* Add pr-dashboard skill and plugin
Adds a self-contained PR dashboard skill that generates and opens a
rich HTML dashboard in the browser showing GitHub pull requests for a
given date range and role filter.
- Skill: skills/pr-dashboard/ — bundles pr-dashboard-cli.mjs,
dashboard.html, and lib/utils.mjs
- Plugin: plugins/pr-dashboard/ — makes it installable via
`copilot skill install pr-dashboard@awesome-copilot`
Requires GitHub CLI (gh) installed and authenticated.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Restore README.instructions.md to upstream sort order
macOS locale sorts Japanese/Korean C# entries differently than Linux CI.
Restore to the upstream/staged version since we don't add any instructions.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review comments
- Fix regex character class bug: [-to]+ → (?:-|to) alternation in utils.mjs
- Fix 'last week' to return previous calendar week (Mon–Sun) not last 7 days
- Remove unused formatHumanDate and buildMarkdown exports from utils.mjs
- Fix ghApi error handling: rethrow with helpful message instead of silently
returning parsed JSON on failure (prevents silent auth errors)
- Add pagination to searchIssues (up to 1000 results across pages)
- Add rel="noopener noreferrer" to target=_blank links in generated rows
- HTML-escape fallback template content in renderHtml to prevent injection
- Move escapeHtml to module level so it's available before renderHtml body
- Neutralise dashboard.html template: placeholder title/h1/meta/stats/tbody
- Empty __md and filename in template (CLI populates at runtime)
- Add aria-label to search input and status/review selects
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* remove newline
* Regenerate docs/README.instructions.md
* refactor(pr-dashboard): move scripts/assets per skills spec, remove plugin
- Move pr-dashboard-cli.mjs and lib/utils.mjs into scripts/ per skills spec
- Move dashboard.html into assets/ per skills spec
- Update CLI template path and SKILL.md script path reference
- Remove plugins/pr-dashboard (redundant now that gh skills install works)
- Clean up marketplace.json and docs/README.plugins.md
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Add ai-team-orchestration plugin: multi-agent dev team with Producer, Dev Team, QA agents
* fix: use kebab-case agent names to match filenames
* fix: regenerate README after agent name change
* fix: address Copilot review — add edit tools to Producer/QA, use GitHub closing keywords
* fix: update agent tools to official VS Code tool set names
Replace outdated/nonexistent tool names with current official tool sets:
- Producer: search, read, edit, web (removed nonexistent githubRepo)
- Dev Team: search, read, edit, execute, web (replaced runCommands, problems, usages, etc.)
- QA: search, read, edit, execute, web (removed nonexistent findTestFiles, runTests)
Ref: https://code.visualstudio.com/docs/copilot/reference/copilot-vscode-features#_chat-tools
* fix: remove frontmatter from plugin README per reviewer feedback
---------
Co-authored-by: Aaron Powell <me@aaron-powell.com>
* Add migration guide from javax to jakarta namespace
This document provides a comprehensive guide for migrating Java code from the javax namespace to the jakarta namespace, including steps for scanning, updating dependencies, and verifying the migration.
* Add javax to jakarta migration skill entry
* fix: correct link for adding agents in CONTRIBUTING.md
removing outdated prompts-link
* feat: add Terminal Helper agent for PowerShell and Bash command assistance
* fix: rename task to validate-plugins and update command details
as collections are outdated
https://github.com/github/awesome-copilot/pull/717
* update name format for terminal helper to lowercase
* update scope description for terminal context clarity
* Add vardoger-analyze skill
Made-with: Cursor
* fix Copilot session-state path in vardoger-analyze SKILL.md
* add numbered workflow overview to satisfy skill-validator
The dotnet/skills validator's NumberedStepRegex (^\d+\.\s, multiline)
only matches ordered list items at line start, not ### numbered
headings, so the previous '### 1. …' layout triggered the
'No numbered workflow steps' warning on PR #1461. Keep the existing
step headings for structure and add a short numbered Workflow
summary that the regex picks up.
* regenerate docs/README.skills.md for vardoger-analyze
* Add resemble-detect skill
Deepfake detection and media safety skill using Resemble AI — detects
AI-generated audio, images, video, and text with confidence scores,
traces audio source platforms, applies and reads watermarks, verifies
speaker identity, and extracts media intelligence (speaker, emotion,
misinformation signals).
Packaged as SKILL.md + LICENSE (Apache-2.0). Generated docs updated
via npm start per CONTRIBUTING.md.
* resemble-detect: trim body under 500 lines + add compatibility
Moves detailed request/response schemas from SKILL.md into
references/api-reference.md, bringing the SKILL body from 557 to
282 lines (validator hard cap is 500). Core decision-making content
— capability decision tree, score interpretation, workflows, red
flags — stays in the body where the agent needs it at query time.
Also adds a compatibility field to frontmatter per review feedback:
surfaces the RESEMBLE_API_KEY requirement and the public-HTTPS-URL
constraint upfront.
* Fix resemble-detect skill metadata
* Add files via upload
What it does:
Converts student-provided PDFs/notes + a syllabus into concise, exam-ready outputs per topic — definitions, key points, keywords, diagrams, and ready-to-write exam sentences.
Features:
MCQ vs written exam mode
Triage mode with priority ordering for time-constrained students
Missing input handling
Cross-references between related topics
Practice question per topic
* Move exam-ready skill into skills folder and update index
* feat: move to xml top tags for better llm parsing and structure
- Orchestrator is now purely an orchestrator
- Added new clarify phase for immediate user request understanding and task parsing before workflow
- Enforce review/critic to plan instead of 3x plan generation retries for better error handling and self-correction
- Add hints to all agents
- Optimize definitions for simplicity/conciseness while maintaining clarity
* feat(critic): add holistic review and final review enhancements
* feat(skills,agents): add LinkedIn post formatter skill and writer agent
Add self-contained LinkedIn post formatting skill with Unicode bold/italic
character mapping and engagement-optimized post structure patterns.
Add LinkedIn Post Writer agent for transforming raw content into
copy-paste-ready LinkedIn posts. No external service dependencies.
* fix: address Copilot review comments on PR #1392
- Correct Unicode range header to include digit range (U+1D7EC–U+1D7F5)
- Add explicit instruction to load references/unicode-charmap.md
- Fix LinkedIn casing in README.agents.md (Linkedin → LinkedIn)
* fix: use display name for LinkedIn agent to preserve brand casing
The name field now uses 'LinkedIn Post Writer' instead of the slug
format, ensuring the auto-generated README table shows correct casing.
---------
Co-authored-by: Shailesh Mishra <shaileshmishra@example.com>
* feat: add code-tour skill for AI-generated CodeTour walkthroughs
* fix: trim SKILL.md from 645 to 432 lines (under 500 limit)
Reduce persona table to top 10, condense verbose examples and notes,
trim redundant anti-patterns, compress step type docs and PR recipe.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: run npm run build to update README with code-tour skill
Addresses review feedback from @aaronpowell
* fix: add missing scripts/ and references/ files referenced in SKILL.md
Addresses reviewer feedback — SKILL.md referenced bundled files
(validate_tour.py, generate_from_docs.py, codetour-schema.json,
examples.md) that were not included in the PR.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix: run npm run build to update skills README with new assets
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: add azure-functions-csharp.instructions.md
Added guidelines and best practices for building Azure Functions in C# using the isolated worker model.
* feat: add azure-durable-functions-csharp.instructions.md
Added guidelines and best practices for building Azure Durable Functions in C# using the isolated worker model.
* docs: add config & testing sections to durable functions instructions
Added detailed configuration and testing guidelines for Azure Durable Functions in C#.
* Fix capitalization in applyTo path for local.settings.json
Changed Local.settings.json to local.settings.json in the applyTo directive to match the actual filename used in Azure Functions projects.
* update through npm build
* feat(instructions): update security, a11y, and performance to 2025-2026 standards
Security: OWASP 2025 (55 anti-patterns, AI/LLM section, 6 frameworks)
Accessibility: WCAG 2.2 AA (38 anti-patterns, legal context EAA/ADA, 4 frameworks)
Performance: CWV (50 anti-patterns, Next.js 16, Angular 20, modern APIs)
* fix(instructions): use globalThis.scheduler to prevent ReferenceError
Access scheduler via globalThis to safely handle environments where
the Scheduling API is not declared as a global variable.
* fix(instructions): correct regex patterns and harden SSRF example
- AU1: anchor jwt.verify lookahead inside parentheses
- AU2: anchor jwt.sign lookahead, add expiresIn alternative
- AU7: fix greedy .* before negative lookahead in OAuth state check
- I5: resolve all DNS records, add TOCTOU production note
- K2: add closing delimiters and multi-digit support to tabindex regex
* fix(instructions): enhance SSRF IP validation with IPv4-mapped IPv6
Normalize IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) before
checking private ranges, preventing bypass via mapped addresses.
* fix(instructions): add noscript fallback for deferred CSS pattern
Without JS, the media="print" + onload pattern leaves the stylesheet
inactive. The noscript tag loads it normally when JS is disabled.
* fix(instructions): add execFileSync to I3 command injection detection
The BAD example uses execFileSync but the regex only matched exec,
execSync, and execFile — missing the sync variant.
* fix(instructions): cover full IPv6 link-local range in SSRF check
fe80::/10 spans fe80-febf (fe8*, fe9*, fea*, feb*). Previous regex
only matched fe80::. Also use normalized variable for consistency.
* fix(instructions): adjust SSRF wording and downgrade reduced-motion severity
- SSRF: replace "full DNS/IP validation" with accurate wording that
acknowledges TOCTOU limitation
- V5: downgrade prefers-reduced-motion from IMPORTANT to SUGGESTION,
remove 2.2.2 (A) reference since it's an AAA enhancement
* fix(instructions): rename AU4 heading to include SHA-256
The heading said "Weak Password Hash (MD5/SHA1)" but the detection
regex and BAD example both use SHA-256. Renamed to "Fast Hash for
Passwords" which better describes the actual anti-pattern.
* fix(instructions): clarify WCAG 2.2 SC 4.1.1 status as obsolete
SC 4.1.1 Parsing is still present in the WCAG 2.2 spec but marked
as obsolete (always satisfied). Changed wording from "removed" to
"obsolete" for accuracy.
* fix(instructions): rename I1 example vars to avoid TS redeclaration
Copy-pasting the I1 SQL injection example as a single block failed with a
TypeScript redeclaration error because both BAD and GOOD snippets used
`const result`. Rename to `unsafeResult`/`safeResult` so the block remains
copy-pasteable into a single scope.
* fix(instructions): migrate I3 example to async execFile with bounds
The I3 command injection example used `execFileSync` in both BAD and GOOD
paths, which (a) redeclared `const output` in the same block and (b) blocks
the Node event loop in server handlers, amplifying DoS impact.
Switch the GOOD/BEST paths to a promisified `execFile` call with explicit
`timeout` and `maxBuffer` bounds, and rename variables to
`unsafeOutput`/`safeOutput` so the snippet stays copy-pasteable. Add a
trailing note recommending async child_process APIs for server code.
* fix(instructions): align AU6 heading with session fixation example
The AU6 heading claimed "Session Not Invalidated on Password Change" but
the mitigation example showed `req.session.regenerate`, which is the
canonical defense against session fixation on login rather than bulk
invalidation after a credential change.
Rename the anti-pattern to "Missing Session Regeneration on Login (Session
Fixation)" so it matches the example, and add a trailing note pointing to
the complementary practice of invalidating other active sessions for the
user on password change (e.g., via a `tokenVersion` counter).
* fix(instructions): make L1 critical CSS pattern CSP-compatible
The L1 "GOOD" snippet relied on an inline `onload="this.media='all'"`
handler on a `<link>` tag. Under a strict CSP that disallows
`'unsafe-inline'` / `script-src-attr 'unsafe-inline'`, inline event
handlers are blocked, so the stylesheet would never activate and users
would hit a styling regression.
Replace the pattern with build-time critical CSS extraction
(Critters/Beasties/Next.js `optimizeCss`) plus a normal
`<link rel="preload" as="style">` and standard `<link rel="stylesheet">`.
Add a trailing note explaining why the older inline-onload trick breaks
under strict CSP and how to defer non-critical CSS with an external
script when deferral is truly needed.
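Added example, not part of the commit log above and not the repository's own code: a JavaScript version of the address check the SSRF commits describe, normalizing IPv4-mapped IPv6 before the private-range test, matching the whole fe80::/10 link-local range, and requiring every resolved DNS record to pass. The function names and the sample addresses used with it are assumptions made for illustration.

```javascript
// Parse dotted-quad IPv4 into four octets, or null if it is not one.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  const o = m ? m.slice(1).map(Number) : [];
  return o.length === 4 && o.every((n) => n <= 255) ? o : null;
}

// Expand IPv6 text into eight 16-bit groups, or null if malformed.
function parseIPv6(s) {
  let text = s.toLowerCase();
  const cut = text.lastIndexOf(':') + 1;
  const v4 = parseIPv4(text.slice(cut)); // dotted tail, as in ::ffff:127.0.0.1
  if (v4) {
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    text = `${text.slice(0, cut)}${hi}:${((v4[2] << 8) | v4[3]).toString(16)}`;
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const gap = 8 - head.length - tail.length; // groups hidden by "::"
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  const groups = [...head, ...Array(gap).fill('0'), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

// "This network", RFC 1918, loopback and link-local IPv4 ranges.
const isInternalV4 = ([a, b]) =>
  a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
  (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);

// True when the address must not be fetched; unparseable input fails closed.
function isInternalAddress(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return isInternalV4(v4);
  const g = parseIPv6(addr);
  if (!g) return true;
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  // Normalize IPv4-mapped IPv6 (::ffff:a.b.c.d) and reuse the IPv4 rules.
  if (zeros(5) && g[5] === 0xffff) return isInternalV4([g[6] >> 8, g[6] & 0xff]);
  if (zeros(7) && g[7] <= 1) return true; // :: and ::1
  return (g[0] & 0xffc0) === 0xfe80 ||    // fe80::/10 covers fe80..febf
         (g[0] & 0xfe00) === 0xfc00;      // fc00::/7 unique local
}

// records: the shape returned by dns.promises.lookup(host, { all: true }).
function everyRecordIsPublic(records) {
  return records.length > 0 && records.every((r) => !isInternalAddress(r.address));
}
```

Validating the resolved records does not close the TOCTOU gap the commits mention: the request should connect to the address that was checked rather than resolve the hostname a second time.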
- Adds React 18 and 19 migration orchestration plugins
- Introduces comprehensive upgrade toolkits for migrating legacy React 16/17 and 18 codebases to React 18.3.1 and 19, respectively. Each plugin bundles specialized agents and skills for exhaustive audit, dependency management, class/component API migration, test suite transformation, and batching regression fixes.
- The React 18 toolkit targets class-component-heavy apps, ensures safe lifecycle and context transitions, resolves dependency blockers, and fully automates test migrations including Enzyme removal. The React 19 toolkit addresses breaking changes such as removal of legacy APIs, defaultProps on function components, and forwardRef, while enforcing a gated, memory-resumable migration pipeline.
- Both plugins update documentation, plugin registries, and skill references to support reliable, repeatable enterprise-scale React migrations.