From e9dab72e62f7f22ad301ad8be0cb600521ff8485 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Mar 2026 18:34:24 +0000 Subject: [PATCH 01/10] Initial plan From c4e110a3ae20da49994bbc9f5e565538b8c4ab6e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Fri, 6 Mar 2026 18:35:11 +0000 Subject: [PATCH 02/10] chore: add symlink from .claude-plugin/marketplace.json to .github/plugin/marketplace.json Co-authored-by: JasonEtco <10660468+JasonEtco@users.noreply.github.com> --- .claude-plugin/marketplace.json | 1 + 1 file changed, 1 insertion(+) create mode 120000 .claude-plugin/marketplace.json diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json new file mode 120000 index 0000000..599da46 --- /dev/null +++ b/.claude-plugin/marketplace.json @@ -0,0 +1 @@ +../.github/plugin/marketplace.json \ No newline at end of file From 539526e1573537c0c6e9275dbbc7a2089fe55329 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien?= Date: Fri, 6 Mar 2026 18:46:22 +0000 Subject: [PATCH 03/10] Fix marketplace source paths to use relative ./ prefix --- .github/plugin/marketplace.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/plugin/marketplace.json b/.github/plugin/marketplace.json index a348df1..196c064 100644 --- a/.github/plugin/marketplace.json +++ b/.github/plugin/marketplace.json @@ -11,7 +11,7 @@ "plugins": [ { "name": "workiq", - "source": "plugins/workiq", + "source": "./plugins/workiq", "description": "WorkIQ plugin for GitHub Copilot.", "version": "1.0.0", "skills": [ @@ -20,7 +20,7 @@ }, { "name": "spark", - "source": "plugins/spark", + "source": "./plugins/spark", "description": "Spark plugin for GitHub Copilot.", "version": "1.0.0", "skills": [ From 9b7eea1c66b64d58f8104596018a44fc15ad128d Mon Sep 17 00:00:00 2001 
From: Jason Etcovitch Date: Mon, 16 Mar 2026 12:19:55 -0400 Subject: [PATCH 04/10] Add READMEs for spark and workiq plugins Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- plugins/spark/README.md | 33 +++++++++++++++++++++++++++++++++ plugins/workiq/README.md | 27 +++++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 plugins/spark/README.md create mode 100644 plugins/workiq/README.md diff --git a/plugins/spark/README.md b/plugins/spark/README.md new file mode 100644 index 0000000..ce9581d --- /dev/null +++ b/plugins/spark/README.md 
@@ -0,0 +1,33 @@ +# Spark + +Comprehensive guidance for building modern web applications with opinionated defaults for tech stack, design system, and code standards. + +## What it does + +Spark helps you quickly bootstrap high-quality web applications by providing: + +- Pre-vetted technology stack choices with multiple complexity-based variations +- An opinionated design philosophy and system +- Step-by-step setup workflows +- Design and performance optimization guidance + +## Skills + +### `spark-app-template` + +Activated when a user wants to create a new web application, dashboard, or interactive interface. Provides guidance on: + +- **Tech stack** — Vite, React 19+, TypeScript, Tailwind CSS v4+, shadcn/ui, TanStack Router & Query +- **Design system** — Typography pairings, OKLCH color palettes, spatial composition, micro-interactions +- **Stack variations** — Pre-configured stacks tailored to app complexity (default web app, content showcase, data dashboard, complex application) +- **Performance** — Core Web Vitals targets, React Compiler setup, optimization checklists +- **Component patterns** — Common shadcn compositions and usage patterns + +## Stack variations + +| Stack | Use case | +| --- | --- | +| **Default Web App** | General-purpose tools, utilities, simple CRUD, MVPs, prototypes | +| **Content Showcase** | Marketing sites, portfolios, blogs, documentation | +| **Data Dashboard** | Analytics dashboards, admin panels, BI tools, monitoring | +| **Complex Application** | SaaS platforms, enterprise tools, multi-view apps | diff --git a/plugins/workiq/README.md b/plugins/workiq/README.md new file mode 100644 index 0000000..d0d4438 --- /dev/null +++ b/plugins/workiq/README.md 
@@ -0,0 +1,27 @@ +# WorkIQ + +Workplace intelligence plugin that connects AI agents to Microsoft 365 Copilot, providing access to organizational data from Outlook, Teams, SharePoint, OneDrive, and Calendar. + +## What it does + +WorkIQ grounds AI assistance in real workplace context by querying Microsoft 365 data sources. It enables agents to answer questions about: + +- **Emails & messages** — Find and summarize email threads and Teams conversations +- **Meetings** — Retrieve decisions, action items, and context from calendar events +- **Documents** — Locate specs, design docs, and files across SharePoint and OneDrive +- **People** — Identify subject-matter experts, project owners, and organizational relationships +- **Priorities** — Surface what colleagues are focused on, team goals, and project status + +## Skills + +### `workiq` + +Activated when a user asks about workplace context — what someone said, meeting outcomes, document locations, team priorities, or organizational knowledge. Uses the `ask_work_iq` MCP tool to query Microsoft 365 Copilot with natural language questions. + +## MCP server + +WorkIQ includes an MCP server configuration (`.mcp.json`) that runs the `@microsoft/workiq` package. Authentication is automatic using the connected user's existing Microsoft 365 credentials. + +## Requirements + +- Microsoft 365 account with Copilot access From 70f391a20aa3a9819a87020cb28d53dab9791f8b Mon Sep 17 00:00:00 2001 From: Jason Etcovitch Date: Mon, 16 Mar 2026 12:23:52 -0400 Subject: [PATCH 05/10] Enrich WorkIQ README with upstream package context Add data type query examples, prerequisites, admin consent info, and link to the @microsoft/workiq MCP server package. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- plugins/workiq/README.md | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) diff --git a/plugins/workiq/README.md b/plugins/workiq/README.md index d0d4438..a2c9eab 100644 
--- a/plugins/workiq/README.md +++ b/plugins/workiq/README.md @@ -2,15 +2,21 @@ Workplace intelligence plugin that connects AI agents to Microsoft 365 Copilot, providing access to organizational data from Outlook, Teams, SharePoint, OneDrive, and Calendar. +Powered by the [`@microsoft/workiq`](https://github.com/microsoft/work-iq-mcp) MCP server. + +> ⚠️ **Public Preview:** Features and APIs may change. + ## What it does WorkIQ grounds AI assistance in real workplace context by querying Microsoft 365 data sources. It enables agents to answer questions about: -- **Emails & messages** — Find and summarize email threads and Teams conversations -- **Meetings** — Retrieve decisions, action items, and context from calendar events -- **Documents** — Locate specs, design docs, and files across SharePoint and OneDrive -- **People** — Identify subject-matter experts, project owners, and organizational relationships -- **Priorities** — Surface what colleagues are focused on, team goals, and project status +| Data type | Example questions | +| --- | --- | +| **Emails** | "What did John say about the proposal?" | +| **Meetings** | "What's on my calendar tomorrow?" | +| **Documents** | "Find my recent PowerPoint presentations" | +| **Teams** | "Summarize today's messages in the Engineering channel" | +| **People** | "Who is working on Project Alpha?" | ## Skills 
@@ -20,8 +26,15 @@ Activated when a user asks about workplace context — what someone said, meetin ## MCP server -WorkIQ includes an MCP server configuration (`.mcp.json`) that runs the `@microsoft/workiq` package. Authentication is automatic using the connected user's existing Microsoft 365 credentials. +WorkIQ includes an MCP server configuration (`.mcp.json`) that runs the [`@microsoft/workiq`](https://www.npmjs.com/package/@microsoft/workiq) package. Authentication is automatic using the connected user's existing Microsoft 365 credentials. + +## Prerequisites + +- **Node.js 18+** — [Download from nodejs.org](https://nodejs.org/) +- **Microsoft 365 account** with Copilot access + +## Admin consent -## Requirements +To access Microsoft 365 tenant data, the WorkIQ MCP server needs permissions that require administrative rights on the tenant. On first access, a consent dialog appears. If you are not an administrator, contact your tenant administrator to grant access. -- Microsoft 365 account with Copilot access +For more information, see Microsoft's [User and Admin Consent Overview](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview). From a71ffb64139dc3359a9b0b3b37929eb0635c047f Mon Sep 17 00:00:00 2001 From: Greg Beaty Date: Tue, 17 Mar 2026 09:12:09 -0400 Subject: [PATCH 06/10] Add GHAS plugin with secret scanning skill --- .github/plugin/marketplace.json | 9 + plugins/advanced-security/README.md | 17 ++ .../skills/secret-scanning/SKILL.md | 200 ++++++++++++++++++ 3 files changed, 226 insertions(+) create mode 100644 plugins/advanced-security/README.md create mode 100644 plugins/advanced-security/skills/secret-scanning/SKILL.md diff --git a/.github/plugin/marketplace.json b/.github/plugin/marketplace.json index 196c064..58367d5 100644 --- a/.github/plugin/marketplace.json +++ b/.github/plugin/marketplace.json 
@@ -26,6 +26,15 @@ "skills": [ "./skills/spark" ] + }, + { + "name": "advanced-security", + "source": "./plugins/advanced-security", + "description": "Advanced Security plugin for GitHub Copilot.", + "version": "1.0.0", + "skills": [ + "./skills/secret-scanning" + ] } ] } \ No newline at end of file diff --git a/plugins/advanced-security/README.md b/plugins/advanced-security/README.md new file mode 100644 index 0000000..46ef01b --- /dev/null +++ b/plugins/advanced-security/README.md @@ -0,0 +1,17 @@ +# Advanced Security + +Security-focused plugin that brings GitHub Advanced Security capabilities into AI coding workflows through skills and MCP integrations. + +## What it does + +Advanced Security helps agents identify and prevent credential exposure during development by: + +- Scanning code snippets, files, and git changes for potential secrets +- Using GitHub secret detection patterns through MCP tooling +- Supporting pre-commit checks to catch leaked credentials early + +## Skills + +### `secret-scanning` + +Activated when a user asks to check code, files, or git changes for exposed credentials. Uses the `run_secret_scanning` MCP tool to scan content for potential secrets before code is committed. diff --git a/plugins/advanced-security/skills/secret-scanning/SKILL.md b/plugins/advanced-security/skills/secret-scanning/SKILL.md new file mode 100644 index 0000000..a32d9ec --- /dev/null +++ b/plugins/advanced-security/skills/secret-scanning/SKILL.md 
@@ -0,0 +1,200 @@ +--- +name: secret-scanning +description: Scan files, content, or recent changes for secrets such as API keys, passwords, tokens, and credentials using the GitHub MCP Server's run_secret_scanning tool. +metadata: + agents: + supported: + - GitHub Copilot Coding Agent + - Cursor + - Codex + - Claude Code + requires: + mcp_server: github + mcp_tool: run_secret_scanning +allowed-tools: Bash(git:*) Glob Grep Read +--- + +# Secret Scanning Skill + +## Overview + +This skill uses the GitHub MCP Server's `run_secret_scanning` tool to detect secrets in content, files, or git changes. It helps identify sensitive material like API keys, passwords, and credentials that could pose a security risk if exposed. + +### What counts as a secret? + +In this context, values that grant access, impersonate a user or service, sign requests, or decrypt protected data are generally treated as secrets. + +Treat these as high-confidence secret material: + +- Access tokens, API keys, and bearer credentials +- Passwords, database DSNs with embedded credentials, and SMTP auth values +- Private keys, signing keys, certificates with private key blocks, and SSH keys +- OAuth client secrets, refresh tokens, and webhook secrets +- Cloud credentials (AWS/GCP/Azure) and CI/CD deployment credentials + +Prefer context, not just regex: + +- Values near names like `password`, `token`, `secret`, `client_secret`, `private_key`, or `authorization` are higher risk +- Long high-entropy strings in config files, scripts, and test fixtures deserve review even if unlabeled +- Treat uncertain findings as sensitive until verified + +Not everything that looks random is a secret. Example placeholders such as `YOUR_API_KEY_HERE`, obvious test stubs, and documented sample values can be false positives. + +### Why this is important + +This skill scans for secrets that could compromise security if leaked. 
A committed secret can persist in git history, trigger incident response, and block deployment at push protection checks. + +**Important**: Only use this skill when a user explicitly asks to scan content or check for secrets. Do not run secret scanning unprompted or as part of general workflows. + +## Common Scenarios + +| User goal | How to respond | Tools needed | +| -------------------------------------- | -------------------- | ------------------ | +| Check a config snippet or code paste | Scan as content | MCP | +| Check a specific file in the repo | Read file, then scan | Read + MCP | +| Check all staged changes before commit | Get diff, then scan | Bash(git:\*) + MCP | + +## Installation + +### Prerequisites & Inputs + +**GitHub MCP Server**: The skill requires the GitHub MCP Server with the `run_secret_scanning` tool enabled. + +Configure in your MCP settings: + +```json +{ + "mcpServers": { + "github": { + "type": "http", + "url": "https://api.githubcopilot.com/mcp/" + } + } +} +``` + +> **Note:** Cursor uses `servers` instead of `mcpServers` as the top-level key. + +**Required information for scanning**: + +- **Repository owner**: Usually available from `git remote get-url origin` or ask the user +- **Repository name**: Usually available from `git remote get-url origin` or ask the user +- **Content to scan**: Either a code snippet from the user, file content (read using the `Read` tool), or git diff output (from `git diff`) + +If the user doesn't provide repository owner and repository name, ask for them before running the scan. + +**What NOT to scan**: By default, avoid scanning large generated or vendor content (for example: `node_modules/`, build artifacts, compiled assets, or other machine-generated files) for performance and noise reduction. Files listed in `.gitignore` may still contain secrets (such as `.env` or local config), so only skip them if the user agrees; if the user explicitly asks to scan them, include them in the scan. 
+ +### Scan Content + +**When to use**: The user provides text or code snippets they want checked for secrets. + +**How**: Use the `run_secret_scanning` tool with the content as input (as a single-item array). + +**Example** + +``` +You: Check if this config snippet has secrets +User provides: +DB_PASSWORD=MyP@ssw0rd123 +API_KEY=abc123xyz + +Agent: I'll scan that for secrets. + + ⚠️ Found 2 potential secret(s): + 1. DB_PASSWORD value looks like a password + 2. API_KEY value looks like an API key + + Consider replacing hardcoded values with environment variables. +``` + +### Scan File(s) + +**When to use**: The user asks to check specific files in the repository for secrets. + +**How**: Use the `Read` tool to get file contents, then pass them to `run_secret_scanning`. + +**Example (secrets found)** + +``` +You: Check if config.py has secrets +Agent: I'll read and scan that file. + + ⚠️ Found 1 potential secret: + - Line 10: database_password value looks like a password + + Suggestion: Move to environment variable or .env file. +``` + +**Example (no secrets found)** + +``` +You: Check if utils.js has any secrets +Agent: I'll read and scan that file. + + ✅ No secrets detected in utils.js +``` + +### Scan Staged Changes + +**When to use**: The user wants to check git staged changes for secrets before committing. + +**How**: Use `git diff --cached` to get staged content, then pass it to `run_secret_scanning`. + +**Example (clean)** + +``` +You: Check my staged changes for secrets before I commit +Agent: I'll scan your staged changes. + + ✅ No secrets found in staged changes. Safe to commit. +``` + +**Example (secrets detected)** + +``` +You: Scan my staged changes +Agent: I'll check your staged changes. + + ⚠️ Found 1 potential secret in staged changes: + - database.js line 5: password value looks like a credential + + Suggestion: Unstage that change, move the credential to env vars, and restage. 
+``` + +## How the Scan Works + +When you call `run_secret_scanning`: + +- **Input**: File contents to scan (passed as an array of strings), plus repository owner and name +- **Process**: GitHub's secret detection scans for patterns and context that match known secret types +- **Output**: List of potential secrets found with locations and confidence indicators + +The tool works on content you provide. It doesn't need push access or special GitHub permissions. + +## Scanning Transparency + +### How Your Content Is Processed + +When you request a scan, file contents are sent to GitHub's secret detection infrastructure. The scanning happens server-side against GitHub's known secret patterns. Scan results are returned without retaining the content on GitHub servers beyond the scan request. + +### What to Do With Results + +If secrets are found: + +- **Obvious hardcoded values**: Move them to environment variables or `.env` files +- **Config files**: Check if `example.env` or documentation exists that shows the expected structure +- **Already committed**: If the secret was already pushed, credential rotation may be needed (outside this skill's scope) + +If no secrets are found: + +- The scan completed successfully +- Check the output format in the scan result to make sure coverage was complete + +## Learn More + +For more details on secret scanning, credential management, and GitHub security features: + +- [GitHub Secret Scanning Docs](https://docs.github.com/en/code-security/secret-scanning): How to enable and use secret scanning on repositories +- [Credential Management Best Practices](https://docs.github.com/en/code-security/secret-scanning/about-secret-scanning): Guidance on handling credentials safely +- [GitHub Push Protection](https://docs.github.com/en/code-security/secret-scanning/working-with-push-protection): Preventing secrets from reaching your repository From 55c99a58b8b339d8172634bd2e84ab9284ea63d3 Mon Sep 17 00:00:00 2001 
From: Igor Holt Date: Mon, 20 Apr 2026 01:03:53 -0400 Subject: [PATCH 07/10] feat(community): add ambient-submit skill Signed-off-by: Igor Holt --- plugins/ambient-submit/README.md | 20 ++ .../skills/ambient-submit/SKILL.md | 243 ++++++++++++++++++ 2 files changed, 263 insertions(+) create mode 100644 plugins/ambient-submit/README.md create mode 100644 plugins/ambient-submit/skills/ambient-submit/SKILL.md diff --git a/plugins/ambient-submit/README.md b/plugins/ambient-submit/README.md new file mode 100644 index 0000000..528a639 --- /dev/null +++ b/plugins/ambient-submit/README.md @@ -0,0 +1,20 @@ +# Ambient Submit + +Claude surface adapter for the Genesis Conductor Ambient Agent Access Layer. + +## What it does + +Natural language task submission to specialized agents (kiro, codex, claude, gemini, copilot). Routes requests based on intent, constructs TaskEnvelopes, and returns task_id + routing confirmation. + +## Skills + +### `ambient-submit` + +Activated when user says "run in background", "submit to GC", "let kiro handle", "queue this job", or describes async work for specialized agents. + +## Configuration + +| Variable | Default | Required | +|----------|---------|----------| +| `AMBIENT_API_KEY` | — | Yes | +| `AMBIENT_BASE_URL` | `https://gc-ambient-gateway.iholt.workers.dev` | No | diff --git a/plugins/ambient-submit/skills/ambient-submit/SKILL.md b/plugins/ambient-submit/skills/ambient-submit/SKILL.md new file mode 100644 index 0000000..ef71a01 --- /dev/null +++ b/plugins/ambient-submit/skills/ambient-submit/SKILL.md 
@@ -0,0 +1,243 @@ +--- +name: ambient-submit +description: >- + Submit tasks to the Genesis Conductor Ambient Agent Access Layer from natural + language, and check job status. Trigger this skill whenever the user says + "run this in the background", "submit to GC", "let kiro handle", "let codex + handle", "ambient execute", "queue this job", "submit this task", "route to + the agent", or describes any work that should execute asynchronously via a + specialized agent (kiro, codex, claude, gemini, copilot). Also trigger for + job status checks: "what's the status of", "check job", "poll progress", + "is it done yet". This skill IS the Claude surface adapter for the Ambient + Access Layer - it resolves request_type, constructs a valid TaskEnvelope, + POSTs to the Ambient API, and returns task_id + routing confirmation. No + setup required beyond AMBIENT_API_KEY. +--- + +# ambient-submit + +Claude surface adapter for the Genesis Conductor Ambient Agent Access Layer. + +Natural language in → TaskEnvelope constructed → job queued → task_id + routing confirmation out. + +--- + +## Config + +| Variable | Default | Required | +|----------|---------|----------| +| `AMBIENT_API_KEY` | — | Yes — ask user if not in context | +| `AMBIENT_BASE_URL` | `https://optimization-inversion.genesisconductor.io` | No | + +If `AMBIENT_API_KEY` is absent, tell the user: "Set `AMBIENT_API_KEY` in your environment or paste it here." Do not proceed without it. 
+ +--- + +## Step 1 — Parse Intent + +Extract from natural language: + +**request_type** — resolve via routing table: + +| NL signal | request_type | primaryAgent | requiresApproval | policyTier | +|-----------|-------------|--------------|-----------------|------------| +| "implement from spec", "spec-driven", "from the spec" | `implement_feature_from_spec` | kiro | false | standard | +| "implement", "build", "code", "develop" (no spec mention) | `implement_feature` | kiro | false | standard | +| "security fix", "vulnerability", "patch CVE", "remediate" | `security_fix` | codex | true | prod_sensitive | +| "architecture review", "design review", "review system" | `deep_architecture_review` | claude | false | standard | +| "GCP", "gcloud", "cloud ops", "provision infra", "firestore", "cloud run" | `gcp_ops` | gemini | true | prod_sensitive | +| "suggest inline", "editor suggestion", "quick autocomplete", "complete this code", "inline fix", "copilot this" | `inline_suggestion` | copilot | false | standard | +| "deploy", "release", "push to prod", "cut release" | `deploy` | kiro | true | prod_sensitive | +| anything else | `implement_feature` | kiro | true | standard | + +**priority** — infer from signal words: +- `critical` — "urgent", "ASAP", "blocking", "critical", "now" +- `high` — "high priority", "important", "soon", "today" +- `low` — "low priority", "whenever", "no rush", "background" +- `normal` — default (no signal) + +**candidate_agents** — explicit override if user names an agent: "let kiro handle", "use codex", "route to gemini" → set `candidate_agents: []` + +**context_refs** — extract repo/spec references: "the nexus-membrane spec", "repo: ambient-access-layer", "spec: membrane-v1" → format as `["repo:", "spec:"]` + +**title** — synthesize a concise imperative title from the request (max 80 chars). 
Example: "Implement Nexus Membrane dependency provisioning" + +--- + +## Step 2 — Construct TaskEnvelope + +```json +{ + "task_id": "", + "workspace_id": "", + "source_surface": "claude", + "request_type": "", + "title": "", + "description": "", + "requested_by": "claude-surface", + "context_refs": [""], + "priority": "", + "requires_approval": , + "candidate_agents": [""], + "policy_tier": "" +} +``` + +Omit `context_refs` and `candidate_agents` if empty rather than sending `[]`. + +--- + +## Step 3 — POST to API + +``` +POST {AMBIENT_BASE_URL}/v1/tasks +Authorization: Bearer {AMBIENT_API_KEY} +Content-Type: application/json + + +``` + +**Expected 201 response:** +```json +{ + "task_id": "tsk_xxxxxxxx", + "job_id": "job_xxxxxxxx", + "workspace_id": "ws_genesis", + "status": "pending" +} +``` + +Cache `task_id → workspace_id` in-session on every successful submission. Used by the approval shortcut — no secondary fetch needed. + +**Error handling:** + +| HTTP | Action | +|------|--------| +| 401 | Tell user: "API key rejected. Verify AMBIENT_API_KEY." | +| 400 | Show validation error from response body. Ask user to clarify input. | +| 404 | Tell user: "Endpoint not found. Verify AMBIENT_BASE_URL." | +| 5xx | Tell user: "Server error. Retry or check Worker logs." | +| Network failure | Tell user: "Could not reach {AMBIENT_BASE_URL}. Verify the Worker is deployed." | + +--- + +## Step 4 — Present Confirmation + +Output this block on successful submission: + +``` +✅ Task queued + +task_id: tsk_xxxxxxxx +job_id: job_xxxxxxxx +workspace_id: ws_genesis +agent: kiro +request_type: implement_feature_from_spec +policy_tier: standard +requires_approval: false +priority: high +status: pending +``` + +If `requires_approval: true`, append: +``` +⚠️ This task requires approval before execution. 
+ Run: ambient approve + Or say: "approve the pending task" +``` + +--- + +## Step 5 — Job Status (on demand) + +Trigger when user asks: "check status", "what's happening with", "poll job", "is it done", "show progress". + +``` +GET {AMBIENT_BASE_URL}/v1/jobs?task_id={task_id} +Authorization: Bearer {AMBIENT_API_KEY} +``` + +Or by explicit job_id: +``` +GET {AMBIENT_BASE_URL}/v1/jobs/{job_id} +Authorization: Bearer {AMBIENT_API_KEY} +``` + +Present: +``` +📊 Job status + +job_id: job_xxxxxxxx +agent: kiro +status: running +stage: provisioning +progress: 42% +updated: 2026-04-09T00:15:00Z +``` + +If `status: blocked`, always prompt: "This job is blocked. Say 'approve the pending task' or check approvals." + +--- + +## Approval shortcut (optional, in-skill) + +If `requires_approval: true` and user says "approve it" / "go ahead" / "approve the pending task": + +Fetch the `approval_id` from the job record: +``` +GET {AMBIENT_BASE_URL}/v1/jobs/{job_id} +Authorization: Bearer {AMBIENT_API_KEY} +``` +Extract `approval_id` from the response, then: + +``` +POST {AMBIENT_BASE_URL}/v1/approvals/{approval_id}/approve +Authorization: Bearer {AMBIENT_API_KEY} +Content-Type: application/json +{} +``` + +Confirm: `✅ Approved. Job will resume.` + +For state projection checks, use the cached `workspace_id` from the 201 response — no secondary fetch needed: +``` +GET {AMBIENT_BASE_URL}/v1/state/{workspace_id} ← workspace_id from in-session cache +``` +If cache miss (fresh session), extract `workspace_id` from `GET /v1/tasks/{task_id}`. + +--- + +## What this skill does NOT do (v1 scope) + +- No artifact retrieval (v1.5 — `GET /v1/tasks/:id/artifacts`) +- No state projection display beyond job status +- No webhook registration +- No workspace management + +If user asks for these, respond: "That's in the v1.5 adapter scope. For now: task_id `{id}` is queued and I can poll job status on request." 
+ +--- + +## Example interactions + +**Submit:** +> "Let kiro implement the Nexus Membrane dependency spec — this is blocking deploy, treat it urgent" + +→ request_type: `implement_feature_from_spec`, agent: `kiro` (explicit), priority: `critical`, policy_tier: `standard`, requires_approval: `false` + +--- + +**Submit with prod risk:** +> "Deploy ambient-access-layer to production" + +→ request_type: `deploy`, agent: `kiro`, priority: `normal`, policy_tier: `prod_sensitive`, requires_approval: `true` + +→ Output includes approval warning. + +--- + +**Status check:** +> "What's the status of tsk_a3f9c21b?" + +→ GET /v1/jobs?task_id=tsk_a3f9c21b → present job status block. + From 3aa24105751dbceee42ee62321a3abea81bb98a1 Mon Sep 17 00:00:00 2001 From: Igor Holt Date: Sun, 17 May 2026 22:08:00 -0400 Subject: [PATCH 08/10] Update README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- plugins/ambient-submit/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/plugins/ambient-submit/README.md b/plugins/ambient-submit/README.md index 528a639..86a2f5b 100644 --- a/plugins/ambient-submit/README.md +++ b/plugins/ambient-submit/README.md @@ -17,4 +17,4 @@ Activated when user says "run in background", "submit to GC", "let kiro handle", | Variable | Default | Required | |----------|---------|----------| | `AMBIENT_API_KEY` | — | Yes | -| `AMBIENT_BASE_URL` | `https://gc-ambient-gateway.iholt.workers.dev` | No | +| `AMBIENT_BASE_URL` | `https://optimization-inversion.genesisconductor.io` | No | From 504ddf7f7d8d690bf8ee8f4fea1cc22b19f92cb6 Mon Sep 17 00:00:00 2001 From: Igor Holt Date: Sun, 17 May 2026 22:08:07 -0400 Subject: [PATCH 09/10] Update SKILL.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- plugins/ambient-submit/skills/ambient-submit/SKILL.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/plugins/ambient-submit/skills/ambient-submit/SKILL.md b/plugins/ambient-submit/skills/ambient-submit/SKILL.md index ef71a01..5605e9f 100644 --- a/plugins/ambient-submit/skills/ambient-submit/SKILL.md +++ b/plugins/ambient-submit/skills/ambient-submit/SKILL.md @@ -27,7 +27,7 @@ Natural language in → TaskEnvelope constructed → job queued → task_id + ro | Variable | Default | Required | |----------|---------|----------| | `AMBIENT_API_KEY` | — | Yes — ask user if not in context | -| `AMBIENT_BASE_URL` | `https://optimization-inversion.genesisconductor.io` | No | +| `AMBIENT_BASE_URL` | `https://gc-ambient-gateway.iholt.workers.dev` | No | If `AMBIENT_API_KEY` is absent, tell the user: "Set `AMBIENT_API_KEY` in your environment or paste it here." Do not proceed without it. From 7a92d89fb874e29cd730d78fb27242e285d2d008 Mon Sep 17 00:00:00 2001 From: Igor Holt Date: Sun, 17 May 2026 22:08:23 -0400 Subject: [PATCH 10/10] Update SKILL.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- plugins/ambient-submit/skills/ambient-submit/SKILL.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/plugins/ambient-submit/skills/ambient-submit/SKILL.md b/plugins/ambient-submit/skills/ambient-submit/SKILL.md index 5605e9f..96425c6 100644 --- a/plugins/ambient-submit/skills/ambient-submit/SKILL.md +++ b/plugins/ambient-submit/skills/ambient-submit/SKILL.md @@ -142,8 +142,7 @@ status: pending If `requires_approval: true`, append: ``` ⚠️ This task requires approval before execution. - Run: ambient approve - Or say: "approve the pending task" + Say: "approve the pending task" ``` ---
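Review bot: in PATCH 02, `.claude-plugin/marketplace.json` is added as a mode 120000 symlink, and Git checks such an entry out as a plain text file containing the target path wherever symlinks are disabled (commonly Windows with `core.symlinks=false`). A consumer reading that path there would get the string `../.github/plugin/marketplace.json` instead of JSON. Note the limitation in the commit message or README, or add a CI check that the link resolves to a parseable manifest.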
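Review bot: in PATCH 03, the new `"source": "./plugins/workiq"` and `"source": "./plugins/spark"` values do not say what `./` is relative to. The manifest lives in `.github/plugin/` and is also reachable through the `.claude-plugin/` symlink from PATCH 02, while the plugin directories created later in the series sit under `plugins/` at the repository root. If a consumer resolves these paths against the manifest's own directory, they point at directories this series never creates, so please state the base directory in the commit message or next to the manifest.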
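Review bot: in PATCH 05, the new "Admin consent" section of `plugins/workiq/README.md` tells users to ask a tenant administrator to grant access but never lists which permissions the WorkIQ MCP server requests, so an administrator cannot evaluate the grant from this text. Add the permission list, or link to the exact place where the upstream package documents it. The "MCP server" paragraph in the same hunk describes authentication only as "automatic"; naming where the token comes from and where it is cached would help reviewers of the deployment.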
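Review bot: in PATCH 06, `skills/secret-scanning/SKILL.md` says under "What to Do With Results" that for an already pushed secret "credential rotation may be needed", which understates the case given that the same file's "Why this is important" section notes a committed secret persists in git history. Suggest wording it as: treat a pushed credential as exposed, revoke and rotate it, then clean up. Two smaller points in the same hunk: the "No secrets found in staged changes. Safe to commit." example reads as a guarantee that a pattern-based scan cannot give, and `allowed-tools: Bash(git:*)` grants every git subcommand where the skill text only uses `git diff --cached` and `git remote get-url origin`.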
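Review bot: PATCH 07 adds `plugins/ambient-submit/README.md` and the skill file, but its diffstat does not touch `.github/plugin/marketplace.json`, whereas PATCH 06 registered `advanced-security` there in the same commit that added it. If the plugin is meant to be installable from the marketplace, add the entry; if not, say so in the README. The "Configuration" table also defaults `AMBIENT_BASE_URL` to an external host, and the skill sends `Authorization: Bearer {AMBIENT_API_KEY}` plus the task title and description there, so the README should state that explicitly.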
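Review bot: in PATCH 07, the "Approval shortcut" section of `skills/ambient-submit/SKILL.md` lets the session that submitted a task approve it with the same `AMBIENT_API_KEY` on phrases as loose as "go ahead", which turns `requires_approval: true` for `deploy`, `security_fix` and `gcp_ops` into a same-actor confirmation rather than an independent gate. Suggest requiring the user to name the `task_id` or restate the action before the `POST .../approve` call, and documenting whether the API enforces a separate approver. In the "Config" section of the same hunk, "or paste it here" puts a bearer credential into the conversation transcript; prefer the environment variable only.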
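Review bot: PATCH 08 and PATCH 09 change the `AMBIENT_BASE_URL` default in opposite directions, so after both apply the README documents `https://optimization-inversion.genesisconductor.io` while SKILL.md uses `https://gc-ambient-gateway.iholt.workers.dev`; the two files disagreed after PATCH 07 and still disagree, just swapped. Pick one default and apply it to both files, ideally in a single commit whose message says which host is authoritative, since this is the endpoint the bearer key is sent to.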
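Review bot: PATCH 10 removes the `Run: ambient approve` line from the approval warning, leaving the chat phrase as the only documented way to approve a `requires_approval: true` task, and the subject "Update SKILL.md" gives no reason for the change. Please say in the commit message whether the CLI command does not exist or was dropped on purpose, and check that Step 5's "or check approvals" prompt still points at something a user can actually do.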