Problem
Currently, rulesync install fetches skills exclusively from GitHub (or git remotes). This doesn't work in enterprise environments where outbound access to public GitHub is restricted and all packages must be sourced from a private registry such as JFrog Artifactory, a private npm registry, or similar.
The workaround today is to manually copy skill files out of locally-installed packages into .rulesync/skills/ and commit them — which works but requires a custom sync script and a lint check to keep files in sync as packages update.
Proposed Solution
Add an npm (or registry) transport to declarative sources that fetches skills from an npm-compatible registry:
The transport would:
- Resolve the package from the configured registry (respecting
.npmrc / NPM_TOKEN for auth)
- Extract the skill directories from the package
- Write them to
.rulesync/skills/.curated/<skill-name>/ as the existing transports do
This would allow enterprises using Artifactory (or any npm-compatible private registry) to distribute skills internally as npm packages without requiring direct GitHub access.
Alternatives Considered
file:// git transport — requires the skill source to be a git repo on disk, not an installed package- Manual copy + lint check — functional but requires custom tooling per project
Additional Context
The Agent Skills specification already defines a standard directory layout (SKILL.md, references/, etc.) that maps naturally onto npm package contents. Packaging skills as npm packages and distributing them via a private registry is a natural fit for this spec in enterprise settings.
Problem
Currently,
rulesync installfetches skills exclusively from GitHub (or git remotes). This doesn't work in enterprise environments where outbound access to public GitHub is restricted and all packages must be sourced from a private registry such as JFrog Artifactory, a private npm registry, or similar.The workaround today is to manually copy skill files out of locally-installed packages into
.rulesync/skills/and commit them — which works but requires a custom sync script and a lint check to keep files in sync as packages update.Proposed Solution
Add an
npm(orregistry) transport to declarative sources that fetches skills from an npm-compatible registry:{ "sources": [ { "source": "my-org/my-skill-package", "transport": "npm", "registry": "https://my-artifactory.example.com/artifactory/api/npm/npm-local/" } ] }The transport would:
.npmrc/NPM_TOKENfor auth).rulesync/skills/.curated/<skill-name>/as the existing transports doThis would allow enterprises using Artifactory (or any npm-compatible private registry) to distribute skills internally as npm packages without requiring direct GitHub access.
Alternatives Considered
file://git transport — requires the skill source to be a git repo on disk, not an installed packageAdditional Context
The Agent Skills specification already defines a standard directory layout (
SKILL.md,references/, etc.) that maps naturally onto npm package contents. Packaging skills as npm packages and distributing them via a private registry is a natural fit for this spec in enterprise settings.