feat(skill-sources): trusted external skill sources — design, §13, formats, validator (Phase A)#677
Open
potiuk wants to merge 1 commit into
Open
Conversation
…rmats, validator (Phase A) Introduce a mechanism to pull skills / skill-families from trusted external organizations and repositories, so a skill can live in another repo (a GitHub folder, an SVN/dist archive, or a git tag/branch) yet be adopted exactly like an in-tree skill — same magpie- symlink relay, same override layer, same eval binding. Phase A (design + guardrails; no setup-skill fetch wiring yet): - Amend PRINCIPLES §13 to permit installation from a *trusted* source the adopter has vouched for by committing its pin (method + URL + ref + verification anchor); untrusted external stays discovery-only. Reconcile the affected cross-references. - RFC-AI-0006: trusted external skill sources — trust model + threat model. - docs/skill-sources/: the source-descriptor and source.md redirect-pointer formats, plus a skills discovery registry (the skills counterpart to the adapter registry). - Three-layer trust: framework discovery registry, org-curated organizations/<org>/skill-sources.md, and the adopter install gate <project-config>/skill-sources.md (nothing fetches unless listed there). - skill-and-tool-validator: recognize skills/<name>/source.md pointer dirs and validate source descriptors; 13 new tests. - Wire the mechanism into extending.md, organizations/README, README, AGENTS.md, docs/index, and the org/project templates. Phase B (the /magpie-setup skill-sources fetch/lock/symlink wiring and a worked example) follows in a later change.
9 tasks
choo121600
approved these changes
Jul 3, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Introduces a mechanism to pull skills / skill-families from trusted external organizations and repositories, so a skill can live in another repo — a GitHub folder, an SVN/
distarchive, or a git tag/branch — yet be adopted exactly like an in-tree skill: samemagpie-symlink relay, same override layer, same eval binding. Where a skill directory would sit, askills/<name>/source.mdredirect pointer names a pinned, verified source the adopter has explicitly vouched for; the skill (with its evals and tests) is fetched into the gitignored snapshot and wired in.This is Phase A — the design, the principle change, the formats, and the validator guardrails. It does not yet include the
/magpie-setupfetch/lock/symlink wiring (that is Phase B; see below).The one principle change — §13
PRINCIPLES.md §13previously said catalogs may exist "for discovery, never for installation." This PR narrows that: installation is permitted only from a trusted source — an external org/repo the adopter has vouched for by committing its pin (method + URL + ref + verification anchor). Untrusted external sources, and the adapter/organization indexes, stay discovery-only. A trusted install obeys the same snapshot-plus-pin discipline the framework already uses for itself (gitignored snapshot, committed lock, verified deliberate fetch, no submodules, no unpinned/unverified auto-fetch).Contents
docs/rfcs/RFC-AI-0006.md— the design: trust model + threat model.docs/skill-sources/— the source-descriptor andsource.mdpointer formats, plus a skills discovery registry (the skills counterpart to the adapter registry).organizations/<org>/skill-sources.md→ the adopter install gate<project-config>/skill-sources.md(nothing fetches unless listed there — final trust stays with the adopter).skill-and-tool-validatornow recognizessource.mdpointer dirs (validates thatsource:/organization:resolve; suppresses the spurious eval-coverage advisory) and validates source descriptors. 13 new tests; full suite green.extending.md,organizations/README,README,AGENTS.md,docs/index, and the org/project templates.Phase B (follow-up, not in this PR)
/magpie-setup skill-sourcessub-action +.apache-magpie.sources.lockpair, folded intoadopt/upgrade/verify(fetch, verify, pin, symlink, drift-detect).Notes for review
Because it moves a bright line in
PRINCIPLES.md, this is deliberately shaped as an RFC-first checkpoint — the mechanism is fully specified and enforced, but the invasive setup-skill surgery is held for Phase B so the trust model and §13 amendment can be reviewed first.