Merge pull request #14261 from MicrosoftDocs/SirajShaik-MSFT/Validation-doc-update

[Doc Improvement] Validation doc updates Feb & March

Author: SirajShaik-MSFT

msteams-platform/assets/images/submission/validation-bot-valid-response-lowercase.png

@@ -127,6 +127,19 @@ You must ensure to meet the following guidelines for agents:
 
 [Back to top](#validation-guidelines-for-agents)
 
+## Agent to Agent Communication
+
+For utilising `worker_agents` property in your Declarative agent manifest, ensure [*Must fix*]
+
+* Only declarative agents can be referenced within `worker_agent` node of the manifest. Custom engine agents are currently not supported.
+* The description and disclaimer must clearly list all referenced worker agents and explicitly instruct users to acquire them where required.
+* The agent must provide meaningful standalone value, independent of any worker agents. This value must be clearly described in the agent description.
+* Each referenced worker agent must independently meet the minimum value bar and provide meaningful functionality on its own.
+* Any prompt that depends on a worker agent must fail gracefully if the worker agent has not been acquired.
+* If a parent agent references a worker agent published by a different publisher, the parent agent publisher remains responsible for handling integration issues, user experience gaps, and graceful failure behavior.
+
+[Back to top](#validation-guidelines-for-agents)
+
 ## Screenshots
 
 You must ensure to meet the following guidelines for agents:
@@ -292,34 +305,27 @@ For action scenarios, agents must share user disclosure and seek user confirmati
 * Action taken by a user must be correctly reflected in third-party service. [*Must fix*]
 * Modification requests by the user prior to confirmation of the action must be honored. [*Must fix*]
 * Highly consequential tasks such as bulk delete mustn't be supported. [*Good-to-fix*]
-* The declarative agent must provide confirmation prompts aligned with user-initiated actions, using clear language that explicitly seeks the user's permission. [*Must fix*]
+* For consequential actions, the declarative agent must provide confirmation prompts aligned with user-initiated actions, using clear language that explicitly seeks the user's permission. [*Must fix*]
 
-   Confirmation prompt can be set by using `body` property in the `Confirmation` object in the function's Function capabilities object in the manifest. For more information, see [customizing confirmation text](/microsoft-365-copilot/extensibility/api-plugin-confirmation-prompts?branch=main&branchFallbackFrom=public-preview#customizing-confirmation-text).
+   Confirmation body can be set by using `body` property in the `Confirmation` object in the function's Function capabilities object in the manifest. For more information, see [customizing confirmation text](/microsoft-365-copilot/extensibility/api-plugin-confirmation-prompts?branch=main&branchFallbackFrom=public-preview#customizing-confirmation-text).
 
    | Pass example | Fail example |
    | --- | --- |
    | For a function that searches tickets - "Do you want to allow searching in Contoso?" "Do you want to allow searching for tickets?" | Do you want to proceed?" --> Doesnt indicate what the function does. |
    | For a function that creates a new order "Do you want to proceed with creating a new order?" | Searches tickets" --> Doesn't seek permission |
    | For a function that creates a new ticket: "Do you want to proceed with creating a new ticket?" | "Creates tickets" --> Doesn't seek permission |
 
-* Consequential actions (Create, Update, or Delete API calls) must require explicit user permission before execution. To achieve this, for
+* Consequential actions that mutate a system must require explicit user permission before execution. To achieve this, for
   * Plugin action, `isConsequential` flag should be set to ‘true’ for such calls
   * MCP Server action, `readOnlyHint` annotation should be set to ‘false’ for such calls
+  * Obtaining user confirmation via a custom built CTA that clearly informs users about the action being performed
 
   For more details, see [overriding prompt behavior](/microsoft-365-copilot/extensibility/api-plugin-confirmation-prompts?branch=main&branchFallbackFrom=public-preview#overriding-prompt-behavior).
 
-   | Operation type | Actions | Expected value for `isConsequential` flag |
-   | --- | --- | --- |
-   | Create | Consequential | true |
-   | Read | Non-consequential | false or true |
-   | Update | Consequential | true |
-   | Delete | Consequential | true |
-
    | Command description | Consequential function? | Expected value for `isConsequential` flag |
    | --- | --- | --- |
-   | Returns a list of quest recommendations based on the user's interest. If there are no quote recommendations, then create a new one. | Yes | true |
+   | Returns a list of quote recommendations based on the user's interest. If there are no quote recommendations, then create a new one. | Yes | true |
    | Returns a list of meditation recommendations based on the user's preferences. | No | false or true |
-   | Returns a list of quest recommendations based on the user's interest. If there are no quote recommendations, then create a new one. | Yes | true |
 
 [Back to top](#validation-guidelines-for-agents)
 
@@ -419,6 +425,8 @@ A custom engine agent is a conversational Teams bot that must meet the following
 
 * An agent sending multiple messages must make sure that messages are not repetitive or redundant in nature.
 
+* Agents must implement safeguards to prevent attacks that attempt to manipulate or override system instructions, safety controls, or developer defined behavior.
+
 ## Graceful error handling
 
 All agents must handle the following scenarios gracefully, that is, the agent must reject the user request and provide a way forward: [*Must fix*]

msteams-platform/concepts/deploy-and-publish/appsource/prepare/review-copilot-validation-guidelines.md

@@ -461,6 +461,8 @@ Explore resources designed to help you with responsible Artificial Intelligence
 
    :::image type="content" source="../../../../assets/images/submission/teams-ai-library-description-guideline.png" alt-text="Screenshot shows the description for AI functionality.":::
 
+* Apps must implement safeguards to prevent attacks that attempt to manipulate or override system instructions, safety controls, or developer defined behavior.
+
 #### Apps using facial recognition capabilities
 
 > [!NOTE]
@@ -1121,6 +1123,10 @@ If your app includes a bot, ensure that it adheres to these guidelines.
 
 Analyzing user input and predicting user intent is difficult. Bot commands provide users a set of words or phrases for your bot to understand.
 
+* Bots must support functional enterprise workflows. If bot commands are declared in the manifest, both the `Title` and `Description` fields are mandatory and must be clearly defined and consistently aligned. The bot must enable the users to know about the value proposition of the app. Bot must respond with various workflows it supports on asking for help or value it provides. Bot must provide a valid response even when the user hasn’t logged into the apps.
+
+  :::image type="content" source="../../../../assets/images/submission/validation-bot-valid-response-lowercase.png" alt-text="Graphic shows an example of bot not providing a valid response for a command in lowercase or uppercase.":::
+
 * All commands that your bot supports must work correctly, including generic commands such as **Hi**, **Hello**, and **Help**. [*Must fix*]
 
   :::image type="content" source="../../../../assets/images/submission/validation-bot-commands-generic-response-pass.png" alt-text="Graphic shows an example of bot responding to generic commands.":::
@@ -1131,12 +1137,8 @@ Analyzing user input and predicting user intent is difficult. Bot commands provi
 
    :::image type="content" source="../../../../assets/images/submission/validation-bot-commands-deadend.png" alt-text="validation-bot-commands-dead-end":::
 
-* You must list at least one valid bot command in the `items.commands.title` section of the app manifest and add a suitable description that gives clarity to the user on the bot command and its usage. Bot commands listed in the `commandLists` section of the app manifest surface as prepopulated commands in the bot command menu and provide a way forward for the new user to interact with the bot. [*Good-to-fix*]
-
 * Bot response mustn't contain any official Microsoft product images or avatars. Use your own assets in your app. Use of Microsoft product images in your app isn't allowed. You may only copy, modify, distribute, display, license, or sell Microsoft copyrighted product images if you're granted explicit permission within the End-User License Agreement (EULA), license terms that accompany the content, or in the [Microsoft Trademark and Brand guidelines](https://www.microsoft.com/legal/intellectualproperty/trademarks). [*Must fix*]
 
-* Bots must respond to user commands without displaying a continuous loading indicator. [*Must fix*]
-
 * Bot help command response mustn't redirect the user outside Teams. Bot help command response can redirect user to a canvas within the Teams app or provide a way forward response in an Adaptive Card. [*Must fix*]
 
   :::image type="content" source="../../../../assets/images/submission/validation-bot-redirects-user-outside-teams.png" alt-text="Graphic shows an example of bot response redirecting user outside of Teams.":::
@@ -1163,10 +1165,6 @@ Analyzing user input and predicting user intent is difficult. Bot commands provi
 
 * Bots mustn't display a typing indicator after responding to the user command, but can display a typing indicator while responding to the user command. [*Must fix*]
 
-* Bots must provide a valid response to the **help** command typed in lowercase or uppercase that provides the user with a way forward or lets the user access the help content related to the bot usage. Bots must provide a valid response even when the user hasn't logged on to the app. [*Must fix*]
-
-   :::image type="content" source="../../../../assets/images/submission/validation-bot-valid-response-lowercase.png" alt-text="Graphic shows an example of bot not providing a valid response for a command in lowercase or uppercase.":::
-
    :::image type="content" source="../../../../assets/images/submission/validation-bot-valid-response-logged-app.png" alt-text="Graphic shows an example of a bot without a valid response when the user hasn't logged on to the app.":::
 
 * Bots must provide a valid response to **help** command.
@@ -1207,7 +1205,8 @@ Analyzing user input and predicting user intent is difficult. Bot commands provi
 
    Prompt starters help users start a conversation with your bot. To enable prompt starters, the `commands` property in app manifest needs to be defined.
 
-  * The bot must provide at least one command that enables the user to know about the value proposition of the app. [*Must fix*]
+  * The bot must enable the users to know about the value proposition of the app.
+  * Bot must respond with various workflows it supports on asking for help or value it provides.Bot must provide a valid response even when the user hasn’t logged into the apps. [*Must fix*]
   * Prompt starters or commands must be functional and return responses. [*Must fix*]
   * Command description must be coherent and clearly communicate value of the command. [*Must fix*]
   * Prompt starters or commands must be relevant to the app's functionality. [*Must fix*]