Package Update Skill v0.2.0

Major Refactor: Spectre.Console TUI + Architecture Overhaul

Spectre.Console Rich Terminal UI

• Live dashboard: All 5 pipeline phases render in a single AnsiConsole.Live() table that updates in-place — no more scrolling walls of text
• Progress bars: Phase 2 (Analyze) shows a ████████░░░░░░ 60% progress bar with chunk counts
• Token metrics: Real-time display of input/output/cached tokens, LLM call count, and duration — sourced from AssistantUsageEvent, not estimates
• Emoji rendering fixed: Console.OutputEncoding = UTF8 at startup fixes emoji rendering on Windows Terminal with non-emoji fonts (e.g., JetBrains NerdFont)
• Spectre emoji shortcodes: Uses :check_mark:, :warning:, :robot:, :gear: etc. instead of raw Unicode emoji for reliable cross-font rendering
• Icon semantics: :robot: for AI/Copilot SDK operations, :gear: for our-code tool calls (NuGet MCP, SDK bootstrap)
• Rich tool call detail: Shows what the AI is doing — tool name resolved to human-readable description with argument details (powershell command, URL being fetched, file path being written)

Architecture: Split Monolithic Program.cs into Focused Classes

The 667-line Program.cs has been split into 10 files:

Copilot SDK Integration Improvements

• Real token tracking: AssistantUsageEvent provides actual input/output/cache-read/cache-write token counts, duration, and LLM call count
• SessionConfig.AvailableTools wiring: Infrastructure in place for per-phase tool allow-lists to reduce context token usage (tool names TBD pending SDK documentation)
• Phase-specific tool descriptions: Each phase maps raw SDK tool names to contextual descriptions (e.g., "Fetching release notes for tag", "Writing skill files", "Reading generated output for audit")
• Tool argument extraction: Displays powershell commands, URLs, file paths from tool call arguments

Copilot Instructions

• Added .github/copilot-instructions.md with build/test commands, architecture docs, and coding conventions

Testing

• 118 unit tests passing (0 warnings, 0 errors)
• No changes to test files — all existing tests pass against the refactored code

Installation

.NET Tool (requires .NET 10 runtime)

dnx PackageUpdateSkill

Native Binaries (no runtime required)

Pre-built AOT native binaries attached below for:

Full Changelog

v0.1.2...v0.2.0

🚀 Package Update Skill v0.1.2

🐛 Fixes

NuGet Package Size — Copilot CLI Runtime Bootstrap

The v0.1.1 NuGet package exceeded NuGet.org's 250 MB size limit (343 MB) because all 6 platform-specific Copilot CLI binaries (~55–130 MB each) were bundled inside the tool package.

v0.1.2 introduces a runtime bootstrap that downloads only the binary needed for your platform on first run:

• First run: Detects OS/architecture, downloads the correct Copilot CLI from npm, and caches it locally at %LOCALAPPDATA%/package-update-skill/copilot-cli/ (Windows) or ~/.local/share/package-update-skill/copilot-cli/ (Linux/macOS)
• Subsequent runs: Uses the cached binary — no network call needed
• NuGet package size: 7.9 MB (down from 343 MB)

Supported platforms: win-x64, win-arm64, linux-x64, linux-arm64, osx-x64, osx-arm64

MSBuild Target Cleanup

• Removed the _DownloadAllCopilotClis multi-platform bundling target from the .csproj
• Added _ExcludeCopilotCliFromToolPack target that strips the build-time CLI binary from the publish output during dotnet pack, ensuring the NuGet tool package stays small

📦 Installation

.NET Tool (requires .NET 10 runtime)

dnx PackageUpdateSkill

Native Binaries (no runtime required)

Pre-built AOT native binaries attached below for:

Full Changelog

v0.1.1...v0.1.2

What's Changed

• Feature/initial release by @seiggy in #3
• Fixed issues where the nuget package didn't include the Copilot CLI files required for the targeted platform

Full Changelog: v0.1.0...v0.1.1

🚀 Package Update Skill v0.1.0

The initial release of package-update-skill — a .NET 10 tool that analyzes NuGet package upgrades and generates GitHub Copilot skill files with migration instructions and Roslyn-based code transformation scripts.

✨ Features

5-Phase AI Pipeline

• Discovery — Finds the package's source repo on GitHub and lists all release tags between two versions
• Analyze — Fetches and analyzes release notes for each version in chunks, extracting breaking changes, renames, and deprecations
• Compile — Merges and deduplicates findings into a unified migration guide
• Generate — Produces a SKILL.md, focused breakdown docs, and a Roslyn migration script
• Review — Cross-references all output against source evidence to catch hallucinations

Copilot Skill Output

Generates a complete skill package to .copilot/skills/<package>-migration/:

• SKILL.md with YAML frontmatter
• Category breakdown docs (breaking changes, API renames, deprecations, etc.)
• scripts/migrate.csx — automated Roslyn-based code transformation script

Powered by GitHub Copilot SDK

• Uses your Copilot subscription — no Azure OpenAI deployment needed
• --model flag to choose any supported model (gpt-5, claude-opus-4.6, gpt-5.2-codex, etc.)
• Each pipeline phase runs as an isolated Copilot SDK session with only the tools it needs

Two-Layer Security (--paranoid flag)

• Layer 1: Regex Fast-Pass — Scans for 25+ known injection patterns instantly
• Layer 2: LLM Semantic Analysis — Dedicated security-analyst session detects obfuscated attacks (Unicode homoglyphs, zero-width chars, base64 encoding, word splitting, indirect injection, code injection)
• Generated migration scripts are reviewed for malicious code patterns (network calls, process spawning, credential theft)
• Security report generated with all findings

Anti-Hallucination Guardrails

• Phase 2 requires verbatim quoting with PR numbers as evidence
• Phase 3 forbids inventing names or abbreviations
• Phase 5 cross-references output against source evidence

📦 Installation

.NET Tool (requires .NET 10 runtime)

dnx package-update-skill

Native Binaries (no runtime required)

Pre-built AOT native binaries attached below for:

🛠️ Usage

package-update-skill <PackageName> <FromVersion> <ToVersion> [--model <model>] [--dir <repoDir>] [--paranoid] [--debug]

Example

# Analyze Microsoft Agent Framework upgrade and generate migration skill
package-update-skill Microsoft.Agents.AI.OpenAI 1.0.0-preview.251007.1 1.0.0-preview.260209.1 --model claude-opus-4.6

# Run the generated migration script against your codebase
dotnet script .copilot/skills/microsoft-agents-ai-openai-migration/scripts/migrate.csx

🧪 Testing

• 118 unit tests — Input validation, content sanitization, red teaming (injection detection, path traversal, YAML injection), pipeline helpers
• 14 integration tests — Prove regex-based sanitizer misses sophisticated attacks (homoglyphs, zero-width chars, base64, word splitting, HTML entities, hidden code exfil) while the LLM-based validator catches all of them

⚠️ Important Notes

• Always review migrate.csx before running — it generates executable code
• Use --paranoid for unfamiliar packages — especially community packages you haven't vetted
• The --debug flag retains intermediate working files for inspection

Full Changelog

https://github.com/seiggy/package-update-skill/commits/v0.1.0