ai-maestro-maintainer-agent

First-time CI scaffold for a freshly-entrusted repo with no .github/workflows/. Detects the primary language, writes a hardened CI + workflow-security workflow, seeds dependabot.yml + .npmrc, chains pin-actions + scan, commits on chore/bootstrap-ci.

Install / audit / uninstall the commit-msg hook that enforces conventional-commit subject lines plus a WHY paragraph in the body. Operates on the entrusted repo's .git/hooks/commit-msg.

Lint every JSON / YAML / TOML / Plist / CFG / INI / .env / Dockerfile in the maintained repo. Severity-aware (HIGH = syntax errors block publish; LOW = style nits).

Detect the maintained repo's language, package manager, CI presence, branch-rule state, test framework, lint setup, missing docs. Writes a fingerprint JSON for downstream skills to self-configure.

Apply mechanical workflow hardening via zizmor --fix=safe + targeted edits. Commits on the current branch; never force-pushes.

MAINTAINER agent that polls a GitHub repository for new issues, triages bugs autonomously, accepts feature requests only from the authorized GitHub user, and fixes valid issues via clone-branch-test-publish.

Use when a commit is about to land whose planned diff touches a security-sensitive path. CHECK matches the diff against the protected-paths list (.github/, scripts/publish.py, etc.); on hit, posts approve-protected-edit + a diff fingerprint on the issue and HALTS. VERIFY resumes only when $AUTHORIZED_USER approves that exact fingerprint. Trigger with phrases like "approval gate check", "verify protected-edit approval", or "guard protected paths".

Use when entrusted with an entrusted repo and the user wants every future commit message to follow conventional-commits AND carry a WHY paragraph. Installs a `commit-msg` git hook that validates the subject line (type/scope/length) and the body (≥2 paragraphs with a why/rationale/context/reason/because marker). Three modes: install / audit / uninstall. Honors COMMIT_MSG_HOOK_BYPASS for emergencies and surfaces those commits in audit. Trigger with phrases like "install commit-msg hook", "enforce commit messages", "audit commit messages", or "uninstall commit hook".

Lint the entrusted repo's config files (JSON, YAML, TOML, Plist, .cfg, .ini, .env, Dockerfile) for syntax + style before a release or merge. Three modes: scan, fix-style, audit-installed. Trigger with "lint configs", "check json/yaml/toml", "validate config files".

Use when the maintainer agent makes FIRST CONTACT with a freshly-entrusted repo (or on every patrol cycle to refresh). Fingerprints the repo across 10 dimensions — primary language, package manager, tool-version pin, CI presence, dependabot, branch rules, pre-commit/pre-push hooks, test framework, lint config, docs files, TRDD/ADR support — and writes a single stack-fingerprint.json the downstream skills (workflow-bootstrap, maintainer-commit-msg-why, maintainer-fix) read to self-configure. Trigger with phrases like "detect the stack", "fingerprint the repo", "self-config detect", or "what kind of repo is this".

Use when maintainer-triage returns action=fix or the user wants to fix, work on, or implement a GitHub issue on the maintained repo. Runs clone → branch → edit → test → workflow audit → approval gate → commit → publish → close. Enforces R19.7 (no force-push), R19.8 (tests pass), and halts on protected-path hits until approve-protected-edit lands. Trigger with phrases like "fix issue #N", "work on issue #N", or "implement issue #N".

1 hook across 1 event