Skip to content

feat: add new skill capabilities#8

Merged
pedronauck merged 17 commits into
mainfrom
pn/skills-v2
Apr 8, 2026
Merged

feat: add new skill capabilities#8
pedronauck merged 17 commits into
mainfrom
pn/skills-v2

Conversation

@pedronauck
Copy link
Copy Markdown
Member

@pedronauck pedronauck commented Apr 8, 2026
edited by coderabbitai Bot
Loading

Summary by CodeRabbit

  • New Features

    • CLI marketplace: search, install, remove, and update skills from a registry (default)
    • Skill lifecycle hooks that run on session created/stopped events
    • Skills may declare MCP servers (consent-controlled inclusion)
    • Provenance & integrity checks: installed skills include sidecars and hash verification
    • Config: marketplace registry and optional base URL + marketplace consent lists

  • Tests

    • Extensive integration and unit tests covering marketplace flows, hooks, and provenance

@pedronauck pedronauck self-assigned this Apr 8, 2026
@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented Apr 8, 2026
edited
Loading

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2f12ed49-2adc-4761-8089-12f8a253de29

📥 Commits

Reviewing files that changed from the base of the PR and between 374f65d and b4d70ea.

⛔ Files ignored due to path filters (46)
  • .agents/skills/mermaid-diagrams/README.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/SKILL.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/references/advanced-features.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/references/architecture-diagrams.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/references/c4-diagrams.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/references/class-diagrams.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/references/erd-diagrams.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/references/flowcharts.md is excluded by !**/*.md, !.agents/**
  • .agents/skills/mermaid-diagrams/references/sequence-diagrams.md is excluded by !**/*.md, !.agents/**
  • ai-docs/reviews-pr-8/_summary.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/001-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/002-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/003-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/004-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/005-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/outside/003-outside_01_internal_skills_registry.go.md is excluded by !**/*.md
  • docs/plans/2026-04-08-agh-network-design.md is excluded by !**/*.md
  • docs/plans/2026-04-08-rfc-examples-design.md is excluded by !**/*.md
  • docs/rfcs/001_agent-md-with-skills-memory.md is excluded by !**/*.md
  • docs/rfcs/002_skills-system-final.md is excluded by !**/*.md
  • docs/rfcs/003_agh-network-v1.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/_meta.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/analysis_memory_autonomous.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/analysis_multi_agent.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/analysis_prompt_architecture.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/analysis_query_engine.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/analysis_services_infra.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/analysis_tool_system.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/filtered_recommendations.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/our_system_cli.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/our_system_infra.md is excluded by !**/*.md
  • docs/rfcs/ideas/from-claude-code/our_system_kernel.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/agora-council_round1.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/agora-council_round2.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/agora-recipe-design.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/agora-spec-v0.1.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/agora-spec-v0.2.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/draft_1.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/draft_2.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/draft_3.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/draft_4.md is excluded by !**/*.md
  • docs/rfcs/ideas/network/draft_5.md is excluded by !**/*.md
  • docs/rfcs/ptbr/001_agent-md-with-skills-memory.md is excluded by !**/*.md
  • docs/rfcs/ptbr/002_skills-system-final.md is excluded by !**/*.md
  • docs/rfcs/ptbr/003_agh-network-v1.md is excluded by !**/*.md
  • skills-lock.json is excluded by !**/*.json
📒 Files selected for processing (18)
  • internal/cli/skill.go
  • internal/cli/skill_marketplace_integration_test.go
  • internal/cli/skill_test.go
  • internal/config/config.go
  • internal/config/config_test.go
  • internal/config/merge.go
  • internal/config/merge_test.go
  • internal/skills/hook_process_unix.go
  • internal/skills/hook_process_windows.go
  • internal/skills/hooks.go
  • internal/skills/hooks_test.go
  • internal/skills/mcp.go
  • internal/skills/mcp_test.go
  • internal/skills/provenance.go
  • internal/skills/provenance_test.go
  • internal/skills/registry.go
  • internal/skills/registry_integration_test.go
  • internal/skills/registry_test.go

Walkthrough

Adds marketplace-backed skill lifecycle (search/install/remove/update) to the CLI, provenance sidecars & integrity checks for installed skills, MCP server declarations and resolver, subprocess-based skill hooks executed during session lifecycle, and wiring of these components into daemon/session notifier and manager flows.

Changes

Cohort / File(s) Summary
CLI Skill Commands
internal/cli/skill.go, internal/cli/skill_test.go, internal/cli/skill_marketplace_integration_test.go		 Adds skill subcommands (search, install, remove, update), marketplace registry loading, slug validation, archive download/extraction, safe SKILL.md discovery/validation, provenance sidecar write/verify, install/remove/update orchestration, and CLI output bundles and tests.
Marketplace Backend & Types
internal/skills/marketplace/registry.go, internal/skills/marketplace/types.go, internal/skills/marketplace/clawhub/client.go, internal/skills/marketplace/clawhub/client_test.go		 Introduces marketplace.Registry and types (SkillListing, SkillDetail, SkillArchive, SearchOpts) and a ClawHub client with HTTP retry/backoff, request decoding, search/info/download, error handling, and unit tests.
Skill Model, Loader & Registry
internal/skills/types.go, internal/skills/loader.go, internal/skills/registry.go, internal/skills/catalog.go, internal/skills/loader_test.go, internal/skills/registry_test.go, internal/skills/registry_integration_test.go, internal/skills/catalog_test.go		 Extends Skill model with MCPServers, Hooks, Provenance, InstalledFrom, adds SourceMarketplace, parses metadata.agh, promotes sidecar-backed skills to marketplace, verifies hashes, records sidecar snapshots, deep-clones new fields, and updates catalog handling; adds tests.
Provenance & Install Helpers
internal/skills/provenance.go, internal/skills/provenance_test.go		 Adds .agh-meta.json sidecar support, ComputeHash/ComputeDirectoryHash, WriteSidecar/ReadSidecar, VerifyHash, HasSidecar, validation and tests for serialization and integrity checking.
Marketplace Install Flow & CLI Helpers
internal/cli/skill.go (install/remove/update helpers), test helpers/files referenced		 Implements archive extraction utilities (sanitization/path confinement), provenance computation/writing, safe move/replace semantics, slug/name normalization, and comprehensive install/remove/update tests and renderers.
MCP Resolver & Integration
internal/skills/mcp.go, internal/skills/mcp_test.go, internal/session/interfaces.go, internal/session/manager.go, internal/session/manager_lifecycle.go, internal/session/manager_test.go		 Adds MCPResolver converting skill-declared MCP servers into config MCP servers with marketplace-consent filtering, deduplication and source precedence; wires SkillRegistry/MCPResolver into session manager to merge skill-derived MCP servers for Create/Resume.
Hook Runner & Notifier Wiring
internal/skills/hooks.go, internal/skills/hooks_test.go, internal/skills/testdata/hooks/driver.sh, internal/daemon/notifier.go, internal/daemon/notifier_test.go, internal/daemon/notifier_integration_test.go		 Adds HookRunner to execute skill hooks as subprocesses with JSON stdin, timeouts, env allowlist, ordering, logging, and failure handling. Refactors notifierFanout to support hook-phase callbacks and adds skillsHookDispatcher to resolve workspace, query SkillRegistry, and run hooks. Includes unit and integration tests and a hook driver.
Daemon Boot & Session Wiring
internal/daemon/boot.go, internal/daemon/daemon.go, internal/daemon/daemon_integration_test.go		 Boot constructs MCPResolver/HookRunner when skills enabled and injects SkillRegistry/MCPResolver into session manager deps; adjusts fanout to append post-session callbacks and conditionally set hook-phase dispatcher; tests updated.
Config & Overlays
internal/config/config.go, internal/config/config_test.go, internal/config/merge.go, internal/config/merge_test.go		 Adds MarketplaceConfig and AllowedMarketplaceMCP/AllowedMarketplaceHooks to SkillsConfig, validation for registry/base_url, TOML overlay merge support, and tests for parsing/validation and overlay semantics.
Hook Process Platform Helpers
internal/skills/hook_process_unix.go, internal/skills/hook_process_windows.go		 Adds platform-specific process-group configuration and signal/termination helpers for hook subprocess management.
Tests & Testdata
many new/updated _test.go files and internal/skills/testdata/hooks/driver.sh		 Extensive unit and integration tests across CLI, marketplace client, skills loader/registry/provenance/mcp/hooks, notifier, and session manager; adds hook driver script used by tests.

Sequence Diagrams

sequenceDiagram
    actor User
    participant CLI
    participant Marketplace as Marketplace\n(Registry)
    participant FS as Filesystem
    participant Verifier

    User->>CLI: skill install `@agh/review`
    CLI->>Marketplace: Download(slug)
    Marketplace-->>CLI: SkillArchive(tar.gz)
    CLI->>CLI: Extract & sanitize paths
    CLI->>FS: Locate `SKILL.md`
    CLI->>Verifier: Parse & validate `SKILL.md`
    alt Critical validation errors
        Verifier-->>CLI: Validation error
        CLI-->>User: Installation blocked
    else Valid
        Verifier-->>CLI: Valid
        CLI->>CLI: Compute directory hash
        CLI->>FS: WriteSidecar(.agh-meta.json)
        CLI->>FS: Move skill → user skills dir (replace/backup if needed)
        CLI-->>User: Installed
    end
Loading 
sequenceDiagram
    actor Session as Session\nLifecycle
    participant Fanout as notifierFanout
    participant Dispatcher as skillsHookDispatcher
    participant Workspace as WorkspaceResolver
    participant Registry as SkillRegistry
    participant Runner as HookRunner

    Session->>Fanout: OnSessionCreated(ctx, sess)
    Fanout->>Fanout: Notify built-in notifiers
    Fanout->>Dispatcher: OnSessionCreated(ctx, sess)
    Dispatcher->>Workspace: Resolve(sess.WorkspaceID)
    Workspace-->>Dispatcher: ResolvedWorkspace
    Dispatcher->>Registry: ForWorkspace(ctx, resolved)
    Registry-->>Dispatcher: []*Skill
    Dispatcher->>Runner: RunHooks(ctx, on_session_created, skills, payload)
    loop for each matching hook
        Runner->>Skill: Execute subprocess (stdin JSON, env)
        Skill-->>Runner: stdout/stderr + exit code
        Runner->>Runner: Log result / continue on failure
    end
    Runner-->>Dispatcher: []HookResult
    Dispatcher-->>Fanout: Return
    Fanout-->>Session: Complete
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related issues

  • compozy/agh#3: Implements daemon-managed skills (marketplace CLI, provenance, MCP resolver, hook runner) that align with the RFC proposed features in that issue.

Possibly related PRs

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 7.50% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title 'feat: add new skill capabilities' is vague and generic, using non-descriptive terms that do not convey the primary changes in this comprehensive pull request. Consider a more specific title that highlights the main features being added, such as 'feat: implement marketplace skill integration with install/remove/update CLI commands' or 'feat: add marketplace-driven skills with MCP server and hook support'.
✅ Passed checks (1 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pn/skills-v2

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot requested changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🧹 Nitpick comments (8)
internal/skills/catalog_test.go (1)

95-121: Use the repo’s default t.Run("Should...") pattern for this new case.

This test is fine functionally, but the new addition is now an outlier against the suite’s required subtest structure, which makes it harder to extend cleanly as more disabled-skill cases are added.

As per coding guidelines, **/*_test.go: Use table-driven tests with subtests (t.Run) as defaultandMUST use t.Run("Should...") pattern for ALL test cases`.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/skills/catalog_test.go` around lines 95 - 121, Convert
TestBuildCatalogExcludesDisabledSkills to use the suite’s subtest pattern by
wrapping assertions in a t.Run("Should exclude disabled skills") subtest (or
convert to a table-driven subtest if you prefer multiple cases), so the test for
BuildCatalog uses the required t.Run("Should...") structure; update the function
name TestBuildCatalogExcludesDisabledSkills only by enclosing the existing setup
and assertions inside t.Run and keep references to BuildCatalog, Skill, and
SkillMeta unchanged.
internal/config/config_test.go (1)

508-533: Normalize subtest names to the required Should... pattern.

Please rename these t.Run cases to Should... form to match the enforced test style (e.g., ShouldAcceptValidMarketplaceConfig, ShouldRejectEmptyRegistryWhenConfigured).

As per coding guidelines, "MUST use t.Run("Should...") pattern for ALL test cases".

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/config/config_test.go` around lines 508 - 533, Rename the two t.Run
subtests in the config tests to use the required "Should..." naming pattern:
change t.Run("accepts-valid-marketplace-config", ...) to
t.Run("ShouldAcceptValidMarketplaceConfig", ...) and
t.Run("rejects-empty-registry-when-marketplace-configured", ...) to
t.Run("ShouldRejectEmptyRegistryWhenConfigured", ...); keep the test bodies and
calls to cfg.Validate() and assertions unchanged so only the subtest names are
normalized to the style guide.
internal/config/config.go (1)

451-467: Validate skills.marketplace.base_url format when provided.

Right now malformed URLs are accepted and likely fail later in marketplace calls; validating here gives earlier, clearer feedback.

🔧 Proposed refactor 
 import (
 	"errors"
 	"fmt"
+	"net/url"
 	"os"
 	"path/filepath"
 	"strings"
 	"time"
@@
 func (c MarketplaceConfig) Validate() error {
 	registry := strings.TrimSpace(c.Registry)
 	baseURL := strings.TrimSpace(c.BaseURL)
 	if registry == "" && baseURL == "" {
 		return nil
 	}
 	if registry == "" {
 		return errors.New("skills.marketplace.registry is required")
 	}
+	if baseURL != "" {
+		if _, err := url.ParseRequestURI(baseURL); err != nil {
+			return fmt.Errorf("skills.marketplace.base_url must be a valid URL: %q", c.BaseURL)
+		}
+	}
 
 	switch strings.ToLower(registry) {
 	case "clawhub":
 		return nil
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/config/config.go` around lines 451 - 467, The Validate method in
MarketplaceConfig currently ignores BaseURL format; update
MarketplaceConfig.Validate to, after trimming baseURL and before returning
success, validate non-empty baseURL by parsing it (use net/url's Parse or
ParseRequestURI) and ensure it has a valid scheme (http or https) and a
non-empty host; if parsing or checks fail, return a descriptive error like
fmt.Errorf("skills.marketplace.base_url is invalid: %v", err). Keep the existing
registry checks (registry variable, switch on strings.ToLower(registry) and the
"clawhub" requirement) and only perform the URL validation when baseURL is
provided (non-empty).
internal/config/merge_test.go (1)

56-84: Use subtest pattern for the new marketplace-defaults test.

Please wrap this scenario in t.Run("Should ...") (and table-drive if more cases are expected) to keep it aligned with the suite conventions.

As per coding guidelines, "Use table-driven tests with subtests (t.Run) as default" and "MUST use t.Run("Should...") pattern for ALL test cases".

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/config/merge_test.go` around lines 56 - 84, Wrap the existing
TestApplyConfigOverlayFileLeavesMarketplaceDefaultsWhenOverlayOmitsFields body
in a t.Run subtest using the "Should ..." naming pattern (or convert to a small
table-driven loop with t.Run per case) so it follows suite conventions; keep the
same setup calls (ResolveHomePathsFrom, DefaultWithHome), overlay creation,
ApplyConfigOverlayFile invocation and assertions, but move them into a
t.Run("Should leave marketplace defaults when overlay omits fields", func(t
*testing.T) { ... }) block (or a table entry) so the test uses subtests while
preserving existing referenced symbols.
internal/skills/hooks_test.go (1)

194-229: Consider increasing timeout margin for CI stability.

The 25ms timeout is quite tight and may cause flakiness on slower CI runners or under load.

💡 Suggested timeout increase 
 		newSkillWithHook("timeout-skill", SourceUser, HookDecl{
 			Event:   HookSessionCreated,
 			Command: "/bin/sh",
 			Args:    []string{script},
-			Timeout: 25 * time.Millisecond,
+			Timeout: 100 * time.Millisecond,
 			Env: map[string]string{
 				"HOOK_TEST_BUSY_LOOP": "1",
 			},
 		}),
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/skills/hooks_test.go` around lines 194 - 229, The test
TestHookRunnerRunHooksTimesOut uses a very small hardcoded timeout (Timeout: 25
* time.Millisecond) which can flake on CI; increase the HookDecl timeout to a
more forgiving value (e.g., 200-500ms) in the newSkillWithHook call so the
timeout behavior is still exercised but stable in slower environments, and keep
assertions against the timeout error and logs unchanged (references:
TestHookRunnerRunHooksTimesOut, newSkillWithHook, HookDecl.Timeout).
internal/skills/mcp.go (1)

45-84: Consider documenting the last-wins merge strategy.

The Resolve method uses a last-wins strategy when servers share the same name (line 67 replaces the existing entry). However, per the context snippet, MergeMCPServers in internal/config/provider.go uses first-wins at the position level. When these are composed, the interaction may produce unexpected results.

Consider adding a doc comment clarifying the merge semantics, or ensure the calling code in manager_lifecycle.go handles this correctly.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/skills/mcp.go` around lines 45 - 84, Update the Resolve method's doc
comment to state that when multiple MCP servers share the same trimmed Name the
implementation uses a last-wins merge (the loop replaces an existing entry via
index[name] with the later one returned by toConfigMCPServer), and note that
this differs from MergeMCPServers (MergeMCPServers uses first-wins at the
position level); also call out the combined semantics so callers (e.g., manager
lifecycle code) can handle or reconcile these behaviors.
internal/skills/registry.go (1)

317-331: Consider clarifying the double verification flow.

The current logic calls VerifyContent at line 320, then calls verifyMarketplaceSkill which may return true to trigger a second VerifyContent call at line 322. The intent appears to be re-verification after detecting hash mismatch, but the control flow is subtle.

Consider extracting this into a more explicit pattern:

func (r *Registry) processSkill(dst map[string]*Skill, skill *Skill) bool {
	r.applyDisabled(skill)
	
	// Check marketplace integrity first
	hashMismatch := r.verifyMarketplaceSkill(skill)
	
	// Verify content (re-verify if hash mismatched to capture any tampering)
	warnings := VerifyContent(skill.Content)
	if hashMismatch {
		// Log additional context about the mismatch
	}
	
	r.logVerificationWarnings(skill, warnings)
	// ...
}
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/skills/registry.go` around lines 317 - 331, Refactor processSkill to
make the double verification explicit: call r.applyDisabled(skill) first, then
call r.verifyMarketplaceSkill(skill) and store its boolean result (e.g.,
hashMismatch) instead of conditionally invoking VerifyContent inline; next call
VerifyContent(skill.Content) once to produce warnings and, if hashMismatch is
true, optionally re-run VerifyContent or add contextual logging about the hash
mismatch before calling r.logVerificationWarnings(skill, warnings); keep the
subsequent hasCriticalWarning check and r.overlaySkill(dst, skill) unchanged and
reference the existing symbols processSkill, verifyMarketplaceSkill,
VerifyContent, logVerificationWarnings, hasCriticalWarning, overlaySkill, and
applyDisabled when implementing this change.
internal/daemon/notifier.go (1)

75-80: Add a local interface assertion for skillsHookDispatcher.

This type is consumed as sessionHookPhase, but the contract is only enforced indirectly at assignment sites. Keeping the assertion next to the type makes signature drift obvious during future edits.

♻️ Suggested change 
 type skillsHookDispatcher struct {
 	registry          session.SkillRegistry
 	runner            *skills.HookRunner
 	workspaceResolver workspacepkg.WorkspaceResolver
 	logger            *slog.Logger
 }
+
+var _ sessionHookPhase = (*skillsHookDispatcher)(nil)

As per coding guidelines, "Use compile-time interface verification: var _ Interface = (*Type)(nil)".

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/daemon/notifier.go` around lines 75 - 80, The type
skillsHookDispatcher is intended to implement sessionHookPhase but lacks an
explicit compile-time assertion; add a local interface verification line `var _
sessionHookPhase = (*skillsHookDispatcher)(nil)` adjacent to the type
declaration to ensure the compiler enforces the contract and makes future
signature drift obvious (place the assertion right after the
skillsHookDispatcher type block).
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/daemon/notifier.go`:
- Around line 128-144: Add a package-level compile-time assertion for the
sessionHookPhase interface by adding: var _ sessionHookPhase =
(*skillsHookDispatcher)(nil) so the compiler verifies skillsHookDispatcher
implements sessionHookPhase; then prevent untrusted marketplace skills from
being invoked by filtering the results of Registry.ForWorkspace(...) before
calling d.runner.RunHooks: replicate the allowlist behavior used in mcp.go
(allowedMarketplace) — either filter marketplace-origin skills out in the
notifier path that calls RunHooks or add the same allowlist gating inside
RunHooks itself so only marketplace-trusted skills are dispatched during hook
execution.

In `@internal/skills/loader.go`:
- Around line 276-285: parseHookDecls is currently appending HookDecls even when
Command is empty; modify parseHookDecls to validate the built HookDecl (the
Command field created via stringValue) and fail fast: after creating hook :=
HookDecl{...}, if hook.Command == "" return a descriptive error (include skill
identifier and hook index) instead of appending; ensure callers of
parseHookDecls handle the returned error. This enforces rejecting empty command
entries at parse time rather than deferring to runtime hook execution.

In `@internal/skills/provenance.go`:
- Around line 74-79: After json.Unmarshal into the provenance variable in
ReadSidecar, validate that the required provenance fields are present
(non-zero/empty) and return a descriptive error if any are missing instead of
returning a zero-value Provenance; update ReadSidecar to check the provenance
struct fields that are required by registry.go (e.g., the provenance
identity/ownership fields used to mark marketplace-managed skills) and fail fast
with fmt.Errorf("skills: invalid provenance sidecar %q: missing %s",
sidecarPath, "<field>") when a required field is empty.

In `@internal/skills/testdata/hooks/driver.sh`:
- Around line 17-29: The case for HOOK_TEST_OUTPUT_MODE currently expects
"payload" but the default expansion uses "value", so the default path falls to
the "*" branch and returns the wrong variable; update the case patterns to treat
"value" as an alias for "payload" (for example add a branch matching
"value|payload") or change the default expansion to "payload", ensuring the
payload-printing branch (the existing payload branch) runs for the default case.

---

Nitpick comments:
In `@internal/config/config_test.go`:
- Around line 508-533: Rename the two t.Run subtests in the config tests to use
the required "Should..." naming pattern: change
t.Run("accepts-valid-marketplace-config", ...) to
t.Run("ShouldAcceptValidMarketplaceConfig", ...) and
t.Run("rejects-empty-registry-when-marketplace-configured", ...) to
t.Run("ShouldRejectEmptyRegistryWhenConfigured", ...); keep the test bodies and
calls to cfg.Validate() and assertions unchanged so only the subtest names are
normalized to the style guide.

In `@internal/config/config.go`:
- Around line 451-467: The Validate method in MarketplaceConfig currently
ignores BaseURL format; update MarketplaceConfig.Validate to, after trimming
baseURL and before returning success, validate non-empty baseURL by parsing it
(use net/url's Parse or ParseRequestURI) and ensure it has a valid scheme (http
or https) and a non-empty host; if parsing or checks fail, return a descriptive
error like fmt.Errorf("skills.marketplace.base_url is invalid: %v", err). Keep
the existing registry checks (registry variable, switch on
strings.ToLower(registry) and the "clawhub" requirement) and only perform the
URL validation when baseURL is provided (non-empty).

In `@internal/config/merge_test.go`:
- Around line 56-84: Wrap the existing
TestApplyConfigOverlayFileLeavesMarketplaceDefaultsWhenOverlayOmitsFields body
in a t.Run subtest using the "Should ..." naming pattern (or convert to a small
table-driven loop with t.Run per case) so it follows suite conventions; keep the
same setup calls (ResolveHomePathsFrom, DefaultWithHome), overlay creation,
ApplyConfigOverlayFile invocation and assertions, but move them into a
t.Run("Should leave marketplace defaults when overlay omits fields", func(t
*testing.T) { ... }) block (or a table entry) so the test uses subtests while
preserving existing referenced symbols.

In `@internal/daemon/notifier.go`:
- Around line 75-80: The type skillsHookDispatcher is intended to implement
sessionHookPhase but lacks an explicit compile-time assertion; add a local
interface verification line `var _ sessionHookPhase =
(*skillsHookDispatcher)(nil)` adjacent to the type declaration to ensure the
compiler enforces the contract and makes future signature drift obvious (place
the assertion right after the skillsHookDispatcher type block).

In `@internal/skills/catalog_test.go`:
- Around line 95-121: Convert TestBuildCatalogExcludesDisabledSkills to use the
suite’s subtest pattern by wrapping assertions in a t.Run("Should exclude
disabled skills") subtest (or convert to a table-driven subtest if you prefer
multiple cases), so the test for BuildCatalog uses the required
t.Run("Should...") structure; update the function name
TestBuildCatalogExcludesDisabledSkills only by enclosing the existing setup and
assertions inside t.Run and keep references to BuildCatalog, Skill, and
SkillMeta unchanged.

In `@internal/skills/hooks_test.go`:
- Around line 194-229: The test TestHookRunnerRunHooksTimesOut uses a very small
hardcoded timeout (Timeout: 25 * time.Millisecond) which can flake on CI;
increase the HookDecl timeout to a more forgiving value (e.g., 200-500ms) in the
newSkillWithHook call so the timeout behavior is still exercised but stable in
slower environments, and keep assertions against the timeout error and logs
unchanged (references: TestHookRunnerRunHooksTimesOut, newSkillWithHook,
HookDecl.Timeout).

In `@internal/skills/mcp.go`:
- Around line 45-84: Update the Resolve method's doc comment to state that when
multiple MCP servers share the same trimmed Name the implementation uses a
last-wins merge (the loop replaces an existing entry via index[name] with the
later one returned by toConfigMCPServer), and note that this differs from
MergeMCPServers (MergeMCPServers uses first-wins at the position level); also
call out the combined semantics so callers (e.g., manager lifecycle code) can
handle or reconcile these behaviors.

In `@internal/skills/registry.go`:
- Around line 317-331: Refactor processSkill to make the double verification
explicit: call r.applyDisabled(skill) first, then call
r.verifyMarketplaceSkill(skill) and store its boolean result (e.g.,
hashMismatch) instead of conditionally invoking VerifyContent inline; next call
VerifyContent(skill.Content) once to produce warnings and, if hashMismatch is
true, optionally re-run VerifyContent or add contextual logging about the hash
mismatch before calling r.logVerificationWarnings(skill, warnings); keep the
subsequent hasCriticalWarning check and r.overlaySkill(dst, skill) unchanged and
reference the existing symbols processSkill, verifyMarketplaceSkill,
VerifyContent, logVerificationWarnings, hasCriticalWarning, overlaySkill, and
applyDisabled when implementing this change.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3d0c6f1c-e954-412c-b058-0e17d33d512b

📥 Commits

Reviewing files that changed from the base of the PR and between c443ab2 and a4ce155.

⛔ Files ignored due to path filters (36)
  • .compozy/tasks/skills-v2/_meta.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/_tasks.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/_techspec.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/adrs/adr-001.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/adrs/adr-002.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/adrs/adr-003.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/adrs/adr-004.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/MEMORY.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_01.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_02.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_03.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_04.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_05.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_06.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_07.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_08.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_09.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/memory/task_10.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_01.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_02.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_03.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_04.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_05.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_06.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_07.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_08.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_09.md is excluded by !**/*.md
  • .compozy/tasks/skills-v2/task_10.md is excluded by !**/*.md
  • docs/rfcs/skills-system-final.md is excluded by !**/*.md
  • internal/skills/testdata/loader/combined/SKILL.md is excluded by !**/*.md
  • internal/skills/testdata/loader/hooks-only/SKILL.md is excluded by !**/*.md
  • internal/skills/testdata/loader/invalid-hook/SKILL.md is excluded by !**/*.md
  • internal/skills/testdata/loader/invalid-mcp/SKILL.md is excluded by !**/*.md
  • internal/skills/testdata/loader/malformed-agh/SKILL.md is excluded by !**/*.md
  • internal/skills/testdata/loader/mcp-only/SKILL.md is excluded by !**/*.md
  • internal/skills/testdata/loader/no-agh/SKILL.md is excluded by !**/*.md
📒 Files selected for processing (36)
  • internal/cli/skill.go
  • internal/cli/skill_marketplace_integration_test.go
  • internal/cli/skill_test.go
  • internal/config/config.go
  • internal/config/config_test.go
  • internal/config/merge.go
  • internal/config/merge_test.go
  • internal/daemon/boot.go
  • internal/daemon/daemon.go
  • internal/daemon/daemon_integration_test.go
  • internal/daemon/notifier.go
  • internal/daemon/notifier_integration_test.go
  • internal/daemon/notifier_test.go
  • internal/session/interfaces.go
  • internal/session/manager.go
  • internal/session/manager_lifecycle.go
  • internal/session/manager_test.go
  • internal/skills/catalog.go
  • internal/skills/catalog_test.go
  • internal/skills/hooks.go
  • internal/skills/hooks_test.go
  • internal/skills/loader.go
  • internal/skills/loader_test.go
  • internal/skills/marketplace/clawhub/client.go
  • internal/skills/marketplace/clawhub/client_test.go
  • internal/skills/marketplace/registry.go
  • internal/skills/marketplace/types.go
  • internal/skills/mcp.go
  • internal/skills/mcp_test.go
  • internal/skills/provenance.go
  • internal/skills/provenance_test.go
  • internal/skills/registry.go
  • internal/skills/registry_integration_test.go
  • internal/skills/registry_test.go
  • internal/skills/testdata/hooks/driver.sh
  • internal/skills/types.go

Comment thread internal/daemon/boot.go
Comment thread internal/daemon/notifier.go
Comment thread internal/skills/hooks.go Outdated
Comment thread internal/skills/loader.go
Comment thread internal/skills/provenance.go
Comment thread internal/skills/testdata/hooks/driver.sh
coderabbitai[bot]
coderabbitai Bot requested changes Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
internal/skills/registry.go (1)

317-337: ⚠️ Potential issue | 🔴 Critical

Fail closed when marketplace provenance verification fails.

Once a skill is reclassified as SourceMarketplace, a hash mismatch only produces a warning and the skill is still overlaid into the active registry. That leaves a tampered marketplace install able to contribute prompt content, hooks, and MCP declarations.

🛡 Proposed fix 
 func (r *Registry) processSkill(dst map[string]*Skill, skill *Skill) bool {
 	r.applyDisabled(skill)
 
-	hashMismatch := r.verifyMarketplaceSkill(skill)
-	// Content warnings are derived from the current file body; marketplace hash
-	// mismatches only add provenance-specific logging above.
+	if err := r.verifyMarketplaceSkill(skill); err != nil {
+		return false
+	}
+
+	// Content warnings are derived from the current file body.
 	warnings := VerifyContent(skill.Content)
-	if hashMismatch {
-		r.logger.Debug(
-			"skills: reusing content verification warnings after marketplace hash mismatch",
-			"skill_name", skill.Meta.Name,
-			"path", skill.FilePath,
-		)
-	}
 	r.logVerificationWarnings(skill, warnings)
 	if hasCriticalWarning(warnings) {
 		return false
 	}
@@
-func (r *Registry) verifyMarketplaceSkill(skill *Skill) bool {
+func (r *Registry) verifyMarketplaceSkill(skill *Skill) error {
 	if skill == nil || skill.Source != SourceMarketplace || skill.Provenance == nil {
-		return false
+		return nil
 	}
 
 	err := VerifyHash(skill.Dir, skill.Provenance)
 	if err == nil {
-		return false
+		return nil
 	}
@@
-		return true
+		return err
 	}
@@
-	return false
+	return err
 }

Also applies to: 370-399

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/skills/registry.go` around lines 317 - 337, processSkill currently
treats a marketplace provenance hash mismatch as only a warning and still
overlays the skill; change this to fail-closed: after calling
verifyMarketplaceSkill (the hashMismatch variable) if hashMismatch is true, log
a provenance verification error (use r.logger.* with skill.Meta.Name and
skill.FilePath) and return false before calling r.overlaySkill so tampered
marketplace installs are not applied. Apply the same change to the corresponding
logic block referenced at the other occurrence (lines 370-399) where
verifyMarketplaceSkill is used, ensuring both paths abort overlay when
marketplace verification fails and update any tests that assumed the old
behavior.
🧹 Nitpick comments (2)
internal/skills/provenance_test.go (1)

14-326: Please move these into t.Run("Should...") subtests.

The cases are mostly isolated already, but they are still top-level tests. Grouping them into table-driven subtests would match the repo's default structure and remove a lot of repeated setup. As per coding guidelines, **/*_test.go: MUST use t.Run("Should...") pattern for ALL test cases.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/skills/provenance_test.go` around lines 14 - 326, Wrap each
top-level test body into a t.Run subtest with a "Should..." name (e.g., inside
TestComputeHashReturnsConsistentSHA256ForSameContent call
t.Run("ShouldReturnConsistentSHA256ForSameContent", func(t *testing.T){ ... })
), move any t.Parallel() calls into the subtest, and keep all existing setup and
assertions intact; apply this change to the functions
TestComputeHashReturnsConsistentSHA256ForSameContent,
TestComputeHashReturnsDifferentHashForDifferentContent,
TestWriteSidecarCreatesStableHumanReadableJSON,
TestReadSidecarParsesValidJSONIntoProvenance,
TestReadSidecarReturnsDescriptiveErrorForMalformedJSON,
TestReadSidecarReturnsNotExistForMissingSidecar,
TestVerifyHashReturnsNilWhenHashMatches,
TestVerifyHashReturnsExpectedAndActualHashWhenTampered,
TestHasSidecarReturnsTrueWhenSidecarExists,
TestHasSidecarReturnsFalseWhenSidecarMissing, and
TestSidecarRoundTripProducesIdenticalProvenance so they each use a single
t.Run("Should...") subtest while preserving existing helper calls like
WriteSidecar, ReadSidecar, VerifyHash, ComputeHash, HasSidecar, testProvenance,
and writeSkillFile.
internal/skills/hooks.go (1)

293-323: Add the interface assertion and remove the blank-identifier writes.

limitedHookCapture is the only hookCapture implementation in this file, so a compile-time assertion would catch drift cheaply. Also, _, _ = c.buf.Write(...) breaks the repo rule against ignored errors with _; call c.buf.Write(...) directly and leave a brief note that bytes.Buffer.Write is effectively infallible.

♻️ Suggested cleanup 
 type hookCapture interface {
 	Write([]byte) (int, error)
 	String() string
 	Len() int
 	Truncated() bool
 }
 
 type limitedHookCapture struct {
 	buf       bytes.Buffer
 	truncated bool
 }
+
+var _ hookCapture = (*limitedHookCapture)(nil)
@@
 	switch {
 	case remaining <= 0:
 		c.truncated = true
 	case len(p) > remaining:
-		_, _ = c.buf.Write(p[:remaining])
+		c.buf.Write(p[:remaining]) // bytes.Buffer.Write never returns an error
 		c.truncated = true
 	default:
-		_, _ = c.buf.Write(p)
+		c.buf.Write(p) // bytes.Buffer.Write never returns an error
 	}

As per coding guidelines "Use compile-time interface verification: var _ Interface = (*Type)(nil)" and "Never ignore errors with _ — every error must be handled or have a written justification".

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@internal/skills/hooks.go` around lines 293 - 323, Add a compile-time
interface assertion for hookCapture by declaring var _ hookCapture =
(*limitedHookCapture)(nil) near the type definitions, and replace the
blank-identifier writes in limitedHookCapture.Write (the occurrences of "_, _ =
c.buf.Write(...)") with real calls that capture the returned (int, error) and
either handle the error or explicitly comment that bytes.Buffer.Write cannot
fail (e.g., assign to n, err := c.buf.Write(...); if err != nil { /* impossible
for bytes.Buffer.Write */ }). Ensure these changes touch the limitedHookCapture
type, newHookCapture function and the Write method, and keep reference to
hookCaptureLimitBytes unchanged.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@internal/skills/hooks.go`:
- Around line 68-76: NewHookRunner currently initializes
HookRunner.allowedMarketplace from cfg.AllowedMarketplaceMCP which conflates MCP
consent with hook consent and marketplaceSkillAllowed checks skill.Meta.Name
(mutable); change this by adding a separate hook allowlist in the config (e.g.,
AllowedMarketplaceHooks or AllowedHookMarketplaceIDs), initialize
HookRunner.allowedHooks from that list instead of AllowedMarketplaceMCP in
NewHookRunner, and update the gating function marketplaceSkillAllowed (or create
a new hookAllowed) to validate against immutable marketplace identity fields
(slug, registry, or hash) on the skill rather than skill.Meta.Name; keep using
cloneStrings for the new list to match existing patterns and ensure all
references to allowedMarketplace are adjusted to use the distinct hook allowlist
where lifecycle hooks are evaluated.
- Around line 149-163: The hook execution needs process-group containment and
the working directory set: replace the plain exec.CommandContext invocation with
a managed command via acp.configureManagedCommand (so SysProcAttr.Setpgid is
applied) and set cmd.Dir = skill.Dir before running; specifically update the
block that creates/sets up cmd (currently using exec.CommandContext with
hook.Command/hook.Args and setting cmd.Stdout/Stderr) to call
configureManagedCommand(ctx, hook.Command, hook.Args...) (or wrap the created
*exec.Cmd with configureManagedCommand) and ensure cmd.Dir = skill.Dir so
descendants are killed on timeout and relative paths resolve to the skill
installation root.
- Around line 153-156: The hook process is started with exec.CommandContext
(creating cmd) but cmd.Dir is never set, so relative hook commands run from the
daemon cwd; set cmd.Dir to the skill's extracted directory (skill.Dir) on the
cmd object before running the command (i.e., after creating cmd and before
starting/awaiting it) so ./script.sh and other relative paths resolve inside the
skill; locate the cmd creation in internal/skills/hooks.go where
exec.CommandContext(hookCtx, hook.Command, hook.Args...) is used and add cmd.Dir
= skill.Dir alongside cmd.Stdin and cmd.Env.

In `@internal/skills/mcp.go`:
- Around line 63-80: The code trims the temporary lookup key `name` but leaves
`resolvedServer.Name` unnormalized, causing entries like " github " and "github"
to dedupe but persist different `Name` values; update the `resolvedServer`
produced by `toConfigMCPServer(server)` so its `Name` field is normalized (e.g.,
set `resolvedServer.Name = strings.TrimSpace(name)` or otherwise normalize
`name`) before using it for replacement (`resolved[idx] = resolvedServer`) or
appending (`resolved = append(resolved, resolvedServer)`), keeping the same
`index`/`mcpOrigin` logic intact.

In `@internal/skills/provenance.go`:
- Around line 36-40: ComputeHash currently only hashes SKILL.md; update it (and
the corresponding VerifyHash logic) to compute a deterministic hash of the full
installed skill payload instead: gather SKILL.md plus every file referenced by
hooks and MCP declarations (or walk the skill directory and build a sorted
manifest of file paths and their contents), concatenate in a stable order and
compute the SHA-256 over that manifest; then change VerifyHash to validate
against that full-payload hash rather than just SKILL.md. Ensure you update the
functions named ComputeHash and VerifyHash (and any callers between lines
~87-111 that verify hashes) to accept or derive the list/manifest of files so
integrity covers declared command targets and auxiliary files.

---

Outside diff comments:
In `@internal/skills/registry.go`:
- Around line 317-337: processSkill currently treats a marketplace provenance
hash mismatch as only a warning and still overlays the skill; change this to
fail-closed: after calling verifyMarketplaceSkill (the hashMismatch variable) if
hashMismatch is true, log a provenance verification error (use r.logger.* with
skill.Meta.Name and skill.FilePath) and return false before calling
r.overlaySkill so tampered marketplace installs are not applied. Apply the same
change to the corresponding logic block referenced at the other occurrence
(lines 370-399) where verifyMarketplaceSkill is used, ensuring both paths abort
overlay when marketplace verification fails and update any tests that assumed
the old behavior.

---

Nitpick comments:
In `@internal/skills/hooks.go`:
- Around line 293-323: Add a compile-time interface assertion for hookCapture by
declaring var _ hookCapture = (*limitedHookCapture)(nil) near the type
definitions, and replace the blank-identifier writes in limitedHookCapture.Write
(the occurrences of "_, _ = c.buf.Write(...)") with real calls that capture the
returned (int, error) and either handle the error or explicitly comment that
bytes.Buffer.Write cannot fail (e.g., assign to n, err := c.buf.Write(...); if
err != nil { /* impossible for bytes.Buffer.Write */ }). Ensure these changes
touch the limitedHookCapture type, newHookCapture function and the Write method,
and keep reference to hookCaptureLimitBytes unchanged.

In `@internal/skills/provenance_test.go`:
- Around line 14-326: Wrap each top-level test body into a t.Run subtest with a
"Should..." name (e.g., inside
TestComputeHashReturnsConsistentSHA256ForSameContent call
t.Run("ShouldReturnConsistentSHA256ForSameContent", func(t *testing.T){ ... })
), move any t.Parallel() calls into the subtest, and keep all existing setup and
assertions intact; apply this change to the functions
TestComputeHashReturnsConsistentSHA256ForSameContent,
TestComputeHashReturnsDifferentHashForDifferentContent,
TestWriteSidecarCreatesStableHumanReadableJSON,
TestReadSidecarParsesValidJSONIntoProvenance,
TestReadSidecarReturnsDescriptiveErrorForMalformedJSON,
TestReadSidecarReturnsNotExistForMissingSidecar,
TestVerifyHashReturnsNilWhenHashMatches,
TestVerifyHashReturnsExpectedAndActualHashWhenTampered,
TestHasSidecarReturnsTrueWhenSidecarExists,
TestHasSidecarReturnsFalseWhenSidecarMissing, and
TestSidecarRoundTripProducesIdenticalProvenance so they each use a single
t.Run("Should...") subtest while preserving existing helper calls like
WriteSidecar, ReadSidecar, VerifyHash, ComputeHash, HasSidecar, testProvenance,
and writeSkillFile.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e5358edf-ba0a-4bae-8ba6-c6f67db7faf6

📥 Commits

Reviewing files that changed from the base of the PR and between a4ce155 and 374f65d.

⛔ Files ignored due to path filters (10)
  • ai-docs/reviews-pr-8/_summary.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/001-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/002-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/003-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/004-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/005-issue.md is excluded by !**/*.md
  • ai-docs/reviews-pr-8/issues/006-issue.md is excluded by !**/*.md
  • docs/plans/2026-04-08-agh-network-design.md is excluded by !**/*.md
  • docs/rfcs/agh-network.md is excluded by !**/*.md
  • internal/skills/testdata/loader/invalid-hook-command/SKILL.md is excluded by !**/*.md
📒 Files selected for processing (18)
  • internal/config/config.go
  • internal/config/config_test.go
  • internal/config/merge_test.go
  • internal/daemon/boot.go
  • internal/daemon/daemon_integration_test.go
  • internal/daemon/notifier.go
  • internal/daemon/notifier_integration_test.go
  • internal/daemon/notifier_test.go
  • internal/skills/catalog_test.go
  • internal/skills/hooks.go
  • internal/skills/hooks_test.go
  • internal/skills/loader.go
  • internal/skills/loader_test.go
  • internal/skills/mcp.go
  • internal/skills/provenance.go
  • internal/skills/provenance_test.go
  • internal/skills/registry.go
  • internal/skills/testdata/hooks/driver.sh
✅ Files skipped from review due to trivial changes (5)
  • internal/daemon/daemon_integration_test.go
  • internal/config/config_test.go
  • internal/skills/hooks_test.go
  • internal/config/config.go
  • internal/config/merge_test.go
🚧 Files skipped from review as they are similar to previous changes (4)
  • internal/skills/loader.go
  • internal/skills/catalog_test.go
  • internal/skills/loader_test.go
  • internal/daemon/notifier.go

Comment thread internal/skills/hooks.go
Comment thread internal/skills/hooks.go
Comment thread internal/skills/hooks.go Outdated
Comment thread internal/skills/mcp.go
Comment thread internal/skills/provenance.go
@pedronauck pedronauck merged commit ee8736c into main Apr 8, 2026
1 check was pending
@pedronauck pedronauck deleted the pn/skills-v2 branch April 8, 2026 20:13
This was referenced Apr 9, 2026
Merged
Merged
Merged
Merged
Merged
This was referenced May 23, 2026
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Closed
Merged
pedronauck added a commit that referenced this pull request May 26, 2026
@pedronauck @github-actions
release: Release v0.0.1 (#204)
f9a9fcc 
## Release v0.0.1

This PR prepares the release of version v0.0.1.

### Changelog

## 0.0.1 - 2026-05-26



### Other Changes

- Lessons learned



### ♻️ Refactoring

- Project structure (#7)
- Kb improvements (#12)
- Rename spaces to channels (#17)
- Add extensions gaps (#21)
- Improve tool calls ui (#22)
- Remove web app header
- Module improvements (#29)
- Memory improvements (#35)
- Storybook for web and ui (#38)
- Enable AGH network by default for new installs (#57)
- Hermes adjustments (#69)
- Badges design (#84)
- Storybook scenario and logos gallery
- Migrate typescript tests (#114)
- Internal go packages (#120)
- Ui patterns (#127)
- Improve e2e tests (#130)
- Ui redesign
- Workspace isolation across runtime surfaces (#145)
- Prod ready applies (#162)
- Tool card ui (#164)
- Alpha on logo
- Prod ready features (#167)
- Thread sheet (#202)



### 🎉 Features

- Implement config foundation packages
- Implement sqlite store package
- Add ACP client package
- Add session lifecycle manager
- Implement observe package
- Add daemon composition root
- Add uds api server
- Implement cli package
- Add http api server
- Add system design
- Add foundation types, schemas, and layout shell for web client
- Add daemon health polling and agent sidebar systems for web client
- Add session system CRUD, streaming core, and session store for web
client
- Add chat view, messages, and composer tests for web client
- Add tool cards and renderers for web client
- Add file-backed memory store core
- Scaffold memory session seams
- Add memory dream consolidation service
- Wire memory assembler into daemon
- Add memory api and cli
- New skills system (#1)
- Add workspace entity (#5)
- Add new skill capabilities (#8)
- Web ui v2 (#9)
- Improve hooks system (#10)
- Session resilience (#11)
- Add extensability (#13)
- Add automation (#16)
- Add channels (#14)
- Add network implementation (#15)
- Add network, bridges and automations web pages (#18)
- Ext registry (#20)
- Add core tasks (#19)
- Bridge adapters (#23)
- Add site (#26)
- Add ext refac and sandbox (#25)
- Settings ui (#37)
- Tasks ui (#36)
- Harness improvements (#44)
- Agent capabilities (#49)
- Redesign ui (#48)
- Unify capability (#53)
- Redesign network workspace (#59)
- Add task deletion and split session delete from stop (#58)
- Session provider selection (#60)
- Production grade adjustments (#66)
- Autonomous system (#75)
- Add agent session route (#80)
- Tools registry (#85)
- Agents soul (#88)
- Add network threads (#105)
- Orchestration improvements (#106)
- Memory v2 (#108)
- Agent categories (#113)
- Providers model (#118)
- Add canonical AGH bundled skill (#143)
- Onboarding and improvements (#198)
- Onboarding and improvements (#201)



### 🐛 Bug Fixes

- Review round
- Review rounds
- Resolve memory extensibility review batch
- Embed web into daemon
- Defaults agents
- Acp integration (#4)
- Lint errors
- Prd folder
- Remove orphan web actions and dead surfaces (#55)
- Qa testing and fixes (#73)
- New review rounds (#82)
- Security audit (#90)
- Release qa round (#95)
- Add missing tools (#141)
- New qa round (#147)
- Advanced qa round (#149)
- Homebrew tap
- Final review round (#151)
- Daemon healthy
- Reasoning models (#158)
- Lint errors (#160)
- Review round (#168)
- Release adjustments (#171)
- Stabilize release ci fixtures
- Stabilize release integration gate
- Stabilize release verify gates
- Stabilize release integration flows
- Stabilize release verify gates
- Stabilize main verify shutdown
- Ignore stale acpmock cancel
- Marketplace search focus and filtering (#193)
- Website video
- Workspace command select



### 📚 Documentation

- Update agents.md
- Update prd
- Update skills
- Update compozy tasks
- Update compozy
- Update compozy
- Add new skills
- Archive prd
- Update prds
- Update rfc
- Update prds
- Update prds
- Add automation prd
- Channels prd
- Update prd
- Update prd
- New prds
- Archive prds
- Bridges adapters prd
- Sandbox prd
- Update
- Archive prd
- Update
- Add new prd
- New design
- Update prd
- Archive prds
- Update prds
- Tasks-ui prd tasks
- Update prd
- Update design docs
- Agent capabilities prd
- Improve site docs
- Remove old design references
- Udpate
- Autonomous prd
- Update skills
- Blog design
- Agent sould prd
- Final qa plan
- Update
- Remove codex ledgers from gitignore
- Remove not needed files
- Udpate ledger
- Update cy-codex-loop skill
- Orchestration improves prd
- Update prds
- Orch improvs prd
- Memv2 prd
- Providers model prd
- Update refacs prd
- New design proposal
- Update rules
- Update skills
- New blog posts (#173)
- Format docs
- Remove old design files
- Remove old
- Skeeper update



### 📦 Build System

- Initial structure
- Commitlint
- Frontend base structure
- Update vscode settings
- Add subagents
- Coderabbit
- Prd and tooling
- Bun lock
- Lint tooling
- Copy.md and tooling adjusts
- Add repoclone rc
- Upgrade skeeper to v0.2.0
- Update go.mod
- Adopt task artifacts into skeeper
- Sync codex plans with skeeper
- Skeeper lock
- Skeeper lock
- New skills
- Skeeper lock
- Skeeper lock
- Skeeper lock
- Update deps and go
- Regenerate daytona sidecar assets for go 1.26.3
- Fix cliff
- Ignore docs on fmt
- Build web assets before goreleaser
- Extend release dry-run timeout



### 🔧 CI/CD

- Lint errors
- Fint release pr
- Fix goreleaser



### 🧪 Testing

- Add e2e tests (#27)
- Qa rounds (#78)
- Improve test suite (#138)
- Harden daemon-served restart reloads
- Harden daemon-served readiness waits
- Stabilize dashboard focus assertion
- Stabilize release integration gates
- Stabilize release e2e markers
- Stabilize release e2e flows

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This was referenced May 26, 2026
Closed
Merged
pedronauck added a commit that referenced this pull request May 26, 2026
@pedronauck @github-actions
release: Release v0.0.1 (#206)
c43820a 
## Release v0.0.1

This PR prepares the release of version v0.0.1.

### Changelog

## 0.0.1 - 2026-05-26



### Other Changes

- Lessons learned



### ♻️ Refactoring

- Project structure (#7)
- Kb improvements (#12)
- Rename spaces to channels (#17)
- Add extensions gaps (#21)
- Improve tool calls ui (#22)
- Remove web app header
- Module improvements (#29)
- Memory improvements (#35)
- Storybook for web and ui (#38)
- Enable AGH network by default for new installs (#57)
- Hermes adjustments (#69)
- Badges design (#84)
- Storybook scenario and logos gallery
- Migrate typescript tests (#114)
- Internal go packages (#120)
- Ui patterns (#127)
- Improve e2e tests (#130)
- Ui redesign
- Workspace isolation across runtime surfaces (#145)
- Prod ready applies (#162)
- Tool card ui (#164)
- Alpha on logo
- Prod ready features (#167)
- Thread sheet (#202)



### 🎉 Features

- Implement config foundation packages
- Implement sqlite store package
- Add ACP client package
- Add session lifecycle manager
- Implement observe package
- Add daemon composition root
- Add uds api server
- Implement cli package
- Add http api server
- Add system design
- Add foundation types, schemas, and layout shell for web client
- Add daemon health polling and agent sidebar systems for web client
- Add session system CRUD, streaming core, and session store for web
client
- Add chat view, messages, and composer tests for web client
- Add tool cards and renderers for web client
- Add file-backed memory store core
- Scaffold memory session seams
- Add memory dream consolidation service
- Wire memory assembler into daemon
- Add memory api and cli
- New skills system (#1)
- Add workspace entity (#5)
- Add new skill capabilities (#8)
- Web ui v2 (#9)
- Improve hooks system (#10)
- Session resilience (#11)
- Add extensability (#13)
- Add automation (#16)
- Add channels (#14)
- Add network implementation (#15)
- Add network, bridges and automations web pages (#18)
- Ext registry (#20)
- Add core tasks (#19)
- Bridge adapters (#23)
- Add site (#26)
- Add ext refac and sandbox (#25)
- Settings ui (#37)
- Tasks ui (#36)
- Harness improvements (#44)
- Agent capabilities (#49)
- Redesign ui (#48)
- Unify capability (#53)
- Redesign network workspace (#59)
- Add task deletion and split session delete from stop (#58)
- Session provider selection (#60)
- Production grade adjustments (#66)
- Autonomous system (#75)
- Add agent session route (#80)
- Tools registry (#85)
- Agents soul (#88)
- Add network threads (#105)
- Orchestration improvements (#106)
- Memory v2 (#108)
- Agent categories (#113)
- Providers model (#118)
- Add canonical AGH bundled skill (#143)
- Onboarding and improvements (#198)
- Onboarding and improvements (#201)



### 🐛 Bug Fixes

- Review round
- Review rounds
- Resolve memory extensibility review batch
- Embed web into daemon
- Defaults agents
- Acp integration (#4)
- Lint errors
- Prd folder
- Remove orphan web actions and dead surfaces (#55)
- Qa testing and fixes (#73)
- New review rounds (#82)
- Security audit (#90)
- Release qa round (#95)
- Add missing tools (#141)
- New qa round (#147)
- Advanced qa round (#149)
- Homebrew tap
- Final review round (#151)
- Daemon healthy
- Reasoning models (#158)
- Lint errors (#160)
- Review round (#168)
- Release adjustments (#171)
- Stabilize release ci fixtures
- Stabilize release integration gate
- Stabilize release verify gates
- Stabilize release integration flows
- Stabilize release verify gates
- Stabilize main verify shutdown
- Ignore stale acpmock cancel
- Marketplace search focus and filtering (#193)
- Website video
- Workspace command select



### 📚 Documentation

- Update agents.md
- Update prd
- Update skills
- Update compozy tasks
- Update compozy
- Update compozy
- Add new skills
- Archive prd
- Update prds
- Update rfc
- Update prds
- Update prds
- Add automation prd
- Channels prd
- Update prd
- Update prd
- New prds
- Archive prds
- Bridges adapters prd
- Sandbox prd
- Update
- Archive prd
- Update
- Add new prd
- New design
- Update prd
- Archive prds
- Update prds
- Tasks-ui prd tasks
- Update prd
- Update design docs
- Agent capabilities prd
- Improve site docs
- Remove old design references
- Udpate
- Autonomous prd
- Update skills
- Blog design
- Agent sould prd
- Final qa plan
- Update
- Remove codex ledgers from gitignore
- Remove not needed files
- Udpate ledger
- Update cy-codex-loop skill
- Orchestration improves prd
- Update prds
- Orch improvs prd
- Memv2 prd
- Providers model prd
- Update refacs prd
- New design proposal
- Update rules
- Update skills
- New blog posts (#173)
- Format docs
- Remove old design files
- Remove old
- Skeeper update



### 📦 Build System

- Initial structure
- Commitlint
- Frontend base structure
- Update vscode settings
- Add subagents
- Coderabbit
- Prd and tooling
- Bun lock
- Lint tooling
- Copy.md and tooling adjusts
- Add repoclone rc
- Upgrade skeeper to v0.2.0
- Update go.mod
- Adopt task artifacts into skeeper
- Sync codex plans with skeeper
- Skeeper lock
- Skeeper lock
- New skills
- Skeeper lock
- Skeeper lock
- Skeeper lock
- Update deps and go
- Regenerate daytona sidecar assets for go 1.26.3
- Fix cliff
- Ignore docs on fmt
- Build web assets before goreleaser
- Extend release dry-run timeout



### 🔧 CI/CD

- Lint errors
- Fint release pr
- Fix goreleaser
- Fix release



### 🧪 Testing

- Add e2e tests (#27)
- Qa rounds (#78)
- Improve test suite (#138)
- Harden daemon-served restart reloads
- Harden daemon-served readiness waits
- Stabilize dashboard focus assertion
- Stabilize release integration gates
- Stabilize release e2e markers
- Stabilize release e2e flows

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@pedronauck pedronauck mentioned this pull request May 26, 2026
Merged
pedronauck added a commit that referenced this pull request May 26, 2026
@pedronauck @github-actions
release: Release v0.0.2 (#207)
5592f87 
## Release v0.0.2

This PR prepares the release of version v0.0.2.

### Changelog

## 0.0.2 - 2026-05-26



### Other Changes

- Lessons learned



### ♻️ Refactoring

- Project structure (#7)
- Kb improvements (#12)
- Rename spaces to channels (#17)
- Add extensions gaps (#21)
- Improve tool calls ui (#22)
- Remove web app header
- Module improvements (#29)
- Memory improvements (#35)
- Storybook for web and ui (#38)
- Enable AGH network by default for new installs (#57)
- Hermes adjustments (#69)
- Badges design (#84)
- Storybook scenario and logos gallery
- Migrate typescript tests (#114)
- Internal go packages (#120)
- Ui patterns (#127)
- Improve e2e tests (#130)
- Ui redesign
- Workspace isolation across runtime surfaces (#145)
- Prod ready applies (#162)
- Tool card ui (#164)
- Alpha on logo
- Prod ready features (#167)
- Thread sheet (#202)



### 🎉 Features

- Implement config foundation packages
- Implement sqlite store package
- Add ACP client package
- Add session lifecycle manager
- Implement observe package
- Add daemon composition root
- Add uds api server
- Implement cli package
- Add http api server
- Add system design
- Add foundation types, schemas, and layout shell for web client
- Add daemon health polling and agent sidebar systems for web client
- Add session system CRUD, streaming core, and session store for web
client
- Add chat view, messages, and composer tests for web client
- Add tool cards and renderers for web client
- Add file-backed memory store core
- Scaffold memory session seams
- Add memory dream consolidation service
- Wire memory assembler into daemon
- Add memory api and cli
- New skills system (#1)
- Add workspace entity (#5)
- Add new skill capabilities (#8)
- Web ui v2 (#9)
- Improve hooks system (#10)
- Session resilience (#11)
- Add extensability (#13)
- Add automation (#16)
- Add channels (#14)
- Add network implementation (#15)
- Add network, bridges and automations web pages (#18)
- Ext registry (#20)
- Add core tasks (#19)
- Bridge adapters (#23)
- Add site (#26)
- Add ext refac and sandbox (#25)
- Settings ui (#37)
- Tasks ui (#36)
- Harness improvements (#44)
- Agent capabilities (#49)
- Redesign ui (#48)
- Unify capability (#53)
- Redesign network workspace (#59)
- Add task deletion and split session delete from stop (#58)
- Session provider selection (#60)
- Production grade adjustments (#66)
- Autonomous system (#75)
- Add agent session route (#80)
- Tools registry (#85)
- Agents soul (#88)
- Add network threads (#105)
- Orchestration improvements (#106)
- Memory v2 (#108)
- Agent categories (#113)
- Providers model (#118)
- Add canonical AGH bundled skill (#143)
- Onboarding and improvements (#198)
- Onboarding and improvements (#201)



### 🐛 Bug Fixes

- Review round
- Review rounds
- Resolve memory extensibility review batch
- Embed web into daemon
- Defaults agents
- Acp integration (#4)
- Lint errors
- Prd folder
- Remove orphan web actions and dead surfaces (#55)
- Qa testing and fixes (#73)
- New review rounds (#82)
- Security audit (#90)
- Release qa round (#95)
- Add missing tools (#141)
- New qa round (#147)
- Advanced qa round (#149)
- Homebrew tap
- Final review round (#151)
- Daemon healthy
- Reasoning models (#158)
- Lint errors (#160)
- Review round (#168)
- Release adjustments (#171)
- Stabilize release ci fixtures
- Stabilize release integration gate
- Stabilize release verify gates
- Stabilize release integration flows
- Stabilize release verify gates
- Stabilize main verify shutdown
- Ignore stale acpmock cancel
- Marketplace search focus and filtering (#193)
- Website video
- Workspace command select



### 📚 Documentation

- Update agents.md
- Update prd
- Update skills
- Update compozy tasks
- Update compozy
- Update compozy
- Add new skills
- Archive prd
- Update prds
- Update rfc
- Update prds
- Update prds
- Add automation prd
- Channels prd
- Update prd
- Update prd
- New prds
- Archive prds
- Bridges adapters prd
- Sandbox prd
- Update
- Archive prd
- Update
- Add new prd
- New design
- Update prd
- Archive prds
- Update prds
- Tasks-ui prd tasks
- Update prd
- Update design docs
- Agent capabilities prd
- Improve site docs
- Remove old design references
- Udpate
- Autonomous prd
- Update skills
- Blog design
- Agent sould prd
- Final qa plan
- Update
- Remove codex ledgers from gitignore
- Remove not needed files
- Udpate ledger
- Update cy-codex-loop skill
- Orchestration improves prd
- Update prds
- Orch improvs prd
- Memv2 prd
- Providers model prd
- Update refacs prd
- New design proposal
- Update rules
- Update skills
- New blog posts (#173)
- Format docs
- Remove old design files
- Remove old
- Skeeper update



### 📦 Build System

- Initial structure
- Commitlint
- Frontend base structure
- Update vscode settings
- Add subagents
- Coderabbit
- Prd and tooling
- Bun lock
- Lint tooling
- Copy.md and tooling adjusts
- Add repoclone rc
- Upgrade skeeper to v0.2.0
- Update go.mod
- Adopt task artifacts into skeeper
- Sync codex plans with skeeper
- Skeeper lock
- Skeeper lock
- New skills
- Skeeper lock
- Skeeper lock
- Skeeper lock
- Update deps and go
- Regenerate daytona sidecar assets for go 1.26.3
- Fix cliff
- Ignore docs on fmt
- Build web assets before goreleaser
- Extend release dry-run timeout



### 🔧 CI/CD

- Lint errors
- Fint release pr
- Fix goreleaser
- Fix release
- Fix release process



### 🧪 Testing

- Add e2e tests (#27)
- Qa rounds (#78)
- Improve test suite (#138)
- Harden daemon-served restart reloads
- Harden daemon-served readiness waits
- Stabilize dashboard focus assertion
- Stabilize release integration gates
- Stabilize release e2e markers
- Stabilize release e2e flows
- Improve suite speed

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This was referenced May 26, 2026
Closed
Closed
Merged
pedronauck added a commit that referenced this pull request May 27, 2026
@pedronauck @github-actions
release: Release v0.0.2 (#211)
7ab276a 
## Release v0.0.2

This PR prepares the release of version v0.0.2.

### Changelog

## 0.0.2 - 2026-05-26



### Other Changes

- Lessons learned



### ♻️ Refactoring

- Project structure (#7)
- Kb improvements (#12)
- Rename spaces to channels (#17)
- Add extensions gaps (#21)
- Improve tool calls ui (#22)
- Remove web app header
- Module improvements (#29)
- Memory improvements (#35)
- Storybook for web and ui (#38)
- Enable AGH network by default for new installs (#57)
- Hermes adjustments (#69)
- Badges design (#84)
- Storybook scenario and logos gallery
- Migrate typescript tests (#114)
- Internal go packages (#120)
- Ui patterns (#127)
- Improve e2e tests (#130)
- Ui redesign
- Workspace isolation across runtime surfaces (#145)
- Prod ready applies (#162)
- Tool card ui (#164)
- Alpha on logo
- Prod ready features (#167)
- Thread sheet (#202)



### 🎉 Features

- Implement config foundation packages
- Implement sqlite store package
- Add ACP client package
- Add session lifecycle manager
- Implement observe package
- Add daemon composition root
- Add uds api server
- Implement cli package
- Add http api server
- Add system design
- Add foundation types, schemas, and layout shell for web client
- Add daemon health polling and agent sidebar systems for web client
- Add session system CRUD, streaming core, and session store for web
client
- Add chat view, messages, and composer tests for web client
- Add tool cards and renderers for web client
- Add file-backed memory store core
- Scaffold memory session seams
- Add memory dream consolidation service
- Wire memory assembler into daemon
- Add memory api and cli
- New skills system (#1)
- Add workspace entity (#5)
- Add new skill capabilities (#8)
- Web ui v2 (#9)
- Improve hooks system (#10)
- Session resilience (#11)
- Add extensability (#13)
- Add automation (#16)
- Add channels (#14)
- Add network implementation (#15)
- Add network, bridges and automations web pages (#18)
- Ext registry (#20)
- Add core tasks (#19)
- Bridge adapters (#23)
- Add site (#26)
- Add ext refac and sandbox (#25)
- Settings ui (#37)
- Tasks ui (#36)
- Harness improvements (#44)
- Agent capabilities (#49)
- Redesign ui (#48)
- Unify capability (#53)
- Redesign network workspace (#59)
- Add task deletion and split session delete from stop (#58)
- Session provider selection (#60)
- Production grade adjustments (#66)
- Autonomous system (#75)
- Add agent session route (#80)
- Tools registry (#85)
- Agents soul (#88)
- Add network threads (#105)
- Orchestration improvements (#106)
- Memory v2 (#108)
- Agent categories (#113)
- Providers model (#118)
- Add canonical AGH bundled skill (#143)
- Onboarding and improvements (#198)
- Onboarding and improvements (#201)



### 🐛 Bug Fixes

- Review round
- Review rounds
- Resolve memory extensibility review batch
- Embed web into daemon
- Defaults agents
- Acp integration (#4)
- Lint errors
- Prd folder
- Remove orphan web actions and dead surfaces (#55)
- Qa testing and fixes (#73)
- New review rounds (#82)
- Security audit (#90)
- Release qa round (#95)
- Add missing tools (#141)
- New qa round (#147)
- Advanced qa round (#149)
- Homebrew tap
- Final review round (#151)
- Daemon healthy
- Reasoning models (#158)
- Lint errors (#160)
- Review round (#168)
- Release adjustments (#171)
- Stabilize release ci fixtures
- Stabilize release integration gate
- Stabilize release verify gates
- Stabilize release integration flows
- Stabilize release verify gates
- Stabilize main verify shutdown
- Ignore stale acpmock cancel
- Marketplace search focus and filtering (#193)
- Website video
- Workspace command select



### 📚 Documentation

- Update agents.md
- Update prd
- Update skills
- Update compozy tasks
- Update compozy
- Update compozy
- Add new skills
- Archive prd
- Update prds
- Update rfc
- Update prds
- Update prds
- Add automation prd
- Channels prd
- Update prd
- Update prd
- New prds
- Archive prds
- Bridges adapters prd
- Sandbox prd
- Update
- Archive prd
- Update
- Add new prd
- New design
- Update prd
- Archive prds
- Update prds
- Tasks-ui prd tasks
- Update prd
- Update design docs
- Agent capabilities prd
- Improve site docs
- Remove old design references
- Udpate
- Autonomous prd
- Update skills
- Blog design
- Agent sould prd
- Final qa plan
- Update
- Remove codex ledgers from gitignore
- Remove not needed files
- Udpate ledger
- Update cy-codex-loop skill
- Orchestration improves prd
- Update prds
- Orch improvs prd
- Memv2 prd
- Providers model prd
- Update refacs prd
- New design proposal
- Update rules
- Update skills
- New blog posts (#173)
- Format docs
- Remove old design files
- Remove old
- Skeeper update



### 📦 Build System

- Initial structure
- Commitlint
- Frontend base structure
- Update vscode settings
- Add subagents
- Coderabbit
- Prd and tooling
- Bun lock
- Lint tooling
- Copy.md and tooling adjusts
- Add repoclone rc
- Upgrade skeeper to v0.2.0
- Update go.mod
- Adopt task artifacts into skeeper
- Sync codex plans with skeeper
- Skeeper lock
- Skeeper lock
- New skills
- Skeeper lock
- Skeeper lock
- Skeeper lock
- Update deps and go
- Regenerate daytona sidecar assets for go 1.26.3
- Fix cliff
- Ignore docs on fmt
- Build web assets before goreleaser
- Extend release dry-run timeout



### 🔧 CI/CD

- Lint errors
- Fint release pr
- Fix goreleaser
- Fix release
- Fix release process
- Fix release sync
- Decouple release dry-run npm auth
- Persist web assets git auth



### 🧪 Testing

- Add e2e tests (#27)
- Qa rounds (#78)
- Improve test suite (#138)
- Harden daemon-served restart reloads
- Harden daemon-served readiness waits
- Stabilize dashboard focus assertion
- Stabilize release integration gates
- Stabilize release e2e markers
- Stabilize release e2e flows
- Improve suite speed


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Updated web assets dependency to a newer version for improved
stability and performance.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/compozy/agh/pull/211?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
This was referenced May 27, 2026
Closed
Closed
Merged
pedronauck added a commit that referenced this pull request May 27, 2026
@pedronauck @github-actions
release: Release v0.0.2 (#214)
2e87293 
## Release v0.0.2

This PR prepares the release of version v0.0.2.

### Changelog

## 0.0.2 - 2026-05-27



### Other Changes

- Lessons learned



### ♻️ Refactoring

- Project structure (#7)
- Kb improvements (#12)
- Rename spaces to channels (#17)
- Add extensions gaps (#21)
- Improve tool calls ui (#22)
- Remove web app header
- Module improvements (#29)
- Memory improvements (#35)
- Storybook for web and ui (#38)
- Enable AGH network by default for new installs (#57)
- Hermes adjustments (#69)
- Badges design (#84)
- Storybook scenario and logos gallery
- Migrate typescript tests (#114)
- Internal go packages (#120)
- Ui patterns (#127)
- Improve e2e tests (#130)
- Ui redesign
- Workspace isolation across runtime surfaces (#145)
- Prod ready applies (#162)
- Tool card ui (#164)
- Alpha on logo
- Prod ready features (#167)
- Thread sheet (#202)



### 🎉 Features

- Implement config foundation packages
- Implement sqlite store package
- Add ACP client package
- Add session lifecycle manager
- Implement observe package
- Add daemon composition root
- Add uds api server
- Implement cli package
- Add http api server
- Add system design
- Add foundation types, schemas, and layout shell for web client
- Add daemon health polling and agent sidebar systems for web client
- Add session system CRUD, streaming core, and session store for web
client
- Add chat view, messages, and composer tests for web client
- Add tool cards and renderers for web client
- Add file-backed memory store core
- Scaffold memory session seams
- Add memory dream consolidation service
- Wire memory assembler into daemon
- Add memory api and cli
- New skills system (#1)
- Add workspace entity (#5)
- Add new skill capabilities (#8)
- Web ui v2 (#9)
- Improve hooks system (#10)
- Session resilience (#11)
- Add extensability (#13)
- Add automation (#16)
- Add channels (#14)
- Add network implementation (#15)
- Add network, bridges and automations web pages (#18)
- Ext registry (#20)
- Add core tasks (#19)
- Bridge adapters (#23)
- Add site (#26)
- Add ext refac and sandbox (#25)
- Settings ui (#37)
- Tasks ui (#36)
- Harness improvements (#44)
- Agent capabilities (#49)
- Redesign ui (#48)
- Unify capability (#53)
- Redesign network workspace (#59)
- Add task deletion and split session delete from stop (#58)
- Session provider selection (#60)
- Production grade adjustments (#66)
- Autonomous system (#75)
- Add agent session route (#80)
- Tools registry (#85)
- Agents soul (#88)
- Add network threads (#105)
- Orchestration improvements (#106)
- Memory v2 (#108)
- Agent categories (#113)
- Providers model (#118)
- Add canonical AGH bundled skill (#143)
- Onboarding and improvements (#198)
- Onboarding and improvements (#201)



### 🐛 Bug Fixes

- Review round
- Review rounds
- Resolve memory extensibility review batch
- Embed web into daemon
- Defaults agents
- Acp integration (#4)
- Lint errors
- Prd folder
- Remove orphan web actions and dead surfaces (#55)
- Qa testing and fixes (#73)
- New review rounds (#82)
- Security audit (#90)
- Release qa round (#95)
- Add missing tools (#141)
- New qa round (#147)
- Advanced qa round (#149)
- Homebrew tap
- Final review round (#151)
- Daemon healthy
- Reasoning models (#158)
- Lint errors (#160)
- Review round (#168)
- Release adjustments (#171)
- Stabilize release ci fixtures
- Stabilize release integration gate
- Stabilize release verify gates
- Stabilize release integration flows
- Stabilize release verify gates
- Stabilize main verify shutdown
- Ignore stale acpmock cancel
- Marketplace search focus and filtering (#193)
- Website video
- Workspace command select



### 📚 Documentation

- Update agents.md
- Update prd
- Update skills
- Update compozy tasks
- Update compozy
- Update compozy
- Add new skills
- Archive prd
- Update prds
- Update rfc
- Update prds
- Update prds
- Add automation prd
- Channels prd
- Update prd
- Update prd
- New prds
- Archive prds
- Bridges adapters prd
- Sandbox prd
- Update
- Archive prd
- Update
- Add new prd
- New design
- Update prd
- Archive prds
- Update prds
- Tasks-ui prd tasks
- Update prd
- Update design docs
- Agent capabilities prd
- Improve site docs
- Remove old design references
- Udpate
- Autonomous prd
- Update skills
- Blog design
- Agent sould prd
- Final qa plan
- Update
- Remove codex ledgers from gitignore
- Remove not needed files
- Udpate ledger
- Update cy-codex-loop skill
- Orchestration improves prd
- Update prds
- Orch improvs prd
- Memv2 prd
- Providers model prd
- Update refacs prd
- New design proposal
- Update rules
- Update skills
- New blog posts (#173)
- Format docs
- Remove old design files
- Remove old
- Skeeper update



### 📦 Build System

- Initial structure
- Commitlint
- Frontend base structure
- Update vscode settings
- Add subagents
- Coderabbit
- Prd and tooling
- Bun lock
- Lint tooling
- Copy.md and tooling adjusts
- Add repoclone rc
- Upgrade skeeper to v0.2.0
- Update go.mod
- Adopt task artifacts into skeeper
- Sync codex plans with skeeper
- Skeeper lock
- Skeeper lock
- New skills
- Skeeper lock
- Skeeper lock
- Skeeper lock
- Update deps and go
- Regenerate daytona sidecar assets for go 1.26.3
- Fix cliff
- Ignore docs on fmt
- Build web assets before goreleaser
- Extend release dry-run timeout
- Fix release dry-run token contract



### 🔧 CI/CD

- Lint errors
- Fint release pr
- Fix goreleaser
- Fix release
- Fix release process
- Fix release sync
- Decouple release dry-run npm auth
- Persist web assets git auth
- Require npm auth before release merge



### 🧪 Testing

- Add e2e tests (#27)
- Qa rounds (#78)
- Improve test suite (#138)
- Harden daemon-served restart reloads
- Harden daemon-served readiness waits
- Stabilize dashboard focus assertion
- Stabilize release integration gates
- Stabilize release e2e markers
- Stabilize release e2e flows
- Improve suite speed


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
  * Updated dependencies to latest versions.

<!-- review_stack_entry_start -->

[![Review Change
Stack](https://storage.googleapis.com/coderabbit_public_assets/review-stack-in-coderabbit-ui.svg)](https://app.coderabbit.ai/change-stack/compozy/agh/pull/214?utm_source=github_walkthrough&utm_medium=github&utm_campaign=change_stack)

<!-- review_stack_entry_end -->

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

@pedronauck pedronauck

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@pedronauck