Changes before error encountered

Copilot · pethers · web-flow · commit 10bdd8f30701 · 2026-04-17T13:40:54.000Z
Agent-Logs-Url: https://github.com/Hack23/cia-compliance-manager/sessions/dc678e9a-9ea9-4abe-b7d0-b3e25fb4e575 Co-authored-by: pethers <1726836+pethers@users.noreply.github.com>
diff --git a/.github/agents/code-review-agent.md b/.github/agents/code-review-agent.md
@@ -65,3 +65,35 @@ src/components/  - common/*, charts/*, widgets/*
 
 ## Feedback Style
 Be specific, actionable, and constructive. Reference existing code when suggesting reuse. Prioritize: 🔴 Security > 🟠 Type Safety > 🟡 Reusability > 🟢 Style.
+
+## Secure Development Policy Review Gates
+
+Every PR review MUST verify these gates from [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md):
+
+| Gate | Reviewer Check |
+|------|----------------|
+| **Threat model** | Sensitive logic has documented STRIDE analysis (PR body or `SECURITY_ARCHITECTURE.md`) |
+| **Input validation** | All boundaries validated + sanitized (prefer allowlists) |
+| **Secret hygiene** | No tokens, keys, PII in diff, logs, test fixtures, or source maps |
+| **Dependency hygiene** | New deps licence-compliant (Open Source Policy) and vulnerability-free |
+| **Tests as evidence** | 80%+ coverage, 100% on security-critical paths; negative/abuse tests present |
+| **ISMS mapping** | PR body cites applicable ISO 27001 / NIST CSF / CIS controls |
+| **Change management** | Breaking changes/migrations documented; CHANGELOG updated |
+
+## Policy Cross-Reference
+
+| When reviewing… | Cite this policy |
+|-----------------|------------------|
+| Any code change | [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md), [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) |
+| New/updated dependency | [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md), [Third Party Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Third_Party_Management.md) |
+| Crypto / key handling | [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md) |
+| Access / auth code | [Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md) |
+| Data handling change | [Data Classification](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md), [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) |
+| AI-assisted / generated code | [AI Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/AI_Policy.md), [OWASP LLM Security](https://github.com/Hack23/ISMS-PUBLIC/blob/main/OWASP_LLM_Security_Policy.md) |
+
+## Copilot Coding Agent Review Notes
+
+When a PR was produced by Copilot coding agent (via `assign_copilot_to_issue` or `create_pull_request_with_copilot`):
+- Verify the `custom_instructions` were honored (no `any`, 80%+ cov, policy mapping)
+- Check `base_ref` correctness for stacked PRs — no accidental cross-branch changes
+- Treat generated tests with the same rigor as human-authored tests
diff --git a/.github/agents/product-task-agent.md b/.github/agents/product-task-agent.md
@@ -1,7 +1,7 @@
 ---
 name: product-task-agent
 description: Expert product task coordinator for CIA Compliance Manager, creating GitHub issues and optimizing quality, UX, and ISMS alignment
-tools: ["view", "edit", "create", "bash", "search_code", "custom-agent", "github-create_issue", "github-list_issues", "github-update_issue", "github-search_issues", "github-add_issue_comment", "playwright-browser_snapshot", "playwright-browser_take_screenshot", "playwright-browser_navigate", "playwright-browser_click", "assign_copilot_to_issue", "get_copilot_job_status"]
+tools: ["*"]
 ---
 
 # Product Task Agent
@@ -97,21 +97,77 @@ TypeScript 6.0.2 · React 19.x · Vite 8 · Vitest 4.x · Cypress 15.x · Node 
 
 ## Copilot Assignment (MCP Tool Examples)
 
-These examples show how to use GitHub MCP tools to assign issues to Copilot coding agent:
+These examples show how to use GitHub MCP tools to assign issues to Copilot coding agent. The repo-level agent definition itself does **not** embed MCP server configuration — MCP servers are configured centrally in `.github/copilot-mcp.json`.
 
-### Assign to Copilot Coding Agent
+### 1. Basic Assignment (REST fallback)
+```javascript
+github-update_issue({
+  owner: "Hack23", repo: "cia-compliance-manager",
+  issue_number: ISSUE_NUMBER,
+  assignees: ["copilot-swe-agent[bot]"]
+})
+```
+
+### 2. Advanced Assignment with `base_ref` + `custom_instructions`
 ```javascript
-// MCP tool: assign_copilot_to_issue
 assign_copilot_to_issue({
   owner: "Hack23", repo: "cia-compliance-manager",
   issue_number: ISSUE_NUMBER,
-  base_ref: "main",
-  custom_instructions: "Follow .github/copilot-instructions.md. Ensure 80%+ coverage."
+  base_ref: "main",                     // or "feature/<name>" for feature branch work
+  custom_instructions: `
+    - Follow .github/copilot-instructions.md + .github/skills/
+    - No any types, 80%+ coverage, JSDoc for public APIs
+    - Map changes to ISMS controls (ISO 27001, NIST CSF 2.0, CIS v8)
+    - Reference Secure_Development_Policy.md for SDLC gates
+  `
 })
 ```
 
-### Track Progress
+### 3. Direct PR Creation with `create_pull_request_with_copilot`
+```javascript
+create_pull_request_with_copilot({
+  owner: "Hack23", repo: "cia-compliance-manager",
+  title: "feat: add widget X",
+  problem_statement: "Implement widget X per issue #NNN — include tests, JSDoc, ISMS mapping",
+  base_ref: "main"
+})
+```
+
+### 4. Stacked / Sequential PRs
+```javascript
+// Step 1: models
+const pr1 = create_pull_request_with_copilot({ /* base_ref: "main" */ })
+// Step 2: services, stacked on step 1 branch
+const pr2 = assign_copilot_to_issue({ /* base_ref: pr1.branch */ })
+// Step 3: UI, stacked on step 2
+const pr3 = create_pull_request_with_copilot({ /* base_ref: pr2.branch */ })
+```
+
+### 5. Track Progress
 ```javascript
-// MCP tool: get_copilot_job_status
 get_copilot_job_status({ owner: "Hack23", repo: "cia-compliance-manager", id: JOB_ID })
+// status: queued | in_progress | completed | failed → includes pull_request_url when done
 ```
+
+## Policy Alignment
+
+Every issue created MUST link to relevant ISMS policies so traceability from issue → PR → control is preserved:
+
+| Policy | When to Reference |
+|--------|-------------------|
+| [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) | Any change with CIA triad impact |
+| [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) | All code/SDLC changes |
+| [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) | Dependencies, licensing, community contributions |
+| [Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) | Security fixes and SLAs |
+| [AI Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/AI_Policy.md) | AI/ML features or Copilot automation changes |
+| [Data Classification](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) | Features touching user data |
+
+## Agent Handoff Matrix
+
+| Issue Type | Suggested Assignee(s) |
+|------------|-----------------------|
+| Security vulnerability | `@security-compliance-agent` → `@testing-agent` → `@code-review-agent` |
+| New React component/widget | `@typescript-react-agent` → `@testing-agent` → `@documentation-agent` |
+| Documentation/architecture | `@documentation-agent` → `@code-review-agent` |
+| Test coverage gap | `@testing-agent` → `@code-review-agent` |
+| Performance regression | `@typescript-react-agent` → `@testing-agent` |
diff --git a/.github/agents/security-compliance-agent.md b/.github/agents/security-compliance-agent.md
@@ -79,7 +79,69 @@ src/types/cia.ts                 - SecurityLevel type definitions
 ```
 
 ## ISMS Policies
+- [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) — Overarching ISMS governance
 - [Secure Development](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)
-- [Information Security](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md)
+- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md)
+- [Threat Modeling](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Threat_Modeling.md)
+- [Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md)
+- [Cryptography Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Cryptography_Policy.md)
 - [Access Control](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md)
-- [AI Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/AI_Policy.md)
+- [Data Classification](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md)
+- [Privacy Policy (GDPR)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md)
+- [Incident Response](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Incident_Response_Plan.md)
+- [Change Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Change_Management.md)
+- [AI Policy (EU AI Act)](https://github.com/Hack23/ISMS-PUBLIC/blob/main/AI_Policy.md)
+- [OWASP LLM Security](https://github.com/Hack23/ISMS-PUBLIC/blob/main/OWASP_LLM_Security_Policy.md)
+- [CRA Conformity Assessment](https://github.com/Hack23/ISMS-PUBLIC/blob/main/CRA_Conformity_Assessment_Process.md)
+
+## Secure SDLC Phase Gates (Secure Development Policy)
+
+Every change must satisfy the gate corresponding to its lifecycle phase:
+
+| Phase | Gate | Evidence |
+|-------|------|----------|
+| **Plan** | Threat model documented (STRIDE), policy mapping in issue | Issue body links policy + CIA impact |
+| **Design** | Architecture decision recorded, data classification assigned | Updated C4 diagrams / `docs/architecture/` |
+| **Build** | Static checks pass (`npm run lint`, strict TS, Knip) | CI green, `no any`, JSDoc for public APIs |
+| **Test** | 80%+ coverage, 100% on security-critical paths, a11y tests | Coverage report, Cypress E2E, `axe` checks |
+| **Review** | Peer + security review, CodeQL/Dependabot clean | PR approval, scan results |
+| **Release** | SBOM generated, provenance attested, CHANGELOG updated | `release.yml` artifacts, SLSA provenance |
+| **Operate** | Monitoring, vulnerability SLA tracking, incident ready | Dependabot, ZAP, incident runbook |
+
+## Information Security Policy Mapping
+
+All security review comments should cite the **specific clause** being enforced. Quick-reference mapping:
+
+| Policy Clause Focus | Skill / Check |
+|---------------------|---------------|
+| Information classification & handling | `classification-framework.md`, `data-protection.md` |
+| Access control & least privilege | `security-by-design.md` § auth |
+| Cryptography & key management | Approved algorithms only, no custom crypto |
+| Secure development & change management | Secure SDLC gates above, PR checks |
+| Vulnerability & patch management | Vulnerability SLAs (Crit 24h / High 7d / Med 30d / Low 90d) |
+| Logging, monitoring & audit | Non-sensitive logs, no PII in errors |
+| Third-party / supply chain | Dependabot, FOSSA, OpenSSF Scorecard |
+| Incident response | Follow Incident_Response_Plan.md runbook |
+
+## Copilot Coding Agent (Security Tasks)
+
+For security fixes use `assign_copilot_to_issue` or `create_pull_request_with_copilot` with explicit security guardrails in `custom_instructions`:
+
+```javascript
+assign_copilot_to_issue({
+  owner: "Hack23", repo: "cia-compliance-manager",
+  issue_number: ISSUE,
+  base_ref: "main",
+  custom_instructions: `
+    SECURITY TASK — MUST:
+    - Follow Secure_Development_Policy + Information_Security_Policy
+    - Apply defense in depth; validate inputs at boundaries
+    - 100% test coverage for modified security-critical code
+    - Add negative/abuse tests; assert safe error messages
+    - Update threat model in docs/architecture/SECURITY_ARCHITECTURE.md
+    - Map fix to ISO 27001 / NIST CSF / CIS controls in PR body
+  `
+})
+```
+
+Track with `get_copilot_job_status`. For stacked security remediation use `base_ref: "copilot/issue-<NNN>"` to build on a prior PR's branch.
diff --git a/.github/agents/testing-agent.md b/.github/agents/testing-agent.md
@@ -86,3 +86,34 @@ npx cypress run           # E2E tests
 - Use `describe` blocks for logical grouping
 - One assertion concept per test (multiple `expect` OK if related)
 - No network calls in unit tests — mock all external dependencies
+
+## Policy Alignment (Test Evidence)
+
+Tests provide **audit evidence** for ISMS controls. Map test suites to policies:
+
+| Policy / Control | Test Obligation |
+|------------------|-----------------|
+| [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) | Every security-critical function has negative/abuse tests (100% cov) |
+| [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) | CIA-triad assertions: confidentiality (no leaks), integrity (no mutation), availability (graceful fallback) |
+| [Vulnerability Management](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Vulnerability_Management.md) | Regression tests for every fixed CVE / security alert |
+| [Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md) | Error-path tests asserting no PII / secrets in messages or logs |
+| [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) | SBOM & license checks enforced in CI, not skipped |
+
+## Abuse / Negative Test Patterns (SHOULD)
+- Oversized inputs (DoS surface)
+- Malformed UTF-8 / unicode edge cases
+- XSS vectors in any user-visible string field
+- Unexpected `null` / `undefined` at every boundary
+- Parallel / out-of-order state transitions
+
+## Accessibility Testing (WCAG 2.1 AA)
+- Cypress + `cypress-axe` for E2E a11y assertions on every critical flow
+- Component-level: assert semantic roles, labels, keyboard focus ordering
+- Verify `aria-live` regions announce updates for dynamic widgets
+
+## Copilot Coding Agent (Test Tasks)
+When delegating test-writing via `assign_copilot_to_issue`, include in `custom_instructions`:
+- “Follow `.github/skills/testing-excellence.md`, AAA pattern, colocated tests”
+- “Achieve ≥ 80% (100% on security-critical paths); no skipped tests”
+- “Add negative/abuse tests for every new validator or boundary”
+Use `get_copilot_job_status` to confirm coverage target met before merge.
diff --git a/.github/agents/typescript-react-agent.md b/.github/agents/typescript-react-agent.md
@@ -65,4 +65,25 @@ npm run lint         # ESLint 10.x flat config
 npm run build        # Vite production build (includes TypeScript strict checks)
 npm run build:lib    # Library build (vite.config.lib.ts + tsconfig.lib.json)
 npm run knip         # Dead code detection
+npm run test         # Vitest (run before commit)
 ```
+
+## Policy Alignment (SDLC)
+
+Every implementation task MUST honor:
+- [Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md) — threat model sensitive code, validate inputs, no secrets in source
+- [Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md) — map feature to CIA impact, apply least privilege
+- [Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md) — check license/provenance before adding deps; prefer existing in-tree utilities
+- [Data Classification](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md) — classify new data structures (Public / Internal / Confidential / Restricted)
+- [AI Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/AI_Policy.md) — when using AI-assisted code, keep humans in the loop and review generated code
+
+## Security Hotspots in React Code
+- ❌ No `eval`, `new Function`, `dangerouslySetInnerHTML` with unsanitized content, or `innerHTML`
+- ❌ No secrets, tokens, or PII in client-side code, source maps, or logs
+- ✅ Sanitize anything rendered from external data; encode before DOM insertion
+- ✅ Validate props with TypeScript + runtime guards from `src/utils/typeGuards.ts`
+- ✅ Use Content Security Policy directives already configured in `vite.config.ts`
+
+## Copilot Coding Agent Handoff
+
+When coordinated by `@product-task-agent` via `assign_copilot_to_issue` / `create_pull_request_with_copilot`, honor the `base_ref` given (for stacked PRs) and the `custom_instructions`. Emit progress so `get_copilot_job_status` returns meaningful state. Use existing `src/` conventions — do not scaffold parallel structures.
