Skip to content

Harden skill packaging and verification#4

Merged
dd3ok merged 1 commit into
mainfrom
codex/runtime-scope-ci-hardening
Jul 10, 2026
Merged

Harden skill packaging and verification#4
dd3ok merged 1 commit into
mainfrom
codex/runtime-scope-ci-hardening

Conversation

@dd3ok

@dd3ok dd3ok commented Jul 10, 2026

Copy link
Copy Markdown
Owner

Summary

  • remove runtime token accounting and move experiment fairness to repository-level evaluation assets
  • split compact handoff and subagent boundaries into conditionally routed references while keeping all skill mirrors synchronized
  • add implicit trigger evaluation cases, retire stale generated reports, and document the runtime/evaluation boundary
  • harden repository verification with pinned dependencies, SHA-pinned Actions, Dependabot, cross-platform CI controls, and MIT licensing

Self-review

  • corrected CI assertions so Dependabot version updates remain valid while exact dependency pins and 40-character Action SHAs stay mandatory
  • checked runtime references for stale token/fairness text, direct routing, bounded size, mirror drift, and whitespace errors

Verification

  • python scripts/verify_all.py (38 tests)
  • python -m py_compile for verification scripts and tests
  • OpenAI skill quick_validate.py against source and both mirrors
  • JSON/YAML parse checks
  • git diff --check
  • verified Action SHAs against actions/checkout@v7.0.0 and actions/setup-python@v6.3.0

@dd3ok dd3ok merged commit 7ec1b3a into main Jul 10, 2026
3 checks passed
@dd3ok dd3ok deleted the codex/runtime-scope-ci-hardening branch July 10, 2026 00:56
@gemini-code-assist

Copy link
Copy Markdown

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b96c1cc91e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +120 to +121
if "allowed-tools" in data and (not isinstance(allowed_tools, str) or not allowed_tools.strip()):
fail(f"frontmatter allowed-tools must be a non-empty string in {display_path(skill_md)}", issues)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Accept list-form allowed-tools

When a skill uses list-form allowed-tools to preapprove multiple tools in the .claude/skills mirror, Claude Code accepts a YAML list as well as a string, but this verifier now flags any non-string value and makes scripts/verify_all.py fail for an otherwise valid skill package. The previous test fixture used this list form, so this regression will block legitimate mirror updates as soon as tool permissions are added that way.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant