bmad-module-skill-forge 0.10.0 → 0.10.1-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +39 -0
- package/.gitattributes +16 -0
- package/README.md +105 -38
- package/docs/404.md +13 -10
- package/docs/RELEASING.md +185 -0
- package/docs/STABILITY.md +123 -0
- package/docs/_data/pinned.yaml +98 -0
- package/docs/agents.md +16 -11
- package/docs/architecture.md +221 -0
- package/docs/bmad-synergy.md +11 -13
- package/docs/concepts.md +18 -108
- package/docs/examples.md +121 -80
- package/docs/getting-started.md +85 -147
- package/docs/how-it-works.md +25 -536
- package/docs/index.md +44 -27
- package/docs/skill-model.md +328 -0
- package/docs/troubleshooting.md +39 -0
- package/docs/verifying-a-skill.md +232 -0
- package/docs/why-skf.md +93 -0
- package/docs/workflows.md +119 -13
- package/package.json +25 -4
- package/src/README.md +23 -25
- package/src/forger/forge-tier.yaml +4 -2
- package/src/forger/preferences.yaml +7 -1
- package/src/knowledge/agentskills-spec.md +1 -1
- package/src/knowledge/architecture-verification.md +1 -1
- package/src/knowledge/ccc-bridge.md +16 -15
- package/src/knowledge/overview.md +11 -11
- package/src/knowledge/progressive-capability.md +3 -3
- package/src/knowledge/provenance-tracking.md +9 -3
- package/src/knowledge/qmd-registry.md +8 -8
- package/src/knowledge/skf-knowledge-index.csv +2 -2
- package/src/knowledge/skill-lifecycle.md +16 -1
- package/src/knowledge/split-body-strategy.md +1 -1
- package/src/knowledge/version-paths.md +17 -12
- package/src/module-help.csv +18 -17
- package/src/shared/health-check.md +372 -0
- package/src/shared/references/feasibility-report-schema.md +86 -0
- package/src/shared/references/headless-gate-convention.md +62 -0
- package/src/shared/references/output-contract-schema.md +35 -0
- package/src/shared/references/pipeline-contracts.md +102 -0
- package/src/shared/scripts/skf-atomic-write.py +370 -0
- package/src/shared/scripts/skf-manifest-ops.py +236 -0
- package/src/shared/scripts/skf-preflight.py +164 -0
- package/src/shared/scripts/skf-rebuild-managed-sections.py +201 -0
- package/src/shared/scripts/skf-severity-classify.py +163 -0
- package/src/shared/scripts/skf-skill-inventory.py +210 -0
- package/src/shared/scripts/skf-structural-diff.py +257 -0
- package/src/shared/scripts/skf-validate-frontmatter.py +318 -0
- package/src/shared/scripts/skf-validate-output.py +247 -0
- package/src/skf-analyze-source/SKILL.md +57 -0
- package/src/skf-analyze-source/assets/skill-brief-schema.md +125 -0
- package/src/skf-analyze-source/references/unit-detection-heuristics.md +124 -0
- package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-01-init.md +6 -66
- package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-01b-continue.md +4 -59
- package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-02-scan-project.md +7 -68
- package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-03-identify-units.md +6 -66
- package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-04-map-and-detect.md +7 -68
- package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-05-recommend.md +6 -66
- package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-06-generate-briefs.md +14 -71
- package/src/skf-analyze-source/steps-c/step-07-health-check.md +22 -0
- package/src/skf-audit-skill/SKILL.md +59 -0
- package/src/{workflows/audit-skill/data → skf-audit-skill/assets}/drift-report-template.md +7 -7
- package/src/{workflows/audit-skill/data → skf-audit-skill/references}/severity-rules.md +11 -11
- package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-01-init.md +24 -68
- package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-02-re-index.md +36 -71
- package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-03-structural-diff.md +21 -63
- package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-04-semantic-diff.md +6 -65
- package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-05-severity-classify.md +5 -63
- package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-06-report.md +10 -64
- package/src/skf-audit-skill/steps-c/step-07-health-check.md +22 -0
- package/src/skf-brief-skill/SKILL.md +53 -0
- package/src/{workflows/brief-skill/data → skf-brief-skill/assets}/scope-templates.md +23 -0
- package/src/skf-brief-skill/assets/skill-brief-schema.md +206 -0
- package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-01-gather-intent.md +6 -67
- package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-02-analyze-target.md +6 -66
- package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-03-scope-definition.md +12 -68
- package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-04-confirm-brief.md +5 -63
- package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-05-write-brief.md +10 -70
- package/src/skf-brief-skill/steps-c/step-06-health-check.md +22 -0
- package/src/skf-create-skill/SKILL.md +63 -0
- package/src/{workflows/create-skill/data → skf-create-skill/assets}/compile-assembly-rules.md +60 -0
- package/src/{workflows/create-skill/data → skf-create-skill/assets}/skill-sections.md +92 -23
- package/src/skf-create-skill/assets/tessl-dismissal-rules.md +102 -0
- package/src/{workflows/create-skill/data → skf-create-skill/references}/extraction-patterns-tracing.md +13 -13
- package/src/{workflows/create-skill/data → skf-create-skill/references}/extraction-patterns.md +8 -3
- package/src/skf-create-skill/references/source-resolution-protocols.md +239 -0
- package/src/{workflows/create-skill/data → skf-create-skill/references}/tier-degradation-rules.md +8 -7
- package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-01-load-brief.md +25 -63
- package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-02-ecosystem-check.md +8 -64
- package/src/skf-create-skill/steps-c/step-03-extract.md +379 -0
- package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-03d-component-extraction.md +18 -35
- package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-04-enrich.md +12 -69
- package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-05-compile.md +71 -75
- package/src/skf-create-skill/steps-c/step-06-validate.md +267 -0
- package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-07-generate-artifacts.md +30 -74
- package/src/skf-create-skill/steps-c/step-08-report.md +145 -0
- package/src/skf-create-skill/steps-c/step-09-health-check.md +23 -0
- package/src/{workflows/create-skill/steps-c → skf-create-skill/steps-c/sub}/step-02b-ccc-discover.md +8 -66
- package/src/skf-create-skill/steps-c/sub/step-03b-fetch-temporal.md +229 -0
- package/src/{workflows/create-skill/steps-c → skf-create-skill/steps-c/sub}/step-03c-fetch-docs.md +18 -42
- package/src/skf-create-stack-skill/SKILL.md +64 -0
- package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/assets}/stack-skill-template.md +2 -1
- package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/compose-mode-rules.md +19 -5
- package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/integration-patterns.md +1 -1
- package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/manifest-patterns.md +10 -10
- package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-01-init.md +14 -55
- package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-02-detect-manifests.md +29 -63
- package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-03-rank-and-confirm.md +9 -59
- package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-04-parallel-extract.md +29 -64
- package/src/skf-create-stack-skill/steps-c/step-05-detect-integrations.md +164 -0
- package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-06-compile-stack.md +7 -60
- package/src/skf-create-stack-skill/steps-c/step-07-generate-output.md +328 -0
- package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-08-validate.md +17 -63
- package/src/skf-create-stack-skill/steps-c/step-09-report.md +128 -0
- package/src/skf-create-stack-skill/steps-c/step-10-health-check.md +22 -0
- package/src/skf-drop-skill/SKILL.md +57 -0
- package/src/{workflows/drop-skill → skf-drop-skill}/steps-c/step-01-select.md +9 -69
- package/src/{workflows/drop-skill → skf-drop-skill}/steps-c/step-02-execute.md +30 -106
- package/src/skf-drop-skill/steps-c/step-03-report.md +83 -0
- package/src/skf-drop-skill/steps-c/step-04-health-check.md +22 -0
- package/src/skf-export-skill/SKILL.md +57 -0
- package/src/skf-export-skill/assets/managed-section-format.md +138 -0
- package/src/{workflows/export-skill/data → skf-export-skill/assets}/snippet-format.md +8 -12
- package/src/skf-export-skill/steps-c/step-01-load-skill.md +247 -0
- package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-02-package.md +5 -58
- package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-03-generate-snippet.md +15 -77
- package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-04-update-context.md +59 -133
- package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-05-token-report.md +4 -58
- package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-06-summary.md +16 -68
- package/src/skf-export-skill/steps-c/step-07-health-check.md +22 -0
- package/src/skf-forger/SKILL.md +110 -0
- package/src/skf-forger/bmad-skill-manifest.yaml +11 -0
- package/src/skf-quick-skill/SKILL.md +56 -0
- package/src/{workflows/quick-skill/data → skf-quick-skill/references}/registry-resolution.md +6 -6
- package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-01-resolve-target.md +9 -62
- package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-02-ecosystem-check.md +5 -59
- package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-03-quick-extract.md +18 -61
- package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-04-compile.md +6 -60
- package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-05-validate.md +58 -78
- package/src/skf-quick-skill/steps-c/step-06-write.md +73 -0
- package/src/skf-quick-skill/steps-c/step-07-health-check.md +22 -0
- package/src/skf-refine-architecture/SKILL.md +57 -0
- package/src/{workflows/refine-architecture/data → skf-refine-architecture/references}/refinement-rules.md +16 -16
- package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-01-init.md +6 -63
- package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-02-gap-analysis.md +29 -71
- package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-03-issue-detection.md +5 -65
- package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-04-improvements.md +5 -64
- package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-05-compile.md +5 -56
- package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-06-report.md +11 -64
- package/src/skf-refine-architecture/steps-c/step-07-health-check.md +22 -0
- package/src/skf-rename-skill/SKILL.md +58 -0
- package/src/{workflows/rename-skill → skf-rename-skill}/steps-c/step-01-select.md +12 -73
- package/src/{workflows/rename-skill → skf-rename-skill}/steps-c/step-02-execute.md +32 -113
- package/src/skf-rename-skill/steps-c/step-03-report.md +83 -0
- package/src/skf-rename-skill/steps-c/step-04-health-check.md +22 -0
- package/src/skf-setup/SKILL.md +55 -0
- package/src/{workflows/setup-forge → skf-setup}/steps-c/step-01-detect-and-tier.md +6 -62
- package/src/{workflows/setup-forge → skf-setup}/steps-c/step-01b-ccc-index.md +9 -65
- package/src/{workflows/setup-forge → skf-setup}/steps-c/step-02-write-config.md +15 -60
- package/src/{workflows/setup-forge → skf-setup}/steps-c/step-03-auto-index.md +7 -66
- package/src/skf-setup/steps-c/step-04-report.md +92 -0
- package/src/skf-setup/steps-c/step-05-health-check.md +22 -0
- package/src/skf-test-skill/SKILL.md +59 -0
- package/src/skf-test-skill/references/migration-section-rules.md +114 -0
- package/src/skf-test-skill/references/scoring-rules.md +207 -0
- package/src/skf-test-skill/references/source-access-protocol.md +109 -0
- package/src/skf-test-skill/scripts/compute-score.py +310 -0
- package/src/skf-test-skill/steps-c/step-01-init.md +238 -0
- package/src/{workflows/test-skill → skf-test-skill}/steps-c/step-02-detect-mode.md +4 -62
- package/src/skf-test-skill/steps-c/step-03-coverage-check.md +347 -0
- package/src/skf-test-skill/steps-c/step-04-coherence-check.md +239 -0
- package/src/{workflows/test-skill → skf-test-skill}/steps-c/step-04b-external-validators.md +42 -77
- package/src/skf-test-skill/steps-c/step-05-score.md +266 -0
- package/src/skf-test-skill/steps-c/step-06-report.md +290 -0
- package/src/skf-test-skill/steps-c/step-07-health-check.md +25 -0
- package/src/skf-test-skill/templates/test-report-template.md +58 -0
- package/src/skf-update-skill/SKILL.md +58 -0
- package/src/{workflows/update-skill/data → skf-update-skill/references}/manual-section-rules.md +6 -6
- package/src/{workflows/update-skill/data → skf-update-skill/references}/merge-conflict-rules.md +5 -5
- package/src/skf-update-skill/references/remote-source-resolution.md +94 -0
- package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-01-init.md +22 -69
- package/src/skf-update-skill/steps-c/step-02-detect-changes.md +255 -0
- package/src/skf-update-skill/steps-c/step-03-re-extract.md +336 -0
- package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-04-merge.md +60 -72
- package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-05-validate.md +5 -62
- package/src/skf-update-skill/steps-c/step-06-write.md +278 -0
- package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-07-report.md +11 -69
- package/src/skf-update-skill/steps-c/step-08-health-check.md +22 -0
- package/src/skf-verify-stack/SKILL.md +60 -0
- package/src/skf-verify-stack/assets/feasibility-report-template.md +76 -0
- package/src/{workflows/verify-stack/data → skf-verify-stack/references}/coverage-patterns.md +12 -4
- package/src/skf-verify-stack/references/integration-verification-rules.md +78 -0
- package/src/skf-verify-stack/steps-c/step-01-init.md +178 -0
- package/src/{workflows/verify-stack → skf-verify-stack}/steps-c/step-02-coverage.md +27 -72
- package/src/skf-verify-stack/steps-c/step-03-integrations.md +179 -0
- package/src/{workflows/verify-stack → skf-verify-stack}/steps-c/step-04-requirements.md +14 -67
- package/src/skf-verify-stack/steps-c/step-05-synthesize.md +147 -0
- package/src/skf-verify-stack/steps-c/step-06-report.md +156 -0
- package/src/skf-verify-stack/steps-c/step-07-health-check.md +25 -0
- package/tools/cli/commands/install.js +1 -1
- package/tools/cli/commands/status.js +21 -23
- package/tools/cli/commands/uninstall.js +11 -19
- package/tools/cli/commands/update.js +2 -2
- package/tools/cli/lib/ide-skills.js +216 -0
- package/tools/cli/lib/installer.js +29 -52
- package/tools/cli/lib/manifest.js +11 -5
- package/tools/cli/lib/platform-codes.yaml +223 -0
- package/tools/cli/lib/ui.js +76 -47
- package/tools/validate-docs-drift.js +193 -0
- package/src/agents/forger.agent.yaml +0 -114
- package/src/workflows/README.md +0 -174
- package/src/workflows/analyze-source/data/skill-brief-schema.md +0 -125
- package/src/workflows/analyze-source/data/unit-detection-heuristics.md +0 -124
- package/src/workflows/analyze-source/workflow.md +0 -61
- package/src/workflows/audit-skill/workflow.md +0 -64
- package/src/workflows/brief-skill/data/skill-brief-schema.md +0 -159
- package/src/workflows/brief-skill/workflow.md +0 -58
- package/src/workflows/create-skill/data/source-resolution-protocols.md +0 -200
- package/src/workflows/create-skill/steps-c/step-03-extract.md +0 -301
- package/src/workflows/create-skill/steps-c/step-03b-fetch-temporal.md +0 -253
- package/src/workflows/create-skill/steps-c/step-06-validate.md +0 -254
- package/src/workflows/create-skill/steps-c/step-08-report.md +0 -179
- package/src/workflows/create-skill/workflow.md +0 -53
- package/src/workflows/create-stack-skill/steps-c/step-05-detect-integrations.md +0 -196
- package/src/workflows/create-stack-skill/steps-c/step-07-generate-output.md +0 -270
- package/src/workflows/create-stack-skill/steps-c/step-09-report.md +0 -150
- package/src/workflows/create-stack-skill/workflow.md +0 -59
- package/src/workflows/drop-skill/steps-c/step-03-report.md +0 -136
- package/src/workflows/drop-skill/workflow.md +0 -63
- package/src/workflows/export-skill/data/managed-section-format.md +0 -103
- package/src/workflows/export-skill/steps-c/step-01-load-skill.md +0 -237
- package/src/workflows/export-skill/workflow.md +0 -58
- package/src/workflows/quick-skill/steps-c/step-06-write.md +0 -178
- package/src/workflows/quick-skill/workflow.md +0 -58
- package/src/workflows/refine-architecture/workflow.md +0 -61
- package/src/workflows/rename-skill/steps-c/step-03-report.md +0 -133
- package/src/workflows/rename-skill/workflow.md +0 -64
- package/src/workflows/setup-forge/steps-c/step-04-report.md +0 -159
- package/src/workflows/setup-forge/workflow.md +0 -51
- package/src/workflows/shared/health-check.md +0 -231
- package/src/workflows/test-skill/data/scoring-rules.md +0 -123
- package/src/workflows/test-skill/data/source-access-protocol.md +0 -51
- package/src/workflows/test-skill/steps-c/step-01-init.md +0 -217
- package/src/workflows/test-skill/steps-c/step-03-coverage-check.md +0 -280
- package/src/workflows/test-skill/steps-c/step-04-coherence-check.md +0 -271
- package/src/workflows/test-skill/steps-c/step-05-score.md +0 -222
- package/src/workflows/test-skill/steps-c/step-06-report.md +0 -208
- package/src/workflows/test-skill/templates/test-report-template.md +0 -28
- package/src/workflows/test-skill/workflow.md +0 -57
- package/src/workflows/update-skill/data/remote-source-resolution.md +0 -57
- package/src/workflows/update-skill/steps-c/step-02-detect-changes.md +0 -221
- package/src/workflows/update-skill/steps-c/step-03-re-extract.md +0 -256
- package/src/workflows/update-skill/steps-c/step-06-write.md +0 -265
- package/src/workflows/update-skill/workflow.md +0 -56
- package/src/workflows/verify-stack/data/feasibility-report-template.md +0 -63
- package/src/workflows/verify-stack/data/integration-verification-rules.md +0 -73
- package/src/workflows/verify-stack/steps-c/step-01-init.md +0 -179
- package/src/workflows/verify-stack/steps-c/step-03-integrations.md +0 -195
- package/src/workflows/verify-stack/steps-c/step-05-synthesize.md +0 -191
- package/src/workflows/verify-stack/steps-c/step-06-report.md +0 -200
- package/src/workflows/verify-stack/workflow.md +0 -61
- package/tools/cli/lib/compiler.js +0 -306
- package/tools/cli/lib/ide-commands.js +0 -244
- /package/src/{workflows/analyze-source → skf-analyze-source}/templates/analysis-report-template.md +0 -0
- /package/src/{workflows/quick-skill/data → skf-quick-skill/assets}/skill-template.md +0 -0
- /package/src/{workflows/setup-forge/data → skf-setup/references}/tier-rules.md +0 -0
- /package/src/{workflows/test-skill/data → skf-test-skill/assets}/output-section-formats.md +0 -0
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "bmad-module-skill-forge",
|
|
3
|
+
"owner": {
|
|
4
|
+
"name": "Armel"
|
|
5
|
+
},
|
|
6
|
+
"description": "Turn code and docs into instructions AI agents can actually follow. Evidence-based skill compilation with progressive capability tiers.",
|
|
7
|
+
"license": "MIT",
|
|
8
|
+
"homepage": "https://github.com/armelhbobdad/bmad-module-skill-forge",
|
|
9
|
+
"repository": "https://github.com/armelhbobdad/bmad-module-skill-forge",
|
|
10
|
+
"keywords": ["bmad", "bmad-method", "bmad-module", "agent-skills", "agentskills", "agents", "skills", "skill-forge", "compilation", "forge", "ast-grep", "qmd", "cocoindex", "cocoindex-code", "provenance", "code-analysis"],
|
|
11
|
+
"plugins": [
|
|
12
|
+
{
|
|
13
|
+
"name": "skill-forge",
|
|
14
|
+
"source": "./",
|
|
15
|
+
"description": "Evidence-based agent skills compiler with progressive capability tiers (Quick/Forge/Forge+/Deep).",
|
|
16
|
+
"version": "0.10.1-alpha.0",
|
|
17
|
+
"author": {
|
|
18
|
+
"name": "Armel"
|
|
19
|
+
},
|
|
20
|
+
"skills": [
|
|
21
|
+
"./src/skf-forger",
|
|
22
|
+
"./src/skf-setup",
|
|
23
|
+
"./src/skf-analyze-source",
|
|
24
|
+
"./src/skf-brief-skill",
|
|
25
|
+
"./src/skf-create-skill",
|
|
26
|
+
"./src/skf-quick-skill",
|
|
27
|
+
"./src/skf-create-stack-skill",
|
|
28
|
+
"./src/skf-update-skill",
|
|
29
|
+
"./src/skf-audit-skill",
|
|
30
|
+
"./src/skf-test-skill",
|
|
31
|
+
"./src/skf-export-skill",
|
|
32
|
+
"./src/skf-rename-skill",
|
|
33
|
+
"./src/skf-drop-skill",
|
|
34
|
+
"./src/skf-verify-stack",
|
|
35
|
+
"./src/skf-refine-architecture"
|
|
36
|
+
]
|
|
37
|
+
}
|
|
38
|
+
]
|
|
39
|
+
}
|
package/.gitattributes
ADDED
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
# Normalize all text files to LF in the repo and on checkout, regardless of
|
|
2
|
+
# the contributor's platform or core.autocrlf setting. SKF runs on Linux,
|
|
3
|
+
# macOS, and Windows (Git Bash / WSL2); LF-everywhere keeps prettier
|
|
4
|
+
# `endOfLine: 'lf'` clean and avoids spurious diffs from line-ending churn.
|
|
5
|
+
* text=auto eol=lf
|
|
6
|
+
|
|
7
|
+
# Binary blobs — never touch.
|
|
8
|
+
*.png binary
|
|
9
|
+
*.jpg binary
|
|
10
|
+
*.jpeg binary
|
|
11
|
+
*.gif binary
|
|
12
|
+
*.ico binary
|
|
13
|
+
*.pdf binary
|
|
14
|
+
*.zip binary
|
|
15
|
+
*.gz binary
|
|
16
|
+
*.tgz binary
|
package/README.md
CHANGED
|
@@ -9,13 +9,17 @@
|
|
|
9
9
|
[](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/workflows/quality.yaml)
|
|
10
10
|
[](https://www.npmjs.com/package/bmad-module-skill-forge)
|
|
11
11
|
[](https://opensource.org/licenses/MIT)
|
|
12
|
-
[](https://github.com/bmad-code-org/BMAD-METHOD)
|
|
13
|
+
[](https://www.python.org)
|
|
14
|
+
[](https://docs.astral.sh/uv/)
|
|
13
15
|
[](https://armelhbobdad.github.io/bmad-module-skill-forge/)
|
|
16
|
+
[](https://discord.gg/gk8jAdXWmj)
|
|
14
17
|
[](https://github.com/armelhbobdad/bmad-module-skill-forge/stargazers)
|
|
15
18
|
|
|
16
|
-
|
|
19
|
+
_Skill Forge analyzes your code repositories, documentation, and developer discourse to build verified instruction files for AI agents. Every instruction links back to a specific file and line in the source it was compiled from._
|
|
17
20
|
|
|
18
|
-
**If SKF
|
|
21
|
+
**If SKF fixes your agent's API guesses, give it a ⭐ — it helps others find this tool.**
|
|
22
|
+
**If it saved you an afternoon, [grab me a coffee ☕](https://buymeacoffee.com/armelhbobdad) — it helps me keep forging.**
|
|
19
23
|
|
|
20
24
|
</div>
|
|
21
25
|
|
|
@@ -27,13 +31,7 @@ You ask an AI agent to use a library. It invents function names that don't exist
|
|
|
27
31
|
|
|
28
32
|
This isn't an edge case. It's the default experience.
|
|
29
33
|
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
1. **Analyzes your sources** — extracts real function signatures, types, and patterns from code repositories, documentation websites, and developer discourse
|
|
33
|
-
2. **Compiles verified instruction files** — every instruction links to the exact file and line it came from
|
|
34
|
-
3. **Version-aware** — skills are stored per-version, so updating to v2.0 doesn't break your v1.x skill. Compatible with [skill.sh](https://skill.sh) and [npx skills](https://www.npmjs.com/package/skills)
|
|
35
|
-
4. **Manageable lifecycle** — rename skills and drop deprecated versions without manual file surgery. Transactional safety for destructive operations.
|
|
36
|
-
5. **Follows an open standard** — skills comply with the [agentskills.io](https://agentskills.io) spec and work across Claude, Cursor, Copilot, and other AI agents
|
|
34
|
+
For the full story behind SKF, read [_Hallucination has a line number_](https://medium.com/@armelhbobdad/hallucination-has-a-line-number-32209b4688de) on Medium.
|
|
37
35
|
|
|
38
36
|
## Before vs After
|
|
39
37
|
|
|
@@ -53,80 +51,149 @@ import cognee
|
|
|
53
51
|
|
|
54
52
|
# Agent follows the skill instruction:
|
|
55
53
|
# `search(query_text: str, query_type: SearchType = GRAPH_COMPLETION) -> List[SearchResult]`
|
|
56
|
-
# [AST:cognee/api/v1/search/search.py:
|
|
54
|
+
# [AST:cognee/api/v1/search/search.py:L27]
|
|
57
55
|
results = await cognee.search(
|
|
58
56
|
query_text="What does Cognee do?",
|
|
59
57
|
query_type=cognee.SearchType.GRAPH_COMPLETION
|
|
60
58
|
)
|
|
61
59
|
```
|
|
62
60
|
|
|
63
|
-
The skill told the agent the real function name, the real parameters, and that the call
|
|
61
|
+
The skill told the agent the real function name, the real parameters, and that the call is async — all traced to the exact source line. This example is from the real [`oms-cognee`](https://github.com/armelhbobdad/oh-my-skills/blob/main/skills/oms-cognee/1.0.0/oms-cognee/SKILL.md) skill in [**oh-my-skills**](https://github.com/armelhbobdad/oh-my-skills) — SKF's reference output. The [**Verifying a Skill**](#verifying-a-skill) section below shows how to walk the citation chain yourself.
|
|
64
62
|
|
|
65
63
|
## Install
|
|
66
64
|
|
|
67
|
-
Requires [Node.js](https://nodejs.org/) >= 22.
|
|
65
|
+
Linux, Windows, and macOS supported ([platform details](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/#platform-support)). Requires [Node.js](https://nodejs.org/) >= 22, [Python](https://www.python.org/) >= 3.10, and [uv](https://docs.astral.sh/uv/) (Python package runner).
|
|
68
66
|
|
|
69
67
|
```bash
|
|
70
68
|
npx bmad-module-skill-forge install
|
|
71
69
|
```
|
|
72
70
|
|
|
73
|
-
You'll be prompted for project name, output folders, and IDE configuration. See the [docs](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/) for other install methods.
|
|
71
|
+
You'll be prompted for project name, output folders, and IDE configuration. When the install completes, open your IDE and invoke `@Ferris SF` to confirm Ferris is reachable. Ferris reports your detected tools and capability tier. See the [docs](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/) for other install methods.
|
|
74
72
|
|
|
75
73
|
## Quick Start
|
|
76
74
|
|
|
77
|
-
1. **Set up your environment:** `@Ferris SF` — detects your tools and sets your capability tier
|
|
78
|
-
2. **Generate your first skill:** `@Ferris QS <package-name>` — creates a verified skill in under a minute
|
|
79
|
-
3. **Full quality path:** `@Ferris BS` → clear session → `@Ferris CS`
|
|
75
|
+
1. **Set up your environment:** `@Ferris SF` _(Setup Forge)_ — detects your tools and sets your capability tier
|
|
76
|
+
2. **Generate your first skill:** `@Ferris QS <package-name>` _(Quick Skill)_ — creates a verified skill in under a minute
|
|
77
|
+
3. **Full quality path:** `@Ferris forge <your-library>` chains Brief → Create → Test → Export automatically — or run manually: `@Ferris BS` → clear session → `@Ferris CS` for maximum control
|
|
80
78
|
|
|
81
|
-
> **Tip:** Start a fresh conversation before each workflow. SKF workflows load significant context
|
|
79
|
+
> **Tip:** Start a fresh conversation before each workflow, or use pipeline mode to chain them automatically. SKF workflows load significant context; clearing between them prevents interference.
|
|
82
80
|
|
|
83
|
-
See the [workflows docs](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/) for all
|
|
81
|
+
See the [workflows docs](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/) for all available workflows, pipeline aliases, and headless mode.
|
|
84
82
|
|
|
85
83
|
## Who Is This For?
|
|
86
84
|
|
|
87
|
-
- **You use AI agents to write code** and they keep
|
|
85
|
+
- **You use AI agents to write code** and they keep guessing API calls wrong
|
|
88
86
|
- **You maintain a library** and want to ship official, verified instruction files so AI agents use your API correctly
|
|
89
87
|
- **You manage a codebase with many dependencies** and want a consolidated "stack skill" that teaches your agent how all the pieces fit together
|
|
90
88
|
- **You use a SaaS API or closed-source tool** with no public code — SKF can generate skills from documentation alone
|
|
91
89
|
- **You need different skills for different use cases** from the same target — compile multiple skills with different scopes from one repo or doc set (e.g., a core API skill and a migration guide skill)
|
|
92
90
|
|
|
91
|
+
## How SKF Compares
|
|
92
|
+
|
|
93
|
+
A skeptical reader is probably already considering one of these alternatives:
|
|
94
|
+
|
|
95
|
+
| | **Skill Forge** | MCP doc servers | Hand-edited `.cursorrules` | awesome-\* lists |
|
|
96
|
+
| -------------------------- | ----------------------------------------- | ----------------- | -------------------------- | ---------------- |
|
|
97
|
+
| Reproducible from source | AST extraction + pinned commit | varies; opaque | whatever you wrote | none |
|
|
98
|
+
| Version-pinned & immutable | yes — per-version directories | runtime-dependent | rots silently | no |
|
|
99
|
+
| Audit trail | `provenance-map.json` + test + evidence | depends on server | none | none |
|
|
100
|
+
| Runtime cost | zero (markdown + JSON) | a running process | zero | zero |
|
|
101
|
+
| Lifecycle tooling | rename, drop, update, export transactions | varies | file surgery | none |
|
|
102
|
+
| Falsifiable | yes — three steps, 60 seconds | rarely | no | no |
|
|
103
|
+
|
|
104
|
+
The others aren't bad. They solve different problems. **SKF solves exactly one: the claim your agent is reading about a library was true at a specific commit on a specific day, and you can prove it in under a minute.**
|
|
105
|
+
|
|
106
|
+
## How Skill Forge Fixes This
|
|
107
|
+
|
|
108
|
+
SKF extracts real function signatures, types, and patterns from code, docs, and developer discourse — every instruction links to the exact file and line it came from. On top of that foundation:
|
|
109
|
+
|
|
110
|
+
1. **Version-pinned** — skills are stored per-version, so updating to v2.0 doesn't replace your v1.x skill. Compatible with [skills.sh](https://skills.sh) and [npx skills](https://www.npmjs.com/package/skills)
|
|
111
|
+
2. **Lifecycle tooling** — rename skills and drop deprecated versions without manual file surgery. Destructive operations are transactional.
|
|
112
|
+
3. **Follows an open standard** — skills comply with the [agentskills.io](https://agentskills.io) spec and work across Claude, Cursor, Copilot, and other AI agents
|
|
113
|
+
|
|
114
|
+
> **Every skill ships two files — `SKILL.md` (the full instruction set, loaded on trigger) and `context-snippet.md` (an 80–120 token always-on index injected into `CLAUDE.md` / `AGENTS.md` / `.cursorrules`). Why both?** Per Vercel's agent evals, passive context achieves a **100% pass rate vs. 79% for active skills loaded alone** (see [Skill Model → Dual-Output Strategy](https://armelhbobdad.github.io/bmad-module-skill-forge/skill-model/#dual-output-strategy)).
|
|
115
|
+
|
|
116
|
+
## Verifying a Skill
|
|
117
|
+
|
|
118
|
+
You can falsify any AST citation in an SKF-compiled skill in under a minute:
|
|
119
|
+
|
|
120
|
+
1. **Open the skill's `provenance-map.json`** — find your symbol; read its `source_file` and `source_line`.
|
|
121
|
+
2. **Open the skill's `metadata.json`** — read `source_commit` and `source_repo`.
|
|
122
|
+
3. **Jump to the upstream repo at that commit**, open that file, find that line. The signature in `SKILL.md` should match the one you're reading.
|
|
123
|
+
|
|
124
|
+
If it doesn't, that's a bug — open an issue and SKF will republish with a new commit SHA and a new provenance map. Falsifiability isn't a feature; it's the whole deal.
|
|
125
|
+
|
|
126
|
+
**Reference output: [oh-my-skills](https://github.com/armelhbobdad/oh-my-skills)** — four Deep-tier skills compiled by SKF (cocoindex, cognee, Storybook v10, uitripled), each shipping its full audit trail in-repo. Scores range from 99.0% to 99.49%. Every claim walks to an upstream line in under 60 seconds. Serves as both the worked example for this section and ongoing proof that the pipeline does what it says.
|
|
127
|
+
|
|
128
|
+
## Help SKF Improve
|
|
129
|
+
|
|
130
|
+
Workflows end with a health check that can file bug or friction reports as GitHub issues (auto-deduped by fingerprint — re-reporting is safe). **Please let workflows run to completion**, or [open an issue](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/new/choose) directly. [Full details →](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/#terminal-step-health-check)
|
|
131
|
+
|
|
93
132
|
## Learn More
|
|
94
133
|
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
134
|
+
The docs are organized into three buckets — **Why** (start here), **Try** (do stuff), and **Reference** (look things up):
|
|
135
|
+
|
|
136
|
+
**Why**
|
|
137
|
+
|
|
138
|
+
- **[Why Skill Forge?](https://armelhbobdad.github.io/bmad-module-skill-forge/why-skf/)** — The JTBD pitch, persona router, and the honest anti-pitch
|
|
139
|
+
- **[Verifying a Skill](https://armelhbobdad.github.io/bmad-module-skill-forge/verifying-a-skill/)** — The 60-second audit recipe and scoring formula
|
|
140
|
+
|
|
141
|
+
**Try**
|
|
142
|
+
|
|
143
|
+
- **[Getting Started](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/)** — Install, first skill, prereqs, and config
|
|
144
|
+
- **[How It Works](https://armelhbobdad.github.io/bmad-module-skill-forge/how-it-works/)** — Plain-English walkthrough of one skill being built, end to end
|
|
145
|
+
- **[Examples](https://armelhbobdad.github.io/bmad-module-skill-forge/examples/)** — Real-world scenarios with full command transcripts
|
|
98
146
|
- **[Workflows](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/)** — All 14 workflows with commands and connection diagrams
|
|
99
|
-
|
|
100
|
-
|
|
147
|
+
|
|
148
|
+
**Reference**
|
|
149
|
+
|
|
150
|
+
- **[Concepts](https://armelhbobdad.github.io/bmad-module-skill-forge/concepts/)** — Seven load-bearing terms: provenance, confidence tiers, drift, and more
|
|
151
|
+
- **[Architecture](https://armelhbobdad.github.io/bmad-module-skill-forge/architecture/)** — Runtime flow, 7 tools, workspace artifacts, security, and the design decisions behind them
|
|
152
|
+
- **[Skill Model](https://armelhbobdad.github.io/bmad-module-skill-forge/skill-model/)** — Capability tiers, confidence tiers, output format, dual-output strategy, ownership model
|
|
153
|
+
- **[Agents](https://armelhbobdad.github.io/bmad-module-skill-forge/agents/)** — Ferris: the single AI agent that runs every SKF workflow
|
|
154
|
+
- **[BMAD Synergy](https://armelhbobdad.github.io/bmad-module-skill-forge/bmad-synergy/)** — How SKF pairs with BMAD CORE phases and optional modules (TEA, BMB, GDS, CIS)
|
|
155
|
+
- **[Troubleshooting](https://armelhbobdad.github.io/bmad-module-skill-forge/troubleshooting/)** — Common errors (forge setup, ecosystem checks, tier confidence) and how to resolve them
|
|
101
156
|
|
|
102
157
|
## Acknowledgements
|
|
103
158
|
|
|
104
159
|
SKF builds on these excellent open-source tools:
|
|
105
160
|
|
|
106
|
-
| Tool
|
|
107
|
-
|
|
108
|
-
| [agentskills.io](https://github.com/agentskills/agentskills)
|
|
109
|
-
| [GitHub CLI](https://cli.github.com/)
|
|
110
|
-
| [ast-grep](https://github.com/ast-grep/ast-grep)
|
|
111
|
-
| [ast-grep MCP](https://github.com/ast-grep/ast-grep-mcp)
|
|
112
|
-
| [cocoindex-code](https://github.com/cocoindex-io/cocoindex-code) | Semantic code search and file discovery pre-ranking (Forge+ tier)
|
|
113
|
-
| [QMD](https://github.com/tobi/qmd)
|
|
114
|
-
| [skill-check](https://github.com/thedaviddias/skill-check)
|
|
115
|
-
| [Snyk Agent Scan](https://github.com/snyk/agent-scan)
|
|
116
|
-
| [tessl](https://tessl.io)
|
|
117
|
-
| [
|
|
161
|
+
| Tool | Role in SKF |
|
|
162
|
+
| ---------------------------------------------------------------- | ---------------------------------------------------------------------- |
|
|
163
|
+
| [agentskills.io](https://github.com/agentskills/agentskills) | Skill specification and ecosystem standard |
|
|
164
|
+
| [GitHub CLI](https://cli.github.com/) | Source code access and repository intelligence (all tiers) |
|
|
165
|
+
| [ast-grep](https://github.com/ast-grep/ast-grep) | AST-based structural code extraction (Forge/Forge+/Deep tiers) |
|
|
166
|
+
| [ast-grep MCP](https://github.com/ast-grep/ast-grep-mcp) | MCP server for memory-efficient AST queries (recommended) |
|
|
167
|
+
| [cocoindex-code](https://github.com/cocoindex-io/cocoindex-code) | Semantic code search and file discovery pre-ranking (Forge+ tier) |
|
|
168
|
+
| [QMD](https://github.com/tobi/qmd) | Local hybrid search engine for knowledge indexing (Deep tier) |
|
|
169
|
+
| [skill-check](https://github.com/thedaviddias/skill-check) | Skill validation, auto-fix, quality scoring, and security scanning |
|
|
170
|
+
| [Snyk Agent Scan](https://github.com/snyk/agent-scan) | Security scanning for prompt injection and data exposure (optional) |
|
|
171
|
+
| [tessl](https://tessl.io) | Content quality review, actionability scoring, and AI judge evaluation |
|
|
172
|
+
| [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD) | Agent-workflow framework that SKF extends as a module |
|
|
118
173
|
|
|
119
174
|
## Contributing
|
|
120
175
|
|
|
121
176
|
See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
|
|
122
177
|
|
|
178
|
+
## Changelog
|
|
179
|
+
|
|
180
|
+
Past releases are documented in [CHANGELOG.md](CHANGELOG.md).
|
|
181
|
+
|
|
182
|
+
## Versioning & Stability
|
|
183
|
+
|
|
184
|
+
The v1.0.0 public API contract is documented in [docs/STABILITY.md](docs/STABILITY.md).
|
|
185
|
+
|
|
186
|
+
## Release Process
|
|
187
|
+
|
|
188
|
+
Maintainers: see [docs/RELEASING.md](docs/RELEASING.md) for branch-protection rules, required status checks, the [`release` environment with required-reviewer gate](docs/RELEASING.md#release-environment), the [npm Trusted Publisher registration](docs/RELEASING.md#npm-trusted-publisher) (OIDC-backed publish, auto-provenance), and (later) the rollback playbook.
|
|
189
|
+
|
|
123
190
|
## License
|
|
124
191
|
|
|
125
192
|
MIT License — see [LICENSE](LICENSE) for details.
|
|
126
193
|
|
|
127
194
|
---
|
|
128
195
|
|
|
129
|
-
**Skill Forge (SKF)** — A standalone [
|
|
196
|
+
**Skill Forge (SKF)** — A standalone [BMAD](https://github.com/bmad-code-org/BMAD-METHOD) module for agent skill compilation.
|
|
130
197
|
|
|
131
198
|
[](https://github.com/armelhbobdad/bmad-module-skill-forge/graphs/contributors)
|
|
132
199
|
|
package/docs/404.md
CHANGED
|
@@ -1,20 +1,23 @@
|
|
|
1
1
|
---
|
|
2
2
|
title: Page Not Found
|
|
3
|
-
description: The
|
|
3
|
+
description: The URL you tried didn't resolve. Use the search or the links below to continue.
|
|
4
4
|
template: splash
|
|
5
5
|
---
|
|
6
6
|
|
|
7
|
-
|
|
7
|
+
## 404 — no source cited
|
|
8
8
|
|
|
9
|
-
|
|
9
|
+
No page resolves to that URL. In keeping with the rest of this site, if a claim can't cite a source, we don't fake it — even for our own docs.
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
Try one of these cited sources instead, or use the **search bar** at the top of the page:
|
|
12
12
|
|
|
13
|
-
-
|
|
14
|
-
- Go back to the [home page](/)
|
|
15
|
-
- Browse the [Getting Started guide](/getting-started/)
|
|
16
|
-
- Search for what you need using the search bar above
|
|
13
|
+
**Why** — [Why Skill Forge?](/why-skf/) · [Verifying a Skill](/verifying-a-skill/)
|
|
17
14
|
|
|
18
|
-
|
|
15
|
+
**Try** — [Getting Started](/getting-started/) · [How It Works](/how-it-works/) · [Examples](/examples/) · [Workflows](/workflows/)
|
|
19
16
|
|
|
20
|
-
|
|
17
|
+
**Reference** — [Concepts](/concepts/) · [Architecture](/architecture/) · [Skill Model](/skill-model/) · [Agents](/agents/) · [BMAD Synergy](/bmad-synergy/) · [Troubleshooting](/troubleshooting/)
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
### Think this page should exist?
|
|
22
|
+
|
|
23
|
+
A missing page is drift — a citation the docs site made to itself that no longer resolves. [Open an issue](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/new/choose) with the URL you tried. SKF's docs ship a [drift validator](/verifying-a-skill/#build-time-drift-detection-for-docs-themselves) that catches exactly this pattern — if one slipped through, it's a bug we want to know about.
|
|
@@ -0,0 +1,185 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: Releasing SKF
|
|
3
|
+
description: Maintainer reference for the release pipeline — branch protection, release workflow, and rollback procedures.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
This document records the configuration that gates releases of `bmad-module-skill-forge`. It exists so a future maintainer (including future-you) can audit, restore, or extend the pipeline without reverse-engineering GitHub settings.
|
|
7
|
+
|
|
8
|
+
For background on GitHub rulesets vs legacy branch protection, see the [GitHub ruleset docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
|
|
9
|
+
|
|
10
|
+
## Branch Protection on `main`
|
|
11
|
+
|
|
12
|
+
`main` is gated by a **GitHub repository ruleset** (not legacy branch protection). The legacy "Settings → Branches → Branch protection rules" surface returns 404 for this repo.
|
|
13
|
+
|
|
14
|
+
**Ruleset:** `Default` — id `13855503` — applies to `~DEFAULT_BRANCH` (currently `main`) — enforcement `active`.
|
|
15
|
+
|
|
16
|
+
**Active rules (5):**
|
|
17
|
+
|
|
18
|
+
| Rule | Effect |
|
|
19
|
+
| ------------------------ | -------------------------------------------------------------------------------------------------------------------------- |
|
|
20
|
+
| `deletion` | Branch cannot be deleted. |
|
|
21
|
+
| `non_fast_forward` | Force-push blocked. |
|
|
22
|
+
| `pull_request` | Requires ≥ 1 approving review; `require_code_owner_review: true` (see CODEOWNERS note below); merge/squash/rebase allowed. |
|
|
23
|
+
| `code_quality` | Blocks merge on `severity: errors` from GitHub code-quality checks. |
|
|
24
|
+
| `required_status_checks` | Merge blocked until all seven `quality.yaml` checks pass (names below). |
|
|
25
|
+
|
|
26
|
+
**Required status checks (7):** sourced from `.github/workflows/quality.yaml` job keys. Matrix jobs expand to `jobname (matrix-value)`:
|
|
27
|
+
|
|
28
|
+
- `prettier`
|
|
29
|
+
- `eslint`
|
|
30
|
+
- `markdownlint`
|
|
31
|
+
- `validate (ubuntu-latest)`
|
|
32
|
+
- `validate (windows-latest)`
|
|
33
|
+
- `python (ubuntu-latest)`
|
|
34
|
+
- `python (windows-latest)`
|
|
35
|
+
|
|
36
|
+
**Coupling with `quality.yaml`:** if that workflow renames a job or changes the `strategy.matrix.os` for `validate` or `python`, the ruleset's `required_status_checks` list must be updated in lock-step — otherwise merges to `main` will either block on a check name that no longer reports, or silently pass without the renamed check. Update both in the same PR.
|
|
37
|
+
|
|
38
|
+
**`strict_required_status_checks_policy: false`** — PR branches are not forced to be up-to-date with `main` before merging. This avoids constant rebases on a low-traffic repo. Flip to `true` if concurrent merges start producing logical conflicts the checks can't catch.
|
|
39
|
+
|
|
40
|
+
**CODEOWNERS note:** the `pull_request` rule has `require_code_owner_review: true`, but no `.github/CODEOWNERS` file exists in the repo today. GitHub treats the code-owner requirement as vacuously satisfied when the file is absent, so this setting is currently a no-op — the only active review gate is `required_approving_review_count: 1`. If a CODEOWNERS file is added later, make sure the listed owners can actually approve PRs from other authors. GitHub's universal rule is that a PR author cannot approve their own PR — so a CODEOWNERS file that lists only a solo maintainer would deadlock every PR that maintainer opens (they'd be the sole eligible code-owner reviewer but also the author).
|
|
41
|
+
|
|
42
|
+
**Bypass actors:** `RepositoryRole` actor_id=5 (Admin), `bypass_mode: pull_request`. Admins can bypass the ruleset **only via a pull request**, never via direct push. This preserves `non_fast_forward` and the required-checks gate for the `github-actions[bot]` account that the future `release.yaml` workflow (Story 3.1) will use to push tags and commits to `main`. **Do not add a bot-specific bypass**; it would defeat the whole purpose of this ruleset.
|
|
43
|
+
|
|
44
|
+
### Inspect current state
|
|
45
|
+
|
|
46
|
+
```bash
|
|
47
|
+
gh api repos/armelhbobdad/bmad-module-skill-forge/rulesets/13855503
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
### Restore from a saved baseline
|
|
51
|
+
|
|
52
|
+
A JSON baseline captured before any change can be replayed via:
|
|
53
|
+
|
|
54
|
+
```bash
|
|
55
|
+
# Extract the full set of fields required by a ruleset PUT from a saved baseline.json.
|
|
56
|
+
# PUT replaces the resource wholesale — omitting any of these fields either 422s or
|
|
57
|
+
# silently resets them server-side. `bypass_actors` is optional (empty array is the
|
|
58
|
+
# default) but is included here to preserve the admin-via-PR bypass.
|
|
59
|
+
jq '{name, target, enforcement, conditions, rules, bypass_actors}' baseline.json > /tmp/restore.json
|
|
60
|
+
|
|
61
|
+
gh api --method PUT \
|
|
62
|
+
repos/armelhbobdad/bmad-module-skill-forge/rulesets/13855503 \
|
|
63
|
+
--input /tmp/restore.json
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
The GitHub ruleset API uses `PUT` (not `PATCH`) for updates, and the `rules` array is replaced wholesale — it is not merged server-side. Always fetch current state, modify the in-memory copy, and `PUT` the complete list.
|
|
67
|
+
|
|
68
|
+
## Release Environment
|
|
69
|
+
|
|
70
|
+
The publish job is gated by a **GitHub [deployment environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) with a required-reviewer rule** (not by workflow logic). A job declaring `environment: release` pauses until a listed reviewer clicks "Approve and deploy" in the Actions UI.
|
|
71
|
+
|
|
72
|
+
**Environment:** `release` — id `14347249917` — created 2026-04-20.
|
|
73
|
+
|
|
74
|
+
| Setting | Value |
|
|
75
|
+
| -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
76
|
+
| `wait_timer` | `0` (no artificial delay; approval is the only gate) |
|
|
77
|
+
| `prevent_self_review` | `false` — see rationale below |
|
|
78
|
+
| `reviewers` | `armelhbobdad` (user id `132626034`), 1 approver |
|
|
79
|
+
| `deployment_branch_policy` | `custom_branch_policies: true`, list: `main` only |
|
|
80
|
+
| Environment-scoped secrets | `0` (invariant — see `NPM_TOKEN` note below) |
|
|
81
|
+
| Cost | `$0` on public-repo tier (environments, required reviewers, and branch policies are [free for public repositories](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#about-environments)) |
|
|
82
|
+
|
|
83
|
+
**`prevent_self_review: false` — correctness constraint, not a loosened control.** Solo-maintainer setups cannot self-approve when this is `true`, so the gate would deadlock on any maintainer-triggered publish. The value flips to `true` the moment a second reviewer joins — do not leave it loose by inertia.
|
|
84
|
+
|
|
85
|
+
**`NPM_TOKEN` is NOT scoped to this environment.** It remains at repo-level secrets during the OIDC transition and is removed entirely post-v1.0.0 (see Story 6.3). The invariant: the `release` env must have zero secrets. If a future change scopes any secret here, re-audit whether the OIDC trusted-publisher path is still in force.
|
|
86
|
+
|
|
87
|
+
**Coupling with npm trusted publishing (Story 1.3).** The npm trusted publisher binds on four fields — `organization=armelhbobdad`, `repository=bmad-module-skill-forge`, `workflow filename=release.yaml`, `environment=release`. The environment name above is load-bearing: any rename here must be accompanied by a matching npm-side update in the same change, or the next publish returns 404.
|
|
88
|
+
|
|
89
|
+
### Inspect current state
|
|
90
|
+
|
|
91
|
+
```bash
|
|
92
|
+
# Environment itself (reviewers, branch-policy shape, prevent_self_review)
|
|
93
|
+
gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release
|
|
94
|
+
|
|
95
|
+
# Allowed deployment branches (expect: one entry, name "main")
|
|
96
|
+
gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies
|
|
97
|
+
|
|
98
|
+
# Environment-scoped secrets (expect: zero)
|
|
99
|
+
gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/secrets
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
### Restore / re-apply
|
|
103
|
+
|
|
104
|
+
Two-call pattern — the environment and its branch-policy list are separate resources. Creating the environment alone with `custom_branch_policies: true` leaves the allow-list empty, which rejects every dispatch; the second call is mandatory.
|
|
105
|
+
|
|
106
|
+
```bash
|
|
107
|
+
# (1) Create or update the environment with the required-reviewer gate
|
|
108
|
+
gh api --method PUT repos/armelhbobdad/bmad-module-skill-forge/environments/release --input - <<'JSON'
|
|
109
|
+
{
|
|
110
|
+
"wait_timer": 0,
|
|
111
|
+
"prevent_self_review": false,
|
|
112
|
+
"reviewers": [{ "type": "User", "id": 132626034 }],
|
|
113
|
+
"deployment_branch_policy": {
|
|
114
|
+
"protected_branches": false,
|
|
115
|
+
"custom_branch_policies": true
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
JSON
|
|
119
|
+
|
|
120
|
+
# (2) Add main to the allowed deployment branches.
|
|
121
|
+
# Returns HTTP 422 ("already_exists") if main is already on the list —
|
|
122
|
+
# safe to ignore on re-apply. To pre-check:
|
|
123
|
+
# gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies
|
|
124
|
+
gh api --method POST repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies --input - <<'JSON'
|
|
125
|
+
{ "name": "main" }
|
|
126
|
+
JSON
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
### Temporarily allowing a feature branch
|
|
130
|
+
|
|
131
|
+
A release workflow that declares `environment: release` will be rejected from any branch not on the allow-list. For legitimate validation cuts from a feature branch (Story 3.2's alpha cut is the canonical case), widen the allow-list for the duration of the test and tighten it back immediately:
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
# Allow the feature branch and capture the returned policy id into a shell var.
|
|
135
|
+
# Using command substitution + --jq .id avoids the "eyeball the JSON and paste
|
|
136
|
+
# the id later" footgun — if the POST succeeds, $POLICY_ID is ready for the revoke.
|
|
137
|
+
POLICY_ID=$(gh api --method POST \
|
|
138
|
+
repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies \
|
|
139
|
+
--input - --jq .id <<'JSON'
|
|
140
|
+
{ "name": "feat/my-validation-branch" }
|
|
141
|
+
JSON
|
|
142
|
+
)
|
|
143
|
+
echo "POLICY_ID=$POLICY_ID" # confirm a numeric id was captured before proceeding
|
|
144
|
+
|
|
145
|
+
# ... run the validation cut, approve via the reviewer UI, confirm publish ...
|
|
146
|
+
|
|
147
|
+
# Revoke immediately — the allow-list must return to { main } before leaving the session.
|
|
148
|
+
# Quote the expansion so the shell never interprets the id as a redirection token.
|
|
149
|
+
gh api --method DELETE \
|
|
150
|
+
"repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies/$POLICY_ID"
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
Leaving a feature branch on the allow-list is an unguarded hole — any later `workflow_dispatch` from that branch would be able to reach the publish path. Treat the revoke as the last step of the validation, not a follow-up.
|
|
154
|
+
|
|
155
|
+
## npm Trusted Publisher
|
|
156
|
+
|
|
157
|
+
The future `release.yaml` workflow (Story 3.1) publishes to npm via **OIDC trusted publishing** — no `NPM_TOKEN` is consulted during the publish step, and every published version carries an auto-attached SLSA Build Level 2 provenance attestation. For this to work, the npm package `bmad-module-skill-forge` has a trusted-publisher entry on npmjs.com that binds on four fields exactly matching what the workflow asserts at run time. A mismatch on any field causes an opaque `404` at publish time — the error ("npm could not match your workflow run") surfaces the failure class but does not name which of the four fields is wrong.
|
|
158
|
+
|
|
159
|
+
**Registered:** 2026-04-20 by `armelhbobdad`.
|
|
160
|
+
|
|
161
|
+
| Field | Value |
|
|
162
|
+
| ----------------- | ------------------------- |
|
|
163
|
+
| Publisher type | `GitHub Actions` |
|
|
164
|
+
| Organization/user | `armelhbobdad` |
|
|
165
|
+
| Repository | `bmad-module-skill-forge` |
|
|
166
|
+
| Workflow filename | `release.yaml` |
|
|
167
|
+
| Environment | `release` |
|
|
168
|
+
|
|
169
|
+
**Inspect current state:** visit the [npm package settings for `bmad-module-skill-forge`](https://www.npmjs.com/package/bmad-module-skill-forge) → **Settings** tab → **Trusted Publisher** section (npm UI as of 2026-04-20; if the tab is reorganised later, the section still lives on the package Settings page). Modification requires 2FA re-entry on the maintainer account. No CLI or public API for programmatic inspection of Trusted Publisher state exists as of 2026-04-20 — drift detection is UI-only until npm exposes one.
|
|
170
|
+
|
|
171
|
+
**Case-sensitive.** All four fields above use the exact lowercase forms shown; npm's matcher is an exact-string comparison. Do not capitalize on re-registration even if GitHub's UI surfaces a display-form with capitals.
|
|
172
|
+
|
|
173
|
+
**Rename coupling — the four fields are load-bearing.** Renaming OR deleting the `release` GitHub environment (see § Release Environment), renaming or moving `release.yaml` within `.github/workflows/`, or flipping the extension between `.yaml` and `.yml` each require matching updates in the same PR to: (a) the npm-side Trusted Publisher, (b) the Registered table above, and (c) the `## Release Process` enumeration in `README.md` (which names both `release` and the Trusted Publisher). Skipping any of these produces an opaque `404` on the next publish — the error names the failure class, not the specific field.
|
|
174
|
+
|
|
175
|
+
**Pre-registration inversion.** This entry was registered **before** `release.yaml` was authored (Story 3.1). The first live validator of the full OIDC chain is Story 3.2's alpha cut. If that cut's publish step 404s, open a **three-way comparison**: (1) the npm Settings tab, (2) the workflow YAML's `name` / `on` / `jobs.<id>.environment` lines, and (3) the Registered table above. The table is the ground truth because it captured the values at npm-save time — compare both the npm record and the workflow header against the table, never the workflow against itself (verifying the workflow against its own header will silently confirm a typo).
|
|
176
|
+
|
|
177
|
+
**`NPM_TOKEN` is a legacy residual, not a safety net.** The token remains at repo-level secrets for two reasons: (a) the legacy `publish.yaml` still uses it until Story 3.3 retires that path, and (b) Story 6.3 deletes the secret entirely post-v1.0.0. Treat its continued presence as attack surface to minimize, not defence-in-depth — a repo-scope token is reachable from any workflow with `secrets.*` access. The token does NOT sit "behind" OIDC: `release.yaml` does not yet exist, so there is no OIDC path for it to be a fallback to. If a future OIDC incident forces a last-resort token-based re-publish, document the flip in the commit body and revert as soon as OIDC is restored.
|
|
178
|
+
|
|
179
|
+
**Fixing a bad registration.** The npm UI exposes both **Edit** and **Delete** on an existing Trusted Publisher entry (observed 2026-04-20). Prefer edit for a single-field typo; prefer delete-and-re-add if multiple fields are wrong or the edit form ever feels ambiguous. **Pre-Story 3.2**: there is no destructive side effect because no publish is attempted yet, and delete-and-re-add keeps the audit trail cleaner. **Post-Story 3.2**: a publish that fires during the delete-and-re-add window will 404 — gate any delete-and-re-add behind a manual publish freeze (pause any active `release.yaml` runs, confirm no tags are in-flight) before touching the entry.
|
|
180
|
+
|
|
181
|
+
<!-- Rollback Playbook — added in Story 4.1 -->
|
|
182
|
+
|
|
183
|
+
## Rollback Playbook
|
|
184
|
+
|
|
185
|
+
_To be authored in Story 4.1 — rollback playbook covering scenarios such as failed publish, tag mismatch, bad `latest` dist-tag, OIDC auth failure, and post-publish security issue._
|