opencode-skills-collection 1.0.172 → 1.0.174

package/bundled-skills/.antigravity-install-manifest.json

@@ -1,6 +1,6 @@
 {
   "schemaVersion": 1,
-  "updatedAt": "2026-04-06T16:51:24.943Z",
+  "updatedAt": "2026-04-06T19:03:24.029Z",
   "entries": [
     "00-andruia-consultant",
     "007",
@@ -625,6 +625,7 @@
     "gitlab-automation",
     "gitlab-ci-patterns",
     "gitops-workflow",
+    "global-chat-agent-discovery",
     "gmail-automation",
     "go-concurrency-patterns",
     "go-playwright",
@@ -851,6 +852,7 @@
     "multi-advisor",
     "multi-agent-brainstorming",
     "multi-agent-patterns",
+    "multi-agent-task-orchestrator",
     "multi-cloud-architecture",
     "multi-platform-apps-multi-platform",
     "n8n-code-javascript",
@@ -995,6 +997,7 @@
     "prompt-engineering",
     "prompt-engineering-patterns",
     "prompt-library",
+    "protect-mcp-governance",
     "protocol-reverse-engineering",
     "pubmed-database",
     "pydantic-ai",
@@ -1005,6 +1008,7 @@
     "python-packaging",
     "python-patterns",
     "python-performance-optimization",
+    "python-pptx-generator",
     "python-pro",
     "python-testing-patterns",
     "qiskit",
@@ -1228,6 +1232,7 @@
     "team-collaboration-issue",
     "team-collaboration-standup-notes",
     "team-composition-analysis",
+    "technical-change-tracker",
     "telegram",
     "telegram-automation",
     "telegram-bot-builder",

package/bundled-skills/docs/integrations/jetski-cortex.md

@@ -1,9 +1,9 @@
 ---
 title: Jetski/Cortex + Gemini Integration Guide
-description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1.372+ skills."
+description: "Use antigravity-awesome-skills with Jetski/Cortex without hitting context-window overflow with 1.377+ skills."
 ---
 
-# Jetski/Cortex + Gemini: safe integration with 1,1.372+ skills
+# Jetski/Cortex + Gemini: safe integration with 1,1.377+ skills
 
 This guide shows how to integrate the `antigravity-awesome-skills` repository with an agent based on **Jetski/Cortex + Gemini** (or similar frameworks) **without exceeding the model context window**.
 
@@ -23,7 +23,7 @@ Never do:
 - concatenate all `SKILL.md` content into a single system prompt;
 - re-inject the entire library for **every** request.
 
-With over 1,1.372 skills, this approach fills the context window before user messages are even added, causing truncation.
+With over 1,1.377 skills, this approach fills the context window before user messages are even added, causing truncation.
 
 ---
 

package/bundled-skills/docs/integrations/jetski-gemini-loader/README.md

@@ -20,7 +20,7 @@ This example shows one way to integrate **antigravity-awesome-skills** with a Je
 - How to enforce a **maximum number of skills per turn** via `maxSkillsPerTurn`.
 - How to choose whether to **truncate or error** when too many skills are requested via `overflowBehavior`.
 
-This pattern avoids context overflow when you have 1,372+ skills installed.
+This pattern avoids context overflow when you have 1,377+ skills installed.
 
 ---
 

package/bundled-skills/docs/maintainers/repo-growth-seo.md

@@ -6,7 +6,7 @@ This document keeps the repository's GitHub-facing discovery copy aligned with t
 
 Preferred positioning:
 
-> Installable GitHub library of 1,372+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
+> Installable GitHub library of 1,377+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and other AI coding assistants.
 
 Key framing:
 
@@ -20,7 +20,7 @@ Key framing:
 
 Preferred description:
 
-> Installable GitHub library of 1,372+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
+> Installable GitHub library of 1,377+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.
 
 Preferred homepage:
 
@@ -28,7 +28,7 @@ Preferred homepage:
 
 Preferred social preview:
 
-- use a clean preview image that says `1,372+ Agentic Skills`;
+- use a clean preview image that says `1,377+ Agentic Skills`;
 - mention Claude Code, Cursor, Codex CLI, and Gemini CLI;
 - avoid dense text and tiny logos that disappear in social cards.
 

package/bundled-skills/docs/maintainers/skills-update-guide.md

@@ -69,7 +69,7 @@ For manual updates, you need:
 The update process refreshes:
 - Skills index (`skills_index.json`)
 - Web app skills data (`apps\web-app\public\skills.json`)
-- All 1,372+ skills from the skills directory
+- All 1,377+ skills from the skills directory
 
 ## When to Update
 

package/bundled-skills/docs/users/bundles.md

@@ -673,4 +673,4 @@ Found a skill that should be in a bundle? Or want to create a new bundle? [Open
 
 ---
 
-_Last updated: March 2026 | Total Skills: 1,372+ | Total Bundles: 37_
+_Last updated: March 2026 | Total Skills: 1,377+ | Total Bundles: 37_

package/bundled-skills/docs/users/claude-code-skills.md

@@ -12,7 +12,7 @@ Install the library into Claude Code, then invoke focused skills directly in the
 
 ## Why use this repo for Claude Code
 
-- It includes 1,372+ skills instead of a narrow single-domain starter pack.
+- It includes 1,377+ skills instead of a narrow single-domain starter pack.
 - It supports the standard `.claude/skills/` path and the Claude Code plugin marketplace flow.
 - It also ships generated bundle plugins so teams can install focused packs like `Essentials` or `Security Developer` from the marketplace metadata.
 - It includes onboarding docs, bundles, and workflows so new users do not need to guess where to begin.

package/bundled-skills/docs/users/gemini-cli-skills.md

@@ -12,7 +12,7 @@ Install into the Gemini skills path, then ask Gemini to apply one skill at a tim
 
 - It installs directly into the expected Gemini skills path.
 - It includes both core software engineering skills and deeper agent/LLM-oriented skills.
-- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,372+ files.
+- It helps new users get started with bundles and workflows rather than forcing a cold start from 1,377+ files.
 - It is useful whether you want a broad internal skill library or a single repo to test many workflows quickly.
 
 ## Install Gemini CLI Skills

package/bundled-skills/docs/users/getting-started.md

@@ -1,4 +1,4 @@
-# Getting Started with Antigravity Awesome Skills (V9.7.0)
+# Getting Started with Antigravity Awesome Skills (V9.8.0)
 
 **New here? This guide will help you supercharge your AI Agent in 5 minutes.**
 

package/bundled-skills/docs/users/kiro-integration.md

@@ -18,7 +18,7 @@ Kiro is AWS's agentic AI IDE that combines:
 
 Kiro's agentic capabilities are enhanced by skills that provide:
 
-- **Domain expertise** across 1,372+ specialized areas
+- **Domain expertise** across 1,377+ specialized areas
 - **Best practices** from Anthropic, OpenAI, Google, Microsoft, and AWS
 - **Workflow automation** for common development tasks
 - **AWS-specific patterns** for serverless, infrastructure, and cloud architecture

package/bundled-skills/docs/users/usage.md

@@ -14,7 +14,7 @@ If you came in through a **Claude Code** or **Codex** plugin instead of a full l
 
 When you ran `npx antigravity-awesome-skills` or cloned the repository, you:
 
-✅ **Downloaded 1,372+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)  
+✅ **Downloaded 1,377+ skill files** to your computer (default: `~/.gemini/antigravity/skills/`; or a custom path like `~/.agent/skills/` if you used `--path`)  
 ✅ **Made them available** to your AI assistant  
 ❌ **Did NOT enable them all automatically** (they're just sitting there, waiting)
 
@@ -34,7 +34,7 @@ Bundles are **curated groups** of skills organized by role. They help you decide
 
 **Analogy:**
 
-- You installed a toolbox with 1,372+ tools (✅ done)
+- You installed a toolbox with 1,377+ tools (✅ done)
 - Bundles are like **labeled organizer trays** saying: "If you're a carpenter, start with these 10 tools"
 - You can either **pick skills from the tray** or install that tray as a focused marketplace bundle plugin
 
@@ -212,7 +212,7 @@ Let's actually use a skill right now. Follow these steps:
 
 ## Step 5: Picking Your First Skills (Practical Advice)
 
-Don't try to use all 1,372+ skills at once. Here's a sensible approach:
+Don't try to use all 1,377+ skills at once. Here's a sensible approach:
 
 If you want a tool-specific starting point before choosing skills, use:
 
@@ -343,7 +343,7 @@ Usually no, but if your AI doesn't recognize a skill:
 
 ### "Can I load all skills into the model at once?"
 
-No. Even though you have 1,372+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
+No. Even though you have 1,377+ skills installed locally, you should **not** concatenate every `SKILL.md` into a single system prompt or context block.
 
 The intended pattern is:
 

package/bundled-skills/docs/users/visual-guide.md

@@ -34,7 +34,7 @@ antigravity-awesome-skills/
 ├── 📄 CONTRIBUTING.md                  ← Contributor workflow
 ├── 📄 CATALOG.md                       ← Full generated catalog
 │
-├── 📁 skills/                          ← 1,372+ skills live here
+├── 📁 skills/                          ← 1,377+ skills live here
 │   │
 │   ├── 📁 brainstorming/
 │   │   └── 📄 SKILL.md                 ← Skill definition
@@ -47,7 +47,7 @@ antigravity-awesome-skills/
 │   │   └── 📁 2d-games/
 │   │       └── 📄 SKILL.md             ← Nested skills also supported
 │   │
-│   └── ... (1,372+ total)
+│   └── ... (1,377+ total)
 │
 ├── 📁 apps/
 │   └── 📁 web-app/                     ← Interactive browser
@@ -100,7 +100,7 @@ antigravity-awesome-skills/
 
 ```
                     ┌─────────────────────────┐
-                    │  1,372+ SKILLS          │
+                    │  1,377+ SKILLS          │
                     └────────────┬────────────┘
                                  │
         ┌────────────────────────┼────────────────────────┐
@@ -201,7 +201,7 @@ If you want a workspace-style manual install instead, cloning into `.agent/skill
 │   ├── 📁 brainstorming/                 │
 │   ├── 📁 stripe-integration/            │
 │   ├── 📁 react-best-practices/          │
-│   └── ... (1,372+ total)                │
+│   └── ... (1,377+ total)                │
 └─────────────────────────────────────────┘
 ```
 

package/bundled-skills/global-chat-agent-discovery/SKILL.md

@@ -0,0 +1,119 @@
+---
+name: global-chat-agent-discovery
+description: "Discover and search 18K+ MCP servers and AI agents across 6+ registries using Global Chat's cross-protocol directory and MCP server."
+category: development
+risk: safe
+source: community
+source_repo: pumanitro/global-chat
+source_type: community
+date_added: "2026-04-06"
+author: pumanitro
+tags: [mcp, ai-agents, agent-discovery, agents-txt, a2a, developer-tools]
+tools: [claude, cursor, gemini, codex]
+---
+
+# Global Chat Agent Discovery
+
+## Overview
+
+Global Chat is a cross-protocol AI agent discovery platform that aggregates MCP servers and AI agents from 6+ registries into a single searchable directory. This skill helps you find the right MCP server, A2A agent, or agents.txt endpoint for any task by searching across 18,000+ indexed entries. It also provides an MCP server (`@global-chat/mcp-server`) for programmatic access to the directory from any MCP-compatible client.
+
+## When to Use This Skill
+
+- Use when you need to find an MCP server for a specific capability (e.g., database access, file conversion, API integration)
+- Use when evaluating which agent registries carry tools for your use case
+- Use when you want to search across multiple protocols (MCP, A2A, agents.txt) simultaneously
+- Use when setting up agent-to-agent communication and need to discover available endpoints
+
+## How It Works
+
+### Option 1: Use the MCP Server (Recommended for Agents)
+
+Install the Global Chat MCP server to search the directory programmatically from Claude Code, Cursor, or any MCP client.
+
+```bash
+npm install -g @global-chat/mcp-server
+```
+
+Add to your MCP client configuration:
+
+```json
+{
+  "mcpServers": {
+    "global-chat": {
+      "command": "npx",
+      "args": ["-y", "@global-chat/mcp-server"]
+    }
+  }
+}
+```
+
+Then ask your agent to search for tools:
+
+```
+Search Global Chat for MCP servers that handle PostgreSQL database queries.
+```
+
+### Option 2: Use the Web Directory
+
+Browse the full directory at [https://global-chat.io](https://global-chat.io):
+
+1. Visit the search page and enter your query
+2. Filter by protocol (MCP, A2A, agents.txt)
+3. Filter by registry source
+4. View server details, capabilities, and installation instructions
+
+### Option 3: Validate Your agents.txt
+
+If you maintain an `agents.txt` file, use the free validator:
+
+1. Go to [https://global-chat.io/validate](https://global-chat.io/validate)
+2. Enter your domain or paste your agents.txt content
+3. Get instant feedback on format compliance and discoverability
+
+## Examples
+
+### Example 1: Find MCP Servers for a Task
+
+```
+You: "Find MCP servers that can convert PDF files to text"
+Agent (via Global Chat MCP): Searching across 6 registries...
+  - @anthropic/pdf-tools (mcpservers.org) — PDF parsing and text extraction
+  - pdf-converter-mcp (mcp.so) — Convert PDF to text, markdown, or HTML
+  - ...
+```
+
+### Example 2: Discover A2A Agents
+
+```
+You: "What A2A agents are available for code review?"
+Agent (via Global Chat MCP): Found 12 A2A agents for code review across 3 registries...
+```
+
+### Example 3: Check Agent Protocol Coverage
+
+```
+You: "How many registries list tools for Kubernetes management?"
+Agent (via Global Chat MCP): 4 registries carry Kubernetes-related agents (23 total entries)...
+```
+
+## Best Practices
+
+- Use the MCP server for automated workflows and agent-to-agent discovery
+- Use the web directory for manual exploration and comparison
+- Validate your agents.txt before publishing to ensure maximum discoverability
+- Check multiple registries — coverage varies significantly by domain
+
+## Common Pitfalls
+
+- **Problem:** Search returns too many results
+  **Solution:** Add protocol or registry filters to narrow the scope
+
+- **Problem:** MCP server not connecting
+  **Solution:** Ensure `npx` is available and run `npx -y @global-chat/mcp-server` manually first to verify
+
+## Related Skills
+
+- `@mcp-client` - For general MCP client setup and configuration
+- `@agent-orchestration-multi-agent-optimize` - For orchestrating multiple discovered agents
+- `@agent-memory-mcp` - For persisting discovered agent information across sessions

package/bundled-skills/multi-agent-task-orchestrator/SKILL.md

@@ -0,0 +1,157 @@
+---
+name: multi-agent-task-orchestrator
+description: "Route tasks to specialized AI agents with anti-duplication, quality gates, and 30-minute heartbeat monitoring"
+category: agent-orchestration
+risk: safe
+source: community
+source_repo: milkomida77/guardian-agent-prompts
+source_type: community
+date_added: "2026-04-09"
+author: milkomida77
+tags: [multi-agent, orchestration, task-routing, quality-gates, anti-duplication]
+tools: [claude, cursor, gemini]
+---
+
+# Multi-Agent Task Orchestrator
+
+## Overview
+
+A production-tested pattern for coordinating multiple AI agents through a single orchestrator. Instead of letting agents work independently (and conflict), one orchestrator decomposes tasks, routes them to specialists, prevents duplicate work, and verifies results before marking anything done. Battle-tested across 10,000+ tasks over 6 months.
+
+## When to Use This Skill
+
+- Use when you have 3+ specialized agents that need to coordinate on complex tasks
+- Use when agents are doing duplicate or conflicting work
+- Use when you need audit trails showing who did what and when
+- Use when agent output quality is inconsistent and needs verification gates
+
+## How It Works
+
+### Step 1: Define the Orchestrator Identity
+
+The orchestrator must know what it IS and what it IS NOT. This prevents it from doing work instead of delegating:
+
+```
+You are the Task Orchestrator. You NEVER do specialized work yourself.
+You decompose tasks, delegate to the right agent, prevent conflicts,
+and verify quality before marking anything done.
+
+WHAT YOU ARE NOT:
+- NOT a code writer — delegate to code agents
+- NOT a researcher — delegate to research agents
+- NOT a tester — delegate to test agents
+```
+
+This "NOT-block" pattern reduces task drift by ~35% in production.
+
+### Step 2: Build a Task Registry
+
+Before assigning work, check if anyone is already doing this task:
+
+```python
+import sqlite3
+from difflib import SequenceMatcher
+
+def check_duplicate(description, threshold=0.55):
+    conn = sqlite3.connect("task_registry.db")
+    c = conn.cursor()
+    c.execute("SELECT id, description, agent, status FROM tasks WHERE status IN ('pending', 'in_progress')")
+    for row in c.fetchall():
+        ratio = SequenceMatcher(None, description.lower(), row[1].lower()).ratio()
+        if ratio >= threshold:
+            return {"id": row[0], "description": row[1], "agent": row[2]}
+    return None
+```
+
+### Step 3: Route Tasks to Specialists
+
+Use keyword scoring to match tasks to the best agent:
+
+```python
+AGENTS = {
+    "code-architect": ["code", "implement", "function", "bug", "fix", "refactor", "api"],
+    "security-reviewer": ["security", "vulnerability", "audit", "cve", "injection"],
+    "researcher": ["research", "compare", "analyze", "benchmark", "evaluate"],
+    "doc-writer": ["document", "readme", "explain", "tutorial", "guide"],
+    "test-engineer": ["test", "coverage", "unittest", "pytest", "spec"],
+}
+
+def route_task(description):
+    scores = {}
+    for agent, keywords in AGENTS.items():
+        scores[agent] = sum(1 for kw in keywords if kw in description.lower())
+    return max(scores, key=scores.get) if max(scores.values()) > 0 else "code-architect"
+```
+
+### Step 4: Enforce Quality Gates
+
+Agent output is a CLAIM. Test output is EVIDENCE.
+
+```
+After agent reports completion:
+1. Were files actually modified? (git diff --stat)
+2. Do tests pass? (npm test / pytest)
+3. Were secrets introduced? (grep for API keys, tokens)
+4. Did the build succeed? (npm run build)
+5. Were only intended files touched? (scope check)
+
+Mark done ONLY after ALL checks pass.
+```
+
+### Step 5: Run 30-Minute Heartbeats
+
+```
+Every 30 minutes, ask:
+1. "What have I DELEGATED in the last 30 minutes?"
+2. If nothing → open the task backlog and assign the next task
+3. Check for idle agents (no message in >30min on assigned task)
+4. Relance idle agents or reassign their tasks
+```
+
+## Examples
+
+### Example 1: Delegating a Code Task
+
+```
+[ORCHESTRATOR -> code-architect] TASK: Add rate limiting to /api/users
+SCOPE: src/middleware/rate-limit.ts only
+VERIFICATION: npm test -- --grep "rate-limit"
+DEADLINE: 30 minutes
+```
+
+### Example 2: Handling a Duplicate
+
+```
+User asks: "Fix the login bug"
+Registry check: Task #47 "Fix authentication bug" is IN_PROGRESS by security-reviewer
+Decision: SKIP — similar task already assigned (78% match)
+Action: Notify user of existing task, wait for completion
+```
+
+## Best Practices
+
+- Always define NOT-blocks for every agent (what they must refuse to do)
+- Use SQLite for the task registry (lightweight, no server needed)
+- Set similarity threshold at 55% for anti-duplication (lower = too many false positives)
+- Require evidence-based quality gates (not just agent claims)
+- Log every delegation with: task ID, agent, scope, deadline, verification command
+
+## Common Pitfalls
+
+- **Problem:** Orchestrator starts doing work instead of delegating
+  **Solution:** Add explicit NOT-blocks and role boundaries
+
+- **Problem:** Two agents modify the same file simultaneously
+  **Solution:** Task registry with file-level locking and queue system
+
+- **Problem:** Agent claims "done" without actual changes
+  **Solution:** Quality gate checks git diff before accepting completion
+
+- **Problem:** Tasks pile up without progress
+  **Solution:** 30-minute heartbeat catches stale assignments and reassigns
+
+## Related Skills
+
+- `@code-review` - For reviewing code changes after delegation
+- `@test-driven-development` - For ensuring quality in agent output
+- `@project-management` - For tracking multi-agent project progress

package/bundled-skills/protect-mcp-governance/SKILL.md

@@ -0,0 +1,286 @@
+---
+name: protect-mcp-governance
+description: "Agent governance skill for MCP tool calls — Cedar policy authoring, shadow-to-enforce rollout, and Ed25519 receipt verification."
+risk: safe
+source: community
+source_repo: scopeblind/scopeblind-gateway
+source_type: official
+date_added: "2026-04-05"
+---
+
+# MCP Agent Governance with protect-mcp
+
+## Overview
+
+Guidance for governing AI agent tool calls using Cedar policies and Ed25519 signed receipts. This skill teaches how to write access-control policies for MCP servers, run them in shadow mode for observation, and verify the cryptographic audit trail.
+
+## When to Use This Skill
+
+- Use when you need to control which MCP tools an agent can call and under what conditions
+- Use when you want a tamper-evident audit trail for agent tool executions
+- Use when rolling out governance policies gradually (shadow mode first, then enforce)
+- Use when authoring Cedar policies for MCP tool access control
+- Use when verifying that a receipt or audit bundle has not been tampered with
+
+## Do Not Use This Skill
+
+- When you need general application security auditing (use `@security-auditor`)
+- When you need to scan code for vulnerabilities (use `@security-audit`)
+- When you need compliance framework guidance without agent-specific governance
+
+## How It Works
+
+protect-mcp intercepts MCP tool calls, evaluates them against Cedar policies (the same policy engine used by AWS Verified Permissions), and signs every decision as an Ed25519 receipt. The receipt is a cryptographic proof that a specific policy was evaluated against a specific tool call at a specific time.
+
+```
+Agent → protect-mcp → Cedar policy evaluation → MCP Server
+                ↓
+        Ed25519 signed receipt
+```
+
+Three modes of operation:
+
+1. **Shadow mode** (default) — logs decisions without blocking. Use this to observe what your policies would do before enforcing them.
+2. **Enforce mode** — blocks tool calls that violate policy. Use after shadow-mode validation.
+3. **Hooks mode** — integrates with Claude Code hooks for pre/post tool-call governance.
+
+## Core Concepts
+
+### Cedar Policies
+
+Cedar is a policy language designed for authorization. Policies are evaluated locally via WASM — no network calls required.
+
+```cedar
+// Allow read-only file operations
+permit(
+  principal,
+  action == Action::"call_tool",
+  resource
+) when {
+  resource.tool_name in ["read_file", "list_directory", "search_files"]
+};
+
+// Deny destructive operations
+forbid(
+  principal,
+  action == Action::"call_tool",
+  resource
+) when {
+  resource.tool_name in ["execute_command", "delete_file", "write_file"]
+  && resource has args
+  && resource.args.contains("rm -rf")
+};
+```
+
+### Signed Receipts
+
+Every policy decision produces a signed receipt:
+
+```json
+{
+  "payload": {
+    "type": "protectmcp:decision",
+    "tool_name": "read_file",
+    "decision": "allow",
+    "policy_digest": "sha256:9d0fd4c9e72c1d5d",
+    "issued_at": "2026-04-05T14:32:04.102Z",
+    "issuer_id": "sb:issuer:de073ae64e43"
+  },
+  "signature": {
+    "alg": "EdDSA",
+    "kid": "sb:issuer:de073ae64e43",
+    "sig": "2a3b5022..."
+  }
+}
+```
+
+The receipt format follows [IETF Internet-Draft draft-farley-acta-signed-receipts](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/).
+
+## Step-by-Step Guide
+
+### 1. Initialize Governance for a Project
+
+```bash
+# Install and initialize hooks (Claude Code integration)
+npx protect-mcp init-hooks
+
+# Or run as a standalone MCP gateway
+npx protect-mcp serve
+```
+
+This creates a `protect-mcp.config.json` and a starter Cedar policy in your project root.
+
+### 2. Write Your First Policy
+
+Create `policy.cedar` in your project:
+
+```cedar
+// Start permissive — allow everything in shadow mode
+permit(
+  principal,
+  action == Action::"call_tool",
+  resource
+);
+```
+
+### 3. Run in Shadow Mode (Observe First)
+
+```bash
+# Shadow mode is the default — logs decisions without blocking
+npx protect-mcp --policy policy.cedar -- node your-mcp-server.js
+```
+
+Review the shadow log to understand what your agent is doing before writing restrictive policies.
+
+### 4. Tighten and Enforce
+
+Once you understand the tool-call patterns, write specific policies:
+
+```cedar
+// Allow file reads, deny writes outside src/
+permit(
+  principal,
+  action == Action::"call_tool",
+  resource
+) when {
+  resource.tool_name == "read_file"
+};
+
+permit(
+  principal,
+  action == Action::"call_tool",
+  resource
+) when {
+  resource.tool_name == "write_file"
+  && resource has args
+  && resource.args.path like "src/*"
+};
+
+// Deny everything else
+forbid(
+  principal,
+  action == Action::"call_tool",
+  resource
+);
+```
+
+Switch to enforce mode:
+
+```bash
+npx protect-mcp --policy policy.cedar --enforce -- node your-mcp-server.js
+```
+
+### 5. Verify Receipts
+
+```bash
+# Verify a single receipt
+npx @veritasacta/verify receipt.json --key <public-key-hex>
+
+# Verify an audit bundle (multiple receipts + keys)
+npx @veritasacta/verify bundle.json --bundle
+
+# Self-test the verifier (proves it works offline)
+npx @veritasacta/verify --self-test
+```
+
+Exit codes: `0` = signature valid (proven authentic), `1` = signature invalid (proven tampered), `2` = verifier error (malformed input).
+
+## Examples
+
+### Example 1: Governance for a Claude Code Session
+
+```bash
+# Initialize hooks
+npx protect-mcp init-hooks
+
+# Claude Code now generates a signed receipt for every tool call.
+# Receipts are stored in .protect-mcp/receipts/
+```
+
+**Explanation:** After initialization, every tool call Claude Code makes is logged with a signed receipt. No tool calls are blocked (shadow mode).
+
+### Example 2: Restrict a Production MCP Server
+
+```cedar
+// Only allow approved tools with rate limiting
+permit(
+  principal,
+  action == Action::"call_tool",
+  resource
+) when {
+  resource.tool_name in [
+    "get_customer",
+    "search_orders",
+    "list_products"
+  ]
+};
+
+forbid(
+  principal,
+  action == Action::"call_tool",
+  resource
+) when {
+  resource.tool_name in [
+    "delete_customer",
+    "modify_payment",
+    "execute_sql"
+  ]
+};
+```
+
+**Explanation:** A production MCP server that serves customer data. Read-only operations are permitted; destructive operations are blocked.
+
+### Example 3: Verify an Audit Bundle After an Incident
+
+```bash
+# Export the session's audit bundle
+npx protect-mcp export-bundle --session sess_abc123 --out audit.json
+
+# Verify every receipt in the bundle
+npx @veritasacta/verify audit.json --bundle
+
+# Expected output:
+# ✓ Bundle: VALID
+#   Total:    47
+#   Passed:   47
+#   Failed:   0
+```
+
+**Explanation:** After an incident, export the audit bundle and verify that no receipts have been tampered with. The bundle contains all receipts from the session plus the signing keys needed for verification.
+
+## Best Practices
+
+- ✅ **Do:** Start in shadow mode and observe before enforcing
+- ✅ **Do:** Use `policy_digest` to track which policy version produced each decision
+- ✅ **Do:** Store receipts alongside your application logs for correlation
+- ✅ **Do:** Pin the verifier version when integrating into CI (`@veritasacta/verify@0.2.5`)
+- ❌ **Don't:** Skip shadow mode and go straight to enforce in production
+- ❌ **Don't:** Trust `claimed_issuer_tier` without independent verification
+- ❌ **Don't:** Treat a valid signature as proof the signer is trustworthy — it only proves the receipt has not been tampered with since signing
+
+## Troubleshooting
+
+### Problem: Receipts fail verification with `no_public_key`
+**Symptoms:** `npx @veritasacta/verify receipt.json` returns exit 2 with `no_public_key`
+**Solution:** Provide the public key explicitly: `--key <64 hex chars>`. The receipt does not embed the public key by default. Check `protect-mcp.config.json` for the issuer's public key.
+
+### Problem: Shadow mode shows unexpected denials
+**Symptoms:** Shadow log shows `deny` decisions for tools you expected to be allowed
+**Solution:** Check your Cedar policy ordering. Cedar evaluates `forbid` rules before `permit` rules — a broad `forbid` will override specific `permit` rules.
+
+### Problem: Enforce mode blocks a legitimate tool call
+**Symptoms:** Agent reports a tool call was denied after switching to enforce mode
+**Solution:** Add the tool to your permit policy or switch back to shadow mode: remove `--enforce` flag. Review the receipt's `deny_reason` field for the specific policy violation.
+
+## Related Skills
+
+- `@security-auditor` — General security auditing and compliance
+- `@security-audit` — Code vulnerability scanning
+- `@mcp-development` — MCP server development patterns
+
+## Additional Resources
+
+- [protect-mcp on npm](https://www.npmjs.com/package/protect-mcp) — MIT licensed
+- [Cedar Policy Language](https://www.cedarpolicy.com/) — AWS open-source policy engine
+- [IETF Draft: Signed Receipts](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) — Receipt format specification
+- [@veritasacta/verify](https://www.npmjs.com/package/@veritasacta/verify) — Apache-2.0 verifier, works offline

package/bundled-skills/python-pptx-generator/README.md

@@ -0,0 +1,22 @@
+# Python PPTX Generator
+
+## Description
+An agent skill designed to generate complete, runnable Python scripts that build professional PowerPoint presentations using the `python-pptx` library. It transforms a simple topic request into a fully coded slide deck.
+
+## System Prompt
+You are an expert Python Developer and Executive Presentation Designer. Your objective is to write complete, error-free Python scripts using the `python-pptx` library to generate PowerPoint presentations. You do not just write code; you also generate the actual educational or business content for the slides based on the user's topic.
+
+## Rules
+1. **Library Constraint:** You must strictly use the `python-pptx` library. Assume the user will run `pip install python-pptx`.
+2. **No Placeholders:** Never use filler text like "Insert text here" or "Lorem Ipsum." You must write actual, context-relevant bullet points for the presentation.
+3. **Layout Standards:** Always utilize standard layouts (e.g., `prs.slide_layouts[0]` for Title slides, `prs.slide_layouts[1]` for Title & Content).
+4. **Self-Contained Execution:** The script must import all necessary modules, create the presentation, populate the slides, save the file (e.g., `prs.save("output.pptx")`), and print a terminal success message.
+
+## Workflow
+1. **Intake:** Ask the user for the presentation topic, target audience, and desired number of slides if not provided.
+2. **Content Structuring:** Silently draft the narrative arc (Title, Agenda, Main Points, Conclusion).
+3. **Script Generation:** Output the final Python script inside a standard python code block.
+
+## Example Usage
+**User:** Create a 5-slide presentation on the basics of Machine Learning for a high school class.
+**Agent:** [Generates the full Python script containing the content and `python-pptx` logic to build those 5 slides].

package/bundled-skills/python-pptx-generator/SKILL.md

@@ -0,0 +1,106 @@
+---
+name: python-pptx-generator
+description: "Generate complete Python scripts that build polished PowerPoint decks with python-pptx and real slide content."
+category: development
+risk: safe
+source: self
+source_type: self
+date_added: "2026-04-06"
+author: spideyashith
+tags: [python, powerpoint, python-pptx, presentations, slide-decks]
+tools: [claude, cursor, gemini, codex]
+---
+
+# Python PPTX Generator
+
+## Overview
+
+Use this skill when the user wants a ready-to-run Python script that creates a PowerPoint presentation with `python-pptx`.
+It focuses on turning a topic brief into a complete slide deck script with real slide content, sensible structure, and a working save step.
+
+## When to Use This Skill
+
+- Use when the user wants a Python script that generates a `.pptx` file automatically
+- Use when the user needs slide content drafted and encoded directly into `python-pptx`
+- Use when the user wants a quick presentation generator for demos, classes, or internal briefings
+
+## How It Works
+
+### Step 1: Collect the Deck Brief
+
+Ask for the topic, audience, tone, and target number of slides if the request does not already include them.
+If constraints are missing, pick conservative defaults and state them in the generated script comments.
+
+### Step 2: Plan the Narrative Arc
+
+Outline the deck before writing code:
+
+1. Title slide
+2. Agenda or context
+3. Core teaching or business points
+4. Summary or next steps
+
+Keep the slide count realistic for the requested audience and avoid filler slides.
+
+### Step 3: Generate the Python Script
+
+Write a complete script that:
+
+- imports `Presentation` from `python-pptx`
+- creates the deck
+- selects appropriate built-in layouts
+- writes real titles and bullet points
+- saves the file with a clear filename
+- prints a success message after saving
+
+### Step 4: Keep the Output Runnable
+
+The final answer should be a Python code block that can run after installing `python-pptx`.
+Avoid pseudocode, placeholders, or missing imports.
+
+## Examples
+
+### Example 1: Educational Deck
+
+```text
+User: Create a 5-slide presentation on the basics of machine learning for a high school class.
+Output: A complete Python script that creates a title slide, overview, core concepts, examples, and recap.
+```
+
+### Example 2: Business Briefing
+
+```text
+User: Generate a 7-slide deck for sales leadership on Q2 pipeline risks and mitigation options.
+Output: A python-pptx script with executive-friendly slide titles, concise bullets, and a final recommendations slide.
+```
+
+## Best Practices
+
+- ✅ Use standard `python-pptx` layouts unless the user asks for custom positioning
+- ✅ Write audience-appropriate bullet points instead of placeholders
+- ✅ Save the output file explicitly in the script, for example `output.pptx`
+- ✅ Keep slide titles short and the bullet hierarchy readable
+- ❌ Do not return partial snippets that require the user to assemble the rest
+- ❌ Do not invent unsupported styling APIs without checking `python-pptx` capabilities
+
+## Security & Safety Notes
+
+- Install `python-pptx` only in an environment you control, for example a local virtual environment
+- If the user will run the script on a shared machine, choose a safe output path and avoid overwriting existing presentations without confirmation
+- If the request includes proprietary or sensitive presentation content, keep it out of public examples and sample filenames
+
+## Common Pitfalls
+
+- **Problem:** The generated script uses placeholder text instead of real content  
+  **Solution:** Draft the narrative first, then turn each slide into specific titles and bullets
+
+- **Problem:** The deck uses too many slides for the requested audience  
+  **Solution:** Compress the outline to the most important 4 to 8 slides unless the user explicitly wants a longer deck
+
+- **Problem:** The script forgets to save or print a completion message  
+  **Solution:** Always end with `prs.save(...)` and a short success print
+
+## Related Skills
+
+- `@pptx-official` - Use when the task is about inspecting or editing existing PowerPoint files
+- `@docx-official` - Use when the requested output should be a document instead of a slide deck

package/bundled-skills/technical-change-tracker/SKILL.md

@@ -0,0 +1,60 @@
+---
+name: technical-change-tracker
+description: "Track code changes with structured JSON records, state machine enforcement, and AI session handoff for bot continuity"
+category: development
+risk: safe
+source: community
+source_repo: Elkidogz/technical-change-skill
+source_type: community
+date_added: "2026-04-05"
+author: Elkidogz
+tags: [change-tracking, session-handoff, documentation, accessibility, state-machine]
+tools: [claude, cursor, gemini, codex]
+---
+
+# Technical Change Tracker
+
+## Overview
+
+Track every code change with structured JSON records and accessible HTML output. Ensures AI bot sessions can resume seamlessly when previous sessions expire or are abandoned.
+
+## When to Use This Skill
+
+- Use when you need structured change tracking across AI coding sessions
+- Use when a bot session expires mid-task and the next session needs full context to resume
+- Use when onboarding a project with undocumented change history
+
+## How It Works
+
+### State Machine
+
+```
+planned -> in_progress -> implemented -> tested -> deployed
+             |
+             +-> blocked
+```
+
+### Commands
+
+`/tc init` | `/tc create` | `/tc update` | `/tc status` | `/tc resume` | `/tc close` | `/tc export` | `/tc dashboard` | `/tc retro`
+
+### Session Handoff
+
+Each TC stores: progress summary, next steps, blockers, key context, and files in progress — so the next bot session picks up exactly where the last left off.
+
+### Non-Blocking
+
+TC bookkeeping runs via background subagents. Never interrupts coding work.
+
+## Features
+
+- Structured JSON records with append-only revision history
+- Test cases with log snippet evidence
+- WCAG AA+ accessible HTML output (dark theme, rem-based fonts)
+- CSS-only dashboard with status filters
+- Python stdlib only — zero external dependencies
+- Retroactive bulk creation from git history via `/tc retro`
+
+## Full Repository
+
+https://github.com/Elkidogz/technical-change-skill — MIT License

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-skills-collection",
-  "version": "1.0.172",
+  "version": "1.0.174",
   "description": "OpenCode CLI plugin that automatically downloads and keeps skills up to date.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",