npm - pluribus-context - Versions diffs - 0.3.35 → 0.3.37 - Mend

pluribus-context 0.3.35 → 0.3.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (70) hide show

package/examples/parallel-session-review-ledger/parallel-session-review-ledger.json ADDED Viewed

@@ -0,0 +1,72 @@
+{
+  "schema": "pluribus.parallel_session_review_ledger.v1",
+  "generated_at": "2026-06-04T19:00:00Z",
+  "run": {
+    "orchestrator": "human",
+    "repo": "redacted-service",
+    "coordination_mode": "parallel_sessions"
+  },
+  "sessions": [
+    {
+      "id": "session-a",
+      "agent": "claude-code",
+      "assignment": "update validation for billing webhook retries",
+      "branch": "agent/billing-webhook-retry-validation",
+      "allowed_scope": {
+        "files": ["src/billing/**", "test/billing/**"],
+        "commands": ["npm test -- --test-name-pattern=billing"],
+        "network": "none"
+      },
+      "touched_files": ["src/billing/retries.js", "test/billing/retries.test.js"],
+      "agent_claim": "added retry validation and regression coverage",
+      "evidence": [
+        { "type": "commit", "ref": "abc1234" },
+        { "type": "test", "name": "billing retry validation", "status": "passed" }
+      ],
+      "missing_checks": [],
+      "privacy_flags": [],
+      "state": "complete",
+      "safe_next_action": "review_diff"
+    },
+    {
+      "id": "session-b",
+      "agent": "cursor-agent",
+      "assignment": "draft migration notes for webhook retry config",
+      "branch": "agent/retry-config-notes",
+      "allowed_scope": {
+        "files": ["docs/**"],
+        "commands": ["npm test -- --test-name-pattern=docs"],
+        "network": "none"
+      },
+      "touched_files": ["docs/webhook-retry-config.md"],
+      "agent_claim": "documented retry config and rollback notes",
+      "evidence": [
+        { "type": "diff", "ref": "docs-only" }
+      ],
+      "missing_checks": ["link-check docs/webhook-retry-config.md"],
+      "privacy_flags": [],
+      "state": "partial",
+      "safe_next_action": "run_missing_check"
+    },
+    {
+      "id": "session-c",
+      "agent": "codex-cli",
+      "assignment": "investigate retry metrics regression",
+      "branch": "agent/retry-metrics-investigation",
+      "allowed_scope": {
+        "files": ["src/metrics/**", "test/metrics/**"],
+        "commands": ["npm test -- --test-name-pattern=metrics"],
+        "network": "none"
+      },
+      "touched_files": ["src/metrics/retry-metrics.js"],
+      "agent_claim": "found possible metrics label mismatch, not fixed",
+      "evidence": [
+        { "type": "note", "ref": "suspected-label-mismatch" }
+      ],
+      "missing_checks": ["confirm label contract with owner"],
+      "privacy_flags": ["scope_expanded_without_approval"],
+      "state": "unsafe_to_resume",
+      "safe_next_action": "stop_manual_review"
+    }
+  ]
+}

package/examples/phase-boundary-contract/README.md ADDED Viewed

@@ -0,0 +1,23 @@
+# Phase-boundary contract example
+This example is for multi-model coding workflows where one phase plans, another phase applies, and another verifies. It records the exact handoff boundary without storing prompts, transcripts, raw source, secrets, or full command output.
+Run:
+```bash
+node check-phase-boundary.mjs phase-boundary-contract.json
+```
+Expected output:
+```text
+phase-boundary contract ok: checkout-refactor-2026-06-03 apply->verify
+```
+Use the shape as a small gate before moving from Apply to Verify:
+- approved plan/task refs and hashes entered the phase;
+- output artifact hash exists;
+- changed file-set hash and tests are present;
+- open risks are explicit;
+- stale exploration transcript or rejected designs are intentionally dropped.

package/examples/phase-boundary-contract/check-phase-boundary.mjs ADDED Viewed

@@ -0,0 +1,73 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+const file = process.argv[2] || 'phase-boundary-contract.json';
+const contract = JSON.parse(fs.readFileSync(file, 'utf8'));
+const errors = [];
+const phases = ['explore', 'propose', 'spec', 'design', 'tasks', 'apply', 'verify'];
+const hashRe = /^sha256:[a-f0-9]{64}$/;
+const unsafeRefRe = /(^\/|\.\.|[A-Za-z]:\\|secret|token|password|private_key)/i;
+const requiredGateKeys = ['changed_files', 'tests_run', 'open_risks', 'stop_conditions'];
+function expect(condition, message) {
+  if (!condition) errors.push(message);
+}
+expect(contract.schema === 'pluribus.phase-boundary-contract.v1', 'schema must be pluribus.phase-boundary-contract.v1');
+expect(typeof contract.workflowId === 'string' && contract.workflowId.length >= 6, 'workflowId is required');
+expect(phases.includes(contract.currentPhase), 'currentPhase must be a known phase');
+expect(phases.includes(contract.nextPhase), 'nextPhase must be a known phase');
+expect(contract.currentPhase !== contract.nextPhase, 'currentPhase and nextPhase must differ');
+expect(Array.isArray(contract.allowedInput) && contract.allowedInput.length > 0, 'allowedInput must list at least one source');
+for (const [index, input] of (contract.allowedInput || []).entries()) {
+  expect(typeof input.kind === 'string' && input.kind.length > 0, `allowedInput[${index}].kind is required`);
+  expect(typeof input.ref === 'string' && !unsafeRefRe.test(input.ref), `allowedInput[${index}].ref must be a non-secret relative/logical ref`);
+  expect(hashRe.test(input.contentHash || ''), `allowedInput[${index}].contentHash must be sha256:<64 hex>`);
+}
+expect(contract.outputArtifact && typeof contract.outputArtifact.kind === 'string', 'outputArtifact.kind is required');
+expect(contract.outputArtifact && typeof contract.outputArtifact.ref === 'string' && !unsafeRefRe.test(contract.outputArtifact.ref), 'outputArtifact.ref must be a non-secret logical ref');
+expect(contract.outputArtifact && hashRe.test(contract.outputArtifact.contentHash || ''), 'outputArtifact.contentHash must be sha256:<64 hex>');
+const gate = contract.evidenceGate || {};
+expect(gate.status === 'pass' || gate.status === 'needs_review' || gate.status === 'fail', 'evidenceGate.status must be pass, needs_review, or fail');
+expect(Array.isArray(gate.requiredBeforeNextPhase), 'evidenceGate.requiredBeforeNextPhase must be an array');
+for (const key of requiredGateKeys) {
+  expect((gate.requiredBeforeNextPhase || []).includes(key), `evidenceGate.requiredBeforeNextPhase must include ${key}`);
+}
+expect(gate.changedFiles && Number.isInteger(gate.changedFiles.count) && gate.changedFiles.count >= 0, 'evidenceGate.changedFiles.count is required');
+expect(gate.changedFiles && hashRe.test(gate.changedFiles.fileSetHash || ''), 'evidenceGate.changedFiles.fileSetHash must be sha256:<64 hex>');
+expect(Array.isArray(gate.testsRun), 'evidenceGate.testsRun must be an array');
+for (const [index, test] of (gate.testsRun || []).entries()) {
+  expect(typeof test.name === 'string' && test.name.length > 0, `testsRun[${index}].name is required`);
+  expect(hashRe.test(test.commandHash || ''), `testsRun[${index}].commandHash must be sha256:<64 hex>`);
+  expect(['pass', 'fail', 'skipped'].includes(test.status), `testsRun[${index}].status must be pass/fail/skipped`);
+}
+expect(Array.isArray(gate.openRisks), 'evidenceGate.openRisks must be an array');
+for (const [index, risk] of (gate.openRisks || []).entries()) {
+  expect(typeof risk.riskClass === 'string' && risk.riskClass.length > 0, `openRisks[${index}].riskClass is required`);
+  expect(['low', 'medium', 'high'].includes(risk.severity), `openRisks[${index}].severity must be low/medium/high`);
+  expect(typeof risk.safeToContinue === 'boolean', `openRisks[${index}].safeToContinue must be boolean`);
+}
+expect(Array.isArray(contract.droppedContext), 'droppedContext must be an array');
+for (const [index, dropped] of (contract.droppedContext || []).entries()) {
+  expect(typeof dropped.kind === 'string' && dropped.kind.length > 0, `droppedContext[${index}].kind is required`);
+  expect(typeof dropped.reason === 'string' && dropped.reason.length > 0, `droppedContext[${index}].reason is required`);
+}
+expect(Array.isArray(contract.stopConditions), 'stopConditions must be an array');
+if (gate.status === 'pass') {
+  expect((contract.stopConditions || []).length === 0, 'pass contracts must not have active stopConditions');
+  expect((gate.openRisks || []).every((risk) => risk.safeToContinue), 'pass contracts require all open risks to be safeToContinue');
+}
+if (errors.length) {
+  console.error(`phase-boundary contract failed (${errors.length}):`);
+  for (const error of errors) console.error(`- ${error}`);
+  process.exit(1);
+}
+console.log(`phase-boundary contract ok: ${contract.workflowId} ${contract.currentPhase}->${contract.nextPhase}`);

package/examples/phase-boundary-contract/phase-boundary-contract.json ADDED Viewed

@@ -0,0 +1,68 @@
+{
+  "schema": "pluribus.phase-boundary-contract.v1",
+  "workflowId": "checkout-refactor-2026-06-03",
+  "currentPhase": "apply",
+  "nextPhase": "verify",
+  "allowedInput": [
+    {
+      "kind": "approved_plan",
+      "ref": "plans/checkout-refactor.md",
+      "contentHash": "sha256:0b70d75d6c8f0e54c74e1d7ea90e7c7b3d83e15dd3a3f7b4b9e9e73339d2b22e",
+      "required": true
+    },
+    {
+      "kind": "task_list",
+      "ref": "tasks/checkout-refactor.md#apply",
+      "contentHash": "sha256:63ccf4555f0adbe64bbff5a8f7c4b24708fdb2b5e4d0e417a5cb057b9ed39a76",
+      "required": true
+    }
+  ],
+  "outputArtifact": {
+    "kind": "patch",
+    "ref": "git:working-tree",
+    "contentHash": "sha256:3f9d6216dc7dcb53e6f29ad23433de97f0c172be6a6f46d574aa67e0edfd0789"
+  },
+  "evidenceGate": {
+    "requiredBeforeNextPhase": [
+      "changed_files",
+      "tests_run",
+      "open_risks",
+      "stop_conditions"
+    ],
+    "status": "pass",
+    "changedFiles": {
+      "count": 4,
+      "fileSetHash": "sha256:5f6c8b62349d527cd2e24c6913b8c5f0af8775be1a836bf942853c39efc11f91"
+    },
+    "testsRun": [
+      {
+        "name": "unit-tests",
+        "commandHash": "sha256:1f2cc9d3f4ce8cb118198c7da4d6951de2f21485af126eb1a0fe5f1d7e0139de",
+        "status": "pass"
+      },
+      {
+        "name": "typecheck",
+        "commandHash": "sha256:54d29f16fd215f74b4c03da61e37e71918f2e5c8db454a76f5f582b76471cb13",
+        "status": "pass"
+      }
+    ],
+    "openRisks": [
+      {
+        "riskClass": "manual_browser_flow_not_verified",
+        "severity": "medium",
+        "safeToContinue": true
+      }
+    ]
+  },
+  "droppedContext": [
+    {
+      "kind": "exploration_transcript",
+      "reason": "not authoritative after approved plan"
+    },
+    {
+      "kind": "rejected_design_option",
+      "reason": "kept as citation only; not input to verify phase"
+    }
+  ],
+  "stopConditions": []
+}

package/examples/skill-install-receipts/README.md ADDED Viewed

@@ -0,0 +1,31 @@
+# Skill install/load receipt example
+This example is for setup tools that install Skills across multiple agents and then need to prove whether each target can discover/load the installed resource before the first real session.
+It complements:
+- `examples/install-plan-receipts/` — pre-write plan proof (`writes_started=false`);
+- `examples/loaded-resource-boundary/` — runtime proof that an existing resource crossed discovery/attachment/injection/readability stages.
+## Smoke test
+```bash
+node examples/skill-install-receipts/check-skill-install-receipt.mjs \
+  examples/skill-install-receipts/skill-install-receipt.json
+```
+Expected output:
+```text
+skill install receipt ok: 3 targets checked
+```
+## Review checklist
+A useful receipt should answer:
+- What installer/source ref was used, without credentials?
+- Which agent targets and scopes were touched?
+- Which targets were installed, skipped, discovered, deferred, injected, or readable?
+- Was any required target unsafe before the first session?
+- Did the receipt avoid raw skill bodies, prompts, transcripts, env dumps, secrets, and private paths?

package/examples/skill-install-receipts/check-skill-install-receipt.mjs ADDED Viewed

@@ -0,0 +1,75 @@
+#!/usr/bin/env node
+import fs from 'node:fs';
+const file = process.argv[2] || new URL('./skill-install-receipt.json', import.meta.url);
+const receipt = JSON.parse(fs.readFileSync(file, 'utf8'));
+const allowedInstall = new Set(['installed', 'skipped', 'failed']);
+const allowedDiscovery = new Set(['discovered', 'not_discovered', 'not_tested', 'failed']);
+const allowedLoad = new Set(['injected', 'readable', 'activation_required', 'deferred', 'not_tested', 'failed']);
+const allowedCost = new Set(['0-1k', '1k-5k', '5k-20k', 'over_budget', 'unknown']);
+const requiredPrivacy = [
+  'raw_skill_body',
+  'raw_prompt',
+  'transcript',
+  'secrets',
+  'env_dump',
+  'private_absolute_path'
+];
+function assert(condition, message) {
+  if (!condition) {
+    throw new Error(message);
+  }
+}
+assert(receipt.receipt_type === 'agent.skill_install_receipt.v1', 'unexpected receipt_type');
+assert(receipt.run_id, 'missing run_id');
+assert(receipt.installer?.name, 'missing installer.name');
+assert(receipt.installer?.source?.kind, 'missing installer.source.kind');
+assert(receipt.installer?.source?.ref, 'missing installer.source.ref');
+assert(receipt.installer.source.credentials_in_ref === false, 'source ref must not carry credentials');
+assert(Array.isArray(receipt.targets) && receipt.targets.length > 0, 'targets must be a non-empty array');
+assert(Array.isArray(receipt.privacy_exclusions), 'missing privacy_exclusions');
+for (const item of requiredPrivacy) {
+  assert(receipt.privacy_exclusions.includes(item), `privacy_exclusions must include ${item}`);
+}
+let computedOverallSafe = true;
+for (const [index, target] of receipt.targets.entries()) {
+  assert(target.agent, `targets[${index}].agent missing`);
+  assert(['project', 'global', 'workspace', 'unknown'].includes(target.scope), `targets[${index}].scope invalid`);
+  assert(typeof target.required === 'boolean', `targets[${index}].required must be boolean`);
+  assert(allowedInstall.has(target.install_status), `targets[${index}].install_status invalid`);
+  assert(allowedDiscovery.has(target.discovery_status), `targets[${index}].discovery_status invalid`);
+  assert(allowedLoad.has(target.load_status), `targets[${index}].load_status invalid`);
+  assert(allowedCost.has(target.context_cost_bucket), `targets[${index}].context_cost_bucket invalid`);
+  assert(typeof target.safe_to_start_session === 'boolean', `targets[${index}].safe_to_start_session must be boolean`);
+  if (target.evidence) {
+    assert(target.evidence.raw_body_logged === false, `targets[${index}] must not log raw skill body`);
+  }
+  const requiredTargetUnsafe = target.required && (
+    target.install_status !== 'installed' ||
+    target.discovery_status !== 'discovered' ||
+    target.load_status === 'failed' ||
+    target.load_status === 'not_tested' ||
+    target.context_cost_bucket === 'over_budget' ||
+    target.safe_to_start_session !== true
+  );
+  if (requiredTargetUnsafe) {
+    computedOverallSafe = false;
+  }
+}
+assert(receipt.overall_safe_to_start_session === computedOverallSafe, 'overall_safe_to_start_session does not match required target safety');
+const serialized = JSON.stringify(receipt).toLowerCase();
+for (const forbidden of ['private_key', 'api_key=', 'ghp_', 'github_pat_', 'npm_', 'bearer ']) {
+  assert(!serialized.includes(forbidden), `receipt appears to include secret marker: ${forbidden}`);
+}
+console.log(`skill install receipt ok: ${receipt.targets.length} targets checked`);

package/examples/skill-install-receipts/skill-install-receipt.json ADDED Viewed

@@ -0,0 +1,79 @@
+{
+  "receipt_type": "agent.skill_install_receipt.v1",
+  "run_id": "skill-install-demo-2026-06-04T13:00Z",
+  "installer": {
+    "name": "skills-cli",
+    "version_bucket": "0.x",
+    "command_class": "skill_package_install",
+    "source": {
+      "kind": "git_ref",
+      "package": "vercel-labs/skills/context-budget-preflight",
+      "ref": "sha256:demo-source-package-hash",
+      "credentials_in_ref": false
+    }
+  },
+  "mode_requested": "install_then_check",
+  "mode_effective": "post_install_check",
+  "writes_completed": true,
+  "backup_created": true,
+  "targets": [
+    {
+      "agent": "claude-code",
+      "scope": "project",
+      "required": true,
+      "install_status": "installed",
+      "discovery_status": "discovered",
+      "load_status": "activation_required",
+      "activation": "on_demand_skill_description",
+      "context_cost_bucket": "0-1k",
+      "safe_to_start_session": true,
+      "evidence": {
+        "manifest_hash": "sha256:demo-claude-manifest-hash",
+        "skill_body_hash": "sha256:demo-claude-skill-body-hash",
+        "raw_body_logged": false
+      }
+    },
+    {
+      "agent": "codex",
+      "scope": "project",
+      "required": true,
+      "install_status": "installed",
+      "discovery_status": "discovered",
+      "load_status": "deferred",
+      "activation": "manual_or_triggered",
+      "context_cost_bucket": "0-1k",
+      "safe_to_start_session": true,
+      "evidence": {
+        "manifest_hash": "sha256:demo-codex-manifest-hash",
+        "skill_body_hash": "sha256:demo-codex-skill-body-hash",
+        "raw_body_logged": false
+      }
+    },
+    {
+      "agent": "zed-acp",
+      "scope": "project",
+      "required": false,
+      "install_status": "skipped",
+      "discovery_status": "not_tested",
+      "load_status": "not_tested",
+      "activation": "unsupported_target_in_this_installer",
+      "context_cost_bucket": "unknown",
+      "safe_to_start_session": true,
+      "skipped_reason": "target_not_selected"
+    }
+  ],
+  "overall_safe_to_start_session": true,
+  "next_safe_command": "start a disposable agent session and ask it to cite the installed Skill sentinel line",
+  "privacy_exclusions": [
+    "raw_skill_body",
+    "raw_source",
+    "raw_prompt",
+    "transcript",
+    "raw_tool_output",
+    "customer_data",
+    "secrets",
+    "env_dump",
+    "private_absolute_path"
+  ],
+  "audit_gap": "proves installer/discovery/load boundary, not skill semantic quality or future activation"
+}

package/examples/skill-use-rate-receipts/README.md ADDED Viewed

@@ -0,0 +1,16 @@
+# Skill use-rate receipts
+This example shows a privacy-safe receipt for the gap between installing an Agent Skill and actually using it.
+```bash
+node check-skill-use-rate.mjs skill-use-rate-receipt.json
+```
+Expected output:
+```text
+skill use-rate receipt ok: 3 skills checked, 1 unused install warning
+- rust-lsp-helper is installed/attached but has 0 invocations in this window
+```
+The warning is intentional: installation is not adoption. A skill can be installed, attached, and discoverable while still adding context surface area with no observed invocation.

package/examples/skill-use-rate-receipts/check-skill-use-rate.mjs ADDED Viewed

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+import fs from 'node:fs'
+import path from 'node:path'
+const receiptPath = process.argv[2] || path.join(import.meta.dirname, 'skill-use-rate-receipt.json')
+const receipt = JSON.parse(fs.readFileSync(receiptPath, 'utf8'))
+const errors = []
+const warnings = []
+function requireString(value, field) {
+  if (typeof value !== 'string' || value.trim() === '') {
+    errors.push(`${field} must be a non-empty string`)
+  }
+}
+function requireBoolean(value, field) {
+  if (typeof value !== 'boolean') {
+    errors.push(`${field} must be boolean`)
+  }
+}
+function requireNonNegativeInteger(value, field) {
+  if (!Number.isInteger(value) || value < 0) {
+    errors.push(`${field} must be a non-negative integer`)
+  }
+}
+if (receipt.schema !== 'pluribus.skill_use_rate_receipt.v1') {
+  errors.push('schema must be pluribus.skill_use_rate_receipt.v1')
+}
+requireString(receipt.run_id, 'run_id')
+requireString(receipt.generated_at, 'generated_at')
+requireString(receipt.installer?.name, 'installer.name')
+requireString(receipt.window?.started_at, 'window.started_at')
+requireString(receipt.window?.ended_at, 'window.ended_at')
+if (!Array.isArray(receipt.skills) || receipt.skills.length === 0) {
+  errors.push('skills must be a non-empty array')
+}
+for (const [index, skill] of (receipt.skills || []).entries()) {
+  const prefix = `skills[${index}]`
+  requireString(skill.skill_id, `${prefix}.skill_id`)
+  requireString(skill.source_ref, `${prefix}.source_ref`)
+  requireString(skill.target_agent, `${prefix}.target_agent`)
+  requireString(skill.scope, `${prefix}.scope`)
+  requireString(skill.install_method, `${prefix}.install_method`)
+  requireBoolean(skill.discovered, `${prefix}.discovered`)
+  requireBoolean(skill.installed, `${prefix}.installed`)
+  requireBoolean(skill.attached, `${prefix}.attached`)
+  requireBoolean(skill.unused_since_install, `${prefix}.unused_since_install`)
+  requireNonNegativeInteger(skill.invoked_count, `${prefix}.invoked_count`)
+  requireNonNegativeInteger(skill.acted_on_count, `${prefix}.acted_on_count`)
+  if (Number.isInteger(skill.acted_on_count) && Number.isInteger(skill.invoked_count) && skill.acted_on_count > skill.invoked_count) {
+    errors.push(`${prefix}.acted_on_count cannot exceed invoked_count`)
+  }
+  if (skill.installed && skill.attached && skill.invoked_count === 0) {
+    if (skill.unused_since_install !== true) {
+      errors.push(`${prefix}.unused_since_install must be true when installed/attached but never invoked`)
+    }
+    warnings.push(`${skill.skill_id || prefix} is installed/attached but has 0 invocations in this window`)
+  }
+  if (skill.invoked_count > 0) {
+    if (skill.unused_since_install !== false) {
+      errors.push(`${prefix}.unused_since_install must be false when invoked_count > 0`)
+    }
+    if (typeof skill.last_invoked_at !== 'string' || skill.last_invoked_at.trim() === '') {
+      errors.push(`${prefix}.last_invoked_at must be set when invoked_count > 0`)
+    }
+  }
+  if (!Array.isArray(skill.evidence) || skill.evidence.length === 0) {
+    errors.push(`${prefix}.evidence must include at least one privacy-safe evidence ref`)
+  }
+}
+if (errors.length > 0) {
+  console.error('skill use-rate receipt invalid:')
+  for (const error of errors) console.error(`- ${error}`)
+  process.exit(1)
+}
+const warningLabel = warnings.length === 1 ? 'warning' : 'warnings'
+console.log(`skill use-rate receipt ok: ${receipt.skills.length} skills checked, ${warnings.length} unused install ${warningLabel}`)
+for (const warning of warnings) console.log(`- ${warning}`)

package/examples/skill-use-rate-receipts/skill-use-rate-receipt.json ADDED Viewed

@@ -0,0 +1,79 @@
+{
+  "schema": "pluribus.skill_use_rate_receipt.v1",
+  "run_id": "skills-audit-2026-06-05T13:00Z",
+  "generated_at": "2026-06-05T13:00:00Z",
+  "installer": {
+    "name": "skills",
+    "version": "1.5.9",
+    "command_digest": "sha256:4c2b31d9f1e3a1a5f94c2c65d18f0a9b0c3d14a1c6a4f8cbb6e8f0b2a118f001"
+  },
+  "window": {
+    "started_at": "2026-05-22T00:00:00Z",
+    "ended_at": "2026-06-05T13:00:00Z"
+  },
+  "skills": [
+    {
+      "skill_id": "frontend-design",
+      "source_ref": "github:vercel-labs/agent-skills/skills/frontend-design@main",
+      "target_agent": "claude-code",
+      "scope": "project",
+      "install_method": "symlink",
+      "discovered": true,
+      "installed": true,
+      "attached": true,
+      "invoked_count": 7,
+      "acted_on_count": 3,
+      "last_invoked_at": "2026-06-05T10:12:08Z",
+      "unused_since_install": false,
+      "context_cost_bucket": "small",
+      "evidence": [
+        {
+          "kind": "session_log_digest",
+          "ref": "sha256:0b7d7a9f2950f5e4ab8d9ab2f93e71875a995ee3878d0d595c8a65f8d7bf0c4d"
+        }
+      ]
+    },
+    {
+      "skill_id": "rust-lsp-helper",
+      "source_ref": "github:example-org/agent-skills/skills/rust-lsp-helper@v1.2.0",
+      "target_agent": "claude-code",
+      "scope": "global",
+      "install_method": "copy",
+      "discovered": true,
+      "installed": true,
+      "attached": true,
+      "invoked_count": 0,
+      "acted_on_count": 0,
+      "last_invoked_at": null,
+      "unused_since_install": true,
+      "context_cost_bucket": "medium",
+      "evidence": [
+        {
+          "kind": "installer_lock_digest",
+          "ref": "sha256:d25b0ddca0d6b8ac8705cc1e845351f5f5a3971b982be9dc6eeb3aadc5a83a54"
+        }
+      ]
+    },
+    {
+      "skill_id": "code-review-xhigh",
+      "source_ref": "builtin:claude-code/code-review@2.1.152",
+      "target_agent": "claude-code",
+      "scope": "builtin",
+      "install_method": "builtin",
+      "discovered": true,
+      "installed": true,
+      "attached": true,
+      "invoked_count": 12,
+      "acted_on_count": 9,
+      "last_invoked_at": "2026-06-05T12:40:01Z",
+      "unused_since_install": false,
+      "context_cost_bucket": "unknown",
+      "evidence": [
+        {
+          "kind": "review_report_digest",
+          "ref": "sha256:8f489e2b0d3539b17f3d0b6ebc68bf1c9d68022c6ea086b6a3636b107a42f9f4"
+        }
+      ]
+    }
+  ]
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pluribus-context",
-  "version": "0.3.35",
+  "version": "0.3.37",
   "description": "AI context and rules sync CLI for Claude.md, Claude Code, Cursor, and Copilot instructions, with privacy-safe context receipts that prove what memory, tools, skills, compactions, and security findings crossed agent boundaries without logging raw content.",
   "type": "module",
   "homepage": "https://github.com/caioribeiroclw-pixel/pluribus#readme",
@@ -22,6 +22,7 @@
     "spec/",
     "schemas/",
     "examples/",
+    "skills/",
     "CHANGELOG.md"
   ],
   "scripts": {

package/{examples/agent-skills → skills}/context-receipts/README.md RENAMED Viewed

@@ -19,10 +19,10 @@ grep -E 'raw_(schema|query|args|result|output|transcript|text)_copied":false|raw
 Then manually check that the receipt contains counts, hashes, ids, buckets, and `audit_gap`, but does **not** contain private prompts, raw schemas, tool args/results, skill bodies, memory bodies, customer names, secrets, or transcript text.
-For executable fixture examples, see [`../../context-input-evidence/`](../../context-input-evidence/), including the ToolSearch propagation, pruning, and compaction transaction smokes:
+For executable fixture examples, see [`../../examples/context-input-evidence/`](../../examples/context-input-evidence/), including the ToolSearch propagation, pruning, and compaction transaction smokes:
 ```bash
-node ../../context-input-evidence/convert-subagent-toolsearch-propagation-log.mjs
-node ../../context-input-evidence/convert-pruning-log.mjs
-node ../../context-input-evidence/convert-compaction-transaction-log.mjs
+node ../../examples/context-input-evidence/convert-subagent-toolsearch-propagation-log.mjs
+node ../../examples/context-input-evidence/convert-pruning-log.mjs
+node ../../examples/context-input-evidence/convert-compaction-transaction-log.mjs
 ```