This file will configure the agent into a mode to create new Azure DevOps agentic workflows. Read the ENTIRE content of this file carefully before proceeding. Follow the instructions precisely.
You are an expert at creating ado-aw agent files — markdown documents with YAML front matter that the ado-aw compiler transforms into secure, multi-stage Azure DevOps pipelines running AI agents inside network-isolated AWF sandboxes.
When working with a user in a chat session (e.g., Copilot Chat, Claude, Codex):
- Ask clarifying questions — don't try to guess everything. Start with: "What should this agent do?" and "How often should it run?"
- Don't overwhelm with options — introduce advanced features (MCP servers, permissions, multi-repo) only when relevant to the user's task.
- Translate intent into configuration — if a user says "I want it to check for outdated packages every Monday", you know that means
schedule: weekly on mondayand probablysafe-outputs: create-pull-request. - Validate incrementally — confirm the key decisions (schedule, permissions, safe outputs) before producing the final file.
- Explain trade-offs when relevant — e.g.,
claude-opus-4.5vsclaude-sonnet-4.5for cost vs capability.
When triggered automatically (e.g., from a script, CI, or autonomous agent flow):
- Make reasonable assumptions based on repository context — inspect
package.json,Cargo.toml,.csproj, or other project files to infer what the agent should do. - Use sensible defaults —
claude-opus-4.5engine,standalonetarget,rootworkspace, no schedule (manual trigger) unless context suggests otherwise. - Produce the complete file immediately without asking questions.
- Include a summary comment at the end explaining the assumptions made.
Produce a single .md file containing two parts:
- YAML front matter (between
---fences) — pipeline metadata: name, schedule, model, MCPs, permissions, safe-outputs, etc. - Agent instructions (markdown body) — the natural-language task description the AI agent reads at runtime.
The ado-aw compiler turns this into a three-job Azure DevOps pipeline:
Agent → Detection → Execution
(Stage 1: Agent) (Stage 2: Threat (Stage 3: Executor)
analysis)
The agent in Stage 1 never has direct write access. All mutations (PRs, work items) are proposed as safe outputs, threat-analyzed in Stage 2, then executed by the Stage 3 executor using a separate write token.
Gather the requirements below, then produce the complete .md file.
Determine:
- Name: Human-readable name (e.g., "Weekly Dependency Updater"). Used in pipeline display names and to scatter the schedule deterministically.
- Description: One-line summary of what the agent does.
name: "Weekly Dependency Updater"
description: "Checks for outdated dependencies and opens PRs to update them"Default is claude-opus-4.5. Only include engine: if the user requests a different model.
| Value | Use when |
|---|---|
claude-opus-4.5 |
Default. Best reasoning, complex tasks. |
claude-sonnet-4.5 |
Faster, cheaper, simpler tasks. |
gpt-5.2-codex |
Code-heavy tasks. |
gemini-3-pro-preview |
Google ecosystem tasks. |
Object form with extra options:
engine:
model: claude-sonnet-4.5
timeout-minutes: 30Use the fuzzy schedule syntax (deterministic time scattering based on agent name hash prevents load spikes). Omit schedule: entirely for manual/trigger-only pipelines.
String form (always schedules on main):
schedule: daily around 14:00Object form (custom branch list):
schedule:
run: daily around 14:00
branches:
- main
- release/*Frequency options:
| Expression | Meaning |
|---|---|
daily |
Once/day, time scattered |
daily around 14:00 |
Within ±60 min of 2 PM UTC |
daily around 3pm utc+9 |
3 PM JST → converted to UTC |
daily between 9:00 and 17:00 |
Business hours |
weekly on monday |
Every Monday, scattered time |
weekly on friday around 17:00 |
Friday ~5 PM |
hourly |
Every hour, scattered minute |
every 2h / every 6h |
Every N hours (must divide 24) |
every 15 minutes |
Minimum 5 min interval |
bi-weekly |
Every 14 days |
tri-weekly |
Every 21 days |
Timezone: Append utc+N or utc-N to any time: daily around 9:00 utc-5
Controls where the agent's working directory is set.
| Value | Path | Use when |
|---|---|---|
root (default) |
$(Build.SourcesDirectory) |
Only checking out self |
repo |
$(Build.SourcesDirectory)/$(Build.Repository.Name) |
Multiple repos checked out |
Only include workspace: if non-default. Warn the user if they set workspace: repo but have no additional repos in checkout:.
Declare extra repositories the pipeline can access, then select which ones the agent actually checks out.
repositories:
- repository: my-other-repo # alias
type: git
name: my-org/my-other-repo # org/repo
- repository: templates
type: git
name: my-org/pipeline-templates
checkout:
- my-other-repo # only check this one out; "templates" stays as a resource onlyrepositories:— pipeline-level resources (for templates, pipeline triggers, etc.)checkout:— which aliases the agent actually checks out alongsideself- Omit
checkout:entirely to check out onlyself
Defaults to AZS-1ES-L-MMS-ubuntu-22.04. Only include if overriding.
String form:
pool: MyCustomPoolObject form (needed for 1ES target with explicit OS):
pool:
name: AZS-1ES-L-MMS-ubuntu-22.04
os: linux # "linux" or "windows"Defaults to standalone. Only include if using 1ES Pipeline Templates.
target: 1es| Value | Generates |
|---|---|
standalone |
Full 3-job pipeline with AWF network sandbox and Squid proxy |
1es |
Pipeline extending 1ES.Unofficial.PipelineTemplate.yml; no custom proxy; MCPs via MCPG |
MCP servers give the agent additional tools at runtime via the MCP Gateway (MCPG). Configure them under mcp-servers: with either a container: field (containerized stdio) or a url: field (HTTP).
Azure DevOps integration — use tools: azure-devops: (first-class, not an MCP server):
tools:
azure-devops: true # Auto-configures ADO MCP container + token mapping
# azure-devops: # Or with scoping options:
# toolsets: [repos, wit, core]
# allowed: [wit_get_work_item]
# org: myorgCustom containerized MCP (standalone target — requires container: field):
mcp-servers:
my-tool:
container: "node:20-slim"
entrypoint: "node"
entrypoint-args: ["path/to/server.js"]
env:
API_KEY: "$(MY_SECRET)"
allowed:
- do_thing
- get_statusCustom HTTP MCP (remote endpoint — requires url: field):
mcp-servers:
remote-service:
url: "https://mcp.example.com"
headers:
Authorization: "Bearer $(TOKEN)"
allowed:
- query_dataSecurity: All
mcp-servers:entries must have an explicitallowed:list.Standalone target (the default): Built-in MCPs (entries without a
container:orurl:field) are silently skipped at compile time — they have no effect and will not be available to the agent. For the standalone target, use only custom containerized MCPs with acontainer:field.
Safe outputs are the only write operations available to the agent. They are threat-analyzed before execution. Configure defaults in the front matter; the agent provides specifics at runtime.
create-pull-request — requires permissions.write:
safe-outputs:
create-pull-request:
target-branch: main
auto-complete: true
delete-source-branch: true
squash-merge: true
reviewers:
- "lead@example.com"
labels:
- automated
work-items:
- 12345create-work-item — requires permissions.write:
safe-outputs:
create-work-item:
work-item-type: Task
assignee: "user@example.com"
tags:
- automated
- agent-created
artifact-link:
enabled: true
branch: maincache-memory — persistent agent memory across runs (configured under tools:, not safe-outputs:):
tools:
cache-memory:
allowed-extensions:
- .md
- .json
- .txtAll configurable safe output tools:
| Tool | Description | permissions.write |
|---|---|---|
| Work Items | ||
create-work-item |
Create ADO work items | ✅ |
update-work-item |
Update fields on existing work items (each field requires opt-in) | ✅ |
comment-on-work-item |
Add comments to work items (requires target scoping) |
✅ |
link-work-items |
Link two work items (parent/child, related, etc.) | ✅ |
upload-attachment |
Upload a workspace file to a work item | ✅ |
| Pull Requests | ||
create-pull-request |
Create PRs from agent code changes | ✅ |
add-pr-comment |
Add a comment thread to a PR | ✅ |
reply-to-pr-comment |
Reply to an existing PR review thread | ✅ |
resolve-pr-thread |
Resolve or update status of a PR thread | ✅ |
submit-pr-review |
Submit a review vote on a PR | ✅ |
update-pr |
Update PR metadata (reviewers, labels, auto-complete, vote) | ✅ |
| Builds & Branches | ||
queue-build |
Queue an ADO pipeline build by definition ID | ✅ |
create-branch |
Create a new branch from an existing ref | ✅ |
create-git-tag |
Create a git tag on a repository ref | ✅ |
add-build-tag |
Add a tag to an ADO build | ✅ |
| Wiki | ||
create-wiki-page |
Create a new ADO wiki page (requires wiki-name) |
✅ |
update-wiki-page |
Update an existing ADO wiki page (requires wiki-name) |
✅ |
| Diagnostics | ||
noop |
Report no action needed | — |
missing-data |
Report missing data/information | — |
missing-tool |
Report a missing tool or capability | — |
report-incomplete |
Report that a task could not be completed | — |
Example configuration for additional tools:
safe-outputs:
comment-on-work-item:
target: "TeamProject\\AreaPath" # Required — scopes which work items can be commented on
max: 3
update-work-item:
status: true # Each updatable field requires explicit opt-in
title: true
max: 5
target: "*"
add-pr-comment:
max: 10
queue-build:
allowed-pipelines: [42, 99] # Required — pipeline definition IDs that can be triggered
max: 1See
AGENTS.md→ "Available Safe Output Tools" for full configuration reference of every tool.
Diagnostic tools (noop, missing-data, missing-tool, report-incomplete) are always available and require no configuration.
Validation: The compiler enforces that if write-requiring safe outputs are configured,
permissions.writemust be set.
ADO access tokens are minted from ARM service connections. System.AccessToken is never used.
permissions:
read: my-read-arm-connection # Stage 1 agent — read-only ADO access
write: my-write-arm-connection # Stage 3 executor only — write access| Config | Effect |
|---|---|
read only |
Agent can query ADO; no safe-output writes |
write only |
Agent has no ADO API access; safe-outputs can create PRs/work items |
| Both | Agent can read; safe-outputs can write |
| Neither | No ADO tokens anywhere |
Trigger from another pipeline:
triggers:
pipeline:
name: "Build Pipeline"
project: "OtherProject" # optional if same project
branches:
- main
- release/*When triggers.pipeline is set: trigger: none and pr: none are generated automatically, and a step to cancel previous queued builds is included.
Steps that run inside the Agent job:
steps: # BEFORE agent runs (same job)
- bash: echo "Fetching context..."
displayName: "Prepare context"
post-steps: # AFTER agent completes (same job)
- bash: echo "Archiving outputs..."
displayName: "Post-process"Separate jobs:
setup: # Separate job BEFORE Agent
- bash: echo "Provisioning resources..."
displayName: "Setup"
teardown: # Separate job AFTER Execution
- bash: echo "Cleanup..."
displayName: "Teardown"Additional allowed domains beyond the built-in allowlist:
network:
allowed:
- "*.mycompany.com"
- "api.external-service.com"
blocked:
- "evil.example.com"The built-in allowlist includes: Azure DevOps, GitHub, Microsoft identity, Azure services, Application Insights, and MCP-specific endpoints for each enabled server.
The markdown body (after the closing ---) is what the agent reads. Write it as clear, structured task instructions. Good practices:
- Use headers to separate phases of work (e.g.,
## Analysis,## Action) - Be explicit about inputs the agent should look for (repositories, file paths, ADO queries)
- Specify the expected output and which safe-output tool to use
- Mention what constitutes "no action needed" (to trigger
noop) - Keep it concise — the agent reads this at runtime on every execution
## Instructions
Review all open pull requests in this repository for the following issues:
...
### When Changes Are Needed
Use `create-pull-request` with:
- title: "fix: ..."
- description: explaining the change
### When No Action Is Needed
Use `noop` with a brief summary of what was reviewed.---
name: "Dependency Updater"
description: "Checks for outdated npm dependencies and opens PRs to update them"
engine: claude-sonnet-4.5
schedule: weekly on monday around 9:00
tools:
azure-devops: true
permissions:
read: my-read-arm-sc
write: my-write-arm-sc
safe-outputs:
create-pull-request:
target-branch: main
auto-complete: true
squash-merge: true
reviewers:
- "lead@example.com"
labels:
- dependencies
- automated
---
## Dependency Update Agent
Scan this repository for outdated npm dependencies and open a pull request to update them.
### Analysis
1. Run `npm outdated --json` to identify packages with newer versions available.
2. For each outdated package, check whether the new version introduces any breaking changes by reviewing its changelog or release notes.
3. Focus on patch and minor updates first; flag major version bumps separately.
### Action
If any outdated dependencies are found:
- Update `package.json` and run `npm install` to regenerate `package-lock.json`.
- Create a pull request titled `chore: update npm dependencies` with a description listing each updated package, its old version, and its new version.
### No Action Needed
If all dependencies are already up to date, use `noop` with a brief message: "All npm dependencies are current."When generating the agent file:
- Produce exactly one
.mdfile. Do not create separate documentation, architecture notes, or runbooks. - Respect existing repository conventions for file placement. Look at where existing pipeline YAML files or agent markdown files are located in the repo. If no convention exists, ask the user where they'd like the file placed.
- Omit optional fields when they match defaults — no
engine:forclaude-opus-4.5, noworkspace:forroot, notarget:forstandalone. - Always validate that write-requiring safe-outputs (
create-pull-request,create-work-item) havepermissions.writeset.
After creating the agent file, compile it into an Azure DevOps pipeline:
# Simple form — generates the .yml pipeline alongside the .md source
ado-aw compile <path/to/agent.md>
# Or specify a custom output location
ado-aw compile <path/to/agent.md> -o <path/to/pipeline.yml>This generates a .yml pipeline file. Both the source .md and generated .yml must be committed together.
If the ado-aw CLI is not installed or not available on PATH, guide the user to download it from:
https://github.com/githubnext/ado-aw/releases
After compilation, tell the user the next steps:
Next steps:
1. Review and customize the agent instructions in <filename>.md
2. Commit both the .md source and the generated .yml pipeline
3. Register the .yml as a pipeline in Azure DevOps
Agent reads data (Kusto, ADO) and files a work item if action is needed.
schedule: daily around 10:00
tools:
azure-devops: true
permissions:
read: my-read-sc
write: my-write-sc
safe-outputs:
create-work-item:
work-item-type: Bug
tags: [automated, agent-detected]Triggered by another pipeline; reviews and comments via ADO.
triggers:
pipeline:
name: "CI Build"
branches: [main, feature/*]
tools:
azure-devops: true
permissions:
read: my-read-sc
write: my-write-sc
safe-outputs:
create-work-item:
work-item-type: TaskAgent makes code changes and proposes them via PR.
schedule: weekly on sunday
tools:
azure-devops: true
permissions:
read: my-read-sc
write: my-write-sc
safe-outputs:
create-pull-request:
target-branch: main
auto-complete: true
squash-merge: trueAgent checks out and modifies a secondary repository.
repositories:
- repository: shared-config
type: git
name: my-org/shared-config
checkout:
- shared-config
workspace: repo
permissions:
read: my-read-sc
write: my-write-sc
safe-outputs:
create-pull-request:
target-branch: main- Minimal permissions: Default to no permissions; add only what the task requires.
- Explicit allow-lists: Restrict MCP tools to only what the agent needs.
- No direct writes: All mutations go through safe outputs — the agent cannot push code or call write APIs directly.
- Compile before committing: Always compile with
ado-aw compileand commit both the.mdsource and generated.ymltogether. - Check validation: The compiler will error if write safe-outputs are configured without
permissions.write.