Add embedded Aspire skills fallback

[IEvangelist]

Description

Make Aspire skills installation reliable when GitHub release asset acquisition is unavailable.

Users running aspire agent init directly, or through the chained aspire new|init flow, now get a non-fatal warning if the Aspire skills bundle cannot be resolved instead of having the whole command fail. The installer now resolves the skills bundle in this order:

1. Existing validated cache.
2. Verified microsoft/aspire-skills GitHub release asset.
3. Embedded checked-in release snapshot.

This also adds a scheduled/manual automation workflow that downloads the configured microsoft/aspire-skills release asset, verifies its GitHub artifact attestation, updates the checked-in embedded snapshot and metadata, and opens a draft PR with the Aspire bot. The shared create-pull-request action now supports a draft input for that workflow.

User-facing usage

No new CLI options are required. Existing commands keep working and automatically use the embedded fallback when cache/GitHub acquisition is unavailable:

aspire agent init
aspire new
aspire init

Behavior change

aspire agent init now uses best-effort behavior for Aspire skills bundle acquisition in both explicit invocations and the chained aspire new|init prompt. If every bundle source is unavailable or invalid, the command warns and skips only bundle-backed Aspire skills instead of returning a non-zero exit code solely because optional skills content could not be acquired. Other selected agent-environment configuration can still complete.

Security considerations

This change touches release asset download, archive extraction, and a checked-in supply-chain fallback. GitHub downloads still require artifact attestation verification before use. The embedded snapshot is checked against embedded SHA-256 metadata before extraction, and the existing safe archive extraction and bundle manifest hash validation are reused for cache, GitHub, and embedded sources. The refresh workflow uses the existing Aspire bot GitHub App secrets and verifies the release asset attestation before writing the embedded snapshot.

Validation:

• .\restore.cmd
• .\eng\scripts\update-aspire-skills-bundle.ps1
• .\eng\scripts\verify-aspire-skills-bundle.ps1
• gh attestation verify src\Aspire.Cli\Agents\AspireSkills\Embedded\aspire-skills-v0.0.1.tgz --repo microsoft/aspire-skills --cert-identity "https://github.com/microsoft/aspire-skills/.github/workflows/publish.yml@refs/tags/v0.0.1" --cert-oidc-issuer "https://token.actions.githubusercontent.com"
• dotnet build /t:UpdateXlf src\Aspire.Cli\Aspire.Cli.csproj
• dotnet test --project tests\Aspire.Cli.Tests\Aspire.Cli.Tests.csproj --no-launch-profile -- --filter-class "*.AspireSkillsInstallerTests" --filter-class "*.AspireSkillsBundleTests" --filter-class "*.AgentInitCommandTests" --filter-not-trait "quarantined=true" --filter-not-trait "outerloop=true"
• dotnet build src\Aspire.Cli\Aspire.Cli.csproj /p:SkipNativeBuild=true
• git --no-pager diff --check

Fixes # (issue)

Checklist

• Is this feature complete?
  • Yes. Ready to ship.
  • No. Follow-up changes expected.
• Are you including unit tests for the changes and scenario tests if relevant?
  • Yes
  • No
• Did you add public API?
  • Yes
    • If yes, did you have an API Review for it?
      • Yes
      • No
    • Did you add <remarks /> and <code /> elements on your triple slash comments?
      • Yes
      • No
  • No
• Does the change make any security assumptions or guarantees?
  • Yes
    • If yes, have you done a threat model and had a security review?
      • Yes
      • No
  • No

[Copilot]

Copilot wasn't able to review any files in this pull request.

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17537

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17537"

[mitchdenny]

Safeguard suggestion: add CI verification of the embedded .tgz against its Sigstore attestation.

Today the runtime check is "SHA in the .tgz matches SHA in aspire-skills.metadata.json" — both committed side-by-side. The Sigstore/gh attestation verify step only runs inside update-aspire-skills-bundle.yml, which an attacker landing a hand-crafted PR would simply not invoke. GitHub's PR UI renders binary diffs as Bin XXX → YYY bytes, so an atomic swap of the archive + metadata SHA is easy to miss in review.

Suggest adding a CI job (triggered on any PR that touches src/Aspire.Cli/Agents/AspireSkills/Embedded/**) that re-asserts the embedded archive really is a Sigstore-attested release artifact from microsoft/aspire-skills:

- name: Verify embedded Aspire skills bundle attestation
  shell: pwsh
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    $meta = Get-Content -Raw src/Aspire.Cli/Agents/AspireSkills/Embedded/aspire-skills.metadata.json | ConvertFrom-Json

    if ($meta.repository -ne 'microsoft/aspire-skills') {
      throw "Unexpected embedded bundle repository '$($meta.repository)'."
    }

    $archive = "src/Aspire.Cli/Agents/AspireSkills/Embedded/$($meta.assetName)"
    $actual = (Get-FileHash -Algorithm SHA256 $archive).Hash.ToLowerInvariant()
    if ($actual -ne $meta.sha256) {
      throw "Embedded bundle SHA-256 mismatch. Expected '$($meta.sha256)', got '$actual'."
    }

    $certIdentity = "https://github.com/$($meta.repository)/.github/workflows/publish.yml@refs/tags/$($meta.tag)"
    gh attestation verify $archive `
      --repo $meta.repository `
      --cert-identity $certIdentity `
      --cert-oidc-issuer 'https://token.actions.githubusercontent.com'

This closes the gap without sacrificing offline builds — the committed .tgz stays a build-time convenience, and CI enforces that any change to it (whether by the bot workflow or a hand-crafted PR) must correspond to a Sigstore-attested release. The repository pin guards against an attacker swapping the metadata to point at a repo they control.

[mitchdenny]

Additional findings from the review (one bug-class behavioral regression, one dead code path, one workflow-input injection vector, and two diagnostic/UX improvements).

[mitchdenny]

@IEvangelist Thanks for the quick turnaround on the fixes — dead-code, workflow-injection, SHA-256 diagnostic, and metadata-error consistency all look good.

One outstanding item from the original review I want to confirm is intentional before this auto-merges: the removal of AgentInitErrorMode.Strict in AgentInitCommand.cs. Both the prompt-driven (PromptAndChainAsync) and explicit (ExecuteAsync) call paths now use the best-effort behavior — install failure → warning + silently drop AspireSkills-bundle skills + exit 0.

The rationale "we always have an embedded fallback" holds for the prompt-driven path, but the embedded fallback can itself fail (corrupted/missing embedded resource, SHA mismatch, metadata mismatch — all paths added by this PR return AcquisitionStatus.Failed). In that case, an explicit aspire agent init invocation now exits successfully with skills silently missing, which is a behavior change for anyone scripting it / running it in CI.

Is the loss of the non-zero exit code on the explicit path intentional? If yes, no objection — just worth calling out in the PR description so downstream automation owners know. If not, keeping Strict for ExecuteAsync would preserve the prior contract.

[IEvangelist]

Is the loss of the non-zero exit code on the explicit path intentional? If yes, no objection — just worth calling out in the PR description so downstream automation owners know. If not, keeping Strict for ExecuteAsync would preserve the prior contract.

Yes, this is intentional. The goal is for aspire agent init to keep applying any other selected agent-environment configuration and not fail solely because optional Aspire skills content could not be acquired; I updated the PR description with an explicit Behavior change section calling out the direct-command behavior and downstream automation impact.

[IEvangelist]

Safeguard suggestion: add CI verification of the embedded .tgz against its Sigstore attestation.

Added this safeguard. There is now a dedicated Verify Aspire Skills Bundle PR workflow, triggered when the embedded bundle files or verifier change, plus eng/scripts/verify-aspire-skills-bundle.ps1 which checks the pinned repository, archive filename safety, metadata SHA-256, and GitHub artifact attestation for the embedded archive.

[mitchdenny]

End-to-end tested in the repo container runner (PR CLI 13.5.0-pr.17537.g2243545c, scenarios: happy path, network-blocked → embedded fallback, version-override mismatch). A few observations to share, not blockers:

• ✅ Embedded resources load correctly from the AOT-published binary — the new fallback flow runs end-to-end with no missing-resource errors; Assembly.GetManifestResourceStream resolves both aspire-skills.metadata.json and aspire-skills.bundle.tgz in the published CLI.
• ✅ Sigstore CI safeguard (verify-aspire-skills-bundle.yml) looks good and correctly path-triggers on Embedded/**.
• ℹ️ Bundle compat note (presumably expected): the shipped aspire-skills-v0.0.1.tgz declares supports: >=13.4.0 <13.5.0, so on this 13.5.0-pr.* CLI ValidateCompatibility rejects it from both GitHub and embedded sources. I'm assuming this is by design — a follow-up aspire-skills release covering 13.5.x plus a re-run of update-aspire-skills-bundle.yml will restore the install path.
• ⚠️ The AgentInitErrorMode.Strict removal makes the above invisible. Across all three scenarios aspire agent init prints ✅ Agent environment configuration complete. and exits 0 even though the warning ⚠️ The Aspire skills bundle is invalid: ... was just emitted and no skills landed on disk. Even if the compat issue is expected today, the silent-success behavior will hide future bundle/compat issues from anyone scripting aspire agent init in CI. Worth either preserving Strict behavior on the explicit command path, or printing a clearly non-success closing message (and non-zero exit) when any installer step warned/failed.

[IEvangelist]

/backport to release/13.4

[github-actions]

Started backporting to release/13.4 (link to workflow run)

[aspire-repo-bot]

@IEvangelist backporting to release/13.4 failed, the patch most likely resulted in conflicts. Please backport manually!

git am output

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: Add embedded Aspire skills fallback
Using index info to reconstruct a base tree...
M	src/Aspire.Cli/Commands/AgentInitCommand.cs
M	src/Aspire.Cli/Resources/AgentCommandStrings.Designer.cs
M	src/Aspire.Cli/Resources/AgentCommandStrings.resx
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.cs.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.de.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.es.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.fr.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.it.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.ja.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.ko.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.pl.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.pt-BR.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.ru.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.tr.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.zh-Hans.xlf
M	src/Aspire.Cli/Resources/xlf/AgentCommandStrings.zh-Hant.xlf
M	tests/Aspire.Cli.Tests/Commands/AgentInitCommandTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/Aspire.Cli/Commands/AgentInitCommand.cs
CONFLICT (content): Merge conflict in src/Aspire.Cli/Commands/AgentInitCommand.cs
Auto-merging src/Aspire.Cli/Resources/AgentCommandStrings.Designer.cs
Auto-merging src/Aspire.Cli/Resources/AgentCommandStrings.resx
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.cs.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.de.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.es.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.fr.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.it.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.ja.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.ko.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.pl.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.pt-BR.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.ru.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.tr.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.zh-Hans.xlf
Auto-merging src/Aspire.Cli/Resources/xlf/AgentCommandStrings.zh-Hant.xlf
Auto-merging tests/Aspire.Cli.Tests/Commands/AgentInitCommandTests.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 Add embedded Aspire skills fallback
Error: The process '/usr/bin/git' failed with exit code 128

Link to workflow output

[JamesNK]

resource strings for localization please

[IEvangelist]

Thank you, good catch: #17547

[github-actions]

❓ CLI E2E Tests unknown — 107 passed, 0 failed, 2 unknown (commit 153ec4d)

View all recordings

Status	Test	Recording
✅	AddPackageInteractiveWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AddPackageWhileAppHostRunningDetached	✅ ▶️ View recording
✅	AgentCommands_AllHelpOutputs_AreCorrect	✅ ▶️ View recording
✅	AgentInitCommand_DefaultSelection_InstallsDefaultSkills	✅ ▶️ View recording
✅	AgentInitCommand_MigratesDeprecatedConfig	✅ ▶️ View recording
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp	✅ ▶️ View recording
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp_DevLocalhost	✅ ▶️ View recording
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp_Isolated	✅ ▶️ View recording
✅	AllPublishMethodsBuildDockerImages	✅ ▶️ View recording
✅	AspireAddAndStartWorkAgainstLegacyAppHostTs	✅ ▶️ View recording
✅	AspireAddPackageVersionToDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireInitSingleFileAppHostRunsViaDotnetRunAppHost	✅ ▶️ View recording
✅	AspireInitWithExistingAppHostDirRecreatesMissingNuGetConfigAndPreservesFiles	✅ ▶️ View recording
❔	AspireInitWithSolutionFileGeneratesAppHostThatBuildsAgainstChannelHive	❔ ▶️ View recording
✅	AspireStartUpdatesStaleTypeScriptAppHostPath	✅ ▶️ View recording
✅	AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps	✅ ▶️ View recording
✅	AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent	✅ ▶️ View recording
✅	Banner_DisplayedOnFirstRun	✅ ▶️ View recording
✅	Banner_DisplayedWithExplicitFlag	✅ ▶️ View recording
✅	Banner_NotDisplayedWithNoLogoFlag	✅ ▶️ View recording
✅	CertificatesClean_RemovesCertificates	✅ ▶️ View recording
✅	CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate	✅ ▶️ View recording
✅	CertificatesTrust_WithUntrustedCert_TrustsCertificate	✅ ▶️ View recording
✅	ConfigSetGet_CreatesNestedJsonFormat	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProject	✅ ▶️ View recording
✅	CreateAndRunAspireStarterProjectWithBundle	✅ ▶️ View recording
✅	CreateAndRunEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJavaEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunJsReactProject	✅ ▶️ View recording
✅	CreateAndRunPythonReactProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptEmptyAppHostProject	✅ ▶️ View recording
✅	CreateAndRunTypeScriptStarterProject	✅ ▶️ View recording
✅	CreateJavaAppHostWithViteApp	✅ ▶️ View recording
✅	CreateTypeScriptAppHostWithViteApp_AllowsGuestAppPackageManagerToDiffer	✅ ▶️ View recording
✅	CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain	✅ ▶️ View recording
✅	DashboardRunWithAgentMcpListTracesReturnsNoTraces	✅ ▶️ View recording
✅	DashboardRunWithAgentMcpListTracesReturnsNoTraces_DevLocalhost	✅ ▶️ View recording
✅	DashboardRunWithOtelTracesReturnsNoTraces	✅ ▶️ View recording
✅	DashboardRunWithOtelTracesReturnsNoTraces_DevLocalhost	✅ ▶️ View recording
✅	DeployK8sBasicApiService	✅ ▶️ View recording
✅	DeployK8sWithExternalHelmChart	✅ ▶️ View recording
✅	DeployK8sWithGarnet	✅ ▶️ View recording
✅	DeployK8sWithMongoDB	✅ ▶️ View recording
✅	DeployK8sWithMySql	✅ ▶️ View recording
✅	DeployK8sWithPostgres	✅ ▶️ View recording
✅	DeployK8sWithRabbitMQ	✅ ▶️ View recording
✅	DeployK8sWithRedis	✅ ▶️ View recording
✅	DeployK8sWithSqlServer	✅ ▶️ View recording
✅	DeployK8sWithValkey	✅ ▶️ View recording
✅	DeployTypeScriptAppToKubernetes	✅ ▶️ View recording
✅	DescribeCommandResolvesReplicaNames	✅ ▶️ View recording
✅	DescribeCommandShowsRunningResources	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJson	✅ ▶️ View recording
✅	DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance	✅ ▶️ View recording
✅	DoPublishAndDeployListStepsWork	✅ ▶️ View recording
✅	DocsCommand_RendersInteractiveMarkdownFromLocalSource	✅ ▶️ View recording
✅	DoctorCommand_DetectsDeprecatedAgentConfig	✅ ▶️ View recording
✅	DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain	✅ ▶️ View recording
✅	DoctorCommand_WithSslCertDir_ShowsTrusted	✅ ▶️ View recording
✅	DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	✅ ▶️ View recording
✅	GatewayWithoutExternalEndpoint_FailsPublishWithGuidance	✅ ▶️ View recording
✅	GeneratedAspireDevScript_StartsWatchMode_WithConfiguredToolchain	✅ ▶️ View recording
✅	GlobalMigration_HandlesCommentsAndTrailingCommas	✅ ▶️ View recording
✅	GlobalMigration_HandlesMalformedLegacyJson	✅ ▶️ View recording
✅	GlobalMigration_PreservesAllValueTypes	✅ ▶️ View recording
✅	GlobalMigration_SkipsWhenNewConfigExists	✅ ▶️ View recording
✅	GlobalSettings_MigratedFromLegacyFormat	✅ ▶️ View recording
✅	IngressWithoutExternalEndpoint_FailsPublishWithGuidance	✅ ▶️ View recording
✅	InitTypeScriptAppHost_AugmentsExistingViteRepoInWorkspaceSubdirectory	✅ ▶️ View recording
✅	InteractiveCSharpInitCreatesExpectedFiles	✅ ▶️ View recording
✅	InvalidAppHostPathWithComments_IsHealedOnRun	✅ ▶️ View recording
✅	JavaScriptHostingApisRunFromTypeScriptAppHost	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelAppHost	✅ ▶️ View recording
✅	LatestCliCanStartStableChannelTypeScriptAppHost	✅ ▶️ View recording
✅	LegacySettingsMigration_AdjustsRelativeAppHostPath	✅ ▶️ View recording
✅	LogsCommandShowsResourceLogs	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterApp	✅ ▶️ View recording
✅	OtelLogsReturnsStructuredLogsFromStarterAppIsolated	✅ ▶️ View recording
✅	PsCommandListsRunningAppHost	✅ ▶️ View recording
✅	PsFormatJsonOutputsOnlyJsonToStdout	✅ ▶️ View recording
✅	PublishJavaScriptPatternsGeneratesExpectedDockerComposeArtifacts	✅ ▶️ View recording
✅	PublishWithConfigureEnvFileUpdatesEnvOutput	✅ ▶️ View recording
✅	PublishWithDockerComposeServiceCallbackSucceeds	✅ ▶️ View recording
✅	PublishWithoutOutputPathUsesAppHostDirectoryDefault	✅ ▶️ View recording
✅	ResourceCommand_FailedExecution_DisplaysAppHostLogPathAndLogContainsEntries	✅ ▶️ View recording
✅	ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles	✅ ▶️ View recording
✅	RestoreGeneratesSdkFiles_WithConfiguredToolchain	✅ ▶️ View recording
✅	RestoreRefreshesGeneratedSdkAfterAddingIntegration	✅ ▶️ View recording
✅	RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes	✅ ▶️ View recording
✅	RunFromParentDirectory_UsesExistingConfigNearAppHost	✅ ▶️ View recording
✅	RunReportsSyntaxErrorsForDotNetAppHost	✅ ▶️ View recording
✅	RunReportsSyntaxErrorsForTypeScriptAppHost	✅ ▶️ View recording
✅	SecretCrudOnDotNetAppHost	✅ ▶️ View recording
✅	SecretCrudOnTypeScriptAppHost	✅ ▶️ View recording
✅	StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels	✅ ▶️ View recording
✅	StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets	✅ ▶️ View recording
✅	StartReportsSyntaxErrorsForDotNetAppHost	✅ ▶️ View recording
✅	StartReportsSyntaxErrorsForTypeScriptAppHost	✅ ▶️ View recording
✅	StopAllAppHostsFromAppHostDirectory	✅ ▶️ View recording
✅	StopJavaPolyglotAppHostUsingApphostDirectory	✅ ▶️ View recording
✅	StopNonInteractiveSingleAppHost	✅ ▶️ View recording
✅	StopTypeScriptPolyglotAppHostUsingApphostDirectory	✅ ▶️ View recording
✅	StopWithNoRunningAppHostExitsSuccessfully	✅ ▶️ View recording
✅	UnAwaitedChainsCompileWithAutoResolvePromises	✅ ▶️ View recording
❔	UpdateProjectChannelToStable_CSharpEmptyAppHost_PreservesAspireConfigChannel	❔ ▶️ View recording
✅	UpdateProjectChannelToStable_CSharpSingleFileInit_PreservesAspireConfigChannel	✅ ▶️ View recording
✅	UpdateProjectChannelToStable_TypeScriptSingleFileInit_PreservesAspireConfigChannel	✅ ▶️ View recording
✅	UpdateProjectChannelToStable_TypeScript_PreviewsStablePackagesAndPreservesChannel	✅ ▶️ View recording

---

_{📹 Recordings uploaded automatically from CI run #26518122569}

[aspire-repo-bot]

Pull request created: #1094

Generated by PR Documentation Check

[aspire-repo-bot]

📝 Documentation has been drafted in microsoft/aspire.dev#1094 targeting release/13.4.

Updated src/frontend/src/content/docs/reference/cli/commands/aspire-agent-init.mdx to document the new best-effort Aspire skills bundle acquisition behavior. Added a "Aspire skills bundle acquisition" subsection explaining the three-level resolution order (validated cache → GitHub release asset → embedded CLI snapshot) and noting that when all sources fail the command warns and skips bundle-backed skills instead of exiting with a non-zero code. The aspire new and aspire init chained flows are also called out as following the same behavior.

Note

This draft PR needs human review before merging.