feat: advertise and serve agent skills from .well-known #44878

Open: gregnr wants to merge 2 commits into master from feat/agent-skill-discovery
gregnr (Member) commented Apr 14, 2026

Implements the consumer half of the agent-skills .well-known discovery spec for supabase.com. The publisher side lives in supabase/agent-skills, which ships per-skill .tar.gz archives and an index.json as assets on each GitHub release.

At www build time, scripts/fetchAgentSkills.mjs:

  1. Reads the latest release from https://api.github.com/repos/supabase/agent-skills/releases/latest.
  2. Downloads the release's index.json.
  3. Rewrites each skill.url from the relative filename in the published index (e.g. supabase.tar.gz) to the absolute GitHub Release asset URL.
  4. Writes the rewritten index to apps/www/public/.well-known/agent-skills/index.json.

Tarballs are not downloaded or hosted by supabase.com. supabase.com only serves the discovery index; clients fetch the archives directly from GitHub Releases. The SHA-256 digest in each skill entry — set by the publisher and unchanged by this script — is the trust anchor, the same pattern as Subresource Integrity on the web.

supabase.com/.well-known/agent-skills/index.json
└── skills[].url → github.com/supabase/agent-skills/releases/download/<tag>/<name>.tar.gz

Do not merge until supabase/agent-skills#77 is merged and the build process is tested.

Summary by CodeRabbit

  • New Features

    • Agent skills are now automatically fetched and synchronized with the latest release during the build process, ensuring users consistently have access to the most current and accurate agent skill information available.
  • Chores

    • Build pipeline updated with additional automated generation step.

gregnr added the do-not-merge label (Not ready to be merged yet; pending other dependencies) Apr 14, 2026
coderabbitai Bot (Contributor) commented Apr 14, 2026

Walkthrough

A new build-time script is added to fetch the latest supabase/agent-skills GitHub Release, rewrite skill metadata URLs to absolute asset links, and publish the result to public/.well-known/agent-skills/index.json. The content:build script in package.json is updated to run this new fetch step as part of the content generation pipeline.

Changes

Agent Skills Fetching Integration

Layer / File(s): Agent skills fetch and rewrite script (apps/www/scripts/fetchAgentSkills.mjs, apps/www/package.json)
Summary: New script fetches the latest agent-skills release from GitHub, rewrites skill URLs to absolute release asset URLs, and writes the index to public/.well-known/agent-skills/index.json. The content:build script is extended to run this fetch step after static content and LLM pricing generation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • supabase/supabase#45641: Extends the same content:build script and fetches the supabase/agent-skills release to populate the public well-known agent-skills directory.

Poem

🐰 A rabbit hops through GitHub's release hall,
Fetching agent skills, rewriting URLs with glee,
The build pipeline now chains them all,
From release assets to the well-known decree,
Well-formed and ready for agents to see! 🌟

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. Explanation: PR description does not follow the required template structure with sections for contributing acknowledgment, change type, current behavior, new behavior, and additional context. Resolution: Restructure the description to match the template format: confirm CONTRIBUTING.md review, specify change type (feature), link issues, describe new behavior, and add any additional context.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title 'feat: advertise and serve agent skills from .well-known' clearly and concisely summarizes the main change: implementing agent skills discovery by serving them from the .well-known directory.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

Rodriguespn added a commit that referenced this pull request May 15, 2026
…45641)

## Summary

This PR makes `fetchAgentSkills.mjs` a spec-compliant client of the
[agent-skills `.well-known` URI
spec](agentskills/agentskills#254), and updates
the script to match the current release structure in
[`supabase/agent-skills`](https://github.com/supabase/agent-skills).

---

## 1. Spec-compliant URL resolution and digest verification

`fetchAgentSkills.mjs` acts as a client consuming the `.well-known`
discovery index. The [agent-skills `.well-known`
spec](agentskills/agentskills#254) is explicit
on two points:

**URL resolution** — skill artifact URLs in `index.json` must be
resolved per [RFC 3986
§5.2.2](https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.2)
using the index URL as the base URI:

> "The `url` field specifies where to fetch the skill artifact. URLs are
resolved per RFC 3986 Section 5 using the index URL as the base URI."

This means `skill.url` can be relative (`supabase.tar.gz`),
path-absolute (`/.well-known/agent-skills/supabase.tar.gz`), or fully
absolute (e.g. a CDN URL like
`https://cdn.example.com/supabase.tar.gz`). The previous implementation
extracted a filename with `.split('/').pop()` which happened to work for
bare relative URLs but was not doing RFC 3986 resolution.

**Digest verification** — clients must verify artifact integrity before
use:

> "Clients **must** verify downloaded content against the `digest` in
the index. A mismatch indicates the content is corrupted or tampered
with — clients **must not** use unverified content."

The updated script uses `new URL(skill.url, githubReleaseIndexUrl)` for
compliant resolution, verifies each artifact's SHA-256 digest from the
in-memory buffer before any disk writes, and only writes to
`public/.well-known/agent-skills/` once all digests pass.

**Acknowledged overhead**: since Supabase owns both the publisher
([`scripts/build-release.ts`](https://github.com/supabase/agent-skills/blob/main/scripts/build-release.ts)
in `supabase/agent-skills`) and this consumer, the practical risk of
non-compliant URL handling is currently low — the publisher always emits
bare relative filenames. However, being spec-compliant here gives us
full flexibility to change how skills are packaged or hosted in
`supabase/agent-skills` in the future (e.g. moving artifacts to a CDN)
without needing to update this script.

---

## 2. Semver release tags

#44878 referenced `supabase/agent-skills#66` (date+SHA tags).
[supabase/agent-skills#77](supabase/agent-skills#77)
has since merged, moving releases to semver tags managed by Release
Please. `/releases/latest` works for both formats — no code change
needed, just a rebase.

---------

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
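
The URL resolution and digest check described in the commit message above, which also covers the digest-as-trust-anchor point in the PR description, as an added example that is not code from the pull request. The function names, the index shape, the `sha256:<hex>` digest form, the `EXAMPLE-TAG` placeholder and the https-only check are assumptions made for this example.

```javascript
// Added example, not the project's script. Assumed (not on the page): the index
// shape { skills: [{ name, url, digest }] } and the digest form "sha256:<hex>".
const { createHash } = typeof require === 'function'
  ? require('node:crypto') // loaded as CommonJS
  : process.getBuiltinModule('node:crypto') // loaded as an ES module

// Placeholder tag; the real tag comes from the release being consumed.
const INDEX_URL =
  'https://github.com/supabase/agent-skills/releases/download/EXAMPLE-TAG/index.json'

// RFC 3986 resolution against the index URL: relative, path-absolute and fully
// absolute forms all resolve. Refusing non-https is a check added in this example.
function resolveSkillUrl(skillUrl, indexUrl = INDEX_URL) {
  const resolved = new URL(skillUrl, indexUrl)
  if (resolved.protocol !== 'https:') {
    throw new Error(`refusing non-https artifact URL: ${resolved.href}`)
  }
  return resolved.href
}

// Compare the SHA-256 of the in-memory bytes with the digest from the index.
function digestMatches(bytes, digest) {
  const m = /^sha256:([0-9a-f]{64})$/i.exec(digest ?? '')
  if (!m) throw new Error(`unsupported digest: ${digest}`)
  return createHash('sha256').update(bytes).digest('hex') === m[1].toLowerCase()
}

// Verify every artifact first and return the write list only if all pass, so a
// single mismatch leaves nothing on disk. `downloaded` maps resolved URL -> bytes.
function verifyAll(index, downloaded, indexUrl = INDEX_URL) {
  const toWrite = []
  for (const skill of index.skills ?? []) {
    const url = resolveSkillUrl(skill.url, indexUrl)
    const bytes = downloaded.get(url)
    if (!bytes) throw new Error(`${skill.name}: no bytes downloaded for ${url}`)
    if (!digestMatches(bytes, skill.digest)) {
      throw new Error(`${skill.name}: digest mismatch for ${url}`)
    }
    toWrite.push({ name: skill.name, url, bytes })
  }
  return toWrite
}

// Constructed sample: the "archive" is the three bytes "abc" (known SHA-256).
const sampleIndex = { skills: [{ name: 'supabase', url: 'supabase.tar.gz',
  digest: 'sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad' }] }
const sampleUrl = resolveSkillUrl('supabase.tar.gz')
const verified = verifyAll(sampleIndex, new Map([[sampleUrl, Buffer.from('abc')]]))
```

A path-absolute or CDN `url` resolves away from the release directory, which is why taking the last path segment with `.split('/').pop()` only matched the bare-filename case.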
@Rodriguespn Rodriguespn marked this pull request as ready for review May 19, 2026 09:47
@Rodriguespn Rodriguespn requested a review from a team as a code owner May 19, 2026 09:47
gregnr and others added 2 commits May 19, 2026 10:49
coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/www/scripts/fetchAgentSkills.mjs`:
- Around line 40-55: The script currently only writes index.json but doesn't
download the per-skill tarball artifacts, so clients expecting site-hosted
archives will fail; update the logic after computing assetUrls and rewritten to
iterate over (index.skills ?? []) and for each skill whose url maps to an asset
(assetUrls[skill.url] exists) fetch the asset from assetUrls[skill.url] and
write the downloaded bytes into OUT_DIR using the asset filename (use the same
key from assetUrls, e.g., release.assets names), ensuring you create OUT_DIR
(already done) and handle fetch errors (log/throw) so the per-skill .tar.gz
files are present alongside index.json; reference variables/functions:
assetUrls, release.assets, index.skills, OUT_DIR, rewritten.
- Around line 43-50: The current rewrite uses exact asset-name lookup
(assetUrls[skill.url]) which fails for relative or path/absolute URLs; change
the logic in the rewritten.skills mapping to resolve skill.url per RFC3986 using
the URL constructor against a sensible base (e.g. index.url or the release
HTML/base URL), then normalize and attempt to match assets by normalized
pathname or basename (derive each asset's URL pathname via new
URL(asset.browser_download_url).pathname or path.basename) and substitute with
the matched asset.browser_download_url; if URL construction throws or no asset
matches, fall back to the original skill.url. Ensure you update the code that
builds assetUrls and the mapping inside rewritten.skills to use the resolved URL
and pathname-based matching rather than a raw key lookup of skill.url.
📥 Commits

Reviewing files that changed from the base of the PR and between cdbf14a and 3845043.

📒 Files selected for processing (2)
  • apps/www/package.json
  • apps/www/scripts/fetchAgentSkills.mjs

@Rodriguespn Rodriguespn self-assigned this May 19, 2026
@Rodriguespn Rodriguespn force-pushed the feat/agent-skill-discovery branch from 3845043 to dfb297b Compare May 19, 2026 10:00
Rodriguespn (Contributor) commented

Waiting for supabase/agent-skills#85 to be merged and supabase/agent-skills version v0.1.3 to be published
