXAMPLE path referencing the pre-rename filename Sign-RaiArtifacts.ps1.
• scripts/linting/Validate-PlannerArtifacts.ps1 line 207 — Test-DisclaimerInContent is an exact duplicate of Test-FooterInContent; consider consolidating into a single helper.

Code Quality

• footer-with-review.yml scope mismatch — See inline comment on line 35–50. The CI workflow enforcing this config will always report 0 findings because instruction files never contain the generated footers. The enforcement gap is documented in the YAML but could mislead future maintainers. Consider a more explicit comment in the CI workflow or a fixture-based test.
• PR size (77 files) — While the changes are logically coherent, the PR spans many concern areas (RAI planner restructure, artifact signing, validation infra, collection reorganization). Future maintainers may find it easier to bisect issues if these are separated by concern.

Summary

No blocking issues. The stale example path and duplicate function are minor clean-up items; the template checkbox state and scope mismatch are housekeeping notes. The implementation quality is high across the new scripts, workflows, and instruction files.

Generated by PR Review for issue #1287 · ● 3.8M

Run this through the PR Review and did my own quick review. Things look great. Thank you for removing sensitive and restricted use cases from the RAI planner and including the disclaimers. No easy task and appreciate the effort.

Advisory review — this PR is from a maintainer. Findings are informational only.

Review Overview

This is a substantial, well-described PR that meaningfully expands the RAI Planner from a 5-phase to a 6-phase workflow, replaces numeric scoring with qualitative concern levels, and establishes a config-driven AI artifact validation pipeline. The implementation quality is generally high: SHA-pinned workflows, verified binary downloads, thorough Pester test coverage, and clear config-driven validation architecture. Findings below are informational for the author's awareness.

Issue Alignment

Linked issue: Closes #1281

The core issue acceptance criteria are addressed (phase restructuring, guide alignment, disclaimer/attribution, UX improvements, output customization). However, issue #1281 scoped the work to 11 files across three directories. This PR changes 80 files spanning agents, instructions, prompts, CI workflows, devcontainer config, collection manifests, plugins, documentation, scripts, and test suites.

The scope expansion is well-justified and thoroughly documented in the PR description, but the original issue has not been updated to reflect the broader intent. Consider updating issue #1281 to capture the full scope of what shipped, or noting this explicitly in the PR.

PR Template Compliance

Several required template sections are incomplete:

Security Considerations section missing — The template includes a Security Considerations section with three checkboxes. This entire section is absent from the PR body:

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues
• Security-related scripts follow the principle of least privilege

Given that this PR adds Sign-PlannerArtifacts.ps1 (handles cosign keyless signing), installs cosign in devcontainer and CI, and adds config files under .github/config/, this section is directly applicable and should be completed.

GHCP Maturity Acknowledgment checkboxes unchecked — The PR correctly identifies 11 experimental artifacts in the maturity table, but neither acknowledgment checkbox is checked:

• I acknowledge this PR includes non-stable GHCP artifacts
• Non-stable artifacts are intentional for this change

AI Artifact Contributions checklist unchecked — All three items remain unchecked despite the PR containing agents, prompts, and instructions:

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks unchecked — The testing table shows strong validation results, but the checklist checkboxes themselves are all unchecked. Additionally, two standard template checks (Plugin freshness: npm run plugin:generate and Docusaurus tests: npm run docs:test) have been replaced with AI artifact validation: npm run lint:ai-artifacts. The substitution is reasonable given the PR's focus, but deviates from the standard template.

Coding Standards

Applicable instruction files reviewed:

• .github/instructions/workflows.instructions.md (GitHub Actions conventions)
• .github/instructions/coding-standards/powershell.instructions.md (PowerShell conventions)
• .github/instructions/coding-standards/powershell-tests.instructions.md (Pester conventions)
• .github/instructions/coding-standards/bash.instructions.md (Bash conventions)

GitHub Actions workflows: ✅ All actions use full SHA pins with semantic version comments; explicit permissions: blocks are declared at both workflow and job level; persist-credentials: false is set where applicable; reusable workflows follow the established pattern.

PowerShell scripts: Mostly ✅. Validate-PlannerArtifacts.ps1 follows all conventions (copyright header, #Requires, comment-based help, [CmdletBinding()], $ErrorActionPreference = 'Stop', #region/#endregion, invocation guard). Sign-PlannerArtifacts.ps1 follows the same pattern with one doc bug (see inline comment on line 32).

Pester tests: ✅ Files follow #Requires -Modules Pester before copyright header; BeforeAll dot-sources scripts; -Tag 'Unit' present; $TestDrive used for isolation.

Bash (on-create.sh): ✅ set -euo pipefail; copyright header; checksum verification before installation; consistent error message format.

Code Quality

Two observations (see inline comments for line-level detail):

1. scripts/security/Sign-PlannerArtifacts.ps1 line 32 — First .EXAMPLE entry references the old script name Sign-RaiArtifacts.ps1. The second and third examples use the correct Sign-PlannerArtifacts.ps1. Simple one-line fix.

2. .github/workflows/copilot-setup-steps.yml — The cosign step (new in this PR) uses a defensive if ! guard for checksum verification with explicit exit 1. The pre-existing actionlint step uses an unguarded inline form. The cosign pattern is strictly safer; a follow-up to align actionlint would improve consistency.

Summary

No blocking issues identified. The two items requiring author action before merge are the missing Security Considerations section and the unchecked GHCP Maturity Acknowledgment checkboxes.

Generated by PR Review for issue #1287 · ● 3.4M

Advisory review, this PR is from a maintainer. Findings are informational only.

PR Review: feat(agents): align RAI planner with guide, remove scoring, improve UX

PR #1287 · 80 files changed · Author: WilliamBerryiii (MEMBER)

This is a broad, well-motivated PR that ships a cohesive set of improvements to the RAI planning agent, adds AI artifact signing and validation infrastructure, and cleans up associated collection manifests and plugin outputs. The implementation quality is generally high. The notes below are informational and do not block merging.

📋 Issue Alignment

Linked issue: Closes #1281

Issue #1281 described a focused change to "11 files across .github/agents/rai-planning/, .github/instructions/rai-planning/, and .github/prompts/rai-planning/." This PR delivers 80 changed files encompassing new CI workflows, PowerShell signing/validation scripts, Pester tests, package.json scripts, collections/ YAML and Markdown, plugins/ regeneration, and documentation.

The scope expansion is substantive and well-justified by the work being done, but issue #1281's description is now stale — it does not capture the CI infrastructure, signing pipeline, or collection/plugin changes that form a significant portion of the PR. Consider updating the issue body or closing it with a comment that summarizes the actual delivery scope, so the history remains accurate for future contributors.

No scope creep in the negative sense — the additional work is clearly additive and cohesive with the stated goal.

📝 PR Template Compliance

The PR description is detailed and well-written. Two template compliance gaps were identified:

1. GHCP Maturity Acknowledgment checkboxes are unchecked

The GHCP Maturity section was inserted (correctly — the PR includes experimental and preview artifacts) but both acknowledgment boxes remain [ ]:

- [ ] I acknowledge this PR includes non-stable GHCP artifacts
- [ ] Non-stable artifacts are intentional for this change
```

These should be checked before merge to confirm deliberate intent.

**2. AI Artifact Contributions checklist is unchecked**

The PR checks `[x] Copilot instructions`, `[x] Copilot prompt`, and `[x] Copilot agent` under Type of Change, which triggers the requirement (from PR template instructions) to also complete the AI Artifact Contributions checklist. All three items are currently `[ ]`:

```
- [ ] Used /prompt-analyze to review contribution
- [ ] Addressed all feedback from prompt-builder review  
- [ ] Verified contribution follows common standards and type-specific requirements

Check these or explicitly mark them N/A with a note if the prompt-builder review step was intentionally skipped.

🔍 PR Description Accuracy

Three file name discrepancies between the PR description and the actual committed files:

These don't affect the code, but keeping the description accurate helps reviewers and future readers correlate what was shipped.

🏗️ Coding Standards

.github/workflows/ compliance — ✅ No violations

• Third-party actions are SHA-pinned with version comments (actions/checkout@de0fac..., actions/upload-artifact@043fb4...) ✅
• Top-level and job-level permissions: blocks present ✅
• persist-credentials: false present ✅
• Runners: ubuntu-latest ✅

scripts/security/Sign-PlannerArtifacts.ps1 — ✅ Minor advisory

• Copyright header, shebang, #Requires -Version 7.0, [CmdletBinding()], $ErrorActionPreference = 'Stop', main invocation guard — all present ✅
• Get-ArtifactHash has abbreviated comment-based help (see inline comment, line 80)

scripts/linting/Validate-PlannerArtifacts.ps1 — ✅

• 636-line script follows all structural conventions ✅

🔒 Code Quality and Security

ai-artifact-validation.yml — Install-Module without checksum

The workflow installs [email protected] using Install-Module -RequiredVersion 0.4.7 -Force without hash/checksum verification. This contrasts with the cosign installation in copilot-setup-steps.yml which explicitly verifies a SHA256 digest after download.

For a module installed at CI runtime to validate artifact integrity, an unverified module installation is a minor inconsistency in the security posture. This is a low-severity advisory observation — PowerShell Gallery packages are not known malicious, and RequiredVersion pins the exact release — but if the validation workflow's trust model is important, consider pinning the module install to a verified hash (e.g., downloading the .nupkg and verifying before expanding).

copilot-setup-steps.yml — Redundant version print

cosign version is called at the end of the "Install cosign" step and again in a separate "Verify tool availability" step. This is harmless but generates duplicate output in CI logs. Consider removing the redundant call from the install step.

📏 PR Size Advisory

This PR changes 80 files, which exceeds the 50-file threshold noted in the review guidelines. The changes are logically cohesive and the scope expansion from the original issue is justified, so this is purely informational. Future PRs of this scope could consider sequencing infrastructure additions (CI workflows, signing) ahead of content changes in a separate preparatory PR for easier review.

✅ Summary

Overall this is a solid, well-structured PR. The RAI planner alignment looks coherent, the new signing/validation infrastructure follows established repository patterns, and the CI additions are correctly implemented. The items above are minor and informational:

1. Check GHCP Maturity Acknowledgment boxes in the PR description
2. Check or annotate AI Artifact Contributions checklist items
3. Correct script names in the PR description (Validate-PlannerArtifacts.ps1, Sign-PlannerArtifacts.ps1) and clarify the ai-artifact-validation.yml claim
4. Update issue #1281 to reflect the actual delivery scope
5. See inline comments for two minor code-level observations

Generated by PR Review for issue #1287 · ● 2.8M