dotnet
diff --git a/‎.CodeQL.yml‎
Lines changed: 41 additions & 1 deletion b/‎.CodeQL.yml‎
Lines changed: 41 additions & 1 deletion
diff --git a/‎.config/dotnet-tools.json‎
Lines changed: 1 addition & 1 deletion b/‎.config/dotnet-tools.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.devcontainer/devcontainer.json‎
Lines changed: 3 additions & 1 deletion b/‎.devcontainer/devcontainer.json‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.editorconfig‎
Lines changed: 4 additions & 0 deletions b/‎.editorconfig‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/copilot-instructions.md‎
Lines changed: 61 additions & 4 deletions b/‎.github/copilot-instructions.md‎
Lines changed: 61 additions & 4 deletions
@@ -1,5 +1,5 @@
 # This file configures CodeQL runs and TSA bug autofiling. For more information, see:
-# https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/bugs/generated-library-code
+# https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/bugs/generated-library-code
 # (Access restricted to Microsoft employees only.)
 
 path_classifiers:
@@ -15,3 +15,43 @@ path_classifiers:
     # files are generated as part of build-time checks in CMake and are not compiled
     # or linked into any product binaries.
     - artifacts/obj/**/CMakeFiles/**/CheckFunctionExists.c
+
+queries:
+  #
+  # REPO-WIDE RULE EXCLUSIONS
+  #
+  - exclude:
+      queryid:
+        # [Serializable] doesn't imply that a type is *safe* to [de]serialize; only that it is
+        # *possible* to do so. The rules below incorrectly assume we're trying to make a safety
+        # guarantee.
+        - "cs/dangerous-deserialization-routine"
+        - "cs/deserialization-of-pointer-type"
+        # We already have CodeQL + Roslyn rules running to detect usage of dangerous deserialization
+        # APIs. Those call sites are well-reviewed and don't benefit from extra alerts regarding
+        # the possibility of loading malicious code.
+        - "cs/deserialization-unexpected-subtypes"
+  #
+  # Don't warn about usage of non-compliant crypto within our own implementations or interop code,
+  # since the rule would noisily try to warn us about *ourselves*. These exclusions are scoped
+  # to just the crypto code itself. We still want alerts when consumers of crypto (even within this
+  # repo) try to use non-compliant primitives; those call sites must be manually inspected
+  # and suppressed if appropriate.
+  #
+  - exclude:
+      queryid:
+        - "cs/ecb-encryption"
+        - "cs/encryption-with-vulnerable-cipher-mode"
+        - "cs/weak-symmetric-algorithm"
+        - "cs/obsolete-password-key-derivation"
+        - "cs/cryptography/unapproved-usage-of-dsa"
+        - "cs/weak-crypto"
+        - "cs/weak-hmacs"
+        - "java/weak-crypto-algorithm-or-hash"
+      path:
+        - "src/libraries/Common/src/Interop/Windows/BCrypt/**"
+        - "src/libraries/Common/src/System/Security/Cryptography/**"
+        - "src/libraries/Microsoft.Bcl.Cryptography/**"
+        - "src/libraries/System.Security.Cryptography/**"
+        - "src/libraries/System.Security.Cryptography.*/**"
+        - "src/native/libs/System.Security.Cryptography.*/**"
@@ -15,7 +15,7 @@
       ]
     },
     "microsoft.dotnet.xharness.cli": {
-      "version": "11.0.0-prerelease.26064.3",
+      "version": "11.0.0-prerelease.26160.2",
       "commands": [
         "xharness"
       ]
 
@@ -14,7 +14,9 @@
 	},
 
 	"features": {
-		"ghcr.io/devcontainers/features/github-cli:1": {}
+		"ghcr.io/devcontainers/features/github-cli:1": {},
+		"ghcr.io/devcontainers/features/sshd:1": {},
+		"ghcr.io/devcontainers/features/copilot-cli:1": {}
 	},
 
 	// Configure tool-specific properties.
 
@@ -165,6 +165,10 @@ csharp_space_between_square_brackets = false
 # License header
 file_header_template = Licensed to the .NET Foundation under one or more agreements.\nThe .NET Foundation licenses this file to you under the MIT license.
 
+# xUnit1051: recommends TestContext.Current.CancellationToken (v3 pattern) which
+# is not yet adopted; suppress until a full v3 migration is performed.
+dotnet_diagnostic.xUnit1051.severity = none
+
 [src/libraries/System.Net.Http/src/System/Net/Http/{SocketsHttpHandler/Http3RequestStream.cs,BrowserHttpHandler/BrowserHttpHandler.cs}]
 # disable CA2025, the analyzer throws a NullReferenceException when processing this file: https://github.com/dotnet/roslyn-analyzers/issues/7652
 dotnet_diagnostic.CA2025.severity = none
 
@@ -1,5 +1,5 @@
 ---
-excludeAgent: code-review-agent
+excludeAgent: code-review
 ---
 
 **Any code you commit MUST compile, and new and existing tests related to the change MUST pass.**
@@ -8,7 +8,11 @@ You MUST make your best effort to ensure any code changes satisfy those criteria
 
 If you make code changes, do not complete without checking the relevant code builds and relevant tests still pass after the last edits you make. Do not simply assume that your changes fix test failures you see, actually build and run those tests again to confirm.
 
-Before completing, use the `code-review` skill to review your code changes. Any issues flagged as errors or warnings should be addressed before completing.
+When running under CCA and before completing, use the `code-review` skill to review your code changes. Any issues flagged as errors or warnings should be addressed before the task is considered complete.
+
+When NOT running under CCA, skip the `code-review` skill if the user has stated they will review the changes themselves.
+
+Before making changes to a directory, search for `README.md` files in that directory and its parent directories up to the repository root. Read any you find — they contain conventions, patterns, and architectural context relevant to your work.
 
 If the changes are intended to improve performance, or if they could negatively impact performance, use the `performance-benchmark` skill to validate the impact before completing.
 
@@ -25,6 +29,8 @@ In addition to the rules enforced by `.editorconfig`, you SHOULD:
 - Prefer `?.` if applicable (e.g. `scope?.Dispose()`).
 - Use `ObjectDisposedException.ThrowIf` where applicable.
 - When adding new unit tests, strongly prefer to add them to existing test code files rather than creating new code files.
+- When adding new test files, examine the directory structure of sibling tests first. Some test directories use flat files (e.g., `GCEvents.cs` alongside `GCEvents.csproj`) while others use per-test subdirectories. Match the existing convention.
+- When working with tests, look for `README.md` files along the directory hierarchy (starting from the test's directory and walking up). These contain build, run, and authoring guidance specific to that test area.
 - When adding new unit tests, avoid adding a regression comment citing a GitHub issue or PR number unless explicitly asked to include such information.
 - When writing tests, prefer using `[Theory]` with multiple data sources (like `[InlineData]` or `[MemberData]`) over multiple duplicative `[Fact]` methods. Fewer test methods that validate more inputs are better than many similar test methods.
 - If you add new code files, ensure they are listed in the csproj file (if other files in that folder are listed there) so they build.
@@ -34,6 +40,13 @@ In addition to the rules enforced by `.editorconfig`, you SHOULD:
 - For markdown (`.md`) files, ensure there is no trailing whitespace at the end of any line.
 - When adding XML documentation to APIs, follow the guidelines at [`docs.prompt.md`](/.github/prompts/docs.prompt.md).
 
+When NOT running under CCA, guidance for creating commits and pushing changes:
+
+- Never squash and force push unless explicitly instructed. Always push incremental commits on top of previous PR changes.
+- Never push to an active PR without being explicitly asked, even in autopilot/yolo mode. Always wait for explicit instruction to push.
+- Never chain commit and push in the same command. Always commit first, report what was committed, then wait for an explicit push instruction. This creates a mandatory decision point.
+- Prefer creating a new commit rather than amending an existing one. Exceptions: (1) explicitly asked to amend, or (2) the existing commit is obviously broken with something minor (e.g., typo or comment fix) and hasn't been pushed yet.
+
 ---
 
 # Building & Testing in dotnet/runtime
@@ -150,15 +163,58 @@ cd src/tests
 
 ### Runtime Tests
 
-**Build:**
+Subdirectories under `src/tests/` may contain `README.md` files with
+area-specific guidance (e.g., EventPipe test patterns).
+
+**Build all tests:**
 ```bash
 ./build.sh clr+libs -lc release -rc checked
 ./src/tests/build.sh checked
 ./src/tests/run.sh checked
 ```
 
+**Build a single test project** (path is relative to the repo root):
+```bash
+# Use -priority1 ("-Priority 1" on Windows) for tests with <CLRTestPriority>1</CLRTestPriority>,
+# otherwise the build silently reports "0 test projects" and builds nothing.
+src/tests/build.sh -Test tracing/eventpipe/eventsvalidation/GCEvents.csproj x64 Release -priority1
+```
+
+Other useful flags (run `src/tests/build.sh -h` for the full list):
+
+| Flag | Description |
+|------|-------------|
+| `-Test <path>` | Build one project |
+| `-Dir <path>` | Build all projects in a directory |
+| `-Tree <path>` | Build a subtree recursively |
+| `-priority1` (`-Priority 1` on Windows) | Include priority 1 tests |
+| `-GenerateLayoutOnly` | Generate Core_Root layout only |
+
+**Generate Core_Root layout** (required before running individual tests):
+```bash
+src/tests/build.sh -GenerateLayoutOnly x64 Release
+```
+
+**Run a single test:**
+```bash
+export CORE_ROOT=$(pwd)/artifacts/tests/coreclr/<os>.x64.Release/Tests/Core_Root
+cd artifacts/tests/coreclr/<os>.x64.Release/<test-path>/
+$CORE_ROOT/corerun <TestName>.dll
+# Exit code 100 = pass, any other value = fail.
+```
+
 ---
 
+## Adding new tests
+
+When creating a regression test for a bug fix:
+
+1. **Verify the test FAILS without the fix** — build and run against the unfixed code.
+2. **Verify the test PASSES with the fix** — apply the fix, rebuild, and run again.
+3. If the fix is not yet merged locally, manually apply the minimal changes from the PR/commit to verify.
+
+Do not mark a regression test task as complete until both conditions are confirmed.
+
 ## Troubleshooting
 
 | Error | Solution |
@@ -167,10 +223,11 @@ cd src/tests
 | "testhost" missing / FileNotFoundException | Run baseline build first (Step 2 above) |
 | Build timeout | Wait up to 40 min; only fail if no output for 5 min |
 | "Target does not exist" | Avoid specifying a target framework; the build will auto-select `$(NetCoreAppCurrent)` |
+| "0 test projects" after `build.sh -Test` | The test has `<CLRTestPriority>` > 0; add `-priority1` to the build command |
 
 **When reporting failures:** Include logs from `artifacts/log/` and console output for diagnostics.
 
-**Windows:** Use `build.cmd` instead of `build.sh`. Set PATH: `set PATH=%CD%\.dotnet;%PATH%`
+**Windows:** Use `build.cmd` instead of `build.sh`.
 
 ---
Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,7 @@`
`15`	`15`	`]`
`16`	`16`	`},`
`17`	`17`	`"microsoft.dotnet.xharness.cli": {`
`18`		`- "version": "11.0.0-prerelease.26064.3",`
	`18`	`+ "version": "11.0.0-prerelease.26160.2",`
`19`	`19`	`"commands": [`
`20`	`20`	`"xharness"`
`21`	`21`	`]`