microsoft/hve-core
Publicmirrored fromhttps://github.com/microsoft/hve-coreAvailable
docs/agents/security/entry-modes.md
105lines · modecode
| 1 | --- |
| 2 | title: Entry Modes |
| 3 | description: Detailed guide to the Security Planner's From-PRD and capture entry modes, including prompt usage and workflow differences |
| 4 | sidebar_position: 4 |
| 5 | sidebar_label: Entry Modes |
| 6 | keywords: |
| 7 | - security planner |
| 8 | - entry modes |
| 9 | - from-prd |
| 10 | - capture |
| 11 | tags: |
| 12 | - agents |
| 13 | - security |
| 14 | author: Microsoft |
| 15 | ms.date: 2026-03-11 |
| 16 | ms.topic: how-to |
| 17 | estimated_reading_time: 5 |
| 18 | --- |
| 19 | |
| 20 | The Security Planner supports two entry modes that control how Phase 1 scoping begins. Each mode is activated through a dedicated prompt file that sets the initial state and determines how much context the agent gathers before starting the analysis. |
| 21 | |
| 22 | ## From-PRD Mode |
| 23 | |
| 24 | From-PRD mode seeds Phase 1 from PRD or BRD artifacts already present in the workspace. Use this mode when formal requirements documents exist under `.copilot-tracking/`. |
| 25 | |
| 26 | ### How It Works |
| 27 | |
| 28 | 1. The agent scans `.copilot-tracking/` for PRD and BRD files. |
| 29 | 2. Discovered artifacts are presented with ✅/❌ markers showing which were found. |
| 30 | 3. The agent extracts six categories of scope information: project purpose, technology stack, deployment model, data classification, compliance requirements, and AI/ML components. |
| 31 | 4. State is initialized with `entryMode: "from-prd"` and the extracted references stored in `referencesProcessed`. |
| 32 | 5. Phase 1 begins with a checklist of pre-filled items and 3-5 clarifying questions for gaps. |
| 33 | |
| 34 | ### Prompt File |
| 35 | |
| 36 | Activate From-PRD mode with the **Security Plan from PRD** prompt (`security-plan-from-prd.prompt.md`). This prompt accepts an optional `project-slug` input parameter. |
| 37 | |
| 38 | ```text |
| 39 | Inputs: |
| 40 | project-slug (optional) - Kebab-case project identifier |
| 41 | ``` |
| 42 | |
| 43 | ### When to Choose From-PRD Mode |
| 44 | |
| 45 | | Situation | Fit | |
| 46 | |----------------------------------------------------|-----| |
| 47 | | PRD or BRD artifacts exist in `.copilot-tracking/` | ✅ | |
| 48 | | Product requirements are well-documented | ✅ | |
| 49 | | Early-stage project without formal docs | ❌ | |
| 50 | | Quick exploration of the agent's workflow | ❌ | |
| 51 | |
| 52 | ## Capture Mode |
| 53 | |
| 54 | Capture mode starts with a blank Phase 1 interview. Use this mode when no formal requirements documents exist or when you want to walk through scoping from scratch. |
| 55 | |
| 56 | ### How It Works |
| 57 | |
| 58 | 1. The agent creates the project directory under `.copilot-tracking/security-plans/`. |
| 59 | 2. State is initialized with `entryMode: "capture"` and empty `referencesProcessed`. |
| 60 | 3. Phase 1 begins with a structured interview, asking 3-5 questions per turn. |
| 61 | 4. The agent accumulates scope information across multiple turns until the user confirms Phase 1 is complete. |
| 62 | |
| 63 | ### Prompt File |
| 64 | |
| 65 | Activate capture mode with the **Security Capture** prompt (`security-capture.prompt.md`). This prompt also accepts an optional `project-slug` input parameter. |
| 66 | |
| 67 | ```text |
| 68 | Inputs: |
| 69 | project-slug (optional) - Kebab-case project identifier |
| 70 | ``` |
| 71 | |
| 72 | If the user provides existing security notes or context in the initial message, the agent incorporates them into the interview rather than asking redundant questions. |
| 73 | |
| 74 | ### When to Choose Capture Mode |
| 75 | |
| 76 | | Situation | Fit | |
| 77 | |--------------------------------------------------|-----| |
| 78 | | No PRD or BRD artifacts available | ✅ | |
| 79 | | Team wants to explore the workflow interactively | ✅ | |
| 80 | | Existing informal notes to incorporate | ✅ | |
| 81 | | Well-documented project with formal artifacts | ❌ | |
| 82 | |
| 83 | ## Comparing the Two Modes |
| 84 | |
| 85 | Both modes converge at the same Phase 1 output. The difference is how much context the agent starts with. |
| 86 | |
| 87 | | Aspect | From-PRD | Capture | |
| 88 | |----------------------|--------------------------------------|-----------------------------| |
| 89 | | Initial context | Extracted from PRD/BRD | Gathered through interview | |
| 90 | | Number of questions | Fewer (gaps only) | More (full scope interview) | |
| 91 | | Time to Phase 2 | Faster | Slower but more thorough | |
| 92 | | State initialization | `entryMode: "from-prd"` | `entryMode: "capture"` | |
| 93 | | Best for | Projects with existing documentation | Projects in early stages | |
| 94 | |
| 95 | ## Switching Between Modes |
| 96 | |
| 97 | Entry mode is set once during Phase 1 initialization and cannot be changed mid-plan. To switch modes, start a new chat session with the other prompt file and a different project slug (or the same slug after removing the existing state directory). |
| 98 | |
| 99 | > [!NOTE] |
| 100 | > Both modes produce identical Phase 2-6 workflows. The choice only affects how Phase 1 scope is gathered. |
| 101 | |
| 102 | <!-- markdownlint-disable MD036 --> |
| 103 | *🤖 Crafted with precision by ✨Copilot following brilliant human instruction, |
| 104 | then carefully refined by our team of discerning human reviewers.* |
| 105 | <!-- markdownlint-enable MD036 --> |
| 106 | |