Skip to content

feat(skill-sources): Phase B — fetch/pin/symlink wiring for trusted external skill sources#707

Merged
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat/skill-sources-phase-b
Jul 3, 2026
Merged

feat(skill-sources): Phase B — fetch/pin/symlink wiring for trusted external skill sources#707
potiuk merged 1 commit into
apache:mainfrom
potiuk:feat/skill-sources-phase-b

Conversation

@potiuk

@potiuk potiuk commented Jul 3, 2026

Copy link
Copy Markdown
Member

Summary

Makes the trusted external skill sources feature runnable. Phase A (RFC-AI-0006, PRINCIPLES §13 carve-out, formats, validator) landed in #677; this is Phase B — the fetch / pin / symlink mechanism, per docs/skill-sources/README.md.

An adopter lists a source in <project-config>/skill-sources.md (the install gate) and commits its pin; /magpie-setup skill-sources then fetches it into a gitignored snapshot and wires its skills in so they behave exactly like in-tree framework skills — same magpie- symlink relay, same override layer, same eval binding.

What's included

  • New sub-action skills/setup/skill-sources.md (/magpie-setup skill-sources): read trust list → fetch+verify into .apache-magpie-sources/<id>/ (reusing the framework install recipes verbatim) → write both source locks → symlink the provided skills (canonical + relay).
  • Two source locks mirroring the framework's drift model: committed .apache-magpie.sources.lock (per-source pins) + gitignored .apache-magpie.sources.local.lock (per-machine fetch).
  • Folded into the setup lifecycle: adopt (Step 8b + .gitignore block), upgrade (Step 6f re-fetch + source drift), verify (check 10 source health), worktree-init (share the source snapshot). SKILL.md registers it all.
  • symlink-lint prunes .apache-magpie-sources/ (a build artefact like the framework snapshot); regression test added.

Verification

  • symlink-lint + skill-and-tool-validator pytest green (incl. new prune test); Phase A validator tests unchanged and green.
  • prek clean on all changed files — markdownlint, lychee (every new cross-reference/anchor resolves), mypy, workspace pytest, skill-and-tool-validate.

Notes

  • The descriptor/pointer validation path is covered by Phase A's validator fixtures; the fetch/symlink path is agent-executed markdown, so its proof is the recipe reuse + symlink-lint coverage rather than a network-touching e2e test.
  • Design follows the three assumed decisions recorded in the plan (A-then-B phasing; org-curated + adopter-opt-in trust; per-source manifest + per-skill source.md), now locked in by Phase A.

🤖 Generated with Claude Code

…xternal skill sources

Makes the trusted-external-skill-sources feature runnable (Phase A
landed the design, formats, and validator in apache#677):

- New /magpie-setup skill-sources sub-action (skills/setup/skill-sources.md):
  read the adopter trust list, fetch+verify each source into the gitignored
  .apache-magpie-sources/<id>/ reusing the framework install recipes, write
  the two source locks, and symlink the provided skills exactly like
  framework skills (canonical + relay, magpie- prefixed).
- Two source locks: committed .apache-magpie.sources.lock (per-source pins)
  + gitignored .apache-magpie.sources.local.lock (per-machine fetch), same
  drift model as the framework snapshot.
- Fold into adopt (Step 8b + .gitignore block), upgrade (Step 6f re-fetch +
  source drift), verify (check 10 source health), worktree-init (share the
  source snapshot). SKILL.md registers the sub-action, dispatch, locks.
- symlink-lint prunes .apache-magpie-sources/ (a build artefact like the
  framework snapshot); regression test added.
@potiuk potiuk merged commit e54f817 into apache:main Jul 3, 2026
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant