@event4u/agent-config 1.28.0 → 1.31.0

package/.agent-src/skills/repomix-packer/SKILL.md

@@ -0,0 +1,135 @@
+---
+name: repomix-packer
+description: "Use when packaging a codebase to a single AI-friendly file for LLM analysis — local or remote, XML/Markdown/JSON, token counting, gitignore filtering, peer-side `repomix` CLI."
+source: package
+---
+
+> **Pinned upstream:** `repomix` CLI (npm: `repomix`, brew: `repomix`). Re-verify per minor bump. Repomix is an **optional dependency** — this skill never installs it silently.
+
+# repomix-packer
+
+Wraps the upstream [`yamadashy/repomix`](https://github.com/yamadashy/repomix) CLI for codebase-snapshot workflows: pack a local or remote repo into a single XML / Markdown / JSON file with token counts and secret detection, then feed it to an LLM for review, audit, or migration scoping.
+
+## When to use
+
+- Producing an LLM-ingestible snapshot of a repo (or a sub-tree) for review or audit.
+- Comparing two branches by packaging each and diffing the snapshots.
+- Pulling a remote third-party library into context without cloning.
+- Pre-flighting a token budget before sending a codebase to an LLM.
+
+Do NOT use when:
+
+- You only need a few specific files — read them directly with `view`.
+- The snapshot will only feed a non-text format (PDF, image, audio) — route to [`markitdown`](../markitdown/SKILL.md).
+- The repo is sensitive and `--no-security-check` would be needed — STOP, route to a human.
+
+## Procedure: Snapshot a repo for LLM review
+
+### 1. Inspect: verify `repomix` is installed (peer-side)
+
+```bash
+repomix --version
+```
+
+If the binary is missing, surface one of the install recipes and STOP — do not install silently:
+
+```bash
+# npm (preferred for project-local installs)
+npm install -g repomix
+
+# Homebrew (macOS / Linux)
+brew install repomix
+```
+
+### 2. Decide local vs remote
+
+```bash
+# Local: pack the current directory.
+repomix
+
+# Remote shorthand: owner/repo
+npx repomix --remote owner/repo
+
+# Remote URL with a pinned commit
+npx repomix --remote https://github.com/owner/repo/commit/<sha>
+```
+
+### 3. Filter the snapshot to the smallest useful slice
+
+```bash
+# Include patterns
+repomix --include "src/**/*.php,*.md"
+
+# Add ignore patterns on top of .gitignore
+repomix -i "tests/**,*.test.js"
+
+# Strip comments to save tokens
+repomix --remove-comments
+```
+
+### 4. Pick the output format and destination
+
+```bash
+repomix --style markdown -o snapshot.md   # human-readable
+repomix --style xml -o snapshot.xml       # default; clearest separators for LLMs
+repomix --style json -o snapshot.json     # programmatic post-processing
+repomix --copy                            # also copy to clipboard
+```
+
+### 5. Verify token budget and secrets
+
+Repomix prints per-file and total token counts and runs Secretlint on the output. Check the totals against the target LLM context window:
+
+| Model              | Approx context |
+|--------------------|----------------|
+| Claude Sonnet 4.5  | ~200K tokens   |
+| GPT-4 family       | ~128K tokens   |
+| GPT-3.5            | ~16K tokens    |
+
+If Secretlint flags anything, STOP — sanitize the input or add the offending paths to `.repomixignore` before re-packing. Never use `--no-security-check` on an unfamiliar codebase.
+
+### 6. Hand the snapshot to the consumer skill
+
+Most workflows that call this skill pass the snapshot to:
+
+- A code-review pass — pair with [`judge-bug-hunter`](../judge-bug-hunter/SKILL.md) or [`judge-security-auditor`](../judge-security-auditor/SKILL.md).
+- Reference-repo analysis — route to [`analyze-reference-repo`](../../commands/analyze-reference-repo.md).
+- Migration scoping — route to [`blast-radius-analyzer`](../blast-radius-analyzer/SKILL.md).
+
+Cite the snapshot path so the consumer skill can read it.
+
+## Output format
+
+1. The repomix invocation (one shell line, with all filters and the output path).
+2. The output file path + format + total token count.
+3. Any Secretlint findings, verbatim. Empty section if none.
+
+## Gotcha
+
+- `--copy` puts the entire snapshot on the clipboard — surprising on large repos. Prefer `-o <path>` for anything > a few KB.
+- `--no-gitignore` plus a wildcard include can pull in `.env`, `vendor/`, `node_modules/` — never combine without a tight `--include` first.
+- Remote `npx repomix --remote owner/repo` defaults to the latest commit on the default branch — pin a commit SHA when reproducing a previous snapshot.
+- Token counts are LLM-tokenizer estimates, not exact — leave a 10–15% headroom under the model's documented context window.
+
+## Do NOT
+
+- Do NOT run `repomix --no-security-check` on an unfamiliar codebase.
+- Do NOT install repomix silently — surface the recipe and let the consumer install it.
+- Do NOT commit `repomix-output.*` artifacts — add the pattern to `.gitignore`.
+- Do NOT package `.env`, key material, or `.git/` — adjust `.repomixignore` first.
+- Do NOT vendor repomix into the repo — it is a peer-side CLI.
+
+## Auto-trigger keywords
+
+- repomix
+- pack codebase
+- repository snapshot
+- llm context bundle
+- codebase to single file
+
+## Provenance
+
+- Upstream tool: https://github.com/yamadashy/repomix (MIT).
+- Adopted from: `Microck/ordinary-claude-skills@8f5c83174f7aa683b4ddc7433150471983b93131:skills_all/repomix/SKILL.md` (MIT, © 2025 Microck) — wrapper-style adoption, no upstream code vendored.
+- Provenance registry: `agents/contexts/skills-provenance.yml` (entry: `repomix`).
+- Iron-Law floor: `non-destructive-by-default`, `missing-tool-handling`, `tool-safety`.

package/.agent-src/skills/roadmap-writing/SKILL.md

@@ -131,6 +131,11 @@ to every roadmap you author.
   template rule 13 + [`scope-control`](../../rules/scope-control.md#git-operations--permission-gated).
 * Plan automatic branch switches mid-roadmap (template rule 14).
 * Ship a phase without checkboxes (`roadmap-progress-sync` Iron Law #2).
+* Write merge, push, or commit steps into the roadmap. Roadmaps plan
+  **work**; merge / push / commit are delivery decisions owned by the
+  user (`commit-policy` Iron Law). A roadmap is "implementation-complete"
+  once its checkboxes are ticked and verification has been run — merge
+  timing is tracked outside the roadmap.
 * Use ALL-CAPS Iron-Law fenced blocks — those belong in
   [`kernel-membership`](../../../docs/contracts/kernel-membership.md)-listed
   rules, not roadmaps.
@@ -149,6 +154,10 @@ to every roadmap you author.
 - **Author-during-execution branch switches** — the agent should not
   propose a new branch mid-roadmap; that decision is fenced to
   authoring time.
+- **Merge / commit steps in roadmap body** — checkboxes like
+  "merge PR #X" or "commit phase Y" couple roadmap closure to git
+  operations the user has not authorized. Roadmap completion is
+  decoupled from delivery; ship-the-PR is its own decision.
 
 ## Examples
 

package/.agent-src/skills/rule-writing/SKILL.md

@@ -128,6 +128,27 @@ the PR or split by responsibility.
 * Run the full CI pipeline locally (see `Taskfile.yml` in this repo for
   the script list) — must exit 0 except for tolerated warnings.
 
+### 6. Governance baseline (when introducing a new linter check)
+
+**Advisory, reviewer-checked — no CI gate.** When the same PR adds a
+new check to `scripts/skill_linter.py` (or strengthens an existing one)
+such that previously-clean rules now warn, the PR body MUST record the
+pre-existing violations on `main` in a Markdown table:
+
+```markdown
+### Pre-existing baseline (informational)
+
+| Code | Count on main | Bucket |
+|---|---:|---|
+| {new_code} | N | (a) genuine fix · (b) accept · (c) check too aggressive |
+```
+
+Forward-only: the new check applies to **the rule under review** and to
+**future** edits. The baseline table is informational so reviewers can
+distinguish genuine debt from acceptable carry-overs without diffing the
+full lint output. See `agents/analysis/lint-warning-triage.md` for the
+3-bucket reference.
+
 ## Frontmatter shape
 
 ```yaml

package/.agent-src/skills/secrets-management/SKILL.md

@@ -0,0 +1,142 @@
+---
+name: secrets-management
+description: "Use when picking a secrets store, designing rotation, or wiring scanning gates — multi-cloud (Vault, AWS, Azure, GCP), CI, and Kubernetes — decision framework, provider deep-dives externalized."
+source: package
+status: active
+refresh_trigger: "A cited provider deprecates an auth method, OR External Secrets Operator ships a major version with breaking CRD changes, OR ≥30% of cited scanner tools change their gate semantics."
+sunset_criterion: "When provider docs (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) all converge on a single rotation + scanning standard AND consumer projects no longer cite this skill in PR reviews for two consecutive review cycles."
+---
+
+# secrets-management
+
+Decision framework for storing, rotating, and scanning secrets across cloud, CI, and Kubernetes. **Provider deep-dives live upstream** (links in § Provenance) — this skill is the predicate, not the per-vendor cookbook. Sunset-policy compliant.
+
+## When to use
+
+- Designing where a new secret lives (env var, Vault, AWS Secrets Manager, Azure KV, GCP SM, GitHub/GitLab CI, k8s).
+- Reviewing a diff that introduces a credential, API key, signing key, or DB password.
+- Setting up secret rotation for an existing application.
+- Wiring secret-scanning gates into pre-commit, CI, or org-policy.
+
+Do NOT use when:
+
+- The secret is project-AWS-only and `aws-infrastructure` already covers the placement — route there.
+- The work is a security audit of running code — route to [`security-audit`](../security-audit/SKILL.md) or [`threat-modeling`](../threat-modeling/SKILL.md).
+- The decision is which cipher to use for at-rest encryption — read the provider's KMS docs directly.
+
+## Decision framework
+
+### Step 1 — Pick the store
+
+```
+Ephemeral, dev-only, never leaves the laptop  → .env (gitignored). Stop.
+Single-cloud, single-app                       → that cloud's native store
+                                                  (AWS Secrets Manager / Azure Key Vault /
+                                                  GCP Secret Manager).
+Multi-cloud OR on-prem hybrid                  → HashiCorp Vault (or cloud-agnostic equivalent).
+CI-only (deploy keys, signing tokens)          → GitHub/GitLab repo+environment secrets;
+                                                  scope to environment (production/staging).
+Kubernetes workload secrets                    → External Secrets Operator pulling from
+                                                  the canonical store above; never hand-rolled
+                                                  k8s `Secret` objects committed to git.
+Cross-tenant / cross-org shared secret         → don't. Re-architect; shared secrets are an
+                                                  outage and a breach class on their own.
+```
+
+### Step 2 — Pick the access pattern
+
+```
+Application reads at boot                      → fetch once, hold in memory; re-fetch on rotation event.
+Application reads per-request                  → cache with TTL ≤ rotation period / 2.
+Short-lived workload (Lambda, Job)             → fetch per-invocation; rely on platform IAM.
+Long-lived workload                            → leased / dynamic credentials (Vault DB engine,
+                                                  AWS IAM role) — never static creds.
+Human access                                   → no shared logins; per-user identity + audit.
+```
+
+### Step 3 — Define the rotation contract
+
+Every secret MUST have:
+
+- **Owner** — team/person responsible for rotation; tracked in code or runbook.
+- **Period** — calendar trigger (e.g. 90 days for static creds, hours/minutes for dynamic).
+- **Mechanism** — automated (Lambda + Secrets Manager rotation, Vault dynamic secret, IAM role) or documented manual procedure.
+- **Verification** — post-rotation health check; alert if old credential still observed in use after rotation grace window.
+
+Static secrets without a rotation mechanism are a deferred incident — refuse to merge.
+
+### Step 4 — Wire the scanning gates
+
+Three layers, all required:
+
+```
+Pre-commit  → gitleaks / TruffleHog / detect-secrets pre-commit hook.
+CI          → server-side scan on every PR; block merge on high-confidence finding.
+Org policy  → push-protection at the SCM (GitHub Advanced Security secret scanning,
+              GitLab Secret Detection); rotate any leaked secret immediately.
+```
+
+A leaked secret is rotated, not deleted. Git history retention defeats deletion.
+
+### Step 5 — Egress controls
+
+```
+Logs                → mask before write; CI runners must mark secrets as masked.
+Stack traces        → never include secret values; sanitize at the boundary.
+Error responses     → never echo the secret back, even on failure.
+Telemetry / APM     → strip from request/response captures; allowlist headers.
+```
+
+## Procedure: Apply to a new secret
+
+1. **Inspect** the existing secret inventory and IaC for store conventions; run Step 1 and lock the store decision in code/IaC.
+2. Define the access pattern (Step 2); choose static-vs-dynamic explicitly.
+3. Write the rotation contract (Step 3) into the runbook **before** the secret ships.
+4. Verify the three scanning gates (Step 4) cover the repo.
+5. Audit egress paths (Step 5) for the new secret class.
+6. Hand the design to a reviewer; cite this skill.
+
+## Output format
+
+1. Secret-inventory entry: name · store · access-pattern · owner · rotation-period · mechanism.
+2. Scanner-gate matrix: layer · tool · scope · failure mode.
+3. Egress-control checklist with sign-off per category.
+
+## Gotcha
+
+- "We rotate in Secrets Manager" — but the application caches the value forever. Cache TTL must be ≤ rotation grace.
+- External Secrets Operator pulls into a k8s `Secret`; that Secret is base64, **not encrypted**. Threat-model node access accordingly.
+- GitHub environment secrets are NOT available on `pull_request` events from forks — designs that rely on them silently break for external contributors.
+- Vault dynamic creds expire faster than long-running connection pools assume; close + re-acquire on lease near-expiry, don't wait for the failure.
+- Pre-commit scanners fire only when developers install the hook — CI scanners are the load-bearing gate.
+
+## Do NOT
+
+- Do NOT commit a secret, even to a private repo. Rotate any leaked secret; deletion does not work.
+- Do NOT pass secrets via CLI args (`ps` exposes them) — use env or stdin.
+- Do NOT echo secrets in logs, stack traces, error responses, or APM captures.
+- Do NOT hand-roll Kubernetes `Secret` objects committed to git — use External Secrets Operator.
+- Do NOT inline the per-provider cookbooks into this skill — externalize per Sunset Policy.
+
+## Auto-trigger keywords
+
+- secrets management
+- secret rotation
+- vault / aws secrets manager / azure key vault / gcp secret manager
+- external secrets operator
+- secret scanning / gitleaks / trufflehog
+- credential leak
+
+## Provenance
+
+- Adopted from: `Microck/ordinary-claude-skills@8f5c83174f7aa683b4ddc7433150471983b93131:skills_all/secrets-management/SKILL.md` (MIT, © 2025 Microck) — **Sunset Policy applied**: 346-line provider cookbook reduced to a ~140-line decision framework; per-provider deep-dives externalized to upstream docs below.
+- Externalized provider docs:
+  - HashiCorp Vault: https://developer.hashicorp.com/vault/docs · https://developer.hashicorp.com/vault/docs/secrets/databases
+  - AWS Secrets Manager: https://docs.aws.amazon.com/secretsmanager/ · rotation: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
+  - Azure Key Vault: https://learn.microsoft.com/en-us/azure/key-vault/general/
+  - GCP Secret Manager: https://cloud.google.com/secret-manager/docs
+  - External Secrets Operator: https://external-secrets.io/
+  - GitHub secret scanning: https://docs.github.com/en/code-security/secret-scanning · gitleaks: https://github.com/gitleaks/gitleaks · TruffleHog: https://github.com/trufflesecurity/trufflehog
+- Cross-linked: [`aws-infrastructure`](../aws-infrastructure/SKILL.md), [`security-audit`](../security-audit/SKILL.md), [`threat-modeling`](../threat-modeling/SKILL.md), [`security`](../security/SKILL.md).
+- Provenance registry: `agents/contexts/skills-provenance.yml` (entry: `secrets-management`).
+- Iron-Law floor: `verify-before-complete`, `skill-quality`, `non-destructive-by-default`.

package/.agent-src/skills/skill-writing/SKILL.md

@@ -59,6 +59,25 @@ Ask: **"Does the model need this to do its job correctly?"**
 * If the model knows it but does it wrong in THIS project → **Rule or Guideline**
 * If the model needs a multi-step workflow to get it right → **Skill**
 
+### Skills and commands share the `.claude/skills/` namespace
+
+Skills (`.agent-src.uncompressed/skills/{name}/SKILL.md`) AND commands
+(`.agent-src.uncompressed/commands/{name}.md`) both project into
+`.claude/skills/` (`scripts/compress.py` → `generate_claude_skills` +
+`generate_claude_commands`). Claude treats the directory as native
+skills.
+
+* Same-name collision: skill wins, command is skipped
+  (`generate_claude_commands` honors this). Don't reuse a command's
+  slug for a skill unless the command should retire.
+* Both compete on `description` for routing. A weak skill description
+  is shadowed by a stronger same-domain command — and vice versa.
+  Trigger phrasing must be precise (§ 1b below).
+* Workflow has both "user types `/foo`" path AND "model picks this up
+  from intent" path → author the skill first, let the command delegate
+  via `skills:` frontmatter. Two artifacts with the same trigger
+  surface fight each other in the router.
+
 ### When "Nothing" is the right answer
 
 Do NOT create a skill or rule for:

package/.agent-src/skills/testing-anti-patterns/SKILL.md

@@ -0,0 +1,152 @@
+---
+name: testing-anti-patterns
+description: "Use BEFORE writing or changing tests, adding mocks, or putting test-only methods on production classes — five Iron Laws and gates against mocking-the-mock, production pollution, silent partial mocks."
+source: package
+---
+
+# testing-anti-patterns
+
+Tests must verify real behavior, not mock behavior. Mocks isolate; they are not the thing under test. This skill is the **prevention** layer; [`judge-test-coverage`](../judge-test-coverage/SKILL.md) catches what slips through afterwards.
+
+## When to use
+
+- About to write a new test that mocks a collaborator.
+- Tempted to add a method to a production class purely for test cleanup.
+- Mock setup is becoming longer than the test logic itself.
+- A test passes but you cannot explain *what real behavior* it verified.
+- Code review of a diff that adds mocks — run the gates below before approving.
+
+Do NOT use when:
+
+- You need to *write* tests (no anti-pattern present yet) — route to [`pest-testing`](../pest-testing/SKILL.md) or [`test-driven-development`](../test-driven-development/SKILL.md).
+- The test failure is a real bug — route to [`systematic-debugging`](../systematic-debugging/SKILL.md).
+- You need overall coverage assessment of a finished diff — route to [`judge-test-coverage`](../judge-test-coverage/SKILL.md).
+
+## The Iron Laws
+
+```
+1. NEVER test mock behavior — assert on real component behavior.
+2. NEVER add test-only methods to production classes — put them in test utilities.
+3. NEVER mock without understanding the dependency chain — observe first, mock minimally.
+4. NEVER ship partial mocks — mirror the real response shape completely.
+5. NEVER treat tests as an afterthought — write the failing test first.
+```
+
+## Procedure: Run the gate before each anti-pattern
+
+### 1. Inspect the diff before any new mock
+
+Before writing or extending a test, **inspect** the code under test and identify which collaborators are real, which are mocked, and which produce side effects the assertion depends on. Open the file, read the dependency chain, and write the chain down. Do not start mocking until the chain is on paper.
+
+### Anti-Pattern 1 — Asserting on mock elements
+
+Symptom: `expect(screen.getByTestId('sidebar-mock')).toBeInTheDocument()` or `$this->assertSee('mock-sidebar')`. Test passes when the mock is present, fails when it is not — proves nothing about the component.
+
+Gate:
+
+```
+BEFORE asserting on any mocked element / id / class:
+  Ask: "Am I asserting that the mock exists, or that the component behaves correctly?"
+
+  IF asserting that the mock exists:
+    STOP — delete the assertion or unmock the dependency.
+    Replace with a behavior assertion (role, output, side effect).
+```
+
+### Anti-Pattern 2 — Test-only methods in production classes
+
+Symptom: `Session::destroy()` only ever called from `tearDown`. Production class polluted with code dangerous in production.
+
+Gate:
+
+```
+BEFORE adding any method to a production class:
+  Ask: "Is this only used by tests?"
+  IF yes:
+    STOP — move it to a test utility / trait / helper.
+  Ask: "Does this class own this resource's lifecycle?"
+  IF no:
+    STOP — wrong class for this method.
+```
+
+Replacement: a `tests/Support/cleanupSession.php` helper or a trait used only by test classes.
+
+### Anti-Pattern 3 — Mocking without understanding
+
+Symptom: A mocked method had a side effect the test depended on (e.g. wrote config). Mock kills the side effect; the test passes for the wrong reason or fails mysteriously.
+
+Gate:
+
+```
+BEFORE mocking any method:
+  STOP — do not mock yet.
+  1. List the side effects the real method produces.
+  2. List which of those side effects the test actually depends on.
+  3. If the test depends on any of them, mock at a *lower* level (the slow / external bit), preserving the necessary behavior.
+  IF unsure:
+    Run the test with the real implementation FIRST. Observe what fails.
+    THEN mock minimally, just below the failing seam.
+
+  Red flags:
+    - "I'll mock this just to be safe."
+    - "This might be slow, better mock it."
+    - You cannot draw the dependency chain.
+```
+
+### Anti-Pattern 4 — Partial / incomplete mocks
+
+Symptom: Mock returns only the fields the immediate test reads. Downstream code accesses an absent field and the test passes; integration breaks.
+
+Iron Rule: mock the **complete** response shape that the real API returns, not just the fields your assertion uses. If you cannot enumerate the shape, you should not mock.
+
+```
+BEFORE creating a mock response object:
+  1. Examine the real response (docs, recorded fixture, type definition).
+  2. Include EVERY documented field — even ones the test does not read.
+  3. If the shape is unknown, capture a real response into `tests/fixtures/` instead of inventing one.
+```
+
+**Concrete capture tools** for recording the real shape: `curl -s <url> | jq '.'` against a staging endpoint, Postman's "Save Response", Laravel's `Http::fake()` in record mode, or a Playwright network-trace export. Filter the captured payload with `jq` / `grep` to keep only the fields your fixture documents — **do not** dump unredacted secrets into `tests/fixtures/`.
+
+### Anti-Pattern 5 — Tests as an afterthought
+
+Symptom: "Implementation complete, ready for testing." Implementation went in without tests. TDD was skipped, anti-patterns 1–4 are now likely.
+
+Gate: a feature is not complete until a failing-then-passing test cycle ran for it. Route to [`test-driven-development`](../test-driven-development/SKILL.md).
+
+## Output format
+
+1. The mocking decision recorded as a one-line comment in the test file (`// mock at <seam>: <reason>`).
+2. The replacement test (or refactor) once an anti-pattern is identified.
+3. If a test-only method moved out of production, the diff must show both the deletion and the test-utility addition.
+
+## Gotcha
+
+- Vague-test asserts (`assertTrue($result)`) hide mock-behavior assertions — flag any test where the assertion does not name an observable behavior.
+- A "complete" mock that mirrors a v1 API silently rots when v2 ships — link mock fixtures to a real recorded response and re-record on schema changes.
+- Layer 3 environment guards from [`defense-in-depth`](../defense-in-depth/SKILL.md) often expose anti-pattern 2: if a production guard fires only in tests, the test setup is wrong, not the guard.
+- Long mock setups (> 50% of the test) are a signal that integration tests would be simpler — consider it before piling on more mocks.
+- **Diagnose, do not brute-force.** If a test fails after a mock change, **never guess** at another mock tweak — drop a debugger / Xdebug breakpoint at the seam, observe the real call shape, then mock minimally. Two retries without a root-cause hypothesis = STOP and rethink.
+
+## Do NOT
+
+- Do NOT add `*-mock` test ids to production templates.
+- Do NOT extend a production class to expose internals "just for testing".
+- Do NOT mock a method whose side effects the test depends on without reading the implementation.
+- Do NOT invent mock data shapes from memory — record from the real source.
+- Do NOT mark a story complete until at least one test was watched failing first.
+
+## Auto-trigger keywords
+
+- testing anti-patterns
+- mock behavior
+- test-only method
+- partial mock
+- mock without understanding
+
+## Provenance
+
+- Adopted from: `Microck/ordinary-claude-skills@8f5c83174f7aa683b4ddc7433150471983b93131:skills_all/testing-anti-patterns/SKILL.md` (MIT, © 2025 Microck).
+- Cross-linked: [`pest-testing`](../pest-testing/SKILL.md), [`test-driven-development`](../test-driven-development/SKILL.md), [`judge-test-coverage`](../judge-test-coverage/SKILL.md).
+- Provenance registry: `agents/contexts/skills-provenance.yml` (entry: `testing-anti-patterns`).
+- Iron-Law floor: `verify-before-complete`, `skill-quality`.

package/.agent-src/templates/AGENTS.md

@@ -1,25 +1,24 @@
 # {{project_name}}
 
 <!--
-  AGENTS.md entry point for AI coding agents. Installed by
-  `event4u/agent-config`. Fill placeholders (or run `/copilot-agents-init`)
-  and delete this comment. Keep thin; bulk prose belongs in the linked guide.
+  Fill placeholders or run `/agents init`, then delete this
+  comment. Iron Law — capability bullets, not path lists; paths rot.
+  Tool stubs (`CLAUDE.md`, `GEMINI.md`, `.cursorrules`) link here.
+  Anatomy + recipes: `.augment/contexts/contracts/agents-md-anatomy.md`.
 -->
 
-{{project_description}}
+> {{project_description}}
 
 ## Layers
 
-| Layer | Location | Purpose |
+| Layer | Location | Edits |
 |---|---|---|
-| **Shared package** | `.augment/`, `.agent-src/` | Installed skills / rules / commands — do not hand-edit |
-| **Project overrides** | `agents/overrides/` | Customizations of shared resources |
-| **Project docs** | `agents/` | Architecture, features, roadmaps, sessions, contexts |
-| **Agent settings** | `.agent-settings.yml` | Project-specific config consumed by skills |
+| Installed package | `.augment/`, `.agent-src/` | hands-off — managed by `event4u/agent-config` |
+| Project layer | `agents/`, `agents/overrides/`, `.agent-settings.yml` | your customizations and config |
 
 ## Pointers
 
-- **Filling out this AGENTS.md** — tech-stack / dev-setup / testing / quality / project-structure templates plus `/work` + `/implement-ticket` entry flow and multi-agent matrix: [`.augment/contexts/contracts/consumer-agents-md-guide.md`](.augment/contexts/contracts/consumer-agents-md-guide.md).
+- **Filling out this AGENTS.md** — section templates, capability bullets, multi-agent entry flow, monorepo per-package layout: [`.augment/contexts/contracts/consumer-agents-md-guide.md`](.augment/contexts/contracts/consumer-agents-md-guide.md).
 - **Behavior rules (always active)** — Iron Laws and routed rules that fire automatically while you work in this project: [`.augment/rules/`](.augment/rules/).
 - **Skills (on-demand expertise)** — domain skills surfaced by description; invoked when their trigger fires: [`.augment/skills/`](.augment/skills/).
 - **Commands (workflows)** — slash-commands the agent runs end-to-end (`/work`, `/implement-ticket`, `/commit`, `/create-pr`, …): [`.augment/commands/`](.augment/commands/).

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "Shared agent configuration \u2014 skills for AI coding tools (Claude Code, Augment, Cursor, Cline, Windsurf, Gemini CLI).",
-    "version": "1.28.0"
+    "version": "1.31.0"
   },
   "plugins": [
     {
@@ -22,9 +22,9 @@
         "./.claude/skills/agent-status",
         "./.claude/skills/agents",
         "./.claude/skills/agents-audit",
-        "./.claude/skills/agents-cleanup",
+        "./.claude/skills/agents-init",
         "./.claude/skills/agents-md-thin-root",
-        "./.claude/skills/agents-prepare",
+        "./.claude/skills/agents-optimize",
         "./.claude/skills/ai-council",
         "./.claude/skills/analysis-autonomous-mode",
         "./.claude/skills/analysis-skill-router",
@@ -33,6 +33,7 @@
         "./.claude/skills/api-endpoint",
         "./.claude/skills/api-testing",
         "./.claude/skills/artisan-commands",
+        "./.claude/skills/async-python-patterns",
         "./.claude/skills/authz-review",
         "./.claude/skills/aws-infrastructure",
         "./.claude/skills/blade-ui",
@@ -63,10 +64,7 @@
         "./.claude/skills/context-document",
         "./.claude/skills/context-refactor",
         "./.claude/skills/conventional-commits-writing",
-        "./.claude/skills/copilot-agents",
-        "./.claude/skills/copilot-agents-init",
         "./.claude/skills/copilot-agents-optimization",
-        "./.claude/skills/copilot-agents-optimize",
         "./.claude/skills/copilot-config",
         "./.claude/skills/cost-report",
         "./.claude/skills/council",
@@ -81,6 +79,7 @@
         "./.claude/skills/database",
         "./.claude/skills/dcf-modeling",
         "./.claude/skills/deep-reading-analyst",
+        "./.claude/skills/defense-in-depth",
         "./.claude/skills/dependency-upgrade",
         "./.claude/skills/description-assist",
         "./.claude/skills/design-review",
@@ -91,6 +90,7 @@
         "./.claude/skills/e2e-heal",
         "./.claude/skills/e2e-plan",
         "./.claude/skills/eloquent",
+        "./.claude/skills/error-handling-patterns",
         "./.claude/skills/estimate-ticket",
         "./.claude/skills/existing-ui-audit",
         "./.claude/skills/fe-design",
@@ -146,6 +146,7 @@
         "./.claude/skills/logging-monitoring",
         "./.claude/skills/markitdown",
         "./.claude/skills/mcp",
+        "./.claude/skills/mcp-builder",
         "./.claude/skills/md-language-check",
         "./.claude/skills/memory",
         "./.claude/skills/memory-add",
@@ -165,7 +166,7 @@
         "./.claude/skills/onboard",
         "./.claude/skills/openapi",
         "./.claude/skills/optimize",
-        "./.claude/skills/optimize-agents",
+        "./.claude/skills/optimize-agents-dir",
         "./.claude/skills/optimize-augmentignore",
         "./.claude/skills/optimize-prompt",
         "./.claude/skills/optimize-rtk",
@@ -197,6 +198,7 @@
         "./.claude/skills/project-analyzer",
         "./.claude/skills/project-docs",
         "./.claude/skills/project-health",
+        "./.claude/skills/prompt-engineering-patterns",
         "./.claude/skills/prompt-optimizer",
         "./.claude/skills/quality-fix",
         "./.claude/skills/quality-tools",
@@ -208,6 +210,7 @@
         "./.claude/skills/receiving-code-review",
         "./.claude/skills/refine-prompt",
         "./.claude/skills/refine-ticket",
+        "./.claude/skills/repomix-packer",
         "./.claude/skills/requesting-code-review",
         "./.claude/skills/research",
         "./.claude/skills/review-changes",
@@ -225,6 +228,7 @@
         "./.claude/skills/rule-compliance-audit",
         "./.claude/skills/rule-writing",
         "./.claude/skills/script-writing",
+        "./.claude/skills/secrets-management",
         "./.claude/skills/security",
         "./.claude/skills/security-audit",
         "./.claude/skills/sentry-integration",
@@ -244,6 +248,7 @@
         "./.claude/skills/terragrunt",
         "./.claude/skills/test-driven-development",
         "./.claude/skills/test-performance",
+        "./.claude/skills/testing-anti-patterns",
         "./.claude/skills/tests",
         "./.claude/skills/tests-create",
         "./.claude/skills/tests-execute",

package/AGENTS.md

@@ -19,8 +19,7 @@ task ci                # full pipeline — green before PR
 - **Package self-orientation** — identity, four-wing cognition map, repo layout, tech stack, key-rules table, telemetry, command-suggester: [`docs/contracts/package-self-orientation.md`](docs/contracts/package-self-orientation.md).
 - **Kernel + Router** — 9 always-loaded Iron-Law rules, tier-1 / tier-2 routing, cost profiles, per-rule char caps enforced by `task lint-rule-budget`: [`kernel-membership`](docs/contracts/kernel-membership.md) + [`rule-router`](docs/contracts/rule-router.md).
 - **Multi-tool projection** — Augment, Claude Code, Cursor, Cline, Windsurf, Gemini CLI, Claude.ai bundle pipeline that ships from `.agent-src/` to consumer surfaces: [`docs/architecture.md`](docs/architecture.md#cloud-bundle-pipeline).
-- **Iron-Law rules when editing this repo** — portability, source-of-truth, skill-quality: [`augment-portability`](.agent-src/rules/augment-portability.md), [`augment-source-of-truth`](.agent-src/rules/augment-source-of-truth.md), [`skill-quality`](.agent-src/rules/skill-quality.md).
-- **Thin-Root contract** governing **this** file (cap, pointer ratio, emergency-triage block) — read before editing AGENTS.md: [`agents-md-thin-root`](.agent-src/skills/agents-md-thin-root/SKILL.md).
+- **Editing this repo** — Iron-Law rules (portability, source-of-truth, skill-quality) and the Thin-Root contract (caps · pointer-ratio · triage block) governing AGENTS.md: [`augment-portability`](.agent-src/rules/augment-portability.md), [`augment-source-of-truth`](.agent-src/rules/augment-source-of-truth.md), [`skill-quality`](.agent-src/rules/skill-quality.md), [`agents-md-thin-root`](.agent-src/skills/agents-md-thin-root/SKILL.md).
 - **Consumer story + architecture deep-dive** — what the package does for installers and how it ships: [`README.md`](README.md), [`docs/architecture.md`](docs/architecture.md).
 
 ## Emergency triage — read this when nothing else is reachable