Skip to content

Modular skills architecture with trust model and security analyzer#6

Merged
initializ-mk merged 2 commits intomainfrom
core/make-skill-modular
Feb 23, 2026
Merged

Modular skills architecture with trust model and security analyzer#6
initializ-mk merged 2 commits intomainfrom
core/make-skill-modular

Conversation

@initializ-mk
Copy link
Contributor

@initializ-mk initializ-mk commented Feb 23, 2026

Summary

  • Phase 1: Extract all skill logic from forge-core/ into standalone forge-skills/ module with autodiscovery, SkillRegistry interface, SKILL.md-per-subdirectory convention, embedded skill filesystem, parser, compiler, requirements aggregation, and env resolver
  • Phase 2: Add trust model (SHA-256 integrity checksums, Ed25519 signature verification, keyring management, provenance tracking on SkillDescriptor) and security analyzer (deterministic risk scoring, configurable policy enforcement, audit report generation)
  • Build pipeline: New SecurityAnalysisStage between skills compilation and requirements — writes compiled/security-audit.json artifact and blocks build on policy errors
  • CLI commands: forge skills audit [--format text|json], forge skills sign --key <path>, forge skills keygen <name>
  • TUI wizard: Refactored init wizard to Bubble Tea TUI with improved navigation and UX (from prior commits on this branch)
  • Tavily integration: Web search provider support with Tavily and Perplexity backends (from prior commits on this branch)

Test plan

  • go test ./... passes for all three modules (forge-core, forge-cli, forge-skills)
  • golangci-lint run reports 0 issues across all modules
  • gofmt -w applied to all source files
  • Binary compiles: go build ./forge-cli/cmd/forge/
  • Manual: forge skills audit on a project with skills.md shows risk scores and policy check
  • Manual: forge skills audit --format json outputs valid JSON
  • Manual: forge skills keygen test-author creates key pair in ~/.forge/keys/
  • Manual: forge skills sign <skill-file> --key <key> creates .sig file
  • Manual: forge build includes compiled/security-audit.json in output

@initializ-mk
Add trust model and security analyzer for skills (Phase 2)
573df35 
Introduce integrity verification (SHA-256 checksums, manifests),
Ed25519 signature support with keyring management, provenance tracking
on SkillDescriptor, and a security analyzer with risk scoring, policy
enforcement, and audit reporting. Integrate SecurityAnalysisStage into
the build pipeline and add forge skills audit/sign/keygen CLI commands.
@initializ-mk initializ-mk mentioned this pull request Feb 23, 2026
Merged
@initializ-mk
Rename skills.md → SKILL.md and add registry audit modes
61ad28c 
Align the default skills filename with project branding (SKILL.md).
Add --embedded and --dir flags to `forge skills audit` for per-skill
registry scanning.
@initializ-mk initializ-mk merged commit ffd870a into main Feb 23, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@initializ-mk