Merged
Changes from 17 commits
28 commits
001127b
feat(skills): Implement Skills Integration
hminooei Feb 19, 2026
efe5f74
chore: Remove design doc from PR
hminooei Feb 19, 2026
b3db0fd
refactor(skills): Convert catalog to Markdown body
hminooei Feb 19, 2026
9558842
fix(conductor): update skill reference paths to .agents/skills
hminooei Feb 19, 2026
eb30525
fix(conductor): update skill download to support folders
hminooei Feb 19, 2026
e18a33c
fix(skills): update catalog URLs to point to directories
hminooei Feb 19, 2026
d63afc1
feat(conductor): update skills integration with design doc requirements
hminooei Feb 27, 2026
1257334
feat(conductor): add GCP OWASP Top 10 skills to catalog
hminooei Feb 27, 2026
bcb6513
feat(conductor): use precise detection signals for OWASP skills
hminooei Feb 27, 2026
09b52d2
feat(conductor): add file and dependency signals to OWASP skills
hminooei Feb 27, 2026
7b7ac53
Merge remote-tracking branch 'origin/main' into feat/skills-integrati…
hminooei Mar 5, 2026
d2ba05a
chore(conductor): remove obsolete setup_state.json reference
hminooei Mar 5, 2026
8f699e0
feat(skills): add gcp-apis and Firebase skills to catalog
hminooei Mar 5, 2026
11b539c
chore(skills): cleanup inactive skills from catalog
hminooei Mar 5, 2026
8013ee9
chore(skills): remove gcp-apis skill from catalog
hminooei Mar 5, 2026
4c759d3
feat(conductor): add /skills reload instruction to setup and newTrack
hminooei Mar 5, 2026
2c239f7
fix(conductor): update skills catalog path to absolute path
hminooei Mar 6, 2026
6d3ebcd
address review comments
hminooei Mar 11, 2026
9ffe729
feat(conductor): use interactive ask_user for skill recommendations i…
hminooei Mar 11, 2026
809ca6e
chore: remove GCP OWASP Top 10 Skills from catalog
hminooei Mar 11, 2026
38b6359
feat(conductor): update skill installation and style guide selection …
hminooei Mar 17, 2026
b12250a
Merge branch 'main' into feat/skills-integration-impl
hminooei Mar 17, 2026
7f666a2
feat(conductor): add devops skills to catalog
hminooei Mar 17, 2026
eb7de36
fix(conductor): ensure agent activates relevant skills in implement.toml
hminooei Mar 18, 2026
cfb2fea
fix(conductor): update skill activation phrasing per feedback
hminooei Mar 18, 2026
874c431
fix(conductor): use exact 'ask the model to activate' phrasing
hminooei Mar 18, 2026
00472c7
chore(conductor): explicit pause on skill reload
hminooei Mar 18, 2026
6698222
fix(conductor): explicitly specify not to use ask_user tool in skill …
hminooei Mar 18, 2026
15 changes: 14 additions & 1 deletion commands/conductor/newTrack.toml
Expand Up @@ -130,7 +130,20 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai
- Label: "Revise", Description: "I want to modify the implementation steps."
Await user feedback and revise the `plan.md` content until confirmed.

### 2.4 Create Track Artifacts and Update Main Plan
### 2.4 Skill Recommendation (Interactive)
1. **Analyze Needs:**
- Read `skills/catalog.md` from the directory where the Conductor extension is installed (typically `~/.gemini/extensions/conductor/skills/catalog.md`).
- Analyze the confirmed `spec.md` and `plan.md` against the `Detection Signals` in the loaded `skills/catalog.md`.
- Identify any relevant skills that are NOT yet installed (check `~/.agents/extensions/conductor/skills/` and `.agents/skills/`).
2. **Recommendation Loop:**
- **If relevant missing skills are found:**
- **Present:** specific recommendations to the user, explaining WHY they are relevant for this track.
- **Ask:** "Would you like to install these skills now?" (yes/no or select specific).
- **Install:** If confirmed, install them using the same logic as `setup.toml` (download from URL/Git to `.agents/skills/`).
- **Notify:** **CRITICAL:** If you installed any new skills, you MUST explicitly instruct the user: "New skills installed. Please run `/skills reload` to enable them."
- **If no missing skills found:** Skip this section.

### 2.5 Create Track Artifacts and Update Main Plan

1. **Check for existing track name:** Before generating a new Track ID, resolve the **Tracks Directory** using the **Universal File Resolution Protocol**. List all existing track directories in that resolved path. Extract the short names from these track IDs (e.g., ``shortname_YYYYMMDD`` -> `shortname`). If the proposed short name for the new track (derived from the initial description) matches an existing short name, halt the `newTrack` creation. Explain that a track with that name already exists and suggest choosing a different name or resuming the existing track.
2. **Generate Track ID:** Create a unique Track ID (e.g., ``shortname_YYYYMMDD``).
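Review bot: In the **Install** step of the new section 2.4, the parenthetical "(download from URL/Git to `.agents/skills/`)" restates the `setup.toml` logic incompletely: it names only the workspace path and omits the `commit_sha` pin that `setup.toml` requires for `3p` skills, so an agent following this file alone could fetch a third-party skill from an unpinned ref. Suggest dropping the parenthetical and referring to the `setup.toml` section by number, or repeating the pin requirement here. The **Ask** step also leaves the answer format open ("yes/no or select specific"); spell out how a selection is entered, as the lettered options in `setup.toml` do. This step refers to `Detection Signals` while `setup.toml` calls the same field `detectSignals`; pick one name.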
6 changes: 6 additions & 0 deletions commands/conductor/review.toml
Expand Up @@ -63,6 +63,10 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai
- Read `product-guidelines.md` and `tech-stack.md`.
- **CRITICAL:** Check for the existence of `conductor/code_styleguides/` directory.
- If it exists, list and read ALL `.md` files within it. These are the **Law**. Violations here are **High** severity.
- **Check for Installed Skills:**
- Check for the existence of `.agents/skills/` (Workspace tier) and `~/.agents/extensions/conductor/skills/` (Extension tier).
- If either exists, list the subdirectories to identify installed skills across both paths.
- If relevant skills (e.g., `gcp-*`) are found, enable specialized feedback for those domains.
2. **Load Track Context (if reviewing a track):**
- Read the track's `plan.md`.
- **Extract Commits:** Parse `plan.md` to find recorded git commit hashes (usually in the "Completed" tasks or "History" section).
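Review bot: The new **Check for Installed Skills** bullet treats any subdirectory of `.agents/skills/` as an installed skill, but that is a relative, Workspace-tier path, so it is part of the workspace being reviewed and the change under review can add or alter what the reviewer loads. Suggest matching the directory names against `skills/catalog.md` before using them, and reporting any change under `.agents/skills/` in the diff as a finding. "Enable specialized feedback" should also say what to read from the skill directory and when a skill counts as relevant; the `gcp-*` example is the only criterion given.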
Expand Down Expand Up @@ -100,6 +104,8 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai
- Are there new tests?
- Do the changes look like they are covered by existing tests?
- *Action:* **Execute the test suite automatically.** Infer the test command based on the codebase languages and structure (e.g., `npm test`, `pytest`, `go test`). Run it. Analyze the output for failures.
5. **Skill-Specific Checks:**
- If specific skills are installed (e.g. GCP), verify compliance with their best practices.

### 2.4 Output Findings
**Format your output strictly as follows:**
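Review bot: Step 5, **Skill-Specific Checks**, gives no source for "their best practices" and no severity, unlike the style-guide step earlier in this file, which names the files to read and rates violations **High**. Suggest naming the file in each installed skill's directory that holds the rules, and stating how a violation is rated in the section 2.4 output.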
38 changes: 36 additions & 2 deletions commands/conductor/setup.toml
Expand Up @@ -38,7 +38,7 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai
| :--- | :--- | :--- |
| All files in `tracks/<track_id>/` (`spec`, `plan`, `metadata`, `index`) | **HALT** | "The project is already initialized. Use `/conductor:newTrack` or `/conductor:implement`." |
| `index.md` (top-level) | **Section 3.0** | "Resuming setup: Scaffolding is complete. Next: generate the first track. (Note: If an incomplete track folder was detected, we will restart this step to ensure a clean, consistent state)." |
| `workflow.md` | **Section 2.6** | "Resuming setup: Workflow is defined. Next: generate project index." |
| `workflow.md` | **Section 2.6** | "Resuming setup: Workflow is defined. Next: select Agent Skills." |
| `code_styleguides/` | **Section 2.5** | "Resuming setup: Guides/Tech Stack configured. Next: define project workflow." |
| `tech-stack.md` | **Section 2.4** | "Resuming setup: Tech Stack defined. Next: select Code Styleguides." |
| `product-guidelines.md` | **Section 2.3** | "Resuming setup: Guidelines are complete. Next: define the Technology Stack." |
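Review bot: The `workflow.md` row now resumes at section 2.6 (skill selection), but no row or artifact records that 2.6 finished, so a setup interrupted after skills were installed and before `index.md` exists re-enters 2.6 and recommends the same skills again. Section 2.6 as added in this PR has no already-installed check, whereas `newTrack.toml` has one ("Identify any relevant skills that are NOT yet installed"). Suggest adding that check to 2.6, or a resume row keyed on the installed skill directories.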
Expand Down Expand Up @@ -369,7 +369,41 @@ CRITICAL: You must validate the success of every tool call. If any tool call fai
4. **Action:** Update `conductor/workflow.md` based on all user answers from both steps.


### 2.6 Finalization
### 2.6 Select Skills (Interactive)
1. **Analyze and Recommend:**
- Read `skills/catalog.md` from the directory where the Conductor extension is installed (typically `~/.gemini/extensions/conductor/skills/catalog.md`).
- Detect applicable skills based on `detectSignals` matched against project files and `conductor/tech-stack.md`.
- Identify "Always Recommended" skills.
2. **Present Selection:**
- Present the list of recommended skills to the user, grouped by category (e.g., "Always Recommended", "GCP", etc.).
- Display the Skill Name and Description.
3. **Ask for Selection:**
- Ask the user: "How would you like to proceed?"
A) Install all recommended skills
B) Select specific skills (enter numbers separated by commas)
C) Skip skills installation
4. **Process Selection:**
- If (A): Install all recommended skills.
- If (B): Parse input and install selected skills.
- If (C): Proceed without installation.
5. **Installation Action:**
- For each selected skill:
- **Determine Installation Path:**
- If `alwaysRecommend` is true, set the path to `~/.agents/extensions/conductor/skills/<skill-name>/`.
- Otherwise, set the path to `.agents/skills/<skill-name>/`.
- Create directory at the determined path.
- **Determine Download Strategy:**
- If `party` is '1p':
- If `version` is provided, download that specific version.
- Otherwise, download the latest copy at the exact `url`.
- If `party` is '3p', MUST use the provided `commit_sha` to download the specific vetted commit.
- Download the content of the skill folder from the `url` specified in `catalog.md` (using the determined strategy) to the determined path.
- **CRITICAL:** If the URL is a file path, find the parent folder. If it is a Git URL, use `git clone` or `sparse-checkout` to get the folder.
- **Post-Installation Notification:**
- If any skills were installed, you MUST explicitly instruct the user: "Please run `/skills reload` to enable the installed skills."
6. **Continue:** Immediately proceed to the next section.

### 2.7 Finalization
1. **Generate Index File:**
- Create `conductor/index.md` with the following content:
```markdown
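Review bot: Under **Determine Download Strategy**, a `1p` skill with no `version` is downloaded as "the latest copy at the exact `url`", so its content is whatever the branch holds at install time; none of the `1p` catalog entries in this PR carry a version, which makes this the default path. Skill content is instructions the agent later acts on, so suggest pinning `1p` entries to a commit as well, or at least recording the resolved commit at install. For `3p`, state what happens when `commit_sha` is missing or the fetch at that commit fails (stop, with no fallback to the branch). `<skill-name>` becomes a path component under both install paths, one of them in the user's home directory, so restrict it to names that appear in the catalog.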
159 changes: 159 additions & 0 deletions skills/catalog.md
@@ -0,0 +1,159 @@
# Agent Skills Catalog

This catalog defines the curriculum of skills available to the Conductor extension.

## GCP OWASP Top 10 Skills
Skills focused on auditing and remediating OWASP Top 10 vulnerabilities on Google Cloud Platform.

### gcp-broken-access-control
- **Description**: Audit and remediate broken access control vulnerabilities
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-broken-access-control/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `*.tf`, `iam.tf`
- **Keywords**: `OWASP`, `Security`, `Cloud Asset Inventory`, `IAM`, `Load Balancing`

### gcp-cryptographic-failures
- **Description**: Audit and remediate cryptographic failures
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-cryptographic-failures/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `*.tf`
- **Dependencies**: `@google-cloud/kms`, `@google-cloud/secret-manager`, `google-cloud-kms`, `google-cloud-secret-manager`, `cloud.google.com/go/kms`
- **Keywords**: `OWASP`, `Security`, `KMS`, `Secret Manager`, `Cloud DLP`

### gcp-injection
- **Description**: Audit and remediate injection vulnerabilities
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-injection/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `app.yaml`, `Dockerfile`
- **Dependencies**: `pg`, `mysql`, `sqlite3`, `mssql`
- **Keywords**: `OWASP`, `Security`, `Web Security Scanner`, `Cloud Armor`, `SQLi`

### gcp-insecure-design
- **Description**: Audit and remediate insecure design flaws
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-insecure-design/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `*.tf`, `cloudbuild.yaml`
- **Keywords**: `OWASP`, `Security`, `Apigee`, `Cloud DLP`, `Security Command Center`

### gcp-security-misconfiguration
- **Description**: Audit and remediate security misconfigurations
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-security-misconfiguration/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `*.tf`, `app.yaml`, `cloudbuild.yaml`, `Dockerfile`
- **Keywords**: `OWASP`, `Security`, `VPC Firewall`, `Compute Engine`, `Hardening`

### gcp-vulnerable-components
- **Description**: Audit and remediate vulnerable and outdated components
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-vulnerable-components/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `build.gradle`, `Dockerfile`, `cloudbuild.yaml`
- **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `GKE`, `Container Analysis`

### gcp-auth-failures
- **Description**: Audit and remediate identification and authentication failures
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-auth-failures/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `*.tf`, `app.yaml`
- **Dependencies**: `firebase-admin`, `google-auth-library`, `google-cloud-identity`, `@google-cloud/iap`
- **Keywords**: `OWASP`, `Security`, `IAP`, `Identity-Aware Proxy`, `Cloud Armor`, `Identity Platform`

### gcp-integrity-failures
- **Description**: Audit and remediate software and data integrity failures
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-integrity-failures/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `cloudbuild.yaml`, `Dockerfile`, `binauthz.yaml`
- **Keywords**: `OWASP`, `Security`, `Artifact Registry`, `Cloud Build`, `Binary Authorization`

### gcp-logging-monitoring-failures
- **Description**: Audit and remediate logging and monitoring failures
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-logging-monitoring-failures/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `*.tf`
- **Dependencies**: `@google-cloud/logging`, `@google-cloud/monitoring`, `google-cloud-logging`, `cloud.google.com/go/logging`
- **Keywords**: `OWASP`, `Security`, `Cloud Logging`, `Cloud Monitoring`, `Audit Logs`

### gcp-ssrf
- **Description**: Audit and remediate server-side request forgery (SSRF)
- **URL**: https://raw.githubusercontent.com/hminooei/gcp-owasp-top10-skills/main/skills/gcp-ssrf/
- **Party**: 3p
- **Commit SHA**: 38789fb168ca741b9cc907e9f156405f9cb6c9df
- **Detection Signals**:
- **Files**: `*.tf`, `app.yaml`
- **Keywords**: `OWASP`, `Security`, `VPC Service Controls`, `Access Context Manager`, `Egress`

## Firebase Skills
Skills focused on setting up, managing, and using various Firebase services.

### firebase-ai-logic-basics
- **Description**: Official skill for integrating Firebase AI Logic (Gemini API) into web applications. Covers setup, multimodal inference, structured output, and security.
- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-ai-logic-basics/
- **Party**: 1p
- **Detection Signals**:
- **Dependencies**: `firebase`, `firebase-admin`
- **Keywords**: `Firebase`, `AI Logic`, `Gemini API`, `GenAI`

### firebase-app-hosting-basics
- **Description**: Deploy and manage web apps with Firebase App Hosting. Use this skill when deploying Next.js/Angular apps with backends.
- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-app-hosting-basics/
- **Party**: 1p
- **Detection Signals**:
- **Dependencies**: `firebase`, `firebase-admin`
- **Keywords**: `Firebase App Hosting`, `Next.js`, `Angular`

### firebase-auth-basics
- **Description**: Guide for setting up and using Firebase Authentication. Use this skill when the user's app requires user sign-in, user management, or secure data access using auth rules.
- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-auth-basics/
- **Party**: 1p
- **Detection Signals**:
- **Dependencies**: `firebase`, `firebase-admin`
- **Keywords**: `Firebase Authentication`, `Auth`, `Sign-in`

### firebase-basics
- **Description**: Guide for setting up and using Firebase. Use this skill when the user is getting started with Firebase - setting up local environment, using Firebase for the first time, or adding Firebase to their app.
- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-basics/
- **Party**: 1p
- **Detection Signals**:
- **Dependencies**: `firebase`, `firebase-admin`
- **Keywords**: `Firebase`, `Setup`

### firebase-data-connect-basics
- **Description**: Build and deploy Firebase Data Connect backends with PostgreSQL. Use for schema design, GraphQL queries/mutations, authorization, and SDK generation for web, Android, iOS, and Flutter apps.
- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-data-connect-basics/
- **Party**: 1p
- **Detection Signals**:
- **Dependencies**: `firebase`, `firebase-admin`
- **Keywords**: `Firebase Data Connect`, `PostgreSQL`, `GraphQL`

### firebase-firestore-basics
- **Description**: Comprehensive guide for Firestore basics including provisioning, security rules, and SDK usage. Use this skill when the user needs help setting up Firestore, writing security rules, or using the Firestore SDK in their application.
- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-firestore-basics/
- **Party**: 1p
- **Detection Signals**:
- **Dependencies**: `firebase`, `firebase-admin`
- **Keywords**: `Firestore`, `Database`, `Security Rules`

### firebase-hosting-basics
- **Description**: Skill for working with Firebase Hosting (Classic). Use this when you want to deploy static web apps, Single Page Apps (SPAs), or simple microservices. Do NOT use for Firebase App Hosting.
- **URL**: https://raw.githubusercontent.com/firebase/agent-skills/main/skills/firebase-hosting-basics/
- **Party**: 1p
- **Detection Signals**:
- **Dependencies**: `firebase`, `firebase-admin`
- **Keywords**: `Firebase Hosting`, `Static Hosting`
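Review bot: Every `3p` entry gives a **Commit SHA**, but its **URL** embeds `main` (`.../gcp-owasp-top10-skills/main/skills/...`), so the pin and the URL name different refs and nothing says the SHA replaces `main` in the path. Suggest putting the SHA in the URL, or storing repository, path and ref as separate fields. The URLs also end at a directory, and `raw.githubusercontent.com` serves individual files rather than directory listings, so the installer needs a repository URL it can clone or sparse-checkout. Field names here (`Detection Signals`, `Party`, `Commit SHA`) differ from the ones `setup.toml` reads (`detectSignals`, `party`, `commit_sha`), and no entry carries the `alwaysRecommend` or `version` fields that file branches on.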