
fix(instructions): prevent local-only paths from leaking into GitHub issues #488

@katriendg

Description


Component

Instruction Files

Bug Description

The GitHub backlog management pipeline (agent, discovery, planning, and update instructions) allows
.copilot-tracking/ file paths and internal planning reference IDs (IS[NNN]) to appear in issue
bodies, comments, and field values uploaded to GitHub. These references point to gitignored,
workspace-local files or internal planning identifiers that are meaningless to anyone reading the
issue on GitHub.

Root Cause

Two categories of internal references leak into GitHub-bound content:

  1. Local-only paths: The discovery workflow instructed agents to "Include source references
    (document path and section) in issue body content" with no guard against .copilot-tracking/
    paths. No downstream validation in the planning specification or execution workflow caught these
    references before they reached the GitHub API.

  2. Planning reference IDs: The discovery workflow uses IS[NNN] identifiers (e.g., IS001a,
    IS002b) as internal cross-references between planned issues during discovery and planning
    phases. These references flow through to mcp_github_issue_write without resolution to actual
    issue numbers or descriptive text. The existing {{TEMP-N}} placeholder system handles
    structural references (parent-child linking) but does not cover semantic IS[NNN]
    cross-references embedded in prose.

Expected Behavior

  • Local-only file paths (anything under .copilot-tracking/) never appear in content uploaded to
    GitHub. When a workflow references local research or analysis files, the relevant findings are
    extracted and inlined into the issue body instead of linking to the local path.
  • Planning reference IDs (IS[NNN]) never appear in content uploaded to GitHub. When an issue body
    references other planned issues, the reference is resolved to an actual GitHub issue number,
    replaced with a descriptive phrase, or removed for self-references.

Steps to Reproduce

  1. Use the github-backlog-manager agent with the discovery workflow (Path B, artifact-driven).
  2. Provide an artifact that resides in .copilot-tracking/research/ as a source document.
  3. Allow the agent to compose and create a GitHub issue from the discovered requirements.
  4. The resulting issue body contains a direct path reference to the .copilot-tracking/ file and
    unresolved IS[NNN] cross-references, both invalid on GitHub.

Additional Context

Affected Files

| File | Role in the bug |
| --- | --- |
| .github/instructions/github-backlog-planning.instructions.md | No rule preventing local-only paths or planning reference IDs from reaching GitHub-bound content |
| .github/instructions/github-backlog-discovery.instructions.md | Instructs agents to include source references without path validation; no IS-reference prevention |
| .github/instructions/github-backlog-update.instructions.md | No pre-API-call validation for .copilot-tracking/ paths or IS[NNN] references in issue content |
| .github/instructions/github-backlog-triage.instructions.md | No pre-API-call guard for local paths or planning reference IDs |
| .github/agents/github-backlog-manager.agent.md | No core directive prohibiting local-only paths or planning reference IDs in GitHub-bound content |

Acceptance Criteria

  • The planning specification defines a Local-Only Path Guard that prevents .copilot-tracking/ paths from appearing in any GitHub-bound content.
  • The planning specification defines a Planning Reference ID Guard that prevents IS[NNN] references from appearing in any GitHub-bound content, with autonomy-tier-aware confirmation behavior.
  • The discovery workflow restricts source references in issue bodies to repository-committed paths only, inlining extracted details for local-only sources.
  • The discovery workflow prohibits embedding IS[NNN] references in issue body content destined for GitHub, directing agents to use {{TEMP-N}} placeholders or descriptive phrases instead.
  • The execution workflow validates all issue body and comment content for .copilot-tracking/ paths before API calls.
  • The execution workflow validates all issue body and comment content for IS[NNN] planning reference IDs before API calls, resolving them per the Planning Reference ID Guard.
  • The execution workflow verifies no unresolved IS[NNN] references remain at the Step 2 checkpoint, catching references newly resolvable after {{TEMP-N}} mapping.
  • The triage workflow scans for local paths and planning reference IDs before composing GitHub API calls.
  • The backlog manager agent includes core directives prohibiting both .copilot-tracking/ paths and IS[NNN] references in GitHub-bound content.
  • Both guards respect the Three-Tier Autonomy Model: Full Autonomy logs and proceeds automatically; Partial and Manual tiers gate on user confirmation.
  • Planning files (issue-analysis.md, planning-log.md, issues-plan.md) may still reference .copilot-tracking/ paths and IS[NNN] identifiers since they remain local.
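
A sketch of the pre-API-call validation the acceptance criteria describe, added here as an example and not taken from the project's instruction files. The regular expressions, function names, tier strings and issue number 512 are assumptions; anything still flagged after resolution is treated as blocking in every tier.

```python
import re

# Assumed patterns (not the project's): "IS" + three digits + optional lowercase
# suffix, after the page's IS001a / IS002b examples; any token containing
# ".copilot-tracking/".
IS_REF = re.compile(r"\bIS\d{3}[a-z]?\b")
LOCAL_PATH = re.compile(r"[^\s()\[\]`'\"]*\.copilot-tracking/[^\s()\[\]`'\"]*")


def scan(text):
    """List (kind, match) findings that must not reach GitHub."""
    found = [("local_path", m.group()) for m in LOCAL_PATH.finditer(text)]
    found += [("planning_id", m.group()) for m in IS_REF.finditer(text)]
    return found


def resolve_planning_ids(text, own_id, issue_numbers, phrases):
    """Drop self-references, then map other IDs to '#N' or a descriptive phrase."""
    text = re.sub(rf"\s*\(?\b{re.escape(own_id)}\b\)?", "", text)

    def repl(m):
        ref = m.group()
        if ref in issue_numbers:
            return f"#{issue_numbers[ref]}"
        return phrases.get(ref, ref)  # unknown IDs stay so scan() still flags them

    return IS_REF.sub(repl, text)


def guard(text, tier, own_id, issue_numbers, phrases):
    """Return (resolved_text, blocking_findings, needs_confirmation).

    Assumption: anything still flagged after resolution blocks the API call in
    every tier; only the 'full' tier applies the resolution without asking.
    """
    before = scan(text)
    resolved = resolve_planning_ids(text, own_id, issue_numbers, phrases)
    return resolved, scan(resolved), bool(before) and tier != "full"


# Constructed sample body and mappings (issue number 512 is made up).
BODY = ("This issue (IS001a) depends on IS002b and relates to IS003. "
        "Findings: see .copilot-tracking/research/findings.md (section 2).")
NUMBERS = {"IS002b": 512}
PHRASES = {"IS003": "the planned triage guard issue"}

if __name__ == "__main__":
    text, blocking, ask = guard(BODY, "partial", "IS001a", NUMBERS, PHRASES)
    print(text, blocking, ask, sep="\n")
```

The local path survives resolution on purpose: its findings have to be extracted and inlined by the workflow, so the guard reports it as blocking instead of rewriting it.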

Labels

bug (Something isn't working)
