@event4u/agent-config 2.25.0 → 3.0.0

package/.agent-src/skills/rule-refactor/SKILL.md

@@ -0,0 +1,157 @@
+---
+name: rule-refactor
+description: "Use when the rule set is over the Augment budget, when a new rule would breach it, or when asked to audit / merge / prune rules — runs the audit pipeline and proposes a verdict per rule."
+source: package
+domain: process
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
+---
+
+<!-- cloud_safe: degrade -->
+
+# rule-refactor
+
+## When to use
+
+* `measure_augment_budget --check` fails (utilisation ≥ 0.95)
+* A new rule would push the budget over 0.95 — caught by the budget
+  gate in [`rule-writing`](../rule-writing/SKILL.md)
+* User says "audit rules", "rule cleanup", "rules over budget",
+  "prune rules", "merge rules", "rule system review"
+* Periodic governance pass after a batch of rule additions
+
+Do NOT use this skill for:
+
+* Editing a single rule's content → [`rule-writing`](../rule-writing/SKILL.md)
+* Picking always vs auto for one new rule → [`rule-writing`](../rule-writing/SKILL.md)
+
+## Iron Law
+
+**Threshold-lift is forbidden.** When the budget breaches, the
+content must shrink — not the gate. Loosening `FAIL_THRESHOLD` in
+`scripts/measure_augment_budget.py` to make CI pass is an explicit
+anti-pattern. The only valid budget-growth move is an ADR that
+raises `TOTAL_CAP`.
+
+## Procedure
+
+### 1. Inspect the current budget state
+
+```bash
+python3 scripts/measure_augment_budget.py --json > /tmp/budget-before.json
+python3 scripts/measure_rule_budget.py --json > /tmp/rule-budget-before.json
+```
+
+### 2. Run the audit pipeline
+
+The audit infrastructure already exists — compose it:
+
+```bash
+python3 scripts/audit_auto_rules.py      # → agents/runtime/reports/auto-rules-audit.{json,md}
+python3 scripts/audit_overlap.py         # → appends overlap pairs to the MD
+python3 scripts/audit_likelihood.py      # → agents/runtime/reports/auto-rules-likelihood.json
+```
+
+Then read `agents/runtime/reports/auto-rules-audit.md` end-to-end.
+
+### 3. Categorise every flagged rule
+
+For each rule the audit surfaces (overlap pair, low-likelihood, oversized,
+or the new addition that triggered this skill), assign exactly one verdict:
+
+| Verdict | Test |
+|---|---|
+| **keep** | Iron-Law / always-on safety net, no overlap, fires often |
+| **merge** | ≥ 2 rules same domain, near-identical triggers, overlap ≥ 0.4 |
+| **delete** | Never fires (low-likelihood + no path/keyword hit in 30 days), or fully subsumed by a skill |
+| **move-to-context** | Body is reference material (tables, mechanics, examples) — the obligation is short, the rest is lookup |
+| **promote-to-skill** | Body has numbered steps / a workflow — not a constraint |
+
+### 4. Present the verdict table to the user
+
+One Markdown table, one row per flagged rule, **before** any file
+change. User approves the list. No silent edits.
+
+### 5. Apply approved changes
+
+For each approved verdict:
+
+* **merge** → rewrite the surviving rule to cover both domains;
+  delete the absorbed one; update any `routes_to:` references.
+* **delete** → remove the file from `.agent-src.uncompressed/rules/`
+  and the corresponding `.agent-src/rules/` projection.
+* **move-to-context** → extract the body into
+  `.agent-src.uncompressed/contexts/<area>/<name>.md`, replace the
+  rule body with the obligation + a `load_context:` pointer.
+* **promote-to-skill** → create
+  `.agent-src.uncompressed/skills/<name>/SKILL.md`, replace the rule
+  with an auto-trigger stub that routes to it (or delete the rule
+  entirely if the skill's own trigger suffices).
+
+### 6. Re-validate
+
+```bash
+bash scripts/compress.sh --sync
+python3 scripts/compress.py --generate-tools
+python3 scripts/measure_augment_budget.py --check   # must exit 0
+python3 scripts/skill_linter.py --all               # 0 FAIL
+```
+
+Then run your package's full CI pipeline (see `Taskfile.yml` for the
+canonical sequence) before pushing.
+
+### 7. Record the delta
+
+Append a snapshot to `agents/.augment-budget-history.jsonl`:
+
+```bash
+python3 scripts/measure_augment_budget.py --trend-append
+```
+
+Commit the cleanup as a separate chunk from any rule-add commits so
+the history shows "added X" + "cleaned up Y" as distinct steps.
+
+## Output format
+
+1. Verdict table (approved by user) at the top of the cleanup PR description
+2. Per-verdict commits (one per merge / delete / move / promote group)
+3. Final `measure_augment_budget --check` output showing utilisation < 0.95
+4. Trend snapshot recorded
+
+## Gotchas
+
+* Do NOT raise `FAIL_THRESHOLD` to dodge the audit
+* Do NOT delete a rule that has a `routes_to:` pointer without
+  updating the pointer's source
+* Do NOT merge rules across tier boundaries (e.g. tier-1 always
+  with a tier-3 stub) without surfacing the tier collapse to the user
+* Do NOT skip the trend-append — the history is what tells future
+  agents how the cap was managed
+
+## Do NOT
+
+* Do NOT loosen the budget gate
+* Do NOT touch the cap (`TOTAL_CAP`) without an ADR
+* Do NOT apply changes before user approves the verdict table
+* Do NOT delete the rule-refactor audit reports — they're the
+  artifact reviewers cite
+
+## Cloud Behavior
+
+On cloud surfaces, the audit scripts are not reachable. The skill
+still applies — prose-only:
+
+* Inspect the rule list (frontmatter + descriptions) and propose the
+  verdict table from reading alone.
+* Tell the user to run the audit scripts locally before applying.
+* Do not attempt to call any script.

package/.agent-src/skills/rule-writing/SKILL.md

@@ -3,6 +3,18 @@ name: rule-writing
 description: "Use when creating or editing a rule in .agent-src.uncompressed/rules/ — trigger wording, always vs auto classification, size budget — even when the user just says 'add a rule for X'."
 source: package
 domain: process
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 <!-- cloud_safe: degrade -->
@@ -129,12 +141,38 @@ the PR or split by responsibility.
 * Run the full CI pipeline locally (see `Taskfile.yml` in this repo for
   the script list) — must exit 0 except for tolerated warnings.
 
+### 5b. Budget-discipline gate — hard stop
+
+After validation, before declaring the rule done, run:
+
+```bash
+python3 scripts/measure_augment_budget.py --check
+```
+
+If utilisation is `≥ 0.95` (or the check exits non-zero), **STOP** and
+invoke [`rule-refactor`](../rule-refactor/SKILL.md). Do NOT:
+
+* Trim the new rule further to "just fit" — if it needs that body to
+  do its job, the rule is right and the rule set around it is wrong.
+* Raise `FAIL_THRESHOLD` in `scripts/measure_augment_budget.py` —
+  threshold-lift is explicitly forbidden (see the
+  [`validation-budget`](../../rules/validation-budget.md) rule and
+  the `rule-refactor` Iron Law).
+* Promote an always-rule to auto to dodge the cap if the rule's
+  semantics require always-on visibility — that breaks the rule, not
+  the budget.
+
+The discipline: budget pressure is the signal that the rule **set**
+needs a cleanup pass, not that the new rule needs to be smaller. The
+`rule-refactor` skill runs the audit and proposes merge / delete /
+move-to-context / promote-to-skill so the new rule earns its space.
+
 ### 6. Governance baseline (when introducing a new linter check)
 
 **Advisory, reviewer-checked — no CI gate.** When the same PR adds a
-new check to `scripts/skill_linter.py` (or strengthens an existing one)
-such that previously-clean rules now warn, the PR body MUST record the
-pre-existing violations on `main` in a Markdown table:
+new check to `scripts/skill_linter.py` (or strengthens an existing
+one) such that previously-clean rules now warn, the PR body MUST
+record the pre-existing violations on `main` in a Markdown table:
 
 ```markdown
 ### Pre-existing baseline (informational)
@@ -144,11 +182,11 @@ pre-existing violations on `main` in a Markdown table:
 | {new_code} | N | (a) genuine fix · (b) accept · (c) check too aggressive |
 ```
 
-Forward-only: the new check applies to **the rule under review** and to
-**future** edits. The baseline table is informational so reviewers can
-distinguish genuine debt from acceptable carry-overs without diffing the
-full lint output. See `agents/analysis/lint-warning-triage.md` for the
-3-bucket reference.
+Forward-only: the new check applies to **the rule under review** and
+to **future** edits. The baseline table is informational so reviewers
+can distinguish genuine debt from acceptable carry-overs without
+diffing the full lint output. See
+`agents/evidence/analysis/lint-warning-triage.md` for the 3-bucket reference.
 
 ## Frontmatter shape
 

package/.agent-src/skills/runway-cognition/SKILL.md

@@ -7,8 +7,18 @@ source: package
 domain: process
 context_spine: [org-stage, fiscal-period, product]
 recommended_for_user_types: [founder, finance]
-
-
+workspaces:
+  - finance
+packs:
+  - finance-basic
+lifecycle: active
+trust:
+  level: professional
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: true
 ---
 
 # runway-cognition

package/.agent-src/skills/scenario-modeling/SKILL.md

@@ -7,8 +7,18 @@ source: package
 domain: process
 context_spine: [org-stage, fiscal-period, product]
 recommended_for_user_types: [founder, finance]
-
-
+workspaces:
+  - finance
+packs:
+  - finance-advanced
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: false
+  removable: true
 ---
 
 # scenario-modeling

package/.agent-src/skills/scene-expander/SKILL.md

@@ -5,6 +5,18 @@ personas:
   - hollywood-director
 source: package
 domain: product
+workspaces:
+  - small-business
+packs:
+  - ai-video
+lifecycle: experimental
+trust:
+  level: experimental
+  confidence: high
+  human_review_required: false
+install:
+  default: false
+  removable: true
 ---
 
 # scene-expander
@@ -44,7 +56,7 @@ Do NOT use when:
    (live-action with VFX) → `hollywood-director`; record VFX intent
    in ENVIRONMENT.
 3. Check for an existing `character.json` lock under
-   `agents/ai-video/<project>/characters/`.
+   `agents/reference/ai-video/<project>/characters/`.
 
 ### Step 1: Emit the 12 blocks
 
@@ -127,11 +139,11 @@ Any "no" → revise that block.
 
 The 12-block Cinematic Scene Blueprint is the policy choke point — every downstream skill (`motion-choreographer`, `video-director`) inherits whatever the blueprint encodes. Before emitting:
 
-- [`agents/policies/media/likeness.md`](../../../agents/policies/media/likeness.md) — when the SUBJECT block names or visually identifies a real person.
-- [`agents/policies/media/public-figures.md`](../../../agents/policies/media/public-figures.md) — when the SUBJECT block is a recognised public figure.
-- [`agents/policies/media/brand-impersonation.md`](../../../agents/policies/media/brand-impersonation.md) — when STYLE / ENVIRONMENT references a recognised brand's visual identity.
-- [`agents/policies/media/style.md`](../../../agents/policies/media/style.md) — when STYLE anchors to a named living artist or studio as the primary signature.
-- [`agents/policies/media/disclosure.md`](../../../agents/policies/media/disclosure.md) — every distributed blueprint output carries the AI-generation disclosure downstream.
+- [`agents/settings/policies/media/likeness.md`](../../../agents/settings/policies/media/likeness.md) — when the SUBJECT block names or visually identifies a real person.
+- [`agents/settings/policies/media/public-figures.md`](../../../agents/settings/policies/media/public-figures.md) — when the SUBJECT block is a recognised public figure.
+- [`agents/settings/policies/media/brand-impersonation.md`](../../../agents/settings/policies/media/brand-impersonation.md) — when STYLE / ENVIRONMENT references a recognised brand's visual identity.
+- [`agents/settings/policies/media/style.md`](../../../agents/settings/policies/media/style.md) — when STYLE anchors to a named living artist or studio as the primary signature.
+- [`agents/settings/policies/media/disclosure.md`](../../../agents/settings/policies/media/disclosure.md) — every distributed blueprint output carries the AI-generation disclosure downstream.
 
 Refuse-and-surface at the blueprint layer; do not push policy questions down to the adapter.
 

package/.agent-src/skills/script-writing/SKILL.md

@@ -3,6 +3,18 @@ name: script-writing
 description: "Use when adding or editing any script under `scripts/` — `--quiet` flag, `_lib/script_output` helpers, silent Taskfile wiring, Iron-Law carve-outs — even when you just say 'add a check script for X'."
 source: package
 domain: process
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 <!-- cloud_safe: degrade -->
@@ -20,7 +32,7 @@ Do NOT use this skill when:
 
 * The content is a one-off / archival under `scripts/ai_council/one_off_archive/` — those carry an `_one_off_` prefix and are exempt from the verbosity convention
 * The content is a shell entrypoint with secret prompts (install-keys, release confirms) → see § 3 Iron-Law carve-outs
-* The content is a `.mjs` / Node script under `scripts/cost/` — different runtime; convention covered in `agents/contexts/cost-tracking.md`
+* The content is a `.mjs` / Node script under `scripts/cost/` — different runtime; convention covered in `agents/settings/contexts/cost-tracking.md`
 
 ## Script vs other writers — critical test
 

package/.agent-src/skills/secrets-management/SKILL.md

@@ -7,8 +7,18 @@ status: active
 refresh_trigger: "A cited provider deprecates an auth method, OR External Secrets Operator ships a major version with breaking CRD changes, OR ≥30% of cited scanner tools change their gate semantics."
 sunset_criterion: "When provider docs (Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) all converge on a single rotation + scanning standard AND consumer projects no longer cite this skill in PR reviews for two consecutive review cycles."
 recommended_for_user_types: [ops, developer]
-
-
+workspaces:
+  - engineering
+packs:
+  - engineering-base
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # secrets-management
@@ -142,5 +152,5 @@ Telemetry / APM     → strip from request/response captures; allowlist headers.
   - External Secrets Operator: https://external-secrets.io/
   - GitHub secret scanning: https://docs.github.com/en/code-security/secret-scanning · gitleaks: https://github.com/gitleaks/gitleaks · TruffleHog: https://github.com/trufflesecurity/trufflehog
 - Cross-linked: [`aws-infrastructure`](../aws-infrastructure/SKILL.md), [`security-audit`](../security-audit/SKILL.md), [`threat-modeling`](../threat-modeling/SKILL.md), [`security`](../security/SKILL.md).
-- Provenance registry: `agents/contexts/skills-provenance.yml` (entry: `secrets-management`).
+- Provenance registry: `agents/settings/contexts/skills-provenance.yml` (entry: `secrets-management`).
 - Iron-Law floor: `verify-before-complete`, `skill-quality`, `non-destructive-by-default`.

package/.agent-src/skills/security/SKILL.md

@@ -1,8 +1,20 @@
 ---
 name: security
-description: "Use when applying security best practices — authentication, authorization via Policies, CSRF protection, input sanitization, rate limiting, or secure coding."
+description: "Use when applying security best practices — authentication, authorization, CSRF protection, input sanitization, rate limiting, or secure coding — stack-agnostic."
 source: package
 domain: quality
+workspaces:
+  - engineering
+packs:
+  - engineering-base
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # security
@@ -13,65 +25,74 @@ Use when implementing authentication, authorization, or any security-sensitive f
 
 Do NOT use when:
 
-* Validation logic only — route to [`laravel-validation`](../laravel-validation/SKILL.md)
-* Full security audit — route to [`security-audit`](../security-audit/SKILL.md)
-* You need a pre-implementation threat model — route to
-  [`threat-modeling`](../threat-modeling/SKILL.md)
-* You need end-to-end authorization analysis — route to
-  [`authz-review`](../authz-review/SKILL.md)
+* Validation logic only — route to the project's validation carve-out ([`laravel-validation`](../laravel-validation/SKILL.md) for Laravel; otherwise the framework-native primitive — Zod / class-validator, Pydantic, struct-tag validators).
+* Full security audit — route to [`security-audit`](../security-audit/SKILL.md).
+* You need a pre-implementation threat model — route to [`threat-modeling`](../threat-modeling/SKILL.md).
+* You need end-to-end authorization analysis — route to [`authz-review`](../authz-review/SKILL.md).
 
-## Procedure: Implement security for a feature
+## Stack-specific carve-outs
+
+The procedure below is stack-agnostic. For framework-specific primitives (Laravel Policies / Gates / FormRequests, Symfony voters, NestJS guards, Next.js middleware), defer to:
+
+| Stack | Carve-out |
+|---|---|
+| Laravel | [`laravel`](../laravel/SKILL.md), [`laravel-validation`](../laravel-validation/SKILL.md), [`laravel-middleware`](../laravel-middleware/SKILL.md) |
+| Symfony | [`symfony-workflow`](../symfony-workflow/SKILL.md) |
+| Next.js / TS | [`nextjs-patterns`](../nextjs-patterns/SKILL.md) |
+
+## Procedure: Implement security for a feature (stack-neutral)
 
 ### Step 0: Inspect
 
-1. Read `agents/authentication.md` for auth flow.
-2. Read `agents/gates.md` for gate/policy patterns.
-3. Check existing policies in `app/Policies/`.
+1. Read the project's auth doc (`agents/authentication.md`, `docs/auth.md`, or framework docs).
+2. Read the project's authorization doc (gates / policies / voters / guards).
+3. Locate existing authorization rules in the project's idiomatic location (Laravel `app/Policies/`, Symfony `src/Security/Voter/`, NestJS `*.guard.ts`).
 
 ### Step 1: Authentication
 
-- Check auth setup: `tymon/jwt-auth` or `laravel/sanctum`.
-- Check `config/auth.php` for guards and providers.
-- Customer identification happens after auth — see `multi-tenancy` skill.
+- Identify the auth mechanism in use (session, JWT, OAuth, API token) — read the framework's auth config (`config/auth.php`, `next-auth.config.ts`, Symfony `security.yaml`, FastAPI dependency).
+- Check guard / strategy / provider configuration.
+- Multi-tenant identification happens **after** authentication — see [`multi-tenancy`](../multi-tenancy/SKILL.md).
 
 ### Step 2: Authorization
 
-1. Create policy in `app/Policies/` if needed.
-2. Use in FormRequest `authorize()` or controller `$this->authorize()`.
-3. Check `agents/gates.md` for non-model gates.
+1. Create / locate the authz rule in the framework's idiomatic primitive (Policy, voter, guard, middleware, route dependency).
+2. Apply it at the request boundary (FormRequest `authorize()`, controller / route-handler dependency, middleware chain).
+3. Cover non-model gates (cross-aggregate rules) — keep them centralised, not scattered across handlers.
 
 ### Step 3: Review for adversarial
 
-For security-sensitive changes, run `adversarial-review` skill.
+For security-sensitive changes, run [`adversarial-review`](../adversarial-review/SKILL.md).
 Focus on: attack surface, trusting user input, authorization gaps.
 
 ## Conventions
 
-→ See guideline `php/security.md` for auth, SQL injection, XSS, CSRF, headers, session, mass assignment.
+→ For PHP / Laravel specifics (auth helpers, mass assignment, Blade escaping, CSRF middleware): see guideline `docs/guidelines/php/security.md`.
+→ For other stacks, follow the framework's hardening guide and the carve-outs above.
 
 ### Validate
 
-- Verify all user input is validated via FormRequest before use.
-- Confirm authorization check exists (Policy or Gate) for every state-changing action.
-- Check that no raw user input reaches SQL, HTML output, or shell commands.
-- Run PHPStan — must pass (catches type-safety issues that enable injection).
+- Verify all user input is validated at the boundary via the framework's primitive — never trust raw request data.
+- Confirm an authorization check exists for every state-changing action.
+- Check that no raw user input reaches SQL, HTML output, shell commands, or template renderers without escaping.
+- Run the project's type-checker — must pass (catches type-safety issues that enable injection).
 
 ## Output format
 
-1. Security-hardened code with auth, validation, and sanitization
-2. Policy class for authorization if needed
+1. Security-hardened code with auth, input validation at the boundary, and output encoding.
+2. Authorization rule (Policy / voter / guard / middleware) co-located with the route.
 
 ## Gotcha
 
 - Validation ensures format, not intent — don't trust input after validation alone.
-- `Gate::authorize()` throws, `Gate::allows()` returns bool — choose based on error handling.
-- Rate limiting: ALL public endpoints, not just login.
+- "Throw" vs "boolean" authz APIs behave differently (`Gate::authorize()` throws vs `Gate::allows()` returns bool in Laravel; `CanActivate` in NestJS throws; FastAPI dependencies throw `HTTPException`). Pick based on how the framework expects failure to surface.
+- Rate-limit ALL public endpoints, not just login.
 - Never log passwords, tokens, or API keys.
 
 ## Do NOT
 
-- Do NOT bypass FormRequest validation in controllers.
-- Do NOT use `$request->all()` for mass assignment — use `$request->validated()`.
+- Do NOT bypass the framework's request-validation primitive inside handlers.
+- Do NOT bulk-bind raw request payloads to ORM entities without an explicit allow-list (`$fillable` / `$guarded`, DTO mapping, Pydantic model).
 - Do NOT store plaintext passwords or secrets in the database.
 - Do NOT expose internal error details in production API responses.
 

package/.agent-src/skills/security-audit/SKILL.md

@@ -3,6 +3,18 @@ name: security-audit
 description: "ONLY when user explicitly requests: security audit, vulnerability scan, or penetration test review. NOT for regular feature work."
 source: package
 domain: quality
+workspaces:
+  - engineering
+packs:
+  - engineering-base
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # security-audit

package/.agent-src/skills/sentry-integration/SKILL.md

@@ -3,6 +3,18 @@ name: sentry-integration
 description: "Use when the user shares a Sentry URL, says "check Sentry", or wants to investigate production errors. Uses Sentry MCP tools for deep analysis."
 source: package
 domain: devops
+workspaces:
+  - engineering
+packs:
+  - engineering-base
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # Sentry Skill

package/.agent-src/skills/sequential-thinking/SKILL.md

@@ -3,6 +3,18 @@ name: sequential-thinking
 description: "ONLY when user explicitly requests: step-by-step reasoning, structured problem decomposition, or iterative analysis. NOT for regular coding tasks."
 source: package
 domain: process
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # sequential-thinking

package/.agent-src/skills/skill-improvement-pipeline/SKILL.md

@@ -7,6 +7,18 @@ execution:
   type: assisted
   handler: internal
   allowed_tools: []
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # skill-improvement-pipeline

package/.agent-src/skills/skill-management/SKILL.md

@@ -7,6 +7,18 @@ execution:
   type: assisted
   handler: internal
   allowed_tools: []
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # skill-management

package/.agent-src/skills/skill-reviewer/SKILL.md

@@ -7,6 +7,18 @@ execution:
   type: assisted
   handler: internal
   allowed_tools: []
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # Skill Reviewer
@@ -193,7 +205,7 @@ Before scoring the 5 Killers, verify structure:
 ```markdown
 | Skill | K1 Desc | K2 Over | K3 Obvious | K4 Gotcha | K5 Size | K6 Pointer | K7 Analysis | Verdict |
 |---|---|---|---|---|---|---|---|---|
-| dto-creator | ❌ | ✅ | ✅ | ⚠️ | ✅ | ✅ | ✅ | Fix description |
+| laravel-dto | ❌ | ✅ | ✅ | ⚠️ | ✅ | ✅ | ✅ | Fix description |
 ```
 
 ## Output format

package/.agent-src/skills/skill-writing/SKILL.md

@@ -4,6 +4,18 @@ description: "Use when deciding 'should this be a skill or a rule?', creating/im
 source: project
 domain: process
 meta_skill: true
+workspaces:
+  - agent-config-maintainer
+packs:
+  - meta
+lifecycle: active
+trust:
+  level: core
+  confidence: high
+  human_review_required: false
+install:
+  default: true
+  removable: false
 ---
 
 # skill-writing