Read-only pre-flight verification of a staged release candidate (RC) for `<upstream>`. Checks artefact integrity (GPG signatures and checksums), Apache RAT licence headers, NOTICE/LICENSE completeness, prohibited-binary absence (including `.pyc` / `__pycache__`), source-tree integrity (no dangling symlinks or broken internal references), and version-string consistency. Emits a structured PASS / PASS-WITH-WARNINGS / FAIL report. Makes no state change; a `--post-to <planning-issue>` flag proposes a comment for explicit RM confirmation before any posting.
Post-vote committer and PMC onboarding for Apache projects. Walks the nominator through every step from ICLA check to welcome announcement for both incubating podlings and graduated top-level projects.
Read-only license audit of a project's direct and transitive dependency tree. Detects the dependency manager(s), resolves each dependency's declared license from ecosystem metadata, classifies each against a configured policy (ASF three-category A/B/X model or a custom allowlist), and surfaces incompatible, forbidden, and unknown-license dependencies for maintainer review. Never modifies manifests or lock files.
Read-only dashboard over a directory of `verdict.json` files produced by `issue-reassess` campaigns. Surfaces a health rating, classification distribution, partial-fix surfaces, oldest-unresolved buckets, and per-component breakdowns. Output is HTML by default; markdown fallback available. Read-only on tracker state; consumes campaign artefacts.
For a single `<issue-tracker>` issue identifying a code-level bug, extract the reporter's example code from the issue body, adapt it to run on the current `<default-branch>`, execute via `<runtime>`, and compose a `verdict.json` describing the observed behaviour vs the expected failure. Read-only on the tracker — produces evidence, never posts. Invoked by `issue-triage` and `issue-reassess`; can also be run standalone.
Print a human-readable index of every skill in this repository, grouped by family prefix (`pr-management`, `security`, `setup`, …) with each skill's name and the first sentence of its `description`. The listing is generated on every run from the live `.claude/skills/*/SKILL.md` files, so it never goes stale when skills are added, removed, or rewritten.
Optimize an existing framework skill (or sweep a set of them) by applying the restructuring patterns proven on the security-skill suite: split an oversized `SKILL.md` into linked sibling docs, lift concrete/project-specific values out of the body into `<project-config>` placeholders, replace in-agent-context body reads with out-of-context tool calls, batch per-item fetches into a single upfront pass, and add a deterministic pre-flight no-op classifier ahead of LLM passes. Every change is a behavior- preserving proposal the maintainer signs off on; the skill validator must stay green before and after. The refactoring sibling of `write-skill` (which authors net-new skills).
Fan a local diff through three independent, axis-focused review passes (correctness, security, conventions), then merge the findings into a single structured report. Each pass is isolated so findings from one axis cannot suppress or bias the others. The merged report uses the same format as pairing-self-review so the developer gets a consistent signal regardless of which Agentic Pairing skill they invoke.