@skilly-hand/skilly-hand 0.15.0 → 0.16.0

package/CHANGELOG.md

@@ -16,6 +16,37 @@ All notable changes to this project are documented in this file.
 ### Removed
 - _None._
 
+## [0.16.0] - 2026-04-07
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.16.0)
+
+### Added
+- _None._
+
+### Changed
+- _None._
+
+### Fixed
+- Added missing `output-optimizer` and `project-security` to the README catalog list.
+
+### Removed
+- _None._
+
+## [0.15.1] - 2026-04-07
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.15.1)
+
+### Added
+- Added portable skill `output-optimizer` for compact interpreter modes that minimize response verbosity while preserving clarity and correctness.
+- Added portable skill `project-security` for scanning and enforcing security gates on commit, push, and publish workflows across GitHub, GitLab, npm, pnpm, yarn, and generic CI.
+
+### Changed
+- _None._
+
+### Fixed
+- _None._
+
+### Removed
+- _None._
+
 ## [0.15.0] - 2026-04-05
 [View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.15.0)
 
@@ -41,7 +72,7 @@ All notable changes to this project are documented in this file.
 
 - Removed "Clarification-First Planning Workflow" from `AGENTS.md` (superseded by refined workflows)
 
-## [0.14.0] - 2026-04-06
+## [0.14.0] - 2026-04-05
 [View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.14.0)
 
 ### Added
@@ -73,6 +104,8 @@ All notable changes to this project are documented in this file.
 
 ### Removed
 - _None._
+
+## [0.12.0] - 2026-04-05
 [View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.12.0)
 
 ### Added

package/README.md

@@ -73,9 +73,11 @@ The catalog currently includes:
 - `angular-guidelines`
 - `figma-mcp-0to1`
 - `frontend-design`
+- `output-optimizer`
+- `project-security`
 - `project-teacher`
-- `review-rangers`
 - `react-guidelines`
+- `review-rangers`
 - `skill-creator`
 - `spec-driven-development`
 - `test-driven-development`

package/catalog/README.md

@@ -8,8 +8,10 @@ Published portable skills consumed by the `skilly-hand` CLI.
 | `agents-root-orchestrator` | Author root AGENTS.md as a Where/What/When orchestrator that routes tasks and skill invocation clearly. | core, workflow, orchestration | all |
 | `angular-guidelines` | Guide Angular code generation and review using latest stable Angular verification and modern framework best practices. | angular, frontend, workflow, best-practices | all |
 | `figma-mcp-0to1` | Guide users from Figma MCP installation and authentication through first canvas creation, with function-level tool coverage and operational recovery patterns. | figma, mcp, workflow, design | all |
-| `frontend-design` | Project-aware frontend design skill that detects the existing tech stack, UI libraries, CSS variables, and design tokens before proposing any UI work. | frontend, design, workflow, ui | all |
-| `project-teacher` | Scan the active project and teach any concept, code path, or decision using verified information, interactive questions, and simple explanations. | core, workflow, education | all |
+| `frontend-design` | Project-aware frontend design skill that detects the existing tech stack, UI libraries, CSS variables, and design tokens before proposing any UI work. Supports greenfield projects via DESIGN.md context setup, and includes post-generation motion and visual refinement phases. | frontend, design, workflow, ui, motion, greenfield | all |
+| `output-optimizer` | Optimize output token consumption through compact interpreter modes with controlled expansion when complexity, ambiguity, or risk requires more detail. Trigger: minimizing response verbosity while preserving clarity and correctness. | core, workflow, efficiency, communication | all |
+| `project-security` | Scan project configuration and release surfaces for leak and security risks, and enforce security gates on commit, push, and publish workflows across GitHub, GitLab, npm, pnpm, yarn, and generic CI. Trigger: validating repository security posture, preventing secret leaks, or hardening delivery pipelines. | security, workflow, quality, core | all |
+| `project-teacher` | Scan the active project and teach any concept, code path, or decision using verified information, interactive questions, and simple explanations. Trigger: user asks to explain, understand, clarify, or learn about anything in the project or codebase. | core, workflow, education | all |
 | `react-guidelines` | Guide React code generation and review using latest stable React verification and modern framework best practices. | react, frontend, workflow, best-practices | all |
 | `review-rangers` | Review code, decisions, and artifacts through a multi-perspective committee and a domain expert safety guard, then synthesize a structured verdict. | core, workflow, review, quality | all |
 | `skill-creator` | Create and standardize AI skills with reusable structure, metadata rules, and templates. | core, workflow, authoring | all |

package/catalog/catalog-index.json

@@ -4,6 +4,8 @@
   "angular-guidelines",
   "figma-mcp-0to1",
   "frontend-design",
+  "output-optimizer",
+  "project-security",
   "project-teacher",
   "react-guidelines",
   "review-rangers",

package/catalog/skills/output-optimizer/SKILL.md

@@ -0,0 +1,159 @@
+# Output Optimizer Guide
+
+## When to Use
+
+Use this skill when:
+
+- You want compact responses to reduce output token usage.
+- You need deterministic output formats for repeated workflows.
+- You need concise communication without losing core clarity.
+- You want controlled detail expansion only when risk or ambiguity requires it.
+
+Do not use this skill for:
+
+- Cases where the user explicitly asks for long-form teaching or narrative detail.
+- Tasks that require extensive legal, medical, or compliance explanation by default.
+- Situations where a fixed external output schema already overrides style choices.
+
+---
+
+## Critical Patterns
+
+### Pattern 1: Activation and Precedence
+
+Apply modes in this order:
+
+1. If user writes `mode: <name>`, use that mode.
+2. If no explicit mode, infer from phrasing:
+- "keywords only" -> `machine`
+- "yes or no" / "binary" -> `binary-decision`
+- "json" / "structured output" -> `json-compact`
+- "step by step, concise" -> `step-brief`
+- "command style" / "minimal commands" -> `neandertal`
+- "toon format" -> `toon`
+3. If no strong signal, default to `step-brief` for human-readable compact output.
+
+Explicit mode always wins over inferred mode.
+
+### Pattern 2: Mode Contracts
+
+| Mode | Contract | Token Profile |
+| --- | --- | --- |
+| `neandertal` | Imperative command-like short phrases, no filler, minimal connectors. | Lowest human-readable |
+| `machine` | Keywords only, grouped by labels, no prose sentences. | Ultra-low |
+| `step-brief` | Numbered steps, each step max 3-4 short phrases. | Low with clarity |
+| `toon` | Exactly 4 blocks: `Title`, `Objective`, `Output`, `Next`. | Low and stable |
+| `json-compact` | Minimal stable JSON keys and short scalar values. | Low + parseable |
+| `binary-decision` | `yes` or `no` plus one short reason. | Ultra-low for triage |
+
+### Pattern 3: Complexity + Confidence Guard
+
+Default to compact output. Expand only when:
+
+1. Task complexity is moderate/high and concise output may cause mistakes.
+2. Requirements are ambiguous and short output cannot preserve correctness.
+3. Risk is elevated (security, production impact, irreversible operations).
+4. User explicitly asks for more detail.
+
+When expanding, keep structure compact and scoped to the needed clarification.
+
+### Pattern 4: Compression Rules
+
+Always prefer:
+
+- Specific nouns over long explanations.
+- One-pass direct answer over repeated restatement.
+- Bounded lists over paragraphs.
+- Deterministic templates where possible.
+
+Avoid:
+
+- Polite filler and redundant transitions.
+- Repeating the prompt unless needed for disambiguation.
+- Verbose caveats when risk is low.
+
+---
+
+## Decision Tree
+
+```text
+User provided `mode: <name>`?                 -> Use explicit mode
+No explicit mode, strong phrasing signal?     -> Infer mode from signal
+No explicit mode and no signal?               -> step-brief
+Task complexity/ambiguity/risk is high?       -> Expand within selected mode
+User asks for detail/clarification?           -> Expand within selected mode
+Otherwise                                     -> Keep compact output
+```
+
+---
+
+## Output Examples
+
+### Example 1: `neandertal`
+
+```text
+Check logs. Find error. Patch file. Run tests. Report result.
+```
+
+### Example 2: `machine`
+
+```text
+status:blocked
+cause:missing-env
+action:set-token,retry
+```
+
+### Example 3: `step-brief`
+
+```text
+1. Open config file. Find auth block. Confirm token key.
+2. Add missing key. Save file. Re-run command.
+3. Verify success output. Capture result. Share summary.
+```
+
+### Example 4: `toon`
+
+```text
+Title: Auth Fix
+Objective: Restore CLI login flow
+Output: Config key added, login passes
+Next: Run smoke check
+```
+
+### Example 5: `json-compact`
+
+```json
+{"status":"ok","mode":"json-compact","next":"deploy"}
+```
+
+### Example 6: `binary-decision`
+
+```text
+yes: tests pass on required suite
+```
+
+---
+
+## Prompt Patterns
+
+These are prompt fragments, not terminal commands.
+
+```text
+mode: neandertal
+mode: machine
+mode: step-brief
+mode: toon
+mode: json-compact
+mode: binary-decision
+```
+
+```text
+explain in detail
+```
+
+---
+
+## Resources
+
+- Mode protocol reference: [references/mode-protocols.md](references/mode-protocols.md)
+- Related complexity control: [../token-optimizer/SKILL.md](../token-optimizer/SKILL.md)

package/catalog/skills/output-optimizer/manifest.json

@@ -0,0 +1,33 @@
+{
+  "id": "output-optimizer",
+  "title": "Output Optimizer",
+  "description": "Optimize output token consumption through compact interpreter modes with controlled expansion when complexity, ambiguity, or risk requires more detail. Trigger: minimizing response verbosity while preserving clarity and correctness.",
+  "portable": true,
+  "tags": ["core", "workflow", "efficiency", "communication"],
+  "detectors": ["always"],
+  "detectionTriggers": ["always"],
+  "installsFor": ["all"],
+  "agentSupport": ["codex", "claude", "cursor", "gemini", "copilot", "antigravity", "windsurf", "trae"],
+  "skillMetadata": {
+    "author": "skilly-hand",
+    "last-edit": "2026-04-07",
+    "license": "Apache-2.0",
+    "version": "1.0.0",
+    "changelog": "Added a new portable output compression skill with deterministic interpreter modes and guarded detail expansion; reduces response token costs while preserving safety and clarity; affects response shaping workflows and catalog routing",
+    "auto-invoke": "When minimizing output verbosity or selecting compact communication modes",
+    "allowed-tools": [
+      "Read",
+      "Edit",
+      "Write",
+      "Glob",
+      "Grep",
+      "Bash",
+      "Task"
+    ]
+  },
+  "files": [
+    { "path": "SKILL.md", "kind": "instruction" },
+    { "path": "references/mode-protocols.md", "kind": "reference" }
+  ],
+  "dependencies": []
+}

package/catalog/skills/output-optimizer/references/mode-protocols.md

@@ -0,0 +1,76 @@
+# Output Optimizer Mode Protocols
+
+## Activation Protocol
+
+- Explicit selector format: `mode: <name>`
+- Canonical names:
+  - `neandertal`
+  - `machine`
+  - `step-brief`
+  - `toon`
+  - `json-compact`
+  - `binary-decision`
+- Resolution precedence:
+1. explicit mode
+2. inferred mode from wording
+3. default `step-brief`
+
+## TOON Protocol (Strict)
+
+Always output these four blocks in this exact order:
+
+1. `Title`
+2. `Objective`
+3. `Output`
+4. `Next`
+
+Constraints:
+
+- One short line per block.
+- No extra blocks.
+- No decorative or comic phrasing requirement.
+
+## `json-compact` Protocol
+
+Use compact JSON with minimal stable keys:
+
+```json
+{"status":"<value>","mode":"json-compact","next":"<value>"}
+```
+
+Rules:
+
+- Keep keys short and predictable.
+- Keep values concise.
+- No explanatory prose outside JSON.
+
+## `binary-decision` Protocol
+
+Output contract:
+
+```text
+yes: <short reason>
+```
+
+or
+
+```text
+no: <short reason>
+```
+
+Rules:
+
+- Exactly one decision token: `yes` or `no`.
+- Exactly one brief reason.
+- No extra paragraphs.
+
+## Expansion Guard
+
+Expand output only if one or more apply:
+
+- Complexity threatens correctness.
+- Ambiguity prevents safe execution.
+- Risk is material.
+- User explicitly asks for detail.
+
+When expanded, preserve the selected mode shape as much as possible.

package/catalog/skills/project-security/SKILL.md

@@ -0,0 +1,163 @@
+# Project Security Guide
+
+## When to Use
+
+Use this skill when:
+
+- You need to prevent secret leaks or insecure config from entering source control.
+- You are preparing to commit, push, or publish and want enforced security gates.
+- You need portable security checks across npm, pnpm, yarn, GitHub, GitLab, or generic CI.
+- You are reviewing repository settings, package metadata, lockfiles, and workflow files for risk.
+
+Do not use this skill for:
+
+- Runtime penetration testing of deployed environments.
+- Cloud infrastructure hardening outside the repository scope.
+- Compliance audits that require organization-specific legal controls beyond repository security.
+
+---
+
+## Critical Patterns
+
+### Pattern 1: Scan High-Risk Repository Surfaces First
+
+Prioritize files that most often leak credentials or unsafe release behavior:
+
+1. Local config and env surfaces (`.env*`, settings files, tool config, secrets material).
+2. Package and release metadata (`package.json`, lockfiles, publish config, scripts).
+3. Ignore and policy boundaries (`.gitignore`, `.npmignore`, allow/deny lists).
+4. CI/CD workflows (`.github/workflows`, `.gitlab-ci.yml`, release jobs).
+
+Use the baseline checklist in [assets/high-risk-files-checklist.md](assets/high-risk-files-checklist.md).
+
+### Pattern 2: Enforce Gates by Delivery Stage
+
+Use increasing guardrails by stage:
+
+- **Commit gate**: fast checks for hardcoded secrets, committed env files, and critical ignore hygiene.
+- **Push gate**: commit gate plus supply-chain and workflow safety checks.
+- **Publish gate**: push gate plus release-surface validation (publish scripts/config and package contents).
+
+### Pattern 3: Block on High-Risk by Default
+
+- **Blocker (fail immediately)** examples: confirmed secrets, private keys, tracked `.env` files, unsafe publish exposure.
+- **Warning (non-blocking)** examples: low-confidence token patterns, optional hardening gaps, advisory-only dependency alerts.
+
+Default policy:
+
+1. Exit non-zero for blockers.
+2. Treat dependency-audit failures as blocking by default in push and CI gates.
+3. Do not provide warning-mode bypasses for dependency audit failures in enforced gates.
+
+### Pattern 4: Keep Gate Execution Deterministic
+
+- Do not use dynamic command override execution for core gate logic.
+- Resolve commands in a fixed order only: `pnpm` -> `yarn` -> `npm` -> `node scripts/security-check.mjs`.
+- Fail closed when no valid runner or lockfile path is available.
+- Do not include bypass environment flags for enforced gates.
+
+### Pattern 5: Stay Package-Manager and CI Agnostic
+
+Always provide equivalent paths for npm, pnpm, yarn, and generic shell runners.
+
+- Do not assume one package manager.
+- Detect lockfiles and use the matching command path when possible.
+- Keep templates portable and adapter-based.
+
+---
+
+## Decision Tree
+
+```text
+Need checks before local commits?                    -> Install pre-commit gate template
+Need checks before remote integration?               -> Install pre-push gate template
+Need checks before package release/publication?      -> Install pre-publish gate and CI release gate
+Single-platform pipeline only?                       -> Use platform adapter (GitHub or GitLab)
+Multiple platforms or uncertain tooling?             -> Use generic gate script + adapter wrappers
+Otherwise                                            -> Apply all three gates (commit, push, publish)
+```
+
+---
+
+## Code Examples
+
+### Example 1: Security Check Script in `package.json`
+
+```json
+{
+  "scripts": {
+    "security:check": "node scripts/security-check.mjs"
+  }
+}
+```
+
+### Example 2: Commit Gate Wiring (Git Hook)
+
+```sh
+cp catalog/skills/project-security/assets/pre-commit.sample.sh .git/hooks/pre-commit
+chmod +x .git/hooks/pre-commit
+```
+
+### Example 3: Publish Gate Wiring (Package Script)
+
+```json
+{
+  "scripts": {
+    "prepublishOnly": "sh catalog/skills/project-security/assets/pre-publish.sample.sh"
+  }
+}
+```
+
+---
+
+## Commands
+
+```bash
+# Core check command (generic)
+node scripts/security-check.mjs
+
+# npm
+npm run --silent security:check
+
+# pnpm
+pnpm run -s security:check
+
+# yarn
+yarn -s security:check
+
+# Install git hook gates
+cp catalog/skills/project-security/assets/pre-commit.sample.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
+cp catalog/skills/project-security/assets/pre-push.sample.sh .git/hooks/pre-push && chmod +x .git/hooks/pre-push
+
+# Run a generic CI gate script
+sh catalog/skills/project-security/assets/generic-ci-security-gate.sh
+
+```
+
+---
+
+## Workflow Adapters
+
+- GitHub Actions snippet: [assets/github-actions-security-gate.yml](assets/github-actions-security-gate.yml)
+- GitLab CI snippet: [assets/gitlab-ci-security-gate.yml](assets/gitlab-ci-security-gate.yml)
+- Generic CI entrypoint: [assets/generic-ci-security-gate.sh](assets/generic-ci-security-gate.sh)
+
+---
+
+## Resources
+
+- High-risk file checklist: [assets/high-risk-files-checklist.md](assets/high-risk-files-checklist.md)
+- Shared deterministic resolver: [assets/run-security-check.shared.sh](assets/run-security-check.shared.sh)
+- Commit gate template: [assets/pre-commit.sample.sh](assets/pre-commit.sample.sh)
+- Push gate template: [assets/pre-push.sample.sh](assets/pre-push.sample.sh)
+- Publish gate template: [assets/pre-publish.sample.sh](assets/pre-publish.sample.sh)
+
+---
+
+## Breaking Behavior Note
+
+- Audit failures now block by default in push and CI gates.
+- GitHub CI template fails when `package.json` exists without a lockfile.
+- Publish gate now requires the bundled generic gate script and fails closed when it is missing.
+- `SECURITY_CHECK_CMD` override is removed for deterministic gate execution.
+- `SKIP_SECURITY_GATES` and `ENABLE_SUPPLY_CHAIN_WARNINGS` bypass flags are removed from templates.

package/catalog/skills/project-security/assets/generic-ci-security-gate.sh

@@ -0,0 +1,36 @@
+#!/bin/sh
+set -eu
+
+script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+# shellcheck source=/dev/null
+. "$script_dir/run-security-check.shared.sh"
+
+run_supply_chain_check() {
+  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
+    if ! pnpm audit --prod; then
+      echo "[project-security] pnpm audit reported issues." >&2
+      return 1
+    fi
+    return
+  fi
+
+  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+    if ! yarn npm audit; then
+      echo "[project-security] yarn audit reported issues." >&2
+      return 1
+    fi
+    return
+  fi
+
+  if [ -f "package-lock.json" ] && command -v npm >/dev/null 2>&1; then
+    if ! npm audit --audit-level=high; then
+      echo "[project-security] npm audit reported issues." >&2
+      return 1
+    fi
+    return
+  fi
+}
+
+echo "[project-security] running CI security gate..."
+run_security_check
+run_supply_chain_check

package/catalog/skills/project-security/assets/github-actions-security-gate.yml

@@ -0,0 +1,38 @@
+name: security-gate
+
+on:
+  pull_request:
+  push:
+    branches:
+      - "**"
+  release:
+    types: [published]
+
+jobs:
+  security:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "20"
+
+      - name: Install dependencies (auto-detect package manager)
+        run: |
+          corepack enable
+          if [ -f pnpm-lock.yaml ]; then
+            pnpm install --frozen-lockfile
+          elif [ -f yarn.lock ]; then
+            yarn install --immutable
+          elif [ -f package-lock.json ]; then
+            npm ci
+          elif [ -f package.json ]; then
+            echo "[project-security] missing lockfile; refusing non-deterministic install" >&2
+            exit 1
+          fi
+
+      - name: Run security gate
+        run: sh catalog/skills/project-security/assets/generic-ci-security-gate.sh

package/catalog/skills/project-security/assets/gitlab-ci-security-gate.yml

@@ -0,0 +1,21 @@
+security_gate:
+  stage: test
+  rules:
+    - if: '$CI_PIPELINE_SOURCE == "push"'
+    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+    - if: '$CI_COMMIT_TAG'
+  before_script:
+    - corepack enable
+    - |
+      if [ -f pnpm-lock.yaml ]; then
+        pnpm install --frozen-lockfile
+      elif [ -f yarn.lock ]; then
+        yarn install --immutable
+      elif [ -f package-lock.json ]; then
+        npm ci
+      elif [ -f package.json ]; then
+        echo "[project-security] missing lockfile; refusing non-deterministic install" >&2
+        exit 1
+      fi
+  script:
+    - sh catalog/skills/project-security/assets/generic-ci-security-gate.sh

package/catalog/skills/project-security/assets/high-risk-files-checklist.md

@@ -0,0 +1,49 @@
+# High-Risk Repository Security Checklist
+
+Use this baseline list before commit, push, and publish.
+
+## 1) Secrets and Credentials
+
+- `.env`, `.env.*`, `.secrets*`, `.credentials*`
+- PEM/SSH/private key material (`*.pem`, `id_rsa`, `id_ed25519`, PKCS#12 files)
+- API keys and tokens in source/config/test fixtures
+- Service-account JSON or cloud credentials
+
+## 2) Project and Tool Settings
+
+- IDE and editor settings that may contain local paths/tokens
+- Tool config files (linters, build tools, release bots) with embedded secrets
+- MCP, AI assistant, or integration config files containing auth material
+
+## 3) Package and Publish Surface
+
+- `package.json` scripts that expose secrets in command arguments
+- `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock` integrity and unexpected source URLs
+- `.npmrc`, `.yarnrc*`, `.pnpmfile.cjs` for leaked tokens or unsafe registries
+- Publish include/exclude controls (`files`, `.npmignore`) to avoid shipping sensitive files
+
+## 4) Source-Control Boundaries
+
+- `.gitignore` and optional global ignore parity for env/secrets artifacts
+- Accidental tracking of generated artifacts containing secrets
+- Branch/workflow policies that bypass checks
+
+## 5) CI/CD and Release Definitions
+
+- `.github/workflows/*.yml` and `.gitlab-ci.yml` secret handling
+- Unmasked logging of env vars/tokens
+- Publish and release jobs missing security checks
+
+## 6) Blocker vs Warning Guidance
+
+Blockers:
+
+- Confirmed secret/token/private key exposure
+- Tracked env files with sensitive values
+- Publish configuration that includes secrets or private internals
+
+Warnings:
+
+- Suspicious but unconfirmed patterns
+- Optional hardening opportunities (pinning, stricter masks, policy tuning)
+- Advisory-only dependency concerns without exploit path evidence

package/catalog/skills/project-security/assets/pre-commit.sample.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+# shellcheck source=/dev/null
+. "$script_dir/run-security-check.shared.sh"
+
+echo "[project-security] running commit gate..."
+run_security_check

package/catalog/skills/project-security/assets/pre-publish.sample.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -eu
+
+script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+
+if [ -f "$script_dir/generic-ci-security-gate.sh" ]; then
+  sh "$script_dir/generic-ci-security-gate.sh"
+  exit 0
+fi
+
+echo "[project-security] generic publish gate script is missing: $script_dir/generic-ci-security-gate.sh" >&2
+exit 1

package/catalog/skills/project-security/assets/pre-push.sample.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+set -eu
+
+script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+# shellcheck source=/dev/null
+. "$script_dir/run-security-check.shared.sh"
+
+run_optional_supply_chain_check() {
+  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
+    if ! pnpm audit --prod; then
+      echo "[project-security] pnpm audit reported issues." >&2
+      return 1
+    fi
+    return 0
+  fi
+
+  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+    if ! yarn npm audit; then
+      echo "[project-security] yarn audit reported issues." >&2
+      return 1
+    fi
+    return 0
+  fi
+
+  if [ -f "package-lock.json" ] && command -v npm >/dev/null 2>&1; then
+    if ! npm audit --audit-level=high; then
+      echo "[project-security] npm audit reported issues." >&2
+      return 1
+    fi
+    return 0
+  fi
+
+  return 0
+}
+
+echo "[project-security] running push gate..."
+run_security_check
+run_optional_supply_chain_check

package/catalog/skills/project-security/assets/run-security-check.shared.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+set -eu
+
+run_security_check() {
+  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
+    pnpm run -s security:check
+    return
+  fi
+
+  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+    yarn -s security:check
+    return
+  fi
+
+  if [ -f "package.json" ] && command -v npm >/dev/null 2>&1; then
+    npm run --silent security:check
+    return
+  fi
+
+  if [ -f "scripts/security-check.mjs" ] && command -v node >/dev/null 2>&1; then
+    node scripts/security-check.mjs
+    return
+  fi
+
+  echo "[project-security] no security check command available." >&2
+  return 1
+}

package/catalog/skills/project-security/manifest.json

@@ -0,0 +1,41 @@
+{
+  "id": "project-security",
+  "title": "Project Security",
+  "description": "Scan project configuration and release surfaces for leak and security risks, and enforce security gates on commit, push, and publish workflows across GitHub, GitLab, npm, pnpm, yarn, and generic CI. Trigger: validating repository security posture, preventing secret leaks, or hardening delivery pipelines.",
+  "portable": true,
+  "tags": ["security", "workflow", "quality", "core"],
+  "detectors": ["always"],
+  "detectionTriggers": ["manual"],
+  "installsFor": ["all"],
+  "agentSupport": ["codex", "claude", "cursor", "gemini", "copilot", "antigravity", "windsurf", "trae"],
+  "skillMetadata": {
+    "author": "skilly-hand",
+    "last-edit": "2026-04-07",
+    "license": "Apache-2.0",
+    "version": "1.0.0",
+    "changelog": "Added portable project-security skill with commit/push/publish gating assets and CI templates; reduces secret leak and misconfiguration risk before delivery; affects catalog security workflow coverage and auto-invoke routing",
+    "auto-invoke": "Scanning project configuration and delivery workflows for leaks or security issues before commit, push, or publish",
+    "allowed-tools": [
+      "Read",
+      "Edit",
+      "Write",
+      "Glob",
+      "Grep",
+      "Bash",
+      "Task",
+      "SubAgent"
+    ]
+  },
+  "files": [
+    { "path": "SKILL.md", "kind": "instruction" },
+    { "path": "assets/high-risk-files-checklist.md", "kind": "asset" },
+    { "path": "assets/pre-commit.sample.sh", "kind": "asset" },
+    { "path": "assets/pre-push.sample.sh", "kind": "asset" },
+    { "path": "assets/pre-publish.sample.sh", "kind": "asset" },
+    { "path": "assets/run-security-check.shared.sh", "kind": "asset" },
+    { "path": "assets/generic-ci-security-gate.sh", "kind": "asset" },
+    { "path": "assets/github-actions-security-gate.yml", "kind": "asset" },
+    { "path": "assets/gitlab-ci-security-gate.yml", "kind": "asset" }
+  ],
+  "dependencies": []
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/skilly-hand",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "license": "CC-BY-NC-4.0",
   "type": "module",
   "publishConfig": {

package/packages/catalog/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/catalog",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "private": true,
   "type": "module"
 }

package/packages/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/cli",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "private": true,
   "type": "module",
   "bin": {

package/packages/core/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/core",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "private": true,
   "type": "module"
 }

package/packages/detectors/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/detectors",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "private": true,
   "type": "module"
 }