vellum-boundary-guard

$npx mdskill add vellum-ai/vellum-assistant/vellum-boundary-guard

Enforce these boundaries:

SKILL.md

.github/skills/vellum-boundary-guardView on GitHub ↗
---
name: vellum-boundary-guard
description: Check Vellum Assistant architecture and package boundaries. Use when editing imports, moving code, adding endpoints, touching assistant/gateway/client/skill boundaries, or reviewing architecture-sensitive changes.
---

# Vellum Boundary Guard

## Package Import Boundaries

Enforce these boundaries:

- `assistant/` must not import from `gateway/` via relative paths.
- `gateway/` must not import from `assistant/` via relative paths.
- `assistant/` and `skills/` must not import from each other directly.
- Runtime code must not import from `meta/`.
- Shared cross-package logic belongs in `packages/`.

For tests that need behavior from another package, mock the boundary instead of importing real handlers.

## HTTP And IPC Boundaries

- Public inbound HTTP endpoints belong in `gateway/`.
- New CLI-to-assistant interactions should use Unix socket IPC through the existing IPC route pattern.
- Events from assistant runtime code should use the assistant event hub rather than new HTTP endpoints when possible.

## Security Ownership Boundaries

- Gateway owns trust rules and gateway security files.
- CES owns credential files.
- The assistant must not read gateway-owned directories directly.
- Clients must not read from the user's `~/.vellum` directory.
- Secrets must not be stored in workspace files.

## Skill Boundaries

First-party skills run as separate processes and should communicate through supported contracts. Do not bypass skill isolation with direct relative imports.

## Review Workflow

1. Search changed imports and new route registrations.
2. Identify any package-crossing dependency.
3. Decide whether the correct home is a package-local module, a shared `packages/` module, IPC, HTTP through gateway, or a skill contract.
4. If a violation exists, recommend the smallest boundary-preserving move.

## Verification

Prefer existing guard tests when available, then add focused tests for any new boundary rule or route pattern.

More from vellum-ai/vellum-assistant

SkillDescription
acpSpawn external coding agents via the Agent Client Protocol (ACP)
amazonShop on Amazon and Amazon Fresh through your browser
api-mappingRecord and analyze API surfaces of web services
app-builderBuild and edit small, personal visual tools and artifacts — dashboards, trackers, calculators, data visualizations, charts, simple landing pages, and slide decks the user wants for THEMSELVES. This is the right skill whenever the user asks to "visualize this," "make a chart," or "build an artifact" for their own use, or to edit an app they already built here. Do NOT reach for a ui_show dynamic_page to fake an artifact — build a real persistent app here. NOT for complex, multi-user, or shippable products — those go to a real project folder with a coding agent (see Scope below).
app-controlDrive a specific named macOS app via raw input bypassing the Accessibility tree
assistant-migrationMigrate from ChatGPT, Claude, OpenClaw, Hermes, Manus, and other AI assistants into Vellum by inspecting their data exports, conversation archives, files, prompts, custom instructions, memory, saved memories, tools, GPTs, workflows, integrations, and relationships, then mapping as much as safely possible into Vellum primitives. Handles single-source and multi-source migrations with a unified, deduplicated inventory.
chatgpt-importImport conversation history from ChatGPT into Vellum
cli-discoverDiscover which CLI tools are installed, their versions, and authentication status
computer-useControl the macOS desktop
contactsManage contacts, communication channels, access control, and invite links