Bundle the wireframe skill into the skills catalog

Adds the wireframe skill (low-fi black-and-white SVG wireframes + viewer
page) as a bundled catalog skill under
catalog/bundled/product/wireframe, alongside its references/ docs and
assets/ templates. Regenerates generated/catalog.json (8 -> 9 skills).

The skill ships static svg/html template assets, so its derived trust
level is "assets" rather than "markdown_only". The server's real
install-time security gate (assertCatalogSkillInstallable) blocks only
"scripts_executables", and "assets" skills are installable, so the
shipped-catalog markdown-only invariant is refined to gate on executable
scripts instead. No skill ships executable scripts.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Dotta 2026-05-31 18:07:26 +00:00
parent 911a1e8b0d
commit 1cf3b792b5
9 changed files with 1624 additions and 3 deletions


@ -6,6 +6,7 @@ const EXPECTED_BUNDLED_KEYS = [
"paperclipai/bundled/docs/doc-maintenance",
"paperclipai/bundled/paperclip-operations/issue-triage",
"paperclipai/bundled/paperclip-operations/task-planning",
"paperclipai/bundled/product/wireframe",
"paperclipai/bundled/quality/qa-acceptance",
"paperclipai/bundled/software-development/github-pr-workflow",
];
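Review bot: EXPECTED_BUNDLED_KEYS pins only the key "paperclipai/bundled/product/wireframe", so nothing in this list records that the new entry is expected to carry the "assets" trust level rather than "markdown_only". Consider asserting the expected trust level per key next to the key list, so a later change to this skill's derived level shows up as an explicit test diff instead of passing unnoticed.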
@ -31,8 +32,11 @@ describe("shipped skills catalog", () => {
expect(optionalKeys).toEqual(EXPECTED_OPTIONAL_KEYS);
});
it("keeps every shipped skill markdown-only until a script-bearing skill clears security review", () => {
const scriptBearing = catalogSkills.filter((skill) => skill.trustLevel !== "markdown_only");
it("keeps every shipped skill free of executable scripts until script-bearing skills clear security review", () => {
// The real install-time security boundary (server assertCatalogSkillInstallable) blocks
// only "scripts_executables". Static assets (svg/html templates, e.g. the wireframe skill)
// carry the "assets" trust level and are installable, so they are allowed in the catalog.
const scriptBearing = catalogSkills.filter((skill) => skill.trustLevel === "scripts_executables");
expect(scriptBearing, formatViolations("script-bearing skills require security review", scriptBearing)).toEqual([]);
});
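Review bot: the new filter, skill.trustLevel === "scripts_executables", turns the previous deny-by-default check (!== "markdown_only") into a denylist, so any trust level other than that one string, including a level added later or a misspelled value, passes this test without review. An explicit allowlist keeps the wireframe skill passing while still failing closed, for example filtering on !["markdown_only", "assets"].includes(skill.trustLevel). Separately, the comment describes svg/html templates as static assets, but both formats can carry inline script, and the visible lines do not show whether the "assets" derivation inspects file contents; say so in the comment or add a check that shipped svg/html assets contain no script elements or event-handler attributes.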