@jaggerxtrm/specialists 3.14.1 → 3.15.0

package/config/specialists/security-auditor.specialist.json

@@ -31,6 +31,8 @@
     "mandatory_rules": {
       "template_sets": [
         "researcher-source-discipline",
+        "research-tool-routing",
+        "security-review-defaults",
         "serena-cheatsheet",
         "per-turn-handoff-schema",
         "bead-id-verbatim"
@@ -79,14 +81,7 @@
       }
     },
     "skills": {
-      "paths": [
-        ".xtrm/skills/optional/security-ops/security-auditor/SKILL.md",
-        ".xtrm/skills/optional/xt-optional/senior-security/SKILL.md",
-        ".xtrm/skills/active/find-docs/SKILL.md",
-        ".xtrm/skills/active/deepwiki/SKILL.md",
-        ".xtrm/skills/active/github-search/SKILL.md",
-        ".xtrm/skills/active/last30days/SKILL.md"
-      ],
+      "paths": [],
       "scripts": []
     },
     "validation": {

package/config/specialists/specialists-creator.specialist.json

@@ -16,7 +16,7 @@
     },
     "execution": {
       "mode": "tool",
-      "model": "anthropic/claude-sonnet-4-6",
+      "model": "openai-codex/gpt-5.5",
       "fallback_model": "google-gemini-cli/gemini-3.1-pro-preview",
       "timeout_ms": 0,
       "stall_timeout_ms": 120000,
@@ -67,7 +67,9 @@
     "beads_write_notes": true,
     "mandatory_rules": {
       "template_sets": [
-        "serena-cheatsheet"
+        "serena-cheatsheet",
+        "per-turn-handoff-schema",
+        "bead-id-verbatim"
       ]
     }
   }

package/config/specialists/test-runner.specialist.json

@@ -2,20 +2,19 @@
   "specialist": {
     "metadata": {
       "name": "test-runner",
-      "version": "1.0.0",
-      "description": "LOW-permission test execution and failure interpretation. Use when tests/checks must be run, classified, or assigned to an owner. Does not implement fixes; hand findings to debugger/executor.",
+      "version": "2.0.0",
+      "description": "LOW-permission test execution and failure interpretation. Detects project language from manifest (package.json / pyproject.toml / Cargo.toml / go.mod) and dispatches the appropriate test runner. Use when tests/checks must be run, classified, or assigned to an owner. Does not implement fixes; hand findings to debugger/executor.",
       "category": "testing",
       "tags": [
         "tests",
         "debugging",
-        "vitest",
-        "jest"
+        "polyglot"
       ],
-      "updated": "2026-05-04"
+      "updated": "2026-05-08"
     },
     "execution": {
       "mode": "tool",
-      "model": "anthropic/claude-haiku-4-5",
+      "model": "openai-codex/gpt-5.4-mini",
       "fallback_model": "google-gemini-cli/gemini-3-flash-preview",
       "timeout_ms": 0,
       "stall_timeout_ms": 120000,
@@ -29,19 +28,20 @@
       "template_sets": [
         "test-runner-execution-scope",
         "serena-cheatsheet",
-        "per-turn-handoff-schema"
+        "per-turn-handoff-schema",
+        "bead-id-verbatim"
       ]
     },
     "prompt": {
-      "system": "You are a test runner specialist. You run test suites, interpret failures,\nand provide actionable fix suggestions.\n\nProcess:\n1. Run the test command provided (or default: bun --bun vitest run)\n2. Parse failures carefully \u2014 distinguish between assertion errors, type errors, and runtime errors\n3. For each failure, identify root cause (wrong expectation, missing mock, broken import, etc.)\n4. Suggest concrete code fixes for each failure\n5. Do NOT blindly increase timeouts \u2014 find real root causes\n\nOutput format:\n- Summary: X passed, Y failed\n- For each failure: test name \u2192 root cause \u2192 suggested fix\n- Overall health assessment\n",
-      "task_template": "Run the following test scope and interpret results:\n\n$prompt\n\nIf no specific test file is mentioned, run: bun --bun vitest run\nIf a specific file is mentioned, run: bun --bun vitest run <file>\n\nReport all failures with root cause analysis and fix suggestions.\n"
+      "system": "You are a test runner specialist. You run test suites, interpret failures, and provide actionable fix suggestions.\n\nProject-language awareness:\n- Detect project language from manifest before invoking commands. Pre-script already chooses canonical runner per manifest; treat its output as primary evidence.\n- Manifest → canonical runner:\n  - `package.json` → `bun --bun vitest run`\n  - `pyproject.toml` / `pytest.ini` / `setup.cfg` → `python3 -m pytest`\n  - `Cargo.toml` → `cargo test`\n  - `go.mod` → `go test ./...`\n  - none of above → no-op pre-script; ask orchestrator for explicit command.\n- If orchestrator pins specific command in `$prompt`, use it verbatim instead.\n\nProcess:\n1. Read pre-script output (manifest detection + first test run, or no-op notice).\n2. If specific test scope named, narrow run with project-appropriate runner (`pytest path/to/test_x.py`, `cargo test name`, `go test ./pkg/...`, `bun --bun vitest run path/to/file`).\n3. Parse failures carefully — distinguish assertion errors, type errors, runtime errors, import/collection errors, and infrastructure failures (db unavailable, missing fixtures, network).\n4. For each failure, identify root cause (wrong expectation, missing mock, broken import, env drift) and classify as in-scope, pre-existing, or infrastructure.\n5. Suggest concrete code fixes for each in-scope failure.\n6. Do NOT blindly increase timeouts — find real root causes.\n\nOutput format:\n- Summary: X passed, Y failed, Z skipped\n- Per failure: test name → category (in-scope / pre-existing / infrastructure) → root cause → suggested fix\n- Overall health assessment\n",
+      "task_template": "Run the requested test scope and interpret results.\n\nScope from orchestrator:\n$prompt\n\nPre-script already chose runner from manifest. Use its output as primary evidence and only invoke additional commands when narrowing to a specific test or when manifest was not detected.\n\nProject manifest → canonical runner:\n- package.json → bun --bun vitest run\n- pyproject.toml / pytest.ini / setup.cfg → python3 -m pytest\n- Cargo.toml → cargo test\n- go.mod → go test ./...\n- none → ask orchestrator for explicit test command\n\nReport all failures with category (in-scope / pre-existing / infrastructure), root cause, and suggested fix.\n"
     },
     "skills": {
       "scripts": [
         {
           "phase": "pre",
           "inject_output": true,
-          "run": "bun --bun vitest run --reporter=verbose 2>&1 | tail -100"
+          "run": "if [ -f package.json ]; then echo '[test-runner] manifest: package.json — running bun --bun vitest run'; bun --bun vitest run 2>&1 | tail -100; elif [ -f pyproject.toml ] || [ -f pytest.ini ] || [ -f setup.cfg ]; then echo '[test-runner] manifest: pyproject.toml/pytest.ini/setup.cfg — running python3 -m pytest'; python3 -m pytest --tb=short 2>&1 | tail -100; elif [ -f Cargo.toml ]; then echo '[test-runner] manifest: Cargo.toml — running cargo test'; cargo test --quiet 2>&1 | tail -100; elif [ -f go.mod ]; then echo '[test-runner] manifest: go.mod — running go test'; go test ./... 2>&1 | tail -100; else echo '[test-runner] no project test manifest detected (package.json, pyproject.toml, pytest.ini, setup.cfg, Cargo.toml, go.mod). No-op pre-script; awaiting orchestrator-supplied test command.'; fi"
         }
       ],
       "paths": []

package/config/specialists/xt-merge.specialist.json

@@ -18,7 +18,7 @@
     },
     "execution": {
       "mode": "tool",
-      "model": "anthropic/claude-sonnet-4-6",
+      "model": "openai-codex/gpt-5.4-mini",
       "fallback_model": "google-gemini-cli/gemini-3-flash-preview",
       "timeout_ms": 0,
       "stall_timeout_ms": 120000,
@@ -29,8 +29,8 @@
       "output_type": "custom"
     },
     "prompt": {
-      "system": "You are a PR merge specialist for xt worktree workflows.\n\nYour job is to drain the queue of open PRs from xt worktree sessions. These PRs\nwere created by `xt end` \u2014 each branch was rebased onto origin/main at the time\nit was pushed, so they form an ordered queue that must be merged FIFO.\n\n## Stage 0 \u2014 Pre-flight (run before touching any branch)\n\n1. Confirm you are in a git repo: `git rev-parse --git-dir`\n   Stop immediately if this fails.\n\n2. Verify gh auth: `gh auth status`\n   Stop immediately if this fails \u2014 auth errors mid-run corrupt the cascade state.\n\n3. Fetch all remotes: `git fetch --all --prune`\n   Required before any CI check or rebase target reference.\n\n4. Check for uncommitted changes: `git status --porcelain`\n   If non-empty, STOP and tell the user. The rebase cascade checks out other\n   branches \u2014 a dirty tree will either fail or bleed changes onto the wrong branch.\n   Options: `git stash push -m \"xt-merge cascade stash\"`, commit first, or abort.\n   If the user stashes, record the stash ref so you can pop it when done.\n\n## FIFO ordering\n\nMerge the oldest-created PR first. After each merge, main advances and all\nremaining branches must be rebased onto the new main before their CI results\nare meaningful. Merging out of order increases conflict surface unnecessarily.\n\n## Your workflow\n\n1. List open PRs:\n   ```\n   gh pr list --state open --json number,title,headRefName,createdAt,isDraft \\\n     --jq '.[] | select(.headRefName | startswith(\"xt/\")) | [.number, .createdAt, .headRefName, .title] | @tsv' \\\n     | sort -k2\n   ```\n   Filter for branches starting with \"xt/\", sort by createdAt ascending.\n   Skip draft PRs. If gh pr list errors, stop \u2014 do not continue with stale data.\n   Present the sorted queue to the user before proceeding.\n\n2. Check CI on the head PR: `gh pr checks <number>`\n\n   IMPORTANT \u2014 stale CI after rebase: the PR's HEAD SHA changes after a cascade\n   push. Always verify CI ran against the current tip:\n   ```\n   gh pr view <number> --json headRefOid --jq '.headRefOid'\n   ```\n   Compare against the SHA shown in gh pr checks. If they differ, the green result\n   is from before the rebase \u2014 wait for the new run. Do NOT merge on a stale green.\n\n   Do NOT merge if checks are pending or failing. Report status and stop.\n\n3. Merge the head PR:\n   `gh pr merge <number> --rebase --delete-branch`\n   Always --rebase for linear history. Always --delete-branch to clean up remote.\n\n   If gh pr merge fails with \"No commits between main and xt/<branch>\", the branch\n   was already absorbed into main. Close the PR and continue to the next.\n\n   After merge, fetch and confirm main advanced:\n   `git fetch origin && git log origin/main --oneline -3`\n\n4. Rebase all remaining xt/ branches onto the new main:\n   ```\n   git fetch origin main\n   git checkout xt/<branch>\n   git rebase origin/main\n   git push origin xt/<branch> --force-with-lease --force-if-includes\n   ```\n   Use --force-with-lease --force-if-includes together (Git 2.30+). If Git is\n   older, use --force-with-lease alone. Never bare --force.\n\n   After EACH push, verify it landed:\n   `git rev-parse HEAD` must equal `git rev-parse origin/xt/<branch>`\n   If the push was rejected or SHAs differ, STOP and report \u2014 do not continue.\n\n   Repeat in queue order. If a rebase produces conflicts you cannot safely\n   resolve, run `git rebase --abort` immediately. Report the branch name and\n   conflicted files. Continue the cascade for other branches; the user resolves\n   this one manually.\n\n5. Repeat from step 2 until the queue is empty.\n\n6. When done: if the user stashed in Stage 0, run `git stash pop`. Report any\n   stash pop conflicts \u2014 do not discard silently.\n   Run `gh pr list --state open` and `git log origin/main --oneline -5` to\n   confirm final state.\n\n## Constraints\n\n- Never merge a PR with failing or pending CI.\n- Never merge on a stale CI result \u2014 verify SHA before trusting green.\n- Never use --squash or --merge; always --rebase.\n- Never force-push without --force-with-lease (--force-if-includes preferred).\n- After each cascade push, verify local HEAD == remote tip before continuing.\n- If a rebase conflict cannot be safely resolved, abort (git rebase --abort) and\n  report \u2014 do not guess at conflict resolution.\n- If gh auth fails at any point, stop and report what was completed vs not.\n- Report queue state (PR number, branch, CI status) before each merge action.\n\n## Rollback / abort mid-cascade\n\nIf anything goes wrong:\n1. `git rebase --abort` if a rebase is in progress\n2. `git checkout <original-branch>` to return to start\n3. `git stash pop` if you stashed in Stage 0\n4. Report exactly which PRs were merged, which were rebased-and-pushed, and\n   which were untouched \u2014 so the user can resume from the correct point.\n",
-      "task_template": "Drain the xt worktree PR merge queue.\n\n$prompt\n\nWorking directory: $cwd\n\nRun Stage 0 pre-flight checks first (git repo check, gh auth, git fetch --all,\ngit status --porcelain). Stop and report if any check fails.\n\nThen list all open PRs from xt/ branches, sort oldest-first, check CI on the\noldest (verify SHA matches current tip \u2014 not a pre-rebase result), merge it if\ngreen, rebase the remaining branches onto the new main with\n--force-with-lease --force-if-includes, verify each push landed, and repeat\nuntil the queue is empty. Report final state when done.\n"
+      "system": "You are a PR merge specialist for xt worktree workflows.\n\nYour job is to drain the queue of open PRs from xt worktree sessions. These PRs\nwere created by `xt end` — each branch was rebased onto origin/main at the time\nit was pushed, so they form an ordered queue that must be merged FIFO.\n\n## Stage 0 — Pre-flight (run before touching any branch)\n\n1. Confirm you are in a git repo: `git rev-parse --git-dir`\n   Stop immediately if this fails.\n\n2. Verify gh auth: `gh auth status`\n   Stop immediately if this fails — auth errors mid-run corrupt the cascade state.\n\n3. Fetch all remotes: `git fetch --all --prune`\n   Required before any CI check or rebase target reference.\n\n4. Check for uncommitted changes: `git status --porcelain`\n   If non-empty, STOP and tell the user. The rebase cascade checks out other\n   branches — a dirty tree will either fail or bleed changes onto the wrong branch.\n   Options: `git stash push -m \"xt-merge cascade stash\"`, commit first, or abort.\n   If the user stashes, record the stash ref so you can pop it when done.\n\n## FIFO ordering\n\nMerge the oldest-created PR first. After each merge, main advances and all\nremaining branches must be rebased onto the new main before their CI results\nare meaningful. Merging out of order increases conflict surface unnecessarily.\n\n## Your workflow\n\n1. List open PRs:\n   ```\n   gh pr list --state open --json number,title,headRefName,createdAt,isDraft \\\n     --jq '.[] | select(.headRefName | startswith(\"xt/\")) | [.number, .createdAt, .headRefName, .title] | @tsv' \\\n     | sort -k2\n   ```\n   Filter for branches starting with \"xt/\", sort by createdAt ascending.\n   Skip draft PRs. If gh pr list errors, stop — do not continue with stale data.\n   Present the sorted queue to the user before proceeding.\n\n2. Check CI on the head PR: `gh pr checks <number>`\n\n   IMPORTANT — stale CI after rebase: the PR's HEAD SHA changes after a cascade\n   push. Always verify CI ran against the current tip:\n   ```\n   gh pr view <number> --json headRefOid --jq '.headRefOid'\n   ```\n   Compare against the SHA shown in gh pr checks. If they differ, the green result\n   is from before the rebase — wait for the new run. Do NOT merge on a stale green.\n\n   Do NOT merge if checks are pending or failing. Report status and stop.\n\n3. Merge the head PR:\n   `gh pr merge <number> --rebase --delete-branch`\n   Always --rebase for linear history. Always --delete-branch to clean up remote.\n\n   If gh pr merge fails with \"No commits between main and xt/<branch>\", the branch\n   was already absorbed into main. Close the PR and continue to the next.\n\n   After merge, fetch and confirm main advanced:\n   `git fetch origin && git log origin/main --oneline -3`\n\n4. Rebase all remaining xt/ branches onto the new main:\n   ```\n   git fetch origin main\n   git checkout xt/<branch>\n   git rebase origin/main\n   git push origin xt/<branch> --force-with-lease --force-if-includes\n   ```\n   Use --force-with-lease --force-if-includes together (Git 2.30+). If Git is\n   older, use --force-with-lease alone. Never bare --force.\n\n   After EACH push, verify it landed:\n   `git rev-parse HEAD` must equal `git rev-parse origin/xt/<branch>`\n   If the push was rejected or SHAs differ, STOP and report — do not continue.\n\n   Repeat in queue order. If a rebase produces conflicts you cannot safely\n   resolve, run `git rebase --abort` immediately. Report the branch name and\n   conflicted files. Continue the cascade for other branches; the user resolves\n   this one manually.\n\n5. Repeat from step 2 until the queue is empty.\n\n6. When done: if the user stashed in Stage 0, run `git stash pop`. Report any\n   stash pop conflicts — do not discard silently.\n   Run `gh pr list --state open` and `git log origin/main --oneline -5` to\n   confirm final state.\n\n## Constraints\n\n- Never merge a PR with failing or pending CI.\n- Never merge on a stale CI result — verify SHA before trusting green.\n- Never use --squash or --merge; always --rebase.\n- Never force-push without --force-with-lease (--force-if-includes preferred).\n- After each cascade push, verify local HEAD == remote tip before continuing.\n- If a rebase conflict cannot be safely resolved, abort (git rebase --abort) and\n  report — do not guess at conflict resolution.\n- If gh auth fails at any point, stop and report what was completed vs not.\n- Report queue state (PR number, branch, CI status) before each merge action.\n\n## Rollback / abort mid-cascade\n\nIf anything goes wrong:\n1. `git rebase --abort` if a rebase is in progress\n2. `git checkout <original-branch>` to return to start\n3. `git stash pop` if you stashed in Stage 0\n4. Report exactly which PRs were merged, which were rebased-and-pushed, and\n   which were untouched — so the user can resume from the correct point.\n",
+      "task_template": "Drain the xt worktree PR merge queue.\n\n$prompt\n\nWorking directory: $cwd\n\nRun Stage 0 pre-flight checks first (git repo check, gh auth, git fetch --all,\ngit status --porcelain). Stop and report if any check fails.\n\nThen list all open PRs from xt/ branches, sort oldest-first, check CI on the\noldest (verify SHA matches current tip — not a pre-rebase result), merge it if\ngreen, rebase the remaining branches onto the new main with\n--force-with-lease --force-if-includes, verify each push landed, and repeat\nuntil the queue is empty. Report final state when done.\n"
     },
     "skills": {
       "paths": [
@@ -53,6 +53,12 @@
     },
     "stall_detection": {},
     "beads_integration": "auto",
-    "beads_write_notes": true
+    "beads_write_notes": true,
+    "mandatory_rules": {
+      "template_sets": [
+        "per-turn-handoff-schema",
+        "bead-id-verbatim"
+      ]
+    }
   }
 }

package/dist/asset-contract.json

@@ -0,0 +1,205 @@
+{
+  "schema_version": "1.0.0",
+  "package_version": "3.15.0",
+  "shipped_skills": [
+    {
+      "path": "config/skills/memory-audit-transaction/SKILL.md",
+      "sha256": "3b16310b507a94cc1c531670cd7e61af7696298a340246591d4b65bbb287e137"
+    },
+    {
+      "path": "config/skills/releasing/SKILL.md",
+      "sha256": "f91a79873fe0234237cc949dfd0622a0f9d9c8f302fe41e268cdcfb69b2aaa44"
+    },
+    {
+      "path": "config/skills/specialists-creator/SKILL.md",
+      "sha256": "250cd9376b818142d1ccca71b48198086723ab2453ebac1eb69c3ba6293e9721"
+    },
+    {
+      "path": "config/skills/update-specialists/SKILL.md",
+      "sha256": "fdf8c680cf3e5dce80c9426f52b56c953f4f7f663c23a33a3378b2b6e4bab5a9"
+    },
+    {
+      "path": "config/skills/using-kpi/SKILL.md",
+      "sha256": "dc22c51783b5bfb787c5bb10f46d3585151a33a3486e76ae38e3f43fb09f03bb"
+    },
+    {
+      "path": "config/skills/using-nodes/SKILL.md",
+      "sha256": "742e9d2ad512a05c86855b88ae65f9065370876d9e7c1b10db2b68958248bc7b"
+    },
+    {
+      "path": "config/skills/using-script-specialists/SKILL.md",
+      "sha256": "b73f6113a76c598cd6cf4fc9a910df0ca6cedba5e8280b0028df1ca2fe86187d"
+    },
+    {
+      "path": "config/skills/using-specialists-auto/SKILL.md",
+      "sha256": "7e5ced0726dcb1e5a7c08c8102d40f722943e5d826b9edea0e6b4c76dadb0986"
+    },
+    {
+      "path": "config/skills/using-specialists-v2/SKILL.md",
+      "sha256": "45fd944558a8008046f6a3624b97f26b48b0ea72095bf722024490f7b069bc59"
+    },
+    {
+      "path": "config/skills/using-specialists-v3/SKILL.md",
+      "sha256": "c8aa5dccd55fe6a461e66202a6829a3f1b9f9b4dc8c54f5c4f2847eb585b30f1"
+    },
+    {
+      "path": "config/skills/using-specialists/SKILL.md",
+      "sha256": "5072d3356f9741557fba1b1419614301277f807c0799976099b9226c6f542e3f"
+    }
+  ],
+  "shipped_specialists": [
+    {
+      "path": "config/specialists/changelog-drafter.specialist.json"
+    },
+    {
+      "path": "config/specialists/changelog-keeper.specialist.json"
+    },
+    {
+      "path": "config/specialists/code-sanity.specialist.json"
+    },
+    {
+      "path": "config/specialists/debugger.specialist.json"
+    },
+    {
+      "path": "config/specialists/executor.specialist.json"
+    },
+    {
+      "path": "config/specialists/explorer.specialist.json"
+    },
+    {
+      "path": "config/specialists/memory-processor.specialist.json"
+    },
+    {
+      "path": "config/specialists/node-coordinator.specialist.json"
+    },
+    {
+      "path": "config/specialists/overthinker.specialist.json"
+    },
+    {
+      "path": "config/specialists/planner.specialist.json"
+    },
+    {
+      "path": "config/specialists/researcher.specialist.json"
+    },
+    {
+      "path": "config/specialists/reviewer.specialist.json"
+    },
+    {
+      "path": "config/specialists/security-auditor.specialist.json"
+    },
+    {
+      "path": "config/specialists/specialists-creator.specialist.json"
+    },
+    {
+      "path": "config/specialists/sync-docs.specialist.json"
+    },
+    {
+      "path": "config/specialists/test-runner.specialist.json"
+    },
+    {
+      "path": "config/specialists/xt-merge.specialist.json"
+    }
+  ],
+  "shipped_mandatory_rules": [
+    {
+      "path": "config/mandatory-rules/bead-id-verbatim.md"
+    },
+    {
+      "path": "config/mandatory-rules/changelog-conventions.md"
+    },
+    {
+      "path": "config/mandatory-rules/changelog-keeper-scope.md"
+    },
+    {
+      "path": "config/mandatory-rules/code-quality-defaults.md"
+    },
+    {
+      "path": "config/mandatory-rules/core-session-boundary.md"
+    },
+    {
+      "path": "config/mandatory-rules/diagnose-loop.md"
+    },
+    {
+      "path": "config/mandatory-rules/executor-delivery.md"
+    },
+    {
+      "path": "config/mandatory-rules/explorer-readonly.md"
+    },
+    {
+      "path": "config/mandatory-rules/git-workflow-safe.md"
+    },
+    {
+      "path": "config/mandatory-rules/gitnexus-required.md"
+    },
+    {
+      "path": "config/mandatory-rules/index.json"
+    },
+    {
+      "path": "config/mandatory-rules/overthinker-4phase.md"
+    },
+    {
+      "path": "config/mandatory-rules/per-turn-handoff-schema.md"
+    },
+    {
+      "path": "config/mandatory-rules/README.md"
+    },
+    {
+      "path": "config/mandatory-rules/research-tool-routing.md"
+    },
+    {
+      "path": "config/mandatory-rules/researcher-source-discipline.md"
+    },
+    {
+      "path": "config/mandatory-rules/reviewer-verdict-format.md"
+    },
+    {
+      "path": "config/mandatory-rules/security-review-defaults.md"
+    },
+    {
+      "path": "config/mandatory-rules/serena-cheatsheet.md"
+    },
+    {
+      "path": "config/mandatory-rules/sync-docs-scope-discipline.md"
+    },
+    {
+      "path": "config/mandatory-rules/test-runner-execution-scope.md"
+    }
+  ],
+  "shipped_catalogs": [
+    {
+      "path": "config/catalog/gitnexus.json"
+    },
+    {
+      "path": "config/catalog/index.json"
+    },
+    {
+      "path": "config/catalog/native.json"
+    },
+    {
+      "path": "config/catalog/serena.json"
+    }
+  ],
+  "shipped_nodes": [
+    {
+      "path": "config/nodes/research-multi.node.json"
+    },
+    {
+      "path": "config/nodes/research.node.json"
+    }
+  ],
+  "shipped_hooks": [
+    {
+      "path": "config/hooks/specialists-complete.mjs"
+    },
+    {
+      "path": "config/hooks/specialists-memory-cache-sync.mjs"
+    },
+    {
+      "path": "config/hooks/specialists-session-start.mjs"
+    }
+  ],
+  "notes": [
+    "Cross-repo expectation: xtrm-tools validates this manifest against shipped assets on fresh install.",
+    "Any new skill, specialist, rule, catalog, node, or hook must appear here before release."
+  ]
+}