Install apps/web-app dependencies in the publish workflow before the\nfrontend build so CI matches the working Pages pipeline.\n\nHarden the maintainer release suite by adding the same install step\nbefore app:build, and switch the shared app:install helper to npm ci\nfor deterministic installs.\n\nDocument the follow-up patch release in the changelog so 8.7.1 can\npublish the 8.7.x line to npm after the 8.7.0 release failed before\nreaching the registry.
Refresh maintainer-owned artifacts after the PR merge batch, convert the\nJetski loader example to a directly importable Node ESM module, and add\nthe 8.7.0 changelog entry before release preparation.\n\nRefs #382\nRefs #388
Add a Unix activation script, Antigravity-specific installer guidance,
and cross-platform recovery documentation so users can reduce the
live skill set when truncation or context overload appears.
Regenerate the canonical bundle/catalog artifacts after merging the
stale goldrush-api removal so main stays release-ready.
Refs #381
* fix(install): implement safety backup during migration to prevent data loss
* fix: safely migrate skills by backing up directory and preserving permissions
Guard metadata repair and doc sync scripts against symlink targets so
repo maintenance tasks cannot overwrite arbitrary local files.
Replace recursive skill discovery with an iterative walk that skips
symlinked directories, and harden the VideoDB listener to write only
private regular files in the user-owned state directory.
Also fix the broken pr:preflight script entry and make the last30days
skill stop embedding raw user arguments directly in the shell command.
Freeze the accepted validation warning count at 135 so repo-state and release-state checks fail if the warning baseline grows silently while legacy warnings remain intentionally preserved.
Add a read-only maintainer audit command plus regression tests so maintainers can inspect repo health quickly without mutating files.
Unify main-branch maintenance around repo-state and release-state commands so generated docs, contributor acknowledgements, tracked web assets, and canonical artifacts stay aligned across CI and scheduled hygiene runs.
Harden release publication by reusing deterministic sync commands, adding package dry-run verification, and covering the new workflow contract with regression tests.
Add maintainer automation for repo-state hygiene so contributor acknowledgements, count-sensitive docs, and GitHub About metadata stay aligned from the same workflow.
Cover the new scripts with regression tests and wire them into the local test suite to keep future maintenance changes from drifting silently.
Expose an explicit sync:github-about workflow that updates the remote GitHub About description, homepage, and topics from the repository metadata source of truth.
Add regression coverage for the generated gh commands and document the new maintainer path in the changelog and walkthrough.
Fix the README star badge replacement pattern so encoded badge values update correctly during metadata sync.
Also align the README release summary copy with the computed star milestone to avoid stale stargazer text after sync.
Extend repository metadata syncing so npm run chain now keeps count-sensitive docs and package copy aligned with the live skills catalog.
Add regression coverage for the curated-doc sync behavior and document the automation in the maintainer walkthrough and changelog.
* chore: implement ESM standardization and security attestation
Aligning root infrastructure with Node.js v24.14.0 standards.
- Set type: module in package.json to eliminate re-parsing overhead.
- Migrated Jetski Loader tests to .cjs to maintain legacy security audit compatibility.
- Verified path traversal and symlink protections with clean attestation.
* chore(ci): update pr_preflight path to .cjs for ESM compatibility
* feat(infra): surgical ESM modernization for Gemini suite
Resolved Codex P1 by reverting global root ESM shift to preserve installer stability.
- Implemented scoped 'type: module' in /docs/integrations/jetski-gemini-loader/ to eliminate re-parsing overhead.
- Updated test runner (run-test-suite.js) and CI (ci.yml) to track .cjs transitions.
- Verified zero-warning execution in Node v24.14.0.
Add a conservative metadata fixer for missing risk and source fields,
cover it with tests, and backfill the remaining skills using explicit
source inference only when the provenance is clear. Fall back to the
repo-documented defaults when the file does not support a stronger claim.
Refs #365
* Implemented scripts and a Python utility to optimize agent skills, preventing context window overload, and document their usage.
* feat(infra): add skills optimization scripts with bundle support and fixed archive logic
* Removed Linux / Mac optimize-skills
* Removed the Linux Section
* feat(infra): final robust skill optimization suite with Library Mode
* Removed
* Updated the read me changed the optimisation to activation-skills
* Updated ReadMe
* docs: trim activation script README diff
* docs: update README with activate-skills script instructions
* fix: resolve merge conflict in get-bundle-skills.py with security and compatibility
* fix: resolve merge conflicts in activate-skills.bat and get-bundle-skills.py using line-based iteration
---------
Co-authored-by: sck_0 <samujackson1337@gmail.com>
Make the skill filter helper treat the complete bundle as a
pass-through so categories missing from the hardcoded map are
not silently omitted.
Add a regression test to keep complete bundle behavior aligned
with its name.
Harden batch activation, dev refresh gating, Microsoft sync path
handling, and Jetski skill loading against command injection,
symlink traversal, and client-side star tampering.
Add regression coverage for the security-sensitive paths and
update the internal triage addendum for the Jetski loader fix.
Tighten the remaining high-signal security findings by switching the todo example to a standard Express rate limiter, removing sensitive metadata from boilerplate logging, and replacing fragile HTML tag filtering with parser-based conversion.
Co-Authored-By: Claude <noreply@anthropic.com>
Harden template and example code paths, redact sensitive output, and pin safe transitive npm packages. Consolidate the todo backend on better-sqlite3 so the example no longer pulls the vulnerable sqlite3 chain and still passes build and CRUD smoke checks.
Co-Authored-By: Claude <noreply@anthropic.com>
Update the Claude marketplace entry to use a schema-valid relative source path and add a regression test so invalid marketplace sources fail in the local suite. Also document the maintainer workflow used for stale PR metadata and fork-gated Actions runs.
Fixes#344
* Implemented scripts and a Python utility to optimize agent skills, preventing context window overload, and document their usage.
* feat(infra): add skills optimization scripts with bundle support and fixed archive logic
* Removed Linux / Mac optimize-skills
* Removed the Linux Section
* feat(infra): final robust skill optimization suite with Library Mode
* Removed
* Updated the read me changed the optimisation to activation-skills
* Updated ReadMe
* docs: trim activation script README diff
---------
Co-authored-by: sck_0 <samujackson1337@gmail.com>
Include tools/lib in the published npm files whitelist so the npx installer can resolve symlink-safety at runtime. Add a regression test that checks npm pack --dry-run --json for the expected packaged files.
Fixes#315
Co-Authored-By: Claude <noreply@anthropic.com>
- The installer uses copyRecursiveSync which copies files,
not symlinks, so git clone without core.symlinks works fine
- The previous Windows-specific git -c core.symlinks=true clone
required admin privileges, causing install failures
- This fix allows non-admin Windows users to install
Fixes#286
Co-authored-by: 阳虎 <yanghu@yanghudeMacBook-Pro.local>
* feat: Add skill filtering utility to fix Gemini token truncation (Issue #215) Adds skill-filter.js module that provides: - Category-based skill filtering to reduce context overhead - Pre-configured skill bundles (minimal, balanced, complete) - Support for environments with token limits This addresses the "could not convert a single message before hitting truncation" error when all 1,200+ skills are loaded with Gemini. Users can now use the minimal bundle to avoid truncation: - Minimal bundle: ~5k tokens - Balanced bundle: ~15k tokens - Complete bundle: ~50k tokens Fixes#215
This module filters and manages skills by category to address token limit issues in Gemini, providing various skill bundles to optimize performance.
* Fix: Use catalog-backed categories for skill bundles Replaces hardcoded categories (core, architecture, etc) with actual categories present in skills_index.json to ensure getSkillsByBundle returns a usable subset instead of empty set.
Consolidate the repository into clearer apps, tools, and layered docs areas so contributors can navigate and maintain it more reliably. Align validation, metadata sync, and CI around the same canonical workflow to reduce drift across local checks and GitHub Actions.
