vibesuite 1.3.3 → 2.0.2

package/assets/.agent/skills/convex-security-check/SKILL.md

@@ -0,0 +1,378 @@
+---
+name: convex-security-check
+displayName: Convex Security Check
+description: Quick security audit checklist covering authentication, function exposure, argument validation, row-level access control, and environment variable handling
+version: 1.0.0
+author: Convex
+tags: [convex, security, authentication, authorization, checklist]
+---
+
+# Convex Security Check
+
+A quick security audit checklist for Convex applications covering authentication, function exposure, argument validation, row-level access control, and environment variable handling.
+
+## Documentation Sources
+
+Before implementing, do not assume; fetch the latest documentation:
+
+- Primary: https://docs.convex.dev/auth
+- Production Security: https://docs.convex.dev/production
+- Functions Auth: https://docs.convex.dev/auth/functions-auth
+- For broader context: https://docs.convex.dev/llms.txt
+
+## Instructions
+
+### Security Checklist
+
+Use this checklist to quickly audit your Convex application's security:
+
+#### 1. Authentication
+
+- [ ] Authentication provider configured (Clerk, Auth0, etc.)
+- [ ] All sensitive queries check `ctx.auth.getUserIdentity()`
+- [ ] Unauthenticated access explicitly allowed where intended
+- [ ] Session tokens properly validated
+
+#### 2. Function Exposure
+
+- [ ] Public functions (`query`, `mutation`, `action`) reviewed
+- [ ] Internal functions use `internalQuery`, `internalMutation`, `internalAction`
+- [ ] No sensitive operations exposed as public functions
+- [ ] HTTP actions validate origin/authentication
+
+#### 3. Argument Validation
+
+- [ ] All functions have explicit `args` validators
+- [ ] All functions have explicit `returns` validators
+- [ ] No `v.any()` used for sensitive data
+- [ ] ID validators use correct table names
+
+#### 4. Row-Level Access Control
+
+- [ ] Users can only access their own data
+- [ ] Admin functions check user roles
+- [ ] Shared resources have proper access checks
+- [ ] Deletion functions verify ownership
+
+#### 5. Environment Variables
+
+- [ ] API keys stored in environment variables
+- [ ] No secrets in code or schema
+- [ ] Different keys for dev/prod environments
+- [ ] Environment variables accessed only in actions
+
+### Authentication Check
+
+```typescript
+// convex/auth.ts
+import { query, mutation } from "./_generated/server";
+import { v } from "convex/values";
+import { ConvexError } from "convex/values";
+
+// Helper to require authentication
+async function requireAuth(ctx: QueryCtx | MutationCtx) {
+  const identity = await ctx.auth.getUserIdentity();
+  if (!identity) {
+    throw new ConvexError("Authentication required");
+  }
+  return identity;
+}
+
+// Secure query pattern
+export const getMyProfile = query({
+  args: {},
+  returns: v.union(v.object({
+    _id: v.id("users"),
+    name: v.string(),
+    email: v.string(),
+  }), v.null()),
+  handler: async (ctx) => {
+    const identity = await requireAuth(ctx);
+    
+    return await ctx.db
+      .query("users")
+      .withIndex("by_tokenIdentifier", (q) => 
+        q.eq("tokenIdentifier", identity.tokenIdentifier)
+      )
+      .unique();
+  },
+});
+```
+
+### Function Exposure Check
+
+```typescript
+// PUBLIC - Exposed to clients (review carefully!)
+export const listPublicPosts = query({
+  args: {},
+  returns: v.array(v.object({ /* ... */ })),
+  handler: async (ctx) => {
+    // Anyone can call this - intentionally public
+    return await ctx.db
+      .query("posts")
+      .withIndex("by_public", (q) => q.eq("isPublic", true))
+      .collect();
+  },
+});
+
+// INTERNAL - Only callable from other Convex functions
+export const _updateUserCredits = internalMutation({
+  args: { userId: v.id("users"), amount: v.number() },
+  returns: v.null(),
+  handler: async (ctx, args) => {
+    // This cannot be called directly from clients
+    await ctx.db.patch(args.userId, {
+      credits: args.amount,
+    });
+    return null;
+  },
+});
+```
+
+### Argument Validation Check
+
+```typescript
+// GOOD: Strict validation
+export const createPost = mutation({
+  args: {
+    title: v.string(),
+    content: v.string(),
+    category: v.union(
+      v.literal("tech"),
+      v.literal("news"),
+      v.literal("other")
+    ),
+  },
+  returns: v.id("posts"),
+  handler: async (ctx, args) => {
+    const identity = await requireAuth(ctx);
+    return await ctx.db.insert("posts", {
+      ...args,
+      authorId: identity.tokenIdentifier,
+    });
+  },
+});
+
+// BAD: Weak validation
+export const createPostUnsafe = mutation({
+  args: {
+    data: v.any(), // DANGEROUS: Allows any data
+  },
+  returns: v.id("posts"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("posts", args.data);
+  },
+});
+```
+
+### Row-Level Access Control Check
+
+```typescript
+// Verify ownership before update
+export const updateTask = mutation({
+  args: {
+    taskId: v.id("tasks"),
+    title: v.string(),
+  },
+  returns: v.null(),
+  handler: async (ctx, args) => {
+    const identity = await requireAuth(ctx);
+    
+    const task = await ctx.db.get(args.taskId);
+    
+    // Check ownership
+    if (!task || task.userId !== identity.tokenIdentifier) {
+      throw new ConvexError("Not authorized to update this task");
+    }
+    
+    await ctx.db.patch(args.taskId, { title: args.title });
+    return null;
+  },
+});
+
+// Verify ownership before delete
+export const deleteTask = mutation({
+  args: { taskId: v.id("tasks") },
+  returns: v.null(),
+  handler: async (ctx, args) => {
+    const identity = await requireAuth(ctx);
+    
+    const task = await ctx.db.get(args.taskId);
+    
+    if (!task || task.userId !== identity.tokenIdentifier) {
+      throw new ConvexError("Not authorized to delete this task");
+    }
+    
+    await ctx.db.delete(args.taskId);
+    return null;
+  },
+});
+```
+
+### Environment Variables Check
+
+```typescript
+// convex/actions.ts
+"use node";
+
+import { action } from "./_generated/server";
+import { v } from "convex/values";
+
+export const sendEmail = action({
+  args: {
+    to: v.string(),
+    subject: v.string(),
+    body: v.string(),
+  },
+  returns: v.object({ success: v.boolean() }),
+  handler: async (ctx, args) => {
+    // Access API key from environment
+    const apiKey = process.env.RESEND_API_KEY;
+    
+    if (!apiKey) {
+      throw new Error("RESEND_API_KEY not configured");
+    }
+    
+    const response = await fetch("https://api.resend.com/emails", {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        from: "noreply@example.com",
+        to: args.to,
+        subject: args.subject,
+        html: args.body,
+      }),
+    });
+    
+    return { success: response.ok };
+  },
+});
+```
+
+## Examples
+
+### Complete Security Pattern
+
+```typescript
+// convex/secure.ts
+import { query, mutation, internalMutation } from "./_generated/server";
+import { v } from "convex/values";
+import { ConvexError } from "convex/values";
+
+// Authentication helper
+async function getAuthenticatedUser(ctx: QueryCtx | MutationCtx) {
+  const identity = await ctx.auth.getUserIdentity();
+  if (!identity) {
+    throw new ConvexError({
+      code: "UNAUTHENTICATED",
+      message: "You must be logged in",
+    });
+  }
+  
+  const user = await ctx.db
+    .query("users")
+    .withIndex("by_tokenIdentifier", (q) => 
+      q.eq("tokenIdentifier", identity.tokenIdentifier)
+    )
+    .unique();
+    
+  if (!user) {
+    throw new ConvexError({
+      code: "USER_NOT_FOUND",
+      message: "User profile not found",
+    });
+  }
+  
+  return user;
+}
+
+// Check admin role
+async function requireAdmin(ctx: QueryCtx | MutationCtx) {
+  const user = await getAuthenticatedUser(ctx);
+  
+  if (user.role !== "admin") {
+    throw new ConvexError({
+      code: "FORBIDDEN",
+      message: "Admin access required",
+    });
+  }
+  
+  return user;
+}
+
+// Public: List own tasks
+export const listMyTasks = query({
+  args: {},
+  returns: v.array(v.object({
+    _id: v.id("tasks"),
+    title: v.string(),
+    completed: v.boolean(),
+  })),
+  handler: async (ctx) => {
+    const user = await getAuthenticatedUser(ctx);
+    
+    return await ctx.db
+      .query("tasks")
+      .withIndex("by_user", (q) => q.eq("userId", user._id))
+      .collect();
+  },
+});
+
+// Admin only: List all users
+export const listAllUsers = query({
+  args: {},
+  returns: v.array(v.object({
+    _id: v.id("users"),
+    name: v.string(),
+    role: v.string(),
+  })),
+  handler: async (ctx) => {
+    await requireAdmin(ctx);
+    
+    return await ctx.db.query("users").collect();
+  },
+});
+
+// Internal: Update user role (never exposed)
+export const _setUserRole = internalMutation({
+  args: {
+    userId: v.id("users"),
+    role: v.union(v.literal("user"), v.literal("admin")),
+  },
+  returns: v.null(),
+  handler: async (ctx, args) => {
+    await ctx.db.patch(args.userId, { role: args.role });
+    return null;
+  },
+});
+```
+
+## Best Practices
+
+- Never run `npx convex deploy` unless explicitly instructed
+- Never run any git commands unless explicitly instructed
+- Always verify user identity before returning sensitive data
+- Use internal functions for sensitive operations
+- Validate all arguments with strict validators
+- Check ownership before update/delete operations
+- Store API keys in environment variables
+- Review all public functions for security implications
+
+## Common Pitfalls
+
+1. **Missing authentication checks** - Always verify identity
+2. **Exposing internal operations** - Use internalMutation/Query
+3. **Trusting client-provided IDs** - Verify ownership
+4. **Using v.any() for arguments** - Use specific validators
+5. **Hardcoding secrets** - Use environment variables
+
+## References
+
+- Convex Documentation: https://docs.convex.dev/
+- Convex LLMs.txt: https://docs.convex.dev/llms.txt
+- Authentication: https://docs.convex.dev/auth
+- Production Security: https://docs.convex.dev/production
+- Functions Auth: https://docs.convex.dev/auth/functions-auth

package/assets/.agent/skills/convex-security-check/agents/openai.yaml

@@ -0,0 +1,3 @@
+interface:
+  icon_small: "./assets/small-logo.svg"
+  icon_large: "./assets/large-logo.png"

package/assets/.agent/skills/convex-security-check/assets/small-logo.svg

@@ -0,0 +1,17 @@
+<svg width="16" height="16" viewBox="0 0 16 16" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_3_23)">
+<g clip-path="url(#clip1_3_23)">
+<path d="M10.0643 12.5735C12.3769 12.3166 14.5572 11.0843 15.7577 9.02756C15.1892 14.1148 9.62646 17.3302 5.08583 15.356C4.66743 15.1746 4.30728 14.8728 4.06013 14.4848C3.03973 12.8825 2.7043 10.8437 3.18626 8.99344C4.56327 11.37 7.3632 12.8267 10.0643 12.5735Z" fill="#F3B01C"/>
+<path d="M3.1018 7.50072C2.16436 9.66714 2.12376 12.2034 3.27303 14.2907C-0.771507 11.2479 -0.72737 4.7362 3.2236 1.72378C3.58904 1.44535 4.02333 1.2801 4.47881 1.25494C6.3519 1.15614 8.25501 1.88006 9.58963 3.22909C6.87799 3.25604 4.23695 4.99308 3.1018 7.50072Z" fill="#8D2676"/>
+<path d="M10.8974 3.89562C9.52924 1.98794 7.38779 0.68921 5.04156 0.649695C9.57686 -1.40888 15.1555 1.92867 15.7629 6.86314C15.8194 7.32119 15.7452 7.78824 15.5421 8.20138C14.6948 9.92223 13.1236 11.2569 11.2876 11.7508C12.6328 9.25579 12.4668 6.20748 10.8974 3.89562Z" fill="#EE342F"/>
+</g>
+</g>
+<defs>
+<clipPath id="clip0_3_23">
+<rect width="16" height="16" fill="white"/>
+</clipPath>
+<clipPath id="clip1_3_23">
+<rect width="16" height="16" fill="white"/>
+</clipPath>
+</defs>
+</svg>

package/assets/.agent/skills/github-ops/SKILL.md

@@ -102,16 +102,16 @@ gh project field-create NUMBER --owner USERNAME --name "Target Date" --data-type
 
 ```powershell
 # Basic: Create new issues only
-powershell -ExecutionPolicy Bypass -File ~/.gemini/antigravity/skills/github-ops/scripts/publish_issues.ps1
+powershell -ExecutionPolicy Bypass -File .agent/skills/github-ops/scripts/publish_issues.ps1
 
 # Dry run preview
-powershell -ExecutionPolicy Bypass -File ~/.gemini/antigravity/skills/github-ops/scripts/publish_issues.ps1 -Update -DryRun
+powershell -ExecutionPolicy Bypass -File .agent/skills/github-ops/scripts/publish_issues.ps1 -Update -DryRun
 
 # Update + archive completed
-powershell -ExecutionPolicy Bypass -File ~/.gemini/antigravity/skills/github-ops/scripts/publish_issues.ps1 -Update -AutoArchive
+powershell -ExecutionPolicy Bypass -File .agent/skills/github-ops/scripts/publish_issues.ps1 -Update -AutoArchive
 
 # Full sync with project dates
-powershell -ExecutionPolicy Bypass -File ~/.gemini/antigravity/skills/github-ops/scripts/publish_issues.ps1 `
+powershell -ExecutionPolicy Bypass -File .agent/skills/github-ops/scripts/publish_issues.ps1 `
     -Update -AutoArchive -SyncDates `
     -ProjectNumber 7 `
     -ProjectId "PVT_xxx" `

package/assets/.agent/skills/google-trends/SKILL.md

@@ -16,7 +16,7 @@ Node.js 18+ and PNPM required.
 node --version
 
 # Install dependencies (first-time only)
-cd ~/.gemini/antigravity/skills/google-trends/scripts
+cd .agent/skills/google-trends/scripts
 pnpm install
 ```
 
@@ -26,16 +26,16 @@ pnpm install
 
 ```powershell
 # Basic search (YouTube, Last 7 Days, Tech category)
-node ~/.gemini/antigravity/skills/google-trends/scripts/search.js -k "Claude AI"
+node .agent/skills/google-trends/scripts/search.js -k "Claude AI"
 
 # Search Web instead of YouTube
-node ~/.gemini/antigravity/skills/google-trends/scripts/search.js -k "AI agents" -p web
+node .agent/skills/google-trends/scripts/search.js -k "AI agents" -p web
 
 # Extended time range (1 month)
-node ~/.gemini/antigravity/skills/google-trends/scripts/search.js -k "VibeCoding" -t "now 1-m"
+node .agent/skills/google-trends/scripts/search.js -k "VibeCoding" -t "now 1-m"
 
 # Output as JSON for piping
-node ~/.gemini/antigravity/skills/google-trends/scripts/search.js -k "Cursor IDE" -o json
+node .agent/skills/google-trends/scripts/search.js -k "Cursor IDE" -o json
 ```
 
 ---
@@ -96,7 +96,7 @@ Use this skill during `/youtube-phase1-strategy` to validate topics:
 
 ```powershell
 # Check if "Claude Cowork" is rising on YouTube
-node ~/.gemini/antigravity/skills/google-trends/scripts/search.js -k "Claude Cowork" -p youtube -t "now 7-d"
+node .agent/skills/google-trends/scripts/search.js -k "Claude Cowork" -p youtube -t "now 7-d"
 ```
 
 **Signal:** Look for `BREAKOUT` or values > 100 in related queries.
@@ -105,7 +105,7 @@ node ~/.gemini/antigravity/skills/google-trends/scripts/search.js -k "Claude Cow
 
 ```powershell
 # Is "RAG" still trending in AI?
-node ~/.gemini/antigravity/skills/google-trends/scripts/search.js -k "RAG AI" -p web -t "today 3-m" --interest
+node .agent/skills/google-trends/scripts/search.js -k "RAG AI" -p web -t "today 3-m" --interest
 ```
 
 **Signal:** Check if interest-over-time is increasing or peaked.

package/assets/.agent/skills/optimize-agent-context/SKILL.md

@@ -0,0 +1,97 @@
+---
+name: optimize-agent-context
+description: >
+  Create, audit, or optimize agent.md, claude.md, cursorrules, or any AI coding agent context file
+  using the "Band-Aid Philosophy." Strips bloat, enforces minimalism, and ensures only failure-correcting
+  rules remain. Use when the user mentions: "agent.md", "claude.md", "cursorrules", ".clinerules",
+  "AGENTS.md", "context file", "optimize context", "agent instructions", "reduce agent bloat",
+  "agent keeps making mistakes", "fix my agent file", "create agent file", "audit agent context",
+  or any variant of writing/improving AI coding agent instruction files.
+---
+
+# Optimize Agent Context
+
+Enforce the **Band-Aid Philosophy**: an agent context file should only contain rules that fix mistakes the agent is actively making. Everything else is bloat that degrades performance and increases cost.
+
+## Core Rules (Non-Negotiable)
+
+1. **NO BLOAT** — Never include directory structures, file trees, dependency lists, or package inventories. The agent has tools to discover these.
+2. **NO SUMMARIES** — Never include vague app descriptions ("This is a video sharing app"). This distracts the model and triggers hallucinations.
+3. **ONLY FIX KNOWN FAILURES** — Every line must correct a specific, observed agent mistake or enforce an architectural constraint the agent cannot guess.
+4. **USE NEGATIVE CONSTRAINTS** — When the agent uses the wrong tool/library, explicitly state what NOT to use, then what TO use.
+5. **BE MINIMAL** — Target under 20 lines. Bullet points preferred. If a rule can be removed without the agent breaking, remove it.
+
+## Why This Matters
+
+Studies show bloated, AI-generated context files:
+- **Degrade agent performance by ~3%**
+- **Increase token costs by 20%+**
+- Trigger hallucinations by surfacing legacy code the agent then tries to use ("pink elephants" effect)
+
+## Workflow
+
+### Mode A: Create New Agent File (Interview)
+
+When the user wants to create a new context file from scratch:
+
+1. **Ask these questions one at a time** (do not dump all at once):
+   - "What specific mistakes has the AI agent been making repeatedly?" (e.g., wrong imports, forgetting to format, modifying wrong files)
+   - "Are there legacy tools/libraries the agent keeps using but shouldn't?" (e.g., "We have Redux but use Zustand for new features")
+   - "Any build/test/env quirks the agent can't figure out on its own?" (e.g., special env vars, non-standard test commands)
+
+2. **Synthesize** answers into a ruthlessly minimal bulleted markdown file.
+
+3. **Validate** the output against the Core Rules above. Strip anything that violates them.
+
+4. **Present** the file and ask: "Does this capture the mistakes? Anything to add or remove?"
+
+### Mode B: Audit Existing Agent File
+
+When the user has an existing `agent.md` / `claude.md` / `cursorrules` and wants it optimized:
+
+1. **Read the file** using `view_file`.
+2. **Classify every line** into one of:
+   - ✅ **KEEP** — Fixes a known failure or states an ungessable constraint
+   - ❌ **BLOAT** — Directory trees, dependency lists, file structures
+   - ❌ **SUMMARY** — Vague app descriptions, project overviews
+   - ❌ **OBVIOUS** — Things the agent can discover via tools (package.json, tsconfig, etc.)
+   - ⚠️ **MAYBE** — Potentially useful but needs user confirmation
+3. **Present the audit** as a table showing each section and its classification.
+4. **Generate the optimized version** with only ✅ KEEP and confirmed ⚠️ MAYBE lines.
+5. **Show before/after line count** to demonstrate the reduction.
+
+### Mode C: Add a Band-Aid
+
+When the user reports a specific agent mistake mid-session:
+
+1. Ask: "What did the agent do wrong?"
+2. Write a single, precise negative constraint: `Do NOT [wrong thing]. Instead, [correct thing].`
+3. Suggest appending it to the existing context file.
+
+## Output Format
+
+The generated file should follow this structure:
+
+```markdown
+# Agent Rules
+
+- [Negative constraint or correction]
+- [Negative constraint or correction]
+- [Build/test quirk]
+- [Architectural constraint]
+```
+
+**No headers beyond the title. No explanations. No examples. Just rules.**
+
+## Anti-Patterns to Reject
+
+If the user or another agent tries to include any of these, push back:
+
+| Anti-Pattern | Why It's Bad |
+|---|---|
+| Folder tree / file structure | Agent has `list_dir` and `find_by_name` |
+| Dependency list | Agent reads `package.json` / `requirements.txt` |
+| "This app is a..." summary | Distracts model, triggers hallucination |
+| Tech stack overview | Agent reads config files |
+| Code style rules already in linter config | Redundant — linter enforces these |
+| Long code examples | Bloats context, agent writes its own code |

package/assets/.agent/skills/youtube-pipeline/SKILL.md

@@ -1,4 +1,4 @@
----
+---
 name: youtube-pipeline
 description: Complete YouTube video production pipeline from ideation to distribution. Covers Strategy (Phase 1), Packaging (Phase 2), Scripting (Phase 3), Shorts (Phase 3.5), Production (Phase 4), and Repurposing (Phase 5).
 ---
@@ -27,13 +27,13 @@ The workflow docs are bundled in this skill's `resources/` folder for quick acce
 
 **Workflow Files (Local):**
 ```
-~/.gemini/antigravity/skills/youtube-pipeline/resources/youtube-pipeline.md
-~/.gemini/antigravity/skills/youtube-pipeline/resources/youtube-phase1-strategy.md
-~/.gemini/antigravity/skills/youtube-pipeline/resources/youtube-phase2-packaging.md
-~/.gemini/antigravity/skills/youtube-pipeline/resources/youtube-phase3-scripting.md
-~/.gemini/antigravity/skills/youtube-pipeline/resources/youtube-phase3.5-shorts.md
-~/.gemini/antigravity/skills/youtube-pipeline/resources/youtube-phase4-production.md
-~/.gemini/antigravity/skills/youtube-pipeline/resources/youtube-phase5-repurposing.md
+.agent/skills/youtube-pipeline/resources/youtube-pipeline.md
+.agent/skills/youtube-pipeline/resources/youtube-phase1-strategy.md
+.agent/skills/youtube-pipeline/resources/youtube-phase2-packaging.md
+.agent/skills/youtube-pipeline/resources/youtube-phase3-scripting.md
+.agent/skills/youtube-pipeline/resources/youtube-phase3.5-shorts.md
+.agent/skills/youtube-pipeline/resources/youtube-phase4-production.md
+.agent/skills/youtube-pipeline/resources/youtube-phase5-repurposing.md
 ```
 
 **Source of Truth (User's Vault):**
@@ -53,8 +53,8 @@ c:\CreativeOS\Creator_Command_Hub_Obsidian\📁 YouTube Brain\📝 01-Prompt\Sho
 
 **Automation Scripts (Phase 1):**
 ```
-~/.gemini/antigravity/skills/youtube-pipeline/scripts/parse_yt_studio.ps1  # Parse YT Studio Inspiration HTML
-~/.gemini/antigravity/skills/google-trends/scripts/search.js               # Google Trends CLI (separate skill)
+.agent/skills/youtube-pipeline/scripts/parse_yt_studio.ps1  # Parse YT Studio Inspiration HTML
+.agent/skills/google-trends/scripts/search.js               # Google Trends CLI (separate skill)
 ```
 
 ---

package/assets/.agent/workflows/LEGACY/init_smart_ops.md

@@ -6,7 +6,7 @@ description: Initialize Smart Ops for this repository with automatic OS detectio
 
 One-time setup to generate GitHub automation scripts for your repository.
 
-> **Skill Reference:** Read `~/.gemini/antigravity/skills/github-ops/SKILL.md` for templates and patterns.
+> **Skill Reference:** Read `.agent/skills/github-ops/SKILL.md` for templates and patterns.
 
 ## Quick Start
 
@@ -20,7 +20,7 @@ User: "/init_smart_ops"
 
 ### 1. Read the Skill First
 ```
-view_file ~/.gemini/antigravity/skills/github-ops/SKILL.md
+view_file .agent/skills/github-ops/SKILL.md
 ```
 
 ### 2. Detect OS

package/assets/.agent/workflows/agent_reset.md

@@ -21,14 +21,12 @@ You are exhibiting context degradation. Before doing ANYTHING:
 
 ### 0. Re-Discover Available Skills & Workflows
 
-You may have forgotten what tools are available. **Run this now:**
+You may have forgotten what tools are available.
 
-```bash
-# Global (always available)
-ls ~/.gemini/antigravity/skills/
-ls ~/.gemini/antigravity/global_workflows/
+**Your system prompt lists all available skills and workflows with their full absolute paths.** Check there FIRST.
 
-# Local (project-specific, if exists)
+Fallback (if not in system prompt):
+```bash
 ls .agent/skills/ 2>/dev/null
 ls .agent/workflows/ 2>/dev/null
 ```