Open
Security:
- Add Laravel Policies for Project, Skill, Webhook, MCP, A2A resources
- Add $this->authorize() checks to all 15 controllers (~50 methods)
- Fix BulkSkillController to scope queries by organization
- Fix skill duplication cross-project authorization
- Activate ResolveOrganization middleware on API routes
- Add rate limiting: 120 req/min general, 10/min LLM endpoints, 5/min generation
- Encrypt webhook secrets at rest (Laravel encrypted cast)
- Sanitize SSE error responses in production
Testing:
- AuthorizationTest — 10 tests for cross-org access denial
- ProjectApiTest — 6 tests for CRUD lifecycle
- SkillApiTest — 9 tests for CRUD, duplication, versioning
- TemplateResolverTest — 10 tests for variable resolution
- PromptLinterTest — 10 tests for all 8 lint rules
CI/CD:
- GitHub Actions workflow (PHP tests + Pint + frontend lint/typecheck/build)
- pint.json with Laravel preset
Community:
- CONTRIBUTING.md with setup instructions and PR process
- SECURITY.md with responsible disclosure policy
- CODE_OF_CONDUCT.md linking Contributor Covenant v2.1
- ui/.env.example
Frontend:
- ErrorBoundary component wrapping App
- Gate console.error behind import.meta.env.DEV
Other:
- Skip default admin seeding in production with warning
- Add credentials warning to README
- Bump ui version to 0.1.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Merges the separate scan (.skillr/ only) and import (provider configs)
flows into a single action. When "Scan" is clicked, the system now:
1. Scans .skillr/skills/ as before
2. Auto-detects ALL provider config files (Claude, Cursor, Copilot,
Windsurf, Cline, OpenAI, Codex CLI) regardless of output settings
3. Imports new skills from detected configs, skipping duplicates
4. Returns structured results to the UI
Changes:
- New ProjectScanService orchestrating scan + provider import
- Add Codex CLI parser (AGENTS.md + .codex/) to ProviderImportService
- Add imported:{provider} tags for traceability on imported skills
- Fix writeSkillFile bug in ProviderImportService (wrong arguments)
- Make scan endpoint synchronous with structured JSON response
- Remove setTimeout hack in ProjectDetail, show descriptive toast
- Add ScanResult type to frontend
- 8 new test cases for scan+import flow
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Narrative article covering the inspiration (keeping AI coding tools synchronized across teams) and implementation of Skillr as a single source of truth for AI instructions across providers.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New milestone (#7) with 8 issues (#49-#56) covering:
- Desktop MCP config sync (Claude Desktop, Claude Code, Cursor, Windsurf)
- Reverse-import MCP servers from existing desktop configs
- Workspace profiles for shared app settings
- Desktop config diff preview before sync
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New section covers the second layer of AI tool fragmentation: desktop app configs (MCP servers, model prefs, permissions) that live outside project repos. Positions desktop config sync as the natural next step, discusses workspace profiles concept, and reframes the "What's Next" into agents.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add Medium article draft covering Skillr's inspiration, implementation, and the desktop app config fragmentation frontier.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Extends Skillr to sync MCP server definitions and app settings to desktop AI tools (Claude Desktop, Claude Code, Cursor, Windsurf, Codex CLI).
Backend:
- Migration: desktop_app_configs + workspace_profiles tables
- DesktopAppConfig model with OS-aware config path detection for 5 apps
- WorkspaceProfile model for shared settings (model, approval, tools)
- DesktopSyncService: sync MCP to desktop configs, merge settings from workspace profiles, preview diffs, reverse-import MCP from existing configs. Non-destructive merge preserves non-Skillr config keys.
- DesktopConfigController: 8 API endpoints (list, detect, store, delete, sync all, sync app, preview, import MCP)
- Routes registered under auth:web group
Tests (9 cases):
- Known app detection
- MCP config generation with correct JSON shape
- Non-destructive merge preserving existing keys
- Preview without writing
- MCP reverse-import from desktop configs
- Claude Code settings merge (allowedTools, deniedTools)
- Codex CLI settings merge (model, approvalMode)
- Config file creation when missing
- Graceful handling of malformed JSON
Closes #49, #50, #51, #52, #53, #54, #55, #56
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
No description provided.