HackerTrans
TopNewTrendsCommentsPastAskShowJobs

detkin

no profile record

Submissions

A package manager for AI assets (and why the lock file is per-user)

sleuth-io.github.io
4 points·by detkin·last month·0 comments

[untitled]

1 points·by detkin·last month·0 comments

Show HN: Sx – an open-source package manager for AI skills, MCPs, and commands

github.com
50 points·by detkin·2 months ago·28 comments

Agent Skills move too fast for Git

sleuth.io
2 points·by detkin·3 months ago·0 comments

Without RBAC for Skills and MCP, your org has root access to your company

sleuth.io
3 points·by detkin·3 months ago·3 comments

[untitled]

7 points·by detkin·4 months ago·0 comments

comments

detkin
·last month·discuss
[flagged]
detkin
·2 months ago·discuss
Yes. You can just point sx add at your existing skill directories and it will put them into the git vault which you can easily share via Github access control.
detkin
·2 months ago·discuss
Thank you for sharing, this is exactly the kind of thing I'm interested in learning.

Is this just for engineering or is it being used for other functions, like Marketing and HR as well?
detkin
·2 months ago·discuss
Very cool! What would you say is the biggest learning you've had about how people are using it?
detkin
·2 months ago·discuss
We added the idea of dependencies for exactly that reason. However, honestly, I've not see any usage of it in the wild. Seems like most folks are ok with either bundling them and calling it a day or not really worrying about it.

Very interesting about the domain and workflows. Do you think domain could map to a team or is it different?

At your company how are you shipping your assets? How do you do the domain and workflow grouping?
detkin
·2 months ago·discuss
Say more, what kind of tools are you thinking about?

The tool support is certainly one of the key pillars of the project so we're open to any tool additions that will help people get value from the project.
detkin
·2 months ago·discuss
lol, just s ... x, the two letters.

We wanted something short and easy to remember
detkin
·2 months ago·discuss
The sx vault also stores things in git, I agree that it's a pretty good medium for storage.

My main argument is that just using vanilla git where you store it in the directory that the AI coding agent expects means that you can't share across teams or orgs.

Also, not every kind of team is comfortable with git. How would you distribute these assets to a Marketing team?
detkin
·2 months ago·discuss
Hi HN — I'm one of the maintainers.

The short version: sx treats skills, MCP server configs, slash commands, agents, hooks, and rule files as versioned packages. You define them once, push them to a vault (a local folder, a git repo, or our hosted backend), and install them where they belong. There's a lockfile so installs are reproducible, scope levels for org / team / repo / individual, and the CLI translates the same asset into the format each AI client expects.

Supported clients today: Claude Code, Cursor, GitHub Copilot, Cline, Codex, Gemini (CLI / VS Code / JetBrains / Android Studio), Kiro, claude.ai, chatgpt.com. The last two are what let non-engineering teams (marketing, legal, ops) use the same primitive instead of being locked out of the AI-assets ecosystem.

The thing I'd most like feedback on is whether the scope model is the right shape. Org → team → repo → path → individual is what's emerged from talking to ~60 teams over the last six months, but I expect bigger orgs will surface scopes we haven't modeled (sub-team, environment, etc.).

Why this and not just plugins / vendor marketplaces? Claude Code plugins are real and a good step up over raw git-checked-in CLAUDE.md files. The limitations show up at scale: each plugin is scoped to its publishing repo, so teams duplicate skills across plugins, and you're still locked to a single vendor's client. Full writeup with the technical details: https://www.sleuth.io/post/there-s-an-npm-shaped-hole-in-the...
detkin
·3 months ago·discuss
At some of the larger orgs that I've worked at each individual system had some level of RBAC. Often they would try to centralize around an Okta-style system, but the roles in there infrequently matched what was needed. In the places you are describing what have they done around security? Even without AI it sounds like they didn't have a feasible solution?
detkin
·4 months ago·discuss
Machine assisted, not fully machine generated ¯\_(ツ)_/¯
detkin
·4 months ago·discuss
You're right, I used AI to help organize the content but we have spoken to almost 50 companies over the last 5 months and the messages and pains they have conveyed are real.

How are you handing distributing your Agent Skills and MCP's? Is this a problem you're seeing?
detkin
·4 months ago·discuss
I hear you, results is a gray area. However, with the companies we spoke to results looks like increased productivity for their developers.

It was a constant with all that they felt like 2 - 7 percent of their developers had made huge productivity gains but that the rest were not really seeing any, despite having access to the same tools.
detkin
·6 months ago·discuss
Seems very interesting.
detkin
·7 months ago·discuss
Skills have been really helpful in my team as we've been encoding tribal knowledge into something that other developers can easily take advantage of. For example, our backend architecture has these hidden patterns, that once encoding in a skill, can be followed by full stack devs doing work there, saving a ton of time in coding and PR review.

We then hit the problem of how to best share these and keep them up to date, especially with multiple repositories. It led us to build sx - https://github.com/sleuth-io/sx, a package manager for AI tools.