Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

danshapiro/create-runfile

Name: create-runfile
Author: danshapiro

skills/create-runfile/SKILL.md

npx skillsauth add danshapiro/kilroy create-runfile

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Create Runfile

Scope

This skill owns run config authoring (run.yaml / run.json) for kilroy attractor run and resume.

In scope:

Building config structure (version: 1 schema).
Aligning provider backends with DOT model/provider usage.
Setting runtime, preflight, modeldb, git, and CXDB defaults.

Out of scope:

DOT graph authoring and routing design. Use create-dotfile for graph work.

Overview

Core principle:

Keep execution policy in run config, not in DOT topology.
Align run config with what the graph needs to execute now.
Favor explicit, deterministic defaults over implicit behavior.

Default run-config source:

skills/create-runfile/reference_run_template.yaml

Workflow

Collect inputs.

Read the target DOT graph and detect provider usage (llm_provider attrs and model_stylesheet).
Capture user constraints for production/test mode and backend policy.

Choose run mode explicitly.

Production mode: llm.cli_profile: real and no test-shim flags.
Test mode: llm.cli_profile: test_shim with shim-compatible provider config.

Start from the template and fill required fields.

Required: version, repo.path, cxdb.binary_addr, cxdb.http_base_url, modeldb.openrouter_model_info_path.
Keep absolute paths for repo/modeldb/script entries.
Emit only fields supported by internal/attractor/engine/config.go.
Unknown keys are rejected at load time; do not emit unsupported keys.

Align providers with DOT.

For every provider used by DOT, set llm.providers.<provider>.backend (api or cli).
Do not edit DOT to force backend execution strategy.

4.5 Resolve model names deterministically when catalogs are unavailable.

Model resolution order: user-specified model -> run snapshot/modeldb path -> internal/attractor/modeldb/pinned/openrouter_models.json -> internal/attractor/modeldb/manual_models.yaml -> skills/shared/model_fallbacks.yaml.
Use skills/shared/model_fallbacks.yaml only as backup; never let backup entries override explicit user model/provider choices.
Normalize known aliases through fallback mappings before emitting YAML (for example provider zai: glm-5.0 -> glm-5).

Populate artifact_policy from skills/shared/profile_default_env.yaml.

The engine applies only env overrides declared explicitly in the run config.
Read skills/shared/profile_default_env.yaml for per-profile reference values.
Emit all required env vars for each profile used by the DOT graph.
Set artifact_policy.checkpoint.exclude_globs for checkpoint hygiene.
Do not use deprecated git.checkpoint_exclude_globs.

5.5 Declare secrets the project needs at build/test time.

If the project under construction needs API keys at test or build time (e.g. GEMINI_API_KEY for smoke tests that call a live LLM), declare them in artifact_policy.env.overrides so they pass through to the agent shell.
The agent shell deny-lists env vars whose names contain API_KEY, SECRET, TOKEN, PASSWORD, or CREDENTIAL by default. Vars declared in artifact_policy.env.overrides bypass this deny list because they represent explicit operator intent.
Store the actual secret values in a .env file at the repo root (gitignored). The engine loads .env at startup and declared override keys pick up the OS values automatically.

Use an empty string as the override value — the engine substitutes the real value from the environment at resolve time:

artifact_policy:
  env:
    overrides:
      generic:
        GEMINI_API_KEY: ""   # value comes from .env / shell environment

Never put actual secret values in the run config file.

Apply runtime defaults and safety guardrails.

Set git.run_branch_prefix, git.commit_per_node, and git.require_clean intentionally.
Keep runtime_policy explicit (stage_timeout_ms, stall_timeout_ms, retry cap).
Enable preflight.prompt_probes and use a non-aggressive timeout baseline for real-provider runs.

Preserve local-run robustness.

In this repo, keep cxdb.autostart launcher wiring when generating local CXDB configs.
Keep artifact/checkpoint hygiene settings where relevant (for example managed tool-cache roots).

Validate alignment before handoff.

Confirm every DOT provider has a run-config backend entry.
Confirm mode consistency (real vs test_shim) with intended command flags.
Confirm config has no unresolved placeholder paths.
If graph prompts consume scratch artifacts, require run-scoped paths (.ai/runs/$KILROY_RUN_ID/...); root .ai is not implicitly ingested.

Non-Negotiable Guardrails

Backend policy lives in run config; do not encode it in DOT structure.
Do not omit providers that are referenced by the graph.
Do not use fragile preflight probe timeouts for real-provider runs.
Do not emit local CXDB configs without cxdb.autostart wiring in this repository context.
Do not emit unsupported keys (for example: runtime_robustness, provider_capability_constraints).

References

docs/strongdm/attractor/attractor-spec.md
docs/strongdm/attractor/unified-llm-spec.md
README.md
skills/create-runfile/reference_run_template.yaml
skills/shared/profile_default_env.yaml
skills/shared/model_fallbacks.yaml

danshapiro/create-runfile

skills/create-runfile/SKILL.md

Use when authoring or repairing Kilroy run config YAML/JSON files, including DOT-to-provider backend alignment and runtime policy defaults.

185 stars

development

Updated Apr 28, 2026

$ install --global

skillsauth

npx skillsauth add danshapiro/kilroy create-runfile

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 28, 2026, 5:06 AM125.5s2 files scanned

SKILL.md

name:: create-runfile
description:: Use when authoring or repairing Kilroy run config YAML/JSON files, including DOT-to-provider backend alignment and runtime policy defaults.

Create Runfile

Scope

This skill owns run config authoring (run.yaml / run.json) for kilroy attractor run and resume.

In scope:

Building config structure (version: 1 schema).
Aligning provider backends with DOT model/provider usage.
Setting runtime, preflight, modeldb, git, and CXDB defaults.

Out of scope:

DOT graph authoring and routing design. Use create-dotfile for graph work.

Overview

Core principle:

Keep execution policy in run config, not in DOT topology.
Align run config with what the graph needs to execute now.
Favor explicit, deterministic defaults over implicit behavior.

Default run-config source:

skills/create-runfile/reference_run_template.yaml

Workflow

Collect inputs.

Read the target DOT graph and detect provider usage (llm_provider attrs and model_stylesheet).
Capture user constraints for production/test mode and backend policy.

Choose run mode explicitly.

Production mode: llm.cli_profile: real and no test-shim flags.
Test mode: llm.cli_profile: test_shim with shim-compatible provider config.

Start from the template and fill required fields.

Required: version, repo.path, cxdb.binary_addr, cxdb.http_base_url, modeldb.openrouter_model_info_path.
Keep absolute paths for repo/modeldb/script entries.
Emit only fields supported by internal/attractor/engine/config.go.
Unknown keys are rejected at load time; do not emit unsupported keys.

Align providers with DOT.

For every provider used by DOT, set llm.providers.<provider>.backend (api or cli).
Do not edit DOT to force backend execution strategy.

4.5 Resolve model names deterministically when catalogs are unavailable.

Model resolution order: user-specified model -> run snapshot/modeldb path -> internal/attractor/modeldb/pinned/openrouter_models.json -> internal/attractor/modeldb/manual_models.yaml -> skills/shared/model_fallbacks.yaml.
Use skills/shared/model_fallbacks.yaml only as backup; never let backup entries override explicit user model/provider choices.
Normalize known aliases through fallback mappings before emitting YAML (for example provider zai: glm-5.0 -> glm-5).

Populate artifact_policy from skills/shared/profile_default_env.yaml.

The engine applies only env overrides declared explicitly in the run config.
Read skills/shared/profile_default_env.yaml for per-profile reference values.
Emit all required env vars for each profile used by the DOT graph.
Set artifact_policy.checkpoint.exclude_globs for checkpoint hygiene.
Do not use deprecated git.checkpoint_exclude_globs.

5.5 Declare secrets the project needs at build/test time.

If the project under construction needs API keys at test or build time (e.g. GEMINI_API_KEY for smoke tests that call a live LLM), declare them in artifact_policy.env.overrides so they pass through to the agent shell.
The agent shell deny-lists env vars whose names contain API_KEY, SECRET, TOKEN, PASSWORD, or CREDENTIAL by default. Vars declared in artifact_policy.env.overrides bypass this deny list because they represent explicit operator intent.
Store the actual secret values in a .env file at the repo root (gitignored). The engine loads .env at startup and declared override keys pick up the OS values automatically.

Use an empty string as the override value — the engine substitutes the real value from the environment at resolve time:

artifact_policy:
  env:
    overrides:
      generic:
        GEMINI_API_KEY: ""   # value comes from .env / shell environment

Never put actual secret values in the run config file.

Apply runtime defaults and safety guardrails.

Set git.run_branch_prefix, git.commit_per_node, and git.require_clean intentionally.
Keep runtime_policy explicit (stage_timeout_ms, stall_timeout_ms, retry cap).
Enable preflight.prompt_probes and use a non-aggressive timeout baseline for real-provider runs.

Preserve local-run robustness.

In this repo, keep cxdb.autostart launcher wiring when generating local CXDB configs.
Keep artifact/checkpoint hygiene settings where relevant (for example managed tool-cache roots).

Validate alignment before handoff.

Confirm every DOT provider has a run-config backend entry.
Confirm mode consistency (real vs test_shim) with intended command flags.
Confirm config has no unresolved placeholder paths.
If graph prompts consume scratch artifacts, require run-scoped paths (.ai/runs/$KILROY_RUN_ID/...); root .ai is not implicitly ingested.

Non-Negotiable Guardrails

Backend policy lives in run config; do not encode it in DOT structure.
Do not omit providers that are referenced by the graph.
Do not use fragile preflight probe timeouts for real-provider runs.
Do not emit local CXDB configs without cxdb.autostart wiring in this repository context.
Do not emit unsupported keys (for example: runtime_robustness, provider_capability_constraints).

References

docs/strongdm/attractor/attractor-spec.md
docs/strongdm/attractor/unified-llm-spec.md
README.md
skills/create-runfile/reference_run_template.yaml
skills/shared/profile_default_env.yaml
skills/shared/model_fallbacks.yaml

Related Skills

danshapiro/using-kilroy

tools

VerifiedTrustedCommunity

Operate Kilroy Attractor pipelines end-to-end: ingest English requirements into DOT graphs, validate graph semantics, run and resume pipelines with run config files, configure provider backends (cli/api), and debug runs from logs_root artifacts and checkpoints.

185SKILL.mdUpdated Apr 28, 2026

danshapiro/using-kilroy

danshapiro/starting-a-project

tools

VerifiedTrustedCommunity

Use when bootstrapping a new project repository for Kilroy Attractor from a clean directory using existing spec, DoD, graph, and run config artifacts.

185SKILL.mdUpdated Apr 28, 2026

danshapiro/starting-a-project

danshapiro/release-kilroy

development

VerifiedTrustedCommunity

Use when preparing a Kilroy release — writing release notes, tagging, and publishing via goreleaser on GitHub.

185SKILL.mdUpdated Apr 28, 2026

danshapiro/release-kilroy

danshapiro/investigating-kilroy-runs

development

VerifiedTrustedCommunity

To diagnose active, stuck, or failed Kilroy Attractor runs, inspect run artifacts (`manifest.json`, `live.json`, `checkpoint.json`, `final.json`, `progress.ndjson`), resolve run IDs/log roots, identify model/provider routing, and isolate failure causes. Includes CXDB operations for launching/probing CXDB, opening the CXDB UI, and querying run context turns. This skill is useful when investigating run status, debugging retries/failures, explaining model usage, or inspecting CXDB-backed event history.

185SKILL.mdUpdated Apr 28, 2026

danshapiro/investigating-kilroy-runs

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/danshapiro/kilroy.git

# Copy into Claude Code skills folder (global)
cp -r kilroy/skills/create-runfile ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

danshapiro/kilroy

185 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT