You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
add: reviewer-in-the-loop promotion flow — DISCOVER and REFRESH now stage into <slug>-context.proposed/ instead of writing the live contextualizer, and three new commands (/skill-engine:review, /skill-engine:apply, /skill-engine:discard) gate promotion behind a recorded REVIEW.md sign-off, so no engine run mutates a published index without explicit approval (plugin/skill-engine/skills/{review,apply,discard,discover,refresh}/SKILL.md, plugin/skill-engine/engine-bootstrap-templates/REVIEW.md.template).
add: coverage-testing instruments wired into SELF-AUDIT — Check 7 (paragraph→permalink density, a free bash-local lint) and Check 8 (grounded-citation rate, an opt-in Anthropic-API runner), both defaulting to a ≥80% threshold, so contextualizer grounding is measured rather than assumed (plugin/skill-engine/docs/13-coverage-testing.md, plugin/skill-engine/tests/{permalink_density.py,grounded_rate.py}, plugin/skill-engine/skills/self-audit/SKILL.md).
add: security-scan CI and hooks audit — a new security.yml workflow runs bandit + semgrep + shellcheck (gating on HIGH/CRITICAL, SARIF to the Security tab), and make hooks-audit plus its mirror workflow assert the bundled .claude/settings.json ships zero hooks and the manifest declares only the single SessionStart bootstrap hook (.github/workflows/{security,hooks-audit}.yml, Makefile, .semgrep/, plugin/skill-engine/tests/hooks-audit.sh).
add: guardrails-contract chapter in SECURITY.md spelling out the engine's safety model — what it checks, what it does not promise, and the one hook it ships — plus a sandbox-block detection check that fails fast when the engine cannot honor a requested mode (SECURITY.md).
change: reference files now carry NO YAML frontmatter — verify.sh inverts its frontmatter check so name:/description: are scoped to the navigator SKILL.md only (matching Anthropic's canonical Agent Skills practice); a reference whose first non-blank line is --- now fails (plugin/skill-engine/engine-bootstrap-templates/verify.sh, plugin/skill-engine/docs/02-artifact-contract.md).
change: README rewritten around a load-bearing-capability lede with a worked Safety Model section (mermaid diagram), and the Flask placeholder replaced by three real bundled examples — modelcontextprotocol-python-sdk-context, langchain-context, and the multi-source inspect-ai-context (README.md, examples/).
change: CI lint gains permalink-density and grounded-rate test jobs, and a git.readonly doctrine lint asserts the engine never runs mutating git on the user's behalf (.github/workflows/lint.yml, plugin/skill-engine/tests/{permalink-density,grounded-rate}/run.sh, plugin/skill-engine/tests/doctrine.sh).
add: config-set command for engine configuration and a dependabot config for GitHub Actions version tracking (plugin/skill-engine/skills/config-set/SKILL.md, .github/dependabot.yml).
remove: the fictional persona gallery (docs/personas/) retired in favor of evidence-shaped docs/case-studies/ (the legacy-rescue story plus a truth-contract and submission issue template) and docs/usage-modes.md orientation prose — the project speaks through real examples, not invented people (docs/case-studies/, docs/usage-modes.md, .github/ISSUE_TEMPLATE/case-study.md).
