feat(security): add state-bound invariant & path-symmetry rules

[Agilulfo1820]

Summary

Adds a new vulnerability category and audit discipline to the smart-contract-development skill, motivated by the VeBetterDAO Navigator over-delegation incident (May 2026) where a user inscribed delegated = 2× balance over two transactions because the contract relied on a transfer lock to enforce an invariant the lock didn't actually bound.

• New category refactor: flatten repo structure, remove Nx overhead #3 State-Bound Invariants & Path Symmetry in references/security.md, with the navigator incident as the worked example and a table of common shapes (delegation/balance, allocations/shares, borrow/collateral, stake/approval).
• New Pass 0 (Map paths and invariants) in the Security Review Procedure.
• New State-Bound Invariants checklist.
• Six new Security Review Questions covering path-symmetry, direction of guards, call sequencing, boundaries, cross-contract assumptions, and mid-action state transitions.
• New Adversarial Path Coverage in Tests section.
• Extended SKILL.md trigger keywords (invariant, balance check, path symmetry, adversarial, edge cases) so the skill loads on these prompts.
• Renumbered categories refactor: flatten repo structure, remove Nx overhead #3–docs: add marketplace update command to README #9 → feat: add prd and ralph skills #4–Split vechain-dev into focused skills #10.

Why

Path-symmetry gaps (a guard on one entrypoint but missing on sibling entrypoints mutating the same storage) are the most common high-severity finding pattern. The new rules force the reviewer/AI to enumerate inscription paths AND resource-modification paths for every invariant, instead of trusting "enforced elsewhere" comments without verifying the direction of the elsewhere's check.

Test plan

• Re-read references/security.md end-to-end; numbering 1–10 is consistent
• SKILL.md trigger keywords table renders correctly on GitHub
• Spot-check the navigator incident description matches the actual bug (delegate + increaseDelegation, missing unlockedBalance check)

🤖 Generated with Claude Code

[github-actions]

Skill Security Audit

Scanned 75 file(s) — found 14 issue(s) across 5 file(s).

🔵 LOW (14)

File	Line	Finding	Excerpt
skills/thor/references/contributing.md	6	External URL: golangci-lint.run	https://golangci-lint.run/usage/install/
skills/thor/references/contributing.md	261	External URL: golang.org	https://golang.org/doc/effective_go
skills/x-2-earn-apps/references/getting-started.md	153	External URL: image.png	https://image.png
skills/x-2-earn-apps/references/getting-started.md	153	External URL: twitter.com	https://twitter.com/tweet/1
skills/x-2-earn-apps/references/security.md	124	External URL: docs.guardianstack.ai	https://docs.guardianstack.ai/
skills/x-2-earn-apps/references/sustainability-proofs.md	16	External URL: image.png	https://image.png
skills/x-2-earn-apps/references/sustainability-proofs.md	17	External URL: twitter.com	https://twitter.com/tweet/1
skills/x-2-earn-apps/references/sustainability-proofs.md	33	External URL: twitter.com	https://twitter.com/tweet/123
skills/x-2-earn-apps/references/sustainability-proofs.md	106	External URL: link-to-proof.com	https://link-to-proof.com
skills/x-2-earn-apps/references/sustainability-proofs.md	106	External URL: link-to-image.com	https://link-to-image.com/1.png
skills/x-2-earn-apps/references/sustainability-proofs.md	192	External URL: link-to-proof.com	https://link-to-proof.com
skills/x-2-earn-apps/references/sustainability-proofs.md	192	External URL: link-to-image.com	https://link-to-image.com/1.png
skills/x-2-earn-apps/references/sustainability-proofs.md	255	External URL: x.com	https://x.com/user/status/123456
skills/x-2-earn-apps/references/vepassport.md	149	External URL: vechain-energy.github.io	https://vechain-energy.github.io/vebetterdao-signal-admin/

[github-actions]

Skill Size Report

Skill	SKILL.md (always loaded)	Ref files (on demand)	Total est. tokens	Alerts
thor	~1.3K tok	13 files, ~25.3K tok	~26.6K tok	✅
smart-contract-development	~1.1K tok	5 files, ~16.5K tok	~17.6K tok	⚠️ smart-contracts.md ~6.6K tok (consider splitting)
create-vechain-dapp	~1.8K tok	3 files, ~14.2K tok	~16.0K tok	⚠️ monorepo.md ~10.8K tok (consider splitting)
vebetterdao	~1.1K tok	6 files, ~14.8K tok	~15.8K tok	✅
vechain-kit	~1.4K tok	7 files, ~13.4K tok	~14.9K tok	✅
x-2-earn-apps	~1.0K tok	6 files, ~10.0K tok	~11.1K tok	✅
vechain-core	~1.2K tok	4 files, ~8.7K tok	~9.9K tok	✅
vechain-react-native-dev	~1.5K tok	3 files, ~6.7K tok	~8.2K tok	✅
stargate	~736 tok	2 files, ~5.0K tok	~5.7K tok	✅
vebetterdao-navigators	~5.7K tok	0 files, ~0 tok	~5.7K tok	⚠️ SKILL.md ~5.7K tok (always in context)
auto-voting-relayers	~5.5K tok	0 files, ~0 tok	~5.5K tok	⚠️ SKILL.md ~5.5K tok (always in context)
indexer-core	~1.2K tok	5 files, ~3.0K tok	~4.1K tok	✅
secure-github-actions	~1.2K tok	4 files, ~2.9K tok	~4.0K tok	✅
frontend	~1.1K tok	1 files, ~3.0K tok	~4.0K tok	✅
translate	~1.2K tok	0 files, ~0 tok	~1.2K tok	✅
grill-me	~418 tok	0 files, ~0 tok	~418 tok	✅
TOTAL			~150.8K tok

Large reference files (>5.0K tok)

File	Est. tokens
create-vechain-dapp/references/monorepo.md	~10.8K
smart-contract-development/references/smart-contracts.md	~6.6K

How to read this: SKILL.md is always loaded into the context window. Reference files are loaded on demand when the topic matches. Token counts are estimates (~4 chars/token). Consider splitting reference files over ~5.0K tokens.