skillwiki 0.9.1 → 0.9.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (34) hide show
  1. package/dist/cli.js +1125 -683
  2. package/package.json +1 -1
  3. package/skills/.claude-plugin/plugin.json +1 -1
  4. package/skills/.codex-plugin/plugin.json +1 -1
  5. package/skills/agents/proj-decide.md +1 -0
  6. package/skills/agents/proj-distill.md +1 -0
  7. package/skills/agents/proj-init.md +1 -0
  8. package/skills/agents/proj-work.md +1 -0
  9. package/skills/agents/wiki-adapter-prd.md +8 -5
  10. package/skills/agents/wiki-add-task.md +8 -5
  11. package/skills/agents/wiki-archive.md +1 -0
  12. package/skills/agents/wiki-audit.md +1 -0
  13. package/skills/agents/wiki-canvas.md +1 -0
  14. package/skills/agents/wiki-crystallize.md +5 -2
  15. package/skills/agents/wiki-ingest.md +8 -5
  16. package/skills/agents/wiki-lint.md +5 -3
  17. package/skills/agents/wiki-query.md +4 -1
  18. package/skills/agents/wiki-reingest.md +6 -3
  19. package/skills/agents/wiki-sync.md +1 -0
  20. package/skills/package.json +1 -1
  21. package/skills/skills/using-skillwiki/SKILL.md +26 -1
  22. package/skills/skills/wiki-adapter-prd/SKILL.md +8 -5
  23. package/skills/skills/wiki-add-task/SKILL.md +9 -6
  24. package/skills/skills/wiki-crystallize/SKILL.md +5 -2
  25. package/skills/skills/wiki-ingest/SKILL.md +8 -6
  26. package/skills/skills/wiki-lint/SKILL.md +5 -3
  27. package/skills/skills/wiki-query/SKILL.md +4 -1
  28. package/skills/using-skillwiki/SKILL.md +26 -1
  29. package/skills/wiki-adapter-prd/SKILL.md +8 -5
  30. package/skills/wiki-add-task/SKILL.md +9 -6
  31. package/skills/wiki-crystallize/SKILL.md +5 -2
  32. package/skills/wiki-ingest/SKILL.md +8 -6
  33. package/skills/wiki-lint/SKILL.md +5 -3
  34. package/skills/wiki-query/SKILL.md +4 -1
@@ -62,9 +62,10 @@ Map source sections to typed-knowledge pages:
62
62
  0. Resolve vault and language: `skillwiki path` and `skillwiki lang`.
63
63
  1. Classify the input format using the structural cues above.
64
64
  2. If URL source: run `skillwiki fetch-guard <url>`, then fetch.
65
- 3. Write raw capture: frontmatter + full body `raw/articles/<slug>.md`.
66
- 4. Run `skillwiki hash <raw-file>`, embed sha256.
67
- 5. Generate typed-knowledge pages following the mapping strategy.
65
+ 3. **Sensitive content guard.** Before writing the raw capture or generated pages, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself contains a live secret and would need to remain raw, STOP instead of preserving it.
66
+ 4. Write raw capture: frontmatter + full body → `raw/articles/<slug>.md`.
67
+ 5. Run `skillwiki hash <raw-file>`, embed sha256.
68
+ 6. Generate typed-knowledge pages following the mapping strategy.
68
69
  For generated comparison or evaluation pages, end the body with:
69
70
  ```markdown
70
71
  ## Decision Closeout
@@ -74,8 +75,8 @@ Map source sections to typed-knowledge pages:
74
75
  Follow-up: ...
75
76
  ```
76
77
  Use exactly one disposition. Preserve action items as skipped project-management content unless the closeout explicitly says `work-item`.
77
- 6. For each page: run `skillwiki validate <page>`. If any fails, STOP.
78
- 7. Write pages, then update `index.md` and `log.md`.
78
+ 7. For each page: run `skillwiki validate <page>`. If any fails, STOP.
79
+ 8. Write pages, then update `index.md` and `log.md`.
79
80
 
80
81
  ## Provenance defaults
81
82
 
@@ -87,6 +88,7 @@ Map source sections to typed-knowledge pages:
87
88
  - `fetch-guard` non-zero.
88
89
  - `validate` non-zero on any page.
89
90
  - sha256 already exists for the same source (skip — already ingested).
91
+ - Source or generated content contains unredacted live credentials or other authenticating secrets.
90
92
 
91
93
  ## Forbidden
92
94
 
@@ -94,3 +96,4 @@ Map source sections to typed-knowledge pages:
94
96
  - Writing index/log before all pages validate.
95
97
  - Modifying existing raw files (N9).
96
98
  - Auto-generating pages for action items, timelines, or process steps — those are project management, not knowledge.
99
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.
@@ -32,8 +32,9 @@ Run `skillwiki lang` at the start. Entry prose and `--human` summaries use the r
32
32
  - `text` — the idea/bug/task/note content (required)
33
33
  - `type` — one of: `idea`, `bug`, `task`, `note` (default: `idea`)
34
34
  - `project` — optional project slug to cross-reference (e.g., `llm-wiki`)
35
- 2. **Build filename.** Derive a slug from the first ~6 words of the text (lowercased, hyphens for spaces, non-alphanumeric stripped). The capture file is `raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`. Each capture gets its own file never append to an existing file.
36
- 3. **Write frontmatter.** Create the file with ad-hoc capture frontmatter:
35
+ 2. **Sensitive content guard.** Before writing a capture, scan the text for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact before writing. If the source text itself contains a live secret that must be preserved verbatim, STOP instead of filing it.
36
+ 3. **Build filename.** Derive a slug from the first ~6 words of the text (lowercased, hyphens for spaces, non-alphanumeric stripped). The capture file is `raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`. Each capture gets its own file — never append to an existing file.
37
+ 4. **Write frontmatter.** Create the file with ad-hoc capture frontmatter:
37
38
  ```yaml
38
39
  ---
39
40
  source_url:
@@ -47,19 +48,19 @@ project: "[[{slug}]]"
47
48
  - If no project, omit the `project` field entirely.
48
49
  - `source_url` is null (these are locally originated captures).
49
50
  - No `sha256` — ad-hoc captures are mutable working notes, not immutable sources.
50
- 4. **Write body.** Below the frontmatter, write:
51
+ 5. **Write body.** Below the frontmatter, write:
51
52
  ```markdown
52
53
  # {type}: {text}
53
54
  {text}
54
55
  ```
55
56
  Use the resolved output language for any prose. The type label and frontmatter stay English.
56
- 5. **Cross-reference (optional).** If a `project` slug was provided:
57
+ 6. **Cross-reference (optional).** If a `project` slug was provided:
57
58
  - Check that `projects/{slug}/` exists in the vault.
58
59
  - Append a one-line reference to the project's compound notes:
59
60
  `- [YYYY-MM-DD] capture: [text (first 60 chars)] → raw/transcripts/YYYY-MM-DD-{type}-{slug}.md`
60
61
  - Do NOT create a full work item (that's `proj-work`'s job).
61
- 6. **Update log.md.** Append: `## [YYYY-MM-DD] capture | [type]: [text (first 60 chars)]`
62
- 7. **Confirm to user.** Report what was captured and where. Suggest next steps:
62
+ 7. **Update log.md.** Append: `## [YYYY-MM-DD] capture | [type]: [text (first 60 chars)]`
63
+ 8. **Confirm to user.** Report what was captured and where. Suggest next steps:
63
64
  - If `type: idea` → "Consider ingesting related sources to develop this idea."
64
65
  - If `type: bug` → "Use proj-work to create a bug-fix work item."
65
66
  - If `type: task` → "Use proj-work to track this task through the dev loop."
@@ -83,11 +84,13 @@ Ad-hoc captures omit `sha256` — they are mutable working notes, not immutable
83
84
  - `skillwiki path` returns NO_VAULT_CONFIGURED.
84
85
  - No `text` provided (prompt user once, then stop).
85
86
  - Target file already exists (use a different slug or add a suffix).
87
+ - Capture text contains unredacted live credentials or other authenticating secrets.
86
88
  ## Forbidden
87
89
  - Creating an `inbox/` directory. All captures go to `raw/transcripts/`.
88
90
  - Appending to existing capture files — each capture gets its own file.
89
91
  - Creating a work item — this is capture-only. Use `proj-work` for full work items.
90
92
  - Writing to any Layer 2 or Layer 3 location. Captures are Layer 1 (raw).
93
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.
91
94
  ## Filesystem drop (offline capture)
92
95
  When you're not in a Claude session, drop files directly into `raw/transcripts/`:
93
96
  1. Create a `.md` file in `raw/transcripts/` — name it descriptively (e.g., `2026-05-08-idea-fix-template.md`)
@@ -26,12 +26,15 @@ Reason: ...
26
26
  Follow-up: ...
27
27
  ```
28
28
  Use exactly one disposition. Keep this as a prompt/template convention; do not add validation or lint enforcement.
29
- 4. `skillwiki validate <page>`. If non-zero, STOP.
30
- 5. Apply writes: page `index.md` → `log.md`.
29
+ 4. **Sensitive content guard.** Before writing, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself contains a live secret and would need to remain raw, STOP instead of preserving it.
30
+ 5. `skillwiki validate <page>`. If non-zero, STOP.
31
+ 6. Apply writes: page → `index.md` → `log.md`.
31
32
  ## Stop conditions
32
33
  - `validate` non-zero.
33
34
  - Missing `provenance:` for project-context runs.
35
+ - Source or generated content contains unredacted live credentials or other authenticating secrets.
34
36
  ## Forbidden
35
37
  - Filing without explicit `provenance:`.
36
38
  - Updating `index.md` before `validate` passes.
37
39
  - Writing `[[wikilinks]]` to pages that don't exist in the vault. Before linking, verify the target exists: check `index.md` or `ls` the target directory. If the target doesn't exist yet, use plain text instead of a wikilink.
40
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.
@@ -19,8 +19,9 @@ Run `skillwiki lang` at the start. Generate page-body prose, narrative sections,
19
19
  1. **Guard.** For each URL: run `skillwiki fetch-guard <url>`. If exit ≠ 0, STOP and surface the error. Do not retry.
20
20
  2. **Fetch.** Use `web_fetch` (or read local file) under Layer 2 controls (the CLI Layer 2 fetcher applies in tests; in skill runtime use `web_fetch` directly and treat any error as STOP).
21
21
  3. **Identity guard.** Before writing raw files, ensure the target raw filename/title, `source_url`, fetched H1/title, and early body subject agree. If `skillwiki ingest` reports `INGEST_VALIDATION_FAILED` with `source identity conflict`, STOP. Do not fix by renaming after the fact; choose the correct title/source pair or ask the user.
22
- 4. **Hash.** Write the raw file (frontmatter + body). Run `skillwiki hash <raw-file>` and embed the result in raw frontmatter `sha256:`.
23
- 5. **Generate page(s).** Compose typed-knowledge page(s) with citations pre-attached (`^[raw/...]` markers). Every page MUST include:
22
+ 4. **Sensitive content guard.** Before writing or filing any vault page, scan the source and generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact generated prose before writing. If the source itself must remain raw and contains a live secret, STOP instead of preserving it.
23
+ 5. **Hash.** Write the raw file (frontmatter + body). Run `skillwiki hash <raw-file>` and embed the result in raw frontmatter `sha256:`.
24
+ 6. **Generate page(s).** Compose typed-knowledge page(s) with citations pre-attached (`^[raw/...]` markers). Every page MUST include:
24
25
  - `> **TL;DR:**` blockquote as the first content after the title heading — a one-sentence summary of the page's key takeaway (under 200 chars). See SCHEMA.md `## TL;DR Convention`.
25
26
  - For pages tagged `architecture` or explaining workflows/systems: include a Mermaid diagram (`graph TB` or `sequenceDiagram`) in the body. Follow Obsidian-compatible Mermaid rules (see SCHEMA.md `## Mermaid Diagrams`).
26
27
  For generated `comparisons/` pages or evaluation-style `queries/` pages, end the body with:
@@ -32,9 +33,9 @@ Reason: ...
32
33
  Follow-up: ...
33
34
  ```
34
35
  Use exactly one disposition. Keep this as a prompt convention, not a validator rule.
35
- 6. **Validate.** For each generated page: run `skillwiki validate <page>`. If exit ≠ 0, STOP — do not write index/log.
36
- 7. **Apply writes in order.** raw → page(s) → `index.md` → `log.md`.
37
- 8. **Confidence flag.** If only one source is cited, set `confidence: low`.
36
+ 7. **Validate.** For each generated page: run `skillwiki validate <page>`. If exit ≠ 0, STOP — do not write index/log.
37
+ 8. **Apply writes in order.** raw → page(s) → `index.md` → `log.md`.
38
+ 9. **Confidence flag.** If only one source is cited, set `confidence: low`.
38
39
  ## Provenance defaults
39
40
  - Default `provenance: research`.
40
41
  - If cwd is inside `projects/{slug}/`, set `provenance: project` and add `provenance_projects: ["[[slug]]"]`.
@@ -47,6 +48,7 @@ Raw ephemeral data (market feeds, logs, transient JSON) must be written to the *
47
48
  - `fetch-guard` non-zero.
48
49
  - Fetch timeout / size limit exceeded.
49
50
  - `INGEST_VALIDATION_FAILED` with `source identity conflict`.
51
+ - Source or generated content contains unredacted live credentials or other authenticating secrets.
50
52
  - `validate` non-zero on any page.
51
53
  - sha256 already exists in vault for the same source.
52
54
  ## Forbidden
@@ -57,7 +59,7 @@ Raw ephemeral data (market feeds, logs, transient JSON) must be written to the *
57
59
  - Writing `[[wikilinks]]` to pages that don't exist in the vault. Before linking, verify the target exists: check `index.md` or `ls` the target directory. If the target doesn't exist yet, use plain text instead of a wikilink.
58
60
  ## Batch Mode
59
61
  When the user provides multiple sources (a directory of files, a list of URLs, or a multi-document input):
60
- 1. **Loop per source.** Execute steps 1–6 for each source individually (guard → fetch → identity guard → hash → generate → validate).
62
+ 1. **Loop per source.** Execute steps 1–7 for each source individually (guard → fetch → identity guard → sensitive content guard → hash → generate → validate).
61
63
  2. **Accumulate, don't write yet.** Collect all raw files and pages in memory. Do not write `index.md` or `log.md` until every source has validated.
62
64
  3. **Fail fast.** If any page fails validation, STOP. Report all failures. Do not write index/log for any source.
63
65
  4. **Deduplication.** Before writing each raw file, check `sha256` against existing vault raw sources. Skip sources whose content is already present.
@@ -15,12 +15,14 @@ Standard four reads.
15
15
  2. For lint-only maintenance, run `skillwiki lint <vault> --summary`. This returns bounded bucket counts, capped examples, and `details_command` hints without full item arrays.
16
16
  3. Drill into important buckets with `skillwiki lint <vault> --only <bucket>` when examples are insufficient for remediation.
17
17
  4. Reason over findings; present grouped by severity with concrete suggested actions per kind. If the CLI was recently updated with new lint checks, re-running lint on the full vault may flag pre-existing pages that predate the new rule — treat these as legitimate findings, not false positives.
18
- 5. If `log_rotate_needed` is present and the user consents, run `skillwiki log-rotate <vault> --apply`. Otherwise leave alone.
19
- 6. **Post-migration verification**: If the user recently migrated content (e.g., moved entity/concept pages to another vault), re-run `skillwiki lint <vault> --summary` and verify that broken_wikilinks count decreased. Remaining broken links for migrated content indicate pages still referencing the moved files — these should be cleaned up (remove citations or migrate the referencing pages too).
20
- 7. Append a `log.md` entry summarizing lint counts only when the user asked to record the maintenance result. Do not log routine `health` reports by default.
18
+ 5. Treat `sensitive_content` as a security error. Drill down with `skillwiki lint <vault> --only sensitive_content --human`. Redaction is allowed as a security exception to raw immutability only through `skillwiki lint <vault> --fix --only sensitive_content`; never print the secret value in the report.
19
+ 6. If `log_rotate_needed` is present and the user consents, run `skillwiki log-rotate <vault> --apply`. Otherwise leave alone.
20
+ 7. **Post-migration verification**: If the user recently migrated content (e.g., moved entity/concept pages to another vault), re-run `skillwiki lint <vault> --summary` and verify that broken_wikilinks count decreased. Remaining broken links for migrated content indicate pages still referencing the moved files these should be cleaned up (remove citations or migrate the referencing pages too).
21
+ 8. Append a `log.md` entry summarizing lint counts only when the user asked to record the maintenance result. Do not log routine `health` reports by default.
21
22
  ## Stop conditions
22
23
  None — lint reports all findings even on per-page errors.
23
24
  ## Forbidden
24
25
  - Auto-rotating logs.
25
26
  - Auto-updating sha256 fields.
26
27
  - Modifying any page beyond a user-approved lint summary entry in `log.md`.
28
+ - Printing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets in findings or summaries.
@@ -22,7 +22,8 @@ Standard four reads (SCHEMA, index, log, project context if applicable).
22
22
  - Type affinity: 1.0×
23
23
  5. **Read top candidates** in full (frontmatter + body).
24
24
  6. **Synthesize answer** with explicit citations to the candidate pages.
25
- 7. **Optional file.** If user accepts: write to `queries/<slug>.md` or `comparisons/<slug>.md` with full frontmatter, validate, then update `index.md` then `log.md`. If the filed page is a research/evaluation answer, recommendation, or comparison, end it with:
25
+ 7. **Sensitive content guard.** Before filing any query or comparison page, scan the generated body for live credentials, access keys, tokens, passwords, cookies, bearer headers, or private keys. Redact before writing. If the answer depends on preserving a live secret, STOP and ask for a redacted source or explicit rotation/remediation direction.
26
+ 8. **Optional file.** If user accepts: write to `queries/<slug>.md` or `comparisons/<slug>.md` with full frontmatter, validate, then update `index.md` then `log.md`. If the filed page is a research/evaluation answer, recommendation, or comparison, end it with:
26
27
  ```markdown
27
28
  ## Decision Closeout
28
29
 
@@ -34,6 +35,7 @@ Use exactly one disposition. This is a prompt convention only; do not add CLI en
34
35
  ## Stop conditions
35
36
  - Zero matching pages.
36
37
  - User declines to file.
38
+ - Generated filed content contains unredacted live credentials or other authenticating secrets.
37
39
  ## Pitfalls
38
40
  ### Claimed-status vs actual-state gap
39
41
  When a wiki page (especially a work item `tasks.md`) claims that fixes were applied, features were completed, or files were removed — **verify on disk before accepting the claim**. In one incident, a `tasks.md` marked 6 items DONE but 5 were not actually applied: a script claimed "removed" was still 2020 bytes on disk, a crontab claimed "updated to 30min" was still `*/10`, and a build target claimed "verified has consumers" had no web server serving it.
@@ -41,3 +43,4 @@ When a wiki page (especially a work item `tasks.md`) claims that fixes were appl
41
43
  ## Forbidden
42
44
  - Filing without `validate` passing.
43
45
  - Skipping the orientation reads even for "quick" queries.
46
+ - Writing live credentials, access keys, tokens, passwords, cookies, bearer headers, private keys, or other authenticating secrets to the vault.