| name | ai-development-governance |
| description | AI-augmented development controls, GitHub Copilot governance, LLM security, AI-generated code review per Hack23 Secure Development Policy |
| license | MIT |
AI Development Governance Skill
Context
This skill applies when:
- Using GitHub Copilot or other AI coding assistants
- Reviewing AI-generated code
- Implementing AI-augmented development workflows
- Creating custom Copilot agents and skills
- Securing AI/LLM integrations
- Documenting AI usage in development process
This skill enforces Hack23 Secure Development Policy Section 🤖 for responsible AI-assisted development.
Rules
1. AI as Proposal Generator, Not Authority (Policy Section 🤖.1)
- Human Review Required: All AI-generated code MUST be reviewed by human developer
- Understanding Required: Developer MUST understand what AI-generated code does
- No Blind Acceptance: Never merge AI suggestions without verification
- Test AI Code: All AI-generated code requires tests with 80%+ coverage
- Security Review: AI-generated security code requires additional security review
2. PR Review Requirements (Policy Section 🤖.2)
- AI Disclosure: PRs with significant AI-generated code MUST be labeled
- Code Ownership: Developer submitting PR owns the code, regardless of AI generation
- Review Standards: Same review standards apply to AI-generated and human-written code
- Security Validation: Security-critical AI code requires security team approval
- No Bypass: AI assistance does NOT reduce review requirements
3. Curator-Agent as Tooling Change (Policy Section 🤖.3)
- Agent Purpose: Custom agents provide specialized expertise, not replace human judgment
- Skill Integration: Skills teach patterns, developers validate appropriateness
- Agent Transparency: Document which agents/skills were used
- Agent Limitations: Understand agent limitations and potential biases
- Agent Testing: Test agent-generated code as rigorously as any other code
4. Security Requirements (Policy Section 🤖.4)
- No Secrets in Prompts: Never include secrets, API keys, or credentials in AI prompts
- Data Classification: Don't share classified or sensitive data with AI
- Code Review: AI-generated security controls require expert security review
- Vulnerability Scanning: Run CodeQL/SAST on all AI-generated code
- ISMS Compliance: AI-generated code MUST comply with all ISMS policies
Examples
✅ Good Pattern: AI-Generated Code with Proper Review
export async function searchMEPsByCountry(country: string): Promise<MEP[]> {
const CountrySchema = z.string()
.length(2, 'Country code must be 2 characters')
.regex(/^[A-Z]{2}$/, 'Country code must be uppercase')
.refine(
(code) => EU_MEMBER_STATES.has(code),
{ message: 'Not a valid EU member state' }
);
const validatedCountry = CountrySchema.parse(country);
const cacheKey = `meps:country:${validatedCountry}`;
const cached = mepCache.get(cacheKey);
if (cached) {
auditLog.record({
eventType: AuditEventType.CACHE_HIT,
subject: cacheKey,
outcome: 'success',
});
return cached;
}
await rateLimiter.waitForSlot();
const response = await fetch(
`https://data.europarl.europa.eu/api/v2/meps?country=${validatedCountry}`,
{
headers: {
'Accept': 'application/json',
'User-Agent': 'European-Parliament-MCP-Server/1.0',
},
}
);
if (!response.ok) {
auditLog.recordAPIError(response.status, validatedCountry);
throw new APIError(`EP API error: ${response.status}`);
}
const meps = await response.json();
mepCache.set(cacheKey, meps);
auditLog.recordPersonalDataAccess(
'system',
`meps:country:${validatedCountry}`,
'Country-based MEP search'
);
return meps;
}
describe('searchMEPsByCountry', () => {
it('should validate country code format', async () => {
await expect(searchMEPsByCountry('USA')).rejects.toThrow('Not a valid EU member state');
});
it('should reject lowercase country codes', async () => {
await expect(searchMEPsByCountry('de')).rejects.toThrow('Country code must be uppercase');
});
it('should use cache on subsequent requests', async () => {
vi.mock('./api', () => ({
fetchMEPs: vi.fn().mockResolvedValue([{ id: 1, country: 'DE' }])
}));
await searchMEPsByCountry('DE');
await searchMEPsByCountry('DE');
const apiMock = await import('./api');
expect(apiMock.fetchMEPs).toHaveBeenCalledTimes(1);
});
it('should log GDPR access', async () => {
const logSpy = vi.spyOn(auditLog, 'recordPersonalDataAccess');
await searchMEPsByCountry('DE');
expect(logSpy).toHaveBeenCalledWith(
'system',
'meps:country:DE',
'Country-based MEP search'
);
});
});
Pull Request Description:
## AI-Generated Code Disclosure
**AI Tool Used**: GitHub Copilot
**AI Contribution**: ~60% (initial implementation, test structure)
**Human Review**: All code reviewed, enhanced security, added GDPR logging
**Security Review**: ✅ Approved by security@hack23.com
**Test Coverage**: 95% (4 passing tests)
### Human Enhancements
- Added EU member state validation
- Added rate limiting
- Enhanced error handling
- Added GDPR audit logging
- Added security-focused test case
### Review Checklist
- [x] Code understood and validated
- [x] Security controls verified
- [x] Tests pass with 80%+ coverage
- [x] ISMS compliance validated
- [x] No secrets or sensitive data
- [x] Documentation complete
Policy Reference: Secure Development Policy Section 🤖
✅ Good Pattern: Custom Copilot Agent with Governance
---
name: example-agent
description: Example agent with proper governance
tools: ["view", "edit", "create"]
---
# Example Agent
**AI Governance Notice**: This agent uses AI to generate code suggestions. All suggestions MUST be reviewed by human developers per [Secure Development Policy Section 🤖](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md#ai-augmented-development-controls).
## Core Expertise
You specialize in X, Y, Z.
## Rules
1. **Security First**: All code must follow security-by-design principles
2. **ISMS Compliance**: Reference appropriate ISMS policies
3. **Test Coverage**: Generate tests achieving 80%+ coverage
4. **Human Review**: Remind users to review all generated code
5. **Evidence Links**: Provide evidence links to policy compliance
## Remember
**ALWAYS:**
- ✅ Generate code that follows ISMS policies
- ✅ Include comprehensive tests
- ✅ Document security considerations
- ✅ Reference evidence in Hack23 repos
- ✅ Remind users to review AI-generated code
**NEVER:**
- ❌ Include secrets or credentials
- ❌ Skip input validation
- ❌ Generate code without tests
- ❌ Bypass security controls
- ❌ Claim AI-generated code is perfect
---
**Governance**: This agent's output requires human review per AI Development Governance policy.
✅ Good Pattern: AI Security Validation Checklist
# AI-Generated Code Security Review Checklist
**Project**: European Parliament MCP Server
**PR**: #123
**AI Tool**: GitHub Copilot
**Date**: 2026-02-16
## Pre-Merge Security Validation
### Code Understanding
- [ ] Developer understands all AI-generated code
- [ ] Code purpose and logic documented
- [ ] Edge cases identified and handled
### Security Controls
- [ ] Input validation with Zod schemas
- [ ] No hardcoded secrets or credentials
- [ ] Error handling doesn't expose sensitive data
- [ ] Audit logging for security events
- [ ] Rate limiting implemented where needed
### ISMS Compliance
- [ ] Follows security-by-design principles
- [ ] Aligns with threat model
- [ ] Implements defense-in-depth
- [ ] Complies with GDPR (if handling personal data)
- [ ] References appropriate ISMS policies
### Testing
- [ ] Unit tests achieve 80%+ coverage
- [ ] Security test cases included
- [ ] Edge cases tested
- [ ] Error paths tested
- [ ] Integration tests passing
### Code Quality
- [ ] TypeScript strict mode compliant
- [ ] ESLint passing with no warnings
- [ ] Code follows project conventions
- [ ] Documentation complete (JSDoc)
- [ ] No TODO or FIXME comments
### Vulnerability Scanning
- [ ] CodeQL scan passing
- [ ] npm audit shows zero vulnerabilities
- [ ] Dependency licenses approved
- [ ] SAST tools report no issues
## Security Review Sign-Off
- [ ] Reviewed by: ___________________
- [ ] Date: ___________________
- [ ] Security concerns: None / [Document concerns]
- [ ] Approval: ✅ Approved / ❌ Requires changes
## Post-Merge Monitoring
- [ ] Monitor for runtime errors
- [ ] Track performance metrics
- [ ] Review audit logs for anomalies
- [ ] Schedule follow-up review in 30 days
Policy Reference: Secure Development Policy Section 🤖.2
✅ Good Pattern: AI-Generated Code Documentation
export class EPAPIRateLimiter {
}
Anti-Patterns
❌ Bad: Blindly Accepting AI Code
export async function handleUserData(data: any) {
return await processData(data);
}
Why: Violates AI Development Governance - no review, no validation, no tests
❌ Bad: Including Secrets in AI Prompts
Prompt to Copilot: "Create API client with API key abc123xyz456"
Why: Violates Policy Section 🤖.4 - Never share secrets with AI
❌ Bad: No AI Disclosure
# Pull Request
Changed the search function.
Why: Violates transparency - significant AI-generated code must be disclosed
Evidence Portfolio
Reference Implementations
-
European Parliament MCP Server
-
Citizen Intelligence Agency (CIA)
-
Black Trigram Game
Policy Documents
GitHub Copilot Integration
Custom Agents Best Practices
- Clear Purpose: Each agent has specific expertise
- Security Focus: Security controls in all agent instructions
- Evidence Links: Reference Hack23 repos for patterns
- Human Review Reminder: Always remind users to review
- ISMS Alignment: All agents reference ISMS policies
Skills Best Practices
- Pattern-Based: Teach patterns, not specific solutions
- Auto-Activation: Skills activate based on context
- Evidence-Backed: Include working examples from real repos
- Compliance-Focused: Map patterns to ISMS policies
- Test-Driven: Include testing patterns
AI Development Checklist
ISMS Compliance
This skill enforces:
- AI-001: AI as proposal generator principle (human accepts or rejects)
- AI-002: PR-review requirements for AI-generated code
- AI-003: Custom-agent governance (definition, scope, minimal privilege)
- AI-004: AI security requirements (prompt-injection resistance, output filtering)
- AI-005: Provenance — every AI-assisted change traceable to prompt + reviewer
Policy References
Primary:
Related: