feat(agents): align sssc planner with rai parity, add signing and validation

.cspell.json

@@ -77,7 +77,13 @@
     "whiteboarding",
     "ˈpræksɪs",
     "πρᾶξις",
-    "agentic"
+    "agentic",
+    "sssc",
+    "SSSC",
+    "SLSA",
+    "Sigstore",
+    "cosign",
+    "scorecard"
   ],
   "reporters": [
     "default",

.github/CUSTOM-AGENTS.md

@@ -38,30 +38,30 @@ Select from the **agent picker dropdown** in the Chat view:
 
 The Research-Plan-Implement (RPI) workflow provides a structured approach to complex development tasks.
 
-| Agent                | Purpose                                                           | Key Constraint                                 |
-|----------------------|-------------------------------------------------------------------|------------------------------------------------|
-| **rpi-agent**        | Autonomous agent with subagent delegation for complex tasks       | Requires a subagent tool enabled               |
-| **task-researcher**  | Produces research documents with evidence-based recommendations   | Research-only; never plans or implements       |
-| **task-planner**     | Creates 3-file plan sets (plan, details, prompt)                  | Requires research first; never implements code |
-| **task-implementor** | Executes implementation plans with subagent delegation            | Requires completed plan files                  |
-| **task-reviewer**    | Validates implementation against research and plan specifications | Requires research/plan artifacts               |
+| Agent                | Purpose                                                                                               | Key Constraint                                            |
+|----------------------|-------------------------------------------------------------------------------------------------------|-----------------------------------------------------------|
+| **rpi-agent**        | Autonomous agent with subagent delegation for complex tasks                                           | Requires a subagent tool enabled                          |
+| **task-researcher**  | Produces research documents with evidence-based recommendations                                       | Research-only; never plans or implements                  |
+| **task-planner**     | Creates 3-file plan sets (plan, details, prompt)                                                      | Requires research first; never implements code            |
+| **task-implementor** | Executes implementation plans with subagent delegation                                                | Requires completed plan files                             |
+| **task-reviewer**    | Validates implementation against research and plan specifications                                     | Requires research/plan artifacts                          |
 | **task-challenger**  | Adversarial questioning agent that interrogates completed implementations with What/Why/How questions | Experimental; no suggestions, hints, or leading questions |
 
 ### Documentation and Planning Agents
 
-| Agent                            | Purpose                                                                      | Key Constraint                                        |
-|----------------------------------|------------------------------------------------------------------------------|-------------------------------------------------------|
-| **adr-creation**                 | Interactive ADR coaching with guided discovery                               | Socratic coaching approach                            |
-| **brd-builder**                  | Creates Business Requirements Documents with reference integration           | Solution-agnostic requirements focus                  |
-| **doc-ops**                      | Documentation operations and maintenance                                     | Does not modify source code                           |
-| **meeting-analyst**              | Analyzes meeting transcripts to extract product requirements via work-iq-mcp | Experimental; requires work-iq-mcp EULA; transcripts may contain PII and confidential data, analysis files are unencrypted on disk |
-| **prd-builder**                  | Creates Product Requirements Documents through guided Q&A                    | Iterative questioning; state-tracked sessions         |
-| **product-manager-advisor**      | Requirements discovery, story quality, and prioritization guidance           | Principles over format; delegates to prd/brd builders |
-| **security-planner**             | STRIDE-based security model analysis with standards mapping and backlog handoff | Six-phase conversational workflow; experimental       |
-| **sssc-planner**                 | Supply chain security assessment with 6-phase workflow against OpenSSF Scorecard, SLSA, Sigstore, and SBOM | Six-phase conversational workflow; experimental       |
-| **rai-planner**                  | Responsible AI assessment with 6-phase workflow against Microsoft Responsible AI Impact Assessment Guide and NIST AI RMF | Six-phase conversational workflow; experimental       |
-| **system-architecture-reviewer** | Reviews system designs for trade-offs and ADR alignment                      | Scoped review; delegates security concerns            |
-| **ux-ui-designer**               | JTBD analysis, user journey mapping, and accessibility requirements          | Research artifacts only; visual design in Figma       |
+| Agent                            | Purpose                                                                                                                  | Key Constraint                                                                                                                     |
+|----------------------------------|--------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|
+| **adr-creation**                 | Interactive ADR coaching with guided discovery                                                                           | Socratic coaching approach                                                                                                         |
+| **brd-builder**                  | Creates Business Requirements Documents with reference integration                                                       | Solution-agnostic requirements focus                                                                                               |
+| **doc-ops**                      | Documentation operations and maintenance                                                                                 | Does not modify source code                                                                                                        |
+| **meeting-analyst**              | Analyzes meeting transcripts to extract product requirements via work-iq-mcp                                             | Experimental; requires work-iq-mcp EULA; transcripts may contain PII and confidential data, analysis files are unencrypted on disk |
+| **prd-builder**                  | Creates Product Requirements Documents through guided Q&A                                                                | Iterative questioning; state-tracked sessions                                                                                      |
+| **product-manager-advisor**      | Requirements discovery, story quality, and prioritization guidance                                                       | Principles over format; delegates to prd/brd builders                                                                              |
+| **security-planner**             | STRIDE-based security model analysis with standards mapping and backlog handoff                                          | Six-phase conversational workflow; experimental                                                                                    |
+| **sssc-planner**                 | Supply chain security assessment with 6-phase workflow against OpenSSF Scorecard, SLSA, Sigstore, and SBOM               | Six-phase conversational workflow; experimental                                                                                    |
+| **rai-planner**                  | Responsible AI assessment with 6-phase workflow against Microsoft Responsible AI Impact Assessment Guide and NIST AI RMF | Six-phase conversational workflow; experimental                                                                                    |
+| **system-architecture-reviewer** | Reviews system designs for trade-offs and ADR alignment                                                                  | Scoped review; delegates security concerns                                                                                         |
+| **ux-ui-designer**               | JTBD analysis, user journey mapping, and accessibility requirements                                                      | Research artifacts only; visual design in Figma                                                                                    |
 
 ### Utility Agents
 
@@ -71,14 +71,14 @@ The Research-Plan-Implement (RPI) workflow provides a structured approach to com
 
 ### Code and Review Agents
 
-| Agent                          | Purpose                                                          | Key Constraint                                        |
-|--------------------------------|------------------------------------------------------------------|-------------------------------------------------------|
-| **pr-review**                  | 4-phase PR review with tracking artifacts                        | Review-only; never modifies code                      |
-| **prompt-builder**             | Engineers and validates instruction/prompt files                 | Dual-persona system with auto-testing                 |
-| **security-reviewer**          | OWASP vulnerability assessment with subagent-driven verification | Delegates all reference reading to subagents          |
-| **code-review-functional**     | Pre-PR branch diff reviewer for functional correctness and logic gaps | Review-only; five focus areas; optional artifact save |
-| **code-review-full**           | Orchestrator running functional + standards reviews via subagents     | Merges both reports; delegates to subagents; experimental |
-| **code-review-standards**      | Skills-based standards reviewer for local changes and PRs        | Findings must trace to a loaded skill; experimental   |
+| Agent                      | Purpose                                                               | Key Constraint                                            |
+|----------------------------|-----------------------------------------------------------------------|-----------------------------------------------------------|
+| **pr-review**              | 4-phase PR review with tracking artifacts                             | Review-only; never modifies code                          |
+| **prompt-builder**         | Engineers and validates instruction/prompt files                      | Dual-persona system with auto-testing                     |
+| **security-reviewer**      | OWASP vulnerability assessment with subagent-driven verification      | Delegates all reference reading to subagents              |
+| **code-review-functional** | Pre-PR branch diff reviewer for functional correctness and logic gaps | Review-only; five focus areas; optional artifact save     |
+| **code-review-full**       | Orchestrator running functional + standards reviews via subagents     | Merges both reports; delegates to subagents; experimental |
+| **code-review-standards**  | Skills-based standards reviewer for local changes and PRs             | Findings must trace to a loaded skill; experimental       |
 
 ### Generator Agents
 
@@ -91,12 +91,12 @@ The Research-Plan-Implement (RPI) workflow provides a structured approach to com
 
 ### Platform Integration Agents
 
-| Agent                    | Purpose                                                    | Key Constraint                                  |
-|--------------------------|------------------------------------------------------------|-------------------------------------------------|
-| **github-backlog-manager** | Consolidated GitHub backlog management with community interaction | Uses MCP GitHub tools                           |
-| **jira-backlog-manager** | Consolidated Jira backlog management with workflow dispatch and handoff tracking | Uses Jira skill planning workflows              |
-| **ado-prd-to-wit**       | Analyzes PRDs and plans Azure DevOps work item hierarchies | Planning-only; does not create work items       |
-| **jira-prd-to-wit**      | Analyzes PRDs and plans Jira issue hierarchies             | Planning-only; does not mutate Jira             |
+| Agent                      | Purpose                                                                          | Key Constraint                            |
+|----------------------------|----------------------------------------------------------------------------------|-------------------------------------------|
+| **github-backlog-manager** | Consolidated GitHub backlog management with community interaction                | Uses MCP GitHub tools                     |
+| **jira-backlog-manager**   | Consolidated Jira backlog management with workflow dispatch and handoff tracking | Uses Jira skill planning workflows        |
+| **ado-prd-to-wit**         | Analyzes PRDs and plans Azure DevOps work item hierarchies                       | Planning-only; does not create work items |
+| **jira-prd-to-wit**        | Analyzes PRDs and plans Jira issue hierarchies                                   | Planning-only; does not mutate Jira       |
 
 ### Testing Agents
 

.github/agents/security/sssc-planner.agent.md

@@ -34,7 +34,9 @@ Phase-based conversational supply chain security planning agent that guides user
 
 ## Startup Announcement
 
-Display the SSSC Planning CAUTION block from #file:../../instructions/shared/disclaimer-language.instructions.md verbatim at the start of every new conversation, before any questions or analysis.
+Display the SSSC Planning CAUTION block from #file:../../instructions/shared/disclaimer-language.instructions.md verbatim at the start of every new conversation and whenever `disclaimerShownAt` is `null` in `state.json`, before any questions or analysis. After displaying the disclaimer, set `disclaimerShownAt` to the current ISO 8601 timestamp in `state.json`.
+
+After the disclaimer, display the standards attribution: assessment is conducted against OpenSSF Scorecard, SLSA Build levels, OpenSSF Best Practices Badge, Sigstore keyless signing, and SBOM standards (CycloneDX and SPDX) as referenced in `sssc-standards.instructions.md`. Display both the disclaimer and attribution before any questions or analysis.
 
 ## Six-Phase Architecture
 
@@ -75,7 +77,7 @@ Generate actionable work items in dual format (ADO + GitHub) from identified gap
 
 ### Phase 6: Review and Handoff
 
-Validate completeness, generate Scorecard improvement projections and SLSA level assessments, and hand off to backlog managers. Follow the handoff protocol in `sssc-handoff.instructions.md`.
+Validate completeness, generate Scorecard improvement projections and SLSA level assessments, and hand off to backlog managers. Follow the handoff protocol in `sssc-handoff.instructions.md`. After handoff generation, offer cryptographic signing of all session artifacts. When the user accepts, invoke `scripts/security/Sign-PlannerArtifacts.ps1` via `execute/runInTerminal` with `-SessionPath '.copilot-tracking/sssc-plans/{project-slug}'` and `-ManifestName 'sssc-manifest.json'` to generate a SHA-256 manifest and optionally sign with cosign.
 
 ## Entry Modes
 
@@ -131,7 +133,20 @@ State JSON schema for `state.json`:
   },
   "referencesProcessed": [],
   "nextActions": [],
-  "userPreferences": { "autonomyTier": "partial" },
+  "signingRequested": false,
+  "signingManifestPath": null,
+  "disclaimerShownAt": null,
+  "userPreferences": {
+    "autonomyTier": "partial",
+    "outputDetailLevel": "standard",
+    "targetSystem": "both",
+    "audienceProfile": "mixed",
+    "includeOptionalArtifacts": {
+      "adoptionPlaybook": false,
+      "executiveSummary": false,
+      "artifactSigning": false
+    }
+  },
   "ssscEnabled": true,
   "securityPlannerLink": null,
   "raiPlannerLink": null
@@ -197,22 +212,24 @@ Subagents can run in parallel when researching independent standard domains.
 
 ### Session Resume
 
-Four-step resume protocol when returning to an existing SSSC assessment:
+Five-step resume protocol when returning to an existing SSSC assessment:
 
 1. Read `state.json` from the project slug directory.
-2. Display current phase progress and checklist status.
-3. Summarize what was completed and what remains.
-4. Continue from the last incomplete action.
+2. If `disclaimerShownAt` is `null`, display the Startup Announcement verbatim and set `disclaimerShownAt` to the current ISO 8601 timestamp.
+3. Display current phase progress and checklist status.
+4. Summarize what was completed and what remains.
+5. Continue from the last incomplete action.
 
 ### Post-Summarization Recovery
 
-Five-step recovery when conversation context is compacted:
+Six-step recovery when conversation context is compacted:
 
 1. Read `state.json` to restore phase context.
-2. Read existing artifacts (supply-chain-assessment.md, standards-mapping.md, gap-analysis.md, sssc-backlog.md) for accumulated findings.
-3. Re-derive the current question set from the active phase.
-4. Present a brief "Welcome back" summary with phase status.
-5. Continue with the next question set.
+2. If `disclaimerShownAt` is `null`, display the Startup Announcement verbatim and set `disclaimerShownAt` to the current ISO 8601 timestamp.
+3. Read existing artifacts (supply-chain-assessment.md, standards-mapping.md, gap-analysis.md, sssc-backlog.md) for accumulated findings.
+4. Re-derive the current question set from the active phase.
+5. Present a brief "Welcome back" summary with phase status.
+6. Continue with the next question set.
 
 ## Cross-Agent Integration
 
@@ -239,7 +256,10 @@ Reference `.github/instructions/security/sssc-handoff.instructions.md` for full
 ## Operational Constraints
 
 * Create all files only under `.copilot-tracking/sssc-plans/{project-slug}/`.
+* User-supplied reference content is persisted under `.copilot-tracking/sssc-plans/references/`, shared across all assessments. All phases check this folder for applicable content before completing phase work.
 * Never modify application source code.
+* Embedded standards (OpenSSF Scorecard, SLSA, Best Practices Badge, Sigstore, SBOM) are referenced directly from the sssc-standards instruction file.
 * Delegate Microsoft Well-Architected Framework (WAF) and Cloud Adoption Framework (CAF) lookups to Researcher Subagent rather than embedding those standards.
 * Reusable workflow references point to `microsoft/hve-core` and `microsoft/physical-ai-toolchain`. Verify workflow availability before recommending adoption.
 * When recommending SHA-pinned action references, always include the version comment alongside the SHA for maintainability.
+* When operating in `from-security-plan` mode, read security plan artifacts as read-only; never modify files under `.copilot-tracking/security-plans/`.