@slamb2k/mad-skills 2.0.55 → 2.0.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/plugin.json +1 -1
- package/hooks/hooks.json +4 -1
- package/package.json +1 -1
- package/skills/build/SKILL.md +64 -0
- package/skills/dock/SKILL.md +25 -0
- package/skills/dock/references/hardening.md +104 -0
- package/skills/dock/references/pipeline-templates.md +139 -212
- package/skills/dock/tests/evals.json +10 -0
- package/skills/handover/SKILL.md +164 -0
- package/skills/handover/references/handover-template.md +89 -0
- package/skills/handover/scripts/handover.sh +71 -0
- package/skills/handover/tests/evals.json +35 -0
- package/skills/hoist/SKILL.md +89 -0
- package/skills/hoist/references/hardening.md +62 -0
- package/skills/hoist/references/interview-guide.md +28 -0
- package/skills/hoist/references/release-templates.md +136 -0
- package/skills/hoist/references/setup-guides.md +30 -0
- package/skills/hoist/tests/evals.json +36 -0
- package/skills/manifest.json +24 -4
package/hooks/hooks.json
CHANGED
|
@@ -2,7 +2,10 @@
|
|
|
2
2
|
"hooks": {
|
|
3
3
|
"SessionStart": [{
|
|
4
4
|
"matcher": "startup|clear|compact",
|
|
5
|
-
"hooks": [
|
|
5
|
+
"hooks": [
|
|
6
|
+
{ "type": "command", "command": "_R=\"${CLAUDE_PLUGIN_ROOT}\"; [ -z \"$_R\" ] && _R=\"$HOME/.claude/plugins/marketplaces/slamb2k\"; node \"$_R/hooks/session-guard.cjs\" check", "timeout": 30 },
|
|
7
|
+
{ "type": "command", "command": "_R=\"${CLAUDE_PLUGIN_ROOT}\"; [ -z \"$_R\" ] && _R=\"$HOME/.claude/plugins/marketplaces/slamb2k\"; bash \"$_R/skills/handover/scripts/handover.sh\" load", "timeout": 10 }
|
|
8
|
+
]
|
|
6
9
|
}],
|
|
7
10
|
"UserPromptSubmit": [{
|
|
8
11
|
"hooks": [{ "type": "command", "command": "_R=\"${CLAUDE_PLUGIN_ROOT}\"; [ -z \"$_R\" ] && _R=\"$HOME/.claude/plugins/marketplaces/slamb2k\"; node \"$_R/hooks/session-guard.cjs\" remind", "timeout": 10 }]
|
package/package.json
CHANGED
package/skills/build/SKILL.md
CHANGED
|
@@ -76,6 +76,8 @@ Parse optional flags from the request:
|
|
|
76
76
|
- `--no-ship`: Stop after Stage 8 docs update
|
|
77
77
|
- `--parallel-impl`: Split implementation into parallel agents when independent
|
|
78
78
|
- `--no-superpowers`: Force the standalone pipeline even when Superpowers is installed
|
|
79
|
+
- `--handoff`: Skip the execution-mode question and hand off to a clean session
|
|
80
|
+
- `--no-handoff`: Skip the execution-mode question and run here now
|
|
79
81
|
|
|
80
82
|
---
|
|
81
83
|
|
|
@@ -91,6 +93,7 @@ Before starting, check all dependencies in this table:
|
|
|
91
93
|
| feature-dev:code-architect | agent | — | no | fallback | Uses general-purpose agent |
|
|
92
94
|
| feature-dev:code-reviewer | agent | — | no | fallback | Uses general-purpose agent |
|
|
93
95
|
| superpowers | plugin | on-disk glob via scripts/lib/superpowers.js | no | fallback | Routes Stage 4 impl core to superpowers:executing-plans / subagent-driven-development when present; see references/superpowers-deferral.md |
|
|
96
|
+
| handover | skill | `ls .claude/skills/handover/SKILL.md ~/.claude/skills/handover/SKILL.md ~/.claude/plugins/marketplaces/slamb2k/skills/handover/SKILL.md 2>/dev/null` | no | fallback | Powers the "hand off to a clean session" execution mode; ships with mad-skills, so normally present |
|
|
94
97
|
|
|
95
98
|
For each row, in order:
|
|
96
99
|
1. Run the Check command (for cli/npm) or test file existence (for agent/skill)
|
|
@@ -193,6 +196,67 @@ Before starting Stage 1, verify the working tree is suitable for building:
|
|
|
193
196
|
|
|
194
197
|
---
|
|
195
198
|
|
|
199
|
+
## Execution Mode
|
|
200
|
+
|
|
201
|
+
`/build` runs every heavy stage in subagents, so the primary conversation stays
|
|
202
|
+
compact *during* the build. The one thing subagents can't fix is a context
|
|
203
|
+
window that's **already** large when you invoke `/build` — the orchestrator
|
|
204
|
+
(this thread) still reads reports and runs the review/ship loop on top of
|
|
205
|
+
whatever came before. For that, a clean start beats a clean middle.
|
|
206
|
+
|
|
207
|
+
So there is exactly one execution-mode decision, and subagents are always on
|
|
208
|
+
underneath either choice:
|
|
209
|
+
|
|
210
|
+
- **Run here now** — orchestrate the build in this session, stages in subagents.
|
|
211
|
+
- **Hand off to a clean session** — write a handover, arm the resume signal, and
|
|
212
|
+
let a fresh session run the *same* `/build` with its own subagents.
|
|
213
|
+
|
|
214
|
+
These are mutually exclusive — one stops here, one continues here. Do **not**
|
|
215
|
+
offer a "clear? yes/no" toggle on top of run-now; the handover mode *replaces*
|
|
216
|
+
the run-now decision.
|
|
217
|
+
|
|
218
|
+
**Resolve the mode:**
|
|
219
|
+
|
|
220
|
+
1. If `--no-handoff` → run here now. Skip to Stage 1.
|
|
221
|
+
2. If `--handoff` → hand off (only if the handover skill exists; else warn it's
|
|
222
|
+
unavailable and run here now).
|
|
223
|
+
3. If the handover skill is **not** installed (pre-flight) → run here now
|
|
224
|
+
silently. No question.
|
|
225
|
+
4. Otherwise, decide whether to *offer* the hand-off at all. Only offer it when a
|
|
226
|
+
clean start would actually help **and** the plan can survive the reset:
|
|
227
|
+
- **Context already large** — this session has had substantial prior work
|
|
228
|
+
before `/build` (long conversation, many file reads, a prior task), so the
|
|
229
|
+
orchestrator would start bloated. A fresh `/build` invocation in an empty
|
|
230
|
+
session does not need this — just run here now.
|
|
231
|
+
- **Plan is self-contained** — PLAN is a spec file or a complete written plan
|
|
232
|
+
that a handover doc can capture losslessly. If the plan leans on nuance from
|
|
233
|
+
*this* conversation (decisions made live, things looked at together), a
|
|
234
|
+
handover is lossy — prefer run-here-now so that context isn't thrown away.
|
|
235
|
+
|
|
236
|
+
If **both** hold, ask via `AskUserQuestion`:
|
|
237
|
+
```
|
|
238
|
+
"This session already carries significant context. Hand this build off to a
|
|
239
|
+
clean session, or run it here now?"
|
|
240
|
+
```
|
|
241
|
+
Options:
|
|
242
|
+
- **"Run here now (Recommended)"** — orchestrate in this session (subagents underneath).
|
|
243
|
+
- **"Hand off to a clean session"** — reset context, resume the build fresh.
|
|
244
|
+
|
|
245
|
+
If either condition fails, don't ask — run here now.
|
|
246
|
+
|
|
247
|
+
**If handing off:** capture the resolved PLAN and any Stage-2 clarifications
|
|
248
|
+
gathered so far, then invoke the `handover` skill. The handover document's
|
|
249
|
+
"next steps" MUST be a single resume action: re-run this exact build in the
|
|
250
|
+
fresh session, e.g. `/build {original PLAN argument}` (plus any active flags,
|
|
251
|
+
minus `--handoff`). Include the resolved plan content and PROJECT_CONFIG so the
|
|
252
|
+
fresh session doesn't re-derive them. The handover skill arms the one-shot
|
|
253
|
+
signal and tells the user to `/clear`. **Stop here** — do not run Stage 1; the
|
|
254
|
+
fresh session does.
|
|
255
|
+
|
|
256
|
+
**If running here now:** continue to Stage 1 unchanged.
|
|
257
|
+
|
|
258
|
+
---
|
|
259
|
+
|
|
196
260
|
## Stage 1: Explore
|
|
197
261
|
|
|
198
262
|
Launch **feature-dev:code-explorer** (fallback: general-purpose):
|
package/skills/dock/SKILL.md
CHANGED
|
@@ -280,6 +280,14 @@ with development overrides (volume mounts, hot reload, debug ports).
|
|
|
280
280
|
Detect CI system from Phase 1 (GitHub Actions / Azure Pipelines / GitLab CI).
|
|
281
281
|
Read the appropriate template from `references/pipeline-templates.md`.
|
|
282
282
|
|
|
283
|
+
For GitHub Actions and Azure Pipelines, the templates are **hardened by default**
|
|
284
|
+
— read `references/hardening.md` for the OIDC auth, keyless cosign signing,
|
|
285
|
+
idempotency guards, and digest-pinned promotion these templates implement. The
|
|
286
|
+
generated workflow MUST include `id-token: write`, `provenance: true`, a cosign
|
|
287
|
+
`sign` in the build job and `verify` in every promotion job, an existence guard
|
|
288
|
+
before build, and deploy steps that reference the image by `@sha256:` digest.
|
|
289
|
+
(GitLab CI remains credential-based.)
|
|
290
|
+
|
|
283
291
|
Generate a workflow that implements:
|
|
284
292
|
|
|
285
293
|
**On pull request:**
|
|
@@ -349,6 +357,14 @@ If the detected framework doesn't already have a health endpoint, add a comment
|
|
|
349
357
|
in the generated workflow noting that a `/healthz` or `/health` endpoint is
|
|
350
358
|
recommended for deployment readiness probes.
|
|
351
359
|
|
|
360
|
+
### 3.7 — Deployment Setup Guide (deploy/SETUP.md)
|
|
361
|
+
|
|
362
|
+
Because the pipelines are secure by default, first-run requires one-time
|
|
363
|
+
cloud-side trust. Generate `deploy/SETUP.md` from the **Generated deploy/SETUP.md**
|
|
364
|
+
section of `references/hardening.md`, substituting the target repo (`OWNER/REPO`),
|
|
365
|
+
chosen registry, and cloud identifiers. This file lists the federated-credential
|
|
366
|
+
/ IAM-trust steps and the cosign verification command.
|
|
367
|
+
|
|
352
368
|
---
|
|
353
369
|
|
|
354
370
|
## Phase 4: Verify
|
|
@@ -366,6 +382,10 @@ Also validate generated workflow files:
|
|
|
366
382
|
- GitHub Actions: check YAML syntax
|
|
367
383
|
- Azure Pipelines: check YAML syntax
|
|
368
384
|
- GitLab CI: check YAML syntax
|
|
385
|
+
- For the GitHub workflow, confirm it sets `id-token: write`; for Azure Pipelines,
|
|
386
|
+
confirm it authenticates via a Workload Identity Federation service connection
|
|
387
|
+
(`azureSubscription`). Both must contain a cosign `sign`+`verify` pair and
|
|
388
|
+
reference deploy images by `@sha256:` digest. Flag any absence as a generation error.
|
|
369
389
|
|
|
370
390
|
Present the user with a summary of all generated files before writing.
|
|
371
391
|
|
|
@@ -396,6 +416,11 @@ After all files are generated and verified, present:
|
|
|
396
416
|
│ Merge → build + test → push → deploy dev → smoke
|
|
397
417
|
│ Tag → retag (no rebuild) → staging → e2e → prod
|
|
398
418
|
│
|
|
419
|
+
│ 🔐 Required cloud setup
|
|
420
|
+
│ • Configure federated identity (see deploy/SETUP.md)
|
|
421
|
+
│ • {registry-specific: IAM role / ACR federated cred / GCP WIP}
|
|
422
|
+
│ • First run fails until trust is configured — this is expected
|
|
423
|
+
│
|
|
399
424
|
│ 🔗 Links
|
|
400
425
|
│ Dockerfile: {path}
|
|
401
426
|
│ Workflow: {path}
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
# Pipeline Hardening Reference
|
|
2
|
+
|
|
3
|
+
How `/dock` hardens the pipelines it generates. These patterns mirror
|
|
4
|
+
mad-skills' own release workflow, translated from npm publishing to OCI
|
|
5
|
+
containers. Hardened is the only mode for GitHub Actions and Azure Pipelines.
|
|
6
|
+
|
|
7
|
+
## OIDC Registry Auth
|
|
8
|
+
|
|
9
|
+
Never store long-lived cloud registry credentials in CI. Authenticate with the
|
|
10
|
+
CI provider's OIDC identity, federated to a cloud role/identity.
|
|
11
|
+
|
|
12
|
+
- **GHCR** — keep the ephemeral `GITHUB_TOKEN` (already short-lived, OIDC-backed).
|
|
13
|
+
Requires `permissions: packages: write`.
|
|
14
|
+
- **AWS ECR** — `aws-actions/configure-aws-credentials@v4` with `role-to-assume`
|
|
15
|
+
(an IAM role trusting the GitHub OIDC provider). No access keys.
|
|
16
|
+
- **Azure ACR** — `azure/login@v2` with Workload Identity Federation
|
|
17
|
+
(`client-id` + `tenant-id` + `subscription-id`, federated credential scoped to
|
|
18
|
+
the repo). No client secret. Then `az acr login`.
|
|
19
|
+
- **Google Artifact Registry** — `google-github-actions/auth@v2` with a Workload
|
|
20
|
+
Identity Provider + service account. No SA key JSON.
|
|
21
|
+
|
|
22
|
+
All jobs that need OIDC set `permissions: id-token: write` (plus
|
|
23
|
+
`contents: read`). Azure Pipelines uses a **Workload Identity Federation service
|
|
24
|
+
connection** (`azureSubscription:`) instead of a stored password.
|
|
25
|
+
|
|
26
|
+
## Signing & Provenance
|
|
27
|
+
|
|
28
|
+
- Build with `provenance: true` and `sbom: true` (buildx emits SLSA provenance +
|
|
29
|
+
SBOM attestations attached to the image).
|
|
30
|
+
- Sign the image **by digest** with keyless cosign (Fulcio certificate + Rekor
|
|
31
|
+
transparency log, authorized by the `id-token: write` OIDC token — no signing
|
|
32
|
+
key in secrets).
|
|
33
|
+
- Every promotion job runs `cosign verify` against the digest, asserting the
|
|
34
|
+
certificate identity matches the workflow's OIDC issuer and
|
|
35
|
+
`repo:OWNER/REPO`. Verification failure blocks promotion.
|
|
36
|
+
|
|
37
|
+
> **Private-infra note:** keyless cosign writes to the public Rekor log. Orgs
|
|
38
|
+
> that cannot use public transparency infra can switch to a key pair
|
|
39
|
+
> (`cosign generate-key-pair`, private key in a CI secret,
|
|
40
|
+
> `cosign sign --key`). This is a documented fallback — dock does not generate it.
|
|
41
|
+
|
|
42
|
+
## Idempotency Guards
|
|
43
|
+
|
|
44
|
+
- Before build, guard with `crane manifest <ref>` (fallback:
|
|
45
|
+
`docker manifest inspect`). If the artifact already exists, skip build+push and
|
|
46
|
+
reuse the existing digest — the container analog of mad-skills' `npm view`
|
|
47
|
+
publish-guard.
|
|
48
|
+
- Promote/retag steps are check-then-act and tolerate an already-promoted digest
|
|
49
|
+
("recovery mode") so a re-run exits cleanly instead of failing.
|
|
50
|
+
- A `concurrency:` group keyed on workflow + ref (`cancel-in-progress`) prevents
|
|
51
|
+
overlapping release runs from racing.
|
|
52
|
+
|
|
53
|
+
## Digest-Pinned Promotion
|
|
54
|
+
|
|
55
|
+
- The build job outputs `IMAGE@sha256:<digest>` as a job output.
|
|
56
|
+
- Dev, staging, and prod deploy by that **digest**, never a mutable tag. Tags
|
|
57
|
+
like `latest` / `vX.Y.Z` may be attached for humans, but deploys resolve the
|
|
58
|
+
digest.
|
|
59
|
+
- `deploy/environments.yml` records the deployed digest so the matrix captures
|
|
60
|
+
exactly what shipped.
|
|
61
|
+
|
|
62
|
+
## Generated deploy/SETUP.md
|
|
63
|
+
|
|
64
|
+
`/dock` writes `deploy/SETUP.md` into the target repo, tailored to the chosen
|
|
65
|
+
registry. Template body (substitute `OWNER/REPO`, registry, cloud identifiers):
|
|
66
|
+
|
|
67
|
+
```markdown
|
|
68
|
+
# Deployment Setup — Required Before First Run
|
|
69
|
+
|
|
70
|
+
This pipeline uses keyless OIDC and image signing. Complete the cloud-side
|
|
71
|
+
trust below once; no long-lived credentials are stored in CI.
|
|
72
|
+
|
|
73
|
+
## 1. Federated identity (pick your registry)
|
|
74
|
+
|
|
75
|
+
### AWS ECR
|
|
76
|
+
- Create an IAM role trusting the GitHub OIDC provider
|
|
77
|
+
(`token.actions.githubusercontent.com`), condition
|
|
78
|
+
`token.actions.githubusercontent.com:sub = repo:OWNER/REPO:ref:refs/heads/main`
|
|
79
|
+
(add tag refs for releases).
|
|
80
|
+
- Attach a policy allowing `ecr:*` push to your repository.
|
|
81
|
+
- Put the role ARN in the workflow `role-to-assume`.
|
|
82
|
+
|
|
83
|
+
### Azure ACR
|
|
84
|
+
- Register an app / user-assigned managed identity.
|
|
85
|
+
- Add a **federated credential** scoped to `repo:OWNER/REPO` (branch `main` and
|
|
86
|
+
tag refs), subject `repo:OWNER/REPO:ref:refs/heads/main`.
|
|
87
|
+
- Grant it `AcrPush` on the registry.
|
|
88
|
+
- Set `client-id` / `tenant-id` / `subscription-id` in the workflow.
|
|
89
|
+
|
|
90
|
+
### Google Artifact Registry
|
|
91
|
+
- Create a Workload Identity Pool + provider for GitHub.
|
|
92
|
+
- Bind a service account with `artifactregistry.writer`, allowing
|
|
93
|
+
`principalSet://…/attribute.repository/OWNER/REPO`.
|
|
94
|
+
- Set `workload_identity_provider` + `service_account` in the workflow.
|
|
95
|
+
|
|
96
|
+
## 2. Signing
|
|
97
|
+
|
|
98
|
+
Keyless cosign needs no setup — it uses the workflow OIDC token and the public
|
|
99
|
+
Rekor log. To verify locally:
|
|
100
|
+
`cosign verify --certificate-identity-regexp 'https://github.com/OWNER/REPO/.*' --certificate-oidc-issuer https://token.actions.githubusercontent.com REGISTRY/IMAGE@sha256:...`
|
|
101
|
+
|
|
102
|
+
If public transparency logging is not allowed, switch to a key pair (see the
|
|
103
|
+
Signing & Provenance note in the dock hardening reference).
|
|
104
|
+
```
|