Develop

.claude-plugin/marketplace.json

@@ -6,14 +6,14 @@
   },
   "metadata": {
     "description": "Syncable CLI skills for AI coding agents — project analysis, security, vulnerabilities, dependencies, IaC validation, and cloud deployment.",
-    "version": "0.1.11"
+    "version": "0.1.13"
   },
   "plugins": [
     {
       "name": "syncable-cli-skills",
       "source": "./installer/plugins/syncable-cli-skills",
       "description": "Syncable CLI skills for project analysis, security scanning, vulnerability detection, dependency auditing, IaC validation, Kubernetes optimization, and cloud deployment.",
-      "version": "0.1.11",
+      "version": "0.1.13",
       "author": {
         "name": "Syncable",
         "email": "support@syncable.dev"

installer/.gitignore

@@ -1,3 +1,4 @@
 node_modules/
 dist/
 skills/
+!plugins/syncable-cli-skills/skills/

installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "syncable-cli-skills",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "type": "module",
   "description": "Install Syncable CLI skills for AI coding agents (Claude Code, Cursor, Windsurf, Codex, Gemini CLI)",
   "license": "GPL-3.0",

installer/plugins/syncable-cli-skills/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "syncable-cli-skills",
   "description": "Syncable CLI skills for project analysis, security scanning, vulnerability detection, dependency auditing, IaC validation, Kubernetes optimization, and cloud deployment.",
-  "version": "0.1.11",
+  "version": "0.1.13",
   "author": {
     "name": "Syncable",
     "email": "support@syncable.dev"

installer/plugins/syncable-cli-skills/skills/syncable-analyze/SKILL.md

@@ -0,0 +1,103 @@
+---
+description: "Analyze a project's tech stack including languages, frameworks, runtimes, package managers, and dependencies using the Syncable CLI sync-ctl tool"
+---
+
+## Purpose
+
+Analyze a project directory to detect its tech stack: programming languages, frameworks, runtimes, package managers, dependencies, Docker presence, and monorepo structure. This is the foundation skill — most workflows start here to understand what they're working with.
+
+## Prerequisites
+
+- `sync-ctl` binary installed and on PATH
+- Agent has access to the project directory
+
+## Commands
+
+### Basic analysis (agent output)
+
+```bash
+sync-ctl analyze <PATH> --agent
+```
+
+### Human-readable matrix view
+
+```bash
+sync-ctl analyze <PATH> --display matrix
+```
+
+### Filtered analysis (only specific aspects)
+
+```bash
+sync-ctl analyze <PATH> --agent --only languages,frameworks
+sync-ctl analyze <PATH> --agent --only dependencies
+```
+
+### Key Flags
+
+| Flag | Purpose |
+|------|---------|
+| `--agent` | Compressed output for agent consumption (always use when processing results) |
+| `--detailed` | Show detailed analysis (legacy vertical format) |
+| `--display {matrix\|detailed\|summary}` | Display format for human-readable output |
+| `--only <filters>` | Comma-separated: `languages`, `frameworks`, `dependencies` |
+
+## Output Interpretation
+
+When reporting to the user, prioritize: primary language, main framework, runtime version, and whether Docker/K8s infrastructure exists.
+
+## Reading Results
+
+When you use `--agent`, the output is a compressed summary — not the full analysis. Act on it directly for most decisions.
+
+The output JSON includes:
+- `summary` — project count, languages, frameworks detected
+- `full_data_ref` — reference ID for retrieving full data
+- `retrieval_hint` — exact command to get more details
+
+To drill into specifics:
+```bash
+# Get framework details
+sync-ctl retrieve <ref_id> --query "section:frameworks"
+
+# Get language breakdown
+sync-ctl retrieve <ref_id> --query "section:languages"
+
+# Get specific project details (monorepos)
+sync-ctl retrieve <ref_id> --query "project:<project-name>"
+
+# Get specific language details
+sync-ctl retrieve <ref_id> --query "language:Go"
+
+# Get specific framework details
+sync-ctl retrieve <ref_id> --query "framework:React"
+
+# List all stored outputs
+sync-ctl retrieve --list
+```
+
+**Available query filters:** `section:summary`, `section:frameworks`, `section:languages`, `language:<name>`, `framework:<name>`, `project:<name>`, `compact:true`
+
+## Error Handling
+
+| Error | Cause | Action |
+|-------|-------|--------|
+| `No such file or directory` | Invalid path | Ask user to verify the project path |
+| Empty output | No recognizable project files | Tell user the directory may not contain a supported project. Run `sync-ctl support` to show supported technologies |
+| Timeout | Very large monorepo | Try `--only languages` for a faster partial scan |
+
+## Examples
+
+**Analyze current directory:**
+```bash
+sync-ctl analyze . --agent
+```
+
+**Analyze a specific project:**
+```bash
+sync-ctl analyze /path/to/project --agent
+```
+
+**Quick language-only check:**
+```bash
+sync-ctl analyze . --agent --only languages
+```

installer/plugins/syncable-cli-skills/skills/syncable-dependencies/SKILL.md

@@ -0,0 +1,93 @@
+---
+description: "Audit project dependencies for licenses, production vs development split, and detailed package analysis using the Syncable CLI sync-ctl tool"
+---
+
+## Purpose
+
+Analyze project dependencies in detail: list all packages, check license types, separate production from development dependencies, and optionally flag vulnerabilities inline. Use this for license compliance and dependency inventory.
+
+## Prerequisites
+
+- `sync-ctl` binary installed and on PATH
+- Agent has access to the project directory
+
+## Commands
+
+### Full dependency analysis with licenses
+
+```bash
+sync-ctl dependencies <PATH> --licenses --agent
+```
+
+### Production dependencies only
+
+```bash
+sync-ctl dependencies <PATH> --licenses --prod-only --agent
+```
+
+### Key Flags
+
+| Flag | Purpose |
+|------|---------|
+| `--agent` | Compressed output for agent consumption (always use) |
+| `--licenses` | Include license information for each dependency |
+| `--vulnerabilities` | Quick inline vulnerability check (for thorough CVE scanning, use the standalone `sync-ctl vulnerabilities` command instead) |
+| `--prod-only` | Show only production dependencies |
+| `--dev-only` | Show only development dependencies |
+
+## Output Interpretation
+
+**Priority for reporting to user:**
+1. License concerns (copyleft in commercial projects, unknown licenses)
+2. Dependency counts (prod vs dev)
+3. Specific packages only if asked
+
+**When to use `--vulnerabilities` vs standalone `vulnerabilities` command:**
+- Use `--vulnerabilities` here for a quick inline check alongside license info
+- Use `sync-ctl vulnerabilities` for a dedicated, thorough CVE scan
+
+## Reading Results
+
+When you use `--agent`, the output is a **compressed summary** with counts, license distribution, and source breakdown. Individual package details are NOT in the compressed output — use `sync-ctl retrieve` to get them.
+
+**What's in the compressed output:**
+- `total` — total dependency count
+- `production` / `development` — prod vs dev split
+- `by_source` — counts per ecosystem (npm, crates.io, pypi, etc.)
+- `by_license` — license distribution
+- `full_data_ref` — reference ID for the full data
+
+**To get individual package details, use retrieve:**
+```bash
+# Get the full dependency list
+sync-ctl retrieve <ref_id>
+
+# Search for a specific package
+sync-ctl retrieve <ref_id> --query "file:package.json"
+```
+
+Results are paginated (default 20). Use `--limit N --offset M` for more.
+
+## Error Handling
+
+| Error | Cause | Action |
+|-------|-------|--------|
+| `No dependencies found` | No package manager files | Verify project path, run `sync-ctl analyze` to check for supported package managers |
+| Incomplete results | Some package managers not fully parsed | Note which ecosystems were scanned and which may be missing |
+
+## Examples
+
+**Full audit with licenses:**
+```bash
+sync-ctl dependencies . --licenses --agent
+```
+
+**Production-only for license compliance:**
+```bash
+sync-ctl dependencies . --licenses --prod-only --agent
+```
+
+**Quick vulnerability check alongside deps:**
+```bash
+sync-ctl dependencies . --licenses --vulnerabilities --agent
+```

installer/plugins/syncable-cli-skills/skills/syncable-deploy-pipeline/SKILL.md

@@ -0,0 +1,139 @@
+---
+description: "Deploy a project through Syncable by orchestrating authentication, project analysis, security gating, and cloud deployment using the Syncable CLI sync-ctl tool"
+---
+
+## Purpose
+
+Orchestrate a full deployment pipeline through the Syncable platform: authenticate, analyze the project, run a security audit as a gate, then deploy. Ensures no deployment happens without authentication and security review.
+
+## Prerequisites
+
+- `sync-ctl` binary installed and on PATH
+- Internet access for Syncable API
+- Agent has access to the project directory
+
+## Workflow Steps
+
+### Step 1: Check authentication and platform context
+
+```bash
+sync-ctl auth status
+```
+
+**Decision point:** If not authenticated:
+```bash
+sync-ctl auth login
+```
+
+Then verify project/environment context:
+```bash
+sync-ctl project current
+```
+
+**Decision point:** If no project selected:
+```bash
+sync-ctl org list
+# Ask user which org
+sync-ctl org select <ORG_ID>
+sync-ctl project list
+# Ask user which project
+sync-ctl project select <PROJECT_ID>
+sync-ctl env list
+# Ask user which environment
+sync-ctl env select <ENV_ID>
+```
+
+### Step 2: Analyze the project
+
+```bash
+sync-ctl analyze <PATH> --agent
+```
+
+Save the `full_data_ref` from the analyze output — do not re-run analyze in later steps; use `sync-ctl retrieve` with this ref_id instead.
+
+### Step 3: Pre-deploy security audit
+
+Execute the `syncable-security-audit` workflow inline (all its steps and decision logic). **Note:** Step 2's analyze output is reused here — do not re-run analyze.
+
+1. `sync-ctl security <PATH> --mode paranoid --agent`
+2. `sync-ctl vulnerabilities <PATH> --agent`
+3. `sync-ctl validate <PATH>` (if IaC files exist per Step 2's analysis)
+
+**CRITICAL GATE:** Check the security output's `status` field:
+- If `status` is "CRITICAL_ISSUES_FOUND": present findings to user, warn, require confirmation
+- If `status` is "HIGH_ISSUES_FOUND": warn but allow deployment
+- If `status` is "CLEAN": proceed to deploy
+
+All critical findings are in the `critical_issues` array of the compressed output — no retrieval needed for the gate decision.
+
+### Step 4: Deploy
+
+**4a. Get deployment recommendation:**
+```bash
+sync-ctl deploy preview <PATH>
+```
+
+This returns JSON with: provider recommendation (with reasoning), region, machine type, detected port, health check endpoint, alternatives, discovered .env files, and already-deployed service endpoints.
+
+**4b. Present recommendation to user and confirm.** Show:
+- Recommended provider, region, machine type
+- Detected port and whether public/internal
+- Any .env files found — ask if they should be injected
+- Any service endpoints that could be referenced (e.g., `BACKEND_URL`)
+
+**4c. Deploy with confirmed settings:**
+```bash
+sync-ctl deploy run <PATH> --provider <PROVIDER> --region <REGION> --port <PORT>
+```
+
+Add `--public` if user wants a public URL. Add `--env KEY=VALUE` for env vars and `--secret KEY` for secrets (user prompted in terminal). Add `--env-file .env` to inject from file.
+
+**4d. Monitor:**
+```bash
+sync-ctl deploy status <TASK_ID> --watch
+```
+
+**Example with user overrides:**
+```bash
+# User said "deploy to GCP in us-central1, make it public, use the .env file"
+sync-ctl deploy run ./services/api \
+  --provider gcp --region us-central1 --port 8080 --public \
+  --env-file .env \
+  --secret "STRIPE_KEY"
+```
+
+## Decision Points Summary
+
+| Condition | Action |
+|-----------|--------|
+| Not authenticated | Run `sync-ctl auth login` first |
+| No project/env selected | Guide user through selection |
+| Critical security findings | Warn user, require explicit confirmation to proceed |
+| High security findings (no critical) | Warn user but allow deployment |
+| Clean security audit | Proceed to deploy |
+
+## Safety
+
+- **Never deploy without the security gate.** Even if the user says "just deploy", run at least a fast security scan.
+- **Always confirm with the user before triggering deployment.** Show them what will be deployed, to which environment.
+- **Monitor deployment status** after triggering — don't fire-and-forget.
+
+## Cross-Step Retrieval
+
+Each step produces a `full_data_ref` in its output. You can retrieve details from any previous step at any time:
+
+```bash
+# Check what data is available from all steps
+sync-ctl retrieve --list
+
+# Get framework details from Step 2 (analyze)
+sync-ctl retrieve <analyze_ref_id> --query "section:frameworks"
+
+# Get critical security findings from Step 3
+sync-ctl retrieve <security_ref_id> --query "severity:critical"
+
+# Get vulnerability details from Step 3
+sync-ctl retrieve <vuln_ref_id> --query "severity:high"
+```
+
+Do NOT re-run a command just to get more detail — use `sync-ctl retrieve` instead.