@kontourai/flow-agents 1.1.0 → 1.3.0

package/src/flow-kit/validate.ts

@@ -2,7 +2,8 @@ import * as fs from "node:fs";
 import * as path from "node:path";
 import { readJson } from "../lib/fs.js";
 
-const ASSET_CLASSES = ["flows", "skills", "docs", "adapters", "evals", "assets"] as const;
+// Extension-only asset classes: validated by Flow Agents. Flows are validated by @kontourai/flow.
+const EXTENSION_ASSET_CLASSES = ["skills", "docs", "adapters", "evals", "assets"] as const;
 
 // Core container fields owned by kontourai/flow (flow-kit-container.schema.json).
 // agent-extension fields are skills, docs, adapters, evals, assets.
@@ -23,6 +24,47 @@ export interface KitConformanceLevel {
   k2: boolean;
 }
 
+/**
+ * Kit trust level — WHO vouches for a kit, orthogonal to the K-level capability axis.
+ *
+ * - "first-party": the kit is authored and published by Kontour (kontourai); its id is in the
+ *   FIRST_PARTY_KIT_IDS allowlist maintained in this repository. These kits are built, tested,
+ *   and distributed with the flow-agents package.
+ * - "verified": reserved for a future third-party verification process (e.g. self-certification
+ *   via the conformance kit + cryptographic attestation / Veritas claims). Not yet implemented.
+ * - "unverified": default for all kits not in the first-party allowlist. This says nothing about
+ *   the kit's quality — it only means Kontour has not vouched for it.
+ *
+ * The v2 path for "verified": cryptographic signing / attestation against the conformance kit
+ * and Veritas claims substrate is the natural next step and is intentionally deferred.
+ */
+export type KitTrustLevel = "first-party" | "verified" | "unverified";
+
+/**
+ * Allowlist of kit IDs that Kontour authors, tests, and ships with the flow-agents package.
+ *
+ * Criteria for inclusion:
+ *   1. The kit directory lives under kits/ in the kontourai/flow-agents repository.
+ *   2. The kit is published by @kontourai (npm package @kontourai/flow-agents).
+ *   3. Kontour owns and maintains the kit's content and release lifecycle.
+ *
+ * To add a new first-party kit: add its id here AND ensure it lives under kits/ in this repo.
+ * Third-party forks or community kits published elsewhere are NOT first-party, even if they
+ * share a similar id — first-party is tied to provenance in this specific repository.
+ */
+export const FIRST_PARTY_KIT_IDS: ReadonlySet<string> = new Set(["builder", "knowledge"]);
+
+/**
+ * Derive the trust level for a kit id.
+ *
+ * v1 determination: allowlist check against FIRST_PARTY_KIT_IDS.
+ * "verified" is reserved for future third-party verification (not yet granted to any kit).
+ */
+export function deriveKitTrust(kitId: string): KitTrustLevel {
+  if (FIRST_PARTY_KIT_IDS.has(kitId)) return "first-party";
+  return "unverified";
+}
+
 export interface KitTargetsResult {
   kit_id: string;
   kit_name: string;
@@ -31,49 +73,63 @@ export interface KitTargetsResult {
   targets: KitTargetConsumer[];
   /** Extension field namespaces that are not Flow or Flow Agents-owned. */
   third_party_extensions: string[];
+  /**
+   * Trust level: who vouches for this kit. Orthogonal to the K-level capability axis.
+   * "first-party" = Kontour-published; "verified" = reserved (future); "unverified" = default.
+   */
+  trust: KitTrustLevel;
+}
+
+// Lazy-loaded cache for validateKitContainer from @kontourai/flow.
+// list/status/activate are runtime ops that never call validation and must NOT load
+// @kontourai/flow (it is unresolvable in a standalone installed bundle).
+// Only validate/inspect (authoring ops) trigger this load.
+type ValidateKitContainerFn = (kitDir: string, manifest: Record<string, unknown>) => { valid: boolean; diagnostics: { severity: string; path: string; message: string }[] };
+let _validateKitContainerCache: ValidateKitContainerFn | null = null;
+
+async function loadValidateKitContainer(): Promise<ValidateKitContainerFn> {
+  if (_validateKitContainerCache) return _validateKitContainerCache;
+  let mod: { validateKitContainer?: unknown };
+  try {
+    mod = await import("@kontourai/flow") as { validateKitContainer?: unknown };
+  } catch (err) {
+    throw new Error(
+      "container validation requires @kontourai/flow; run from an npm-installed flow-agents workspace " +
+      `or use 'flow kit validate' (original error: ${(err as Error).message})`
+    );
+  }
+  if (typeof mod.validateKitContainer !== "function") {
+    throw new Error("@kontourai/flow did not export validateKitContainer");
+  }
+  _validateKitContainerCache = mod.validateKitContainer as ValidateKitContainerFn;
+  return _validateKitContainerCache;
 }
 
 /**
- * Validates that the manifest satisfies the core Flow Kit container contract
- * (as specified by kontourai/flow PR #67) with all agent-extension fields stripped.
- * Returns a list of violation messages (empty = valid).
+ * Delegates core Flow Kit container validation to @kontourai/flow's validateKitContainer.
+ * The container contract lives once, in Flow. Returns a list of violation messages (empty = valid).
  *
  * The degradation invariant: every Flow Agents Kit MUST remain a valid core
  * Flow Kit container when agent-extension fields are ignored.
+ *
+ * Loads @kontourai/flow lazily (on first call) so that runtime ops (list/status/activate)
+ * that never invoke validation can run in standalone installed bundles where
+ * @kontourai/flow is not present.
+ *
+ * @param kitDir  Real kit directory path for file-existence checks on flows[].path entries.
+ *                Pass the actual kit directory when available; pass "" for structural-only checks.
  */
-export function validateCoreContainer(manifest: Record<string, unknown>, label: string): string[] {
-  const errors: string[] = [];
-  if (manifest.schema_version !== "1.0") {
-    errors.push(`${label}: .schema_version must be "1.0"`);
-  }
-  if (typeof manifest.id !== "string" || !/^[a-z0-9][a-z0-9-]*$/.test(manifest.id)) {
-    errors.push(`${label}: .id must be a stable kebab-case string`);
-  }
-  if (typeof manifest.name !== "string" || !manifest.name.trim()) {
-    errors.push(`${label}: .name must be a non-empty string`);
-  }
-  if (!Array.isArray(manifest.flows) || manifest.flows.length === 0) {
-    errors.push(`${label}: .flows must be a non-empty list`);
-  } else {
-    manifest.flows.forEach((entry: unknown, index: number) => {
-      if (typeof entry !== "object" || entry === null) {
-        errors.push(`${label}: flows[${index}] must be an object`);
-        return;
-      }
-      const flow = entry as Record<string, unknown>;
-      if (typeof flow.id !== "string" || !flow.id) {
-        errors.push(`${label}: flows[${index}].id must be a string`);
-      }
-      if (typeof flow.path !== "string" || !flow.path) {
-        errors.push(`${label}: flows[${index}].path must be a string`);
-      }
-    });
-  }
-  return errors;
+async function delegateCoreContainerValidation(kitDir: string, manifest: Record<string, unknown>): Promise<string[]> {
+  const validateKitContainer = await loadValidateKitContainer();
+  const result = validateKitContainer(kitDir, manifest);
+  if (result.valid) return [];
+  return result.diagnostics
+    .filter((d) => d.severity === "error")
+    .map((d) => `${d.path}: ${d.message}`);
 }
 
 /**
- * Derives the consumer-target level (K0/K1/K2) and target audience list from
+ * Derives the consumer-target level (K0/K1/K2), target audience list, and trust level from
  * observable asset classes in the kit manifest. Does not require file I/O.
  *
  * Derivation rules (from kontourai/flow-agents#52 and Brian's layering review):
@@ -83,12 +139,21 @@ export function validateCoreContainer(manifest: Record<string, unknown>, label:
  *  - targets.flow: always present when K0 (any Flow consumer can evaluate gates).
  *  - targets.flow-agents: present when K1 (agent extension assets activate in >=1 harness).
  *  - third-party: any top-level keys that are not core fields and not Flow Agents extension classes.
+ *
+ * Trust derivation (from kontourai/flow-agents#79):
+ *  - "first-party": kit id is in FIRST_PARTY_KIT_IDS (Kontour-authored kits in this repo).
+ *  - "unverified": all other kits (default; "verified" is reserved for a future process).
+ *
+ * @param manifest  The kit.json manifest object.
+ * @param kitDir    Kit directory for flow file-existence checks. Defaults to "" (structural-only).
+ *                  Pass the real kit directory from `inspect` to get authoritative K0 validation.
  */
-export function deriveKitTargets(manifest: Record<string, unknown>): KitTargetsResult {
+export async function deriveKitTargets(manifest: Record<string, unknown>, kitDir = ""): Promise<KitTargetsResult> {
   const kitId = typeof manifest.id === "string" ? manifest.id : "<unknown>";
   const kitName = typeof manifest.name === "string" ? manifest.name : "<unknown>";
 
-  const coreErrors = validateCoreContainer(manifest, "kit.json");
+  // Delegate core container validation to @kontourai/flow.
+  const coreErrors = await delegateCoreContainerValidation(kitDir, manifest);
   const k0 = coreErrors.length === 0;
 
   const hasAgentExtension = AGENT_EXTENSION_CLASSES.size > 0 &&
@@ -110,16 +175,20 @@ export function deriveKitTargets(manifest: Record<string, unknown>): KitTargetsR
   if (k1) targets.push("flow-agents");
   for (const ns of thirdPartyExtensions) targets.push(ns);
 
+  // Derive trust level orthogonally to the K-level capability axis.
+  const trust = deriveKitTrust(kitId);
+
   return {
     kit_id: kitId,
     kit_name: kitName,
     conformance: { k0, k1, k2 },
     targets,
     third_party_extensions: thirdPartyExtensions,
+    trust,
   };
 }
 
-export function validateKitRepository(kitDir: string): string[] {
+export async function validateKitRepository(kitDir: string): Promise<string[]> {
   const errors: string[] = [];
   const manifestPath = path.join(kitDir, "kit.json");
   let manifest: Record<string, unknown>;
@@ -129,25 +198,17 @@ export function validateKitRepository(kitDir: string): string[] {
     errors.push(`${manifestPath}: invalid JSON: ${(error as Error).message}`);
     return errors;
   }
-  if (manifest.schema_version !== "1.0") errors.push(`${manifestPath}: .schema_version must be "1.0"`);
-  if (typeof manifest.id !== "string" || !/^[a-z0-9][a-z0-9-]*$/.test(manifest.id)) {
-    errors.push(`${manifestPath}: .id must be a stable kebab-case string`);
-  }
-  if (typeof manifest.name !== "string" || !manifest.name.trim()) errors.push(`${manifestPath}: .name must be a non-empty string`);
 
-  // Degradation invariant: every Flow Agents Kit must remain a valid core Flow Kit container
-  // when agent-extension fields are stripped. Strip extensions and re-validate core contract.
-  const coreManifest: Record<string, unknown> = {};
-  for (const key of Object.keys(manifest)) {
-    if (CORE_CONTAINER_FIELDS.has(key)) coreManifest[key] = manifest[key];
-  }
-  const coreErrors = validateCoreContainer(coreManifest, manifestPath);
-  for (const err of coreErrors) {
-    // Deduplicate: only add if not already covered by top-level checks above.
-    if (!errors.some((existing) => existing === err)) errors.push(err);
-  }
+  // Delegate core container validation (schema_version, id, name, flows including file
+  // existence) to @kontourai/flow — the container contract lives once, in Flow.
+  // This enforces the degradation invariant: a Flow Agents Kit must remain a valid
+  // core Flow Kit container when extension fields are stripped.
+  const coreErrors = await delegateCoreContainerValidation(kitDir, manifest);
+  for (const err of coreErrors) errors.push(err);
 
-  for (const section of ASSET_CLASSES) {
+  // Flow Agents extension validation: skills, docs, adapters, evals, assets.
+  // Flows are validated above by @kontourai/flow; only extension classes are checked here.
+  for (const section of EXTENSION_ASSET_CLASSES) {
     const entries = manifest[section];
     if (entries === undefined) continue;
     if (!Array.isArray(entries)) {
@@ -182,16 +243,15 @@ export function validateKitRepository(kitDir: string): string[] {
         return;
       }
       if (!fs.existsSync(resolved)) {
-        const noun = section === "flows" ? "Flow Definition" : "asset";
-        errors.push(`${manifestPath}: ${section}[${index}].path points at missing ${noun}: ${rel}`);
+        errors.push(`${manifestPath}: ${section}[${index}].path points at missing asset: ${rel}`);
       }
     });
   }
   return errors;
 }
 
-export function assertKitRepository(kitDir: string): Record<string, unknown> {
-  const errors = validateKitRepository(kitDir);
+export async function assertKitRepository(kitDir: string): Promise<Record<string, unknown>> {
+  const errors = await validateKitRepository(kitDir);
   if (errors.length) {
     const error = new Error("Flow Kit repository validation failed") as Error & { diagnostics?: string[] };
     error.diagnostics = errors;

package/src/tools/build-universal-bundles.ts

@@ -12,6 +12,57 @@ const textExtensions = new Set([".css", ".html", ".js", ".json", ".md", ".sh", "
 const dropDiagnostics: string[] = [];
 const printDiagnostics = !["0", "false", "no"].includes(String(process.env.FLOW_AGENTS_EXPORT_DIAGNOSTICS ?? "1").toLowerCase());
 
+/**
+ * Collect all skill source paths across skills/ and kit-owned skills.
+ * Returns an array of {name, src} pairs where name is the install name
+ * (same as the directory name) and src is the absolute SKILL.md path.
+ * Kit-owned skills are discovered by reading kit.json `skills` arrays;
+ * each entry's `path` is resolved relative to the kit directory.
+ */
+function collectAllSkills(): Array<{ name: string; src: string }> {
+  const results: Array<{ name: string; src: string }> = [];
+  const seen = new Set<string>();
+
+  // 1. Top-level skills/ directory (tools pending reclassification).
+  const skillsDir = path.join(root, "skills");
+  if (fs.existsSync(skillsDir)) {
+    for (const skill of fs.readdirSync(skillsDir).sort()) {
+      const skillPath = path.join(skillsDir, skill, "SKILL.md");
+      if (fs.existsSync(skillPath) && !seen.has(skill)) {
+        seen.add(skill);
+        results.push({ name: skill, src: skillPath });
+      }
+    }
+  }
+
+  // 2. Kit-owned skills declared in kits/<kit>/kit.json `skills` arrays.
+  const kitsDir = path.join(root, "kits");
+  if (fs.existsSync(kitsDir)) {
+    for (const kitName of fs.readdirSync(kitsDir).sort()) {
+      const kitJson = path.join(kitsDir, kitName, "kit.json");
+      if (!fs.existsSync(kitJson)) continue;
+      let kitManifest: Record<string, unknown>;
+      try { kitManifest = loadJson<Record<string, unknown>>(kitJson); } catch { continue; }
+      const skills = Array.isArray(kitManifest["skills"]) ? kitManifest["skills"] as unknown[] : [];
+      for (const entry of skills) {
+        if (typeof entry !== "object" || entry === null) continue;
+        const skillEntry = entry as Record<string, unknown>;
+        const relPath = typeof skillEntry["path"] === "string" ? skillEntry["path"] : null;
+        if (!relPath) continue;
+        // Derive install name from the directory containing SKILL.md (one level up).
+        const absPath = path.resolve(path.join(kitsDir, kitName), relPath);
+        const skillName = path.basename(path.dirname(absPath));
+        if (fs.existsSync(absPath) && !seen.has(skillName)) {
+          seen.add(skillName);
+          results.push({ name: skillName, src: absPath });
+        }
+      }
+    }
+  }
+
+  return results.sort((a, b) => a.name.localeCompare(b.name));
+}
+
 function resetDir(dir: string): void {
   fs.rmSync(dir, { recursive: true, force: true });
   fs.mkdirSync(dir, { recursive: true });
@@ -302,9 +353,8 @@ function buildClaudeCode(agents: Agent[]): void {
   copySharedContent(bundle, "claude-code", "<bundle-root>");
   writeText(path.join(bundle, manifest.claude_code.task_dir, ".gitkeep"), "");
   for (const spec of agents) writeText(path.join(bundle, ".claude/agents", `${spec.name}.md`), exportClaudeAgent(spec));
-  for (const skill of fs.readdirSync(path.join(root, "skills"))) {
-    const skillPath = path.join(root, "skills", skill, "SKILL.md");
-    if (fs.existsSync(skillPath)) writeText(path.join(bundle, ".claude/skills", skill, "SKILL.md"), sanitizeText(readText(skillPath), "claude-code", "<bundle-root>"));
+  for (const { name, src } of collectAllSkills()) {
+    writeText(path.join(bundle, ".claude/skills", name, "SKILL.md"), sanitizeText(readText(src), "claude-code", "<bundle-root>"));
   }
   writeText(path.join(bundle, ".claude/settings.json"), exportClaudeSettings());
   writeText(path.join(bundle, "AGENTS.md"), exportRootAgentsMd("Claude Code", agents, manifest.claude_code.task_dir));
@@ -324,9 +374,8 @@ function buildCodex(agents: Agent[]): void {
   for (const [profileName, profile] of Object.entries(manifest.codex.profiles ?? {})) writeText(path.join(bundle, ".codex", `${profileName}.config.toml`), exportCodexProfileConfig(profile as Record<string, unknown>, settings));
   writeText(path.join(bundle, ".codex/hooks.json"), exportCodexHooks());
   for (const spec of targetAgents) writeText(path.join(bundle, ".codex/agents", `${spec.name}.toml`), exportCodexAgent(spec));
-  for (const skill of fs.readdirSync(path.join(root, "skills"))) {
-    const skillPath = path.join(root, "skills", skill, "SKILL.md");
-    if (fs.existsSync(skillPath)) writeText(path.join(bundle, ".codex/skills", skill, "SKILL.md"), sanitizeText(readText(skillPath), "codex", "<bundle-root>"));
+  for (const { name, src } of collectAllSkills()) {
+    writeText(path.join(bundle, ".codex/skills", name, "SKILL.md"), sanitizeText(readText(src), "codex", "<bundle-root>"));
   }
   writeText(path.join(bundle, "AGENTS.md"), exportRootAgentsMd("Codex", targetAgents, manifest.codex.task_dir));
   writeText(path.join(bundle, "README.md"), exportTargetReadme("Codex", "bash install.sh /path/to/workspace"));
@@ -390,6 +439,7 @@ function exportOpencodePlugin(): string {
 
 import { spawnSync } from 'node:child_process';
 import { join, basename } from 'node:path';
+import { mkdirSync, writeFileSync } from 'node:fs';
 
 // opencode runs plugins inside its own compiled (Bun-based) binary, so
 // process.execPath points at opencode itself — spawning it with a script
@@ -400,6 +450,19 @@ const NODE_BIN = basename(process.execPath).startsWith('node') ? process.execPat
 export const FlowAgentsPlugin = async ({ project, client, $, directory, worktree }) => {
   const root = directory || process.cwd();
 
+  // Deterministic load marker. opencode invokes this factory at startup but
+  // does not reliably surface plugin console output to its log file, and its
+  // internal "loading plugin" message was dropped in opencode 1.17.x. Write a
+  // marker into the workspace telemetry dir so acceptance tests can confirm the
+  // plugin loaded without depending on opencode internals. Best-effort only.
+  try {
+    const telemetryDir = join(root, '.telemetry');
+    mkdirSync(telemetryDir, { recursive: true });
+    writeFileSync(join(telemetryDir, 'opencode-plugin.loaded'), 'flow-agents');
+  } catch (_err) {
+    // Marker is diagnostic only; never block plugin load on a write failure.
+  }
+
   // The hook scripts read the event payload from stdin; an empty stdin makes
   // the telemetry pipeline silently skip the emit (fail-open), so every spawn
   // must pass a payload (caught by live acceptance smoke 2026-06-11).
@@ -490,9 +553,8 @@ function buildOpencode(agents: Agent[]): void {
   for (const spec of agents) {
     writeText(path.join(bundle, ".opencode/agents", `${spec.name}.md`), exportOpencodeAgent(spec));
   }
-  for (const skill of fs.readdirSync(path.join(root, "skills"))) {
-    const skillPath = path.join(root, "skills", skill, "SKILL.md");
-    if (fs.existsSync(skillPath)) writeText(path.join(bundle, ".opencode/skills", skill, "SKILL.md"), sanitizeText(readText(skillPath), "opencode", "<bundle-root>"));
+  for (const { name, src } of collectAllSkills()) {
+    writeText(path.join(bundle, ".opencode/skills", name, "SKILL.md"), sanitizeText(readText(src), "opencode", "<bundle-root>"));
   }
   writeText(path.join(bundle, ".opencode/plugins/flow-agents.js"), exportOpencodePlugin());
   writeText(path.join(bundle, "opencode.json"), exportOpencodeConfig());
@@ -602,9 +664,8 @@ function buildPi(agents: Agent[]): void {
   writeText(path.join(bundle, manifest.pi.task_dir, ".gitkeep"), "");
   // pi has no named-subagent registry; agents are left canonical/unexported.
   // Skills are exported to .pi/skills/ (direct .md files supported in that dir).
-  for (const skill of fs.readdirSync(path.join(root, "skills"))) {
-    const skillPath = path.join(root, "skills", skill, "SKILL.md");
-    if (fs.existsSync(skillPath)) writeText(path.join(bundle, ".pi/skills", skill, "SKILL.md"), sanitizeText(readText(skillPath), "pi", "<bundle-root>"));
+  for (const { name, src } of collectAllSkills()) {
+    writeText(path.join(bundle, ".pi/skills", name, "SKILL.md"), sanitizeText(readText(src), "pi", "<bundle-root>"));
   }
   writeText(path.join(bundle, ".pi/extensions/flow-agents.ts"), exportPiExtension());
   writeText(path.join(bundle, "AGENTS.md"), exportRootAgentsMd("pi", agents, manifest.pi.task_dir));
@@ -617,7 +678,7 @@ function buildCatalog(agents: Agent[]): Record<string, unknown> {
   return {
     source_root: ".",
     agents: agents.slice().sort((a, b) => a.name.localeCompare(b.name)).map((spec) => spec.name),
-    skills: fs.readdirSync(path.join(root, "skills")).filter((name) => fs.existsSync(path.join(root, "skills", name, "SKILL.md"))).sort(),
+    skills: collectAllSkills().map(({ name }) => name),
     powers: fs.readdirSync(path.join(root, "powers")).filter((name) => fs.existsSync(path.join(root, "powers", name, "mcp.json"))).sort(),
     packs: packs.packs ?? [],
     kits: fs.existsSync(kitsCatalog) ? loadJson<Record<string, unknown>>(kitsCatalog).kits ?? [] : [],

package/src/tools/generate-context-map.ts

@@ -74,15 +74,45 @@ function repoShape(manifest: Record<string, unknown>): string[][] {
   return rows;
 }
 
+/** Collect all skill {name, absPath} pairs from skills/ and kit-owned skills. */
+function allSkillPaths(): Array<{ name: string; absPath: string }> {
+  const results: Array<{ name: string; absPath: string }> = [];
+  const seen = new Set<string>();
+  const skillsDir = path.join(root, "skills");
+  if (exists(skillsDir)) {
+    for (const name of fs.readdirSync(skillsDir).sort()) {
+      const absPath = path.join(skillsDir, name, "SKILL.md");
+      if (exists(absPath) && !seen.has(name)) { seen.add(name); results.push({ name, absPath }); }
+    }
+  }
+  const kitsDir = path.join(root, "kits");
+  if (exists(kitsDir)) {
+    for (const kitName of fs.readdirSync(kitsDir).sort()) {
+      const kitJson = path.join(kitsDir, kitName, "kit.json");
+      if (!exists(kitJson)) continue;
+      let kitManifest: Record<string, unknown>;
+      try { kitManifest = loadJson<Record<string, unknown>>(kitJson); } catch { continue; }
+      const skills = Array.isArray(kitManifest["skills"]) ? kitManifest["skills"] as unknown[] : [];
+      for (const entry of skills) {
+        if (typeof entry !== "object" || entry === null) continue;
+        const skillEntry = entry as Record<string, unknown>;
+        const relPath = typeof skillEntry["path"] === "string" ? skillEntry["path"] : null;
+        if (!relPath) continue;
+        const absPath = path.resolve(path.join(kitsDir, kitName), relPath);
+        const skillName = path.basename(path.dirname(absPath));
+        if (exists(absPath) && !seen.has(skillName)) { seen.add(skillName); results.push({ name: skillName, absPath }); }
+      }
+    }
+  }
+  return results.sort((a, b) => a.name.localeCompare(b.name));
+}
+
 function listSkillRows(): [string[][], string[][]] {
   const workflowRows: string[][] = [];
   const supportRows: string[][] = [];
-  const skillsDir = path.join(root, "skills");
-  for (const name of fs.readdirSync(skillsDir).sort()) {
-    const skillPath = path.join(skillsDir, name, "SKILL.md");
-    if (!exists(skillPath)) continue;
-    const meta = frontmatter(readText(skillPath));
-    const row = [meta.name ?? name, rel(skillPath), oneLine(meta.description ?? "")];
+  for (const { name, absPath } of allSkillPaths()) {
+    const meta = frontmatter(readText(absPath));
+    const row = [meta.name ?? name, rel(absPath), oneLine(meta.description ?? "")];
     if (workflowSkills.has(row[0])) workflowRows.push(row);
     else supportRows.push(row);
   }

package/src/tools/validate-source-tree.ts

@@ -37,7 +37,7 @@ const publicScriptWrappers = new Map<string, { target: string; significantLines:
   ] }],
   ["scripts/filter-installed-packs.js", { target: "../build/src/tools/filter-installed-packs.js", significantLines: ['import("../build/src/tools/filter-installed-packs.js").then(({ main }) => process.exit(main(process.argv.slice(2))));'] }],
   ["scripts/generate-context-map.js", { target: "../build/src/tools/generate-context-map.js", significantLines: ['import("../build/src/tools/generate-context-map.js").then(({ main }) => process.exit(main(process.argv.slice(2))));'] }],
-  ["scripts/flow-kit.js", { target: "../build/src/cli/flow-kit.js", significantLines: ['import("../build/src/cli/flow-kit.js").then(({ main }) => process.exit(main()));'] }],
+  ["scripts/kit.js", { target: "../build/src/cli/kit.js", significantLines: ['import("../build/src/cli/kit.js").then(({ main }) => main().then((code) => process.exit(code)));'] }],
   ["scripts/pull-work-provider.js", { target: "../build/src/cli/pull-work-provider.js", significantLines: ['import("../build/src/cli/pull-work-provider.js").then(({ main }) => process.exit(main()));'] }],
   ["scripts/effective-backlog-settings.js", { target: "../build/src/cli/effective-backlog-settings.js", significantLines: ['import("../build/src/cli/effective-backlog-settings.js").then(({ main }) => process.exit(main()));'] }],
   ["scripts/publish-change-helper.js", { target: "../build/src/cli/publish-change-helper.js", significantLines: ['import("../build/src/cli/publish-change-helper.js").then(({ main }) => process.exit(main()));'] }],
@@ -301,6 +301,28 @@ function validateAgentPaths(reporter: Reporter, manifest: any): void {
   }
 }
 function validateLegacyRefs(reporter: Reporter): void {
+  // Collect all kit-owned asset relative paths so legacy-ref scanning can skip matches
+  // that are subpaths of kit-owned assets. E.g. legacyRefRe matches "skills/plan-work/SKILL.md"
+  // within "kits/builder/skills/plan-work/SKILL.md"; the kit declares and validates these.
+  const kitOwnedSubPaths = new Set<string>();
+  const kitsDir = path.join(root, "kits");
+  if (fs.existsSync(kitsDir)) {
+    for (const kitName of fs.readdirSync(kitsDir)) {
+      const kitJson = path.join(kitsDir, kitName, "kit.json");
+      if (!fs.existsSync(kitJson)) continue;
+      try {
+        const kitManifest = loadJson<Record<string, unknown>>(kitJson);
+        for (const section of ["skills", "docs", "adapters", "evals", "assets"]) {
+          const entries = Array.isArray(kitManifest[section]) ? kitManifest[section] as unknown[] : [];
+          for (const entry of entries) {
+            if (typeof entry !== "object" || entry === null) continue;
+            const relPath = (entry as Record<string, unknown>)["path"];
+            if (typeof relPath === "string" && relPath) kitOwnedSubPaths.add(relPath);
+          }
+        }
+      } catch { /* skip invalid kit.json */ }
+    }
+  }
   for (const file of walkFiles(path.join(root, "evals")).sort()) {
     if (!textRefExtensions.has(path.extname(file))) continue;
     const parts = path.relative(path.join(root, "evals"), file).split(path.sep);
@@ -310,6 +332,10 @@ function validateLegacyRefs(reporter: Reporter): void {
       const ref = match[0].replace(/[.,)'"\]]+$/, "");
       if (/[{}$]/.test(ref)) continue;
       if (ref.split(/[\\/]/).includes("node_modules")) continue;
+      // Skip refs that are declared kit-owned asset paths or their parent directories
+      // (e.g. "skills/plan-work/SKILL.md" or "skills/plan-work" matched inside
+      // "kits/builder/skills/plan-work/SKILL.md" in eval files).
+      if (kitOwnedSubPaths.has(ref) || [...kitOwnedSubPaths].some((p) => p.startsWith(ref + "/"))) continue;
       const candidates = [path.join(root, ref), ...(ref.startsWith("evals/") ? [] : [path.join(root, "evals", ref)])];
       if (!candidates.some(fs.existsSync)) reporter.fail(`${rel(file)}: references missing source path: ${ref}`);
     }

package/scripts/flow-kit.js

@@ -1,2 +0,0 @@
-#!/usr/bin/env node
-import("../build/src/cli/flow-kit.js").then(({ main }) => process.exit(main()));

package/skills/context-budget/SKILL.md

@@ -1,40 +0,0 @@
----
-name: context-budget
-description: >-
-  Audit token overhead across Flow Agents bundles — agent specs, skills, context files,
-  MCP servers. Produces budget report with per-component breakdown and optimization suggestions.
----
-
-# Context Budget Audit
-
-Scan installed Flow Agents bundles and estimate token overhead per component. Produces a structured budget report with optimization suggestions.
-
-## Workflow
-
-### Phase 1: Inventory
-
-Run `bash context/scripts/context-budget/budget-scan.sh` to discover all loaded components. The script walks `~/.flow-agents/` and outputs JSON with per-bundle breakdowns.
-
-### Phase 2: Classify
-
-Bucket each component from the scan output:
-- **Always loaded**: context files matching package dependency patterns, skill frontmatter descriptions
-- **On-demand**: full SKILL.md body (loaded on skill activation), deferred context (`context/deferred/`)
-- **Per-agent**: agent-spec systemPrompt, agent-specific MCP servers
-
-### Phase 3: Detect Issues
-
-Flag problems from the scan data:
-- Heavy agent specs: systemPrompt > 200 lines
-- Bloated skill descriptions: frontmatter description > 30 words
-- MCP over-subscription: agent with > 10 MCP servers or > 50 total tools
-- Context bloat: any single context file > 100 lines
-- Deferred candidates: context files > 2% of model context that aren't safety/routing
-
-### Phase 4: Report
-
-Structured output:
-- Per-bundle breakdown (tokens by category)
-- Per-agent breakdown (what each agent loads at spawn)
-- Top-N optimization suggestions ranked by token savings
-- Use `--verbose` flag on budget-scan.sh for per-file token counts