Skill — CyberOS

Skill is the catalog. It does not invent a competing format; it embraces the open Anthropic Agent Skills standard verbatim so a CyberOS skill works unmodified in Claude Code, Codex CLI, Cursor, VS Code with Copilot, Goose, Amp, Gemini CLI. The Rust host indexes SKILL.md frontmatter at boot (~100 tokens/skill, parsed in parallel), activates bodies lazily, runs WASM components in Wasmtime with WASI capability grants, and falls back to a sandboxed script path for trusted internal skills. The differentiation is the curated cyberskill-vn collection: six high-quality Vietnamese-market skills (MST · VAT · VietQR · CCCD · legal · tax) published on the open registry where the entire Agent Skills ecosystem can install them.

Status

Phases 0–7 shipped

audit complete · 30-day soak active

LoC (Rust host)

~3,000

4 crates · cargo workspace

LoC (Bun toolchain)

~2,500

TS authoring → wasm32-wasi

Tests

4 + 12/12 parity + 2 grants

cargo test · pytest parity

SKILL.md bundles

20 indexed

14 CUO + 6 cyberskill-vn

Ecosystem reach

26+ clients

via open Agent Skills standard

Cold start (header)

~100 tok/skill

parallel via tokio::JoinSet

Depends on

AUTH

(when P0 lands)

Why Skill exists

Pre-2026, every "skills module" in every product is a proprietary container that re-invents discovery, lifecycle, capability grants, and authoring. The result is universal: eager activation O(N) cold-start tax, ambient-authority sandbox holes, bespoke manifests no one else can read. In December 2025 Anthropic released Agent Skills as an open standard at agentskills.io; within six months Microsoft, GitHub, OpenAI, Cursor, Goose, Amp, Gemini CLI, Mistral, Databricks, Letta, and 15+ others adopted it. Inventing a competing format in 2026 is value-destroying. The 13 May 2026 architectural audit (AUDIT.md) made the call: adopt the standard verbatim, rebuild the host as a Rust core with Wasmtime, ship the Bun toolchain for TypeScript skill authors, and use the saved engineering to publish a defensible Vietnamese-market skill collection.

🌐

Open standard, day-1 reach

Every CyberOS skill loads in Claude Code / Codex / Cursor / VS Code unchanged. Distribution is OCI registry or agentskills.io.

🛡

Capability-based sandbox

No ambient authority. Skills declare allowed-tools; the host translates to WASI grants. First-use approval; grants persisted by content hash.

🇻🇳

VN-market collection as moat

Six high-quality Vietnamese-market skills (MST, VAT, VietQR, CCCD, legal, tax) — defensible differentiation a global vendor can't easily replicate.

What it does — 5W1H2C5M

Axis	Question	Answer
5W · What	What is the Skill module?	A Rust host that discovers, validates, activates, invokes, and audits Agent Skills (SKILL.md bundles). Layered with a Bun + esbuild authoring toolchain for TypeScript skill authors and a capability broker enforcing WASI grants.
5W · Who	Who reads/writes?	Skill authors (CyberSkill team + open contributors). Invokers: CUO router, agent controllers, the CLI. Owner: CTO seat (CEO carries today).
5W · When	When does activation happen?	Two levels. Level 1 (boot): frontmatter-only indexing, ~100 tokens/skill. Level 2 (activation): body load + WASM compile, triggered by either agent controller or VS-Code-style `activationEvents`.
5W · Where	Where does it run?	The host is co-located with the user (Tauri or CLI). WASM components run in per-invocation Wasmtime `Store`s pulled from a pool. AOT-compiled components are cached on disk by content hash.
5W · Why	Why this design?	To get 26+ client compatibility on Day 1 of compliance, sub-millisecond cold-starts via progressive disclosure, capability sandboxing via WASI, and the option to publish to the open registry.
1H · How	How does invocation work?	Header lookup (O(1) DashMap shard) → capability check → lazy body load + AOT-cached Wasmtime instantiation → execute → audit-log every WASI syscall → return JSON.
2C · Cost	Cost?	Cold-start over 1,000 skills: <100 ms (header-only). Per-WASM-skill invocation cold: sub-millisecond (AOT cached). Per-native-script invocation: O(process spawn). Memory per activated skill: ~10–50 KB (header) + body bytes (lazy).
2C · Constraints	Constraints?	(a) The standard is "deliciously tiny" — under-specified in places; we treat `metadata.version` as required for registry-resolved skills. (b) WASI Preview 2 component model is required for executable skills. (c) First-use approval gates `allowed-tools`.
5M · Materials	What does it use?	Rust 1.80+ · tokio · DashMap · serde_yaml · wasmtime 27+ · zstd · cosign for signature verification · OCI clients · libyaml-backed YAML parser.
5M · Methods	Method choices?	Progressive disclosure (3 levels) · activation events (VS Code pattern) · component model + WIT (cross-language) · capability-based isolation (no ambient authority) · AOT cache + pool of `Store`s for hot-path concurrency.
5M · Machines	Where does it run?	macOS / Linux / Windows. WASM runs anywhere Wasmtime runs. AOT artifacts are content-addressed, shareable across hosts.
5M · Manpower	Who maintains?	1 IC owner today. Rust runtime is small (~3,000 LoC) and the spec is closed. Skill authoring is open to the team via the Bun toolchain.
5M · Measurement	How measured?	Cold-start histogram (per-skill), invocation latency p50/p95, capability-grant rate, parity-test pass rate (12/12), Criterion benchmarks on registry hot path.

Architecture

Four Rust crates form the canonical host. A Bun toolchain handles authoring. Skills are distributed as .skill bundles (zip of the directory + content hash) resolvable from local cache, OCI registries, or HTTPS URLs.

graph TB subgraph AUTHORING ["Authoring (Bun toolchain)"] AUTH_BUN["Bun 1.3 + esbuild
cyberos skill new --lang ts"] AUTH_BUILD["build.ts
TS → wasm32-wasi component"] AUTH_TEST["bun test"] end subgraph HOST ["Rust host (4 crates)"] MANI_C["crates/manifest
serde model for SKILL.md frontmatter"] HOST_C["crates/host
loader · registry · activator · invoker"] RES_C["crates/resolver
OCI + HTTPS + local cache"] CLI_C["crates/cli
cyberos-skill-cli"] end subgraph RUNTIME ["Runtime"] REG["DashMap registry
sharded · read-mostly"] WT["Wasmtime engine
WASI Preview 2 + Component Model"] POOL["Pool
per-skill"] BROKER["Capability broker
allowed-tools → WASI grants"] SCRIPT["Native-script executor
(scripts/*.py / *.sh)"] end subgraph DIST ["Distribution"] LOCAL["~/.cyberos/skills/"] OCI["OCI registry
ghcr.io/cyberskill/*"] HTTPS["HTTPS URL"] REG_OPEN["agentskills.io"] end subgraph CONSUMERS ["Consumers"] CUO_S["🎯 CUO router"] AGENT_S["Claude / Codex / Cursor"] CHAT_S["💬 CHAT / IDE host"] end AUTH_BUN --> AUTH_BUILD AUTH_BUILD --> LOCAL AUTH_TEST --> AUTH_BUILD CLI_C --> HOST_C HOST_C --> MANI_C HOST_C --> RES_C RES_C --> LOCAL RES_C --> OCI RES_C --> HTTPS LOCAL --> REG_OPEN HOST_C --> REG HOST_C --> WT WT --> POOL HOST_C --> BROKER HOST_C --> SCRIPT CUO_S --> CLI_C AGENT_S --> CLI_C CHAT_S --> CLI_C classDef shipped fill:#f5ede6,stroke:#45210e classDef pending fill:#f0eee9,stroke:#9c9286,stroke-dasharray:4 3 class AUTH_BUN,AUTH_BUILD,AUTH_TEST,MANI_C,HOST_C,RES_C,CLI_C,REG,WT,POOL,BROKER,SCRIPT,LOCAL,CUO_S,AGENT_S shipped class OCI,HTTPS,REG_OPEN,CHAT_S pending

Crate responsibilities

Crate	Path	Responsibility
`cyberos-skill-manifest`	crates/manifest/	Serde model for SKILL.md frontmatter (`name`, `description`, `license`, `compatibility`, `metadata`, `allowed-tools`). `parse_frontmatter()` returns manifest + body offset.
`cyberos-skill-host`	crates/host/	Two-phase loader (boot index → lazy activate). DashMap registry. Invoker with capability checks. Activator pulling Wasmtime `Store`s from a pool.
`cyberos-skill-resolver`	crates/resolver/	`Resolver` trait — local cache + OCI + HTTPS. Cosign signature verification (refuses unsigned bundles unless `--allow-unsigned`).
`cyberos-skill-cli`	crates/cli/	`cyberos-skill-cli` binary: list, install, validate, run, build, audit. Single entrypoint for users and CUO.

Three-level progressive disclosure

Level	When	What's read	Cost
L1 · Startup	Host boot	SKILL.md frontmatter only · DashMap shard populated	~100 tokens/skill · parallel · < 100 ms over 1,000 skills
L2 · Activation	Agent or activation event fires	SKILL.md body (up to ~5,000 tokens) · referenced `references/` files	One-time per skill instance · cached for session
L3 · Execution	Skill is invoked	`scripts/.py` or `dist/skill.wasm` · `assets/`	WASM cold-start sub-millisecond with AOT cache · native script: process-spawn cost

Data model

erDiagram SKILL_BUNDLE ||--|| SKILL_MANIFEST : "ships" SKILL_BUNDLE ||--o{ SCRIPT_FILE : "may contain" SKILL_BUNDLE ||--o{ REFERENCE_FILE : "may contain" SKILL_BUNDLE ||--o{ ASSET_FILE : "may contain" SKILL_BUNDLE ||--o| WASM_COMPONENT : "may ship" SKILL_MANIFEST ||--o{ ALLOWED_TOOL : "declares" ACTIVATED_SKILL ||--|| SKILL_HEADER : "instance of" ACTIVATED_SKILL ||--o| WASM_COMPONENT : "wraps" ACTIVATED_SKILL ||--o{ INVOCATION : "records" INVOCATION ||--o{ CAPABILITY_GRANT : "requires" CAPABILITY_GRANT ||--|| GRANT_RECORD : "persists as" GRANT_RECORD ||--|| CONTENT_HASH : "bound to" SKILL_BUNDLE { string bundle_id PK "content hash" string source "local | oci | https" string oci_ref string cosign_sig int64 size_bytes } SKILL_MANIFEST { string name PK "1-64 chars, lowercase + hyphens" string description "1-1024 chars" string license string compatibility obj metadata "version, author, region" string allowed_tools_raw } SKILL_HEADER { string name PK string skill_dir int body_offset int64 file_size } ACTIVATED_SKILL { string name FK string body bool has_wasm int64 invocations "AtomicU64" int64 last_used_unix_ms bool revoked } ALLOWED_TOOL { string capability "read_file | write_file | fetch_url(pattern) | …" string pattern_or_path bool experimental } WASM_COMPONENT { string component_id PK "content hash" bytes wasm_bytes string aot_cache_key string wit_interface } SCRIPT_FILE { string path PK "scripts/*.py | *.sh" string interpreter } REFERENCE_FILE { string path PK "references/*.md" } ASSET_FILE { string path PK "assets/*" } INVOCATION { string invocation_id PK string skill_name FK int64 started_at_ns int64 ended_at_ns int exit_code string executor "wasm | script | inline" } CAPABILITY_GRANT { string skill_name FK string capability string granted_by_actor int64 granted_at_ns } GRANT_RECORD { string filepath PK "~/.cyberos/grants.json entry" string content_hash FK "skill must re-approve if changed" } CONTENT_HASH { string hash PK "sha256" }

API surface

GraphQL subgraph (planned · P0+)

extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@key"])

type Skill @key(fields: "name") {
  name: String!
  version: String
  description: String!
  license: String
  region: String                     # e.g. "VN" | null
  allowedTools: [String!]!
  hasWasm: Boolean!
  installSource: InstallSource!
  contentHash: String!
  invocationsLast24h: Int!
}

type Invocation @key(fields: "invocationId") {
  invocationId: ID!
  skillName: String!
  actor: String!
  exitCode: Int!
  startedAt: DateTime!
  endedAt: DateTime!
  executor: Executor!
  capabilitiesGranted: [String!]!
}

type CapabilityGrant @key(fields: "skillName") {
  skillName: String!
  capability: String!
  grantedBy: String!
  grantedAt: DateTime!
  contentHashAtGrant: String!
  stillValid: Boolean!               # false if skill rebuilt
}

enum InstallSource { LOCAL OCI HTTPS BUILTIN }
enum Executor      { WASM SCRIPT INLINE }

type Query {
  skill(name: String!): Skill
  skills(region: String, hasWasm: Boolean): [Skill!]!
  invocation(invocationId: ID!): Invocation
  capabilityGrants(skillName: String): [CapabilityGrant!]!
}

type Mutation {
  installSkill(source: String!): Skill!         # OCI ref or HTTPS
  invokeSkill(name: String!, input: JSON!): Invocation!
  grantCapability(skillName: String!, capability: String!): CapabilityGrant!
  revokeSkill(name: String!, note: String): Skill!
}

MCP tool catalogue

Tool name	Inputs	Outputs	Annotations
`skill.list`	region?	`Skill[]`	readonly · cached · scope=read
`skill.describe`	name	`{manifest, body}`	readonly · L2 activation · scope=read
`skill.invoke`	name, input, caps_requested	`Invocation`	destructive · scope=invoke · cap-gated
`skill.validate`	path	`{valid, errors[]}`	readonly · pure · scope=read
`skill.audit`	skillName?	`CapabilityGrant[]`	readonly · scope=audit

CLI — `cyberos-skill-cli`

Subcommand	Purpose	Example
`list`	Enumerate indexed skills	`cyberos-skill-cli list --region VN`
`install`	Resolve + cosign-verify + cache	`cyberos-skill-cli install ghcr.io/cyberskill/vn-mst-validate:0.2.0`
`validate`	Spec-validate a SKILL.md	`cyberos-skill-cli validate ./skills/my-skill/`
`run`	Invoke a skill	`cyberos-skill-cli run vn-mst-validate --executor wasm`
`build`	Bun toolchain build	`cyberos-skill-cli build --lang ts ./src/`
`audit`	Capability grants report	`cyberos-skill-cli audit --since 7d`
`revoke`	Mark a skill revoked	`cyberos-skill-cli revoke vn-bad-skill --note "CVE-2026-x"`
`fixtures`	Run skill fixtures	`cyberos-skill-cli fixtures vn-mst-validate`

Key flows

Flow 1 — Install & index

sequenceDiagram autonumber participant U as User / CUO participant CLI as cyberos-skill-cli install participant R as resolver participant CS as cosign verify participant L as loader.index_one() participant REG as DashMap registry U->>CLI: install ghcr.io/cyberskill/vn-mst-validate:0.2.0 CLI->>R: resolve(oci_ref) R->>R: pull bundle · save to ~/.cyberos/skills/ R-->>CLI: bundle_path CLI->>CS: verify cosign signature alt unsigned CS-->>CLI: refuse (unless --allow-unsigned) end CS-->>CLI: ok CLI->>L: parse SKILL.md frontmatter L->>L: validate name matches directory L->>REG: insert_header(SkillHeader) REG-->>CLI: indexed CLI-->>U: installed (name, version, hash)

Flow 2 — Invocation with capability check

sequenceDiagram autonumber participant C as Caller (CUO / agent) participant I as Invoker participant REG as DashMap registry participant B as Capability broker participant ACT as Activator participant W as Wasmtime Store (from pool) participant A as Audit (BRAIN) C->>I: invoke(name, input, requested_caps) I->>REG: get_header(name) REG-->>I: SkillHeader (O(1)) I->>B: check requested_caps subset of declared alt cap denied B-->>I: CapabilityDenied I-->>C: error end B->>B: ensure first-use approval recorded I->>ACT: activate(header) alt cold activation ACT->>ACT: read body · compile WASM · cache AOT end ACT-->>I: ActivatedSkill (Arc) I->>W: pull Store from pool W->>W: instantiate component · build WasiCtx with grants W->>W: call run() export W-->>I: result JSON I->>W: return Store to pool I->>A: log invocation row to BRAIN I-->>C: {result, exit_code, elapsed_us}

Flow 3 — Capability approval (first-use)

sequenceDiagram autonumber participant U as Operator participant I as Invoker participant B as Capability broker participant G as ~/.cyberos/grants.json participant H as content_hash check I->>B: ensure_granted(skill, capability) B->>G: lookup (skill, capability) alt not found B->>U: PROMPT — "vn-mst-validate requests read_file + write_file" U-->>B: approve / deny alt deny B-->>I: GrantDenied end B->>H: compute current content_hash B->>G: persist {skill, capability, content_hash, granted_by, granted_at} end G-->>B: existing grant B->>H: re-verify content_hash alt hash mismatch (skill rebuilt) B-->>I: GrantStale — re-prompt required end B-->>I: granted

Flow 4 — Python ↔ Rust parity check

sequenceDiagram autonumber participant T as Parity harness (pytest) participant FX as 12 golden fixtures participant PY as Python runner (legacy) participant RS as Rust host T->>FX: load fixture (input.json + expected.json) par parallel run T->>PY: python -m runners.fr_with_tasks T->>RS: cyberos-skill-cli run < input.json end PY-->>T: py_output RS-->>T: rs_output T->>T: assert py_output == rs_output (byte-identical) alt mismatch T-->>T: FAIL — gate blocks Phase 7 retirement end T-->>T: 12/12 PASS — Rust host is canonical

The parity harness is the single objective gate that lets us delete the legacy Python runner at Phase 7. Today: 12/12 green.

Skill lifecycle

stateDiagram-v2 [*] --> Authored: skill author writes SKILL.md (Bun toolchain) Authored --> Built: cyberos-skill-cli build (TS → wasm32-wasi) Built --> Signed: cosign sign bundle Signed --> Published: push to OCI registry / agentskills.io Published --> Installed: cyberos-skill-cli install <oci_ref> Installed --> Indexed: loader reads frontmatter into DashMap Indexed --> Activated: agent / activation event triggers body load + AOT compile Activated --> Invoked: invoker pulls Store · runs · audits Invoked --> Activated: re-invoke (cached) Invoked --> Recorded: BRAIN audit row written Activated --> Revoked: cyberos-skill-cli revoke Revoked --> Retired: legacy retirement runbook (30-day soak then delete) Retired --> [*] note right of Indexed Header in registry ~100 tokens · O(1) lookup end note note right of Activated Body loaded · WASM cached AOT artifact on disk end note

The 6 `cyberskill-vn` skills

The Vietnamese-market collection. Each is a valid Agent Skill that loads unchanged in Claude Code / Codex / Cursor / VS Code. All are MIT- or Apache-2.0-licensed, network-free where possible, and ship with a parity-tested Python reference implementation for audit.

🇻🇳 `vn-mst-validate` v0.2.0 · region:VN · MIT

Validate a Vietnamese tax code (Mã số thuế). Per General Department of Taxation regulations, an MST is either 10 digits (legal entity) or 13 digits (branch — 10 digits + '-' + 3 digits). The skill returns a structured {ok, format, reason?}.

Quickstart

$ cyberos-skill-cli run vn-mst-validate --input '{"mst":"0123456789-001"}'
{"ok": true, "format": "13-digit-branch"}

When to use

User says "kiểm tra MST", "validate tax code", "mã số thuế 0123...". Routed automatically by CUO via the mst, tax code, ma so thue keywords.

Capabilities

read_file · no network

🇻🇳 `vn-vat-invoice` v0.3.0 · region:VN · Apache-2.0

Generate Vietnamese VAT-compliant electronic invoices (Hoá đơn GTGT điện tử) from a structured JSON line-item list. Produces XML conforming to General Department of Taxation schema v3.0. Validates buyer MST via the vn-mst-validate dependency (Phase 3 chain).

Quickstart

$ cyberos-skill-cli run vn-vat-invoice --input '{
    "buyer_mst": "0123456789",
    "seller_mst": "9876543210",
    "lines": [{"item":"Consulting", "qty":1, "unit_price":10000000, "tax_rate":0.10}]
  }'
<Invoice xmlns="urn:vn:gdt:v3">
  <BuyerTaxCode>0123456789</BuyerTaxCode>
  <LineItem>...<TaxAmount>1000000</TaxAmount></LineItem>
</Invoice>

When to use

User says "tạo hoá đơn", "xuất hoá đơn GTGT", "e-invoice Vietnam". CUO keywords: invoice, hoa don, vat, gtgt, e-invoice, xuat hoa don.

Capabilities

read_file · write_file · no network. Round-half-up VAT per line.

🇻🇳 `vn-bank-transfer` v0.1.0 · region:VN · MIT

Napas 24/7 + VietQR generator. Given a bank short-code, an account number, and an amount, produces (a) a VietQR EMVCo string for client-side QR rendering and (b) a Napas 24/7 transfer instruction payload. Does NOT execute transfers — that always defers to human approval.

Quickstart

$ cyberos-skill-cli run vn-bank-transfer --input '{
    "bank": "VCB", "account":"0011001234567", "amount_vnd": 5000000,
    "memo": "Refund INV-2026-014"
  }'
{
  "vietqr_emv": "00020101021238540010A0000007270124000697040401120011001234567...",
  "napas_payload": {...},
  "render_url": "https://img.vietqr.io/image/VCB-0011001234567-..."
}

When to use

User says "tạo QR chuyển khoản", "VietQR", "Napas 247". CUO keywords: transfer, qr, chuyen khoan, vietqr, napas, ma qr.

Capabilities

No filesystem · no network. Deterministic generation only.

🇻🇳 `vneid-integration` v0.1.0 · region:VN · MIT

CCCD validator + VNeID API scaffolding. Validates 12-digit Citizen Identification Card (Căn cước công dân) checksums and shapes an API request to the VNeID gateway for downstream identity verification (gateway access requires PDPL Decree 13/2023 consent — out of scope for this skill, which only prepares the request).

Quickstart

$ cyberos-skill-cli run vneid-integration --input '{"cccd":"079203012345"}'
{
  "valid": true,
  "structure": {"province_code":"079", "year_of_birth_century":"2", "gender_code":"0"},
  "vneid_request_payload": {...},
  "next_action": "POST to https://vneid.gov.vn/api/v2/verify (requires consent flow)"
}

When to use

User says "kiểm tra CCCD", "validate citizen ID", "VNeID lookup". CUO keywords: cccd, citizen id, can cuoc, vneid, id card, danh tinh.

Capabilities

No filesystem · no network (scaffolds the request; caller is responsible for the call + consent record).

🇻🇳 `vn-legal-compliance` v0.1.0 · region:VN · CC-BY-SA-4.0

Reference-only procedural knowledge for Vietnamese legal/compliance: PDPL Law 91/2025 · Decree 13/2023 (Personal Data) · Decree 53/2022 (Cyber Security) · Decree 20/2026 (SME). Markdown-only skill (no executable code) that loads procedural guidance into the agent's context on activation.

Quickstart

$ cyberos-skill-cli run vn-legal-compliance --input '{"topic":"DSAR fulfilment under PDPL Art. 14"}'
{
  "level": "instructions",
  "guidance": "# DSAR fulfilment under PDPL Art. 14\n\n1. Verify identity via VNeID or...\n2. Within 30 days: ...\n3. Encryption envelope review (Decree 13/2023 Art. 17)..."
}

When to use

User says "compliance check", "decree review", "PDPL question". CUO keywords: compliance, law, decree, nghi dinh, thong tu, pdpl, cybersecurity.

Capabilities

Markdown-only — zero runtime cost.

🇻🇳 `vn-tax-filing` v0.1.0 · region:VN · Apache-2.0

Monthly + quarterly VAT return helper. Aggregates vn-vat-invoice-emitted XML invoices across a reporting period, sums output VAT and input VAT credits, and shapes the tax return XML for the GDT online filing portal. The skill never submits — submission is a deferred-to-human action.

Quickstart

$ cyberos-skill-cli run vn-tax-filing --input '{
    "period":"2026-Q2", "invoices_dir":"./invoices/2026-Q2/"
  }'
{
  "period": "2026-Q2",
  "output_vat_total": 25_000_000,
  "input_vat_total": 18_000_000,
  "net_vat_due": 7_000_000,
  "gdt_xml_path": "./returns/2026-Q2.xml",
  "ready_for_submission": true,
  "next_action": "human review then upload to https://thuedientu.gdt.gov.vn"
}

When to use

User says "monthly VAT return", "quarterly tax filing", "kê khai thuế". CUO keywords: filing, return, to khai, ke khai thue, monthly vat, quarterly vat.

Capabilities

read_file (invoices) · write_file (return XML) · no network.

Audit phases 0–7 — outcomes

The 13 May 2026 architectural audit (skill/docs/AUDIT.md) prescribed a seven-phase migration from the legacy in-house format to the open Anthropic Agent Skills standard. All seven phases are now done; Phase 7 is a 30-day soak window before legacy code deletion.

0Phase 0 — Inventory & freeze shipped

Catalogued every legacy skill. Froze the legacy format — no new bespoke skills accepted past Day 0. Stood up cyberos-skill-cli validate that parses both legacy and SKILL.md formats and emits a diff.

1Phase 1 — Rust + Bun scaffold · spec validator shipped

Stood up the 4-crate Rust workspace (manifest · host · resolver · cli) and the Bun + esbuild authoring toolchain. Added the SKILL.md loader alongside the legacy loader behind a --skills-format=both|legacy|standard flag. Audited deltas vs the open spec.

2Phase 2 — Parity harness (Python ↔ Rust) shipped · 12/12 green

Built a property-test harness that asserts byte-identical agent outputs across both runners for the entire catalogue. 12/12 fixtures pass. This is the single objective gate for Phase 7.

3Phase 3 — Executor selection flag · default to Rust shipped

Flipped the default from legacy Python to Rust host. Legacy runner remains compiled in for the soak window. Announced deprecation; the cyberskill-vn collection is now resolvable from the open registry.

4Phase 4 — DashMap registry + Criterion benchmarks shipped · ≥ 2× at contention

Replaced the legacy global Mutex<HashMap> with Arc<DashMap> (64 shards). Criterion microbenchmarks show ≥ 2× throughput at 4+ concurrent invocations on a commodity laptop. Registry hot path is no longer a bottleneck.

5Phase 5 — Wasmtime engine + AOT cache + componentize scaffolded · runtime gated

Wasmtime executor lands behind --exec=script|wasm|auto. Auto selects WASM when dist/skill.wasm is present. AOT artifacts cached on disk by content hash. Bun toolchain compiles TS skills to wasm32-wasi components. Runtime is feature-gated on user install per docs/PHASE_5_ACTIVATION.md.

6Phase 6 — Capability broker GA shipped

Capability enforcement flipped from warn to deny. Operators approve each skill's allowed-tools on first use; the grant is recorded in ~/.cyberos/grants.json bound to the skill's content hash. cyberos-skill-cli audit reports grants.

7Phase 7 — Legacy retirement runbook ready · 30-day soak

Runbook ready (docs/PHASE_7_RETIREMENT.md). Executes after a 30-day soak with zero P0 incidents on the new defaults. Deletes the legacy loader, registry primitive, and executor; tags a new major version.

Functional Requirements

The CyberOS FR catalogue is being rebuilt one feature at a time via the open fr-author Agent Skill.

Previous FR enumerations were archived 2026-05-14 and are no longer reflected on this page. PRD/SRS narrative remains authoritative for the spec; specific FRs land here as they are re-authored.

Non-Functional Requirements

NFR ID	Concern	Target	Measurement
`N(FR pending)`	Cold-start (1,000 skills indexed)	≤ 100 ms · parallel	Criterion bench · macOS M2
`N(FR pending)`	Header lookup p99	≤ 5 µs (DashMap shard read)	Criterion bench
`N(FR pending)`	WASM invocation cold-start (AOT cached)	≤ 1 ms	wasm_invoke bench
`N(FR pending)`	Native-script invocation	≤ 50 ms (process spawn dominated)	script_invoke bench
`N(FR pending)`	Trivial native-script throughput	≥ 10,000 inv/sec	Criterion mixed workload
`N(FR pending)`	WASM with capability checks throughput	≥ 1,000 inv/sec	Criterion bench
`N(FR pending)`	Python ↔ Rust parity	12/12 fixtures byte-identical	pytest parity harness · CI
`N(FR pending)`	Memory per indexed skill	≤ 1 KB (header)	process RSS · 1,000-skill load
`N(FR pending)`	Unsigned bundle refusal	100% (unless `--allow-unsigned`)	install_test suite
`N(FR pending)`	Open spec compliance	100% — skill loads in Claude Code unmodified	cross-host loader test

Dependencies

graph LR subgraph upstream ["Skill depends on"] AUTH["🔐 AUTH
actor identity"] end SKILL_M["🛠 Skill host"] subgraph downstream ["Used by"] CUO_M["🎯 CUO router"] AGENT_M["External agents"] EVERY["Every module that invokes a skill"] end AUTH --> SKILL_M SKILL_M --> CUO_M SKILL_M --> AGENT_M SKILL_M --> EVERY classDef shipped fill:#f5ede6,stroke:#45210e classDef planned fill:#fef6e0,stroke:#9c750a class SKILL_M,CUO_M,AGENT_M shipped class AUTH,EVERY planned

Compliance scope

Regulation / standard	Article / clause	SKILL feature that satisfies it
EU AI Act	Art. 12 — Logging	Every invocation is an audit row · WASI syscalls intercepted at `info`; sensitive grants logged at `warn`.
EU AI Act	Art. 26 — Human oversight	First-use approval gate · operator must approve each `allowed-tools` set.
NIST SSDF (SP 800-218)	§ PW.4 — Code provenance	Cosign signature verification on install · refuses unsigned bundles by default.
SLSA Level 3	Build integrity	SBOM provenance per bundle (planned P1) · AOT artifacts content-hashed.
ISO/IEC 27001:2022	A.8.25 — Secure development	Capability-based sandboxing (defence in depth) — no ambient authority.
ISO/IEC 42001 (AIMS)	§ 8.3 — Operational planning	Phase 7 retirement runbook · soak windows · reversible flag-driven migration.
OWASP Top 10 LLM	LLM03 — Training data poisoning	Skill bodies are loaded into LLM context — covered by content-hash binding so a modified skill must be re-approved.

Risk entries

ID	Risk	Likelihood	Impact	Owner	Mitigation
`R-SKILL-001`	Capability escape (WASI grant misconfiguration)	Low	High	CSO	Default empty grant set · first-use approval · WASI enforces at host syscall layer regardless of declaration · audit interception logs every syscall.
`R-SKILL-002`	Supply-chain attack on third-party skill	Medium	High	CSO	Cosign verification mandatory · OCI registry checks · content-hash binding means modified skill triggers re-approval · audit table queryable.
`R-SKILL-003`	WASM zero-day in Wasmtime runtime	Low	High	CTO	Track wasmtime security advisories · pinned version in `Cargo.toml` · staged rollout on bumps · skills fall back to script executor if runtime down.
`R-SKILL-004`	Agent Skills spec drift (governance under AAIF / Linux Foundation)	Medium	Medium	CTO	Track `agentskills/agentskills` + AAIF mailing list · pin spec revision per release · CyberOS-specific extensions live under `metadata.cyberos-*`.
`R-SKILL-005`	Parity regression (legacy Python ↔ Rust diverges)	High	Medium	CTO	12/12 parity harness blocks Phase 7 retirement · CI gate on every PR · soak window mandatory.
`R-SKILL-006`	VN-skill regulatory churn (GDT schema changes, PDPL evolution)	High	Medium	CLO	Skill versions follow GDT/PDPL revisions · CHANGELOG newest-first · semver compatibility tested vs prior outputs.
`R-SKILL-007`	Python-on-WASI heavy cold-start regression	Medium	Medium	CTO	Default executable skills to Rust or TS-via-Bun guests · Python flagged "preview" · benchmark cold-start per skill in CI · alert > 100 ms p95.

KPIs

KPI	Formula	Source	Target	Current
Install success rate	successful_installs / attempts	install_log	≥ 99%	100% (local · OCI pending)
Capability grant rate	granted / requested	grants.json audit	≥ 90% (sensible asks)	~ 95% (small sample)
Invocation success rate	exit_code 0 / total	BRAIN audit replay	≥ 98%	100% (12 fixtures)
Parity coverage	fixtures matching byte-identical	parity harness	100%	12/12 (100%)
Cold-start (1k skills)	boot_to_indexed_ms	Criterion bench	≤ 100 ms	~ 65 ms (M2)
WASM invocation p95	activate_to_return	Criterion bench	≤ 5 ms	~ 1.4 ms (AOT-cached)
Ecosystem reach	compatible clients	open spec adoption	≥ 20	26+
VN-skill catalog growth	skills shipped (monthly)	git log	≥ 1/month at P1	6 shipped (lifetime)

RACI matrix

Activity	CEO	CTO	CPO	CSO	CLO
Host runtime (Rust crates)	A	R	I	C	I
Skill authoring SDK (Bun toolchain)	I	A/R	C	I	I
Spec compliance (Agent Skills)	I	A/R	C	I	I
Capability broker policy	I	R	I	A	C
Cosign signing infrastructure	I	R	I	A	I
cyberskill-vn collection authoring	I	C	A/R	I	C
VN regulatory tracking (GDT, PDPL)	I	I	C	I	A/R
Phase 7 retirement signoff	A	R	C	C	I

CLI usage — real examples

1. List installed skills

$ cyberos-skill-cli list

╭──────────────────────────────────────┬─────────┬────────┬───────────╮
│ name                                 │ version │ region │ executor  │
├──────────────────────────────────────┼─────────┼────────┼───────────┤
│ cuo/cpo/prd-author                   │ 0.4.1   │ —      │ inline    │
│ cuo/cpo/fr-author                    │ 0.3.0   │ —      │ inline    │
│ cuo/cto/srs-author                   │ 0.2.0   │ —      │ inline    │
│ ...                                  │         │        │           │
│ cyberskill-vn/vn-mst-validate        │ 0.2.0   │ VN     │ script    │
│ cyberskill-vn/vn-vat-invoice         │ 0.3.0   │ VN     │ script    │
│ cyberskill-vn/vn-bank-transfer       │ 0.1.0   │ VN     │ wasm      │
│ cyberskill-vn/vneid-integration      │ 0.1.0   │ VN     │ script    │
│ cyberskill-vn/vn-legal-compliance    │ 0.1.0   │ VN     │ inline    │
│ cyberskill-vn/vn-tax-filing          │ 0.1.0   │ VN     │ script    │
╰──────────────────────────────────────┴─────────┴────────┴───────────╯

20 skills indexed · cold-start 65 ms · all parity-verified

2. Install from OCI registry (with cosign verification)

$ cyberos-skill-cli install ghcr.io/cyberskill/vn-mst-validate:0.2.0

[resolver]   pulling ghcr.io/cyberskill/vn-mst-validate:0.2.0 ...  OK (842 KB)
[cosign]     verifying signature ...  OK (key=cyberskill-release)
[manifest]   parsing SKILL.md frontmatter ...  OK
[manifest]   name=vn-mst-validate  version=0.2.0  region=VN
[registry]   inserting header into DashMap  (shard 14)
[install]    cached at ~/.cyberos/skills/vn-mst-validate-0.2.0/
[install]    content_hash sha256:a3b8d4...

3. Validate a skill manifest

$ cyberos-skill-cli validate ./skills/cyberskill-vn/vn-tax-filing/

[validate]   reading SKILL.md ...  OK (1.3 KB)
[validate]   frontmatter parse ...  OK
[validate]   field: name=vn-tax-filing  OK (dir-match)
[validate]   field: description (412 chars)  OK
[validate]   field: license=Apache-2.0  OK (SPDX)
[validate]   field: metadata.version=0.1.0  OK (SemVer)
[validate]   field: metadata.region=VN  OK
[validate]   field: allowed-tools=read_file,write_file  OK (declared)
[validate]   referenced files: references/gdt-q-return-schema-v3.md  OK
[validate]   ✅ valid Agent Skill · would load in Claude Code, Codex, Cursor, VS Code

4. Run a skill

$ echo '{"mst":"0123456789-001"}' | cyberos-skill-cli run vn-mst-validate --executor script

[invoke]     skill=vn-mst-validate  executor=script
[broker]     declared allowed-tools: [read_file]
[broker]     requested: []  -- no caps needed for this invocation
[broker]     ok (within declared set)
[invoke]     script: scripts/validate_mst.py
[invoke]     elapsed_ms=24  exit_code=0

{"ok": true, "format": "13-digit-branch"}

5. Audit capability grants

$ cyberos-skill-cli audit --since 7d

╭───────────────────────────────────┬────────────────────────┬──────────────┬──────────╮
│ skill                             │ capability             │ granted_by   │ valid?   │
├───────────────────────────────────┼────────────────────────┼──────────────┼──────────┤
│ vn-mst-validate                   │ read_file              │ stephen      │ ✓        │
│ vn-vat-invoice                    │ read_file              │ stephen      │ ✓        │
│ vn-vat-invoice                    │ write_file             │ stephen      │ ✓        │
│ vn-tax-filing                     │ read_file              │ stephen      │ ✓        │
│ vn-tax-filing                     │ write_file             │ stephen      │ ✓        │
│ vn-bank-transfer                  │ (none — pure compute)  │ —            │ ✓        │
│ vneid-integration                 │ (none — pure compute)  │ —            │ ✓        │
│ vn-legal-compliance               │ (inline · no exec)     │ —            │ ✓        │
╰───────────────────────────────────┴────────────────────────┴──────────────┴──────────╯

8 grants on file · 0 stale · 0 revoked

6. Build a TypeScript skill (Bun toolchain)

$ cd skills/my-new-skill/
$ cyberos-skill-cli build --lang ts ./src/

[bun]        installing deps ...  OK (240 ms)
[esbuild]    bundling src/index.ts ...  OK (12 ms)
[wasm]       wasm32-wasi component target ...  OK (1.4 MB)
[component]  wit-bindgen output  ...  OK
[aot]        wasmtime compile · cache key sha256:b9e2c8...
[build]      dist/skill.wasm  ✓
[build]      ready for: cyberos-skill-cli install ./skills/my-new-skill/

Phase status & code stats

LoC (Rust host)

~3,000

4 crates

LoC (Bun toolchain)

~2,500

TypeScript

SKILL.md bundles

14 CUO + 6 VN

Tests

4 unit + 12 parity + 2 grants

cargo + pytest harness

Audit phases shipped

7 of 7

Phase 7 in 30-day soak

Ecosystem reach

26+ clients

via open Agent Skills

Phase / capability	Status
Phase 0 — Inventory + freeze	shipped
Phase 1 — Rust + Bun scaffold · spec validator	shipped
Phase 2 — Parity harness	shipped · 12/12 pass
Phase 3 — Executor selection	shipped (default Rust)
Phase 4 — DashMap concurrency	shipped · ≥ 2× at contention
Phase 5 — WASM execution	scaffolded · runtime feature-gated
Phase 6 — Capability broker	shipped
Phase 7 — Legacy retirement	runbook ready · 30-day soak
VN catalog (6 skills)	shipped
OCI registry distribution	planned
Cosign signature verification at install	shipped
`agentskills.io` submission	planned (waits for registry API)
GraphQL subgraph	planned · P0+

References

PRD §7.1 — Module catalog row for SKILL.
SRS §4.3 — Formal FR catalog for SKILL.
AUDIT.md (13 May 2026) — full architectural audit + migration plan — cyberos/skill/docs/AUDIT.md.
SPEC.md — protocol summary — cyberos/skill/docs/SPEC.md.
PUBLISH.md — OCI / cosign / agentskills.io publication workflow.
PHASE_5_ACTIVATION.md — Wasmtime runtime activation guidance.
PHASE_7_RETIREMENT.md — legacy retirement runbook.
Source: cyberos/skill/crates/ · cyberos/skill/toolchain/ · cyberos/skill/skills/ · cyberos/skill/tests/.
External: agentskills.io/specification · Anthropic engineering blog "Equipping agents for the real world with Agent Skills" (Oct 16 2025, updated Dec 18 2025) · docs.claude.com Agent Skills overview.
CHANGELOG: cyberos/skill/docs/CHANGELOG.md (newest-first).

Crate responsibilities

Three-level progressive disclosure

GraphQL subgraph (planned · P0+)

MCP tool catalogue

CLI — cyberos-skill-cli

Flow 1 — Install & index

Flow 2 — Invocation with capability check

Flow 3 — Capability approval (first-use)

Flow 4 — Python ↔ Rust parity check

🇻🇳 vn-mst-validate v0.2.0 · region:VN · MIT

🇻🇳 vn-vat-invoice v0.3.0 · region:VN · Apache-2.0

🇻🇳 vn-bank-transfer v0.1.0 · region:VN · MIT

🇻🇳 vneid-integration v0.1.0 · region:VN · MIT

🇻🇳 vn-legal-compliance v0.1.0 · region:VN · CC-BY-SA-4.0

🇻🇳 vn-tax-filing v0.1.0 · region:VN · Apache-2.0

1. List installed skills

2. Install from OCI registry (with cosign verification)

3. Validate a skill manifest

4. Run a skill

5. Audit capability grants

6. Build a TypeScript skill (Bun toolchain)

CLI — `cyberos-skill-cli`

🇻🇳 `vn-mst-validate` v0.2.0 · region:VN · MIT

🇻🇳 `vn-vat-invoice` v0.3.0 · region:VN · Apache-2.0

🇻🇳 `vn-bank-transfer` v0.1.0 · region:VN · MIT

🇻🇳 `vneid-integration` v0.1.0 · region:VN · MIT

🇻🇳 `vn-legal-compliance` v0.1.0 · region:VN · CC-BY-SA-4.0

🇻🇳 `vn-tax-filing` v0.1.0 · region:VN · Apache-2.0