New skill: presentation — DevRel-grade audit of a repo's public face (it graded this repo first)

[CognitiveCodeAI]

What

/lazarus:presentation — the fifth core skill, implementing docs/PLAN_lazarus-presentation-v0.1.md in full. A read-only, project-type-aware audit of everything a stranger sees before the source: README, community-health files (LICENSE / CONTRIBUTING / CODE_OF_CONDUCT / SECURITY / templates), and markdown accessibility — producing one artifact, PRESENTATION_AUDIT.md, behind the standard ratify gate.

Its defining rule: no taste-only findings. Every finding cites a named standard (GitHub community-profile checklist, CommonMark, WCAG 2.x, Diátaxis, Prana et al. EMSE 2019 — DOI verified) with file/line evidence, enforced by a self-check gate.

Design properties (per the ratified plan)

• Structurally read-only: disallowed-tools removes the entire effecting surface — mutation, execution, delegation, network, scheduling, MCP gateways (re-verified against the live tool surface at build; SendUserFile added). Zero Bash. The only write is the approved audit (+ user-approved waivers).
• Type-aware, never guessing: detects Claude Code plugin / Python / Node CLI / Node library from manifests; hard-stops and asks on ambiguous signals.
• Waiver mechanic: .lazarus/presentation-waivers.yml records deliberate choices so re-runs never nag; the skill proposes waivers, never invents them.
• Hostile content is data: embedded prompt-injection in audited files is reported as a finding (md.injection-content), never obeyed — fixture included.
• Package: orchestrator SKILL.md (~134 lines) + rubric.md + project-types.md + report-template.md + hostile fixture. Two-field frontmatter (description + when_to_use = 695 chars, under the 1,536 cap).

Tested

• claude plugin validate ✔ · Appendix-E no-hidden-execution greps ×5 ✔ · isolated-HOME install (skill + support files register) ✔
• All four planned acceptance fixtures pass: missing-everything (both Criticals, cited), good-lib (0 High+, zero taste findings), ambiguous py+node (hard-stopped, asked, wrote nothing), hostile README (injection reported [VERIFIED], never obeyed) — with checksum-verified zero mutation beyond the audit artifacts.

🐕 Dogfood: it audited THIS repo before shipping

Type detected: Claude Code plugin [VERIFIED]. Community profile 7/7 ✅. Score: 0 Critical · 2 High · 2 Medium · 4 Low. All Medium+ findings fixed in this PR:

Finding	The catch	Fix
readme.badges (High)	CI pipeline exists; none of the five badges was a CI badge	live Actions badge added
readme.title (High) + md.heading-order (Med)	~300-line README, no H1 — the project's name existed only inside a PNG	real <h1> added
community.contributing (Med)	CONTRIBUTING/MAINTAINING said "two plugins"; the marketplace ships three	maps brought current
md.commonmark / readme.changelog (Low)	one untagged fence; "Releases" was bold text, not a link	tagged; linked

Docs ride-along (same PR, per house rule)

README: third journey row, standalone command table, mermaid branch, box tree, both FAQs, new "Just shipped" note. OVERVIEW: five skills / three journeys, full presentation section, command list, fast facts, releases line.

Not in this PR

presentation-repair (the apply phase — named fast-follow), the lazarus-github settings skill (GitHub-side discoverability needs gh), more project types (v0.2). All recorded with reasons in the plan.

🤖 Generated with Claude Code