Move genesis-evals out of .apm/ to avoid scanner leak

APM's local-content scanner treats .apm/skills/ as a publishable source
root regardless of devDep marker. A maintainer-only skill colocated
under .apm/ would leak into apm pack --format plugin even when
declared as a devDependency.

Cure: live under dev/skills/ instead.

- git mv .apm/skills/genesis-evals dev/skills/genesis-evals
- update path refs in SKILL.md, scripts, composition-substrate asset
- declare local-path devDependency in apm.yml
- commit apm.lock.yaml (single local entry, is_dev: true)

This dogfoods the BUNDLE LEAKAGE / DISPATCH CONTAMINATION discipline
that genesis itself teaches.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: danielmeppiel

apm.lock.yaml

@@ -0,0 +1,11 @@
+lockfile_version: '1'
+generated_at: '2026-04-26T11:12:53.114123+00:00'
+apm_version: 0.10.0
+dependencies:
+- repo_url: _local/genesis-evals
+  package_type: claude_skill
+  deployed_files:
+  - .github/skills/genesis-evals
+  source: local
+  local_path: ./dev/skills/genesis-evals
+  is_dev: true

apm.yml

@@ -4,3 +4,9 @@ description: A design discipline for agentic primitives. Substrate, patterns, co
 author: Daniel Meppiel <danielmeppiel@users.noreply.github.com>
 license: Apache-2.0
 homepage: https://github.com/danielmeppiel/genesis
+
+# Maintainer-only dev infra. Lives outside .apm/ so APM's local-content
+# scanner does not auto-publish it. Install with: apm install --dev
+devDependencies:
+  apm:
+    - path: ./dev/skills/genesis-evals

.apm/skills/genesis-evals/.gitignore dev/skills/genesis-evals/.gitignore.apm/skills/genesis-evals/.gitignore renamed to dev/skills/genesis-evals/.gitignore

@@ -9,9 +9,10 @@ description: >-
   or "regenerate the eval matrix". This skill orchestrates parallel cold
   sub-agent spawns via the harness's task tool, scores deterministically,
   and converges P>=0.8 / N>=0.8 / R==1.0 within max 3 iteration loops.
-  This skill is contributor-only -- it lives under .apm/skills/ and is
-  NOT shipped inside the user-facing skills/genesis/ bundle (BUNDLE
-  LEAKAGE discipline).
+  This skill is contributor-only -- it lives under dev/skills/ (OUTSIDE
+  .apm/) and is NOT shipped inside the user-facing skills/genesis/
+  bundle (BUNDLE LEAKAGE discipline). See "Why this lives outside
+  .apm/" below.
 ---
 
 # genesis-evals: maintainer-side eval runner
@@ -20,14 +21,22 @@ Run the genesis self-eval suite. Steers the parent LLM session to
 orchestrate cold sub-agent spawns, capture responses, score
 deterministically, and report convergence.
 
-## Why this lives under .apm/
+## Why this lives outside `.apm/`
 
 Genesis ships to USERS via npx / `apm install`. Eval scenarios LOOK
 LIKE real user requests (that is the point). Colocating them under
 `skills/genesis/evals/` would risk DISPATCH CONTAMINATION (an
 over-eager harness loader pulling scenario prompts into the active
 context) and PAYLOAD BLOAT for users who never run evals.
 
+We also keep this OUTSIDE `.apm/` because APM treats `.apm/` as the
+publishable source root: its local-content scanner picks up anything
+under `.apm/skills/` regardless of dev-marker, so `apm pack
+--format plugin` would leak this maintainer-only skill into the
+shipped artifact. Living under `dev/skills/` keeps it scanner-invisible
+while still letting `apm install --dev` deploy it via the local-path
+devDependency in the root `apm.yml`.
+
 This is the inverse of PHANTOM DEPENDENCY (referenced-but-not-bundled):
 BUNDLE LEAKAGE (bundled-but-not-consumed-at-runtime). See
 `skills/genesis/assets/composition-substrate.md` "Anti-patterns
@@ -88,9 +97,9 @@ flagged at this step".
 ## Step 1 -- validate
 
 ```
-python .apm/skills/genesis-evals/scripts/validate_scenarios.py \
-  --scenarios-dir .apm/skills/genesis-evals/scenarios \
-  --schema        .apm/skills/genesis-evals/schema/scenario.schema.json
+python dev/skills/genesis-evals/scripts/validate_scenarios.py \
+  --scenarios-dir dev/skills/genesis-evals/scenarios \
+  --schema        dev/skills/genesis-evals/schema/scenario.schema.json
 ```
 
 If exit non-zero, STOP. Fix the schema/yaml violations before any
@@ -100,7 +109,7 @@ spawn. No partial runs.
 
 ```
 RUN_ID=$(date -u +%Y%m%dT%H%M%SZ)
-RUNS_DIR=.apm/skills/genesis-evals/runs
+RUNS_DIR=dev/skills/genesis-evals/runs
 mkdir -p "$RUNS_DIR/$RUN_ID"
 ```
 
@@ -118,8 +127,8 @@ For EACH scenario YAML in `scenarios/`:
 
 1. **Record the spawn intent** (deterministic, pre-spawn):
    ```
-   python .apm/skills/genesis-evals/scripts/spawn_record.py \
-     --scenario .apm/skills/genesis-evals/scenarios/<id>.yml \
+   python dev/skills/genesis-evals/scripts/spawn_record.py \
+     --scenario dev/skills/genesis-evals/scenarios/<id>.yml \
      --half     <with|without|single> \
      --run-id   "$RUN_ID" \
      --runs-dir "$RUNS_DIR"
@@ -156,10 +165,10 @@ parallel as the harness permits. Do NOT serialize unless forced.
 ## Step 4 -- score
 
 ```
-python .apm/skills/genesis-evals/scripts/score_run.py \
+python dev/skills/genesis-evals/scripts/score_run.py \
   --run-id        "$RUN_ID" \
   --runs-dir      "$RUNS_DIR" \
-  --scenarios-dir .apm/skills/genesis-evals/scenarios
+  --scenarios-dir dev/skills/genesis-evals/scenarios
 ```
 
 Writes `<runs-dir>/<run-id>/summary.md`. Exit code: 0 if converged,
@@ -242,7 +251,7 @@ the file (provenance / audit trail).
 ## Setup (one-time)
 
 ```
-pip install -r .apm/skills/genesis-evals/requirements.txt
+pip install -r dev/skills/genesis-evals/requirements.txt
 ```
 
 (deps: pyyaml, jsonschema. Maintainer-side only. Users never see