chore(release): v6.52.0 — skills picker GitHub URL column

CHANGELOG.md

@@ -7,6 +7,65 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [6.52.0] - 2026-05-21
+
+Skills picker UX: every row in the install-time TUI now shows the upstream
+GitHub URL after its description, sourced from
+`manifest.json:skills_pins[*].repo + .commit + .path`. In iTerm2 / Kitty /
+WezTerm the URL is OSC-8 hyperlink-detected; in plain terminals it's a
+visible reference so the user can eyeball "where this skill comes from"
+before installing.
+
+User-reported gap — the picker listed 63 skill names with no source
+attribution; for unfamiliar marketing-/SEO-related skills there was no
+way to tell at a glance who authored them or what the canonical upstream
+was. Provenance is in `manifest.json:skills_pins` but never surfaced to
+the picker.
+
+### Added
+
+- **`scripts/lib/skills.sh:_skills_default_manifest_path`** — internal
+  helper resolving `manifest.json` location, honoring `TK_MANIFEST_PATH`
+  test seam. Defaults to two levels up from the mirror dir
+  (`templates/skills-marketplace/../../manifest.json`).
+- **`scripts/lib/skills.sh:_skills_upstream_url <name>`** — returns the
+  upstream GitHub URL for a skill from `skills_pins`. Constructs
+  `${repo}/tree/${commit}/${path}` when both commit + path present,
+  `${repo}/tree/${commit}` when only commit, `${repo}` when only repo.
+  Returns empty when:
+  - `manifest.json` absent or `jq` unavailable
+  - skill name absent from `skills_pins` (e.g. `impeccable`)
+  - skill marked `_status: "no-upstream-found"` (e.g. `memo-skill`)
+  - `repo` field missing
+  Uses `jq` line-per-field output rather than `@tsv` to sidestep the Bash
+  IFS-whitespace tab-collapse trap (consecutive `\t` collapse + leading
+  `\t` skipped because `\t` is in default-IFS-whitespace, so `@tsv` loses
+  empty leading fields).
+- **`scripts/install.sh` (skills branch)** — populates parallel array
+  `TUI_URLS[]` alongside `TUI_LABELS[]` / `TUI_DESCS[]` /
+  `TUI_INSTALLED[]`, calling `_skills_upstream_url` once per row.
+
+### Changed
+
+- **`scripts/lib/tui.sh:tui_checklist`** — render loop now reads
+  `TUI_URLS[$i]` when the `TUI_URLS[*]+x` array is set, appending
+  `·  ${url}` after the description. Guarded by the `+x` existence
+  check so MCP / TK / SP / GSD pickers (which never set `TUI_URLS[]`)
+  are byte-identical to v6.51.1 output.
+
+### Verified
+
+- `bash scripts/tests/test-install-skills.sh` — 27 PASS
+- `bash scripts/tests/test-install-tui.sh` — 60 PASS
+- `make check` — manifest + commands + integrations + shellcheck +
+  markdownlint all PASS
+
+### Migration
+
+None. Users who re-run `bash install.sh --skills` on v6.52.0 see the new
+URL column automatically. Pre-v6.52.0 picker output (no URL column)
+remains compatible — the change is purely additive to the row format.
+
 ## [6.51.1] - 2026-05-20
 
 Hotfix: the install-time skills picker hardcoded a 24-skill list in

manifest.json

@@ -1,8 +1,8 @@
 {
   "manifest_version": 2,
-  "version": "6.51.1",
-  "updated": "2026-05-20",
-  "build_date": "2026-05-20",
+  "version": "6.52.0",
+  "updated": "2026-05-21",
+  "build_date": "2026-05-21",
   "description": "Claude Code Toolkit manifest for smart updates",
   "vendor_pins_note": "Pinned commits/tags of external vendors as of the toolkit release. Used by /vendor-changelog to diff vendor HEAD against these pins and surface BREAKING/ADOPT/IGNORE/DEPRECATE classifications. Updated manually by the maintainer post-release via scripts/vendor/pin-vendors.sh.",
   "vendor_pins": {
@@ -63,7 +63,7 @@
       "mirror_subset": "design-md/<brand>/DESIGN.md (71 brands; README.md per brand intentionally not mirrored)"
     }
   },
-  "skills_pins_note": "Pinned upstream HEAD of mirrored marketplace skills. Used by scripts/update-deps.sh probe_skill_pin to detect drift between this mirror and the canonical upstream repo. Current state (v6.51.0, 2026-05-20): 61 active pins + 1 no-upstream-found (memo-skill, exhaustive gh search yielded no canonical upstream \u2014 possibly toolkit-original or upstream deleted). Schema fields: repo, path (optional, for monorepo subpath probes via GitHub API), tag, commit, pinned_at, sha256 (mirror content checksum, reproducible across BSD/GNU via scripts/lib/skill-checksum.sh), _status \u2208 {active, no-upstream-found}. Trajectory: v6.35.0 (2 pins) \u2192 v6.37.0 (+path field, +3 anthropics monorepo) \u2192 v6.41.0 (+4 vercel/firecrawl) \u2192 v6.44.0 (+12 confirmed via gh code search + majiayu000/claude-skill-registry cross-reference) \u2192 v6.46.0 (+sha256 field, closed-loop sync, mirror\u2194manifest drift detection) \u2192 v6.47.0 (hardened sync: tab/newline-safe checksum, atomic mirror swap, post-checkout SHA verification, 3-way CLEAN/SOFT/DRIFT classification via --normalize so markdownlint-style cosmetic diffs do not trip --strict CI gate). Add new entries one at a time as upstream URLs are confirmed; do not invent. validate-manifest.py enforces note\u2194data consistency: any count referenced here must match the live skills_pins map AND every mirror sha256 must match the manifest-declared sha256.",
+  "skills_pins_note": "Pinned upstream HEAD of mirrored marketplace skills. Used by scripts/update-deps.sh probe_skill_pin to detect drift between this mirror and the canonical upstream repo. Current state (v6.51.0, 2026-05-20): 61 active pins + 1 no-upstream-found (memo-skill, exhaustive gh search yielded no canonical upstream — possibly toolkit-original or upstream deleted). Schema fields: repo, path (optional, for monorepo subpath probes via GitHub API), tag, commit, pinned_at, sha256 (mirror content checksum, reproducible across BSD/GNU via scripts/lib/skill-checksum.sh), _status ∈ {active, no-upstream-found}. Trajectory: v6.35.0 (2 pins) → v6.37.0 (+path field, +3 anthropics monorepo) → v6.41.0 (+4 vercel/firecrawl) → v6.44.0 (+12 confirmed via gh code search + majiayu000/claude-skill-registry cross-reference) → v6.46.0 (+sha256 field, closed-loop sync, mirror↔manifest drift detection) → v6.47.0 (hardened sync: tab/newline-safe checksum, atomic mirror swap, post-checkout SHA verification, 3-way CLEAN/SOFT/DRIFT classification via --normalize so markdownlint-style cosmetic diffs do not trip --strict CI gate). Add new entries one at a time as upstream URLs are confirmed; do not invent. validate-manifest.py enforces note↔data consistency: any count referenced here must match the live skills_pins map AND every mirror sha256 must match the manifest-declared sha256.",
   "skills_pins": {
     "ab-testing": {
       "repo": "https://github.com/coreyhaines31/marketingskills",
@@ -622,8 +622,8 @@
       "sha256": "04413be02de7478156f6728b5cd70b0edc95d57358ffb06a833416bca507bf9c"
     }
   },
-  "sp_equivalent_note": "sp_equivalent is the SP plugin-cache relative path (under <superpowers>/<ver>/) used by migrate-to-complement.sh for 3-way diff. Absent entries use same-basename fallback. v6.0 redesign (in progress) drops files duplicated by GSD/Superpowers \u2014 see .planning/v6.0-REQUIREMENTS.md.",
-  "mode_notes": "Modes consumed by lib/install.sh::compute_skip_set. v6 trim (PR 1) removed conflicts_with: [\"superpowers\"] entries that were marked as duplicates \u2014 those files now hard-deleted from repo. v6.1 audit (docs/research/v6-post-ship-audit-2026-05-06.md, F-2) found that the surviving agents/code-reviewer.md annotation was broken against Superpowers 5.1.0+ (SP dropped agents/ directory; equivalent is now skills/requesting-code-review). TK's code-reviewer is also materially different from SP's \u2014 annotation removed in v6.1. v6.1 audit F-1 found that the only true duplication remaining is skills/gsd-mode-selector/SKILL.md against GSD's gsd-help skill \u2014 annotated.",
+  "sp_equivalent_note": "sp_equivalent is the SP plugin-cache relative path (under <superpowers>/<ver>/) used by migrate-to-complement.sh for 3-way diff. Absent entries use same-basename fallback. v6.0 redesign (in progress) drops files duplicated by GSD/Superpowers — see .planning/v6.0-REQUIREMENTS.md.",
+  "mode_notes": "Modes consumed by lib/install.sh::compute_skip_set. v6 trim (PR 1) removed conflicts_with: [\"superpowers\"] entries that were marked as duplicates — those files now hard-deleted from repo. v6.1 audit (docs/research/v6-post-ship-audit-2026-05-06.md, F-2) found that the surviving agents/code-reviewer.md annotation was broken against Superpowers 5.1.0+ (SP dropped agents/ directory; equivalent is now skills/requesting-code-review). TK's code-reviewer is also materially different from SP's — annotation removed in v6.1. v6.1 audit F-1 found that the only true duplication remaining is skills/gsd-mode-selector/SKILL.md against GSD's gsd-help skill — annotated.",
   "files": {
     "agents": [
       {
@@ -1151,78 +1151,78 @@
     "components": [
       {
         "path": "components/skill-frontmatter-discipline.md",
-        "description": "Authoring discipline for SKILL.md / commands / agents frontmatter \u2014 action-verb descriptions, third person, what+when triggers, naming conventions; distilled from Anthropic + Warp update-skill"
+        "description": "Authoring discipline for SKILL.md / commands / agents frontmatter — action-verb descriptions, third person, what+when triggers, naming conventions; distilled from Anthropic + Warp update-skill"
       },
       {
         "path": "components/cost-discipline.md",
-        "description": "v6.0 \u2014 Mode selection per task size (gsd-fast/quick/plan-phase), trigger keywords, budget caps, subagent model routing via better-model"
+        "description": "v6.0 — Mode selection per task size (gsd-fast/quick/plan-phase), trigger keywords, budget caps, subagent model routing via better-model"
       },
       {
         "path": "components/domain-expert-simulation.md",
-        "description": "v6.0 \u2014 Pre-ship domain expert review for non-programmer profile; killer questions per domain (auth/payments/db/infra/privacy/UX)"
+        "description": "v6.0 — Pre-ship domain expert review for non-programmer profile; killer questions per domain (auth/payments/db/infra/privacy/UX)"
       },
       {
         "path": "components/external-tools-recommended.md",
-        "description": "v6.1 \u2014 Install matrix for Serena + better-model + claude-context; install order, decision matrix per project size, exit plans (Morph removed)"
+        "description": "v6.1 — Install matrix for Serena + better-model + claude-context; install order, decision matrix per project size, exit plans (Morph removed)"
       },
       {
         "path": "components/large-codebase-search.md",
-        "description": "v6.1 \u2014 Serena (symbolic) + ripgrep (textual) + claude-context (semantic vector) decision matrix; self-hosted Milvus setup; Voyage AI / Ollama embeddings for sensitive code"
+        "description": "v6.1 — Serena (symbolic) + ripgrep (textual) + claude-context (semantic vector) decision matrix; self-hosted Milvus setup; Voyage AI / Ollama embeddings for sensitive code"
       },
       {
         "path": "components/production-observability.md",
-        "description": "v6.0 \u2014 Sentry/Posthog/Playwright integration; closes GSD plan-vs-spec blind spot with product-vs-reality monitoring"
+        "description": "v6.0 — Sentry/Posthog/Playwright integration; closes GSD plan-vs-spec blind spot with product-vs-reality monitoring"
       },
       {
         "path": "components/vendor-risk.md",
-        "description": "v6.0 \u2014 Quarterly external dependency review methodology; signals for maintainer drift, breaking change cadence, marketing pivots"
+        "description": "v6.0 — Quarterly external dependency review methodology; signals for maintainer drift, breaking change cadence, marketing pivots"
       },
       {
         "path": "components/product-thinking-flow.md",
-        "description": "v6.3 \u2014 Product validation gate flow; decision tree for validated/needs-experiment/rejected/risk-accepted; integration with /gsd-discuss-phase, /gsd-plan-phase, /product-review"
+        "description": "v6.3 — Product validation gate flow; decision tree for validated/needs-experiment/rejected/risk-accepted; integration with /gsd-discuss-phase, /gsd-plan-phase, /product-review"
       },
       {
         "path": "components/vendor-pinning.md",
-        "description": "v6.3 \u2014 Vendor pinning architecture: manifest.json:vendor_pins schema, scripts/vendor/{clone-pinned,diff-summary,pin-vendors}.sh, /vendor-changelog command. Manual pin post-release via the script (auto-pin workflow removed in v6.14.0)."
+        "description": "v6.3 — Vendor pinning architecture: manifest.json:vendor_pins schema, scripts/vendor/{clone-pinned,diff-summary,pin-vendors}.sh, /vendor-changelog command. Manual pin post-release via the script (auto-pin workflow removed in v6.14.0)."
       },
       {
         "path": "components/comet-research.md",
-        "description": "v6.6 \u2014 Threat model and isolation requirements for the comet-bridge MCP (Perplexity Pro research backend); dedicated profile, CDP localhost-only, OTP login, kill switch; backs /research /lookup /factcheck slash commands"
+        "description": "v6.6 — Threat model and isolation requirements for the comet-bridge MCP (Perplexity Pro research backend); dedicated profile, CDP localhost-only, OTP login, kill switch; backs /research /lookup /factcheck slash commands"
       },
       {
         "path": "components/system-prompt-architecture.md",
-        "description": "v6.6 \u2014 7-block reusable system prompt template (IDENTITY, CAPABILITIES, PRIORITY, BEHAVIOR, TOOLS, SAFETY, OUTPUT) + drop-in Reusable Blocks A-E (anti-injection, citation, refusal, output discipline, skill registry); distilled from leaked production prompts; backs /prompt-audit slash command"
+        "description": "v6.6 — 7-block reusable system prompt template (IDENTITY, CAPABILITIES, PRIORITY, BEHAVIOR, TOOLS, SAFETY, OUTPUT) + drop-in Reusable Blocks A-E (anti-injection, citation, refusal, output discipline, skill registry); distilled from leaked production prompts; backs /prompt-audit slash command"
       }
     ]
   },
   "claude_md_sections": {
     "system": [
-      "\ud83d\udccc Compact Instructions",
+      "📌 Compact Instructions",
       "WORKFLOW RULES",
       "Plan Mode",
       "Structured Workflow",
       "Git Workflow",
       "Git Worktree Workflow",
       "Security Rules",
-      "\ud83d\udee1\ufe0f Production Safety",
+      "🛡️ Production Safety",
       "Visual Self-Testing",
-      "\ud83c\udfd7\ufe0f Architecture Guidelines",
-      "\ud83d\udcbb Coding Style",
-      "\ud83c\udfa8 Code Style",
-      "\ud83e\udd16 Available Agents",
-      "\u26a1 Quick Commands",
-      "\ud83d\udccb Available Audits",
-      "\ud83c\udf93 Available Skills",
+      "🏗️ Architecture Guidelines",
+      "💻 Coding Style",
+      "🎨 Code Style",
+      "🤖 Available Agents",
+      "⚡ Quick Commands",
+      "📋 Available Audits",
+      "🎓 Available Skills",
       "Scratchpad",
       "Knowledge Persistence",
       "Skill Accumulation",
       "Supreme Council"
     ],
     "user": [
-      "\ud83c\udfaf Project Overview",
-      "\ud83d\udcc1 Project Structure",
-      "\u26a1 Essential Commands",
-      "\u26a0\ufe0f Project-Specific Notes",
+      "🎯 Project Overview",
+      "📁 Project Structure",
+      "⚡ Essential Commands",
+      "⚠️ Project-Specific Notes",
       "Known Gotchas",
       "Public Endpoints"
     ]

scripts/init-claude.sh

@@ -35,7 +35,7 @@ NC='\033[0m'
 # `raw.githubusercontent.com/.../v6.24.5/.../init-claude.sh`), leave
 # TK_TOOLKIT_REF unset and it inherits the bundled default below —
 # guaranteeing every file in the install comes from the same tag.
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.

scripts/install-statusline.sh

@@ -33,7 +33,7 @@ done
 : "${YES}"  # silence shellcheck SC2034 — no-op stub today
 
 # Audit H5: TK_TOOLKIT_REF pins to a tag/SHA (default `main`).
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.

scripts/install.sh

@@ -40,7 +40,7 @@ export TK_TOOLKIT_REF TK_USER_AGENT
 # Config
 # Audit H5: TK_TOOLKIT_REF pins to a tag/SHA (default `main`); TK_REPO_URL
 # remains the highest-priority override (full URL with ref baked in).
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.

scripts/migrate-to-complement.sh

@@ -57,7 +57,7 @@ CYAN='\033[0;36m'
 NC='\033[0m'
 
 # Audit H5: TK_TOOLKIT_REF pins to a tag/SHA (default `main`).
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.

scripts/setup-council.sh

@@ -16,7 +16,7 @@ CYAN='\033[0;36m'
 NC='\033[0m'
 
 # Audit H5: TK_TOOLKIT_REF pins to a tag/SHA (default `main`).
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.

scripts/setup-prompt-engineer.sh

@@ -18,7 +18,7 @@ NC='\033[0m'
 
 # TK_TOOLKIT_REF pins to a tag/SHA (default `main`). Mirrors setup-council.sh
 # to keep allowlist + curl conventions identical.
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 if ! [[ "$TK_TOOLKIT_REF" =~ ^[A-Za-z0-9._/-]+$ ]] || [[ "$TK_TOOLKIT_REF" == *..* ]]; then
     echo "Error: TK_TOOLKIT_REF must match [A-Za-z0-9._/-]+ and must not contain '..' (got: $TK_TOOLKIT_REF)" >&2
     exit 1

scripts/setup-security.sh

@@ -46,7 +46,7 @@ done
 : "${YES}"  # silence shellcheck SC2034 — YES consumed by future read blocks
 
 # Audit H5: TK_TOOLKIT_REF pins to a tag/SHA (default `main`).
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.

scripts/uninstall.sh

@@ -104,7 +104,7 @@ fi
 
 # ───────── constants + log helpers ─────────
 # Audit H5: TK_TOOLKIT_REF pins to a tag/SHA (default `main`).
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.

scripts/update-claude.sh

@@ -73,7 +73,7 @@ CYAN='\033[0;36m'
 NC='\033[0m'
 
 # Audit H5: TK_TOOLKIT_REF pins to a tag/SHA (default `main`).
-TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.51.1}"
+TK_TOOLKIT_REF="${TK_TOOLKIT_REF:-v6.52.0}"
 # Audit INF-MED-2 (2026-04-30 deep): allowlist guard — TK_TOOLKIT_REF flows
 # raw into curl URLs. Reject anything outside the tag/SHA charset, plus any
 # `..` traversal sequence. Tags / branches / SHAs do not contain `..`.