Regenerate canonical registry artifacts after removing the synthetic
merge-batch end-to-end fixture.
This drops the remaining bundle, catalog, plugin, and skills index
references so validate:references passes again on main.
Add a short maintainer guide for merge:batch and link it from the
existing merge policy docs.
Lock in the source-validation CI fixes discovered during the
merge-batch end-to-end exercise so shallow checkout and missing
base-branch fetch regressions fail the workflow contract test.
Add the missing When to Use sections for the new psychology skill pack and refresh the canonical generated artifacts required by the release workflow so the repository passes the warning budget and consistency gates.
Add installer filters for risk, category, and tags so maintainers and
users can ship smaller skill surfaces to context-sensitive runtimes.
Document the reduced-install flow for OpenCode-style hosts, add the
humanize-chinese community skill, and sync the generated catalog and
plugin-safe artifacts that now reflect the release batch.
Refs #437
Refs #440
Refs #443
Import the official Hugging Face ecosystem skills and sync the\nexisting local coverage with upstream metadata and assets.\n\nRegenerate the canonical catalog, plugin mirrors, docs, and release\nnotes after the maintainer merge batch so main stays in sync.\n\nFixes #417
Add a machine-readable CSV companion for the 2026-03-29 security re-triage so maintainers can consume the refreshed statuses outside the markdown report.\n\nLink the refresh markdown and walkthrough to the new export to keep the historical baseline, addendum, and current-head report aligned.
Re-triage the 2026-03-15 security finding set against current main, keep the old snapshot as historical baseline, and add a current-head refresh with updated counts and finding status.\n\nLink the baseline and addendum to the new refresh report so maintainers have one current source of truth for what is still reproducible on HEAD.
Document the current static web-app behavior, local-only save flow, shallow installer path, and maintainer-only sync controls.\n\nAlign maintainer guides with the active audit-to-risk-sync workflow, canonical artifact bot contract, release/coverage requirements, and updated security triage context so the docs match the repository's real operating model.
Add a maintainers script to safely promote high-confidence legacy risk labels from unknown to concrete values, cover it with tests, and regenerate the canonical skill artifacts and plugin copies. This reduces the legacy unknown backlog without forcing noisy classifications that still need manual review.
Tighten the repo-state automation so canonical bot commits remain
predictable while leaving main clean after each sync.
Make the public catalog UI more honest by hiding dev-only sync,
turning stars into explicit browser-local saves, aligning risk types,
and removing hardcoded catalog counts.
Add shared public asset URL helpers, risk suggestion plumbing,
safer unpack/sync guards, and CI coverage gates so release and
maintainer workflows catch drift earlier.
