Releases: JSLEEKR/skillpack

v1.0.0 — initial release

15 Apr 12:26

Package manager, lockfile, and bundler for agent skills (SKILL.md / .cursorrules / AGENT.md / skill.yaml). Cross-vendor skill lifecycle tooling — resolve, pin, hash, bundle, sign.

Highlights

  • Multi-format parser: SKILL.md (Anthropic frontmatter), .cursorrules (Cursor), AGENT.md (cross-vendor), skill.yaml
  • Semver resolver: constraint syntax (^, ~, x, exact) + topological install order with deterministic lex tiebreak
  • Content-addressed hashing: sha256 per skill, canonical pre-image resists key/value and list-boundary collisions
  • Deterministic lockfile: JSON, sorted keys, byte-identical across runs
  • Deterministic bundle: gzipped tar with fixed epoch mtime, sorted entries, UTF-8 PAX headers
  • Detached signatures: ed25519, .sig alongside .skl, tamper detection via distinct exit code 6
  • CI verify mode: skillpack verify --lockfile exits non-zero on drift/missing/extra, snake_case JSON for CI consumers
  • Exit codes: 0 pass, 1 drift, 2 parse, 3 IO, 4 internal, 5 usage, 6 security
  • Zero runtime deps: single 4 MB static Go binary
  • 221 tests (race-clean, shuffle-clean, reproducible builds)

Install

go install github.com/JSLEEKR/skillpack/cmd/skillpack@v1.0.0

Or download a binary from the assets below.

Usage

skillpack init
skillpack add ./skills/my-skill
skillpack resolve
skillpack install --lockfile skillpack.lock
skillpack verify
skillpack bundle --out mypack.skl
skillpack keygen --priv priv.key --pub pub.key
skillpack sign mypack.skl --key priv.key
skillpack sign mypack.skl --verify --pubkey pub.key

Hardened across 14 adversarial evaluation cycles (A–N) before first release — 20 bugs found and fixed including hash-canonicalization collision attacks, lockfile duplicate-name silent hiding, and keygen same-path data loss. See ROUND_LOG.md.
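
The key/value and list-boundary collisions named in the hashing highlight and in the hardening note above can be reproduced with an unframed pre-image. The following is an added example, not skillpack's own code: the `Skill` type, `NaiveHash` and `CanonicalHash` are hypothetical names, and the length-prefix framing is one standard way to make a pre-image unambiguous, assumed here rather than taken from the project.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Skill is a hypothetical, simplified record; it is not skillpack's own type.
// Meta holds {key, value} pairs, assumed already sorted by key.
type Skill struct {
	Meta  [][2]string
	Files []string
}

// NaiveHash concatenates fields with no framing, so field boundaries are lost.
func NaiveHash(s Skill) [32]byte {
	var b strings.Builder
	for _, kv := range s.Meta {
		b.WriteString(kv[0] + kv[1])
	}
	b.WriteString(strings.Join(s.Files, ""))
	return sha256.Sum256([]byte(b.String()))
}

// CanonicalHash prefixes every count and string with a fixed-width length.
func CanonicalHash(s Skill) [32]byte {
	var p []byte
	num := func(n int) { p = binary.BigEndian.AppendUint64(p, uint64(n)) }
	str := func(v string) { num(len(v)); p = append(p, v...) }
	num(len(s.Meta))
	for _, kv := range s.Meta {
		str(kv[0])
		str(kv[1])
	}
	num(len(s.Files))
	for _, f := range s.Files {
		str(f)
	}
	return sha256.Sum256(p)
}

func main() {
	// Constructed inputs: same concatenated bytes, different field boundaries.
	a := Skill{Meta: [][2]string{{"name", "ab"}}, Files: []string{"x", "yz"}}
	b := Skill{Meta: [][2]string{{"namea", "b"}}, Files: []string{"xy", "z"}}
	fmt.Println("naive collides:", NaiveHash(a) == NaiveHash(b))
	fmt.Println("canonical collides:", CanonicalHash(a) == CanonicalHash(b))
}
```

With the naive pre-image, a lockfile hash pinned for skill `a` would also accept skill `b`; the framed pre-image separates them because each element's length is part of the hashed bytes.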