πŸ€– Custom Agent Profiles

April 17, 2026 Β· View on GitHub

This directory contains repository-level GitHub Copilot custom agents for the Citizen Intelligence Agency platform. Each agent provides domain-specific expertise and enforces the Hack23 Information Security Policy (ISP) and its supporting ISMS policies.

Scope: These are repository-level agents (.github/agents/*.md). Per Hack23 policy, repo-level agents do not declare mcp-servers: blocks β€” MCP configuration is handled by the environment via .github/copilot-mcp-config.json. All agents declare tools: ["*"] so the Copilot runtime can grant full tool access.

πŸ“‹ Agent Overview

AgentExpertisePrimary Use
task-agentProduct quality, GitHub issues, Copilot orchestration, ISMSIssue engineering, quality analysis, Copilot task delegation (base_ref, stacked PRs)
stack-specialistJava 21/26, Spring, Vaadin, Hibernate/JPA, PostgreSQL 18, Maven 3.9.15Implementation, refactoring, debugging, SDLC security gates
ui-enhancement-specialistVaadin, data visualization, WCAG 2.1 AA, secure rendering, privacy-by-designUI/UX improvements, charts, accessibility, XSS-safe components
intelligence-operativePolitical science, OSINT, intelligence analysis, risk frameworks, Swedish politicsAnalytical frameworks, data source integration, classified intelligence products
business-development-specialistStrategic planning, partnerships, revenue models, market expansionBusiness strategy, licensing, partner due-diligence
marketing-specialistDigital marketing, content strategy, community building, brand positioningNeutral, privacy-respecting storytelling; OSS posture marketing

πŸš€ Usage

Agents are automatically available in GitHub Copilot conversations. Reference them by name:

@task-agent Analyze SonarCloud results and create prioritized improvement issues
@task-agent Assign issue #8033 to Copilot on branch feature/isp-integration with custom instructions
@stack-specialist How should I implement a new JPA entity for committee membership?
@ui-enhancement-specialist Review this Vaadin view for WCAG 2.1 AA compliance
@intelligence-operative Design a risk scoring framework for politician financial disclosures
@business-development-specialist Evaluate a partnership request from an academic institution
@marketing-specialist Draft a release announcement for the new risk dashboard

πŸ—οΈ Agent Architecture β€” Shared Principles

All agents follow these common principles:

  1. Context-aware β€” read README.md, copilot-instructions.md, copilot-setup-steps.yml, and copilot-mcp-config.json before work
  2. ISP-first β€” the Hack23 Information Security Policy is the apex β€” every change defers to it
  3. Skills-integrated β€” reference the .github/skills/ library (80 skills, see skills README)
  4. Evidence-based β€” recommendations grounded in data, metrics, scanner output, ISMS controls
  5. Security-first β€” align with Secure Development Policy, Open Source Policy, Secrets Management, Cryptography Policy, Access Control
  6. Classification-aware β€” every artefact is labelled per CLASSIFICATION
  7. Non-partisan β€” outputs analyse all parties / politicians with equal rigor
  8. Human-in-the-loop β€” Critical / High security changes require human approval

πŸ—ΊοΈ ISMS Policy Γ— Agent Matrix

Every agent has explicit responsibility for specific ISMS policies. The Information Security Policy (ISP) is the apex for all.

Policytask-agentstack-specialistui-enhancementintelligence-operativebusiness-devmarketing
Information Security Policy (Apex)βœ…βœ…βœ…βœ…βœ…βœ…
Secure Development Policyβœ…βœ…βœ…β—‹β—‹β—‹
Open Source Policyβœ…βœ…β—‹β—‹βœ…βœ…
Secrets Management Policyβœ…βœ…β—‹β—‹β—‹β—‹
Cryptography Policyβ—‹βœ…β—‹β—‹β—‹β—‹
Access Control Policyβœ…βœ…βœ…β—‹β—‹β—‹
CLASSIFICATIONβœ…βœ…βœ…βœ…βœ…βœ…
Data Protection Policyβœ…βœ…βœ…βœ…βœ…βœ…
Privacy Policyβ—‹β—‹βœ…βœ…β—‹βœ…
Vulnerability Managementβœ…βœ…β—‹β—‹β—‹βœ…
Change Managementβœ…βœ…β—‹β—‹βœ…β—‹
Third Party Managementβ—‹βœ…β—‹β—‹βœ…β—‹
Incident Response Planβœ…βœ…β—‹βœ…β—‹βœ…
Threat Modelingβœ…βœ…βœ…β—‹β—‹β—‹
AI Policyβœ…βœ…βœ…βœ…βœ…βœ…
Information Security Strategyβ—‹β—‹β—‹βœ…βœ…βœ…

Legend: βœ… primary owner / must comply Β· β—‹ secondary / consult as needed

πŸ”— Top Skills per Agent

For the full 80-skill library, see .github/skills/README.md.

task-agent

  • hack23-information-security-policy, hack23-isms-compliance, secure-development-policy, open-source-policy
  • vulnerability-management, code-quality-checks, testing-strategy-enforcement, product-quality-analysis
  • issue-triage-workflow, product-management-patterns
  • playwright-ui-testing, accessibility-wcag-patterns
  • github-actions-workflows, github-agentic-workflows, ai-governance

stack-specialist

  • hack23-information-security-policy, secure-development-policy, secrets-management, cryptography-policy
  • spring-framework-patterns, jpa-hibernate-optimization, postgresql-operations
  • maven-build-management, github-actions-workflows, ci-cd-security
  • unit-testing-patterns, integration-testing, performance-optimization, api-integration
  • secure-code-review, input-validation, threat-modeling, vulnerability-management

ui-enhancement-specialist

  • hack23-information-security-policy, secure-development-policy
  • vaadin-component-design, ui-ux-design-system
  • accessibility-wcag-patterns, data-visualization-principles, advanced-data-visualization
  • playwright-ui-testing, e2e-testing, input-validation
  • data-protection, gdpr-compliance, classification-framework-enforcement, performance-optimization

intelligence-operative

  • hack23-information-security-policy
  • swedish-political-system, political-science-analysis, electoral-analysis, legislative-monitoring
  • osint-methodologies, intelligence-analysis-techniques, behavioral-analysis
  • risk-assessment-frameworks, risk-assessment-methodology, strategic-communication-analysis, data-science-for-intelligence
  • data-protection, gdpr-compliance, classification-framework-enforcement, ai-governance
  • european-parliament-api, cia-data-integration

business-development-specialist

  • hack23-information-security-policy, information-security-strategy
  • business-model-canvas, product-management-patterns
  • open-source-policy, compliance-frameworks, hack23-isms-compliance
  • gdpr-compliance, data-protection, cia-data-integration, european-parliament-api

marketing-specialist

  • hack23-information-security-policy
  • seo-best-practices, documentation-standards, contribution-guidelines
  • open-source-policy, data-visualization-principles, accessibility-wcag-patterns
  • gdpr-compliance, data-protection, ai-governance

πŸ“ Agent File Format

Each repository-level agent file uses this structure:

---
name: agent-name                                    # kebab-case, unique
description: One-sentence role summary (≀200 chars)
tools: ["*"]                                        # always allow all tools
---
# Role header + mission
**Always read first:** …context files…
## Core Expertise
## ISMS Policy Integration        ← explicit mapping table
## (Domain-specific sections)
## Agent Handoff Matrix           ← who to delegate to
## Boundaries β€” Must NOT Do       ← red-lines
## Skills I Primarily Use
## Remember                       ← bullet key reminders

Repository agents do not include mcp-servers:. MCP configuration lives in .github/copilot-mcp-config.json and is applied by the Copilot runtime.