Skip to content

Chore mcp copilot updates#21

Merged
Jeymz merged 2 commits into
Robotti-io:mainfrom
Jeymz:chore-mcp_copilot_updates
Jan 27, 2026
Merged

Chore mcp copilot updates#21
Jeymz merged 2 commits into
Robotti-io:mainfrom
Jeymz:chore-mcp_copilot_updates

Conversation

@Jeymz

@Jeymz Jeymz commented Jan 27, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR expands the repo’s Copilot/MCP security content by adding new MCP-focused agent profiles and prompt templates, plus new Content-Security-Policy (CSP) prompts and supporting documentation updates.

Why

  • Provide stronger, security-focused Copilot guidance that is easy to consume via MCP.
  • Add CSP authoring/review prompts to help teams ship safer frontend policies.
  • Improve repo consistency and “hygiene” around prompts/instructions layout.

What changed

  • Added MCP-focused GitHub Copilot agent profiles under .github/agents (tooling + orchestration oriented).
  • Added MCP prompt templates under .github/prompts (e.g., tool creation, server auditing, HTTP basics, refactoring consistency, adding tests).
  • Added new CSP prompts:
    • add-content-security-policy.prompt.md (CSP generation)
    • csp-review.prompt.md (CSP review)
  • Updated documentation for consistency and discoverability (README + prompts docs + copilot instructions).
  • Added MCP server development path instructions under .github/instructions.
  • Minor consistency touch-ups across skill SKILL.md files.
  • Repo hygiene:
    • .gitignore tweak
    • Dockerfile tweak
    • Removed intentionally-insecure sample files under tests (various language snippets)

Risk

Low. Primarily new documentation/prompts and organizational scaffolding; also removes insecure test fixtures.

Jeymz added 2 commits January 26, 2026 13:27
- Add MCP-focused agent profiles (protocol, tools, security, orchestrator)
- Add MCP server development instructions and helper prompts
- Ignore VS Code workspace settings in git
- Set Docker default server.ssl=false
- Remove insecure sample test snippets
- Add new prompt templates for CSP rollout and CSP review
- Add a prompts index README and update the main prompt catalogue
- Clarify Node.js secure guidance: prefer contextual output encoding over sanitization
- Normalize skill docs with top-level headings for consistent rendering
@Jeymz Jeymz self-assigned this Jan 27, 2026
@Jeymz Jeymz added documentation Improvements or additions to documentation enhancement New feature or request labels Jan 27, 2026
@Jeymz Jeymz requested a review from Copilot January 27, 2026 01:22

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the repository's security-focused Copilot/MCP capabilities by adding MCP-specific agent profiles, prompt templates, and Content Security Policy (CSP) tooling, while also performing repository cleanup.

Changes:

  • Added MCP-focused agents and prompts for server development, tooling, and security hardening
  • Introduced CSP authoring and review prompt templates
  • Removed intentionally insecure test fixture files
  • Updated documentation for consistency and discoverability

Reviewed changes

Copilot reviewed 30 out of 31 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
tests/weak-auth-flow.ts Removed insecure test fixture demonstrating JWT and CSRF vulnerabilities
tests/unsafe-deserialization.py Removed insecure test fixture showing unsafe deserialization patterns
tests/secret-hardcode.js Removed insecure test fixture with hardcoded credentials
tests/overtrusted-genai-snippet.js Removed insecure test fixture demonstrating AI hallucination risks
tests/logs-sensitive-data.go Removed insecure test fixture logging sensitive data
tests/insecure-api.cs Removed insecure test fixture using deprecated crypto
skills/*/SKILL.md Added H1 heading for consistency across skill documentation
prompts/csp-review.prompt.md Added CSP review prompt with comprehensive evaluation criteria
prompts/add-content-security-policy.prompt.md Added CSP implementation prompt with rollout guidance
prompts/README.md Created prompt catalog documentation
copilot-instructions.md Clarified XSS prevention guidance to emphasize output encoding over sanitization
README.md Updated with CSP prompts and added context about prompt location
Dockerfile Added server.ssl environment variable configuration
.github/prompts/*.prompt.md Added MCP-specific prompts for tooling, auditing, and testing
.github/instructions/mcp-server.development.instructions.md Added path-specific development rules for MCP server code
.github/agents/*.agent.md Added MCP agent profiles for orchestration, protocol, tooling, and security

Comment thread copilot-instructions.md

- Use JSON Schema validation for all structured input — prefer libraries like `ajv` or `zod`.
- Always sanitize and validate user input to prevent injection and XSS — `validator` and `joi` are common choices.
- Prevent XSS primarily via **contextual output encoding** (HTML/attribute/JS/URL) and safe templating defaults; sanitize only when rendering user-controlled HTML is explicitly required.

Copilot AI Jan 27, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The updated guidance correctly emphasizes contextual output encoding as the primary XSS defense, which is a significant improvement. However, consider adding a brief example or reference to what "safe templating defaults" means in practice (e.g., auto-escaping in template engines like EJS, Handlebars, or React). This would make the guidance more actionable for developers unfamiliar with the concept.

Suggested change
- Prevent XSS primarily via **contextual output encoding** (HTML/attribute/JS/URL) and safe templating defaults; sanitize only when rendering user-controlled HTML is explicitly required.
- Prevent XSS primarily via **contextual output encoding** (HTML/attribute/JS/URL) and safe templating defaults (e.g., auto-escaping in EJS/Handlebars templates or React JSX by default); sanitize only when rendering user-controlled HTML is explicitly required.

Copilot uses AI. Check for mistakes.
Comment thread Dockerfile
@@ -2,6 +2,7 @@ FROM node:lts-bullseye-slim

ENV NODE_ENV=production
ENV server.port=8080

Copilot AI Jan 27, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting server.ssl=false as a default environment variable in the Dockerfile creates an insecure default configuration. Even for development/demo purposes, this promotes deploying without TLS. Consider either removing this line to require explicit configuration, setting it to true by default with a comment explaining how to override for local development, or adding a prominent comment warning that this must be changed for production deployments.

Suggested change
ENV server.port=8080
ENV server.port=8080
# WARNING: TLS is disabled by default for this image.
# This setting is ONLY appropriate for local development or when TLS is
# terminated by a trusted reverse proxy/load balancer in front of this service.
# For any production deployment, you MUST override this value to `true`, e.g.:
# docker run -e server.ssl=true ...

Copilot uses AI. Check for mistakes.
@Jeymz Jeymz merged commit fefe9f2 into Robotti-io:main Jan 27, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants