All notable changes to the Claude Skills Library will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Unreleased — housekeeping: CHANGELOG backfill + per-domain counter validation
scripts/derive_counters.py --check now also validates the README "Skills Overview"
per-domain table: each domain row's count must equal the SKILL.md count in its linked
folder, and every on-disk domain must have a row. Previously --check only validated
the headline aggregates, so per-domain rows drifted silently (e.g. the markdown-html
domain was missing from the table entirely, and several rows lagged new-skill merges).
This closes that gap — CI gate G3 now catches per-domain drift too.
Fixed six stale domain-row counts and added the missing markdown-html row so the
per-domain rows sum to the headline total (354).
Earlier contributor-PR hardening merges updated headline counters but not this log. Backfilled, newest-first:
research/deep-research(PR #872, hardened from #851 by @Socialpranker) — rigor-first multi-source meta-research: 9-phase pipeline, triangulation (>=3 independent differently-typed sources per thesis), mandatory adversarial pass, per-source files with verbatim quotes, no fabricated citations. Full research/ plugin parity.engineering/zero-hallucination-coder(PR #870, hardened from #854 by @mehanshbarthwal-lab) — opt-in Discuss → Map → Decompose → Execute → Verify coding loop + lazy-senior YAGNI ladder; no invented APIs / assumed imports / placeholder code. Synthesizes Ralph, GSD Core, Graphify, Ponytail.ra-qm-team/skills/agent-decision-receipts(PR #868 + #869, hardened from #863 by @CWNApps) — tamper-evident, post-quantum-signed receipts for consequential agent actions (EU AI Act Art 12). Stdlib manifest builder; signing delegated to the Apache-2.0openagentontologypackage (opt-in install).engineering-team/skills/named-persona-adversarial-review(PR #867, superseding #866 by @YuhaoLin2005) — code review through named, sourced engineering philosophies with confidence-leveled attribution and an anti-fabrication rule for quotes.productivity/roast(PR #865) — 5-angle adversarial idea panel (Critic/Champion/Analyst/Investigator/Customer) → one GO/RESHAPE/KILL verdict, with a weighted veto-gated synthesizer + cheapest-48h-test designer.
Unreleased — local-seo-manager: local / Map-Pack SEO skill (this PR)
Hardened port of external contribution #797 (@Steffonet). Fills a gap: the library
had national/technical SEO (seo-audit, programmatic-seo) but no local /
Google Map-Pack SEO skill for service-area businesses (appliance repair, HVAC,
plumbing, cleaning, electrical).
- 4-mode SKILL.md — GBP audit, service-area page generation, NAP consistency, LocalBusiness schema.
- 3 stdlib scripts —
nap_checker.py(NAP consistency scanner),service_area_generator.py(neighborhood page-brief generator),schema_generator.py(LocalBusiness / HomeAndConstructionBusiness JSON-LD). - 3 references — 80-point local-SEO checklist, local schema types, review-response templates.
- Hardening applied before merge: fixed dangling cross-refs (
ai-seo→aeo, removed the non-existentgbp-content-creatorcompanion), description now passesskill_description_validator, and (per automated review)service_area_generatornow renders the previously-droppedbusiness_type/services/stateinputs,schema_generatorno longer emits an emptygeoblock, and the unusedimport syswas removed from all three scripts. - No
plugin.json/ marketplace entry needed — themarketing-skillsplugin globs./skills. - Counters: 352 → 353 skills, 590 → 593 Python tools, 718 → 721 references.
Unreleased — newgen audit follow-up: P0 fixes, path sweep, CI guards
Three skills were retired or merged in the newgen-audit follow-up (PR #835). If you installed or pinned any of these, migrate as follows:
| Removed skill | Why | Migrate to |
|---|---|---|
engineering/skills/command-guide |
Documented a different repository's commands and agents; instructed models to invoke agents that don't exist here | No replacement needed — the root commands/ folder and each plugin's own commands are the canonical command surface |
marketing-skill/skills/ai-seo |
Near-total overlap with the newer, tool-backed AEO skill | marketing-skill/skills/aeo — unique ai-seo content was preserved in aeo/references/bot_access_and_monitoring.md and aeo/references/extractable_content_patterns.md |
engineering/skills/release-manager |
489-line SemVer/Git-Flow textbook duplicating changelog-generator; its readiness checker crashed | engineering/skills/changelog-generator — now includes version_bumper.py, hotfix/rollback procedures, and the severity-SLA table. For release-readiness audits use engineering/skills/ship-gate |
Also restructured (no content change): engineering/universal-scraping-architect
moved its SKILL.md from plugin root to the standard skills/universal-scraping-architect/
layout. Marketplace source path is unchanged.
Unreleased — code-reviewer: C-specific smell detector + fixtures
Closes Phase 2 / Tier 1 of the post-#769 audit: brings C onto the same footing as C# and Java for deterministic detection. Until now, code_quality_checker.py only had check_<name>_specific_smells for C# and Java; C / C++ / Rust / Ruby / PHP / Dart all fell through to generic checks.
check_c_specific_smells()inscripts/code_quality_checker.py(~110 lines). Detects:- Banned functions —
gets,strcpy,strcat,sprintf,vsprintf(all no-bounds; CWE-242 and CWE-120 family). - Format-string vulnerability —
printf(var)/syslog(var)with a bare identifier as the format argument (CWE-134). Skips literal-string first args. - Unbounded
scanf—%sspecifier without a width (CWE-120). Suppressed when a width is present (%31s, etc.). malloc/calloc/reallocwithout NULL check — result variable not checked within 5 lines (CWE-690 NULL pointer dereference). Recognisesif (p == NULL),if (NULL == p),if (!p),if (p != NULL).free()without zeroing — pointer not set toNULLon the next real line (CWE-416 use-after-free guardrail). Low severity since some style guides skip it.system()with non-literal argument — command-injection surface (CWE-78). Suppressed when the argument is a string literal orNULL.
- Banned functions —
- Wired into
analyze_file()after the C# and Java dispatchers. assets/sample_c_smells.c+assets/sample_c_clean.c— labelled fixtures; every smell is annotated inline with the CWE it maps to. Smells fixture has 10 C-specific detector hits (some rules fire more than once); clean fixture has 0 hits and scores 100/A.expected_outputs/sample_c_smells_quality.json+expected_outputs/sample_c_clean_quality.json— regression-detection harness following the C# / Java pattern.- Documentation refreshed:
README.mdadds C to the "Language-specific smell packs" line and the bundled-fixtures table;SKILL.mdanddocs/skills/engineering-team/code-reviewer.mdupdate the "Adding a New Language" guide and "Regression Fixtures" section to reference C# + Java + C.
Verification: all 6 fixtures (C# / Java / C × smells / clean) match their committed expected_outputs/*.json byte-for-byte. C smells fixture scores 4/100 (F); C clean fixture scores 100/100 (A).
Not yet (separate PRs): check_<name>_specific_smells for C++, Rust, Python, Kotlin, PHP, Ruby, Dart, Go, Swift, TypeScript, JavaScript (audit-ranked sequence). C++ and Rust are next — security delta is highest there (smart-pointer ownership, unsafe block discipline).
Unreleased — code-reviewer: 6 new languages + analyzer wiring + doc sync
Six new language-rule files in engineering-team/skills/code-reviewer/languages/. Each follows the established 8-section contract (PR Analyzer Signals / Code Quality Checks / Security / Async / Resource Management / Exception Handling / Performance / Idioms). Contributor: @mitnick2012.
c.md— memory safety, banned functions (gets,strcpy,sprintfwithout bounds), pointer ownership, buffer-bounds discipline, undefined-behavior patterns.cpp.md— smart-pointer ownership transfer, RAII discipline,reinterpret_castaudit, missing virtual destructors, C++17/20 idioms.rust.md—unsafeblock justification,.unwrap()in production paths, Tokio runtime pitfalls,thiserrorvsanyhowseparation, clippy compliance.ruby.md— Rails-aware: N+1 withincludes,strong_parameters,YAML.safe_loadvsYAML.load,Marshal.load, Ruby 3.x idioms.php.md— SQL injection,unserialize,eval, file inclusion, CSRF, XSS, PHP 8.x idioms (match, enums,readonly).dart.md— Dart + Flutter unified: widgetdispose()lifecycle,BuildContextacross async gaps,constwidget optimization, state-management patterns.
SKILL.md dispatch table and --language valid-values comment updated accordingly. No existing language files were modified.
Post-merge audit of PR #769 surfaced a gap: SKILL.md's dispatch table and the --language help text both advertised coverage for the 6 new languages, but scripts/code_quality_checker.py was never updated — files in those languages were silently skipped by the deterministic analyzer.
Three structures in code_quality_checker.py extended (+94 / -1, stdlib-only):
LANGUAGE_EXTENSIONS— 6 new dict entries matchingSKILL.mdexactly.cdeclared beforecppso plain.hresolves to C per the dispatch-table contract.find_functionspatterns — language-aware function regexes. C/C++ require a trailing{(filters prototypes and call sites) plus negative-lookahead on control-flow keywords. Rust uses the unambiguousfnkeyword. Ruby handlesdef,def self.x, predicate (?) / bang (!) suffixes, parenthesised-or-bare params. PHP requires thefunctionkeyword. Dart matches typed-return-then-name with optionalasync/async*/sync*markers.find_classespatterns + nestedmethod_patterns— type-def regexes:struct/typedef structfor C;class/structfor C++;struct/enum/trait/unionfor Rust;class/modulefor Ruby;class/interface/trait/enumfor PHP;class/mixin/enum/extensionwith all 5 Dart 3 class modifiers (abstract/sealed/final/base/interface).
Verification: python3 scripts/code_quality_checker.py --help now lists all 14 languages as --language choices. Smoke-tested with a minimal sample per new language; each correctly detects functions and classes. All 4 bundled regression fixtures (csharp/java × smells/clean) still match their committed expected_outputs/*.json byte-for-byte.
Not yet: language-specific check_<name>_specific_smells detectors for the 6 new languages (only C# and Java have these today). Audit ranked C / C++ / Rust as the next-highest-leverage additions.
engineering-team/skills/code-reviewer/README.md— language list (line 3) and the "Review rules" guide-per-language reference (line 90) updated 7 → 13 languages.docs/skills/engineering-team/code-reviewer.md— MkDocs page synced: frontmatter description, file-tree, dispatch table (6 new rows), and--languagevalid-values comment.- Cross-platform sync indexes —
.gemini/skills-index.jsonand.vibe/skills/claude-skills/skills-index.jsonregenerated viascripts/sync-gemini-skills.py/scripts/sync-vibe-skills.py;.hermes/skills/claude-skills/skills-index.jsonhand-patched (full regen would have bundled 33 unrelated new-skill entries — left for a separate mirror-refresh PR)..codex/skills-index.jsonwas already current. All 3 updated mirrors now show the canonical 13-language description fromSKILL.mdfrontmatter.
Unreleased — Mistral Vibe cross-platform installation (closes #705)
scripts/sync-vibe-skills.py— installs claude-code-skills into Mistral Vibe (Apache-2.0 CLI coding agent). Fork ofsync-hermes-skills.pywith target~/.vibe/skills/claude-skills/<domain>/<skill>/, namespaced to avoid collisions with Vibe built-ins. Same flags:--verbose,--domain,--dry-run,--copy,--json,--target.scripts/vibe-install.sh— bash one-liner wrapper for parity withgemini-install.shandcodex-install.sh. Surfaces Vibe-specific post-install usage tips (/skills,/<slug>)..vibe/skills/claude-skills/— pre-generated tree committed to the repo: 306 skill symlinks across 14 domains plus askills-index.jsonmanifest. Lets users inspect the install surface without running the script. Mirrors the existing.hermes/skills/claude-skills/precedent.INSTALLATION.md— new "Mistral Vibe Installation" section (setup, direct Python invocation, verify, uninstall, Python CLI tools), plus TOC entry and a row in the cross-tool compatibility table.README.md— Mistral Vibe added to the "Works with" line, footnote describing the BYO-sync tier (mirrors the Hermes footnote), row in the Multi-Tool Support table, and FAQ updated from 12 → 13 supported tools.docs/index.md,docs/getting-started.md,docs/integrations.md— Mistral Vibe install tab added to all three pages, full ~130-line integration section parallel to Hermes section inintegrations.md, description meta tags updated 12 → 13 AI coding tools..claude-plugin/marketplace.json,mkdocs.yml— platform compatibility taglines updated; all 13 tools named explicitly inmkdocs.yml.
Mistral Vibe (released Jan 2026, v2.0) uses the Agent Skills spec — exactly the same SKILL.md + YAML frontmatter contract this repo already ships. Zero format conversion needed; the integration slots cleanly into the existing 5-target cross-platform sync pattern (.claude / .codex / .gemini / .hermes / .vibe). Issue #705 requested this from @saifjarboui.
Single-skill point release on top of v2.8.1. New productivity/handoff/ skill is a sibling to the existing engineering/handoff/ (shipped in v2.6.0). Both preserve Matt Pocock's seven-sentence body verbatim; the productivity variant adds the wrappers the engineering port deliberately skipped.
Single-skill plugin. Stdlib-only across the board. 23 files total.
SKILL.md— Matt Pocock's seven-sentence body preserved verbatim, surrounded by invocation triggers, output-path discipline, 5-section template (Goal / State / Decisions / Skills / Artifacts), redaction checklist, anti-patterns block in Matt's register, examples, usage table.scripts/setup.py— first-run Q&A. 5 core questions (save location, retention, redaction strictness, git context, recommender scope) plus 2 optional (filename style, project override). No pre-selected default for Q1: user explicitly picks OS temp / home folder / per-project.handoff// custom on first run. Prompt-once-then-default model: declining setup drops a sentinel so the prompt never re-appears./cs:handoff-setupre-runs anytime.scripts/handoff_template_generator.py— writes the 5-section scaffold at the configured path. Auto-includes git context (branch, last commit, dirty-file count) when in a repo + enabled in config.scripts/redaction_linter.py— 17 stdlib regex patterns: AWS access keys, AWS secret assignments, GitHub tokens, OpenAI keys, Anthropic keys, Slack tokens, Google API keys, Stripe keys, private-key blocks, JWT, env-style secret assignments, DB connection strings with creds, bearer tokens, URL token params, email, phone, private CIDR. Strict-by-default with inline<!-- handoff:allow secret -->whitelist marker. Operationalizes Matt's redaction sentence (which the engineering port left as prose-only).scripts/skill_recommender.py— scans repo SKILL.md files, scores against goal text, returns top 3-5 matches with one-line why. Hard cap at 5 — refuses to list more.scripts/cleanup.py— mtime-guarded retention cleanup. Never deletes a handoff the user edited as a working surface (data-loss prevention).scripts/config_loader.py— shared helper. Project config → global config → built-in defaults precedence.hooks/session_start.py+hooks/hooks.json—SessionStarthook surfaces latest handoff (within retention window) as<handoff_from_previous_session>data. Treated as data, not instructions. Disable viaHANDOFF_SESSIONSTART=0.references/handoff_prompt.md— mandatory 7-step checklist for the agent. Forces topic-by-topic classification (State / Decision / drop) instead of free-handing prose.references/handoff_structure.md— 5-section template with worked example.references/deduplication_discipline.md— Matt's no-duplication rule made concrete via do-this-not-that pairs.references/redaction_checklist.md— what regex catches + manual-review steps for what regex can't.references/configuration.md— field-by-field config reference.agents/cs-handoff-author.md+commands/cs-handoff.md+commands/cs-handoff-setup.md.
Three follow-up improvements judged most impactful in v1.1 design review.
hooks/session_end.py— pairs with SessionStart. When a session ends with no handoff in the last 30 minutes, prints a one-line reminder. Cannot prompt interactively or block session end (Claude Code hook constraint) — surfaces text via stdout. Disable viaHANDOFF_SESSIONEND=0.hooks/hooks.jsonupdated to wire both hooks.scripts/handoff_self_check.py— operationalizeshandoff_prompt.md. 6 checks: all 5 sections present, Goal non-empty, State bullets reference an artifact (commit hash / PR / file path), Open Decisions present when git is dirty / has recent commits, Skills 3-5 with— whyexplanation, Artifacts are paths/URLs only. Strict mode exits 1 only on high-severity findings (medium issues warn without blocking). Closes the fidelity gap (W3 from the design weakness list).--refreshflag onhandoff_template_generator.py— reuses the most recent handoff instead of creating a new file. Falls through to create-if-missing when none exists. Keeps the save location uncluttered./cs:handoffcommand flow updated to insert self-check between scaffold-fill and redaction linter.
| Aspect | productivity/handoff/ (v2.8.2) |
engineering/handoff/ (v2.6.0) |
|---|---|---|
| Primary audience | End-of-day / cross-machine session handoff | Code/PR handoff |
| First-run setup | Yes (5 questions, configurable save location) | No (fixed mktemp) |
| Redaction enforcement | Yes (linter + whitelist + strict/warn/off) | No |
| SessionStart auto-load | Yes (hook + retention-aware) | No |
| SessionEnd reminder | Yes (when no recent handoff) | No |
| Mandatory checklist | Yes (handoff_prompt.md, 7 steps) | No |
| Self-check fidelity script | Yes | No |
| Retention cleanup | Yes (mtime-guarded) | No |
Both stay. Cross-referenced in their READMEs.
Matt Pocock's handoff skill (MIT). Matt's seven-sentence body of SKILL.md is preserved verbatim. The wrapper around it (first-run setup, redaction enforcement, hooks, self-check, --refresh, retention) is original work in this repo.
Plugin audit ran twice (after each PR) — final state:
- Phase 2 (structure): 86.0/100 (GOOD) — above 75 threshold
- Phase 3 (quality): 63.0/100 (C) — above 60 floor (sibling
capturescores 46.4 on the same scorer) - Phase 4 (scripts): PASS — 7 scripts, 3 PASS + 4 PARTIAL (sibling
config_loaderimport flagged as external — false positive) - Phase 5 (security): PASS — 0 critical, 0 high
- Phase 6 (marketplace): PASS — plugin.json valid, marketplace entry at 2.8.2
- Phase 7 (ecosystem): PASS — Codex + Gemini indexed, 0 broken internal links
- Phase 8 (code review): PASS — all 7 scripts and 2 hooks work end-to-end
CLAUDE.mdCurrent Scope: 328 → 329 skills, v2.8.2 Highlights section added, footer bumped.mkdocs.ymlnav:productivity/handoffentry added under Productivity.docs/skills/productivity/handoff.mdgenerated.README.mdbadges: Skills 313 → 329, Agents 46+ → 49+, Commands 60+ → 79+. Productivity table row updated to 5 skills (incl. handoff).docs/index.md+docs/getting-started.md: counts and version references updated.- 0 remaining stale
v2.7.5references (an earlier version-number typo that this release also corrects).
- 328 → 329 skills (productivity: +1)
- 14 domains unchanged
- Plugins in marketplace: 59 → 60
- New artifacts: 23 files in productivity/handoff/
- #724 (v1.0 — 5 must-haves)
- #728 (v1.1 — SessionEnd + self-check + --refresh)
- #729 (docs sync)
[2.8.1] - 2026-05-20 — Engineering role-skill upgrade: karpathy-coder + Matt Pocock applied to fullstack / frontend / backend
The three role-based engineering skills — senior-fullstack, senior-frontend, senior-backend — were audited against the karpathy-coder + Matt Pocock canon already shipping in this repo (engineering/karpathy-coder, engineering/grill-me, engineering/grill-with-docs, v2.8.0 BizOps/Commercial pattern). Three findings drove the upgrade:
- Generic role descriptions, not opinionated workflows. Existing SKILL.md files described capabilities; they did not enforce assumptions, success criteria, or kill criteria.
- No customization surface. A 4-person SaaS startup and a 200-person enterprise read the same recommendations.
- No invocation contract. Other agents/skills could not orchestrate fullstack / frontend / backend lenses via a typed surface.
For each of senior-fullstack, senior-frontend, senior-backend:
scripts/<role>_decision_engine.py— stdlib-only deterministic profile picker. Refuses to recommend without the four core assumptions (Karpathy #1). Surfaces kill criteria. Names the human approver chain (never auto-approves).profiles/*.json× 4 — customization profiles, JSON-loadable, swappable. Users copy one to<your-org>.jsonto override defaults.references/forcing_questions.md— 7 Matt Pocock forcing questions per skill, one per turn, each with recommended answer + canon citation + kill criterion. 21 forcing questions total across the three roles.references/composition_map.md— explicit routing table to POWERFUL-tier specialists (api-design-reviewer, database-designer, slo-architect, performance-profiler, a11y-audit, epic-design, apple-hig-expert, etc.).
agents/engineering/cs-fullstack-engineer.md— walks 7 fullstack questions → decision engine → forks specialists.agents/engineering/cs-frontend-engineer.md— frontend equivalent.agents/engineering/cs-backend-engineer.md— backend equivalent.
All three are invokable by other agents via Agent({subagent_type:"cs-<role>-engineer", prompt:"..."}) — the "invokable by other agents" promise.
/cs:fullstack-review <prompt>— full grill + decision engine + composition routing./cs:frontend-review <prompt>— frontend equivalent./cs:backend-review <prompt>— backend equivalent./cs:engineer-grill <plan> [--lane fullstack|frontend|backend|all]— cross-role 21-question forcing-question runner.
Each augmented SKILL.md now has 4 new sections appended:
- Assumptions and Verifiable Success Criteria (Karpathy #1 + #4) — names the four core assumptions + three machine-checkable success criteria.
- Customization profiles — table of the 4 profiles + how to add an org-specific one.
- Composition map — table of which POWERFUL specialist to fork into per sub-concern.
- Forcing-question library (Matt Pocock grill) — summary of the 7 questions + the discipline.
- Invocation from other agents and skills — explicit contract: 3 surfaces.
- Karpathy #1 (Think Before Coding): every decision engine refuses to run without the four core assumption inputs.
- Karpathy #2 (Simplicity First): profiles never auto-recommend microservices unless team size + platform team + bounded-context independence all pass (Newman's MonolithFirst).
- Karpathy #3 (Surgical Changes): the upgrade did NOT rewrite existing SKILL.md content. New sections appended; existing tools / references / scaffolding untouched.
- Karpathy #4 (Goal-Driven Execution): every recommendation prints verifiable success criteria (latency floor, CWV target, SLO).
- Matt Pocock grill discipline: all 21 forcing questions ship with recommended answer + canon citation + kill criterion + one-per-turn rule.
- 12/12 profile JSON files parse cleanly (
json.load). - 3/3 new Python decision engines pass
--helpand--sample, exit code 0. - 3/3 new cs-* agents have valid YAML frontmatter with required keys (
name,description,skills,domain,model,tools,context: fork). - 3/3 agent → skill relative paths resolve from
agents/engineering/. - 3/3 slash commands reference their correct cs-* agent.
- Existing SKILL.md content unchanged (additive edits only — Karpathy #3, surgical scope).
Adding org-specific defaults requires zero code changes:
cp engineering-team/skills/senior-fullstack/profiles/saas-startup.json \
engineering-team/skills/senior-fullstack/profiles/my-org.json
# Edit constraints + stack_recommendations + named_approver_chain
# Decision engine auto-discovers the new profile via Path.glob('*.json')This is the "world-class customizable plugin" promise: profiles are the customization surface, not code.
engineering-team/.claude-plugin/plugin.json:2.2.3→2.8.1.claude-plugin/marketplace.json:engineering-skillsplugin →2.8.1
[2.8.0] - 2026-05-19 — business-operations + commercial domains, plugin.json regression fix, auto-release pipeline
Internal-ops skills for BizOps leads, COO direct reports, vendor management, IT ops. Both Sprints ship the orchestrator + 6 sub-skills using context: fork to chain without polluting parent context.
business-operations-skills(orchestrator) — routes inquiries to the right sub-skill and returns a digestprocess-mapper— BPMN modeling + bottleneck detection + cycle-time analysis (Lean + TOC canon: Womack & Jones, Goldratt, Rother & Shook, Reinertsen, Anderson, Pyzdek, Ohno, Liker)vendor-management(context: fork) — SLA tracking + risk scoring + supplier scorecards (NIST SP 800-161, ISO/IEC 27036, Shared Assessments SIG-Lite)capacity-planner(Sprint 2) — Erlang-C queueing math for ops teams; NOT engineering capacity (vpe-advisor's lane). Implements full Erlang-C in stdlib Python (~30 lines, log-space to avoid factorial overflow). Canon: Erlang 1909, Little 1961, Hopp & Spearman, Reinertsen, Kingman, ITIL.internal-comms(Sprint 2) — ADKAR (Prosci) + Kotter 8-step change-comms with magnitude validation (rejects celebratory framing on disruptive, layoff-keywords without disruptive magnitude). 5 tone profiles. Canon: Hiatt, Kotter, Bridges, Schein, Heath brothers, Lencioni.knowledge-ops(Sprint 2,context: fork) — Company SOPs + runbooks + KB hygiene with 5W2H validation. 6 industry profiles. 5 regulatory overlays (SOC2/HIPAA/ISO13485/GDPR/SOX). Canon: Ishikawa (5W2H), Liker (Toyota), Gawande (Checklist Manifesto), ISO 9001, ITIL v4, FDA 21 CFR Part 211, Google SRE Workbook.procurement-optimizer(Sprint 2) — UNSPSC-aligned spend categorization + supplier consolidation. HARD REFUSAL for tier-1 single-source consolidation without break-glass plan. Canon: A.T. Kearney, Spend Matters, Hackett, BCG, Productiv, Zylo, Vendr.- Distinct from
business-growth/(external sales),c-level-advisor/coo-advisor(strategic),engineering/slo-architect(system reliability),engineering/llm-wiki(personal PKM)
Per-deal-and-packaging economics skills for pricing, deal desk, partnerships, RFP, forecasting. Both Sprints ship the orchestrator + 7 sub-skills.
commercial-skills(orchestrator) — routes commercial inquiries viacontext: forkpricing-strategist— Van Westendorp WTP analysis (full PSM: OPP/IDP/PMC/PME + RAP, monotonicity screening, N<30 warning) + 5-model picker + 7 packaging anti-pattern detectors. Canon: Ramanujam (Monetizing Innovation), Skok, Tunguz, Campbell/ProfitWell, Bessemer, Poyar, Sawtooth.deal-desk— 5-dim deal scorer + discount approval routing (5-band policy + 4 industry variants) + 10-pattern terms redliner. Never auto-approves — every verdict names the human(s). Canon: SaaStr, Winning by Design, OpenView, Forrester, KeyBanc, IACCM/WorldCC.partnerships-architect(Sprint 2) — 5-tier classifier (REFERRAL/RESELLER/OEM/SI/STRATEGIC with hard floors per tier) + joint GTM + revshare modeler. Canon: Chintagunta, Hessling, Forrester, Moore, Tzuo, MPN, AWS APN.channel-economics(Sprint 2) — Fully-loaded CTS + 3-lens ROI (Cash / LTV / Marginal) + channel mix optimizer with sensitivity. Canon: Skok, Tunguz, Ramanujam, Kaplan & Cooper, Horngren, McKinsey, BCG.commercial-policy(Sprint 2) — Data-backed discount matrix (4-dim: ARR × term × payment × strategic) + exception flow with compensating commitments + 10-rule linter (L01-L10 BLOCKER/MAJOR/MINOR). Canon: OpenView, Skok, Tunguz, BVP, KeyBanc, SaaStr, Winning by Design.rfp-responder(Sprint 2,context: fork) — Shipley-method structured RFP/RFI/RFQ response. Parser with NICE>MANDATORY>WEIGHTED precedence + response drafter (HARD RULE: never invent claims for GAP) + winrate predictor with BID/PARTNER-BID/NO-BID verdict. Canon: Shipley Proposal Guide v6, APMP BoK, Sant, FAR, GSA.commercial-forecaster(Sprint 2) — 4Q-weighted bookings + cohort NRR/GRR + funnel-confidence with MANDATORY assumption disclosure. 3-tier commit/best-case/pipe-only with sandbag/hockey-stick detection. Canon: Skok, Tunguz, OpenView, BVP, Chen, Balfour, Ramanujam.- Distinct from
business-growth/sales-engineer(technical sale),business-growth/contract-and-proposal-writer(free-form authoring; RFP-responder handles buyer-dictated structured response),c-level-advisor/cro-advisor(strategic),finance/financial-analysis(close+report, not forward)
Every v2.8.0 SKILL.md ships a "Forcing-question library" section: 5–7 cited canon-anchored questions, walked one at a time by the orchestrator (or /cs:grill-bizops / /cs:grill-commercial), each with a recommended answer + a canon citation + depth-first decision-tree walking. Discipline derived verbatim from engineering/grill-me + engineering/grill-with-docs (Matt Pocock, MIT).
/cs:grill-bizops— Matt Pocock docs-anchored grilling for BizOps workflows/cs:grill-commercial— same for commercial decisions (pricing, deals, partnerships)- Plus 15 per-skill slash commands:
/cs:bizops,/cs:process-map,/cs:vendor-review,/cs:capacity-plan,/cs:internal-comms,/cs:knowledge-ops,/cs:procurement,/cs:commercial,/cs:pricing-strategy,/cs:deal-review,/cs:partner-tier,/cs:channel-econ,/cs:commercial-policy,/cs:rfp-respond,/cs:commercial-forecast
- Pricing: outputs are model + range, never a single number — the human picks the number
- Deal-desk: every verdict (incl. APPROVE) names the human approver — never auto-approves
- Forecaster: every output names the conversion assumption + data window + weighting choice explicitly
- RFP: GAP requirements are surfaced for leadership decision — never invents claims
- Partnership: STRATEGIC tier requires named-account independent-demand evidence
- Procurement: tier-1 single-source consolidation refused without documented break-glass plan
- Vendor: scoring outputs route to a named human reviewer — never auto-replaces
Final housekeeping to take v2.8.0 from "Sprint 2 complete" to "release-ready":
- Cross-platform sync —
scripts/sync-codex-skills.py,scripts/sync-gemini-skills.py, andscripts/sync-hermes-skills.pyextended to recognizebusiness-operations/andcommercial/top-level domains. Codex symlinks regenerated for 15 new skills; Gemini index expanded by 30 entries. - Docs generation —
scripts/generate-docs.pyextended with Pass 2 command discovery walking<domain>/commands/<cmd>.md(v2.8.0 pattern) AND<domain>/<skill>/commands/<cmd>.md(v2.7.0 pattern). Now generates 311 skill pages + 75 agent pages + 69 command pages (was 311 + 73 + 34) across 14 domains. The previously-missing v2.7.0 commands (capture, pulse, landing, etc.) plus all v2.8.0 commands now have rendered MkDocs pages. - MkDocs nav —
mkdocs.ymlupdated with new "Business Operations" and "Commercial" sections (14 sub-skill entries), 2 new orchestrator agents, and 17 new slash commands. - Plugin manifest validation — both
business-operations/.claude-plugin/plugin.jsonandcommercial/.claude-plugin/plugin.jsonpassscripts/check_plugin_json.py --allcleanly (recognizedsourceextension field per PR #690). - Per-skill audit —
scripts/audit_skills.pyran across 329 skills total; all 13 v2.8.0 sub-skills audited with checklist scores 2-5/6 (dominant failure: rule #2 "SKILL.md under 100 lines" — known tension with our deliberate "Forcing-question library" depth; documented as ADVISORY for skills that deliberately expose extended grill discipline).
.github/workflows/release.yml— On every push tomain, parses CHANGELOG.md and auto-creates a git tag + GitHub Release for the latest version listed. Idempotent (skips if tag already exists). Release notes are extracted from the matching CHANGELOG section.scripts/extract_release_notes.py— Stdlib-only CHANGELOG parser. Extracts the latest version, date, subtitle, and body. Used by the release workflow but also runnable standalone for previewing release notes.
Claude Code 2.1.133+ rejects "skills": "./skills" with a "Path escapes plugin directory" warning, even though ./skills resolves to a valid subdirectory inside the plugin root. This blocked skill registration for the 9 main marketplace plugins plus 38 sibling sub-plugins.
- PR #689 — replaced
"skills": "./skills"with"skills": "skills"across all 47 affectedplugin.jsonfiles. UpdatedCLAUDE.mdClawHub publishing constraints to document the new convention. - PR #690 (regression prevention) —
scripts/check_plugin_json.pynow actively rejects any"skills"string starting with"./"(catches both"./skills"and"./skills/sub"regressions). Wired intoci-quality-gate.ymlas a blocking step on every PR. Also recognizedsourceandattributionas approved extension fields (per CLAUDE.md), and dropped the over-strict"./"rejection inside arrays (["./"]is the documented single-skill-at-root form). Validator's previous error message was actually recommending"./skills"verbatim — a leftover from #539, the first round of this same upstream rule tightening — which has been corrected.
This is the second round of the same Claude Code path-validator tightening (round 1 was #539, fixing "./" → "./skills" at CC v2.1.107). The new validator + CI gate prevents a future round 3 from silently shipping again.
- inspect-assets.py (#684, contributor: @TemaDeveloper) —
--helpnow works without Pillow installed - Codex symlink syncs (automated)
- 313 → 328 skills (+15: business-operations 7 + commercial 8)
- 12 → 14 top-level domains
- 60 → 77 slash commands (+17 new
/cs:*commands) - 402 → 441 stdlib Python tools (+39: 13 sub-skills × 3 tools each)
- 542 → 581 reference documents (+39, each citing ≥7 authoritative sources)
- 46 → 48 cs- agents* (+2: cs-bizops-orchestrator, cs-commercial-orchestrator)
- 57 → 59 marketplace plugins (+2: business-operations-skills, commercial-skills)
- 34 → 69 documented slash commands in MkDocs (+35: previously-orphaned v2.7.0 + all v2.8.0)
- 73 → 75 documented agents in MkDocs (+2)
- All 39 Python tools pass
--helpand--samplesmoke tests (exit 0) - All 39 reference docs cite ≥7 authoritative sources
- 0 external imports (stdlib-only across the board)
- 0 LLM calls in tool scripts (deterministic, repeatable)
Ported alirezarezvani/aeo-box after a full component audit. Two new skills, one preserved megaprompt, and a Hermes Agent install/configure walkthrough.
A discipline distinct from SEO. AEO optimizes content for citation in LLM-generated responses (ChatGPT, Perplexity, Claude, Gemini, Mistral); SEO optimizes for search rankings. New 8th pod in marketing-skill.
aeo_audit.py— E-E-A-T + structure scoring, 0-100 composite with letter grade. 8 industries with calibrated thresholds (YMYL industries 85+, SaaS/b2b/media 70, ecommerce 65).aeo_optimizer.py— Content rewriting in 3 modes (conservative/balanced/aggressive). Auto-injects schema.org Article + FAQPage JSON-LD.citation_tracker.py— Local-first citation ledger at~/.aeo-data/citations.json. Stats: count, LLM coverage, velocity, top queries, verdict (EARLY / EMERGING / STRONG).- 3 references each citing 8 sources: E-E-A-T canon (Google QRG adapted for LLM citation), per-LLM citation patterns (with 73% cross-LLM correlation analysis), AEO-vs-SEO strategic choice.
cs-aeoagent (pragmatic content strategist; refuses fake authority signals) +/cs:aeoslash command.
Ported from David Dworken (@dworken) at Anthropic (MIT). PreToolUse hook that catches 12 security anti-patterns in Edit/Write/MultiEdit operations before they're written:
| Pattern | Upstream | Added in this port |
|---|---|---|
child_process.exec / execSync |
✓ | |
new Function |
✓ | |
eval( |
✓ | |
dangerouslySetInnerHTML |
✓ | |
document.write |
✓ | |
.innerHTML = |
✓ | |
pickle |
✓ | |
os.system |
✓ | |
| GitHub Actions workflow injection | ✓ | |
subprocess shell=True |
✓ | |
SQL via f-string or .format |
✓ | |
yaml.unsafe_load |
✓ |
Session-state caching prevents nagging (warn once per file+rule combo); 30-day auto-cleanup; disable per-session with ENABLE_SECURITY_REMINDER=0. Full attribution block in plugin.json credits the upstream.
1,579-line multi-agent AEO application spec preserved verbatim. Keeps Path-B option open for future "build the full agentic AEO app" work.
Earlier user-flagged docs gap: nowhere did the repo tell users HOW to install Hermes Agent itself (only how to install our skills INTO Hermes). Added macOS/Linux/Windows install paths, complete first-run walkthrough, sample ~/.hermes/config.yaml, and a 6 Q&A troubleshooting section.
- Marketplace: 55 → 57 plugins. Top-level + metadata descriptions updated to v2.7.3 / 313 skills.
- Domain plugin.json:
marketing-skill/.claude-plugin/plugin.jsondescription updated from "44 skills across 7 pods" → "45 skills across 8 pods" (adds AEO pod). Version bumped 2.2.3 → 2.7.3. - CLAUDE.md: root + marketing-skill CLAUDE.md refreshed to 313/402/542 counts.
- README.md: badges (313 / 46+ / 60+), Skills Overview table row counts, FAQ counts.
- docs/index.md + getting-started.md + mkdocs.yml: title, meta description, hero subtitle, grid cards, nav entries.
- MkDocs: 401 → 403 generated pages (296 skill + 73 agent + 34 command).
- Moved
marketing-skill/agents/cs-aeo.md→agents/marketing/cs-aeo.md(repo convention: agents live at rootagents/<domain>/). - Moved
marketing-skill/commands/cs-aeo.md→commands/cs-aeo.md(repo convention: commands live at rootcommands/). - Cleaned empty
marketing-skill/agents/andmarketing-skill/commands/directories. - Without this fix,
scripts/generate-docs.pywouldn't have generated docs/agents/cs-aeo.md or docs/commands/cs-aeo.md.
.codex/skills-index.json: 303 → 305 skills..gemini/skills-index.json: 353 → 355 items..hermes/skills/claude-skills/skills-index.json: 305 skills across 12 domains.
aeo: PASS WITH WARNINGS — structure 86.4/GOOD, quality 52.4/D (validator expects legacy frontmatter fields v2.7 skills don't use), 3/3 scripts PASS, 2 HIGH security findings (NET-EXFIL from urllib.request — same known false-positive as sister seo-audit skill; URL fetch is core functionality for content-audit-by-URL tools).
security-guidance: PASS WITH WARNINGS — structural mismatch (validators assume scripts/ layout, hook plugins use hooks/ per Claude Code spec), 6 CRITICAL + 4 HIGH security findings are all recursive false-positives (the auditor detects the hook's own pattern-strings like "exec(", "eval(", "yaml.load(" as actual calls — verified zero real exec/eval calls). Live smoke test: eval(input()) in Write tool → exit 2 + warning. Real defects: 0.
#678 (Hermes first-class integration) → #679 (aeo-box port + Hermes install guide) → this PR (v2.7.3 release: docs sync + layout fix + CHANGELOG + audit).
- All 4 new Python tools pass
--helpand--sample. - Security hook smoke-tested: exit 2 on detection, exit 0 on cached/clean.
- All 3 cross-platform syncs ran clean.
- MkDocs build: exit 0, 450 HTML pages generated.
[2.7.0] - 2026-05-16 — v2 megaprompt-to-skill conversion sweep: 13 new skills (productivity + marketing + research)
This release ships the complete v2 megaprompt collection (megaprompts/01-13) as production-ready skills using the Path-B direct-conversion pattern: each megaprompt's body becomes the SKILL.md verbatim, wrapped in the standard 11-file plugin layout (.claude-plugin/plugin.json, README, agent, command, SKILL.md, 3 references citing 7+ sources each, 3 stdlib Python scripts).
Three new top-level domain folders were created to host the 13 skills:
| Domain | Skills | Build pattern |
|---|---|---|
productivity/ |
capture, email (paired: inbox-setup + inbox-triage), reflect |
Personal-productivity slices — single-action intake, KB-file contract between pair |
marketing/ |
landing |
Single-file HTML landing-page generator with 4 design styles |
research/ |
pulse, litreview, grants, dossier, patent, syllabus, notebooklm, research (orchestrator) |
7 research-pack siblings + 1 hybrid router |
13 skills, 142 files, 23,698 lines of code + documentation. All scripts stdlib-only. All references cite 7+ authoritative sources.
productivity/capture/(PR #659) — Brain-dump-to-action workspace. Classify→cluster→connect→clarify intake. Path-B from megaprompt 05.productivity/email/(PR #661) — Email-workflow skill pair.inbox-setupbuilds taxonomy/KB;inbox-triageclassifies + drafts (drafts-only, never auto-send). 7-file KB contract between them. Path-B from megaprompts 06+07.productivity/reflect/(PR #668) — Light-prompt reflection sibling of capture. Path-B from megaprompt 08.
marketing/landing/(PR #662) — Single-file HTML landing-page generator. 4 design styles, brand palette validator, GSAP animation patterns, kebab-slug URL hygiene. Path-B from megaprompt 04.
research/pulse/(PR #660) — Multi-source recency research (Reddit/HN/X/web sentiment + trending). Research-pack convention. Path-B from megaprompt 01.research/litreview/(PR #663) — Academic literature orientation. PICO/SPIDER frameworks, systematic review structure, 8-section DOCX guide. Path-B from megaprompt 09.research/grants/(PR #664) — NIH grant-funding intelligence. RePORTER/NOSI/study-section navigation, R01/R21/K-award strategy. Path-B from megaprompt 11.research/dossier/(PR #664) — Decision-grade entity research. Due-diligence/background-check/competitor-prep with tier-weighted verdict + citation tracker. Path-B from megaprompt 02.research/patent/(PR #666) — Patent prior-art + IP landscape. FTO/novelty/family-resolver via 3-pass Jaccard heuristic. Path-B from megaprompt 12.research/syllabus/(PR #666) — Course supplementary-reading skill. Topic-grouper + bundled Node.js DOCX generator. Path-B from megaprompt 10.research/notebooklm/(PR #669) — Google NotebookLM browser-automation. 4 actions (read/extract, add-source, Studio outputs, create notebook). Screenshot-first + find-before-click + fire-and-notify discipline. Path-B from megaprompt 03.research/research/(PR #671) — Research orchestrator (hybrid router + fallback). Deterministic SIGNALS classification routes to the 6 specialists above at ≥2-signal confidence, else runs own 8-step plan-decompose-search-synthesize-cite fallback. Routing transparency mandatory. Distinct fromengineering/autoresearch-agent(Karpathy's file-optimization loop). Path-B from megaprompt 13.
.claude-plugin/marketplace.json: 43 → 55 plugins. 12 new entries (email-pair holds 2 skills) across 3 categories. New categories added:productivity,research..codex/skills-index.json: 290 → 303 entries. 13 new skills indexed with category metadata..codex/skills/symlinks: 11 new symlinks created (capture + pulse already existed from prior auto-sync).scripts/sync-codex-skills.py: Addedproductivity/,marketing/,research/toSKILL_DOMAINSso future auto-sync runs pick up the new top-level domains.
This release formalizes the Path-B direct-conversion pattern for future megaprompt-derived skills:
- Megaprompt body → SKILL.md preserving content verbatim
- 11-file standard plugin layout (12 files for skills with bundled JS DOCX generators like syllabus)
- 3 stdlib Python scripts per skill (no external deps)
- 3 reference docs per skill, each citing 7+ authoritative sources
cs-*agent +/cs:*command per pluginsourcefield inplugin.jsondocumentsspec(megaprompt path) +build_pattern+distinct_from(where disambiguation needed)
- 39/39 scripts pass
--helpacross all 13 skills - 8-phase plugin audit on
research/research: PASS WITH WARNINGS (structure 84.1/GOOD, scripts 3/3, security 0 findings) - Spot-check audit on pulse / litreview / notebooklm: all 86.4/GOOD, 3/3 scripts, security PASS
- Bulk audit on remaining 9 skills: all 79.5-86.4 structure, 0 critical/high security findings (1 false positive in syllabus on a user-facing
npm install docxerror-message string literal) - Cross-skill consistency: 7/7 research-pack siblings carry the
Agent Integrity Rulesblock (1 q/sec rate limit, three-count tracking, retry-once-after-3s, source discipline) - Orchestrator disambiguation:
distinct_from autoresearch-agentcallouts present in plugin.json + README + SKILL.md + agent + command (5 places)
#659 (capture), #660 (pulse), #661 (email pair), #662 (landing), #663 (litreview), #664 (grants+dossier), #666 (patent+syllabus), #667 (domain-folder cleanup), #668 (reflect), #669 (notebooklm), #671 (research orchestrator), #672 (v2.7.0 release prep — this commit).
[2.6.1] - 2026-05-14 — Meta-skill maturity: validator expansion + 21 placeholder descriptions + audit tool
scripts/audit_skills.py(./scripts/audit_skills.py) — repo-wide write-a-skill validator runner. Stdlib-only orchestration that walks every SKILL.md in the repo, runsskill_review_checklist_runner.pyagainst each, and aggregates results (PASS/WARN/FAIL counts, failure-by-rule breakdown, top-10 worst offenders). Excludes auto-generated tool bundles (.gemini/,.codex/,.cursor/,.cline/) and template fixtures. ~30s to run across 298 real skills. Merged via #646.
The v2.6.0 validators recognized only Use when, Use for, Invoke when, Trigger when as valid trigger phrases. But legacy skills had semantically-valid natural-English triggers like Use before annual GDPR review (gdpr-audit-prep). Expanded trigger patterns to include:
Use before/during/after/while ...Invoke before/after ...Apply when ...Run when/before ...
Impact: 30 legacy skills reclassified from FAIL → WARN/PASS automatically. Karpathy complexity_checker: 100/100 PASS on both modified validators (skill_description_validator.py + skill_review_checklist_runner.py). Merged via #647.
The v2.6.0 audit revealed 21 skills (~7% of repo) whose description field was literally just the skill name (e.g., description: "Migration Architect"). These were real bugs from a v2.0.0 batch import. All 21 fixed in this release.
Top-10 POWERFUL-tier engineering skills (merged via #647):
migration-architect— zero-downtime migration planning + rollback strategydependency-auditor— vulnerabilities + license + safe-upgrade auditcodebase-onboarding— codebase analysis + onboarding doc generationci-cd-pipeline-builder— pragmatic CI/CD from project stack signalsmcp-server-builder— MCP servers from OpenAPI contracts (Python + TS)observability-designer— metrics + logs + traces + SLI/SLO designapi-design-reviewer— REST design review + breaking-change detectionperformance-profiler— Node/Python/Go profiling + flamegraphs + load testschangelog-generator— Conventional Commits → release notes automationrunbook-generator— operational runbooks from service name + templates
Remaining 11 across 4 domains (merged via #648):
executive-mentor/skills/challenge— pre-mortem plan analysisexecutive-mentor/skills/board-prep— adversarial board prepgit-worktree-manager— parallel feature work with Git worktreesskill-tester— meta-skill QA (structure + script + quality scoring)monorepo-navigator— Turborepo / Nx / pnpm / Lerna navigationenv-secrets-manager— env-var hygiene + secrets rotationagent-workflow-designer— production-grade multi-agent workflowsincident-commander— incident response frameworkemail-template-builder— React Email + provider integrationstripe-integration-expert— subscriptions + webhooks + billingcontract-and-proposal-writer— jurisdiction-aware business documents
Each new description: ≤1024 chars, third person, action verb in first sentence, "Use when ..." trigger in second sentence per Matt Pocock's rule.
Updated engineering/write-a-skill/skills/write-a-skill/references/quality_gates_for_skills.md to formalize the binding-for-new vs advisory-for-legacy split. The 6-item checklist remains BLOCKING for post-v2.6.0 skills and ADVISORY for the 298 legacy SKILL.md files.
Why: forcing the gate as blocking would either delay every PR or require disabling the gate. The pragmatic split lets the repo grow the PASS count over time without force-marching 298 retrofits.
Against the 298 real-skill cohort (excludes auto-generated bundles):
| Metric | v2.6.0 baseline | v2.6.1 (now) | Δ |
|---|---|---|---|
| ✅ PASS (6/6) | 4 (1%) | 9 (3%) | +5 |
| 🟡 WARN (5/6) | 111 (37%) | 137 (46%) | +26 |
| 🔴 FAIL (≤4/6) | 183 (61%) | 152 (51%) | -31 |
| "Missing trigger" failures | 119 (39%) | 68 (23%) | -51 |
31 skills total lifted from FAIL → WARN/PASS in v2.6.1.
- #646 —
scripts/audit_skills.pyrepo-wide audit harness - #647 — validator trigger expansion + 10 placeholder description fixes + legacy advisory
- #648 — closes out remaining 11 placeholder description fixes
- v2.6.2 candidate: 27% terminology drift (agent/bot, skill/tool mixing). Larger scope; requires careful prose edits.
- v2.7 candidate: large-scale audit against the 100-line ceiling. 88% of legacy skills exceed it. Decide which top-20 high-traffic skills to refactor with
references/<topic>.mdsplits.
[2.6.0] - 2026-05-13 — Matt Pocock productivity skills: write-a-skill + caveman + grill-me + handoff
-
write-a-skill skill (
./engineering/write-a-skill/) — skill-author meta-skill derived from Matt Pocock's write-a-skill (MIT). Matt's SKILL.md content + 3-phase workflow (Gather → Draft → Review) preserved verbatim per his MIT license.- 3 stdlib Python validation tools:
skill_description_validator.py(5-check verdict: present, ≤1024 chars, third person, "Use when" trigger, action verb in first sentence),skill_structure_validator.py(6-check verdict: SKILL.md present + ≤100 lines, references when split needed, one-level-deep, no circular refs, scripts/ folder note),skill_review_checklist_runner.py(combined 6-item runner per Matt's checklist). - 4 references (7-8 sources each): progressive disclosure principles (Matt, Anthropic, Don Norman, Pirolli & Card, Maeda, DocOps, Pareto), description design patterns (Matt, Anthropic, Garrett, Nielsen Norman, Karpathy, SEO), quality gates (Matt, Humble & Farley, Kim et al., Hyrum's Law), companion tooling.
- cs-skill-author persona agent (forcing-question interrogator).
/cs:write-a-skillslash command (6-question forcing interrogation mirroring Matt's review checklist).
- 3 stdlib Python validation tools:
-
caveman skill (
./engineering/caveman/) — token-compression mode derived from Matt Pocock's caveman (MIT). Matt's persistence rules + auto-clarity exception preserved verbatim.- 3 stdlib Python tools:
caveman_compressor.py(deterministic application of Matt's rules — drop articles/filler/pleasantries/hedging, abbreviate technical terms, causality arrows; 20-50% typical reduction, 75% upper bound),token_savings_estimator.py(chars/token heuristic for prose vs technical text + $/Mtok cost extrapolation),caveman_lint.py(detects banned vocab with code-block + exception-zone whitelisting). - 3 references (7-8 sources each): compression principles (Matt, Strunk & White, Plain Language Movement, Pinker, Williams, Anthropic, tokenizer heuristics), when caveman backfires (Matt, NN/g, FAA cockpit-warning research, Krug, Schneier, Larson), companion tooling.
- cs-caveman-mode persona agent (persistence-enforced operator).
/cs:cavemanslash command.
- 3 stdlib Python tools:
-
grill-me skill (
./engineering/grill-me/) — relentless plan-interrogator derived from Matt Pocock's grill-me (MIT). Matt's one-at-a-time interview discipline preserved verbatim.- 3 stdlib Python tools:
decision_tree_extractor.py(6 branch kinds: intent / choice / open / tradeoff / dependency / question),question_generator.py(forcing questions with recommended answers + dependency-aware ordering),grill_session_tracker.py(JSON-backed state in~/.grill_sessions/for multi-day grills). - 3 references (7-8 sources each): forcing-question patterns (Matt, Socratic Method, YC office-hours, 5 Whys, Cockburn, Popper, Galef, Larson), when to stop grilling (Matt, Galef, Kahneman, Bezos Type 1/2 decisions, YC Founder School, Cynefin), companion tooling.
- cs-grill-master persona agent (one-question-at-a-time enforcer with codebase-exploration-first discipline).
/cs:grill-meslash command.
- 3 stdlib Python tools:
-
handoff skill (
./engineering/handoff/) — conversation-continuity generator derived from Matt Pocock's handoff (MIT). Matt's no-duplication discipline +mktempconvention preserved verbatim.- 3 stdlib Python tools:
handoff_template_generator.py(5-section scaffold tailored to 5 next-session emphases: deploy/review/debug/design/test/default; honors Matt'smktemp -t handoff-XXXXXX.md),artifact_deduplicator.py(detects PRD/ADR/issue/commit/long-code-block duplication with reference suggestions),skill_recommender.py(matches handoff content to 14 skills in this repo, ranked by signal strength). - 4 references (7-8 sources each): handoff structure (Matt, DRY, runbook patterns, Atlassian, GitHub PR conventions, Anthropic, Kim et al.), deduplication discipline (Matt, Hunt & Thomas, Fowler, DocOps, Karpathy LLM Wiki, git-as-source-of-truth, Stripe API versioning), next-session skill matching (Matt, Anthropic, TF-IDF/BM25, recommender systems, Karpathy, Hyrum's Law), companion tooling.
- cs-handoff-author persona agent (no-duplication-tolerated).
/cs:handoff <next-session-focus>slash command with argument-hint per Matt's convention.
- 3 stdlib Python tools:
All four skills derive from Matt Pocock's MIT-licensed skills repo — "Skills for Real Engineers. Straight from my .claude directory". Matt's SKILL.md content reproduced verbatim under MIT. Attribution in every file: README.md + plugin.json attribution block + SKILL.md frontmatter metadata + agent + command + reference footers.
This release establishes the pattern for deriving MIT-licensed external skills into this repo:
- Preserve upstream voice verbatim in SKILL.md
- Add wrapper layer: stdlib Python validation tools + 3-4 references (each citing ≥ 5 authoritative sources) + cs-* persona agent + /cs:* slash command
- Karpathy-coder gate before merge (complexity_checker + assumption_linter)
- Attribution discipline in plugin.json + README + every file footer
- 12 Python tools total: 100/100 complexity across all (0 findings) — karpathy
complexity_checkerPASS - 13 references total: 7-8 authoritative sources each (well over the ≥ 5 floor)
- All 4 SKILL.md PASS write-a-skill's own 6-item review checklist (the meta-skill dogfooded)
- SKILL.md sizes: 144 (write-a-skill, wrapper preserves Matt's full content), 69 (caveman), 58 (grill-me), 41 (handoff) — three of four under Matt's 100-line ceiling; write-a-skill documented exception (verbatim preservation overhead)
- pytest: 1,921 tests passing
- CI: PR 2 caught the missing H1 issue via
test_skill_integrity.py(test suite worked as designed); fixed in a follow-up commit before merge
- assumption_linter false positives on
caveman_compressor.py,caveman_lint.py,artifact_deduplicator.py,handoff_template_generator.py,skill_recommender.py: the linter flags banned-vocabulary strings (just, simply, fix, refactor, of course) that appear inside the tools' DATA dictionaries — these strings exist precisely to be detected. Documented as expected; no code change. - caveman compression ratio: Matt's stated "~75%" is the upper bound on extremely verbose responses with multiple pleasantries + filler + hedging. Realistic compression on typical mid-conversation text is 20-50%. Documented in
compression_principles.md.
- PR #642 — write-a-skill alone (merged 2026-05-13)
- PR #643 — caveman + grill-me + handoff batch (merged 2026-05-13)
- 5 new C-role docs pages added to
mkdocs.ymlnav (C-Level Advisory section): General Counsel Advisor, Chief Data Officer Advisor, Chief AI Officer Advisor, Chief Customer Officer Advisor, VP Engineering Advisor. - 13 new cs- agent docs pages* added to
mkdocs.ymlnav (Agents section): cs-cfo / cs-cmo / cs-cro / cs-cpo / cs-coo / cs-chro / cs-ciso / cs-chief-of-staff / cs-general-counsel / cs-cdo / cs-caio / cs-cco / cs-vpe. mkdocs-redirectsplugin added tomkdocs.ymlplugins list. Provides client-side redirects (meta-refresh + JS fallback) — Google's SERP indexing treats meta-refresh with delay=0 as 301-equivalent.
scripts/generate-docs.pydedup bug: the auto-generator created BOTH<name>.md(bundled) AND<name>-<name>.md(standalone wrapper) for dual-published skills, producing duplicate-content pages. The dedup now detects the dual-publish pattern (<domain>/<name>/skills/<same-name>/SKILL.mdpaired with<domain>/skills/<name>/SKILL.md) and skips the standalone mirror in favor of the bundled (canonical) version.- 4 pre-existing engineering dual-publish duplicate pages deleted with 301-equivalent redirects:
skills/engineering/chaos-engineering-chaos-engineering.md→skills/engineering/chaos-engineering.mdskills/engineering/feature-flags-architect-feature-flags-architect.md→skills/engineering/feature-flags-architect.mdskills/engineering/kubernetes-operator-kubernetes-operator.md→skills/engineering/kubernetes-operator.mdskills/engineering/slo-architect-slo-architect.md→skills/engineering/slo-architect.md- All 4 old URLs redirect to the canonical page; existing Google SERP indexes preserved.
mkdocs.ymlsite_description— updated from "246 skills, 20 cs-* agents" (6 versions stale) to current "268 skills, 33 cs-* agents (incl. founder-mode C-suite), 21 /cs:* slash commands."README.md— header counts updated: 246 → 268 skills; 20 → 33 agents; 33 → 54 commands; 359 → 373 Python tools. Subtitle expanded with founder-mode lineup callout..github/workflows/static.yml— install step updated frompip install mkdocs-materialtopip install mkdocs-material mkdocs-redirectsto support the new plugin.
mkdocs buildsucceeds (357 HTML pages generated)- Redirect HTML correctly emitted with
<meta http-equiv="refresh" content="0; url=...">+ JavaScript fallback that preserves URL anchors - karpathy
diff_surgeon: clean on staged diff - 71 pre-existing skill pages preserved (no SEO equity loss)
13 INFO-level link warnings exist from before this session (broken anchors and relative-link-without-index hints). These are pre-existing in the docs and not introduced or worsened by this PR. Tracked as a separate cleanup if desired.
- 3 missing voice specs added to
c-level-advisor/c-level-agents/references/persona-voices.md:cs-ceo-advisor— The Strategic Translator (tree-of-thought reasoning; refuses to debate tactics until the strategic question is named)cs-cto-advisor— The Architecture-First Pragmatist (ReAct reasoning; treats every architecture decision as a 3-year commitment)cs-general-counsel-advisor— The Risk-Paranoid Lawyer (Not Your Lawyer) — carry-over from v2.5.1- All three agents existed but their voice specs were never added to the persona reference (cs-ceo / cs-cto pre-date the c-level-agents plugin; cs-gc was an oversight in v2.5.1).
- Broken paths fixed in 2 pre-existing agent files (
agents/c-level/cs-ceo-advisor.mdandagents/c-level/cs-cto-advisor.md):- All 57 references to
../../c-level-advisor/ceo-advisor/and../../c-level-advisor/cto-advisor/updated to../../c-level-advisor/skills/ceo-advisor/and../../c-level-advisor/skills/cto-advisor/respectively (correct path; the bundled skills live underskills/) - YAML
skills:field also corrected (wasc-level-advisor/ceo-advisor, nowc-level-advisor/skills/ceo-advisor)
- All 57 references to
- karpathy-coder/diff_surgeon: clean on staged diff
Both gaps were carry-over items noted across multiple PRs in this session (v2.5.1 → v2.5.5) per karpathy principle #3 (surgical scope — no unrelated cleanups inside scoped feature PRs). This dedicated cleanup PR addresses them in one focused change without touching any feature work.
c-level-advisor/c-level-agents/references/persona-voices.md— 13 → 13 voice specs cataloged (all cs-* agents in the persona-voices list now match the agents that exist)agents/c-level/cs-ceo-advisor.md— 32 path correctionsagents/c-level/cs-cto-advisor.md— 25 path corrections
No skill/agent/command count changes; no manifest version bumps (this is a pure-fix PR).
- vpe-advisor skill (
./c-level-advisor/skills/vpe-advisor/) — opinionated throughput-first VP of Engineering skill. Fifth decision-driven C-role skill in the founder-mode lineup (after GC, CDO, CAIO, CCO). Covers four specific decisions distinct from CTO:- Are we delivering at the right throughput? (DORA 4 metrics + bottleneck identification)
- How do we scale the eng hiring funnel? (7-stage funnel + pipeline gap + weakest-stage fix)
- What's our eng team structure — when to add a tech-lead manager? (squad/tribe + manager-trigger + span-of-control)
- What's our production discipline? (on-call, deployment cadence, postmortem culture, SLO discipline — reference-only)
- Critical distinction enforced: VPE is NOT a CTO skill. CTO owns what to build (architecture, scaling cliffs, build-vs-buy). VPE owns how to ship it (delivery operations, hiring execution, team structure, production discipline). At early stage these are often the same person; at scale they're distinct roles.
- 3 stdlib Python tools with deterministic logic:
delivery_throughput_analyzer.py— Returns DORA 4 metrics (Deployment Frequency, Lead Time for Changes, MTTR, Change Failure Rate) with Elite/High/Medium/Low verdict per metric and overall. Cycle-time bottleneck identification (top wait stage as % of cycle) with typical fixes per bottleneck (review queue, CI flakiness, deploy gates, scheduled releases). Embedded sample (30-day Platform Squad, 28 deploys) → overall High; bottleneck = first_review_to_approval at 45.8% of cycle.eng_hiring_funnel_calculator.py— Stage-by-stage conversion rates for 7-stage funnel (Applied → Sourcer → Recruiter → Hiring Mgr → Tech → Onsite → Offer → Accept) with healthy/leaky verdict per stage. End-to-end conversion rate, required top-of-funnel volume for hiring target, weakest-stage identification with fixes (sourcing channel diversification, calibration, interview design, comp/close discipline). Embedded sample (Q2 2026, 4-engineer hiring target) → 0.62% end-to-end, gap of 160 candidates, weakest = offer_extended_to_offer_accepted at 60%.eng_team_structure_designer.py— Recommended structure (informal pods / formal squads / squads+tribes / multi-tribe) based on headcount. Squad sizing assessment (5-9 IC healthy range). Manager-trigger (first EM at 5-7 ICs; EM-overstretched > 10 ICs; EM-underutilized < 4 ICs). Director-trigger (3+ EMs reporting directly to VPE/CTO). Embedded sample (25-engineer team, 22 ICs / 3 EMs / 1 CTO) → 4-squad structure, no EM trigger (3 EMs for 22 ICs = healthy 7.3 per EM), director trigger FIRES (3 EMs report directly to CTO).
- 4 in-depth references each citing 5+ authoritative sources:
delivery_throughput.md— Full DORA framework with thresholds + 4 common bottlenecks + what to fix first (lead time → failure rate → frequency → MTTR) + 4 anti-patterns. Cites Accelerate (Forsgren/Humble/Kim), Google State of DevOps annual report, The Phoenix Project, Reinertsen Flow, Newman Microservices, Humble Continuous Delivery, Atlassian/GitHub/GitLab benchmarks.engineering_hiring_funnel.md— 7-stage funnel + healthy conversion benchmarks + leakage diagnosis per stage + pipeline volume math + sourcing channel diversification + technical interview design + cost-per-hire. Cites LinkedIn Talent Insights, Atlassian Recruiting Ops, Levels.fyi + Pave, Lou Adler "Hire With Your Head", Adler/Bock "Work Rules!", CMU/Booth interview validity research, SHRM surveys.eng_team_structure.md— Conway's Law + headcount-to-structure map + span-of-control benchmarks + EM vs tech lead distinction + manager/director/VPE triggers + squad sizing + chapter discipline. Cites Kniberg "Scaling Agile @ Spotify", Kniberg 2020 retrospective, Will Larson "Elegant Puzzle", Camille Fournier "Manager's Path", Conway 1968, Schwartz "A Seat at the Table", Lencioni "Five Dysfunctions", Stripe/Shopify/GitHub/Netflix engineering blogs.production_discipline.md— On-call rotation design (≥ 6 people; burnout signals) + incident response (4-tier severity, IC role, blameless postmortems) + deployment cadence (continuous vs scheduled; progressive delivery) + SLO discipline integration + 5-level maturity model. Cites Google SRE (Beyer/Jones/Petoff/Murphy), SRE Workbook, John Allspaw postmortem writings, PagerDuty Incident Response docs, Charity Majors observability, Nora Jones chaos engineering, Mikey Dickerson reliability hierarchy.
- cs-vpe-advisor agent (
./c-level-advisor/c-level-agents/agents/cs-vpe-advisor.md) — throughput-first operator. Voice: "What's your cycle time, and where does the work spend most of its time waiting?" Trusts DORA metrics over vibe. Refuses to recommend hires without naming the throughput or quality bottleneck they unblock. /cs:vpe-reviewslash command (./c-level-advisor/c-level-agents/skills/vpe-review/SKILL.md) — 6-question forcing interrogation: cycle time + waits, DORA verdict, hiring funnel leakage, team structure health, production discipline maturity, VPE-vs-CTO scope decision.- cs-vpe-advisor voice spec added to
persona-voices.md. - Dual-published from the start: standalone plugin at
c-level-advisor/vpe-advisor/with mirrored content (per #624 pattern).sync_skill_bundles.pykeeps both copies aligned.
The single most-asked staffing question at Series B is: "Do we need a VPE separately from the CTO?" This skill makes the decision mechanical:
- If CTO is spending > 50% on management vs strategy, VPE is needed
- If CTO is a co-founder more comfortable with strategy than execution, VPE complements
- At small scale (< 20 eng), one person can do both — but the operating decisions still need to be made
Existing skills don't quite own these decisions: cs-cto-advisor is about architecture; cs-engineering-lead is day-to-day incident coordination; cs-chro-advisor owns hiring SYSTEMS company-wide but not eng-specific funnel execution. VPE fills the gap with deterministic frameworks for delivery operations.
Maintained the discipline established in v2.5.2:
- Principle 1: assumptions surfaced upfront, including the critical CTO-vs-VPE distinction. Locked direction before code.
- Principle 2: rejected generic "engineering operations survey" framing. Each tool/reference covers ONE decision. No overlap with engineering tactical skills (
engineering/slo-architect/,engineering/feature-flags-architect/, etc.). - Principle 3: touched only files in the locked plan. No "while I'm here" cleanup. No edits to other c-level skills.
- Principle 4: all 3 Python tools smoke-tested with embedded samples before commit. Verifiable outputs (DORA overall High; hiring gap +160 candidates; 25-eng team → 4 squads, director trigger fired).
- Total skills: 267 → 268 (+1 vpe-advisor)
- cs- agents:* 32 → 33 (+1 cs-vpe-advisor in c-level-agents plugin)
- /cs: slash commands:* 20 → 21 (+1 /cs:vpe-review)
- Python tools: 370 → 373 (+3 in vpe-advisor/scripts/)
- References: 502 → 506 (+4 in vpe-advisor/references/)
- Marketplace plugins: 38 → 39 (+1 standalone vpe-advisor entry)
- c-level-skills plugin: v2.5.4 → v2.5.5 (description expanded; 32 → 33 skills, 12 → 13 cs-* agents)
- c-level-agents plugin: v1.4.0 → v1.5.0 (description expanded with VPE; new agent + command; +
vp-engineering,vpe,dora,delivery-throughput,engineering-hiring,eng-team-structure,production-disciplinekeywords)
cs-general-counsel-advisorvoice spec still missing frompersona-voices.md(carried from v2.5.1; multi-PR carry-over)- Phase 2 final remainder (1 role): CCO-comms (Chief Communications Officer) — naming conflict with CCO (Chief Customer Officer); needs disambiguation before adding
DORA benchmarks come from cross-industry research; specific thresholds shift with stage and complexity. Hiring funnel benchmarks vary by role level + geography. This skill provides operating-baseline guidance; pair with cs-cto-advisor (architecture), cs-chro-advisor (hiring systems), and engineering tactical skills for execution.
- chief-customer-officer-advisor skill (
./c-level-advisor/skills/chief-customer-officer-advisor/) — opinionated, retention-obsessed CCO skill. Fourth decision-driven C-role skill in the founder-mode lineup. Covers four specific decisions (not generic CS survey):- What's our retention architecture — and is gross retention vs NRR honest? (decomposition + 7-category churn taxonomy)
- How do we segment customers for differential investment? (4-tier framework + ICP fit scoring + kill list)
- What's the CS team's coverage model — and when do we go pooled vs named? (ratio math + manager trigger)
- What CS role do we hire next? (stage-to-role map; CSM ≠ Support ≠ AM ≠ IM)
- 3 stdlib Python tools with deterministic logic:
retention_decomposition_analyzer.py— Decomposes ARR retention by cohort into GRR (truth) / NRR (vanity if alone) / Logo Retention separately. Flags leaky-bucket pattern (NRR > 100% AND GRR < 85%). Categorizes churn across 7-category root-cause taxonomy (product_fit / competitor_loss / no_value_realized / pricing / champion_left / company_event / tactical_failure) and computes preventable % (CS-controllable). Embedded sample: 2 cohorts, Q1 GRR 91.7% CONCERNING (NRR too low at 106.7%), Q2 GRR 84.7% CRITICAL (declining trend), top driver = product_fit at 54.5% preventable.customer_segmentation_designer.py— Assigns 4-tier segment (Strategic / Enterprise / Mid-market / SMB-long-tail) by ARR. Scores ICP fit 0-10 from 7 weighted signals (industry, size, workflow, exec sponsor, advocacy, expansion potential, competitor concentration). Surfaces kill list (support cost > 50% of ARR AND ICP fit < 5) with the 3 paths (non-renewal / downgrade-to-tech-touch / raise-price). Surfaces upgrade candidates (high fit + expansion potential).cs_coverage_calculator.py— Calculates required CSM headcount per tier with two constraints (ARR ratio AND account count, whichever is binding). Surfaces manager-trigger thresholds (5+ ICs in tier OR 8+ across function). Generates 12-month hiring plan with quarterly sequencing. Includes fully-loaded cost projection.
- 4 in-depth references each citing 5+ authoritative sources:
retention_decomposition.md— GRR vs NRR honest math + leaky-bucket pattern + 7-category churn taxonomy + leading-indicator playbook + cohort discipline. Cites Mehta/Steinman/Murphy "Customer Success", Lincoln Murphy, David Skok (forEntrepreneurs), BVP State of the Cloud, ChartMogul/ProfitWell benchmarks, Reichheld "The Loyalty Effect", Tomasz Tunguz.customer_segmentation_strategy.md— 4-tier framework + ICP fit weighting (7 signals) + tier transition triggers + kill list criteria + the 3 paths. Cites Lincoln Murphy, Bain "Loyalty Effect", Tunguz, Skok, ChartMogul/ProfitWell, Adamson/Dixon/Toman "Challenger Customer".cs_coverage_model.md— Tech-touch / pooled / named / named+exec models + ARR-per-CSM ratios by stage and segment + manager-trigger + CS comp design + ramp curves. Cites Gainsight, TSIA, Mehta/Pickens "Customer Success Economy", ChurnZero, Skok, Lincoln Murphy, Pacific Crest/KeyBanc SaaS survey.cs_team_org_evolution.md— 5-stage role map + 6-role definition table (CSM ≠ Support ≠ AM ≠ IM ≠ CS Ops ≠ Customer Marketing) + AM-vs-CSM split decision + 7 anti-patterns. Cites Mehta/Steinman/Murphy, Mehta/Pickens, BVP, TSIA, Gainsight, ChurnZero, Lincoln Murphy.
- cs-cco-advisor agent (
./c-level-advisor/c-level-agents/agents/cs-cco-advisor.md) — retention-obsessed pragmatist. Voice: "What's your gross retention rate, and what's the #1 reason customers leave?" Trusts gross retention over NRR. Refuses to recommend CS hires without naming the customer outcome they unblock. /cs:cco-reviewslash command (./c-level-advisor/c-level-agents/skills/cco-review/SKILL.md) — 6-question forcing interrogation: GRR (not NRR), top churn driver, time-to-value, kill-list candidates, ARR-per-CSM ratio + coverage model, CS comp alignment.- cs-cco-advisor voice spec added to
persona-voices.md. - Dual-published from the start: standalone plugin at
c-level-advisor/chief-customer-officer-advisor/with mirrored content (per the same pattern as #624 for GC/CDO/CAIO).sync_skill_bundles.pykeeps both copies aligned.
By 2026, every B2B SaaS founder is being asked a board-level question: "What's your NRR?" The truth is that NRR alone is the vanity metric — it can hide a leaky bucket where 85% gross retention is masked by expansion from the survivors. This skill enforces the discipline of decomposition before reporting, and surfaces three decisions the other C-roles can't quite own:
- CRO owns the revenue math (NRR, expansion comp, ramp); CCO owns customer experience and the 7-category churn root cause analysis. Clean split.
- CPO owns product roadmap; CCO surfaces product gaps via churn data. CPO decides; CCO feeds.
- CHRO owns CS team comp; CCO designs the coverage model + ratios. CHRO executes; CCO designs.
The differential-investment framework (kill list + upgrade candidates) is the strategically distinct CCO contribution. Most founders avoid the kill-list conversation; this skill makes it mechanical.
Maintained the discipline established in v2.5.2:
- Principle 1: assumptions surfaced upfront, including the CRO vs CCO split assumption (revenue math vs customer experience). Locked direction before code.
- Principle 2: rejected generic "customer success survey" framing. Each tool/reference covers ONE decision. No overlap with
business-growth/customer-success-management/. - Principle 3: touched only files in the locked plan. No "while I'm here" cleanup of unrelated files. No edits to other c-level skills.
- Principle 4: all 3 Python tools smoke-tested with embedded samples before commit. Verifiable outputs (Q1 GRR 91.7% CONCERNING / Q2 GRR 84.7% CRITICAL; 5 customers tiered with 1 kill + 2 upgrade candidates; 4 → 12 CSMs / $2.25M annual cost at 40% growth).
- Total skills: 266 → 267 (+1 chief-customer-officer-advisor)
- cs- agents:* 31 → 32 (+1 cs-cco-advisor in c-level-agents plugin)
- /cs: slash commands:* 19 → 20 (+1 /cs:cco-review)
- Python tools: 367 → 370 (+3 in chief-customer-officer-advisor/scripts/)
- References: 498 → 502 (+4 in chief-customer-officer-advisor/references/)
- Marketplace plugins: 37 → 38 (+1 standalone chief-customer-officer-advisor entry)
- c-level-skills plugin: v2.5.3 → v2.5.4 (description expanded; 31 → 32 skills, 11 → 12 cs-* agents)
- c-level-agents plugin: v1.3.0 → v1.4.0 (description expanded with CCO; new agent + command; +
chief-customer-officer,cco,retention-decomposition,customer-segmentation,cs-coveragekeywords)
- The
cs-general-counsel-advisorvoice spec is still missing frompersona-voices.md(carried from v2.5.1). Will be addressed in a separate small PR. - Phase 2 remainder (2 more C-roles: VPE engineering execution, CCO-comms) deferred to v2.5.5+.
Retention benchmarks vary significantly by ACV, segment, and industry. This skill provides B2B SaaS-baseline guidance; consumer SaaS, marketplaces, and hardware have materially different retention math.
- chief-ai-officer-advisor skill (
./c-level-advisor/skills/chief-ai-officer-advisor/) — opinionated, eval-demanding CAIO skill covering 4 specific decisions. The third decision-driven C-role skill in the founder-mode lineup, after general-counsel-advisor (v2.5.1) and chief-data-officer-advisor (v2.5.2). - 4 specific decisions covered (not a generic AI strategy survey):
- Should we use an API, fine-tune, or build our own? (model build-vs-buy with 3-year TCO)
- Is this AI use case high-risk under regulation, and how do we govern it? (EU AI Act + NIST AI RMF + US state patchwork)
- When do we switch from API to self-hosted, and at what cost? (token economics with breakeven analysis)
- What AI role do we hire next? (stage-to-role map; AI engineer ≠ ML engineer ≠ research scientist)
- 3 stdlib Python tools with deterministic logic:
model_buildvsbuy_calculator.py— Returns API / FINE_TUNE / BUILD recommendation, 3-year TCO across 6 path variants (API frontier-premium/economy/open-hosted, fine-tune, self-hosted 70B-class, build-from-scratch), and breakeven analysis. Balances economic crossover with practical feasibility (data availability, ML team capacity, compliance constraints). Embedded sample (B2B customer support, 4M queries/mo) → API recommendation despite economic breakeven crossed, due to no fine-tune data + 1-engineer ML team.ai_risk_classifier.py— Returns EU AI Act tier (PROHIBITED / HIGH / LIMITED / MINIMAL) with Article-level citations, US state triggers (NYC LL 144, CO AI Act, IL HB 53, CA SB 1001, IL BIPA), industry overlays (FDA AI/ML, ECOA, NAIC AI bulletin), required-controls list, and conformity-assessment flag. Embedded sample (AI hiring screening in EU+NY+CO+IL+CA) → HIGH risk, conformity required, 3 US state triggers, 14 controls. 7 EU AI Act articles cited (5, 6, 9-15, 43, 49, 72).ai_cost_economics.py— Returns monthly costs at 6 paths (3 API tiers + self-hosted at low/mid/high GPU rates), breakeven monthly tokens, sensitivity to GPU pricing. Embedded sample (5M tokens/day, 750M/mo) → API at $1,500/mo beats self-hosted at $13,450/mo by 9x; breakeven at 6.7B tokens/mo for 70B-class on A100s. Reveals key insight that self-hosted floor (24/7 warm GPUs + ops) makes API economics dominate at typical B2B SaaS scale.
- 4 in-depth references each citing 5+ authoritative sources:
model_buildvsbuy_strategy.md— 3 paths with failure modes, 6 fine-tuning approaches (few-shot, prompt eng, RAG, LoRA, full FT, RLHF/DPO, continued pre-training) ranked by cost and use case, decision tree, eval-first discipline. Cites Anthropic/OpenAI/Google/Meta model cards, LoRA paper (Hu et al.), RLHF paper (Ouyang et al.), DPO paper (Rafailov et al.), Foundation Models report (Stanford CRFM), Foundation Models and Fair Use (Henderson et al.).ai_risk_governance.md— Full EU AI Act tier map (prohibited Article 5, high-risk Article 6 + Annex III, limited-risk Article 50, minimal-risk) with all 8 high-risk domains + 11 obligation Articles. NIST AI RMF 1.0 (4 functions, 7 trustworthy characteristics). US state patchwork (NYC LL 144, CO AI Act, IL HB 53, CA SB 1001, CA AB 2013, CA AB 1008, IL BIPA, WA MHMD, TX biometric). Industry overlays (FDA, CFPB, Fed SR 11-7, NYDFS Reg 23, ECOA, NAIC). 10-item governance program checklist. When-to-hire-AI-counsel criteria.ai_cost_economics.md— 2026 API pricing across 4 tiers, GPU rental (A100/H100/H200/B200), throughput estimates, GPU count by model size, cost-per-million-tokens calculations, utilization reality (interactive 20-40%, batch 60-80%), 6 hidden costs of self-hosted, 6 hidden costs of API, migration cost (3-6 months, 2-3 engineers), prompt caching as economics lever. Cites vLLM paper, DistServe (NSDI 2024), HELM benchmark, Artificial Analysis, Llama 3.1 paper.ai_team_org_evolution.md— 5-stage role map (pre-seed → late-stage), 9-role definition table distinguishing AI engineer / ML engineer / research scientist / data scientist / AI safety / AI PM / Head of AI / CAIO. AI team vs data team contrast (8 dimensions). 7 specific anti-patterns. Hiring sequencing rule. Cites Huyen "Designing ML Systems" + "AI Engineering", State of AI Report, Karpathy's AI engineer archetype discussions.
- cs-caio-advisor agent (
./c-level-advisor/c-level-agents/agents/cs-caio-advisor.md) — eval-demanding realist orchestrating the skill. Voice: "What does this AI need to be good at, and how would you measure it?" Treats every AI use case as a hiring decision; pushes back on AI hype; demands fallback behavior before scale. /cs:caio-reviewslash command (./c-level-advisor/c-level-agents/skills/caio-review/SKILL.md) — 6-question forcing interrogation: eval discipline, hallucination SLO, regulatory tier, model selection, cost trajectory, role-that-unblocks-this.- cs-caio-advisor voice spec added to
persona-voices.md.
By 2026, every founder is making AI decisions that didn't exist 18 months ago — and gstack, general legal counsel, CTOs, and CISOs each only cover part of the picture. The CAIO concerns that this skill uniquely owns:
- Model build-vs-buy is not a single answer. 80% of B2B SaaS should use frontier APIs; 15% should fine-tune; <1% should pre-train. The decision depends on data availability + team capacity + economics + compliance, not on technology preference.
- EU AI Act conformity is consequential and slow. A high-risk AI use case requires 3-12 months of conformity work + EU database registration + 10 Articles of obligations. Discovering this 2 weeks before EU launch is a category of pain this skill prevents.
- API vs self-hosted breakeven is much higher than founders expect. For 70B-class on rented A100s, breakeven is typically 1-10 billion tokens per month — not the 100M-500M most founders intuit. Self-hosting "to save money" usually wastes engineering capacity.
- AI team confusion costs 12 months of productivity. Hiring a research scientist as first AI hire is the single most common AI hiring mistake, and it's expensive to undo.
Maintained the discipline established in v2.5.2:
- Principle 1 (Think before coding): assumptions surfaced upfront before file writes. Locked 4 decisions, 3 tools, 4 references, success criteria. User confirmed direction.
- Principle 2 (Simplicity first): rejected "generic AI strategy survey" framing. Each tool covers ONE decision. Each reference answers ONE decision. No overlap with engineering/rag-architect, engineering/agent-designer, engineering/llm-cost-optimizer.
- Principle 3 (Surgical changes): touched only files in the locked plan. No "while I'm here" cleanup.
- Principle 4 (Goal-driven execution): all 3 tools smoke-tested with embedded samples before commit. Verifiable success criteria met.
- Total skills: 265 → 266 (+1 chief-ai-officer-advisor)
- cs- agents:* 30 → 31 (+1 cs-caio-advisor in c-level-agents plugin)
- /cs: slash commands:* 18 → 19 (+1 /cs:caio-review)
- Python tools: 364 → 367 (+3 in chief-ai-officer-advisor/scripts/)
- References: 494 → 498 (+4 in chief-ai-officer-advisor/references/)
- c-level-skills plugin: v2.5.2 → v2.5.3 (description expanded; 30 → 31 skills, 10 → 11 cs-* agents)
- c-level-agents plugin: v1.2.0 → v1.3.0 (description expanded with CAIO; new agent + command; +
chief-ai-officer,caio,ai-strategy,model-buildvsbuy,eu-ai-act,ai-cost-economicskeywords)
- The
cs-general-counsel-advisorvoice spec is still missing frompersona-voices.md(carried from v2.5.1). Will be addressed in a separate small PR. - Phase 2 remainder (3 more C-roles: CCO customer, VPE engineering execution, CCO comms) deferred to v2.5.4+.
The chief-ai-officer-advisor skill surfaces strategic AI decisions but is not legal advice for AI regulation, not a replacement for outside AI counsel for EU AI Act conformity assessments, and not a tactical AI/ML engineering skill. For tactical AI engineering, see engineering/rag-architect/, engineering/agent-designer/, engineering/prompt-governance/, engineering/self-eval/, engineering/llm-cost-optimizer/.
- chief-data-officer-advisor skill (
./c-level-advisor/skills/chief-data-officer-advisor/) — opinionated, decision-driven CDO skill. Refuses to be a generic data-governance survey; instead answers four specific decisions:- Can we train our model on this data? (AI training data rights matrix)
- Warehouse, lakehouse, or mesh — and what do we build vs buy? (data product strategy)
- What is our customer data worth? (B2B customer-data-as-asset valuation + M&A multiplier)
- What data role do we hire next? (data team org evolution)
- 3 stdlib Python tools with deterministic logic (not pattern-match prose):
ai_training_data_audit.py— Audits data sources on 3 dimensions (origin × data class × use case). Returns GO/MITIGATE/NO-GO per source with risk, remediation, and GDPR Art. 6 + EU AI Act + US state citations. Embedded sample tests 7 sources spanning all 3 verdicts. Implements 6+ rule branches (scraped always NO-GO, regulated requires framework-specific consent, PII for fine-tuning requires explicit opt-in, etc.).data_product_strategy_picker.py— Picks warehouse/lakehouse/mesh from a company profile (stage, consumers, data volume, ML models, culture). Returns architecture + 6-layer build-vs-buy decisions (storage, ELT, modeling, BI, feature store, ML platform) + 12-month sequencing roadmap. Deterministic: same profile → same recommendation. Embedded sample (Series A B2B SaaS, 8 consumers, 4.5TB, 1 ML model) → LAKEHOUSE recommendation.data_asset_valuator.py— Computes strategic value 0-10 from 4 components (exclusivity, freshness, cohort breadth, history depth), derives moat strength (NONE/WEAK/MEDIUM/STRONG), applies M&A multiplier (1.0x–1.7x ARR depending on moat) with penalties for MSA carve-out rate and failed anonymization audit. Ranks 3 productization paths (benchmark report / embedding endpoint / direct license) by risk + viability. Embedded sample (B2B sales engagement corpus, 380 customers, 47 carve-outs) → 8.2/10 STRONG moat, 1.33-1.61x multiplier, recommends benchmark report as starting path.
- 4 references answering one decision each (not topic surveys):
ai_training_data_rights.md— Decision: can we train on this source? Three-dimension matrix + GDPR Art. 6 lawful basis decision tree + EU AI Act high-risk triggers + US state patchwork (CCPA/CPRA, NYC LL 144, IL BIPA, WA MHMD).data_product_strategy.md— Decision: which architecture and what do we build? Stage-driven kill criteria per architecture + 6-layer build-vs-buy decision tree + sequencing pattern + anti-patterns.customer_data_as_asset.md— Decision: what's our data worth and can we productize it? 5-component valuation framework + M&A multiplier with carve-out impact + 3 productization paths with prerequisites + 10-item M&A diligence prep checklist + quarterly contractual constraint audit pattern.data_team_org_evolution.md— Decision: what role next, when to centralize vs embed? 5-stage map (seed → late-stage) with specific role definitions + centralize-vs-embed-vs-federated triggers + 6 anti-patterns ("hiring data scientist as first data hire" etc.).
- cs-cdo-advisor agent (
./c-level-advisor/c-level-agents/agents/cs-cdo-advisor.md) — decision-driven realist orchestrating the skill. Voice: "What decision does this data drive?" Refuses to recommend tooling before naming the consumer. Treats AI training data as both contractual liability and strategic asset. /cs:cdo-reviewslash command (./c-level-advisor/c-level-agents/skills/cdo-review/SKILL.md) — 6-question forcing interrogation pattern matching the /cs:cfo-review / /cs:gc-review etc. shape.- cs-cdo-advisor voice spec added to
persona-voices.md.
By 2026 every B2B SaaS founder is asking three questions the existing C-level skills can't fully answer:
- "Can we train our model on customer data?" — overlaps cs-ciso (security), cs-general-counsel (contracts), and engineering (tactics), but none of them owns the strategic data picture.
- "What's the right data architecture — and when?" — engineering's database-designer and observability-designer cover tactics, but the warehouse-vs-lakehouse-vs-mesh decision is stage-driven, not technology-driven.
- "What's our data actually worth in M&A?" — this comes up at every Series B+ and has no home in existing skills.
This skill fills that gap with deterministic decision logic (not survey prose), explicit kill criteria, and a hard rule against duplicating engineering data skills.
This PR was the first in this repo built under explicit karpathy-coder guidance:
- Principle 1 (Think before coding): assumptions surfaced upfront, verifiable success criteria locked before any file was written.
- Principle 2 (Simplicity first): rejected "generic governance survey" framing; each tool/reference covers ONE decision; refused to add scope ("data product strategy picker" doesn't try to also do data quality, RAG, or schema design).
- Principle 3 (Surgical changes): touched only the files in the locked plan. Caught one scope-creep attempt (adding cs-general-counsel-advisor voice spec while editing persona-voices.md) and reverted it — that gap belongs in a separate PR.
- Principle 4 (Goal-driven execution): all 3 Python tools smoke-tested with embedded samples before commit (audit: 7 sources → 2 NO-GO / 2 MITIGATE / 3 GO; strategy picker: Series A → LAKEHOUSE; valuator: 8.2/10 STRONG moat).
- Total skills: 264 → 265 (+1 chief-data-officer-advisor)
- cs- agents:* 29 → 30 (+1 cs-cdo-advisor in c-level-agents plugin)
- /cs: slash commands:* 17 → 18 (+1 /cs:cdo-review)
- Python tools: 361 → 364 (+3 in chief-data-officer-advisor/scripts/)
- References: 490 → 494 (+4 in chief-data-officer-advisor/references/)
- c-level-skills plugin: v2.5.1 → v2.5.2 (description expanded; 29 → 30 skills, 9 → 10 cs-* agents)
- c-level-agents plugin: v1.1.0 → v1.2.0 (description expanded with CDO; new agent; +
chief-data-officer,cdo,ai-training-data,data-product-strategy,data-as-assetkeywords)
- The
cs-general-counsel-advisorvoice spec is missing frompersona-voices.md(introduced in v2.5.1 but not added to the voice reference). Will be addressed in a separate small PR alongside other voice cleanup. - Phase 2 remainder (4 more C-roles: CAIO AI, CCO customer, VPE engineering execution, CCO comms) deferred to v2.5.3+.
The chief-data-officer-advisor skill surfaces strategic decisions but is not legal advice for AI training, not a replacement for outside counsel for productization/licensing decisions, and not a tactical data engineering skill. For tactical data engineering, see the engineering/ domain (database-designer, observability-designer, data-quality-auditor, sql-database-assistant, rag-architect, llm-cost-optimizer).
- general-counsel-advisor skill (
./c-level-advisor/skills/general-counsel-advisor/) — full standalone C-role skill backing the/cs:gc-reviewcommand (which previously had no underlying skill). 2 stdlib Python tools, 3 reference docs.contract_risk_scanner.py— Scans contract text for 12 founder-killer clause patterns: auto-renewal with long notice (>30 day), customer-indemnity-carved-out-from-cap, one-sided indemnity, vague IP ownership, aggressive non-compete (>1 year), one-sided choice-of-law/venue, one-sided force majeure, missing DPA when personal data flows, MFN pricing, one-sided audit rights, broad non-solicit, perpetual license-back. Outputs ranked findings (CRITICAL/HIGH/MEDIUM) with excerpt, why-it-matters, and suggested redline. Stdlib-only, JSON or text output. Embedded sample MSA detects 7 risks across all 3 severity levels.term_sheet_analyzer.py— Scores a term sheet 0-100 across 12 dimensions: liquidation preference (1x non-participating vs participating vs multi-preference), anti-dilution (broad-based weighted average vs narrow vs full ratchet), option pool (pre-money vs post-money + size), board composition (founder vs investor vs independent seats), vesting + acceleration (single vs double trigger), pro-rata, drag-along (founder consent / price floor), protective provisions (NVCA standard vs aggressive), information rights, dividends (none / non-cumulative / cumulative), valuation/dilution sanity, holistic posture. Outputs FOUNDER_FRIENDLY / NEGOTIATE / HOSTILE grade plus per-clause flags. Stdlib-only, JSON-input + JSON-or-text output.references/contracts_playbook.md— 7 standard startup contracts (MSA, customer SaaS, NDA, DPA, employment, contractor, equity), top redlines per type, quick triage heuristics.references/ip_and_regulatory.md— Full IP strategy (patents, copyright, trademark, trade secrets, invention assignment, OSS license compliance for permissive/weak-copyleft/strong-copyleft including AGPL) plus regulatory trigger matrix (HIPAA, PCI DSS, BSA/AML, FDA 510(k), MDR, GDPR, CCPA, COPPA, securities, ITAR, EU AI Act, telehealth, insurance) with SOC 2 → ISO 27001 → ISO 42001 sequencing and when-to-hire-a-GC criteria.references/term_sheet_decoder.md— Full term sheet glossary, founder-friendly defaults cheat sheet, the three clauses that matter most (liquidation preference, option pool pre/post-money, anti-dilution), and negotiation strategy.
- cs-general-counsel-advisor agent (
./c-level-advisor/c-level-agents/agents/cs-general-counsel-advisor.md) — risk-paranoid persona orchestrating the skill via/cs:gc-review. Distinct voice: "Before we sign, three things need to be settled in writing." Hard rule: never gives definitive legal advice; always escalates to qualified outside counsel. /cs:gc-reviewupdated to invoke the new tools and reference the skill (the command previously pointed at a planned skill with a CHANGELOG note).
YC Garry Tan's gstack has zero coverage for General Counsel — its "executives" are all software-shipping personas (CEO = scope-cutter, Eng Mgr = test matrix). But legal exposure is where startups most often discover a problem after it's expensive to fix: a missed DPA exposes the company to GDPR fines, vague IP clauses kill acquisition deals years later, full-ratchet anti-dilution silently transfers 5-15% of founder equity at the next down round. This is the first plugin in the founder-mode lineup to outclass gstack on a domain it doesn't even attempt.
- Total skills: 263 → 264 (+1 general-counsel-advisor)
- cs- agents:* 28 → 29 (+1 cs-general-counsel-advisor in c-level-agents plugin)
- Python tools: 359 → 361 (+2 in general-counsel-advisor/scripts/)
- References: 487 → 490 (+3 in general-counsel-advisor/references/)
- c-level-skills plugin: v2.5.0 → v2.5.1 (description expanded; 28 → 29 skills, 8 → 9 cs-* agents)
- c-level-agents plugin: v1.0.0 → v1.1.0 (description expanded with General Counsel; new agent added; +
contract-review,term-sheet,ip-strategykeywords)
The general-counsel-advisor skill and cs-general-counsel-advisor agent are not legal advice. Every output surfaces questions to bring to qualified counsel; both Python tools and all 3 references repeatedly remind users to engage licensed attorneys for binding decisions. The skill is positioned as a triage layer — useful for catching the obvious traps before $500/hour counsel time, never as a substitute.
- c-level-agents plugin (
./c-level-advisor/c-level-agents/) — surfaces the existing 28 c-level skills through a founder-mode interface of cs-* persona agents and/cs:*slash commands. New marketplace entry registered separately (category: leadership). - 8 new cs- persona agents* with distinct cognitive voices, completing agent coverage for every C-role:
cs-cfo-advisor(numerate skeptic) wraps cfo-advisorcs-cmo-advisor(narrative-first) wraps cmo-advisorcs-cro-advisor(pipeline-paranoid) wraps cro-advisorcs-cpo-advisor(JTBD-driven) wraps cpo-advisorcs-coo-advisor(execution OS) wraps coo-advisorcs-chro-advisor(people-systems) wraps chro-advisorcs-ciso-advisor(risk-paranoid) wraps ciso-advisorcs-chief-of-staff(router & synthesist) wraps chief-of-staff
- 17 /cs: slash commands* delivered as sub-skills under
c-level-agents/skills/:- Forcing-question office hours (8):
/cs:office-hours(YC-style 6-question intake),/cs:cfo-review,/cs:cmo-review,/cs:cpo-review,/cs:cro-review,/cs:cto-review,/cs:ciso-review,/cs:gc-review(General Counsel — a lane gstack has zero of) - Strategic sprint pipeline (5):
/cs:brief→/cs:boardroom(6-phase deliberation with Phase 2 isolation + devil's advocate pass) →/cs:decide(two-layer memory log with preserved dissent) →/cs:execute(90-day plan with weekly milestones + DRIs) →/cs:post-mortem(scored against pre-committed criteria and revisited dissent) - Meta + safety (4):
/cs:founder-mode(auto-router — the killer command),/cs:onboard(12-question founder interview →~/.claude/company-context.md),/cs:cross-eval(multi-model consensus with graceful degradation to Claude-only adversarial mode when Codex/Gemini absent),/cs:freeze(cooldown lock on irreversible decisions with/cs:unfreezeaudit trail)
- Forcing-question office hours (8):
- References:
c-level-agents/references/persona-voices.md(voice specs per role — moderate aggression: bookend opening + closing, neutral analysis body) andc-level-agents/references/llm-wiki-bridge.md(Markdown-only persistent memory viallm-wiki— the answer to gstack's gbrain Postgres+pgvector dependency). - c-level-skills marketplace entry description expanded and version bumped to v2.5.0 to reflect the bundled plugin layer.
Garry Tan's gstack (~66K stars) demonstrated the power of slash-command-first, forcing-question agent gearing — but its "executives" are all software-shipping personas (CEO = scope-cutter, Eng Mgr = test matrix). This release brings the same pattern to real business decisions: CFO with unit economics, CMO with positioning, General Counsel with contract risk, CISO with threat modeling, and a 6-phase boardroom that surpasses gstack's sequential review chain with Phase 2 isolation + adversarial pass. Combined with this repo's pre-existing compliance (ra-qm-team), finance, marketing, business-growth, and product domains, this is the business-domain answer to founder-mode — broader role coverage, real frameworks, Markdown-only memory, and explicit voice differentiation.
- Total skills: 246 → 263 (+17 from c-level-agents sub-skills)
- cs- agents:* 20 → 28 (+8 new c-level personas inside the plugin)
- Slash commands: 33 → 50 (+17 /cs:* commands as sub-skills)
- Marketplace plugins: 33 → 34 (+1 c-level-agents entry)
- c-level-skills plugin: v2.2.3 → v2.5.0
- slo-architect — End-to-end SLO/SLI/error-budget discipline per Google SRE Workbook. Generates structured SLO definitions and refuses to render if required fields (owner, error-budget policy, SLI numerator/denominator) are missing (
slo_designer.py). Computes error budget and the canonical multi-window burn-rate alert thresholds — fast (1h/5m, page), slow (6h/30m, page), ticket (3d/6h) — with PromQL-shaped output ready to paste (error_budget_calculator.py). Reviews existing SLO docs for the 7 common bugs: target too high (≥99.99%), target too low (≤99%), window too short (<7d), window too long (>90d), no SLI definition, no error budget policy, CPU-as-SLI (slo_review.py). 4 references on SLO principles, SLI design (5 types), error budget math, and composition with the rest of the portfolio. Asset templates for SLO YAML and error budget policy. New/slo-designslash command. Karpathy complexity 95/100. Composes explicitly with feature-flags-architect (rollout abort uses SLO burn-rate), chaos-engineering (blast-radius bounded by SLO error budget), kubernetes-operator (Capability Level 4 requires SLOs). - ship-gate — Pre-production audit skill from external contributor @rx4u (originally PR #527, re-applied to post-restructure dev layout). Scans codebases across 8 categories — security, database, deployment, code quality, AI/LLM, dependencies, frontend, observability — with 89 automated and manual checks. Intercepts deploy-intent phrases ("push to production", "ship it", "go live") and blocks until critical issues resolve. Stack-agnostic (Node/Next/React/Vue/Svelte/Astro/Express/Python/Django/Flask/etc.). Stdlib-only Python scanner (
ship_gate_scanner.py, ~1230 LOC) with JSON output, ANSI color, interactive manual prompts, and exit codes (0=CLEAR, 1=CRITICAL, 2=HIGH). - feature-flags-architect — End-to-end feature-flag discipline. Detects stale flags as debt (
flag_debt_scanner.py), generates phased rollout plans across ring/linear/log/cohort strategies (rollout_planner.py), and audits every flag for documented kill switch (kill_switch_audit.py). 4 references on flag taxonomy, provider comparison (LaunchDarkly / GrowthBook / Statsig / Unleash / Flipt / DIY), rollout strategies, and lifecycle. Ships standalone plugin AND in the engineering-advanced-skills bundle. New/flag-cleanupslash command. - kubernetes-operator — End-to-end Kubernetes Operator discipline. Validates CRDs against operator-pattern best practices (
crd_validator.py), lints Go reconcile functions for anti-patterns liketime.Sleep, spec mutation, missing requeue, finalizer imbalance (reconcile_lint.py), and scores operators against OperatorHub Capability Levels 1-5 (operator_capability_audit.py). 4 references on operator pattern, CRD design, reconcile loop patterns, and framework comparison (controller-runtime / kubebuilder / operator-sdk / metacontroller / KOPF). Asset templates for production CRD YAML and Go controller skeleton (both pass linters). New/operator-auditslash command. NOT a generic k8s skill — specifically the Operator pattern. Self-tested: linters caught 4 real bugs in their own asset templates during build. - chaos-engineering — End-to-end chaos engineering discipline. Generates structured experiment plans with hypothesis + steady-state + blast-radius + abort-criteria (
experiment_designer.py), computes blast radius with GREEN/YELLOW/RED risk score against monthly error budget (blast_radius_calculator.py), and produces blameless postmortems with blame-language detection (experiment_postmortem.py). 4 references on the 4 founding principles + 5th abort-criteria principle, hypothesis/steady-state/abort design, the 7-attack taxonomy (latency / error / resource / network-partition / dependency / time / infrastructure), and tooling landscape (Chaos Toolkit / Chaos Mesh / Litmus / Gremlin / AWS FIS / DIY). Templates for plans and postmortems. New/chaos-experimentslash command. Composes explicitly with feature-flags-architect (kill switches as abort triggers) and kubernetes-operator (operators are common chaos targets). Karpathy complexity 95/100 — best score in the new portfolio.
- scripts/sync_skill_bundles.py — mirror standalone plugin payloads into their domain-bundled location;
--checkexits 1 on drift,--syncrewrites the mirror. Locks in the dual-publish invariant for every new skill. - scripts/check_plugin_json.py — strict ClawHub schema validator (exactly 8 fields, semver,
author{name,url},skillsas string or array — bare"./"rejected per Claude Code v2.1.107+). Verified against all 31 existing plugin.json files.
- Total skills: 235 (v2.3.0 claim) → 246 (file-system truth via
find . -name SKILL.mdminus 4 distribution duplicates). +5 new skills this cycle (slo-architect, ship-gate, feature-flags-architect, kubernetes-operator, chaos-engineering); +6 discovered during #608/#609 reconciliation. - Python tools: 314 → 359 (
find . -path '*/scripts/*.py' | wc -l) - References: 435 → 485 (
find . -path '*/references/*.md' | wc -l) - Agents: 28 → 27 (file-system truth: 20
cs-*+ 7 personas. Previous "30" miscounted README/TEMPLATE as agents) - Slash commands: 27 → 33 (
find commands -name '*.md' | wc -l) - Marketplace plugins: 30 → 33 (registered in
.claude-plugin/marketplace.json) - engineering-advanced-skills plugin: v2.3.3 → v2.4.2
- marketplace.json:
feature-flags-architect,kubernetes-operator, andchaos-engineeringregistered as standalone plugins
tests/test_skill_integrity.py::TestScriptDirectories::test_scripts_dirs_have_python_files— was rejecting valid skills shipping.mjs/.js/.ts/.shscripts (e.g.,full-page-screenshot). Now accepts any executable script extension while keeping the "scripts/ dir is non-empty" intent.- #608, #609 — Count claims aligned to ground-truth. Every metric in
CLAUDE.md,README.md,docs/,mkdocs.yml, and.claude-plugin/marketplace.jsonnow reproduces from a deterministicfindorpython3 -c "import json"command. Stale claims of "188 skills", "30 agents", "3 personas", "235 skills" (current-state) were replaced with file-system truth. Per-domain marketplace breakdown also reconciled: engineering-advanced 40→67 unique, engineering-core 32→51, marketing 44→45, c-level 28→34, product 13→17, finance 3→4. Domains ra-qm-team (14), project-management (9), business-growth (5) unchanged. - skill-security-auditor — self-skip false positives via
noqadirective (the auditor was flagging its own scanner code).
6 New Security Skills (engineering-team):
- adversarial-reviewer — Adversarial code review with 3 hostile personas (Saboteur, New Hire, Security Auditor) to break self-review monoculture
- ai-security — ATLAS-mapped prompt injection detection, model inversion & data poisoning risk scoring (
ai_threat_scanner.py) - cloud-security — IAM privilege escalation paths, S3 public access checks, security group detection across AWS/Azure/GCP (
cloud_posture_check.py) - incident-response — SEV1-SEV4 triage, 14-type incident taxonomy, NIST SP 800-61 forensics (
incident_triage.py) - red-team — MITRE ATT&CK kill-chain planning, effort scoring, choke point identification (
engagement_planner.py) - threat-detection — Hypothesis-driven threat hunting, IOC sweep generation, z-score anomaly detection (
threat_signal_analyzer.py)
1 New Engineering Skill (engineering/):
- self-eval — Honest AI work quality evaluation with two-axis scoring (substance + execution), score inflation detection, devil's advocate reasoning, and session persistence
1 New Engineering Skill (engineering-team/):
- snowflake-development — Snowflake data warehouse development, SQL optimization, and data pipeline patterns
- Total skills: 205 → 223 across 9 domains
- Python tools: 268 → 298 CLI scripts (all stdlib-only, verified)
- Reference guides: 384 → 416
- Agents: 16 → 23
- Commands: 19 → 22
- Engineering Core: 30 → 36 skills
- Engineering POWERFUL: 35 → 36 skills
- MkDocs docs site: 269 generated pages, 301 HTML pages
- All domain plugin.json files updated to v2.2.0
- Marketplace description updated with new skill counts
- Codex CLI and Gemini CLI indexes re-synced
- Root CLAUDE.md, README.md, docs/index.md, docs/getting-started.md updated with new counts
- engineering-team/CLAUDE.md updated with security skills section
- mkdocs.yml site_description updated
- New skill docs pages auto-generated for all 8 new skills
- All existing SKILL.md files, scripts, and references unchanged
- No skill removals or renames
- Plugin source paths unchanged — existing installations will not break
- All new skills are additive only
2.1.2 - 2026-03-10
Landing Page Generator — TSX + Brand Voice Integration:
- Landing page scaffolder now defaults to Next.js/React TSX output with Tailwind CSS (HTML preserved via
--format html) - 4 Tailwind design styles:
dark-saas,clean-minimal,bold-startup,enterprisewith complete class mappings - 7 section generators: nav, hero, features, testimonials, pricing, CTA, footer
- Brand voice integration: generation workflow now includes brand voice analysis (step 2) using
marketing-skill/content-production/scripts/brand_voice_analyzer.pyto map voice profile to design style + copy framework - Added Related Skills cross-references to SKILL.md
Documentation Updates:
product-team/CLAUDE.md— Added Workflow 4 (Brand-Aligned Landing Page), updated scaffolder section with TSX docs, added Cross-Domain Integration sectionproduct-team/README.md— Fixed ghost script references (removed 7 scripts that never existed), corrected skill/tool/agent/command countsproduct-team/.codex/instructions.md— Added brand voice cross-domain workflow and TSX default note
- competitive-teardown/SKILL.md — Fixed 6 broken file references (
DATA_COLLECTION.md→references/data-collection-guide.md,TEMPLATES.md→references/analysis-templates.md) - saas-scaffolder/scripts/project_bootstrapper.py — Fixed f-string backslash syntax incompatible with Python <3.12
- 237 Python scripts verified — All pass
--helpwithout errors (previous session fixed 25 scripts across all domains)
landing-page-generator/SKILL.md— Brand voice analysis as prerequisite step in generation workflow- Codex and Gemini skill indexes re-synced with updated SKILL.md content
--format htmlstill works for landing page scaffolder (TSX is new default)- All existing script CLIs and arguments unchanged
- No skill removals or renames
- Plugin source paths unchanged — existing installations will not break
2.1.1 - 2026-03-07
18 skills optimized from 66-83% to 85-100% via tessl skill review --optimize:
| Skill | Before | After |
|---|---|---|
project-management/confluence-expert |
66% | 94% |
project-management/jira-expert |
77% | 97% |
product-team/product-strategist |
76% | 85%+ |
marketing-skill/campaign-analytics |
70% | 85%+ |
business-growth/customer-success-manager |
70% | 85%+ |
business-growth/revenue-operations |
70% | 85%+ |
finance/financial-analyst |
70% | 85%+ |
engineering-team/senior-secops |
75% | 94% |
marketing-skill/prompt-engineer-toolkit |
79% | 90% |
ra-qm-team/quality-manager-qms-iso13485 |
76% | 85%+ |
engineering-team/senior-security |
80% | 93% |
engineering-team/playwright-pro |
82% | 100% |
engineering-team/senior-backend |
83% | 100% |
engineering-team/senior-qa |
83% | 100% |
engineering-team/senior-ml-engineer |
82% | 99% |
engineering-team/ms365-tenant-manager |
83% | 100% |
engineering-team/aws-solution-architect |
83% | 94% |
c-level-advisor/cto-advisor |
82% | 99% |
marketing-skill/marketing-demand-acquisition |
72% | 99% |
- Created missing
finance/financial-analyst/references/industry-adaptations.md(reference was declared but file didn't exist) - Removed dead
project-management/packaged-skills/folder (zip files redundant)
SKILL_PIPELINE.md— Mandatory 9-phase production pipeline for all skill work
- Claude Code compliance: 18/18 pass (after fix)
- All YAML frontmatter valid
- All file references resolve
- All SKILL.md files under 500 lines
- skill-security-auditor (POWERFUL tier) — Security audit and vulnerability scanner for AI agent skills. Scans for malicious code, prompt injection, data exfiltration, supply chain risks, and privilege escalation. Zero dependencies, PASS/WARN/FAIL verdicts.
engineering/git-worktree-managerenhancements:- Added
scripts/worktree_manager.py(worktree creation, port allocation, env sync, optional dependency install) - Added
scripts/worktree_cleanup.py(stale/dirty/merged analysis with safe cleanup options) - Added extracted references and new skill README
- Added
engineering/mcp-server-builderenhancements:- Added
scripts/openapi_to_mcp.py(OpenAPI -> MCP manifest + scaffold generation) - Added
scripts/mcp_validator.py(tool definition validation and strict checks) - Extracted templates/guides into references and added skill README
- Added
engineering/changelog-generatorenhancements:- Added
scripts/generate_changelog.py(conventional commit parsing + Keep a Changelog rendering) - Added
scripts/commit_linter.py(strict conventional commit validation) - Extracted CI/format/monorepo docs into references and added skill README
- Added
engineering/ci-cd-pipeline-builderenhancements:- Added
scripts/stack_detector.py(stack and tooling detection) - Added
scripts/pipeline_generator.py(GitHub Actions / GitLab CI YAML generation) - Extracted platform templates into references and added skill README
- Added
marketing-skill/prompt-engineer-toolkitenhancements:- Added
scripts/prompt_tester.py(A/B prompt evaluation with per-case scoring) - Added
scripts/prompt_versioner.py(prompt history, diff, changelog management) - Extracted prompt libraries/guides into references and added skill README
- Added
- Refactored the five enhanced skills to slim, workflow-first
SKILL.mddocuments aligned to Anthropic best practices. - Updated
engineering/.claude-plugin/plugin.jsonmetadata:- Description now reflects 25 advanced engineering skills
- Version bumped from
1.0.0to1.1.0
- Updated root
README.mdwith a dedicated "Recently Enhanced Skills" section.
- Complete Anthropic best practices refactoring (5/42 skills remaining)
- Production Python tools for remaining RA/QM skills
- Marketing expansion: SEO Optimizer, Social Media Manager skills
2.0.0 - 2026-02-16
A new tier of advanced, deeply-engineered skills with comprehensive tooling:
- incident-commander — Incident response playbook with severity classifier, timeline reconstructor, and PIR generator
- tech-debt-tracker — Codebase debt scanner with AST parsing, debt prioritizer, and trend dashboard
- api-design-reviewer — REST API linter, breaking change detector, and API design scorecard
- interview-system-designer — Interview loop designer, question bank generator, and hiring calibrator
- migration-architect — Migration planner, compatibility checker, and rollback generator
- observability-designer — SLO designer, alert optimizer, and dashboard generator
- dependency-auditor — Multi-language dependency scanner, license compliance checker, and upgrade planner
- release-manager — Automated changelog generator, semantic version bumper, and release readiness checker
- database-designer — Schema analyzer with ERD generation, index optimizer, and migration generator
- rag-architect — RAG pipeline builder, chunking optimizer, and retrieval evaluator
- agent-designer — Multi-agent architect, tool schema generator, and agent performance evaluator
- skill-tester — Meta-skill validator, script tester, and quality scorer
- agent-workflow-designer — Multi-agent orchestration system designer with sequential, parallel, router, orchestrator, and evaluator patterns
- api-test-suite-builder — API route scanner and test suite generator across frameworks (Next.js, Express, FastAPI, Django REST)
- changelog-generator — Conventional commit parser, semantic version bumper, and structured changelog generator
- ci-cd-pipeline-builder — Stack-aware CI/CD pipeline generator for GitHub Actions, GitLab CI, and more
- codebase-onboarding — Codebase analyzer and onboarding documentation generator for new team members
- database-schema-designer — Database schema design and modeling tool with migration support
- env-secrets-manager — Environment and secrets management across dev/staging/prod lifecycle
- git-worktree-manager — Systematic Git worktree management for parallel development workflows
- mcp-server-builder — MCP (Model Context Protocol) server scaffolder and implementation guide
- monorepo-navigator — Monorepo management for Turborepo, Nx, pnpm workspaces, and Lerna
- performance-profiler — Systematic performance profiling for Node.js, Python, and Go applications
- pr-review-expert — Structured code review for GitHub PRs and GitLab MRs with systematic analysis
- runbook-generator — Production-grade operational runbook generator with stack detection
- business-growth domain (3 skills):
customer-success-manager— Onboarding, retention, expansion, health scoring (2 Python tools)sales-engineer— Technical sales, solution design, RFP responses (2 Python tools)revenue-operations— Pipeline analytics, forecasting, process optimization (2 Python tools)
- finance domain (1 skill):
financial-analyst— DCF valuation, budgeting, forecasting, financial modeling (3 Python tools)
- marketing addition:
campaign-analytics— Multi-touch attribution, funnel conversion, campaign ROI (3 Python tools)
Major rewrite of existing skills following Anthropic's agent skills specification. Each refactored skill received:
- Professional metadata (license, version, category, domain, keywords)
- Trigger phrases for better Claude activation
- Table of contents with proper section navigation
- Numbered workflows with validation checkpoints
- Progressive Disclosure Architecture (PDA)
- Concise SKILL.md (<200 lines target) with layered reference files
Engineering skills refactored (14):
senior-architect,senior-frontend,senior-backend,senior-fullstacksenior-qa,senior-secops,senior-security,code-reviewersenior-data-engineer,senior-computer-vision,senior-ml-engineersenior-prompt-engineer,tdd-guide,tech-stack-evaluator
Product & PM skills refactored (5):
product-manager-toolkit,product-strategist,agile-product-ownerux-researcher-designer,ui-design-system
RA/QM skills refactored (12):
regulatory-affairs-head,quality-manager-qmr,quality-manager-qms-iso13485capa-officer,quality-documentation-manager,risk-management-specialistinformation-security-manager-iso27001,mdr-745-specialist,fda-consultant-specialistqms-audit-expert,isms-audit-expert,gdpr-dsgvo-expert
Marketing skills refactored (4):
marketing-demand-acquisition,marketing-strategy-pmmcontent-creator,app-store-optimization
Other refactored (2):
aws-solution-architect,ms365-tenant-manager
scrum-masterandsenior-pmelevated to POWERFUL tier — PR #190
- OpenAI Codex support — Full compatibility without restructuring — PR #43, #45, #47
- Claude Code native marketplace —
marketplace.jsonand plugin support — PR #182, #185 - Codex skills sync — Automated symlink workflow for Codex integration
- 86 total skills across 9 domains (up from 42 across 6)
- 92+ Python automation tools (up from 20+)
- 26 POWERFUL-tier skills in
engineering/domain (including skill-security-auditor) - 37/42 original skills refactored to Anthropic best practices
- CI workflows (
smart-sync.yml,pr-issue-auto-close.yml) — PR #193 - Installation documentation (Issue #189) — PR #193
- Plugin JSON with correct counts and missing domains — PR #186
- PM skills extracted from zips into standard directories — PR #184, #185
- Marketing skill count corrected (6 total) — PR #182
- Codex skills sync workflow fixes — PR #178, #179, #180
social-media-analyzerrestructured with proper organization — PR #147, #151
1.1.0 - 2025-10-21 - Anthropic Best Practices Refactoring (Phase 1)
Enhanced with Anthropic Agent Skills Specification:
Marketing Skills (3 skills):
- Added professional metadata (license, version, category, domain)
- Added keywords sections for better discovery
- Enhanced descriptions with explicit triggers
- Added python-tools and tech-stack documentation
C-Level Skills (2 skills):
- Added professional metadata with frameworks
- Added keywords sections (20+ keywords per skill)
- Enhanced descriptions for better Claude activation
- Added technical and strategic terminology
documentation/implementation/SKILLS_REFACTORING_PLAN.md— Complete 4-phase refactoring roadmapdocumentation/PYTHON_TOOLS_AUDIT.md— Comprehensive tools quality assessment
Refactoring Progress: 5/42 skills complete (12%)
1.0.2 - 2025-10-21
LICENSEfile — Official MIT LicenseCONTRIBUTING.md— Contribution guidelines and standardsCODE_OF_CONDUCT.md— Community standards (Contributor Covenant 2.0)SECURITY.md— Security policy and vulnerability reportingCHANGELOG.md— Version history tracking
- Complete GitHub repository setup for open source
- Professional community health files
- Clear contribution process
- Security vulnerability handling
1.0.1 - 2025-10-21
- GitHub Star History chart to README.md
- Professional repository presentation
- README.md table of contents anchor links fixed
- Project management folder reorganized (packaged-skills/ structure)
1.0.0 - 2025-10-21
42 Production-Ready Skills across 6 Domains:
content-creator— Brand voice analyzer, SEO optimizer, content frameworksmarketing-demand-acquisition— Demand gen, paid media, CAC calculatormarketing-strategy-pmm— Positioning, GTM, competitive intelligence
ceo-advisor— Strategy analyzer, financial scenario modeling, board governancecto-advisor— Tech debt analyzer, team scaling calculator, engineering metrics
product-manager-toolkit— RICE prioritizer, interview analyzer, PRD templatesagile-product-owner— User story generator, sprint planningproduct-strategist— OKR cascade generator, strategic planningux-researcher-designer— Persona generator, user researchui-design-system— Design token generator, component architecture
senior-pm— Portfolio management, stakeholder alignmentscrum-master— Sprint ceremonies, agile coachingjira-expert— JQL mastery, configuration, dashboardsconfluence-expert— Knowledge management, documentationatlassian-admin— System administration, securityatlassian-templates— Template design, 15+ ready templates
senior-architect— Architecture diagrams, dependency analysis, ADRssenior-frontend— React components, bundle optimizationsenior-backend— API scaffolder, database migrations, load testingsenior-fullstack— Project scaffolder, code quality analyzersenior-qa— Test suite generator, coverage analyzer, E2E testssenior-devops— CI/CD pipelines, Terraform, deployment automationsenior-secops— Security scanner, vulnerability assessment, compliancecode-reviewer— PR analyzer, code quality checkersenior-security— Threat modeling, security audits, pentesting
senior-data-scientist— Experiment designer, feature engineering, statistical analysissenior-data-engineer— Pipeline orchestrator, data quality validator, ETLsenior-ml-engineer— Model deployment, MLOps setup, RAG system buildersenior-prompt-engineer— Prompt optimizer, RAG evaluator, agent orchestratorsenior-computer-vision— Vision model trainer, inference optimizer, video processor
regulatory-affairs-head— Regulatory pathway analyzer, submission trackingquality-manager-qmr— QMS effectiveness monitor, compliance dashboardsquality-manager-qms-iso13485— QMS compliance checker, design control trackercapa-officer— CAPA tracker, root cause analyzer, trend analysisquality-documentation-manager— Document version control, technical file builderrisk-management-specialist— Risk register manager, FMEA calculatorinformation-security-manager-iso27001— ISMS compliance, security risk assessmentmdr-745-specialist— MDR compliance checker, UDI generatorfda-consultant-specialist— FDA submission packager, QSR complianceqms-audit-expert— Audit planner, finding trackerisms-audit-expert— ISMS audit planner, security controls assessorgdpr-dsgvo-expert— GDPR compliance checker, DPIA generator
- Comprehensive README.md with all 42 skills
- Domain-specific README files (6 domains)
- CLAUDE.md development guide
- Installation and usage guides
- Real-world scenario walkthroughs
- 20+ verified production-ready Python CLI tools
- 90+ comprehensive reference guides
- Atlassian MCP Server integration
| Version | Date | Skills | Domains | Key Changes |
|---|---|---|---|---|
| 2.1.2 | 2026-03-10 | 170 | 9 | Landing page TSX output, brand voice integration, 25 script fixes |
| 2.1.1 | 2026-03-07 | 170 | 9 | 18 skills optimized via Tessl, YAML frontmatter, agents + commands |
| 2.0.0 | 2026-02-16 | 86 | 9 | 26 POWERFUL-tier skills, 37 refactored, Codex support, 3 new domains |
| 1.1.0 | 2025-10-21 | 42 | 6 | Anthropic best practices refactoring (5 skills) |
| 1.0.2 | 2025-10-21 | 42 | 6 | GitHub repository pages (LICENSE, CONTRIBUTING, etc.) |
| 1.0.1 | 2025-10-21 | 42 | 6 | Star History, link fixes |
| 1.0.0 | 2025-10-21 | 42 | 6 | Initial release — 42 skills, 6 domains |
- Major (x.0.0): Breaking changes, major new domains, significant architecture shifts
- Minor (1.x.0): New skills, significant enhancements
- Patch (1.0.x): Bug fixes, documentation updates, minor improvements