MCP HubMCP Hub
Back to Skills

moai-artifacts-builder

modu-ai
Updated Yesterday
28 views
424
78
424
View on GitHub
Metaaidesign

About

The moai-artifacts-builder skill provides enterprise artifact management with governance, lifecycle control, and supply chain security aligned with November 2025 standards. It handles multiple artifact formats while ensuring SBOM generation, compliance scanning, and security verification. Use this skill when you need to manage production artifacts with automated governance and security controls.

Quick Install

Claude Code

Recommended
Plugin CommandRecommended
/plugin add https://github.com/modu-ai/moai-adk
Git CloneAlternative
git clone https://github.com/modu-ai/moai-adk.git ~/.claude/skills/moai-artifacts-builder

Copy and paste this command in Claude Code to install this skill

Documentation

Enterprise Artifact Management & Governance - v4.1.0

Skill Overview

November 2025 Enterprise Standards: Production artifact management with governance, SBOM, and supply chain security

FeatureCoverage
Artifact Types7 standard formats (80% enterprise coverage)
SecuritySBOM, provenance, immutability, SOC 2/ISO 27001
Context7 MCP✅ Metadata lookup and artifact index search
ComplianceAutomated scanning and signature verification

Core Responsibilities

  1. Artifact Classification: 7 enterprise-standard formats
  2. Lifecycle Management: Creation → Validation → Storage → Deployment → Retirement
  3. Governance: RBAC, monitoring, audit trails
  4. Security: SBOM, provenance, supply chain security
  5. Context7 Integration: Metadata and vulnerability correlation

Level 1: Quick Reference (50-150 lines)

Essential Artifact Patterns

Docker Container Artifact:

artifact:
  id: "[email protected]"
  type: "Container Image"
  format: "Docker OCI"
  registry: "docker.io"
  repository: "myorg/api-gateway"
  tag: "2.5.1"
  
  metadata:
    created: 2025-11-13T14:30:00Z
    source_repo: "https://github.com/myorg/api-gateway"
    source_commit: "abc123def456789"
    creator: "github-actions"
    
  security:
    vulnerability_scan:
      tool: "Trivy v0.54.0"
      status: "passed"
      critical_vulnerabilities: 0
      high_vulnerabilities: 0

Python Package Artifact:

artifact:
  id: "[email protected]"
  type: "Language Package"
  format: "Python Wheel"
  
  filename: "data_pipeline-1.3.2-py3-none-any.whl"
  pypi_url: "https://pypi.org/project/data-pipeline/1.3.2/"
  
  metadata:
    created: 2025-11-13T13:45:00Z
    python_version: "3.8+"
    checksum:
      sha256: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    
    dependencies:
      - name: "pandas"
        version: "2.1.0"
        requirement: "pandas>=2.1.0,<3.0"

SBOM Requirement (CycloneDX 1.6):

sbom:
  version: "CycloneDX 1.6"
  spec_version: "1.6"
  
  metadata:
    timestamp: 2025-11-13T14:30:00Z
    tools:
      - name: "syft"
        version: "0.95.0"
  
  components:
    - type: "library"
      name: "requests"
      version: "2.31.0"
      purl: "pkg:pypi/[email protected]"
      licenses: [{ name: "Apache-2.0" }]

7 Enterprise Artifact Types:

  1. Container Images (Docker/OCI) - 80-90% enterprise usage
  2. Language Packages (Maven, npm, PyPI) - Package managers, semantic versioning
  3. Binary Artifacts (Executable, .so, .dll) - Native code, compiled binaries
  4. Documentation (API docs, guides) - HTML, PDF, Markdown formats
  5. Configuration (IaC, templates) - Terraform, CloudFormation, Helm
  6. Test Reports (Coverage, scans) - JSON, XML, CSV compliance data
  7. Source Archives (Release tarballs) - .tar.gz, .zip with GPG signatures

Core Governance Rules:

  • Classification First: Every artifact maps to one of 7 types
  • Provenance Tracking: Complete source-to-production traceability
  • Immutability: Published artifacts cannot be modified
  • SBOM Required: All artifacts include Software Bill of Materials
  • Security Scanning: Pre-deployment vulnerability verification

Level 2: Practical Implementation (200-300 lines)

Enterprise Artifact Lifecycle

Phase 1: Creation:

phase: "creation"
activities:
  - Build artifact from source (CI/CD)
  - Generate metadata (timestamp, commit SHA, builder)
  - Create initial SBOM (syft, cyclonedx)
  - Assign semantic version (SemVer)
  
artifacts:
  - Raw binary/container
  - SBOM (CycloneDX or SPDX)
  - Build log
  - Metadata JSON

Phase 2: Validation:

phase: "validation"
gates:
  - ✅ Vulnerability scan (Trivy, Grype)
  - ✅ License compliance (FOSSA, Black Duck)
  - ✅ SBOM validation (cyclonedx-python)
  - ✅ Signature verification (GPG/RSA)
  - ✅ Artifact integrity (checksum match)
  
failure_behavior:
  critical: "block_deployment"  # CRITICAL/HIGH vulnerabilities
  high: "require_approval"      # Manual approval required
  medium_low: "log_warning"     # Warning only

Multi-Format Repository Setup:

repositories:
  - name: "container-registry"
    type: "Container (Docker/OCI)"
    upstream: "docker.io"
    proxy_cache:
      enabled: true
      retention_days: 30
    security:
      scan_on_push: true
      signature_required: true
      sbom_required: true
  
  - name: "python-packages"
    type: "Python (PyPI)"
    upstream: "pypi.org"
    retention_policy:
      strategy: "semantic_versioning"
      keep_release_versions: true
      keep_prerelease: 3
  
  - name: "binary-artifacts"
    type: "Generic Binary"
    retention_policy:
      max_size_gb: 500
      cleanup_strategy: "lru"

governance:
  rbac:
    admin_group: "release-engineering"
    publish_group: "ci-automation"
    read_group: "developers"
  
  approval_workflow:
    require_approval: true
    approvers: ["security-team", "release-manager"]
    timeout_hours: 24

Context7 MCP Integration:

# Context7 artifact metadata lookup
context7_query = {
    "operation": "artifact_metadata_lookup",
    "artifact_id": "[email protected]",
    "fields": [
        "sbom",
        "provenance",
        "signatures",
        "vulnerability_scan",
        "compliance_status"
    ]
}

# Response structure
response = {
    "artifact": {
        "id": "[email protected]",
        "registry": "docker.io",
        "location": "docker.io/myorg/app-service:1.0.0",
        "sbom_url": "context7://sbom-index/[email protected]",
        "provenance_verified": True,
        "vulnerabilities_critical": 0
    }
}

SBOM Index Search:

# Context7 vulnerability correlation
context7_query = {
    "operation": "vulnerability_correlation",
    "cve_id": "CVE-2024-5678",
    "affected_components": ["requests", "urllib3"],
    "action": "find_artifacts"
}

# Response
response = {
    "cve": "CVE-2024-5678",
    "severity": "HIGH",
    "affected_artifacts": [
        {
            "artifact_id": "[email protected]",
            "component": "[email protected]",
            "status": "vulnerable",
            "patch_available": True,
            "patched_version": "[email protected]",
            "recommended_action": "upgrade_component_rebuild"
        }
    ]
}

Binary Artifact Example:

artifact:
  id: "[email protected]"
  type: "Binary Artifact"
  format: "Native Executable (.so)"
  
  files:
    - name: "libperformance_optimizer.so"
      arch: "x86_64"
      os: "linux"
      size_bytes: 512000
      checksum_sha256: "abc123..."
      signature: "RSA-4096"
    
    - name: "libperformance_optimizer.dylib"
      arch: "arm64"
      os: "macos"
      size_bytes: 480000
      checksum_sha256: "def456..."
      signature: "RSA-4096"
  
  metadata:
    created: 2025-11-13T12:00:00Z
    compiler: "gcc-13"
    optimization_flags: "-O3 -march=native"
    source_commit: "release/3.1.0"
  
  distribution:
    storage: "artifactory.myorg.com"
    bucket: "native-binaries"
    access: "restricted"
    approval_required: true

Terraform/IaC Artifact:

artifact:
  id: "[email protected]"
  type: "Configuration/IaC"
  format: "Terraform Module"
  
  files:
    - path: "main.tf"
      size_bytes: 2048
      checksum_sha256: "ijk789..."
    - path: "variables.tf"
      size_bytes: 1024
      checksum_sha256: "lmn012..."
  
  metadata:
    created: 2025-11-13T10:30:00Z
    terraform_version: ">= 1.5"
    cloud_provider: "AWS"
    modules_included: 5
    
  validation:
    terraform_fmt: "passed"
    terraform_validate: "passed"
    security_scan: "passed"

Level 3: Advanced Integration (50-150 lines)

Advanced Governance & Security

Supply Chain Security Framework:

artifact_governance:
  supply_chain_security:
    provenance_tracking: true
    source_commit_required: true
    builder_attestation: true
    
    sbom_requirements:
      format: ["CycloneDX-1.6", "SPDX-2.3"]
      components_scanned: true
      license_compliance: true
      vulnerability_threshold:
        critical: "block"
        high: "require_approval"
        medium: "log_only"
    
    signature_verification:
      algorithms: ["RSA-4096", "ECDSA-P256"]
      trusted_signers: ["[email protected]"]
      timestamp_authority: "https://timestamp.comodoca.com"
  
  context7_mcp:
    enabled: true
    operations:
      - artifact_metadata_lookup
      - sbom_index_search
      - vulnerability_correlation
      - compliance_status_check

Attestation Framework (SLSA):

artifact:
  id: "[email protected]"
  type: "Attestation"
  format: "in-toto/SLSA"
  
  attestation:
    version: "0.3"
    
    statement:
      _type: "https://in-toto.io/Statement/v0.1"
      
      subject:
        - name: "docker.io/myorg/app-service"
          digest:
            sha256: "abc123def456..."
      
      predicateType: "https://slsa.dev/provenance/v1"
      
      predicate:
        buildDefinition:
          buildType: "https://github.com/slsa-framework/slsa-github-generator@v1"
          externalParameters:
            source: "https://github.com/myorg/app-service"
            ref: "refs/tags/1.0.0"
        
        runDetails:
          builder:
            id: "https://github.com/slsa-framework/slsa-github-generator"
          completion:
            finishTime: "2025-11-13T14:35:00Z"

Advanced Automation:

automation:
  auto_scan_on_push: true
  auto_sbom_generation: true
  auto_compliance_report: true
  auto_deprecation_warnings: true
  
  monitoring:
    sla_targets:
      - artifact_availability: "99.99%"
      - scan_completion: "< 5 minutes"
      - deployment_success: "> 95%"
    
    alerts:
      - high_vulnerability_detected: "notify_security_team"
      - signature_verification_failed: "block_deployment"
      - unauthorized_access: "incident_response"

Enterprise Compliance:

compliance:
  sbom_required: true
  sbom_format: "CycloneDX"
  signature_required: true
  audit_retention_years: 7
  
  frameworks:
    - SOC 2 Type II
    - ISO 27001
    - NIST CSF
    - GDPR (for EU deployments)
    
  reporting:
    automated_reports: true
    vulnerability_reports: "daily"
    compliance_reports: "weekly"
    audit_trail: "7 years"

Release Bundle Example:

artifact:
  id: "[email protected]"
  type: "Release Bundle"
  format: "GitHub Release"
  
  release:
    tag: "v2.0.0"
    name: "Version 2.0.0 - Production Release"
    created: 2025-11-13T14:40:00Z
    
    assets:
      - name: "app-service-2.0.0.tar.gz"
        size_bytes: 5242880
        checksum_sha256: "abc123def456..."
      
      - name: "SBOM.json"
        size_bytes: 123456
      
      - name: "SBOM.json.sig"
        size_bytes: 256
    
    changelog: |
      ## What's New
      - Feature A
      - Feature B
      - Bug fixes

Best Practices Checklist

Artifact Creation

  • Classification: Choose from 7 standard types
  • Metadata: Include creator, timestamp, source commit
  • Provenance: Source repo, commit SHA, build log links
  • SBOM: CycloneDX or SPDX format
  • Signature: RSA-4096 or ECDSA-P256
  • Scanning: Trivy/Grype vulnerability detection
  • Immutability: No post-publication modifications

Repository Design

  • Multi-format Support: Container, Python, Binary, IaC, Docs
  • Registry Configuration: Official (upstream), proxy cache (local)
  • RBAC: Admin, publisher, read permissions
  • Approval Workflow: Security team and release manager approval
  • Auto-scanning: Push-time vulnerability scanning
  • SBOM Required: All artifacts must include SBOM
  • Audit Trail: 7-year retention for compliance

Version: 4.1.0 Enterprise
Last Updated: 2025-11-13
Status: Production Ready
Standards: November 2025 Enterprise Standards
Compliance: SOC 2, ISO 27001, NIST CSF Ready

GitHub Repository

modu-ai/moai-adk
Path: .claude/skills/moai-artifacts-builder
agentic-aiagentic-codingagentic-workflowclaudeclaudecodevibe-coding

Related Skills

sglang

Meta

SGLang is a high-performance LLM serving framework that specializes in fast, structured generation for JSON, regex, and agentic workflows using its RadixAttention prefix caching. It delivers significantly faster inference, especially for tasks with repeated prefixes, making it ideal for complex, structured outputs and multi-turn conversations. Choose SGLang over alternatives like vLLM when you need constrained decoding or are building applications with extensive prefix sharing.

View skill

content-collections

Meta

This skill provides a production-tested setup for Content Collections, a TypeScript-first tool that transforms Markdown/MDX files into type-safe data collections with Zod validation. Use it when building blogs, documentation sites, or content-heavy Vite + React applications to ensure type safety and automatic content validation. It covers everything from Vite plugin configuration and MDX compilation to deployment optimization and schema validation.

View skill

evaluating-llms-harness

Testing

This Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.

View skill

llamaguard

Other

LlamaGuard is Meta's 7-8B parameter model for moderating LLM inputs and outputs across six safety categories like violence and hate speech. It offers 94-95% accuracy and can be deployed using vLLM, Hugging Face, or Amazon SageMaker. Use this skill to easily integrate content filtering and safety guardrails into your AI applications.

View skill