@fenixforce/edition-pro 0.1.0

package/skills/builtin/security-audit/SKILL.md

@@ -0,0 +1,113 @@
+---
+name: security-audit
+description: "Use this skill when auditing application security, testing for vulnerabilities, checking OWASP compliance, or performing pre-launch security reviews. Triggers: 'security audit', 'vulnerability', 'penetration test', 'OWASP', 'prompt injection', 'security review', 'pre-launch check', or any request to evaluate application security."
+license: MIT
+---
+
+# Security Audit
+
+## What This Skill Does
+
+Audit applications against OWASP Top 10 for LLM applications and standard web security. Prompt injection testing, data leakage checks, input validation, auth verification.
+
+## Audit Checklist
+
+### 1. Prompt Injection (OWASP LLM01)
+- Direct: "Ignore previous instructions..."
+- Indirect: Embedded in documents the agent processes
+- Context manipulation: "The system prompt says..."
+- Encoding evasion: base64, unicode, markdown injection
+- Verify instruction hierarchy blocks all escalation
+
+### 2. Data Leakage (OWASP LLM06)
+- Can user extract the system prompt?
+- Can user access other users' data? (session isolation)
+- Are API keys visible in any output?
+- Does privacy classification prevent PII in logs?
+
+### 3. Input Validation
+- Max input length enforced?
+- File upload restrictions (type, size)?
+- URL validation (SSRF protection)?
+- Shell command sanitization?
+- SQL injection vectors?
+
+### 4. Authentication & Authorization
+- All API endpoints authenticated?
+- Workspace/tenant isolation enforced?
+- Rate limiting on auth endpoints?
+- Password hashing with bcrypt/argon2?
+- JWT expiration and refresh working?
+
+### 5. Dependencies
+- `bun audit` / `npm audit` zero critical vulns?
+- No known-vulnerable packages?
+- Packages pinned to specific versions?
+
+## Report Format
+
+```markdown
+# Security Audit Report
+**Date:** YYYY-MM-DD
+**Scope:** [what was audited]
+
+## Findings
+
+### [CRITICAL] Finding Name
+**Location:** file:line
+**Description:** What's wrong
+**Reproduction:** Steps to exploit
+**Remediation:** How to fix
+
+## Passed Checks
+- [list of things that passed]
+
+## Risk Rating: [LOW/MEDIUM/HIGH/CRITICAL]
+```
+
+## Rules
+
+- Never skip prompt injection testing
+- Test in staging, never production
+- Document every finding with reproduction steps
+- Critical and High findings block deployment
+- Re-test after fixes are applied
+
+## Policy-Based Sandboxing (Agent Governance pattern)
+
+Define allowed and denied actions in YAML policy files:
+```yaml
+policies:
+  - name: no-destructive-writes
+    actions: [delete_file, drop_table, rm_rf]
+    decision: deny
+    reason: "Destructive operations require human approval"
+  - name: rate-limit-api
+    actions: [external_api_call]
+    max_per_minute: 10
+    decision: allow_with_limit
+```
+
+Intercept tool calls before execution. Check against policies. Log every decision.
+
+## Trust Scoring
+
+Agents earn trust through successful operations, lose trust on failures:
+- SUSPENDED (0-299): cannot execute any tools
+- RESTRICTED (300-499): read-only tools only
+- BASIC (500-699): standard tool access
+- TRUSTED (700-899): elevated access
+- PRIVILEGED (900-1000): full access including destructive operations
+
+Scoring: +10 for successful operations, -20 for failures, -100 for security violations.
+
+## Delegation Chains
+
+When Agent A delegates to Agent B, B's permissions must be a strict subset of A's. Scope narrows at each delegation level. An agent cannot grant permissions it doesn't have.
+
+## Dry-Run Harness
+
+For any action with real-world consequences (deploy, send email, delete data):
+1. **Propose**: list all side effects the action will have
+2. **Review**: surface logs, expected outcomes, reversibility
+3. **Execute**: only after explicit approval

package/skills/builtin/security-self-audit/SKILL.md

@@ -0,0 +1,311 @@
+# Security Self-Audit Skill
+
+## Trigger
+Activate when: user mentions "security audit", "check security", "audit deployment", "security hardening", "what vulnerabilities", "run security check", "security posture", "security review".
+
+## Overview
+Comprehensive read-only audit of the Fenix deployment's security posture across 12 domains. Generates a structured severity report with specific remediations. **Never modifies configuration — read-only analysis only.**
+
+---
+
+## Audit Procedure
+
+For each of the 12 domains below, follow this pattern:
+1. **Check** — Run the detection command(s) to assess the domain
+2. **Compare** — Compare findings against the secure baseline
+3. **Score** — Assign severity: CRITICAL / HIGH / MEDIUM / PASSED
+4. **Remediate** — Provide specific remediation steps if not PASSED
+
+Present findings in this format:
+```
+🔴 CRITICAL: [domain] — [finding] → [remediation]
+🟠 HIGH: [domain] — [finding] → [remediation]
+🟡 MEDIUM: [domain] — [finding] → [remediation]
+✅ PASSED: [domain]
+```
+
+End with a summary line:
+```
+Summary: N critical, N high, N medium, N passed
+```
+
+---
+
+## Domain 1: Gateway Exposure
+
+**Check:** Examine server configuration files for network binding and authentication settings.
+- Read the main server/gateway config (e.g., `config.yaml`, `server.ts`, `.env`)
+- Look for `host`, `bind`, `listen` directives
+- Check for authentication tokens and API key requirements
+
+**Baseline:**
+- Server binds to `127.0.0.1` or `0.0.0.0` behind a reverse proxy with TLS
+- All API endpoints require authentication (token, API key, or session)
+- No exposed debug/admin endpoints without auth
+
+**CRITICAL if:** Server binds to `0.0.0.0` without TLS or auth on any endpoint
+**HIGH if:** Debug endpoints (healthz, metrics, admin) are unauthenticated
+**MEDIUM if:** Auth is present but uses weak/default tokens
+
+**Remediation:** Bind to loopback, put behind reverse proxy with TLS, require auth on all endpoints.
+
+---
+
+## Domain 2: DM / Channel Access Policy
+
+**Check:** Review channel configuration for direct message handling.
+- Look for DM/direct-message config in workspace settings
+- Check if DM access is allowlisted or open to all users
+
+**Baseline:**
+- DM access restricted to allowlisted users
+- Unknown users receive a rejection message, not silent processing
+
+**HIGH if:** DMs from unknown users are processed without allowlist
+**MEDIUM if:** DM allowlist exists but includes wildcard or overly broad patterns
+
+**Remediation:** Configure explicit DM allowlist. Reject unknown users with informative message.
+
+---
+
+## Domain 3: Group Access Control
+
+**Check:** Review group channel configuration.
+- Look for mention gating and channel allowlist settings
+- Check if the agent responds to all messages or only mentions
+
+**Baseline:**
+- Agent only responds to @mentions in group channels
+- Channel allowlist limits which channels the agent operates in
+- Non-allowlisted channels are ignored entirely
+
+**HIGH if:** Agent responds to all messages in group channels (no mention gating)
+**MEDIUM if:** Mention gating exists but channel allowlist is missing or overly broad
+
+**Remediation:** Enable mention gating. Configure channel allowlist. Set fallback to ignore.
+
+---
+
+## Domain 4: Credential Security
+
+**Check:** Examine credential storage and access patterns.
+- Check file permissions on credential files (`.env`, `credentials.json`, keyfiles)
+- Look for plaintext secrets in config files vs. environment variables
+- Check if encrypted credential storage is used
+
+**Baseline:**
+- Credential files have `600` permissions (owner read/write only)
+- No plaintext secrets in config files — all via env vars or encrypted storage
+- API keys rotated on a regular schedule
+
+**CRITICAL if:** Credentials stored in plaintext in committed config files
+**HIGH if:** Credential files have world-readable permissions (644 or 755)
+**MEDIUM if:** Credentials in env vars but `.env` file has loose permissions
+
+**Remediation:** Move secrets to env vars or encrypted storage. Set file permissions to 600. Add `.env` to `.gitignore`.
+
+---
+
+## Domain 5: Browser Control Exposure
+
+**Check:** If browser/puppeteer control is enabled, check its configuration.
+- Look for browser automation config (Puppeteer, Playwright, Selenium)
+- Check if remote debugging port is exposed
+- Verify HTTPS requirements for browser-fetched content
+
+**Baseline:**
+- Browser remote debugging disabled or bound to loopback only
+- Browser auth tokens required for WebSocket connections
+- HTTPS enforced for all browser navigation
+
+**CRITICAL if:** Remote debugging port exposed on non-loopback interface without auth
+**HIGH if:** Browser navigates to HTTP URLs without user confirmation
+**MEDIUM if:** Browser automation enabled but no sandbox flags
+
+**Remediation:** Bind debugging to loopback. Require auth. Enable `--no-sandbox` only in containers. Enforce HTTPS.
+
+---
+
+## Domain 6: Network Bind and Proxy Config
+
+**Check:** Review all network listeners and proxy configurations.
+- Find all `listen`, `bind`, `port` directives
+- Check for reverse proxy configuration (nginx, caddy, traefik)
+- Verify TLS termination settings
+
+**Baseline:**
+- Application binds to loopback (`127.0.0.1`)
+- Reverse proxy handles TLS termination and public exposure
+- No direct public exposure of application ports
+
+**CRITICAL if:** Application ports directly exposed to public internet without TLS
+**HIGH if:** Proxy configured but TLS not enforced (allows HTTP fallback)
+**MEDIUM if:** Internal services communicate without TLS (acceptable in isolated networks)
+
+**Remediation:** Put behind reverse proxy. Enforce TLS. Bind application to loopback.
+
+---
+
+## Domain 7: Tool Access and Sandboxing
+
+**Check:** Review tool access configuration and sandbox settings.
+- Check which tools are enabled and their permission levels
+- Look for workspace boundary enforcement
+- Verify bash command restrictions
+
+**Baseline:**
+- Tools restricted to workspace directory
+- Bash commands filtered through dangerous command blocker
+- File operations sandboxed to workspace root
+- MCP tools explicitly allowlisted
+
+**HIGH if:** Tools can access files outside workspace without restriction
+**HIGH if:** Bash commands not filtered through safety guard rails
+**MEDIUM if:** MCP tools auto-approved without explicit allowlist
+
+**Remediation:** Enable workspace boundary enforcement. Activate guard rails. Require explicit MCP tool approval.
+
+---
+
+## Domain 8: File Permissions and Disk Hygiene
+
+**Check:** Audit file permissions for sensitive directories.
+- Check permissions on workspace config directory
+- Verify log file permissions
+- Look for temp files with sensitive content
+
+**Baseline:**
+- Config directories: `700` (owner only)
+- Config files: `600` (owner read/write)
+- Log files: `640` or stricter
+- No sensitive content in `/tmp` with world-readable permissions
+
+**HIGH if:** Config directories are world-readable (755 with sensitive files)
+**MEDIUM if:** Log files contain sensitive data and are broadly readable
+
+**Remediation:** Set directories to 700, files to 600. Rotate and restrict log access. Clean temp files.
+
+---
+
+## Domain 9: Plugin Trust
+
+**Check:** Review installed plugins/extensions and their trust status.
+- List all registered extensions and MCP servers
+- Check for explicit allowlist configuration
+- Verify extension versions are current
+
+**Baseline:**
+- All extensions explicitly allowlisted in workspace config
+- No auto-installed or auto-updated plugins
+- Extension versions pinned and reviewed
+
+**HIGH if:** Extensions auto-install without explicit approval
+**MEDIUM if:** Extensions are allowlisted but versions are not pinned
+**MEDIUM if:** Outdated extensions with known vulnerabilities
+
+**Remediation:** Require explicit extension allowlist. Pin versions. Review and update regularly.
+
+---
+
+## Domain 10: Logging and Redaction
+
+**Check:** Review logging configuration for sensitive data handling.
+- Check if tool outputs containing secrets are redacted in logs
+- Verify log retention and access policies
+- Look for PII in log output
+
+**Baseline:**
+- Secret patterns (API keys, tokens, passwords) redacted before logging
+- Logs stored with restricted access (not world-readable)
+- Log retention policy configured (not indefinite)
+
+**HIGH if:** Secrets appear in plaintext in log files
+**MEDIUM if:** Logs are not redacted but access is restricted
+**MEDIUM if:** No log retention policy (unbounded growth with potential sensitive data)
+
+**Remediation:** Enable secret redaction in log pipeline. Set retention policy. Restrict log file access.
+
+---
+
+## Domain 11: Prompt Injection Protection
+
+**Check:** Review untrusted content handling configuration.
+- Check if content wrapper is enabled for external sources
+- Verify mention gating in group contexts
+- Look for injection pattern detection in security engine
+
+**Baseline:**
+- Untrusted content wrapped in XML delimiters before LLM context injection
+- Mention gating active in group channels
+- Security engine prompt injection detector enabled
+- Standing instruction against following wrapped content
+
+**CRITICAL if:** No content wrapping and agent processes external web content
+**HIGH if:** Content wrapping disabled but agent fetches URLs
+**MEDIUM if:** Content wrapping enabled but mention gating disabled in groups
+
+**Remediation:** Enable content wrapper extension. Activate mention gating. Verify security engine is running all modules.
+
+---
+
+## Domain 12: Dangerous Command Blocking
+
+**Check:** Review the dangerous command deny list.
+- Check guard rails configuration for blocked commands
+- Verify coverage of destructive operations
+- Test that bypass patterns (encoding, aliasing) are covered
+
+**Baseline:**
+- Deny list covers: `rm -rf /`, `git reset --hard`, `DROP TABLE`, `git push --force`, `chmod 777`, `mkfs`, `dd` to devices
+- Guard rails registered at priority 0 (fires before all extensions)
+- No bypass through command aliasing or encoding
+
+**HIGH if:** Dangerous command blocker is disabled or not registered
+**MEDIUM if:** Deny list is active but incomplete (missing key destructive commands)
+**MEDIUM if:** Commands can bypass via aliasing (e.g., `\rm`, backtick substitution)
+
+**Remediation:** Ensure guard-rails extension is registered. Review and expand deny list. Test bypass patterns.
+
+---
+
+## Adding New Audit Domains
+
+To extend this audit with new domains, follow this pattern:
+
+```
+## Domain N: [Name]
+
+**Check:** [What to examine and which commands/files to inspect]
+
+**Baseline:** [What secure configuration looks like]
+
+**CRITICAL/HIGH/MEDIUM if:** [Specific conditions for each severity]
+
+**Remediation:** [Specific steps to fix each finding]
+```
+
+Register the new domain in the audit loop and assign a domain number for tracking.
+
+---
+
+## Output Template
+
+After completing all 12 domain checks, present the full report:
+
+```
+# Security Audit Report
+Generated: [timestamp]
+Workspace: [workspace path]
+
+[Individual domain findings, sorted by severity]
+
+---
+Summary: N critical, N high, N medium, N passed (out of 12 domains)
+
+## Recommended Priority Actions
+1. [Most critical remediation]
+2. [Second most critical]
+3. [Third most critical]
+```
+
+**IMPORTANT:** This audit is read-only. Never modify configuration files, change permissions, or alter settings during the audit. Only report findings and recommend remediations for the user to apply.

package/skills/builtin/self-evolving-agent/SKILL.md

@@ -0,0 +1,28 @@
+# Self-Evolving Agent
+## Pattern
+1. User provides a high-level goal
+2. Workflow Generator analyzes the goal, decomposes into subtasks
+3. For each subtask, an agent is configured with appropriate role, tools, and prompt
+4. Agents execute in the generated workflow order
+5. Output verified (code extraction, test execution)
+6. If verification fails, workflow is regenerated with adjustments
+
+## Implementation
+```typescript
+// Goal → Workflow → Agents → Execution → Verification
+const workflow = await generateWorkflow(goal);  // LLM decomposes goal
+const agents = await configureAgents(workflow);  // Create agent per subtask
+const output = await executeWorkflow(agents);     // Run in order
+const verified = await verify(output, goal);      // Check against goal
+if (!verified) {
+  // Adjust and retry
+  const feedback = await analyzeFailed(output, goal);
+  const revisedWorkflow = await generateWorkflow(goal, feedback);
+}
+```
+
+## Rules
+- Generated workflows must be inspectable before execution
+- Each generated agent has explicit scope boundaries
+- Verification is mandatory (self-generated agents need more scrutiny, not less)
+- Maximum 2 regeneration attempts before escalating to user

package/skills/builtin/self-improvement-loop/SKILL.md

@@ -0,0 +1,58 @@
+# Self-Improvement Loop
+
+## Cycle: Generate -> Critique -> Revise
+
+### Generate (Junior role)
+Produce first draft. Good enough to critique, doesn't need to be perfect.
+
+### Critique (Senior role)
+Evaluate against rubric. Score each dimension 1-5 with reasoning BEFORE the score (prevents anchoring). Provide specific, actionable feedback.
+
+### Revise
+Incorporate feedback. Address each critique point. Produce improved version.
+
+### Loop
+Repeat until quality threshold met (4+ on all dimensions) or 3 iterations. Diminishing returns after 3 rounds.
+
+## Rubric Dimensions
+
+| Dimension | 1 (Poor) | 3 (OK) | 5 (Excellent) |
+|-----------|----------|--------|---------------|
+| Accuracy | Errors present | Mostly correct | Fully correct |
+| Completeness | Major gaps | Covers basics | Comprehensive |
+| Clarity | Confusing | Understandable | Crystal clear |
+| Actionability | No next steps | Some guidance | Specific steps |
+
+## Output Format
+
+```markdown
+## Iteration 1
+### Draft
+[Generated content]
+
+### Critique
+**Accuracy**: [reasoning] -> Score: [N/5]
+**Completeness**: [reasoning] -> Score: [N/5]
+**Clarity**: [reasoning] -> Score: [N/5]
+**Actionability**: [reasoning] -> Score: [N/5]
+**Specific feedback**: [actionable improvements]
+
+### Revision
+[Revised content addressing each critique point]
+
+## Iteration 2
+...
+
+## Final Output
+[Best version with scores]
+```
+
+## Persistent Learning
+
+Save high-quality final outputs (score 4+) as reference examples. Future tasks can reference these examples for consistent quality.
+
+## Rules
+
+- Critique must be specific ("paragraph 3 lacks evidence" not "needs improvement")
+- Each revision must address every critique point
+- Stop after 3 iterations regardless (diminishing returns)

package/skills/builtin/semantic-search/SKILL.md

@@ -0,0 +1,93 @@
+---
+name: semantic-search
+description: "Use this skill when implementing embedding-based search, vector similarity, RAG pipelines, or search relevance tuning. Triggers: 'semantic search', 'embeddings', 'vector search', 'similarity search', 'RAG', 'retrieval augmented', 'pgvector', or requests involving meaning-based content retrieval."
+license: MIT
+---
+
+# Semantic Search
+
+## What This Skill Does
+
+Implement embedding-based search for meaning-aware content retrieval. Vector storage, similarity computation, hybrid search (vector + keyword), and relevance tuning.
+
+## Architecture
+
+```
+Query -> Embed -> Vector Search -> Rerank -> Return Results
+                     |
+              Vector Store (pgvector)
+```
+
+## pgvector Setup
+
+```sql
+CREATE EXTENSION IF NOT EXISTS vector;
+
+CREATE TABLE documents (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  content TEXT NOT NULL,
+  embedding vector(1536),  -- Dimension matches your model
+  metadata JSONB DEFAULT '{}',
+  created_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+CREATE INDEX idx_documents_embedding
+  ON documents USING ivfflat (embedding vector_cosine_ops)
+  WITH (lists = 100);
+```
+
+## Search Query
+
+```sql
+SELECT id, content, metadata,
+  1 - (embedding <=> $1::vector) AS similarity
+FROM documents
+WHERE 1 - (embedding <=> $1::vector) > 0.7
+ORDER BY embedding <=> $1::vector
+LIMIT 10;
+```
+
+## Hybrid Search (Vector + Keyword)
+
+```sql
+-- RRF (Reciprocal Rank Fusion) combining vector and full-text search
+WITH vector_results AS (
+  SELECT id, ROW_NUMBER() OVER (ORDER BY embedding <=> $1::vector) AS rank
+  FROM documents LIMIT 20
+),
+text_results AS (
+  SELECT id, ROW_NUMBER() OVER (ORDER BY ts_rank(tsv, query) DESC) AS rank
+  FROM documents, plainto_tsquery($2) query
+  WHERE tsv @@ query LIMIT 20
+)
+SELECT COALESCE(v.id, t.id) AS id,
+  COALESCE(1.0/(60+v.rank), 0) + COALESCE(1.0/(60+t.rank), 0) AS rrf_score
+FROM vector_results v FULL JOIN text_results t ON v.id = t.id
+ORDER BY rrf_score DESC LIMIT 10;
+```
+
+## Rules
+
+- Chunk documents by semantic boundaries (paragraphs, sections), not fixed token counts
+- Store chunk metadata (source, page, section) for attribution
+- Set a similarity threshold (0.7+ for most use cases) to filter irrelevant results
+- Use hybrid search (vector + keyword) for better recall than either alone
+- Rerank results with a cross-encoder for precision-critical applications
+- Monitor search quality with user feedback signals
+
+## Corrective RAG (Self-Correcting Retrieval)
+
+After retrieving results, grade their relevance before generating an answer:
+1. Retrieve top-K results from vector store
+2. Grade each result: RELEVANT or IRRELEVANT (lightweight LLM call or heuristic)
+3. If majority IRRELEVANT: fall back to web search
+4. Generate answer from best available sources (vector results + web results)
+5. Never serve an answer from irrelevant retrievals
+
+## Multi-Source Routing
+
+When multiple knowledge bases exist, classify the query first:
+- Technical questions -> code documentation store
+- Business questions -> internal docs store
+- General questions -> web search
+- Ambiguous -> query multiple sources, merge with reciprocal rank fusion (RRF)

package/skills/builtin/seo-audit-team/SKILL.md

@@ -0,0 +1,27 @@
+# SEO Audit Team
+## Pipeline
+1. **Page Auditor**: scrape target URL, extract structural audit (headings, meta tags, images, links, page speed indicators, keyword density)
+2. **SERP Analyst**: search the primary keyword, analyze top-ranking competitors (what they do differently)
+3. **Optimization Advisor**: synthesize audit + SERP data into prioritized recommendations
+
+## Output: Prioritized Report
+```markdown
+## Page Audit: [URL]
+
+### Critical Issues (fix immediately)
+1. [Issue with specific fix]
+
+### High Priority (fix this week)
+1. [Issue with specific fix]
+
+### Opportunities (competitive advantages to gain)
+1. [Opportunity with implementation guidance]
+
+### Already Good
+[Things the page does well]
+```
+
+## Rules
+- Every recommendation includes a specific fix, not just the problem
+- Prioritize by impact on rankings
+- Compare against actual SERP competitors, not generic best practices

package/skills/builtin/seo-optimization/SKILL.md

@@ -0,0 +1,49 @@
+---
+name: seo-optimization
+description: "Use this skill when the user asks about SEO, search engine optimization, keyword research, meta tags, content structure for search, or improving search rankings. Triggers: 'SEO', 'search engine', 'keywords', 'meta tags', 'Google ranking', 'search traffic', 'organic traffic', or requests to improve content discoverability."
+license: MIT
+---
+
+# SEO Optimization
+
+## What This Skill Does
+
+Optimize content and pages for search engines. Keyword strategy, on-page SEO, meta tags, content structure, technical SEO basics.
+
+## On-Page SEO Checklist
+
+- Title tag: 50-60 characters, primary keyword near the front
+- Meta description: 150-160 characters, includes keyword, compelling
+- H1: one per page, includes primary keyword
+- H2-H3: include secondary keywords naturally
+- URL: short, hyphenated, includes keyword
+- First 100 words: include primary keyword
+- Image alt text: descriptive, includes keyword where natural
+- Internal links: 2-5 per page to related content
+- External links: 1-3 to authoritative sources
+
+## Content Structure for Search
+
+- Answer the search query in the first 2 paragraphs (featured snippet targeting)
+- Use question-based subheadings ("How to...", "What is...", "Why does...")
+- Include a table of contents for long content
+- Lists and tables for scannable information
+- 1500+ words for competitive topics, 800+ for niche topics
+
+## Technical SEO
+
+- Page speed: under 3 seconds load time
+- Mobile-friendly: responsive design, touch targets 44px+
+- HTTPS: mandatory
+- Canonical URLs to prevent duplicate content
+- Structured data (JSON-LD) for rich snippets
+- XML sitemap submitted to search console
+- robots.txt configured correctly
+
+## Rules
+
+- Write for users first, optimize for search second
+- One primary keyword per page, 2-4 secondary keywords
+- Never keyword stuff (use natural language)
+- Update old content rather than creating duplicate pages
+- Monitor rankings and adjust strategy quarterly