skillwiki 0.9.1 → 0.9.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/dist/cli.js +1125 -683
  2. package/package.json +1 -1
  3. package/skills/.claude-plugin/plugin.json +1 -1
  4. package/skills/.codex-plugin/plugin.json +1 -1
  5. package/skills/agents/proj-decide.md +1 -0
  6. package/skills/agents/proj-distill.md +1 -0
  7. package/skills/agents/proj-init.md +1 -0
  8. package/skills/agents/proj-work.md +1 -0
  9. package/skills/agents/wiki-adapter-prd.md +8 -5
  10. package/skills/agents/wiki-add-task.md +8 -5
  11. package/skills/agents/wiki-archive.md +1 -0
  12. package/skills/agents/wiki-audit.md +1 -0
  13. package/skills/agents/wiki-canvas.md +1 -0
  14. package/skills/agents/wiki-crystallize.md +5 -2
  15. package/skills/agents/wiki-ingest.md +8 -5
  16. package/skills/agents/wiki-lint.md +5 -3
  17. package/skills/agents/wiki-query.md +4 -1
  18. package/skills/agents/wiki-reingest.md +6 -3
  19. package/skills/agents/wiki-sync.md +1 -0
  20. package/skills/package.json +1 -1
  21. package/skills/skills/using-skillwiki/SKILL.md +26 -1
  22. package/skills/skills/wiki-adapter-prd/SKILL.md +8 -5
  23. package/skills/skills/wiki-add-task/SKILL.md +9 -6
  24. package/skills/skills/wiki-crystallize/SKILL.md +5 -2
  25. package/skills/skills/wiki-ingest/SKILL.md +8 -6
  26. package/skills/skills/wiki-lint/SKILL.md +5 -3
  27. package/skills/skills/wiki-query/SKILL.md +4 -1
  28. package/skills/using-skillwiki/SKILL.md +26 -1
  29. package/skills/wiki-adapter-prd/SKILL.md +8 -5
  30. package/skills/wiki-add-task/SKILL.md +9 -6
  31. package/skills/wiki-crystallize/SKILL.md +5 -2
  32. package/skills/wiki-ingest/SKILL.md +8 -6
  33. package/skills/wiki-lint/SKILL.md +5 -3
  34. package/skills/wiki-query/SKILL.md +4 -1
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "skillwiki",
3
- "version": "0.9.1",
3
+ "version": "0.9.4",
4
4
  "type": "module",
5
5
  "bin": {
6
6
  "skillwiki": "dist/cli.js"
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "skillwiki",
3
- "version": "0.9.1",
3
+ "version": "0.9.4",
4
4
  "skills": "./",
5
5
  "description": "Project-aware Karpathy-style knowledge base for Claude Code: 18 prompt-only skills (wiki-*, proj-*, using-skillwiki) backed by the deterministic `skillwiki` CLI.",
6
6
  "author": {
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "skillwiki",
3
- "version": "0.9.1",
3
+ "version": "0.9.4",
4
4
  "description": "Project-aware Karpathy-style knowledge base for Codex with 18 prompt-only skills backed by the deterministic skillwiki CLI.",
5
5
  "author": {
6
6
  "name": "karlorz",
@@ -52,3 +52,4 @@ Return:
52
52
  - Filing a concept page without explicit `provenance:`
53
53
  - Skipping the generalization check
54
54
  - Updating index/logs before `validate` passes
55
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -58,3 +58,4 @@ Return:
58
58
  - Skipping Step 1 (analysis before generation)
59
59
  - Inventing new tags not in SCHEMA.md taxonomy
60
60
  - Updating index/logs before `validate` passes
61
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -56,3 +56,4 @@ Return:
56
56
  **Forbidden:**
57
57
  - Modifying any other project's files
58
58
  - Creating the workspace without updating index.md
59
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -62,3 +62,4 @@ Return:
62
62
  - Marking `status: completed` without a `completed:` date
63
63
  - Accepting tasks.md DONE labels without independent disk verification
64
64
  - Re-marking tasks as DONE without actually applying the fix
65
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -44,9 +44,10 @@ You are a PRD format adapter specializing in mapping foreign design document for
44
44
  1. **Resolve vault and language.** Run `skillwiki path` and `skillwiki lang`.
45
45
  2. **Classify format.** Match against structural cues above. If unrecognized, treat as generic.
46
46
  3. **URL guard.** If source is a URL: `skillwiki fetch-guard <url>`. If non-zero, STOP.
47
- 4. **Write raw.** Full source `raw/articles/<slug>.md` with proper frontmatter.
48
- 5. **Hash.** Run `skillwiki hash <raw-file>`, embed sha256.
49
- 6. **Generate pages.** Map sections per strategy. Each page gets:
47
+ 4. **Sensitive content guard.** Before writing the raw capture or generated pages, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself contains a live secret and would need to remain raw, STOP instead of preserving it.
48
+ 5. **Write raw.** Full source `raw/articles/<slug>.md` with proper frontmatter.
49
+ 6. **Hash.** Run `skillwiki hash <raw-file>`, embed sha256.
50
+ 7. **Generate pages.** Map sections per strategy. Each page gets:
50
51
  - `provenance: research`, `sources: ["^[raw/articles/<slug>.md]"]`
51
52
  - `## TL;DR` as first section
52
53
  - Preserve requirement IDs as tags or inline references
@@ -60,8 +61,8 @@ You are a PRD format adapter specializing in mapping foreign design document for
60
61
  Follow-up: ...
61
62
  ```
62
63
  Use exactly one disposition. Keep skipped action items out of typed knowledge unless the closeout disposition is `work-item`.
63
- 7. **Validate.** `skillwiki validate <page>` for each page. If any non-zero, STOP.
64
- 8. **Apply writes:** raw → pages → `index.md` → `log.md`.
64
+ 8. **Validate.** `skillwiki validate <page>` for each page. If any non-zero, STOP.
65
+ 9. **Apply writes:** raw → pages → `index.md` → `log.md`.
65
66
 
66
67
  **Output Format:**
67
68
  Return:
@@ -75,9 +76,11 @@ Return:
75
76
  - `fetch-guard` non-zero
76
77
  - `validate` non-zero on any page
77
78
  - sha256 already exists (already ingested)
79
+ - Source or generated content contains unredacted live credentials or other authenticating secrets
78
80
 
79
81
  **Forbidden:**
80
82
  - Skipping `fetch-guard` for URL sources
81
83
  - Writing index/log before all pages validate
82
84
  - Modifying existing raw files (N9)
83
85
  - Auto-generating pages for action items or timelines
86
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -28,8 +28,9 @@ You are a quick-capture agent specializing in writing ad-hoc captures to `raw/tr
28
28
  - `text` — the idea/bug/task/note content (required)
29
29
  - `type` — `idea`, `bug`, `task`, or `note` (default: `idea`)
30
30
  - `project` — optional project slug
31
- 3. **Build filename.** Derive slug from first ~6 words of text (lowercased, hyphens, non-alphanumeric stripped). File: `raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`. If exists, add suffix.
32
- 4. **Write frontmatter:**
31
+ 3. **Sensitive content guard.** Before writing a capture, scan the text for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact before writing. If the source text itself contains a live secret that must be preserved verbatim, STOP instead of filing it.
32
+ 4. **Build filename.** Derive slug from first ~6 words of text (lowercased, hyphens, non-alphanumeric stripped). File: `raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`. If exists, add suffix.
33
+ 5. **Write frontmatter:**
33
34
  ```yaml
34
35
  ---
35
36
  source_url:
@@ -39,9 +40,9 @@ You are a quick-capture agent specializing in writing ad-hoc captures to `raw/tr
39
40
  ---
40
41
  ```
41
42
  No `sha256` — ad-hoc captures are mutable working notes.
42
- 5. **Write body:** `# {type}: {text}` then the text content.
43
- 6. **Cross-reference (optional).** If project slug provided, verify `projects/{slug}/` exists. Append one-line reference to project compound notes.
44
- 7. **Log.** Append to `{vault}/log.md`: `## [YYYY-MM-DD] capture | [type]: [text (first 60 chars)]`.
43
+ 6. **Write body:** `# {type}: {text}` then the text content.
44
+ 7. **Cross-reference (optional).** If project slug provided, verify `projects/{slug}/` exists. Append one-line reference to project compound notes.
45
+ 8. **Log.** Append to `{vault}/log.md`: `## [YYYY-MM-DD] capture | [type]: [text (first 60 chars)]`.
45
46
 
46
47
  **Output Format:**
47
48
  Return:
@@ -54,9 +55,11 @@ Return:
54
55
  - No text provided
55
56
  - Target file already exists and slug can't be disambiguated
56
57
  - `skillwiki path` returns NO_VAULT_CONFIGURED
58
+ - Capture text contains unredacted live credentials or other authenticating secrets
57
59
 
58
60
  **Forbidden:**
59
61
  - Creating an `inbox/` directory
60
62
  - Appending to existing capture files
61
63
  - Creating a full work item (that's proj-work's job)
62
64
  - Writing to Layer 2 or Layer 3 locations (captures are Layer 1)
65
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -46,3 +46,4 @@ Return:
46
46
  - Archiving `raw/` files outside N9 Reingest Protocol
47
47
  - Archiving without updating citation markers for raw files
48
48
  - Deleting files (archive moves, never deletes)
49
+ - Preserving live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets by archive-only handling
@@ -44,3 +44,4 @@ Return a structured summary:
44
44
  **Forbidden:**
45
45
  - Auto-applying suggested fixes (audit is observation-only — do not edit pages)
46
46
  - Modifying `sources:` frontmatter or body citations
47
+ - Printing or writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets in audit summaries
@@ -42,3 +42,4 @@ Return:
42
42
  **Forbidden:**
43
43
  - Modifying `vault-graph.canvas` by hand
44
44
  - Generating canvas without current graph.json after vault changes
45
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to graph, canvas, or log output
@@ -41,8 +41,9 @@ You are a knowledge crystallizer specializing in distilling raw session material
41
41
  Follow-up: ...
42
42
  ```
43
43
  Use exactly one disposition. Keep this as a prompt/template convention, not validation or lint enforcement.
44
- 6. **Validate.** Run `skillwiki validate <page>`. If non-zero, fix issues and re-validate. Do NOT proceed until validation passes.
45
- 7. **Apply writes in order:** Page file add entry to `{vault}/index.md` append entry to `{vault}/log.md`.
44
+ 6. **Sensitive content guard.** Before writing, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself contains a live secret and would need to remain raw, STOP instead of preserving it.
45
+ 7. **Validate.** Run `skillwiki validate <page>`. If non-zero, fix issues and re-validate. Do NOT proceed until validation passes.
46
+ 8. **Apply writes in order:** Page file → add entry to `{vault}/index.md` → append entry to `{vault}/log.md`.
46
47
 
47
48
  **Output Format:**
48
49
  Return:
@@ -56,9 +57,11 @@ Return:
56
57
  - `skillwiki validate` returns non-zero (after retry)
57
58
  - Missing `provenance:` for project-context runs
58
59
  - Source material is insufficient to compose a meaningful page
60
+ - Source or generated content contains unredacted live credentials or other authenticating secrets
59
61
 
60
62
  **Forbidden:**
61
63
  - Filing without explicit `provenance:`
62
64
  - Updating `index.md` before `validate` passes
63
65
  - Writing `[[wikilinks]]` to pages that don't exist — verify via `index.md` or directory listing first
64
66
  - Inventing new tags not in SCHEMA.md taxonomy
67
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -26,9 +26,10 @@ You are a vault ingestion specialist converting source material (URLs, files, te
26
26
 
27
27
  1. **Resolve vault and language.** Run `skillwiki path` and `skillwiki lang`.
28
28
  2. **Guard (URL sources).** For each URL: `skillwiki fetch-guard <url>`. If non-zero, STOP.
29
- 3. **Fetch.** Fetch content. Write raw file at `raw/articles/<slug>.md` with proper frontmatter (`source_url`, `ingested`, `sha256` placeholder).
30
- 4. **Hash.** Run `skillwiki hash <raw-file>`. Embed the result in `sha256:`.
31
- 5. **Generate page(s).** Compose typed-knowledge pages with:
29
+ 3. **Fetch.** Fetch content.
30
+ 4. **Sensitive content guard.** Before writing or filing any vault page, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself must remain raw and contains a live secret, STOP instead of preserving it.
31
+ 5. **Write raw and hash.** Write raw file at `raw/articles/<slug>.md` with proper frontmatter (`source_url`, `ingested`, `sha256` placeholder). Run `skillwiki hash <raw-file>` and embed the result in `sha256:`.
32
+ 6. **Generate page(s).** Compose typed-knowledge pages with:
32
33
  - Proper frontmatter (`title`, `type`, `tags` from SCHEMA.md taxonomy, `provenance`, `sources`)
33
34
  - `## TL;DR` as first section — 1–3 bullet summary
34
35
  - `^[raw/...]` citations for every factual claim
@@ -43,8 +44,8 @@ You are a vault ingestion specialist converting source material (URLs, files, te
43
44
  Follow-up: ...
44
45
  ```
45
46
  Use exactly one disposition. This is a prompt convention, not a validator rule.
46
- 6. **Validate.** For each page: `skillwiki validate <page>`. If any non-zero, fix issues and re-validate. Do NOT proceed until all pages pass.
47
- 7. **Apply writes in order:** raw file(s) → page(s) → update `index.md` → append `log.md`.
47
+ 7. **Validate.** For each page: `skillwiki validate <page>`. If any non-zero, fix issues and re-validate. Do NOT proceed until all pages pass.
48
+ 8. **Apply writes in order:** raw file(s) → page(s) → update `index.md` → append `log.md`.
48
49
 
49
50
  ### Batch mode
50
51
  When multiple sources are provided:
@@ -68,6 +69,7 @@ Return:
68
69
  - Fetch timeout or size limit exceeded
69
70
  - `validate` non-zero on any page (after retry)
70
71
  - sha256 already exists in vault (skip, don't duplicate)
72
+ - Source or generated content contains unredacted live credentials or other authenticating secrets
71
73
 
72
74
  **Forbidden:**
73
75
  - Skipping `fetch-guard` for URL sources
@@ -75,3 +77,4 @@ Return:
75
77
  - Modifying existing raw files (N9)
76
78
  - Writing `[[wikilinks]]` to nonexistent pages — verify first
77
79
  - Writing raw ephemeral data to cloud-mounted wiki paths
80
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -27,9 +27,10 @@ You are a vault health inspector specializing in running `skillwiki health` and
27
27
  2. **Run health or lint summary.** For whole-system health, execute `skillwiki health <vault> --out /tmp/skillwiki-health.json --no-fail`. For lint-only maintenance, execute `skillwiki lint <vault> --summary`. Read the JSON envelope. Treat `skillwiki doctor` as setup/runtime diagnostics only.
28
28
  3. **Drill into details only when needed.** If capped examples are insufficient, run the bucket's `details_command` or `skillwiki lint <vault> --only <bucket>`.
29
29
  4. **Reason over findings.** Group by severity. For each kind of finding, suggest concrete next actions. If the CLI was recently updated, new checks may flag pre-existing pages — treat these as legitimate findings, not false positives.
30
- 5. **Log rotation.** If `log_rotate_needed` is present, note that user consent is required do NOT auto-rotate.
31
- 6. **Post-migration check.** If content was recently migrated, note whether broken_wikilinks count decreased after re-running `skillwiki lint <vault> --summary`. Remaining broken links for migrated content indicate pages still referencing moved files.
32
- 7. **Optional summary.** Append one entry to `{vault}/log.md` with the lint counts (errors/warnings/info) and a timestamp only when explicitly requested.
30
+ 5. **Sensitive content.** Treat `sensitive_content` as a security error. Drill down with `skillwiki lint <vault> --only sensitive_content --human`. Redaction is allowed as a security exception to raw immutability only through `skillwiki lint <vault> --fix --only sensitive_content`; never print the secret value in the report.
31
+ 6. **Log rotation.** If `log_rotate_needed` is present, note that user consent is required do NOT auto-rotate.
32
+ 7. **Post-migration check.** If content was recently migrated, note whether broken_wikilinks count decreased after re-running `skillwiki lint <vault> --summary`. Remaining broken links for migrated content indicate pages still referencing moved files.
33
+ 8. **Optional summary.** Append one entry to `{vault}/log.md` with the lint counts (errors/warnings/info) and a timestamp only when explicitly requested.
33
34
 
34
35
  **Output Format:**
35
36
  Return a structured summary:
@@ -49,3 +50,4 @@ Return a structured summary:
49
50
  - Auto-rotating logs without user consent
50
51
  - Auto-updating sha256 fields
51
52
  - Modifying any page beyond an explicitly requested lint summary entry in `log.md`
53
+ - Printing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets in findings or summaries
@@ -34,7 +34,8 @@ You are a vault search and synthesis specialist using E2 4-signal ranking to fin
34
34
  - Type affinity: 1.0×
35
35
  6. **Read top candidates.** Read frontmatter + body of highest-scored pages.
36
36
  7. **Synthesize answer.** Compose with explicit citations to candidate pages using `^[page-path]` markers.
37
- 8. **Optional file.** If the task asks to persist: write to `queries/<slug>.md` or `comparisons/<slug>.md` with full frontmatter, validate, then update `index.md` `log.md`. If the filed page is a research/evaluation answer, recommendation, or comparison, end it with:
37
+ 8. **Sensitive content guard.** Before filing a query or comparison page, scan the generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact before writing. If the answer depends on preserving a live secret, STOP and ask for a redacted source or explicit rotation/remediation direction.
38
+ 9. **Optional file.** If the task asks to persist: write to `queries/<slug>.md` or `comparisons/<slug>.md` with full frontmatter, validate, then update `index.md` → `log.md`. If the filed page is a research/evaluation answer, recommendation, or comparison, end it with:
38
39
  ```markdown
39
40
  ## Decision Closeout
40
41
 
@@ -58,8 +59,10 @@ Return:
58
59
  **Stop Conditions:**
59
60
  - Zero matching pages found
60
61
  - `skillwiki path` returns NO_VAULT_CONFIGURED
62
+ - Generated filed content contains unredacted live credentials or other authenticating secrets
61
63
 
62
64
  **Forbidden:**
63
65
  - Filing without `validate` passing
64
66
  - Skipping graph refresh when graph.json is missing
65
67
  - Accepting wiki claims without filesystem verification
68
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -30,9 +30,10 @@ You are a drift detection specialist running `skillwiki drift` and processing re
30
30
  - **unchanged:** No action needed.
31
31
  4. **Process each drifted source:**
32
32
  a. Archive old raw: `skillwiki archive <raw-path>`
33
- b. Re-fetch content and write as new raw file with updated sha256
34
- c. Update all concept/entity pages citing the old source: change `^[raw/...]` markers and `sources:` to reference the new path
35
- d. Verify with `skillwiki audit` that no broken markers remain
33
+ b. Re-fetch content. If it contains live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets, STOP and ask for a redacted source or explicit rotation/remediation direction.
34
+ c. Write as new raw file with updated sha256
35
+ d. Update all concept/entity pages citing the old source: change `^[raw/...]` markers and `sources:` to reference the new path
36
+ e. Verify with `skillwiki audit` that no broken markers remain
36
37
  5. **Log.** Append to `{vault}/log.md`: scanned count, drifted count, re-ingested count, skipped count.
37
38
 
38
39
  **N9 Compliance:**
@@ -53,8 +54,10 @@ Return:
53
54
  - `skillwiki drift` returns non-zero (other than DRIFT_DETECTED)
54
55
  - No raw sources have `source_url` (nothing to check)
55
56
  - All sources unchanged
57
+ - Replacement source content contains unredacted live credentials or other authenticating secrets
56
58
 
57
59
  **Forbidden:**
58
60
  - Modifying files in `raw/` directly (N9)
59
61
  - Re-ingesting without archiving old raw first
60
62
  - Updating citations without running `skillwiki audit` to verify
63
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault
@@ -68,3 +68,4 @@ Return:
68
68
  - Auto-resolving body conflicts
69
69
  - Force-pushing (`git push --force`)
70
70
  - Modifying files in `raw/` to resolve conflicts (N9)
71
+ - Printing, committing, or preserving live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets during conflict handling
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@skillwiki/skills",
3
- "version": "0.9.1",
3
+ "version": "0.9.4",
4
4
  "private": true,
5
5
  "files": [
6
6
  "wiki-*",
@@ -55,6 +55,10 @@ sha256: # computed by skillwiki hash over body bytes after closing ---
55
55
  **Layer 2 — Typed Knowledge:** `entities/`, `concepts/`, `comparisons/`, `queries/`, `meta/`. Agent-owned pages with `^[raw/...]` citation markers at paragraph-end. Global scope — project association via `provenance_projects:` frontmatter, not directory nesting.
56
56
  **Layer 3 — Project Workspaces (`projects/{slug}/`):** Per-project lifecycle directories with `work/` (spec + plan + retro), `compound/` (distilled lessons/patterns), `architecture/` (ADRs), and `history/` (archived specs/plans).
57
57
  **No `inbox/` directory.** Ad-hoc captures go to `raw/transcripts/` or directly into a project work item via `proj-work`. Do not invent new top-level directories — extend Layer 2 via SCHEMA.md tag taxonomy if needed.
58
+
59
+ ## Sensitive Content Policy
60
+ Vault content must not contain live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets. This includes development-only and local-only credentials. Redact values before filing using `[REDACTED:<kind>]` or `[REDACTED:<kind>:<fingerprint>]`. If a source contains live secrets, stop and ask for a redacted source or explicit rotation/remediation direction; do not preserve the secret in `raw/`.
61
+
58
62
  ### Ad-hoc capture: three entry points
59
63
  | Entry | When | What happens |
60
64
  |-------|------|-------------|
@@ -107,9 +111,30 @@ Use `prd_layer` + `prd_pipeline` from `.claude/dev-loop.config.md` as source of
107
111
 
108
112
  ## CLI Backbone
109
113
  All skills are backed by the `skillwiki` CLI — a deterministic tool with no LLM calls. It handles path resolution, config management, validation, health reporting, and linting. Skills invoke it via Bash for the mechanical parts and use Claude for the creative parts.
110
- Key CLI subcommands: `init`, `health`, `lint`, `config`, `doctor`, `path`, `lang`, `install`, `graph build`, `archive`, `drift`, `compound`, `tag-sync`, `sync status`, `seed`, `stale`, `observe`, `canvas generate`.
114
+ Key CLI subcommands: `init`, `health`, `lint`, `config`, `doctor`, `path`, `lang`, `install`, `fleet context`, `fleet validate`, `graph build`, `archive`, `drift`, `compound`, `tag-sync`, `sync status`, `seed`, `stale`, `observe`, `canvas generate`.
111
115
  Run `skillwiki health <vault> --out /tmp/skillwiki-health.json --no-fail` for a bounded whole-system report that includes doctor, lint, vault-sync, query-readiness, source-freshness, risk flags, and self-check coverage. Run `skillwiki lint <vault> --summary` for lint-only bucket counts with capped examples and details commands. Run `skillwiki doctor` to diagnose setup/runtime issues only. Run `skillwiki config list` to see current configuration.
112
116
 
117
+ ## Runtime Host Context and Fleet Freshness
118
+ The live output of `skillwiki --human fleet context <vault>` is authoritative for host identity. It overrides stale injected SessionStart context, remembered workspace context, and prior conversation summaries. `fleet context` is local and network-free; it reports `identity_status`, resolver trace, warnings, and the fact that remote freshness was not checked.
119
+
120
+ Use the local identity check for ordinary runtime context:
121
+ ```bash
122
+ VAULT="$(skillwiki --human path | sed 's/ (via.*//')"
123
+ skillwiki --human fleet validate "$VAULT/projects/llm-wiki/architecture/fleet.yaml"
124
+ skillwiki --human fleet context "$VAULT"
125
+ ```
126
+
127
+ Use the remote freshness flow before SSH, sync, deploy, install/uninstall, snapshot, protected-host work, editing `fleet.yaml`, or claiming "fleet is up to date":
128
+ ```bash
129
+ VAULT="$(skillwiki --human path | sed 's/ (via.*//')"
130
+ git -C "$VAULT" fetch origin main --prune
131
+ skillwiki --human sync status "$VAULT"
132
+ skillwiki --human fleet validate "$VAULT/projects/llm-wiki/architecture/fleet.yaml"
133
+ skillwiki --human fleet context "$VAULT"
134
+ ```
135
+
136
+ If `identity_status` is `unknown` or `invalid`, treat the runtime as ephemeral: do not infer SSH/self aliases, sync authority, deploy authority, or protected-host permissions. Rerun with `--host-id <id>` only after the user confirms the current machine is that named fleet host.
137
+
113
138
  ## Typical Workflow
114
139
  1. **Init** (`wiki-init`) — create vault, set domain and taxonomy
115
140
  2. **Ingest** (`wiki-ingest`) — add sources, build pages
@@ -62,9 +62,10 @@ Map source sections to typed-knowledge pages:
62
62
  0. Resolve vault and language: `skillwiki path` and `skillwiki lang`.
63
63
  1. Classify the input format using the structural cues above.
64
64
  2. If URL source: run `skillwiki fetch-guard <url>`, then fetch.
65
- 3. Write raw capture: frontmatter + full body `raw/articles/<slug>.md`.
66
- 4. Run `skillwiki hash <raw-file>`, embed sha256.
67
- 5. Generate typed-knowledge pages following the mapping strategy.
65
+ 3. **Sensitive content guard.** Before writing the raw capture or generated pages, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself contains a live secret and would need to remain raw, STOP instead of preserving it.
66
+ 4. Write raw capture: frontmatter + full body → `raw/articles/<slug>.md`.
67
+ 5. Run `skillwiki hash <raw-file>`, embed sha256.
68
+ 6. Generate typed-knowledge pages following the mapping strategy.
68
69
  For generated comparison or evaluation pages, end the body with:
69
70
  ```markdown
70
71
  ## Decision Closeout
@@ -74,8 +75,8 @@ Map source sections to typed-knowledge pages:
74
75
  Follow-up: ...
75
76
  ```
76
77
  Use exactly one disposition. Preserve action items as skipped project-management content unless the closeout explicitly says `work-item`.
77
- 6. For each page: run `skillwiki validate <page>`. If any fails, STOP.
78
- 7. Write pages, then update `index.md` and `log.md`.
78
+ 7. For each page: run `skillwiki validate <page>`. If any fails, STOP.
79
+ 8. Write pages, then update `index.md` and `log.md`.
79
80
 
80
81
  ## Provenance defaults
81
82
 
@@ -87,6 +88,7 @@ Map source sections to typed-knowledge pages:
87
88
  - `fetch-guard` non-zero.
88
89
  - `validate` non-zero on any page.
89
90
  - sha256 already exists for the same source (skip — already ingested).
91
+ - Source or generated content contains unredacted live credentials or other authenticating secrets.
90
92
 
91
93
  ## Forbidden
92
94
 
@@ -94,3 +96,4 @@ Map source sections to typed-knowledge pages:
94
96
  - Writing index/log before all pages validate.
95
97
  - Modifying existing raw files (N9).
96
98
  - Auto-generating pages for action items, timelines, or process steps — those are project management, not knowledge.
99
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.
@@ -32,8 +32,9 @@ Run `skillwiki lang` at the start. Entry prose and `--human` summaries use the r
32
32
  - `text` — the idea/bug/task/note content (required)
33
33
  - `type` — one of: `idea`, `bug`, `task`, `note` (default: `idea`)
34
34
  - `project` — optional project slug to cross-reference (e.g., `llm-wiki`)
35
- 2. **Build filename.** Derive a slug from the first ~6 words of the text (lowercased, hyphens for spaces, non-alphanumeric stripped). The capture file is `raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`. Each capture gets its own file never append to an existing file.
36
- 3. **Write frontmatter.** Create the file with ad-hoc capture frontmatter:
35
+ 2. **Sensitive content guard.** Before writing a capture, scan the text for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact before writing. If the source text itself contains a live secret that must be preserved verbatim, STOP instead of filing it.
36
+ 3. **Build filename.** Derive a slug from the first ~6 words of the text (lowercased, hyphens for spaces, non-alphanumeric stripped). The capture file is `raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`. Each capture gets its own file — never append to an existing file.
37
+ 4. **Write frontmatter.** Create the file with ad-hoc capture frontmatter:
37
38
  ```yaml
38
39
  ---
39
40
  source_url:
@@ -47,19 +48,19 @@ project: "[[{slug}]]"
47
48
  - If no project, omit the `project` field entirely.
48
49
  - `source_url` is null (these are locally originated captures).
49
50
  - No `sha256` — ad-hoc captures are mutable working notes, not immutable sources.
50
- 4. **Write body.** Below the frontmatter, write:
51
+ 5. **Write body.** Below the frontmatter, write:
51
52
  ```markdown
52
53
  # {type}: {text}
53
54
  {text}
54
55
  ```
55
56
  Use the resolved output language for any prose. The type label and frontmatter stay English.
56
- 5. **Cross-reference (optional).** If a `project` slug was provided:
57
+ 6. **Cross-reference (optional).** If a `project` slug was provided:
57
58
  - Check that `projects/{slug}/` exists in the vault.
58
59
  - Append a one-line reference to the project's compound notes:
59
60
  `- [YYYY-MM-DD] capture: [text (first 60 chars)] → raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`
60
61
  - Do NOT create a full work item (that's `proj-work`'s job).
61
- 6. **Update log.md.** Append: `## [YYYY-MM-DD] capture | [type]: [text (first 60 chars)]`
62
- 7. **Confirm to user.** Report what was captured and where. Suggest next steps:
62
+ 7. **Update log.md.** Append: `## [YYYY-MM-DD] capture | [type]: [text (first 60 chars)]`
63
+ 8. **Confirm to user.** Report what was captured and where. Suggest next steps:
63
64
  - If `type: idea` → "Consider ingesting related sources to develop this idea."
64
65
  - If `type: bug` → "Use proj-work to create a bug-fix work item."
65
66
  - If `type: task` → "Use proj-work to track this task through the dev loop."
@@ -83,11 +84,13 @@ Ad-hoc captures omit `sha256` — they are mutable working notes, not immutable
83
84
  - `skillwiki path` returns NO_VAULT_CONFIGURED.
84
85
  - No `text` provided (prompt user once, then stop).
85
86
  - Target file already exists (use a different slug or add a suffix).
87
+ - Capture text contains unredacted live credentials or other authenticating secrets.
86
88
  ## Forbidden
87
89
  - Creating an `inbox/` directory. All captures go to `raw/transcripts/`.
88
90
  - Appending to existing capture files — each capture gets its own file.
89
91
  - Creating a work item — this is capture-only. Use `proj-work` for full work items.
90
92
  - Writing to any Layer 2 or Layer 3 location. Captures are Layer 1 (raw).
93
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.
91
94
  ## Filesystem drop (offline capture)
92
95
  When you're not in a Claude session, drop files directly into `raw/transcripts/`:
93
96
  1. Create a `.md` file in `raw/transcripts/` — name it descriptively (e.g., `2026-05-08-idea-fix-template.md`)
@@ -26,12 +26,15 @@ Reason: ...
26
26
  Follow-up: ...
27
27
  ```
28
28
  Use exactly one disposition. Keep this as a prompt/template convention; do not add validation or lint enforcement.
29
- 4. `skillwiki validate <page>`. If non-zero, STOP.
30
- 5. Apply writes: page `index.md` → `log.md`.
29
+ 4. **Sensitive content guard.** Before writing, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself contains a live secret and would need to remain raw, STOP instead of preserving it.
30
+ 5. `skillwiki validate <page>`. If non-zero, STOP.
31
+ 6. Apply writes: page → `index.md` → `log.md`.
31
32
  ## Stop conditions
32
33
  - `validate` non-zero.
33
34
  - Missing `provenance:` for project-context runs.
35
+ - Source or generated content contains unredacted live credentials or other authenticating secrets.
34
36
  ## Forbidden
35
37
  - Filing without explicit `provenance:`.
36
38
  - Updating `index.md` before `validate` passes.
37
39
  - Writing `[[wikilinks]]` to pages that don't exist in the vault. Before linking, verify the target exists: check `index.md` or `ls` the target directory. If the target doesn't exist yet, use plain text instead of a wikilink.
40
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.
@@ -19,8 +19,9 @@ Run `skillwiki lang` at the start. Generate page-body prose, narrative sections,
19
19
  1. **Guard.** For each URL: run `skillwiki fetch-guard <url>`. If exit ≠ 0, STOP and surface the error. Do not retry.
20
20
  2. **Fetch.** Use `web_fetch` (or read local file) under Layer 2 controls (the CLI Layer 2 fetcher applies in tests; in skill runtime use `web_fetch` directly and treat any error as STOP).
21
21
  3. **Identity guard.** Before writing raw files, ensure the target raw filename/title, `source_url`, fetched H1/title, and early body subject agree. If `skillwiki ingest` reports `INGEST_VALIDATION_FAILED` with `source identity conflict`, STOP. Do not fix by renaming after the fact; choose the correct title/source pair or ask the user.
22
- 4. **Hash.** Write the raw file (frontmatter + body). Run `skillwiki hash <raw-file>` and embed the result in raw frontmatter `sha256:`.
23
- 5. **Generate page(s).** Compose typed-knowledge page(s) with citations pre-attached (`^[raw/...]` markers). Every page MUST include:
22
+ 4. **Sensitive content guard.** Before writing or filing any vault page, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself must remain raw and contains a live secret, STOP instead of preserving it.
23
+ 5. **Hash.** Write the raw file (frontmatter + body). Run `skillwiki hash <raw-file>` and embed the result in raw frontmatter `sha256:`.
24
+ 6. **Generate page(s).** Compose typed-knowledge page(s) with citations pre-attached (`^[raw/...]` markers). Every page MUST include:
24
25
  - `> **TL;DR:**` blockquote as the first content after the title heading — a one-sentence summary of the page's key takeaway (under 200 chars). See SCHEMA.md `## TL;DR Convention`.
25
26
  - For pages tagged `architecture` or explaining workflows/systems: include a Mermaid diagram (`graph TB` or `sequenceDiagram`) in the body. Follow Obsidian-compatible Mermaid rules (see SCHEMA.md `## Mermaid Diagrams`).
26
27
  For generated `comparisons/` pages or evaluation-style `queries/` pages, end the body with:
@@ -32,9 +33,9 @@ Reason: ...
32
33
  Follow-up: ...
33
34
  ```
34
35
  Use exactly one disposition. Keep this as a prompt convention, not a validator rule.
35
- 6. **Validate.** For each generated page: run `skillwiki validate <page>`. If exit ≠ 0, STOP — do not write index/log.
36
- 7. **Apply writes in order.** raw → page(s) → `index.md` → `log.md`.
37
- 8. **Confidence flag.** If only one source is cited, set `confidence: low`.
36
+ 7. **Validate.** For each generated page: run `skillwiki validate <page>`. If exit ≠ 0, STOP — do not write index/log.
37
+ 8. **Apply writes in order.** raw → page(s) → `index.md` → `log.md`.
38
+ 9. **Confidence flag.** If only one source is cited, set `confidence: low`.
38
39
  ## Provenance defaults
39
40
  - Default `provenance: research`.
40
41
  - If cwd is inside `projects/{slug}/`, set `provenance: project` and add `provenance_projects: ["[[slug]]"]`.
@@ -47,6 +48,7 @@ Raw ephemeral data (market feeds, logs, transient JSON) must be written to the *
47
48
  - `fetch-guard` non-zero.
48
49
  - Fetch timeout / size limit exceeded.
49
50
  - `INGEST_VALIDATION_FAILED` with `source identity conflict`.
51
+ - Source or generated content contains unredacted live credentials or other authenticating secrets.
50
52
  - `validate` non-zero on any page.
51
53
  - sha256 already exists in vault for the same source.
52
54
  ## Forbidden
@@ -57,7 +59,7 @@ Raw ephemeral data (market feeds, logs, transient JSON) must be written to the *
57
59
  - Writing `[[wikilinks]]` to pages that don't exist in the vault. Before linking, verify the target exists: check `index.md` or `ls` the target directory. If the target doesn't exist yet, use plain text instead of a wikilink.
58
60
  ## Batch Mode
59
61
  When the user provides multiple sources (a directory of files, a list of URLs, or a multi-document input):
60
- 1. **Loop per source.** Execute steps 1–6 for each source individually (guard → fetch → identity guard → hash → generate → validate).
62
+ 1. **Loop per source.** Execute steps 1–7 for each source individually (guard → fetch → identity guard → sensitive content guard → hash → generate → validate).
61
63
  2. **Accumulate, don't write yet.** Collect all raw files and pages in memory. Do not write `index.md` or `log.md` until every source has validated.
62
64
  3. **Fail fast.** If any page fails validation, STOP. Report all failures. Do not write index/log for any source.
63
65
  4. **Deduplication.** Before writing each raw file, check `sha256` against existing vault raw sources. Skip sources whose content is already present.
@@ -15,12 +15,14 @@ Standard four reads.
15
15
  2. For lint-only maintenance, run `skillwiki lint <vault> --summary`. This returns bounded bucket counts, capped examples, and `details_command` hints without full item arrays.
16
16
  3. Drill into important buckets with `skillwiki lint <vault> --only <bucket>` when examples are insufficient for remediation.
17
17
  4. Reason over findings; present grouped by severity with concrete suggested actions per kind. If the CLI was recently updated with new lint checks, re-running lint on the full vault may flag pre-existing pages that predate the new rule — treat these as legitimate findings, not false positives.
18
- 5. If `log_rotate_needed` is present and the user consents, run `skillwiki log-rotate <vault> --apply`. Otherwise leave alone.
19
- 6. **Post-migration verification**: If the user recently migrated content (e.g., moved entity/concept pages to another vault), re-run `skillwiki lint <vault> --summary` and verify that broken_wikilinks count decreased. Remaining broken links for migrated content indicate pages still referencing the moved files — these should be cleaned up (remove citations or migrate the referencing pages too).
20
- 7. Append a `log.md` entry summarizing lint counts only when the user asked to record the maintenance result. Do not log routine `health` reports by default.
18
+ 5. Treat `sensitive_content` as a security error. Drill down with `skillwiki lint <vault> --only sensitive_content --human`. Redaction is allowed as a security exception to raw immutability only through `skillwiki lint <vault> --fix --only sensitive_content`; never print the secret value in the report.
19
+ 6. If `log_rotate_needed` is present and the user consents, run `skillwiki log-rotate <vault> --apply`. Otherwise leave alone.
20
+ 7. **Post-migration verification**: If the user recently migrated content (e.g., moved entity/concept pages to another vault), re-run `skillwiki lint <vault> --summary` and verify that broken_wikilinks count decreased. Remaining broken links for migrated content indicate pages still referencing the moved files these should be cleaned up (remove citations or migrate the referencing pages too).
21
+ 8. Append a `log.md` entry summarizing lint counts only when the user asked to record the maintenance result. Do not log routine `health` reports by default.
21
22
  ## Stop conditions
22
23
  None — lint reports all findings even on per-page errors.
23
24
  ## Forbidden
24
25
  - Auto-rotating logs.
25
26
  - Auto-updating sha256 fields.
26
27
  - Modifying any page beyond a user-approved lint summary entry in `log.md`.
28
+ - Printing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets in findings or summaries.
@@ -22,7 +22,8 @@ Standard four reads (SCHEMA, index, log, project context if applicable).
22
22
  - Type affinity: 1.0×
23
23
  5. **Read top candidates** in full (frontmatter + body).
24
24
  6. **Synthesize answer** with explicit citations to the candidate pages.
25
- 7. **Optional file.** If user accepts: write to `queries/<slug>.md` or `comparisons/<slug>.md` with full frontmatter, validate, then update `index.md` then `log.md`. If the filed page is a research/evaluation answer, recommendation, or comparison, end it with:
25
+ 7. **Sensitive content guard.** Before filing any query or comparison page, scan the generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact before writing. If the answer depends on preserving a live secret, STOP and ask for a redacted source or explicit rotation/remediation direction.
26
+ 8. **Optional file.** If user accepts: write to `queries/<slug>.md` or `comparisons/<slug>.md` with full frontmatter, validate, then update `index.md` then `log.md`. If the filed page is a research/evaluation answer, recommendation, or comparison, end it with:
26
27
  ```markdown
27
28
  ## Decision Closeout
28
29
 
@@ -34,6 +35,7 @@ Use exactly one disposition. This is a prompt convention only; do not add CLI en
34
35
  ## Stop conditions
35
36
  - Zero matching pages.
36
37
  - User declines to file.
38
+ - Generated filed content contains unredacted live credentials or other authenticating secrets.
37
39
  ## Pitfalls
38
40
  ### Claimed-status vs actual-state gap
39
41
  When a wiki page (especially a work item `tasks.md`) claims that fixes were applied, features were completed, or files were removed — **verify on disk before accepting the claim**. In one incident, a `tasks.md` marked 6 items DONE but 5 were not actually applied: a script claimed "removed" was still 2020 bytes on disk, a crontab claimed "updated to 30min" was still `*/10`, and a build target claimed "verified has consumers" had no web server serving it.
@@ -41,3 +43,4 @@ When a wiki page (especially a work item `tasks.md`) claims that fixes were appl
41
43
  ## Forbidden
42
44
  - Filing without `validate` passing.
43
45
  - Skipping the orientation reads even for "quick" queries.
46
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.
@@ -55,6 +55,10 @@ sha256: # computed by skillwiki hash over body bytes after closing ---
55
55
  **Layer 2 — Typed Knowledge:** `entities/`, `concepts/`, `comparisons/`, `queries/`, `meta/`. Agent-owned pages with `^[raw/...]` citation markers at paragraph-end. Global scope — project association via `provenance_projects:` frontmatter, not directory nesting.
56
56
  **Layer 3 — Project Workspaces (`projects/{slug}/`):** Per-project lifecycle directories with `work/` (spec + plan + retro), `compound/` (distilled lessons/patterns), `architecture/` (ADRs), and `history/` (archived specs/plans).
57
57
  **No `inbox/` directory.** Ad-hoc captures go to `raw/transcripts/` or directly into a project work item via `proj-work`. Do not invent new top-level directories — extend Layer 2 via SCHEMA.md tag taxonomy if needed.
58
+
59
+ ## Sensitive Content Policy
60
+ Vault content must not contain live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets. This includes development-only and local-only credentials. Redact values before filing using `[REDACTED:<kind>]` or `[REDACTED:<kind>:<fingerprint>]`. If a source contains live secrets, stop and ask for a redacted source or explicit rotation/remediation direction; do not preserve the secret in `raw/`.
61
+
58
62
  ### Ad-hoc capture: three entry points
59
63
  | Entry | When | What happens |
60
64
  |-------|------|-------------|
@@ -107,9 +111,30 @@ Use `prd_layer` + `prd_pipeline` from `.claude/dev-loop.config.md` as source of
107
111
 
108
112
  ## CLI Backbone
109
113
  All skills are backed by the `skillwiki` CLI — a deterministic tool with no LLM calls. It handles path resolution, config management, validation, health reporting, and linting. Skills invoke it via Bash for the mechanical parts and use Claude for the creative parts.
110
- Key CLI subcommands: `init`, `health`, `lint`, `config`, `doctor`, `path`, `lang`, `install`, `graph build`, `archive`, `drift`, `compound`, `tag-sync`, `sync status`, `seed`, `stale`, `observe`, `canvas generate`.
114
+ Key CLI subcommands: `init`, `health`, `lint`, `config`, `doctor`, `path`, `lang`, `install`, `fleet context`, `fleet validate`, `graph build`, `archive`, `drift`, `compound`, `tag-sync`, `sync status`, `seed`, `stale`, `observe`, `canvas generate`.
111
115
  Run `skillwiki health <vault> --out /tmp/skillwiki-health.json --no-fail` for a bounded whole-system report that includes doctor, lint, vault-sync, query-readiness, source-freshness, risk flags, and self-check coverage. Run `skillwiki lint <vault> --summary` for lint-only bucket counts with capped examples and details commands. Run `skillwiki doctor` to diagnose setup/runtime issues only. Run `skillwiki config list` to see current configuration.
112
116
 
117
+ ## Runtime Host Context and Fleet Freshness
118
+ The live output of `skillwiki --human fleet context <vault>` is authoritative for host identity. It overrides stale injected SessionStart context, remembered workspace context, and prior conversation summaries. `fleet context` is local and network-free; it reports `identity_status`, resolver trace, warnings, and the fact that remote freshness was not checked.
119
+
120
+ Use the local identity check for ordinary runtime context:
121
+ ```bash
122
+ VAULT="$(skillwiki --human path | sed 's/ (via.*//')"
123
+ skillwiki --human fleet validate "$VAULT/projects/llm-wiki/architecture/fleet.yaml"
124
+ skillwiki --human fleet context "$VAULT"
125
+ ```
126
+
127
+ Use the remote freshness flow before SSH, sync, deploy, install/uninstall, snapshot, protected-host work, editing `fleet.yaml`, or claiming "fleet is up to date":
128
+ ```bash
129
+ VAULT="$(skillwiki --human path | sed 's/ (via.*//')"
130
+ git -C "$VAULT" fetch origin main --prune
131
+ skillwiki --human sync status "$VAULT"
132
+ skillwiki --human fleet validate "$VAULT/projects/llm-wiki/architecture/fleet.yaml"
133
+ skillwiki --human fleet context "$VAULT"
134
+ ```
135
+
136
+ If `identity_status` is `unknown` or `invalid`, treat the runtime as ephemeral: do not infer SSH/self aliases, sync authority, deploy authority, or protected-host permissions. Rerun with `--host-id <id>` only after the user confirms the current machine is that named fleet host.
137
+
113
138
  ## Typical Workflow
114
139
  1. **Init** (`wiki-init`) — create vault, set domain and taxonomy
115
140
  2. **Ingest** (`wiki-ingest`) — add sources, build pages