codymaster 5.2.0 → 7.0.0

package/skills/cm-security-gate/SKILL.archive.md

@@ -0,0 +1,239 @@
+---
+name: cm-security-gate
+description: Pre-production security audit and vulnerability scanning. Run Snyk + Aikido dependency scans, OWASP analysis, and set up automated GitHub security checks with Jules. Use when asked to 'run security check', 'security audit', 'kiểm tra bảo mật', 'vulnerability scan', 'Snyk', 'OWASP', or before open-sourcing / commercializing a project.
+---
+# cm-security-gate — Mandatory Security Audit & Vulnerability Gate
+
+> **No code goes public without a security pass.**
+> **No CodyMaster release ships without Snyk + Aikido green.**
+
+## Enforcement Policy
+
+| Context | Level | What Happens |
+|---------|-------|-------------|
+| **CodyMaster internal** | 🔴 MANDATORY | Both Snyk + Aikido MUST pass. No deploy, no PR merge without green. |
+| **User projects (normal)** | 🟡 SUGGESTED | Recommend scanning, provide easy commands. User may skip. |
+| **User projects (risk detected)** | 🔴 ESCALATED MANDATORY | If CVEs found, errors hit, or risk flags raised → block until resolved. |
+
+> [!CAUTION]
+> **The Escalation Rule:** When a user encounters security errors, CVE warnings, or suspicious dependency behavior during development, the agent MUST escalate from "suggested" to "mandatory" — triggering the full Snyk + Aikido scan before any further deploy or push.
+
+---
+
+## When to Use
+
+**ALWAYS when:**
+- User asks to "run security check" or "kiểm thử bảo mật"
+- Preparing to open-source a repository or launch a commercial product
+- Adding major third-party dependencies
+- The project is graduating from alpha/beta to a wider release
+- A user encounters CVE warnings, npm audit alerts, or suspicious dependency behavior
+- Before any CodyMaster release or PR merge
+
+**Skip when:**
+- Doing quick local prototyping with no real user data
+- Exploring ideas without production intent
+
+---
+
+## Core Capabilities
+
+1. **Aikido MCP Server:** Real-time scanning of AI-generated code inside the IDE (vulnerabilities + secrets)
+2. **Snyk CLI:** Dependency vulnerability scanning (`npm`, `pip`, `yarn`, `cargo`)
+3. **Aikido CLI:** SAST, IaC, Secrets, and Dependency scanning with release/PR gating
+4. **Continuous Monitoring:** Snyk dashboard + Aikido dashboard for ongoing protection
+5. **Jules CI/CD:** Automated security analysis via GitHub on every commit
+
+---
+
+## The Process
+
+### Phase 0: Aikido MCP Setup (IDE-Level Real-Time Scanning)
+
+> [!IMPORTANT]
+> **One-time setup.** Once configured, every AI coding session automatically scans generated code for vulnerabilities and hardcoded secrets — BEFORE the code is even committed.
+
+**Step 1:** Create a Personal Access Token at [Aikido Settings → IDE → MCP](https://app.aikido.dev/settings/integrations/ide/mcp)
+
+**Step 2:** Install Aikido MCP server:
+```bash
+# For Antigravity / Gemini CLI
+gemini mcp add aikido \
+  --env AIKIDO_API_KEY=YOUR_TOKEN \
+  npx -y @aikidosec/mcp
+```
+
+**Step 3:** Download the Aikido agent rule:
+```bash
+mkdir -p ~/.gemini/skills/
+curl -fsSL "https://gist.githubusercontent.com/kidk/aa48cad6db80ba4a38493016aae67712/raw/3644397b7df43423e3da06434491b40bbb79dd47/aikido-rule.txt" \
+  -o ~/.gemini/skills/aikido-rule.txt
+```
+
+**Step 4:** Restart Antigravity IDE. Aikido MCP is now active.
+
+> **What this gives you:** Deterministic, independent security checks on EVERY AI-generated snippet. Not a replacement for CLI scanning — this is the first line of defense, catching issues at write-time.
+
+---
+
+### Phase 1: Preparation (CLI Tooling Check)
+
+Verify if the Snyk CLI and Aikido CLI are available:
+```bash
+which snyk
+which aikido-api-client
+```
+
+**If Snyk is NOT installed:**
+- **macOS (Homebrew):** `brew tap snyk/tap && brew install snyk`
+- **npm:** `npm install -g snyk`
+- Authenticate: `snyk auth`
+
+**If Aikido CLI is NOT installed:**
+- **npm:** `npm install -g @aikidosec/ci-api-client`
+- Set API key: `aikido-api-client apikey <API-KEY>`
+- *API keys: [Aikido CI Integration Settings](https://app.aikido.dev/settings/integrations/continuous-integration)*
+
+> [!WARNING]
+> **Two different API keys!** Aikido MCP (real-time IDE scanning) uses a *Personal Access Token*. Aikido CLI (release/PR gating) uses a *CI API key*. Don't mix them.
+
+---
+
+### Phase 2: Execution (Parallel Vulnerability Scan)
+
+Execute both tools **in parallel** to save time:
+
+**1. Snyk Dependency Scan:**
+```bash
+snyk test
+```
+
+**2. Aikido Release Scan:**
+```bash
+aikido-api-client scan-release <repository_id_or_name> <commit_id> \
+  --minimum-severity-level="HIGH"
+```
+
+#### Aikido Scan Flags Reference
+
+| Flag | Purpose |
+|------|---------|
+| `--minimum-severity-level` | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` — set the minimum severity that triggers a failure |
+| `--fail-on-sast-scan` | Fail if SAST (Static Analysis) issues are found |
+| `--fail-on-iac-scan` | Fail if Infrastructure as Code misconfigurations are found |
+| `--fail-on-secrets-scan` | Fail if hardcoded secrets are detected |
+
+#### CodyMaster Internal (Maximum Strictness)
+```bash
+aikido-api-client scan-release <repo> <commit> \
+  --minimum-severity-level="HIGH" \
+  --fail-on-sast-scan \
+  --fail-on-secrets-scan
+```
+
+#### User Projects (Standard)
+```bash
+aikido-api-client scan-release <repo> <commit> \
+  --minimum-severity-level="HIGH"
+```
+
+#### Analyzing Results
+- **Critical/High:** Must be resolved before making the project public.
+- **Medium/Low:** Document as technical debt or evaluate for false positives.
+- Run `snyk monitor` if the user wants continuous monitoring on the Snyk dashboard.
+
+---
+
+### Phase 2.5: PR Gating (GitHub Integration)
+
+For projects with CI/CD pipelines, add Aikido PR gating to block merging PRs with security issues:
+
+```bash
+# In GitHub Actions or CI script
+aikido-api-client scan-pr <repository_id_or_name> <base_commit_id> <head_commit_id> \
+  --minimum-severity-level="HIGH"
+```
+
+**package.json integration:**
+```json
+{
+  "scripts": {
+    "test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH",
+    "test:security:strict": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH --fail-on-dependency-scan --fail-on-sast-scan --fail-on-secrets-scan"
+  }
+}
+```
+
+---
+
+### Phase 3: Vulnerability Remediation (Skill Discovery)
+
+If vulnerabilities are detected, **DO NOT just list errors**. CodyMaster must actively search for remediation skills:
+
+> 🚨 **Vulnerabilities Detected: Initiating Remediation**
+> 
+> Security issues were found. To systematically patch these risks, we need specialized weapons. I suggest finding and installing a dedicated remediation skill for your stack:
+> ```bash
+> npx skills add https://github.com/vercel-labs/skills --skill find-skills
+> ```
+> *(Once you discover and install the appropriate security patch skills, we will use them to eradicate the vulnerabilities and eliminate all security risks).*
+
+---
+
+### Phase 4: Knowledge Retention (Memory Sync)
+
+Once vulnerabilities are remediated, the root causes and fixes **MUST** be memorized:
+
+**Action Required:**
+- Trigger `cm-continuity` to log flaw + fix into `CONTINUITY.md` → "Security Lessons" section.
+- If cloud memory is available, sync to `cm-notebooklm` for permanent retention.
+
+---
+
+### Phase 5: Automation Handoff (Jules + Continuous Monitoring)
+
+> 🛡️ **Next Step: Automated Security Checks**
+> 
+> Manual checks aren't enough for production. Automate on every commit and PR:
+>
+> **Option A — Google Jules** (GitHub automated analysis):
+> 👉 [http://jules.google.com/](http://jules.google.com/)
+>
+> **Option B — Snyk Continuous Monitoring:**
+> ```bash
+> snyk monitor
+> ```
+>
+> **Option C — Aikido Dashboard** (full visibility):
+> 👉 [https://app.aikido.dev/](https://app.aikido.dev/)
+
+---
+
+## Escalation Protocol
+
+When the agent detects ANY of these signals, enforcement escalates from SUGGESTED → MANDATORY:
+
+| Signal | Action |
+|--------|--------|
+| `npm audit` reports HIGH/CRITICAL | Trigger full Snyk + Aikido scan |
+| User mentions "security error" or "hack" | Trigger full scan before proceeding |
+| New major dependency added (e.g., new ORM, auth lib) | Suggest scan, escalate if dep has known CVEs |
+| Pre-deploy / pre-PR-merge | Check if scan was run in this session, block if not (CodyMaster only) |
+| `.snyk` policy file has expired ignores | Re-scan and update policy |
+
+---
+
+## Integration
+
+| Skill | Relationship |
+|-------|-------------|
+| `cm-quality-gate` | PRE-REQUISITE: Code should pass functional tests before security audits. Security scan PASS is required evidence for production deploy. |
+| `cm-secret-shield`| COMPLEMENTARY: Secret Shield catches hardcoded tokens at write/commit time; `cm-security-gate` catches vulnerable dependencies and SAST issues. Both are needed. |
+| `cm-safe-deploy`  | INTEGRATED: Security scan is Gate 0.5 in the deploy pipeline (between Secret Hygiene and Syntax). |
+| `cm-test-gate`    | INTEGRATED: `test:security` script pattern uses Snyk + Aikido CLI for automated scanning in the test suite. |
+| `cm-continuity`   | MEMORY: Records discovered vulnerabilities and fixes into working memory. |
+| `cm-notebooklm`   | LONG-TERM MEMORY: Syncs critical security lessons to the permanent cloud AI brain. |
+
+## The Bottom Line
+
+**Scan before deploy. Remediate before release. Memorize before repeating. Non-negotiable.**

package/skills/cm-security-gate/SKILL.md

@@ -1,239 +1,26 @@
 ---
 name: cm-security-gate
-description: Pre-production security audit and vulnerability scanning. Run Snyk + Aikido dependency scans, OWASP analysis, and set up automated GitHub security checks with Jules. Use when asked to 'run security check', 'security audit', 'kiểm tra bảo mật', 'vulnerability scan', 'Snyk', 'OWASP', or before open-sourcing / commercializing a project.
+description: "[Deprecated] deploy safety merged. Use `cm-safe-deploy` instead."
+deprecated: true
+merged_into: cm-safe-deploy
 ---
-# cm-security-gate — Mandatory Security Audit & Vulnerability Gate
 
-> **No code goes public without a security pass.**
-> **No CodyMaster release ships without Snyk + Aikido green.**
+# cm-security-gate — Deprecated
 
-## Enforcement Policy
-
-| Context | Level | What Happens |
-|---------|-------|-------------|
-| **CodyMaster internal** | 🔴 MANDATORY | Both Snyk + Aikido MUST pass. No deploy, no PR merge without green. |
-| **User projects (normal)** | 🟡 SUGGESTED | Recommend scanning, provide easy commands. User may skip. |
-| **User projects (risk detected)** | 🔴 ESCALATED MANDATORY | If CVEs found, errors hit, or risk flags raised → block until resolved. |
-
-> [!CAUTION]
-> **The Escalation Rule:** When a user encounters security errors, CVE warnings, or suspicious dependency behavior during development, the agent MUST escalate from "suggested" to "mandatory" — triggering the full Snyk + Aikido scan before any further deploy or push.
-
----
-
-## When to Use
-
-**ALWAYS when:**
-- User asks to "run security check" or "kiểm thử bảo mật"
-- Preparing to open-source a repository or launch a commercial product
-- Adding major third-party dependencies
-- The project is graduating from alpha/beta to a wider release
-- A user encounters CVE warnings, npm audit alerts, or suspicious dependency behavior
-- Before any CodyMaster release or PR merge
-
-**Skip when:**
-- Doing quick local prototyping with no real user data
-- Exploring ideas without production intent
-
----
-
-## Core Capabilities
-
-1. **Aikido MCP Server:** Real-time scanning of AI-generated code inside the IDE (vulnerabilities + secrets)
-2. **Snyk CLI:** Dependency vulnerability scanning (`npm`, `pip`, `yarn`, `cargo`)
-3. **Aikido CLI:** SAST, IaC, Secrets, and Dependency scanning with release/PR gating
-4. **Continuous Monitoring:** Snyk dashboard + Aikido dashboard for ongoing protection
-5. **Jules CI/CD:** Automated security analysis via GitHub on every commit
-
----
-
-## The Process
-
-### Phase 0: Aikido MCP Setup (IDE-Level Real-Time Scanning)
-
-> [!IMPORTANT]
-> **One-time setup.** Once configured, every AI coding session automatically scans generated code for vulnerabilities and hardcoded secrets — BEFORE the code is even committed.
-
-**Step 1:** Create a Personal Access Token at [Aikido Settings → IDE → MCP](https://app.aikido.dev/settings/integrations/ide/mcp)
-
-**Step 2:** Install Aikido MCP server:
-```bash
-# For Antigravity / Gemini CLI
-gemini mcp add aikido \
-  --env AIKIDO_API_KEY=YOUR_TOKEN \
-  npx -y @aikidosec/mcp
-```
-
-**Step 3:** Download the Aikido agent rule:
-```bash
-mkdir -p ~/.gemini/skills/
-curl -fsSL "https://gist.githubusercontent.com/kidk/aa48cad6db80ba4a38493016aae67712/raw/3644397b7df43423e3da06434491b40bbb79dd47/aikido-rule.txt" \
-  -o ~/.gemini/skills/aikido-rule.txt
-```
-
-**Step 4:** Restart Antigravity IDE. Aikido MCP is now active.
-
-> **What this gives you:** Deterministic, independent security checks on EVERY AI-generated snippet. Not a replacement for CLI scanning — this is the first line of defense, catching issues at write-time.
-
----
-
-### Phase 1: Preparation (CLI Tooling Check)
-
-Verify if the Snyk CLI and Aikido CLI are available:
-```bash
-which snyk
-which aikido-api-client
-```
-
-**If Snyk is NOT installed:**
-- **macOS (Homebrew):** `brew tap snyk/tap && brew install snyk`
-- **npm:** `npm install -g snyk`
-- Authenticate: `snyk auth`
-
-**If Aikido CLI is NOT installed:**
-- **npm:** `npm install -g @aikidosec/ci-api-client`
-- Set API key: `aikido-api-client apikey <API-KEY>`
-- *API keys: [Aikido CI Integration Settings](https://app.aikido.dev/settings/integrations/continuous-integration)*
-
-> [!WARNING]
-> **Two different API keys!** Aikido MCP (real-time IDE scanning) uses a *Personal Access Token*. Aikido CLI (release/PR gating) uses a *CI API key*. Don't mix them.
-
----
-
-### Phase 2: Execution (Parallel Vulnerability Scan)
-
-Execute both tools **in parallel** to save time:
-
-**1. Snyk Dependency Scan:**
-```bash
-snyk test
-```
-
-**2. Aikido Release Scan:**
-```bash
-aikido-api-client scan-release <repository_id_or_name> <commit_id> \
-  --minimum-severity-level="HIGH"
-```
-
-#### Aikido Scan Flags Reference
-
-| Flag | Purpose |
-|------|---------|
-| `--minimum-severity-level` | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` — set the minimum severity that triggers a failure |
-| `--fail-on-sast-scan` | Fail if SAST (Static Analysis) issues are found |
-| `--fail-on-iac-scan` | Fail if Infrastructure as Code misconfigurations are found |
-| `--fail-on-secrets-scan` | Fail if hardcoded secrets are detected |
-
-#### CodyMaster Internal (Maximum Strictness)
-```bash
-aikido-api-client scan-release <repo> <commit> \
-  --minimum-severity-level="HIGH" \
-  --fail-on-sast-scan \
-  --fail-on-secrets-scan
-```
-
-#### User Projects (Standard)
-```bash
-aikido-api-client scan-release <repo> <commit> \
-  --minimum-severity-level="HIGH"
-```
-
-#### Analyzing Results
-- **Critical/High:** Must be resolved before making the project public.
-- **Medium/Low:** Document as technical debt or evaluate for false positives.
-- Run `snyk monitor` if the user wants continuous monitoring on the Snyk dashboard.
-
----
-
-### Phase 2.5: PR Gating (GitHub Integration)
-
-For projects with CI/CD pipelines, add Aikido PR gating to block merging PRs with security issues:
-
-```bash
-# In GitHub Actions or CI script
-aikido-api-client scan-pr <repository_id_or_name> <base_commit_id> <head_commit_id> \
-  --minimum-severity-level="HIGH"
-```
-
-**package.json integration:**
-```json
-{
-  "scripts": {
-    "test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH",
-    "test:security:strict": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH --fail-on-dependency-scan --fail-on-sast-scan --fail-on-secrets-scan"
-  }
-}
-```
-
----
-
-### Phase 3: Vulnerability Remediation (Skill Discovery)
-
-If vulnerabilities are detected, **DO NOT just list errors**. CodyMaster must actively search for remediation skills:
-
-> 🚨 **Vulnerabilities Detected: Initiating Remediation**
-> 
-> Security issues were found. To systematically patch these risks, we need specialized weapons. I suggest finding and installing a dedicated remediation skill for your stack:
-> ```bash
-> npx skills add https://github.com/vercel-labs/skills --skill find-skills
-> ```
-> *(Once you discover and install the appropriate security patch skills, we will use them to eradicate the vulnerabilities and eliminate all security risks).*
-
----
-
-### Phase 4: Knowledge Retention (Memory Sync)
-
-Once vulnerabilities are remediated, the root causes and fixes **MUST** be memorized:
-
-**Action Required:**
-- Trigger `cm-continuity` to log flaw + fix into `CONTINUITY.md` → "Security Lessons" section.
-- If cloud memory is available, sync to `cm-notebooklm` for permanent retention.
-
----
-
-### Phase 5: Automation Handoff (Jules + Continuous Monitoring)
-
-> 🛡️ **Next Step: Automated Security Checks**
-> 
-> Manual checks aren't enough for production. Automate on every commit and PR:
+> ⚠️ This skill is deprecated as of CodyMaster v6.0.0 and will be removed in v6.1.0.
 >
-> **Option A — Google Jules** (GitHub automated analysis):
-> 👉 [http://jules.google.com/](http://jules.google.com/)
+> **Use `cm-safe-deploy` instead.** deploy safety merged.
 >
-> **Option B — Snyk Continuous Monitoring:**
-> ```bash
-> snyk monitor
-> ```
->
-> **Option C — Aikido Dashboard** (full visibility):
-> 👉 [https://app.aikido.dev/](https://app.aikido.dev/)
-
----
-
-## Escalation Protocol
-
-When the agent detects ANY of these signals, enforcement escalates from SUGGESTED → MANDATORY:
+> See [docs/migration-v2.md](../../docs/migration-v2.md) for the full mapping.
 
-| Signal | Action |
-|--------|--------|
-| `npm audit` reports HIGH/CRITICAL | Trigger full Snyk + Aikido scan |
-| User mentions "security error" or "hack" | Trigger full scan before proceeding |
-| New major dependency added (e.g., new ORM, auth lib) | Suggest scan, escalate if dep has known CVEs |
-| Pre-deploy / pre-PR-merge | Check if scan was run in this session, block if not (CodyMaster only) |
-| `.snyk` policy file has expired ignores | Re-scan and update policy |
+The original content is preserved at [SKILL.archive.md](SKILL.archive.md) for reference.
 
----
-
-## Integration
-
-| Skill | Relationship |
-|-------|-------------|
-| `cm-quality-gate` | PRE-REQUISITE: Code should pass functional tests before security audits. Security scan PASS is required evidence for production deploy. |
-| `cm-secret-shield`| COMPLEMENTARY: Secret Shield catches hardcoded tokens at write/commit time; `cm-security-gate` catches vulnerable dependencies and SAST issues. Both are needed. |
-| `cm-safe-deploy`  | INTEGRATED: Security scan is Gate 0.5 in the deploy pipeline (between Secret Hygiene and Syntax). |
-| `cm-test-gate`    | INTEGRATED: `test:security` script pattern uses Snyk + Aikido CLI for automated scanning in the test suite. |
-| `cm-continuity`   | MEMORY: Records discovered vulnerabilities and fixes into working memory. |
-| `cm-notebooklm`   | LONG-TERM MEMORY: Syncs critical security lessons to the permanent cloud AI brain. |
+## Migration
 
-## The Bottom Line
+```bash
+# Old:           cm <use this skill>
+# New (v6.0+):   cm safe-deploy <equivalent action>
+```
 
-**Scan before deploy. Remediate before release. Memorize before repeating. Non-negotiable.**
+If you depend on a capability that didn't carry over, please file an issue:
+https://github.com/tody-agent/codymaster/issues

package/skills/cm-skill-health/SKILL.archive.md

@@ -0,0 +1,83 @@
+---
+name: cm-skill-health
+description: "Operational health review for CodyMaster skills using current repo signals: validate-skills, suggest, retro logs, memory, and test gates."
+---
+
+# cm-skill-health
+
+Use this skill when a CodyMaster skill feels stale, misleading, unreliable, or under-documented.
+
+## What it checks
+
+1. Discovery drift
+   - Is the skill present in `skills/`, docs indexes, profiles, and README surfaces?
+2. Invocation friction
+   - Does `cm suggest` point users to the skill when the task matches?
+3. Operational evidence
+   - Are there recurring failures or learnings in `.cm/operational-learnings.jsonl`?
+4. Contract health
+   - Does the skill reference commands, files, or paths that still exist?
+5. Release safety
+   - Does the repo still pass `npm run validate:skills`, `npm run check:skills`, and the test gate?
+
+## Workflow
+
+1. Confirm the symptom.
+   - Missing from docs
+   - Missing from profiles
+   - Broken references inside `SKILL.md`
+   - Repeated runtime pain in retro notes
+2. Compare the live skill against:
+   - `docs/skills/index.md`
+   - `skills/profiles/full.txt`
+   - `README.md`
+   - related changelog promises
+3. Scan evidence sources.
+   - `cm advisory handoff --for cm-skill-health`
+   - `cm suggest --project .`
+   - `cm retro summary --project .`
+   - `.cm/CONTINUITY.md`
+   - `rg` over `skills/`, `docs/`, and `src/`
+4. Score the issue.
+   - `healthy`: discoverable, accurate, references valid
+   - `degraded`: present but misleading or inconsistent
+   - `broken`: missing, invalid, or unusable
+5. Hand off to:
+   - `cm-skill-evolution` to repair or derive the next version
+
+## Output
+
+Produce a short health note:
+
+```md
+## Skill Health
+- Skill: cm-...
+- Status: healthy | degraded | broken
+- Symptoms: ...
+- Evidence: ...
+- Recovery path: FIX | DERIVED | CAPTURED
+```
+
+Preferred input contract:
+
+```md
+## Advisory Handoff
+- Consumer: cm-skill-health
+- Skill: cm-...
+- Recovery path: FIX | DERIVED | CAPTURED | NONE
+- Confidence: 0.xx
+- Source analysis: EA-...
+- Task: ...
+- Status: completed | partial | failed
+- Evidence: ...
+- Selected skills: ...
+- Target skills: ...
+- Quality weight: 0.xx
+- Next step: ...
+```
+
+## Red flags
+
+- Do not claim metric dashboards or automatic scoring unless the repo actually implements them.
+- Do not treat README marketing copy as proof that a skill exists.
+- Do not evolve the skill before identifying whether the problem is docs drift, packaging drift, or missing implementation.

package/skills/cm-skill-health/SKILL.md

@@ -1,83 +1,26 @@
 ---
 name: cm-skill-health
-description: "Operational health review for CodyMaster skills using current repo signals: validate-skills, suggest, retro logs, memory, and test gates."
+description: "[Deprecated] skill lifecycle merged. Use `cm-skill-evolution` instead."
+deprecated: true
+merged_into: cm-skill-evolution
 ---
 
-# cm-skill-health
+# cm-skill-health — Deprecated
 
-Use this skill when a CodyMaster skill feels stale, misleading, unreliable, or under-documented.
+> ⚠️ This skill is deprecated as of CodyMaster v6.0.0 and will be removed in v6.1.0.
+>
+> **Use `cm-skill-evolution` instead.** skill lifecycle merged.
+>
+> See [docs/migration-v2.md](../../docs/migration-v2.md) for the full mapping.
 
-## What it checks
+The original content is preserved at [SKILL.archive.md](SKILL.archive.md) for reference.
 
-1. Discovery drift
-   - Is the skill present in `skills/`, docs indexes, profiles, and README surfaces?
-2. Invocation friction
-   - Does `cm suggest` point users to the skill when the task matches?
-3. Operational evidence
-   - Are there recurring failures or learnings in `.cm/operational-learnings.jsonl`?
-4. Contract health
-   - Does the skill reference commands, files, or paths that still exist?
-5. Release safety
-   - Does the repo still pass `npm run validate:skills`, `npm run check:skills`, and the test gate?
+## Migration
 
-## Workflow
-
-1. Confirm the symptom.
-   - Missing from docs
-   - Missing from profiles
-   - Broken references inside `SKILL.md`
-   - Repeated runtime pain in retro notes
-2. Compare the live skill against:
-   - `docs/skills/index.md`
-   - `skills/profiles/full.txt`
-   - `README.md`
-   - related changelog promises
-3. Scan evidence sources.
-   - `cm advisory handoff --for cm-skill-health`
-   - `cm suggest --project .`
-   - `cm retro summary --project .`
-   - `.cm/CONTINUITY.md`
-   - `rg` over `skills/`, `docs/`, and `src/`
-4. Score the issue.
-   - `healthy`: discoverable, accurate, references valid
-   - `degraded`: present but misleading or inconsistent
-   - `broken`: missing, invalid, or unusable
-5. Hand off to:
-   - `cm-skill-evolution` to repair or derive the next version
-
-## Output
-
-Produce a short health note:
-
-```md
-## Skill Health
-- Skill: cm-...
-- Status: healthy | degraded | broken
-- Symptoms: ...
-- Evidence: ...
-- Recovery path: FIX | DERIVED | CAPTURED
+```bash
+# Old:           cm <use this skill>
+# New (v6.0+):   cm skill-evolution <equivalent action>
 ```
 
-Preferred input contract:
-
-```md
-## Advisory Handoff
-- Consumer: cm-skill-health
-- Skill: cm-...
-- Recovery path: FIX | DERIVED | CAPTURED | NONE
-- Confidence: 0.xx
-- Source analysis: EA-...
-- Task: ...
-- Status: completed | partial | failed
-- Evidence: ...
-- Selected skills: ...
-- Target skills: ...
-- Quality weight: 0.xx
-- Next step: ...
-```
-
-## Red flags
-
-- Do not claim metric dashboards or automatic scoring unless the repo actually implements them.
-- Do not treat README marketing copy as proof that a skill exists.
-- Do not evolve the skill before identifying whether the problem is docs drift, packaging drift, or missing implementation.
+If you depend on a capability that didn't carry over, please file an issue:
+https://github.com/tody-agent/codymaster/issues