feat(skills): M5 Phase A — registry foundation (#85)#90
Open
viktor-shcherb wants to merge 2 commits into
Open
Conversation
…binding validator) Skill registry foundation per issue #85. Publishers upload named, versioned content bundles (markdown + structured manifest); Murmur stores them and exposes browse + read endpoints. The MCP `resources/list` / `resources/read` exposure + auto-load semantics ship in a follow-up; tarball / git-ref upload forms ship later as a separate ingestion path against the same `skill_files` row shape. Schema (migration 0004 — 0003 reserved for M2 in PR #89): - `skills` — `(publisher_id, name, version)` UNIQUE; `manifest_json`, `deprecated_at`, retained on deprecation. - `skill_files` — flat file rows; `(skill_id, path)` UNIQUE; UTF-8 text content (binary out of scope for v1). Endpoints (publisher-scoped via `publisherAuth(db)`; `/skills*` zone added to `src/server.ts`): - `POST /skills` (admin) - `GET /skills` (admin OR runner) - `GET /skills/:name` (admin OR runner) - `GET /skills/:name/:version` (admin OR runner) - `GET /skills/:name/:version/files` (admin OR runner) - `GET /skills/:name/:version/files/:path{.+}` (admin OR runner) - `DELETE /skills/:name/:version` (admin) Validation: - 256 KB per-file cap, 4 MB bundle cap, 64-file cap, kebab-case names, semver-ish versions, path-traversal-safe file paths. - `SKILL.md` REQUIRED in every bundle. - Re-upload of `(publisher_id, name, version)` → 409 (immutability). - Cross-publisher reads → 404 (no information leak). Pipeline-binding validator: - `validatePipelineSkillRefs` resolves `<publisher>/<name>@<version>` refs (or bare `<name>@<version>`) against this publisher's skills. - `name@latest` resolves to the most-recent non-deprecated version at validation time — caller writes the resolved canonical ref into the stored pipeline def (snapshotting per the M5 spec). - Cross-publisher refs rejected (`cross_publisher_skill_ref_unsupported`) in v1. - The `POST /pipelines` consumer wiring lands in a follow-up — needs the M0 pipeline-def schema to add a `skills` field, which is its own contract change. Tests: - 22 cases covering happy path, every named validation reject, immutability, deprecation lifecycle, cross-publisher isolation, and the validator + parseSkillRef. DoD coverage (issue #85): - [x] Skill bundle storage (DB-resident in v1; tarball form follow-up) - [x] Upload / list / fetch / deprecate API - [x] Pipeline binding validation at registration (helper exported, consumer wiring follow-up) - [x] `name@latest` resolution at pipeline-registration time - [x] Documentation: skill authoring guide (`docs/skills.md`) - [ ] MCP resource exposure with auto-load flag — follow-up Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
…GET/DELETE CI's coverage gate flagged src/api/**/*.ts branches at 73.24% (threshold 75%) — skills.ts at 59.22% was the culprit. Adds 14 cases covering each individual validation reject (malformed JSON, non-object body, missing/malformed version, empty description, non-object manifest, non-array files, empty files array, file count cap, non-object file entry, non-string content) plus 401-on-no-auth on GET / DELETE. Lifts skills.ts branch coverage to 71.55% and the src/api/publisher folder to 75.07% (above the 75% threshold). Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Skill registry foundation: schema + JSON-body upload + browse +
deprecate + pipeline-binding validator. Publishers upload named,
versioned content bundles (markdown + structured manifest); Murmur
stores them and exposes browse / read endpoints. Same-publisher
isolation by construction.
The MCP `resources/list` / `resources/read` exposure (with the
auto-load flag), the tarball / git-ref upload forms, and the 90-day
deprecation sweeper all ship in follow-ups against the same
`skill_files` row shape.
UNIQUE; `deprecated_at` retained-on-flip) + `skill_files` (flat
rows, UTF-8 text content, `(skill_id, path)` UNIQUE).
`publisherAuth(db)`):
kebab-case names, semver-ish versions, path-traversal-safe paths,
`SKILL.md` REQUIRED. Re-upload of the same triple → 409.
Cross-publisher reads → 404 (no information leak).
resolves `/@` (or bare
`@`) refs. Snapshots `name@latest` to the
most-recent non-deprecated version at validation time. Rejects
cross-publisher refs. The `POST /pipelines` consumer wiring lands
in a follow-up (it extends the M0 pipeline-def schema to include a
`skills` field, which is its own contract change).
DoD coverage
Branch ordering note
Numbers as migration 0004 because PR #89 (M2) holds 0003. The
two PRs are independent and can land in either order — the migrations
runner iterates by numeric prefix and tolerates gaps.
Test plan
the demo publisher's MURMUR_TOKEN.
🤖 Generated with Claude Code