feat(agents): add RAI Planner, enhance SSSC Planner, and redesign Security Planner

[WilliamBerryiii]

Pull Request

Description

Added a new RAI Planner agent, enhanced the SSSC Planner agent, and redesigned the existing Security Planner agent. All three agents follow a 6-phase orchestration pattern with dedicated instruction files, prompt entry points, and dual-format backlog handoff (ADO and GitHub). Namespaced work item IDs prevent collisions across planners.

What Changed

Agents: Added rai-planner.agent.md and security-planner.agent.md. Enhanced sssc-planner.agent.md with handoff buttons, web tool access, flattened state schema, and entry mode documentation. Deleted the previous security-plan-creator.agent.md and renamed the agent to Security Planner with a redesigned 6-phase STRIDE risk-surface analysis workflow. The RAI Planner implements a 6-phase RAI risk assessment workflow referencing Microsoft RAI Standard v2 and NIST AI RMF 1.0. Updated cross-references in implementation-validator.agent.md and system-architecture-reviewer.agent.md.

Instructions: Added 11 instruction files — 6 for RAI planning (identity, sensitive uses, standards mapping, security model, impact assessment, backlog handoff) and 5 for security planning (identity, operational buckets, standards mapping, security model, backlog handoff). Enhanced 6 SSSC instruction files (identity, assessment, standards, gap analysis, backlog, handoff) with flattened state schema, entry mode documentation, namespaced IDs, and explicit state transition rules. All files use proper YAML frontmatter with applyTo patterns targeting .copilot-tracking/ session paths.

Prompts: Added 5 prompt files — 3 for RAI planning (rai-capture, rai-plan-from-prd, rai-plan-from-security-plan) and 2 for security planning (security-capture, security-plan-from-prd). All prompts use the ${input:project-slug} variable.

Collections: Updated 8 collection manifests (experimental, project-planning, hve-core-all, data-science, security-planning, security) to include the new artifacts. Added SSSC and RAI planners to the security collection for comprehensive security coverage. Added caution notices for RAI and security collections. All new entries tagged maturity: experimental.

Documentation: Added 13 new Docusaurus pages across docs/agents/rai-planning/ and docs/agents/security-planning/, covering agent overviews, phase references, entry modes, handoff pipelines, and motivation. Updated 19 existing documentation files to reference the new agents and align terminology.

Infrastructure: Updated general-technical.txt with new terminology, refreshed CUSTOM-AGENTS.md with agent listings, and updated SECURITY.md references.

Plugins: Regenerated plugin symlinks and READMEs across 5 plugin directories. Security and security-planning plugins now list SSSC and RAI planners with full agent, command, and instruction tables.

Cross-Cutting Patterns

• Renamed security-plan-creator to security-planner consistently across agents, collections, plugins, and documentation
• Shifted terminology from threat models to risk surfaces / security models across the security domain
• All three agents use .copilot-tracking/ paths for session state management
• Security Planner detects AI/ML components and sets an raiEnabled flag for RAI Planner integration
• All three agents produce dual-format (ADO and GitHub) backlog output
• Namespaced work item IDs prevent cross-planner collisions: WI-SEC-{NNN} / {{SEC-TEMP-N}} (Security), WI-SSSC-{NNN} / {{SSSC-TEMP-N}} (SSSC), WI-RAI-{NNN} / {{RAI-TEMP-N}} (RAI)
• Flattened state schemas across all three planners with boolean completion flags and explicit state transition rules
• Default autonomy tier set to partial in all planner userPreferences

Related Issue(s)

No linked issues.

Type of Change

Select all that apply:

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)
• New feature (non-breaking change adding functionality)
• Breaking change (fix or feature causing existing functionality to change)
• Documentation update

Infrastructure & Configuration:

• GitHub Actions workflow
• Linting configuration (markdown, PowerShell, etc.)
• Security configuration (N/A — no files under scripts/security/ changed)
• DevContainer configuration
• Dependency update

AI Artifacts:

• Reviewed contribution with prompt-builder agent and addressed all feedback
• Copilot instructions (.github/instructions/*.instructions.md)
• Copilot prompt (.github/prompts/*.prompt.md)
• Copilot agent (.github/agents/*.agent.md)
• Copilot skill (.github/skills/*/SKILL.md)

Note for AI Artifact Contributors:

• Agents: Research, indexing/referencing other project (using standard VS Code GitHub Copilot/MCP tools), planning, and general implementation agents likely already exist. Review .github/agents/ before creating new ones.
• Skills: Must include both bash and PowerShell scripts. See Skills.
• Model Versions: Only contributions targeting the latest Anthropic and OpenAI models will be accepted. Older model versions (e.g., GPT-3.5, Claude 3) will be rejected.
• See Agents Not Accepted and Model Version Requirements.

Other:

• Script/automation (.ps1, .sh, .py) (N/A — no script files changed)
• Other (please describe):

Sample Prompts (for AI Artifact Contributions)

RAI Planner

User Request:

Start an RAI plan for my new customer-facing ML recommendation service.

Execution Flow:

1. User invokes the rai-capture prompt with a project slug.
2. The RAI Planner agent initializes session state at .copilot-tracking/rai-plans/{slug}/.
3. Phases execute sequentially: Identify → Sensitive Uses → Standards Mapping → Security Model → Impact Assessment → Backlog Handoff.
4. The agent uses the Researcher Subagent for NIST AI RMF and Microsoft RAI Standard v2 framework lookups.
5. FWD-scored impact findings are generated and organized by risk category.

Output Artifacts:

• .copilot-tracking/rai-plans/{slug}/phase-01-identity.md — System identification
• .copilot-tracking/rai-plans/{slug}/phase-02-sensitive-uses.md — Sensitive uses assessment
• .copilot-tracking/rai-plans/{slug}/phase-03-standards.md — Standards mapping
• .copilot-tracking/rai-plans/{slug}/phase-04-security-model.md — Security model analysis
• .copilot-tracking/rai-plans/{slug}/phase-05-impact.md — Impact assessment
• .copilot-tracking/rai-plans/{slug}/phase-06-backlog.md — Dual-format backlog (ADO + GitHub)

Success Indicators:

• All 6 phases complete with structured markdown output
• FWD scores assigned to each impact finding
• Backlog handoff generates both ADO and GitHub work item formats
• Session state persists for recovery and iteration

Security Planner

User Request:

Create a security plan for our Azure-hosted IoT gateway service.

Execution Flow:

1. User invokes the security-capture prompt with a project slug.
2. The Security Planner agent initializes session state at .copilot-tracking/security-plans/{slug}/.
3. Phase 1 (Discover) scans the codebase for components and classifies them into operational buckets.
4. Phases 2–5 perform STRIDE-based risk analysis per bucket, standards mapping, and impact assessment.
5. Phase 6 generates dual-format backlog output.
6. If AI/ML components are detected, the agent sets raiEnabled: true and recommends follow-up with the RAI Planner.

Output Artifacts:

• .copilot-tracking/security-plans/{slug}/phase-01-discovery.md — Component discovery
• .copilot-tracking/security-plans/{slug}/phase-02-buckets.md — Operational bucket classification
• .copilot-tracking/security-plans/{slug}/phase-03-standards.md — Standards mapping
• .copilot-tracking/security-plans/{slug}/phase-04-security-model.md — STRIDE security model
• .copilot-tracking/security-plans/{slug}/phase-05-impact.md — Impact assessment
• .copilot-tracking/security-plans/{slug}/phase-06-backlog.md — Dual-format backlog (ADO + GitHub)

Success Indicators:

• All components classified into 7+1 operational buckets
• STRIDE threat analysis generated for each bucket
• Standards mapping references OWASP, NIST, and CIS frameworks
• When AI/ML components detected, raiEnabled flag is set and RAI Planner handoff recommended
• Backlog handoff generates both ADO and GitHub work item formats

SSSC Planner

User Request:

Assess our repository's supply chain security posture against OpenSSF standards.

Execution Flow:

1. User invokes the sssc-capture prompt with a project slug.
2. The SSSC Planner agent initializes session state at .copilot-tracking/sssc-plans/{slug}/.
3. Phase 1 (Scoping) discovers project scope, technology stack, package managers, CI/CD platform, and compliance targets.
4. Phase 2 (Assessment) inventories 27 supply chain capabilities against OpenSSF Scorecard, SLSA, and SBOM standards.
5. Phase 3 (Standards) maps gaps to standard-specific requirements.
6. Phase 4 (Gap Analysis) categorizes adoption status and sizes remediation effort.
7. Phase 5 (Backlog) generates prioritized work items referencing reusable workflows from hve-core and microsoft/physical-ai-toolchain.
8. Phase 6 (Handoff) produces Scorecard score projections and dual-format output.

Output Artifacts:

• .copilot-tracking/sssc-plans/{slug}/state.json — Session state
• .copilot-tracking/sssc-plans/{slug}/sssc-plan.md — Comprehensive SSSC plan
• Dual-format backlog files (ADO and/or GitHub)

Success Indicators:

• All 27 supply chain capabilities assessed
• Gap analysis with adoption categorization and effort sizing
• Scorecard score projections for each check
• Backlog handoff generates both ADO and GitHub work item formats
• Handoff buttons enable session compaction and Security Planner cross-reference

Testing

Check	Command	Status
Markdown linting	npm run lint:md	✅ Pass
Spell checking	npm run spell-check	✅ Pass
Frontmatter validation	npm run lint:frontmatter	✅ Pass (after remediation)
Skill structure validation	npm run validate:skills	✅ Pass
Link validation	npm run lint:md-links	✅ Pass
PowerShell analysis	npm run lint:ps	✅ Pass
Plugin freshness	npm run plugin:generate	✅ Pass

Remediation Applied: Frontmatter validation initially found 12 errors in documentation files under docs/agents/rai-planning/ and docs/agents/security-planning/ — YAML list items used * instead of -. Fixed all 12 files and regenerated plugins. Manual testing was not performed. All validation is automated via npm scripts.

Checklist

Required Checks

• Documentation is updated (if applicable)
• Files follow existing naming conventions
• Changes are backwards compatible (if applicable)
• Tests added for new functionality (N/A — no test files in changes)

AI Artifact Contributions

• Used /prompt-analyze to review contribution
• Addressed all feedback from prompt-builder review
• Verified contribution follows common standards and type-specific requirements

Required Automated Checks

The following validation commands must pass before merging:

• Markdown linting: npm run lint:md
• Spell checking: npm run spell-check
• Frontmatter validation: npm run lint:frontmatter
• Skill structure validation: npm run validate:skills
• Link validation: npm run lint:md-links
• PowerShell analysis: npm run lint:ps
• Plugin freshness: npm run plugin:generate

GHCP Artifact Maturity

Warning

This PR includes experimental GHCP artifacts that may have breaking changes.

• .github/agents/rai-planning/rai-planner.agent.md
• .github/agents/security-planning/sssc-planner.agent.md
• .github/agents/security/security-planner.agent.md
• .github/instructions/rai-planning/rai-identity.instructions.md
• .github/instructions/rai-planning/rai-sensitive-uses.instructions.md
• .github/instructions/rai-planning/rai-standards.instructions.md
• .github/instructions/rai-planning/rai-security-model.instructions.md
• .github/instructions/rai-planning/rai-impact-assessment.instructions.md
• .github/instructions/rai-planning/rai-backlog-handoff.instructions.md
• .github/instructions/rai-planning/rai-capture-coaching.instructions.md
• .github/instructions/security-planning/identity.instructions.md
• .github/instructions/security-planning/operational-buckets.instructions.md
• .github/instructions/security-planning/standards-mapping.instructions.md
• .github/instructions/security-planning/security-model.instructions.md
• .github/instructions/security-planning/backlog-handoff.instructions.md
• .github/instructions/sssc-planning/sssc-identity.instructions.md
• .github/instructions/sssc-planning/sssc-assessment.instructions.md
• .github/instructions/sssc-planning/sssc-standards.instructions.md
• .github/instructions/sssc-planning/sssc-gap-analysis.instructions.md
• .github/instructions/sssc-planning/sssc-backlog.instructions.md
• .github/instructions/sssc-planning/sssc-handoff.instructions.md
• .github/prompts/rai-planning/rai-capture.prompt.md
• .github/prompts/rai-planning/rai-plan-from-prd.prompt.md
• .github/prompts/rai-planning/rai-plan-from-security-plan.prompt.md
• .github/prompts/security/security-capture.prompt.md
• .github/prompts/security/security-plan-from-prd.prompt.md
• .github/prompts/security-planning/sssc-capture.prompt.md
• .github/prompts/security-planning/sssc-from-prd.prompt.md
• .github/prompts/security-planning/sssc-from-brd.prompt.md
• .github/prompts/security-planning/sssc-from-security-plan.prompt.md

File	Type	Maturity	Notes
.github/agents/rai-planning/rai-planner.agent.md	Agent	⚠️ experimental	Pre-release only
.github/agents/security-planning/sssc-planner.agent.md	Agent	⚠️ experimental	Enhanced
.github/agents/security/security-planner.agent.md	Agent	⚠️ experimental	Pre-release only
.github/agents/hve-core/subagents/implementation-validator.agent.md	Agent	✅ stable	Cross-reference updates
.github/agents/project-planning/system-architecture-reviewer.agent.md	Agent	✅ stable	Cross-reference updates
.github/instructions/rai-planning/rai-identity.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/rai-planning/rai-sensitive-uses.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/rai-planning/rai-standards.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/rai-planning/rai-security-model.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/rai-planning/rai-impact-assessment.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/rai-planning/rai-backlog-handoff.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/rai-planning/rai-capture-coaching.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/security-planning/identity.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/security-planning/operational-buckets.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/security-planning/standards-mapping.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/security-planning/security-model.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/security-planning/backlog-handoff.instructions.md	Instructions	⚠️ experimental	Pre-release only
.github/instructions/sssc-planning/sssc-identity.instructions.md	Instructions	⚠️ experimental	Enhanced
.github/instructions/sssc-planning/sssc-assessment.instructions.md	Instructions	⚠️ experimental	Enhanced
.github/instructions/sssc-planning/sssc-standards.instructions.md	Instructions	⚠️ experimental	Enhanced
.github/instructions/sssc-planning/sssc-gap-analysis.instructions.md	Instructions	⚠️ experimental	Enhanced
.github/instructions/sssc-planning/sssc-backlog.instructions.md	Instructions	⚠️ experimental	Enhanced
.github/instructions/sssc-planning/sssc-handoff.instructions.md	Instructions	⚠️ experimental	Enhanced
.github/prompts/rai-planning/rai-capture.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/rai-planning/rai-plan-from-prd.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/rai-planning/rai-plan-from-security-plan.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/security/security-capture.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/security/security-plan-from-prd.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/security-planning/sssc-capture.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/security-planning/sssc-from-prd.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/security-planning/sssc-from-brd.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/prompts/security-planning/sssc-from-security-plan.prompt.md	Prompt	⚠️ experimental	Pre-release only
.github/skills/installer/hve-core-installer/SKILL.md	Skill	✅ stable	Reference updates

GHCP Maturity Acknowledgment

• I acknowledge this PR includes non-stable GHCP artifacts
• Non-stable artifacts are intentional for this change

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[microsoft-github-policy-service]

You are not allowed to delete the mandatory files in this repo.

_{Total execution time: 5.34 seconds}

[katriendg]

@WilliamBerryiii I know this is a draft one, but wanted to highlight we have a backlog item to rename security-planning collection to security to include the new agents and skills for OWASP and security reviewer - issue #792 . Should one take precedence?

[raymond-nassar]

RAI Table-Stakes Checklist review. These comments are framed as questions to the author for consideration. Items are mapped from a vendor-neutral Responsible AI checklist evaluation.

[WilliamBerryiii]

@chaosdinosaur - do you have similar thoughts on the security side of this as @raymond-nassar? I'm also thinking that this PR needs a "secure software supply chain"(SSSC) agent that does all the same things but for build/CI systems.

@raymond-nassar - this feedback is incredible .. I'm pulling it all into some research docs to make updates on both the RAI and security side ... and will use that to inform the SSSC agent build out.

[auyidi1]

see review comments

[raymond-nassar]

@chaosdinosaur - do you have similar thoughts on the security side of this as @raymond-nassar? I'm also thinking that this PR needs a "secure software supply chain"(SSSC) agent that does all the same things but for build/CI systems.

@raymond-nassar - this feedback is incredible .. I'm pulling it all into some research docs to make updates on both the RAI and security side ... and will use that to inform the SSSC agent build out.

Glad that this helped! I made a Responsible AI "Table-Stakes" Checklist that didn't include things that only applied within Microsoft. This included a lot of items that I'm learned from reviewing a few dozen Impact Assessments. I then used that checklist with the pr-review agent to find any gaps that might exist with the RAI Planner's approach.

Here is a copy of the checklist I created:

Responsible AI Table‑Stakes Checklist (Vendor‑Neutral)

1. Purpose & Scope Definition

• Clearly document the intended use(s) of the AI system.
• Explicitly state non‑intended or out‑of‑scope uses.
• Identify primary users and affected stakeholders (including indirect or downstream impacts).
• Describe the deployment context (e.g., decision support vs. automation, internal vs. external).

---

2. Risk & Impact Screening

• Assess whether the system could:
  • Affect legal status, rights, safety, or access to essential services.
  • Cause physical, psychological, financial, or reputational harm.
• Identify high‑risk or sensitive use scenarios early.
• Document assumptions about acceptable vs. unacceptable risk.

---

3. Input Guardrails

• Validate inputs for:
  • Type, format, length, and structure.
  • Unsupported or ambiguous requests.
• Implement safeguards against:
  • Out‑of‑scope prompts or misuse.
  • Inputs that could lead to harmful or misleading outputs.
• Fail safely when inputs cannot be handled responsibly.

---

4. Output Guardrails

• Apply post‑processing checks to:
  • Prevent harmful, misleading, or policy‑violating content.
  • Reduce hallucinations or overconfident assertions.
• Use clear refusal or safe‑completion patterns when appropriate.
• Avoid language that implies unjustified certainty or authority.

---

5. Human Oversight & Control

• Define where human review, approval, or override is required.
• Clearly state which decisions the AI must not make autonomously.
• Ensure humans have the authority and context to intervene meaningfully.

---

6. Transparency to Users

• Clearly disclose when users are interacting with an AI system.
• Inform users when content is AI‑generated, summarized, ranked, or transformed.
• Avoid “silent AI” in user workflows.

---

7. Transparency Documentation (e.g., FAQ or Model Card)

• Explain in plain language:
  • What the system does and does not do.
  • High‑level how it works.
  • Known limitations and common failure modes.
• Provide guidance on:
  • Appropriate use.
  • How to report errors, concerns, or harms.

---

8. Appropriate Reliance Guidance

• Clarify whether outputs are:
  • Advisory vs. authoritative.
  • Suitable for high‑stakes decisions.
• Tell users when independent verification is required.
• Warn against over‑reliance or misuse.

---

9. Data Considerations

• Document:
  • Data sources and provenance.
  • Known gaps, biases, or representational limits.
• Ensure data suitability aligns with:
  • Intended use.
  • Target populations and deployment geography.

---

10. Evaluation & Monitoring

• Define success metrics and harm‑related metrics.
• Identify foreseeable failure modes (e.g., false positives/negatives).
• Establish a plan for:
  • Post‑deployment monitoring.
  • User feedback and incident response.
  • Iterative improvement.

---

11. Accountability & Documentation

• Maintain a written record of:
  • Identified risks and mitigations.
  • Design decisions and tradeoffs.
  • Ownership for monitoring and issue resolution.
• Ensure accountability is assigned to real roles, not abstractions.

[WilliamBerryiii]

Review Comment Resolution Summary

We addressed every substantive review comment in this PR. Here is the consolidated status.

raymond-nassar (12 threads, all addressed)

Thread	Concern	Resolution
RI-01	Intended vs. out-of-scope uses	Separated into explicit categories in rai-identity.instructions.md line 21 and Phase 1 state fields at line 171
RI-03/04	Input/output guardrail verification	Added Guardrail Verification Checklist to rai-impact-assessment.instructions.md lines 69-93 with three subsections
RI-05	Autonomous decision exclusion list	Added autonomous decision boundaries to Phase 1 scoping at rai-identity.instructions.md line 21
RI-06	AI disclosure beyond deception risk	Promoted transparency and disclosure to standalone screening category at rai-sensitive-uses.instructions.md line 22
RI-07	Transparency note template	Added optional Transparency Note Outline artifact to rai-backlog-handoff.instructions.md lines 327-365
RI-08	Appropriate reliance assessment	Added trust calibration, human-in-the-loop, and over/under-reliance assessment to rai-planner.agent.md line 72
RI-09	Data representativeness	Added representativeness and demographic coverage to Phase 1 scoping at rai-identity.instructions.md line 21
RI-10	Consolidated monitoring plan	Added Monitoring Summary artifact to rai-backlog-handoff.instructions.md lines 369-382
RI-11	RAI owner field in work items	Added RAI Owner field to ADO template (line 132) and GitHub template (line 174) in rai-backlog-handoff.instructions.md
PR-OBS-01	Instruction file count mismatch	Fixed to "Seven instruction files" at rai-planner.agent.md line 176; all seven listed
PR-OBS-02	Filename clarification	Confirmed rai-security-model is the settled name, exists at the correct path, referenced consistently
PR-OBS-05	Security planner handoffs frontmatter	Added handoffs: block to security-planner.agent.md line 15 with RAI Planner entry

auyidi1 (7 threads, all addressed)

Thread	Concern	Resolution
Double words (line 5)	Duplicate "security security"	Fixed, removed duplicate wording
Double words (line 14)	Duplicate "security security"	Fixed alongside the other instance
Terminology	AI-specific security model naming	Intentional distinction from STRIDE-based Security Planner scope
Stale workflow	CUSTOM-AGENTS.md currency	Confirmed current: line 300 states "No blueprint infrastructure requirement"
Autonomy tier	Consistent defaults	Both files default to "partial" consistently
RAI prompts (data-science)	Collection completeness	All three RAI prompts present in data-science.collection.yml
RAI prompts (project-planning)	Collection completeness	All three RAI prompts present in project-planning.collection.yml

General Comments

Comment	Resolution
@katriendg: directory rename (#792)	Keeping security-planning in this PR; rename lands in a follow-on PR
Dependency Review bot	Passed, no vulnerabilities
MandatoryFiles bot	Automated policy gate, unrelated to PR content

All 19 review threads have individual replies with specific file and line references. Each thread should be resolvable.

[raymond-nassar]

PR-OBS-03 (Low): Phase 1 Question Template Wording Inconsistency

The Phase-Specific Question Templates section here still uses intended and unintended use contexts for Phase 1, while rai-identity.instructions.md (the authoritative instruction file) correctly uses intended use contexts, out-of-scope and prohibited use contexts, autonomous decision boundaries and human-only decision requirements.

Since the instruction file is the primary reference and was updated per RI-01/RI-05, this agent-level shorthand should be updated to match — or at minimum use intended and out-of-scope use contexts to avoid re-introducing the conflation between "unintended" and "out-of-scope" that RI-01 addressed.

[raymond-nassar]

I left one additional comment addressing a minor inconsistency that was discovered during my last review. Besides that, I am really excited to see this go live.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.88%. Comparing base (d337e1d) to head (8a06cce).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #979      +/-   ##
==========================================
- Coverage   86.90%   86.88%   -0.02%     
==========================================
  Files          59       59              
  Lines        8774     8770       -4     
==========================================
- Hits         7625     7620       -5     
- Misses       1149     1150       +1     

Flag	Coverage Δ
pester	85.32% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[katriendg]

@WilliLam I've done merge conflict resolution and gave a check to valid references. Did a few doc updates, and small changes to some wording, hope those are OK - Updated SSSC references in state schema and documentation and in the agents:

• update sscpPlanFile to ssscPlanFile in state schema
• change sscpEnabled to ssscEnabled for consistency

We should be good to merge. This is in experimental so we can safely merge this in to get additional feedback through extension usage, and collapse/edit the security & security-planning collections as we see most fit in the future iterations.