From 3978bda9616ef10ae9d6667afd28dcf78c6a2392 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 18:19:56 +0000
Subject: [PATCH 1/3] Initial plan


From c4fd0593a508cedd3f122bce3fae255abd25d5b9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 18:32:48 +0000
Subject: [PATCH 2/3] fix: align 1ES template shared steps with standalone by
 replacing Agency CLI with Copilot CLI

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 src/compile/common.rs   |  5 ---
 src/compile/onees.rs    |  5 +--
 templates/1es-base.yml  | 12 +++----
 tests/compiler_tests.rs | 72 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 81 insertions(+), 13 deletions(-)

diff --git a/src/compile/common.rs b/src/compile/common.rs
index dae4c17..51b2048 100644
--- a/src/compile/common.rs
+++ b/src/compile/common.rs
@@ -465,11 +465,6 @@ pub const AWF_VERSION: &str = "0.23.1";
 /// See: https://pkgs.dev.azure.com/msazuresphere/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json
 pub const COPILOT_CLI_VERSION: &str = "1.0.6";
 
-/// Version of the Agency CLI (agency.linux-x64) NuGet package to install in 1ES pipelines.
-/// Update this when upgrading to a new Agency CLI release.
-/// See: https://pkgs.dev.azure.com/msazuresphere/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json
-pub const AGENCY_CLI_VERSION: &str = "2026.1.22.4";
-
 /// Generate source path for the execute command.
 ///
 /// Returns a path using `{{ workspace }}` as the base, which gets resolved
diff --git a/src/compile/onees.rs b/src/compile/onees.rs
index 14b2023..4257445 100644
--- a/src/compile/onees.rs
+++ b/src/compile/onees.rs
@@ -17,7 +17,7 @@ use std::path::Path;
 
 use super::Compiler;
 use super::common::{
-    self, AGENCY_CLI_VERSION, AWF_VERSION, DEFAULT_POOL, compute_effective_workspace, generate_copilot_params,
+    self, AWF_VERSION, COPILOT_CLI_VERSION, DEFAULT_POOL, compute_effective_workspace, generate_copilot_params,
     generate_acquire_ado_token, generate_checkout_self, generate_checkout_steps,
     generate_ci_trigger, generate_copilot_ado_env, generate_executor_ado_env,
     generate_pipeline_path, generate_pipeline_resources, generate_pr_trigger,
@@ -139,7 +139,7 @@ displayName: "Finalize""#,
             ("{{ compiler_version }}", compiler_version),
             // No-op for 1ES (template doesn't use AWF), but included for forward-compatibility
             ("{{ firewall_version }}", AWF_VERSION),
-            ("{{ agency_version }}", AGENCY_CLI_VERSION),
+            ("{{ copilot_version }}", COPILOT_CLI_VERSION),
             ("{{ pool }}", &pool),
             ("{{ schedule }}", &schedule),
             ("{{ pr_trigger }}", &pr_trigger),
@@ -163,6 +163,7 @@ displayName: "Finalize""#,
             ("{{ source_path }}", &source_path),
             ("{{ pipeline_path }}", &pipeline_path),
             ("{{ working_directory }}", &working_directory),
+            ("{{ workspace }}", &working_directory),
             ("{{ agency_params }}", &agency_params),
             ("{{ acquire_ado_token }}", &acquire_read_token),
             ("{{ copilot_ado_env }}", &copilot_ado_env),
diff --git a/templates/1es-base.yml b/templates/1es-base.yml
index 51015fb..56162be 100644
--- a/templates/1es-base.yml
+++ b/templates/1es-base.yml
@@ -159,15 +159,15 @@ extends:
                 displayName: "Authenticate NuGet Feed"
 
               - task: NuGetCommand@2
-                displayName: "Install Agency CLI"
+                displayName: "Install Copilot CLI"
                 inputs:
                   command: 'custom'
-                  arguments: 'install agency.linux-x64 -Source "https://pkgs.dev.azure.com/msazuresphere/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json" -Version {{ agency_version }} -OutputDirectory $(Agent.TempDirectory)/tools -ExcludeVersion -NonInteractive'
+                  arguments: 'install Microsoft.Copilot.CLI.linux-x64 -Source "https://pkgs.dev.azure.com/msazuresphere/_packaging/Guardian1ESPTUpstreamOrgFeed/nuget/v3/index.json" -Version {{ copilot_version }} -OutputDirectory $(Agent.TempDirectory)/tools -ExcludeVersion -NonInteractive'
 
               - bash: |
                   ls -la "$(Agent.TempDirectory)/tools"
-                  echo "##vso[task.prependpath]$(Agent.TempDirectory)/tools/agency.linux-x64"
-                displayName: Add agency to PATH
+                  echo "##vso[task.prependpath]$(Agent.TempDirectory)/tools/Microsoft.Copilot.CLI.linux-x64"
+                displayName: Add copilot to PATH
 
               - bash: |
                   COMPILER_VERSION="{{ compiler_version }}"
@@ -189,7 +189,7 @@ extends:
 
               - bash: |
                   mkdir -p {{ working_directory }}/safe_outputs
-                  # Copy safe outputs from AgencyArtifact if they exist
+                  # Copy safe outputs from artifact if they exist
                   if [ -f "$(Pipeline.Workspace)/AgencyArtifact/safe_outputs.ndjson" ]; then
                     cp "$(Pipeline.Workspace)/AgencyArtifact/safe_outputs.ndjson" {{ working_directory }}/safe_outputs/
                   fi
@@ -230,7 +230,7 @@ extends:
                   THREAT_OUTPUT_FILE="$(Agent.TempDirectory)/threat-analysis-output.txt"
 
                   # Use $(cat file) like gh-aw does - the command is executed directly, not via a variable
-                  agency copilot --prompt "$(cat $(Agent.TempDirectory)/threat-analysis-prompt.md)" {{ agency_params }} > "$THREAT_OUTPUT_FILE" 2>&1
+                  copilot --prompt "$(cat $(Agent.TempDirectory)/threat-analysis-prompt.md)" {{ agency_params }} > "$THREAT_OUTPUT_FILE" 2>&1
                   AGENT_EXIT_CODE=$?
 
                   echo "=== Threat Analysis Output (sanitized) ==="
diff --git a/tests/compiler_tests.rs b/tests/compiler_tests.rs
index 01af66f..fefd570 100644
--- a/tests/compiler_tests.rs
+++ b/tests/compiler_tests.rs
@@ -784,3 +784,75 @@ Do something.
 
     let _ = fs::remove_dir_all(&temp_dir);
 }
+
+/// Test that the 1ES fixture compiles correctly with no unreplaced markers
+/// and uses Copilot CLI (not Agency CLI) in custom jobs
+#[test]
+fn test_1es_compiled_output_no_unreplaced_markers() {
+    let temp_dir = std::env::temp_dir().join(format!(
+        "agentic-pipeline-1es-markers-{}",
+        std::process::id()
+    ));
+    fs::create_dir_all(&temp_dir).expect("Failed to create temp directory");
+
+    let fixture_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+        .join("tests")
+        .join("fixtures")
+        .join("1es-test-agent.md");
+
+    let output_path = temp_dir.join("1es-test-agent.yml");
+
+    // Run the compiler binary
+    let binary_path = PathBuf::from(env!("CARGO_BIN_EXE_ado-aw"));
+    let output = std::process::Command::new(&binary_path)
+        .args([
+            "compile",
+            fixture_path.to_str().unwrap(),
+            "-o",
+            output_path.to_str().unwrap(),
+        ])
+        .output()
+        .expect("Failed to run compiler");
+
+    assert!(
+        output.status.success(),
+        "1ES compiler should succeed: {}",
+        String::from_utf8_lossy(&output.stderr)
+    );
+    assert!(output_path.exists(), "Compiled 1ES YAML should exist");
+
+    let compiled = fs::read_to_string(&output_path).expect("Should read compiled YAML");
+
+    // Verify no unreplaced {{ markers }} remain (excluding ${{ }} which are ADO expressions)
+    for line in compiled.lines() {
+        let stripped = line.replace("${{", "");
+        assert!(
+            !stripped.contains("{{ "),
+            "1ES compiled output should not contain unreplaced marker: {}",
+            line.trim()
+        );
+    }
+
+    // Verify the compiler version was correctly substituted
+    let version = env!("CARGO_PKG_VERSION");
+    assert!(
+        compiled.contains(version),
+        "1ES compiled output should contain compiler version {version}"
+    );
+
+    // Verify 1ES template uses Copilot CLI, not Agency CLI
+    assert!(
+        compiled.contains("Microsoft.Copilot.CLI.linux-x64"),
+        "1ES template should install Copilot CLI"
+    );
+    assert!(
+        !compiled.contains("install agency.linux-x64"),
+        "1ES template should not install Agency CLI"
+    );
+    assert!(
+        !compiled.contains("agency copilot"),
+        "1ES template should not invoke 'agency copilot' command"
+    );
+
+    let _ = fs::remove_dir_all(&temp_dir);
+}

From 9827d937b89047f11051d00e34a6e1bad0788595 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Mar 2026 18:33:54 +0000
Subject: [PATCH 3/3] fix: restore AgencyArtifact comment to match 1ES platform
 artifact name

Co-authored-by: jamesadevine <4742697+jamesadevine@users.noreply.github.com>
---
 templates/1es-base.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/1es-base.yml b/templates/1es-base.yml
index 56162be..ca1385c 100644
--- a/templates/1es-base.yml
+++ b/templates/1es-base.yml
@@ -189,7 +189,7 @@ extends:
 
               - bash: |
                   mkdir -p {{ working_directory }}/safe_outputs
-                  # Copy safe outputs from artifact if they exist
+                  # Copy safe outputs from AgencyArtifact if they exist
                   if [ -f "$(Pipeline.Workspace)/AgencyArtifact/safe_outputs.ndjson" ]; then
                     cp "$(Pipeline.Workspace)/AgencyArtifact/safe_outputs.ndjson" {{ working_directory }}/safe_outputs/
                   fi