feat(skills): full agentskills.io spec compliance

[ezynda3]

Description

Brings Kit's skills subsystem into full compliance with the agentskills.io specification in a single coordinated sweep. Kit was already substantially aligned (3-tier progressive disclosure, <available_skills> catalog, /skill: activation, runtime mutation SDK), so this PR closes the remaining 16 gaps clustered across read-side robustness, safety/policy, and cross-client polish.

The highest-impact fixes address two real defects: catalog descriptions containing <, >, or & previously produced malformed XML that some models refuse to parse, and a freshly cloned repo with .agents/skills/ would silently inject its instructions into the system prompt on cd — a genuine prompt-injection vector. Both are now handled (XML escaping; a persisted project-trust gate). Skills authored for other clients (with license/compatibility fields or the common unquoted-colon description: Use when: … mistake) now load correctly, and skills missing a required description are skipped with a logged warning instead of appearing undiscoverable in the catalog.

The change is intentionally one PR because the pieces are tightly coupled — each new frontmatter field cascades through the parser struct, the SDK type alias, the extension bridge, catalog rendering, and the docs, and the compaction-protection tag must match the activation-time wrapper which must match the catalog-time stripping.

Fixes #65

Type of Change

• New feature (non-breaking change which adds functionality)
• Bug fix (non-breaking change which fixes an issue)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactor / chore

What changed

Read-side robustness

• XML-escape name/description/compatibility/location in the catalog; drop the file:// prefix on <location> (bare paths the read/fs tools expect).
• Skip skills missing a required description (logged warning); add Skill.Validate() []Diagnostic.
• New spec frontmatter fields: license, compatibility, metadata, allowed-tools, disable-model-invocation, threaded through skills.Skill, extensions.Skill, convertSkill, and the .kit.yml template.
• Malformed-YAML fallback: on a parse failure, quote unquoted-colon scalar values (description: Use when: …) and retry once.

Discovery & precedence

• Add the missing ~/.agents/skills/ scope (now 4 canonical scopes).
• Dedupe by name with explicit project > user precedence and collision warnings (was dedupe-by-path).
• --skills-dir now scans the directory directly instead of appending .agents/.kit beneath it (matches documented intent).

Safety / policy

• Project-trust gate: new internal/trust package persists an allowlist at ~/.config/kit/trusted-projects.json; Options.SkillTrustPrompt callback + interactive CLI prompt gate first-time project-skill loading. Defaults to load-without-prompting when no callback is set (back-compatible).
• Compaction protection: messages carrying <skill>/<skill_content> wrappers are preserved verbatim instead of being summarized away.

Activation & SDK polish

• New internal/skilltool activate_skill MCP tool with enum-constrained name, bundled-resource enumeration, and per-session dedup; registered only when ≥1 skill is loaded.
• <skill_resources> enumeration of scripts//references//assets/ on /skill: activation.
• Per-skill disable: --skill-disable flag, skill-disable config key, disable-model-invocation honoring, plus Kit.DisableSkill/EnableSkill SDK methods.
• SDK helpers: Skill.BaseDir(), Skill.Resources(), Skill.Validate().

Checklist

• My code follows the style guidelines of this project (go fmt, go vet, golangci-lint run all clean)
• I have performed a self-review of my own code
• I have added tests that prove my fix/feature works
• New and existing unit tests pass locally (go test -race ./...)
• I have made corresponding changes to the documentation (README + docs site)

Additional Information

New files

• internal/trust/{trust.go,trust_test.go} — persisted project-trust allowlist
• internal/skilltool/{skilltool.go,skilltool_test.go} — activate_skill MCP tool
• cmd/skill_trust.go — interactive CLI trust prompt
• pkg/kit/skills_spec_test.go — SDK-level coverage (direct --skills-dir, disable list, trust gate)

Backward compatibility

• New Options fields (SkillsDisable, SkillTrustPrompt) and frontmatter fields are all optional; existing skills and SDK callers are unaffected.
• SkillTrustPrompt defaults to nil → project skills load without prompting, preserving prior behavior. The CLI only prompts in interactive TTY sessions (skipped for --quiet, piped stdin, and one-shot positional prompts).
• The --skills-dir semantics change is a fix to match the documented/expected behavior; the flag was previously scanning <dir>/.agents/skills and <dir>/.kit/skills rather than <dir> itself.

Verification

• go build ./..., go vet, and golangci-lint run clean (the pre-existing examples/extensions build error is unrelated and present on master).
• Docs site builds cleanly (npm run build via tome).

Summary by CodeRabbit

Release Notes

• New Features
  • Disable specific skills from the model catalog via --skill-disable flag while keeping them accessible via /skill:
  • Interactive trust prompt for newly discovered project-local skills
  • Agents can dynamically activate skills by name
  • Skills now support expanded metadata (license, compatibility, allowed-tools, tags)
  • Skill bundled resources are discoverable and enumerable
• Documentation
  • Enhanced CLI reference and configuration documentation for skill management
  • Added comprehensive skill frontmatter specification

[mark-iii-labs-huly]

Connected to Huly®: KIT-72

[coderabbitai]

Warning

Review limit reached

@ezynda3, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 29 minutes and 25 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6c86d06d-bb24-4c40-b248-2a476b0fc1cb

📥 Commits

Reviewing files that changed from the base of the PR and between 7156b01 and 902ad8a.

📒 Files selected for processing (3)

• internal/skills/skills.go
• internal/skilltool/skilltool.go
• internal/skilltool/skilltool_test.go

📝 Walkthrough

Walkthrough

This PR implements full agentskills.io spec compliance: expands the Skill model with new frontmatter fields, validation, resource enumeration, and YAML repair; refactors skill discovery with scoped loaders and name-collision deduplication; adds a persisted project-skill trust store; introduces per-skill DisableSkill/EnableSkill on Kit; registers a new activate_skill LLM tool; protects skill messages from compaction pruning; and wires all changes through the CLI, SDK, and documentation.

Changes

agentskills.io spec compliance

Layer / File(s)	Summary
Skill model: new fields, validation, YAML repair, and resources internal/skills/skills.go, internal/extensions/api.go, internal/skills/skills_test.go	Skill gains License, Compatibility, Metadata, AllowedTools, and DisableModelInvocation fields. Validate(), BaseDir(), and Resources() methods are added. Frontmatter parsing routes through unmarshalFrontmatter with a YAML unquoted-colon repair pass. Extensions Skill struct gains matching fields. Tests cover new field parsing, YAML repair, Validate(), and Resources().
Skill discovery refactor: scoped loaders, deduplication, and prompt formatting internal/skills/skills.go, internal/skills/skills_test.go, internal/skills/prompt_builder_test.go	Exports LoadUserSkills, LoadProjectSkills, and Combine; finalizeSkills validates and resolves name collisions favoring project-local skills. FormatForPrompt XML-escapes fields, omits DisableModelInvocation skills, and drops the file:// location prefix. Tests cover missing-description skipping, name-collision precedence, XML escaping, and format changes.
Trust store: persisted project-directory allowlist internal/trust/trust.go, internal/trust/trust_test.go	New package with Decision enum (Skip, Trust, TrustOnce), a mutex-guarded Store backed by JSON at $XDG_CONFIG_HOME/kit/trusted-projects.json, and IsTrusted/Trust/Untrust with directory normalization. Tests verify persist-on-trust, untrust, and missing-file behavior.
Kit skills: DisableSkill/EnableSkill, trust gate, and convertSkill expansion pkg/kit/skills.go, pkg/kit/skills_spec_test.go	Adds applySkillDisableList, exported DisableSkill/EnableSkill (toggle DisableModelInvocation and recompose the system prompt), TrustDecision alias, and projectSkillsTrusted to gate project skills via the persisted store and optional SkillTrustPrompt callback. convertSkill populates all new fields on the extensions-facing struct. Tests cover direct-dir scanning, disable list, and trust gating with persistence.
activate_skill tool: on-demand skill loading with deduplication internal/skilltool/skilltool.go, internal/skilltool/skilltool_test.go	New activate_skill fantasy tool with enum-constrained name parameter, per-session mutex-protected deduplication, dynamic provider snapshot resolution, disk reload stripping frontmatter, and <skill_content> response wrapping including bundled resources. Tests cover nil-when-no-skills, load-and-dedup, and unknown-skill error.
Kit.go wiring: New(), loadSkills, activate_skill registration, and /skill: resources pkg/kit/kit.go, pkg/kit/skills_spec_test.go	Adds SkillsDisable and SkillTrustPrompt to Options. New() applies the disable list post-discovery and conditionally registers activate_skill with a deferred live-instance provider. loadSkills scans SkillsDir directly or runs trust-gated auto-discovery. /skill: expansion appends formatted bundled resources.
CLI wiring: --skill-disable flag and interactive trust prompt cmd/root.go, cmd/skill_trust.go	Adds --skill-disable repeatable flag with viper binding; passes SkillsDisable and SkillTrustPrompt into kit options. skillTrustPrompt() reads a line from stdin for interactive sessions to produce TrustProject, TrustProjectOnce, or SkipProjectSkills, and returns nil for non-interactive/quiet sessions.
Compaction protection, config template, and docs internal/compaction/compaction.go, internal/compaction/compaction_test.go, internal/config/config.go, README.md, www/pages/...	isProtectedMessage detects skill-content XML markers and preserves those messages across compaction. Default .kit.yml template is expanded with frontmatter field guidance. All documentation (CLI, SDK, configuration, extensions) is updated for new flags, fields, trust workflow, and discovery semantics.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant CLI as cmd/root.go
  participant Kit as pkg/kit/kit.go
  participant TrustStore as internal/trust
  participant SkillsLoader as internal/skills
  participant ActivateTool as internal/skilltool

  User->>CLI: kit run (with project dir containing SKILL.md)
  CLI->>Kit: New(opts with SkillTrustPrompt, SkillsDisable)
  Kit->>SkillsLoader: LoadUserSkills() + LoadProjectSkills(cwd)
  SkillsLoader-->>Kit: user skills + project skills
  Kit->>TrustStore: IsTrusted(projectDir)
  alt not yet trusted
    TrustStore-->>Kit: false
    Kit->>CLI: SkillTrustPrompt(projectDir, skillCount)
    CLI->>User: interactive prompt
    User-->>CLI: TrustProject
    CLI-->>Kit: TrustProject decision
    Kit->>TrustStore: Trust(projectDir) — persists JSON
  end
  Kit->>Kit: applySkillDisableList(SkillsDisable)
  Kit->>ActivateTool: skilltool.New(names, liveProvider)
  Kit-->>User: agent ready with activate_skill tool

  User->>ActivateTool: Run(name="coding-skill")
  ActivateTool->>SkillsLoader: LoadSkill(path) — strip frontmatter
  SkillsLoader-->>ActivateTool: skill content + resources
  ActivateTool-->>User: <skill_content name="coding-skill">...</skill_content>

Loading

Estimated code review effort

🎯 5 (Critical) | ⏱️ ~120 minutes

Possibly related PRs

• mark3labs/kit#37: Modifies the same pkg/kit/skills.go and /skill: expansion path in pkg/kit/kit.go, intersecting directly with the runtime skill-set mutation and system-prompt recomposition logic extended here.
• mark3labs/kit#55: Modifies cmd/root.go and pkg/kit/kit.go wiring around SkillsDir and Options—the same startup plumbing that this PR extends with --skill-disable and trust gating.
• mark3labs/kit#69: Modifies internal/skills/skills.go skill parsing and discovery, directly overlapping with the refactored LoadUserSkills/LoadProjectSkills/Combine and frontmatter parsing changes in this PR.

Poem

🐇 Hop, hop — a new skill pops into view,
Trust me once, or always, it's up to you!
XML-escaped names so the catalog stays clean,
activate_skill conjures what once was unseen.
Compaction won't swallow what skills have to say,
This bunny ships spec compliance today! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 72.55% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'feat(skills): full agentskills.io spec compliance' clearly summarizes the main change—achieving full specification compliance for the skills subsystem.
Linked Issues check	✅ Passed	The PR comprehensively addresses all objectives from issue #65 across P0-P3 priority levels: XML escaping, skill validation, --skills-dir semantics, new scan scope, deduplication, new frontmatter fields, YAML fallback, per-skill disable, resource enumeration, MCP tool, trust gate, and SDK helpers.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to achieving agentskills.io specification compliance per issue #65; no unrelated modifications were introduced.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/65-agentskills-spec-compliance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (4)

internal/skilltool/skilltool_test.go (1)

74-84: ⚡ Quick win

Add a regression test that disabled skills cannot be activated

Current tests validate known/unknown and dedup flows, but they don’t assert DisableModelInvocation enforcement. Please add a case where provider returns a matching skill with DisableModelInvocation: true and activation returns an error response.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/skilltool/skilltool_test.go` around lines 74 - 84, Add a new test
function following the pattern of TestActivateSkill_UnknownSkill that validates
the DisableModelInvocation enforcement. Create a provider function that returns
a skills.Skill with a matching name but with DisableModelInvocation set to true,
instantiate the tool with New(), call tool.Run() with a request for that skill
name, and assert that the response contains an appropriate error message
indicating the skill is disabled. This ensures that skills marked as disabled
cannot be activated even when they exist in the provider.

pkg/kit/skills_spec_test.go (1)

91-91: 💤 Low value

Unused prompted counter variable.

The prompted variable is declared and incremented but never asserted. Consider adding verification that the prompt was called exactly once, or remove the counter if not needed.

♻️ Optional: Verify prompt was called

 	// Trust decision → project skills loaded and directory persisted.
 	prompted := 0
 	trusted, err := loadSkills(&Options{
 		SessionDir: projectDir,
 		SkillTrustPrompt: func(_ string, _ int) TrustDecision {
 			prompted++
 			return TrustProject
 		},
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 	if len(trusted) != 1 {
 		t.Fatalf("expected 1 skill when trusted, got %d", len(trusted))
 	}
+	if prompted != 1 {
+		t.Fatalf("expected prompt to be called once, got %d", prompted)
+	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/kit/skills_spec_test.go` at line 91, The `prompted` counter variable is
declared and incremented but never verified in an assertion, making it unused.
Either add an assertion at the end of the test to verify that `prompted` equals
the expected count (likely 1 to confirm the prompt was called exactly once), or
remove the variable declaration and any increment operations if it is not needed
for the test validation.

internal/trust/trust.go (1)

95-99: 💤 Low value

Consider using RLock for read-only operation.

IsTrusted is a read-only method but uses Lock() instead of RLock(). While functionally correct, using sync.RWMutex with RLock() would allow concurrent reads.

However, since the struct uses sync.Mutex (not sync.RWMutex), this is consistent with the current design. If contention becomes a concern, the mutex type could be upgraded.

♻️ Optional: Upgrade to RWMutex for concurrent reads

 type Store struct {
-	mu      sync.Mutex
+	mu      sync.RWMutex
 	path    string
 	trusted map[string]bool
 }

Then in IsTrusted:

 func (s *Store) IsTrusted(dir string) bool {
-	s.mu.Lock()
-	defer s.mu.Unlock()
+	s.mu.RLock()
+	defer s.mu.RUnlock()
 	return s.trusted[normalize(dir)]
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/trust/trust.go` around lines 95 - 99, To optimize for concurrent
reads in the Store type, upgrade the mutex from sync.Mutex to sync.RWMutex in
the Store struct definition. Then in the IsTrusted method, replace the
s.mu.Lock() call with s.mu.RLock() and change the corresponding defer statement
from defer s.mu.Unlock() to defer s.mu.RUnlock(). This allows multiple
goroutines to read the trusted map simultaneously while maintaining exclusive
write access for mutation operations elsewhere in the code.

www/pages/cli/commands.md (1)

116-124: ⚡ Quick win

Add language identifier to fenced code block for the trust prompt example.

Line 118 is missing a language identifier on the fenced code block. Use ```text or ```shell to satisfy the markdown linter (MD040).

Proposed fix

-This project provides 2 skills under .agents/skills or .kit/skills:
+This project provides 2 skills under .agents/skills or .kit/skills:
+```text

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@www/pages/cli/commands.md` around lines 116 - 124, The fenced code block
displaying the trust prompt example (starting with "This project provides 2
skills under .agents/skills or .kit/skills:") is missing a language identifier
after the opening triple backticks, which causes the MD040 markdown linter to
fail. Add a language identifier such as `text` or `shell` after the opening ```
to specify the code block language and satisfy the linter requirement.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/compaction/compaction.go`:
- Around line 401-413: The isProtectedMessage function treats any message
containing skill content markers as protected without verifying the source or
role of the message, allowing users to inject these markers to prevent their
messages from being compacted. Modify the isProtectedMessage function to add a
role or source check that ensures only messages from trusted sources (such as
system or assistant messages, not user messages) are treated as protected
content. This prevents users from exploiting the protection mechanism by
injecting marker substrings to keep arbitrary history from being compacted.

In `@internal/skills/skills.go`:
- Around line 414-423: The LoadUserSkills function silently discards errors from
LoadSkillsFromDir calls by using underscore placeholders instead of checking the
error returns. This can mask permission denied, broken symlink, or transient I/O
errors that result in partial skill catalogs. Modify the LoadUserSkills function
to capture the error returns from both LoadSkillsFromDir calls (when loading
from the user home directory and global skills directory), check if errors occur
that are not ENOENT, and wrap any non-ENOENT errors with fmt.Errorf providing
context about which skill directory failed to load, then return the error up the
call chain or log it appropriately. This applies to all instances where
LoadSkillsFromDir is called in this code section.

In `@internal/skilltool/skilltool.go`:
- Around line 98-104: The check-and-set operation for preventing duplicate skill
activation is not atomic because the lock is released before the skill is
actually marked as activated. Move the t.mu.Unlock() call that currently occurs
after checking t.activated[name] to instead occur after the skill has been
written to the t.activated map (around line 134-136 where the activation
happens). This ensures the entire check to see if a skill is already activated
and the subsequent marking of it as activated happens within a single lock
section, preventing two concurrent calls from both passing the duplicate check
and both activating the same skill.
- Around line 108-113: The skill lookup loop iterating through t.provider() only
validates that s.Name matches the requested name, but does not check if the
skill is marked with DisableModelInvocation. Add an additional condition to the
if statement that checks the DisableModelInvocation flag on the skill object s
to ensure disabled skills cannot be activated. The if statement should verify
both that the name matches AND that the skill is not disabled before setting the
path and breaking.

---

Nitpick comments:
In `@internal/skilltool/skilltool_test.go`:
- Around line 74-84: Add a new test function following the pattern of
TestActivateSkill_UnknownSkill that validates the DisableModelInvocation
enforcement. Create a provider function that returns a skills.Skill with a
matching name but with DisableModelInvocation set to true, instantiate the tool
with New(), call tool.Run() with a request for that skill name, and assert that
the response contains an appropriate error message indicating the skill is
disabled. This ensures that skills marked as disabled cannot be activated even
when they exist in the provider.

In `@internal/trust/trust.go`:
- Around line 95-99: To optimize for concurrent reads in the Store type, upgrade
the mutex from sync.Mutex to sync.RWMutex in the Store struct definition. Then
in the IsTrusted method, replace the s.mu.Lock() call with s.mu.RLock() and
change the corresponding defer statement from defer s.mu.Unlock() to defer
s.mu.RUnlock(). This allows multiple goroutines to read the trusted map
simultaneously while maintaining exclusive write access for mutation operations
elsewhere in the code.

In `@pkg/kit/skills_spec_test.go`:
- Line 91: The `prompted` counter variable is declared and incremented but never
verified in an assertion, making it unused. Either add an assertion at the end
of the test to verify that `prompted` equals the expected count (likely 1 to
confirm the prompt was called exactly once), or remove the variable declaration
and any increment operations if it is not needed for the test validation.

In `@www/pages/cli/commands.md`:
- Around line 116-124: The fenced code block displaying the trust prompt example
(starting with "This project provides 2 skills under .agents/skills or
.kit/skills:") is missing a language identifier after the opening triple
backticks, which causes the MD040 markdown linter to fail. Add a language
identifier such as `text` or `shell` after the opening ``` to specify the code
block language and satisfy the linter requirement.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 00cdb372-2299-4f14-a034-336adcc0b6d4

📥 Commits

Reviewing files that changed from the base of the PR and between dd7ae41 and 7156b01.

📒 Files selected for processing (23)

• README.md
• cmd/root.go
• cmd/skill_trust.go
• internal/compaction/compaction.go
• internal/compaction/compaction_test.go
• internal/config/config.go
• internal/extensions/api.go
• internal/skills/prompt_builder_test.go
• internal/skills/skills.go
• internal/skills/skills_test.go
• internal/skilltool/skilltool.go
• internal/skilltool/skilltool_test.go
• internal/trust/trust.go
• internal/trust/trust_test.go
• pkg/kit/kit.go
• pkg/kit/skills.go
• pkg/kit/skills_spec_test.go
• www/pages/cli/commands.md
• www/pages/cli/flags.md
• www/pages/configuration.md
• www/pages/extensions/capabilities.md
• www/pages/sdk/options.md
• www/pages/sdk/overview.md