Enforce skills_dir requires strict: false

[astefanutti]

Summary

• Add schema constraint: skills_dir requires strict to be present (dependentRequired)
• Add check_strict_consistency validation that skills_dir is only used with strict: false
• Remove unnecessary strict: false and skills_dir from rfe-creator and test-plan (Claude Code auto-discovers .claude/skills/)
• Update schema descriptions to clarify strict mode semantics
• Add ARCHITECTURE.md documenting the registry architecture

Context

strict: false means the marketplace entry is the entire plugin definition. When strict: true (default), Claude Code auto-discovers skills in default locations like .claude/skills/ — no skills_dir needed. Setting skills_dir without strict: false has no effect and is misleading.

Test plan

• python3 scripts/validate_registry.py passes
• Adding skills_dir without strict: false fails validation
• marketplace.json and catalog.md are in sync

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Added comprehensive architecture docs for the skills-registry, expanded README with install/update/verify instructions, status badge, and a curated plugin summary.

• Chores

  • Strengthened registry/schema validation and CI checks to ensure plugin configuration consistency and more reliable marketplace generation.

[coderabbitai]

Warning

Rate limit exceeded

@astefanutti has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 5 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 17 minutes and 5 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 51d0ea4c-1aed-4b4c-9eae-980f1b04741a

📥 Commits

Reviewing files that changed from the base of the PR and between 416e839 and 2cae1b4.

📒 Files selected for processing (1)

• README.md

📝 Walkthrough

Walkthrough

The diff adds ARCHITECTURE.md and README updates; updates registry schema and registry.yaml; removes skills_dir and strict: false from some plugin entries; adjusts .claude-plugin/marketplace.json for rfe-creator to remove skills and strict fields; and adds runtime validation in scripts/validate_registry.py to enforce skills_dir/strict consistency. No exported/public code APIs were changed.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Issues

• scripts/validate_registry.py — ambiguous default handling (CWE-20)

  • Problem: check_strict_consistency() treats missing strict as True implicitly, conflating omitted and explicit values and risking silent acceptance or rejection.
  • Actionable fix: check explicitly:
    • if source.get("skills_dir") and source.get("strict") is not False: report error
  • Rationale: explicit boolean checks avoid misinterpreting falsy/truthy values and prevent malformed config bypassing validation.

• schema/registry.schema.json — one-way constraint (CWE-20)

  • Problem: schema requires skills_dir when strict: false, but does not forbid skills_dir when strict: true. This leaves enforcement to runtime-only validation.
  • Actionable fixes (pick one):
    • Add a reciprocal constraint so skills_dir implies strict: false (e.g., dependentRequired/dependentSchemas or oneOf with mutually exclusive schemas).
    • Or document clearly that schema is intentionally permissive and rely on CI/runtime checks, but add automated test coverage ensuring runtime check runs in CI.

• registry.yaml edits — authoritative-source change risk (CWE-284 / operational)

  • Problem: removing strict: false and skills_dir flips plugin entries to default strict: true, changing authority to repo plugin.json. If those repos lack required plugin.json/skills, marketplace generation may drop functionality.
  • Actionable checks:
    • Verify each impacted repo (rfe-creator, test-plan) contains a valid plugin.json and expected skill files at the paths the generator will use.
    • Add a CI validation step that fetches the repo plugin.json when strict defaults to true and fails if required fields/skills are missing.

• .claude-plugin/marketplace.json change — potential silent capability removal (CWE-20)

  • Problem: removing skills and strict from rfe-creator can silently remove skill metadata from the marketplace if not present in upstream repo.
  • Actionable fix: ensure sync script (sync_marketplace.py) explicitly logs and fails when a plugin loses skills because of missing upstream metadata; consider adding a pre-merge check that compares previous and generated marketplace.json diffs for unexpected removals.

Security/CVEs: no specific CVEs are applicable to these config/schema edits. Focus is on input validation and authority-of-truth enforcement (CWE-20, CWE-284).

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective: adding enforcement that skills_dir requires strict: false via schema constraints and validation logic.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

ARCHITECTURE.md (1)

10-24: Add language specifiers to fenced code blocks.

markdownlint flags code blocks without language specifiers (MD040). For ASCII diagrams, use text or plaintext:

♻️ Example fix for one block

-```
+```text
                         skills-registry
 ┌──────────────────────────────────────────────────────┐

Apply similarly to blocks at lines 28, 47, 72, 120, and 146.

Also applies to: 28-43, 47-65, 72-93, 120-139, 146-167

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@ARCHITECTURE.md` around lines 10 - 24, The fenced ASCII diagram blocks
(containing items like "skills-registry", "registry.yaml", "marketplace.json",
"catalog.md", and the box/diagram art) need language specifiers to satisfy
markdownlint MD040; update each triple-backtick fence for the diagrams to use a
plain text specifier such as ```text (or ```plaintext) for the blocks shown and
the other occurrences referenced (the blocks around the sections with
"registry.yaml", "marketplace.json", "catalog.md" and the similar diagrams at
the other locations), ensuring all code fences at the listed diagram locations
include the language token.

schema/registry.schema.json (1)

50-52: Schema constraint is structurally correct but semantically incomplete.

dependentRequired only enforces that strict must be present when skills_dir is used—it doesn't enforce strict: false. The Python validation in check_strict_consistency() fills this gap.

If you want full schema-level enforcement, an if/then/else block could check that when skills_dir is present, strict must equal false:

♻️ Optional: Full schema-level enforcement

       "dependentRequired": {
         "skills_dir": ["strict"]
-      },
+      },
+      "if": {
+        "required": ["skills_dir"]
+      },
+      "then": {
+        "properties": {
+          "strict": { "const": false }
+        }
+      },

Current two-layer approach (schema + Python) is acceptable and provides clearer error messages.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@schema/registry.schema.json` around lines 50 - 52, The JSON Schema uses
"dependentRequired" to require presence of "strict" when "skills_dir" exists but
doesn't enforce that "strict" must be false; update the schema by
replacing/augmenting the "dependentRequired" rule with an if/then/else that
checks presence of "skills_dir" in the instance and then requires "strict" to be
false (i.e., in the then branch assert "strict": {"const": false}), and keep or
remove the Python helper check_strict_consistency() accordingly to avoid
duplicate validation; reference the existing "dependentRequired", "skills_dir",
"strict" and the helper function name "check_strict_consistency()" when making
the change so you enforce the semantic constraint entirely in the schema.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@ARCHITECTURE.md`:
- Around line 10-24: The fenced ASCII diagram blocks (containing items like
"skills-registry", "registry.yaml", "marketplace.json", "catalog.md", and the
box/diagram art) need language specifiers to satisfy markdownlint MD040; update
each triple-backtick fence for the diagrams to use a plain text specifier such
as ```text (or ```plaintext) for the blocks shown and the other occurrences
referenced (the blocks around the sections with "registry.yaml",
"marketplace.json", "catalog.md" and the similar diagrams at the other
locations), ensuring all code fences at the listed diagram locations include the
language token.

In `@schema/registry.schema.json`:
- Around line 50-52: The JSON Schema uses "dependentRequired" to require
presence of "strict" when "skills_dir" exists but doesn't enforce that "strict"
must be false; update the schema by replacing/augmenting the "dependentRequired"
rule with an if/then/else that checks presence of "skills_dir" in the instance
and then requires "strict" to be false (i.e., in the then branch assert
"strict": {"const": false}), and keep or remove the Python helper
check_strict_consistency() accordingly to avoid duplicate validation; reference
the existing "dependentRequired", "skills_dir", "strict" and the helper function
name "check_strict_consistency()" when making the change so you enforce the
semantic constraint entirely in the schema.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: da9ac3c5-841f-4820-8129-486e02aa9f31

📥 Commits

Reviewing files that changed from the base of the PR and between 2392f77 and 0aeecfe.

📒 Files selected for processing (5)

• .claude-plugin/marketplace.json
• ARCHITECTURE.md
• registry.yaml
• schema/registry.schema.json
• scripts/validate_registry.py

💤 Files with no reviewable changes (2)

• registry.yaml
• .claude-plugin/marketplace.json

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@README.md`:
- Around line 64-66: The fenced code block containing the URL needs an explicit
language identifier to satisfy markdownlint MD040; update the block surrounding
the URL (the triple-backtick fenced block showing
"https://raw.githubusercontent.com/opendatahub-io/skills-registry/main/registry.yaml")
to include the language token `text` (i.e., replace ``` with ```text) so the
markdown linter recognizes the block language.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 8459d7e5-ad79-4698-9504-9bc058eec611

📥 Commits

Reviewing files that changed from the base of the PR and between 0aeecfe and 416e839.

📒 Files selected for processing (1)

• README.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a language identifier to the fenced block at Line 64 to satisfy markdownlint MD040.

Use an explicit language (text) for the URL block to keep lint clean.

Proposed fix

-```
+```text
 https://raw.githubusercontent.com/opendatahub-io/skills-registry/main/registry.yaml

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools

🪛 markdownlint-cli2 (0.22.0)

[warning] 64-64: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 64 - 66, The fenced code block containing the URL
needs an explicit language identifier to satisfy markdownlint MD040; update the
block surrounding the URL (the triple-backtick fenced block showing
"https://raw.githubusercontent.com/opendatahub-io/skills-registry/main/registry.yaml")
to include the language token `text` (i.e., replace ``` with ```text) so the
markdown linter recognizes the block language.

[fege]

/lgtm