{"id":"4163a9da-297e-46fd-9bb3-f0c70dcb99d0","shortId":"88kfD6","kind":"skill","title":"vigilante-issue-implementation-on-php","tagline":"Implement a GitHub issue end-to-end when Vigilante dispatches work for a PHP repository with Composer, static analysis, and security guidance.","description":"# Vigilante PHP Issue Implementation\n\n## Focus\n- Read the prompt for detected tech stacks, process hints, and PHP security guidance before changing code.\n- Follow repo-standard Composer, testing, formatting, and static-analysis workflows.\n- Prefer repo-defined framework and tooling conventions over forcing a universal PHP stack.\n- Keep changes scoped to the issue and do not broaden into unrelated style or lint fixes.\n\n## PHP Tooling Workflow\n- **Composer**: use Composer-managed commands and dependency workflows. Run `composer install` for reproducible installs from `composer.lock`. Run `composer update` only when intentionally upgrading dependencies.\n- **Testing**: run targeted tests for changed code first using `vendor/bin/phpunit --filter ClassName` or the framework-native test command (e.g., `php artisan test`, `vendor/bin/pest`). Use broader `vendor/bin/phpunit` when changes cross module boundaries. Respect the repository's test configuration (`phpunit.xml`, `phpunit.xml.dist`).\n- **Static analysis**: use the repository's established static-analysis tools. When PHPStan is configured (`phpstan.neon`, `phpstan.neon.dist`), run `vendor/bin/phpstan analyse`. When Psalm is configured (`psalm.xml`, `psalm.xml.dist`), run `vendor/bin/psalm`. Do not introduce a different analyzer unless the issue specifically requires it.\n- **Formatting**: use the repository's established code-style tool. When PHP CS Fixer is configured (`.php-cs-fixer.php`, `.php-cs-fixer.dist.php`), run `vendor/bin/php-cs-fixer fix`. When PHP_CodeSniffer is configured (`phpcs.xml`, `phpcs.xml.dist`, `.phpcs.xml`), run `vendor/bin/phpcs` to check and `vendor/bin/phpcbf` to fix. Do not hand-format PHP code when an automated tool is available.\n- **Dependencies**: run `composer audit` after dependency changes to check for known vulnerabilities. Review `composer.lock` changes for unexpected additions or version shifts.\n\n## Security\n- Use `password_hash()` with `PASSWORD_DEFAULT` or `PASSWORD_BCRYPT` for password storage, and `password_verify()` to check passwords. Never use `md5()`, `sha1()`, or `crypt()` directly for passwords.\n- Use parameterized queries or the framework's query builder to prevent SQL injection — never interpolate user input into raw SQL.\n- Use context-appropriate output encoding (`htmlspecialchars()` with `ENT_QUOTES`, framework template escaping) to prevent XSS.\n- Avoid `unserialize()` on untrusted data — use `json_decode()` and `json_encode()` for data interchange. When `unserialize()` is unavoidable, restrict allowed classes with the `allowed_classes` option.\n- Do not store secrets, tokens, or credentials in source files. Use environment variables or framework-native secret management.\n- Use framework-provided CSRF protection for state-changing requests.\n\n## Mixed-Language Repositories\n- A PHP repository may include a frontend layer such as a React, Vue, or other JavaScript framework colocated with the PHP backend.\n- Scope PHP tooling (Composer, PHPUnit, PHPStan, Psalm, PHP CS Fixer) to PHP source files only. Do not run PHP tools against frontend code.\n- When the repository also has a Node.js or TypeScript frontend, respect its own toolchain (package manager, bundler, linter, test runner) for frontend-scoped changes. Check the prompt for detected tech stacks and process hints.\n- When an issue touches both PHP backend and frontend code, validate each side with its own toolchain rather than validating only one side.\n- Do not assume a PHP repository is PHP-only. Read process hints and workspace signals in the prompt to understand the full repository structure.\n\n## Workflow\n- Follow the base `vigilante-issue-implementation` workflow for issue comments, validation, push, and PR creation.\n- Use `vigilante commit` for all commit-producing operations. Do not use `git commit` or GitHub CLI commit flows directly.\n- Any commit or amend must preserve the user's existing git author, committer, and signing configuration. Commit on behalf of the user and do not overwrite `git config` with a coding-agent identity.\n- Do not add `Co-authored by:` trailers or any other agent attribution for Codex, Claude, Gemini, or similar coding-agent identities.\n- Repository-specific instructions (`AGENTS.md`, `README.md`, CI config) remain authoritative when they are more specific than the generic PHP guidance in this skill.","tags":["vigilante","issue","implementation","php","aliengiraffe","agent","agent-skills","agentic-ai","agentic-workflow","agents","ai-orchestration","ai-orchestrator"],"capabilities":["skill","source-aliengiraffe","skill-vigilante-issue-implementation-on-php","topic-agent","topic-agent-skills","topic-agentic-ai","topic-agentic-workflow","topic-agents","topic-ai-orchestration","topic-ai-orchestrator","topic-orchestration"],"categories":["vigilante"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/aliengiraffe/vigilante/vigilante-issue-implementation-on-php","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add aliengiraffe/vigilante","source_repo":"https://github.com/aliengiraffe/vigilante","install_from":"skills.sh"}},"qualityScore":"0.464","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 28 github stars · SKILL.md body (4,356 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-01T07:01:24.904Z","embedding":null,"createdAt":"2026-04-18T22:23:18.726Z","updatedAt":"2026-05-01T07:01:24.904Z","lastSeenAt":"2026-05-01T07:01:24.904Z","tsv":"'add':597 'addit':268 'agent':593,606,616 'agents.md':622 'allow':355,359 'also':444 'amend':564 'analys':180 'analysi':26,61,162,170 'analyz':194 'appropri':323 'artisan':142 'assum':501 'attribut':607 'audit':254 'author':572,600 'authorit':627 'autom':247 'avail':250 'avoid':336 'backend':417,482 'base':527 'bcrypt':281 'behalf':579 'boundari':152 'broaden':86 'broader':146 'builder':308 'bundler':457 'chang':49,78,126,149,257,265,390,465 'check':233,259,289,466 'ci':624 'class':356,360 'classnam':132 'claud':610 'cli':557 'co':599 'co-author':598 'code':50,127,208,244,440,485,592,615 'code-styl':207 'codesniff':224 'codex':609 'coding-ag':591,614 'coloc':413 'command':101,139 'comment':535 'commit':543,547,554,558,562,577 'commit-produc':546 'committ':573 'compos':24,55,96,99,106,114,253,421 'composer-manag':98 'composer.lock':112,264 'config':588,625 'configur':158,175,184,216,226,576 'context':322 'context-appropri':321 'convent':70 'creation':540 'credenti':368 'cross':150 'crypt':296 'cs':213,426 'csrf':385 'data':340,348 'decod':343 'default':278 'defin':66 'depend':103,120,251,256 'detect':39,470 'differ':193 'direct':297,560 'dispatch':17 'e.g':140 'encod':325,346 'end':12,14 'end-to-end':11 'ent':328 'environ':373 'escap':332 'establish':167,206 'exist':570 'file':371,431 'filter':131 'first':128 'fix':92,221,237 'fixer':214,427 'flow':559 'focus':34 'follow':51,525 'forc':72 'format':57,201,242 'framework':67,136,305,330,377,383,412 'framework-n':135,376 'framework-provid':382 'frontend':402,439,450,463,484 'frontend-scop':462 'full':521 'gemini':611 'generic':635 'git':553,571,587 'github':9,556 'guidanc':29,47,637 'hand':241 'hand-format':240 'hash':275 'hint':43,475,511 'htmlspecialchar':326 'ident':594,617 'implement':4,7,33,531 'includ':400 'inject':312 'input':316 'instal':107,110 'instruct':621 'intent':118 'interchang':349 'interpol':314 'introduc':191 'issu':3,10,32,82,197,478,530,534 'javascript':411 'json':342,345 'keep':77 'known':261 'languag':394 'layer':403 'lint':91 'linter':458 'manag':100,380,456 'may':399 'md5':293 'mix':393 'mixed-languag':392 'modul':151 'must':565 'nativ':137,378 'never':291,313 'node.js':447 'one':497 'oper':549 'option':361 'output':324 'overwrit':586 'packag':455 'parameter':301 'password':274,277,280,283,286,290,299 'php':6,21,31,45,75,93,141,212,223,243,397,416,419,425,429,436,481,503,507,636 'php-cs-fixer.dist.php':218 'php-cs-fixer.php':217 'php-on':506 'phpcs.xml':227,229 'phpcs.xml.dist':228 'phpstan':173,423 'phpstan.neon':176 'phpstan.neon.dist':177 'phpunit':422 'phpunit.xml':159 'phpunit.xml.dist':160 'pr':539 'prefer':63 'preserv':566 'prevent':310,334 'process':42,474,510 'produc':548 'prompt':37,468,517 'protect':386 'provid':384 'psalm':182,424 'psalm.xml':185 'psalm.xml.dist':186 'push':537 'queri':302,307 'quot':329 'rather':493 'raw':318 'react':407 'read':35,509 'readme.md':623 'remain':626 'repo':53,65 'repo-defin':64 'repo-standard':52 'repositori':22,155,165,204,395,398,443,504,522,619 'repository-specif':618 'reproduc':109 'request':391 'requir':199 'respect':153,451 'restrict':354 'review':263 'run':105,113,122,178,187,219,230,252,435 'runner':460 'scope':79,418,464 'secret':365,379 'secur':28,46,272 'sha1':294 'shift':271 'side':488,498 'sign':575 'signal':514 'similar':613 'skill':640 'skill-vigilante-issue-implementation-on-php' 'sourc':370,430 'source-aliengiraffe' 'specif':198,620,632 'sql':311,319 'stack':41,76,472 'standard':54 'state':389 'state-chang':388 'static':25,60,161,169 'static-analysi':59,168 'storag':284 'store':364 'structur':523 'style':89,209 'target':123 'tech':40,471 'templat':331 'test':56,121,124,138,143,157,459 'token':366 'tool':69,94,171,210,248,420,437 'toolchain':454,492 'topic-agent' 'topic-agent-skills' 'topic-agentic-ai' 'topic-agentic-workflow' 'topic-agents' 'topic-ai-orchestration' 'topic-ai-orchestrator' 'topic-orchestration' 'touch':479 'trailer':602 'typescript':449 'unavoid':353 'understand':519 'unexpect':267 'univers':74 'unless':195 'unrel':88 'unseri':337,351 'untrust':339 'updat':115 'upgrad':119 'use':97,129,145,163,202,273,292,300,320,341,372,381,541,552 'user':315,568,582 'valid':486,495,536 'variabl':374 'vendor/bin/pest':144 'vendor/bin/php-cs-fixer':220 'vendor/bin/phpcbf':235 'vendor/bin/phpcs':231 'vendor/bin/phpstan':179 'vendor/bin/phpunit':130,147 'vendor/bin/psalm':188 'verifi':287 'version':270 'vigilant':2,16,30,529,542 'vigilante-issue-implement':528 'vigilante-issue-implementation-on-php':1 'vue':408 'vulner':262 'work':18 'workflow':62,95,104,524,532 'workspac':513 'xss':335","prices":[{"id":"9ccb78d6-dd1a-4fa4-865d-a92cffde7f39","listingId":"4163a9da-297e-46fd-9bb3-f0c70dcb99d0","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"aliengiraffe","category":"vigilante","install_from":"skills.sh"},"createdAt":"2026-04-18T22:23:18.726Z"}],"sources":[{"listingId":"4163a9da-297e-46fd-9bb3-f0c70dcb99d0","source":"github","sourceId":"aliengiraffe/vigilante/vigilante-issue-implementation-on-php","sourceUrl":"https://github.com/aliengiraffe/vigilante/tree/main/skills/vigilante-issue-implementation-on-php","isPrimary":false,"firstSeenAt":"2026-04-18T22:23:18.726Z","lastSeenAt":"2026-05-01T07:01:24.904Z"}],"details":{"listingId":"4163a9da-297e-46fd-9bb3-f0c70dcb99d0","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"aliengiraffe","slug":"vigilante-issue-implementation-on-php","github":{"repo":"aliengiraffe/vigilante","stars":28,"topics":["agent","agent-skills","agentic-ai","agentic-workflow","agents","ai","ai-orchestration","ai-orchestrator","orchestration"],"license":"apache-2.0","html_url":"https://github.com/aliengiraffe/vigilante","pushed_at":"2026-04-23T16:58:46Z","description":"Vigilante is a sandbox-first orchestration layer for coding agents. It isolates every task in a git worktree, enforces strict credential scoping, and gives you full audit logs — so your agents can't burn down production.","skill_md_sha":"1de38bb8579aa6c04674f5d02384f7a327c6a869","skill_md_path":"skills/vigilante-issue-implementation-on-php/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/aliengiraffe/vigilante/tree/main/skills/vigilante-issue-implementation-on-php"},"layout":"multi","source":"github","category":"vigilante","frontmatter":{"name":"vigilante-issue-implementation-on-php","description":"Implement a GitHub issue end-to-end when Vigilante dispatches work for a PHP repository with Composer, static analysis, and security guidance."},"skills_sh_url":"https://skills.sh/aliengiraffe/vigilante/vigilante-issue-implementation-on-php"},"updatedAt":"2026-05-01T07:01:24.904Z"}}