[docs] chore: add copilot-instructions.md for agent onboarding

[Copilot]

Adds repository onboarding documentation to reduce agent exploration time and CI failures.

Changes

Created .github/copilot-instructions.md (185 lines, ~2 pages):

• Repository context: Python monorepo structure (4 injectors + shared code), tech stack (Python 3.11-3.13, Docker, CircleCI, pyoaev)

• Build commands: Validated sequences for formatting (isort → black), linting (flake8 --ignore=E,W), testing (python -m unittest per injector), Docker builds (including required --build-context flag for nmap/nuclei)

• CI pipeline: CircleCI job breakdown (ensure_formatting, linter, test-{nuclei,nmap,http-query}) with pyoaev version override behavior

• Common failures: 5 documented issues with exact fixes (formatting failures, injector_common import errors, Docker build context missing, pyoaev version mismatches)

• Project layout: Injector structure (nuclei/, nmap/, http-query/, aws/), shared code dependencies (only nmap/nuclei use injector_common), configuration files (.flake8, .pre-commit-config.yaml)

• Code review guidelines: Security critical issues (secrets, SQL injection, XSS, input validation), performance red flags (N+1 queries, inefficient loops, memory leaks), code quality essentials (focused functions, clear naming, error handling), and review style best practices

• PR requirements: Title format validation pattern, pre-commit checklist

All commands tested and working. Instructions explicitly tell agents to trust documentation and only search if incomplete/incorrect. File optimized to ~2 pages (972 words).

Original prompt

Your task is to "onboard" this repository to Copilot coding agent by adding a .github/copilot-instructions.md file in the repository that contains information describing how a coding agent seeing it for the first time can work most efficiently.

You will do this task only one time per repository and doing a good job can SIGNIFICANTLY improve the quality of the agent's work, so take your time, think carefully, and search thoroughly before writing the instructions.

- Reduce the likelihood of a coding agent pull request getting rejected by the user due to generating code that fails the continuous integration build, fails a validation pipeline, or having misbehavior. - Minimize bash command and build failures. - Allow the agent to complete its task more quickly by minimizing the need for exploration using grep, find, str_replace_editor, and code search tools. - Instructions must be no longer than 2 pages. - Instructions must not be task specific.

Add the following high level details about the codebase to reduce the amount of searching the agent has to do to understand the codebase each time:

• A summary of what the repository does.
• High level repository information, such as the size of the repo, the type of the project, the languages, frameworks, or target runtimes in use.

Add information about how to build and validate changes so the agent does not need to search and find it each time.

• For each of bootstrap, build, test, run, lint, and any other scripted step, document the sequence of steps to take to run it successfully as well as the versions of any runtime or build tools used.
• Each command should be validated by running it to ensure that it works correctly as well as any preconditions and postconditions.
• Try cleaning the repo and environment and running commands in different orders and document errors and misbehavior observed as well as any steps used to mitigate the problem.
• Run the tests and document the order of steps required to run the tests.
• Make a change to the codebase. Document any unexpected build issues as well as the workarounds.
• Document environment setup steps that seem optional but that you have validated are actually required.
• Document the time required for commands that failed due to timing out.
• When you find a sequence of commands that work for a particular purpose, document them in detail.
• Use language to indicate when something should always be done. For example: "always run npm install before building".
• Record any validation steps from documentation.

List key facts about the layout and architecture of the codebase to help the agent find where to make changes with minimal searching.

• A description of the major architectural elements of the project, including the relative paths to the main project files, the location
  of configuration files for linting, compilation, testing, and preferences.
• A description of the checks run prior to check in, including any GitHub workflows, continuous integration builds, or other validation pipelines.
• Document the steps so that the agent can replicate these itself.
• Any explicit validation steps that the agent can consider to have further confidence in its changes.
• Dependencies that aren't obvious from the layout or file structure.
• Finally, fill in any remaining space with detailed lists of the following, in order of priority: the list of files in the repo root, the
  contents of the README, the contents of any key source files, the list of files in the next level down of directories, giving priority to the more structurally important and snippets of code from key source files, such as the one containing the main method.

- Perform a comprehensive inventory of the codebase. Search for and view: - README.md, CONTRIBUTING.md, and all other documentation files. - Search the codebase for build steps and indications of workarounds like 'HACK', 'TODO', etc. - All scripts, particularly those pertaining to build and repo or environment setup. - All build and actions pipelines. - All project files. - All configuration and linting files. - For each file: - think: are the contents or the existence of the file information that the coding agent will need to implement, build, test, validate, or demo a code change? - If yes: - Document the command or information in detail. - Explicitly indicate which commands work and which do not and the order in which commands should be run. - Document any errors encountered as well as the steps taken to workaround them. - Document any other steps or information that the agent can use to reduce time spent exploring or trying and failing to run bash commands. - Finally, explicitly instruct the agent to trust the instructions and only perform a search if the information in the instructions is...

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[SamuelHassine]

@copilot Can you add these instructions for code reviews:

I don't see them in your copilot-instructions.md...

============================
When reviewing code, focus on:

Security Critical Issues

• Check for hardcoded secrets, API keys, or credentials
• Look for SQL injection and XSS vulnerabilities
• Verify proper input validation and sanitization
• Review authentication and authorization logic

Performance Red Flags

• Identify N+1 database query problems
• Spot inefficient loops and algorithmic issues
• Check for memory leaks and resource cleanup
• Review caching opportunities for expensive operations

Code Quality Essentials

• Functions should be focused and appropriately sized
• Use clear, descriptive naming conventions
• Ensure proper error handling throughout

Review Style

• Be specific and actionable in feedback
• Explain the "why" behind recommendations
• Acknowledge good patterns when you see them
• Ask clarifying questions when code intent is unclear

Always prioritize security vulnerabilities and performance issues that could impact users.

Always suggest changes to improve readability. For example, this suggestion seeks to make the code more readable and also makes the validation logic reusable and testable.

// Instead of:
if (user.email && user.email.includes('@') && user.email.length > 5) {
submitButton.enabled = true;
} else {
submitButton.enabled = false;
}

// Consider:
function isValidEmail(email) {
return email && email.includes('@') && email.length > 5;
}

submitButton.enabled = isValidEmail(user.email);

And verify again file size and optimize if necessary.

[Copilot]

@copilot Can you add these instructions for code reviews:

I don't see them in your copilot-instructions.md......

Added code review guidelines section covering security, performance, code quality, and review style. Also optimized file size from 169 to 185 lines (972 words, ~1.9 pages). Commit: 7372da9