Add repair skill and refactor skill naming

.claude-plugin/marketplace.json

@@ -9,46 +9,46 @@
   },
   "plugins": [
     {
-      "name": "scan",
-      "source": "./skills/scan",
+      "name": "research-scan",
+      "source": "./skills/research-scan",
       "skills": "./",
-      "description": "Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, and performs Tier 1 reachability analysis for enterprise customers."
+      "description": "Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation."
     },
     {
-      "name": "inspect",
-      "source": "./skills/inspect",
+      "name": "research-inspect",
+      "source": "./skills/research-inspect",
       "skills": "./",
       "description": "Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches."
     },
     {
-      "name": "patch",
-      "source": "./skills/patch",
+      "name": "dep-patch",
+      "source": "./skills/dep-patch",
       "skills": "./",
-      "description": "Apply Socket's binary-level security patches without changing dependency versions, and set up automated patching infrastructure. Uses socket-patch apply to fix vulnerabilities in-place across CI/CD and local development."
+      "description": "Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill."
     },
     {
       "name": "setup",
       "source": "./skills/setup",
       "skills": "./",
-      "description": "Set up Socket — prompt for API key, install the CLI, authenticate, configure CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems."
+      "description": "Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems."
     },
     {
-      "name": "upgrade",
-      "source": "./skills/upgrade",
+      "name": "dep-upgrade",
+      "source": "./skills/dep-upgrade",
       "skills": "./",
-      "description": "Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration."
+      "description": "Use socket fix to find and update vulnerable dependencies one at a time, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration."
     },
     {
-      "name": "cleanup",
-      "source": "./skills/cleanup",
+      "name": "dep-cleanup",
+      "source": "./skills/dep-cleanup",
       "skills": "./",
-      "description": "Find and remove unused dependencies from your project. Scans the codebase for import and usage patterns across npm, PyPI, Cargo, Bundler, Maven, NuGet, Go, pnpm, and Yarn to identify dependencies that are no longer referenced."
+      "description": "Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification."
     },
     {
-      "name": "audit",
-      "source": "./skills/audit",
+      "name": "repair",
+      "source": "./skills/repair",
       "skills": "./",
-      "description": "Generate compliance reports, SBOMs, and license audits for your project. Produces CycloneDX/SPDX output, aggregates license usage, flags problematic licenses, and creates a compliance summary using Socket data."
+      "description": "Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full)."
     }
   ]
 }

.github/workflows/generate-agents.yml

@@ -59,30 +59,6 @@ jobs:
       - name: Run structural tests (Tier 1)
         run: npm run test:structural
 
-  test-mcp:
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-
-      - name: Set up Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
-        with:
-          node-version: "20"
-
-      - name: Install dependencies
-        run: npm ci || npm install
-
-      - name: Run structural tests (Tier 1)
-        run: npm run test:structural
-
-      - name: Run MCP tests (Tier 2)
-        if: env.SOCKET_SECURITY_API_KEY != ''
-        env:
-          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
-        run: npm run test:mcp
-
   test-e2e:
     if: >
       github.event_name == 'workflow_dispatch' &&

README.md

@@ -123,15 +123,40 @@ This repository contains security-focused skills for dependency management. You
 
 <!-- This table is auto-generated by scripts/generate-agents.ts. Do not edit manually. -->
 <!-- BEGIN_SKILLS_TABLE -->
+#### Setup
+
+Install, authenticate, and configure Socket for your project.
+
+| Name | Description | Documentation |
+|------|-------------|---------------|
+| `setup` | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. | [SKILL.md](skills/setup/SKILL.md) |
+
+#### Research
+
+Scan dependencies and inspect individual packages for security risks.
+
+| Name | Description | Documentation |
+|------|-------------|---------------|
+| `research-inspect` | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | [SKILL.md](skills/research-inspect/SKILL.md) |
+| `research-scan` | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. | [SKILL.md](skills/research-scan/SKILL.md) |
+
+#### Dependency Management
+
+Upgrade, patch, and clean up individual dependencies.
+
+| Name | Description | Documentation |
+|------|-------------|---------------|
+| `dep-cleanup` | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. | [SKILL.md](skills/dep-cleanup/SKILL.md) |
+| `dep-patch` | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill. | [SKILL.md](skills/dep-patch/SKILL.md) |
+| `dep-upgrade` | Use socket fix to find and update vulnerable dependencies one at a time, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. | [SKILL.md](skills/dep-upgrade/SKILL.md) |
+
+#### Repair
+
+Holistic dependency repair — orchestrate cleanup, patching, and upgrades in a single phased workflow.
+
 | Name | Description | Documentation |
 |------|-------------|---------------|
-| `audit` | Generate compliance reports, SBOMs, and license audits for your project. Produces CycloneDX/SPDX output, aggregates license usage, flags problematic licenses, and creates a compliance summary using Socket data. | [SKILL.md](skills/audit/SKILL.md) |
-| `cleanup` | Find and remove unused dependencies from your project. Scans the codebase for import and usage patterns across npm, PyPI, Cargo, Bundler, Maven, NuGet, Go, pnpm, and Yarn to identify dependencies that are no longer referenced. | [SKILL.md](skills/cleanup/SKILL.md) |
-| `inspect` | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | [SKILL.md](skills/inspect/SKILL.md) |
-| `patch` | Apply Socket's binary-level security patches without changing dependency versions, and set up automated patching infrastructure. Uses socket-patch apply to fix vulnerabilities in-place across CI/CD and local development. | [SKILL.md](skills/patch/SKILL.md) |
-| `scan` | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, and performs Tier 1 reachability analysis for enterprise customers. | [SKILL.md](skills/scan/SKILL.md) |
-| `setup` | Set up Socket — prompt for API key, install the CLI, authenticate, configure CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. | [SKILL.md](skills/setup/SKILL.md) |
-| `upgrade` | Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. | [SKILL.md](skills/upgrade/SKILL.md) |
+| `repair` | Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). | [SKILL.md](skills/repair/SKILL.md) |
 <!-- END_SKILLS_TABLE -->
 
 ## Contributing

agents/AGENTS.md

@@ -6,13 +6,13 @@ You have additional SKILLs documented in directories containing a "SKILL.md" fil
 
 | Skill | Description |
 |-------|-------------|
-| audit | Generate compliance reports, SBOMs, and license audits for your project. Produces CycloneDX/SPDX output, aggregates license usage, flags problematic licenses, and creates a compliance summary using Socket data. |
-| cleanup | Find and remove unused dependencies from your project. Scans the codebase for import and usage patterns across npm, PyPI, Cargo, Bundler, Maven, NuGet, Go, pnpm, and Yarn to identify dependencies that are no longer referenced. |
-| inspect | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. |
-| patch | Apply Socket's binary-level security patches without changing dependency versions, and set up automated patching infrastructure. Uses socket-patch apply to fix vulnerabilities in-place across CI/CD and local development. |
-| scan | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, and performs Tier 1 reachability analysis for enterprise customers. |
-| setup | Set up Socket — prompt for API key, install the CLI, authenticate, configure CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. |
-| upgrade | Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. |
+| dep-cleanup | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. |
+| dep-patch | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill. |
+| dep-upgrade | Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. |
+| repair | Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). Delegates to /dep-cleanup, /dep-patch, and /dep-upgrade as subroutines. |
+| research-inspect | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. |
+| research-scan | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. |
+| setup | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. |
 
 ## Usage
 
@@ -25,10 +25,10 @@ Paths referenced within SKILL folders are relative to that SKILL. For example th
 ## Skill Files
 
 The skills are located in:
-- `skills/audit/SKILL.md`
-- `skills/cleanup/SKILL.md`
-- `skills/inspect/SKILL.md`
-- `skills/patch/SKILL.md`
-- `skills/scan/SKILL.md`
+- `skills/dep-cleanup/SKILL.md`
+- `skills/dep-patch/SKILL.md`
+- `skills/dep-upgrade/SKILL.md`
+- `skills/repair/SKILL.md`
+- `skills/research-inspect/SKILL.md`
+- `skills/research-scan/SKILL.md`
 - `skills/setup/SKILL.md`
-- `skills/upgrade/SKILL.md`

scripts/generate-agents.ts

@@ -66,25 +66,70 @@ function loadMarketplace(): Marketplace {
   return JSON.parse(fs.readFileSync(MARKETPLACE_PATH, "utf-8"));
 }
 
+interface CategoryDef {
+  label: string;
+  description: string;
+}
+
+const CATEGORIES: [string, CategoryDef][] = [
+  ["setup", { label: "Setup", description: "Install, authenticate, and configure Socket for your project." }],
+  ["research", { label: "Research", description: "Scan dependencies and inspect individual packages for security risks." }],
+  ["dep", { label: "Dependency Management", description: "Upgrade, patch, and clean up individual dependencies." }],
+  ["repair", { label: "Repair", description: "Holistic dependency repair — orchestrate cleanup, patching, and upgrades in a single phased workflow." }],
+];
+
+function getCategory(skillName: string): string {
+  if (skillName === "setup") return "setup";
+  if (skillName.startsWith("research-")) return "research";
+  if (skillName.startsWith("dep-")) return "dep";
+  if (skillName === "repair") return "repair";
+  return "setup";
+}
+
 function generateReadmeTable(skills: Skill[]): string {
   const marketplace = loadMarketplace();
   const pluginsBySource = new Map<string, MarketplacePlugin>();
   for (const p of marketplace.plugins) {
     pluginsBySource.set(p.source, p);
   }
 
-  const lines = [
-    "| Name | Description | Documentation |",
-    "|------|-------------|---------------|",
-  ];
-
+  const grouped = new Map<string, Skill[]>();
+  for (const [key] of CATEGORIES) {
+    grouped.set(key, []);
+  }
   for (const skill of skills) {
-    const source = `./${skill.path}`;
-    const plugin = pluginsBySource.get(source);
-    const name = plugin?.name ?? skill.name;
-    const description = plugin?.description ?? skill.description;
-    const docLink = `[SKILL.md](${skill.path}/SKILL.md)`;
-    lines.push(`| \`${name}\` | ${description} | ${docLink} |`);
+    const cat = getCategory(skill.name);
+    grouped.get(cat)?.push(skill);
+  }
+
+  const lines: string[] = [];
+
+  for (const [key, def] of CATEGORIES) {
+    const catSkills = grouped.get(key);
+    if (!catSkills || catSkills.length === 0) continue;
+
+    lines.push(`#### ${def.label}`);
+    lines.push("");
+    lines.push(def.description);
+    lines.push("");
+    lines.push("| Name | Description | Documentation |");
+    lines.push("|------|-------------|---------------|");
+
+    for (const skill of catSkills) {
+      const source = `./${skill.path}`;
+      const plugin = pluginsBySource.get(source);
+      const name = plugin?.name ?? skill.name;
+      const description = plugin?.description ?? skill.description;
+      const docLink = `[SKILL.md](${skill.path}/SKILL.md)`;
+      lines.push(`| \`${name}\` | ${description} | ${docLink} |`);
+    }
+
+    lines.push("");
+  }
+
+  // Remove trailing empty line
+  while (lines.length > 0 && lines[lines.length - 1] === "") {
+    lines.pop();
   }
 
   return lines.join("\n");