Skip to content

Commit 1bcebef

Browse files
arcjet-reiclaude
andauthored
feat(skills): migrate to canonical names with deprecated aliases (#6)
* feat(skills): migrate to canonical names with deprecated aliases Rename plugin skills to match the canonical names in arcjet/skills: - New skills/add-request-protection/ — canonical HTTP route protection skill, replacing protect-route and the HTTP slice of add-ai-protection. Includes integrated CLI workflows for auth, site/key setup, decision verification (arcjet watch), and remote rule management. - skills/add-guard-protection/ synced with the canonical version, including refreshed references/javascript.md and references/python.md. - skills/protect-route/ and skills/add-ai-protection/ are now deprecation alias stubs (frontmatter metadata.internal: true). Invoking either tells the user the canonical replacement and then proceeds with the canonical skill, so existing prompts and saved transcripts continue to work. Also updates README to list canonical skills, link arcjet/skills as the source of truth, document the CLI install order (npx, brew, install script, GitHub Releases), and drop the obsolete claim that arcjet skills install writes ARCJET.md into the project. rules/arcjet-cli.mdc updated similarly. Prepares the plugin for the Arcjet CLI 1.0.0 release. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(rules): drop arcjet skills CLI bullet, point at npx skills add directly Skill installation is not a use case for the CLI — point users at `npx skills add arcjet/skills` directly when they need skills outside the plugin context. --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 73ebd6f commit 1bcebef

8 files changed

Lines changed: 582 additions & 404 deletions

File tree

CHANGELOG.md

Lines changed: 23 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -11,22 +11,38 @@ this project adheres to [Semantic Versioning](https://semver.org/).
1111

1212
- Arcjet CLI integration. The plugin now invokes the CLI for capabilities
1313
the MCP server does not expose: `arcjet watch` for live request streaming
14-
during incident response, and `arcjet skills install` for project-local
15-
skill installation. Commands run via `npx -y @arcjet/cli@latest` so no
16-
install is required. Setup, read-side analysis, and rule CRUD continue to
17-
use the MCP server.
14+
during incident response, plus authentication, site/key setup, and remote
15+
rule management. Commands run via `npx -y @arcjet/cli@latest` so no
16+
install is required. Read-side analysis and rule inspection remain
17+
available on the MCP server.
1818
- New `rules/arcjet-cli.mdc` rule explaining when to reach for the CLI vs
1919
MCP, the npx invocation pattern, and agent-friendly flags
2020
(`--output json`, `--fields`).
21+
- New `skills/add-request-protection/` skill — the canonical name for HTTP
22+
route protection, replacing `skills/protect-route` and the HTTP slice of
23+
`skills/add-ai-protection`. Sourced from
24+
[arcjet/skills](https://github.com/arcjet/skills) and includes integrated
25+
CLI workflows for authentication, site setup, decision verification
26+
(`arcjet watch`), and remote rule management.
2127

2228
### Changed
2329

2430
- `agents/security-analyst.md` now uses `arcjet watch` for continuous
2531
monitoring during active incidents, instead of polling `list-requests`
2632
over MCP.
27-
- `skills/protect-route`, `skills/add-ai-protection`, and
28-
`skills/add-guard-protection` now end with an optional step that runs
29-
`arcjet skills install` to write `ARCJET.md` into the project.
33+
- `skills/add-guard-protection/` synced with the canonical version from
34+
[arcjet/skills](https://github.com/arcjet/skills), including refreshed
35+
`references/javascript.md` and `references/python.md`.
36+
- `skills/protect-route/` and `skills/add-ai-protection/` are now
37+
deprecation aliases. Invoking them instructs the agent to tell the user
38+
the canonical replacement (`/arcjet:add-request-protection` or
39+
`/arcjet:add-guard-protection`) and then proceed with that skill. The
40+
alias directories are preserved so saved transcripts and existing
41+
workflows continue to resolve.
42+
- README updated to reflect the canonical skill names, link
43+
[arcjet/skills](https://github.com/arcjet/skills) as the source of truth,
44+
and document the CLI install methods (npx, Homebrew, install script,
45+
GitHub Releases archive).
3046

3147
## [1.0.0] - 2026-04-08
3248

README.md

Lines changed: 31 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -5,9 +5,9 @@
55
The [Arcjet plugin](https://github.com/arcjet/arcjet-plugin) turns any supported AI coding agent into a security expert. It pre-loads agents with knowledge of the Arcjet security platform and automatically injects the right guidance based on what you're working on — framework-specific SDK patterns, protection rules, and best practices.
66

77
- **MCP integration** — connects to the [Arcjet MCP Server](https://docs.arcjet.com/mcp-server) for traffic analysis, request inspection, IP investigation, and remote rule management
8-
- **CLI integration** — invokes the [Arcjet CLI](https://docs.arcjet.com/cli) for capabilities the MCP server does not expose (live request streaming, project-local skill installation)
8+
- **CLI integration** — invokes the [Arcjet CLI](https://docs.arcjet.com/cli) for authentication, site/key setup, live request streaming, and remote rule management
99
- **Security-aware coding rules** — framework-specific guidance activates automatically when you work in route handlers, API endpoints, and AI/LLM code
10-
- **Skills** — task-oriented workflows for adding protection to routes and securing AI endpoints
10+
- **Skills** — task-oriented workflows sourced from [arcjet/skills](https://github.com/arcjet/skills) for adding protection to HTTP routes and non-HTTP code paths
1111
- **Security analyst agent** — investigates threats, analyzes traffic, and manages rules via MCP
1212

1313
## Installation
@@ -20,17 +20,36 @@ That's it. The plugin activates automatically — security guidance appears when
2020

2121
You can also point your agent at the [agent get started documentation](https://docs.arcjet.com/agent-get-started).
2222

23+
### Arcjet CLI
24+
25+
The plugin invokes the Arcjet CLI for authentication, site management, and live request streaming. Install it via any of:
26+
27+
1. `npx -y @arcjet/cli@latest <command>` — no install required, works on macOS, Linux, and Windows
28+
2. `brew install arcjet` — Homebrew tap
29+
3. `curl -sSfL https://arcjet.com/cli/install.sh | bash` — install script
30+
4. [GitHub Releases archive](https://github.com/arcjet/arcjet-cli/releases) — for internal redistribution and air-gapped environments
31+
2332
## How It Works
2433

2534
After installing, guidance activates automatically. The plugin detects what you're working on and injects Arcjet expertise. Just use your AI agent as you normally would.
2635

2736
### Skills
2837

29-
| Skill | Purpose |
30-
| ------------------------------ | --------------------------------------------------------------------------------------------------------- |
31-
| `/arcjet:protect-route` | Add Arcjet protection to any route handler — detects framework, sets up client, applies rules |
32-
| `/arcjet:add-ai-protection` | Add prompt injection detection, PII blocking, and token budget rate limiting to AI HTTP endpoints |
33-
| `/arcjet:add-guard-protection` | Add Arcjet Guard to non-HTTP code paths — AI agent tool calls, MCP tool handlers, background jobs/workers |
38+
The plugin's skills are sourced from [arcjet/skills](https://github.com/arcjet/skills), the canonical agent skills surface for Arcjet.
39+
40+
| Skill | Purpose |
41+
| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
42+
| `/arcjet:add-request-protection` | Add Arcjet protection to any HTTP route or endpoint — detects framework, sets up client, applies rules. Includes AI/LLM endpoint guidance (chat, completion). |
43+
| `/arcjet:add-guard-protection` | Add Arcjet Guard to non-HTTP code paths — AI agent tool calls, MCP tool handlers, background jobs/workers |
44+
45+
#### Deprecated aliases
46+
47+
The previous skill names are kept as deprecation aliases. Invoking them tells the user the new name and then proceeds with the canonical workflow — existing prompts, prompts in saved transcripts, and project-local references continue to work.
48+
49+
| Deprecated alias | Replacement |
50+
| --------------------------- | --------------------------------------------------------------------------------------------------- |
51+
| `/arcjet:protect-route` | `/arcjet:add-request-protection` |
52+
| `/arcjet:add-ai-protection` | `/arcjet:add-request-protection` (HTTP endpoints) or `/arcjet:add-guard-protection` (non-HTTP code) |
3453

3554
### Rules (auto-activated)
3655

@@ -59,14 +78,15 @@ The MCP server connects automatically via OAuth when the plugin is installed. Yo
5978

6079
### CLI
6180

62-
The plugin uses the [Arcjet CLI](https://docs.arcjet.com/cli) for two specific capabilities the MCP server does not expose:
81+
The plugin uses the [Arcjet CLI](https://docs.arcjet.com/cli) for capabilities that benefit from a real terminal session:
6382

83+
- **Authentication and site/key setup**`arcjet auth login`, `arcjet teams list`, `arcjet sites list/create/get-key`. The CLI is the primary way to bootstrap a new project's `ARCJET_KEY`.
6484
- **Live request streaming**`arcjet watch --site-id <id>` is invoked by the security analyst agent during active incident response, when polling `list-requests` over MCP would be too coarse.
65-
- **Project-local skill installation**`arcjet skills install` is run after each skill workflow to write an `ARCJET.md` skills file into the project, giving future agent turns zero-round-trip discovery.
85+
- **Remote rule management**`arcjet rules create/list/promote/update/delete` for managing rules without code changes or redeployment.
6686

67-
No install is required. Commands are invoked as `npx -y @arcjet/cli@latest <command>`, which works on macOS, Linux, and Windows. If a local `arcjet` binary is on `PATH` (Homebrew, npm global, release archive), the plugin uses it directly. CLI authentication uses the same browser-based device flow as `gh auth login` or `vercel login`.
87+
No install is required. Commands are invoked as `npx -y @arcjet/cli@latest <command>`, which works on macOS, Linux, and Windows. If a local `arcjet` binary is on `PATH` (Homebrew, install script, GitHub Releases archive), the plugin uses it directly. CLI authentication uses the same browser-based device flow as `gh auth login` or `vercel login`.
6888

69-
Setup commands, read-side analysis, and rule CRUD remain on the MCP server.
89+
Read-side analysis and rule inspection over a structured tool interface remain available on the MCP server.
7090

7191
### Security Analyst Agent
7292

rules/arcjet-cli.mdc

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -23,13 +23,13 @@ Reach for the Arcjet CLI in these specific cases:
2323
API and prints decisions as they happen. MCP has no streaming equivalent.
2424
Use during active incident response or when verifying that a newly added
2525
rule is matching the expected traffic.
26-
- **Project-local skill installation** — `arcjet skills install` writes an
27-
`ARCJET.md` skills file into the current project so future agent turns can
28-
discover Arcjet capabilities without a docs round trip. The CLI is the
29-
source of truth for skill content; do not duplicate it.
30-
- **Guided SDK setup** — `arcjet skills initialize` runs an interactive setup
31-
that installs the SDK and configures the application. Use as an alternative
32-
to manually walking the user through `/arcjet:protect-route`.
26+
- **Authentication and site/key setup** — `arcjet auth login`,
27+
`arcjet teams list`, `arcjet sites list/create/get-key`. The CLI is the
28+
primary way to bootstrap a new project's `ARCJET_KEY`.
29+
30+
If a user needs the canonical Arcjet skills outside this plugin (for example,
31+
in a different agent client), point them at `npx skills add arcjet/skills`
32+
directly — the CLI is not the right entry point for skill installation.
3333

3434
## Invocation
3535

0 commit comments

Comments
 (0)