bmad-module-skill-forge 0.5.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (84) hide show
  1. package/README.md +2 -1
  2. package/docs/agents.md +3 -0
  3. package/docs/concepts.md +23 -5
  4. package/docs/examples.md +30 -1
  5. package/docs/getting-started.md +11 -0
  6. package/docs/how-it-works.md +49 -25
  7. package/docs/index.md +1 -1
  8. package/docs/workflows.md +6 -6
  9. package/package.json +2 -2
  10. package/src/agents/forger.agent.yaml +1 -1
  11. package/src/forger/forge-tier.yaml +17 -1
  12. package/src/forger/preferences.yaml +1 -1
  13. package/src/knowledge/ccc-bridge.md +110 -0
  14. package/src/knowledge/confidence-tiers.md +3 -3
  15. package/src/knowledge/overview.md +2 -1
  16. package/src/knowledge/progressive-capability.md +12 -4
  17. package/src/knowledge/qmd-registry.md +14 -0
  18. package/src/knowledge/skf-knowledge-index.csv +2 -1
  19. package/src/module-help.csv +1 -1
  20. package/src/module.yaml +1 -1
  21. package/src/workflows/README.md +1 -1
  22. package/src/workflows/analyze-source/data/skill-brief-schema.md +1 -1
  23. package/src/workflows/analyze-source/data/unit-detection-heuristics.md +1 -0
  24. package/src/workflows/analyze-source/steps-c/step-01-init.md +2 -2
  25. package/src/workflows/analyze-source/steps-c/step-04-map-and-detect.md +7 -3
  26. package/src/workflows/analyze-source/validation-report.md +2 -2
  27. package/src/workflows/analyze-source/workflow-plan-analyze-source.md +1 -1
  28. package/src/workflows/audit-skill/data/drift-report-template.md +6 -6
  29. package/src/workflows/audit-skill/steps-c/step-01-init.md +2 -2
  30. package/src/workflows/audit-skill/steps-c/step-02-re-index.md +18 -1
  31. package/src/workflows/audit-skill/steps-c/step-04-semantic-diff.md +5 -5
  32. package/src/workflows/audit-skill/validation-report.md +3 -3
  33. package/src/workflows/audit-skill/workflow-plan-audit-skill.md +2 -2
  34. package/src/workflows/audit-skill/workflow.md +1 -1
  35. package/src/workflows/brief-skill/data/skill-brief-schema.md +3 -3
  36. package/src/workflows/brief-skill/steps-c/step-01-gather-intent.md +3 -3
  37. package/src/workflows/brief-skill/steps-c/step-02-analyze-target.md +15 -0
  38. package/src/workflows/create-skill/data/extraction-patterns.md +37 -1
  39. package/src/workflows/create-skill/data/skill-sections.md +2 -2
  40. package/src/workflows/create-skill/steps-c/step-01-load-brief.md +5 -3
  41. package/src/workflows/create-skill/steps-c/step-02-ecosystem-check.md +2 -2
  42. package/src/workflows/create-skill/steps-c/step-02b-ccc-discover.md +157 -0
  43. package/src/workflows/create-skill/steps-c/step-03-extract.md +10 -1
  44. package/src/workflows/create-skill/steps-c/step-03b-fetch-temporal.md +5 -5
  45. package/src/workflows/create-skill/steps-c/step-04-enrich.md +8 -8
  46. package/src/workflows/create-skill/steps-c/step-06-validate.md +1 -1
  47. package/src/workflows/create-skill/steps-c/step-07-generate-artifacts.md +32 -0
  48. package/src/workflows/create-skill/steps-c/step-08-report.md +1 -0
  49. package/src/workflows/create-skill/validation-report.md +1 -1
  50. package/src/workflows/create-skill/workflow-plan-create-skill.md +4 -2
  51. package/src/workflows/create-skill/workflow.md +1 -1
  52. package/src/workflows/create-stack-skill/data/stack-skill-template.md +1 -1
  53. package/src/workflows/create-stack-skill/steps-c/step-01-init.md +3 -2
  54. package/src/workflows/create-stack-skill/steps-c/step-05-detect-integrations.md +10 -0
  55. package/src/workflows/create-stack-skill/steps-c/step-08-validate.md +1 -1
  56. package/src/workflows/create-stack-skill/validation-report.md +1 -1
  57. package/src/workflows/create-stack-skill/workflow-plan-create-stack-skill.md +2 -2
  58. package/src/workflows/create-stack-skill/workflow.md +1 -1
  59. package/src/workflows/export-skill/steps-c/step-01-load-skill.md +1 -1
  60. package/src/workflows/export-skill/steps-c/step-02-package.md +1 -1
  61. package/src/workflows/export-skill/workflow-plan-export-skill.md +1 -1
  62. package/src/workflows/quick-skill/data/skill-template.md +8 -0
  63. package/src/workflows/quick-skill/steps-c/step-02-ecosystem-check.md +1 -3
  64. package/src/workflows/setup-forge/data/tier-rules.md +16 -6
  65. package/src/workflows/setup-forge/steps-c/step-01-detect-and-tier.md +32 -15
  66. package/src/workflows/setup-forge/steps-c/step-01b-ccc-index.md +148 -0
  67. package/src/workflows/setup-forge/steps-c/step-02-write-config.md +24 -6
  68. package/src/workflows/setup-forge/steps-c/step-03-auto-index.md +29 -6
  69. package/src/workflows/setup-forge/steps-c/step-04-report.md +14 -2
  70. package/src/workflows/setup-forge/validation-report.md +1 -1
  71. package/src/workflows/setup-forge/workflow-plan-setup-forge.md +11 -9
  72. package/src/workflows/setup-forge/workflow.md +1 -1
  73. package/src/workflows/test-skill/data/scoring-rules.md +5 -0
  74. package/src/workflows/test-skill/steps-c/step-01-init.md +2 -2
  75. package/src/workflows/test-skill/templates/test-report-template.md +3 -0
  76. package/src/workflows/test-skill/validation-report.md +2 -2
  77. package/src/workflows/test-skill/workflow-plan-test-skill.md +2 -2
  78. package/src/workflows/update-skill/steps-c/step-01-init.md +3 -2
  79. package/src/workflows/update-skill/steps-c/step-03-re-extract.md +19 -2
  80. package/src/workflows/update-skill/steps-c/step-05-validate.md +1 -1
  81. package/src/workflows/update-skill/steps-c/step-06-write.md +2 -2
  82. package/src/workflows/update-skill/validation-report.md +1 -1
  83. package/src/workflows/update-skill/workflow-plan-update-skill.md +1 -1
  84. package/tools/cli/commands/status.js +2 -1
package/README.md CHANGED
@@ -102,8 +102,9 @@ SKF builds on these excellent open-source tools:
102
102
  |--------------------------------------------------------------|--------------------------------------------------------------------|
103
103
  | [agentskills.io](https://github.com/agentskills/agentskills) | Skill specification and ecosystem standard |
104
104
  | [GitHub CLI](https://cli.github.com/) | Source code access and repository intelligence (all tiers) |
105
- | [ast-grep](https://github.com/ast-grep/ast-grep) | AST-based structural code extraction (Forge/Deep tiers) |
105
+ | [ast-grep](https://github.com/ast-grep/ast-grep) | AST-based structural code extraction (Forge/Forge+/Deep tiers) |
106
106
  | [ast-grep MCP](https://github.com/ast-grep/ast-grep-mcp) | MCP server for memory-efficient AST queries (recommended) |
107
+ | [cocoindex-code](https://github.com/cocoindex-io/cocoindex-code) | Semantic code search and file discovery pre-ranking (Forge+ tier) |
107
108
  | [QMD](https://github.com/tobi/qmd) | Local hybrid search engine for knowledge indexing (Deep tier) |
108
109
  | [skill-check](https://github.com/thedaviddias/skill-check) | Skill validation, auto-fix, quality scoring, and security scanning |
109
110
  | [Snyk Agent Scan](https://github.com/snyk/agent-scan) | Security scanning for prompt injection and data exposure (optional) |
package/docs/agents.md CHANGED
@@ -22,10 +22,13 @@ Ferris handles all SKF workflows. You always interact with Ferris — he switche
22
22
 
23
23
  **Key Capabilities:**
24
24
  - AST analysis via ast-grep for structural truth
25
+ - Semantic code discovery via cocoindex-code for intelligent file pre-ranking
25
26
  - QMD knowledge search for temporal context and evidence
26
27
  - agentskills.io specification compliance and validation
27
28
  - GitHub source navigation and package-to-repo resolution
28
29
  - Cross-knowledge synthesis for stack skills and integration patterns
30
+ - Skill authoring best practices enforcement (third-person voice, consistent terminology, discovery optimization)
31
+ - Source-derived scripts and assets extraction with provenance tracking
29
32
 
30
33
  **Workflow-Driven Modes:**
31
34
 
package/docs/concepts.md CHANGED
@@ -31,25 +31,27 @@ Provenance means every instruction in a skill traces back to where it came from.
31
31
 
32
32
  ---
33
33
 
34
- ## Confidence Tiers (T1/T2/T3)
34
+ ## Confidence Tiers (T1/T1-low/T2/T3)
35
35
 
36
36
  Each piece of information in a skill carries a confidence level based on where it came from:
37
37
 
38
38
  - **T1 — AST extraction:** Pulled directly from source code via AST parsing. This is structural truth — the function signature actually exists in the code right now.
39
+ - **T1-low — Source reading:** Found by reading source files directly without AST parsing. The location is correct but the type signature may be inferred. Produced by Quick tier and by Forge/Deep when ast-grep cannot parse a specific file.
39
40
  - **T2 — Evidence:** Found in issues, PRs, changelogs, or documentation within the repository. Reliable context, but not as definitive as code.
40
41
  - **T3 — External:** Pulled from external documentation or websites. Treated with caution and clearly marked.
41
42
 
42
- **Example:** A function signature is T1. A deprecation warning from a closed GitHub issue is T2. A usage example from a blog post is T3.
43
+ **Example:** A function signature is T1. A source-read export without AST verification is T1-low. A deprecation warning from a closed GitHub issue is T2. A usage example from a blog post is T3.
43
44
 
44
45
  ---
45
46
 
46
- ## Capability Tiers (Quick/Forge/Deep)
47
+ ## Capability Tiers (Quick/Forge/Forge+/Deep)
47
48
 
48
49
  Your capability tier depends on which tools you have installed. Each tier builds on the previous one:
49
50
 
50
- - **Quick** — GitHub CLI only. SKF reads source files and builds best-effort skills. Works in under a minute.
51
+ - **Quick** — No tools required. SKF reads source files and builds best-effort skills. Works in under a minute. GitHub CLI used when available.
51
52
  - **Forge** — Adds [ast-grep](https://ast-grep.github.io). SKF uses AST parsing for structural truth. Instructions are verified against the actual code structure.
52
- - **Deep** — Adds [QMD](https://github.com/tobi/qmd). SKF indexes knowledge for semantic search. Skills get enriched with historical context, deprecation warnings, and cross-reference intelligence.
53
+ - **Forge+** — Adds [cocoindex-code](https://github.com/cocoindex-io/cocoindex-code). SKF uses semantic code search to discover relevant source regions before AST extraction, improving coverage on large codebases.
54
+ - **Deep** — Adds [GitHub CLI](https://cli.github.com) + [QMD](https://github.com/tobi/qmd). Requires ast-grep, gh, and QMD. SKF indexes knowledge for semantic search and performs GitHub repository exploration. Skills get enriched with historical context, deprecation warnings, and cross-reference intelligence.
53
55
 
54
56
  You don't need all tools to start. SKF detects what you have and sets your tier automatically. See [How It Works](../how-it-works.md) for the full technical treatment.
55
57
 
@@ -94,3 +96,19 @@ Ferris switches between four modes depending on which workflow is active: Archit
94
96
  SKF's core principle: if an instruction can't be traced back to actual source code, it doesn't get included in the skill. This is the opposite of how most AI tools work — they generate plausible-sounding content from training data. SKF only includes what it can verify.
95
97
 
96
98
  This doesn't mean skills are perfect. Quick-tier skills read source files without AST verification, so they rely on best-effort extraction. But even Quick skills cite their sources, and no tier includes invented information.
99
+
100
+ ---
101
+
102
+ ## Scripts & Assets
103
+
104
+ Skills can include executable scripts and static assets alongside the main SKILL.md instructions. Scripts handle deterministic operations (validation, setup, data processing) while assets provide templates, schemas, and configuration examples. Both are extracted from the source repository with provenance tracking — SKF copies them, it doesn't fabricate them.
105
+
106
+ **Example:** A database library skill might include `scripts/migrate.sh` (copied from the library's `bin/` directory) and `assets/config-schema.json` (copied from the library's `schemas/` directory). Each file carries a `[SRC:file:L1]` citation and SHA-256 hash for drift detection.
107
+
108
+ ---
109
+
110
+ ## Best Practices
111
+
112
+ SKF integrates skill authoring best practices from the Claude platform and community guidelines. Generated skills use third-person descriptions for reliable agent discovery, consistent terminology throughout, and appropriate degrees of freedom (prescriptive for fragile operations like database migrations, flexible for creative tasks like code reviews). These practices are enforced during compilation and verified during testing.
113
+
114
+ **Example:** A skill description reads "Processes payments via REST API with token-based auth. NOT for: billing dashboards" — third-person voice, specific keywords, and negative triggers help agents select the right skill.
package/docs/examples.md CHANGED
@@ -46,6 +46,24 @@ Provenance tags trace each instruction to its source:
46
46
 
47
47
  See [How It Works](../how-it-works.md) for the full output structure.
48
48
 
49
+ **Full skill directory structure:**
50
+
51
+ ```
52
+ skills/cognee/
53
+ ├── SKILL.md # What your agent reads
54
+ ├── context-snippet.md # Compressed index for CLAUDE.md
55
+ ├── metadata.json # Machine-readable provenance
56
+ ├── references/ # Progressive disclosure detail
57
+ │ ├── api-core.md
58
+ │ └── graph-types.md
59
+ ├── scripts/ # Executable utilities (when detected)
60
+ │ └── setup-graphdb.sh
61
+ └── assets/ # Templates and schemas (when detected)
62
+ └── config-schema.json
63
+ ```
64
+
65
+ The `scripts/` and `assets/` directories appear only when the source repository contains them. Each file traces back to its source with provenance citations and SHA-256 hashes.
66
+
49
67
  ---
50
68
 
51
69
  ## Example Workflows
@@ -150,7 +168,7 @@ The brief's `doc_urls` field drives the doc_fetcher step. The agent uses whateve
150
168
 
151
169
  ### Progressive Capability
152
170
 
153
- Start with Quick mode (no setup required), upgrade to Forge (install ast-grep), then Deep (install QMD). Each tier builds on the previous — you never lose capability.
171
+ Start with Quick mode (no setup required), upgrade to Forge (install ast-grep), then Forge+ (install cocoindex-code for semantic discovery), then Deep (install QMD). Each tier builds on the previous — you never lose capability.
154
172
 
155
173
  ### Batch Operations
156
174
 
@@ -164,6 +182,14 @@ Stack skills focus on integration patterns. Individual skills focus on API surfa
164
182
 
165
183
  After each sprint's refactor, run `@Ferris US` to regenerate changed components. Export updates CLAUDE.md automatically. Skill generation becomes routine — like running tests.
166
184
 
185
+ ### Best Practices Built In
186
+
187
+ Generated skills automatically follow authoring best practices: third-person descriptions for reliable agent discovery, consistent terminology, degrees-of-freedom matching (prescriptive for fragile operations, flexible for creative tasks), and table-of-contents headers in large reference files. Discovery testing recommendations are included in test reports.
188
+
189
+ ### Scripts & Assets
190
+
191
+ If your source repo includes executable scripts (`scripts/`, `bin/`) or static assets (`templates/`, `schemas/`), SKF detects and packages them automatically with provenance tracking. Custom scripts you add to `scripts/[MANUAL]/` are preserved during updates — just like `<!-- [MANUAL] -->` markers in SKILL.md.
192
+
167
193
  ---
168
194
 
169
195
  ## Troubleshooting
@@ -182,6 +208,9 @@ An official skill already exists for this package. Consider installing it with `
182
208
  **Quick mode skills have lower confidence**
183
209
  Quick mode reads source without AST analysis. Install ast-grep to upgrade to Forge mode for structural truth (T1 confidence).
184
210
 
211
+ **Want semantic discovery for large codebases?**
212
+ Install [cocoindex-code](https://github.com/cocoindex-io/cocoindex-code) to unlock Forge+ mode. CCC indexes your codebase and pre-ranks files by semantic relevance before AST extraction, improving coverage on projects with 500+ files.
213
+
185
214
  ---
186
215
 
187
216
  ## Getting More Help
@@ -194,6 +194,17 @@ Your existing skill is now out of date. Audit detects the drift, Update regenera
194
194
  @Ferris TS # Verify the update
195
195
  ```
196
196
 
197
+ ### I want scripts and assets included in my skills
198
+
199
+ Your source repo has CLI tools, setup scripts, or config templates that agents should use. SKF detects and packages them automatically.
200
+
201
+ ```
202
+ @Ferris BS # Brief — set scripts_intent: detect
203
+ @Ferris CS # Create — scripts/ and assets/ auto-detected
204
+ ```
205
+
206
+ Scripts from `scripts/`, `bin/`, and `tools/` directories are copied with provenance. Config templates and schemas from `assets/`, `templates/`, and `schemas/` are included. Custom files you add to `scripts/[MANUAL]/` survive updates.
207
+
197
208
  ---
198
209
 
199
210
  ## What's Next?
@@ -35,7 +35,7 @@ Each workflow directory contains these files, and each has a specific job:
35
35
  | `data/*.md` | Workflow-specific reference data — schemas, heuristics, rules, patterns | Read by steps on demand |
36
36
  | `templates/*.md` | Output skeletons with placeholder vars — steps fill these in to produce the final artifact | Read by steps when generating output |
37
37
  | `skf-knowledge-index.csv` | Knowledge fragment index — id, name, tags, tier, file path | Read by steps to decide which fragments to load |
38
- | `knowledge/*.md` | 10 reusable fragments — cross-cutting principles and patterns (e.g., `zero-hallucination.md`, `confidence-tiers.md`) | Selectively read into context when a step directs |
38
+ | `knowledge/*.md` | 12 reusable fragments — cross-cutting principles and patterns (e.g., `zero-hallucination.md`, `confidence-tiers.md`, `ccc-bridge.md`) | Selectively read into context when a step directs |
39
39
 
40
40
  ```mermaid
41
41
  flowchart LR
@@ -96,7 +96,8 @@ SKF uses an additive tier model. Each tier is the previous tier plus one tool. Y
96
96
  |------|-------|-------------|
97
97
  | **Quick** | `gh_bridge` + `skill-check` + `tessl` | Source reading + spec validation + content quality review. Best-effort skills in under a minute. |
98
98
  | **Forge** | + `ast_bridge` | Structural truth. AST-verified signatures. Co-import detection. T1 confidence. |
99
- | **Deep** | + `qmd_bridge` | Knowledge search. Temporal provenance. Drift detection. Full intelligence. |
99
+ | **Forge+** | + `ccc_bridge` | Semantic discovery. CCC pre-ranks files by meaning before AST extraction. Better coverage on large codebases. |
100
+ | **Deep** | + `gh_bridge` + `qmd_bridge` | Requires ast-grep + gh + QMD. Knowledge search. Temporal provenance. Drift detection. Full intelligence. |
100
101
 
101
102
  Setup detects your installed tools and sets your tier automatically:
102
103
 
@@ -105,10 +106,10 @@ Setup detects your installed tools and sets your tier automatically:
105
106
  ```
106
107
 
107
108
  ```
108
- Forge initialized. Tools: gh, ast-grep, QMD. Tier: Deep. Ready.
109
+ Forge initialized. Tools: gh, ast-grep, ccc, QMD. Tier: Deep. Ready.
109
110
  ```
110
111
 
111
- Don't have ast-grep or QMD yet? No problem — Quick mode works with just the GitHub CLI. Install tools later; your tier upgrades automatically.
112
+ Don't have ast-grep, cocoindex-code, or QMD yet? No problem — Quick mode works with just the GitHub CLI. Install tools later; your tier upgrades automatically.
112
113
 
113
114
  ### Tier Override — Comparing Output Across Tiers
114
115
 
@@ -128,10 +129,13 @@ This is useful for comparing skill quality across tiers for the same target:
128
129
  # 2. Change to tier_override: Forge
129
130
  @Ferris CS # recompile at Forge tier — compare output
130
131
 
131
- # 3. Reset to tier_override: ~ (auto-detect)
132
+ # 3. Change to tier_override: Forge+
133
+ @Ferris CS # recompile with semantic discovery — compare coverage
134
+
135
+ # 4. Reset to tier_override: ~ (auto-detect)
132
136
  ```
133
137
 
134
- Set `tier_override` to `Quick`, `Forge`, or `Deep`. Set to `~` (null) to return to auto-detection. The override is respected by all tier-aware workflows (CS, SS, US, AS, TS).
138
+ Set `tier_override` to `Quick`, `Forge`, `Forge+`, or `Deep`. Set to `~` (null) to return to auto-detection. The override is respected by all tier-aware workflows (CS, SS, US, AS, TS).
135
139
 
136
140
  ---
137
141
 
@@ -142,7 +146,8 @@ Every claim in a generated skill carries a confidence tier that traces to its so
142
146
  | Tier | Source | Tool | What It Means |
143
147
  |------|--------|------|---------------|
144
148
  | **T1** | AST extraction | `ast_bridge` | Current code, structurally verified. Immutable for that version. |
145
- | **T2** | QMD evidence / source reading | `qmd_bridge` / `gh_bridge` | Historical + planned context (issues, PRs, changelogs, docs). |
149
+ | **T1-low** | Source reading | `gh_bridge` | Source-read without AST verification. Location correct, signature may be inferred. |
150
+ | **T2** | QMD evidence | `qmd_bridge` | Historical + planned context (issues, PRs, changelogs, docs). |
146
151
  | **T3** | External documentation | `doc_fetcher` | External, untrusted. Quarantined. |
147
152
 
148
153
  ### Temporal Provenance
@@ -165,11 +170,12 @@ Progressive disclosure controls how much context surfaces at each level:
165
170
 
166
171
  Your forge tier limits what authority claims a skill can make:
167
172
 
168
- | Forge Tier | AST? | QMD? | Max Authority | Accuracy Guarantee |
169
- |-----------|------|------|---------------|-------------------|
170
- | Quick | No | No | `community` | Best-effort |
171
- | Forge | Yes | No | `official` | Structural (AST-verified) |
172
- | Deep | Yes | Yes | `official` | Full (structural + contextual + temporal) |
173
+ | Forge Tier | AST? | CCC? | QMD? | Max Authority | Accuracy Guarantee |
174
+ |-----------|------|------|------|---------------|-------------------|
175
+ | Quick | No | No | No | `community` | Best-effort |
176
+ | Forge | Yes | No | No | `official` | Structural (AST-verified) |
177
+ | Forge+ | Yes | Yes | No | `official` | Structural + semantic discovery |
178
+ | Deep | Yes | opt. (enhances when installed) | Yes | `official` | Full (structural + contextual + temporal) |
173
179
 
174
180
  ---
175
181
 
@@ -184,14 +190,17 @@ skills/{name}/
184
190
  ├── SKILL.md # Active skill (loaded on trigger)
185
191
  ├── context-snippet.md # Passive context (compressed, always-on)
186
192
  ├── metadata.json # Machine-readable provenance
187
- └── references/ # Progressive disclosure
188
- ├── {function-a}.md
189
- ├── {function-b}.md
190
- └── integrations/ # Stack skills only
191
- ├── auth-db.md
192
- └── pwa-auth.md
193
+ ├── references/ # Progressive disclosure
194
+ ├── {function-a}.md
195
+ │ └── {function-b}.md
196
+ ├── scripts/ # Executable automation (when detected in source)
197
+ │ └── {script-name}.sh
198
+ └── assets/ # Templates, schemas, configs (when detected in source)
199
+ └── {asset-name}.json
193
200
  ```
194
201
 
202
+ The `scripts/` and `assets/` directories are optional — only created when the source repository contains executable scripts or static assets matching detection heuristics. Each file traces to its source via `[SRC:file:L1]` provenance citations with SHA-256 content hashes for drift detection. User-authored files go in `scripts/[MANUAL]/` or `assets/[MANUAL]/` subdirectories and are preserved during updates.
203
+
195
204
  ### SKILL.md Format
196
205
 
197
206
  Skills follow the [agentskills.io specification](https://agentskills.io/specification) with frontmatter:
@@ -199,9 +208,10 @@ Skills follow the [agentskills.io specification](https://agentskills.io/specific
199
208
  ```yaml
200
209
  ---
201
210
  name: payment-service
202
- version: 2.1.0
203
- description: Payment processing API skill 23 verified functions
204
- author: org/payment-team
211
+ description: >
212
+ Processes payments via REST API with token-based auth. Use when writing
213
+ payment integration code. NOT for: billing dashboards or reporting.
214
+ 23 verified functions from github.com/org/payment-service.
205
215
  ---
206
216
  ```
207
217
 
@@ -233,11 +243,21 @@ Machine-readable provenance for every skill:
233
243
  "coverage": 1.0,
234
244
  "confidence_t1": 20,
235
245
  "confidence_t2": 3,
236
- "confidence_t3": 0
237
- }
246
+ "confidence_t3": 0,
247
+ "scripts_count": 1,
248
+ "assets_count": 1
249
+ },
250
+ "scripts": [
251
+ { "file": "scripts/validate.sh", "purpose": "Validates config schema", "confidence": "T1-low" }
252
+ ],
253
+ "assets": [
254
+ { "file": "assets/config-schema.json", "purpose": "Configuration JSON schema", "confidence": "T1-low" }
255
+ ]
238
256
  }
239
257
  ```
240
258
 
259
+ `scripts` and `assets` arrays are optional — omitted entirely (not empty) when the source has no scripts or assets.
260
+
241
261
  ### Stack Skill Output
242
262
 
243
263
  Stack skills map how your dependencies interact — shared types, co-import patterns, integration points:
@@ -301,7 +321,7 @@ Export injects a managed section between markers:
301
321
 
302
322
  ## Tool Ecosystem
303
323
 
304
- ### 6 Tools
324
+ ### 7 Tools
305
325
 
306
326
  | Tool | Wraps | Purpose |
307
327
  |------|-------|---------|
@@ -309,6 +329,7 @@ Export injects a managed section between markers:
309
329
  | **`skill-check`** | [thedaviddias/skill-check](https://github.com/thedaviddias/skill-check) | Validation + auto-fix (`check --fix`), quality scoring (0-100), security scan, split-body, diff comparison |
310
330
  | **`tessl`** | [tessl](https://tessl.io) | Content quality review, actionability scoring, progressive disclosure evaluation, AI judge with suggestions |
311
331
  | **`ast_bridge`** | ast-grep CLI | Structural extraction, custom AST queries, co-import detection |
332
+ | **`ccc_bridge`** | cocoindex-code | Semantic code search, project indexing, file discovery pre-ranking |
312
333
  | **`qmd_bridge`** | QMD (local search) | BM25 keyword search, vector semantic search, collection indexing |
313
334
  | **`doc_fetcher`** | Environment web tools | Remote documentation fetching for T3-confidence content. Tool-agnostic — uses whatever web fetching is available (Firecrawl, WebFetch, curl, etc.). Output quarantined as T3. |
314
335
 
@@ -319,6 +340,7 @@ When tools disagree, higher priority wins for instructions. Lower priority is pr
319
340
  | Priority | Source | Tool |
320
341
  |----------|--------|------|
321
342
  | 1 (highest) | AST extraction | `ast_bridge` |
343
+ | 1b | CCC discovery (pre-ranking) | `ccc_bridge` |
322
344
  | 2 | QMD evidence | `qmd_bridge` |
323
345
  | 3 | Source reading (non-AST) | `gh_bridge` |
324
346
  | 4 | External documentation | `doc_fetcher` |
@@ -344,6 +366,8 @@ forge-data/{skill-name}/
344
366
  └── extraction-rules.yaml # Language-specific ast-grep schema
345
367
  ```
346
368
 
369
+ The `provenance-map.json` includes a `file_entries` array for script/asset file-level provenance (SHA-256 hashes, source paths) alongside the export-level `entries` array.
370
+
347
371
  `skills/` and `forge-data/` are committed. Agent memory (`_bmad/_memory/forger-sidecar/`) is gitignored.
348
372
 
349
373
  ---
@@ -396,7 +420,7 @@ src/
396
420
  │ └── README.md
397
421
  ├── knowledge/
398
422
  │ ├── skf-knowledge-index.csv
399
- │ └── *.md (10 fragments)
423
+ │ └── *.md (12 fragments)
400
424
  └── workflows/
401
425
  ├── setup-forge/
402
426
  ├── analyze-source/
package/docs/index.md CHANGED
@@ -17,7 +17,7 @@ hero:
17
17
 
18
18
  ## What does Skill Forge do?
19
19
 
20
- AI agents hallucinate API calls. They invent function names, guess parameter types, and produce code that doesn't compile. Skill Forge fixes this by analyzing code repositories, documentation, and developer discourse — extracting real signatures and patterns and compiling them into verified instruction files that any AI agent can follow. Every instruction traces back to where it came from.
20
+ AI agents hallucinate API calls. They invent function names, guess parameter types, and produce code that doesn't compile. Skill Forge fixes this by analyzing code repositories, documentation, and developer discourse — extracting real signatures and patterns and compiling them into verified instruction files that any AI agent can follow. Every instruction traces back to where it came from. Generated skills can also include executable scripts and static assets extracted from the source repository, each with full provenance tracking.
21
21
 
22
22
  ## Quick Install
23
23
 
package/docs/workflows.md CHANGED
@@ -15,11 +15,11 @@ SKF has 10 workflows. You trigger them by typing commands to [Ferris](../agents.
15
15
 
16
16
  **Command:** `@Ferris SF`
17
17
 
18
- **Purpose:** Initialize forge environment, detect tools, set capability tier, verify QMD collection health.
18
+ **Purpose:** Initialize forge environment, detect tools (ast-grep, ccc, gh, qmd), set capability tier, index project in CCC (Forge+), verify QMD collection health (Deep).
19
19
 
20
20
  **When to Use:** First time using SKF in a project. Run once per project.
21
21
 
22
- **Key Steps:** Detect tools → Determine tier → Write forge-tier.yaml → QMD hygiene (Deep)
22
+ **Key Steps:** Detect tools → CCC index check (Forge+) → Determine tier → Write forge-tier.yaml → QMD hygiene (Deep)
23
23
 
24
24
  **Agent:** Ferris (Architect mode)
25
25
 
@@ -33,7 +33,7 @@ SKF has 10 workflows. You trigger them by typing commands to [Ferris](../agents.
33
33
 
34
34
  **When to Use:** Before `Create Skill` when you want maximum control over what gets compiled.
35
35
 
36
- **Key Steps:** Gather intent → Analyze target → Define scope → Write skill-brief.yaml
36
+ **Key Steps:** Gather intent → Analyze target → Define scope → Scripts/assets intent → Write skill-brief.yaml
37
37
 
38
38
  **Agent:** Ferris (Architect mode)
39
39
 
@@ -47,7 +47,7 @@ SKF has 10 workflows. You trigger them by typing commands to [Ferris](../agents.
47
47
 
48
48
  **When to Use:** After Brief Skill, or with an existing skill-brief.yaml.
49
49
 
50
- **Key Steps:** Load brief → Ecosystem check → AST extract → QMD enrich → Compile → Validate → Generate
50
+ **Key Steps:** Load brief → Ecosystem check → AST extract → Scripts/assets detect → QMD enrich → Compile → Validate → Generate
51
51
 
52
52
  **Agent:** Ferris (Architect mode)
53
53
 
@@ -61,7 +61,7 @@ SKF has 10 workflows. You trigger them by typing commands to [Ferris](../agents.
61
61
 
62
62
  **When to Use:** After source code changes when an existing skill needs updating.
63
63
 
64
- **Key Steps:** Load existing → Detect changes → Re-extract → Merge (preserve MANUAL) → Validate → Write
64
+ **Key Steps:** Load existing → Detect changes (incl. scripts/assets) → Re-extract → Merge (preserve MANUAL) → Validate → Write
65
65
 
66
66
  **Agent:** Ferris (Surgeon mode)
67
67
 
@@ -119,7 +119,7 @@ SKF has 10 workflows. You trigger them by typing commands to [Ferris](../agents.
119
119
 
120
120
  **When to Use:** To check if a skill has fallen out of date with its source code.
121
121
 
122
- **Key Steps:** Load skill → Re-index source → Structural diff → Semantic diff (Deep) → Classify severity → Report
122
+ **Key Steps:** Load skill → Re-index source → Structural diff → Script/asset drift → Semantic diff (Deep) → Classify severity → Report
123
123
 
124
124
  **Agent:** Ferris (Audit mode)
125
125
 
package/package.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "$schema": "https://json.schemastore.org/package.json",
3
3
  "name": "bmad-module-skill-forge",
4
- "version": "0.5.0",
5
- "description": "BMAD module — Turn code and docs into instructions AI agents can actually follow. Progressive capability tiers (Quick/Forge/Deep).",
4
+ "version": "0.6.0",
5
+ "description": "BMAD module — Turn code and docs into instructions AI agents can actually follow. Progressive capability tiers (Quick/Forge/Forge+/Deep).",
6
6
  "keywords": [
7
7
  "bmad",
8
8
  "bmad-method",
@@ -15,7 +15,7 @@ agent:
15
15
  Skill compilation specialist who transforms code repositories, documentation, and developer discourse into verified agent skills.
16
16
  Manages the full lifecycle: source analysis, skill briefing, AST-backed compilation,
17
17
  integrity testing, and ecosystem-ready export across progressive capability tiers
18
- (Quick/Forge/Deep).
18
+ (Quick/Forge/Forge+/Deep).
19
19
 
20
20
  identity: |
21
21
  The forge master — a precision-focused craftsman who works through four modes:
@@ -6,8 +6,24 @@ tools:
6
6
  ast_grep: ~
7
7
  gh_cli: ~
8
8
  qmd: ~
9
+ ccc: ~
10
+ security_scan: ~
9
11
 
10
12
  # Capability tier (derived from tool availability)
11
- # Quick = no tools required | Forge = + ast-grep | Deep = + ast-grep + gh + QMD
13
+ # Quick = no tools | Forge = + ast-grep | Forge+ = + ast-grep + ccc | Deep = + ast-grep + gh + QMD
12
14
  tier: ~
13
15
  tier_detected_at: ~
16
+
17
+ # CCC semantic index state (managed by setup-forge and extraction workflows)
18
+ ccc_index:
19
+ indexed_path: ~
20
+ last_indexed: ~
21
+ status: "none"
22
+ staleness_threshold_hours: 24
23
+
24
+ # CCC index registry (tracks which source paths have been indexed for skill workflows)
25
+ ccc_index_registry: []
26
+
27
+ # QMD collection registry (populated by create-skill, consumed by audit/update-skill)
28
+ # Each entry tracks a QMD collection created during skill workflows
29
+ qmd_collections: []
@@ -2,7 +2,7 @@
2
2
  # Created by setup-forge workflow on first run
3
3
  # Edit this file to customize Ferris behavior
4
4
 
5
- # Override detected tier (set to Quick, Forge, or Deep to force a tier)
5
+ # Override detected tier (set to Quick, Forge, Forge+, or Deep to force a tier)
6
6
  tier_override: ~
7
7
 
8
8
  # Passive context injection (set to false to skip snippet generation and CLAUDE.md updates during export)
@@ -0,0 +1,110 @@
1
+ # CCC Bridge
2
+
3
+ ## Principle
4
+
5
+ `ccc_bridge.*` references in workflow steps are **conceptual interfaces**, not callable functions. They describe a semantic code discovery operation to perform. Use the `ccc` MCP server tools (when available) or `ccc` CLI commands to execute these operations. See the TOOL/SUBPROCESS FALLBACK rule — if ccc is unavailable, the calling step falls back to direct ast-grep or source reading without ccc pre-discovery.
6
+
7
+ ## Rationale
8
+
9
+ Without ccc pre-discovery, extraction steps scan all source files uniformly — processing them in directory order or entry-point-first order. On large codebases (500+ files), this means AST extraction in CLI streaming mode uses `head -N` cutoffs that may miss relevant exports in files that appear late in the scan. Integration detection in Stack Skill relies on grep-based co-import counting, which misses semantic relationships between libraries that don't appear in the same file.
10
+
11
+ With ccc pre-discovery:
12
+ - Extraction steps receive a relevance-ranked file queue — the most semantically important files are processed first, before any streaming cutoff
13
+ - Integration detection gains semantic augmentation — pairs below the 2-file co-import threshold can be evaluated via natural language queries
14
+ - Audit workflows can detect renamed/moved exports via semantic search before classifying them as deleted
15
+
16
+ The key architectural constraint: ccc discovers, ast-grep verifies. Discovery method is orthogonal to confidence tier. This keeps the 4-tier confidence system (T1/T1-low/T2/T3) clean and avoids tier proliferation.
17
+
18
+ ## When ccc Is Used
19
+
20
+ ccc is a **discovery layer only**. It answers "where should I look?" — it does not produce citations or structural claims. Every path or symbol returned by ccc_bridge must be verified by `ast_bridge` (T1) or source reading (T1-low) before it enters the extraction inventory. ccc results never appear in provenance citations.
21
+
22
+ ccc is available at **Forge+** and **Deep** tiers (when `tools.ccc: true` in forge-tier.yaml).
23
+
24
+ ## Availability
25
+
26
+ ccc_bridge operations are available when:
27
+ - `tools.ccc: true` in forge-tier.yaml (verified by `ccc --help` + `ccc doctor` in setup-forge)
28
+ - `ccc_index.status` is `"fresh"` or `"stale"` in forge-tier.yaml (an index exists for the project)
29
+
30
+ When either condition is false, calling steps skip ccc discovery silently and proceed with direct ast-grep or source reading. This is standard Forge tier behavior — not a degradation.
31
+
32
+ ## Operations
33
+
34
+ ### `ccc_bridge.search(query, path?, top_k?)`
35
+
36
+ **Resolves to:** `ccc search "{query}" --path {path} --top {top_k}` (CLI) or the `ccc` MCP search tool (preferred)
37
+
38
+ Returns: list of `{file, score, snippet}` entries ranked by semantic relevance to the query. These are **candidates** for ast-grep extraction — not verified exports.
39
+
40
+ **Usage context:** Called before ast-grep in Forge+ and Deep tier extraction steps to discover semantically relevant source regions. Results pre-rank the file extraction queue so ast-grep processes the most relevant files first.
41
+
42
+ ### `ccc_bridge.ensure_index(path)`
43
+
44
+ **Resolves to:** Check `ccc_index.status` in forge-tier.yaml. If `"none"` or the indexed_path does not match, run `ccc init {path}` then `ccc index` and update forge-tier.yaml.
45
+
46
+ **Usage context:** Called by setup-forge step-01b to ensure the project root is indexed. Called lazily by extraction steps when `ccc_index.status` is `"none"` but ccc is available.
47
+
48
+ ### `ccc_bridge.status()`
49
+
50
+ **Resolves to:** Two-step verification:
51
+ 1. `ccc --help` — confirms binary exists (exit 0)
52
+ 2. `ccc doctor` — confirms daemon is running, extracts version string, validates embedding model
53
+
54
+ **Usage context:** Called exclusively by setup-forge step-01 during tool detection. Downstream workflows read the result from forge-tier.yaml — they do not re-verify.
55
+
56
+ ## Confidence
57
+
58
+ ccc discovery does not produce a confidence tier. The provenance chain is:
59
+
60
+ 1. ccc discovers candidate files (internal hint — not cited)
61
+ 2. ast-grep verifies exports in those files → **T1** citation `[AST:file:Lnn]`
62
+ 3. Or source reading verifies → **T1-low** citation `[SRC:file:Lnn]`
63
+
64
+ The ccc search is invisible in the output artifact. A Forge+ skill's citations are indistinguishable from a Forge skill's citations — the difference is in extraction coverage, not citation format.
65
+
66
+ ## Indexing Lifecycle
67
+
68
+ ### When Indexing Happens
69
+
70
+ 1. **setup-forge step-01b:** Indexes the project root when setup-forge runs. This is the primary indexing point.
71
+ 2. **Workflow discovery steps:** If `ccc_index.status` is `"stale"` or `"none"`, discovery steps trigger a re-index and warn the user. They do not block.
72
+ 3. **ccc daemon:** Incremental indexing means re-indexing unchanged files is a near-no-op.
73
+
74
+ ### Freshness
75
+
76
+ - Staleness threshold: 24 hours (configurable via `ccc_index.staleness_threshold_hours` in forge-tier.yaml)
77
+ - A stale index still produces useful results — the workflow proceeds with the stale index and notes the staleness
78
+ - setup-forge is the designated refresh authority
79
+
80
+ ### Relationship to QMD Registry
81
+
82
+ ccc_index and qmd_collections are **orthogonal**:
83
+ - `ccc_index` in forge-tier.yaml tracks the persistent source code index (one per project)
84
+ - `qmd_collections[]` in forge-tier.yaml tracks per-skill workflow artifact collections
85
+ - ccc indexes source code for semantic search; QMD indexes curated artifacts for temporal/knowledge search
86
+ - The janitor role for QMD (setup-forge step-03) operates independently of ccc_index
87
+
88
+ ## Query Volume Bounds
89
+
90
+ To prevent excessive daemon calls, workflow steps cap ccc queries:
91
+ - **create-skill extraction:** max 2 queries per skill (discovery + optional scope refinement)
92
+ - **analyze-source mapping:** max 1 query per qualifying unit
93
+ - **create-stack-skill integration detection:** max 1 query per library pair
94
+ - **audit-skill re-index:** max 1 query per export missing from its recorded location
95
+
96
+ ## Anti-Patterns
97
+
98
+ - Using ccc_bridge results as citations without ast-grep verification — ccc output is never a provenance citation
99
+ - Blocking a workflow because ccc is unavailable — ccc is always optional
100
+ - Running ccc_bridge.ensure_index() without checking ccc_index.status first — unnecessary re-indexing
101
+ - Passing ccc results directly to the extraction inventory — they are candidates, not extractions
102
+ - Listing ccc as "unavailable" in reports for Quick/Forge tiers — ccc is a Forge+ capability, not something Quick/Forge tiers are missing
103
+
104
+ ## Related Fragments
105
+
106
+ - [progressive-capability.md](progressive-capability.md) — Forge+ tier definition and positive framing
107
+ - [confidence-tiers.md](confidence-tiers.md) — why ccc does not create a new confidence tier
108
+ - [qmd-registry.md](qmd-registry.md) — the parallel but separate registry for QMD collections
109
+
110
+ _Source: designed as part of the Forge+ tier integration for cocoindex-code semantic code search_
@@ -22,8 +22,8 @@ With confidence tiers:
22
22
 
23
23
  | Tier | Label | Source | Extraction Method | Available At |
24
24
  | --- | --- | --- | --- | --- |
25
- | T1 | AST-verified | Source code | ast-grep structural parsing | Forge, Deep |
26
- | T1-low | Source-read | Source code | Pattern matching, file reading | Quick, Forge, Deep |
25
+ | T1 | AST-verified | Source code | ast-grep structural parsing | Forge, Forge+, Deep |
26
+ | T1-low | Source-read | Source code | Pattern matching, file reading | Quick, Forge, Forge+, Deep |
27
27
  | T2 | QMD-enriched | Knowledge base | QMD semantic search + synthesis | Deep |
28
28
  | T3 | External reference | Docs, URLs | External documentation lookup | All tiers |
29
29
 
@@ -131,7 +131,7 @@ Every generated skill includes a confidence distribution in `metadata.json`:
131
131
  "t2": 12,
132
132
  "t3": 3
133
133
  },
134
- "extraction_tier": "deep"
134
+ "extraction_tier": "deep" // valid values: "quick", "forge", "forge+", "deep"
135
135
  }
136
136
  ```
137
137
 
@@ -24,12 +24,13 @@ With knowledge files:
24
24
  |------------------------------------------------------------|-------------------------------------------------------------------|------------------------------------|
25
25
  | [zero-hallucination.md](zero-hallucination.md) | Every claim traces to source; uncitable content excluded | AN, BS, CS, QS, SS, US, AS, TS |
26
26
  | [confidence-tiers.md](confidence-tiers.md) | T1/T1-low/T2/T3 trust model and citation formats | AN, BS, CS, QS, SS, US, AS, TS, EX |
27
- | [progressive-capability.md](progressive-capability.md) | Quick/Forge/Deep tier philosophy and behavior adaptation | All 10 |
27
+ | [progressive-capability.md](progressive-capability.md) | Quick/Forge/Forge+/Deep tier philosophy and behavior adaptation | All 10 |
28
28
  | [agentskills-spec.md](agentskills-spec.md) | agentskills.io output format principles and compliance | CS, QS, SS, US, TS, EX |
29
29
  | [skill-lifecycle.md](skill-lifecycle.md) | End-to-end pipeline, artifact flow, workflow selection | All 10 |
30
30
  | [provenance-tracking.md](provenance-tracking.md) | Provenance-map.json entries and file_entries, evidence reports, claim traceability | CS, QS, SS, US, AS, TS |
31
31
  | [manual-section-integrity.md](manual-section-integrity.md) | \[MANUAL\] marker preservation and merge algorithm | CS, US, AS, TS, EX |
32
32
  | [qmd-registry.md](qmd-registry.md) | Progressive QMD collection registry and collection gate principle | SF, BS, CS, US, AS |
33
+ | [ccc-bridge.md](ccc-bridge.md) | ccc_bridge interface, indexing lifecycle, Forge+ discovery-before-extraction | SF, CS, SS, AS, US, BS |
33
34
  | [split-body-strategy.md](split-body-strategy.md) | Selective vs full split-body, detection pattern, agent accuracy | CS, QS, US, TS, EX |
34
35
 
35
36
  ## JiT Loading Protocol