@raishin/vanguard-frontier-agentic 2.2.0 → 2.3.0

package/catalog/install-roles.json

@@ -981,6 +981,34 @@
         "legal-hr-routing-protocol",
         "legal-hr-risk-taxonomy"
       ]
+    },
+    "dotnet-application-review-engineer": {
+      "label": ".NET Application Review Engineer",
+      "description": "Static review of .NET applications: C# and runtime correctness, ASP.NET Core API architecture, authentication and authorization, EF Core data access, test quality, CI and NuGet supply-chain integrity, performance and Native AOT readiness, in-application OpenTelemetry wiring, and .NET Aspire cloud-native posture. A dotnet-maestro router plus nine static-review specialists; every agent reads source and sanitized configuration only and never builds, runs, migrates, or contacts a live system.",
+      "agents": [
+        "dotnet-maestro-agent",
+        "dotnet-csharp-runtime-review-agent",
+        "dotnet-aspnetcore-api-review-agent",
+        "dotnet-aspnetcore-identity-authz-review-agent",
+        "dotnet-efcore-data-access-review-agent",
+        "dotnet-testing-quality-review-agent",
+        "dotnet-supply-chain-review-agent",
+        "dotnet-performance-aot-review-agent",
+        "dotnet-observability-otel-review-agent",
+        "dotnet-aspire-cloud-native-review-agent"
+      ],
+      "skills": [
+        "dotnet-maestro",
+        "dotnet-csharp-runtime-review",
+        "dotnet-aspnetcore-api-review",
+        "dotnet-aspnetcore-identity-authz-review",
+        "dotnet-efcore-data-access-review",
+        "dotnet-testing-quality-review",
+        "dotnet-supply-chain-review",
+        "dotnet-performance-aot-review",
+        "dotnet-observability-otel-review",
+        "dotnet-aspire-cloud-native-review"
+      ]
     }
   }
 }

package/catalog/skill-manifest.json

@@ -4252,6 +4252,221 @@
         }
       ]
     },
+    {
+      "id": "dotnet-aspire-cloud-native-review",
+      "path": "skills/dotnet/dotnet-aspire-cloud-native-review",
+      "aggregate_sha256": "d10dc2743b319688c5b7120dc86be8e56ade05e6691f6a8cec29280c906b9c53",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-aspire-cloud-native-review/SKILL.md",
+          "sha256": "f25d203e6f150048734712e89742a80b26fbf930102df44491ec0cfe7a1cbd66",
+          "bytes": 5335
+        },
+        {
+          "path": "skills/dotnet/dotnet-aspire-cloud-native-review/metadata.json",
+          "sha256": "f5d93fd1e80e66cd11e302f958c3f907536df6c35bc61713fafe96cf5a048e4f",
+          "bytes": 1466
+        },
+        {
+          "path": "skills/dotnet/dotnet-aspire-cloud-native-review/references/workflow-and-output.md",
+          "sha256": "a61c0b2e87e51429e24eba0f1dfbba97ad53bb582c5c3ad958690bab09668d86",
+          "bytes": 6167
+        }
+      ]
+    },
+    {
+      "id": "dotnet-aspnetcore-api-review",
+      "path": "skills/dotnet/dotnet-aspnetcore-api-review",
+      "aggregate_sha256": "9739a8e2fa6c07fd9c2990c11edd824b911bf1b15a8ab3d785e4412db883d7c6",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-aspnetcore-api-review/SKILL.md",
+          "sha256": "4e6cecbf4ed115b52bcac5edb40d553a393075d11200ddd1658830dba4d505d6",
+          "bytes": 4902
+        },
+        {
+          "path": "skills/dotnet/dotnet-aspnetcore-api-review/metadata.json",
+          "sha256": "77e57f609a352cbf0ff6af7aa9ecb11e650b3112329bd3e8151362ddfb5bb22f",
+          "bytes": 1363
+        },
+        {
+          "path": "skills/dotnet/dotnet-aspnetcore-api-review/references/workflow-and-output.md",
+          "sha256": "16a7c97ff73c813d6e66fed5e1cd428c3560f76334e824eec45157ecb01b93cf",
+          "bytes": 5848
+        }
+      ]
+    },
+    {
+      "id": "dotnet-aspnetcore-identity-authz-review",
+      "path": "skills/dotnet/dotnet-aspnetcore-identity-authz-review",
+      "aggregate_sha256": "7c21a0081efcb9665df0dfd799a0cd4ed056cf38b9506d2e98be3c6de848f8e0",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-aspnetcore-identity-authz-review/SKILL.md",
+          "sha256": "4400c634a75ab4575cfb6e5e71001565a022170facb8c82ea4a16e3befd54f25",
+          "bytes": 5446
+        },
+        {
+          "path": "skills/dotnet/dotnet-aspnetcore-identity-authz-review/metadata.json",
+          "sha256": "0b288e3065dbcec08f8a2361314041fd4000ef3567295ef7e8cda35f4525d39d",
+          "bytes": 1591
+        },
+        {
+          "path": "skills/dotnet/dotnet-aspnetcore-identity-authz-review/references/workflow-and-output.md",
+          "sha256": "30ff645c741e3491de7151753046abe6ced3279baccc6435ceffef36df44ea3a",
+          "bytes": 7233
+        }
+      ]
+    },
+    {
+      "id": "dotnet-csharp-runtime-review",
+      "path": "skills/dotnet/dotnet-csharp-runtime-review",
+      "aggregate_sha256": "6c162621f77ac00822fb128862e15ef19ca9d0ecad272c985bab9314921aef31",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-csharp-runtime-review/SKILL.md",
+          "sha256": "255765ec7c47e2c1c8aba5fc58ea27accf0d73a8d2c675ec5005da64dd5b7fff",
+          "bytes": 4987
+        },
+        {
+          "path": "skills/dotnet/dotnet-csharp-runtime-review/metadata.json",
+          "sha256": "9b95682723fc49ea28d0ce037fba802b57160dbebd7357ed71025274e3b3529b",
+          "bytes": 1309
+        },
+        {
+          "path": "skills/dotnet/dotnet-csharp-runtime-review/references/workflow-and-output.md",
+          "sha256": "2a6acc5dc364afa4cc4afcab9205cd622fc5d05e958a0a414c64bfae8b0373de",
+          "bytes": 6912
+        }
+      ]
+    },
+    {
+      "id": "dotnet-efcore-data-access-review",
+      "path": "skills/dotnet/dotnet-efcore-data-access-review",
+      "aggregate_sha256": "9338e58d2efa495d3a5e15b7d2c38ae604cd8ea8de3220fdd3870d4acdc9708b",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-efcore-data-access-review/SKILL.md",
+          "sha256": "216c440621caa1e878e5a1c4d0b1626792d43e4ac20f4005a68285fadced9511",
+          "bytes": 5357
+        },
+        {
+          "path": "skills/dotnet/dotnet-efcore-data-access-review/metadata.json",
+          "sha256": "08c243e1d3ad6b728a55b650e009942e0bbd6c9cb9a7407667b920249cb0a52b",
+          "bytes": 1320
+        },
+        {
+          "path": "skills/dotnet/dotnet-efcore-data-access-review/references/workflow-and-output.md",
+          "sha256": "037b619910f769ccb26b28d4cb618d7ad5d7abfde30074ebf50ba32fd37c8d3d",
+          "bytes": 6875
+        }
+      ]
+    },
+    {
+      "id": "dotnet-maestro",
+      "path": "skills/dotnet/dotnet-maestro",
+      "aggregate_sha256": "37b49d75f13dd887cbba383c3f79006aac2da44f5c61dc09c3a3008d240e2f69",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-maestro/SKILL.md",
+          "sha256": "4f1c58ca17782e019f990e4e8f6f362914f2100adb18d3ae9ef29a3806c8d704",
+          "bytes": 8162
+        },
+        {
+          "path": "skills/dotnet/dotnet-maestro/metadata.json",
+          "sha256": "544af3af94ad7701761f6b6e485aad8dfde6355b1351ff1aab55d227d0c6cb17",
+          "bytes": 993
+        }
+      ]
+    },
+    {
+      "id": "dotnet-observability-otel-review",
+      "path": "skills/dotnet/dotnet-observability-otel-review",
+      "aggregate_sha256": "4752bb71732aa39dee3e64cdf3ef90572af276efd7ab50b565d6b74c2b80a50e",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-observability-otel-review/SKILL.md",
+          "sha256": "658e8cbbcc3f97e9d76f07c6f9b6f3de7bb490582aff090bc2aa0fdcbbc3e02e",
+          "bytes": 5107
+        },
+        {
+          "path": "skills/dotnet/dotnet-observability-otel-review/metadata.json",
+          "sha256": "e12dcc1ddc42cbfe88064ca0baad9eaa7db3a4a70c0b97da62cb72b1fd0f73be",
+          "bytes": 1377
+        },
+        {
+          "path": "skills/dotnet/dotnet-observability-otel-review/references/workflow-and-output.md",
+          "sha256": "ee095c50d297bd3ee1d74bc68ea5847ee3e36a1a13b01c7e584118ee9c33b644",
+          "bytes": 6381
+        }
+      ]
+    },
+    {
+      "id": "dotnet-performance-aot-review",
+      "path": "skills/dotnet/dotnet-performance-aot-review",
+      "aggregate_sha256": "bbf4f825abe031da6d9e1dd73c25e6e2f9658a3605d3c161eec8f7c93fbaccae",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-performance-aot-review/SKILL.md",
+          "sha256": "f67c3f6ec0823ede1049b887533f3404604aa6627b617f9bd80c56e4d9c81a4c",
+          "bytes": 5450
+        },
+        {
+          "path": "skills/dotnet/dotnet-performance-aot-review/metadata.json",
+          "sha256": "a779fc17716c7216141d1f05e40111bb00e6fb83961b83e06ab1544085f40c4f",
+          "bytes": 1264
+        },
+        {
+          "path": "skills/dotnet/dotnet-performance-aot-review/references/workflow-and-output.md",
+          "sha256": "37ee95c99b6d90973da593829f062a4a7bfdfa91ceadc2c6e1a6b4b4ded5a37d",
+          "bytes": 7755
+        }
+      ]
+    },
+    {
+      "id": "dotnet-supply-chain-review",
+      "path": "skills/dotnet/dotnet-supply-chain-review",
+      "aggregate_sha256": "67ec884c97820eab402c0578e91096b0e56661ab3fce97c3305dd956a18664f4",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-supply-chain-review/SKILL.md",
+          "sha256": "1a878798891eebbe4bb774e7661e0a92975ca866e0cb71e873d0ed2af273cd5b",
+          "bytes": 5251
+        },
+        {
+          "path": "skills/dotnet/dotnet-supply-chain-review/metadata.json",
+          "sha256": "f31ec2b9d8d6081f0b1402070c4f6543abc7369712f66b6a21f09e7a6706908f",
+          "bytes": 1418
+        },
+        {
+          "path": "skills/dotnet/dotnet-supply-chain-review/references/workflow-and-output.md",
+          "sha256": "8483d2bceb9d7273bb91f8d22095c8b7c83fa757527f4078e38834ddca2677b1",
+          "bytes": 7623
+        }
+      ]
+    },
+    {
+      "id": "dotnet-testing-quality-review",
+      "path": "skills/dotnet/dotnet-testing-quality-review",
+      "aggregate_sha256": "9d6bd092ac50be6e2fc007a48c0a5cc479e14765c408469dfeab537117b8fd74",
+      "files": [
+        {
+          "path": "skills/dotnet/dotnet-testing-quality-review/SKILL.md",
+          "sha256": "aabdb603e7fb888bd2442b9d235d364c911586f5c1bb39a7566e3bce5bb076cc",
+          "bytes": 5025
+        },
+        {
+          "path": "skills/dotnet/dotnet-testing-quality-review/metadata.json",
+          "sha256": "372962a587678f058132964b73b7e30e4f33f230eebde51062004f01762e233c",
+          "bytes": 1224
+        },
+        {
+          "path": "skills/dotnet/dotnet-testing-quality-review/references/workflow-and-output.md",
+          "sha256": "37b95c6fdb10590263e8a9f316ae10a8df75b4a1186135994ead64e67b009150",
+          "bytes": 7122
+        }
+      ]
+    },
     {
       "id": "email-sender-authentication-review",
       "path": "skills/marketing/email-sender-authentication-review",
@@ -6034,7 +6249,7 @@
     {
       "id": "hr-risk-triage-review",
       "path": "skills/hr/hr-risk-triage-review",
-      "aggregate_sha256": "9b52c8961574232e814a97dd70e1a8b538ab5931127da8a2af30babb57fb6cbf",
+      "aggregate_sha256": "4936089413ccbfbe2d7174ae1d0f647c6a10535c386ccdfbe773ccf6de495d03",
       "files": [
         {
           "path": "skills/hr/hr-risk-triage-review/SKILL.md",
@@ -6043,8 +6258,8 @@
         },
         {
           "path": "skills/hr/hr-risk-triage-review/metadata.json",
-          "sha256": "4853a6f54430aca86a6d4966334253927d19c9c2b0cca5dafac887c3d30a110f",
-          "bytes": 1295
+          "sha256": "0783412c58ab6f322c1d6c00dbe85740e8e7ccab2574c62d530473e90acce37a",
+          "bytes": 1318
         },
         {
           "path": "skills/hr/hr-risk-triage-review/references/jurisdictions/australia.md",
@@ -7847,7 +8062,7 @@
     {
       "id": "legal-counsel-review",
       "path": "skills/legal/legal-counsel-review",
-      "aggregate_sha256": "ffb7d729219ed7eb00af4da74bdb435052f67fc35d99a95c38217a2db0d9d99d",
+      "aggregate_sha256": "266b7283c3aa9301ce57ae20187dc6e2c3f609378ebe4375b01367726d20a404",
       "files": [
         {
           "path": "skills/legal/legal-counsel-review/SKILL.md",
@@ -7856,8 +8071,8 @@
         },
         {
           "path": "skills/legal/legal-counsel-review/metadata.json",
-          "sha256": "38bda931f43fa4cfe567dd26f275b91b0357dedf11f97d283055027af1c3e4ac",
-          "bytes": 1328
+          "sha256": "9760fae332ed3b57c73870e6117116031b1d57b1adc7f499ece44cdf9398c2f2",
+          "bytes": 1354
         },
         {
           "path": "skills/legal/legal-counsel-review/references/jurisdictions/australia.md",

package/catalog/skills.json

@@ -3921,6 +3921,280 @@
     "author": "github: Raishin",
     "version": "0.1.0"
   },
+  {
+    "id": "dotnet-aspire-cloud-native-review",
+    "name": ".NET Aspire Cloud-Native Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of .NET Aspire AppHost and service-defaults projects for cloud-native readiness — health checks, service dependency wiring, resiliency policies, configuration and secret hygiene, and the boundary to a real deployment platform. Reads source and sanitized configuration only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/dotnet/aspire/",
+      "https://learn.microsoft.com/en-us/dotnet/aspire/fundamentals/service-defaults",
+      "https://learn.microsoft.com/en-us/dotnet/aspire/fundamentals/app-host-overview",
+      "https://learn.microsoft.com/en-us/dotnet/aspire/fundamentals/health-checks"
+    ],
+    "security_notes": "Static review only — reads the AppHost project, ServiceDefaults, the Aspire manifest, and sanitized configuration; never runs the AppHost or deploys. Flags secrets committed in appsettings as critical. Never requests secrets, connection strings, or customer data; ask for sanitized appsettings with placeholders. Note: .NET Aspire APIs evolve quickly — keep last_verified current.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-aspire-cloud-native-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-aspnetcore-api-review",
+    "name": ".NET ASP.NET Core API Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of ASP.NET Core HTTP API architecture — middleware ordering, dependency-injection lifetimes, CORS, model validation, API versioning, error responses, rate limiting, and health/readiness boundaries. Reads source and sanitized configuration only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware/",
+      "https://learn.microsoft.com/en-us/aspnet/core/fundamentals/dependency-injection",
+      "https://learn.microsoft.com/en-us/aspnet/core/security/cors",
+      "https://learn.microsoft.com/en-us/aspnet/core/performance/rate-limit",
+      "https://learn.microsoft.com/en-us/aspnet/core/fundamentals/minimal-apis/security"
+    ],
+    "security_notes": "Static review only — reads source and sanitized configuration, never runs the app or calls endpoints. Never requests secrets, connection strings, tokens, signing keys, or customer data; ask for sanitized appsettings with placeholders.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-aspnetcore-api-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-aspnetcore-identity-authz-review",
+    "name": ".NET ASP.NET Core Identity & AuthZ Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of ASP.NET Core authentication, authorization, identity boundaries, JWT token validation, cookie and session security, and multi-tenant isolation. Reads source and sanitized configuration only — never runs the app or contacts an identity provider.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/aspnet/core/security/",
+      "https://learn.microsoft.com/en-us/aspnet/core/security/authentication/configure-jwt-bearer-authentication",
+      "https://learn.microsoft.com/en-us/aspnet/core/security/authorization/introduction",
+      "https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies",
+      "https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie"
+    ],
+    "security_notes": "Static review only — reads source and sanitized configuration, never runs the application, mints or inspects tokens, or contacts an identity provider. Flags disabled token validation, anonymous state-changing endpoints, and client-supplied tenant claims as critical. Never requests secrets, signing keys, client secrets, tokens, connection strings, tenant identifiers, or customer data.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-aspnetcore-identity-authz-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-csharp-runtime-review",
+    "name": ".NET C# & Runtime Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of C# language and runtime correctness — nullable reference types, async/await, cancellation, disposal, allocations on hot paths, LINQ misuse, and AOT/trimming hazards. Reads source only; never compiles or runs code.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/dotnet/csharp/",
+      "https://learn.microsoft.com/en-us/dotnet/standard/asynchronous-programming-patterns/",
+      "https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-types/nullable-reference-types",
+      "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/debug-threadpool-starvation",
+      "https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trim-warnings"
+    ],
+    "security_notes": "Static review only — reads C# source and project files, never compiles, runs, or instruments code. Never requests secrets, connection strings, tokens, or customer data.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-csharp-runtime-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-efcore-data-access-review",
+    "name": ".NET EF Core Data Access Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of EF Core data access — DbContext lifetime, N+1 queries, unbounded result sets, raw SQL injection surface, optimistic concurrency tokens, migration discipline, multi-tenant query filters, and connection resiliency. Reads source only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/ef/core/",
+      "https://learn.microsoft.com/en-us/ef/core/dbcontext-configuration",
+      "https://learn.microsoft.com/en-us/ef/core/querying/single-split-queries",
+      "https://learn.microsoft.com/en-us/ef/core/miscellaneous/multitenancy",
+      "https://learn.microsoft.com/en-us/ef/core/saving/concurrency"
+    ],
+    "security_notes": "Static review only — reads DbContext classes, entity configuration, migrations, and query sites; never runs migrations, opens a database connection, or executes SQL. Never requests connection strings, database credentials, or customer data.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-efcore-data-access-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-maestro",
+    "name": ".NET Maestro",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Router skill for the .NET board. Classifies a .NET task and dispatches the narrowest specialist agent, or a parallel team of up to four for multi-domain tasks. Routes only — never answers .NET questions itself.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/dotnet/",
+      "https://learn.microsoft.com/en-us/aspnet/core/",
+      "https://learn.microsoft.com/en-us/ef/core/"
+    ],
+    "security_notes": "Routing only — performs no review itself, never runs code, never requests secrets, connection strings, tokens, tenant identifiers, or customer data. Every dispatched .NET specialist is static-review.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-maestro",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-observability-otel-review",
+    "name": ".NET Observability & OpenTelemetry Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of in-application OpenTelemetry wiring in ASP.NET Core — SDK registration, trace context propagation, structured logging, correlation IDs, metrics instrumentation, sampling, and PII leakage in telemetry. Reads source and sanitized configuration only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/observability-with-otel",
+      "https://learn.microsoft.com/en-us/dotnet/core/extensions/logging",
+      "https://learn.microsoft.com/en-us/aspnet/core/fundamentals/logging/",
+      "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/distributed-tracing"
+    ],
+    "security_notes": "Static review only — reads OpenTelemetry registration, logging configuration, and instrumentation source; never runs the app or contacts a telemetry backend. Flags PII in spans or logs as critical. Never requests secrets, tokens, or customer data; ask for sanitized appsettings with placeholders.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-observability-otel-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-performance-aot-review",
+    "name": ".NET Performance, AOT & Trimming Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static, evidence-gated review of .NET performance posture, Native AOT, and trimming readiness — reflection and serialization hazards, hot-path allocations, and benchmark discipline. Any performance claim with no benchmark artifact is downgraded to inference.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/dotnet/core/deploying/native-aot/",
+      "https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trim-self-contained",
+      "https://learn.microsoft.com/en-us/dotnet/core/deploying/trimming/trim-warnings",
+      "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/"
+    ],
+    "security_notes": "Static review only — reads project files, benchmark results, trim-warning output, and hot-path source; never runs the application, a benchmark, or a profiler. Never requests secrets or customer data.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-performance-aot-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-supply-chain-review",
+    "name": ".NET Supply Chain Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of .NET CI/CD and NuGet supply-chain integrity — SDK pinning, package version pinning and lock files, feed trust, fork-PR secret exposure, vulnerability scanning, and build reproducibility. Reads workflow and project configuration only.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/nuget/",
+      "https://learn.microsoft.com/en-us/nuget/consume-packages/central-package-management",
+      "https://learn.microsoft.com/en-us/dotnet/core/tools/global-json",
+      "https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files",
+      "https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions"
+    ],
+    "security_notes": "Static review only — reads CI workflow files, global.json, Directory.Packages.props, NuGet.config, lock files, and publish profiles; never triggers a pipeline or restores packages. Flags secret exposure to fork-PR builds as critical. Never requests CI secrets, feed credentials, or signing keys.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-supply-chain-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
+  {
+    "id": "dotnet-testing-quality-review",
+    "name": ".NET Testing Quality Review",
+    "type": "skill",
+    "provider": "dotnet",
+    "harnesses": [
+      "codex",
+      "claude-code",
+      "cursor",
+      "gemini",
+      "kiro",
+      "other"
+    ],
+    "summary": "Static review of .NET test suites — detects assertion-free and tautological tests, over-mocking, coverage theater, weak isolation, flaky patterns, and missing negative or security tests across xUnit, NUnit, and MSTest. Reads test source only; never runs the suite.",
+    "source_type": "original",
+    "official_docs": [
+      "https://learn.microsoft.com/en-us/dotnet/core/testing/",
+      "https://learn.microsoft.com/en-us/dotnet/core/testing/unit-testing-best-practices",
+      "https://learn.microsoft.com/en-us/aspnet/core/test/integration-tests",
+      "https://learn.microsoft.com/en-us/aspnet/core/test/middleware"
+    ],
+    "security_notes": "Static review only — reads test projects, test source, and coverage configuration; never runs the test suite, a coverage tool, or a test container. Never requests secrets or customer data.",
+    "last_verified": "2026-05-19",
+    "path": "skills/dotnet/dotnet-testing-quality-review",
+    "version": "0.1.0",
+    "author": "github: Raishin"
+  },
   {
     "id": "email-sender-authentication-review",
     "name": "Email Sender Authentication Review",
@@ -5750,7 +6024,7 @@
     "id": "hr-risk-triage-review",
     "name": "HR Risk Triage Review",
     "type": "skill",
-    "provider": "generic",
+    "provider": "hr",
     "harnesses": [
       "codex",
       "claude-code",
@@ -7466,7 +7740,7 @@
     "id": "legal-counsel-review",
     "name": "Legal Counsel Review",
     "type": "skill",
-    "provider": "generic",
+    "provider": "legal",
     "harnesses": [
       "codex",
       "claude-code",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@raishin/vanguard-frontier-agentic",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "Cloud and zero-trust agentic workflow marketplace for skills, agents, rules, MCP references, and compliance-aware architecture.",
   "license": "Apache-2.0",
   "repository": {

package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "vanguard-frontier-agentic",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "Curated marketplace for cloud and zero-trust AI workflows. 331 agents, 286 skills, and rules across AWS, Azure, OCI, GCP, Alibaba Cloud, Huawei Cloud, Kubernetes, and Terraform.",
   "author": {
     "name": "Raishin",

package/schemas/agent.schema.json

@@ -49,7 +49,10 @@
         "kubernetes",
         "terraform",
         "multi-cloud",
-        "generic"
+        "generic",
+        "dotnet",
+        "hr",
+        "legal"
       ]
     },
     "harnesses": {

package/schemas/skill.schema.json

@@ -42,7 +42,10 @@
         "kubernetes",
         "terraform",
         "multi-cloud",
-        "generic"
+        "generic",
+        "dotnet",
+        "hr",
+        "legal"
       ]
     },
     "harnesses": {

package/scripts/export-marketplace-agents.mjs

@@ -304,8 +304,20 @@ function loadSkills() {
     for (const skill of fs.readdirSync(providerDir, { withFileTypes: true })) {
       if (!skill.isDirectory()) continue;
       const skillDir = path.join(providerDir, skill.name);
+      const metaFile = path.join(skillDir, "metadata.json");
       if (fs.existsSync(path.join(skillDir, "SKILL.md"))) {
-        byName.set(skill.name, { dir: skillDir, provider: provider.name });
+        let skillProvider = provider.name;
+        if (fs.existsSync(metaFile)) {
+          try {
+            const meta = JSON.parse(fs.readFileSync(metaFile, "utf8"));
+            if (meta.provider) {
+              skillProvider = meta.provider;
+            }
+          } catch (err) {
+            // Fall back to directory name if metadata.json is invalid.
+          }
+        }
+        byName.set(skill.name, { dir: skillDir, provider: skillProvider });
       }
     }
   }