Table of Contents generated with DocToc
Trusted external skill sources
A skill source is a repository — other than apache/magpie — that
ships Magpie-shaped skills (and their evals and tests). This page defines
how an adopter pulls a skill or whole skill-family from such a source and
wires it in so it behaves exactly like an in-tree skill: same
magpie--prefixed symlink relay, same override layer, same eval binding.
Per PRINCIPLES.md §13,
installation is permitted only from a trusted source — one the
adopter has explicitly vouched for by committing its pin (method + URL +
ref + verification anchor) to the repo. A trusted install obeys the same
snapshot-plus-pin discipline the framework uses for itself: a gitignored
snapshot, a committed lock, a verified and deliberate fetch by the one
setup skill — never a git submodule, and
never an unpinned or unverified auto-fetch. The full rationale and threat
model are in RFC-AI-0006.
The trust model — three layers
Trust is layered so an organization can curate candidate sources while the adopter keeps the final say. Nothing is fetched until the adopter opts in.
| Layer | File | Home | Role |
|---|---|---|---|
| Discovery | registry.md |
in-tree | The framework’s index of known sources — curated and community. Editorial only; lists a source, never installs it. |
| Org-curated | organizations/<org>/skill-sources.md |
in-tree (or adopter-local org override) | An organization vouches for a set of sources its projects may draw from. Inherited by naming organization: <org>. Still not an install. |
| Adopter opt-in | <project-config>/skill-sources.md |
committed in the adopter repo | The install gate. The adopter lists the source ids it trusts and commits each pin. Only sources listed here are ever fetched. |
An adopter may trust a source their org did not curate (list it
directly with a full descriptor), or decline one the org did. The org
layer is a convenience default, never a mandate — the same
project → organization → framework precedence the rest of the config
model uses (see AGENTS.md).
Source descriptor
A descriptor identifies one source and enumerates what it provides.
It appears in the org-curated file and/or the adopter opt-in file; the
registry links to the canonical one. Fields reuse the
install-method and lock vocabulary the
framework snapshot already uses, so resolution is mechanical.
id: <source-id> # unique, kebab-case — the handle pointers reference
organization: <org> # owning org; must name a directory under organizations/
name: "<human-readable name>"
maintainer: "<who — handle / team / org>"
method: <git-tag | git-branch | svn-zip> # same three install methods as the framework
url: <git repo URL | svn/dist archive URL>
ref: <tag | branch | version>
# Verification anchor — the re-fetch guard, per method:
# git-tag : commit: <SHA the tag resolved to>
# svn-zip : sha512: <released archive SHA-512>
# git-branch has no cryptographic anchor — it tracks the branch tip
layout: # where things live inside the source repo
skills_root: skills # default: skills
evals_root: tools/skill-evals/evals # default: tools/skill-evals/evals
provides:
- skill: <name> # one unprefixed skill directory name
- family: <prefix>-* # or a family prefix — pulls every skill matching it
method, url, ref, and the per-method anchor are exactly the keys the
framework’s own .apache-magpie.lock carries;
svn-zip is the only method with cryptographic verification (SHA-512 +
optional GPG against the source’s KEYS), git-tag pins a resolved
commit, and git-branch tracks a tip (WIP only, no frozen anchor).
Pointer file — the redirect
Where a skill directory would sit, a pointer file names its source.
It is the “redirect link”: the skill body, evals, and tests are not
committed here — they are fetched into the gitignored snapshot at
adopt/upgrade time. The file is skills/<name>/source.md (deliberately
not SKILL.md, so the skill validator’s SKILL.md-gated checks do
not fire on a stub).
---
source: <source-id> # references a descriptor above
organization: <org> # must name a directory under organizations/
skill_path: skills/<name> # subpath of the skill within the source repo
evals_path: tools/skill-evals/evals/<name> # subpath of its eval suite
---
<!-- SPDX-License-Identifier: Apache-2.0 -->
# <name> — redirect to a trusted external source
This skill is provided by the trusted external source `<source-id>`
(`organization: <org>`). Its `SKILL.md`, eval suite, and tests are fetched
into the gitignored snapshot at `.apache-magpie-sources/<source-id>/` by
`/magpie-setup` and symlinked in exactly like an in-tree skill. This file
is a pointer only — do not add skill logic here; contribute it to the
source repo instead.
source: is already an allowed optional key in the skill validator’s
frontmatter set, so nothing about the pointer is a special case for the
common-path validation — only the additional pointer-specific checks in
the validator apply (the source:
resolves to a known descriptor; the organization: is a known org; the
directory draws no eval-coverage advisory because its evals are external).
How a trusted skill is installed
The setup skill drives the fetch — the
skill-sources sub-action
(/magpie-setup skill-sources). In outline:
- Read
<project-config>/skill-sources.md— the trust list. Sources not listed there are never fetched. - For each trusted source, fetch + verify into
.apache-magpie-sources/<source-id>/(gitignored) reusing the framework install recipes verbatim —git clone --depth=1 --branch <ref>for git methods; download +sha512sum -c+ optionalgpg --verifyforsvn-zip. - Record the pins: committed
.apache-magpie.sources.lock(per-sourcemethod/url/ref+ anchor) and gitignored.apache-magpie.sources.local.lock(what this machine fetched + when) — the same two-lock drift model as the framework snapshot. - For each provided skill, create the canonical + relay symlinks
(
.agents/skills/magpie-<name>→../../.apache-magpie-sources/<id>/skills/<name>/, with per-agent relays back through the canonical entry) — identical to how framework-family skills are wired.
Drift detection, upgrade, and verify extend to the source locks: a
committed-vs-local mismatch surfaces the gap and proposes
/magpie-setup upgrade, which re-fetches per the committed pins.
Layout contract — skills, evals, tests
A skill’s eval suite lives outside its directory, at
tools/skill-evals/evals/<name>/, bound to the skill by directory name and
a repo-relative skill_md: path in each step’s fixtures/step-config.json
(see tools/skill-evals/README.md).
For that binding to resolve after a fetch, a source repo must keep the same
two-tree layout the framework uses — skills/<name>/ for the body and
tools/skill-evals/evals/<name>/ for the evals — declared via the
descriptor’s layout: block. Fetching a source pulls both trees plus
any tool tests/ the skill depends on, so the pulled skill is testable and
eval-able exactly as it is in its home repo.
Security model
- Adopter-vouched, always. The
<project-config>/skill-sources.mdtrust list is the only thing that authorizes a fetch. An org curating a source, or the registry listing one, never triggers an install. - Pinned + verified. Every trusted source carries a pin with a
verification anchor (
commit/sha512).git-branch(tip-tracking, no anchor) is WIP-only, exactly as for the framework snapshot. - Untrusted stays discovery-only. The registry and org curation are editorial pointers for humans to evaluate — not supply-chain hooks.
- External content is data. Skills pulled from a source are still subject to the framework’s injection-guard discipline; a fetched skill is reviewed like any other before it runs.
The full threat model (source-repo compromise, eval provenance, unpinned
fetch) is in RFC-AI-0006.
Discovery index
The known sources — framework-curated and community-maintained — are
listed in registry.md. Listing is editorial discovery
only; it makes no guarantee and triggers no install.
See also
authoring-a-source.md— the source-repo side: how a third-party org publishes skills for adopters to pull.RFC-AI-0006— the design + trust + threat model.docs/extending.md— the full extension model (what / where / who).organizations/README.md— the organization layer and itsskill-sources.mdcuration.skills/setup/SKILL.md— the adopt/upgrade/verify flow that fetches and pins sources.docs/adapters/registry.md— the sibling discovery index for tool adapters and organizations.