Goal
Define how Corvus should support third-party skills without weakening the product trust model.
Product Intent
Third-party skills should be:
- supported,
- disabled by default,
- installable only from user-defined sources,
- clearly separated from official skills in trust level and UX.
Current Context
Current remote skill installation is permissive and repository-based. That is too weak for the product model we want.
Questions to Close
- What counts as an allowed third-party source?
- How does a user explicitly opt in to third-party skill sources?
- Should sources be allowlisted in config, per workspace, or globally?
- What warnings, prompts, or approvals are required before install?
- How should Corvus represent trust level for installed skills?
Acceptance Criteria
- Third-party source policy is explicitly defined.
- Disabled-by-default behavior is explicit.
- Trust and UX boundaries between official and third-party skills are clear.
- Follow-up implementation issues can be created cleanly.
Goal
Define how Corvus should support third-party skills without weakening the product trust model.
Product Intent
Third-party skills should be:
Current Context
Current remote skill installation is permissive and repository-based. That is too weak for the product model we want.
Questions to Close
Acceptance Criteria