// The authoritative skill lifecycle state model including container states, version states, review workflow states, visibility overlay, and governance actions. Ensures agents don't introduce invalid states or transitions.
API design conventions, namespace coordinate system, RBAC roles, ClawHub compatibility layer, OpenAPI contract sync rules, and CSRF/session handling.
Rules for the SkillHub backend Maven multi-module clean architecture. Ensures agents place new code in the correct module and respect dependency direction.
Code style, logging, and testing conventions for SkillHub backend (Java) and frontend (TypeScript). Use when writing or reviewing code.
The complete development workflow for SkillHub contributors including local dev, staging validation, testing, and PR creation. Ensures agents follow the correct sequence of steps.
Coding conventions, architecture patterns, and testing rules for the SkillHub React frontend. Ensures agents follow Feature-Sliced Design and use the generated OpenAPI types.
PR title format, commit conventions, and pre-PR checklist for SkillHub. Use when preparing or reviewing pull requests.
| name | skill-lifecycle |
| description | The authoritative skill lifecycle state model including container states, version states, review workflow states, visibility overlay, and governance actions. Ensures agents don't introduce invalid states or transitions. |
| license | Apache-2.0 |
Use this skill when:
Enum SkillStatus (domain/skill/SkillStatus.java):
| Value | Meaning |
|---|---|
ACTIVE | Skill is operational and can have versions published |
HIDDEN | Skill hidden by platform governance (design doc says prefer boolean hidden flag instead) |
ARCHIVED | Skill archived by owner/namespace admin, cannot publish new versions |
Design-vs-code note: docs/14-skill-lifecycle.md specifies hidden should be a governance
overlay (boolean flag) rather than a lifecycle enum state. The current code still defines
SkillStatus.HIDDEN. New code should use the skill.hidden boolean field, not the enum value.
Enum SkillVersionStatus (domain/skill/SkillVersionStatus.java):
| Value | Meaning |
|---|---|
DRAFT | Non-public draft, can resubmit or delete |
SCANNING | Undergoing security scan |
SCAN_FAILED | Security scan failed |
UPLOADED | Uploaded but not yet submitted for review (or withdrawn from review) |
PENDING_REVIEW | Frozen pending reviewer action |
PUBLISHED | Currently distributable |
REJECTED | Review denied, retained |
YANKED | Was published, withdrawn from distribution |
Enum ReviewTaskStatus (domain/review/ReviewTaskStatus.java):
| Value | Meaning |
|---|---|
PENDING | Awaiting reviewer |
APPROVED | Reviewer approved |
REJECTED | Reviewer rejected |
Enum SkillVisibility (used in SkillPublishService):
| Value | Publish Path |
|---|---|
PUBLIC | Creates PENDING_REVIEW version, review task, security scan |
NAMESPACE_ONLY | Same as PUBLIC but limited visibility scope |
PRIVATE | Goes directly to UPLOADED status, no review task |
SUPER_ADMIN role bypasses review — versions go directly to PUBLISHED.
Skill.latestVersionId is only the latest published pointer:
PUBLISHED versionnull if no published version existslatest tag auto-follows this pointer (read-only)PUBLISHED version, or null| Action | From | To | Notes | Source |
|---|---|---|---|---|
| First upload (PUBLIC/NAMESPACE_ONLY) | — | PENDING_REVIEW | Review task created | SkillPublishService |
| First upload (SUPER_ADMIN) | — | PUBLISHED | Direct publish, SkillPublishedEvent emitted | SkillPublishService |
| First upload (PRIVATE) | — | UPLOADED | No review task, latestVersionId updated | SkillPublishService |
| Review approve | PENDING_REVIEW | PUBLISHED | Updates latestVersionId | Review workflow |
| Review reject | PENDING_REVIEW | REJECTED | Version retained | Review workflow |
| Withdraw review | PENDING_REVIEW | UPLOADED | Deletes pending ReviewTask | SkillGovernanceService.withdrawPendingVersion |
| Yank | PUBLISHED | YANKED | Recalculates latestVersionId | SkillGovernanceService.yankVersion |
| Hide | — | hidden=true | Independent overlay | SkillGovernanceService.hideSkill |
| Restore | — | hidden=false | Independent overlay | SkillGovernanceService.unhideSkill |
| Archive | ACTIVE | ARCHIVED | SkillStatusChangedEvent emitted | SkillGovernanceService.archiveSkill |
| Unarchive | ARCHIVED | ACTIVE | SkillStatusChangedEvent emitted | SkillGovernanceService.unarchiveSkill |
| New publish (existing pending) | PENDING_REVIEW | UPLOADED | Auto-withdraw + delete review task | SkillPublishService |
| Delete version | DRAFT/REJECTED/SCAN_FAILED/UPLOADED | — | Last version protected | SkillGovernanceService.deleteVersion |
When yanking the current latestVersionId (SkillGovernanceService):
PUBLISHED versions for the skillpublishedAt DESC, then createdAt DESC, then id DESClatestVersionId to the top result, or null if none remainRead models (detail, my-skills, favorites, search) use *QueryRepository patterns:
headlineVersion — Main display version for the pagepublishedVersion — Latest published versionownerPreviewVersion — Pending review version (visible to owner/namespace admin)resolutionMode — PUBLISHED, OWNER_PREVIEW, or NONEPublic browsing, install, download, search only use publishedVersion.
| Action | Who |
|---|---|
| Withdraw review | Submitter only |
| Delete version | Owner or namespace admin, only DRAFT/REJECTED/SCAN_FAILED/UPLOADED |
| Archive/unarchive | Owner or namespace admin (ADMIN or OWNER role) |
| Hide/restore | Platform governance (no permission check in code) |
| Yank | Platform governance (no permission check in code) |
| Publish PUBLIC skill | Namespace member (or SUPER_ADMIN) |
| Publish PRIVATE skill | Namespace member (or SUPER_ADMIN) |
SkillGovernanceService.deleteVersion enforces:
DRAFT, REJECTED, SCAN_FAILED, or UPLOADED versions can be deletedbundle.zip)latestVersionId if the deleted version was the pointer| Event | When Emitted |
|---|---|
SkillStatusChangedEvent | Archive or unarchive |
SkillPublishedEvent | SUPER_ADMIN direct publish |
SkillVersionYankedEvent | Yank action |
ReviewSubmittedEvent | Create review task for PUBLIC/NAMESPACE_ONLY |
SkillStatus.HIDDEN directly — use skill.setHidden(true) via SkillGovernanceService insteadlatestVersionId after yank or version deletionconfirmWarnings two-step publish flow (warnings require explicit confirmation)PRIVATE visibility skips review