orionarchitekton/skills/ops/workspace-manifest-attestor
skills/ops/workspace-manifest-attestor/SKILL.md
# workspace-manifest-attestor **Lane:** ops **Version:** 0.1.0 **Owner:** system **Schedule:** manual ## Purpose Attests workspace integrity by comparing discovered git roots to `pandora.repos.json`. Emits `WORKSPACE_MANIFEST_ATTESTOR` receipts with `missing_from_manifest`, `unexpected_git_roots`, and `risk_score`. ## Memory Contract ### Access Mode **`service_only`** - No direct DB writes. ### Writes None - read-only skill ## Provenance Every write includes: | Field | Source |
$ install --global
skillsauthnpx skillsauth add orionarchitekton/cosmocrat-core skills/ops/workspace-manifest-attestorInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 2:34 AM13.0s2 files scanned
SKILL.md
workspace-manifest-attestor
Lane: ops
Version: 0.1.0
Owner: system
Schedule: manual
Purpose
Attests workspace integrity by comparing discovered git roots to pandora.repos.json.
Emits WORKSPACE_MANIFEST_ATTESTOR receipts with missing_from_manifest,
unexpected_git_roots, and risk_score.
Memory Contract
Access Mode
service_only - No direct DB writes.
Writes
None - read-only skill
Provenance
Every write includes:
| Field | Source |
|-------|--------|
| run_id | Generated UUID |
| trace_id | From Langfuse or run_id |
| source_ref | workspace-manifest-attestor:run |
| actor | workspace-manifest-attestor |
Environment Variables
COSMOCRAT_CODE_ROOT(optional root override)PANDORA_REPOS_MANIFEST(optional manifest path override)
Testing
# Run locally in shadow mode
python ops/scripts/workspace_manifest_attestor.py --dry-run
# Unit tests
pytest tests/ops/test_workspace_manifest_attestor.py -v
Changelog
- 0.1.0 (2026-02-19): Initial shadow-mode workspace manifest attestor.
Related Skills
orionarchitekton/skills/tbm/tiktok-overnight-pipeline
tools
VerifiedTrustedCommunity
# tiktok-overnight-pipeline **Lane:** tbm **Version:** 0.1.0 **Owner:** system **Schedule:** 0 1 * * * ## Purpose Complete overnight pipeline for 3-channel TikTok content generation. Generates 9 videos (3 per channel) with TikTok Shop affiliate products. Timeline: 01:00 - 06:10 PT with GPU management (Llama on/off cycles). ## Memory Contract ### Access Mode **`service_only`** - All writes go through MemoryClient. No direct ClickHouse access. ### Writes None - read-only skill ## Pr
1SKILL.mdUpdated Apr 11, 2026
orionarchitekton/skills/tbm/tiktok-health-monitor
tools
VerifiedTrustedCommunity
# tiktok-health-monitor **Lane:** tbm **Version:** 0.1.0 **Owner:** system **Schedule:** 24 * * * * ## Purpose Hourly health check for TikTok Auto-Gen pipeline. Monitors video generation, QC pass rates, upload success. Alerts to Slack #tiktok-autogen on issues. ## Memory Contract ### Access Mode **`service_only`** - All writes go through MemoryClient. No direct ClickHouse access. ### Writes None - read-only skill ## Provenance Every write includes: | Field | Source | |-------|--
1SKILL.mdUpdated Apr 11, 2026
orionarchitekton/skills/tbm/tbm-supabase-sync
tools
VerifiedTrustedCommunity
# tbm-supabase-sync **Lane:** tbm **Version:** 0.1.0 **Owner:** system **Schedule:** 12 * * * * ## Purpose Push the latest TikTok readings from ClickHouse into the Supabase tiktok_posts table so tarotbymarie.com shows new content. ## Memory Contract ### Access Mode **`service_only`** - All writes go through MemoryClient. No direct ClickHouse access. ### Writes None - read-only skill ## Provenance Every write includes: | Field | Source | |-------|--------| | `run_id` | Generated
1SKILL.mdUpdated Apr 11, 2026
orionarchitekton/skills/tbm/tbm-reading-sync
tools
VerifiedTrustedCommunity
# tbm-reading-sync **Lane:** tbm **Version:** 0.1.0 **Owner:** system **Schedule:** 30 22 * * * ## Purpose Daily sync of tiktok_transcripts to tbm_readings. Uses rule-based extraction for cards, themes, and spread type. Runs after backfill has completed for the day. ## Memory Contract ### Access Mode **`service_only`** - All writes go through MemoryClient. No direct ClickHouse access. ### Writes None - read-only skill ## Provenance Every write includes: | Field | Source | |-----
1SKILL.mdUpdated Apr 11, 2026