@tsfpp/agents 1.4.0 → 1.5.0

package/CHANGELOG.md

@@ -10,6 +10,21 @@ Versioning follows [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+## [1.5.0] - 2026-05-18
+
+### Added
+
+- Added `copilot/skills/config-standard/SKILL.md`.
+- Added `copilot/skills/log-standard/SKILL.md`.
+
+### Changed
+
+- Updated `README.md` with latest guidance updates.
+- Updated `copilot/agents/tsfpp-audit.agent.md` with expanded checks and release hygiene.
+- Updated `copilot/agents/tsfpp-guarded-coding.agent.md` with guarded workflow refinements.
+- Updated `copilot/instructions/tsfpp-base.instructions.md` with aligned base-level standards guidance.
+- Updated `init.mjs` to include installer wiring for newly added skills and updates.
+
 ## [1.4.0] - 2026-05-18
 
 ### Added

package/README.md

@@ -256,6 +256,8 @@ Skills are loaded automatically by Copilot based on semantic match with what is
 | `react-coding-standard` | Writing React components, hooks, forms, or stores |
 | `test-standard` | Writing or reviewing test files; discussing coverage or test structure |
 | `annotation-standard` | Writing or reviewing any comment, JSDoc block, module header, code marker, or DEVIATION; discussing what to annotate and why |
+| `log-standard` | Writing or reviewing logging code, Logger port implementations, `withRequestLog` usage, or `tap`/`tapErr` side effects |
+| `config-standard` | Writing or reviewing config loaders, `loadConfig` usage, `Config` types, `.env.example`, or `process.env` access |
 
 Skills are distilled from the full standard documents — concise enough to fit in the model's context without crowding out code.
 

package/copilot/agents/tsfpp-audit.agent.md

@@ -1,7 +1,7 @@
 ---
 description: TSF++ standards compliance auditor. Produces a structured markdown report in docs/audits/ with per-slice checkboxes.
 name: tsfpp-audit
-argument-hint: "target=<path|package|layer> focus=<all|types|boundary|complexity|loc|annotations|security|react|data|prelude|test>"
+argument-hint: "target=<path|package|layer> focus=<all|types|boundary|complexity|loc|annotations|security|react|data|prelude|test|log|config>"
 tools:
   - edit/createFile
   - edit/editFiles
@@ -44,7 +44,7 @@ If `target` and `focus` are present in the message (e.g. `target=src/ focus=test
 If and only if either is missing and cannot be inferred, ask once:
 
 > **Target** — path, package name, or layer to audit (e.g. `src/domain`, `@tsfpp/prelude`, `api layer`)?
-> **Focus** — `all` · `types` · `boundary` · `complexity` · `loc` · `annotations` · `security` · `react` · `data` · `prelude` · `test` · or comma-separated combination?
+> **Focus** — `all` · `types` · `boundary` · `complexity` · `loc` · `annotations` · `security` · `react` · `data` · `prelude` · `test` · `log` · `config` · or comma-separated combination?
 
 ---
 
@@ -160,12 +160,26 @@ Append each completed slice to the report:
 - [ ] 6.3 — No `null`/`undefined` propagation; use `Option<A>`
 - [ ] 6.6 — `Promise.allSettled` over `Promise.all` when partial failure is meaningful
 
-**Annotations (§7)**
-- [ ] 7.x — JSDoc on every exported symbol (`@param`, `@returns`; `@law` on combinators)
+**Annotations (§7 + ANNOTATION_CODING_STANDARD — cross-cutting, always checked)**
+- [ ] Module-level JSDoc block present on all files with public exports
+- [ ] Every exported symbol has a JSDoc block
+- [ ] `@param` describes domain constraint (not the type); `@returns` describes meaning (not the type)
+- [ ] `@law` present on all combinators with algebraic properties
+- [ ] `@example` present on smart constructors and non-obvious combinators
+- [ ] No comments that paraphrase the code; no commented-out code
+- [ ] Code markers follow `// MARKER(author, YYYY-MM-DD[, TICKET]): description` format
+- [ ] Every `eslint-disable` paired with a `// DEVIATION(N.M): <reason>` comment
+- [ ] For full annotation audit: use `focus=annotations`
+
+**Security (SECURITY_CODING_STANDARD — cross-cutting, always checked)**
+- [ ] No secrets, credentials, or tokens in source code or committed config
+- [ ] No sensitive data (PII, credentials, tokens) in error messages or log output
+- [ ] No `eval`, `Function()`, or dynamic `import()` with user-controlled input
+- [ ] User input not reflected in error responses without sanitisation
+- [ ] For full security audit: use `focus=security`
 
-**Boundary and imports (§8–§9)**
-- [ ] 8.4 — Parse, don't validate: `unknown` converted to domain types at the boundary
-- [ ] 9.x — No `import from 'ramda'`; use `@tsfpp/prelude`
+**Boundary and parse (§8)**
+- [ ] 8.4 — Parse, don't validate: `unknown` converted to domain types at the boundary via smart constructors or Zod
 
 **Size limits (§11)**
 - [ ] 11.1 — One type / one responsibility per file
@@ -345,7 +359,6 @@ Cross-cutting — applies to all layers. Check for hand-rolled patterns that `@t
 | `.map()` on a fallible function | MUST | `traverseArray` |
 | `new Map()` | MUST | `intoMap([...])` |
 | `new Set()` | MUST | `intoSet([...])` |
-| `import ... from 'ramda'` | MUST | `@tsfpp/prelude` |
 | `result._tag === 'Ok'` | MUST | `isOk(result)` |
 | `option._tag === 'Some'` | MUST | `isSome(option)` |
 | `Result<void, E>` | MUST | `Result<Unit, E>` with `ok(unit)` |
@@ -360,7 +373,6 @@ Checklist:
 - [ ] No `try/catch` outside adapter boundaries — use `tryCatch`/`tryCatchAsync`
 - [ ] No `.map()` on fallible function — use `traverseArray`
 - [ ] No `new Map()` / `new Set()` — use `intoMap` / `intoSet`
-- [ ] No `import from 'ramda'`
 - [ ] Prelude ADTs accessed via exported guards (`isOk`, `isSome`), never `._tag` directly
 - [ ] No `Result<void, E>` — use `Result<Unit, E>`
 - [ ] Side effects in pipelines via `tap` / `tapErr`
@@ -412,8 +424,60 @@ Checklist:
 - [ ] 4.4 DAL — insert+read round-trip tested; not-found returns `None`
 - [ ] 4.5 React — loading state, error state, and user interactions all covered
 
+### `log`
+Full reference: `node_modules/@tsfpp/standard/spec/LOG_CODING_STANDARD.md`
+
+Cross-cutting — apply to every file regardless of other focus selections.
+
+- [ ] No `console.*` calls outside `main.ts` / `server.ts`
+- [ ] `Logger` port imported from `@tsfpp/prelude`; never a concrete library
+- [ ] `Logger` injected as a dependency; never imported as a singleton
+- [ ] All `message` fields use dot-separated event-name format (`user.created`, not `"User was created"`)
+- [ ] Every request-scoped log entry includes `traceId`
+- [ ] Every `error`-level entry includes `code`
+- [ ] `cause` logged before `apiErrorToResponse` on `dependency` / `internal` errors
+- [ ] No PII in any log field at any level
+- [ ] No credentials, tokens, or secrets in any log field
+- [ ] No full request or response bodies logged at `info` or above
+- [ ] No stack traces in production log output (`err.message` not `err.stack`)
+- [ ] `withRequestLog` used for HTTP request logging; no manual request logging in handlers
+- [ ] `routeTemplate` is parameterised, not the resolved URL
+- [ ] Pipelines use `tap` / `tapErr` for logging; pipeline not broken for a log call
+- [ ] Tests receive `silentLogger`, not the production logger
+- [ ] Production logger emits newline-delimited JSON
+- [ ] Log level configurable via environment variable
+
+### `config`
+Full reference: `node_modules/@tsfpp/standard/spec/CONFIG_CODING_STANDARD.md`
+
+Cross-cutting — apply to entry points, config loaders, and any module that accesses configuration.
+
+- [ ] No `process.env` access outside the config loader
+- [ ] No config singleton imported by application modules
+- [ ] `loadConfig` from `@tsfpp/boundary` used in the loader
+- [ ] Loader returns `Result<Config, ConfigError>`; never throws
+- [ ] All type coercion (`string → number`, `string → boolean`) in Zod schema, not application code
+- [ ] All validation failures reported together (Zod `safeParse`, not sequential)
+- [ ] Required secrets validated for minimum length (`z.string().min(32)`)
+- [ ] `.env.example` committed; `.env` in `.gitignore`
+- [ ] Every variable in `.env.example` has an explanatory comment
+- [ ] No config values or `process.env` logged at any level
+- [ ] Tests pass plain records to the loader; never mutate `process.env`
+- [ ] Config factory in `tests/helpers/` for use-case and integration tests
+- [ ] Loader tests cover: valid, each missing required var, invalid type
+- [ ] React: `clientConfig` validated at module load; no secrets in client config
+
 ### `all`
-All focus areas above in sequence. For `.tsx` files, include `react` automatically. For files in `infrastructure/`, `dal/`, or `repository/` paths, include `data` automatically. For `*.test.ts` and `*.test.tsx` files, include `test` automatically. Include `prelude` for all files.
+All focus areas in sequence.
+
+**Always active (cross-cutting — every file, every focus):**
+`annotations`, `security`, `log`, and `config` are applied to every slice regardless of focus selection or file type.
+
+**Auto-detected by file type / path:**
+- `.tsx` files → include `react`
+- `infrastructure/`, `dal/`, `repository/` paths → include `data`
+- `*.test.ts` / `*.test.tsx` files → include `test`
+- All files → include `prelude`
 
 ---
 
@@ -431,11 +495,17 @@ Example: `docs/audits/src-domain-prelude-20260517-1430.md` or `docs/audits/src-a
 **Step 3 — Inspect slice by slice**
 For each slice:
 1. Read the file(s).
-2. Check every rule in the active focus set.
-3. Record all findings (rule · line · severity · description).
-4. Fill in the checklist.
-5. Append the completed slice section to the report.
-6. Update the slice status in the index table.
+2. Determine which checklists apply:
+   - **Always:** base checklist including the `annotations` and `security` sections — every slice, every focus
+   - React checklist for `.tsx` files under `react` or `all` focus
+   - Data checklist for files in `infrastructure/`, `dal/`, `repository/` under `data` or `all` focus
+   - Test checklist for `*.test.ts` / `*.test.tsx` under `test` or `all` focus
+   - Prelude checklist for all files under `prelude` or `all` focus
+3. Check every rule in the active focus set.
+4. Record all findings (rule · line · severity · description).
+5. Fill in the checklist.
+6. Append the completed slice section to the report.
+7. Update the slice status in the index table.
 
 **Step 4 — Summarise**
 After all slices: fill in the Summary table · set Status to ✅ Complete or ⚠️ Violations found · list the top 3 highest-priority issues.

package/copilot/agents/tsfpp-guarded-coding.agent.md

@@ -152,6 +152,9 @@ Do not hand-roll what the prelude already provides.
 | Key/value lookup | `intoMap`, `lookup`, `assoc`, `dissoc` |
 | Set membership | `intoSet`, `conj`, `disj`, `member` |
 | Exhaustive match | `absurd` |
+| Application logging | `Logger` port — `import { type Logger } from '@tsfpp/prelude'`; inject as dependency; never `console.*` |
+| Config access | Receive `Config` as a dependency; never read `process.env` directly |
+| Config loading (entry point only) | `loadConfig` — `import { loadConfig } from '@tsfpp/boundary'` |
 
 If you are about to write a `try/catch`, a `null` check, an `if (x === undefined)`,
 a `x ?? fallback`, or a `.map()` that can fail — stop and use the prelude equivalent instead.

package/copilot/instructions/tsfpp-base.instructions.md

@@ -24,6 +24,8 @@ Full standard: `node_modules/@tsfpp/standard/spec/CODING_STANDARD.md`
 - `new Map()` `new Set()` — use `intoMap` / `intoSet` from `@tsfpp/prelude`
 - `if (x === null)` `if (x !== null)` `if (x === undefined)` `if (x !== undefined)` `if (!x)` `x ?? y` — any nullability check in any form; use `fromNullable` → `Option<T>`, then `isSome` / `isNone` / `getOrElse`
 - `try/catch` in core — use `tryCatch` / `tryCatchAsync` from `@tsfpp/prelude`
+- `console.log` `console.error` `console.warn` `console.info` — anywhere except `main.ts` / `server.ts` startup; use the injected `Logger` port from `@tsfpp/prelude`
+- `process.env` outside the config loader — use the typed `Config` record injected as a dependency
 
 ## Always
 
@@ -85,6 +87,9 @@ const head = <A>(xs: ReadonlyArray<A>): Option<A> =>
 
 All ADT constructors, combinators, and utilities come from `@tsfpp/prelude`. Never import from `ramda` directly.
 
+Logger port: `import { type Logger, type LogEntry } from '@tsfpp/prelude'`
+Config loader: `import { loadConfig, type ConfigError } from '@tsfpp/boundary'`
+
 ## Markers
 
 ```ts

package/copilot/skills/config-standard/SKILL.md

@@ -0,0 +1,205 @@
+---
+name: config-standard
+description: >
+  Normative TSF++ configuration management rules. Load when writing or reviewing
+  any code that loads environment variables, defines a Config type, calls
+  loadConfig, accesses process.env, implements a config loader, or writes
+  .env.example: loadConfig from @tsfpp/boundary, Config as typed readonly record,
+  Zod validation at the startup boundary, injection pattern, test factories.
+---
+
+# TSF++ config standard
+
+Full standard: `node_modules/@tsfpp/standard/spec/CONFIG_CODING_STANDARD.md`
+
+---
+
+## The pattern in one picture
+
+```
+process.env (string | undefined)
+    ↓
+loadConfig(schema, env)   ← @tsfpp/boundary — validates all vars at once
+    ↓
+Result<Config, ConfigError>
+    ↓ exit on Err at startup
+Config (typed readonly record)
+    ↓ injected into every module that needs it
+```
+
+`process.env` is only touched at the entry point. Everything downstream receives a typed `Config`.
+
+---
+
+## Imports
+
+```ts
+// In the config loader
+import { loadConfig, type ConfigError } from '@tsfpp/boundary'
+import { isErr, ok, type Result }       from '@tsfpp/prelude'
+
+// In application modules — inject Config as a dependency, never import process.env
+import { type Config } from '../shared/config'
+```
+
+---
+
+## Config type — project-defined, not from a package
+
+```ts
+// src/shared/config.ts
+export type Config = {
+  readonly server: {
+    readonly port:     number
+    readonly host:     string
+    readonly logLevel: 'debug' | 'info' | 'warn' | 'error'
+  }
+  readonly database: {
+    readonly url:            string
+    readonly poolMin:        number
+    readonly poolMax:        number
+    readonly queryTimeoutMs: number
+  }
+  readonly auth: {
+    readonly jwtSecret:       string
+    readonly tokenTtlSeconds: number
+  }
+  readonly features: {
+    readonly maintenanceMode: boolean
+  }
+}
+```
+
+All fields are required. Optional config uses `Option<T>`, not `T | undefined`.
+
+---
+
+## Config loader
+
+```ts
+// src/infrastructure/config-loader.ts
+import { z } from 'zod'
+import { loadConfig, type ConfigError } from '@tsfpp/boundary'
+import { isErr, ok, type Result }       from '@tsfpp/prelude'
+import { type Config }                  from '../shared/config'
+
+const schema = z.object({
+  PORT:                z.coerce.number().int().min(1).max(65535).default(3000),
+  HOST:                z.string().default('0.0.0.0'),
+  LOG_LEVEL:           z.enum(['debug', 'info', 'warn', 'error']).default('info'),
+  DATABASE_URL:        z.string().url(),
+  DATABASE_POOL_MIN:   z.coerce.number().int().min(1).default(2),
+  DATABASE_POOL_MAX:   z.coerce.number().int().min(1).default(10),
+  DATABASE_TIMEOUT_MS: z.coerce.number().int().min(100).default(5000),
+  JWT_SECRET:          z.string().min(32),
+  TOKEN_TTL_SECONDS:   z.coerce.number().int().min(60).default(3600),
+  MAINTENANCE_MODE:    z.coerce.boolean().default(false),
+})
+
+export const parseConfig = (
+  env: Record<string, string | undefined>
+): Result<Config, ConfigError> => {
+  const raw = loadConfig(schema, env)
+  if (isErr(raw)) return raw
+
+  const e = raw.value
+  return ok({
+    server:   { port: e.PORT, host: e.HOST, logLevel: e.LOG_LEVEL },
+    database: { url: e.DATABASE_URL, poolMin: e.DATABASE_POOL_MIN,
+                poolMax: e.DATABASE_POOL_MAX, queryTimeoutMs: e.DATABASE_TIMEOUT_MS },
+    auth:     { jwtSecret: e.JWT_SECRET, tokenTtlSeconds: e.TOKEN_TTL_SECONDS },
+    features: { maintenanceMode: e.MAINTENANCE_MODE },
+  })
+}
+```
+
+---
+
+## Entry point — fail at startup
+
+```ts
+// src/main.ts
+import { parseConfig } from './infrastructure/config-loader'
+
+const configResult = parseConfig(process.env)
+if (isErr(configResult)) {
+  console.error(configResult.error.summary)
+  process.exit(1)
+}
+const config = configResult.value
+// wire up the application with config
+```
+
+---
+
+## Injection — never import process.env in modules
+
+```ts
+// Good — Config injected as part of Deps
+type Deps = {
+  readonly db:     Database
+  readonly logger: Logger
+  readonly config: Pick<Config, 'auth'>
+}
+
+// Bad — reads process.env inside a module
+const ttl = parseInt(process.env.TOKEN_TTL_SECONDS ?? '3600', 10)
+
+// Bad — imports a config singleton
+import { config } from '../config'
+```
+
+Use `Pick<Config, 'auth'>` to declare precisely which slice of config a module needs.
+
+---
+
+## Zod schema conventions
+
+```ts
+// Required — no default; missing = startup failure
+DATABASE_URL: z.string().url()
+JWT_SECRET:   z.string().min(32)   // enforce minimum entropy for secrets
+
+// Optional with sensible default
+PORT:         z.coerce.number().int().default(3000)
+LOG_LEVEL:    z.enum(['debug', 'info', 'warn', 'error']).default('info')
+
+// Boolean — coerce from 'true' / 'false' string
+MAINTENANCE_MODE: z.coerce.boolean().default(false)
+```
+
+All coercion (`string → number`, `string → boolean`) happens in the schema. Never parse in application code.
+
+---
+
+## Testing
+
+```ts
+// Never mutate process.env in tests
+// Bad
+process.env.DATABASE_URL = 'postgres://localhost/test'
+
+// Good — pass a plain record to the loader
+const result = parseConfig({ DATABASE_URL: 'postgres://localhost/test', JWT_SECRET: 'a'.repeat(32), ... })
+
+// Config factory for use-case and integration tests
+// tests/helpers/config.factory.ts
+export const makeConfig = (overrides: Partial<Config> = {}): Config => ({
+  server:   { port: 3000, host: '127.0.0.1', logLevel: 'error', ...overrides.server },
+  database: { url: 'postgres://localhost/test', poolMin: 1, poolMax: 2,
+              queryTimeoutMs: 1000, ...overrides.database },
+  auth:     { jwtSecret: 'a'.repeat(32), tokenTtlSeconds: 3600, ...overrides.auth },
+  features: { maintenanceMode: false, ...overrides.features },
+  ...overrides,
+})
+```
+
+---
+
+## Never
+
+- Access `process.env` outside the config loader
+- Import a config singleton in application modules
+- Coerce types (parseInt, parseFloat) inside application code
+- Log config values or `process.env` at any level
+- Commit `.env` — only `.env.example` is committed

package/copilot/skills/log-standard/SKILL.md

@@ -0,0 +1,148 @@
+---
+name: log-standard
+description: >
+  Normative TSF++ logging rules. Load when writing or reviewing any code that
+  logs, uses the Logger port, implements a logger adapter, or calls tap/tapErr
+  for side effects: Logger port from @tsfpp/prelude, LogEntry field conventions,
+  log level semantics, structured message format, what never to log (PII,
+  secrets, stack traces), withRequestLog for HTTP, silentLogger for tests.
+---
+
+# TSF++ log standard
+
+Full standard: `node_modules/@tsfpp/standard/spec/LOG_CODING_STANDARD.md`
+
+---
+
+## Import
+
+```ts
+import { type Logger, type LogEntry, type LogLevel } from '@tsfpp/prelude'
+```
+
+Never import `pino`, `winston`, or `console` in core, use-case, or DAL code.
+
+---
+
+## Logger port
+
+```ts
+// Infrastructure adapter — inject this; never the library directly
+import pino from 'pino'
+import { type Logger } from '@tsfpp/prelude'
+
+export const logger: Logger = {
+  debug: (entry) => pinoInstance.debug(entry, entry.message),
+  info:  (entry) => pinoInstance.info(entry, entry.message),
+  warn:  (entry) => pinoInstance.warn(entry, entry.message),
+  error: (entry) => pinoInstance.error(entry, entry.message),
+}
+
+// Tests — always use silentLogger, never the production logger
+export const silentLogger: Logger = {
+  debug: () => undefined,
+  info:  () => undefined,
+  warn:  () => undefined,
+  error: () => undefined,
+}
+```
+
+---
+
+## Log levels
+
+| Level | Use when |
+|---|---|
+| `debug` | Diagnostic detail — disabled in production by default. Never log PII even at debug. |
+| `info` | A significant, expected business event occurred. One entry per meaningful outcome. |
+| `warn` | Unexpected but recoverable — retry triggered, rate limit approached, deprecated path called. |
+| `error` | Failure requiring attention — operation failed, dependency unreachable, unhandled `Err` at boundary. |
+
+`info` is for **business events**, not execution steps. Never log "calling repository", "repository returned".
+
+---
+
+## LogEntry field conventions
+
+```ts
+// message — dot-separated event name, machine-readable
+{ message: 'user.created' }
+{ message: 'payment.charge.failed' }
+{ message: 'session.expired' }
+
+// Always include traceId in request-scoped logs
+{ message: 'user.created', traceId: ctx.traceId, userId: user.id }
+
+// Always include code on error-level logs
+{ message: 'db.query.failed', code: 'db_timeout', traceId }
+
+// duration for operations with performance budgets (milliseconds)
+{ message: 'payment.charge.completed', duration: Date.now() - start, traceId }
+```
+
+Flat structure only — no nested objects. Log aggregators cannot query nested fields.
+
+---
+
+## Logging in pipelines — tap / tapErr
+
+Never break a `pipe` chain to log. Use `tap` / `tapErr`:
+
+```ts
+// Good
+pipe(
+  validateInput(input),
+  flatMap(createUser(deps.users)),
+  tap(user  => deps.logger.info({ message: 'user.created', userId: user.id, traceId })),
+  tapErr(err => deps.logger.error({ message: 'user.create.failed', code: err.code, traceId })),
+)
+
+// Bad — breaks the pipeline
+const result = await createUser(deps.users)(input)
+if (isOk(result)) deps.logger.info(...)  // separate from the pipeline
+```
+
+---
+
+## Log `cause` before discarding it
+
+`dependency` and `internal` `ApiError` variants carry a `cause` that is stripped by `apiErrorToResponse`. Log it first:
+
+```ts
+if (isErr(result) && result.error.kind === 'dependency') {
+  deps.logger.error({
+    message: 'payment.gateway.unreachable',
+    code:    'dependency_error',
+    error:   String(result.error.cause),
+    traceId: ctx.traceId,
+  })
+  return apiErrorToResponse(result.error, ctx)
+}
+```
+
+---
+
+## HTTP request logging
+
+Use `withRequestLog` from `@tsfpp/boundary` — never add manual logging to handler bodies.
+
+```ts
+const handler = pipe(
+  createUserHandler(deps),
+  withIdempotency(store),
+  withRequestLog(logger, '/v1/users'),  // always outermost; routeTemplate not resolved URL
+)
+```
+
+`routeTemplate` must be the parameterised path (`/v1/users/:id`), never the resolved URL.
+
+---
+
+## Never log
+
+- PII — names, emails, phone numbers, addresses, national IDs
+- Credentials — passwords, tokens, API keys, session IDs
+- Full request or response bodies at `info` or above
+- Stack traces in production — log `err.message`, not `err.stack`
+- `process.env` or config values — they may contain secrets
+- `console.*` anywhere except `main.ts` / `server.ts` startup boundary

package/init.mjs

@@ -66,6 +66,8 @@ const FILES = [
   ['copilot/skills/react-coding-standard/SKILL.md',           '.github/skills/react-coding-standard/SKILL.md'],
   ['copilot/skills/test-standard/SKILL.md',                   '.github/skills/test-standard/SKILL.md'],
   ['copilot/skills/annotation-standard/SKILL.md',          '.github/skills/annotation-standard/SKILL.md'],
+  ['copilot/skills/log-standard/SKILL.md',                  '.github/skills/log-standard/SKILL.md'],
+  ['copilot/skills/config-standard/SKILL.md',               '.github/skills/config-standard/SKILL.md'],
 
   // Claude Code
   ['claude/CLAUDE.md',                                        '.claude/CLAUDE.md'],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tsfpp/agents",
-  "version": "1.4.0",
+  "version": "1.5.0",
   "description": "Workspace AI tooling for TSF++ projects: scoped instructions, coding agents, and reusable prompts",
   "keywords": [
     "tsfpp",
@@ -37,11 +37,11 @@
     "LICENSE"
   ],
   "peerDependencies": {
-    "@tsfpp/standard":     ">=1.0.0",
-    "@tsfpp/prelude":      ">=1.0.0",
-    "@tsfpp/boundary":     ">=1.0.0",
-    "@tsfpp/eslint-config":">=1.0.0",
-    "@tsfpp/tsconfig":     ">=1.0.0"
+    "@tsfpp/standard": ">=1.0.0",
+    "@tsfpp/prelude": ">=1.0.0",
+    "@tsfpp/boundary": ">=1.0.0",
+    "@tsfpp/eslint-config": ">=1.0.0",
+    "@tsfpp/tsconfig": ">=1.0.0"
   },
   "publishConfig": {
     "access": "public"