@integrity-labs/agt-cli 0.28.128 → 0.28.130

package/dist/{chunk-O55BMAX7.js → chunk-RTSX4A54.js}

@@ -22,7 +22,7 @@ import {
   resolveConnectivityProbe,
   worseConnectivityOutcome,
   wrapScheduledTaskPrompt
-} from "./chunk-NCRDTQ54.js";
+} from "./chunk-RIT2OY5S.js";
 
 // ../../packages/core/dist/integrations/registry.js
 var INTEGRATION_REGISTRY = [
@@ -3043,35 +3043,39 @@ you MUST use the Augmented MCP tools \u2014 never write to
 ### Always confirm scope before creating
 
 Before invoking \`skill_create\`, ask the user: **"Should this skill be
-agent-scoped (only this agent uses it) or team-scoped (every agent on
-the team can install it)?"** Default to agent scope when the user
-just says "create a skill" without specifying. Confirming up-front
-avoids the two-call dance where you try team scope, get refused by
-\`charter.tools.skills.write_team\`, and then fall back to agent \u2014
-once the user has answered, you make a single deliberate call.
+agent-scoped (only this agent uses it), team-scoped (every agent on
+the team), or organization-scoped (every team in the org)?"** Default
+to agent scope when the user just says "create a skill" without
+specifying. Agent-scoped skills install immediately. Team- and
+organization-scoped skills are scanned for security on create: a clean
+scan auto-publishes them to the shared catalog; a finding at or above
+the configured severity threshold holds them as a draft for operator
+review.
 
 ### Quote the review link in your reply
 
-\`skill_create\` returns a \`review_url\` field when the skill lands as
-a draft awaiting operator review. Quote that URL back to the user in
+\`skill_create\` returns a \`review_url\` field when a shared skill lands
+as a draft awaiting operator review (the security scan flagged it, or
+the scanner was unavailable). Quote that URL back to the user in
 your reply (e.g. \`"Created \u2014 review here: <url>"\`) so the operator
 can one-click navigate to the Pending Skills card and publish or
 reject without hunting through the queue.
 
 ### Why this matters
 
-Skills authored via the MCP land in the team-scoped
-\`skill_definitions\` registry, so every agent on the team picks them
-up on next refresh, the manager re-provisions them on the agent's host,
-and operators see them in the webapp's pending-skills queue for review.
-Files written to local \`.claude/skills/\` get wiped the next time the
-manager rebuilds the provision tree, never reach other agents, and
-bypass the operator-review workflow entirely.
+Skills authored via the MCP land in the shared
+\`skill_definitions\` registry, so the skill propagates to every agent in
+scope on next refresh, the manager re-provisions them on the agent's host,
+and operators retain visibility (clean shared publishes are announced;
+flagged ones queue for review). Files written to local
+\`.claude/skills/\` get wiped the next time the manager rebuilds the
+provision tree, never reach other agents, and bypass scanning and
+operator review entirely.
 
-If your charter doesn't authorise team-scope skill writes
-(\`charter.tools.skills.write_team\` is false), the MCP call will be
-refused server-side \u2014 surface that error to the user rather than
-falling back to a local-disk write.
+If an operator has revoked this agent's shared-scope authoring
+(\`charter.tools.skills.shared_authoring\` is false), team- and
+organization-scope calls will be refused server-side \u2014 surface that
+error to the user rather than falling back to a local-disk write.
 
 `;
 }
@@ -7688,7 +7692,7 @@ function requireHost() {
 }
 
 // src/lib/api-client.ts
-var agtCliVersion = true ? "0.28.128" : "dev";
+var agtCliVersion = true ? "0.28.130" : "dev";
 var lastConfigHash = null;
 function setConfigHash(hash) {
   lastConfigHash = hash && hash.length > 0 ? hash : null;
@@ -8985,4 +8989,4 @@ export {
   managerInstallSystemUnitCommand,
   managerUninstallSystemUnitCommand
 };
-//# sourceMappingURL=chunk-O55BMAX7.js.map
+//# sourceMappingURL=chunk-RTSX4A54.js.map