Merge branch 'main' into copilot/add-checksum-validation-install-gh-aw

Author: pelikhan

.changeset/patch-copilot-driver-null-type-tool-call-fresh-restart.md

@@ -44,13 +44,6 @@ The codebase exhibits several well-organized patterns that should be emulated:
 - `create_code_scanning_alert.go` - Code scanning alert creation
 - `create_agent_task.go` - Agent task creation logic
 
-**Why it works**:
-- Clear separation of concerns
-- Enables quick location of specific functionality
-- Prevents files from becoming too large
-- Facilitates parallel development
-- Makes testing straightforward
-
 #### 2. Engine Separation Pattern
 
 **Pattern**: Each AI engine has its own file with shared helpers in `engine_helpers.go`
@@ -62,12 +55,6 @@ The codebase exhibits several well-organized patterns that should be emulated:
 - `custom_engine.go` (300 lines) - Custom engine support
 - `engine_helpers.go` (424 lines) - Shared engine utilities
 
-**Why it works**:
-- Engine-specific logic is isolated
-- Shared code is centralized
-- Allows addition of new engines without affecting existing ones
-- Clear boundaries reduce merge conflicts
-
 #### 3. Test Organization Pattern
 
 **Pattern**: Tests live alongside implementation files with descriptive names
@@ -77,12 +64,6 @@ The codebase exhibits several well-organized patterns that should be emulated:
 - Integration tests: `feature_integration_test.go`
 - Specific scenario tests: `feature_scenario_test.go`
 
-**Why it works**:
-- Tests are co-located with implementation
-- Clear test purpose from filename
-- Encourages comprehensive testing
-- Separates integration from unit tests
-
 ### File Creation Decision Tree
 
 ```mermaid
@@ -450,15 +431,6 @@ graph TD
 | **Fuzz Tests** | Find edge cases | `*_fuzz_test.go` | Continuous |
 | **Benchmark Tests** | Performance tracking | `*_benchmark_test.go` | Pre-release |
 
-### Test Maintenance
-
-The testing framework is designed to be:
-- **Self-validating**: The validation script ensures all tests work correctly
-- **Comprehensive**: Covers all aspects of functionality and interface design
-- **Maintainable**: Clear structure and documentation for future updates
-- **Scalable**: Tests can be added incrementally as functionality is implemented
-- **Security-focused**: Security regression tests prevent reintroduction of vulnerabilities
-
 ### Visual Regression Testing
 
 Visual regression tests ensure console output formatting remains consistent across code changes. The system uses golden files to capture expected output for table layouts, box rendering, tree structures, and error formatting.
@@ -581,14 +553,6 @@ graph TD
 | **Workflow Health Manager** | `workflow-health-manager.md` | Monitor workflow health | Daily |
 | **Agent Performance Analyzer** | `agent-performance-analyzer.md` | Analyze agent quality | Daily |
 
-**Key Capabilities**:
-- Cross-workflow coordination
-- Workflow health monitoring
-- Performance trend analysis
-- Strategic priority management
-- Proactive maintenance
-- Quality assessment
-
 **Implementation**: See scratchpad/agents/hierarchical-agents.md and `.github/workflows/` meta-orchestrator files
 
 ---
@@ -794,59 +758,4 @@ If **two or more** closed PRs already exist on the same topic:
 
 ---
 
-## Additional Documentation
-
-For detailed specifications, see individual files in `scratchpad/`:
-
-### Architecture & Organization
-- [Code Organization Patterns](../../scratchpad/code-organization.md)
-- [Validation Architecture](../../scratchpad/validation-architecture.md)
-- [Layout System](../../scratchpad/layout.md)
-- [Go Type Patterns](../../scratchpad/go-type-patterns.md)
-
-### Core Features
-- [Safe Output Messages Design](../../scratchpad/safe-output-messages.md)
-- [Repo-Memory System](../../scratchpad/repo-memory.md)
-- [MCP Gateway](../../scratchpad/mcp-gateway.md)
-- [MCP Logs Guardrails](../../scratchpad/mcp_logs_guardrails.md)
-- [Custom Actions Build](../../scratchpad/actions.md)
-
-### Testing & Quality
-- [Testing Framework](../../scratchpad/testing.md)
-- [Visual Regression Testing](../../scratchpad/visual-regression-testing.md)
-- [End-to-End Feature Testing](../../scratchpad/end-to-end-feature-testing.md)
-- [Security Review](../../scratchpad/security_review.md)
-- [GoSec Integration](../../scratchpad/gosec.md)
-
-### Security & Standards
-- [GitHub Actions Security](../../scratchpad/github-actions-security-best-practices.md)
-- [Template Injection Prevention](../../scratchpad/template-injection-prevention.md)
-- [String Sanitization](../../scratchpad/string-sanitization-normalization.md)
-- [Schema Validation](../../scratchpad/schema-validation.md)
-
-### Development Guidelines
-- [Capitalization Guidelines](../../scratchpad/capitalization.md)
-- [Breaking Change Rules](../../scratchpad/breaking-cli-rules.md)
-- [CLI Command Patterns](../../scratchpad/cli-command-patterns.md)
-- [Styles Guide](../../scratchpad/styles-guide.md)
-- [Changesets](../../scratchpad/changesets.md)
-- [Labels](../../scratchpad/labels.md)
-
-### Advanced Topics
-- [Hierarchical Agents](../../scratchpad/agents/hierarchical-agents.md)
-- [Hierarchical Agents Quickstart](../../scratchpad/agents/hierarchical-agents-quickstart.md)
-- [Gastown Multi-Agent Orchestration](../../scratchpad/gastown.md)
-- [mdflow Comparison](../../scratchpad/mdflow-comparison.md)
-- [mdflow Deep Research](../../scratchpad/mdflow.md)
-
-### Technical Details
-- [YAML Version Gotchas](../../scratchpad/yaml-version-gotchas.md)
-- [Validation Refactoring](../../scratchpad/validation-refactoring.md)
-- [Workflow Refactoring Patterns](../../scratchpad/workflow-refactoring-patterns.md)
-- [Safe Output Handlers Refactoring](../../scratchpad/safe-output-handlers-refactoring.md)
-- [Artifact Naming Compatibility](../../scratchpad/artifact-naming-compatibility.md)
-- [Safe Output Environment Variables](../../scratchpad/safe-output-environment-variables.md)
-
----
-
 **Last Updated**: 2026-04-28

.changeset/patch-emit-awf-config-json.md

@@ -32,10 +32,8 @@ Before assisting users, load and understand these instruction files from the gh-
 - Let the coding agent determine implementation details
 
 ### 3. Problem Decomposition
-Break down tasks into clear, actionable steps:
 
-#### Step Structure
-Provide clear, actionable steps that include:
+Steps must include:
 - What needs to be done
 - Expected inputs and outputs
 - Constraints or considerations
@@ -68,8 +66,6 @@ When creating task descriptions, follow this structure:
 
 ## Pseudo-Code Guidelines
 
-When pseudo-code is necessary to clarify logic:
-
 **Allowed**:
 ```
 IF condition THEN
@@ -98,33 +94,15 @@ When you provide the final task description for the user to use, wrap it in **5
 
 **Important**: The task title must start with "create a github agentic workflow that:" to trigger loading the appropriate instructions.
 
-This allows users to:
-1. Select the entire content between the 5-backtick blocks
-2. Copy it directly
-3. Paste it into a GitHub issue, pull request, or workflow file
-
 ## Interaction Guidelines
 
-1. **Clarify Requirements**: Ask questions to understand the user's needs before generating a task description
+1. **Clarify Requirements**: Ask about expected outcome, available context (repository, issue numbers), constraints, and tools needed (GitHub API, web search, file editing, etc.)
 2. **Validate Understanding**: Summarize what you understand before creating the specification
 3. **Iterate**: Be prepared to refine the task description based on user feedback
 4. **Stay Focused**: Keep discussions centered on task specification, not implementation
 5. **Reference Documentation**: Cite the loaded instruction files when relevant
 6. **Summarize Updates**: On each chat turn after the initial request, provide a brief summary of the updates or changes provided by the user in the previous message, rather than re-reading the entire markdown content unless explicitly requested
 
-## Example Interaction Flow
-
-1. User describes a problem or task
-2. You ask clarifying questions about:
-   - Expected outcome
-   - Available context (repository, issue numbers, etc.)
-   - Constraints or requirements
-   - Tools needed (GitHub API, web search, file editing, etc.)
-3. You summarize your understanding
-4. You generate a structured task description
-5. You present it wrapped in 5 backticks for easy copy/paste
-6. On subsequent turns, begin by summarizing the user's latest updates before making changes
-
 ## Terminology
 
 Use correct terminology from the gh-aw project (see dictation instructions):

.changeset/patch-fix-continue-auth-failure.md

@@ -0,0 +1,143 @@
+---
+description: Guide for leveraging skills (SKILL.md files) in agentic workflows — hint strategy and fusion strategy
+---
+
+# Skills in Agentic Workflows
+
+Consult this file when you want a workflow to take advantage of skills — domain-specific knowledge files (`SKILL.md`) that live in the repository under `skills/` or `.github/skills/`.
+
+---
+
+## Detecting Skills
+
+At runtime, find skill files with:
+
+```bash
+find "${GITHUB_WORKSPACE}" -name "SKILL.md" -maxdepth 6
+```
+
+List available skills and their locations before deciding which strategy to apply.
+
+---
+
+## Strategy 1 — Hint (Generalist)
+
+**Use when**: The task strategy is not fully known at authoring time, or when the agent must adapt to whatever skills are available.
+
+The workflow prompt hints that skills exist and asks the agent to discover and apply the relevant ones itself. The agent decides which skill files to read and how much of each to use.
+
+**Pattern**:
+
+```markdown
+If the repository contains `SKILL.md` files under `skills/`, check which ones are
+relevant to this task. For each relevant skill, read its content and apply the
+guidance it provides.
+```
+
+**When to prefer this**:
+- The task domain is broad or open-ended
+- You don't know at authoring time which skills will exist
+- You want the agent to self-select relevant skills from a growing library
+- The overhead of reading an extra file is acceptable
+
+**Tradeoff**: The agent may read and summarise more skill content than needed, which costs context tokens and can dilute focus.
+
+---
+
+## Strategy 2 — Fusion (Ultra-Cognitive)
+
+**Use when**: You know exactly which skill (or which part of a skill) is needed, and you want to minimise context overhead.
+
+Extract and inline **only the specific sections** of the skill content that the agent needs. Do not paste the entire SKILL.md; identify the minimal fragment, then remix it into the workflow prompt so the agent receives precise, surgical guidance without loading the full file.
+
+**Pattern**:
+
+```markdown
+<!-- gh-skill-fusion: skills/github-mcp-server/SKILL.md#authentication -->
+
+When calling GitHub MCP tools, use the pre-configured token already injected into the
+environment. Never prompt the user for credentials.
+```
+
+**When to prefer this**:
+- You know exactly which skill section applies
+- Context budget is limited (long prompts or many tools already registered)
+- The workflow runs frequently and latency matters
+- You want deterministic, stable behaviour without dynamic skill discovery
+
+**Tradeoff**: Requires manual authoring effort. If the upstream skill changes, the fused fragment must be updated by hand.
+
+---
+
+## Choosing Between the Two Strategies
+
+| Factor | Hint | Fusion |
+|---|---|---|
+| **Task domain** | Broad / unknown | Narrow / well-defined |
+| **Skill set** | Grows dynamically | Known and stable |
+| **Context budget** | Generous | Tight |
+| **Maintenance burden** | Low (agent self-selects) | Higher (manual sync with source) |
+| **Determinism** | Lower (agent chooses) | Higher (exact fragment) |
+| **Scale** | Poor (entire skills loaded) | Good (minimal content) |
+
+Fusion scales better because entire skills are never loaded. Prefer fusion when you know the task domain and the specific skill sections required.
+
+---
+
+## Example: Hint Strategy
+
+```markdown
+---
+on:
+  issues:
+    types: [opened]
+engine: copilot
+tools:
+  github:
+    toolsets: [issues]
+permissions:
+  issues: write
+---
+
+Triage the newly opened issue.
+
+If there are relevant skills under `skills/`, read them and apply their guidance.
+Focus on skills related to issue classification or project conventions.
+```
+
+---
+
+## Example: Fusion Strategy
+
+```markdown
+---
+on:
+  pull_request:
+    types: [opened, synchronize]
+engine: copilot
+tools:
+  github:
+    toolsets: [pull_requests]
+permissions:
+  pull-requests: write
+---
+
+Review the pull request for adherence to project conventions.
+
+<!-- Fused from skills/developer/SKILL.md#code-organization -->
+Prefer many smaller files grouped by functionality. Add new files for new features
+rather than extending existing ones. Keep validators under 300 lines; split when
+a single file covers more than one domain.
+<!-- End fusion -->
+
+Report findings as inline review comments.
+```
+
+---
+
+## Anti-Patterns
+
+- ❌ **Do not load entire skill files** when only one section is relevant — use fusion instead
+- ❌ **Do not hint without bounds** — if using the hint strategy, constrain the agent with a `maxdepth` and a relevance filter to avoid reading every SKILL.md in a large repo
+- ❌ **Do not paste skills verbatim** without adapting them to the workflow's context — fused fragments should read as natural prose, not as lifted documentation
+- ❌ **Do not hard-code skill file paths** in hints — use `find` so the prompt still works when skills are reorganised