Added selfcontained support.#7
Merged
Merged
Conversation
75c8349 to
d306064
Compare
d306064 to
72fa34f
Compare
- Enhanced CopyRuntimeFiles method in MsixService.cs to include additional file types and improved logging. - Deleted unused app.manifest.selfcontained.xml template file.
… change this to generate on the fly later.
…d merging and cleanup of temporary files.
nmetulev
added a commit
that referenced
this pull request
Apr 29, 2026
## Summary
Adds a multi-dimensional **PR / feature review skill** for contributors
working on this repo. Inspired by the `microsoft-ui-reactor` reviewer
pipeline, but pared down to a single `SKILL.md` the orchestrating
Copilot CLI agent reads — no PowerShell scripts, no manager workflow, no
auto-apply. Findings are printed to stdout; the contributor decides what
to act on.
## What's added
`
.github/skills/ ← new dev-facing skills folder
README.md ← index, distinguishes from .github/plugin/
pr-review/
SKILL.md ← orchestrator workflow
dimensions/
_shared-contract.md ← finding schema + Team Lead Test
security.md
correctness.md
cli-ux.md
alternative-solution.md
test-coverage.md
docs-and-samples.md
packaging.md
multi-model.md
`
Plus a short pointer in `README.md`'s Contributing section.
## How it works
1. **Resolves the diff scope.** Supports four scopes:
- `branch` (default) — committed work vs `origin/main`
- `working` — uncommitted (`git diff HEAD` + untracked file contents)
- `staged` — `git diff --cached`
- `all` — committed + uncommitted, concatenated with a separator
Auto-detects from working-tree state; asks the user when ambiguous.
2. **Diff-size guardrail.** >50 files prompts the user before fanning
out.
3. **Fans out 7 parallel sub-agents** via the `task` tool, one per
dimension. Each prompt is self-contained: diff + area classification +
shared output contract + dimension instructions.
4. **Multi-model cross-check** runs after #1–#7 and re-evaluates the
critical/high findings using a different model family than the
orchestrator.
5. **Consolidates** — dedupe, sort, assign IDs (C1/H1/M1/L1), mark each
critical/high as confirmed/disputed.
6. **Prints stdout report** with Summary + Coverage table + Findings
list + Details + per-dimension "what I checked" notes.
## Dimensions covered
| # | Dimension | Catches |
|---|-----------|---------|
| 1 | security | `Process.Start` injection, path traversal, secrets,
cert handling, manifest XML via regex, network exposure |
| 2 | correctness & edge cases | null/empty inputs, async/cancellation,
manifest auto-detect order, parser config, logger-bypass for Debug/Info
|
| 3 | CLI UX & usability | option naming, defaults, help text, error
messages, `--verbose`/`--quiet`/`--json` discipline, exit codes |
| 4 | alternative-solution | duplication of `AppxManifestDocument`,
`ManifestHelper`, `PriService`, `SelectorService`; service-pattern
choice; file-size limits |
| 5 | test coverage | `WinApp.Cli.Tests` xUnit gaps, Pester
`test.Tests.ps1` for samples, `test-samples.yml` matrix entries |
| 6 | docs & samples sync | `docs/usage.md`, `docs/guides/`, `samples/`,
`docs/fragments/skills/`, `.github/plugin/agents/winapp.agent.md`, stale
`cli-schema.json` / `winapp-commands.ts` |
| 7 | packaging & release impact | npm wrapper forwarding, NuGet
`WinAppManifestPath` contract, VSC extension parity, version.json drift,
MSBuild glob conventions |
| 8 | multi-model cross-check | hallucinated line refs, severity
disputes, blind spots between Claude / GPT model families |
## Signal-to-noise
The shared **Team Lead Test** (adopted from the reactor reviewer) is
mandatory: every finding must be one a senior maintainer would keep in a
real PR review. Style nits, formatting, and anything
analyzers/`EnforceCodeStyleInBuild` already catch are dropped. Severity
auto-escalations baked in (`BinaryFormatter` = critical, `Process.Start`
w/ unsanitized input = high, hardcoded creds = high, manifest regex =
medium, etc.).
## How to use
Once merged, contributors can ask Copilot CLI (or any agent that reads
skill files):
- *"review my PR"* → `branch` scope
- *"review my uncommitted changes"* → `working` scope
- *"review what I'm about to commit"* → `staged` scope
- *"review everything including uncommitted"* → `all` scope
- *"review my branch vs `release/2.0`"* → custom base
## Not in scope (intentional)
- No PowerShell orchestrator script — the agent does the orchestration.
- No file output — stdout only.
- No auto-apply of fixes — contributor decides.
- No build/test execution — flags staleness without running
`build-cli.ps1` or test suites.
## Smoke test
Validated cross-references: every dimension referenced in `SKILL.md` has
a fragment file; no orphans; no missing fragments. The skill itself has
not yet been exercised against a real diff — first real run will likely
want one tuning pass.
Co-authored-by: Nikola Metulev <711864+nmetulev@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
nmetulev
added a commit
that referenced
this pull request
Jul 12, 2026
…iewer round 2) Address the 12 remaining reviewer round-2 findings on top of cc727d8. All are inside W2 scope (schema, conformance gate, docs, golden traces, scan/CI). No runtime work built; deferred-runtime areas (W1 transport / W8 security) are softened in docs with explicit "deferred" notes rather than implemented. Tooling / gate depth: - #2 Deepen golden validation: ConformTrace now requires jsonrpc "2.0" on every message, rejects result+error together, correlates error ids (not just results) to a prior request, and validates payloads RECURSIVELY against the contract via ValidateObject/ValidateValue/ValidateScalar — nested $ref objects, enum value sets, and array element types, not just top-level names. - #4 Assert golden trace count > 0 (an empty golden dir no longer passes vacuously). - #5 gen Validator.CheckType now runs CheckField over each object type's properties, so a dangling $ref inside an object type is flagged (was silent). - #8 New golden traces 04-07 (HotReload lifecycle, Resource+Diagnostics, Selection +Security, describe/set/cancel lifecycle). New golden-coverage check requires every command+event to be exercised by at least one trace (all 40 covered). - #10 wdxp.schema.json root closed (additionalProperties:false) + $schema property; new protocol/scripts/validate-schema.py (draft 2020-12 guard) wired into CI. - #11 check-public-appropriateness.ps1 broadened to also scan specs/winapp-devtools-*.md and AGENTS.md (excludes the csproj agent's file by design). - #15 Extract shared Wdxp.Gen.SchemaPaths.FindUp; gen + conformance both call it. Schema / contract consistency: - #7 Outcome invariant narrowed to transactional apply/commit; ephemeral Property.set/setPreview return the resulting PropertyValue (schema + envelope §6 + README). - #12 Security.authenticate now returns token (+optional expiresAt) so the reconnect token param has a source; envelope §7 softened to "host-defined, finalized in W8". - #13 envelope §3/§7 document the pre-auth trust boundary (CurrentUserOnly pipe ACL) and what target binding grants before authenticate. - #14 ids pinned to string protocol-wide (envelope §2, enforced in ConformTrace); NodeHandle.handle integer -> string (decimal-encoded uint64, no >2^53 precision loss); goldens 02/03 handles updated to strings. - #6 envelope §1/§3 clarify per-target pipe vs pre-bind discovery; cross-target discovery marked W1/phase-3 deferred. - README: de-hardcode the check count, Applied->applied casing, schema-guard note. Verified: Release build 0 warnings; conformance PASS (10/10) with recursive validation + full coverage; negative tests prove teeth (missing jsonrpc, numeric id, result+error, unknown/enum field, dangling $ref, closed-root schema guard); python schema guard PASS (+rejects stray key); license headers + broadened scrub scan green. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com> Copilot-Session: d376fce1-8858-45ae-a496-245835e5879f
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.