microsoft/hve-core
Publicmirrored fromhttps://github.com/microsoft/hve-coreAvailable
docs/agents/security/agent-overview.md
127lines · modecode
| 1 | --- |
| 2 | title: Agent Overview |
| 3 | description: Architecture, state management, and operational details for the Security Planner agent |
| 4 | sidebar_position: 3 |
| 5 | sidebar_label: Agent Overview |
| 6 | keywords: |
| 7 | - security planner |
| 8 | - agent architecture |
| 9 | - state management |
| 10 | tags: |
| 11 | - agents |
| 12 | - security |
| 13 | author: Microsoft |
| 14 | ms.date: 2026-03-11 |
| 15 | ms.topic: reference |
| 16 | estimated_reading_time: 7 |
| 17 | --- |
| 18 | |
| 19 | The Security Planner is a phase-based conversational agent that produces security models, standards mappings, and backlog handoff artifacts. It detects AI/ML components during scoping and coordinates with the RAI Planner for responsible AI assessments. |
| 20 | |
| 21 | ## Architecture |
| 22 | |
| 23 | ```mermaid |
| 24 | flowchart TD |
| 25 | subgraph Agent |
| 26 | SP["Security Planner"] |
| 27 | RS["Researcher Subagent"] |
| 28 | end |
| 29 | |
| 30 | subgraph State |
| 31 | SJ["state.json"] |
| 32 | PF["Plan Files"] |
| 33 | end |
| 34 | |
| 35 | subgraph Instructions |
| 36 | I1["identity"] |
| 37 | I2["operational-buckets"] |
| 38 | I3["standards-mapping"] |
| 39 | I4["security-model"] |
| 40 | I5["backlog-handoff"] |
| 41 | end |
| 42 | |
| 43 | SP -->|"delegates"| RS |
| 44 | SP -->|"reads/writes"| SJ |
| 45 | SP -->|"generates"| PF |
| 46 | SP -->|"follows"| I1 & I2 & I3 & I4 & I5 |
| 47 | ``` |
| 48 | |
| 49 | The agent follows five instruction files, each scoped to a specific concern. The identity instructions govern overall behavior and state management. The remaining four files provide phase-specific guidance for bucket classification, standards mapping, security model analysis, and backlog generation. |
| 50 | |
| 51 | ## State Management |
| 52 | |
| 53 | All state lives in `.copilot-tracking/security-plans/{project-slug}/state.json`. The agent follows a six-step protocol on every turn: |
| 54 | |
| 55 | | Step | Action | |
| 56 | |-----------|------------------------------------------------------------------------| |
| 57 | | READ | Load the current state file | |
| 58 | | VALIDATE | Confirm the state schema is intact and the current phase is consistent | |
| 59 | | DETERMINE | Decide which phase and step to execute based on state and user input | |
| 60 | | EXECUTE | Perform the phase work (questions, analysis, artifact generation) | |
| 61 | | UPDATE | Modify the in-memory state to reflect completed work | |
| 62 | | WRITE | Persist the updated state back to the file | |
| 63 | |
| 64 | ### State Fields |
| 65 | |
| 66 | The state file tracks over 16 fields across scoping, analysis, and handoff concerns. |
| 67 | |
| 68 | | Field | Type | Description | |
| 69 | |------------------------|----------|-----------------------------------------------------| |
| 70 | | `projectSlug` | string | Kebab-case project identifier | |
| 71 | | `securityPlanFile` | string | Path to the main plan markdown file | |
| 72 | | `currentPhase` | number | Current phase (1-6) | |
| 73 | | `entryMode` | string | `from-prd` or `capture` | |
| 74 | | `bucketsCompleted` | string[] | Operational buckets that have been classified | |
| 75 | | `standardsMapped` | string[] | Buckets with completed standards mapping | |
| 76 | | `riskSurfaceStarted` | boolean | Whether Phase 4 threat modeling has begun | |
| 77 | | `handoffGenerated` | object | `{ado: boolean, github: boolean}` | |
| 78 | | `referencesProcessed` | string[] | Paths to PRD/BRD artifacts that were consumed | |
| 79 | | `nextActions` | string[] | Pending actions for the current or next phase | |
| 80 | | `userPreferences` | object | Autonomy preference: `full`, `partial`, or `manual` | |
| 81 | | `raiEnabled` | boolean | Whether AI/ML components were detected | |
| 82 | | `raiScope` | string | `none`, `lightweight`, or `full` | |
| 83 | | `raiTier` | string | `none`, `basic`, `standard`, or `comprehensive` | |
| 84 | | `raiPlannerDispatched` | boolean | Whether the RAI Planner handoff has been triggered | |
| 85 | | `aiComponents` | string[] | List of detected AI/ML components | |
| 86 | |
| 87 | ## Interaction Model |
| 88 | |
| 89 | The agent follows strict question rules during each phase: |
| 90 | |
| 91 | | Guardrail | Description | |
| 92 | |---------------------------------------|----------------------------------------------------------------------------------------------------| |
| 93 | | 3-5 questions per turn | Enough to make progress without overwhelming the user | |
| 94 | | Emoji checklists | Questions use ❓ for pending, ✅ for answered, and ❌ for blocked items | |
| 95 | | No phase advance without confirmation | The agent summarizes phase findings and asks for explicit approval before moving to the next phase | |
| 96 | |
| 97 | ## Session Resume |
| 98 | |
| 99 | When a conversation resumes from a prior session, the agent follows a four-step recovery protocol: |
| 100 | |
| 101 | 1. Read the state file from `.copilot-tracking/security-plans/{project-slug}/`. |
| 102 | 2. Validate that the state schema matches the expected version. |
| 103 | 3. Present a summary of completed phases and pending work. |
| 104 | 4. Continue from the current phase without re-asking answered questions. |
| 105 | |
| 106 | A five-step post-summarization recovery handles cases where conversation context was compacted by the chat system. |
| 107 | |
| 108 | ## Operational Constraints |
| 109 | |
| 110 | * All generated files are placed under `.copilot-tracking/security-plans/{project-slug}/`. |
| 111 | * The agent never modifies source code or files outside its tracking directory. |
| 112 | * The Researcher Subagent is dispatched only for WAF/CAF runtime lookups during Phase 3. |
| 113 | * RAI Planner handoff in Phase 6 provides the agent path and suggests the `from-security-plan` entry mode but does not force the user to continue. |
| 114 | |
| 115 | ## Related Files |
| 116 | |
| 117 | | File type | Location | |
| 118 | |--------------|--------------------------------------------------------------| |
| 119 | | Agent | `.github/agents/security/security-planner.agent.md` | |
| 120 | | Prompts | `.github/prompts/security/` | |
| 121 | | Instructions | `.github/instructions/security/` | |
| 122 | | State | `.copilot-tracking/security-plans/{project-slug}/state.json` | |
| 123 | |
| 124 | <!-- markdownlint-disable MD036 --> |
| 125 | *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, |
| 126 | then carefully refined by our team of discerning human reviewers.* |
| 127 | <!-- markdownlint-enable MD036 --> |
| 128 | |