feat(skills): sync AGENTS.md to AI-specific formats

[Alan-TheGentleman]

Context

AI coding assistants (Claude, Gemini, Copilot) don't reliably auto-invoke skills even when the Trigger: in SKILL.md descriptions matches the user's request. This is a known issue - AI treats skill suggestions as "background noise" and proceeds with its default approach.

Solution: Explicit commands in AGENTS.md files force the AI to use skills. The Auto-invoke Skills section tells the AI: "When performing X action, ALWAYS invoke Y skill FIRST."

Description

This PR standardizes AI assistant configuration and automates skill invocation:

1. AGENTS.md as source of truth

• Edit AGENTS.md once, sync to format-specific copies (CLAUDE.md, GEMINI.md, copilot-instructions.md)
• Each component directory (ui/, api/, prowler/) has its own AGENTS.md with context-specific rules

2. Auto-invoke Skills sections

• Added to root, ui/, api/, and prowler/ AGENTS.md files
• Explicitly commands AI to invoke skills for specific actions
• Solves the "skills not triggering" problem

3. skill-sync automation (NEW)

• New skill-sync skill with sync.sh script
• Reads metadata.scope and metadata.auto_invoke from each SKILL.md
• Auto-generates Auto-invoke tables in corresponding AGENTS.md files
• 22 unit tests for the sync script

4. Skill metadata fields (NEW)

• Added metadata.scope (ui, api, sdk, root) to 17 skills
• Added metadata.auto_invoke (action description) to 17 skills
• Generic skills (pytest, typescript, etc.) intentionally have no scope

Usage

# Setup AI assistants (creates symlinks + copies AGENTS.md)
./skills/setup.sh

# After creating/modifying a skill, sync Auto-invoke sections
./skills/skill-sync/assets/sync.sh

# Dry run to preview changes
./skills/skill-sync/assets/sync.sh --dry-run

# Sync specific scope only
./skills/skill-sync/assets/sync.sh --scope ui

Files Changed

Category	Files
Scripts	skills/setup.sh, skills/skill-sync/assets/sync.sh
Tests	skills/setup_test.sh, skills/skill-sync/assets/sync_test.sh
AGENTS.md	root, ui/, api/, prowler/
Skills (metadata)	17 skills with scope + auto_invoke
Documentation	skills/README.md

Why This Matters

Without this:

• Developer asks AI to "create a new check"
• AI ignores prowler-sdk-check skill and does it wrong

With this:

• AGENTS.md says "Creating new checks → invoke prowler-sdk-check"
• AI loads the skill and follows correct patterns

Test Plan

• ./skills/setup_test.sh - 19 tests pass
• ./skills/skill-sync/assets/sync_test.sh - 22 tests pass
• Run ./skills/setup.sh --all and verify files created
• Run ./skills/skill-sync/assets/sync.sh --dry-run and verify output
• Verify Auto-invoke sections in ui/, api/, prowler/, root AGENTS.md

References

• Claude Code Skills Don't Auto-Activate
• Skills Not Triggering - Character Budget
• Agent Skills Specification

[github-actions]

⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:

• api
• ui
• prowler

Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

🔒 Container Security Scan

Image: prowler:87ec649
Last scan: 2026-01-12 20:14:12 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	3
Total	3

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[github-actions]

🔒 Container Security Scan

Image: prowler-ui:1f8592e
Last scan: 2026-01-13 10:11:00 UTC

✅ No Vulnerabilities Detected

The container image passed all security checks. No known CVEs were found.

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[github-actions]

🔒 Container Security Scan

Image: prowler-api:1f8592e
Last scan: 2026-01-13 10:11:15 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	11
Total	11

10 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.51%. Comparing base (17f5633) to head (622397c).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #9751       +/-   ##
===========================================
+ Coverage   58.94%   92.51%   +33.57%     
===========================================
  Files           8      163      +155     
  Lines         397    23285    +22888     
===========================================
+ Hits          234    21543    +21309     
- Misses        163     1742     +1579     

Flag	Coverage Δ
api	92.51% <ø> (?)
prowler-py3.10-kubernetes	?
prowler-py3.11-kubernetes	?
prowler-py3.12-kubernetes	?
prowler-py3.9-kubernetes	?

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	∅ <ø> (∅)
api	92.51% <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.