feat(catalog): de-vendor external skills — curated index, link to source #258

Merged: LucasSantana-Dev merged 4 commits into main from feat/catalog-v0.24.0-skill-refresh on Jun 6, 2026
LucasSantana-Dev (Owner) commented Jun 6, 2026

Summary

forgekit is a curated, useful tools list — not a re-host of every skill that exists. This stops vendoring SKILL.md body copies for skills forgekit didn't author; they become curated link-out entries instead.

Rebased onto current main (v0.28.0) — 3 focused commits, +174 / −5,937.

What changed

  • De-vendored externally-authored skills (sourced from anthropics/skills, obra/superpowers, alirezarezvani/claude-skills). Removed the vendored SKILL.md bodies that remained on main (23 files; the rest of the original set had already been culled in earlier releases). Each keeps its manifest.json with source + homepage as a curated link-out entry. forgekit-authored skills keep their bodies.
  • CLI (packages/cli/src/commands/install.ts): when a skill body isn't vendored, forge install <id> now fetches it from the upstream source on demand (raw.githubusercontent built from source.repo/ref/path) instead of erroring. Install still works — pulled from upstream, not a forgekit copy. Merged with main's existing REFERENCE.md install handling.
  • Web (apps/web/src/pages/skills/[id].astro): body-less skills render "maintained upstream — View the full skill at source ↗" with a clickable link. Merged with main's TabStrip (IDE/CLI tabs, feat(web): IDE/CLI tabs on skill detail pages #244) — own skills still render their tabbed body.
  • ADR: docs/decisions/2026-06-06-curated-index-link-dont-rehost.md — the invariant (re-host only what we authored; list-and-link everything else), alternatives, mechanism, and revisit triggers.
  • CHANGELOG: entry under [Unreleased].

Invariant going forward

A skill sourced from another repo is listed and linked, never copied. New external catalog additions ship a manifest (source + homepage), no vendored SKILL.md.

Verification

  • pnpm run catalog:validate ✅ (135 skill manifests valid; bodies not required by schema)
  • pnpm run cli:typecheck
  • pnpm run web:build ✅ (284 pages; spot-checked: brainstorming renders the source link, adt-add keeps its IDE/CLI tabs)
  • No conflict markers; mergeable: MERGEABLE against main.

Note

The branch previously carried the stale v0.24.0 batch (already shipped to main via later releases). It was rebased onto current main; only the net-new de-vendor + ADR remain.
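
An added example (not forgekit's code, and not part of the comment above) of the on-demand fetch this PR describes: a raw.githubusercontent URL built from `source.repo`/`source.ref`/`source.path`, fetched under an abort timer, with a wrong `source.path` surfacing as a 404 result. The field validation goes beyond what the PR states; the repo and ref values, the `Fetcher` type, `fetchSkillBody`, and both stubs are assumptions made for illustration.

```typescript
// Added illustration, not forgekit's install.ts. Field names follow the manifest
// keys quoted in this thread; repo/ref values below are constructed placeholders.
interface SkillSource { repo: string; ref: string; path: string }
interface BodyResponse { ok: boolean; status: number; text(): Promise<string> }
// Same call shape as global fetch, declared locally so a stub can replace it.
type Fetcher = (url: string, init: { signal: AbortSignal }) => Promise<BodyResponse>;
type FetchResult =
  | { ok: true; url: string; body: string }
  | { ok: false; url: string | null; reason: string };

const REPO_RE = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/; // assumption: "owner/name"
const REF_RE = /^[A-Za-z0-9_.\/-]+$/; // assumption: branch, tag or commit SHA

// Hypothetical counterpart of the rawSourceUrl(source) helper named in the review.
// Returns null when a manifest field could steer the request off the intended file.
function rawSourceUrl(source: SkillSource): string | null {
  if (!REPO_RE.test(source.repo) || !REF_RE.test(source.ref)) return null;
  const pathSegments = source.path.split("/");
  const all = source.repo.split("/").concat(source.ref.split("/"), pathSegments);
  // Empty, "." and ".." segments would let the URL normalise to another location.
  if (all.some((s) => s === "" || s === "." || s === "..")) return null;
  const path = pathSegments.map((s) => encodeURIComponent(s)).join("/");
  return `https://raw.githubusercontent.com/${source.repo}/${source.ref}/${path}`;
}

// Bounded fetch: a stalled or failing upstream becomes a result, never a hang.
async function fetchSkillBody(
  source: SkillSource,
  fetcher: Fetcher,
  timeoutMs = 10000,
): Promise<FetchResult> {
  const url = rawSourceUrl(source);
  if (url === null) return { ok: false, url: null, reason: "invalid source metadata" };
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetcher(url, { signal: controller.signal });
    if (!res.ok) return { ok: false, url, reason: `HTTP ${res.status}` };
    return { ok: true, url, body: await res.text() };
  } catch {
    const reason = controller.signal.aborted ? "timeout" : "network error";
    return { ok: false, url, reason };
  } finally {
    clearTimeout(timer); // avoid leaving the timer armed after the fetch settles
  }
}

// Constructed stand-in for the upstream host: one file exists, the rest are 404.
const UPSTREAM: Record<string, string> = {
  "https://raw.githubusercontent.com/example-org/example-kit/main/packages/core/kit/core/skills/ci-watch.md":
    "# ci-watch (constructed body)",
};
const stubFetch: Fetcher = async (url) => {
  const body = UPSTREAM[url];
  return body === undefined
    ? { ok: false, status: 404, text: async () => "" }
    : { ok: true, status: 200, text: async () => body };
};
// Constructed upstream that never answers; it only rejects once aborted.
const hangingFetch: Fetcher = (_url, init) =>
  new Promise<BodyResponse>((_resolve, reject) => {
    init.signal.addEventListener("abort", () => reject(new Error("aborted")));
  });

const base = { repo: "example-org/example-kit", ref: "main" };

async function demo(): Promise<string[]> {
  const cases: Array<[string, Promise<FetchResult>]> = [
    ["path without packages/core/ prefix",
      fetchSkillBody({ ...base, path: "kit/core/skills/ci-watch.md" }, stubFetch)],
    ["corrected path",
      fetchSkillBody({ ...base, path: "packages/core/kit/core/skills/ci-watch.md" }, stubFetch)],
    ["stalled upstream",
      fetchSkillBody({ ...base, path: "packages/core/kit/core/skills/ci-watch.md" }, hangingFetch, 20)],
    ["traversal in path",
      fetchSkillBody({ ...base, path: "../../other-org/other-repo/main/SKILL.md" }, stubFetch)],
  ];
  const lines: string[] = [];
  for (const [label, pending] of cases) {
    const r = await pending;
    lines.push(`${label}: ${r.ok ? "fetched" : r.reason}`);
  }
  return lines;
}

demo().then((lines) => console.log(lines.join("\n")));
```

In a real CLI the `fetcher` argument would be the runtime's own `fetch`; the stubs exist only so the example runs offline.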

coderabbitai Bot commented Jun 6, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between c098909 and 19cf27d.

📒 Files selected for processing (6)
  • CHANGELOG.md
  • apps/web/src/pages/skills/[id].astro
  • docs/decisions/2026-06-06-curated-index-link-dont-rehost.md
  • packages/catalog/catalog/skills/brainstorming/SKILL.md
  • packages/catalog/catalog/skills/claude-api/SKILL.md
  • packages/catalog/catalog/skills/doc-coauthoring/SKILL.md
Walkthrough

This release transitions the catalog from vendored external skill documentation to link-out manifests with on-demand upstream fetching. Seven new forgekit-authored skills are introduced, catalog entries expand with new agents and MCP servers, 26 previously-orphaned skills are wired into thematic collections, and the web and CLI are updated to fetch and display upstream content dynamically.

Changes

v0.24.0 Link-Out Skills Release

| Layer / File(s) | Summary |
|---|---|
| **Release notes and version bump**<br>`CHANGELOG.md`, `docs/decisions/2026-06-06-curated-index-link-dont-rehost.md`, `package.json` | v0.24.0 release documentation records the decision to link-out external skills rather than rehost them, and version is bumped from 0.23.0 to 0.24.0 with ajv dev dependency added. |
| **Catalog index expansion with new entries**<br>`packages/catalog/catalog/index.json` | 7 new environment agent entries, 13 new collection definitions (including api-and-mcp-development, infrastructure-and-devops, token-and-context-optimization), new MCP servers (context-mode, fetch, filesystem, firecrawl, git, google-drive, rag-index, ssh, sonarqube, tavily), and ~40+ new skill entries with extensive description updates for existing catalog elements. |
| **Collection definitions and skill references**<br>`packages/catalog/catalog/collections/*.yaml` | Nine YAML collection files wire 26 previously-orphaned skills into curated groups: claude-code-power-user, infrastructure-and-devops, multi-agent-orchestration, professional-work-toolkit, release-and-deploy, spec-and-planning, token-and-context-optimization, verification-review-gate, and web-app-development. |
| **New forgekit-authored skills**<br>`packages/catalog/catalog/skills/adt-{ci-watch,force-merge-self-pr,next-priority,parallel-investigate,sync-memories,unstick-pr,knowledge-loop}/*`, manifest and SKILL.md pairs | Seven new skills introduce CI diagnostics, branch protection bypass, action prioritization, parallel investigation, memory sync, webhook desync recovery, and knowledge capture, each with catalog documentation, manifest metadata (including pt-BR translations), and procedural guidance. |
| **De-vendoring external skill documentation**<br>`packages/catalog/catalog/skills/{brainstorming,claude-api,dispatching-parallel-agents,...,writing-skills,xlsx}/SKILL.md` | 28 externally-authored skill documentation files are removed, transitioning them from vendored re-hosted content to manifest-only references that link to upstream sources. |
| **Updates to existing forgekit skills**<br>`packages/catalog/catalog/skills/adt-{loop,plan,rag-curate,knowledge-loop}/SKILL.md` | Five existing skills receive substantial updates: loop spec rewritten to inspect→act→verify→checkpoint, plan template restructured with extend/supersede rules, rag-curate reorganized into curation patterns and gap-filling cheatsheet, and knowledge-loop enriched with metadata and worked examples. |
| **Web UI conditional rendering for upstream skills**<br>`apps/web/src/pages/skills/[id].astro` | Template computes hasBody to determine whether a skill has vendored markdown, derives sourceUrl and sourceLabel from skill metadata, and conditionally renders either the article or a "maintained upstream" message with a link to the upstream skill. |
| **CLI skill installation with upstream fetching**<br>`packages/cli/src/commands/install.ts` | Install flow enhanced to fetch SKILL.md from upstream GitHub raw URLs when not present locally; includes new rawSourceUrl(source) helper to construct raw GitHub URLs and handles missing source metadata with error guidance. |
| **Core skill markdown documentation**<br>`packages/core/kit/core/skills/{ci-watch,force-merge-self-pr,knowledge-loop,loop,next-priority,parallel-investigate,plan,rag-curate,sync-memories,unstick-pr}.md` | Comprehensive skill documentation across 10 core skills defines triggers, procedures, stop conditions, output contracts, worked examples, and operational guidance for CI diagnostics, PR recovery, memory systems, loop iteration, priority selection, parallel agents, planning, RAG curation, and webhook desync recovery. |

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • LucasSantana-Dev/forgekit#182: Both introduce v0.24.0 catalog/skill refresh with the same set of new skills (adt-ci-watch, adt-next-priority, adt-sync-memories, adt-force-merge-self-pr, adt-unstick-pr, adt-parallel-investigate, adt-rag-curate) and matching SKILL.md/manifest.json definitions.
  • LucasSantana-Dev/forgekit#211: Both modify the installSkill function in packages/cli/src/commands/install.ts to handle optional/external skill files during installation—this PR adds upstream SKILL.md fetching while PR #211 adds conditional REFERENCE.md installation.

…e-host

forgekit is a curated tools list, not a re-host of every skill. Remove the
vendored SKILL.md body copies (~365KB) of 37 skills sourced from other repos
(anthropics/skills, obra/superpowers, alirezarezvani/claude-skills). Their
catalog manifests stay as curated link-out entries (source.repo + homepage).

forgekit-own skills (86) and unsourced skills (32) keep their bodies — only
externally-authored skills are de-vendored.

Supporting changes so install + web degrade into "link to source":
- cli/install: when a skill body isn't vendored, fetch it from the upstream
  source on demand (raw.githubusercontent from source.repo/ref/path) instead
  of erroring. `forge install <external-skill>` still works, pulling from
  upstream rather than a forgekit copy.
- web/skills/[id]: render "maintained upstream — view at source ↗" with a
  clickable source link when no body is vendored; own skills render unchanged.

Verified: catalog:validate ✅, cli:typecheck ✅, web:build ✅ (297 pages;
external pages render the source link, own pages render their body).
index.json regen left out — it carries unrelated pre-existing branch drift
(195→281); de-vendoring removes bodies only, which aren't in the index.

Capture the rationale for de-vendoring the 37 externally-authored skills:
forgekit re-hosts only content it authored; external skills are listed and
linked (manifest + source + homepage), never copied. Records alternatives,
the install/web link-out mechanism, the invariant for future additions, and
revisit triggers (link rot, skills.sh API, on-demand-fetch fragility).
@LucasSantana-Dev LucasSantana-Dev force-pushed the feat/catalog-v0.24.0-skill-refresh branch from c098909 to dd7976f Compare June 6, 2026 18:54

LucasSantana-Dev changed the title from "feat(catalog): v0.24.0 — curated index, de-vendor external skills, +7 ops skills" to "feat(catalog): de-vendor external skills — curated index, link to source" on Jun 6, 2026

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 18

🧹 Nitpick comments (6)
packages/core/kit/core/skills/knowledge-loop.md (1)

82-93: ⚡ Quick win

Add language identifier to fenced code block.

The worked example code block should specify a language identifier for proper syntax highlighting.

📝 Proposed fix
-```
+```text
 KNOWLEDGE LOOP — token optimization rounds 1-4
   Recalled:  3 hits, top cos 0.50 (skill: recall)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/kit/core/skills/knowledge-loop.md` around lines 82 - 93, The
fenced code block in knowledge-loop.md containing the "KNOWLEDGE LOOP — token
optimization rounds 1-4" example needs a language identifier for proper
highlighting; edit the opening fence for that block (the triple backticks before
"KNOWLEDGE LOOP — token optimization rounds 1-4") to include a language token
such as "text" or "md" (e.g., change ``` to ```text) so the block receives
correct syntax highlighting while leaving the block contents unchanged.
packages/core/kit/core/skills/next-priority.md (1)

49-49: ⚡ Quick win

Consider referencing force-merge-self-pr skill instead of duplicating the pattern.

The enforce_admins toggle pattern described here is fully documented in force-merge-self-pr.md. To avoid maintenance drift, consider replacing the inline description with a reference like: "Branch protection requires review you can't give yourself. If enforce_admins: true → use force-merge-self-pr skill."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/kit/core/skills/next-priority.md` at line 49, The duplicated
branch-protection/unblock pattern in next-priority.md should reference the
existing skill instead of repeating instructions: replace the inline description
"If `enforce_admins: true` → `DELETE .../enforce_admins` → admin-merge →
re-`POST` to re-enable" with a concise cross-reference to the documented skill
(e.g., "use `force-merge-self-pr` skill" or "see force-merge-self-pr.md"), so
update next-priority.md to call out the `force-merge-self-pr` skill and remove
the duplicated pattern to avoid maintenance drift.
packages/core/kit/core/skills/parallel-investigate.md (1)

38-46: ⚡ Quick win

Add language identifier to fenced code block.

The example prompt template should specify a language identifier (e.g., text or markdown) for proper rendering.

📝 Proposed fix
-```
+```text
 Target: <repo or PR identifier>
 Task: <one specific question>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/kit/core/skills/parallel-investigate.md` around lines 38 - 46,
The fenced code block in the example prompt template within
parallel-investigate.md lacks a language identifier; update the opening
triple-backtick to include a language (e.g., change "```" to "```text" or
"```markdown") so the snippet renders correctly. Locate the prompt template
block in packages/core/kit/core/skills/parallel-investigate.md (the snippet
beginning with "Target: <repo or PR identifier>") and modify the first fence to
include the chosen language identifier, leaving the rest of the content
unchanged.
packages/core/kit/core/skills/ci-watch.md (1)

49-52: ⚡ Quick win

Add language identifier to fenced code block.

The Monitor command example should specify a language (e.g., bash or shell) for proper syntax highlighting and tooling support.

📝 Proposed fix
-```
+```bash
 Monitor command: until s=$(gh pr view N --json statusCheckRollup); \
   pend=$(echo "$s" | python3 -c "..."); [ "$pend" = "0" ]; do sleep 15; done
</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @packages/core/kit/core/skills/ci-watch.md around lines 49 - 52, The fenced
code block containing the "Monitor command" example is missing a language
identifier; update the triple-backtick fence surrounding the Monitor command
(the block that starts with "Monitor command: until s=$(gh pr view N --json
statusCheckRollup); ...") to include a language tag such as bash or shell (e.g.,

packages/catalog/catalog/skills/adt-ci-watch/SKILL.md (2)

46-54: 💤 Low value

Add language specifier to fenced code block.

The code block starting at line 49 should specify a language for proper syntax highlighting.

♻️ Suggested fix
-```
+```bash
 Monitor command: until s=$(gh pr view N --json statusCheckRollup); \
   pend=$(echo "$s" | python3 -c "..."); [ "$pend" = "0" ]; do sleep 15; done

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @packages/catalog/catalog/skills/adt-ci-watch/SKILL.md around lines 46 - 54,
Add a language specifier to the fenced code block containing the Monitor command
(the block beginning with "Monitor command: until s=$(gh pr view N --json
statusCheckRollup); ...") by changing the opening triple backticks to include
"bash" so the block becomes ```bash to enable proper syntax highlighting.


</details>

---

`25-30`: _💤 Low value_

**Consider rewording to avoid repetition.**

The output list uses "likely" twice in succession ("likely cause" and "likely owner surface"), which reads awkwardly. Consider using a synonym or rephrasing one of them.





<details>
<summary>♻️ Suggested rewording</summary>

```diff
 Return:
 - failing job
 - first bad signal
 - likely cause
-- likely owner surface
+- owner surface
 - smallest viable fix
 - whether it blocks shipping now
```

</details>

<details>
<summary>🤖 Prompt for AI Agents</summary>

```
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-ci-watch/SKILL.md` around lines 25 - 30,
The list in SKILL.md repeats "likely" in the items "likely cause" and "likely
owner surface"; change one phrase to avoid repetition and improve clarity (for
example rename "likely owner surface" to "probable owner", "owner contact", or
"owner surface area"), and update any surrounding bullets ("failing job", "first
bad signal", "smallest viable fix", "whether it blocks shipping now") to keep
parallel phrasing and tone consistent across the bulleted list.
```

</details>

</blockquote></details>

</blockquote></details>

<details>
<summary>🤖 Prompt for all review comments with AI agents</summary>

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @apps/web/src/pages/skills/[id].astro:

In @CHANGELOG.md:

  • Around line 7-9: Promote the existing "## [Unreleased]" section into the
    released heading instead of adding new content directly: move the changes
    currently under "## [Unreleased]" into the "## [0.24.0] - 2026-05-14" section
    (ensure the content under the unreleased heading becomes the body of the 0.24.0
    section) and then recreate an empty top "## [Unreleased]" heading above it; use
    the headings "## [Unreleased]" and "## [0.24.0] - 2026-05-14" to locate where to
    move and recreate content.

In @docs/decisions/2026-06-06-curated-index-link-dont-rehost.md:

  • Line 3: The ADR file 2026-06-06-curated-index-link-dont-rehost.md has a date
    after the release it documents; update the ADR date or the changelog release
    date so they are consistent. Open 2026-06-06-curated-index-link-dont-rehost.md
    and change the "Date: 2026-06-06" header to a date on or before 2026-05-14
    if the decision was made before that release, or if the release date in
    CHANGELOG.md (the v0.24.0 entry) is incorrect, update the CHANGELOG.md v0.24.0
    date to the actual release date; ensure the ADR filename and its front-matter
    date agree with the chosen corrected date.

In @packages/catalog/catalog/index.json:

  • Line 3539: The "pptx" skill description in packages/catalog/catalog/index.json
    is truncated mid-word ("slid"), indicating the index generator is enforcing an
    ~500-char ceiling; update the generator to stop truncating or raise the limit
    and regenerate the index so the full description (e.g., ending with "slides") is
    stored. Locate the index generation logic (the routine that writes the
    "description" field for skills, often named something like generateIndex or
    buildCatalog) and remove or increase the hard-coded character limit, then re-run
    the generator so the "pptx" entry's description field contains the complete
    sentence instead of the truncated "slid".
  • Line 3848: The catalog entry for the xlsx skill has its description
    truncated (ends with "the xlsx in my"), so update the indexing pipeline to
    preserve full descriptions: inspect generate-index.ts (look for functions like
    generateIndex(), buildCatalog(), or any helper named
    truncateDescription/shorten) and remove or increase the hard limit that slices
    description fields, or change the logic to pull the full description from each
    skill manifest instead of applying substring. Also verify the original skill
    manifest's description field contains the full text and ensure generateIndex()
    writes that full field into the catalog JSON.
  • Line 2949: The catalog entry for the claude-api skill has a truncated
    description ending with "(O" because the source description is cut off in the
    skill manifest; open the claude-api source SKILL.md (referenced by
    packages/catalog/catalog/skills/claude-api/manifest.json) and restore the full
    description text, then regenerate or update the manifest/agent importer so the
    complete description is written into the manifest's "description" field and thus
    into packages/catalog/catalog/index.json; ensure the "description" string in
    manifest.json (and SKILL.md if edited) contains the full sentence and re-run the
    catalog generator to propagate the fix.
  • Line 1128: The "description" field for the rtk-rewrite hook is truncated;
    locate the rtk-rewrite manifest (manifest.json) and the generated catalog entry
    that sets the "description" property and replace the truncated text with the
    full exit-code protocol text (ensure the full sentences for codes 0,1,2, etc.
    are included). Ensure the source of truth for the description (the hook's
    manifest or the generator that reads it) emits the complete string (no
    slicing/truncation), update the generator or manifest so the "description" value
    is stored and copied verbatim, and add/adjust any serialization that previously
    truncated the string to preserve the full text for the rtk-rewrite hook.

In @packages/catalog/catalog/skills/adt-ci-watch/manifest.json:

  • Around line 15-23: The manifest's source.path is incorrect and causes a 404;
    update the "source.path" value in
    packages/catalog/catalog/skills/adt-ci-watch/manifest.json from
    "kit/core/skills/ci-watch.md" to "packages/core/kit/core/skills/ci-watch.md" so
    the CLI can fetch the real file body (verify against the existing "homepage"
    value and ensure "source.type" and "source.repo" remain unchanged).

In @packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json:

  • Around line 15-23: The manifest.json in adt-force-merge-self-pr has incorrect
    upstream references: update the "source.path" value (currently
    "kit/core/skills/force-merge-self-pr.md") and the "homepage" value (currently
    pointing to ".../packages/core/kit/core/skills/force-merge-self-pr.md") to the
    real existing file path in the upstream repo or change "ref" to the correct
    branch where those files live; locate and fix the "source.path" and "homepage"
    keys in packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json to
    point to the valid raw.githubusercontent.com URLs (or valid repo paths) so both
    links resolve without 404s.

In @packages/catalog/catalog/skills/adt-knowledge-loop/SKILL.md:

  • Around line 75-86: The fenced code block containing the "KNOWLEDGE LOOP —
    token optimization rounds 1-4" text is missing a language identifier and
    triggers MD040; fix it by changing the opening fence from ``` to ```text for
    that block in SKILL.md so the linter recognizes it (update the block that begins
    with "KNOWLEDGE LOOP — token optimization rounds 1-4" and its surrounding
    triple-backtick markers).

In @packages/catalog/catalog/skills/adt-next-priority/manifest.json:

  • Around line 16-24: The manifest's source.path is incorrect: update the
    "source.path" value in the manifest.json from "kit/core/skills/next-priority.md"
    to "packages/core/kit/core/skills/next-priority.md" so the git fetch points to
    the actual file, and review any other URL/fetch fields (e.g., "homepage" or any
    other "source" related fields) to ensure they use the same packages/core/...
    path format so the CLI can retrieve the skill markdown successfully.

In @packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json:

  • Around line 16-24: The manifest's source.path in
    packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json is
    incorrect and will cause the CLI to 404; update the "source.path" value to
    include the missing packages/core/ prefix (set it to
    "packages/core/kit/core/skills/parallel-investigate.md") and also update the
    "homepage" field to the matching path if present, ensuring both
    manifest.source.path and manifest.homepage point to the actual upstream
    locations so the CLI/raw GitHub requests succeed.

In @packages/catalog/catalog/skills/adt-parallel-investigate/SKILL.md:

  • Around line 38-46: The fenced code block in SKILL.md containing the "Target:
    ..." snippet is missing a language identifier; update
    that markdown fence to include "text" (i.e., change the opening ``` to ```text)
    so the linter warning is resolved and rendering is consistent for the block
    starting with "Target: ".

In @packages/catalog/catalog/skills/adt-sync-memories/manifest.json:

  • Around line 17-25: Update the manifest.json's source.path field to include the
    missing packages/core/ prefix so the CLI can fetch the raw file; specifically
    change the "source.path" value from "kit/core/skills/sync-memories.md" to
    "packages/core/kit/core/skills/sync-memories.md" (leave "source.type",
    "source.repo", "source.ref" and "homepage" unchanged) so the file location
    matches the homepage and repository layout.

In @packages/catalog/catalog/skills/adt-unstick-pr/manifest.json:

  • Around line 15-23: The manifest.json's source.path is missing the
    packages/core/ prefix which will break CLI install; update the "source.path"
    value in this manifest.json (the source.path property) from
    "kit/core/skills/unstick-pr.md" to "packages/core/kit/core/skills/unstick-pr.md"
    so it matches the homepage URL and other skills' paths and ensures the CLI can
    locate the file.

In @packages/cli/src/commands/install.ts:

  • Around line 77-84: The fetch call for external skills (const res = await
    fetch(url);) can throw or stall; wrap it in a try/catch and use an
    AbortController-based timeout to avoid hanging. Create an AbortController, set a
    timer (e.g., setTimeout) that calls controller.abort() after a reasonable
    timeout, pass controller.signal to fetch(url, { signal }), and then await fetch
    inside try/catch; on catch or if the fetch throws due to abort, log the same
    error messages currently used for non-ok responses (the console.error lines
    referencing id, url, manifest) and call process.exit(1); finally clear the
    timeout when fetch completes to avoid leaks. Ensure you only change the block
    around fetch(url) and keep existing res.ok handling and messages intact.

In @packages/core/kit/core/skills/knowledge-loop.md:

  • Line 16: The metadata contains a hard-coded user path in the canonical_source
    frontmatter; remove or replace that literal path by deleting the
    canonical_source entry or replacing its value with a generic placeholder (e.g.,
    "~/.claude/skills/knowledge-loop") so it no longer exposes a developer username;
    update the canonical_source field in the top-level frontmatter of the file (the
    canonical_source key) accordingly.

In @packages/core/kit/core/skills/sync-memories.md:

  • Line 15: The file contains a hardcoded absolute path in the frontmatter field
    canonical_source which must be removed or made portable; edit the
    canonical_source entry in the markdown frontmatter (the canonical_source
    key) and either delete the field entirely or replace the absolute path with a
    repository-relative path (e.g., ./skills/sync-memories or a relative docs
    path) so no machine-specific filesystem paths remain in version control.

Nitpick comments:
In @packages/catalog/catalog/skills/adt-ci-watch/SKILL.md:

  • Around line 46-54: Add a language specifier to the fenced code block
    containing the Monitor command (the block beginning with "Monitor command: until
    s=$(gh pr view N --json statusCheckRollup); ...") by changing the opening triple
    backticks to include "bash" so the block becomes ```bash to enable proper syntax
    highlighting.
  • Around line 25-30: The list in SKILL.md repeats "likely" in the items "likely
    cause" and "likely owner surface"; change one phrase to avoid repetition and
    improve clarity (for example rename "likely owner surface" to "probable owner",
    "owner contact", or "owner surface area"), and update any surrounding bullets
    ("failing job", "first bad signal", "smallest viable fix", "whether it blocks
    shipping now") to keep parallel phrasing and tone consistent across the bulleted
    list.

In @packages/core/kit/core/skills/ci-watch.md:

  • Around line 49-52: The fenced code block containing the "Monitor command"
    example is missing a language identifier; update the triple-backtick fence
    surrounding the Monitor command (the block that starts with "Monitor command:
    until s=$(gh pr view N --json statusCheckRollup); ...") to include a language
    tag such as bash or shell (e.g., ```bash) so tooling and syntax highlighting
    work correctly.

In @packages/core/kit/core/skills/knowledge-loop.md:

  • Around line 82-93: The fenced code block in knowledge-loop.md containing the
    "KNOWLEDGE LOOP — token optimization rounds 1-4" example needs a language
    identifier for proper highlighting; edit the opening fence for that block (the
    triple backticks before "KNOWLEDGE LOOP — token optimization rounds 1-4") to
    include a language token such as "text" or "md" (e.g., change totext) so
    the block receives correct syntax highlighting while leaving the block contents
    unchanged.

In @packages/core/kit/core/skills/next-priority.md:

  • Line 49: The duplicated branch-protection/unblock pattern in next-priority.md
    should reference the existing skill instead of repeating instructions: replace
    the inline description "If enforce_admins: trueDELETE .../enforce_admins
    → admin-merge → re-POST to re-enable" with a concise cross-reference to the
    documented skill (e.g., "use force-merge-self-pr skill" or "see
    force-merge-self-pr.md"), so update next-priority.md to call out the
    force-merge-self-pr skill and remove the duplicated pattern to avoid
    maintenance drift.

In @packages/core/kit/core/skills/parallel-investigate.md:

  • Around line 38-46: The fenced code block in the example prompt template within
    parallel-investigate.md lacks a language identifier; update the opening
    triple-backtick to include a language (e.g., change "```" to "```text" or
    "```markdown") so the snippet renders correctly. Locate the prompt template
    block in packages/core/kit/core/skills/parallel-investigate.md (the snippet
    beginning with "Target: ") and modify the first fence to
    include the chosen language identifier, leaving the rest of the content
    unchanged.

</details>


---

<details>
<summary>ℹ️ Review info</summary>

<details>
<summary>⚙️ Run configuration</summary>

**Configuration used**: Organization UI

**Review profile**: CHILL

**Plan**: Pro

**Run ID**: `d723484b-c606-4d50-bc6c-8fccac9cb4fe`

</details>

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between cf95bcd048f4851c65fe952b41712512a0053d92 and c09890977feab9492a9410ff80fd719251544b77.

</details>

<details>
<summary>⛔ Files ignored due to path filters (2)</summary>

* `package-lock.json` is excluded by `!**/package-lock.json`
* `pnpm-lock.yaml` is excluded by `!**/pnpm-lock.yaml`

</details>

<details>
<summary>📒 Files selected for processing (78)</summary>

* `CHANGELOG.md`
* `apps/web/src/pages/skills/[id].astro`
* `docs/decisions/2026-06-06-curated-index-link-dont-rehost.md`
* `package.json`
* `packages/catalog/catalog/collections/claude-code-power-user.yaml`
* `packages/catalog/catalog/collections/infrastructure-and-devops.yaml`
* `packages/catalog/catalog/collections/multi-agent-orchestration.yaml`
* `packages/catalog/catalog/collections/professional-work-toolkit.yaml`
* `packages/catalog/catalog/collections/release-and-deploy.yaml`
* `packages/catalog/catalog/collections/spec-and-planning.yaml`
* `packages/catalog/catalog/collections/token-and-context-optimization.yaml`
* `packages/catalog/catalog/collections/verification-review-gate.yaml`
* `packages/catalog/catalog/collections/web-app-development.yaml`
* `packages/catalog/catalog/index.json`
* `packages/catalog/catalog/skills/adt-ci-watch/SKILL.md`
* `packages/catalog/catalog/skills/adt-ci-watch/manifest.json`
* `packages/catalog/catalog/skills/adt-force-merge-self-pr/SKILL.md`
* `packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json`
* `packages/catalog/catalog/skills/adt-knowledge-loop/SKILL.md`
* `packages/catalog/catalog/skills/adt-loop/SKILL.md`
* `packages/catalog/catalog/skills/adt-next-priority/SKILL.md`
* `packages/catalog/catalog/skills/adt-next-priority/manifest.json`
* `packages/catalog/catalog/skills/adt-parallel-investigate/SKILL.md`
* `packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json`
* `packages/catalog/catalog/skills/adt-plan/SKILL.md`
* `packages/catalog/catalog/skills/adt-rag-curate/SKILL.md`
* `packages/catalog/catalog/skills/adt-sync-memories/SKILL.md`
* `packages/catalog/catalog/skills/adt-sync-memories/manifest.json`
* `packages/catalog/catalog/skills/adt-unstick-pr/SKILL.md`
* `packages/catalog/catalog/skills/adt-unstick-pr/manifest.json`
* `packages/catalog/catalog/skills/brainstorming/SKILL.md`
* `packages/catalog/catalog/skills/claude-api/SKILL.md`
* `packages/catalog/catalog/skills/dispatching-parallel-agents/SKILL.md`
* `packages/catalog/catalog/skills/doc-coauthoring/SKILL.md`
* `packages/catalog/catalog/skills/docx/SKILL.md`
* `packages/catalog/catalog/skills/eng-api-design-reviewer/SKILL.md`
* `packages/catalog/catalog/skills/eng-api-test-suite-builder/SKILL.md`
* `packages/catalog/catalog/skills/eng-ci-cd-pipeline-builder/SKILL.md`
* `packages/catalog/catalog/skills/eng-code-tour/SKILL.md`
* `packages/catalog/catalog/skills/eng-codebase-onboarding/SKILL.md`
* `packages/catalog/catalog/skills/eng-database-designer/SKILL.md`
* `packages/catalog/catalog/skills/eng-dependency-auditor/SKILL.md`
* `packages/catalog/catalog/skills/eng-docker-development/SKILL.md`
* `packages/catalog/catalog/skills/eng-env-secrets-manager/SKILL.md`
* `packages/catalog/catalog/skills/eng-focused-fix/SKILL.md`
* `packages/catalog/catalog/skills/eng-git-worktree-manager/SKILL.md`
* `packages/catalog/catalog/skills/eng-mcp-server-builder/SKILL.md`
* `packages/catalog/catalog/skills/executing-plans/SKILL.md`
* `packages/catalog/catalog/skills/finishing-a-development-branch/SKILL.md`
* `packages/catalog/catalog/skills/frontend-design/SKILL.md`
* `packages/catalog/catalog/skills/internal-comms/SKILL.md`
* `packages/catalog/catalog/skills/mcp-builder/SKILL.md`
* `packages/catalog/catalog/skills/pdf/SKILL.md`
* `packages/catalog/catalog/skills/pptx/SKILL.md`
* `packages/catalog/catalog/skills/skill-creator/SKILL.md`
* `packages/catalog/catalog/skills/slack-gif-creator/SKILL.md`
* `packages/catalog/catalog/skills/subagent-driven-development/SKILL.md`
* `packages/catalog/catalog/skills/systematic-debugging/SKILL.md`
* `packages/catalog/catalog/skills/test-driven-development/SKILL.md`
* `packages/catalog/catalog/skills/using-git-worktrees/SKILL.md`
* `packages/catalog/catalog/skills/using-superpowers/SKILL.md`
* `packages/catalog/catalog/skills/verification-before-completion/SKILL.md`
* `packages/catalog/catalog/skills/web-artifacts-builder/SKILL.md`
* `packages/catalog/catalog/skills/webapp-testing/SKILL.md`
* `packages/catalog/catalog/skills/writing-plans/SKILL.md`
* `packages/catalog/catalog/skills/writing-skills/SKILL.md`
* `packages/catalog/catalog/skills/xlsx/SKILL.md`
* `packages/cli/src/commands/install.ts`
* `packages/core/kit/core/skills/ci-watch.md`
* `packages/core/kit/core/skills/force-merge-self-pr.md`
* `packages/core/kit/core/skills/knowledge-loop.md`
* `packages/core/kit/core/skills/loop.md`
* `packages/core/kit/core/skills/next-priority.md`
* `packages/core/kit/core/skills/parallel-investigate.md`
* `packages/core/kit/core/skills/plan.md`
* `packages/core/kit/core/skills/rag-curate.md`
* `packages/core/kit/core/skills/sync-memories.md`
* `packages/core/kit/core/skills/unstick-pr.md`

</details>

<details>
<summary>💤 Files with no reviewable changes (37)</summary>

* packages/catalog/catalog/skills/eng-mcp-server-builder/SKILL.md
* packages/catalog/catalog/skills/pptx/SKILL.md
* packages/catalog/catalog/skills/test-driven-development/SKILL.md
* packages/catalog/catalog/skills/web-artifacts-builder/SKILL.md
* packages/catalog/catalog/skills/using-git-worktrees/SKILL.md
* packages/catalog/catalog/skills/eng-database-designer/SKILL.md
* packages/catalog/catalog/skills/doc-coauthoring/SKILL.md
* packages/catalog/catalog/skills/eng-ci-cd-pipeline-builder/SKILL.md
* packages/catalog/catalog/skills/eng-git-worktree-manager/SKILL.md
* packages/catalog/catalog/skills/mcp-builder/SKILL.md
* packages/catalog/catalog/skills/slack-gif-creator/SKILL.md
* packages/catalog/catalog/skills/eng-focused-fix/SKILL.md
* packages/catalog/catalog/skills/frontend-design/SKILL.md
* packages/catalog/catalog/skills/docx/SKILL.md
* packages/catalog/catalog/skills/verification-before-completion/SKILL.md
* packages/catalog/catalog/skills/webapp-testing/SKILL.md
* packages/catalog/catalog/skills/systematic-debugging/SKILL.md
* packages/catalog/catalog/skills/eng-docker-development/SKILL.md
* packages/catalog/catalog/skills/eng-env-secrets-manager/SKILL.md
* packages/catalog/catalog/skills/skill-creator/SKILL.md
* packages/catalog/catalog/skills/brainstorming/SKILL.md
* packages/catalog/catalog/skills/using-superpowers/SKILL.md
* packages/catalog/catalog/skills/writing-plans/SKILL.md
* packages/catalog/catalog/skills/executing-plans/SKILL.md
* packages/catalog/catalog/skills/subagent-driven-development/SKILL.md
* packages/catalog/catalog/skills/finishing-a-development-branch/SKILL.md
* packages/catalog/catalog/skills/eng-dependency-auditor/SKILL.md
* packages/catalog/catalog/skills/eng-api-test-suite-builder/SKILL.md
* packages/catalog/catalog/skills/pdf/SKILL.md
* packages/catalog/catalog/skills/eng-codebase-onboarding/SKILL.md
* packages/catalog/catalog/skills/writing-skills/SKILL.md
* packages/catalog/catalog/skills/eng-code-tour/SKILL.md
* packages/catalog/catalog/skills/internal-comms/SKILL.md
* packages/catalog/catalog/skills/eng-api-design-reviewer/SKILL.md
* packages/catalog/catalog/skills/dispatching-parallel-agents/SKILL.md
* packages/catalog/catalog/skills/claude-api/SKILL.md
* packages/catalog/catalog/skills/xlsx/SKILL.md

</details>

</details>

<details>
<summary>📜 Review details</summary>

<details>
<summary>🧰 Additional context used</summary>

<details>
<summary>📓 Path-based instructions (5)</summary>

<details>
<summary>package.json</summary>


**📄 CodeRabbit inference engine (CLAUDE.md)**

> Bump `version` in root `package.json` as part of the release flow

Files:
- `package.json`

</details>
<details>
<summary>packages/catalog/catalog/collections/*.yaml</summary>


**📄 CodeRabbit inference engine (CLAUDE.md)**

> All `.yaml` files in catalog collections must include a `translations.pt-BR` block with `name` and `description` fields

Files:
- `packages/catalog/catalog/collections/web-app-development.yaml`
- `packages/catalog/catalog/collections/release-and-deploy.yaml`
- `packages/catalog/catalog/collections/infrastructure-and-devops.yaml`
- `packages/catalog/catalog/collections/professional-work-toolkit.yaml`
- `packages/catalog/catalog/collections/verification-review-gate.yaml`
- `packages/catalog/catalog/collections/multi-agent-orchestration.yaml`
- `packages/catalog/catalog/collections/spec-and-planning.yaml`
- `packages/catalog/catalog/collections/claude-code-power-user.yaml`
- `packages/catalog/catalog/collections/token-and-context-optimization.yaml`

</details>
<details>
<summary>packages/catalog/catalog/**/{manifest.json,*.yaml}</summary>


**📄 CodeRabbit inference engine (CLAUDE.md)**

> Tags in catalog entries must be kebab-case; common tags include: `skill-md`, `core`, `rag`, `testing`, `security`, `git`, `deploy`, `mcp`, `debugging`, `planning`, `orchestration`

Files:
- `packages/catalog/catalog/collections/web-app-development.yaml`
- `packages/catalog/catalog/skills/adt-sync-memories/manifest.json`
- `packages/catalog/catalog/skills/adt-ci-watch/manifest.json`
- `packages/catalog/catalog/skills/adt-unstick-pr/manifest.json`
- `packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json`
- `packages/catalog/catalog/collections/release-and-deploy.yaml`
- `packages/catalog/catalog/collections/infrastructure-and-devops.yaml`
- `packages/catalog/catalog/collections/professional-work-toolkit.yaml`
- `packages/catalog/catalog/collections/verification-review-gate.yaml`
- `packages/catalog/catalog/collections/multi-agent-orchestration.yaml`
- `packages/catalog/catalog/collections/spec-and-planning.yaml`
- `packages/catalog/catalog/skills/adt-next-priority/manifest.json`
- `packages/catalog/catalog/collections/claude-code-power-user.yaml`
- `packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json`
- `packages/catalog/catalog/collections/token-and-context-optimization.yaml`

</details>
<details>
<summary>packages/catalog/catalog/skills/*/manifest.json</summary>


**📄 CodeRabbit inference engine (CLAUDE.md)**

> All `manifest.json` files in catalog skills must include a `translations.pt-BR` block with `name` and `description` fields

Files:
- `packages/catalog/catalog/skills/adt-sync-memories/manifest.json`
- `packages/catalog/catalog/skills/adt-ci-watch/manifest.json`
- `packages/catalog/catalog/skills/adt-unstick-pr/manifest.json`
- `packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json`
- `packages/catalog/catalog/skills/adt-next-priority/manifest.json`
- `packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json`

</details>
<details>
<summary>CHANGELOG.md</summary>


**📄 CodeRabbit inference engine (CLAUDE.md)**

> Promote `## [Unreleased]` section in `CHANGELOG.md` to the new version before releasing

Files:
- `CHANGELOG.md`

</details>

</details>
<details>
<summary>🪛 LanguageTool</summary>

<details>
<summary>packages/catalog/catalog/skills/adt-ci-watch/SKILL.md</summary>

[style] ~28-~28: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...job - first bad signal - likely cause - likely owner surface - smallest viable fix - w...

(ADVERB_REPETITION_PREMIUM)

</details>
<details>
<summary>packages/core/kit/core/skills/ci-watch.md</summary>

[style] ~28-~28: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ...job - first bad signal - likely cause - likely owner surface - smallest viable fix - w...

(ADVERB_REPETITION_PREMIUM)

</details>

</details>
<details>
<summary>🪛 markdownlint-cli2 (0.22.1)</summary>

<details>
<summary>packages/catalog/catalog/skills/adt-ci-watch/SKILL.md</summary>

[warning] 49-49: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>packages/core/kit/core/skills/parallel-investigate.md</summary>

[warning] 38-38: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>packages/catalog/catalog/skills/adt-knowledge-loop/SKILL.md</summary>

[warning] 75-75: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>packages/core/kit/core/skills/knowledge-loop.md</summary>

[warning] 82-82: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>packages/catalog/catalog/skills/adt-parallel-investigate/SKILL.md</summary>

[warning] 38-38: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>
<details>
<summary>packages/core/kit/core/skills/ci-watch.md</summary>

[warning] 49-49: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

</details>

</details>

</details>

<details>
<summary>🔇 Additional comments (32)</summary><blockquote>

<details>
<summary>package.json (1)</summary><blockquote>

`3-3`: LGTM!



Also applies to: 50-50


</blockquote></details>
<details>
<summary>packages/catalog/catalog/index.json (7)</summary><blockquote>

`152-252`: LGTM!


---

`321-658`: LGTM!


---

`755-768`: LGTM!



Also applies to: 787-787, 801-801


---

`1289-1558`: LGTM!


---

`1559-2100`: LGTM!


---

`2101-2600`: LGTM!


---

`3937-3951`: LGTM!


</blockquote></details>
<details>
<summary>packages/core/kit/core/skills/force-merge-self-pr.md (1)</summary><blockquote>

`1-59`: LGTM!


</blockquote></details>
<details>
<summary>packages/core/kit/core/skills/loop.md (1)</summary><blockquote>

`1-41`: LGTM!


</blockquote></details>
<details>
<summary>packages/core/kit/core/skills/plan.md (1)</summary><blockquote>

`1-56`: LGTM!


</blockquote></details>
<details>
<summary>packages/core/kit/core/skills/rag-curate.md (1)</summary><blockquote>

`1-99`: LGTM!


</blockquote></details>
<details>
<summary>packages/core/kit/core/skills/sync-memories.md (1)</summary><blockquote>

`1-95`: LGTM!


</blockquote></details>
<details>
<summary>packages/core/kit/core/skills/unstick-pr.md (1)</summary><blockquote>

`1-58`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-ci-watch/SKILL.md (1)</summary><blockquote>

`1-61`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-ci-watch/manifest.json (1)</summary><blockquote>

`24-29`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-force-merge-self-pr/SKILL.md (1)</summary><blockquote>

`1-59`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json (1)</summary><blockquote>

`24-30`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-next-priority/SKILL.md (1)</summary><blockquote>

`1-56`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-next-priority/manifest.json (1)</summary><blockquote>

`25-31`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-plan/SKILL.md (2)</summary><blockquote>

`1-12`: LGTM!


---

`14-56`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/skills/adt-rag-curate/SKILL.md (1)</summary><blockquote>

`1-99`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/claude-code-power-user.yaml (1)</summary><blockquote>

`48-51`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/infrastructure-and-devops.yaml (1)</summary><blockquote>

`37-38`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/multi-agent-orchestration.yaml (1)</summary><blockquote>

`35-36`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/professional-work-toolkit.yaml (1)</summary><blockquote>

`51-58`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/release-and-deploy.yaml (1)</summary><blockquote>

`47-48`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/spec-and-planning.yaml (1)</summary><blockquote>

`32-33`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/token-and-context-optimization.yaml (1)</summary><blockquote>

`41-48`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/verification-review-gate.yaml (1)</summary><blockquote>

`43-54`: LGTM!


</blockquote></details>
<details>
<summary>packages/catalog/catalog/collections/web-app-development.yaml (1)</summary><blockquote>

`39-44`: LGTM!


</blockquote></details>

</blockquote></details>

</details>


@coderabbitai coderabbitai Bot left a comment


Caution

Inline review comments failed to post. This is likely due to GitHub's internal server error or limits when posting large numbers of comments. If you are seeing this consistently it is likely a permissions issue. Please check "Moderation" -> "Code review limits" under your organization settings.

🛑 Comments failed to post (18)
apps/web/src/pages/skills/[id].astro (1)

26-31: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Validate source links to http/https before rendering.

sourceUrl is built from metadata and rendered directly into <a href=...>. Without protocol validation, a crafted entry can inject unsafe URL schemes. Restrict to http:/https: when deriving sourceUrl.

Suggested fix
+const safeHttpUrl = (value?: string | null): string | null => {
+  if (!value) return null;
+  try {
+    const u = new URL(value);
+    return u.protocol === "http:" || u.protocol === "https:" ? u.toString() : null;
+  } catch {
+    return null;
+  }
+};
+
 const sourceUrl =
-  skill.homepage ??
-  (src?.repo && src.path ? `${src.repo.replace(/\.git$/, "")}/blob/${src.ref ?? "main"}/${src.path}` : null) ??
-  src?.repo ??
+  safeHttpUrl(skill.homepage) ??
+  safeHttpUrl(src?.repo && src.path ? `${src.repo.replace(/\.git$/, "")}/blob/${src.ref ?? "main"}/${src.path}` : null) ??
+  safeHttpUrl(src?.repo) ??
   null;
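
Review bot: safeHttpUrl checks only u.protocol, so the href can still point at any http(s) host a catalog entry names, and the blob URL passed to it interpolates src.ref and src.path unencoded, so a `?` or `#` in either value changes which resource the link opens. If link-outs are meant to go only to the listed source repositories, compare u.hostname against an allowlist inside the helper and encode each path segment before building the string. Define the helper once and reuse it for the occurrences at 51-54 and 61-63 rather than copying it.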

Also applies to: 51-54, 61-63

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/web/src/pages/skills/`[id].astro around lines 26 - 31, The sourceUrl and
sourceLabel logic can produce non-http(s) links from metadata; update the
derivation of sourceUrl (and the other similar blocks around the second
occurrences) to validate the scheme before using a value in an <a href>: attempt
to construct/parse the candidate URL (e.g., built from src.repo/src.path or
skill.homepage) and only assign it if its protocol is "http:" or "https:";
otherwise set sourceUrl to null (and ensure sourceLabel falls back to a safe
string). Apply the same scheme-checking to the two other places mentioned so no
href is rendered with a non-http/https scheme.

CHANGELOG.md (1)

7-9: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Guideline violation: ## [Unreleased] section was not promoted to the new version.

The coding guideline requires promoting the ## [Unreleased] section to the new version before releasing. The standard Keep a Changelog workflow is:

  1. Accumulate changes under ## [Unreleased]
  2. On release, rename that section to ## [0.24.0] - 2026-05-14
  3. Create a new empty ## [Unreleased] section above it

The current diff shows the v0.24.0 content added as new lines rather than promoted from the existing ## [Unreleased] section, which suggests the content was not accumulated there first.

As per coding guidelines, the Unreleased section should have been promoted to v0.24.0.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@CHANGELOG.md` around lines 7 - 9, Promote the existing "## [Unreleased]"
section into the released heading instead of adding new content directly: move
the changes currently under "## [Unreleased]" into the "## [0.24.0] -
2026-05-14" section (ensure the content under the unreleased heading becomes the
body of the 0.24.0 section) and then recreate an empty top "## [Unreleased]"
heading above it; use the headings "## [Unreleased]" and "## [0.24.0] -
2026-05-14" to locate where to move and recreate content.

Source: Coding guidelines

docs/decisions/2026-06-06-curated-index-link-dont-rehost.md (1)

3-3: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Date inconsistency: ADR dated after the release it documents.

This ADR is dated 2026-06-06, but the CHANGELOG.md shows the v0.24.0 release it documents as 2026-05-14—three weeks earlier. Architecture Decision Records should be written at or before the time decisions are made, not retroactively.

Please verify and correct either:

  • The ADR date (should be ≤ 2026-05-14), or
  • The CHANGELOG release date (if the release hasn't actually occurred yet)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/decisions/2026-06-06-curated-index-link-dont-rehost.md` at line 3, The
ADR file 2026-06-06-curated-index-link-dont-rehost.md has a date after the
release it documents; update the ADR date or the changelog release date so they
are consistent. Open 2026-06-06-curated-index-link-dont-rehost.md and change the
"**Date:** 2026-06-06" header to a date on or before 2026-05-14 if the decision
was made before that release, or if the release date in CHANGELOG.md (the
v0.24.0 entry) is incorrect, update the CHANGELOG.md v0.24.0 date to the actual
release date; ensure the ADR filename and its front-matter date agree with the
chosen corrected date.

packages/catalog/catalog/index.json (4)

1128-1128: ⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the source manifest for rtk-rewrite to see if the description is complete there
fd -t f 'manifest.json' packages/catalog/catalog/hooks/rtk-rewrite/ --exec cat {}

Repository: LucasSantana-Dev/forgekit

Length of output: 1405


Fix truncated rtk-rewrite hook description

  • rtk-rewrite’s description is cut off mid-word (ends with "... pass through unchanged 2 De") in packages/catalog/catalog/hooks/rtk-rewrite/manifest.json, and it appears truncated in packages/catalog/catalog/index.json as well.
  • Update the description source/generation so the full exit-code protocol text (including the cases beyond 2 De...) is preserved rather than a truncated prefix.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/index.json` at line 1128, The "description" field
for the rtk-rewrite hook is truncated; locate the rtk-rewrite manifest
(manifest.json) and the generated catalog entry that sets the "description"
property and replace the truncated text with the full exit-code protocol text
(ensure the full sentences for codes 0,1,2, etc. are included). Ensure the
source of truth for the description (the hook's manifest or the generator that
reads it) emits the complete string (no slicing/truncation), update the
generator or manifest so the "description" value is stored and copied verbatim,
and add/adjust any serialization that previously truncated the string to
preserve the full text for the rtk-rewrite hook.

2949-2949: ⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the source manifest for claude-api to see if the description is complete there
fd -t f 'manifest.json' packages/catalog/catalog/skills/claude-api/ --exec cat {}

Repository: LucasSantana-Dev/forgekit

Length of output: 1313


🏁 Script executed:

#!/bin/bash
# Look for any local SKILL.md/content for the claude-api skill to see where truncation comes from.
fd -t f -g '*SKILL*.md' 'packages/catalog/catalog/skills/claude-api' --exec sh -lc 'echo "---- $1"; sed -n "1,200p" "$1"; echo "----"; tail -n 200 "$1"' sh {} \;

Repository: LucasSantana-Dev/forgekit

Length of output: 51


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Files under packages/catalog/catalog/skills/claude-api/:"
fd -t f . 'packages/catalog/catalog/skills/claude-api' --exec ls -1 {} \; | head -n 200

echo
echo "Look for markdown sources in that directory:"
fd -t f -g '*.md' 'packages/catalog/catalog/skills/claude-api' --exec sh -lc 'echo "---- {}"; tail -n 80 "$1"' sh {} \;

echo
echo "Look for any JSON/YAML/TXT that might contain the full claude-api description:"
fd -t f -g '*.json' -o -g '*.yml' -o -g '*.yaml' -o -g '*.txt' 'packages/catalog/catalog/skills/claude-api' --exec sh -lc 'echo "---- {}"; tail -n 120 "$1"' sh {} \;

Repository: LucasSantana-Dev/forgekit

Length of output: 444


Fix truncated claude-api skill description

packages/catalog/catalog/index.json (line 2949) cuts off mid-word: the claude-api description ends with "(O". The same truncated text also exists in packages/catalog/catalog/skills/claude-api/manifest.json, so the catalog entry is sourced from an already-truncated description (upstream skills/claude-api/SKILL.md is referenced in manifest.json). Update the upstream/source description (or the generator/importer that produces the manifest) so the full model text renders.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/index.json` at line 2949, The catalog entry for the
claude-api skill has a truncated description ending with "(O" because the source
description is cut off in the skill manifest; open the claude-api source
SKILL.md (referenced by
packages/catalog/catalog/skills/claude-api/manifest.json) and restore the full
description text, then regenerate or update the manifest/agent importer so the
complete description is written into the manifest's "description" field and thus
into packages/catalog/catalog/index.json; ensure the "description" string in
manifest.json (and SKILL.md if edited) contains the full sentence and re-run the
catalog generator to propagate the fix.

3539-3539: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Truncated description for pptx skill.

The description ends with "slid — cut off mid-word (likely "slides"). This is the same truncation pattern seen in other entries. The index generator appears to have a ~500 character limit on descriptions.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/index.json` at line 3539, The "pptx" skill
description in packages/catalog/catalog/index.json is truncated mid-word
("slid"), indicating the index generator is enforcing an ~500-char ceiling;
update the generator to stop truncating or raise the limit and regenerate the
index so the full description (e.g., ending with "slides") is stored. Locate the
index generation logic (the routine that writes the "description" field for
skills, often named something like generateIndex or buildCatalog) and remove or
increase the hard-coded character limit, then re-run the generator so the "pptx"
entry's description field contains the complete sentence instead of the
truncated "slid".

3848-3848: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Truncated description for xlsx skill.

Ends with "the xlsx in my — same ~500 char truncation. Consider investigating the generate-index.ts script or source manifests if longer descriptions are intended to be preserved.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/index.json` at line 3848, The catalog entry for the
`xlsx` skill has its description truncated (ends with "the xlsx in my"), so
update the indexing pipeline to preserve full descriptions: inspect
generate-index.ts (look for functions like generateIndex(), buildCatalog(), or
any helper named truncateDescription/shorten) and remove or increase the hard
limit that slices description fields, or change the logic to pull the full
`description` from each skill manifest instead of applying substring. Also
verify the original skill manifest's `description` field contains the full text
and ensure generateIndex() writes that full field into the catalog JSON.

packages/catalog/catalog/skills/adt-ci-watch/manifest.json (1)

15-23: ⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check which path exists in the upstream forgekit repo

echo "Checking kit/core/skills/ci-watch.md..."
curl -sI "https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/kit/core/skills/ci-watch.md" | head -1

echo "Checking packages/core/kit/core/skills/ci-watch.md..."
curl -sI "https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/packages/core/kit/core/skills/ci-watch.md" | head -1

Repository: LucasSantana-Dev/forgekit

Length of output: 189


Fix source.path to match the actual skill file location (prevents 404 when fetching)

packages/catalog/catalog/skills/adt-ci-watch/manifest.json currently has:

  • source.path: kit/core/skills/ci-watch.md → raw URL returns 404
  • homepage: .../packages/core/kit/core/skills/ci-watch.md → raw URL returns 200

Update source.path to packages/core/kit/core/skills/ci-watch.md so the CLI fetches the real file body.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-ci-watch/manifest.json` around lines 15 -
23, The manifest's source.path is incorrect and causes a 404; update the
"source.path" value in
packages/catalog/catalog/skills/adt-ci-watch/manifest.json from
"kit/core/skills/ci-watch.md" to "packages/core/kit/core/skills/ci-watch.md" so
the CLI can fetch the real file body (verify against the existing "homepage"
value and ensure "source.type" and "source.repo" remain unchanged).

packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json (1)

15-23: ⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify actual upstream path for force-merge-self-pr skill

echo "Checking kit/core/skills/force-merge-self-pr.md..."
curl -sI "https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/kit/core/skills/force-merge-self-pr.md" | head -1

echo "Checking packages/core/kit/core/skills/force-merge-self-pr.md..."
curl -sI "https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/packages/core/kit/core/skills/force-merge-self-pr.md" | head -1

Repository: LucasSantana-Dev/forgekit

Length of output: 211


Fix adt-force-merge-self-pr manifest source.path/homepage to an existing upstream file

  • In packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json (lines 15-23), source.path is kit/core/skills/force-merge-self-pr.md, but https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/kit/core/skills/force-merge-self-pr.md returns HTTP 404.
  • homepage points to .../packages/core/kit/core/skills/force-merge-self-pr.md, but https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/packages/core/kit/core/skills/force-merge-self-pr.md also returns HTTP 404.
  • Update both fields to the correct upstream path (or adjust ref if the skill isn’t on main).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json` around
lines 15 - 23, The manifest.json in adt-force-merge-self-pr has incorrect
upstream references: update the "source.path" value (currently
"kit/core/skills/force-merge-self-pr.md") and the "homepage" value (currently
pointing to ".../packages/core/kit/core/skills/force-merge-self-pr.md") to the
real existing file path in the upstream repo or change "ref" to the correct
branch where those files live; locate and fix the "source.path" and "homepage"
keys in packages/catalog/catalog/skills/adt-force-merge-self-pr/manifest.json to
point to the valid raw.githubusercontent.com URLs (or valid repo paths) so both
links resolve without 404s.

packages/catalog/catalog/skills/adt-knowledge-loop/SKILL.md (1)

75-86: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add language identifier to fenced code block.

The fenced code block at line 75 lacks a language identifier, triggering a linter warning (MD040). Adding text will resolve the warning.

📝 Proposed fix
-```
+```text
 KNOWLEDGE LOOP — token optimization rounds 1-4
   Recalled:  3 hits, top cos 0.50 (skill: recall)
   Captured:  token_opt_round4_2026-05-13.md + token_baseline_2026-05-13.md
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 75-75: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-knowledge-loop/SKILL.md` around lines 75
- 86, The fenced code block containing the "KNOWLEDGE LOOP — token optimization
rounds 1-4" text is missing a language identifier and triggers MD040; fix it by
changing the opening fence from ``` to ```text for that block in SKILL.md so the
linter recognizes it (update the block that begins with "KNOWLEDGE LOOP — token
optimization rounds 1-4" and its surrounding triple-backtick markers).

Source: Linters/SAST tools

packages/catalog/catalog/skills/adt-next-priority/manifest.json (1)

16-24: ⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify actual upstream path for next-priority skill

echo "Checking kit/core/skills/next-priority.md..."
curl -sI "https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/kit/core/skills/next-priority.md" | head -1

echo "Checking packages/core/kit/core/skills/next-priority.md..."
curl -sI "https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/packages/core/kit/core/skills/next-priority.md" | head -1

Repository: LucasSantana-Dev/forgekit

Length of output: 199


Fix source.path mismatch for adt-next-priority manifest

  • packages/catalog/catalog/skills/adt-next-priority/manifest.json (lines 16-24) has source.path: "kit/core/skills/next-priority.md", but https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/kit/core/skills/next-priority.md returns 404.
  • The file exists at https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/packages/core/kit/core/skills/next-priority.md (200), matching the current homepage.

Update source.path (and align any other fetch URL fields) to use the packages/core/... path so the CLI can retrieve the skill markdown successfully.

"source": {
  "type": "git",
  "repo": "https://github.com/LucasSantana-Dev/forgekit",
  "ref": "main",
  "path": "kit/core/skills/next-priority.md"
},
"homepage": "https://github.com/LucasSantana-Dev/forgekit/tree/main/packages/core/kit/core/skills/next-priority.md"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-next-priority/manifest.json` around lines
16 - 24, The manifest's source.path is incorrect: update the "source.path" value
in the manifest.json from "kit/core/skills/next-priority.md" to
"packages/core/kit/core/skills/next-priority.md" so the git fetch points to the
actual file, and review any other URL/fetch fields (e.g., "homepage" or any
other "source" related fields) to ensure they use the same packages/core/...
path format so the CLI can retrieve the skill markdown successfully.

packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json (1)

16-24: ⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check actual file paths in the upstream forgekit repo for the new skills

REPO="LucasSantana-Dev/forgekit"
SKILLS="parallel-investigate sync-memories unstick-pr ci-watch force-merge-self-pr next-priority"

for skill in $SKILLS; do
  echo "Checking $skill..."
  # Try with packages/core/ prefix
  curl -sI "https://raw.githubusercontent.com/$REPO/main/packages/core/kit/core/skills/${skill}.md" | head -1
  # Try without packages/core/ prefix
  curl -sI "https://raw.githubusercontent.com/$REPO/main/kit/core/skills/${skill}.md" | head -1
  echo "---"
done

Repository: LucasSantana-Dev/forgekit

Length of output: 410


Critical: fix source.path in packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json to include packages/core/

source.path is kit/core/skills/parallel-investigate.md, but upstream raw has the file at packages/core/kit/core/skills/parallel-investigate.md (raw HEAD returns 200 with packages/core/..., 404 without). The CLI will fetch using manifest.source, so this will 404.

🔧 Proposed fix
   "source": {
     "type": "git",
     "repo": "https://github.com/LucasSantana-Dev/forgekit",
     "ref": "main",
-    "path": "kit/core/skills/parallel-investigate.md"
+    "path": "packages/core/kit/core/skills/parallel-investigate.md"
   },
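
Review bot: `"ref": "main"` in the unchanged context is a moving branch, so with the path corrected the CLI will still install whatever upstream `main` holds at fetch time. Since the fetch URL is built from `source.repo`/`ref`/`path`, consider pinning `ref` to a tag or commit SHA and bumping it deliberately, so an install is reproducible and an upstream change cannot alter the installed body without a catalog change.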

While checking other mentioned skills in the same upstream repo: sync-memories, unstick-pr, ci-watch, and next-priority also require the packages/core/ prefix; force-merge-self-pr returned 404 for both tested locations and needs separate investigation.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

  "source": {
    "type": "git",
    "repo": "https://github.com/LucasSantana-Dev/forgekit",
    "ref": "main",
    "path": "packages/core/kit/core/skills/parallel-investigate.md"
  },
  "license": "MIT",
  "author": "Lucas Santana",
  "homepage": "https://github.com/LucasSantana-Dev/forgekit/tree/main/packages/core/kit/core/skills/parallel-investigate.md",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json`
around lines 16 - 24, The manifest's source.path in
packages/catalog/catalog/skills/adt-parallel-investigate/manifest.json is
incorrect and will cause the CLI to 404; update the "source.path" value to
include the missing packages/core/ prefix (set it to
"packages/core/kit/core/skills/parallel-investigate.md") and also update the
"homepage" field to the matching path if present, ensuring both
manifest.source.path and manifest.homepage point to the actual upstream
locations so the CLI/raw GitHub requests succeed.

packages/catalog/catalog/skills/adt-parallel-investigate/SKILL.md (1)

38-46: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add language identifier to fenced code block.

The fenced code block at line 38 lacks a language identifier, triggering a linter warning. Adding text will resolve the warning and improve rendering consistency.

📝 Proposed fix
-```
+```text
 Target: <repo or PR identifier>
 Task: <one specific question>
 Return format:
🧰 Tools
🪛 markdownlint-cli2 (0.22.1)

[warning] 38-38: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-parallel-investigate/SKILL.md` around
lines 38 - 46, The fenced code block in SKILL.md containing the "Target: <repo
or PR identifier>..." snippet is missing a language identifier; update that
markdown fence to include "text" (i.e., change the opening ``` to ```text) so
the linter warning is resolved and rendering is consistent for the block
starting with "Target: <repo or PR identifier>".

Source: Linters/SAST tools

packages/catalog/catalog/skills/adt-sync-memories/manifest.json (1)

17-25: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Source path missing packages/core/ prefix — CLI install will fail.

Same issue as adt-parallel-investigate: the source.path at line 21 is kit/core/skills/sync-memories.md, but the homepage URL at line 25 and the review stack context indicate the file is at packages/core/kit/core/skills/sync-memories.md.

CLI install will construct https://raw.githubusercontent.com/LucasSantana-Dev/forgekit/main/kit/core/skills/sync-memories.md and receive a 404.

🔧 Proposed fix
   "source": {
     "type": "git",
     "repo": "https://github.com/LucasSantana-Dev/forgekit",
     "ref": "main",
-    "path": "kit/core/skills/sync-memories.md"
+    "path": "packages/core/kit/core/skills/sync-memories.md"
   },
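
Review bot: the corrected `path` on the `+` line now has to be kept in step by hand with the `homepage` URL that carries the same `packages/core/...` prefix, which is the drift behind this 404. A catalog check that resolves each manifest's `repo`/`ref`/`path` and fails the build on a non-200 response would catch the next mismatch before release.
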
📝 Committable suggestion

  "source": {
    "type": "git",
    "repo": "https://github.com/LucasSantana-Dev/forgekit",
    "ref": "main",
    "path": "packages/core/kit/core/skills/sync-memories.md"
  },
  "license": "MIT",
  "author": "Lucas Santana",
  "homepage": "https://github.com/LucasSantana-Dev/forgekit/tree/main/packages/core/kit/core/skills/sync-memories.md",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-sync-memories/manifest.json` around lines
17 - 25, Update the manifest.json's source.path field to include the missing
packages/core/ prefix so the CLI can fetch the raw file; specifically change the
"source.path" value from "kit/core/skills/sync-memories.md" to
"packages/core/kit/core/skills/sync-memories.md" (leave "source.type",
"source.repo", "source.ref" and "homepage" unchanged) so the file location
matches the homepage and repository layout.

packages/catalog/catalog/skills/adt-unstick-pr/manifest.json (1)

15-23: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Source path missing packages/core/ prefix — CLI install will fail.

Same issue as the other new skills: source.path at line 19 lacks the packages/core/ prefix that appears in the homepage URL at line 23.

🔧 Proposed fix
   "source": {
     "type": "git",
     "repo": "https://github.com/LucasSantana-Dev/forgekit",
     "ref": "main",
-    "path": "kit/core/skills/unstick-pr.md"
+    "path": "packages/core/kit/core/skills/unstick-pr.md"
   },
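
Review bot: `repo` and `path` in this block are concatenated into a raw.githubusercontent.com URL by the CLI, so correctness currently depends on every manifest being hand-edited correctly. The manifest loader should reject a `path` with empty, `.` or `..` segments and a `repo` that is not an https github.com URL before building the fetch URL, rather than relying on per-manifest fixes like this one.
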
📝 Committable suggestion

  "source": {
    "type": "git",
    "repo": "https://github.com/LucasSantana-Dev/forgekit",
    "ref": "main",
    "path": "packages/core/kit/core/skills/unstick-pr.md"
  },
  "license": "MIT",
  "author": "Lucas Santana",
  "homepage": "https://github.com/LucasSantana-Dev/forgekit/tree/main/packages/core/kit/core/skills/unstick-pr.md",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/catalog/catalog/skills/adt-unstick-pr/manifest.json` around lines 15
- 23, The manifest.json's source.path is missing the packages/core/ prefix which
will break CLI install; update the "source.path" value in this manifest.json
(the source.path property) from "kit/core/skills/unstick-pr.md" to
"packages/core/kit/core/skills/unstick-pr.md" so it matches the homepage URL and
other skills' paths and ensures the CLI can locate the file.

packages/cli/src/commands/install.ts (1)

77-84: ⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
# Inspect relevant portion of the file
FILE="packages/cli/src/commands/install.ts"
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE"
  exit 1
fi
echo "== Snippet around fetch in $FILE =="
nl -ba "$FILE" | sed -n '1,160p' | sed -n '60,120p'

echo
echo "== Locate fetch(url) occurrences =="
rg -n "fetch\\(url\\)" "$FILE" || true

echo
echo "== Search for AbortController usage in repo =="
rg -n "new AbortController\\(" packages/cli/src || true

echo
echo "== Search for timeout/fetch wrapper definitions =="
rg -n "AbortController|setTimeout\\(.*abort|timeout.*fetch|fetchWith" packages/cli/src || true

Repository: LucasSantana-Dev/forgekit

Length of output: 198


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE="packages/cli/src/commands/install.ts"
if [ ! -f "$FILE" ]; then
  echo "Missing $FILE"
  exit 1
fi

echo "== Snippet around fetch in $FILE (lines 60-120) =="
cat -n "$FILE" | sed -n '60,120p'

echo
echo "== Locate fetch(url) occurrences in $FILE =="
rg -n "fetch\\(url\\)" "$FILE" || true

echo
echo "== Search for AbortController usage in packages/cli/src =="
rg -n "new AbortController\\(" packages/cli/src || true

echo
echo "== Search for timeout/fetch wrapper patterns in packages/cli/src =="
rg -n "AbortController|setTimeout\\(.*abort|timeout.*fetch|fetchWith" packages/cli/src || true

Repository: LucasSantana-Dev/forgekit

Length of output: 3687


Add timeout + try/catch around upstream fetch(url) for external skill installs.

In packages/cli/src/commands/install.ts, the upstream call const res = await fetch(url); (line ~77) has no try/catch for thrown network errors and no timeout/abort logic; a stalled request can hang and failures can crash instead of returning a controlled CLI error. Implement an AbortController-based timeout and catch network exceptions to exit with the existing “could not fetch …” messaging.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/cli/src/commands/install.ts` around lines 77 - 84, The fetch call
for external skills (const res = await fetch(url);) can throw or stall; wrap it
in a try/catch and use an AbortController-based timeout to avoid hanging. Create
an AbortController, set a timer (e.g., setTimeout) that calls controller.abort()
after a reasonable timeout, pass controller.signal to fetch(url, { signal }),
and then await fetch inside try/catch; on catch or if the fetch throws due to
abort, log the same error messages currently used for non-ok responses (the
console.error lines referencing id, url, manifest) and call process.exit(1);
finally clear the timeout when fetch completes to avoid leaks. Ensure you only
change the block around fetch(url) and keep existing res.ok handling and
messages intact.

packages/core/kit/core/skills/knowledge-loop.md (1)

16-16: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Remove hard-coded user path from metadata.

The canonical_source field contains a hard-coded path /Users/lucassantana/.claude/skills/knowledge-loop that will break for other users and exposes a developer username. Either remove this field entirely or use a generic placeholder like ~/.claude/skills/knowledge-loop.

🔧 Proposed fix
 metadata:
   owner: global-agents
   tier: contextual
-  canonical_source: /Users/lucassantana/.claude/skills/knowledge-loop
+  canonical_source: ~/.claude/skills/knowledge-loop
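
Review bot: the `+` line swaps the username for `~`, but `~/.claude/skills/knowledge-loop` is still a per-machine location that nothing in the repository can resolve. Use a repository-relative path or drop `canonical_source`; note that the old absolute path remains in the branch history unless the commit that introduced it is rewritten.
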
📝 Committable suggestion

metadata:
  owner: global-agents
  tier: contextual
  canonical_source: ~/.claude/skills/knowledge-loop
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/kit/core/skills/knowledge-loop.md` at line 16, The metadata
contains a hard-coded user path in the canonical_source frontmatter; remove or
replace that literal path by deleting the canonical_source entry or replacing
its value with a generic placeholder (e.g., "~/.claude/skills/knowledge-loop")
so it no longer exposes a developer username; update the canonical_source field
in the top-level frontmatter of the file (the canonical_source key) accordingly.

packages/core/kit/core/skills/sync-memories.md (1)

15-15: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove hardcoded local file path from version control.

The canonical_source field contains an absolute local filesystem path (/Users/lucassantana/.agents/skills/sync-memories) that is specific to your development machine. This breaks portability and should not be committed to version control.

🔧 Suggested fix

Either remove the canonical_source field entirely or use a repository-relative path:

 metadata:
   owner: global-agents
   tier: stateful
-  canonical_source: /Users/lucassantana/.agents/skills/sync-memories
+  canonical_source: packages/core/kit/core/skills/sync-memories.md
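
Review bot: the new value on the `+` line is the path of this same file (`packages/core/kit/core/skills/sync-memories.md`), so `canonical_source` would point at itself, and it names a file where the old value named a directory. If the key is meant to record where the skill was copied from, removing it is cleaner than a self-reference.
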
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

metadata:
  owner: global-agents
  tier: stateful
  canonical_source: packages/core/kit/core/skills/sync-memories.md
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/core/kit/core/skills/sync-memories.md` at line 15, The file contains
a hardcoded absolute path in the frontmatter field `canonical_source` which must
be removed or made portable; edit the `canonical_source` entry in the markdown
frontmatter (the `canonical_source` key) and either delete the field entirely or
replace the absolute path with a repository-relative path (e.g.,
`./skills/sync-memories` or a relative docs path) so no machine-specific
filesystem paths remain in version control.

Guard sourceUrl derivation with a scheme check (CodeRabbit #258) — catalog
metadata (incl. external manifests) renders into <a href>, so reject
non-http(s) schemes (javascript:/data:) to prevent href injection.
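
The two hardening points raised in this thread, the scheme check on catalog-derived links from the commit message above and the timeout around the CLI's upstream fetch from the `install.ts` finding, sketched together in TypeScript. This is an added example, not forgekit's code: `safeHref`, `rawUrlFor`, `fetchSkillBody`, the `SkillSource` and `FetchLike` types and the 10-second default are assumptions; only the `source` field names and the raw.githubusercontent.com URL layout come from the page.

```typescript
// Added example (not forgekit's code). All function and type names are hypothetical.
interface SkillSource { type: string; repo: string; ref: string; path: string }

// Minimal shape of fetch used here, so a stub can stand in for the network.
type FetchLike = (
  url: string,
  init: { signal: AbortSignal },
) => Promise<{ ok: boolean; status: number; text(): Promise<string> }>;

const WEB_SCHEMES = new Set(["http:", "https:"]);
const badSegment = (s: string): boolean => s === "" || s === "." || s === "..";

/** Return a normalised href only for absolute http(s) URLs; null means "render no link". */
function safeHref(candidate: string): string | null {
  try {
    const u = new URL(candidate);
    return WEB_SCHEMES.has(u.protocol) ? u.href : null; // drops javascript:, data:, ...
  } catch {
    return null; // relative or malformed value
  }
}

/** Derive the raw.githubusercontent.com URL from a manifest source, or null if validation fails. */
function rawUrlFor(src: SkillSource): string | null {
  let repo: URL;
  try {
    repo = new URL(src.repo);
  } catch {
    return null;
  }
  if (src.type !== "git" || repo.protocol !== "https:" || repo.hostname !== "github.com") {
    return null;
  }
  const m = /^\/([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/.exec(repo.pathname);
  if (!m) return null;
  // A ref may contain "/" (branch names) but no empty, "." or ".." segment.
  if (!/^[\w.\/-]+$/.test(src.ref) || src.ref.split("/").some(badSegment)) return null;
  const segments = src.path.split("/");
  if (segments.some(badSegment)) return null; // no traversal, no leading or double slash
  const path = segments.map(encodeURIComponent).join("/");
  return `https://raw.githubusercontent.com/${m[1]}/${m[2]}/${src.ref}/${path}`;
}

/** Fetch a skill body with a hard deadline; a stall becomes an Error instead of a hang. */
async function fetchSkillBody(
  url: string,
  timeoutMs = 10_000, // assumed default, not a forgekit setting
  fetchImpl: FetchLike = fetch,
): Promise<string> {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, { signal: controller.signal });
    if (!res.ok) throw new Error(`could not fetch ${url}: HTTP ${res.status}`);
    return await res.text(); // the body read is still covered by the deadline
  } catch (err) {
    if (controller.signal.aborted) {
      throw new Error(`could not fetch ${url}: timed out after ${timeoutMs} ms`);
    }
    throw err instanceof Error ? err : new Error(`could not fetch ${url}: ${String(err)}`);
  } finally {
    clearTimeout(timer); // no stray timer keeps the CLI process alive
  }
}
```

A caller would run `rawUrlFor(manifest.source)` first and treat `null` the same as a failed fetch, so a malformed manifest never reaches the network.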

@greptile-apps greptile-apps Bot left a comment

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

@LucasSantana-Dev LucasSantana-Dev merged commit b0d1220 into main Jun 6, 2026
21 checks passed
@LucasSantana-Dev LucasSantana-Dev deleted the feat/catalog-v0.24.0-skill-refresh branch June 6, 2026 19:03