github · Kinosaur · Jun 14, 2026 · Jun 14, 2026
@@ -190,6 +190,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to
 | [github-copilot-starter](../skills/github-copilot-starter/SKILL.md)<br />`gh skills install github/awesome-copilot github-copilot-starter` | Set up complete GitHub Copilot configuration for a new project based on technology stack | None |
 | [github-issues](../skills/github-issues/SKILL.md)<br />`gh skills install github/awesome-copilot github-issues` | Create, update, and manage GitHub issues using MCP tools. Use this skill when users want to create bug reports, feature requests, or task issues, update existing issues, add labels/assignees/milestones, set issue fields (dates, priority, custom fields), set issue types, manage issue workflows, link issues, add dependencies, or track blocked-by/blocking relationships. Triggers on requests like "create an issue", "file a bug", "request a feature", "update issue X", "set the priority", "set the start date", "link issues", "add dependency", "blocked by", "blocking", or any GitHub issue management task. | `references/dependencies.md`<br />`references/images.md`<br />`references/issue-fields.md`<br />`references/issue-types.md`<br />`references/projects.md`<br />`references/search.md`<br />`references/sub-issues.md`<br />`references/templates.md` |
 | [github-release](../skills/github-release/SKILL.md)<br />`gh skills install github/awesome-copilot github-release` | Guides IA through releasing a new version of a GitHub library end-to-end. Handles SemVer versioning and Keep a Changelog formatting automatically. | `references/commit-classification.md`<br />`references/semver-rules.md` |
+| [github-repository-inventory](../skills/github-repository-inventory/SKILL.md)<br />`gh skills install github/awesome-copilot github-repository-inventory` | Builds a read-only, evidence-based inventory of the repositories connected to a GitHub account — not just owned repos, but every repo the account demonstrably contributed to (authored or reviewed pull requests, authored issues, commits) or has access to (collaborator, organization). Records the evidence and a confidence level for each relationship and never conflates access with contribution. Privacy-first — public-only by default, no token storage, with private repo content redacted. Also captures metadata, README availability, technology stack, and project type. Use when asked what a GitHub account has contributed to or worked on, to reconstruct a developer's verifiable GitHub footprint across owned and external repos, or to catalogue, audit, or summarize the projects and technologies behind an account. | `assets/projects-template.md`<br />`references/limitations.md`<br />`references/privacy-rules.md`<br />`references/relationship-model.md`<br />`references/repository-schema.md`<br />`scripts/detect_technologies.py`<br />`scripts/inventory.py` |
 | [go-mcp-server-generator](../skills/go-mcp-server-generator/SKILL.md)<br />`gh skills install github/awesome-copilot go-mcp-server-generator` | Generate a complete Go MCP server project with proper structure, dependencies, and implementation using the official github.com/modelcontextprotocol/go-sdk. | None |
 | [gsap-framer-scroll-animation](../skills/gsap-framer-scroll-animation/SKILL.md)<br />`gh skills install github/awesome-copilot gsap-framer-scroll-animation` | Use this skill whenever the user wants to build scroll animations, scroll effects, parallax, scroll-triggered reveals, pinned sections, horizontal scroll, text animations, or any motion tied to scroll position — in vanilla JS, React, or Next.js. Covers GSAP ScrollTrigger (pinning, scrubbing, snapping, timelines, horizontal scroll, ScrollSmoother, matchMedia) and Framer Motion / Motion v12 (useScroll, useTransform, useSpring, whileInView, variants). Use this skill even if the user just says "animate on scroll", "fade in as I scroll", "make it scroll like Apple", "parallax effect", "sticky section", "scroll progress bar", or "entrance animation". Also triggers for Copilot prompt patterns for GSAP or Framer Motion code generation. Pairs with the premium-frontend-ui skill for creative philosophy and design-level polish. | `references/framer.md`<br />`references/gsap.md` |
 | [gtm-0-to-1-launch](../skills/gtm-0-to-1-launch/SKILL.md)<br />`gh skills install github/awesome-copilot gtm-0-to-1-launch` | Launch new products from idea to first customers. Use when launching products, finding early adopters, building launch week playbooks, diagnosing why adoption stalls, or learning that press coverage does not equal growth. Includes the three-layer diagnosis, the 2-week experiment cycle, and the launch that got 50K impressions and 12 signups. | None |

@@ -0,0 +1,97 @@
+---
+name: github-repository-inventory
+description: Builds a read-only, evidence-based inventory of the repositories connected to a GitHub account — not just owned repos, but every repo the account demonstrably contributed to (authored or reviewed pull requests, authored issues, commits) or has access to (collaborator, organization). Records the evidence and a confidence level for each relationship and never conflates access with contribution. Privacy-first — public-only by default, no token storage, with private repo content redacted. Also captures metadata, README availability, technology stack, and project type. Use when asked what a GitHub account has contributed to or worked on, to reconstruct a developer's verifiable GitHub footprint across owned and external repos, or to catalogue, audit, or summarize the projects and technologies behind an account.
+license: MIT
+compatibility: Requires Python 3.11+ and an authenticated GitHub CLI (gh) v2.90.0+. Network access to the GitHub API required. Read-only; never modifies repositories.
+allowed-tools: Bash(gh:*) Bash(python3:*) Read
+metadata:
+  author: Kinosaur
+  version: "1.0.2"
+---
+
+# GitHub Repository Inventory
+
+Use this skill when a user wants an evidence-based view of a GitHub account's footprint —
+above all, **what the account has actually contributed to** (across repos it does not own),
+with the evidence and confidence for each relationship. It also catalogues, audits, and
+summarizes the owned projects and their technologies.
+
+## Safety defaults
+
+- Read-only. Never modify repositories; never call a mutating endpoint.
+- Public repositories only unless the user explicitly asks to include private ones.
+- Never print or store tokens. Authentication is delegated to `gh`.
+- Never publish private repository content into shareable output.
+- Distinguish repository *access* from verified *contribution*. Access (owner, collaborator,
+  org member) is not evidence of having contributed.
+
+## Prerequisites
+
+- `gh --version` reports 2.90.0 or newer.
+- `gh auth status` shows an authenticated account.
+- `python3 --version` reports 3.11 or newer.
+
+If any fail, tell the user how to fix it (e.g. `brew install gh`, then `gh auth login`)
+before continuing.
+
+## Workflow
+
+1. Verify GitHub CLI authentication (`gh auth status`).
+2. Determine the requested inventory scope (default: public owned repositories).
+3. Run `scripts/inventory.py scan` with the chosen flags. Use `--dry-run` first if the user
+   wants a preview.
+4. Inspect `warnings.json` for incomplete results before reporting anything.
+5. Treat `catalog.json` as the source of truth; `PROJECTS.md` is the human-readable view.
+6. Present extracted facts separately from any conclusions you draw.
+
+## Commands
+
+```bash
+# Full scan: discover public owned repos + public contribution evidence, inspect
+# (README + structure + technology detection), render all three outputs.
+python3 scripts/inventory.py scan [--out DIR] [--dry-run]
+
+# Optional discovery scope (default is owned + public contributions only):
+python3 scripts/inventory.py scan --include-accessible   # + collaborator / organization repos (access)
+python3 scripts/inventory.py scan --include-private      # + private repos (README redacted; write to a gitignored dir)
+
+# Re-scans reuse a per-repo inspection cache (skip-unchanged via updated_at/pushed_at).
+python3 scripts/inventory.py scan --no-cache             # force a full re-inspection
+
+# Localize PROJECTS.md (headers + labels). Data values stay as-is. Default: en.
+python3 scripts/inventory.py scan --lang my              # Burmese (မြန်မာ)
+
+# Derived reports (deterministic, from catalog.json; no LLM): technology-summary,
+# missing-readmes, portfolio-candidates, contribution-summary -> <out>/reports/.
+python3 scripts/inventory.py report [--out DIR]
+
+# Individual stages (each reads/writes JSON so they compose and are independently testable):
+python3 scripts/inventory.py discover [--out DIR]   # owned-repo discovery -> repositories
+python3 scripts/inventory.py inspect  [--out DIR]   # README presence + top-level contents
+python3 scripts/inventory.py render   [--out DIR]   # catalog.json + PROJECTS.md + warnings.json
+python3 scripts/inventory.py validate [--out DIR]   # validate catalog.json against the schema
+```
+
+Defaults: public-only, read-only, owned + public contributions, output directory
+`github-inventory/`. `--include-accessible` adds collaborator/organization repos (access,
+never labelled as contribution). `--include-private` includes private repos — their README
+content is redacted, and you must write only to a gitignored directory; the tool warns if
+the output path is not a known gitignored location.
+
+## Outputs
+
+- `catalog.json` — canonical, machine-readable; the source of truth.
+- `PROJECTS.md` — human-readable inventory grouped into Owned Projects / External
+  Contributions / Accessible Repositories (localizable via `--lang`).
+- `warnings.json` — incompleteness, rate-limit truncation, redactions, and gaps. Always read
+  this before reporting.
+
+## Honesty requirements
+
+- Never claim "every repo the user ever contributed to." The true statement is:
+  "repositories for which GitHub currently exposes contribution or access evidence."
+- Deleted repos, inaccessible private repos, unmatched commit emails, and expired permissions
+  all create gaps. These are recorded in `warnings.json` — surface them.
+
+Detailed schema, relationship model, privacy rules, and known limitations live in
+`references/`. Load them only when needed.
@@ -0,0 +1,21 @@
+# GitHub Project Inventory
+
+_Generated by github-repository-inventory. Source of truth: catalog.json._
+
+- **Account:** {account_login}
+- **Generated:** {generated_at}
+- **Scan:** {scan_summary}
+- **Repositories:** {repo_count}
+
+## Owned Projects
+
+{owned_section}
+
+## External Contributions
+
+{external_section}
+
+---
+
+_Some repositories may be missing. See warnings.json for known gaps (rate limits, redactions,
+expired permissions, deleted repos)._
@@ -0,0 +1,35 @@
+# Known limitations
+
+Honesty about gaps is a core feature. These limitations are surfaced in `warnings.json`.
+
+## Coverage gaps
+
+- **Not "everything you ever touched."** The inventory only includes repositories for which
+  GitHub currently exposes access or contribution evidence. Deleted repositories, repos made
+  private, unmatched commit emails, and expired permissions all create silent gaps.
+- **Commit contributions cover ~the last year only.** `commit-contributor` evidence comes
+  from GitHub's `contributionsCollection`, which defaults to roughly a one-year window and
+  caps at 100 repositories; older or overflow commit activity is not counted. Both limits are
+  flagged in `warnings.json`.
+- **Collaborator/organization and private repos are opt-in.** They are discovered only with
+  `--include-accessible` / `--include-private` respectively; the default scan is owned +
+  public contributions. Private repositories have their README content redacted and must be
+  written to a gitignored directory (the tool warns otherwise).
+- **Search API cap.** Contribution discovery uses `/search/issues`, which caps at 1000
+  results and is rate-limited (~30 req/min). Truncation is recorded as `search-truncated`.
+
+## Inspection depth
+
+- README presence and top-level structure only. No full file tree, no commit history, no code
+  download.
+- Primary `language` comes from the repo metadata; per-language byte percentages are a later
+  phase.
+
+## API realities
+
+- **Pagination.** `gh api --paginate --slurp` returns an array of pages, not a merged array;
+  the code flattens it. `--slurp` cannot be combined with `--jq`.
+- **Rate limits.** A truncated scan is recorded in `warnings.json` rather than silently
+  returning partial data as if complete.
+- **Empty repos / missing README.** A `404` from the README endpoint means "no README," not
+  an error; it is recorded as `readme.present = false`.
@@ -0,0 +1,27 @@
+# Privacy rules
+
+These rules are enforced in code, not left to judgement.
+
+## Defaults
+
+- **Public repositories only.** Private repositories are excluded unless the user passes
+  `--include-private`. (Private support is not in Phase 1.)
+- **Read-only.** The tool only issues `GET` requests via `gh api`. It never calls a mutating
+  endpoint and never modifies a repository.
+- **No token handling.** Tokens are never read into config and never written anywhere.
+  Authentication is delegated to `gh`. Tokens must never appear in logs or output.
+
+## When private repos are included (later phase)
+
+- Write output only to a local cache directory, and ensure that directory is gitignored
+  (`github-inventory/`, `.inventory-cache/`).
+- Mark every private record `"private": true` and `"visibility": "private"`.
+- Do **not** copy full private README content into shareable reports. Store a redacted
+  summary or omit it; set `readme.redacted = true`.
+- Warn (in `warnings.json` and to the user) before writing any private information outside
+  the cache directory.
+
+## Shareable output
+
+`PROJECTS.md` and `examples/` artifacts are intended to be shareable. They must never contain
+private repository content.
@@ -0,0 +1,38 @@
+# Relationship model
+
+Access to a repository is **not** the same as having contributed to it. This skill records
+the user's relationship to each repo as a list of `{ type, evidence, confidence }` entries.
+A repo can carry several relationships.
+
+## Vocabulary
+
+| Type | Meaning | Typical evidence |
+|---|---|---|
+| `owner` | The authenticated user owns the repo. | `owner.login == user` |
+| `collaborator` | Explicit collaborator permission. | repo permissions |
+| `organization-member` | Access via org membership. | org membership |
+| `fork-owner` | User owns a fork of another repo. | `fork == true` and owner match |
+| `commit-contributor` | Authored commits. | contributor list / commit author |
+| `pull-request-author` | Opened pull requests. | PR search `author:` |
+| `pull-request-reviewer` | Reviewed pull requests. | PR review search |
+| `issue-author` | Opened issues. | issue search `author:` |
+| `unknown-access` | Repo is accessible but the basis is unclear. | fallback |
+
+## Confidence
+
+- `high` — direct, unambiguous evidence (ownership, a manifest dependency, an authored PR).
+- `medium` — strong but indirect evidence.
+- `low` — weak signal (e.g. a README mention).
+
+## Current scope
+
+The scan discovers **owned** repositories plus external repositories with **public
+contribution evidence**: `pull-request-author`, `pull-request-reviewer`, and `issue-author`
+(Search API), and `commit-contributor` (GraphQL `contributionsCollection`, ~last year). All
+are high confidence with a count in the evidence string. With `--include-accessible`,
+`collaborator` and `organization-member` (access) are added. A repo can carry several
+relationships — e.g. a repo you `collaborator` on *and* committed to is both `collaborator`
+and `commit-contributor`; these are merged.
+
+Contribution is never inferred from mere access. Known limits (recorded in `warnings.json`):
+commit contributions only cover ~the last year, and the GraphQL repo list is capped at 100.
@@ -0,0 +1,35 @@
+# Repository record schema (human summary)
+
+The authoritative schema is
+[`schemas/repository-inventory.schema.json`](../../../schemas/repository-inventory.schema.json).
+This file summarizes it.
+
+## Catalog wrapper (`catalog.json`)
+
+| Field | Notes |
+|---|---|
+| `schema_version` | e.g. `"0.1.0"`. |
+| `generated_at` | UTC ISO-8601 timestamp. |
+| `account` | `{ login }` of the authenticated user. |
+| `scan` | The flags used: `include_private`, `affiliation`, `visibility`, `sources[]`. |
+| `repositories[]` | Sorted by `full_name` for deterministic output. |
+
+## Repository record
+
+Phase 1 always populates: `name`, `owner`, `full_name`, `url`, `description`, `homepage`,
+`visibility`, `private`, `archived`, `fork`, `is_template`, `default_branch`, `created_at`,
+`updated_at`, `pushed_at`, `language`, `topics` (sorted), `license`, `stargazers_count`,
+`forks_count`, `readme` (`present`/`path`/`size`/`content`), `top_level[]` (sorted by name),
+`relationships[]`, `discovered_via[]`, `last_scanned_at`.
+
+Phase 2 also populates: `manifests` (root-level manifest filenames, sorted),
+`technologies[]` (`{name, evidence, confidence}`, sorted by name; manifest-backed = high,
+primary language = medium), and `project_type` (classified enum).
+
+Reserved for later phases (optional): `language_percentages`.
+
+## Determinism
+
+Identical input must produce byte-identical output. `repositories` is sorted by `full_name`;
+`topics`, `top_level`, and `discovered_via` are sorted; JSON is written with sorted keys and
+a trailing newline. The rendering tests depend on this.