From 18e71db7fc793ce01f94f06a6dec7141479fde2a Mon Sep 17 00:00:00 2001 From: HiranoMasaaki Date: Sat, 3 Jan 2026 05:17:29 +0000 Subject: [PATCH] fix(create-expert): add pick to internal experts for minimal privilege MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add pick lists to all 8 internal PBT framework experts to follow the minimal privilege principle documented in docs/making-experts/skills.md. Each expert now only has access to the tools it requires: - create-expert: ["attemptCompletion"] (only orchestrates via delegates) - property-extractor: ["attemptCompletion"] - ecosystem-builder: ["readTextFile", "appendTextFile", "attemptCompletion"] - integration-manager: ["attemptCompletion"] - functional-manager: ["attemptCompletion"] - usability-manager: ["attemptCompletion"] - expert-tester: ["exec", "attemptCompletion"] - report-generator: ["attemptCompletion"] Closes #350 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 --- .changeset/add-pick-to-experts.md | 15 +++++++++++++++ apps/create-expert/src/lib/create-expert-toml.ts | 8 ++++++++ 2 files changed, 23 insertions(+) create mode 100644 .changeset/add-pick-to-experts.md diff --git a/.changeset/add-pick-to-experts.md b/.changeset/add-pick-to-experts.md new file mode 100644 index 00000000..6c16db05 --- /dev/null +++ b/.changeset/add-pick-to-experts.md 
@@ -0,0 +1,15 @@ +--- +"create-expert": patch +--- + +Add `pick` to all internal PBT framework experts for minimal privilege + +Each expert now only has access to the tools it actually needs: +- `create-expert`: `["attemptCompletion"]` +- `property-extractor`: `["attemptCompletion"]` +- `ecosystem-builder`: `["readTextFile", "appendTextFile", "attemptCompletion"]` +- `integration-manager`: `["attemptCompletion"]` +- `functional-manager`: `["attemptCompletion"]` +- `usability-manager`: `["attemptCompletion"]` +- `expert-tester`: `["exec", "attemptCompletion"]` +- `report-generator`: `["attemptCompletion"]` diff --git a/apps/create-expert/src/lib/create-expert-toml.ts b/apps/create-expert/src/lib/create-expert-toml.ts index 14334924..c9fd903a 100644 --- a/apps/create-expert/src/lib/create-expert-toml.ts +++ b/apps/create-expert/src/lib/create-expert-toml.ts @@ -620,6 +620,7 @@ delegates = ["property-extractor", "ecosystem-builder", "integration-manager", " type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["attemptCompletion"] # ---------------------------------------------------------------------------- @@ -634,6 +635,7 @@ ${PROPERTY_EXTRACTOR_INSTRUCTION} type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["attemptCompletion"] # ---------------------------------------------------------------------------- @@ -648,6 +650,7 @@ ${ECOSYSTEM_BUILDER_INSTRUCTION} type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["readTextFile", "appendTextFile", "attemptCompletion"] # ---------------------------------------------------------------------------- @@ -663,6 +666,7 @@ delegates = ["functional-manager", "usability-manager"] type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["attemptCompletion"] # ---------------------------------------------------------------------------- 
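Review bot: No test accompanies the `pick` line added in the `@@ -620,6 +620,7 @@` hunk, so nothing stops the next expert added to this template from shipping without an allow-list; the diffstat lists only the changeset and `create-expert-toml.ts`. The same gap applies to the hunks at `-634`, `-663`, `-678`, `-693` and `-721`. I would add a unit test that parses the generated TOML and fails when any `mcpStdioSkill` block has a missing or empty `pick`, and put a comment above this first occurrence such as `# pick: allow-list of @perstack/base tools this expert may call; keep it minimal`. The context lines also resolve the skill through `npx` with `packageName = "@perstack/base"` and no visible version, so the names in `pick` are matched against whichever release is fetched; pinning it, if the skill schema supports that, would make the allow-list mean the same thing on every run. The template literal these lines sit in starts and ends outside the hunk.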
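Review bot: The `pick` added for ecosystem-builder in the `@@ -650,6 +650,7 @@` hunk limits which tools are exposed but says nothing about which files `readTextFile` and `appendTextFile` may touch, and the hunk does not show whether `@perstack/base` confines them to a workspace directory. This is the only expert in the patch that can modify files, so the line deserves a comment recording the intent, for example `# file tools: only for the generated expert files; path confinement is provided by <component> (confirm)`. It is also worth confirming that `appendTextFile` can create a file that does not exist yet, since no write or create tool is in the list. The surrounding template literal starts outside the hunk.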
@@ -678,6 +682,7 @@ delegates = ["expert-tester"] type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["attemptCompletion"] # ---------------------------------------------------------------------------- @@ -693,6 +698,7 @@ delegates = ["expert-tester"] type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["attemptCompletion"] # ---------------------------------------------------------------------------- @@ -707,6 +713,7 @@ ${EXPERT_TESTER_INSTRUCTION} type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["exec", "attemptCompletion"] # ---------------------------------------------------------------------------- @@ -721,5 +728,6 @@ ${REPORT_GENERATOR_INSTRUCTION} type = "mcpStdioSkill" command = "npx" packageName = "@perstack/base" +pick = ["attemptCompletion"] ` }
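Review bot: `exec` in the `@@ -707,6 +713,7 @@` hunk is the one entry across these allow-lists that presumably runs commands, and the line carries no comment saying why expert-tester needs it or what bounds it. The hunk headers at `-678` and `-693` show `delegates = ["expert-tester"]`, so two managers can route work to this expert, and whatever they pass along ends up next to a command-execution tool. I would add a comment above the line such as `# exec: needed to run the expert under test; expert-tester must stay the only expert with exec`, and have the test suggested for the other `pick` lines assert that `exec` appears in no other expert's list. What `exec` is permitted to run is defined in `@perstack/base` and is not visible here, so any sandboxing assumption should be stated in that comment and not left implicit.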