Menu
Shared work-item templates and conventions for ADO and GitHub backlog handoff across the RAI, Security, SSSC, and Accessibility planners
WAI-ARIA Authoring Practices Guide (APG) design pattern knowledge base for accessibility assessment
W3C Making Content Usable for People with Cognitive and Learning Disabilities (COGA) knowledge base for accessibility assessment
European EN 301 549 V3.2.1 ICT Accessibility Standard knowledge base for accessibility assessment
US Section 508 ICT Accessibility Standards (revised 2017) knowledge base for accessibility assessment
WCAG 2.2 success criteria knowledge base for accessibility assessment
Foundational Python best practices, idioms, and code quality fundamentals
| name | backlog-templates |
| description | Shared work-item templates and conventions for ADO and GitHub backlog handoff across the RAI, Security, SSSC, and Accessibility planners |
| license | MIT |
| user-invocable | true |
| compatibility | {"hosts":["vscode","github-coding-agent"]} |
| metadata | {"authors":["microsoft/hve-core"],"spec_version":"1.0.0","last_updated":"2026-05-09"} |
Shared reference for ADO and GitHub work-item template generation, content sanitization, autonomy-tier vocabulary, disclaimer-block placement, and work-item ID conventions used by every planner that emits a backlog handoff.
Planners that emit Phase-final backlog work items all need the same dual-format template skeletons, the same content sanitization rules, and the same convention for where to assign work-item IDs. This skill consolidates those shared pieces so each planner instruction file can reference one source instead of restating them.
Callers:
.github/instructions/rai-planning/rai-backlog-handoff.instructions.md).github/instructions/security/backlog-handoff.instructions.md).github/instructions/security/sssc-backlog.instructions.md).github/instructions/accessibility/accessibility-backlog-handoff.instructions.md)What stays per-planner (NOT in this skill):
accessibility-backlog-handoff.instructions.md by the L7 disclaimer lever).ADO description fields use HTML and embed a planner-specific field block plus a verbatim disclaimer blockquote. Parameterize the skeleton with the planner ID prefix and per-planner field set.
Skeleton:
<div>
<h3>{Domain} Control: {control_name}</h3>
<!-- planner-specific field block goes here -->
<h4>Implementation</h4>
<p>{implementation_details}</p>
<h4>Acceptance Criteria</h4>
<ul>
<li>{criterion_1}</li>
<li>{criterion_2}</li>
</ul>
<blockquote>
<p><strong>Note</strong> — The author created this content with assistance from AI. All outputs should be reviewed and validated by a qualified {role} reviewer before use.</p>
<ul><li><input type="checkbox" disabled /> Reviewed and validated by a qualified {role} reviewer</li></ul>
</blockquote>
</div>
Worked example (Security Planner):
<div>
<h3>Security Control: {mitigation_name}</h3>
<p><strong>Threat:</strong> {threat_id} - {threat_description}</p>
<p><strong>Bucket:</strong> {bucket_name}</p>
<p><strong>Standards:</strong> {owasp_ref}, {nist_ref}</p>
<h4>Implementation</h4>
<p>{implementation_details}</p>
<h4>Acceptance Criteria</h4>
<ul>
<li>{criterion_1}</li>
<li>{criterion_2}</li>
</ul>
</div>
Each planner substitutes its own field block (NIST characteristic + threat + control surface for RAI; framework + criterion + surface + personas + evidence + tradeoff for Accessibility; supply-chain control + Scorecard check + adoption type for SSSC).
Planner-specific ADO description field block (the keys substituted into the <!-- planner-specific field block goes here --> slot):
characteristic, subcategory, principle, maturity_level, tradeoff_ref (when applicable).threat_id, stride_category, bucket, risk_level.framework, criterion, surface, wcag_level, severity, category, risk_tier, tradeoff_ref (when applicable). Add an assistive-technology validation note when severity is critical or major.GitHub issues use a YAML metadata header followed by a markdown body. Temporary IDs of the form {{<PREFIX>-TEMP-N}} are replaced with real issue numbers on creation.
Canonical YAML metadata header:
---
id: "{{<PREFIX>-TEMP-N}}"
planner: {rai|security|sssc|accessibility}
priority: {Critical|High|Medium|Low}
standards: ["{standard_id_1}", "{standard_id_2}"]
evidence_refs: ["{evidence_id_1}"]
cross_planner_refs: ["{wi_id_1}"]
---
Planner-specific augmentation fields (added to the same YAML block, not replacing it):
characteristic, subcategory, principle, maturity_level, tradeoff_ref, horizon, standards.threat_id, stride_category, risk_level, bucket, standards.scorecard_check, risk_level, adoption_type, effort, standards.framework, criterion, surface, wcag_level, severity, category, risk_tier, tradeoff_ref, standards.Markdown body skeleton:
## {Domain} Control: {control_name}
{planner_specific_summary_lines}
### Implementation
{implementation_details}
### Acceptance Criteria
* [ ] {criterion_1}
* [ ] {criterion_2}
The disclaimer blockquote from the ADO template is reused verbatim at the end of the markdown body for parity across formats.
| Field | Purpose | Required | Per-planner override |
|---|---|---|---|
| Title | Bracket-tag prefix + concise description | Yes | Title prefix differs ([Security], [RAI], [A11Y][{framework}]). |
| Description | HTML body per the ADO template skeleton | Yes | Field block contents differ. |
| AcceptanceCriteria | Verifiable checks | Yes | Accessibility adds assistive-technology validation when required. |
| Tags | Domain tags + applicable property tags | Yes | Tag vocabulary differs (CIA triad, RAI principles, WCAG level, etc.). |
| Priority | Derived from risk or severity | Yes | Mapping table per planner. |
| Iteration | Iteration path supplied by user | Optional | Empty defaults to backlog refinement. |
| AreaPath | Project area supplied by user | Yes | Required for ADO emission across all planners. |
| Parent | Epic or Feature parent reference | Optional | Set when seed maps into the planner-specific hierarchy. |
| Field | Purpose | Required | Per-planner override |
|---|---|---|---|
| title | Bracket-tag prefix + concise description | Yes | Title prefix differs (matches ADO Title convention). |
| body | Markdown body per the GitHub template | Yes | YAML header augmentation and body summary lines differ. |
| labels | Lowercased domain + property labels | Yes | Label vocabulary differs; strip prefix: form when colons are disallowed. |
| milestone | Planning milestone if one exists | Optional | Each planner may target a domain milestone; otherwise leave unset. |
| assignees | Owner role suggestion | Optional | Default to TBD — assign during backlog refinement. |
Apply these five rules to every work item before emission to ADO or GitHub. Sanitization runs after rendering and before MCP-driven creation.
.copilot-tracking/ with a descriptive phrase such as {domain} plan artifacts (for example, security plan artifacts, accessibility plan artifacts).state.noticeLog entry per sanitized artifact with noticeType: "sanitization", source: "<planner-handoff-instruction-path>", the artifact path, and the sanitization rules that fired.Debug-mode output retained under .copilot-tracking/<planner-domain>/{slug}/debug/ keeps full paths and never reaches external-facing work items.
Three tiers control how rendered work items reach the target backlog system. The canonical vocabulary is manual / supervised / autonomous.
manual — The planner emits a backlog handoff file under .copilot-tracking/. The user creates each work item in the target system independently. No MCP tool invocations.supervised — The planner drafts rendered work items in .copilot-tracking/, presents each batch of 5 to 10 items for user review, and only invokes MCP creation tools on user approval. This is the default tier.autonomous — The planner invokes MCP creation tools directly on the sanitized batch after the user pre-approves the run. All items are created in a single operation.Cross-reference mapping for planners that use divergent vocabularies. Each planner persists the selected value in its session state under userPreferences.autonomyTier using its own vocabulary; this table is the single source of truth for cross-planner equivalence.
| Canonical (this skill) | Accessibility (seed schema) | Security | RAI | SSSC |
|---|---|---|---|---|
| autonomous | autonomous | Full | Full | Full |
| supervised (default) | supervised | Partial | Partial | Partial (default) |
| manual | manual | Manual | Manual | Guided |
Notes:
autonomyTier field is the persisted form.Guided as the lowest-autonomy tier label. Treat Guided and Manual as equivalent across planners for cross-reference and reporting.Every backlog handoff artifact (handoff summary, ADO output file, GitHub output file) emits a disclaimer block verbatim at the end of the file. The block is the source of authority that the planner emission was AI-assisted and requires qualified human review before execution.
Source-of-truth split for the disclaimer text:
.github/instructions/shared/disclaimer-language.instructions.md under the corresponding planner section..github/instructions/accessibility/accessibility-backlog-handoff.instructions.md under the Planning Disclaimer heading. The L7 disclaimer lever pins the accessibility disclaimer to that file. Do not move it to shared/disclaimer-language.instructions.md.Placement rules:
state.disclaimerShownAt to the ISO 8601 timestamp at first emission within a session.state.noticeLog entry per emission with noticeType: "handoff-disclaimer", source: "<authoritative-instruction-path>", and the artifact path.This skill intentionally does not reproduce the disclaimer text. Read it from the authoritative source above at emission time so updates to the canonical text propagate without skill edits.
Work items use the format WI-{PREFIX}-{NNN} where the prefix identifies the originating planner and {NNN} is a zero-padded monotonic sequence scoped to the plan slug.
| Planner | ADO prefix | GitHub temp ID |
|---|---|---|
| RAI | WI-RAI- | {{RAI-TEMP-N}} |
| Security | WI-SEC- | {{SEC-TEMP-N}} |
| SSSC | WI-SSSC- | {{SSSC-TEMP-N}} |
| Accessibility | WI-A11Y- | {{A11Y-TEMP-N}} |
Rules:
state.noticeLog for traceability.Accessibility-Ref: WI-A11Y-{NNN}, Security-Ref: WI-SEC-{NNN}, RAI-Ref: WI-RAI-{NNN}, SSSC-Ref: WI-SSSC-{NNN}.Internal reference IDs (T-{BUCKET}-{NNN} for threats, EV-A11Y-{NNN} for evidence, SEED-A11Y-{NNN} for seeds, TO-A11Y-{NNN} for tradeoffs) remain scoped to their owning planner and are out of scope for this skill.
🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.