@skilly-hand/skilly-hand 0.17.0 → 0.19.0

package/CHANGELOG.md

@@ -16,6 +16,45 @@ All notable changes to this project are documented in this file.
 ### Removed
 - _None._
 
+## [0.19.0] - 2026-04-11
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.19.0)
+
+### Added
+- Added `scripts/dependency-security-check.mjs` plus new npm script `security:deps` for strict dependency audit and outdated-package reporting.
+- Added a full-screen Ink terminal UI for interactive CLI flows, including the new `--classic` fallback flag for plain text mode.
+- Added dependency security report automation to the project-security GitHub Actions template (scheduled artifact workflow).
+
+### Changed
+- Updated `security:check` to run strict dependency checks in addition to secret/config scanning.
+- Updated project-security hook/CI assets to use shared `run_security_gates` flow.
+- Updated CLI command routing and terminal rendering to support Ink-backed interactive sessions.
+
+### Fixed
+- Expanded and refreshed interactive/terminal/script test coverage for the new UI and security flows.
+
+### Removed
+- _None._
+
+## [0.18.0] - 2026-04-08
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.18.0)
+
+### Added
+- Added `sync-catalog` orchestration script to compute catalog README + skill frontmatter updates up front and apply writes atomically with rollback on failure.
+- Added `sync-skill-frontmatter` CLI script with `--check`, `--json`, and `--skill` filtering support.
+- Added regression coverage for catalog sync rollback/idempotency and frontmatter normalization edge cases (`tests/sync-catalog.test.js`, `tests/skill-frontmatter.test.js`).
+
+### Changed
+- Updated root `catalog:sync` script to run `scripts/sync-catalog.mjs` for unified catalog synchronization.
+- Expanded script JSON contract coverage for `sync-catalog` and `sync-skill-frontmatter` in `tests/scripts-output.test.js`.
+- Updated catalog validation flow to verify catalog README drift through dry-run sync checks.
+
+### Fixed
+- Hardened skill frontmatter parsing and verification to avoid false frontmatter detection and preserve markdown content for malformed leading YAML-like blocks.
+- Improved catalog README sync behavior to treat CRLF/LF-equivalent content as in sync.
+
+### Removed
+- _None._
+
 ## [0.17.0] - 2026-04-08
 [View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.17.0)
 

package/README.md

@@ -5,8 +5,8 @@
 ██╔════╝██║ ██╔╝██║██║     ██║     ╚██╗ ██╔╝    ██║  ██║██╔══██╗████╗  ██║██╔══██╗
 ╚█████╗ █████╔╝ ██║██║     ██║      ╚████╔╝     ███████║███████║██╔██╗ ██║██║  ██║
  ╚══██╗ ██╔═██╗ ██║██║     ██║       ╚██╔╝      ██╔══██║██╔══██║██║╚██╗██║██║  ██║
-██████╔╝██║  ██╗██║███████╗███████╗   ██║        ██║  ██║██║  ██║██║ ╚████║██████╔╝
-╚═════╝ ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝   ╚═╝        ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═════╝
+██████╔╝██║  ██╗██║███████╗███████╗   ██║       ██║  ██║██║  ██║██║ ╚████║██████╔╝
+╚═════╝ ╚═╝  ╚═╝╚═╝╚══════╝╚══════╝   ╚═╝       ╚═╝  ╚═╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═════╝
 ```
 
 **Portable AI agent skills. One CLI. Every coding assistant.**
@@ -36,7 +36,7 @@
 npx skilly-hand
 ```
 
-`npx skilly-hand` opens an interactive command launcher when running in a TTY.
+`npx skilly-hand` opens a full-screen skilly-hand terminal UI when running in a TTY.
 
 ---
 
@@ -55,6 +55,7 @@ npx skilly-hand
 | Flag | Description |
 | ---- | ----------- |
 | `--json` | Emit machine-readable output and disable interactive prompts |
+| `--classic` | Force plain text command mode and skip full-screen TUI |
 | `--yes`, `-y` | Skip confirmation prompts for mutating commands (`install`, `uninstall`) |
 | `--dry-run` | Preview install plan without writing files |
 | `--agent`, `-a <name>` | Target a specific assistant (repeatable; e.g. `--agent claude --agent cursor`) |
@@ -100,6 +101,11 @@ See [catalog/README.md](./catalog/README.md) for generated skill metadata.
 8. Smoke test after publish: `npx @skilly-hand/skilly-hand@<version> --help`.
 9. Verify npm metadata (README render, changelog, license, executable bin).
 
+### Security Automation
+
+- `npm run security:check` runs repository secret/config checks plus strict dependency security checks.
+- `npm run security:deps` runs strict dependency audit + outdated reporting only.
+
 ---
 
 ## Stack Detection

package/catalog/skills/accessibility-audit/SKILL.md

@@ -1,3 +1,24 @@
+---
+description: "Audit web accessibility against W3C WCAG 2.2 Level AA using framework-agnostic checks, remediation patterns, and portable command-line scanning."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-04"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Added portable WCAG 2.2 Level AA accessibility auditing skill with W3C-only references and scanner script; enables consistent web accessibility review across frameworks; affects catalog skill coverage and install plans for stacks recommending accessibility-audit"
+  auto-invoke: "Auditing, reviewing, or implementing web accessibility against WCAG 2.2 Level AA"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "WebFetch"
+    - "WebSearch"
+    - "Task"
+    - "SubAgent"
+---
 # Accessibility Audit Guide
 
 ## When to Use

package/catalog/skills/agents-root-orchestrator/SKILL.md

@@ -1,3 +1,22 @@
+---
+description: "Author root AGENTS.md as a Where/What/When orchestrator that routes tasks and skill invocation clearly."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-03"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Added root AGENTS orchestration guidance around Where/What/When structure; improves AI task routing clarity and trigger recognition; affects root AGENTS authoring workflow"
+  auto-invoke: "Creating or updating root AGENTS.md orchestration guidance"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "Task"
+    - "SubAgent"
+---
 # AGENTS Root Orchestrator Guide
 
 ## When to Use

package/catalog/skills/angular-guidelines/SKILL.md

@@ -1,3 +1,24 @@
+---
+description: "Guide Angular code generation and review using latest stable Angular verification and modern framework best practices."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-03"
+  license: "Apache-2.0"
+  version: "1.1.1"
+  changelog: "Added allowed-modes metadata to declare angular-guidelines sub-agent routing targets; improves discoverability of component-creator and angular-tester delegation modes; affects angular-guidelines manifest metadata"
+  auto-invoke: "Generating, reviewing, or refactoring Angular code artifacts in Angular projects"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "WebFetch"
+    - "WebSearch"
+    - "Task"
+    - "SubAgent"
+---
 # Angular Guidelines
 
 ## When to Use

package/catalog/skills/figma-mcp-0to1/SKILL.md

@@ -1,3 +1,24 @@
+---
+description: "Guide users from Figma MCP installation and authentication through first canvas creation, with function-level tool coverage and operational recovery patterns."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-03"
+  license: "Apache-2.0"
+  version: "1.0.1"
+  changelog: "Added allowed-modes metadata to declare figma-mcp-0to1 sub-agent routing targets; improves discoverability of install-auth, tool-function-catalog, canvas-creation-playbook, and troubleshooting-ops delegation modes; affects figma-mcp-0to1 manifest metadata"
+  auto-invoke: "Installing, configuring, or using Figma MCP from setup through first canvas creation"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "WebFetch"
+    - "WebSearch"
+    - "Task"
+    - "SubAgent"
+---
 # Figma MCP 0-to-1 Guide
 
 ## When to Use

package/catalog/skills/frontend-design/SKILL.md

@@ -1,3 +1,20 @@
+---
+description: "Project-aware frontend design skill that detects the existing tech stack, UI libraries, CSS variables, and design tokens before proposing any UI work. Supports greenfield projects via DESIGN.md context setup, and includes post-generation motion and visual refinement phases."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-05"
+  license: "Apache-2.0"
+  version: "1.1.0"
+  changelog: "v1.1.0: Added design-context-setter agent for greenfield/DESIGN.md workflow; added visual-refiner agent for post-generation quality evaluation; added motion-designer agent for stack-aware micro-interactions; added aesthetic-archetypes reference asset; expanded SKILL.md routing map with optional motion and refinement phases; upgraded component-designer with interaction states checklist and aesthetic principles"
+  auto-invoke: "Designing or generating UI components, pages, or layouts in a web or mobile project; setting up visual direction for a greenfield project; adding motion or micro-interactions to existing UI; refining or polishing generated UI output"
+  allowed-tools:
+    - "Read"
+    - "Grep"
+    - "Glob"
+    - "Bash"
+    - "Edit"
+    - "Write"
+---
 # Frontend Design Guide
 
 ## When to Use

package/catalog/skills/output-optimizer/SKILL.md

@@ -1,3 +1,21 @@
+---
+description: "Optimize output token consumption through compact interpreter modes with controlled expansion when complexity, ambiguity, or risk requires more detail. Trigger: minimizing response verbosity while preserving clarity and correctness."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-07"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Added a new portable output compression skill with deterministic interpreter modes and guarded detail expansion; reduces response token costs while preserving safety and clarity; affects response shaping workflows and catalog routing"
+  auto-invoke: "When minimizing output verbosity or selecting compact communication modes"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "Task"
+---
 # Output Optimizer Guide
 
 ## When to Use

package/catalog/skills/project-security/SKILL.md

@@ -1,3 +1,22 @@
+---
+description: "Scan project configuration and release surfaces for leak and security risks, and enforce security gates on commit, push, and publish workflows across GitHub, GitLab, npm, pnpm, yarn, and generic CI. Trigger: validating repository security posture, preventing secret leaks, or hardening delivery pipelines."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-07"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Added portable project-security skill with commit/push/publish gating assets and CI templates; reduces secret leak and misconfiguration risk before delivery; affects catalog security workflow coverage and auto-invoke routing"
+  auto-invoke: "Scanning project configuration and delivery workflows for leaks or security issues before commit, push, or publish"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "Task"
+    - "SubAgent"
+---
 # Project Security Guide
 
 ## When to Use

package/catalog/skills/project-security/assets/generic-ci-security-gate.sh

@@ -5,32 +5,5 @@ script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 # shellcheck source=/dev/null
 . "$script_dir/run-security-check.shared.sh"
 
-run_supply_chain_check() {
-  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
-    if ! pnpm audit --prod; then
-      echo "[project-security] pnpm audit reported issues." >&2
-      return 1
-    fi
-    return
-  fi
-
-  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
-    if ! yarn npm audit; then
-      echo "[project-security] yarn audit reported issues." >&2
-      return 1
-    fi
-    return
-  fi
-
-  if [ -f "package-lock.json" ] && command -v npm >/dev/null 2>&1; then
-    if ! npm audit --audit-level=high; then
-      echo "[project-security] npm audit reported issues." >&2
-      return 1
-    fi
-    return
-  fi
-}
-
 echo "[project-security] running CI security gate..."
-run_security_check
-run_supply_chain_check
+run_security_gates

package/catalog/skills/project-security/assets/github-actions-security-gate.yml

@@ -5,6 +5,8 @@ on:
   push:
     branches:
       - "**"
+  schedule:
+    - cron: "23 5 * * 1"
   release:
     types: [published]
 
@@ -36,3 +38,39 @@ jobs:
 
       - name: Run security gate
         run: sh catalog/skills/project-security/assets/generic-ci-security-gate.sh
+
+  dependency-report:
+    if: github.event_name == 'schedule'
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+        with:
+          node-version: "20"
+
+      - name: Install dependencies (auto-detect package manager)
+        run: |
+          corepack enable
+          if [ -f pnpm-lock.yaml ]; then
+            pnpm install --frozen-lockfile
+          elif [ -f yarn.lock ]; then
+            yarn install --immutable
+          elif [ -f package-lock.json ]; then
+            npm ci
+          elif [ -f package.json ]; then
+            echo "[project-security] missing lockfile; refusing non-deterministic install" >&2
+            exit 1
+          fi
+
+      - name: Generate dependency report
+        run: |
+          node scripts/dependency-security-check.mjs --json > dependency-security-report.json
+
+      - name: Upload dependency report artifact
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275f52d1598f
+        with:
+          name: dependency-security-report
+          path: dependency-security-report.json

package/catalog/skills/project-security/assets/pre-commit.sample.sh

@@ -6,4 +6,4 @@ script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 . "$script_dir/run-security-check.shared.sh"
 
 echo "[project-security] running commit gate..."
-run_security_check
+run_security_gates

package/catalog/skills/project-security/assets/pre-push.sample.sh

@@ -5,34 +5,5 @@ script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
 # shellcheck source=/dev/null
 . "$script_dir/run-security-check.shared.sh"
 
-run_optional_supply_chain_check() {
-  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
-    if ! pnpm audit --prod; then
-      echo "[project-security] pnpm audit reported issues." >&2
-      return 1
-    fi
-    return 0
-  fi
-
-  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
-    if ! yarn npm audit; then
-      echo "[project-security] yarn audit reported issues." >&2
-      return 1
-    fi
-    return 0
-  fi
-
-  if [ -f "package-lock.json" ] && command -v npm >/dev/null 2>&1; then
-    if ! npm audit --audit-level=high; then
-      echo "[project-security] npm audit reported issues." >&2
-      return 1
-    fi
-    return 0
-  fi
-
-  return 0
-}
-
 echo "[project-security] running push gate..."
-run_security_check
-run_optional_supply_chain_check
+run_security_gates

package/catalog/skills/project-security/assets/run-security-check.shared.sh

@@ -25,3 +25,36 @@ run_security_check() {
   echo "[project-security] no security check command available." >&2
   return 1
 }
+
+run_dependency_security_check() {
+  if [ -f "pnpm-lock.yaml" ] && command -v pnpm >/dev/null 2>&1; then
+    if pnpm run -s security:deps >/dev/null 2>&1; then
+      pnpm run -s security:deps
+      return
+    fi
+  fi
+
+  if [ -f "yarn.lock" ] && command -v yarn >/dev/null 2>&1; then
+    if yarn -s security:deps >/dev/null 2>&1; then
+      yarn -s security:deps
+      return
+    fi
+  fi
+
+  if [ -f "package.json" ] && command -v npm >/dev/null 2>&1; then
+    if npm run --silent security:deps >/dev/null 2>&1; then
+      npm run --silent security:deps
+      return
+    fi
+  fi
+
+  if [ -f "scripts/dependency-security-check.mjs" ] && command -v node >/dev/null 2>&1; then
+    node scripts/dependency-security-check.mjs --strict
+    return
+  fi
+}
+
+run_security_gates() {
+  run_security_check
+  run_dependency_security_check
+}

package/catalog/skills/project-teacher/SKILL.md

@@ -1,3 +1,20 @@
+---
+description: "Scan the active project and teach any concept, code path, or decision using verified information, interactive questions, and simple explanations. Trigger: user asks to explain, understand, clarify, or learn about anything in the project or codebase."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-04"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Initial release of project-teacher skill; provides interactive, project-grounded teaching for any concept or code path; affects education and clarification workflows across all projects"
+  auto-invoke: "User needs to understand, explain, or learn about any aspect of the project or codebase"
+  allowed-tools:
+    - "Read"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "WebFetch"
+    - "WebSearch"
+---
 # Project Teacher Guide
 
 ## When to Use

package/catalog/skills/react-guidelines/SKILL.md

@@ -1,3 +1,24 @@
+---
+description: "Guide React code generation and review using latest stable React verification and modern framework best practices."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-04"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Added new react-guidelines skill with component and testing sub-agent routing; improves React-specific generation and review consistency with latest-stable preflight checks; affects portable catalog skill discovery and React workflow guidance"
+  auto-invoke: "Generating, reviewing, or refactoring React code artifacts in React projects"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "WebFetch"
+    - "WebSearch"
+    - "Task"
+    - "SubAgent"
+---
 # React Guidelines
 
 ## When to Use

package/catalog/skills/review-rangers/SKILL.md

@@ -1,3 +1,20 @@
+---
+description: "Review code, decisions, and artifacts through a multi-perspective committee and a domain expert safety guard, then synthesize a structured verdict."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-04"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Added multi-perspective review skill with committee + safety guard synthesis; enables adversarial evaluation without permanent agent files; affects catalog skill coverage for review and quality workflows"
+  auto-invoke: "Reviewing code, decisions, or artifacts where adversarial multi-perspective evaluation adds value"
+  allowed-tools:
+    - "Read"
+    - "Grep"
+    - "Glob"
+    - "Bash"
+    - "Task"
+    - "SubAgent"
+---
 # Review Rangers Guide
 
 ## When to Use

package/catalog/skills/skill-creator/SKILL.md

@@ -1,3 +1,24 @@
+---
+description: "Create and standardize AI skills with reusable structure, metadata rules, and templates."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-03-27"
+  license: "Apache-2.0"
+  version: "1.2.3"
+  changelog: "Metadata updated to ensure compliance with current standards; maintains skill integrity and version tracking; affects metadata section"
+  auto-invoke: "Creating a new skill"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "WebFetch"
+    - "WebSearch"
+    - "Task"
+    - "SubAgent"
+---
 # Skill Creator Guide
 
 ## When to Create a Skill
@@ -87,6 +108,17 @@ Generic skill needs {product-name} info?   -> Add references/ pointing to {produ
 | `skillMetadata.allowed-tools` | Yes | String list | All tools this skill can invoke (e.g., `Read`, `Edit`, `Write`, `SubAgent`) |
 | `skillMetadata.allowed-modes` | Optional | String list | Use only when skill has an `agents/` folder |
 
+### SKILL.md Frontmatter Mirroring
+
+Top-level `SKILL.md` files now include managed YAML frontmatter mirrored from `manifest.json`.
+
+Rules:
+
+- `manifest.json` is the single source of truth.
+- Mirror only `description` and `skillMetadata.{author,last-edit,license,version,changelog,auto-invoke,allowed-tools}`.
+- Do not manually edit mirrored frontmatter in `SKILL.md`; run sync automation instead.
+- Keep instruction body content in `SKILL.md` focused on workflow guidance.
+
 ---
 
 ## Metadata Standards
@@ -153,6 +185,7 @@ Do not:
 - Use web URLs in references.
 - Leave `changelog` empty or informal.
 - Use non-ISO date formats.
+- Manually drift `SKILL.md` frontmatter away from `manifest.json`.
 
 ---
 
@@ -167,6 +200,7 @@ Do not:
 - [ ] `changelog` uses structured format: `what; why; where`.
 - [ ] `allowed-modes` is present only when `agents/` exists.
 - [ ] `allowed-tools` matches actual tool usage.
+- [ ] `SKILL.md` frontmatter is synced from `manifest.json`.
 - [ ] Critical patterns are clear and concise.
 - [ ] Code examples are minimal and focused.
 - [ ] Commands section exists with copy-paste commands.

package/catalog/skills/skill-creator/assets/SKILL-TEMPLATE.md

@@ -1,5 +1,10 @@
 # {Name of the Skill} Guide
 
+<!--
+Managed frontmatter is mirrored from manifest.json by automation.
+Do not hand-author frontmatter in this template.
+-->
+
 ## When to Use
 
 Use this skill when:
@@ -74,3 +79,4 @@ Otherwise     -> {Default action}
 
 - Template assets: Place reusable templates, schemas, and examples in `assets/`.
 - Define metadata in `manifest.json` (`id`, `description`, `skillMetadata`, `allowed-tools`, optional `allowed-modes`).
+- Run skill frontmatter sync so top-level `SKILL.md` mirrors manifest metadata.

package/catalog/skills/spec-driven-development/SKILL.md

@@ -1,3 +1,22 @@
+---
+description: "Plan, execute, and verify multi-step work through versioned specs with small, testable tasks."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-03"
+  license: "Apache-2.0"
+  version: "1.0.3"
+  changelog: "Added OpenSpec complementary support routing guidance to spec-driven-development instructions; improves planning continuity and review clarity when local SDD needs reinforcement; affects spec-driven-development SKILL guidance and manifest metadata"
+  auto-invoke: "Planning or executing feature work, bug fixes, and multi-phase implementation"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "Task"
+    - "SubAgent"
+---
 # Spec-Driven Development Guide
 
 ## When to Use

package/catalog/skills/test-driven-development/SKILL.md

@@ -1,3 +1,20 @@
+---
+description: "Guide implementation using the RED → GREEN → REFACTOR TDD cycle: write a failing test first, write the minimum code to pass, then refactor while tests stay green."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-04"
+  license: "Apache-2.0"
+  version: "1.0.0"
+  changelog: "Initial TDD skill ported from legacy scannlab-sdd tdd-templates; enables RED→GREEN→REFACTOR workflow across any stack; affects catalog skill coverage for test-first development"
+  auto-invoke: "Implementing features, services, or components using test-driven development (TDD) or RED→GREEN→REFACTOR cycles"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+---
 # Test-Driven Development Guide
 
 ## When to Use

package/catalog/skills/token-optimizer/SKILL.md

@@ -1,3 +1,21 @@
+---
+description: "Classify task complexity and right-size reasoning depth, context gathering, and response detail to reduce wasted tokens."
+skillMetadata:
+  author: "skilly-hand"
+  last-edit: "2026-04-03"
+  license: "Apache-2.0"
+  version: "1.0.3"
+  changelog: "Migrated token-optimizer into portable catalog format with curated model-agnostic guidance; improves default reasoning and token-efficiency behavior across installs; affects skill discovery, auto-invoke routing, and install baseline"
+  auto-invoke: "Classifying task complexity and choosing reasoning depth/token budget"
+  allowed-tools:
+    - "Read"
+    - "Edit"
+    - "Write"
+    - "Glob"
+    - "Grep"
+    - "Bash"
+    - "Task"
+---
 # Token Optimizer Guide
 
 ## When to Use

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/skilly-hand",
-  "version": "0.17.0",
+  "version": "0.19.0",
   "license": "CC-BY-NC-4.0",
   "type": "module",
   "publishConfig": {
@@ -26,10 +26,11 @@
   "scripts": {
     "build": "node ./scripts/build-catalog-index.mjs",
     "catalog:check": "node ./scripts/check-catalog.mjs",
-    "catalog:sync": "node ./scripts/sync-catalog-readme.mjs",
+    "catalog:sync": "node ./scripts/sync-catalog.mjs",
     "agentic:self:sync": "node ./scripts/sync-self-agentic.mjs",
     "test": "node --test tests/*.test.js && node ./scripts/test-in-sandbox.mjs",
-    "security:check": "node ./scripts/security-check.mjs",
+    "security:deps": "node ./scripts/dependency-security-check.mjs --strict",
+    "security:check": "node ./scripts/security-check.mjs --strict-deps",
     "verify:packlist": "node ./scripts/verify-packlist.mjs",
     "verify:versions": "node ./scripts/verify-versions.mjs",
     "verify:publish": "npm run verify:versions && npm run security:check && npm run catalog:check && npm test && npm run verify:packlist",
@@ -46,6 +47,7 @@
     "doctor": "node ./packages/cli/src/bin.js doctor"
   },
   "dependencies": {
-    "@inquirer/prompts": "^7.10.1"
+    "ink": "^5.2.1",
+    "react": "^18.3.1"
   }
 }