bmad-module-skill-forge 0.10.0 → 0.10.1-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (268) hide show
  1. package/.claude-plugin/marketplace.json +39 -0
  2. package/.gitattributes +16 -0
  3. package/README.md +105 -38
  4. package/docs/404.md +13 -10
  5. package/docs/RELEASING.md +185 -0
  6. package/docs/STABILITY.md +123 -0
  7. package/docs/_data/pinned.yaml +98 -0
  8. package/docs/agents.md +16 -11
  9. package/docs/architecture.md +221 -0
  10. package/docs/bmad-synergy.md +11 -13
  11. package/docs/concepts.md +18 -108
  12. package/docs/examples.md +121 -80
  13. package/docs/getting-started.md +85 -147
  14. package/docs/how-it-works.md +25 -536
  15. package/docs/index.md +44 -27
  16. package/docs/skill-model.md +328 -0
  17. package/docs/troubleshooting.md +39 -0
  18. package/docs/verifying-a-skill.md +232 -0
  19. package/docs/why-skf.md +93 -0
  20. package/docs/workflows.md +119 -13
  21. package/package.json +25 -4
  22. package/src/README.md +23 -25
  23. package/src/forger/forge-tier.yaml +4 -2
  24. package/src/forger/preferences.yaml +7 -1
  25. package/src/knowledge/agentskills-spec.md +1 -1
  26. package/src/knowledge/architecture-verification.md +1 -1
  27. package/src/knowledge/ccc-bridge.md +16 -15
  28. package/src/knowledge/overview.md +11 -11
  29. package/src/knowledge/progressive-capability.md +3 -3
  30. package/src/knowledge/provenance-tracking.md +9 -3
  31. package/src/knowledge/qmd-registry.md +8 -8
  32. package/src/knowledge/skf-knowledge-index.csv +2 -2
  33. package/src/knowledge/skill-lifecycle.md +16 -1
  34. package/src/knowledge/split-body-strategy.md +1 -1
  35. package/src/knowledge/version-paths.md +17 -12
  36. package/src/module-help.csv +18 -17
  37. package/src/shared/health-check.md +372 -0
  38. package/src/shared/references/feasibility-report-schema.md +86 -0
  39. package/src/shared/references/headless-gate-convention.md +62 -0
  40. package/src/shared/references/output-contract-schema.md +35 -0
  41. package/src/shared/references/pipeline-contracts.md +102 -0
  42. package/src/shared/scripts/skf-atomic-write.py +370 -0
  43. package/src/shared/scripts/skf-manifest-ops.py +236 -0
  44. package/src/shared/scripts/skf-preflight.py +164 -0
  45. package/src/shared/scripts/skf-rebuild-managed-sections.py +201 -0
  46. package/src/shared/scripts/skf-severity-classify.py +163 -0
  47. package/src/shared/scripts/skf-skill-inventory.py +210 -0
  48. package/src/shared/scripts/skf-structural-diff.py +257 -0
  49. package/src/shared/scripts/skf-validate-frontmatter.py +318 -0
  50. package/src/shared/scripts/skf-validate-output.py +247 -0
  51. package/src/skf-analyze-source/SKILL.md +57 -0
  52. package/src/skf-analyze-source/assets/skill-brief-schema.md +125 -0
  53. package/src/skf-analyze-source/references/unit-detection-heuristics.md +124 -0
  54. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-01-init.md +6 -66
  55. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-01b-continue.md +4 -59
  56. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-02-scan-project.md +7 -68
  57. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-03-identify-units.md +6 -66
  58. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-04-map-and-detect.md +7 -68
  59. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-05-recommend.md +6 -66
  60. package/src/{workflows/analyze-source → skf-analyze-source}/steps-c/step-06-generate-briefs.md +14 -71
  61. package/src/skf-analyze-source/steps-c/step-07-health-check.md +22 -0
  62. package/src/skf-audit-skill/SKILL.md +59 -0
  63. package/src/{workflows/audit-skill/data → skf-audit-skill/assets}/drift-report-template.md +7 -7
  64. package/src/{workflows/audit-skill/data → skf-audit-skill/references}/severity-rules.md +11 -11
  65. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-01-init.md +24 -68
  66. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-02-re-index.md +36 -71
  67. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-03-structural-diff.md +21 -63
  68. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-04-semantic-diff.md +6 -65
  69. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-05-severity-classify.md +5 -63
  70. package/src/{workflows/audit-skill → skf-audit-skill}/steps-c/step-06-report.md +10 -64
  71. package/src/skf-audit-skill/steps-c/step-07-health-check.md +22 -0
  72. package/src/skf-brief-skill/SKILL.md +53 -0
  73. package/src/{workflows/brief-skill/data → skf-brief-skill/assets}/scope-templates.md +23 -0
  74. package/src/skf-brief-skill/assets/skill-brief-schema.md +206 -0
  75. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-01-gather-intent.md +6 -67
  76. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-02-analyze-target.md +6 -66
  77. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-03-scope-definition.md +12 -68
  78. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-04-confirm-brief.md +5 -63
  79. package/src/{workflows/brief-skill → skf-brief-skill}/steps-c/step-05-write-brief.md +10 -70
  80. package/src/skf-brief-skill/steps-c/step-06-health-check.md +22 -0
  81. package/src/skf-create-skill/SKILL.md +63 -0
  82. package/src/{workflows/create-skill/data → skf-create-skill/assets}/compile-assembly-rules.md +60 -0
  83. package/src/{workflows/create-skill/data → skf-create-skill/assets}/skill-sections.md +92 -23
  84. package/src/skf-create-skill/assets/tessl-dismissal-rules.md +102 -0
  85. package/src/{workflows/create-skill/data → skf-create-skill/references}/extraction-patterns-tracing.md +13 -13
  86. package/src/{workflows/create-skill/data → skf-create-skill/references}/extraction-patterns.md +8 -3
  87. package/src/skf-create-skill/references/source-resolution-protocols.md +239 -0
  88. package/src/{workflows/create-skill/data → skf-create-skill/references}/tier-degradation-rules.md +8 -7
  89. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-01-load-brief.md +25 -63
  90. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-02-ecosystem-check.md +8 -64
  91. package/src/skf-create-skill/steps-c/step-03-extract.md +379 -0
  92. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-03d-component-extraction.md +18 -35
  93. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-04-enrich.md +12 -69
  94. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-05-compile.md +71 -75
  95. package/src/skf-create-skill/steps-c/step-06-validate.md +267 -0
  96. package/src/{workflows/create-skill → skf-create-skill}/steps-c/step-07-generate-artifacts.md +30 -74
  97. package/src/skf-create-skill/steps-c/step-08-report.md +145 -0
  98. package/src/skf-create-skill/steps-c/step-09-health-check.md +23 -0
  99. package/src/{workflows/create-skill/steps-c → skf-create-skill/steps-c/sub}/step-02b-ccc-discover.md +8 -66
  100. package/src/skf-create-skill/steps-c/sub/step-03b-fetch-temporal.md +229 -0
  101. package/src/{workflows/create-skill/steps-c → skf-create-skill/steps-c/sub}/step-03c-fetch-docs.md +18 -42
  102. package/src/skf-create-stack-skill/SKILL.md +64 -0
  103. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/assets}/stack-skill-template.md +2 -1
  104. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/compose-mode-rules.md +19 -5
  105. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/integration-patterns.md +1 -1
  106. package/src/{workflows/create-stack-skill/data → skf-create-stack-skill/references}/manifest-patterns.md +10 -10
  107. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-01-init.md +14 -55
  108. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-02-detect-manifests.md +29 -63
  109. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-03-rank-and-confirm.md +9 -59
  110. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-04-parallel-extract.md +29 -64
  111. package/src/skf-create-stack-skill/steps-c/step-05-detect-integrations.md +164 -0
  112. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-06-compile-stack.md +7 -60
  113. package/src/skf-create-stack-skill/steps-c/step-07-generate-output.md +328 -0
  114. package/src/{workflows/create-stack-skill → skf-create-stack-skill}/steps-c/step-08-validate.md +17 -63
  115. package/src/skf-create-stack-skill/steps-c/step-09-report.md +128 -0
  116. package/src/skf-create-stack-skill/steps-c/step-10-health-check.md +22 -0
  117. package/src/skf-drop-skill/SKILL.md +57 -0
  118. package/src/{workflows/drop-skill → skf-drop-skill}/steps-c/step-01-select.md +9 -69
  119. package/src/{workflows/drop-skill → skf-drop-skill}/steps-c/step-02-execute.md +30 -106
  120. package/src/skf-drop-skill/steps-c/step-03-report.md +83 -0
  121. package/src/skf-drop-skill/steps-c/step-04-health-check.md +22 -0
  122. package/src/skf-export-skill/SKILL.md +57 -0
  123. package/src/skf-export-skill/assets/managed-section-format.md +138 -0
  124. package/src/{workflows/export-skill/data → skf-export-skill/assets}/snippet-format.md +8 -12
  125. package/src/skf-export-skill/steps-c/step-01-load-skill.md +247 -0
  126. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-02-package.md +5 -58
  127. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-03-generate-snippet.md +15 -77
  128. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-04-update-context.md +59 -133
  129. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-05-token-report.md +4 -58
  130. package/src/{workflows/export-skill → skf-export-skill}/steps-c/step-06-summary.md +16 -68
  131. package/src/skf-export-skill/steps-c/step-07-health-check.md +22 -0
  132. package/src/skf-forger/SKILL.md +110 -0
  133. package/src/skf-forger/bmad-skill-manifest.yaml +11 -0
  134. package/src/skf-quick-skill/SKILL.md +56 -0
  135. package/src/{workflows/quick-skill/data → skf-quick-skill/references}/registry-resolution.md +6 -6
  136. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-01-resolve-target.md +9 -62
  137. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-02-ecosystem-check.md +5 -59
  138. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-03-quick-extract.md +18 -61
  139. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-04-compile.md +6 -60
  140. package/src/{workflows/quick-skill → skf-quick-skill}/steps-c/step-05-validate.md +58 -78
  141. package/src/skf-quick-skill/steps-c/step-06-write.md +73 -0
  142. package/src/skf-quick-skill/steps-c/step-07-health-check.md +22 -0
  143. package/src/skf-refine-architecture/SKILL.md +57 -0
  144. package/src/{workflows/refine-architecture/data → skf-refine-architecture/references}/refinement-rules.md +16 -16
  145. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-01-init.md +6 -63
  146. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-02-gap-analysis.md +29 -71
  147. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-03-issue-detection.md +5 -65
  148. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-04-improvements.md +5 -64
  149. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-05-compile.md +5 -56
  150. package/src/{workflows/refine-architecture → skf-refine-architecture}/steps-c/step-06-report.md +11 -64
  151. package/src/skf-refine-architecture/steps-c/step-07-health-check.md +22 -0
  152. package/src/skf-rename-skill/SKILL.md +58 -0
  153. package/src/{workflows/rename-skill → skf-rename-skill}/steps-c/step-01-select.md +12 -73
  154. package/src/{workflows/rename-skill → skf-rename-skill}/steps-c/step-02-execute.md +32 -113
  155. package/src/skf-rename-skill/steps-c/step-03-report.md +83 -0
  156. package/src/skf-rename-skill/steps-c/step-04-health-check.md +22 -0
  157. package/src/skf-setup/SKILL.md +55 -0
  158. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-01-detect-and-tier.md +6 -62
  159. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-01b-ccc-index.md +9 -65
  160. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-02-write-config.md +15 -60
  161. package/src/{workflows/setup-forge → skf-setup}/steps-c/step-03-auto-index.md +7 -66
  162. package/src/skf-setup/steps-c/step-04-report.md +92 -0
  163. package/src/skf-setup/steps-c/step-05-health-check.md +22 -0
  164. package/src/skf-test-skill/SKILL.md +59 -0
  165. package/src/skf-test-skill/references/migration-section-rules.md +114 -0
  166. package/src/skf-test-skill/references/scoring-rules.md +207 -0
  167. package/src/skf-test-skill/references/source-access-protocol.md +109 -0
  168. package/src/skf-test-skill/scripts/compute-score.py +310 -0
  169. package/src/skf-test-skill/steps-c/step-01-init.md +238 -0
  170. package/src/{workflows/test-skill → skf-test-skill}/steps-c/step-02-detect-mode.md +4 -62
  171. package/src/skf-test-skill/steps-c/step-03-coverage-check.md +347 -0
  172. package/src/skf-test-skill/steps-c/step-04-coherence-check.md +239 -0
  173. package/src/{workflows/test-skill → skf-test-skill}/steps-c/step-04b-external-validators.md +42 -77
  174. package/src/skf-test-skill/steps-c/step-05-score.md +266 -0
  175. package/src/skf-test-skill/steps-c/step-06-report.md +290 -0
  176. package/src/skf-test-skill/steps-c/step-07-health-check.md +25 -0
  177. package/src/skf-test-skill/templates/test-report-template.md +58 -0
  178. package/src/skf-update-skill/SKILL.md +58 -0
  179. package/src/{workflows/update-skill/data → skf-update-skill/references}/manual-section-rules.md +6 -6
  180. package/src/{workflows/update-skill/data → skf-update-skill/references}/merge-conflict-rules.md +5 -5
  181. package/src/skf-update-skill/references/remote-source-resolution.md +94 -0
  182. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-01-init.md +22 -69
  183. package/src/skf-update-skill/steps-c/step-02-detect-changes.md +255 -0
  184. package/src/skf-update-skill/steps-c/step-03-re-extract.md +336 -0
  185. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-04-merge.md +60 -72
  186. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-05-validate.md +5 -62
  187. package/src/skf-update-skill/steps-c/step-06-write.md +278 -0
  188. package/src/{workflows/update-skill → skf-update-skill}/steps-c/step-07-report.md +11 -69
  189. package/src/skf-update-skill/steps-c/step-08-health-check.md +22 -0
  190. package/src/skf-verify-stack/SKILL.md +60 -0
  191. package/src/skf-verify-stack/assets/feasibility-report-template.md +76 -0
  192. package/src/{workflows/verify-stack/data → skf-verify-stack/references}/coverage-patterns.md +12 -4
  193. package/src/skf-verify-stack/references/integration-verification-rules.md +78 -0
  194. package/src/skf-verify-stack/steps-c/step-01-init.md +178 -0
  195. package/src/{workflows/verify-stack → skf-verify-stack}/steps-c/step-02-coverage.md +27 -72
  196. package/src/skf-verify-stack/steps-c/step-03-integrations.md +179 -0
  197. package/src/{workflows/verify-stack → skf-verify-stack}/steps-c/step-04-requirements.md +14 -67
  198. package/src/skf-verify-stack/steps-c/step-05-synthesize.md +147 -0
  199. package/src/skf-verify-stack/steps-c/step-06-report.md +156 -0
  200. package/src/skf-verify-stack/steps-c/step-07-health-check.md +25 -0
  201. package/tools/cli/commands/install.js +1 -1
  202. package/tools/cli/commands/status.js +21 -23
  203. package/tools/cli/commands/uninstall.js +11 -19
  204. package/tools/cli/commands/update.js +2 -2
  205. package/tools/cli/lib/ide-skills.js +216 -0
  206. package/tools/cli/lib/installer.js +29 -52
  207. package/tools/cli/lib/manifest.js +11 -5
  208. package/tools/cli/lib/platform-codes.yaml +223 -0
  209. package/tools/cli/lib/ui.js +76 -47
  210. package/tools/validate-docs-drift.js +193 -0
  211. package/src/agents/forger.agent.yaml +0 -114
  212. package/src/workflows/README.md +0 -174
  213. package/src/workflows/analyze-source/data/skill-brief-schema.md +0 -125
  214. package/src/workflows/analyze-source/data/unit-detection-heuristics.md +0 -124
  215. package/src/workflows/analyze-source/workflow.md +0 -61
  216. package/src/workflows/audit-skill/workflow.md +0 -64
  217. package/src/workflows/brief-skill/data/skill-brief-schema.md +0 -159
  218. package/src/workflows/brief-skill/workflow.md +0 -58
  219. package/src/workflows/create-skill/data/source-resolution-protocols.md +0 -200
  220. package/src/workflows/create-skill/steps-c/step-03-extract.md +0 -301
  221. package/src/workflows/create-skill/steps-c/step-03b-fetch-temporal.md +0 -253
  222. package/src/workflows/create-skill/steps-c/step-06-validate.md +0 -254
  223. package/src/workflows/create-skill/steps-c/step-08-report.md +0 -179
  224. package/src/workflows/create-skill/workflow.md +0 -53
  225. package/src/workflows/create-stack-skill/steps-c/step-05-detect-integrations.md +0 -196
  226. package/src/workflows/create-stack-skill/steps-c/step-07-generate-output.md +0 -270
  227. package/src/workflows/create-stack-skill/steps-c/step-09-report.md +0 -150
  228. package/src/workflows/create-stack-skill/workflow.md +0 -59
  229. package/src/workflows/drop-skill/steps-c/step-03-report.md +0 -136
  230. package/src/workflows/drop-skill/workflow.md +0 -63
  231. package/src/workflows/export-skill/data/managed-section-format.md +0 -103
  232. package/src/workflows/export-skill/steps-c/step-01-load-skill.md +0 -237
  233. package/src/workflows/export-skill/workflow.md +0 -58
  234. package/src/workflows/quick-skill/steps-c/step-06-write.md +0 -178
  235. package/src/workflows/quick-skill/workflow.md +0 -58
  236. package/src/workflows/refine-architecture/workflow.md +0 -61
  237. package/src/workflows/rename-skill/steps-c/step-03-report.md +0 -133
  238. package/src/workflows/rename-skill/workflow.md +0 -64
  239. package/src/workflows/setup-forge/steps-c/step-04-report.md +0 -159
  240. package/src/workflows/setup-forge/workflow.md +0 -51
  241. package/src/workflows/shared/health-check.md +0 -231
  242. package/src/workflows/test-skill/data/scoring-rules.md +0 -123
  243. package/src/workflows/test-skill/data/source-access-protocol.md +0 -51
  244. package/src/workflows/test-skill/steps-c/step-01-init.md +0 -217
  245. package/src/workflows/test-skill/steps-c/step-03-coverage-check.md +0 -280
  246. package/src/workflows/test-skill/steps-c/step-04-coherence-check.md +0 -271
  247. package/src/workflows/test-skill/steps-c/step-05-score.md +0 -222
  248. package/src/workflows/test-skill/steps-c/step-06-report.md +0 -208
  249. package/src/workflows/test-skill/templates/test-report-template.md +0 -28
  250. package/src/workflows/test-skill/workflow.md +0 -57
  251. package/src/workflows/update-skill/data/remote-source-resolution.md +0 -57
  252. package/src/workflows/update-skill/steps-c/step-02-detect-changes.md +0 -221
  253. package/src/workflows/update-skill/steps-c/step-03-re-extract.md +0 -256
  254. package/src/workflows/update-skill/steps-c/step-06-write.md +0 -265
  255. package/src/workflows/update-skill/workflow.md +0 -56
  256. package/src/workflows/verify-stack/data/feasibility-report-template.md +0 -63
  257. package/src/workflows/verify-stack/data/integration-verification-rules.md +0 -73
  258. package/src/workflows/verify-stack/steps-c/step-01-init.md +0 -179
  259. package/src/workflows/verify-stack/steps-c/step-03-integrations.md +0 -195
  260. package/src/workflows/verify-stack/steps-c/step-05-synthesize.md +0 -191
  261. package/src/workflows/verify-stack/steps-c/step-06-report.md +0 -200
  262. package/src/workflows/verify-stack/workflow.md +0 -61
  263. package/tools/cli/lib/compiler.js +0 -306
  264. package/tools/cli/lib/ide-commands.js +0 -244
  265. /package/src/{workflows/analyze-source → skf-analyze-source}/templates/analysis-report-template.md +0 -0
  266. /package/src/{workflows/quick-skill/data → skf-quick-skill/assets}/skill-template.md +0 -0
  267. /package/src/{workflows/setup-forge/data → skf-setup/references}/tier-rules.md +0 -0
  268. /package/src/{workflows/test-skill/data → skf-test-skill/assets}/output-section-formats.md +0 -0
@@ -0,0 +1,39 @@
1
+ {
2
+ "name": "bmad-module-skill-forge",
3
+ "owner": {
4
+ "name": "Armel"
5
+ },
6
+ "description": "Turn code and docs into instructions AI agents can actually follow. Evidence-based skill compilation with progressive capability tiers.",
7
+ "license": "MIT",
8
+ "homepage": "https://github.com/armelhbobdad/bmad-module-skill-forge",
9
+ "repository": "https://github.com/armelhbobdad/bmad-module-skill-forge",
10
+ "keywords": ["bmad", "bmad-method", "bmad-module", "agent-skills", "agentskills", "agents", "skills", "skill-forge", "compilation", "forge", "ast-grep", "qmd", "cocoindex", "cocoindex-code", "provenance", "code-analysis"],
11
+ "plugins": [
12
+ {
13
+ "name": "skill-forge",
14
+ "source": "./",
15
+ "description": "Evidence-based agent skills compiler with progressive capability tiers (Quick/Forge/Forge+/Deep).",
16
+ "version": "0.10.1-alpha.0",
17
+ "author": {
18
+ "name": "Armel"
19
+ },
20
+ "skills": [
21
+ "./src/skf-forger",
22
+ "./src/skf-setup",
23
+ "./src/skf-analyze-source",
24
+ "./src/skf-brief-skill",
25
+ "./src/skf-create-skill",
26
+ "./src/skf-quick-skill",
27
+ "./src/skf-create-stack-skill",
28
+ "./src/skf-update-skill",
29
+ "./src/skf-audit-skill",
30
+ "./src/skf-test-skill",
31
+ "./src/skf-export-skill",
32
+ "./src/skf-rename-skill",
33
+ "./src/skf-drop-skill",
34
+ "./src/skf-verify-stack",
35
+ "./src/skf-refine-architecture"
36
+ ]
37
+ }
38
+ ]
39
+ }
package/.gitattributes ADDED
@@ -0,0 +1,16 @@
1
+ # Normalize all text files to LF in the repo and on checkout, regardless of
2
+ # the contributor's platform or core.autocrlf setting. SKF runs on Linux,
3
+ # macOS, and Windows (Git Bash / WSL2); LF-everywhere keeps prettier
4
+ # `endOfLine: 'lf'` clean and avoids spurious diffs from line-ending churn.
5
+ * text=auto eol=lf
6
+
7
+ # Binary blobs — never touch.
8
+ *.png binary
9
+ *.jpg binary
10
+ *.jpeg binary
11
+ *.gif binary
12
+ *.ico binary
13
+ *.pdf binary
14
+ *.zip binary
15
+ *.gz binary
16
+ *.tgz binary
package/README.md CHANGED
@@ -9,13 +9,17 @@
9
9
  [![Quality & Validation](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/workflows/quality.yaml/badge.svg)](https://github.com/armelhbobdad/bmad-module-skill-forge/actions/workflows/quality.yaml)
10
10
  [![npm](https://img.shields.io/npm/v/bmad-module-skill-forge)](https://www.npmjs.com/package/bmad-module-skill-forge)
11
11
  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
12
- [![BMad Module](https://img.shields.io/badge/BMad-module-blue)](https://github.com/bmad-code-org/BMAD-METHOD)
12
+ [![BMAD Module](https://img.shields.io/badge/BMAD-module-blue)](https://github.com/bmad-code-org/BMAD-METHOD)
13
+ [![Python Version](https://img.shields.io/badge/python-%3E%3D3.10-blue?logo=python&logoColor=white)](https://www.python.org)
14
+ [![uv](https://img.shields.io/badge/uv-package%20manager-blueviolet?logo=uv)](https://docs.astral.sh/uv/)
13
15
  [![Docs](https://img.shields.io/badge/docs-online-green)](https://armelhbobdad.github.io/bmad-module-skill-forge/)
16
+ [![Discord](https://img.shields.io/badge/Discord-Join%20Community-7289da?logo=discord&logoColor=white)](https://discord.gg/gk8jAdXWmj)
14
17
  [![GitHub stars](https://img.shields.io/github/stars/armelhbobdad/bmad-module-skill-forge?style=social)](https://github.com/armelhbobdad/bmad-module-skill-forge/stargazers)
15
18
 
16
- *Skill Forge analyzes your code repositories, documentation, and developer discourse to build verified instruction files for AI agents. Every instruction links back to where it came from nothing is made up.*
19
+ _Skill Forge analyzes your code repositories, documentation, and developer discourse to build verified instruction files for AI agents. Every instruction links back to a specific file and line in the source it was compiled from._
17
20
 
18
- **If SKF helps your agent stop hallucinating, give it a ⭐ — it helps others find this tool.**
21
+ **If SKF fixes your agent's API guesses, give it a ⭐ — it helps others find this tool.**
22
+ **If it saved you an afternoon, [grab me a coffee ☕](https://buymeacoffee.com/armelhbobdad) — it helps me keep forging.**
19
23
 
20
24
  </div>
21
25
 
@@ -27,13 +31,7 @@ You ask an AI agent to use a library. It invents function names that don't exist
27
31
 
28
32
  This isn't an edge case. It's the default experience.
29
33
 
30
- ## How Skill Forge Fixes This
31
-
32
- 1. **Analyzes your sources** — extracts real function signatures, types, and patterns from code repositories, documentation websites, and developer discourse
33
- 2. **Compiles verified instruction files** — every instruction links to the exact file and line it came from
34
- 3. **Version-aware** — skills are stored per-version, so updating to v2.0 doesn't break your v1.x skill. Compatible with [skill.sh](https://skill.sh) and [npx skills](https://www.npmjs.com/package/skills)
35
- 4. **Manageable lifecycle** — rename skills and drop deprecated versions without manual file surgery. Transactional safety for destructive operations.
36
- 5. **Follows an open standard** — skills comply with the [agentskills.io](https://agentskills.io) spec and work across Claude, Cursor, Copilot, and other AI agents
34
+ For the full story behind SKF, read [_Hallucination has a line number_](https://medium.com/@armelhbobdad/hallucination-has-a-line-number-32209b4688de) on Medium.
37
35
 
38
36
  ## Before vs After
39
37
 
@@ -53,80 +51,149 @@ import cognee
53
51
 
54
52
  # Agent follows the skill instruction:
55
53
  # `search(query_text: str, query_type: SearchType = GRAPH_COMPLETION) -> List[SearchResult]`
56
- # [AST:cognee/api/v1/search/search.py:L26]
54
+ # [AST:cognee/api/v1/search/search.py:L27]
57
55
  results = await cognee.search(
58
56
  query_text="What does Cognee do?",
59
57
  query_type=cognee.SearchType.GRAPH_COMPLETION
60
58
  )
61
59
  ```
62
60
 
63
- The skill told the agent the real function name, the real parameters, and that the call requires `await` — all traced to the exact source line. This is from a [real generated skill](https://github.com/armelhbobdad/oh-my-skills).
61
+ The skill told the agent the real function name, the real parameters, and that the call is async — all traced to the exact source line. This example is from the real [`oms-cognee`](https://github.com/armelhbobdad/oh-my-skills/blob/main/skills/oms-cognee/1.0.0/oms-cognee/SKILL.md) skill in [**oh-my-skills**](https://github.com/armelhbobdad/oh-my-skills) — SKF's reference output. The [**Verifying a Skill**](#verifying-a-skill) section below shows how to walk the citation chain yourself.
64
62
 
65
63
  ## Install
66
64
 
67
- Requires [Node.js](https://nodejs.org/) >= 22.
65
+ Linux, Windows, and macOS supported ([platform details](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/#platform-support)). Requires [Node.js](https://nodejs.org/) >= 22, [Python](https://www.python.org/) >= 3.10, and [uv](https://docs.astral.sh/uv/) (Python package runner).
68
66
 
69
67
  ```bash
70
68
  npx bmad-module-skill-forge install
71
69
  ```
72
70
 
73
- You'll be prompted for project name, output folders, and IDE configuration. See the [docs](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/) for other install methods.
71
+ You'll be prompted for project name, output folders, and IDE configuration. When the install completes, open your IDE and invoke `@Ferris SF` to confirm Ferris is reachable. Ferris reports your detected tools and capability tier. See the [docs](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/) for other install methods.
74
72
 
75
73
  ## Quick Start
76
74
 
77
- 1. **Set up your environment:** `@Ferris SF` — detects your tools and sets your capability tier
78
- 2. **Generate your first skill:** `@Ferris QS <package-name>` — creates a verified skill in under a minute
79
- 3. **Full quality path:** `@Ferris BS` → clear session → `@Ferris CS` — brief first, then compile for maximum accuracy
75
+ 1. **Set up your environment:** `@Ferris SF` _(Setup Forge)_ — detects your tools and sets your capability tier
76
+ 2. **Generate your first skill:** `@Ferris QS <package-name>` _(Quick Skill)_ — creates a verified skill in under a minute
77
+ 3. **Full quality path:** `@Ferris forge <your-library>` chains Brief → Create → Test → Export automatically — or run manually: `@Ferris BS` → clear session → `@Ferris CS` for maximum control
80
78
 
81
- > **Tip:** Start a fresh conversation before each workflow. SKF workflows load significant context clearing between them prevents interference.
79
+ > **Tip:** Start a fresh conversation before each workflow, or use pipeline mode to chain them automatically. SKF workflows load significant context; clearing between them prevents interference.
82
80
 
83
- See the [workflows docs](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/) for all 14 available workflows.
81
+ See the [workflows docs](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/) for all available workflows, pipeline aliases, and headless mode.
84
82
 
85
83
  ## Who Is This For?
86
84
 
87
- - **You use AI agents to write code** and they keep getting API calls wrong — hallucinating function names, guessing parameter types, inventing methods that don't exist
85
+ - **You use AI agents to write code** and they keep guessing API calls wrong
88
86
  - **You maintain a library** and want to ship official, verified instruction files so AI agents use your API correctly
89
87
  - **You manage a codebase with many dependencies** and want a consolidated "stack skill" that teaches your agent how all the pieces fit together
90
88
  - **You use a SaaS API or closed-source tool** with no public code — SKF can generate skills from documentation alone
91
89
  - **You need different skills for different use cases** from the same target — compile multiple skills with different scopes from one repo or doc set (e.g., a core API skill and a migration guide skill)
92
90
 
91
+ ## How SKF Compares
92
+
93
+ A skeptical reader is probably already considering one of these alternatives:
94
+
95
+ | | **Skill Forge** | MCP doc servers | Hand-edited `.cursorrules` | awesome-\* lists |
96
+ | -------------------------- | ----------------------------------------- | ----------------- | -------------------------- | ---------------- |
97
+ | Reproducible from source | AST extraction + pinned commit | varies; opaque | whatever you wrote | none |
98
+ | Version-pinned & immutable | yes — per-version directories | runtime-dependent | rots silently | no |
99
+ | Audit trail | `provenance-map.json` + test + evidence | depends on server | none | none |
100
+ | Runtime cost | zero (markdown + JSON) | a running process | zero | zero |
101
+ | Lifecycle tooling | rename, drop, update, export transactions | varies | file surgery | none |
102
+ | Falsifiable | yes — three steps, 60 seconds | rarely | no | no |
103
+
104
+ The others aren't bad. They solve different problems. **SKF solves exactly one: the claim your agent is reading about a library was true at a specific commit on a specific day, and you can prove it in under a minute.**
105
+
106
+ ## How Skill Forge Fixes This
107
+
108
+ SKF extracts real function signatures, types, and patterns from code, docs, and developer discourse — every instruction links to the exact file and line it came from. On top of that foundation:
109
+
110
+ 1. **Version-pinned** — skills are stored per-version, so updating to v2.0 doesn't replace your v1.x skill. Compatible with [skills.sh](https://skills.sh) and [npx skills](https://www.npmjs.com/package/skills)
111
+ 2. **Lifecycle tooling** — rename skills and drop deprecated versions without manual file surgery. Destructive operations are transactional.
112
+ 3. **Follows an open standard** — skills comply with the [agentskills.io](https://agentskills.io) spec and work across Claude, Cursor, Copilot, and other AI agents
113
+
114
+ > **Every skill ships two files — `SKILL.md` (the full instruction set, loaded on trigger) and `context-snippet.md` (an 80–120 token always-on index injected into `CLAUDE.md` / `AGENTS.md` / `.cursorrules`). Why both?** Per Vercel's agent evals, passive context achieves a **100% pass rate vs. 79% for active skills loaded alone** (see [Skill Model → Dual-Output Strategy](https://armelhbobdad.github.io/bmad-module-skill-forge/skill-model/#dual-output-strategy)).
115
+
116
+ ## Verifying a Skill
117
+
118
+ You can falsify any AST citation in an SKF-compiled skill in under a minute:
119
+
120
+ 1. **Open the skill's `provenance-map.json`** — find your symbol; read its `source_file` and `source_line`.
121
+ 2. **Open the skill's `metadata.json`** — read `source_commit` and `source_repo`.
122
+ 3. **Jump to the upstream repo at that commit**, open that file, find that line. The signature in `SKILL.md` should match the one you're reading.
123
+
124
+ If it doesn't, that's a bug — open an issue and SKF will republish with a new commit SHA and a new provenance map. Falsifiability isn't a feature; it's the whole deal.
125
+
126
+ **Reference output: [oh-my-skills](https://github.com/armelhbobdad/oh-my-skills)** — four Deep-tier skills compiled by SKF (cocoindex, cognee, Storybook v10, uitripled), each shipping its full audit trail in-repo. Scores range from 99.0% to 99.49%. Every claim walks to an upstream line in under 60 seconds. Serves as both the worked example for this section and ongoing proof that the pipeline does what it says.
127
+
128
+ ## Help SKF Improve
129
+
130
+ Workflows end with a health check that can file bug or friction reports as GitHub issues (auto-deduped by fingerprint — re-reporting is safe). **Please let workflows run to completion**, or [open an issue](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/new/choose) directly. [Full details →](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/#terminal-step-health-check)
131
+
93
132
  ## Learn More
94
133
 
95
- - **[Getting Started](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/)** Installation, prerequisites, and your first skill
96
- - **[Concepts](https://armelhbobdad.github.io/bmad-module-skill-forge/concepts/)** — Plain-English definitions of all key terms
97
- - **[How It Works](https://armelhbobdad.github.io/bmad-module-skill-forge/how-it-works/)** — Architecture, capability tiers, output format, and design decisions
134
+ The docs are organized into three buckets — **Why** (start here), **Try** (do stuff), and **Reference** (look things up):
135
+
136
+ **Why**
137
+
138
+ - **[Why Skill Forge?](https://armelhbobdad.github.io/bmad-module-skill-forge/why-skf/)** — The JTBD pitch, persona router, and the honest anti-pitch
139
+ - **[Verifying a Skill](https://armelhbobdad.github.io/bmad-module-skill-forge/verifying-a-skill/)** — The 60-second audit recipe and scoring formula
140
+
141
+ **Try**
142
+
143
+ - **[Getting Started](https://armelhbobdad.github.io/bmad-module-skill-forge/getting-started/)** — Install, first skill, prereqs, and config
144
+ - **[How It Works](https://armelhbobdad.github.io/bmad-module-skill-forge/how-it-works/)** — Plain-English walkthrough of one skill being built, end to end
145
+ - **[Examples](https://armelhbobdad.github.io/bmad-module-skill-forge/examples/)** — Real-world scenarios with full command transcripts
98
146
  - **[Workflows](https://armelhbobdad.github.io/bmad-module-skill-forge/workflows/)** — All 14 workflows with commands and connection diagrams
99
- - **[Agents](https://armelhbobdad.github.io/bmad-module-skill-forge/agents/)** — Ferris: the AI agent that runs all SKF workflows
100
- - **[Examples](https://armelhbobdad.github.io/bmad-module-skill-forge/examples/)** — Real-world scenarios, tips, and troubleshooting
147
+
148
+ **Reference**
149
+
150
+ - **[Concepts](https://armelhbobdad.github.io/bmad-module-skill-forge/concepts/)** — Seven load-bearing terms: provenance, confidence tiers, drift, and more
151
+ - **[Architecture](https://armelhbobdad.github.io/bmad-module-skill-forge/architecture/)** — Runtime flow, 7 tools, workspace artifacts, security, and the design decisions behind them
152
+ - **[Skill Model](https://armelhbobdad.github.io/bmad-module-skill-forge/skill-model/)** — Capability tiers, confidence tiers, output format, dual-output strategy, ownership model
153
+ - **[Agents](https://armelhbobdad.github.io/bmad-module-skill-forge/agents/)** — Ferris: the single AI agent that runs every SKF workflow
154
+ - **[BMAD Synergy](https://armelhbobdad.github.io/bmad-module-skill-forge/bmad-synergy/)** — How SKF pairs with BMAD CORE phases and optional modules (TEA, BMB, GDS, CIS)
155
+ - **[Troubleshooting](https://armelhbobdad.github.io/bmad-module-skill-forge/troubleshooting/)** — Common errors (forge setup, ecosystem checks, tier confidence) and how to resolve them
101
156
 
102
157
  ## Acknowledgements
103
158
 
104
159
  SKF builds on these excellent open-source tools:
105
160
 
106
- | Tool | Role in SKF |
107
- |--------------------------------------------------------------|--------------------------------------------------------------------|
108
- | [agentskills.io](https://github.com/agentskills/agentskills) | Skill specification and ecosystem standard |
109
- | [GitHub CLI](https://cli.github.com/) | Source code access and repository intelligence (all tiers) |
110
- | [ast-grep](https://github.com/ast-grep/ast-grep) | AST-based structural code extraction (Forge/Forge+/Deep tiers) |
111
- | [ast-grep MCP](https://github.com/ast-grep/ast-grep-mcp) | MCP server for memory-efficient AST queries (recommended) |
112
- | [cocoindex-code](https://github.com/cocoindex-io/cocoindex-code) | Semantic code search and file discovery pre-ranking (Forge+ tier) |
113
- | [QMD](https://github.com/tobi/qmd) | Local hybrid search engine for knowledge indexing (Deep tier) |
114
- | [skill-check](https://github.com/thedaviddias/skill-check) | Skill validation, auto-fix, quality scoring, and security scanning |
115
- | [Snyk Agent Scan](https://github.com/snyk/agent-scan) | Security scanning for prompt injection and data exposure (optional) |
116
- | [tessl](https://tessl.io) | Content quality review, actionability scoring, and AI judge evaluation |
117
- | [BMad Method](https://github.com/bmad-code-org/BMAD-METHOD) | Agent-workflow framework that SKF extends as a module |
161
+ | Tool | Role in SKF |
162
+ | ---------------------------------------------------------------- | ---------------------------------------------------------------------- |
163
+ | [agentskills.io](https://github.com/agentskills/agentskills) | Skill specification and ecosystem standard |
164
+ | [GitHub CLI](https://cli.github.com/) | Source code access and repository intelligence (all tiers) |
165
+ | [ast-grep](https://github.com/ast-grep/ast-grep) | AST-based structural code extraction (Forge/Forge+/Deep tiers) |
166
+ | [ast-grep MCP](https://github.com/ast-grep/ast-grep-mcp) | MCP server for memory-efficient AST queries (recommended) |
167
+ | [cocoindex-code](https://github.com/cocoindex-io/cocoindex-code) | Semantic code search and file discovery pre-ranking (Forge+ tier) |
168
+ | [QMD](https://github.com/tobi/qmd) | Local hybrid search engine for knowledge indexing (Deep tier) |
169
+ | [skill-check](https://github.com/thedaviddias/skill-check) | Skill validation, auto-fix, quality scoring, and security scanning |
170
+ | [Snyk Agent Scan](https://github.com/snyk/agent-scan) | Security scanning for prompt injection and data exposure (optional) |
171
+ | [tessl](https://tessl.io) | Content quality review, actionability scoring, and AI judge evaluation |
172
+ | [BMAD Method](https://github.com/bmad-code-org/BMAD-METHOD) | Agent-workflow framework that SKF extends as a module |
118
173
 
119
174
  ## Contributing
120
175
 
121
176
  See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
122
177
 
178
+ ## Changelog
179
+
180
+ Past releases are documented in [CHANGELOG.md](CHANGELOG.md).
181
+
182
+ ## Versioning & Stability
183
+
184
+ The v1.0.0 public API contract is documented in [docs/STABILITY.md](docs/STABILITY.md).
185
+
186
+ ## Release Process
187
+
188
+ Maintainers: see [docs/RELEASING.md](docs/RELEASING.md) for branch-protection rules, required status checks, the [`release` environment with required-reviewer gate](docs/RELEASING.md#release-environment), the [npm Trusted Publisher registration](docs/RELEASING.md#npm-trusted-publisher) (OIDC-backed publish, auto-provenance), and (later) the rollback playbook.
189
+
123
190
  ## License
124
191
 
125
192
  MIT License — see [LICENSE](LICENSE) for details.
126
193
 
127
194
  ---
128
195
 
129
- **Skill Forge (SKF)** — A standalone [BMad](https://github.com/bmad-code-org/BMAD-METHOD) module for agent skill compilation.
196
+ **Skill Forge (SKF)** — A standalone [BMAD](https://github.com/bmad-code-org/BMAD-METHOD) module for agent skill compilation.
130
197
 
131
198
  [![Contributors](https://contrib.rocks/image?repo=armelhbobdad/bmad-module-skill-forge)](https://github.com/armelhbobdad/bmad-module-skill-forge/graphs/contributors)
132
199
 
package/docs/404.md CHANGED
@@ -1,20 +1,23 @@
1
1
  ---
2
2
  title: Page Not Found
3
- description: The page you're looking for doesn't exist
3
+ description: The URL you tried didn't resolve. Use the search or the links below to continue.
4
4
  template: splash
5
5
  ---
6
6
 
7
- # Page Not Found
7
+ ## 404 no source cited
8
8
 
9
- The page you're looking for doesn't exist.
9
+ No page resolves to that URL. In keeping with the rest of this site, if a claim can't cite a source, we don't fake it — even for our own docs.
10
10
 
11
- ## What can you do?
11
+ Try one of these cited sources instead, or use the **search bar** at the top of the page:
12
12
 
13
- - Check the URL for typos
14
- - Go back to the [home page](/)
15
- - Browse the [Getting Started guide](/getting-started/)
16
- - Search for what you need using the search bar above
13
+ **Why** — [Why Skill Forge?](/why-skf/) · [Verifying a Skill](/verifying-a-skill/)
17
14
 
18
- ## Need Help?
15
+ **Try** [Getting Started](/getting-started/) · [How It Works](/how-it-works/) · [Examples](/examples/) · [Workflows](/workflows/)
19
16
 
20
- If you think this page should exist, please [open an issue](https://github.com/armelhbobdad/bmad-module-skill-forge/issues) on GitHub.
17
+ **Reference** [Concepts](/concepts/) · [Architecture](/architecture/) · [Skill Model](/skill-model/) · [Agents](/agents/) · [BMAD Synergy](/bmad-synergy/) · [Troubleshooting](/troubleshooting/)
18
+
19
+ ---
20
+
21
+ ### Think this page should exist?
22
+
23
+ A missing page is drift — a citation the docs site made to itself that no longer resolves. [Open an issue](https://github.com/armelhbobdad/bmad-module-skill-forge/issues/new/choose) with the URL you tried. SKF's docs ship a [drift validator](/verifying-a-skill/#build-time-drift-detection-for-docs-themselves) that catches exactly this pattern — if one slipped through, it's a bug we want to know about.
@@ -0,0 +1,185 @@
1
+ ---
2
+ title: Releasing SKF
3
+ description: Maintainer reference for the release pipeline — branch protection, release workflow, and rollback procedures.
4
+ ---
5
+
6
+ This document records the configuration that gates releases of `bmad-module-skill-forge`. It exists so a future maintainer (including future-you) can audit, restore, or extend the pipeline without reverse-engineering GitHub settings.
7
+
8
+ For background on GitHub rulesets vs legacy branch protection, see the [GitHub ruleset docs](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets).
9
+
10
+ ## Branch Protection on `main`
11
+
12
+ `main` is gated by a **GitHub repository ruleset** (not legacy branch protection). The legacy "Settings → Branches → Branch protection rules" surface returns 404 for this repo.
13
+
14
+ **Ruleset:** `Default` — id `13855503` — applies to `~DEFAULT_BRANCH` (currently `main`) — enforcement `active`.
15
+
16
+ **Active rules (5):**
17
+
18
+ | Rule | Effect |
19
+ | ------------------------ | -------------------------------------------------------------------------------------------------------------------------- |
20
+ | `deletion` | Branch cannot be deleted. |
21
+ | `non_fast_forward` | Force-push blocked. |
22
+ | `pull_request` | Requires ≥ 1 approving review; `require_code_owner_review: true` (see CODEOWNERS note below); merge/squash/rebase allowed. |
23
+ | `code_quality` | Blocks merge on `severity: errors` from GitHub code-quality checks. |
24
+ | `required_status_checks` | Merge blocked until all seven `quality.yaml` checks pass (names below). |
25
+
26
+ **Required status checks (7):** sourced from `.github/workflows/quality.yaml` job keys. Matrix jobs expand to `jobname (matrix-value)`:
27
+
28
+ - `prettier`
29
+ - `eslint`
30
+ - `markdownlint`
31
+ - `validate (ubuntu-latest)`
32
+ - `validate (windows-latest)`
33
+ - `python (ubuntu-latest)`
34
+ - `python (windows-latest)`
35
+
36
+ **Coupling with `quality.yaml`:** if that workflow renames a job or changes the `strategy.matrix.os` for `validate` or `python`, the ruleset's `required_status_checks` list must be updated in lock-step — otherwise merges to `main` will either block on a check name that no longer reports, or silently pass without the renamed check. Update both in the same PR.
37
+
38
+ **`strict_required_status_checks_policy: false`** — PR branches are not forced to be up-to-date with `main` before merging. This avoids constant rebases on a low-traffic repo. Flip to `true` if concurrent merges start producing logical conflicts the checks can't catch.
39
+
40
+ **CODEOWNERS note:** the `pull_request` rule has `require_code_owner_review: true`, but no `.github/CODEOWNERS` file exists in the repo today. GitHub treats the code-owner requirement as vacuously satisfied when the file is absent, so this setting is currently a no-op — the only active review gate is `required_approving_review_count: 1`. If a CODEOWNERS file is added later, make sure the listed owners can actually approve PRs from other authors. GitHub's universal rule is that a PR author cannot approve their own PR — so a CODEOWNERS file that lists only a solo maintainer would deadlock every PR that maintainer opens (they'd be the sole eligible code-owner reviewer but also the author).
41
+
42
+ **Bypass actors:** `RepositoryRole` actor_id=5 (Admin), `bypass_mode: pull_request`. Admins can bypass the ruleset **only via a pull request**, never via direct push. This preserves `non_fast_forward` and the required-checks gate for the `github-actions[bot]` account that the future `release.yaml` workflow (Story 3.1) will use to push tags and commits to `main`. **Do not add a bot-specific bypass**; it would defeat the whole purpose of this ruleset.
43
+
44
+ ### Inspect current state
45
+
46
+ ```bash
47
+ gh api repos/armelhbobdad/bmad-module-skill-forge/rulesets/13855503
48
+ ```
49
+
50
+ ### Restore from a saved baseline
51
+
52
+ A JSON baseline captured before any change can be replayed via:
53
+
54
+ ```bash
55
+ # Extract the full set of fields required by a ruleset PUT from a saved baseline.json.
56
+ # PUT replaces the resource wholesale — omitting any of these fields either 422s or
57
+ # silently resets them server-side. `bypass_actors` is optional (empty array is the
58
+ # default) but is included here to preserve the admin-via-PR bypass.
59
+ jq '{name, target, enforcement, conditions, rules, bypass_actors}' baseline.json > /tmp/restore.json
60
+
61
+ gh api --method PUT \
62
+ repos/armelhbobdad/bmad-module-skill-forge/rulesets/13855503 \
63
+ --input /tmp/restore.json
64
+ ```
65
+
66
+ The GitHub ruleset API uses `PUT` (not `PATCH`) for updates, and the `rules` array is replaced wholesale — it is not merged server-side. Always fetch current state, modify the in-memory copy, and `PUT` the complete list.
67
+
68
+ ## Release Environment
69
+
70
+ The publish job is gated by a **GitHub [deployment environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) with a required-reviewer rule** (not by workflow logic). A job declaring `environment: release` pauses until a listed reviewer clicks "Approve and deploy" in the Actions UI.
71
+
72
+ **Environment:** `release` — id `14347249917` — created 2026-04-20.
73
+
74
+ | Setting | Value |
75
+ | -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
76
+ | `wait_timer` | `0` (no artificial delay; approval is the only gate) |
77
+ | `prevent_self_review` | `false` — see rationale below |
78
+ | `reviewers` | `armelhbobdad` (user id `132626034`), 1 approver |
79
+ | `deployment_branch_policy` | `custom_branch_policies: true`, list: `main` only |
80
+ | Environment-scoped secrets | `0` (invariant — see `NPM_TOKEN` note below) |
81
+ | Cost | `$0` on public-repo tier (environments, required reviewers, and branch policies are [free for public repositories](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#about-environments)) |
82
+
83
+ **`prevent_self_review: false` — correctness constraint, not a loosened control.** Solo-maintainer setups cannot self-approve when this is `true`, so the gate would deadlock on any maintainer-triggered publish. The value flips to `true` the moment a second reviewer joins — do not leave it loose by inertia.
84
+
85
+ **`NPM_TOKEN` is NOT scoped to this environment.** It remains at repo-level secrets during the OIDC transition and is removed entirely post-v1.0.0 (see Story 6.3). The invariant: the `release` env must have zero secrets. If a future change scopes any secret here, re-audit whether the OIDC trusted-publisher path is still in force.
86
+
87
+ **Coupling with npm trusted publishing (Story 1.3).** The npm trusted publisher binds on four fields — `organization=armelhbobdad`, `repository=bmad-module-skill-forge`, `workflow filename=release.yaml`, `environment=release`. The environment name above is load-bearing: any rename here must be accompanied by a matching npm-side update in the same change, or the next publish returns 404.
88
+
89
+ ### Inspect current state
90
+
91
+ ```bash
92
+ # Environment itself (reviewers, branch-policy shape, prevent_self_review)
93
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release
94
+
95
+ # Allowed deployment branches (expect: one entry, name "main")
96
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies
97
+
98
+ # Environment-scoped secrets (expect: zero)
99
+ gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/secrets
100
+ ```
101
+
102
+ ### Restore / re-apply
103
+
104
+ Two-call pattern — the environment and its branch-policy list are separate resources. Creating the environment alone with `custom_branch_policies: true` leaves the allow-list empty, which rejects every dispatch; the second call is mandatory.
105
+
106
+ ```bash
107
+ # (1) Create or update the environment with the required-reviewer gate
108
+ gh api --method PUT repos/armelhbobdad/bmad-module-skill-forge/environments/release --input - <<'JSON'
109
+ {
110
+ "wait_timer": 0,
111
+ "prevent_self_review": false,
112
+ "reviewers": [{ "type": "User", "id": 132626034 }],
113
+ "deployment_branch_policy": {
114
+ "protected_branches": false,
115
+ "custom_branch_policies": true
116
+ }
117
+ }
118
+ JSON
119
+
120
+ # (2) Add main to the allowed deployment branches.
121
+ # Returns HTTP 422 ("already_exists") if main is already on the list —
122
+ # safe to ignore on re-apply. To pre-check:
123
+ # gh api repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies
124
+ gh api --method POST repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies --input - <<'JSON'
125
+ { "name": "main" }
126
+ JSON
127
+ ```
128
+
129
+ ### Temporarily allowing a feature branch
130
+
131
+ A release workflow that declares `environment: release` will be rejected from any branch not on the allow-list. For legitimate validation cuts from a feature branch (Story 3.2's alpha cut is the canonical case), widen the allow-list for the duration of the test and tighten it back immediately:
132
+
133
+ ```bash
134
+ # Allow the feature branch and capture the returned policy id into a shell var.
135
+ # Using command substitution + --jq .id avoids the "eyeball the JSON and paste
136
+ # the id later" footgun — if the POST succeeds, $POLICY_ID is ready for the revoke.
137
+ POLICY_ID=$(gh api --method POST \
138
+ repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies \
139
+ --input - --jq .id <<'JSON'
140
+ { "name": "feat/my-validation-branch" }
141
+ JSON
142
+ )
143
+ echo "POLICY_ID=$POLICY_ID" # confirm a numeric id was captured before proceeding
144
+
145
+ # ... run the validation cut, approve via the reviewer UI, confirm publish ...
146
+
147
+ # Revoke immediately — the allow-list must return to { main } before leaving the session.
148
+ # Quote the expansion so the shell never interprets the id as a redirection token.
149
+ gh api --method DELETE \
150
+ "repos/armelhbobdad/bmad-module-skill-forge/environments/release/deployment-branch-policies/$POLICY_ID"
151
+ ```
152
+
153
+ Leaving a feature branch on the allow-list is an unguarded hole — any later `workflow_dispatch` from that branch would be able to reach the publish path. Treat the revoke as the last step of the validation, not a follow-up.
154
+
155
+ ## npm Trusted Publisher
156
+
157
+ The future `release.yaml` workflow (Story 3.1) publishes to npm via **OIDC trusted publishing** — no `NPM_TOKEN` is consulted during the publish step, and every published version carries an auto-attached SLSA Build Level 2 provenance attestation. For this to work, the npm package `bmad-module-skill-forge` has a trusted-publisher entry on npmjs.com that binds on four fields exactly matching what the workflow asserts at run time. A mismatch on any field causes an opaque `404` at publish time — the error ("npm could not match your workflow run") surfaces the failure class but does not name which of the four fields is wrong.
158
+
159
+ **Registered:** 2026-04-20 by `armelhbobdad`.
160
+
161
+ | Field | Value |
162
+ | ----------------- | ------------------------- |
163
+ | Publisher type | `GitHub Actions` |
164
+ | Organization/user | `armelhbobdad` |
165
+ | Repository | `bmad-module-skill-forge` |
166
+ | Workflow filename | `release.yaml` |
167
+ | Environment | `release` |
168
+
169
+ **Inspect current state:** visit the [npm package settings for `bmad-module-skill-forge`](https://www.npmjs.com/package/bmad-module-skill-forge) → **Settings** tab → **Trusted Publisher** section (npm UI as of 2026-04-20; if the tab is reorganised later, the section still lives on the package Settings page). Modification requires 2FA re-entry on the maintainer account. No CLI or public API for programmatic inspection of Trusted Publisher state exists as of 2026-04-20 — drift detection is UI-only until npm exposes one.
170
+
171
+ **Case-sensitive.** All four fields above use the exact lowercase forms shown; npm's matcher is an exact-string comparison. Do not capitalize on re-registration even if GitHub's UI surfaces a display-form with capitals.
172
+
173
+ **Rename coupling — the four fields are load-bearing.** Renaming OR deleting the `release` GitHub environment (see § Release Environment), renaming or moving `release.yaml` within `.github/workflows/`, or flipping the extension between `.yaml` and `.yml` each require matching updates in the same PR to: (a) the npm-side Trusted Publisher, (b) the Registered table above, and (c) the `## Release Process` enumeration in `README.md` (which names both `release` and the Trusted Publisher). Skipping any of these produces an opaque `404` on the next publish — the error names the failure class, not the specific field.
174
+
175
+ **Pre-registration inversion.** This entry was registered **before** `release.yaml` was authored (Story 3.1). The first live validator of the full OIDC chain is Story 3.2's alpha cut. If that cut's publish step 404s, open a **three-way comparison**: (1) the npm Settings tab, (2) the workflow YAML's `name` / `on` / `jobs.<id>.environment` lines, and (3) the Registered table above. The table is the ground truth because it captured the values at npm-save time — compare both the npm record and the workflow header against the table, never the workflow against itself (verifying the workflow against its own header will silently confirm a typo).
176
+
177
+ **`NPM_TOKEN` is a legacy residual, not a safety net.** The token remains at repo-level secrets for two reasons: (a) the legacy `publish.yaml` still uses it until Story 3.3 retires that path, and (b) Story 6.3 deletes the secret entirely post-v1.0.0. Treat its continued presence as attack surface to minimize, not defence-in-depth — a repo-scope token is reachable from any workflow with `secrets.*` access. The token does NOT sit "behind" OIDC: `release.yaml` does not yet exist, so there is no OIDC path for it to be a fallback to. If a future OIDC incident forces a last-resort token-based re-publish, document the flip in the commit body and revert as soon as OIDC is restored.
178
+
179
+ **Fixing a bad registration.** The npm UI exposes both **Edit** and **Delete** on an existing Trusted Publisher entry (observed 2026-04-20). Prefer edit for a single-field typo; prefer delete-and-re-add if multiple fields are wrong or the edit form ever feels ambiguous. **Pre-Story 3.2**: there is no destructive side effect because no publish is attempted yet, and delete-and-re-add keeps the audit trail cleaner. **Post-Story 3.2**: a publish that fires during the delete-and-re-add window will 404 — gate any delete-and-re-add behind a manual publish freeze (pause any active `release.yaml` runs, confirm no tags are in-flight) before touching the entry.
180
+
181
+ <!-- Rollback Playbook — added in Story 4.1 -->
182
+
183
+ ## Rollback Playbook
184
+
185
+ _To be authored in Story 4.1 — rollback playbook covering scenarios such as failed publish, tag mismatch, bad `latest` dist-tag, OIDC auth failure, and post-publish security issue._