Feat/ai skills integration

.github/workflows/ci.yml

@@ -141,30 +141,11 @@ jobs:
       - name: Run govulncheck
         run: govulncheck ./...
 
-  changelog-guard:
-    name: Changelog Guard
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check for CHANGELOG.md changes
-        env:
-          GH_TOKEN: ${{ github.token }}
-        run: |
-          CHANGED_FILES=$(gh api repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/files --jq '.[].filename')
-          if echo "$CHANGED_FILES" | grep -q '^CHANGELOG.md$'; then
-            echo "::error::CHANGELOG.md should not be modified manually. It is auto-generated by git-cliff at release time."
-            echo ""
-            echo "Please revert your changes to CHANGELOG.md."
-            echo "The changelog is generated automatically from conventional commit messages (feat:, fix:, chore:, etc.)."
-            exit 1
-          fi
-          echo "CHANGELOG.md not modified - all good."
-
   ci-success:
     name: All CI Checks Passed
     runs-on: ubuntu-latest
     if: always()
-    needs: [lint, test, build, format, mod-tidy, vuln-scan, changelog-guard]
+    needs: [lint, test, build, format, mod-tidy, vuln-scan]
     steps:
       - name: Check results
         run: |
@@ -174,8 +155,4 @@ jobs:
               exit 1
             fi
           done
-          if [ "${{ needs.changelog-guard.result }}" != "success" ] && [ "${{ needs.changelog-guard.result }}" != "skipped" ]; then
-            echo "Changelog guard failed"
-            exit 1
-          fi
           echo "All CI checks passed successfully!"

.github/workflows/release.yml

@@ -52,18 +52,14 @@ jobs:
           # Release notes for this version only (passed to goreleaser)
           git-cliff --tag ${{ github.event.inputs.version }} --latest --strip header -o RELEASE_NOTES.md
 
-      - name: Commit, tag, and push release branch
+      - name: Tag and push release
         run: |
           VERSION="${{ github.event.inputs.version }}"
-          BRANCH="release/${VERSION}"
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
           git remote set-url origin https://x-access-token:${{ secrets.RELEASE_TOKEN }}@github.com/${{ github.repository }}
-          git checkout -b "${BRANCH}"
-          git add -A
-          git commit -m "chore(release): ${VERSION}"
           git tag "${VERSION}"
-          git push origin "${BRANCH}" --tags
+          git push origin --tags
 
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
@@ -114,7 +110,7 @@ jobs:
 
       - name: Sign checksum files with cosign
         # Keyless signing via GitHub OIDC. The certificate identity will be:
-        #   https://github.com/verda-cloud/verda-cli/.github/workflows/release.yml@refs/heads/release/<ver>
+        #   https://github.com/verda-cloud/verda-cli/.github/workflows/release.yml@refs/heads/main
         #
         # To verify manually:
         #   cosign verify-blob \
@@ -153,13 +149,18 @@ jobs:
             "dist/verda_${VER}_SHA256SUMS.sig" \
             "dist/verda_${VER}_SHA256SUMS.pem"
 
-      - name: Create PR to merge release into main
+      - name: Commit changelog and create PR
         env:
           GH_TOKEN: ${{ secrets.RELEASE_TOKEN }}
         run: |
           VERSION="${{ github.event.inputs.version }}"
+          BRANCH="chore/changelog-${VERSION}"
+          git checkout -b "${BRANCH}"
+          git add CHANGELOG.md
+          git commit -m "chore(release): update changelog for ${VERSION}"
+          git push origin "${BRANCH}"
           gh pr create \
             --base main \
-            --head "release/${VERSION}" \
-            --title "chore(release): ${VERSION}" \
-            --body "Automated release PR for ${VERSION}. Merges changelog and version updates into main."
+            --head "${BRANCH}" \
+            --title "chore(release): update changelog for ${VERSION}" \
+            --body "Updates CHANGELOG.md with release notes for ${VERSION}."

.gitignore

@@ -379,3 +379,6 @@ scripts/live-test.sh
 # AI working notes and implementation plans (not shipped)
 .ai/notes/
 docs/plans/
+
+# AI agent project-level configs (installed by users, not shipped)
+.cursor/

AGENTS.md

@@ -1,62 +1,48 @@
-# AI Agent Guidelines for Verda CLI
+# AI Agent Contract
 
-This document provides instructions for AI coding agents (Claude Code, Codex, etc.) working on this codebase.
+Read `CLAUDE.md` first. This file defines how you execute, not what the project is.
 
-## Before You Start
+## Mandatory Read-First, Plan-First Workflow
 
-1. Read `CLAUDE.md` for project overview, build commands, and architecture
-2. Read the `CLAUDE.md` in the specific subcommand directory you're working on (e.g., `cmd/vm/CLAUDE.md`)
-3. Read `.ai/skills/new-command.md` when creating or modifying CLI commands
-4. Run `go build ./...` and `go test ./...` to verify your changes compile and pass
+Do NOT write code until you have completed all steps below. No exceptions.
 
-## Skills
+**Step 1 — Read** (always, every task):
+1. `CLAUDE.md` (root) — architecture, conventions, pricing rules
+2. `CLAUDE.md` in the target command directory (e.g. `cmd/vm/CLAUDE.md`) — domain gotchas
+3. `README.md` in the target command directory — usage, flags, examples
+4. `.ai/skills/new-command.md` if adding or modifying a command
 
-Skills are structured guides in `.ai/skills/` that document patterns and checklists:
+**Step 2 — Verify** (always):
+5. Run `make test` to confirm the repo is green before you start
 
-| Skill | When to Use |
-|-------|-------------|
-| [new-command.md](.ai/skills/new-command.md) | Adding a new subcommand or modifying an existing one |
-| [update-command-knowledge.md](.ai/skills/update-command-knowledge.md) | Auto-updating per-command README.md and CLAUDE.md docs |
+**Step 3 — Plan** (required for non-trivial changes):
+6. State what you will change and why before writing code
+7. For risky areas (see table below): write a plan, get approval, then code
+8. If superpowers skills are available: use `brainstorming` before creative work, `writing-plans` before multi-step tasks, `test-driven-development` before implementation
 
-## Key Rules
+Skipping these steps leads to pattern violations, broken dual-mode, and pricing bugs.
 
-### Always
+## Execution Rules
 
-- Support `--debug` flag on every command that calls the API (use `cmdutil.DebugJSON`)
-- Wrap API calls with spinner + timeout context
-- Support both interactive (prompts) and non-interactive (flags) modes
-- Add confirmation for destructive actions
-- Register new commands in their parent command file and `cmd/cmd.go` if new domain
-- Run `go build ./...` and `go test ./...` before finishing
+- **Follow existing patterns** — find the nearest similar command, match its structure
+- **Preserve dual mode** — every command must work interactive AND non-interactive. Never build one without the other
+- **Never modify `verdagostack`** directly — describe needed changes for the maintainer
+- **Commit only when asked** — don't auto-commit
 
-### Never
+## Risky Areas — Slow Down
 
-- Skip the `--debug` output pattern
-- Make API calls without a timeout context
-- Write to `ioStreams.Out` for non-data output (use `ioStreams.ErrOut` for prompts/warnings/debug)
-- Forget to handle user cancellation (Esc/Ctrl+C returns nil error)
-- Use lipgloss v1 imports (`github.com/charmbracelet/lipgloss`) -- use `charm.land/lipgloss/v2`
-- Use bubbletea v1 imports -- use `charm.land/bubbletea/v2`
+| Area | Risk | What To Do |
+|------|------|------------|
+| `cmd/util/pricing.go` | Wrong math = wrong bills | Verify formula, test with real numbers |
+| `options/credentials.go` | Break auth = break everything | Test all profiles, expired tokens |
+| Agent mode (`--agent`) | JSON contract change = break downstream | Check structured error format |
+| Wizard steps | Step ordering, cache invalidation | Map dependencies before coding |
+| `verdagostack` types | Shared across repos | Don't modify, describe changes needed |
 
-### Dependencies
+## Done Checklist
 
-When modifying `verdagostack` (local replace):
-- Bubble Tea v2 changed `tea.KeyMsg` to `tea.KeyPressMsg`
-- `KeyPressMsg.String()` returns `"space"` not `" "` for space key
-- `KeyPressMsg.String()` returns `"enter"`, `"esc"`, `"backspace"`, `"tab"` for special keys
-- Wizard API uses `ViewDef` (not `RegionDef`), `NewProgressView` (not `NewProgressRegion`)
-
-## Project Layout
-
-```
-cmd/verda/main.go                          # Entrypoint
-internal/verda-cli/
-  cmd/cmd.go                               # Root command, command groups
-  cmd/util/                                # Factory, IOStreams, helpers, hostname
-  cmd/vm/                                  # VM: create, list, action, wizard, status_view
-  cmd/auth/                                # Auth: login, show, use, wizard
-  cmd/sshkey/                              # SSH keys: list, add, delete
-  cmd/startupscript/                       # Startup scripts: list, add, delete
-  cmd/volume/                              # Volumes: list, create, action, trash
-  options/                                 # Global options, credentials
-```
+- [ ] `make build` passes
+- [ ] `make test` passes
+- [ ] `--help` renders correctly for changed commands
+- [ ] Interactive and non-interactive modes both work
+- [ ] No leftover debug code, TODOs, or commented-out blocks

CHANGELOG.md

@@ -0,0 +1,146 @@
+# Changelog
+
+
+## [Unreleased]
+- [`d6fe448`] Feat/vm batch operation support
+- [`79cf7b7`] Feat/verda status dashboard
+- [`d2e2338`] Require --all for filter flags (--status, --hostname) in batch operations
+- [`72ccba7`] Update license
+- [`be03cc3`] Feat/verda template
+- [`dfa9753`] Refactor: architecture hardening + template edit command
+- [`d3fd513`] Add skills fetcher for downloading manifest and skill files from GitHub
+- [`f20ef84`] Add skills state management for tracking installed skills
+- [`23b671b`] Add skills parent command and wire into root with credential skip
+- [`a8051ea`] Add skills install subcommand with full fetch, select, and install flow
+- [`db96b93`] Add skills uninstall subcommand with interactive and non-interactive modes
+- [`f3b5345`] Refactor(skills): move agent definitions from hardcoded registry to manifest
+- [`c7c27dc`] Feat(skills): add --force flag to install subcommand
+- [`5049480`] Add agent mode skip wait and response immediately
+- [`e5a3576`] Refactor license
+- [`72b1457`] Feat(skills): add embedded skills package with manifest and skill files
+- [`ce8662c`] Refactor(skills): replace HTTP fetching with embedded skills package
+- [`a041a93`] Docs(skills): update descriptions to reflect embedded skills
+- [`17272a8`] Feat(skills): enrich help text and auto-update skills on CLI update
+- [`812e252`] Docs(skills): add template command reference to embedded skills
+- [`5d3537c`] Fix(skills): handle renamed skill files and track installed filenames
+- [`6b5f1bc`] Feat(skills): add file_map for per-agent file renaming, fix Codex install
+- [`491255c`] Fix(skills): update Gemini CLI to directory-based SKILL.md install
+- [`8db8123`] Chore: add .cursor/ to gitignore, add presenting results to skill
+- [`a4d021d`] Docs: rewrite CLAUDE.md and AGENTS.md for Go CLI specificity
+- [`315d574`] Docs(agents): enforce strict read-first, plan-first workflow
+- [`e1efa04`] Docs(agents): reference superpowers skills in plan step
+
+## [v1.4.2] - 2026-04-08
+- [`0095dee`] Fix: correct homebrew and scoop package name in README
+- [`6852d07`] Add auth resolve order explain
+- [`2fbf4a0`] Fix/refactor version sub command to --version/-v pararms
+- [`e4a5df9`] Image list show image type remove id
+- [`2f2d9b7`] Ssh add pipe support
+- [`c5f9cdd`] Add more test for auth command
+
+## [v1.4.1] - 2026-04-07
+- [`d0a3b8e`] Fix: update binary migration to ~/.verda/bin
+- [`bd28c3e`] Fix/vm create related bugs
+- [`5e19808`] Fix: use official gitleaks-action to fix 404 on version fetch
+
+## [v1.4.0] - 2026-04-07
+- [`a5c57bc`] Feat/agent mode and mcp
+- [`15ee7ff`] Fix/update command issue
+
+## [v1.3.2] - 2026-04-05
+- [`cfee0cb`] Fix: resolve verify checksum matching and changelog generation issues
+
+## [v1.3.1] - 2026-04-05
+- [`2b0f0c0`] Fix/verify version prefix
+
+## [v1.3.0] - 2026-04-05
+- [`a533db7`] Fix/update permission
+- [`e2960a7`] Feat/add deatils version command
+
+## [v1.2.0] - 2026-04-03
+- [`c0b869a`] Feat: add auto-maintained per-subcommand knowledge docs
+- [`4c2d084`] Feat/cli improvements
+
+## [v1.1.1] - 2026-04-02
+- [`7808962`] Docs: add VHS demo gif and skip CI for doc-only changes
+- [`f6217c8`] Docs: reformat README tables and restore demo gif embed
+- [`d10e094`] Feat: upgrade verdagostack to v1.1.2, add theme-aware hints and interactive theme selector
+
+## [v1.1.0] - 2026-04-02
+- [`d8dbeb4`] Feat: add self-update command, update README with install/update docs
+- [`3d3b2c3`] Fix(ci): add gitleaks config to allowlist VHS demo tape files
+- [`4dfadfa`] Fix: remove vhs/ from repo, add to gitignore
+
+## [v1.0.0] - 2026-04-02
+- [`3ee032a`] Feat(vm): add interactive wizard flow for vm create
+- [`99b1ccd`] Feat(auth): add interactive wizard flow for auth configure
+- [`87b337c`] Fix(vm): lazily resolve API client in wizard flow
+- [`6a01f97`] Fix(auth): improve error message when credentials are missing
+- [`91a9855`] Feat(auth): replace auth configure with auth login, add base_url
+- [`7bc108d`] Refactor: rename --server flag to --base-url
+- [`f36583c`] Refactor(auth): add verda_ prefix to credential file keys
+- [`0e928c1`] Fix(vm): check credentials before starting wizard
+- [`777256d`] Fix: hide auth and log flags from help output
+- [`9cb8382`] Fix: remove global flags section from subcommand help
+- [`3f6f78b`] Fix(auth): show base_url in auth show output
+- [`7931cff`] Feat(vm): pre-filter instance types by availability, show locations
+- [`516e301`] Refactor: adapt to verdagostack wizard engine v2
+- [`9090584`] Feat(vm): add spinners to API-loading steps and final submit
+- [`5ed5b3a`] Feat: use percentage progress bar in wizard flows
+- [`549324e`] Feat(vm): replace JSON output with live instance status view
+- [`6d6895b`] Feat(vm): add animated spinner and elapsed timer to status polling
+- [`7ee0a01`] Feat(vm): Claude-style animated status line while polling
+- [`e774c89`] Feat(vm): add inline SSH key creation sub-flow in wizard
+- [`2e657b2`] Feat(vm): add inline startup script creation sub-flow in wizard
+- [`5f39096`] Refactor(vm): inline "Add new" option in SSH keys and startup script lists
+- [`0ed66e7`] Feat(vm): add "load from file" option for startup script creation
+- [`f4b4a16`] Fix(vm): clarify startup script "None" label to "None (skip)"
+- [`7c59c57`] Feat(vm): replace simple storage step with full volume sub-flow
+- [`5d3d484`] Fix(vm): add back option and navigation hints to storage sub-flows
+- [`e78458c`] Fix(vm): handle API errors gracefully in SSH key and startup script creation
+- [`32b44fb`] Fix(vm): never crash wizard on sub-flow errors
+- [`a1ae326`] Fix(vm): fix SSH keys/storage/scripts lost after Loader, add --debug flag
+- [`2511532`] Feat(vm): add vm list command with interactive detail view
+- [`da4eb7a`] Fix(vm): simplify vm list to single interactive select
+- [`3144970`] Feat(vm): add vm delete command with interactive selection
+- [`e6b5db0`] Feat(vm): show storage volumes in instance detail card
+- [`a2332ac`] Fix(vm): deduplicate OS volume in storage list, add volume IDs
+- [`21a8097`] Fix(vm): render storage as table with header row in detail card
+- [`e7d96a0`] Fix(vm): show storage volumes as key-value list matching instance style
+- [`f2929e5`] Feat: make --debug a global flag available to all subcommands
+- [`eda167a`] Feat(vm): replace vm delete with vm action supporting all operations
+- [`da49a2a`] Fix(vm): remove action aliases to keep CLI surface simple
+- [`360b246`] Feat(vm): filter actions by instance status, add confirmation messages
+- [`513b09d`] Feat(vm): poll instance status after action until expected state
+- [`8ca148c`] Fix(vm): poll until expected status after action, not just any terminal
+- [`0ff708d`] Fix(vm): add 5-minute timeout to status polling
+- [`53705d7`] Feat(vm): add volume selection sub-flow to delete action
+- [`0d6425f`] Fix(vm): add red bold warnings to shutdown and force shutdown actions
+- [`7eb2e19`] Feat(vm): add deployment summary with cost breakdown before submit
+- [`4dde90c`] Fix(vm): fix pricing in deployment summary and instance type list
+- [`ab2c493`] Fix(vm): show price per hour in instance type selection list
+- [`d1821e1`] Fix(vm): multiply unit price by GPU/CPU count for total hourly price
+- [`539c9be`] Fix(vm): always show price for OS and storage volumes in summary
+- [`c0d560c`] Feat(vm): show unit price alongside total for volumes in summary
+- [`7fde23d`] Feat(vm): show volume prices in type selection and storage step
+- [`9d55c6a`] Feat(vm): show unit price breakdown for multi-GPU/CPU instances
+- [`26d3b11`] Fix(vm): API price_per_hour is total, not per-GPU — remove double multiply
+- [`719936e`] Feat: add ssh-key, startup-script, and volume resource commands
+- [`6471851`] Fix: remove key and script aliases for ssh-key and startup-script
+- [`f2e4977`] Feat(volume): replace delete with action command supporting all operations
+- [`add7f40`] Feat(volume): add volume create command
+- [`27b5c64`] Feat(volume): add pricing summary with confirm before creating volume
+- [`1f447d3`] Fix(volume): collect user input before spinner in rename/resize/clone
+- [`cbd7c06`] Feat(volume): add volume trash command to list deleted volumes
+- [`c07e06d`] Fix(volume): improve trash display with type, contract, and pricing
+- [`929f248`] Feat(volume): upgrade SDK to v1.4.1, use proper trash API
+- [`1d2f7d0`] Feat: upgrade to bubbletea v2, add settings/theme, CI/CD, cross-platform release
+- [`8a54571`] Feat: add install script, update README, preload editor template
+- [`d992cfd`] Fix: resolve gosec, errcheck, staticcheck, and trivy CI failures
+- [`bd4d5fd`] Fix(ci): pin trivy-action to v0.32.0 to avoid Node.js 20 deprecation warning
+- [`0517ce9`] Fix(ci): suppress gosec G304 in test file
+- [`c7c1955`] Fix(ci): use trivy-action v0.31.0 (v0.32.0 does not exist)
+- [`c14b115`] Fix(ci): revert trivy-action to @master (tagged versions not available)
+- [`e8ea655`] Fix: resolve all golangci-lint issues and formatting
+- [`9eccacf`] Fix: add -short flag to pre-commit unit tests to avoid slow API timeout tests
+- [`d4c0b43`] Fix: resolve remaining lint and gosec issues