From 001127b7275293a2b008805697acfa3f69bfaa36 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 19 Feb 2026 08:54:33 -0800 Subject: [PATCH 01/26] feat(skills): Implement Skills Integration --- commands/conductor/review.toml | 6 + commands/conductor/setup.toml | 31 +++- docs/skills-design.md | 268 +++++++++++++++++++++++++++++++++ skills/catalog.md | 123 +++++++++++++++ 4 files changed, 426 insertions(+), 2 deletions(-) create mode 100644 docs/skills-design.md create mode 100644 skills/catalog.md diff --git a/commands/conductor/review.toml b/commands/conductor/review.toml index c12aab6..b1ed2d9 100644 --- a/commands/conductor/review.toml +++ b/commands/conductor/review.toml @@ -50,6 +50,10 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Read `product-guidelines.md` and `tech-stack.md`. - **CRITICAL:** Check for the existence of `conductor/code_styleguides/` directory. - If it exists, list and read ALL `.md` files within it. These are the **Law**. Violations here are **High** severity. + - **Check for Installed Skills:** + - Check for the existence of `.agents/commands/`. + - If it exists, list the subdirectories to identify installed skills. + - If relevant skills (e.g., `gcp-*`) are found, enable specialized feedback for those domains. 2. **Load Track Context (if reviewing a track):** - Read the track's `plan.md`. - **Extract Commits:** Parse `plan.md` to find recorded git commit hashes (usually in the "Completed" tasks or "History" section). 
@@ -83,6 +87,8 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Are there new tests? - Do the changes look like they are covered by existing tests? - *Action:* **Execute the test suite automatically.** Infer the test command based on the codebase languages and structure (e.g., `npm test`, `pytest`, `go test`). Run it. Analyze the output for failures. +5. **Skill-Specific Checks:** + - If specific skills are installed (e.g. GCP), verify compliance with their best practices. ### 2.4 Output Findings **Format your output strictly as follows:** diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 8ef2c10..4be24dc 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml 
@@ -37,7 +37,8 @@ CRITICAL: When determining model complexity, ALWAYS select the "flash" model, re - If `STEP` is "2.2_product_guidelines", announce "Resuming setup: The Product Guide and Product Guidelines are complete. Next, we will define the Technology Stack." and proceed to **Section 2.3**. - If `STEP` is "2.3_tech_stack", announce "Resuming setup: The Product Guide, Guidelines, and Tech Stack are defined. Next, we will select Code Styleguides." and proceed to **Section 2.4**. - If `STEP` is "2.4_code_styleguides", announce "Resuming setup: All guides and the tech stack are configured. Next, we will define the project workflow." and proceed to **Section 2.5**. - - If `STEP` is "2.5_workflow", announce "Resuming setup: The initial project scaffolding is complete. Next, we will generate the first track." and proceed to **Phase 2 (3.0)**. + - If `STEP` is "2.5_workflow", announce "Resuming setup: The workflow is configured. Next, we will select Agent Skills." and proceed to **Section 2.6**. + - If `STEP` is "2.6_skills", announce "Resuming setup: Skills are installed. Next, we will finalize the setup." and proceed to **Section 2.7**. - If `STEP` is "3.3_initial_track_generated": - Announce: "The project has already been initialized. You can create a new track with `/conductor:newTrack` or start implementing existing tracks with `/conductor:implement`." - Halt the `setup` process. 
@@ -319,7 +320,33 @@ CRITICAL: When determining model complexity, ALWAYS select the "flash" model, re - **Commit State:** After the `workflow.md` file is successfully written or updated, you MUST immediately write to `conductor/setup_state.json` with the exact content: `{"last_successful_step": "2.5_workflow"}` -### 2.6 Finalization +### 2.6 Select Skills (Interactive) +1. **Analyze and Recommend:** + - Read `skills/catalog.md`. + - Detect applicable skills based on `detectSignals` matched against project files and `conductor/tech-stack.md`. + - Identify "Always Recommended" skills. +2. **Present Selection:** + - Present the list of recommended skills to the user, grouped by category (e.g., "Always Recommended", "GCP", etc.). + - Display the Skill Name and Description. +3. **Ask for Selection:** + - Ask the user: "How would you like to proceed?" + A) Install all recommended skills + B) Select specific skills (enter numbers separated by commas) + C) Skip skills installation +4. **Process Selection:** + - If (A): Install all recommended skills. + - If (B): Parse input and install selected skills. + - If (C): Proceed without installation. +5. **Installation Action:** + - For each selected skill: + - Create directory `.agents/commands//`. + - Download `SKILL.md` from the `url` specified in `catalog.md` to `.agents/commands//SKILL.md`. + - **CRITICAL:** Use `curl -fsSL -o .agents/commands//SKILL.md`. +6. **Commit State:** Upon successful completion, write to `conductor/setup_state.json`: + `{"last_successful_step": "2.6_skills"}` +7. **Continue:** Immediately proceed to the next section. + +### 2.7 Finalization 1. **Generate Index File:** - Create `conductor/index.md` with the following content: ```markdown diff --git a/docs/skills-design.md b/docs/skills-design.md new file mode 100644 index 0000000..8fc77e7 --- /dev/null +++ b/docs/skills-design.md 
@@ -0,0 +1,268 @@ +# Skills Integration Design + +## Overview + +This document describes the design for integrating *Agent Skills** into the Conductor framework. Skills - introduced by [Claude](https://code.claude.com/docs/en/skills) - are folders containing a `SKILL.md` file, installed to `conductor/skill-set//` in the project root. They can be invoked as custom slash commands (e.g., `/gcp-deploy`) during development or used by the model to complete tasks. + +Conductor maintains an opinionated **catalog** (`conductor/skill-set/catalog.md`) — a curated list of recommended Skills with their external download URLs. The actual Skill implementations are developed and hosted by 3rd parties (each in their own repository). During `/conductor:setup` and `/conductor:newTrack`, Conductor reads the catalog, recommends the relevant Skills based on the detected or required tech stack, and downloads the selected ones on demand. + +--- + +## Motivation + +Before this feature, teams using Conductor had to manually find and install Claude Code Skills for common tasks. With Skills integration: + +- Teams get a curated set of AI-powered expert helpers on day one of setup. +- Skills are tailored to the detected or required stack (GCP skills are only offered for GCP projects). +- The catalog is extensible — new categories can be added without changing the setup command logic. + +--- + +conductor/skill-set/ +└── catalog.md # Curated list of skills defined in YAML frontmatter + +### catalog.md + +The catalog is defined in `catalog.md` using YAML frontmatter. 
The `skills` list contains entries for each skill: + +| Field | Type | Description | +|-------|------|-------------| +| `name` | string | The name of the skill | +| `description` | string | One-line description shown to the user during selection | +| `url` | string | Raw GitHub URL to download `SKILL.md` | +| `alwaysRecommend` | boolean | (Optional) If `true`, recommended regardless of detected stack | +| `detectSignals` | object | (Optional) Signals that trigger recommendation for conditional skills | + +`detectSignals` sub-keys (all optional): +- `files` — filenames whose presence in the project root triggers the skill +- `dependencies` — substring match against `package.json`, `requirements.txt`, or `go.mod` +- `keywords` — strings to search for in `conductor/tech-stack.md` + +### Installation Path +Skills can be discovered from three tiers: + +- **Global Tier**: `~/.agents/commands/` — Available across all projects for the current user. +- **Workspace Tier**: `.agents/commands/` at the repository root — Available to everyone working in the repository. +- **Project Tier**: `.agents/commands/` within a specific subdirectory — Scoped to a specific sub-project or package. + +Conductor installs Skills at the **Workspace Tier** (`.agents/commands//SKILL.md`) to ensure they are committed to version control and shared across the entire team. + +--- + +## Installation + +Skills installation is **Phase 2.6** of `/conductor:setup`, inserted between Phase 2.5 (Workflow selection) and Phase 2.7 (Finalization/Index generation). It is also integrated into `/conductor:newTrack` if Skills are deemed helpful for that specific track. 
+ +For each selected skill, the setup command executes: + +mkdir -p .agents/commands/ +curl -fsSL "https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills//SKILL.md" \ + -o ".agents/commands//SKILL.md" + +### Detection Logic - GCP Example + +The setup command detects GCP usage by checking for any of the following signals: + +**File signals** (file presence in project root): +Example: `app.yaml`, `cloudbuild.yaml`, `.gcloudignore`, `Dockerfile` containing `gcr.io` + +**Dependency signals** (substring match): +Example: `package.json` dependencies: `@google-cloud/`, `requirements.txt` entries: `google-cloud-`, `go.mod` entries: `cloud.google.com/go` + +**Keyword signals** (in `conductor/tech-stack.md`): +Example: `Cloud Run`, `GKE`, `App Engine`, `Firestore`, `BigQuery`, `Pub/Sub`, `Google Cloud`, `GCP` + +If any GCP signal is found, the GCP skills category is offered to the user. + +### User Interaction + +``` +I will now help you select Agent Skills to install for this project. +Skills are Claude Code slash commands installed to .claude/commands/. + +[Always Recommended] + 1. commit - Generate a conventional commit message from staged changes + 2. pr-description - Write a PR title and description from branch diff + 3. code-review - Structured code review with severity levels + 4. changelog - Generate a CHANGELOG entry from recent commits + 5. write-tests - Generate unit/integration tests for a file or function + 6. fix-failing-tests - Diagnose and fix failing tests + 7. document - Add docstrings or JSDoc to selected code + 8. readme-update - Update README to reflect recent changes + 9. security-review - OWASP-focused security review +10. dependency-audit - Identify outdated or vulnerable dependencies + +[GCP (detected: cloudbuild.yaml, @google-cloud/* dependency)] +11. gcp-deploy - Deploy to Cloud Run, GKE, or App Engine +12. gcp-cloudbuild - Generate or update Cloud Build pipelines +13. 
gcp-terraform - Generate GCP Terraform resource configs +14. gcp-iam - Review and generate IAM policies (least-privilege) +15. gcp-monitoring - Set up Cloud Monitoring alerts and dashboards +16. gcp-pubsub - Design Pub/Sub schemas and generate client code +17. gcp-firestore - Design Firestore schemas and optimize queries +18. gcp-bigquery - Generate and optimize BigQuery schemas and SQL +19. gcp-secret-manager - Migrate secrets to Secret Manager + +How would you like to proceed? +A) Install all recommended skills +B) Select specific skills (enter numbers separated by commas) +C) Skip skills installation +``` + +### Resume Support + +The `setup_state.json` resume chain includes the Skills phase: + +| `last_successful_step` | Resume at | +|------------------------|-----------| +| `2.5_workflow` | Section 2.6 (Skills) | +| `2.6_skills` | Phase 3.0 (Track generation) | + +--- + +## Review Integration + +The code review process should be aware of the capabilities available through installed skills. + +### `commands/conductor/review.toml` + +The review configuration will be updated to check for relevant installed skills (e.g., GCP-related skills) during the code review process. + +- **Detection**: Check `.agents/commands/` for the presence of known skills. +- **Contextual Feedback**: If a relevant skill is found (e.g., `gcp-deploy`), the review agent can provide more specific feedback for deployment-related changes. 
+ +--- + +## Example of Available Skills Reference + +### Workflow + +| Skill | Command | Description | +|-------|---------|-------------| +| Generate Commit Message | `/commit` | Reads `git diff --staged`, generates a conventional commit message following the project's commit strategy from `conductor/workflow.md` | +| PR Description | `/pr-description` | Reads branch diff vs main, writes a PR title and body | +| Code Review | `/code-review` | Structured review with Critical/High/Medium/Low findings, checks against `conductor/code_styleguides/` | +| Changelog | `/changelog` | Generates a CHANGELOG entry from `git log` since last tag | + +### Testing + +| Skill | Command | Description | +|-------|---------|-------------| +| Write Tests | `/write-tests` | Generates unit and integration tests following the project's test framework from `conductor/tech-stack.md` | +| Fix Failing Tests | `/fix-failing-tests` | Takes failing test output, diagnoses root cause, proposes fix | + +### Documentation + +| Skill | Command | Description | +|-------|---------|-------------| +| Document | `/document` | Adds docstrings, JSDoc, or type hints to specified code | +| README Update | `/readme-update` | Updates README sections based on recent code changes | + +### Security & Quality + +| Skill | Command | Description | +|-------|---------|-------------| +| Security Review | `/security-review` | OWASP Top 10 focused review, checks for secrets in diff | +| Dependency Audit | `/dependency-audit` | Identifies outdated, deprecated, or CVE-flagged dependencies | + +### GCP + +| Skill | Command | Description | +|-------|---------|-------------| +| GCP Deploy | `/gcp-deploy` | Step-by-step deploy to Cloud Run, GKE, or App Engine | +| Cloud Build | `/gcp-cloudbuild` | Generate or update `cloudbuild.yaml` for CI/CD pipelines | +| GCP Terraform | `/gcp-terraform` | Generate Terraform configs for GCP resources (VPC, Cloud Run, GKE, IAM) | +| GCP IAM | `/gcp-iam` | Review bindings and generate 
least-privilege IAM policies | +| GCP Monitoring | `/gcp-monitoring` | Generate alert policies, dashboards, and SLO configs | +| Pub/Sub | `/gcp-pubsub` | Design Pub/Sub message schemas and generate publisher/subscriber code | +| Firestore | `/gcp-firestore` | Design Firestore collections, indexes, and optimize queries | +| BigQuery | `/gcp-bigquery` | Generate schemas, partition/clustering strategies, and optimized SQL | +| Secret Manager | `/gcp-secret-manager` | Migrate env vars to Secret Manager and generate typed access code | + +--- + + + +## Extending the Catalog + +To add a new skill to the catalog: + +1. Publish the Skill in an external repository with a `SKILL.md` at the root (or a known path). +2. Add an entry to the `skills` list in `skills/catalog.md` (via YAML frontmatter) with the public raw `url`, `detectSignals` for conditional skills, or `"alwaysRecommend": true` for universal ones. +3. If introducing a new category with custom detection logic, update Phase 2.6 in `commands/conductor/setup.toml`. + +The Skill implementation itself lives entirely outside this repository. + +Categories planned for future releases: `aws`, `azure`, `mobile` (iOS/Android), `data-science`. + +--- + +## File Changes Summary + +| File | Change | +|------|--------| +| `docs/skills-design.md` | New — this document | +| `skills/catalog.md` | New — curated skill list defined in YAML frontmatter | +| `commands/conductor/setup.toml` | Modified — Phase 2.6 added, resume chain updated | +| `commands/conductor/review.toml` | Modified — Checks for relevant installed Skills (e.g., GCP) | + + +The actual `SKILL.md` implementations are **not** in this repository. They are hosted externally (see the `url` field in each catalog entry). + + +--- + +## Appendix: Authoring Skills + +For complete details, see [Creating Agent Skills](https://geminicli.com/docs/cli/creating-skills/). 
+ +### Getting Started: `skill-creator` + +The recommended way to create a new skill is to use the built-in skill `skill-creator`: + +```bash +skill-creator +``` + +Provide a prompt like "create a new skill called 'code-reviewer'". This will generate: +1. A new directory (e.g., `code-reviewer/`) +2. `SKILL.md` with required metadata +3. Resource directories: `scripts/`, `references/`, `assets/` + +### Manual Creation + +To create a skill manually: +1. Create a directory for your skill. +2. Create a `SKILL.md` file inside it. + +#### Folder Structure + +While `SKILL.md` is the only requirement, the recommended structure is: + +``` +my-skill/ +├── SKILL.md # (Required) Instructions and metadata +├── scripts/ # (Optional) Executable scripts +├── references/ # (Optional) Static documentation +└── assets/ # (Optional) Templates and other resources +``` + +#### SKILL.md Format + +The file uses YAML frontmatter for metadata and Markdown for instructions. + +```markdown +--- +name: my-skill-name +description: A description of what the skill does and when the agent should use it. +--- +# My Skill Name + +This skill guides the agent in completing specific tasks. + +## Workflow +1. Step one... +2. Step two... +``` + + diff --git a/skills/catalog.md b/skills/catalog.md new file mode 100644 index 0000000..c93c9cb --- /dev/null +++ b/skills/catalog.md 
@@ -0,0 +1,123 @@ +--- +skills: + # Always Recommended + - name: commit + description: Generate a conventional commit message from staged changes + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/commit/SKILL.md + alwaysRecommend: true + - name: pr-description + description: Write a PR title and description from branch diff + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/pr-description/SKILL.md + alwaysRecommend: true + - name: code-review + description: Structured code review with severity levels + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/code-review/SKILL.md + alwaysRecommend: true + - name: changelog + description: Generate a CHANGELOG entry from recent commits + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/changelog/SKILL.md + alwaysRecommend: true + - name: write-tests + description: Generate unit/integration tests for a file or function + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/write-tests/SKILL.md + alwaysRecommend: true + - name: fix-failing-tests + description: Diagnose and fix failing tests + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/fix-failing-tests/SKILL.md + alwaysRecommend: true + - name: document + description: Add docstrings or JSDoc to selected code + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/document/SKILL.md + alwaysRecommend: true + - name: readme-update + description: Update README to reflect recent changes + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/readme-update/SKILL.md + alwaysRecommend: true + - name: security-review + description: OWASP-focused security review + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/security-review/SKILL.md + alwaysRecommend: true + - name: dependency-audit + 
description: Identify outdated or vulnerable dependencies + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/dependency-audit/SKILL.md + alwaysRecommend: true + + # GCP Skills + - name: gcp-deploy + description: Deploy to Cloud Run, GKE, or App Engine + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-deploy/SKILL.md + detectSignals: + files: + - app.yaml + - cloudbuild.yaml + - Dockerfile + dependencies: + - "@google-cloud/" + - "google-cloud-" + keywords: + - "GCP" + - "Google Cloud" + - "Cloud Run" + - "App Engine" + - name: gcp-cloudbuild + description: Generate or update Cloud Build pipelines + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-cloudbuild/SKILL.md + detectSignals: + files: + - cloudbuild.yaml + keywords: + - "Cloud Build" + - "CI/CD" + - name: gcp-terraform + description: Generate GCP Terraform resource configs + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-terraform/SKILL.md + detectSignals: + files: + - "*.tf" + keywords: + - "Terraform" + - "IaC" + - name: gcp-iam + description: Review and generate IAM policies (least-privilege) + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-iam/SKILL.md + detectSignals: + keywords: + - "IAM" + - "Permissions" + - name: gcp-monitoring + description: Set up Cloud Monitoring alerts and dashboards + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-monitoring/SKILL.md + detectSignals: + keywords: + - "Monitoring" + - "Alerts" + - "Observability" + - name: gcp-pubsub + description: Design Pub/Sub schemas and generate client code + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-pubsub/SKILL.md + detectSignals: + keywords: + - "Pub/Sub" + - "Messaging" + - name: gcp-firestore + description: Design Firestore schemas and optimize queries + url: 
https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-firestore/SKILL.md + detectSignals: + keywords: + - "Firestore" + - "NoSQL" + - name: gcp-bigquery + description: Generate and optimize BigQuery schemas and SQL + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-bigquery/SKILL.md + detectSignals: + keywords: + - "BigQuery" + - "Data Warehouse" + - name: gcp-secret-manager + description: Migrate secrets to Secret Manager + url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-secret-manager/SKILL.md + detectSignals: + keywords: + - "Secret Manager" + - "Secrets" +--- From efe5f7462193ed2e76b430ccd6fa42bb49215c59 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 19 Feb 2026 09:40:54 -0800 Subject: [PATCH 02/26] chore: Remove design doc from PR --- docs/skills-design.md | 268 ------------------------------------------ 1 file changed, 268 deletions(-) delete mode 100644 docs/skills-design.md diff --git a/docs/skills-design.md b/docs/skills-design.md deleted file mode 100644 index 8fc77e7..0000000 --- a/docs/skills-design.md +++ /dev/null 
@@ -1,268 +0,0 @@ -# Skills Integration Design - -## Overview - -This document describes the design for integrating *Agent Skills** into the Conductor framework. Skills - introduced by [Claude](https://code.claude.com/docs/en/skills) - are folders containing a `SKILL.md` file, installed to `conductor/skill-set//` in the project root. They can be invoked as custom slash commands (e.g., `/gcp-deploy`) during development or used by the model to complete tasks. - -Conductor maintains an opinionated **catalog** (`conductor/skill-set/catalog.md`) — a curated list of recommended Skills with their external download URLs. The actual Skill implementations are developed and hosted by 3rd parties (each in their own repository). During `/conductor:setup` and `/conductor:newTrack`, Conductor reads the catalog, recommends the relevant Skills based on the detected or required tech stack, and downloads the selected ones on demand. - ---- - -## Motivation - -Before this feature, teams using Conductor had to manually find and install Claude Code Skills for common tasks. With Skills integration: - -- Teams get a curated set of AI-powered expert helpers on day one of setup. -- Skills are tailored to the detected or required stack (GCP skills are only offered for GCP projects). -- The catalog is extensible — new categories can be added without changing the setup command logic. - ---- - -conductor/skill-set/ -└── catalog.md # Curated list of skills defined in YAML frontmatter - -### catalog.md - -The catalog is defined in `catalog.md` using YAML frontmatter. 
The `skills` list contains entries for each skill: - -| Field | Type | Description | -|-------|------|-------------| -| `name` | string | The name of the skill | -| `description` | string | One-line description shown to the user during selection | -| `url` | string | Raw GitHub URL to download `SKILL.md` | -| `alwaysRecommend` | boolean | (Optional) If `true`, recommended regardless of detected stack | -| `detectSignals` | object | (Optional) Signals that trigger recommendation for conditional skills | - -`detectSignals` sub-keys (all optional): -- `files` — filenames whose presence in the project root triggers the skill -- `dependencies` — substring match against `package.json`, `requirements.txt`, or `go.mod` -- `keywords` — strings to search for in `conductor/tech-stack.md` - -### Installation Path -Skills can be discovered from three tiers: - -- **Global Tier**: `~/.agents/commands/` — Available across all projects for the current user. -- **Workspace Tier**: `.agents/commands/` at the repository root — Available to everyone working in the repository. -- **Project Tier**: `.agents/commands/` within a specific subdirectory — Scoped to a specific sub-project or package. - -Conductor installs Skills at the **Workspace Tier** (`.agents/commands//SKILL.md`) to ensure they are committed to version control and shared across the entire team. - ---- - -## Installation - -Skills installation is **Phase 2.6** of `/conductor:setup`, inserted between Phase 2.5 (Workflow selection) and Phase 2.7 (Finalization/Index generation). It is also integrated into `/conductor:newTrack` if Skills are deemed helpful for that specific track. 
- -For each selected skill, the setup command executes: - -mkdir -p .agents/commands/ -curl -fsSL "https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills//SKILL.md" \ - -o ".agents/commands//SKILL.md" - -### Detection Logic - GCP Example - -The setup command detects GCP usage by checking for any of the following signals: - -**File signals** (file presence in project root): -Example: `app.yaml`, `cloudbuild.yaml`, `.gcloudignore`, `Dockerfile` containing `gcr.io` - -**Dependency signals** (substring match): -Example: `package.json` dependencies: `@google-cloud/`, `requirements.txt` entries: `google-cloud-`, `go.mod` entries: `cloud.google.com/go` - -**Keyword signals** (in `conductor/tech-stack.md`): -Example: `Cloud Run`, `GKE`, `App Engine`, `Firestore`, `BigQuery`, `Pub/Sub`, `Google Cloud`, `GCP` - -If any GCP signal is found, the GCP skills category is offered to the user. - -### User Interaction - -``` -I will now help you select Agent Skills to install for this project. -Skills are Claude Code slash commands installed to .claude/commands/. - -[Always Recommended] - 1. commit - Generate a conventional commit message from staged changes - 2. pr-description - Write a PR title and description from branch diff - 3. code-review - Structured code review with severity levels - 4. changelog - Generate a CHANGELOG entry from recent commits - 5. write-tests - Generate unit/integration tests for a file or function - 6. fix-failing-tests - Diagnose and fix failing tests - 7. document - Add docstrings or JSDoc to selected code - 8. readme-update - Update README to reflect recent changes - 9. security-review - OWASP-focused security review -10. dependency-audit - Identify outdated or vulnerable dependencies - -[GCP (detected: cloudbuild.yaml, @google-cloud/* dependency)] -11. gcp-deploy - Deploy to Cloud Run, GKE, or App Engine -12. gcp-cloudbuild - Generate or update Cloud Build pipelines -13. 
gcp-terraform - Generate GCP Terraform resource configs -14. gcp-iam - Review and generate IAM policies (least-privilege) -15. gcp-monitoring - Set up Cloud Monitoring alerts and dashboards -16. gcp-pubsub - Design Pub/Sub schemas and generate client code -17. gcp-firestore - Design Firestore schemas and optimize queries -18. gcp-bigquery - Generate and optimize BigQuery schemas and SQL -19. gcp-secret-manager - Migrate secrets to Secret Manager - -How would you like to proceed? -A) Install all recommended skills -B) Select specific skills (enter numbers separated by commas) -C) Skip skills installation -``` - -### Resume Support - -The `setup_state.json` resume chain includes the Skills phase: - -| `last_successful_step` | Resume at | -|------------------------|-----------| -| `2.5_workflow` | Section 2.6 (Skills) | -| `2.6_skills` | Phase 3.0 (Track generation) | - ---- - -## Review Integration - -The code review process should be aware of the capabilities available through installed skills. - -### `commands/conductor/review.toml` - -The review configuration will be updated to check for relevant installed skills (e.g., GCP-related skills) during the code review process. - -- **Detection**: Check `.agents/commands/` for the presence of known skills. -- **Contextual Feedback**: If a relevant skill is found (e.g., `gcp-deploy`), the review agent can provide more specific feedback for deployment-related changes. 
- ---- - -## Example of Available Skills Reference - -### Workflow - -| Skill | Command | Description | -|-------|---------|-------------| -| Generate Commit Message | `/commit` | Reads `git diff --staged`, generates a conventional commit message following the project's commit strategy from `conductor/workflow.md` | -| PR Description | `/pr-description` | Reads branch diff vs main, writes a PR title and body | -| Code Review | `/code-review` | Structured review with Critical/High/Medium/Low findings, checks against `conductor/code_styleguides/` | -| Changelog | `/changelog` | Generates a CHANGELOG entry from `git log` since last tag | - -### Testing - -| Skill | Command | Description | -|-------|---------|-------------| -| Write Tests | `/write-tests` | Generates unit and integration tests following the project's test framework from `conductor/tech-stack.md` | -| Fix Failing Tests | `/fix-failing-tests` | Takes failing test output, diagnoses root cause, proposes fix | - -### Documentation - -| Skill | Command | Description | -|-------|---------|-------------| -| Document | `/document` | Adds docstrings, JSDoc, or type hints to specified code | -| README Update | `/readme-update` | Updates README sections based on recent code changes | - -### Security & Quality - -| Skill | Command | Description | -|-------|---------|-------------| -| Security Review | `/security-review` | OWASP Top 10 focused review, checks for secrets in diff | -| Dependency Audit | `/dependency-audit` | Identifies outdated, deprecated, or CVE-flagged dependencies | - -### GCP - -| Skill | Command | Description | -|-------|---------|-------------| -| GCP Deploy | `/gcp-deploy` | Step-by-step deploy to Cloud Run, GKE, or App Engine | -| Cloud Build | `/gcp-cloudbuild` | Generate or update `cloudbuild.yaml` for CI/CD pipelines | -| GCP Terraform | `/gcp-terraform` | Generate Terraform configs for GCP resources (VPC, Cloud Run, GKE, IAM) | -| GCP IAM | `/gcp-iam` | Review bindings and generate 
least-privilege IAM policies | -| GCP Monitoring | `/gcp-monitoring` | Generate alert policies, dashboards, and SLO configs | -| Pub/Sub | `/gcp-pubsub` | Design Pub/Sub message schemas and generate publisher/subscriber code | -| Firestore | `/gcp-firestore` | Design Firestore collections, indexes, and optimize queries | -| BigQuery | `/gcp-bigquery` | Generate schemas, partition/clustering strategies, and optimized SQL | -| Secret Manager | `/gcp-secret-manager` | Migrate env vars to Secret Manager and generate typed access code | - ---- - - - -## Extending the Catalog - -To add a new skill to the catalog: - -1. Publish the Skill in an external repository with a `SKILL.md` at the root (or a known path). -2. Add an entry to the `skills` list in `skills/catalog.md` (via YAML frontmatter) with the public raw `url`, `detectSignals` for conditional skills, or `"alwaysRecommend": true` for universal ones. -3. If introducing a new category with custom detection logic, update Phase 2.6 in `commands/conductor/setup.toml`. - -The Skill implementation itself lives entirely outside this repository. - -Categories planned for future releases: `aws`, `azure`, `mobile` (iOS/Android), `data-science`. - ---- - -## File Changes Summary - -| File | Change | -|------|--------| -| `docs/skills-design.md` | New — this document | -| `skills/catalog.md` | New — curated skill list defined in YAML frontmatter | -| `commands/conductor/setup.toml` | Modified — Phase 2.6 added, resume chain updated | -| `commands/conductor/review.toml` | Modified — Checks for relevant installed Skills (e.g., GCP) | - - -The actual `SKILL.md` implementations are **not** in this repository. They are hosted externally (see the `url` field in each catalog entry). - - ---- - -## Appendix: Authoring Skills - -For complete details, see [Creating Agent Skills](https://geminicli.com/docs/cli/creating-skills/). 
- -### Getting Started: `skill-creator` - -The recommended way to create a new skill is to use the built-in skill `skill-creator`: - -```bash -skill-creator -``` - -Provide a prompt like "create a new skill called 'code-reviewer'". This will generate: -1. A new directory (e.g., `code-reviewer/`) -2. `SKILL.md` with required metadata -3. Resource directories: `scripts/`, `references/`, `assets/` - -### Manual Creation - -To create a skill manually: -1. Create a directory for your skill. -2. Create a `SKILL.md` file inside it. - -#### Folder Structure - -While `SKILL.md` is the only requirement, the recommended structure is: - -``` -my-skill/ -├── SKILL.md # (Required) Instructions and metadata -├── scripts/ # (Optional) Executable scripts -├── references/ # (Optional) Static documentation -└── assets/ # (Optional) Templates and other resources -``` - -#### SKILL.md Format - -The file uses YAML frontmatter for metadata and Markdown for instructions. - -```markdown ---- -name: my-skill-name -description: A description of what the skill does and when the agent should use it. ---- -# My Skill Name - -This skill guides the agent in completing specific tasks. - -## Workflow -1. Step one... -2. Step two... -``` - - From b3db0fdb26d887259cae6d0b9da9a6804a4f1951 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 19 Feb 2026 09:44:41 -0800 Subject: [PATCH 03/26] refactor(skills): Convert catalog to Markdown body --- skills/catalog.md | 240 +++++++++++++++++++++++----------------------- 1 file changed, 118 insertions(+), 122 deletions(-) diff --git a/skills/catalog.md b/skills/catalog.md index c93c9cb..7370b05 100644 --- a/skills/catalog.md +++ b/skills/catalog.md 
@@ -1,123 +1,119 @@ +# Agent Skills Catalog + +This catalog defines the curriculum of skills available to the Conductor agent. + +## Universal Skills +These skills are always recommended for every project. + +### commit +- **Description**: Generate a conventional commit message from staged changes +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/commit/SKILL.md +- **Always Recommend**: `true` + +### pr-description +- **Description**: Write a PR title and description from branch diff +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/pr-description/SKILL.md +- **Always Recommend**: `true` + +### code-review +- **Description**: Structured code review with severity levels +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/code-review/SKILL.md +- **Always Recommend**: `true` + +### changelog +- **Description**: Generate a CHANGELOG entry from recent commits +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/changelog/SKILL.md +- **Always Recommend**: `true` + +### write-tests +- **Description**: Generate unit/integration tests for a file or function +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/write-tests/SKILL.md +- **Always Recommend**: `true` + +### fix-failing-tests +- **Description**: Diagnose and fix failing tests +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/fix-failing-tests/SKILL.md +- **Always Recommend**: `true` + +### document +- **Description**: Add docstrings or JSDoc to selected code +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/document/SKILL.md +- **Always Recommend**: `true` + +### readme-update +- **Description**: Update README to reflect recent changes +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/readme-update/SKILL.md 
+- **Always Recommend**: `true` + +### security-review +- **Description**: OWASP-focused security review +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/security-review/SKILL.md +- **Always Recommend**: `true` + +### dependency-audit +- **Description**: Identify outdated or vulnerable dependencies +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/dependency-audit/SKILL.md +- **Always Recommend**: `true` + --- -skills: - # Always Recommended - - name: commit - description: Generate a conventional commit message from staged changes - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/commit/SKILL.md - alwaysRecommend: true - - name: pr-description - description: Write a PR title and description from branch diff - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/pr-description/SKILL.md - alwaysRecommend: true - - name: code-review - description: Structured code review with severity levels - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/code-review/SKILL.md - alwaysRecommend: true - - name: changelog - description: Generate a CHANGELOG entry from recent commits - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/changelog/SKILL.md - alwaysRecommend: true - - name: write-tests - description: Generate unit/integration tests for a file or function - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/write-tests/SKILL.md - alwaysRecommend: true - - name: fix-failing-tests - description: Diagnose and fix failing tests - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/fix-failing-tests/SKILL.md - alwaysRecommend: true - - name: document - description: Add docstrings or JSDoc to selected code - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/document/SKILL.md - 
alwaysRecommend: true - - name: readme-update - description: Update README to reflect recent changes - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/readme-update/SKILL.md - alwaysRecommend: true - - name: security-review - description: OWASP-focused security review - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/security-review/SKILL.md - alwaysRecommend: true - - name: dependency-audit - description: Identify outdated or vulnerable dependencies - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/dependency-audit/SKILL.md - alwaysRecommend: true - - # GCP Skills - - name: gcp-deploy - description: Deploy to Cloud Run, GKE, or App Engine - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-deploy/SKILL.md - detectSignals: - files: - - app.yaml - - cloudbuild.yaml - - Dockerfile - dependencies: - - "@google-cloud/" - - "google-cloud-" - keywords: - - "GCP" - - "Google Cloud" - - "Cloud Run" - - "App Engine" - - name: gcp-cloudbuild - description: Generate or update Cloud Build pipelines - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-cloudbuild/SKILL.md - detectSignals: - files: - - cloudbuild.yaml - keywords: - - "Cloud Build" - - "CI/CD" - - name: gcp-terraform - description: Generate GCP Terraform resource configs - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-terraform/SKILL.md - detectSignals: - files: - - "*.tf" - keywords: - - "Terraform" - - "IaC" - - name: gcp-iam - description: Review and generate IAM policies (least-privilege) - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-iam/SKILL.md - detectSignals: - keywords: - - "IAM" - - "Permissions" - - name: gcp-monitoring - description: Set up Cloud Monitoring alerts and dashboards - url: 
https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-monitoring/SKILL.md - detectSignals: - keywords: - - "Monitoring" - - "Alerts" - - "Observability" - - name: gcp-pubsub - description: Design Pub/Sub schemas and generate client code - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-pubsub/SKILL.md - detectSignals: - keywords: - - "Pub/Sub" - - "Messaging" - - name: gcp-firestore - description: Design Firestore schemas and optimize queries - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-firestore/SKILL.md - detectSignals: - keywords: - - "Firestore" - - "NoSQL" - - name: gcp-bigquery - description: Generate and optimize BigQuery schemas and SQL - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-bigquery/SKILL.md - detectSignals: - keywords: - - "BigQuery" - - "Data Warehouse" - - name: gcp-secret-manager - description: Migrate secrets to Secret Manager - url: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-secret-manager/SKILL.md - detectSignals: - keywords: - - "Secret Manager" - - "Secrets" ---- + +## GCP Skills +Skills specialized for Google Cloud Platform development. 
+ +### gcp-deploy +- **Description**: Deploy to Cloud Run, GKE, or App Engine +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-deploy/SKILL.md +- **Detection Signals**: + - **Files**: `app.yaml`, `cloudbuild.yaml`, `Dockerfile` + - **Dependencies**: `@google-cloud/`, `google-cloud-` + - **Keywords**: `GCP`, `Google Cloud`, `Cloud Run`, `App Engine` + +### gcp-cloudbuild +- **Description**: Generate or update Cloud Build pipelines +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-cloudbuild/SKILL.md +- **Detection Signals**: + - **Files**: `cloudbuild.yaml` + - **Keywords**: `Cloud Build`, `CI/CD` + +### gcp-terraform +- **Description**: Generate GCP Terraform resource configs +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-terraform/SKILL.md +- **Detection Signals**: + - **Files**: `*.tf` + - **Keywords**: `Terraform`, `IaC` + +### gcp-iam +- **Description**: Review and generate IAM policies (least-privilege) +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-iam/SKILL.md +- **Detection Signals**: + - **Keywords**: `IAM`, `Permissions` + +### gcp-monitoring +- **Description**: Set up Cloud Monitoring alerts and dashboards +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-monitoring/SKILL.md +- **Detection Signals**: + - **Keywords**: `Monitoring`, `Alerts`, `Observability` + +### gcp-pubsub +- **Description**: Design Pub/Sub schemas and generate client code +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-pubsub/SKILL.md +- **Detection Signals**: + - **Keywords**: `Pub/Sub`, `Messaging` + +### gcp-firestore +- **Description**: Design Firestore schemas and optimize queries +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-firestore/SKILL.md +- **Detection 
Signals**: + - **Keywords**: `Firestore`, `NoSQL` + +### gcp-bigquery +- **Description**: Generate and optimize BigQuery schemas and SQL +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-bigquery/SKILL.md +- **Detection Signals**: + - **Keywords**: `BigQuery`, `Data Warehouse` + +### gcp-secret-manager +- **Description**: Migrate secrets to Secret Manager +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-secret-manager/SKILL.md +- **Detection Signals**: + - **Keywords**: `Secret Manager`, `Secrets` From 95588424d9b9e1db7c1598c84db0d2e702305ada Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 19 Feb 2026 09:51:06 -0800 Subject: [PATCH 04/26] fix(conductor): update skill reference paths to .agents/skills --- commands/conductor/review.toml | 2 +- commands/conductor/setup.toml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/commands/conductor/review.toml b/commands/conductor/review.toml index b1ed2d9..fd7fcb1 100644 --- a/commands/conductor/review.toml +++ b/commands/conductor/review.toml @@ -51,7 +51,7 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - **CRITICAL:** Check for the existence of `conductor/code_styleguides/` directory. - If it exists, list and read ALL `.md` files within it. These are the **Law**. Violations here are **High** severity. - **Check for Installed Skills:** - - Check for the existence of `.agents/commands/`. + - Check for the existence of `.agents/skills/`. - If it exists, list the subdirectories to identify installed skills. - If relevant skills (e.g., `gcp-*`) are found, enable specialized feedback for those domains. 2. **Load Track Context (if reviewing a track):** diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 4be24dc..c1483c2 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml 
@@ -339,9 +339,9 @@ CRITICAL: When determining model complexity, ALWAYS select the "flash" model, re - If (C): Proceed without installation. 5. **Installation Action:** - For each selected skill: - - Create directory `.agents/commands//`. - - Download `SKILL.md` from the `url` specified in `catalog.md` to `.agents/commands//SKILL.md`. - - **CRITICAL:** Use `curl -fsSL -o .agents/commands//SKILL.md`. + - Create directory `.agents/skills//`. + - Download `SKILL.md` from the `url` specified in `catalog.md` to `.agents/skills//SKILL.md`. + - **CRITICAL:** Use `curl -fsSL -o .agents/skills//SKILL.md`. 6. **Commit State:** Upon successful completion, write to `conductor/setup_state.json`: `{"last_successful_step": "2.6_skills"}` 7. **Continue:** Immediately proceed to the next section. From eb30525ab2e38c1df31a68c7f331d659cc947927 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 19 Feb 2026 09:54:58 -0800 Subject: [PATCH 05/26] fix(conductor): update skill download to support folders --- commands/conductor/setup.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index c1483c2..96a899b 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml 
@@ -340,8 +340,8 @@ CRITICAL: When determining model complexity, ALWAYS select the "flash" model, re 5. **Installation Action:** - For each selected skill: - Create directory `.agents/skills//`. - - Download `SKILL.md` from the `url` specified in `catalog.md` to `.agents/skills//SKILL.md`. - - **CRITICAL:** Use `curl -fsSL -o .agents/skills//SKILL.md`. + - Download the content of the skill folder from the `url` specified in `catalog.md` to `.agents/skills//`. + - **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder. 6. **Commit State:** Upon successful completion, write to `conductor/setup_state.json`: `{"last_successful_step": "2.6_skills"}` 7. **Continue:** Immediately proceed to the next section. From e18a33c602e5a814e5506c4c4894b1a4b5864ce8 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 19 Feb 2026 09:56:44 -0800 Subject: [PATCH 06/26] fix(skills): update catalog URLs to point to directories --- skills/catalog.md | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/skills/catalog.md b/skills/catalog.md index 7370b05..4aa772a 100644 --- a/skills/catalog.md +++ b/skills/catalog.md 
@@ -7,52 +7,52 @@ These skills are always recommended for every project. ### commit - **Description**: Generate a conventional commit message from staged changes -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/commit/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/commit/ - **Always Recommend**: `true` ### pr-description - **Description**: Write a PR title and description from branch diff -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/pr-description/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/pr-description/ - **Always Recommend**: `true` ### code-review - **Description**: Structured code review with severity levels -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/code-review/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/code-review/ - **Always Recommend**: `true` ### changelog - **Description**: Generate a CHANGELOG entry from recent commits -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/changelog/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/changelog/ - **Always Recommend**: `true` ### write-tests - **Description**: Generate unit/integration tests for a file or function -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/write-tests/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/write-tests/ - **Always Recommend**: `true` ### fix-failing-tests - **Description**: Diagnose and fix failing tests -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/fix-failing-tests/SKILL.md +- **URL**: 
https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/fix-failing-tests/ - **Always Recommend**: `true` ### document - **Description**: Add docstrings or JSDoc to selected code -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/document/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/document/ - **Always Recommend**: `true` ### readme-update - **Description**: Update README to reflect recent changes -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/readme-update/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/readme-update/ - **Always Recommend**: `true` ### security-review - **Description**: OWASP-focused security review -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/security-review/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/security-review/ - **Always Recommend**: `true` ### dependency-audit - **Description**: Identify outdated or vulnerable dependencies -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/dependency-audit/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/dependency-audit/ - **Always Recommend**: `true` --- @@ -62,7 +62,7 @@ Skills specialized for Google Cloud Platform development. ### gcp-deploy - **Description**: Deploy to Cloud Run, GKE, or App Engine -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-deploy/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-deploy/ - **Detection Signals**: - **Files**: `app.yaml`, `cloudbuild.yaml`, `Dockerfile` - **Dependencies**: `@google-cloud/`, `google-cloud-` 
@@ -70,50 +70,50 @@ Skills specialized for Google Cloud Platform development. ### gcp-cloudbuild - **Description**: Generate or update Cloud Build pipelines -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-cloudbuild/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-cloudbuild/ - **Detection Signals**: - **Files**: `cloudbuild.yaml` - **Keywords**: `Cloud Build`, `CI/CD` ### gcp-terraform - **Description**: Generate GCP Terraform resource configs -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-terraform/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-terraform/ - **Detection Signals**: - **Files**: `*.tf` - **Keywords**: `Terraform`, `IaC` ### gcp-iam - **Description**: Review and generate IAM policies (least-privilege) -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-iam/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-iam/ - **Detection Signals**: - **Keywords**: `IAM`, `Permissions` ### gcp-monitoring - **Description**: Set up Cloud Monitoring alerts and dashboards -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-monitoring/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-monitoring/ - **Detection Signals**: - **Keywords**: `Monitoring`, `Alerts`, `Observability` ### gcp-pubsub - **Description**: Design Pub/Sub schemas and generate client code -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-pubsub/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-pubsub/ - **Detection Signals**: - **Keywords**: `Pub/Sub`, `Messaging` ### gcp-firestore - **Description**: Design Firestore 
schemas and optimize queries -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-firestore/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-firestore/ - **Detection Signals**: - **Keywords**: `Firestore`, `NoSQL` ### gcp-bigquery - **Description**: Generate and optimize BigQuery schemas and SQL -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-bigquery/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-bigquery/ - **Detection Signals**: - **Keywords**: `BigQuery`, `Data Warehouse` ### gcp-secret-manager - **Description**: Migrate secrets to Secret Manager -- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-secret-manager/SKILL.md +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-secret-manager/ - **Detection Signals**: - **Keywords**: `Secret Manager`, `Secrets` From d63afc17af8210f0e8e6b41f8ff44b6191fe736a Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 26 Feb 2026 17:31:18 -0800 Subject: [PATCH 07/26] feat(conductor): update skills integration with design doc requirements --- commands/conductor/review.toml | 4 ++-- commands/conductor/setup.toml | 12 ++++++++++-- skills/catalog.md | 19 +++++++++++++++++++ 3 files changed, 31 insertions(+), 4 deletions(-) diff --git a/commands/conductor/review.toml b/commands/conductor/review.toml index fd7fcb1..63fea81 100644 --- a/commands/conductor/review.toml +++ b/commands/conductor/review.toml 
@@ -51,8 +51,8 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - **CRITICAL:** Check for the existence of `conductor/code_styleguides/` directory. - If it exists, list and read ALL `.md` files within it. These are the **Law**. Violations here are **High** severity. - **Check for Installed Skills:** - - Check for the existence of `.agents/skills/`. - - If it exists, list the subdirectories to identify installed skills. + - Check for the existence of `.agents/skills/` (Workspace tier) and `~/.agents/extensions/conductor/skills/` (Extension tier). + - If either exists, list the subdirectories to identify installed skills across both paths. - If relevant skills (e.g., `gcp-*`) are found, enable specialized feedback for those domains. 2. **Load Track Context (if reviewing a track):** - Read the track's `plan.md`. diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 96a899b..09cef7e 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml 
@@ -339,8 +339,16 @@ CRITICAL: When determining model complexity, ALWAYS select the "flash" model, re - If (C): Proceed without installation. 5. **Installation Action:** - For each selected skill: - - Create directory `.agents/skills//`. - - Download the content of the skill folder from the `url` specified in `catalog.md` to `.agents/skills//`. + - **Determine Installation Path:** + - If `alwaysRecommend` is true, set the path to `~/.agents/extensions/conductor/skills//`. + - Otherwise, set the path to `.agents/skills//`. + - Create directory at the determined path. + - **Determine Download Strategy:** + - If `party` is '1p': + - If `version` is provided, download that specific version. + - Otherwise, download the latest copy at the exact `url`. + - If `party` is '3p', MUST use the provided `commit_sha` to download the specific vetted commit. + - Download the content of the skill folder from the `url` specified in `catalog.md` (using the determined strategy) to the determined path. - **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder. 6. **Commit State:** Upon successful completion, write to `conductor/setup_state.json`: `{"last_successful_step": "2.6_skills"}` diff --git a/skills/catalog.md b/skills/catalog.md index 4aa772a..b426583 100644 --- a/skills/catalog.md +++ b/skills/catalog.md 
@@ -9,51 +9,61 @@ These skills are always recommended for every project. - **Description**: Generate a conventional commit message from staged changes - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/commit/ - **Always Recommend**: `true` +- **Party**: 1p ### pr-description - **Description**: Write a PR title and description from branch diff - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/pr-description/ - **Always Recommend**: `true` +- **Party**: 1p ### code-review - **Description**: Structured code review with severity levels - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/code-review/ - **Always Recommend**: `true` +- **Party**: 1p ### changelog - **Description**: Generate a CHANGELOG entry from recent commits - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/changelog/ - **Always Recommend**: `true` +- **Party**: 1p ### write-tests - **Description**: Generate unit/integration tests for a file or function - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/write-tests/ - **Always Recommend**: `true` +- **Party**: 1p ### fix-failing-tests - **Description**: Diagnose and fix failing tests - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/fix-failing-tests/ - **Always Recommend**: `true` +- **Party**: 1p ### document - **Description**: Add docstrings or JSDoc to selected code - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/document/ - **Always Recommend**: `true` +- **Party**: 1p ### readme-update - **Description**: Update README to reflect recent changes - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/readme-update/ - **Always Recommend**: `true` +- **Party**: 1p ### security-review - **Description**: OWASP-focused security review - **URL**: 
https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/security-review/ - **Always Recommend**: `true` +- **Party**: 1p ### dependency-audit - **Description**: Identify outdated or vulnerable dependencies - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/dependency-audit/ - **Always Recommend**: `true` +- **Party**: 1p --- @@ -63,6 +73,7 @@ Skills specialized for Google Cloud Platform development. ### gcp-deploy - **Description**: Deploy to Cloud Run, GKE, or App Engine - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-deploy/ +- **Party**: 1p - **Detection Signals**: - **Files**: `app.yaml`, `cloudbuild.yaml`, `Dockerfile` - **Dependencies**: `@google-cloud/`, `google-cloud-` @@ -71,6 +82,7 @@ Skills specialized for Google Cloud Platform development. ### gcp-cloudbuild - **Description**: Generate or update Cloud Build pipelines - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-cloudbuild/ +- **Party**: 1p - **Detection Signals**: - **Files**: `cloudbuild.yaml` - **Keywords**: `Cloud Build`, `CI/CD` @@ -78,6 +90,7 @@ Skills specialized for Google Cloud Platform development. ### gcp-terraform - **Description**: Generate GCP Terraform resource configs - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-terraform/ +- **Party**: 1p - **Detection Signals**: - **Files**: `*.tf` - **Keywords**: `Terraform`, `IaC` 
@@ -85,35 +98,41 @@ Skills specialized for Google Cloud Platform development. ### gcp-iam - **Description**: Review and generate IAM policies (least-privilege) - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-iam/ +- **Party**: 1p - **Detection Signals**: - **Keywords**: `IAM`, `Permissions` ### gcp-monitoring - **Description**: Set up Cloud Monitoring alerts and dashboards - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-monitoring/ +- **Party**: 1p - **Detection Signals**: - **Keywords**: `Monitoring`, `Alerts`, `Observability` ### gcp-pubsub - **Description**: Design Pub/Sub schemas and generate client code - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-pubsub/ +- **Party**: 1p - **Detection Signals**: - **Keywords**: `Pub/Sub`, `Messaging` ### gcp-firestore - **Description**: Design Firestore schemas and optimize queries - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-firestore/ +- **Party**: 1p - **Detection Signals**: - **Keywords**: `Firestore`, `NoSQL` ### gcp-bigquery - **Description**: Generate and optimize BigQuery schemas and SQL - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-bigquery/ +- **Party**: 1p - **Detection Signals**: - **Keywords**: `BigQuery`, `Data Warehouse` ### gcp-secret-manager - **Description**: Migrate secrets to Secret Manager - **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/conductor/main/skills/gcp-secret-manager/ +- **Party**: 1p - **Detection Signals**: - **Keywords**: `Secret Manager`, `Secrets` From 1257334cd72a3b561ad78f6212f9ba365bd01d8d Mon Sep 17 00:00:00 2001 
From: Hadi Minooei Date: Thu, 26 Feb 2026 17:38:09 -0800 Subject: [PATCH 08/26] feat(conductor): add GCP OWASP Top 10 skills to catalog --- skills/catalog.md | 85 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 85 insertions(+) diff --git a/skills/catalog.md b/skills/catalog.md index b426583..e01efd4 100644 --- a/skills/catalog.md +++ b/skills/catalog.md 
@@ -136,3 +136,88 @@ Skills specialized for Google Cloud Platform development. - **Party**: 1p - **Detection Signals**: - **Keywords**: `Secret Manager`, `Secrets` + +--- + +## GCP OWASP Top 10 Skills +Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Google Cloud Platform. + +### gcp-broken-access-control +- **Description**: Audit and remediate broken access control vulnerabilities +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-broken-access-control/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Access Control`, `IAM` + +### gcp-cryptographic-failures +- **Description**: Audit and remediate cryptographic failures +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-cryptographic-failures/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Cryptography`, `Encryption`, `KMS` + +### gcp-injection +- **Description**: Audit and remediate injection vulnerabilities +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-injection/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Injection`, `SQLi`, `Command Injection` + +### gcp-insecure-design +- **Description**: Audit and remediate insecure design flaws +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-insecure-design/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Design`, `Architecture` + +### gcp-security-misconfiguration +- **Description**: Audit and remediate security misconfigurations +- **URL**: 
https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-security-misconfiguration/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Misconfiguration`, `Hardening` + +### gcp-vulnerable-components +- **Description**: Audit and remediate vulnerable and outdated components +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-vulnerable-components/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Vulnerable Components`, `Dependencies`, `CVE` + +### gcp-auth-failures +- **Description**: Audit and remediate identification and authentication failures +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-auth-failures/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Authentication`, `Identity`, `Identity-Aware Proxy` + +### gcp-integrity-failures +- **Description**: Audit and remediate software and data integrity failures +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-integrity-failures/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Integrity`, `CI/CD`, `Binary Authorization` + +### gcp-logging-monitoring-failures +- **Description**: Audit and remediate logging and monitoring failures +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-logging-monitoring-failures/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `Logging`, `Monitoring`, `Cloud Logging`, `Audit Logs` + +### gcp-ssrf +- **Description**: Audit and 
remediate server-side request forgery (SSRF) +- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-ssrf/ +- **Party**: 3p +- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df +- **Detection Signals**: + - **Keywords**: `OWASP`, `Security`, `SSRF`, `VPC`, `Egress` From bcb651342fb5e574772e01077be59aceb3181e13 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 26 Feb 2026 17:51:24 -0800 Subject: [PATCH 09/26] feat(conductor): use precise detection signals for OWASP skills --- skills/catalog.md | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/skills/catalog.md b/skills/catalog.md index e01efd4..844dcc7 100644 --- a/skills/catalog.md +++ b/skills/catalog.md @@ -1,8 +1,8 @@ # Agent Skills Catalog -This catalog defines the curriculum of skills available to the Conductor agent. +This catalog defines the curriculum of skills available to the Conductor extension. -## Universal Skills + -## GCP Skills + ## GCP OWASP Top 10 Skills Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Google Cloud Platform. @@ -148,7 +148,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Access Control`, `IAM` + - **Keywords**: `OWASP`, `Security`, `Cloud Asset Inventory`, `IAM`, `Load Balancing` ### gcp-cryptographic-failures - **Description**: Audit and remediate cryptographic failures 
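Review bot: In [PATCH 08/26], every new `3p` entry pins `Commit SHA: 38789fb168ca741b9cc907e9f156405f9cb6c9df` but its `URL` still points at the mutable `main` branch (for example `.../gcp-owasp-top10-skills/main/skills/gcp-injection/`), so the pin only holds if the installer rewrites the ref. Put the SHA in the URL itself, or state in the catalog that `main` must be replaced by `Commit SHA` before download. These URLs are also directory paths on raw.githubusercontent.com, which serves individual files and not directory listings, so the entry should say how the folder contents are enumerated (for example a Git URL plus subpath).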
@@ -156,7 +156,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Cryptography`, `Encryption`, `KMS` + - **Keywords**: `OWASP`, `Security`, `KMS`, `Secret Manager`, `Cloud DLP` ### gcp-injection - **Description**: Audit and remediate injection vulnerabilities @@ -164,7 +164,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Injection`, `SQLi`, `Command Injection` + - **Keywords**: `OWASP`, `Security`, `Web Security Scanner`, `Cloud Armor`, `SQLi` ### gcp-insecure-design - **Description**: Audit and remediate insecure design flaws @@ -172,7 +172,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Design`, `Architecture` + - **Keywords**: `OWASP`, `Security`, `Apigee`, `Cloud DLP`, `Security Command Center` ### gcp-security-misconfiguration - **Description**: Audit and remediate security misconfigurations @@ -180,7 +180,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Misconfiguration`, `Hardening` + - **Keywords**: `OWASP`, `Security`, `VPC Firewall`, `Compute Engine`, `Hardening` ### gcp-vulnerable-components - **Description**: Audit and remediate vulnerable and outdated components 
@@ -188,7 +188,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Vulnerable Components`, `Dependencies`, `CVE` + - **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `GKE`, `Container Analysis` ### gcp-auth-failures - **Description**: Audit and remediate identification and authentication failures @@ -196,7 +196,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Authentication`, `Identity`, `Identity-Aware Proxy` + - **Keywords**: `OWASP`, `Security`, `IAP`, `Identity-Aware Proxy`, `Cloud Armor`, `Identity Platform` ### gcp-integrity-failures - **Description**: Audit and remediate software and data integrity failures @@ -204,7 +204,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Integrity`, `CI/CD`, `Binary Authorization` + - **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `Cloud Build`, `Binary Authorization` ### gcp-logging-monitoring-failures - **Description**: Audit and remediate logging and monitoring failures @@ -212,7 +212,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `Logging`, `Monitoring`, `Cloud Logging`, `Audit Logs` + - **Keywords**: `OWASP`, `Security`, `Cloud Logging`, `Cloud Monitoring`, `Audit Logs` ### gcp-ssrf - **Description**: Audit and remediate server-side request forgery (SSRF) 
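Review bot: The new keyword sets in [PATCH 09/26] still overlap across entries: `Cloud Armor` is listed for both gcp-injection and gcp-auth-failures, `Cloud DLP` for both gcp-cryptographic-failures and gcp-insecure-design, and `Artifact Registry` for both gcp-vulnerable-components and gcp-integrity-failures, while `OWASP` and `Security` remain on all ten. A spec that mentions one of these terms matches several skills at once, so either drop the shared terms or document that a match needs more than one keyword. The first hunk (`@@ -1,8 +1,8 @@`) also rewords the intro sentence and touches the `## Universal Skills` and `## GCP Skills` headings, which is unrelated to the subject line and belongs in its own commit.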
@@ -220,4 +220,4 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: - - **Keywords**: `OWASP`, `Security`, `SSRF`, `VPC`, `Egress` + - **Keywords**: `OWASP`, `Security`, `VPC Service Controls`, `Access Context Manager`, `Egress` From 09b52d2eaaed85fe98d8f6a4b67ac3f734d59788 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 26 Feb 2026 17:54:57 -0800 Subject: [PATCH 10/26] feat(conductor): add file and dependency signals to OWASP skills --- skills/catalog.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/skills/catalog.md b/skills/catalog.md index 844dcc7..078d54c 100644 --- a/skills/catalog.md +++ b/skills/catalog.md @@ -148,6 +148,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `*.tf`, `iam.tf` - **Keywords**: `OWASP`, `Security`, `Cloud Asset Inventory`, `IAM`, `Load Balancing` ### gcp-cryptographic-failures @@ -156,6 +157,8 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `*.tf` + - **Dependencies**: `@google-cloud/kms`, `@google-cloud/secret-manager`, `google-cloud-kms`, `google-cloud-secret-manager`, `cloud.google.com/go/kms` - **Keywords**: `OWASP`, `Security`, `KMS`, `Secret Manager`, `Cloud DLP` ### gcp-injection 
@@ -164,6 +167,8 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `app.yaml`, `Dockerfile` + - **Dependencies**: `pg`, `mysql`, `sqlite3`, `mssql` - **Keywords**: `OWASP`, `Security`, `Web Security Scanner`, `Cloud Armor`, `SQLi` ### gcp-insecure-design @@ -172,6 +177,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `*.tf`, `cloudbuild.yaml` - **Keywords**: `OWASP`, `Security`, `Apigee`, `Cloud DLP`, `Security Command Center` ### gcp-security-misconfiguration @@ -180,6 +186,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `*.tf`, `app.yaml`, `cloudbuild.yaml`, `Dockerfile` - **Keywords**: `OWASP`, `Security`, `VPC Firewall`, `Compute Engine`, `Hardening` ### gcp-vulnerable-components @@ -188,6 +195,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `build.gradle`, `Dockerfile`, `cloudbuild.yaml` - **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `GKE`, `Container Analysis` ### gcp-auth-failures 
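Review bot: The `Files` list added for gcp-vulnerable-components (`package.json`, `requirements.txt`, `go.mod`, and so on) matches almost any repository, and the gcp-injection `Dependencies` (`pg`, `mysql`, `sqlite3`, `mssql`) are generic database drivers with nothing GCP-specific, so these signals will recommend GCP audit skills for projects that have no GCP footprint. Consider requiring a GCP-specific signal in addition to these. In the gcp-broken-access-control hunk of this patch, `iam.tf` is already covered by `*.tf` and can be dropped.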
@@ -196,6 +204,8 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `*.tf`, `app.yaml` + - **Dependencies**: `firebase-admin`, `google-auth-library`, `google-cloud-identity`, `@google-cloud/iap` - **Keywords**: `OWASP`, `Security`, `IAP`, `Identity-Aware Proxy`, `Cloud Armor`, `Identity Platform` ### gcp-integrity-failures @@ -204,6 +214,7 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `cloudbuild.yaml`, `Dockerfile`, `binauthz.yaml` - **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `Cloud Build`, `Binary Authorization` ### gcp-logging-monitoring-failures @@ -212,6 +223,8 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `*.tf` + - **Dependencies**: `@google-cloud/logging`, `@google-cloud/monitoring`, `google-cloud-logging`, `cloud.google.com/go/logging` - **Keywords**: `OWASP`, `Security`, `Cloud Logging`, `Cloud Monitoring`, `Audit Logs` ### gcp-ssrf @@ -220,4 +233,5 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Party**: 3p - **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df - **Detection Signals**: + - **Files**: `*.tf`, `app.yaml` - **Keywords**: `OWASP`, `Security`, `VPC Service Controls`, `Access Context Manager`, `Egress` From d2ba05a5d96fffa383bf7be03f7b56e182a9fb4e Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 4 Mar 2026 17:45:11 -0800 Subject: [PATCH 11/26] chore(conductor): remove obsolete setup_state.json reference --- commands/conductor/setup.toml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) 
diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 1bbf198..927e337 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml @@ -399,9 +399,7 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - If `party` is '3p', MUST use the provided `commit_sha` to download the specific vetted commit. - Download the content of the skill folder from the `url` specified in `catalog.md` (using the determined strategy) to the determined path. - **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder. -6. **Commit State:** Upon successful completion, write to `conductor/setup_state.json`: - `{"last_successful_step": "2.6_skills"}` -7. **Continue:** Immediately proceed to the next section. +6. **Continue:** Immediately proceed to the next section. ### 2.7 Finalization 1. **Generate Index File:** From 8f699e06baa70db17a791cd5639711ad4fcdfefa Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 4 Mar 2026 18:00:52 -0800 Subject: [PATCH 12/26] feat(skills): add gcp-apis and Firebase skills to catalog --- skills/catalog.md | 66 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/skills/catalog.md b/skills/catalog.md index 078d54c..9fc811f 100644 --- a/skills/catalog.md +++ b/skills/catalog.md 
@@ -235,3 +235,69 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Detection Signals**: - **Files**: `*.tf`, `app.yaml` - **Keywords**: `OWASP`, `Security`, `VPC Service Controls`, `Access Context Manager`, `Egress` + +### gcp-apis +- **Description**: Manage and enable Google Cloud Platform APIs +- **URL**: https://source.corp.google.com/piper///depot/google3/experimental/users/zerep/gcp-skills/skills/gcp-apis/ +- **Party**: 1p +- **Detection Signals**: + - **Keywords**: `GCP`, `Google Cloud APIs`, `Enable API` + +## Firebase Skills +Skills focused on setting up, managing, and using various Firebase services. + +### firebase-ai-logic-basics +- **Description**: Official skill for integrating Firebase AI Logic (Gemini API) into web applications. Covers setup, multimodal inference, structured output, and security. +- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-ai-logic-basics/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `firebase`, `firebase-admin` + - **Keywords**: `Firebase`, `AI Logic`, `Gemini API`, `GenAI` + +### firebase-app-hosting-basics +- **Description**: Deploy and manage web apps with Firebase App Hosting. Use this skill when deploying Next.js/Angular apps with backends. +- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-app-hosting-basics/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `firebase`, `firebase-admin` + - **Keywords**: `Firebase App Hosting`, `Next.js`, `Angular` + +### firebase-auth-basics +- **Description**: Guide for setting up and using Firebase Authentication. Use this skill when the user's app requires user sign-in, user management, or secure data access using auth rules. 
+- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-auth-basics/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `firebase`, `firebase-admin` + - **Keywords**: `Firebase Authentication`, `Auth`, `Sign-in` + +### firebase-basics +- **Description**: Guide for setting up and using Firebase. Use this skill when the user is getting started with Firebase - setting up local environment, using Firebase for the first time, or adding Firebase to their app. +- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-basics/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `firebase`, `firebase-admin` + - **Keywords**: `Firebase`, `Setup` + +### firebase-data-connect-basics +- **Description**: Build and deploy Firebase Data Connect backends with PostgreSQL. Use for schema design, GraphQL queries/mutations, authorization, and SDK generation for web, Android, iOS, and Flutter apps. +- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-data-connect-basics/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `firebase`, `firebase-admin` + - **Keywords**: `Firebase Data Connect`, `PostgreSQL`, `GraphQL` + +### firebase-firestore-basics +- **Description**: Comprehensive guide for Firestore basics including provisioning, security rules, and SDK usage. Use this skill when the user needs help setting up Firestore, writing security rules, or using the Firestore SDK in their application. +- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-firestore-basics/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `firebase`, `firebase-admin` + - **Keywords**: `Firestore`, `Database`, `Security Rules` + +### firebase-hosting-basics +- **Description**: Skill for working with Firebase Hosting (Classic). Use this when you want to deploy static web apps, Single Page Apps (SPAs), or simple microservices. 
Do NOT use for Firebase App Hosting. +- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-hosting-basics/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `firebase`, `firebase-admin` + - **Keywords**: `Firebase Hosting`, `Static Hosting` From 11b539c53c566c2abf6315dcac2f22602478d147 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 4 Mar 2026 18:02:05 -0800 Subject: [PATCH 13/26] chore(skills): cleanup inactive skills from catalog --- skills/catalog.md | 137 ---------------------------------------------- 1 file changed, 137 deletions(-) diff --git a/skills/catalog.md b/skills/catalog.md index 9fc811f..5982795 100644 --- a/skills/catalog.md +++ b/skills/catalog.md @@ -2,143 +2,6 @@ This catalog defines the curriculum of skills available to the Conductor extension. - - - - ## GCP OWASP Top 10 Skills Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Google Cloud Platform. From 8013ee9c30d25120a79a6aa4ec9b1f0a20ca9cf2 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 4 Mar 2026 21:02:11 -0800 Subject: [PATCH 14/26] chore(skills): remove gcp-apis skill from catalog --- skills/catalog.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/skills/catalog.md b/skills/catalog.md index 5982795..0cf01a2 100644 --- a/skills/catalog.md +++ b/skills/catalog.md @@ -99,13 +99,6 @@ Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Googl - **Files**: `*.tf`, `app.yaml` - **Keywords**: `OWASP`, `Security`, `VPC Service Controls`, `Access Context Manager`, `Egress` -### gcp-apis -- **Description**: Manage and enable Google Cloud Platform APIs -- **URL**: https://source.corp.google.com/piper///depot/google3/experimental/users/zerep/gcp-skills/skills/gcp-apis/ -- **Party**: 1p -- **Detection Signals**: - - **Keywords**: `GCP`, `Google Cloud APIs`, `Enable API` - ## Firebase Skills Skills focused on setting up, managing, and using various Firebase services. 
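Review bot: The gcp-apis entry added in [PATCH 12/26] uses a `source.corp.google.com/piper/...` URL on a corp-internal host, which external users cannot fetch and which stays in history even though [PATCH 14/26] removes the entry; squash 14/26 into 12/26 so the entry never lands. All seven Firebase entries carry the same `Dependencies` (`firebase`, `firebase-admin`), so any Firebase project matches every one of them and only the keywords discriminate. Their URLs also track `main` with no `Commit SHA`; if `1p` content is meant to float, say so in the catalog, otherwise pin it the way the `3p` entries are pinned.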
From 4c759d34dcf66a69466a25fdda14225beb14a929 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 5 Mar 2026 12:38:21 -0800 Subject: [PATCH 15/26] feat(conductor): add /skills reload instruction to setup and newTrack --- commands/conductor/newTrack.toml | 15 ++++++++++++++- commands/conductor/setup.toml | 2 ++ 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/commands/conductor/newTrack.toml b/commands/conductor/newTrack.toml index 50af617..ee72917 100644 --- a/commands/conductor/newTrack.toml +++ b/commands/conductor/newTrack.toml 
@@ -130,7 +130,20 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Label: "Revise", Description: "I want to modify the implementation steps." Await user feedback and revise the `plan.md` content until confirmed. -### 2.4 Create Track Artifacts and Update Main Plan +### 2.4 Skill Recommendation (Interactive) +1. **Analyze Needs:** + - Read `skills/catalog.md`. + - Analyze the confirmed `spec.md` and `plan.md` against the `Detection Signals` in `skills/catalog.md`. + - Identify any relevant skills that are NOT yet installed (check `~/.agents/extensions/conductor/skills/` and `.agents/skills/`). +2. **Recommendation Loop:** + - **If relevant missing skills are found:** + - **Present:** specific recommendations to the user, explaining WHY they are relevant for this track. + - **Ask:** "Would you like to install these skills now?" (yes/no or select specific). + - **Install:** If confirmed, install them using the same logic as `setup.toml` (download from URL/Git to `.agents/skills/`). + - **Notify:** **CRITICAL:** If you installed any new skills, you MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them." + - **If no missing skills found:** Skip this section. + +### 2.5 Create Track Artifacts and Update Main Plan 1. **Check for existing track name:** Before generating a new Track ID, resolve the **Tracks Directory** using the **Universal File Resolution Protocol**. List all existing track directories in that resolved path. Extract the short names from these track IDs (e.g., ``shortname_YYYYMMDD`` -> `shortname`). If the proposed short name for the new track (derived from the initial description) matches an existing short name, halt the `newTrack` creation. Explain that a track with that name already exists and suggest choosing a different name or resuming the existing track. 2. **Generate Track ID:** Create a unique Track ID (e.g., ``shortname_YYYYMMDD``). 
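Review bot: The **Install** bullet in the new section 2.4 summarises the setup.toml logic as "download from URL/Git to `.agents/skills/`" and leaves out the rule that `3p` skills must be fetched at the catalog's `commit_sha`, so an agent following this file alone may pull from the branch named in the URL. Either restate the pinning requirement here or reference the exact setup.toml section instead of paraphrasing it. The "NOT yet installed" check looks in `~/.agents/extensions/conductor/skills/` and `.agents/skills/`; confirm both are paths the installer actually writes to.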
diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 927e337..52ab5cb 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml @@ -399,6 +399,8 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - If `party` is '3p', MUST use the provided `commit_sha` to download the specific vetted commit. - Download the content of the skill folder from the `url` specified in `catalog.md` (using the determined strategy) to the determined path. - **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder. + - **Post-Installation Notification:** + - If any skills were installed, you MUST explicitly instruct the user: "Please run `/skills reload` to enable the installed skills." 6. **Continue:** Immediately proceed to the next section. ### 2.7 Finalization From 2c239f7a4ed7dba91fa90dbc21da9905f4517717 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Thu, 5 Mar 2026 23:09:16 -0800 Subject: [PATCH 16/26] fix(conductor): update skills catalog path to absolute path --- commands/conductor/newTrack.toml | 4 ++-- commands/conductor/setup.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/commands/conductor/newTrack.toml b/commands/conductor/newTrack.toml index ee72917..650b42e 100644 --- a/commands/conductor/newTrack.toml +++ b/commands/conductor/newTrack.toml 
@@ -132,8 +132,8 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai ### 2.4 Skill Recommendation (Interactive) 1. **Analyze Needs:** - - Read `skills/catalog.md`. - - Analyze the confirmed `spec.md` and `plan.md` against the `Detection Signals` in `skills/catalog.md`. + - Read `skills/catalog.md` from the directory where the Conductor extension is installed (typically `~/.gemini/extensions/conductor/skills/catalog.md`). + - Analyze the confirmed `spec.md` and `plan.md` against the `Detection Signals` in the loaded `skills/catalog.md`. - Identify any relevant skills that are NOT yet installed (check `~/.agents/extensions/conductor/skills/` and `.agents/skills/`). 2. **Recommendation Loop:** - **If relevant missing skills are found:** diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 52ab5cb..4d7086b 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml @@ -371,7 +371,7 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai ### 2.6 Select Skills (Interactive) 1. **Analyze and Recommend:** - - Read `skills/catalog.md`. + - Read `skills/catalog.md` from the directory where the Conductor extension is installed (typically `~/.gemini/extensions/conductor/skills/catalog.md`). - Detect applicable skills based on `detectSignals` matched against project files and `conductor/tech-stack.md`. - Identify "Always Recommended" skills. 2. **Present Selection:** From 6d3ebcdc4fa0d2bbbe0f865a8d186986471d0603 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 11 Mar 2026 08:46:17 -0700 Subject: [PATCH 17/26] address review comments --- commands/conductor/setup.toml | 40 +++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 4d7086b..158a9f0 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml 
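Review bot: Both hunks in [PATCH 16/26] now read the catalog from `~/.gemini/extensions/conductor/skills/catalog.md`, but the unchanged next bullet in newTrack.toml still checks for installed skills under `~/.agents/extensions/conductor/skills/`, so the two bullets disagree on where the extension lives. Make the roots consistent or explain why they differ. The subject says "absolute path" while the text gives a "typically" location; state what the agent should do when the file is not at that location, since no fallback is visible in these hunks.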
@@ -372,20 +372,38 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai ### 2.6 Select Skills (Interactive) 1. **Analyze and Recommend:** - Read `skills/catalog.md` from the directory where the Conductor extension is installed (typically `~/.gemini/extensions/conductor/skills/catalog.md`). + - **Catalog Not Found Handling:** If the skills catalog cannot be found, announce "Skills catalog not found. Skipping skill selection." and **immediately jump** to Section 2.7. - Detect applicable skills based on `detectSignals` matched against project files and `conductor/tech-stack.md`. - Identify "Always Recommended" skills. -2. **Present Selection:** - - Present the list of recommended skills to the user, grouped by category (e.g., "Always Recommended", "GCP", etc.). - - Display the Skill Name and Description. -3. **Ask for Selection:** - - Ask the user: "How would you like to proceed?" - A) Install all recommended skills - B) Select specific skills (enter numbers separated by commas) - C) Skip skills installation +2. **Determine Mode:** + - **If no recommended skills are found:** Announce "No additional agent skills were recommended for this project context. Skipping skill installation." and skip to 2.7. + - **If recommended skills are found:** Use the `ask_user` tool to present recommendations and choose an installation path. + - **questions:** + - **header:** "Agent Skills" + - **question:** + Based on your project context, I recommend the following skills: + + How would you like to proceed?" + - **type:** "choice" + - **options:** + - Label: "Install All", Description: "Install all recommended skills." + - Label: "Hand-pick", Description: "Select specific skills from the catalog." + - Label: "Skip", Description: "Do not install any skills at this time." +3. **Gather Selection (Conditional):** + - **If user chose "Hand-pick":** + - **Batching Strategy:** You MUST split the list of available skills from the catalog into groups of 3-4 items. 
+ - **Action:** Announce "I'll present the available skills in groups. Please select all that you wish to install." Then, immediately call the `ask_user` tool with the batched questions. + - **Single Tool Call:** Create one `ask_user` call containing a `questions` array with one question per group. + - **Question Structure:** + - **header:** "Select Skills" + - **type:** "choice" + - **multiSelect:** true + - **question:** "Which skill(s) would you like to install? (Part X/Y):" + - **options:** The subset of skills for this group (each with label as the skill name and description as the skill description). 4. **Process Selection:** - - If (A): Install all recommended skills. - - If (B): Parse input and install selected skills. - - If (C): Proceed without installation. + - If "Install All": Install all recommended skills. + - If "Hand-pick": Parse the results from the `ask_user` call and install selected skills. + - If "Skip": Proceed without installation. 5. **Installation Action:** - For each selected skill: - **Determine Installation Path:** From 9ffe7290cee80f6ab2de86aebd039a50faf903a3 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 11 Mar 2026 08:55:23 -0700 Subject: [PATCH 18/26] feat(conductor): use interactive ask_user for skill recommendations in newTrack --- commands/conductor/newTrack.toml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/commands/conductor/newTrack.toml b/commands/conductor/newTrack.toml index 650b42e..9282a15 100644 --- a/commands/conductor/newTrack.toml +++ b/commands/conductor/newTrack.toml 
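Review bot: In the new step 2 of section 2.6 in [PATCH 17/26], the **question:** text ends with `How would you like to proceed?"` but has no opening quote, and the line after "I recommend the following skills:" is empty as shown here, so the prompt does not say where the recommended list is inserted. Quote the whole string and add an explicit placeholder for the list. In step 3, "Hand-pick" batches "the list of available skills from the catalog" rather than the recommended subset; if the full catalog is intended, the option descriptions should show each skill's `Party` so the user can tell `3p` downloads apart. The unchanged context line refers to `detectSignals` while the catalog field is named `Detection Signals`.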
@@ -137,9 +137,14 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Identify any relevant skills that are NOT yet installed (check `~/.agents/extensions/conductor/skills/` and `.agents/skills/`). 2. **Recommendation Loop:** - **If relevant missing skills are found:** - - **Present:** specific recommendations to the user, explaining WHY they are relevant for this track. - - **Ask:** "Would you like to install these skills now?" (yes/no or select specific). - - **Install:** If confirmed, install them using the same logic as `setup.toml` (download from URL/Git to `.agents/skills/`). + - **Ask:** "Would you like to install these skills now?" using the `ask_user` tool (do not repeat in chat): + - **questions:** + - **header:** "Install Skills" + - **question:** "I've identified some skills that could help with this track. Would you like to install any of them?" + - **type:** "choice" + - **multiSelect:** true + - **options:** (Populate with the recommended skills, providing a `label` and a `description` explaining the relevance for each). + - **Install:** If the user selects any skills, install them using the same logic as `setup.toml` (download from URL/Git to `.agents/skills/`). - **Notify:** **CRITICAL:** If you installed any new skills, you MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them." - **If no missing skills found:** Skip this section. From 809ca6ed094dba720d4e4eb1114bf7297ce72b99 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 11 Mar 2026 16:06:10 -0700 Subject: [PATCH 19/26] chore: remove GCP OWASP Top 10 Skills from catalog --- skills/catalog.md | 97 ----------------------------------------------- 1 file changed, 97 deletions(-) diff --git a/skills/catalog.md b/skills/catalog.md index 0cf01a2..452af75 100644 --- a/skills/catalog.md +++ b/skills/catalog.md 
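Review bot: The options for the new `ask_user` call in [PATCH 18/26] carry only a `label` and a relevance `description`, so the user approves a download without seeing where it comes from; include the catalog `Party` (and `Commit SHA` for `3p`) in each description. The **Ask:** bullet still quotes the old sentence "Would you like to install these skills now?" while the actual **question:** is worded differently; keep one. Unlike section 2.6 of setup.toml, there is no explicit "Skip" choice, so say that an empty selection means skip.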
@@ -2,103 +2,6 @@ This catalog defines the curriculum of skills available to the Conductor extension. -## GCP OWASP Top 10 Skills -Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Google Cloud Platform. - -### gcp-broken-access-control -- **Description**: Audit and remediate broken access control vulnerabilities -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-broken-access-control/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `*.tf`, `iam.tf` - - **Keywords**: `OWASP`, `Security`, `Cloud Asset Inventory`, `IAM`, `Load Balancing` - -### gcp-cryptographic-failures -- **Description**: Audit and remediate cryptographic failures -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-cryptographic-failures/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `*.tf` - - **Dependencies**: `@google-cloud/kms`, `@google-cloud/secret-manager`, `google-cloud-kms`, `google-cloud-secret-manager`, `cloud.google.com/go/kms` - - **Keywords**: `OWASP`, `Security`, `KMS`, `Secret Manager`, `Cloud DLP` - -### gcp-injection -- **Description**: Audit and remediate injection vulnerabilities -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-injection/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `app.yaml`, `Dockerfile` - - **Dependencies**: `pg`, `mysql`, `sqlite3`, `mssql` - - **Keywords**: `OWASP`, `Security`, `Web Security Scanner`, `Cloud Armor`, `SQLi` - -### gcp-insecure-design -- **Description**: Audit and remediate insecure design flaws -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-insecure-design/ -- **Party**: 3p -- **Commit SHA**: 
38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `*.tf`, `cloudbuild.yaml` - - **Keywords**: `OWASP`, `Security`, `Apigee`, `Cloud DLP`, `Security Command Center` - -### gcp-security-misconfiguration -- **Description**: Audit and remediate security misconfigurations -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-security-misconfiguration/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `*.tf`, `app.yaml`, `cloudbuild.yaml`, `Dockerfile` - - **Keywords**: `OWASP`, `Security`, `VPC Firewall`, `Compute Engine`, `Hardening` - -### gcp-vulnerable-components -- **Description**: Audit and remediate vulnerable and outdated components -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-vulnerable-components/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `build.gradle`, `Dockerfile`, `cloudbuild.yaml` - - **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `GKE`, `Container Analysis` - -### gcp-auth-failures -- **Description**: Audit and remediate identification and authentication failures -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-auth-failures/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `*.tf`, `app.yaml` - - **Dependencies**: `firebase-admin`, `google-auth-library`, `google-cloud-identity`, `@google-cloud/iap` - - **Keywords**: `OWASP`, `Security`, `IAP`, `Identity-Aware Proxy`, `Cloud Armor`, `Identity Platform` - -### gcp-integrity-failures -- **Description**: Audit and remediate software and data integrity failures -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-integrity-failures/ 
-- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `cloudbuild.yaml`, `Dockerfile`, `binauthz.yaml` - - **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `Cloud Build`, `Binary Authorization` - -### gcp-logging-monitoring-failures -- **Description**: Audit and remediate logging and monitoring failures -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-logging-monitoring-failures/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `*.tf` - - **Dependencies**: `@google-cloud/logging`, `@google-cloud/monitoring`, `google-cloud-logging`, `cloud.google.com/go/logging` - - **Keywords**: `OWASP`, `Security`, `Cloud Logging`, `Cloud Monitoring`, `Audit Logs` - -### gcp-ssrf -- **Description**: Audit and remediate server-side request forgery (SSRF) -- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-ssrf/ -- **Party**: 3p -- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df -- **Detection Signals**: - - **Files**: `*.tf`, `app.yaml` - - **Keywords**: `OWASP`, `Security`, `VPC Service Controls`, `Access Context Manager`, `Egress` - ## Firebase Skills Skills focused on setting up, managing, and using various Firebase services. From 38b6359675f167ac45041f21f199de687372884c Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Mon, 16 Mar 2026 22:44:55 -0700 Subject: [PATCH 20/26] feat(conductor): update skill installation and style guide selection logic --- commands/conductor/newTrack.toml | 13 ++++++++++++- commands/conductor/setup.toml | 14 ++++++-------- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/commands/conductor/newTrack.toml b/commands/conductor/newTrack.toml index 9282a15..67c2248 100644 --- a/commands/conductor/newTrack.toml +++ b/commands/conductor/newTrack.toml 
@@ -144,7 +144,18 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - **type:** "choice" - **multiSelect:** true - **options:** (Populate with the recommended skills, providing a `label` and a `description` explaining the relevance for each). - - **Install:** If the user selects any skills, install them using the same logic as `setup.toml` (download from URL/Git to `.agents/skills/`). + - **Install:** If the user selects any skills, then for each selected skill: + - **Determine Installation Path:** + - If `alwaysRecommend` is true, set the path to `~/.agents/extensions/conductor/skills//`. + - Otherwise, set the path to `.agents/skills//`. + - Create directory at the determined path. + - **Determine Download Strategy:** + - If `party` is '1p': + - If `version` is provided, download that specific version. + - Otherwise, download the latest copy at the exact `url`. + - If `party` is '3p', MUST use the provided `commit_sha` to download the specific vetted commit. + - Download the content of the skill folder from the `url` specified in `catalog.md` (using the determined strategy) to the determined path. + - **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder. - **Notify:** **CRITICAL:** If you installed any new skills, you MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them." - **If no missing skills found:** Skip this section. diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 158a9f0..c7198c3 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml 
@@ -391,15 +391,13 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Label: "Skip", Description: "Do not install any skills at this time." 3. **Gather Selection (Conditional):** - **If user chose "Hand-pick":** - - **Batching Strategy:** You MUST split the list of available skills from the catalog into groups of 3-4 items. - - **Action:** Announce "I'll present the available skills in groups. Please select all that you wish to install." Then, immediately call the `ask_user` tool with the batched questions. - - **Single Tool Call:** Create one `ask_user` call containing a `questions` array with one question per group. - - **Question Structure:** + - **Action:** List all available skills from the catalog in the chat (including names and descriptions). + - **Prompt for Selection:** Use the `ask_user` tool with a single question: - **header:** "Select Skills" - - **type:** "choice" - - **multiSelect:** true - - **question:** "Which skill(s) would you like to install? (Part X/Y):" - - **options:** The subset of skills for this group (each with label as the skill name and description as the skill description). + - **type:** "text" + - **question:** "Which skill(s) would you like to install? You can type the names (comma-separated) or paste a list." + - **placeholder:** "e.g., firebase-auth-basics, firebase-firestore-basics" + - **Interaction Flow:** Wait for the user's response, then parse the selected skills based on the names provided. 4. **Process Selection:** - If "Install All": Install all recommended skills. - If "Hand-pick": Parse the results from the `ask_user` call and install selected skills. From 7f666a226618e43f280cbbd91175a0c89606741f Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Tue, 17 Mar 2026 13:08:43 -0700 Subject: [PATCH 21/26] feat(conductor): add devops skills to catalog --- skills/catalog.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) 
diff --git a/skills/catalog.md b/skills/catalog.md index 452af75..c65c84d 100644 --- a/skills/catalog.md +++ b/skills/catalog.md 
@@ -60,3 +60,37 @@ Skills focused on setting up, managing, and using various Firebase services. - **Detection Signals**: - **Dependencies**: `firebase`, `firebase-admin` - **Keywords**: `Firebase Hosting`, `Static Hosting` + +## DevOps Skills +Skills for designing, building, and managing CI/CD pipelines and infrastructure on Google Cloud. + +### cloud-deploy-pipelines +- **Description**: Manage the entire lifecycle of Google Cloud Deploy, from designing and creating delivery pipelines to managing releases and debugging failures. +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/devops/main/skills/cloud-deploy-pipelines/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `skaffold` + - **Keywords**: `Cloud Deploy`, `delivery pipeline`, `skaffold.yaml`, `clouddeploy.yaml` + +### gcp-cicd-deploy +- **Description**: Assistant for deploying applications to Google Cloud, supporting Static Sites (GCS), Cloud Run (Buildpacks or Images), and GKE. +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/devops/main/skills/gcp-cicd-deploy/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `gcloud` + - **Keywords**: `Cloud Run`, `GCS`, `Static Site`, `Deployment`, `Google Cloud` + +### gcp-cicd-design +- **Description**: Assistant for designing, building, and managing CI/CD pipelines on Google Cloud, focusing on architectural design and implementation planning. +- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/devops/main/skills/gcp-cicd-design/ +- **Party**: 1p +- **Detection Signals**: + - **Keywords**: `CI/CD`, `Pipeline Design`, `Google Cloud`, `Architectural Design` + +### gcp-cicd-terraform +- **Description**: Use Terraform to provision Google Cloud resources (GKE, Cloud Run, Cloud SQL) with standard GCS backend state management and IAM least-privilege. 
+- **URL**: https://raw.githubusercontent.com/gemini-cli-extensions/devops/main/skills/gcp-cicd-terraform/ +- **Party**: 1p +- **Detection Signals**: + - **Dependencies**: `terraform` + - **Keywords**: `Terraform`, `GCP`, `GCS Backend`, `Infrastructure as Code`, `IaC` From eb7de365801298d98fa8d8742a0e63c2ababcb98 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 18 Mar 2026 12:30:49 -0700 Subject: [PATCH 22/26] fix(conductor): ensure agent activates relevant skills in implement.toml --- commands/conductor/implement.toml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/commands/conductor/implement.toml b/commands/conductor/implement.toml index acf789b..fba29b3 100644 --- a/commands/conductor/implement.toml +++ b/commands/conductor/implement.toml 
@@ -81,6 +81,11 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - **Track Context:** Using the **Universal File Resolution Protocol**, resolve and read the **Specification** and **Implementation Plan** for the selected track. - **Workflow:** Resolve **Workflow** (via the **Universal File Resolution Protocol** using the project's index file). c. **Error Handling:** If you fail to read any of these files, you MUST stop and inform the user of the error. + d. **Activate Relevant Skills:** + - Check for the existence of installed skills in `.agents/skills/` (Workspace tier) and `~/.agents/extensions/conductor/skills/` (Extension tier). + - If either exists, list the subdirectories to identify available skills. + - Based on the track's **Specification**, **Implementation Plan**, and the **Product Definition**, determine if any installed skills are relevant to the track. + - **CRITICAL:** For every relevant skill identified, you MUST read its `SKILL.md` file (e.g., `.agents/skills//SKILL.md`) to activate it. You MUST explicitly apply and prioritize the guidelines, commands, and constraints from these files during the execution of the track's tasks. 4. **Execute Tasks and Update Track Plan:** a. **Announce:** State that you will now execute the tasks from the track's **Implementation Plan** by following the procedures in the **Workflow**. From cfb2fea7840cc53ff2a35b9a019bcd3e00f2cc6f Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 18 Mar 2026 12:39:26 -0700 Subject: [PATCH 23/26] fix(conductor): update skill activation phrasing per feedback --- commands/conductor/implement.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/commands/conductor/implement.toml b/commands/conductor/implement.toml index fba29b3..a9b78b3 100644 --- a/commands/conductor/implement.toml +++ b/commands/conductor/implement.toml 
@@ -85,7 +85,8 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Check for the existence of installed skills in `.agents/skills/` (Workspace tier) and `~/.agents/extensions/conductor/skills/` (Extension tier). - If either exists, list the subdirectories to identify available skills. - Based on the track's **Specification**, **Implementation Plan**, and the **Product Definition**, determine if any installed skills are relevant to the track. - - **CRITICAL:** For every relevant skill identified, you MUST read its `SKILL.md` file (e.g., `.agents/skills//SKILL.md`) to activate it. You MUST explicitly apply and prioritize the guidelines, commands, and constraints from these files during the execution of the track's tasks. + - **CRITICAL:** For every relevant skill identified, you MUST activate it and read its `SKILL.md` file (e.g., `.agents/skills//SKILL.md`). + - You MUST explicitly apply and prioritize the guidelines, commands, and constraints from these files during the execution of the track's tasks. 4. **Execute Tasks and Update Track Plan:** a. **Announce:** State that you will now execute the tasks from the track's **Implementation Plan** by following the procedures in the **Workflow**. From 874c4315d499e31b91908b4caf86d72c57b6259a Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 18 Mar 2026 12:39:43 -0700 Subject: [PATCH 24/26] fix(conductor): use exact 'ask the model to activate' phrasing --- commands/conductor/implement.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/commands/conductor/implement.toml b/commands/conductor/implement.toml index a9b78b3..2f23cc4 100644 --- a/commands/conductor/implement.toml +++ b/commands/conductor/implement.toml 
@@ -85,7 +85,7 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Check for the existence of installed skills in `.agents/skills/` (Workspace tier) and `~/.agents/extensions/conductor/skills/` (Extension tier). - If either exists, list the subdirectories to identify available skills. - Based on the track's **Specification**, **Implementation Plan**, and the **Product Definition**, determine if any installed skills are relevant to the track. - - **CRITICAL:** For every relevant skill identified, you MUST activate it and read its `SKILL.md` file (e.g., `.agents/skills//SKILL.md`). + - **CRITICAL:** For every relevant skill identified, ask the model to activate it and read its `SKILL.md` file (e.g., `.agents/skills//SKILL.md`). - You MUST explicitly apply and prioritize the guidelines, commands, and constraints from these files during the execution of the track's tasks. 4. **Execute Tasks and Update Track Plan:** From 00472c781543ef76cd0e5d58ba79946e66673851 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 18 Mar 2026 13:42:36 -0700 Subject: [PATCH 25/26] chore(conductor): explicit pause on skill reload --- commands/conductor/implement.toml | 2 +- commands/conductor/newTrack.toml | 6 +++++- commands/conductor/setup.toml | 9 ++++++--- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/commands/conductor/implement.toml b/commands/conductor/implement.toml index 2f23cc4..5bc9c1c 100644 --- a/commands/conductor/implement.toml +++ b/commands/conductor/implement.toml 
@@ -85,7 +85,7 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai - Check for the existence of installed skills in `.agents/skills/` (Workspace tier) and `~/.agents/extensions/conductor/skills/` (Extension tier). - If either exists, list the subdirectories to identify available skills. - Based on the track's **Specification**, **Implementation Plan**, and the **Product Definition**, determine if any installed skills are relevant to the track. - - **CRITICAL:** For every relevant skill identified, ask the model to activate it and read its `SKILL.md` file (e.g., `.agents/skills//SKILL.md`). + - **CRITICAL:** For every relevant skill identified, ask the agent to activate it and read its `SKILL.md` and reference files. - You MUST explicitly apply and prioritize the guidelines, commands, and constraints from these files during the execution of the track's tasks. 4. **Execute Tasks and Update Track Plan:** diff --git a/commands/conductor/newTrack.toml b/commands/conductor/newTrack.toml index 7ba44cd..aace1a2 100644 --- a/commands/conductor/newTrack.toml +++ b/commands/conductor/newTrack.toml 
@@ -160,9 +160,13 @@ PLAN MODE PROTOCOL: Parts of this process run within Plan Mode. While in Plan Mo - If `party` is '3p', MUST use the provided `commit_sha` to download the specific vetted commit. - Download the content of the skill folder from the `url` specified in `catalog.md` (using the determined strategy) to the determined path. - **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder. - - **Notify:** **CRITICAL:** If you installed any new skills, you MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them." - **If no missing skills found:** Skip this section. +### 2.4.1 Skill Reload Confirmation +1. **Execution Trigger:** This step MUST only be executed if you installed new skills in the previous section. +2. **Notify and Pause:** **CRITICAL:** You MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them. Let me know when you have done this." +3. **Wait for Confirmation:** You MUST pause your execution here and wait for the user to confirm they have run the command and reloaded the skills before proceeding. + ### 2.5 Create Track Artifacts and Update Main Plan 1. **Check for existing track name:** Before generating a new Track ID, resolve the **Tracks Directory** using the **Universal File Resolution Protocol**. List all existing track directories in that resolved path. Extract the short names from these track IDs (e.g., ``shortname_YYYYMMDD`` -> `shortname`). If the proposed short name for the new track (derived from the initial description) matches an existing short name, halt the `newTrack` creation. Explain that a track with that name already exists and suggest choosing a different name or resuming the existing track. diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 916158c..88081f8 100644 --- a/commands/conductor/setup.toml 
+++ b/commands/conductor/setup.toml @@ -417,9 +417,12 @@ PLAN MODE PROTOCOL: This setup process runs entirely within Plan Mode. While in - If `party` is '3p', MUST use the provided `commit_sha` to download the specific vetted commit. - Download the content of the skill folder from the `url` specified in `catalog.md` (using the determined strategy) to the determined path. - **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder. - - **Post-Installation Notification:** - - If any skills were installed, you MUST explicitly instruct the user: "Please run `/skills reload` to enable the installed skills." -6. **Continue:** Immediately proceed to the next section. +6. **Continue:** Immediately proceed to the next section (2.6.1). + +### 2.6.1 Skill Reload Confirmation +1. **Execution Trigger:** This step MUST only be executed if you installed new skills in the previous section. +2. **Notify and Pause:** **CRITICAL:** You MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them. Let me know when you have done this." +3. **Wait for Confirmation:** You MUST pause your execution here and wait for the user to confirm they have run the command and reloaded the skills before proceeding. ### 2.7 Finalization 1. **Generate Index File:** From 66982227c11354ed716d981421f00ea2c5043fb3 Mon Sep 17 00:00:00 2001 From: Hadi Minooei Date: Wed, 18 Mar 2026 13:55:06 -0700 Subject: [PATCH 26/26] fix(conductor): explicitly specify not to use ask_user tool in skill reload confirmation --- commands/conductor/newTrack.toml | 2 +- commands/conductor/setup.toml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/commands/conductor/newTrack.toml b/commands/conductor/newTrack.toml index aace1a2..fe3fee5 100644 --- a/commands/conductor/newTrack.toml +++ b/commands/conductor/newTrack.toml 
@@ -164,7 +164,7 @@ PLAN MODE PROTOCOL: Parts of this process run within Plan Mode. While in Plan Mo ### 2.4.1 Skill Reload Confirmation 1. **Execution Trigger:** This step MUST only be executed if you installed new skills in the previous section. -2. **Notify and Pause:** **CRITICAL:** You MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them. Let me know when you have done this." +2. **Notify and Pause:** **CRITICAL:** You MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them. Let me know when you have done this." Do NOT use the `ask_user` tool here. 3. **Wait for Confirmation:** You MUST pause your execution here and wait for the user to confirm they have run the command and reloaded the skills before proceeding. ### 2.5 Create Track Artifacts and Update Main Plan diff --git a/commands/conductor/setup.toml b/commands/conductor/setup.toml index 88081f8..1e0f32f 100644 --- a/commands/conductor/setup.toml +++ b/commands/conductor/setup.toml @@ -421,7 +421,7 @@ PLAN MODE PROTOCOL: This setup process runs entirely within Plan Mode. While in ### 2.6.1 Skill Reload Confirmation 1. **Execution Trigger:** This step MUST only be executed if you installed new skills in the previous section. -2. **Notify and Pause:** **CRITICAL:** You MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them. Let me know when you have done this." +2. **Notify and Pause:** **CRITICAL:** You MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them. Let me know when you have done this." Do NOT use the `ask_user` tool here. 3. **Wait for Confirmation:** You MUST pause your execution here and wait for the user to confirm they have run the command and reloaded the skills before proceeding. ### 2.7 Finalization
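
Review bot: In PATCH 19/26 (`skills/catalog.md`, the removed "GCP OWASP Top 10 Skills" section), the commit message does not say why ten `Party: 3p` entries are withdrawn, and nothing in the series handles copies that are already installed. Step d added to `implement.toml` in PATCH 22 finds skills by listing `.agents/skills/` and `~/.agents/extensions/conductor/skills/`, not by consulting the catalog, so a skill removed here keeps being activated wherever it was installed earlier. Please state the reason in the commit body and, if the entries were pulled because they should no longer be used, add a step that flags installed skills with no catalog entry.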
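
Review bot: In PATCH 20/26 (`newTrack.toml`, the new **Determine Download Strategy** block), the 1p branch falls back to "download the latest copy at the exact `url`", so a 1p skill without a `version` is fetched unpinned and whatever is at that URL at install time becomes agent instructions. I would require a `version` or `commit_sha` for 1p entries as well and stop with an error when neither is present. The 3p branch says to use `commit_sha` but not how: the catalog URLs visible in this series are `raw.githubusercontent.com/.../main/...` paths, so spell out that the SHA replaces the branch segment (or is checked out after the clone) and that the install fails if the requested commit cannot be fetched. Separately, `alwaysRecommend` being true sends the files to `~/.agents/extensions/conductor/skills/` from a per-track prompt; the option description shown to the user should say which skills will be written outside the workspace.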
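
Review bot: In PATCH 20/26 (`setup.toml`, **Gather Selection**), moving the hand-pick prompt to `type: "text"` means "parse the selected skills based on the names provided" now handles free-form input, and the hunk does not say what happens to a name that is not in the catalog. Because step 4 installs whatever the parse yields, require an exact match against a catalog entry name, report unmatched names back to the user, and install nothing for them rather than choosing the closest match. Step 4's "Parse the results from the `ask_user` call" is unchanged context written for the old choice answer; please confirm it still reads correctly for a text answer.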
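
Review bot: In PATCH 21/26 (`skills/catalog.md`, the four new DevOps entries), every entry is `Party: 1p` with a URL on `main` and no version or commit field, so under the install rule from PATCH 20 ("Otherwise, download the latest copy at the exact `url`") they always resolve to whatever is on that branch at install time. Add a version or commit SHA to each entry so that what is installed is what was reviewed. Smaller point: `skaffold`, `gcloud` and `terraform` are listed under **Dependencies**, while the Firebase entry in the context lines lists package names (`firebase`, `firebase-admin`); if detection reads dependency manifests these CLI names may not match anything, so document where they are expected to be found.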
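
Review bot: In PATCH 22/26 (`implement.toml`, new step d), "You MUST explicitly apply and prioritize the guidelines, commands, and constraints from these files" gives every `SKILL.md` under `.agents/skills/` or `~/.agents/extensions/conductor/skills/` priority without saying over what. Skills are discovered by listing subdirectories, so any directory present in the workspace's `.agents/skills/` is treated as an instruction source whether or not it came through the catalog install. Please state the precedence (user instructions and the project **Workflow** above skill guidance), restrict activation to skills that match a catalog entry, and require user confirmation before running a command that originates from a skill file. The sentence is carried unchanged through PATCH 23 to 25, so this applies to the final text too.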
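
Review bot: In PATCH 25/26 (`implement.toml`), the replacement line "ask the agent to activate it and read its `SKILL.md` and reference files" drops the example path and leaves "reference files" undefined, so it is unclear which files in a skill directory are meant to be read as instructions. The prompt is itself addressed to the agent, which makes "ask the agent" ambiguous about who performs the activation; PATCH 24 had the same issue with "ask the model". Name the activation mechanism and define "reference files" (for example, files that `SKILL.md` links to inside the same skill folder).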
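
Review bot: In PATCH 25/26 (`newTrack.toml` section 2.4.1 and the identical `setup.toml` section 2.6.1), step 3 says to wait until the user confirms the reload but defines no path for a user who declines or answers something else, and nothing checks afterwards that the new skills are actually available. Add the fallback (proceed without the new skills and say so) and a short verification after the confirmation. The notification text is now duplicated across two files, which is why PATCH 26 has to make the same one-line edit twice; consider keeping it in one place that both commands reference.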