feat(prompts): add security review prompts

[obrocki]

Pull Request

Description

Added five security review prompt files under .github/prompts/security/ that delegate to the Security Reviewer agent. Each prompt pre-configures a specific mode or skill selection for simplified user invocation of OWASP vulnerability assessments. Registered all prompts in security and hve-core-all collections with maturity: experimental and regenerated plugin outputs.

Related Issue(s)

Closes #797

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Workflow or CI/CD changes
• Linting or formatting changes
• Security-related changes
• DevContainer changes
• Dependency updates
• Copilot instructions (.instructions.md)
• Copilot prompts (.prompt.md)
• Copilot agents (.agent.md)
• Copilot skills (SKILL.md)
• Scripts or automation (scripts/)
• Other: _____

Note

AI artifact contributions should be reviewed against the prompt-builder instructions for convention compliance.

Sample Prompts

User Request

/security-review
/security-review-diff
/security-review-web componentPath
/security-review-llm componentPath
/security-review-plan path/to/plan.md

Execution Flow

Each prompt delegates to the Security Reviewer agent with pre-configured inputs:

• security-review invokes the full orchestrator in audit mode with automatic codebase profiling and OWASP skill detection.
• security-review-diff hard-sets diff mode, uses the pr-reference skill to discover changed files, and auto-selects skills from profiling.
• security-review-web bypasses codebase profiling entirely via the target-skill fast-path, applying only owasp-top-10.
• security-review-llm overrides skill selection with owasp-llm, owasp-agentic while the profiler still runs for codebase context.
• security-review-plan hard-sets plan mode, analyzing implementation plan documents for pre-implementation security risks and outputting PLAN_REPORT_V1 format.

Output Artifacts

• Vulnerability reports written to .copilot-tracking/security/ (audit/diff modes produce VULN_REPORT_V1; plan mode produces PLAN_REPORT_V1)

Success Indicators

• Each prompt resolves to the Security Reviewer agent and executes the expected mode/skill configuration without user intervention beyond the initial invocation.

Testing

• Validated all 5 prompt files pass npm run lint:frontmatter (374 files, 0 errors)
• Validated collection metadata via npm run lint:collections-metadata (11 collections, 0 errors)
• Regenerated plugin outputs via npm run plugin:generate (security collection: 19 items, hve-core-all: 179 items)
• Verified 10 plugin command symlinks created (5 per collection)
• Ran npm run lint:all (all steps pass except pre-existing lint:py environment issue unrelated to this PR)

Checklist

Required Checks

• Documentation has been updated (if applicable)
• File naming follows existing conventions
• Changes are backwards compatible (or breaking changes are documented)
• Tests have been added/updated (if applicable)

AI Artifact Contributions

• Reviewed against prompt-builder instructions
• Feedback from prompt testing addressed

Required Automated Checks

• npm run lint:md
• npm run spell-check
• npm run lint:frontmatter
• npm run validate:skills
• npm run lint:md-links
• npm run lint:ps
• npm run plugin:generate

Security Considerations

• No sensitive data (API keys, tokens, credentials) included
• Dependencies reviewed for known vulnerabilities (N/A)
• Changes follow principle of least privilege (N/A)

Additional Notes

Prompt	Mode	Skills	Profiling
security-review	audit (default)	Auto-detected	Yes
security-review-diff	diff	Auto-detected	Yes
security-review-web	audit	owasp-top-10 only	No (fast-path)
security-review-llm	audit	owasp-llm + owasp-agentic	Yes (context only)
security-review-plan	plan	Auto-detected	Yes

Collections updated: security.collection.yml, hve-core-all.collection.yml (5 entries each, maturity: experimental)

Plugin outputs regenerated: 10 symlinks under plugins/security/commands/ and plugins/hve-core-all/commands/

GHCP Maturity

Caution

This PR contains experimental GHCP artifacts. Experimental artifacts are early-stage and may change significantly.

Artifact	Kind	Maturity
security-review.prompt.md	prompt	experimental
security-review-diff.prompt.md	prompt	experimental
security-review-llm.prompt.md	prompt	experimental
security-review-plan.prompt.md	prompt	experimental
security-review-web.prompt.md	prompt	experimental

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.78%. Comparing base (4229df1) to head (5f93a7d).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1118      +/-   ##
==========================================
- Coverage   86.91%   86.78%   -0.14%     
==========================================
  Files          59       59              
  Lines        8752     8688      -64     
==========================================
- Hits         7607     7540      -67     
- Misses       1145     1148       +3     

Flag	Coverage Δ
pester	85.34% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 4 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[WilliamBerryiii]

@obrocki - have you checked out: #1008

[JasonTheDeveloper]

@obrocki - have you checked out: #1008

That PR (#1008) didn't introduce the prompt files required by #979 as that PR was already getting pretty massive and I felt bad for @katriendg 😅 This PR complaments #1008

[katriendg]

Thanks @obrocki for doing this work, and I need to apologize for some of the changes I will be suggesting here.

Issue #797 was written before the Security Reviewer agent (PR #1008) merged. The issue acceptance criteria list 5 separate prompts, but now that the agent supports mode={audit|diff|plan} as a first-class argument, the -diff and -plan prompts are redundant with the main security-review prompt's mode parameter. Now that we have a better view on prompt > to agent calls, these changes will make it more finetuned and relevant.
The recommendation is to reduce from 5 prompts to 3.

Again, apologies for the scope change mid-flight, I will update the issue itself, and then posting a few comments around optimizations we could do. I also realize the issue did not list the entire set of docs to update.

A post-PR issue for the entire security reviewer agent(s) and prompt will be added to cover documentation additions.

[katriendg]

Looking at the prompts, which are intended for easy / based command to prefill a prompt & swtich to the agent, I believe we can simplify some of the files and make them focused on what they are intending to do for the user: set a baseline of a prompt the user does not have to type in themselves and switch to the right agent.

Given that, I am suggesting some changes. With that, we also need to:

• Update the readme for the new prompts in .github/prompts/README.md
• Update the collections when we remove the two prompt files I mentioned in another comment
• Revalidate the collections
• Regenerate the plugins

[katriendg]

Thanks @obrocki for the changes. I believe we can merge this in to accompany the security agent in the next pre-release push. With every artifact as experimental we can use a testing phase for user feedback and tweak as we get usage data.