feat: Phase 1+2 — 6 umbrella skills, curated anchors, evals, gap fixes

.claude-plugin/marketplace.json

@@ -0,0 +1,20 @@
+{
+  "name": "ping-identity-skills",
+  "owner": {
+    "name": "Ping Identity",
+    "email": "developer-experience@pingidentity.com"
+  },
+  "description": "Agent skills for Ping Identity platforms — six umbrella skills covering PingOne MT, PingOne Advanced Identity Cloud (ST), Ping Software Suite, DaVinci, universal services, app integration, and identity for AI.",
+  "plugins": [
+    {
+      "name": "ping-identity",
+      "source": "./plugins/ping-identity",
+      "displayName": "Ping Identity",
+      "description": "Six umbrella skills modelled on the Cloudflare few-broad-skills approach: ping-quickstart, ping-foundation, ping-orchestration, ping-universal-services, ping-app-integration, ping-identity-for-ai. Each routes by intent, platform family, exact product/service, and reference tier.",
+      "version": "1.0.0",
+      "author": { "name": "Ping Identity" },
+      "category": "identity",
+      "keywords": ["ping", "pingone", "aic", "davinci", "pingfederate", "pingaccess", "identity", "authentication", "ciam", "ai-identity"]
+    }
+  ]
+}

.claude-plugin/plugin.json

@@ -0,0 +1,6 @@
+{
+  "name": "ping-identity",
+  "version": "1.0.0",
+  "description": "Six-umbrella agent skill suite for Ping Identity platforms.",
+  "author": { "name": "Ping Identity" }
+}

.claude/settings.local.json

@@ -0,0 +1,21 @@
+{
+  "permissions": {
+    "allow": [
+      "mcp__plugin_polaris_glean__read_document",
+      "Bash(xargs sed *)",
+      "WebFetch(domain:docs.pingidentity.com)",
+      "mcp__plugin_polaris_glean__search",
+      "WebFetch(domain:docs.pingoneaic)",
+      "Bash(python3 *)",
+      "Skill(firecrawl:firecrawl-scrape)",
+      "WebFetch(domain:registry.npmjs.org)",
+      "WebFetch(domain:cdn-docs.pingidentity.com)",
+      "mcp__plugin_polaris_playwright__browser_navigate",
+      "WebFetch(domain:bedrock-runtime.eu-west-2.amazonaws.com)"
+    ]
+  },
+  "sandbox": {
+    "enabled": true,
+    "autoAllowBashIfSandboxed": true
+  }
+}

.cursor-plugin/marketplace.json

@@ -0,0 +1,11 @@
+{
+  "name": "ping-identity-skills",
+  "owner": { "name": "Ping Identity" },
+  "description": "Agent skills for Ping Identity platforms — six umbrella skills covering platform setup, orchestration, universal services, app integration, AI identity patterns, and platform routing.",
+  "plugins": [
+    {
+      "name": "ping-identity",
+      "source": "./plugins/ping-identity"
+    }
+  ]
+}

.cursor-plugin/plugin.json

@@ -0,0 +1,7 @@
+{
+  "name": "ping-identity",
+  "version": "1.0.0",
+  "description": "Six-umbrella agent skill suite for Ping Identity: PingOne MT, PingOne ST (AIC), Ping Software Suite, DaVinci, universal services, app integration, identity for AI.",
+  "author": { "name": "Ping Identity" },
+  "keywords": ["ping", "pingone", "aic", "davinci", "pingfederate", "identity", "authentication", "ciam", "ai-identity"]
+}

.github/workflows/build-reference-manifests.yml

@@ -0,0 +1,73 @@
+name: Build Reference Manifests
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "plugins/ping-identity/skills/*/references/curated/**/*.md"
+      - "scripts/build_reference_manifests.py"
+  pull_request:
+    paths:
+      - "plugins/ping-identity/skills/*/references/curated/**/*.md"
+      - "scripts/build_reference_manifests.py"
+  workflow_dispatch:
+
+jobs:
+  build-manifests:
+    name: Build reference manifests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Build manifests
+        run: python3 scripts/build_reference_manifests.py --root .
+
+      - name: Validate manifests against schema
+        run: |
+          pip install jsonschema --quiet
+          python3 - <<'PYEOF'
+          import json, sys
+          from pathlib import Path
+          from jsonschema import validate, ValidationError
+
+          schema = json.loads(Path("shared/schemas/reference-manifest-schema.json").read_text())
+          errors = []
+          for manifest in Path("plugins").rglob("top-*.json"):
+              data = json.loads(manifest.read_text())
+              # skip empty stubs
+              if data.get("docs") == [] and data.get("generated_at") is None:
+                  continue
+              try:
+                  validate(instance=data, schema=schema)
+              except ValidationError as e:
+                  errors.append(f"{manifest}: {e.message}")
+          if errors:
+              for e in errors:
+                  print(f"FAIL: {e}", file=sys.stderr)
+              sys.exit(1)
+          print(f"OK: {len(list(Path('plugins').rglob('top-*.json')))} manifest(s) validated")
+          PYEOF
+
+      - name: Check for changes
+        id: diff
+        run: |
+          git diff --name-only plugins/*/skills/*/references/generated/ | head -20
+          echo "changed=$(git diff --quiet plugins/*/skills/*/references/generated/ && echo false || echo true)" >> "$GITHUB_OUTPUT"
+
+      - name: Commit updated manifests
+        if: steps.diff.outputs.changed == 'true' && github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add plugins/*/skills/*/references/generated/top-*.json
+          git commit -m "chore(generated): rebuild reference manifests [skip ci]"
+          git push

.gitignore

@@ -0,0 +1 @@
+.playwright-mcp/

.well-known/agent-skills/index.json

@@ -0,0 +1,5 @@
+{
+  "$schema": "https://agentskills.io/spec/v0.2.0/index.schema.json",
+  "version": "0.2.0",
+  "skills": []
+}

CLAUDE.md

@@ -0,0 +1,73 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## What this repo is
+
+A **public-facing skill package** that exposes Ping Identity's agent skills through a unified layer. It is consumed by AI agents (Claude Code, Copilot CLI, Gemini CLI, etc.) to guide reasoning about Ping Identity platforms — not executed as application code.
+
+The repo ships one plugin: `plugins/ping-identity/`, which contains skills, reference files, and routing logic. The `/shared/` directory holds canonical taxonomies, schemas, templates, and evals that apply across all plugins.
+
+## No build system
+
+There are no build, compile, test, or lint commands. All content is Markdown and JSON. The only automated concern is frontmatter validation (CI rejects reference `.md` files with missing required fields).
+
+## Skill authoring
+
+Every skill lives in `plugins/<plugin>/skills/<skill-name>/`:
+- `SKILL.md` — routing logic only (≤120 lines); structured as: when to use → when NOT to use → multi-skill use cases → routing tables → retrieval escalation
+- `ping-marketplace.json` — skill metadata for the Claude Code marketplace
+- `references/curated/` — hand-authored task-completing docs (150–400 lines, `canonical: true`)
+- `references/generated/` — CI-populated shortlists and stubs (`canonical: false`)
+
+Before writing any `SKILL.md` or reference file, read `shared/templates/AUTHORING-RULES.md` in full — it is the single source of truth for all authoring rules. Key constraints enforced in review:
+- Every reference `.md` requires a complete frontmatter block (`title`, `product_family`, `capabilities`, `doc_type`, `status` are mandatory)
+- `product_family` in frontmatter must match the file's directory path (e.g., a file in `pingone-st/` must have `product_family: pingone-st`)
+- Curated anchors must include a `## Scope` section with explicit Covers/Does NOT cover statements
+- No UI navigation steps ("click X", "navigate to Y") — write configuration facts, field tables, and decision rules instead
+- Cross-references must use repo-relative paths, never absolute paths or bare filenames
+- Plugin files (`plugins/<plugin>/`) must not reference anything in `/shared/`
+
+## Reference file structure (curated anchors)
+
+Follow this section order:
+```
+# Title
+One-sentence description.
+## Scope
+## [Content sections — tables, decision rules, constraints]
+## Prerequisites
+## Common variants
+## Related references
+## Source
+```
+
+## Routing architecture
+
+Skills route requests in three steps:
+1. **Skill selection** — match user intent to the correct skill (`ping-quickstart`, `ping-foundation`, `ping-orchestration`, `ping-universal-services`, `ping-app-integration`, `ping-identity-for-ai`)
+2. **Platform detection** — classify as `pingone-mt`, `pingone-st`, `ping-software`, or `cross-platform`
+3. **Reference tier** — load curated anchors first (1–3 max); fall back to generated shortlist; only query external Docs MCP if both are insufficient
+
+Canonical routing rules: `shared/taxonomies/routing-rules.md`. Platform family definitions: `shared/taxonomies/platform-families.md`. Plugin-local routing (for standalone installs without `/shared/`): `plugins/ping-identity/routing-hints.md`.
+
+## Adding a new skill
+
+1. Create `plugins/ping-identity/skills/<skill-name>/` with `SKILL.md` and `ping-marketplace.json`
+2. The `name` field in `SKILL.md` frontmatter must exactly match the directory name
+3. Add the skill to `plugins/ping-identity/plugin-map.md` and `plugins/ping-identity/references/index.json`
+4. Write at least 3 benchmark prompts that should trigger the skill and 2 that should not — validate with `shared/evals/routing-eval.md`
+5. Use `shared/templates/SKILL.template.md` as the starting structure
+
+## Eval format
+
+Run skill routing evals using the format in `shared/evals/routing-eval.md`. The scorecard has five dimensions: Routing Correctness (30), Context Correctness (25), Answer Correctness (20), Token Efficiency (15), Fallback Discipline (10). A run fails at <80/100 or any hard-gate violation (wrong umbrella skill, major factual error, unnecessary external docs call, token spend >150% of minimum).
+
+## Plugin standalone vs. full-repo
+
+The plugin at `plugins/ping-identity/` is designed to work standalone (without `/shared/`). In that mode it uses its own orientation files (`README.md`, `plugin-map.md`, `platform-scope.md`, `routing-hints.md`). When the full repo is present, `/shared/taxonomies/` is authoritative and overrides plugin-local equivalents.
+
+## GitHub
+
+Remote: `https://github.com/brando-dill_pingcorp/agent-skills.git`  
+Use the `george-bafaloukas_pingcorp` EMU account for all `gh` operations (`gh auth switch --user george-bafaloukas_pingcorp`).