
apache

Organization

Agent-assisted maintainership and development framework for Apache projects — Triage and Drafting (agent-authored fixes with human review); Mentoring, Pairing (developer-side dev-cycle), and Auto-merge on the roadmap.

73 indexed · 0 Featured · 20 stars · avg score 80
Prolific

Categories

Indexed Skills (73)

AI & Automation Listed

setup-steward

Transition migration shim for pre-Magpie (apache-steward) adopters. This is the ONLY framework artefact that still carries the legacy `steward` name, and it exists for exactly one purpose: to migrate a repo that adopted the framework before it was renamed to Apache Magpie over to the new `magpie-` layout, then delete itself. Sub-actions: `/setup-steward upgrade` — run the one-time pre-Magpie migration (the only supported sub-action)

20 Updated today
apache
AI & Automation Listed

magpie-audit-finding-fix

For a batch of findings from a non-security audit tool (`<audit-tool>` — ruff / flake8 / mypy / pylint / CodeQL / Apache Verum / Apache Caer / equivalent; full list in the body) against `<upstream>`, draft the smallest fix for each finding. Re-runs the tool after each batch to confirm the findings are cleared. Produces a commit and a hand-back artefact; never opens a PR on autopilot or merges.

20 Updated today
apache
AI & Automation Listed

magpie-committer-onboarding

Post-vote committer and PMC onboarding for Apache projects. Walks the nominator through every step from ICLA check to welcome announcement for both incubating podlings and graduated top-level projects.

20 Updated today
apache
Code & Development Listed

magpie-contributor-activity-sweep

Read-only GitHub activity card for a named contributor on <upstream>. Fetches PR authorship, code-review activity, issues, and PR/issue comments over a configurable window. Limited to GitHub-visible activity — the body documents the off-GitHub tracks the nominator must supply separately. No readiness verdict is produced; use contributor-nomination for a full nomination brief.

20 Updated today
apache
AI & Automation Listed

magpie-contributor-nomination

Read-only nomination brief for a named GitHub contributor on <upstream>. Aggregates GitHub activity across all contribution tracks plus maintainer-supplied off-GitHub signal, and flags vendor-neutrality context — the evidence a PMC needs to open a committer or PMC nomination thread.

20 Updated today
apache
AI & Automation Listed

magpie-good-first-issue-author

Draft a single net-new *good first issue* on the configured `<upstream>` repo from one supplied candidate such as a known gap or a small maintainer-named task. The skill first runs a suitability gate to confirm the candidate is small and newcomer-safe. If it passes the skill drafts one issue. The draft carries scope, code pointers, contributing-doc links, acceptance criteria, and an effort estimate. A readiness checklist gates the draft before it is shown. Nothing is filed via `gh` until the maintainer explicitly confirms. The skill never curates or relabels the existing backlog.

20 Updated today
apache
AI & Automation Listed

magpie-issue-fix-workflow

For a single triaged `<issue-tracker>` issue confirmed as a bug or feature, draft a fix against `<upstream>` on `<default-branch>`. Produces the failing test, the smallest production change, the targeted+module test runs, and the commit. The PR is NOT opened on autopilot; the human committer reviews, signs, and pushes. Hand-back artefact summarises branch, commits, test results, and scope.

20 Updated today
apache
Data & Documents Listed

magpie-issue-reassess-stats

Read-only dashboard over a directory of `verdict.json` files produced by `issue-reassess` campaigns. Surfaces a health rating, classification distribution, partial-fix surfaces, oldest-unresolved buckets, and per-component breakdowns. Output is HTML by default; markdown fallback available. Read-only on tracker state; consumes campaign artefacts.

20 Updated today
apache
Data & Documents Listed

magpie-issue-reassess

Sweep a configured pool of resolved or end-of-life `<issue-tracker>` issues and re-assess each against the current `<default-branch>`. Per-issue: invoke `issue-reproducer` to extract and run the reporter's code, classify the runtime outcome, attach a nature analysis, compose a `verdict.json`. Hand-back-on-completion contract: no comments posted, no transitions, no closures.

20 Updated today
apache
Data & Documents Listed

magpie-issue-reproducer

For a single `<issue-tracker>` issue identifying a code-level bug, extract the reporter's example code from the issue body, adapt it to run on the current `<default-branch>`, execute via `<runtime>`, and compose a `verdict.json` describing the observed behaviour vs the expected failure. Read-only on the tracker — produces evidence, never posts. Invoked by `issue-triage` and `issue-reassess`; can also be run standalone.

20 Updated today
apache
AI & Automation Listed

magpie-issue-triage

For each open `<issue-tracker>` issue in the configured candidate pool, read the issue body and comments and classify the candidate disposition. On user confirmation, posts a triage-proposal comment that invites the project team to react. Read-only on tracker state — no workflow transitions, closures, or label changes. Six classes in the body.

20 Updated today
apache
AI & Automation Listed

magpie-list-skills

Print a human-readable index of every skill in this repository, grouped by family prefix (`pr-management`, `security`, `setup`, …) with each skill's name and the first sentence of its `description`. The listing is generated on every run from the live `.claude/skills/*/SKILL.md` files, so it never goes stale when skills are added, removed, or rewritten.

20 Updated today
apache
AI & Automation Listed

magpie-optimize-skill

Optimize an existing framework skill (or sweep a set of them) by applying the restructuring patterns proven on the security-skill suite: split an oversized `SKILL.md` into linked sibling docs, lift concrete/project-specific values out of the body into `<project-config>` placeholders, replace in-agent-context body reads with out-of-context tool calls, batch per-item fetches into a single upfront pass, and add a deterministic pre-flight no-op classifier ahead of LLM passes. Every change is a behavior-preserving proposal the maintainer signs off on; the skill validator must stay green before and after. The refactoring sibling of `write-skill` (which authors net-new skills).

20 Updated today
apache
AI & Automation Listed

magpie-pairing-multi-agent-review

Fan a local diff through three independent, axis-focused review passes (correctness, security, conventions), then merge the findings into a single structured report. Each pass is isolated so findings from one axis cannot suppress or bias the others. The merged report uses the same format as pairing-self-review so the developer gets a consistent signal regardless of which Pairing skill they invoke.

20 Updated today
apache
Code & Development Listed

magpie-pairing-self-review

Run a structured pre-flight self-review on local changes before opening a PR. Reads the diff against a configurable base (default: the merge base of HEAD and the upstream default branch), checks correctness, security, and project conventions, and returns a structured report to the developer. No state changes, no PR, no external writes — the report is the output.

20 Updated today
apache
Code & Development Listed

magpie-pr-management-code-review

Walk a maintainer through deep, sequential code review of open pull requests on the configured `<upstream>` repo. Defaults to the **"my reviews"** queue (the union of five maintainer signals — see the Inputs table); selectors can narrow to a single PR, an area label, or a collaborator subset. Drafts an `approve` / `request-changes` / `comment` review per PR and posts on the maintainer's confirmation.

20 Updated today
apache
AI & Automation Listed

magpie-pr-management-mentor

Draft a teaching-register comment on a single GitHub issue or PR thread on the configured `<upstream>` repo, aimed at a contributor who is missing repo context the maintainer would otherwise have to spell out. The skill reads the thread, decides whether a mentoring intervention is warranted, drafts one comment per the project's tone guide and convention pointers, and waits for explicit maintainer confirmation before posting via `gh`. Escalates to the configured maintainer team on the four hand-off triggers.

20 Updated today
apache
Code & Development Listed

magpie-pr-management-quick-merge

Identify trivial, low-risk pull requests in the `ready for maintainer review` queue of <upstream> that pass every quality gate and touch only supplementary areas (docs, changelog, translations, tests) — the "express lane" a maintainer can review and merge in seconds. Surfaces and ranks candidates with per-PR diff summaries, an all-gates-green attestation, and the exact merge command. On the maintainer's explicit per-PR confirmation it can submit an APPROVE review (the maintainer's own review of the trivial diff — useful when the PR has no approvals yet and branch protection needs one), exactly as pr-management-code-review does. It never merges itself — automated merge is the framework's deliberately-deferred Mode D; the maintainer runs the printed merge command in their own session.

20 Updated today
apache
AI & Automation Listed

magpie-pr-management-stats

Read-only maintainer dashboard for the open-PR backlog of <upstream>. Surfaces a health rating, prioritised action recommendations, weekly closure velocity trends, area pressure ranking, and a triage-funnel breakdown — with the underlying area-grouped tables as a collapsible details section.

20 Updated today
apache
AI & Automation Listed

magpie-pr-management-triage

Sweep open pull requests on the configured `<upstream>` repo, classify each one against the project's quality criteria, propose a disposition, and — on the maintainer's confirmation — carry out the action via `gh`. Disposition options per PR: draft / comment / close / rebase / CI-rerun / workflow-approve / ping-stale-reviewer / request author confirmation of readiness / mark `ready for maintainer review` / promote bot-authored draft. Does **not** perform code review — that lives in `pr-management-code-review`.

20 Updated today
apache
AI & Automation Listed

magpie-security-cve-allocate

Walk a security team member through allocating a CVE for an `<tracker>` tracking issue (governance-gated per `governance.cve_allocation_gate`). Prints the configured `<cve-tool>` allocation URL, waits for the allocated CVE ID, then updates the tracker in place. Tracker updates: CVE tool link field, cve allocated label, status-change comment, CVE JSON. Chains into `security-issue-sync` afterwards to reconcile the rest of the tracker.

20 Updated today
apache
AI & Automation Listed

magpie-security-issue-deduplicate

Merge two <tracker> tracking issues that describe the same root-cause vulnerability, preserving every reporter's credit, every mailing-list thread reference, and every independent attack-vector description. Updates the kept issue's body in place, closes the duplicate with the `duplicate` label, and regenerates the CVE JSON attachment so both finders land in `credits[]`.

20 Updated today
apache
AI & Automation Listed

magpie-security-issue-fix

Attempt to fix a security issue tracked in `<tracker>` by implementing the change in a public `<upstream>` PR. Runs `security-issue-sync` first to reconcile the issue's state, proposes an implementation plan, and on explicit user confirmation writes the change, opens a PR from the user's fork, and updates the `<tracker>` tracking issue. Public PR content is scrubbed so it does **not** reveal the CVE, the security nature of the change, or any link back to `<tracker>`.

20 Updated today
apache
Data & Documents Listed

magpie-security-issue-import-from-md

Open one or more `<tracker>` tracking issues from a markdown file containing a batch of security findings. Each finding becomes one tracker landing in the `Needs triage` board column. The file itself is the full report — there is no inbound reporter to reply to and no PR to inspect.

20 Updated today
apache
AI & Automation Listed

magpie-security-issue-import-from-pr

Open a tracking issue in <tracker> for a security-relevant fix that has already been opened (or merged) as a public PR in <upstream>, in the case where there is no inbound `<security-list>` report. The tracker lands in the `Assessed` board column with the scope label applied, `pr created` / `pr merged` reflecting the PR's state, and `Remediation developer` / `PR with the fix` body fields populated from the PR. Pairs with `security-cve-allocate` afterwards.

20 Updated today
apache
Data & Documents Listed

magpie-security-issue-import-via-forwarder

Optional sub-skill of `security-issue-import`, `security-issue-invalidate`, and `security-issue-sync` that handles the *relay/forwarder* case: a report that did not arrive directly from the reporter but was relayed onto `<security-list>` by an upstream broker (the ASF security team, a third-party disclosure platform, or an internal SOC). Runs after the parent skill's generic classification cascade, dispatches through adapters declared in `forwarders.enabled` per `tools/forwarder-relay/README.md`, applies the matched adapter's preamble-detect + credit-extract + reporter-addressing rules, and hands the routing decision back. Never mutates tracker state on its own.

20 Updated today
apache
Data & Documents Listed

magpie-security-issue-import

Scan <security-list> for reports that have not yet been copied into <tracker> as tracking issues, present the proposed imports to the user, and — defaulting to *import unless the user rejects upfront* — create the tracking issues with the `Needs triage` project-board status and draft a receipt-of-confirmation reply to each reporter. This is the first step of the handling process: the entry point that converts an inbound email thread into a tracker the rest of the skills (security-issue-sync, security-issue-fix, generate-cve-json) operate on.

20 Updated today
apache
AI & Automation Listed

magpie-security-issue-invalidate

Close an `<tracker>` tracking issue as invalid: apply the `invalid` label, remove the scope label, post a short closing comment, archive the item from the project board, and — for trackers imported from `<security-list>` — draft a polite-but-firm reply to the reporter on the original Gmail thread explaining the team's reasoning (extracted from the tracker's discussion). For trackers opened via `security-issue-import-from-pr`, the email-draft step is skipped per the *no outreach to the PR author* rule of that skill.

20 Updated today
apache
AI & Automation Listed

magpie-security-issue-sync

Synchronize a security issue in <tracker> with the state of its GitHub discussion, the <security-list> mailing thread, and any <upstream> PRs that fix it. The skill gathers all relevant signals and proposes label / milestone / assignee / field / draft-email updates — applying only what the user has explicitly confirmed. Suggests the next step in the handling process and prints the CVE allocation link when a CVE is needed.

20 Updated today
apache
AI & Automation Listed

magpie-security-issue-triage

For each open `<tracker>` issue carrying the `needs triage` label, read body + comments and classify the candidate disposition into one of six classes: VALID / DEFENSE-IN-DEPTH / INFO-ONLY / INVALID / PROBABLE-DUP / FIX-ALREADY-PUBLIC. On user confirmation, posts a triage-proposal comment that invites the security team to react. Read-only on tracker state — no label flips, closes, or CVE allocations. Supports `--retriage` for re-litigating passed-triage decisions when substantive new activity lands.

20 Updated today
apache
AI & Automation Listed

magpie-security-tracker-stats-dashboard

Generate a self-contained HTML dashboard of `<tracker>` repository statistics for security-team review.

20 Updated today
apache
AI & Automation Listed

magpie-setup-isolated-setup-doctor

Probe the secure-agent setup for in-session functional restrictions that block legitimate workflows. Three live probes — SSH agent / Yubikey reachability, localhost port binding, docker / podman runtime socket — each pointing the user at the matching numbered troubleshooting entry and its settings.json remediation (see body). Read-only — never modifies settings.json, never invokes the sandbox bypass.

20 Updated today
apache
AI & Automation Listed

magpie-setup-isolated-setup-install

Guide an adopter through the first-time install of the framework's secure agent setup (bubblewrap + socat + claude-code, sandbox/permissions/clean-env layers). Walks every step interactively; never auto-runs sudo, shell-rc edits, or settings overwrites.

20 Updated today
apache
AI & Automation Listed

magpie-setup-isolated-setup-update

Surface drift between the user's installed secure agent setup and the framework's latest (framework checkout, pinned tools, user-scope script copies, denial commands, comdev MCP checkouts). Read-only — surfaces candidates and diffs, never auto-applies. The user decides what to update.

20 Updated today
apache
Data & Documents Listed

magpie-setup-isolated-setup-verify

Walk the verification checklist for the framework's secure agent setup and report ✓ done / ✗ missing / ⚠ partial for each check, with concrete evidence (file paths, command output, version strings). Covers nine checks across settings wiring, installed tool versions, and sandbox configuration. Read-only — never modifies anything.

20 Updated today
apache
AI & Automation Listed

magpie-setup-override-upstream

Walk an adopter through promoting a local `.apache-magpie-overrides/<skill>.md` file into a PR against `apache/airflow-steward`. After the PR merges and the adopter runs `/magpie-setup upgrade`, the override file is no longer needed and the skill prompts for its removal.

20 Updated today
apache
Code & Development Listed

magpie-setup-shared-config-sync

Commit + push the user's shared Claude config to the `~/.claude-config` private dotfile-style sync repo. Inspects for uncommitted local edits and unpushed commits, drafts a commit message, and after explicit approval commits and pushes. Runs `git pull --rebase` first if the local checkout is behind, so a push never overwrites concurrent work from another machine. Never force-pushes; never rewrites already-pushed history; never modifies files outside `~/.claude-config/`.

20 Updated today
apache
AI & Automation Listed

magpie-setup

Adopt and maintain the apache-steward framework in a project repo via the snapshot-based adoption mechanism. The only framework skill committed in an adopter's repo; every other skill is a symlink the adopt sub-action wires up. Sub-actions:
`/magpie-setup` - first-time adoption (default; main-checkout only)
`/magpie-setup upgrade` - refresh the gitignored snapshot per the committed lock (main-checkout only)
`/magpie-setup worktree-init` - symlink a worktree's snapshot to the main's
`/magpie-setup verify` - health check + drift detection
`/magpie-setup override <skill>` - open or scaffold an agentic override in `.apache-magpie-overrides/`
`/magpie-setup unadopt` - reverse the adoption (snapshot, locks, symlinks, hook, doc sections); preserves `.apache-magpie-overrides/` by default (main-checkout only)

20 Updated today
apache
AI & Automation Listed

magpie-write-skill

Author a new skill for the Apache Steward framework, or update an existing one. Walks the user through the framework's skill shape (frontmatter, resources, placeholder convention, prompt-injection defences, Privacy-LLM gate-check) and validates via the framework's existing [`tools/skill-and-tool-validator`](../../tools/skill-and-tool-validator/). Scaffolds new skills via `init_skill.py`.

20 Updated today
apache
AI & Automation Listed

magpie-ci-runner-audit

Read-only audit of GitHub Actions workflow runner compatibility for one repository, an explicit repository set, one Apache project with multiple repositories, or the full Apache GitHub org. Finds obsolete GitHub-hosted runner labels and macOS runner/tool architecture mismatches. Produces TSV evidence files; never edits workflows, opens PRs, or posts comments.

20 Updated today
apache
AI & Automation Listed

magpie-setup-status

Show how the apache-magpie framework is adopted in the current repo, then adjust that setup in place. Renders a Markdown adoption dashboard: install method and pin, drift, the wired agent targets, the installed skill families, and symlink health. From the same view the user can add or drop agent targets and skill families; the actual change runs through the setup skill.

20 Updated today
apache
AI & Automation Listed

contributor-nomination

Read-only nomination brief for a named GitHub contributor on <upstream>. Aggregates GitHub activity across all contribution tracks plus maintainer-supplied off-GitHub signal, and flags vendor-neutrality context — the evidence a PMC needs to open a committer or PMC nomination thread.

20 Updated today
apache
AI & Automation Listed

issue-fix-workflow

For a single triaged `<issue-tracker>` issue confirmed as a bug or feature, draft a fix against `<upstream>` on `<default-branch>`. Produces the failing test, the smallest production change, the targeted+module test runs, and the commit. The PR is NOT opened on autopilot; the human committer reviews, signs, and pushes. Hand-back artefact summarises branch, commits, test results, and scope.

20 Updated today
apache
Data & Documents Listed

issue-reassess

Sweep a configured pool of resolved or end-of-life `<issue-tracker>` issues and re-assess each against the current `<default-branch>`. Per-issue: invoke `issue-reproducer` to extract and run the reporter's code, classify the runtime outcome, attach a nature analysis, compose a `verdict.json`. Hand-back-on-completion contract: no comments posted, no transitions, no closures.

20 Updated today
apache
AI & Automation Listed

issue-triage

For each open `<issue-tracker>` issue in the configured candidate pool, read the issue body and comments and classify the candidate disposition. On user confirmation, posts a triage-proposal comment that invites the project team to react. Read-only on tracker state — no workflow transitions, closures, or label changes. Six classes in the body.

20 Updated today
apache
Code & Development Listed

pr-management-code-review

Walk a maintainer through deep, sequential code review of open pull requests on the configured `<upstream>` repo. Defaults to the **"my reviews"** queue (the union of five maintainer signals — see the Inputs table); selectors can narrow to a single PR, an area label, or a collaborator subset. Drafts an `approve` / `request-changes` / `comment` review per PR and posts on the maintainer's confirmation.

20 Updated today
apache
AI & Automation Listed

pr-management-mentor

Draft a teaching-register comment on a single GitHub issue or PR thread on the configured `<upstream>` repo, aimed at a contributor who is missing repo context the maintainer would otherwise have to spell out. The skill reads the thread, decides whether a mentoring intervention is warranted, drafts one comment per the project's tone guide and convention pointers, and waits for explicit maintainer confirmation before posting via `gh`. Escalates to the configured maintainer team on the four hand-off triggers.

20 Updated today
apache
AI & Automation Listed

pr-management-stats

Read-only maintainer dashboard for the open-PR backlog of <upstream>. Surfaces a health rating, prioritised action recommendations, weekly closure velocity trends, area pressure ranking, and a triage-funnel breakdown — with the underlying area-grouped tables as a collapsible details section.

20 Updated today
apache
AI & Automation Listed

pr-management-triage

Sweep open pull requests on the configured `<upstream>` repo, classify each one against the project's quality criteria, propose a disposition, and — on the maintainer's confirmation — carry out the action via `gh`. Disposition options per PR: draft / comment / close / rebase / CI-rerun / workflow-approve / ping-stale-reviewer / request author confirmation of readiness / mark `ready for maintainer review` / promote bot-authored draft. Does **not** perform code review — that lives in `pr-management-code-review`.

20 Updated today
apache
AI & Automation Listed

security-cve-allocate

Walk a security team member through allocating a CVE for an `<tracker>` tracking issue (governance-gated per `governance.cve_allocation_gate`). Prints the configured `<cve-tool>` allocation URL, waits for the allocated CVE ID, then updates the tracker in place. Tracker updates: CVE tool link field, cve allocated label, status-change comment, CVE JSON. Chains into `security-issue-sync` afterwards to reconcile the rest of the tracker.

20 Updated today
apache
AI & Automation Listed

security-issue-deduplicate

Merge two <tracker> tracking issues that describe the same root-cause vulnerability, preserving every reporter's credit, every mailing-list thread reference, and every independent attack-vector description. Updates the kept issue's body in place, closes the duplicate with the `duplicate` label, and regenerates the CVE JSON attachment so both finders land in `credits[]`.

20 Updated today
apache
AI & Automation Listed

security-issue-fix

Attempt to fix a security issue tracked in `<tracker>` by implementing the change in a public `<upstream>` PR. Runs `security-issue-sync` first to reconcile the issue's state, proposes an implementation plan, and on explicit user confirmation writes the change, opens a PR from the user's fork, and updates the `<tracker>` tracking issue. Public PR content is scrubbed so it does **not** reveal the CVE, the security nature of the change, or any link back to `<tracker>`.

20 Updated today
apache
Data & Documents Listed

security-issue-import-from-md

Open one or more `<tracker>` tracking issues from a markdown file containing a batch of security findings. Each finding becomes one tracker landing in the `Needs triage` board column. The file itself is the full report — there is no inbound reporter to reply to and no PR to inspect.

20 Updated today
apache
AI & Automation Listed

security-issue-import-from-pr

Open a tracking issue in <tracker> for a security-relevant fix that has already been opened (or merged) as a public PR in <upstream>, in the case where there is no inbound `<security-list>` report. The tracker lands in the `Assessed` board column with the scope label applied, `pr created` / `pr merged` reflecting the PR's state, and `Remediation developer` / `PR with the fix` body fields populated from the PR. Pairs with `security-cve-allocate` afterwards.

20 Updated today
apache
Data & Documents Listed

security-issue-import

Scan <security-list> for reports that have not yet been copied into <tracker> as tracking issues, present the proposed imports to the user, and — defaulting to *import unless the user rejects upfront* — create the tracking issues with the `Needs triage` project-board status and draft a receipt-of-confirmation reply to each reporter. This is the first step of the handling process: the entry point that converts an inbound email thread into a tracker the rest of the skills (security-issue-sync, security-issue-fix, generate-cve-json) operate on.

20 Updated today
apache
AI & Automation Listed

security-issue-invalidate

Close an `<tracker>` tracking issue as invalid: apply the `invalid` label, remove the scope label, post a short closing comment, archive the item from the project board, and — for trackers imported from `<security-list>` — draft a polite-but-firm reply to the reporter on the original Gmail thread explaining the team's reasoning (extracted from the tracker's discussion). For trackers opened via `security-issue-import-from-pr`, the email-draft step is skipped per the *no outreach to the PR author* rule of that skill.

20 Updated today
apache
AI & Automation Listed

security-issue-sync

Synchronize a security issue in <tracker> with the state of its GitHub discussion, the <security-list> mailing thread, and any <upstream> PRs that fix it. The skill gathers all relevant signals and proposes label / milestone / assignee / field / draft-email updates — applying only what the user has explicitly confirmed. Suggests the next step in the handling process and prints the CVE allocation link when a CVE is needed.

20 Updated today
apache
AI & Automation Listed

security-issue-triage

For each open `<tracker>` issue carrying the `needs triage` label, read body + comments and classify the candidate disposition into one of six classes: VALID / DEFENSE-IN-DEPTH / INFO-ONLY / INVALID / PROBABLE-DUP / FIX-ALREADY-PUBLIC. On user confirmation, posts a triage-proposal comment that invites the security team to react. Read-only on tracker state — no label flips, closes, or CVE allocations. Supports `--retriage` for re-litigating passed-triage decisions when substantive new activity lands.

20 Updated today
apache
AI & Automation Listed

setup-override-upstream

Walk an adopter through promoting a local `.apache-steward-overrides/<skill>.md` file into a PR against `apache/airflow-steward`. After the PR merges and the adopter runs `/setup-steward upgrade`, the override file is no longer needed and the skill prompts for its removal.

20 Updated today
apache
Code & Development Listed

pairing-self-review

Run a structured pre-flight self-review on local changes before opening a PR. Reads the diff against a configurable base (default: the merge base of HEAD and the upstream default branch), checks correctness, security, and project conventions, and returns a structured report to the developer. No state changes, no PR, no external writes — the report is the output.

20 Updated today
apache
Data & Documents Listed

issue-reassess-stats

Read-only dashboard over a directory of `verdict.json` files produced by `issue-reassess` campaigns. Surfaces a health rating, classification distribution, partial-fix surfaces, oldest-unresolved buckets, and per-component breakdowns. Output is HTML by default; markdown fallback available. Read-only on tracker state; consumes campaign artefacts.

20 Updated today
apache
Data & Documents Listed

issue-reproducer

For a single `<issue-tracker>` issue identifying a code-level bug, extract the reporter's example code from the issue body, adapt it to run on the current `<default-branch>`, execute via `<runtime>`, and compose a `verdict.json` describing the observed behaviour vs the expected failure. Read-only on the tracker — produces evidence, never posts. Invoked by `issue-triage` and `issue-reassess`; can also be run standalone.

20 Updated today
apache
AI & Automation Listed

list-steward-skills

Print a human-readable index of every skill in this repository, grouped by family prefix (`pr-management`, `security`, `setup`, …) with each skill's name and the first sentence of its `description`. The listing is generated on every run from the live `.claude/skills/*/SKILL.md` files, so it never goes stale when skills are added, removed, or rewritten.

20 Updated today
apache
AI & Automation Listed

security-tracker-stats-dashboard

Generate a self-contained HTML dashboard of `<tracker>` repository statistics for security-team review.

20 Updated today
apache
AI & Automation Listed

setup-isolated-setup-doctor

Probe the secure-agent setup for in-session functional restrictions that block legitimate workflows. Three live probes — SSH agent / Yubikey reachability, localhost port binding, docker / podman runtime socket — each mapped to a numbered entry in `docs/setup/sandbox-troubleshooting.md` with the matching settings.json remediation. Read-only — never modifies settings.json, never invokes the sandbox bypass.

20 Updated today
apache
AI & Automation Listed

setup-isolated-setup-install

Guide an adopter through the first-time install of the framework's secure agent setup (bubblewrap + socat + claude-code, sandbox/permissions/clean-env layers). Walks every step interactively; never auto-runs sudo, shell-rc edits, or settings overwrites.

20 Updated today
apache
AI & Automation Listed

setup-isolated-setup-update

Surface drift between the user's installed secure agent setup and the framework's latest (framework checkout, pinned tools, user-scope script copies, denial commands, comdev MCP checkouts). Read-only — surfaces candidates and diffs, never auto-applies. The user decides what to update.

20 Updated today
apache
AI & Automation Listed

setup-isolated-setup-verify

Walk the verification checklist for the framework's secure agent setup and report ✓ done / ✗ missing / ⚠ partial for each check, with concrete evidence (file paths, command output, version strings). Coverage: settings.json wiring, claude-iso sourced, pinned tool versions, denial commands, and the comdev MCP checkout (on `main`, current). Read-only — never modifies anything.

20 Updated today
apache
Code & Development Listed

setup-shared-config-sync

Commit + push the user's shared Claude config to the `~/.claude-config` private dotfile-style sync repo. Inspects for uncommitted local edits and unpushed commits, drafts a commit message, and after explicit approval commits and pushes. Runs `git pull --rebase` first if the local checkout is behind, so a push never overwrites concurrent work from another machine. Never force-pushes; never rewrites already-pushed history; never modifies files outside `~/.claude-config/`.

20 Updated today
apache
AI & Automation Listed

write-skill

Author a new skill for the Apache Steward framework, or update an existing one. Walks the user through the framework's skill shape (frontmatter, resources, placeholder convention, prompt-injection defences, Privacy-LLM gate-check) and validates via the framework's existing [`tools/skill-and-tool-validator`](../../../tools/skill-and-tool-validator/). Scaffolds new skills via `init_skill.py`.

20 Updated today
apache
AI & Automation Listed

good-first-issue-author

Draft a single net-new *good first issue* on the configured `<upstream>` repo from one supplied candidate such as a known gap or a small maintainer-named task. The skill first runs a suitability gate to confirm the candidate is small and newcomer-safe. If it passes, the skill drafts one issue. The draft carries scope, code pointers, contributing-doc links, acceptance criteria, and an effort estimate. A readiness checklist gates the draft before it is shown. Nothing is filed via `gh` until the maintainer explicitly confirms. The skill never curates or relabels the existing backlog.

20 Updated today
apache
Data & Documents Listed

security-issue-import-via-forwarder

Optional sub-skill of `security-issue-import`, `security-issue-invalidate`, and `security-issue-sync` that handles the *relay/forwarder* case: a report that did not arrive directly from the reporter but was relayed onto `<security-list>` by an upstream broker (ASF security team, huntr.com, HackerOne, GHSA, internal SOC). Runs after the parent skill's generic classification cascade, dispatches through adapters declared in `forwarders.enabled` per `tools/forwarder-relay/README.md`, applies the matched adapter's preamble-detect + credit-extract + reporter-addressing rules, and hands the routing decision back. Never mutates tracker state on its own.

20 Updated today
apache
Data & Documents Listed

generate-cve-json

Generate a CVE 5.x JSON document from an <tracker> tracking issue, ready to paste into the Vulnogram `#source` tab of the ASF CVE tool at https://cveprocess.apache.org/cve5/<CVE-ID>#source. The conversion is deterministic: same issue in, same JSON bytes out. Handles multiple credits (one per line) and multiple references (URLs extracted from the issue's "Public advisory URL" and "PR with the fix" fields; the "Security mailing list thread" field is treated as internal-only and never exported).

20 Updated today
apache

Bio shown is the top-scored skill's repo description as a fallback — real GitHub bios land in a future update.