Extend aw.yml to support includes, skills, and agents

[Copilot]

Adds first-class support for includes in the aw.yml package manifest, with folder-based type inference for workflows, skills, and agents, while retaining support for explicit skills and agents fields.

Manifest format

name: My Package
includes:
  - workflows/review.md
  - agentic-workflows/pr-review.md
  - skills/code-review
  - agents/reviewer.md
  - .github/workflows/ci.yml
  - .github/skills/release-assistant
  - .github/agents/reviewer.md

Legacy files is still supported and now emits a deprecation warning plus codemod guidance to migrate to includes.

Include path conventions

Type is inferred by folder naming:

• Workflows: workflows/, agentic-workflows/, .github/workflows/
• Skills: skills/, .github/skills/
• Agents: agents/, .github/agents/

When explicit skill directories are provided (skills or inferred via includes), SKILL.md is validated as required.

Install targets

• Skill files → engine-specific skill dir (GetEngineSkillDir)
• Agent files → engine-specific agents dir (GetEngineSubAgentDir)

Engine override (--engine) is now correctly honored for package-installed skills and agents.

Changes

• aw_manifest_schema.json — added includes, retained files as deprecated, and documented manifest semantics (including agentic-workflows/ workflow support)
• remote_fetch.go — fixed git fallback for ListDirAllFilesForHost to avoid treating directories as files
• add_package_manifest.go — added includes parsing, type inference, legacy files warning + codemod suggestion, expanded path validation (workflows/*, agentic-workflows/*, skills/*, agents/*, and .github/*), skill marker validation, and updated auto-scan logic
• add_command.go — fixed package skill/agent install path resolution to honor opts.EngineOverride
• add_package_manifest_test.go — updated and expanded tests for includes, deprecation warnings, codemod behavior, agentic-workflows/ workflow paths, direct .github/* references, and skill marker validation
• Docs — updated repository package manifest reference for includes and migration from files

[Copilot]

Pull request overview

This PR extends repository package manifests (aw.yml) so package installs can include skills and agents in addition to workflow files, wiring discovery, resolution, and install handling through the existing add pipeline.

Changes:

• Adds skills and agents manifest fields and parsing/validation logic.
• Adds remote directory listing helpers for skill/agent discovery.
• Routes resolved package skill and agent files to dedicated install handlers and adds related tests.

Show a summary per file

File	Description
pkg/parser/schemas/aw_manifest_schema.json	Adds schema entries for skills and agents.
pkg/parser/remote_fetch.go	Adds remote directory file/subdirectory listing with API and git fallback paths.
pkg/cli/spec.go	Extends WorkflowSpec with package skill/agent metadata.
pkg/cli/add_workflow_resolution.go	Resolves package skill and agent specs alongside workflow specs.
pkg/cli/add_package_manifest.go	Parses manifest fields and resolves explicit or auto-discovered skill/agent files.
pkg/cli/add_package_manifest_test.go	Adds and updates tests for manifest parsing and package resolution.
pkg/cli/add_command.go	Installs package skill and agent files into engine-specific directories.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 7/7 changed files
• Comments generated: 4

[github-actions]

🧪 Test Quality Sentinel completed test quality analysis.

[github-actions]

🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅

[github-actions]

✅ Design Decision Gate 🏗️ completed the design decision gate check.

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (1,099 new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

📄 Draft ADR committed: docs/adr/35778-extend-aw-yml-for-skills-and-agents.md — review and complete it before merging.

🔒 This PR cannot merge until an ADR is linked in the PR body.

📋 What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff and captures the decision to extend the aw.yml manifest with first-class skills and agents artifact types.
2. Complete / refine the sections — confirm the alternatives you actually weighed (e.g. reusing files: vs. dedicated fields vs. a separate command), and tighten the consequences with anything the diff couldn't reveal (rate-limit impact of auto-scan, marker-convention documentation plans).
3. Commit the finalized ADR to docs/adr/ on your branch.
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-35778: Extend aw.yml Package Manifest to Support Skills and Agents

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

❓ Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 35778-extend-aw-yml-for-skills-and-agents.md).

References: §26661810526

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · opus48 1M · ◷

[github-actions]

🧪 Test Quality Sentinel Report

✅ Test Quality Score: 92/100 — Excellent

Analyzed 6 test(s): 6 design, 0 implementation, 0 coding-guideline violations. One test covers only the happy path; assertion messages are missing throughout (style note).

📊 Metrics & Test Classification (6 tests analyzed)

Metric	Value
New/modified tests analyzed	6
✅ Design tests (behavioral contracts)	6 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	5 (83%)
Duplicate test clusters	0
Test inflation detected	No (1.81:1 ratio)
🚨 Coding-guideline violations	0

Test Classification Details

Test	File	Classification	Issues Detected
TestIsSupportedSkillDirPath	pkg/cli/add_package_manifest_test.go:882	✅ Design	Bare assertions (no message args); edge cases covered
TestIsSupportedAgentFilePath	pkg/cli/add_package_manifest_test.go:912	✅ Design	Bare assertions (no message args); edge cases covered
TestExtractManifestSkillDirs	pkg/cli/add_package_manifest_test.go:943	✅ Design	Covers valid, invalid, dedup, non-list; bare assertions
TestExtractManifestAgentFiles	pkg/cli/add_package_manifest_test.go:972	✅ Design	Covers valid, invalid, dedup, non-list; bare assertions
TestResolveRepositoryPackage_SkillsAndAgents	pkg/cli/add_package_manifest_test.go:1001	✅ Design	4 subtests incl. missing-skill warning, absent dirs; bare assertions
TestResolveWorkflows_SkillsAndAgents	pkg/cli/add_package_manifest_test.go:1183	✅ Design	Happy-path only; no error fetch / partial failure cases

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 6 tests — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

⚠️ Flagged Tests — Requires Review (1 issue)

⚠️ TestResolveWorkflows_SkillsAndAgents (pkg/cli/add_package_manifest_test.go:1183)

Classification: Design test — but happy-path only
Issue: The test verifies the normal resolution flow (manifest found, all fetches succeed) but does not exercise error paths: what happens when the skill-file fetch fails, when fetchWorkflowFromSourceWithContextFn returns an error for one of the three items, or when an agent file cannot be retrieved?
What design invariant does this test enforce? That resolved workflows correctly carry IsPackageSkillFile, IsPackageAgentFile, and SkillName flags for each item type.
What would break if deleted? A regression where those flags are set incorrectly on resolved items would go undetected. However, partial-failure behavior is untested.
Suggested improvement: Add a sub-test (or a sibling test function) that stubs fetchWorkflowFromSourceWithContextFn to return an error for the skill or agent path and asserts the appropriate error propagation or fallback behavior.

---

i️ Style note — missing assertion messages (all 6 tests)

Issue: Assertions throughout the new tests use bare form, e.g. assert.Equal(t, tt.want, isSupportedSkillDirPath(tt.path)). The project guideline requires a descriptive message argument on every assertion call so that failure output is self-explanatory without reading the source.
Suggested improvement: Add a short message to each assertion: assert.Equal(t, tt.want, isSupportedSkillDirPath(tt.path), "path %q", tt.path).
This is a style note only and does not affect the verdict.

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). All 6 tests verify behavioral contracts with no mock-library violations and no missing build tags.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §26661810529

🧪 Test quality analysis by Test Quality Sentinel · sonnet46 2M · ◷

[github-actions]

✅ Test Quality Sentinel: 92/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 6 new tests verify behavioral contracts with proper build tags and no mock-library violations.

[github-actions]

REQUEST_CHANGES — two new blocking issues in the git fallback path, plus four already-flagged issues from the prior review pass that need to be resolved before merge.

### Blocking issues (this pass)

• ref empty string → git clone crash (remote_fetch.go:996, 1098): if ref is "", the git clone command emits fatal: invalid branch name: "". Guard both listDirAllFilesViaGitForHost and listDirSubdirsViaGitForHost before constructing the clone command.
• N+1 git clones per package (remote_fetch.go:981): each listDir*ViaGit call clones the repo independently. A package with N skills in fallback mode incurs N+2 sequential clones. Extract a shared shallow-clone helper or switch the fallback to the GitHub Trees API.

### Blocking issues (prior pass, still open)

• add_command.go:631 — GetEngineSkillDir("") ignores opts.EngineOverride
• add_command.go:680 — GetEngineSubAgentDir("") ignores opts.EngineOverride
• remote_fetch.go:1021 — ls-tree --name-only includes directory entries; file list will contain subdirectory names
• add_package_manifest.go:418 — explicit skills: entries bypass the SKILL.md marker check

🔎 Code quality review by PR Code Quality Reviewer · sonnet46 2M

[github-actions]

ref empty string crashes the git clone with a cryptic fatal error — if ref is "", the command becomes git clone --depth 1 --branch --single-branch ... which git rejects with fatal: invalid branch name: "", surfacing as an opaque error rather than a clear validation message.

💡 Suggested fix

Guard before constructing the command:

if ref == "" {
    return nil, fmt.Errorf("ref must be non-empty for git clone fallback")
}
cloneCmd := exec.Command("git", "clone", "--depth", "1", "--branch", ref, ...)

The same guard is needed in listDirSubdirsViaGitForHost (line 1098). The REST API path silently treats an empty ref as the default branch, but the git path does not.

[github-actions]

N+1 git clones per package resolution — severe network regression — each call to listDirAllFilesViaGitForHost and listDirSubdirsViaGitForHost performs an independent git clone --depth 1. For a package with N skill directories the fallback path incurs: 1 clone (subdir listing) + N clones (one per skill dir file listing) + 1 clone (agents dir). All sequential over the network.

💡 Suggested fix

The simplest fix: extract a cloneRepoShallow(owner, repo, ref, host) (string, func(), error) helper that clones once and returns the temp dir path plus a cleanup func. Pass the temp dir through to the ls-tree helpers so a single clone serves all subsequent listing calls for the same (owner, repo, ref) tuple.

Alternatively, use the GitHub Trees API with recursive=1, which returns the full tree in one HTTP request and eliminates the fallback entirely:

GET /repos/{owner}/{repo}/git/trees/{ref}?recursive=1

Note: the current approach also duplicates ~40 lines of clone boilerplate verbatim between listDirAllFilesViaGitForHost and listDirSubdirsViaGitForHost; fixing the N+1 issue with a shared helper also resolves the duplication.

[github-actions]

Skills-Based Review 🧠

Applied /improve-codebase-architecture, /tdd, /diagnose, and /zoom-out. Solid feature addition overall — no blocking issues — but a few things worth addressing before merging.

📋 Key Themes & Findings

Key Themes

1. Code duplication — addSkillFileWithTracking and addAgentFileWithTracking share ~50 lines of identical file-write logic. Extracting a shared helper now will pay off every time the install behaviour evolves.

2. N+1 API calls in auto-scan — scanPackageSkillDirs probes each skill subdir with an individual downloadPackageFileFromGitHubForHost call to check for SKILL.md, then resolvePackageSkillFiles calls listPackageDirFilesForHost on the same directories. The marker check can be folded into the file-list step, eliminating one round-trip per skill.

3. Inconsistent SKILL.md validation — auto-scan enforces the SKILL.md marker; explicit manifest entries do not. A directory listed in aw.yml under skills: without a SKILL.md will be installed silently.

4. Missing tests for the installation layer — addSkillFileWithTracking / addAgentFileWithTracking have no unit tests. The manifest-parsing and resolution layers are well-tested; the final file-write step is not.

5. Silent non-.md filter in resolvePackageAgentFiles — auto-scan drops non-.md files without a warning, while the skills path installs all file types. The asymmetry is surprising and undocumented.

Positive Highlights

• ✅ Clean separation between resolution (manifest parsing, auto-scan) and installation (file-write)
• ✅ Good use of path.Clean(filepath.ToSlash(...)) to normalise path separators and prevent traversal in validators
• ✅ Comprehensive table-driven tests for path validators and manifest extraction
• ✅ Consistent use of joinRepositoryPackagePath to handle nested package paths
• ✅ Git fallback implemented for both new listDirAllFiles and listDirSubdirs functions

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · sonnet46 3.5M

[github-actions]

[/improve-codebase-architecture] addAgentFileWithTracking duplicates ~50 lines from addSkillFileWithTracking. The only real differences are the destination directory, file-kind label, and success-message format — everything else (exist-check, force-overwrite, tracker, write) is identical.

💡 Suggested refactor

Extract a shared helper:

type artifactInstallOptions struct {
	destDir  string
	kind     string // "skill" or "agent"
	label    string // used in console messages
}

func addArtifactFileWithTracking(
	resolved *ResolvedWorkflow,
	tracker *FileTracker,
	opts AddOptions,
	destDir string,
	kind string,
) error {
	if err := os.MkdirAll(destDir, constants.DirPermPublic); err != nil {
		return fmt.Errorf("failed to create %s directory %s: %w", kind, destDir, err)
	}
	// ... shared logic ...
}

Then addSkillFileWithTracking and addAgentFileWithTracking become thin wrappers that build destDir and call this helper. This would shrink the diff by ~45 lines and make future changes (e.g. adding a --dry-run flag) apply to both artifact types automatically.

[github-actions]

[/improve-codebase-architecture] scanPackageSkillDirs makes N+1 API calls: one listPackageDirSubdirsForHost to enumerate subdirs, then one downloadPackageFileFromGitHubForHost per subdir to check for the SKILL.md marker. However resolvePackageSkillFiles immediately follows with a listPackageDirFilesForHost call for every qualifying dir anyway, so the marker content is redundantly fetched.

💡 Suggested fix

Remove scanPackageSkillDirs's per-subdir download and instead defer the SKILL.md check to resolvePackageSkillFiles where the file listing is already available:

// In resolvePackageSkillFiles, after listing files:
hasMarker := slices.ContainsFunc(files, func(f string) bool {
    return filepath.Base(f) == packageSkillMarkerFile
})
if !hasMarker {
    warnings = append(warnings, fmt.Sprintf("skill dir %q has no SKILL.md, skipping", skillDir))
    continue
}

This eliminates N extra HTTP round-trips (one per skill subdirectory in the auto-scan path).

[github-actions]

[/diagnose] Explicit skill dirs listed in the manifest skip the SKILL.md marker check that auto-scan enforces (see scanPackageSkillDirs). A user could list skills/not-a-skill in aw.yml and its files would be installed to the skill directory even without a SKILL.md, silently creating a broken skill.

💡 Suggested fix

Apply the same marker validation regardless of discovery path. Whether the dirs come from the manifest or auto-scan, after listing files check that SKILL.md is present:

hasMarker := false
for _, f := range files {
    if filepath.Base(f) == packageSkillMarkerFile {
        hasMarker = true
        break
    }
}
if !hasMarker {
    warnings = append(warnings, fmt.Sprintf(
        "skill directory %q has no SKILL.md — skipping (add SKILL.md to qualify it as a skill)",
        skillDir,
    ))
    continue
}

[github-actions]

[/tdd] addSkillFileWithTracking (and its agent counterpart) have no unit tests. The resolution and manifest-parsing layers are well-covered, but the actual file-installation functions — directory creation, force-overwrite behaviour, tracker interaction, and quiet/verbose output — are not tested at all.

💡 Suggested test skeleton

func TestAddSkillFileWithTracking(t *testing.T) {
    t.Run("creates new skill file", func(t *testing.T) { ... })
    t.Run("skips existing file without --force", func(t *testing.T) { ... })
    t.Run("overwrites existing file with --force", func(t *testing.T) { ... })
    t.Run("tracks created vs modified files via tracker", func(t *testing.T) { ... })
}

Consider using t.TempDir() to create an isolated git root so tests don't touch the real filesystem.

[github-actions]

[/zoom-out] resolvePackageAgentFiles silently drops non-.md files during auto-scan (line ~440: strings.HasSuffix(strings.ToLower(f), ".md")), but returns no warning. A user who accidentally places a .sh helper alongside their agent .md might expect it to be installed too and would get no feedback when it is skipped.

💡 Suggestion

Either:

1. Emit a warning for each skipped non-.md file: "agents/%s was skipped (only .md files are installed from the agents/ directory)"
2. Or document this filter clearly in a comment so the omission is intentional and obvious.

The skills path already surfaces a similar concern — non-.md files in a skill dir are installed (e.g. prompt.sh), which makes this asymmetry surprising.

[pelikhan]

@copilot move all files under a "includes" folder and use folder naming conventions to determine the type of file. Same structure as .github folder:

• workflows - agentic workflows
• skills - skills
• agents - agents

also support direct reference

• .github/workflows, .github/skills, .github/agents

• Add legacy support for files and print a warning.

• Create a codemod to convert files to includes

[Copilot]

@copilot move all files under a "includes" folder and use folder naming conventions to determine the type of file. Same structure as .github folder:

• workflows - agentic workflows
  ...

Implemented in 0f4f374.

• Added includes manifest support with type inference by path conventions:
  • workflows: workflows/, includes/workflows/, .github/workflows/
  • skills: skills/, includes/skills/, .github/skills/
  • agents: agents/, includes/agents/, .github/agents/
• Added direct .github/workflows, .github/skills, .github/agents path support in manifest validation/resolution.
• Kept legacy files support and now emit a deprecation warning with a codemod suggestion to includes.
• Added codemod conversion helper (files -> includes path mapping) and tests.
• Updated manifest schema and docs.
• Also fixed engine override usage for package skill/agent install destinations and tightened git fallback file listing behavior.

[pelikhan]

@copilot avoid the "includes/" folder, just "workflows/" . includes is th ename of the frontmatter field not the folders.

[Copilot]

Updated in 4da41ab. Manifest include path conventions now use top-level workflows/, skills/, and agents/ (plus direct .github/workflows, .github/skills, .github/agents), and includes/* folder paths are no longer part of inferred types.

[pelikhan]

@copilot also support agentic-workflows/ as a folder to hold agentic workflow .md files.

[pelikhan]

@copilot review all review comments from copilot and github-actions actor

[Copilot]

@copilot also support agentic-workflows/ as a folder to hold agentic workflow .md files.

Implemented in ecf3f5e. agentic-workflows/*.md is now accepted as workflow includes (same workflow type inference as workflows/ and .github/workflows/), with updated warnings, schema docs, and tests.

[Copilot]

@copilot review all review comments from copilot and github-actions actor

Reviewed all Copilot and github-actions review comments. The previously flagged install-path and SKILL.md checks are already in place, and I addressed the remaining git-fallback blockers in commits 523170f, dd23d88, and 07c02dd (empty-ref validation + shared clone reuse for fallback dir listing + follow-up polish/tests).

[pelikhan]

@copilot add optional license and description fields