
feat: PAIIssues skill — score and triage upstream issues against your PAI stack profile #1332

@rfdiazpr

Problem

Every PAI user who wants to stay current with upstream has to manually skim 100+ open issues, guess which ones apply to their setup, and prioritize from scratch. There is no structured way to filter upstream issues against your actual stack, security posture, or active projects.

Proposed Solution

A PAIIssues skill that fetches open issues from this repo, scores each one against the user's local PAI stack profile, and outputs a ranked triage table with Build Now / Watch / Defer classification.

Skill Architecture

Trigger phrases

pai issues, upstream issues, pai backlog, what should i build next in pai, feature triage

One workflow: Triage

Step 1: Load Stack Profile

Read user customizations from ${PAI_DIR}/USER/SKILLCUSTOMIZATIONS/PAIIssues/PREFERENCES.md. If not present, fall back to defaults:

  • Stack: local-first, TypeScript/Bun, deterministic skills, security-sensitive
  • Score weights: security 0.35, relevance 0.25, arch_leverage 0.20, workflow_freq 0.10, impl_readiness 0.10
  • Priority domains: security > state/observability > bootstrap/context > cost/routing > modularity/skills

Step 2: Fetch Open Issues

curl -s "https://api.github.com/repos/danielmiessler/Personal_AI_Infrastructure/issues?state=open&per_page=100" \
  -H "Accept: application/vnd.github.v3+json" \
  ${GITHUB_TOKEN:+-H "Authorization: token $GITHUB_TOKEN"}

Filter out items with a pull_request key — those are PRs, not issues.

Step 3: Score Each Issue

3a. Security Score (0–100)

Seven dimensions scored 0–5:

| Dimension | Weight | Detects… |
|---|---|---|
| Execution impact | 25 | file write, command exec, secret access, config mutation |
| Trust-boundary violation | 20 | untrusted content crossing into prompts, memory, or policy layers |
| Blast radius | 15 | affects full runtime, multiple skills, or memory/state system |
| Exploitability | 15 | triggered during normal use via MCP, retrieval, tool descriptions |
| Detection difficulty | 10 | silent failure, hard to spot without telemetry |
| Persistence | 10 | survives into memory, STATE, PATTERNS, TELOS, or future sessions |
| Recovery cost | 5 | requires key rotation, state repair, trust rebuild, or reinstall |

PAI-specific boosts (additive, capped at 100):

  • Bypasses SecurityPipeline or PreToolUse-style gate: +12
  • Involves MCP tool registration or connector trust: +10
  • Enables indirect prompt injection from retrieved content: +8
  • Can persist into memory, STATE, PATTERNS, or TELOS: +8
  • Exploitation is silent / hard to detect: +6
  • UI-only, no privilege or data-integrity consequence: -10

3b. Four Remaining Dimensions (0–10 each)

  • Relevance — how directly does this issue serve the user's stack profile?
  • Architectural Leverage — how many PAI layers does this fix improve?
  • Workflow Frequency — how often would a typical user encounter this?
  • Implementation Readiness — how tractable is this to implement now?

3c. Final Score

final_score = (
  weights.security       × (security_score / 100) +
  weights.relevance      × (relevance / 10) +
  weights.arch_leverage  × (arch_leverage / 10) +
  weights.workflow_freq  × (workflow_freq / 10) +
  weights.impl_readiness × (impl_readiness / 10)
) × 100

Step 4: Classify

| final_score | Classification |
|---|---|
| ≥ 75 | Build Now |
| 50–74 | Watch |
| < 50 | Defer |

Overrides: security ≥ 85 → always Build Now. Security ≥ 70 AND final ≥ 50 → elevate to Build Now.

Step 5: Output

Three-section report:

  1. Ranked triage table (top 20, sorted by final_score)
  2. Category summary (Security · State · Bootstrap · Cost · Modularity · Messaging)
  3. Stack-anchored rationale (3–5 sentences connecting top picks to the user's setup)

Step 6: Save Triage Note

Write to ${PAI_DIR}/MEMORY/SKILLS/PAIIssues/YYYY-MM-DD.md — searchable and referenceable in future sessions.

Customization

Users who want to adjust weights or deprioritize domains create ${PAI_DIR}/USER/SKILLCUSTOMIZATIONS/PAIIssues/PREFERENCES.md. Example override: boost security weight to 0.50 for a hardening sprint, or deprioritize messaging integrations if not using Telegram/iMessage.

Benefits

  • Personalized prioritization — the same upstream backlog looks different for a Pi5 local-first user vs. a cloud-first user
  • Security-first rubric — surfaces SecurityPipeline / MCP boundary issues that a generic sort would bury
  • Stack-aware rationale — output explains why each issue matters for your setup, not generically
  • Searchable triage history — dated notes let you track which issues you flagged across sessions

Files

  • skills/PAIIssues/SKILL.md (new)
  • skills/PAIIssues/Workflows/Triage.md (new)
  • USER/SKILLCUSTOMIZATIONS/PAIIssues/PREFERENCES.md (user-created, optional)
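
A sketch of Steps 2 to 4 in TypeScript, added here as an example; it is not code from the issue author or the PAI project. The function and type names are hypothetical, and two things the issue does not specify are assumptions: how the 0–5 dimension scores combine into the 0–100 security score (weight × score / 5), and renormalizing the weights when a PREFERENCES.md override does not sum to 1.

```typescript
// Added example. Constants are from the issue text; the mapping from 0-5
// dimension scores to a 0-100 security score is an assumption.
type Issue = { number: number; title: string; pull_request?: unknown };
type Rest = { relevance: number; arch_leverage: number; workflow_freq: number; impl_readiness: number };
type Weights = Rest & { security: number };

const DEFAULT_WEIGHTS: Weights = {
  security: 0.35, relevance: 0.25, arch_leverage: 0.20, workflow_freq: 0.10, impl_readiness: 0.10,
};
// Rubric weights from section 3a; they sum to 100.
const SEC_DIMS = {
  execution: 25, trust_boundary: 20, blast_radius: 15, exploitability: 15,
  detection: 10, persistence: 10, recovery: 5,
};
type SecDims = Record<keyof typeof SEC_DIMS, number>;

const clamp = (x: number, lo: number, hi: number): number => Math.min(hi, Math.max(lo, x));

// Step 2: the issues endpoint also returns pull requests; drop them.
function issuesOnly(items: Issue[]): Issue[] {
  return items.filter((i) => !("pull_request" in i));
}

// Assumption: each dimension contributes weight * score / 5, then boosts
// (for example +12, +10, -10) are added and the total is clamped to 0..100.
function securityScore(dims: SecDims, boosts: number[] = []): number {
  let total = boosts.reduce((a, b) => a + b, 0);
  for (const k of Object.keys(SEC_DIMS) as (keyof SecDims)[]) {
    total += (SEC_DIMS[k] * clamp(dims[k], 0, 5)) / 5;
  }
  return clamp(total, 0, 100);
}

// Step 3c. Assumption: weights are renormalized so a PREFERENCES.md override
// that does not sum to 1 still yields 0..100 and keeps the thresholds valid.
function finalScore(security: number, r: Rest, w: Weights = DEFAULT_WEIGHTS): number {
  const sum = w.security + w.relevance + w.arch_leverage + w.workflow_freq + w.impl_readiness;
  const raw = w.security * (security / 100) + w.relevance * (r.relevance / 10) +
    w.arch_leverage * (r.arch_leverage / 10) + w.workflow_freq * (r.workflow_freq / 10) +
    w.impl_readiness * (r.impl_readiness / 10);
  return Math.round((raw / sum) * 1000) / 10; // one decimal place
}

// Step 4, with both security overrides checked before the plain thresholds.
function classify(security: number, final: number): "Build Now" | "Watch" | "Defer" {
  if (security >= 85 || (security >= 70 && final >= 50) || final >= 75) return "Build Now";
  return final >= 50 ? "Watch" : "Defer";
}
```

Because the security override is checked first, an issue with a security score of 85 or more is classified Build Now even when its final_score falls below 50.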
