Clarify delivery runtime permissions

Author: romgenie

.clawhubignore

@@ -29,11 +29,11 @@ ENV/
 
 .env
 .env.*
-!.env.example
 secrets.json
 *_secret.ini
 *_local.ini
 *.tmp
+scripts/validate_quality.py
 .DS_Store
 Thumbs.db
 desktop.ini

README.md

@@ -13,13 +13,13 @@ Part of the CompleteTech LLC agentic services skill library. This skill supports
 ## OpenClaw / ClawHub Metadata
 
 - Skill key: `agentic-delivery-skill`
-- Version-ready metadata: `1.0.0`
+- Version-ready metadata: `1.0.3`
 - Homepage: https://github.com/CompleteTech-LLC/agentic-delivery-skill
 - README: https://github.com/CompleteTech-LLC/agentic-delivery-skill#readme
 - Runtime binaries: `python3`
-- Python packages: `reportlab>=4.0` (optional PNG preview: `pypdfium2`, `pillow`)
+- Python packages: `reportlab==4.5.1`, `pyyaml==6.0.3` (optional PNG preview: `pypdfium2==5.8.0`, `pillow==12.2.0`)
 - Intended registry/discovery tags: `latest`, `complete-tech`, `codex-skill`, `agentic-development`, `agentic-workflows`, `delivery`, `project-management`, `handoff`, `pdf`, `pdf-generator`
-- License: repository code, templates, and documentation use MIT; ClawHub publishing is intentionally skipped for now.
+- License: repository code, templates, and documentation use MIT; published by CompleteTech on ClawHub.
 - Brand assets: CompleteTech LLC names, logos, seals, and brand assets are reserved; see `BRAND_ASSETS.md`.
 
 ## Workflow Diagram
@@ -104,6 +104,10 @@ The committed `example.{md,pdf,png}` use curated, realistic demonstration data f
 
 Use a direct, concrete, low-hype tone. Present delivery as practical bounded implementation: execute the approved scope, protect human approval gates, track decisions and risks, verify evaluation examples, document logs and monitoring, prepare reviewers/admins, manage change requests, confirm acceptance, and hand off cleanly. Do not invent client facts, approvals, test results, metrics, regulated-use assurances, legal claims, or production readiness.
 
+## Runtime Permissions
+
+This skill needs local filesystem access only for the documented renderer workflow. It reads bundled templates, references, examples, `assets/logo.png`, and user-provided Markdown or variables, then writes only to the selected `--out`, `--png`, `--markdown-out`, or default `output/` artifact paths. It runs local Python renderer entry points and does not require network access, credential access, persistence, privilege escalation, or destructive file operations.
+
 ## License
 
 Code, templates, and documentation are licensed under the MIT License. CompleteTech LLC names, logos, seals, and brand assets are reserved and are not licensed for reuse except to identify this project. See `LICENSE` and `BRAND_ASSETS.md`.

SKILL.md

@@ -2,7 +2,7 @@
 name: agentic-delivery-skill
 description: >-
   Create CompleteTech LLC delivery execution artifacts for approved agentic development engagements, including kickoff agendas, access checklists, project plans, milestone trackers, status updates, decision logs, risk/issue logs, change request intake, prototype review, evaluation reports, acceptance packets, launch readiness, monitoring, support, handoff, runbooks, quickstarts, closeout, post-launch review, and escalation procedures. Use after proposal/SOW or contract approval when Codex needs to run bounded agentic workflow delivery cleanly.
-version: 1.0.2
+version: 1.0.3
 metadata:
   openclaw:
     skillKey: agentic-delivery-skill
@@ -12,9 +12,13 @@ metadata:
         - python3
     install:
       - kind: uv
-        package: reportlab>=4.0
+        package: reportlab==4.5.1
       - kind: uv
-        package: pyyaml>=6.0
+        package: pypdfium2==5.8.0
+      - kind: uv
+        package: pillow==12.2.0
+      - kind: uv
+        package: pyyaml==6.0.3
 ---
 
 # Agentic Delivery Skill
@@ -87,6 +91,15 @@ When several artifacts fit, choose the one closest to the operational event. Do
 - `references/template-index.json`: machine-readable template metadata used by the renderer.
 - `scripts/render_delivery.py`: list delivery artifacts or render a draft with placeholders.
 
+## Runtime Permissions
+
+This skill needs local filesystem access only for its documented renderer workflow:
+
+- Reads bundled templates, references, examples, `assets/logo.png`, and user-provided Markdown or variable inputs.
+- Writes only to the user-selected `--out`, `--png`, `--markdown-out`, or default `output/` artifact paths.
+- Runs local Python entry points `scripts/render_delivery.py` and `scripts/render_pdf.py`.
+- Does not require network access, credential access, persistence, privilege escalation, or destructive file operations.
+
 ## Renderer
 
 ```bash

requirements.txt

@@ -1,5 +1,6 @@
 # Branded PDF artifact rendering (scripts/render_pdf.py)
-reportlab>=4.0
+reportlab==4.5.1
+pyyaml==6.0.3
 # Optional: only needed to also emit a PNG preview montage (scripts/render_pdf.py --png)
-pypdfium2>=4.30
-pillow>=10.0
+pypdfium2==5.8.0
+pillow==12.2.0

scripts/validate_quality.py

@@ -60,10 +60,7 @@ def run_ruff() -> None:
     if shutil.which("ruff"):
         run(["ruff", "check", "."])
         return
-    if shutil.which("uvx"):
-        run(["uvx", "ruff", "check", "."])
-        return
-    run([sys.executable, "-m", "ruff", "check", "."])
+    raise RuntimeError("ruff is required for quality validation")
 
 
 def compile_python() -> None:
@@ -205,11 +202,15 @@ def publish_candidate_files(patterns: list[str]) -> list[Path]:
 
 def assert_dependency(openclaw: dict[str, Any], package: str) -> None:
     installs = openclaw.get("install") or []
-    packages = {str(item.get("package", "")).split(">=", 1)[0].lower() for item in installs if isinstance(item, dict)}
+    packages = {package_name(str(item.get("package", ""))) for item in installs if isinstance(item, dict)}
     if package.lower() not in packages:
         raise RuntimeError(f"metadata.openclaw.install must declare {package}")
 
 
+def package_name(spec: str) -> str:
+    return re.split(r"[<>=!~]", spec, 1)[0].strip().lower()
+
+
 def validate_clawhub_bundle() -> None:
     data = frontmatter()
     name = data.get("name")