feat: APM integration — squad skill publish/install + apm.yml in init

[tamirdresher]

Summary

Implements #824 — APM (Agent Package Manager) integration into Squad CLI.

What is APM?

APM is \package.json\ for AI agent context. You declare skills, instructions, and prompts in \apm.yml\ and \apm install\ deploys them to .github/, .claude/, .cursor/\ etc.
See: https://github.com/microsoft/apm

Changes

New command: \squad skill\

\
squad skill publish [] Export skill(s) to APM format (updates apm.yml)
squad skill install Install from APM registry
squad skill list List installed skills
\\

Install sources:

• \owner/repo\ — all skills from a GitHub repo (reads their \apm.yml\ or .squad/skills/)
• \owner/repo/skill-name\ — a specific named skill
• \https://...\ — direct URL to a \skill.md\ file

Implementation details:

• \skill publish\ reads front-matter from \skill.md\ files to populate \apm.yml\
• \skill install\ uses GitHub CLI (\gh api) to fetch content — no extra dependencies
• Installed skills get a .apm-source.json\ metadata file for provenance tracking

Updated: \squad init\

Now generates \apm.yml\ at the project root alongside .squad/.
Follows \skipExisting\ semantics — re-running \squad init\ won't overwrite.

Updated: \squad help\

Added \skill\ command to help output.

Design notes

• .squad/\ remains the source of truth — APM is an additional export layer
• Skills become portable and community-shareable via APM registry
• No new npm dependencies added

Closes #824

[github-actions]

🛫 PR Readiness Check

ℹ️ This comment updates on each push. Last checked: commit e033083

PR Scope: 📦🔧 Mixed (product + infrastructure)

⚠️ 4 item(s) to address before review

Status	Check	Details
❌	Single commit	8 commits — consider squashing before review
✅	Not in draft	Ready for review
❌	Branch up to date	insider is 69 commit(s) ahead — rebase recommended
❌	Copilot review	No Copilot review yet — it may still be processing
✅	Changeset present	Changeset file found
✅	Scope clean	⚠️ PR includes 2 .squad/ file(s) — ensure these are intentional
❌	No merge conflicts	Merge conflicts detected — resolve before review
✅	Copilot threads resolved	No Copilot review threads
✅	CI passing	All checks passing
✅	Issue linked	Issue reference found
✅	Protected files	No protected bootstrap files changed

Files Changed (12 files, +1328 −1)

File	+/−
.changeset/apm-integration.md	+7 −0
.squad-templates/squad.agent.md	+2 −1
.squad-templates/workflow-wiring-appendix-a-code-reviewer.md	+131 −0
.squad-templates/workflow-wiring-appendix-b-documenter.md	+140 −0
.squad-templates/workflow-wiring-guide.md	+276 −0
.squad/skills/fact-checking/SKILL.md	+61 −0
.squad/templates/agents/challenger.md	+72 −0
CHANGELOG.md	+4 −0
packages/squad-cli/src/cli-entry.ts	+10 −0
packages/squad-cli/src/cli/commands/skill.ts	+568 −0
packages/squad-cli/src/cli/core/init.ts	+55 −0
packages/squad-cli/src/cli/index.ts	+2 −0

Total: +1328 −1

---

This check runs automatically on every push. Fix any ❌ items and push again.
See CONTRIBUTING.md and PR Requirements for details.

[Meir017]

are skills still being saved here?

[tamirdresher]

Good question. collectSkills itself is read-only — it scans .squad/skills/*/skill.md, parses front-matter, and returns an in-memory array. No writes happen here.

Skills are persisted in two other places in this file:

1. publish() — calls collectSkills, then serializes the result into apm.yml via writeFile(apmPath, ...) (around line 155). For single-skill publish, it also writes a per-skill apm.yml inside the skill directory (line 127).

2. install() — writes the fetched skill.md to .squad/skills/<name>/skill.md and adds an .apm-source.json metadata file for provenance tracking (e.g. lines 259–265 in installFromGitHub).

So the flow is: install saves skills to disk → collectSkills reads them back → publish exports them to apm.yml. The .squad/ directory remains the source of truth as noted in the PR description.

[Meir017]

I meant skills are now regular skills. #430

[tamirdresher]

You're right — #430 moved skills to .copilot/skills/ as the standard path. This APM code still hardcodes .squad/skills/. I'll update skill.ts to use .copilot/skills/ as primary (with .squad/skills/ fallback for backward compat, same pattern as LocalSkillSource).

[Meir017]

*You're absolutely right 😉

[Omzig]

they closed my enhancement request to get those paths normalized and added to default settings :(

• Normalize Github Copilot File Locations microsoft/vscode#308091

[Omzig]

FYI; i put in a manual fix to the front matter and the cli does not see the nap command but the copilot chat does:

[Omzig]

after more research, it looks like .copilot/* is not a supported folder in the repo for the github Copilot CLI:
https://docs.github.com/en/copilot/how-tos/copilot-cli/customize-copilot/create-skills

[Omzig]

I added an enhancement request for copilot:

• Normalize Github Copilot File Locations microsoft/vscode#308091

They closed my enhancement request.

[diberry]

⚛️ Post-Merge Review — River (TypeScript Architect)

Verdict: 🟡 Conditional Approval — Architecture is sound, type safety needs follow-ups.

What's Good

• .squad/ is source of truth, APM is export layer — Clean separation. No coupling inversion.
• ApmSkill and ApmManifest interfaces — Good starting contracts, exported from barrel.
• Command routing follows existing patterns. generateApmYml is idempotent.
• Zero new npm dependencies — disciplined.

Type Safety Findings

#	Severity	Finding	Location
1	🔴	catch (err: any) ×2 — Should be unknown with narrowing	skill.ts:1057, 1171
2	🟡	as { name: string; path: string } ×3 — Replace with type guard	skill.ts:1117, 1125, 1131
3	🟡	Non-null assertions (!) ×6 — Regex groups and array indices aren't narrowed by TS	scattered
4	🟡	parseFrontMatter returns Record<string, string> — stringly typed, no compile-time contract	skill.ts:819
5	🟡	ApmManifest declared but never validated at runtime — type exists as documentation only	skill.ts:807-814
6	🟠	generateApmYml uses sync fs (writeFileSync) while skill.ts is fully async	init.ts:1397
7	🔴	No YAML value escaping — skill names/descriptions containing :, #, quotes, or newlines produce invalid YAML	publish(), generateApmYml()

Architecture Risks

• 🔴 Hand-rolled YAML parser in installFromGitHub — line-splitting and regex will silently break on multi-line strings, inline comments, quoted values with colons, flow sequences. Single biggest correctness risk.
• 🟡 Silent error swallowing — collectSkills, readProjectName, listSkills all have catch { /* ignore */ }. Corrupted skill files are silently skipped.
• 🟡 568 lines in one file — skill.ts handles YAML parsing, GitHub API calls, URL fetching, file I/O, manifest generation, and CLI routing. Should be split.
• Zero test files for 568 lines of new code. The hand-rolled YAML parser is too risky to ship untested.

Recommended Follow-Ups (Priority Order)

1. Add YAML value escaping for all publish/init output paths (data corruption bug)
2. Add unit tests for YAML parsing — at least 5 cases
3. Replace catch (err: any) with catch (err: unknown) — 2 instances
4. Add parseApmManifest() runtime validator
5. Consider yaml npm package (0 deps, 50KB) vs maintaining regex parser

---

Review by Squad AI team (River — TypeScript Architect) · requested by Dina Berry

[tamirdresher]

Thanks @diberry — River's review is solid. Filed #924 to track all findings. The YAML escaping and hand-rolled parser are the highest priority. Also noting @Omzig's finding that .copilot/skills/\ isn't supported by Copilot CLI — that affects our resolveSkillsDir() approach.