feat: unify skills

.devcontainer/devcontainer-lock.json

@@ -0,0 +1,14 @@
+{
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2.5.7": {
+      "version": "2.5.7",
+      "resolved": "ghcr.io/devcontainers/features/common-utils@sha256:dbf431d6b42d55cde50fa1df75c7f7c3999a90cde6d73f7a7071174b3c3d0cc4",
+      "integrity": "sha256:dbf431d6b42d55cde50fa1df75c7f7c3999a90cde6d73f7a7071174b3c3d0cc4"
+    },
+    "ghcr.io/devcontainers/features/github-cli:1.1.0": {
+      "version": "1.1.0",
+      "resolved": "ghcr.io/devcontainers/features/github-cli@sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671",
+      "integrity": "sha256:d22f50b70ed75339b4eed1ba9ecde3a1791f90e88d37936517e3bace0bbad671"
+    }
+  }
+}

CHANGELOG.md

@@ -7,6 +7,20 @@ this project adheres to [Semantic Versioning](https://semver.org/).
 
 ## [Unreleased]
 
+### Changed
+
+- Replaced separate `add-request-protection` and `add-guard-protection` skills
+  with the unified `arcjet` skill from
+  [arcjet/skills](https://github.com/arcjet/skills). The unified skill covers
+  both HTTP route protection and non-HTTP code paths (Guard) in a single
+  workflow with shared references.
+- `skills/add-request-protection/`, `skills/add-guard-protection/`,
+  `skills/protect-route/`, and `skills/add-ai-protection/` are now
+  deprecation stubs pointing to the unified `arcjet` skill. The alias
+  directories are preserved so saved transcripts and existing workflows
+  continue to resolve.
+- README updated to reflect the unified skill structure.
+
 ### Added
 
 - Arcjet CLI integration. The plugin now invokes the CLI for capabilities

README.md

@@ -7,7 +7,7 @@ The [Arcjet plugin](https://github.com/arcjet/arcjet-plugin) turns any supported
 - **MCP integration** — connects to the [Arcjet MCP Server](https://docs.arcjet.com/mcp-server) for traffic analysis, request inspection, IP investigation, and remote rule management
 - **CLI integration** — invokes the [Arcjet CLI](https://docs.arcjet.com/cli) for authentication, site/key setup, live request streaming, and remote rule management
 - **Security-aware coding rules** — framework-specific guidance activates automatically when you work in route handlers, API endpoints, and AI/LLM code
-- **Skills** — task-oriented workflows sourced from [arcjet/skills](https://github.com/arcjet/skills) for adding protection to HTTP routes and non-HTTP code paths
+- **Skills** — task-oriented workflow sourced from [arcjet/skills](https://github.com/arcjet/skills) for adding protection to any code path (HTTP routes and non-HTTP code)
 - **Security analyst agent** — investigates threats, analyzes traffic, and manages rules via MCP
 
 ## Installation
@@ -37,19 +37,20 @@ After installing, guidance activates automatically. The plugin detects what you'
 
 The plugin's skills are sourced from [arcjet/skills](https://github.com/arcjet/skills), the canonical agent skills surface for Arcjet.
 
-| Skill                            | Purpose                                                                                                                                                       |
-| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `/arcjet:add-request-protection` | Add Arcjet protection to any HTTP route or endpoint — detects framework, sets up client, applies rules. Includes AI/LLM endpoint guidance (chat, completion). |
-| `/arcjet:add-guard-protection`   | Add Arcjet Guard to non-HTTP code paths — AI agent tool calls, MCP tool handlers, background jobs/workers                                                     |
+| Skill     | Purpose                                                                                                                                                                               |
+| --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `/arcjet` | Add Arcjet security protection to any code path — HTTP route handlers, API endpoints, AI agent tool calls, MCP servers, background jobs, and queue workers. The unified Arcjet skill. |
 
 #### Deprecated aliases
 
 The previous skill names are kept as deprecation aliases. Invoking them tells the user the new name and then proceeds with the canonical workflow — existing prompts, prompts in saved transcripts, and project-local references continue to work.
 
-| Deprecated alias            | Replacement                                                                                         |
-| --------------------------- | --------------------------------------------------------------------------------------------------- |
-| `/arcjet:protect-route`     | `/arcjet:add-request-protection`                                                                    |
-| `/arcjet:add-ai-protection` | `/arcjet:add-request-protection` (HTTP endpoints) or `/arcjet:add-guard-protection` (non-HTTP code) |
+| Deprecated alias                 | Replacement |
+| -------------------------------- | ----------- |
+| `/arcjet:add-request-protection` | `/arcjet`   |
+| `/arcjet:add-guard-protection`   | `/arcjet`   |
+| `/arcjet:protect-route`          | `/arcjet`   |
+| `/arcjet:add-ai-protection`      | `/arcjet`   |
 
 ### Rules (auto-activated)
 

agents/security-analyst.md

@@ -92,7 +92,7 @@ Understand the boundary:
 - **Remote rules** (managed via MCP, immediate effect, no deploy): `rate_limit`, `bot`, `shield`, `filter`
 - **SDK rules** (require code changes and deployment): `prompt_injection`, `sensitive_info`, `email`, `signup`
 
-When recommending rules that need request body analysis, explain that these must be added via the SDK and provide guidance on which skill to use (`/arcjet:protect-route` or `/arcjet:add-ai-protection`).
+When recommending rules that need request body analysis, explain that these must be added via the SDK and provide guidance on using the `/arcjet` skill.
 
 ## Tone
 

skills/add-ai-protection/SKILL.md

@@ -1,24 +1,14 @@
 ---
 name: add-ai-protection
 license: Apache-2.0
-description: "Deprecated alias. Use /arcjet:add-request-protection for HTTP AI/LLM endpoints (chat, completion routes) or /arcjet:add-guard-protection for non-HTTP code (agent tool calls, MCP handlers, background workers). Covers prompt injection detection, PII blocking, and token budget rate limiting."
+description: "Deprecated: use the `arcjet` skill instead. Adds security protection to AI/LLM endpoints and non-HTTP code paths — prompt injection detection, PII blocking, and token budget rate limiting."
 metadata:
   author: arcjet
   internal: true
 ---
 
-# Deprecated — Use `/arcjet:add-request-protection` or `/arcjet:add-guard-protection`
+# Deprecated — Use `arcjet`
 
-`/arcjet:add-ai-protection` has been split into two canonical skills:
+This skill has been replaced by the unified `arcjet` skill, which covers HTTP route protection (including AI/LLM endpoints) plus non-HTTP code paths (tool calls, MCP handlers, queue workers) in a single skill.
 
-- **`/arcjet:add-request-protection`** — for HTTP routes serving AI/LLM endpoints (chat, completion, generation). Covers prompt injection detection, PII blocking, token budget rate limiting, and bot/shield protection at the HTTP layer.
-- **`/arcjet:add-guard-protection`** — for non-HTTP code (AI agent tool calls, MCP tool handlers, background jobs, queue workers). Same protections via `@arcjet/guard` / `arcjet.guard`.
-
-## Instructions for the agent
-
-1. **Tell the user:** "`/arcjet:add-ai-protection` is deprecated. Use `/arcjet:add-request-protection` for HTTP AI endpoints, or `/arcjet:add-guard-protection` for non-HTTP code (agent tool calls, MCP handlers, background workers)."
-2. **Pick the right replacement based on context:**
-   - If the file under consideration is an HTTP route handler (e.g. `app/api/chat/route.ts`, `pages/api/completion.ts`, FastAPI/Flask endpoint) → follow `/arcjet:add-request-protection` (`skills/add-request-protection/SKILL.md`) and use its "AI / LLM Endpoints" section.
-   - If the file is a tool handler, MCP server handler, agent loop, queue worker, or other non-HTTP code path → follow `/arcjet:add-guard-protection` (`skills/add-guard-protection/SKILL.md`).
-   - If unclear, ask the user which context applies before proceeding.
-3. Do not duplicate the canonical skill content here — read and follow the chosen skill directly.
+Please use the `arcjet` skill instead.