diff --git a/.github/workflows/notify-docs.yaml b/.github/workflows/notify-docs.yaml
new file mode 100644
index 0000000..9a185d0
--- /dev/null
+++ b/.github/workflows/notify-docs.yaml
@@ -0,0 +1,19 @@
+name: Notify docs update
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'docs/**'
+
+jobs:
+  notify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger useforge.ai rebuild
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ secrets.USEFORGE_DISPATCH_TOKEN }}
+          repository: initializ/useforge.ai
+          event-type: docs-updated
+          client-payload: '{"ref": "${{ github.sha }}", "message": "${{ github.event.head_commit.message }}"}'
diff --git a/docs/channels.md b/docs/core-concepts/channels.md
similarity index 98%
rename from docs/channels.md
rename to docs/core-concepts/channels.md
index 0147484..218bc75 100644
--- a/docs/channels.md
+++ b/docs/core-concepts/channels.md
@@ -1,6 +1,8 @@
-# Channel Adapters
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Channels"
+description: "Bridge messaging platforms like Slack and Telegram to your AI agent."
+order: 4
+---
 
 Channel adapters bridge messaging platforms (Slack, Telegram) to your A2A-compliant agent. Each adapter normalizes platform-specific events into a common `ChannelEvent` format, forwards them to the agent's A2A server, and delivers responses back to the originating platform.
 
@@ -227,6 +229,3 @@ type ChannelPlugin interface {
 2. Implement `ChannelPlugin`.
 3. Register the plugin in the channel registry.
 4. Add config generation in `generateChannelConfig()` and env vars in `generateEnvVars()`.
-
----
-← [Memory](memory.md) | [Back to README](../README.md) | [Security Overview](security/overview.md) →
diff --git a/docs/hooks.md b/docs/core-concepts/hooks.md
similarity index 97%
rename from docs/hooks.md
rename to docs/core-concepts/hooks.md
index 3efb880..44d9318 100644
--- a/docs/hooks.md
+++ b/docs/core-concepts/hooks.md
@@ -1,6 +1,8 @@
-# Hooks
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Hooks"
+description: "Hook into the agent loop for logging, enforcement, and auditing."
+order: 7
+---
 
 The hook system allows custom logic to run at key points in the LLM agent loop. Hooks can observe, modify context, or block execution.
 
@@ -142,6 +144,3 @@ exec := engine.NewLLMExecutor(engine.LLMExecutorConfig{
 ```
 
 If no `HookRegistry` is provided, an empty one is created automatically.
-
----
-← [Scheduling](scheduling.md) | [Back to README](../README.md) | [Commands](commands.md) →
diff --git a/docs/architecture.md b/docs/core-concepts/how-forge-works.md
similarity index 99%
rename from docs/architecture.md
rename to docs/core-concepts/how-forge-works.md
index dccc437..792090c 100644
--- a/docs/architecture.md
+++ b/docs/core-concepts/how-forge-works.md
@@ -1,6 +1,8 @@
-# Architecture
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "How Forge Works"
+description: "Understand Forge's architecture, module system, and data flows."
+order: 1
+---
 
 Forge is a portable runtime for building and running secure AI agents from simple skill definitions.
 
@@ -359,6 +361,3 @@ The A2A server adds:
 - **Request size limits** — `MaxHeaderBytes` (1 MiB) and `http.MaxBytesReader` (2 MiB) on request bodies; returns 413 on excess
 
 See [Egress Security](security/egress.md) for details.
-
----
-← [Installation](installation.md) | [Back to README](../README.md) | [Skills](skills.md) →
diff --git a/docs/memory.md b/docs/core-concepts/memory-system.md
similarity index 96%
rename from docs/memory.md
rename to docs/core-concepts/memory-system.md
index d3326bd..c41c6d9 100644
--- a/docs/memory.md
+++ b/docs/core-concepts/memory-system.md
@@ -1,6 +1,8 @@
-# Memory
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Memory System"
+description: "Session persistence, context management, and long-term memory."
+order: 5
+---
 
 Forge provides two layers of memory management: session persistence for multi-turn conversations and long-term memory for cross-session knowledge.
 
@@ -122,6 +124,3 @@ Environment variables:
 | `FORGE_SESSION_MAX_AGE` | Session idle timeout, e.g. `30m`, `1h` (default: `30m`) |
 | `FORGE_MEMORY_LONG_TERM` | Set `true` to enable long-term memory |
 | `FORGE_EMBEDDING_PROVIDER` | Override embedding provider |
-
----
-← [Runtime](runtime.md) | [Back to README](../README.md) | [Channels](channels.md) →
diff --git a/docs/runtime.md b/docs/core-concepts/runtime-engine.md
similarity index 98%
rename from docs/runtime.md
rename to docs/core-concepts/runtime-engine.md
index 7c0d4dd..f0b5c0c 100644
--- a/docs/runtime.md
+++ b/docs/core-concepts/runtime-engine.md
@@ -1,6 +1,8 @@
-# LLM Runtime Engine
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Runtime Engine"
+description: "The LLM runtime engine powering tool calling, memory, and hooks."
+order: 6
+---
 
 The runtime engine powers `forge run` — executing agent tasks via LLM providers with tool calling, conversation memory, and lifecycle hooks.
 
@@ -254,6 +256,3 @@ The runner registers five hook groups: logging, audit, progress, global guardrai
 ## Streaming
 
 The LLM tool-calling loop runs non-streaming internally. `ExecuteStream` calls `Execute` and emits the final response on a channel. However, the **UI chat proxy** (`forge-ui/chat.go`) streams A2A SSE events to the browser in real-time — `status` events carry incremental text, `progress` events carry tool execution updates, and `result` events carry the final response. The frontend renders text and tool progress as each event arrives.
-
----
-← [Tools](tools.md) | [Back to README](../README.md) | [Memory](memory.md) →
diff --git a/docs/scheduling.md b/docs/core-concepts/scheduling.md
similarity index 92%
rename from docs/scheduling.md
rename to docs/core-concepts/scheduling.md
index 23bae69..a51b607 100644
--- a/docs/scheduling.md
+++ b/docs/core-concepts/scheduling.md
@@ -1,6 +1,8 @@
-# Scheduling (Cron)
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Scheduling"
+description: "Built-in cron scheduler for recurring agent tasks."
+order: 8
+---
 
 Forge includes a built-in cron scheduler for recurring tasks, configurable in `forge.yaml` or created dynamically by the agent at runtime.
 
@@ -53,6 +55,3 @@ When a schedule includes `channel` and `channel_target`, the agent's response is
 - **Persistence**: Schedules are stored in `.forge/memory/SCHEDULES.md` and survive restarts
 - **History**: The last 50 executions are recorded with status, duration, and correlation IDs
 - **Audit events**: `schedule_fire`, `schedule_complete`, `schedule_skip`, `schedule_modify`
-
----
-← [Guardrails](security/guardrails.md) | [Back to README](../README.md) | [Hooks](hooks.md) →
diff --git a/docs/core-concepts/skill-md-format.md b/docs/core-concepts/skill-md-format.md
new file mode 100644
index 0000000..89d1086
--- /dev/null
+++ b/docs/core-concepts/skill-md-format.md
@@ -0,0 +1,165 @@
+---
+title: "SKILL.md Format"
+description: "Define agent skills using the SKILL.md format with YAML frontmatter and tool definitions."
+order: 2
+---
+
+## SKILL.md Format
+
+Skills are defined in Markdown files inside `skills/<skill-name>/SKILL.md`. Each file supports optional YAML frontmatter and two body formats.
+
+```markdown
+---
+name: weather
+icon: 🌤️
+category: utilities
+tags:
+  - weather
+  - forecast
+  - api
+description: Weather data skill
+metadata:
+  forge:
+    requires:
+      bins:
+        - curl
+      env:
+        required: []
+        one_of: []
+        optional: []
+---
+## Tool: weather_current
+
+Get current weather for a location.
+
+**Input:** location (string) - City name or coordinates
+**Output:** Current temperature, conditions, humidity, and wind speed
+
+## Tool: weather_forecast
+
+Get weather forecast for a location.
+
+**Input:** location (string), days (integer: 1-7)
+**Output:** Daily forecast with high/low temperatures and conditions
+```
+
+Each `## Tool:` heading defines a tool the agent can call. The frontmatter declares binary dependencies and environment variable requirements. Skills compile into JSON artifacts and prompt text during `forge build`.
+
+### YAML Frontmatter
+
+Top-level fields:
+
+| Field | Required | Description |
+|-------|----------|-------------|
+| `name` | yes | Skill identifier (kebab-case) |
+| `icon` | yes | Emoji displayed in the TUI skill picker |
+| `category` | yes | Grouping for `forge skills list --category` (e.g., `sre`, `developer`, `research`, `utilities`) |
+| `tags` | yes | Discovery keywords for `forge skills list --tags` (kebab-case) |
+| `description` | yes | One-line summary |
+
+The `metadata.forge.requires` block declares runtime dependencies:
+
+- **`bins`** — Binary dependencies that must be in `$PATH` at runtime
+- **`env.required`** — Environment variables that must be set
+- **`env.one_of`** — At least one of these environment variables must be set
+- **`env.optional`** — Optional environment variables for extended functionality
+
+Frontmatter is parsed by `ParseWithMetadata()` in `forge-skills/parser/parser.go` and feeds into the compilation pipeline.
+
+### Legacy List Format
+
+```markdown
+# Agent Skills
+
+- translate
+- summarize
+- classify
+```
+
+Single-word list items (no spaces, max 64 characters) create name-only skill entries. This format is simpler but provides less metadata.
+
+## Skill Registry
+
+Forge ships with a built-in skill registry. Add skills to your project with a single command:
+
+```bash
+# Add a skill from the registry
+forge skills add tavily-research
+
+# Validate skill requirements
+forge skills validate
+
+# Audit skill security
+forge skills audit --embedded
+```
+
+`forge skills add` copies the skill's SKILL.md and any associated scripts into your project's `skills/` directory. It validates binary and environment requirements, checks for existing values in your environment, `.env` file, and encrypted secrets, and prompts only for truly missing values with a suggestion to use `forge secrets set` for sensitive keys. If the skill declares `egress_domains`, they are automatically merged into the `forge.yaml` `egress.allowed_domains` list (deduplicated and sorted).
+
+## Skills as First-Class Tools
+
+Script-backed skills are automatically registered as **first-class LLM tools** at runtime. When a skill has scripts in `skills/scripts/`, Forge:
+
+1. Parses the skill's SKILL.md for tool definitions, descriptions, and input schemas
+2. Creates a named tool for each `## Tool:` entry (e.g., `tavily_research` becomes a tool the LLM can call directly)
+3. Executes the skill's shell script with JSON input when the LLM invokes it
+
+This means the LLM sees skill tools alongside builtins like `web_search` and `http_request` — no generic `cli_execute` indirection needed.
+
+For skills **without** scripts (binary-backed skills like `k8s-incident-triage`), Forge injects the full skill instructions into the system prompt. The complete SKILL.md body — including triage steps, detection heuristics, output structure, and safety constraints — is included inline so the LLM follows the skill protocol without needing an extra tool call. Skills are invoked via `cli_execute` with the declared binary dependencies.
+
+```
+┌─────────────────────────────────────────────────┐
+│                LLM Tool Registry                │
+├─────────────────┬───────────────────────────────┤
+│  Builtins       │  web_search, http_request     │
+│  Skill Tools    │  tavily_research, codegen_*   │  ← auto-registered from scripts
+│  read_skill     │  load any SKILL.md on demand  │
+│  cli_execute    │  run approved binaries        │
+├─────────────────┴───────────────────────────────┤
+│  System Prompt: full skill instructions inline  │  ← binary-backed skills
+└─────────────────────────────────────────────────┘
+```
+
+## Skill Execution Security
+
+Skill scripts run in a restricted environment via `SkillCommandExecutor`:
+
+- **Isolated environment**: Only `PATH`, `HOME`, and explicitly declared env vars are passed through
+- **OAuth token resolution**: When `OPENAI_API_KEY` is set to `__oauth__`, the executor resolves OAuth credentials and injects the access token, `OPENAI_BASE_URL`, and the configured model as `REVIEW_MODEL`
+- **Configurable timeout**: Each skill declares a `timeout_hint` in its YAML frontmatter (e.g., 300s for research)
+- **No shell execution**: Scripts run via `bash <script> <json-input>`, not through a shell interpreter
+- **Egress proxy enforcement**: When egress mode is `allowlist` or `deny-all`, a local HTTP/HTTPS proxy is started and `HTTP_PROXY`/`HTTPS_PROXY` env vars are injected into subprocess environments, ensuring `curl`, `wget`, Python `requests`, and other HTTP clients route through the same domain allowlist used by in-process tools (see [Egress Security](security/egress.md))
+
+### Symlink Escape Detection
+
+The skill scanner validates symlinks when a filesystem root path is available. Symlinks that resolve outside the root directory are skipped with a warning log. This prevents malicious symlinks in skill directories from escaping the project boundary. The scanner exposes `ScanWithRoot(fsys, rootPath)` for callers that need symlink validation, while the original `Scan(fsys)` remains backward-compatible.
+
+### Trust Policy Defaults
+
+The default trust policy requires checksum verification (`RequireChecksum: true`). Skills loaded without a signature emit a warning log at scan time. Signature verification remains opt-in (`RequireSignature: false`).
+
+## Skill Categories & Tags
+
+All embedded skills must declare `category`, `tags`, and `icon` in their frontmatter. Categories and tags must be lowercase kebab-case.
+
+```markdown
+---
+name: k8s-incident-triage
+icon: ☸️
+category: sre
+tags:
+  - kubernetes
+  - incident-response
+  - triage
+---
+```
+
+Use categories and tags to filter skills:
+
+```bash
+# List skills by category
+forge skills list --category sre
+
+# Filter by tags (AND semantics — skill must have all listed tags)
+forge skills list --tags kubernetes,incident-response
+```
diff --git a/docs/tools.md b/docs/core-concepts/tools-and-builtins.md
similarity index 98%
rename from docs/tools.md
rename to docs/core-concepts/tools-and-builtins.md
index 3357fd8..ee615b2 100644
--- a/docs/tools.md
+++ b/docs/core-concepts/tools-and-builtins.md
@@ -1,6 +1,8 @@
-# Tools
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Tools & Builtins"
+description: "Built-in tools, adapter tools, and the pluggable tool system."
+order: 3
+---
 
 Tools are capabilities that an LLM agent can invoke during execution. Forge provides a pluggable tool system with built-in tools, adapter tools, development tools, and custom tools.
 
@@ -248,6 +250,3 @@ The `ToolFilterStage` runs during `forge build`:
 2. Sets `tool_interface_version` to `"1.0"` on the AgentSpec
 3. In production mode (`--prod`), removes all dev-category tools
 4. Counts tools per category for the build manifest
-
----
-← [Skills](skills.md) | [Back to README](../README.md) | [Runtime](runtime.md) →
diff --git a/docs/deployment.md b/docs/deployment.md
deleted file mode 100644
index d7f5741..0000000
--- a/docs/deployment.md
+++ /dev/null
@@ -1,114 +0,0 @@
-# Packaging & Deployment
-
-> Part of [Forge Documentation](../README.md)
-
-Forge agents can be packaged as container images and deployed to Docker, Kubernetes, or air-gapped environments.
-
-## Pre-built Docker Image
-
-Forge publishes multi-architecture Docker images (linux/amd64, linux/arm64) to GitHub Container Registry on every release:
-
-```bash
-# Pull the latest release
-docker pull ghcr.io/initializ/forge:latest
-
-# Pin to a specific version
-docker pull ghcr.io/initializ/forge:v1.2.3
-
-# Run with your agent directory mounted
-docker run -v /path/to/agent:/home/forge/agent -w /home/forge/agent \
-  -e OPENAI_API_KEY=sk-... \
-  ghcr.io/initializ/forge:latest run --host 0.0.0.0
-```
-
-Tags follow the pattern `v1.2.3`, `v1.2`, `v1`, and `latest`.
-
-The image is built from a multi-stage Dockerfile in the repository root — `golang:1.25-alpine` for the build stage (static binary, `CGO_ENABLED=0`) and `alpine:3.21` for the runtime with `ca-certificates`, `git`, and `tzdata`. The container runs as a non-root `forge` user.
-
-## Building Agent Container Images
-
-```bash
-# Build a container image (auto-detects Docker/Podman/Buildah)
-forge package
-
-# Production build (rejects dev tools and dev-open egress)
-forge package --prod
-
-# Build and push to registry
-forge package --registry ghcr.io/myorg --push
-
-# Generate docker-compose with channel sidecars
-forge package --with-channels
-
-# Export for Initializ Command platform
-forge export --pretty --include-schemas
-```
-
-`forge package` generates a Dockerfile, Kubernetes manifests, and NetworkPolicy. Use `--prod` to strip dev tools and enforce strict egress. Use `--verify` to smoke-test the built container.
-
-## Production Build Checks
-
-Production builds (`--prod`) enforce:
-
-- No `dev-open` egress mode
-- No dev-only tools (`local_shell`, `local_file_browser`)
-- Secret provider chain must include `env` (not just `encrypted-file`)
-- `.dockerignore` must exist if a Dockerfile is generated
-
-## Docker Compose
-
-```bash
-forge package --with-channels
-```
-
-This generates a `docker-compose.yaml` with:
-- An `agent` service running the A2A server
-- Adapter services (e.g., `slack-adapter`, `telegram-adapter`) connecting to the agent
-
-## Kubernetes
-
-Every `forge build` generates container-ready artifacts:
-
-| Artifact | Purpose |
-|----------|---------|
-| `guardrails.json` | Guardrail policy config (copied from project root if present) |
-| `Dockerfile` | Container image with minimal attack surface |
-| `deployment.yaml` | Kubernetes Deployment manifest |
-| `service.yaml` | Kubernetes Service manifest |
-| `network-policy.yaml` | NetworkPolicy restricting pod egress to allowed domains |
-| `egress_allowlist.json` | Machine-readable domain allowlist |
-| `checksums.json` | SHA-256 checksums + Ed25519 signature |
-
-## Air-Gap Deployments
-
-Forge can run entirely offline with local models:
-
-1. Use `ollama` as the LLM provider with a locally-hosted model
-2. Set egress mode to `deny-all` to block all outbound traffic
-3. Pre-install all binary dependencies in the container image
-4. Use environment variables for secrets (no passphrase prompting needed)
-
-```yaml
-model:
-  provider: ollama
-  name: llama3
-egress:
-  mode: deny-all
-```
-
-## Command Platform Export
-
-For Initializ Command integration, export the agent spec:
-
-```bash
-# Export with embedded schemas
-forge export --pretty --include-schemas
-
-# Simulate Command import
-forge export --simulate-import
-```
-
-See [Command Integration](command-integration.md) for the full integration guide.
-
----
-← [Dashboard](dashboard.md) | [Back to README](../README.md) | [Plugins](plugins.md) →
diff --git a/docs/deployment/docker.md b/docs/deployment/docker.md
new file mode 100644
index 0000000..5023f83
--- /dev/null
+++ b/docs/deployment/docker.md
@@ -0,0 +1,59 @@
+---
+title: "Docker"
+description: "Package and deploy Forge agents as Docker containers."
+order: 1
+---
+
+Forge agents can be packaged as container images and deployed to Docker.
+
+## Pre-built Docker Image
+
+Forge publishes multi-architecture Docker images (linux/amd64, linux/arm64) to GitHub Container Registry on every release:
+
+```bash
+# Pull the latest release
+docker pull ghcr.io/initializ/forge:latest
+
+# Pin to a specific version
+docker pull ghcr.io/initializ/forge:v1.2.3
+
+# Run with your agent directory mounted
+docker run -v /path/to/agent:/home/forge/agent -w /home/forge/agent \
+  -e OPENAI_API_KEY=sk-... \
+  ghcr.io/initializ/forge:latest run --host 0.0.0.0
+```
+
+Tags follow the pattern `v1.2.3`, `v1.2`, `v1`, and `latest`.
+
+The image is built from a multi-stage Dockerfile in the repository root — `golang:1.25-alpine` for the build stage (static binary, `CGO_ENABLED=0`) and `alpine:3.21` for the runtime with `ca-certificates`, `git`, and `tzdata`. The container runs as a non-root `forge` user.
+
+## Building Agent Container Images
+
+```bash
+# Build a container image (auto-detects Docker/Podman/Buildah)
+forge package
+
+# Production build (rejects dev tools and dev-open egress)
+forge package --prod
+
+# Build and push to registry
+forge package --registry ghcr.io/myorg --push
+
+# Generate docker-compose with channel sidecars
+forge package --with-channels
+
+# Export for Initializ Command platform
+forge export --pretty --include-schemas
+```
+
+`forge package` generates a Dockerfile, Kubernetes manifests, and NetworkPolicy. Use `--prod` to strip dev tools and enforce strict egress. Use `--verify` to smoke-test the built container.
+
+## Docker Compose
+
+```bash
+forge package --with-channels
+```
+
+This generates a `docker-compose.yaml` with:
+- An `agent` service running the A2A server
+- Adapter services (e.g., `slack-adapter`, `telegram-adapter`) connecting to the agent
diff --git a/docs/deployment/kubernetes.md b/docs/deployment/kubernetes.md
new file mode 100644
index 0000000..57e5f72
--- /dev/null
+++ b/docs/deployment/kubernetes.md
@@ -0,0 +1,36 @@
+---
+title: "Kubernetes"
+description: "Deploy Forge agents to Kubernetes with generated manifests and NetworkPolicy."
+order: 2
+---
+
+## Kubernetes
+
+Every `forge build` generates container-ready artifacts:
+
+| Artifact | Purpose |
+|----------|---------|
+| `guardrails.json` | Guardrail policy config (copied from project root if present) |
+| `Dockerfile` | Container image with minimal attack surface |
+| `deployment.yaml` | Kubernetes Deployment manifest |
+| `service.yaml` | Kubernetes Service manifest |
+| `network-policy.yaml` | NetworkPolicy restricting pod egress to allowed domains |
+| `egress_allowlist.json` | Machine-readable domain allowlist |
+| `checksums.json` | SHA-256 checksums + Ed25519 signature |
+
+## Air-Gap Deployments
+
+Forge can run entirely offline with local models:
+
+1. Use `ollama` as the LLM provider with a locally-hosted model
+2. Set egress mode to `deny-all` to block all outbound traffic
+3. Pre-install all binary dependencies in the container image
+4. Use environment variables for secrets (no passphrase prompting needed)
+
+```yaml
+model:
+  provider: ollama
+  name: llama3
+egress:
+  mode: deny-all
+```
diff --git a/docs/deployment/monitoring.md b/docs/deployment/monitoring.md
new file mode 100644
index 0000000..a581344
--- /dev/null
+++ b/docs/deployment/monitoring.md
@@ -0,0 +1,59 @@
+---
+title: "Monitoring"
+description: "Monitor Forge agents with structured audit events and logging."
+order: 4
+---
+
+## Audit Events
+
+All runtime security events are emitted as structured NDJSON to stderr with correlation IDs for end-to-end tracing.
+
+### Event Types
+
+| Event | Description |
+|-------|-------------|
+| `session_start` | New task session begins |
+| `session_end` | Task session completes (with final state) |
+| `tool_exec` | Tool execution start/end (with tool name) |
+| `egress_allowed` | Outbound request allowed (with domain, mode) |
+| `egress_blocked` | Outbound request blocked (with domain, mode) |
+| `llm_call` | LLM API call completed (with token count) |
+| `guardrail_check` | Guardrail evaluation result |
+| `schedule_fire` | Scheduled task triggered |
+| `schedule_complete` | Scheduled task completed |
+
+### Example
+
+```json
+{"ts":"2026-02-28T10:00:00Z","event":"session_start","correlation_id":"a1b2c3d4","task_id":"task-1"}
+{"ts":"2026-02-28T10:00:01Z","event":"tool_exec","correlation_id":"a1b2c3d4","fields":{"tool":"tavily_research","phase":"start"}}
+{"ts":"2026-02-28T10:00:01Z","event":"egress_allowed","correlation_id":"a1b2c3d4","fields":{"domain":"api.tavily.com","mode":"allowlist","source":"proxy"}}
+{"ts":"2026-02-28T10:00:05Z","event":"tool_exec","correlation_id":"a1b2c3d4","fields":{"tool":"tavily_research","phase":"end"}}
+{"ts":"2026-02-28T10:00:06Z","event":"session_end","correlation_id":"a1b2c3d4","fields":{"state":"completed"}}
+```
+
+The `source` field distinguishes in-process enforcer events from subprocess proxy events.
+
+## Streaming Events
+
+The runtime emits real-time progress events via SSE (Server-Sent Events) when using the A2A HTTP server:
+
+- **`status`** events carry incremental text
+- **`progress`** events carry tool execution updates
+- **`result`** events carry the final response
+
+These events enable live progress indicators in the [Web Dashboard](/docs/reference/web-dashboard) and channel adapters.
+
+## Health Checks
+
+When running as a daemon via `forge serve`, the agent exposes health information:
+
+```bash
+# Check daemon status (PID, uptime, health)
+forge serve status
+
+# View recent logs
+forge serve logs
+```
+
+See [Audit Logging](/docs/security/audit-logging) for details on the event format and DB mode audit storage.
diff --git a/docs/deployment/production-checklist.md b/docs/deployment/production-checklist.md
new file mode 100644
index 0000000..f2eab06
--- /dev/null
+++ b/docs/deployment/production-checklist.md
@@ -0,0 +1,28 @@
+---
+title: "Production Checklist"
+description: "Production build checks and deployment best practices."
+order: 3
+---
+
+## Production Build Checks
+
+Production builds (`--prod`) enforce:
+
+- No `dev-open` egress mode
+- No dev-only tools (`local_shell`, `local_file_browser`)
+- Secret provider chain must include `env` (not just `encrypted-file`)
+- `.dockerignore` must exist if a Dockerfile is generated
+
+## Command Platform Export
+
+For Initializ Command integration, export the agent spec:
+
+```bash
+# Export with embedded schemas
+forge export --pretty --include-schemas
+
+# Simulate Command import
+forge export --simulate-import
+```
+
+See [Command Integration](command-integration.md) for the full integration guide.
diff --git a/docs/faq.md b/docs/faq.md
new file mode 100644
index 0000000..8cfc84f
--- /dev/null
+++ b/docs/faq.md
@@ -0,0 +1,102 @@
+---
+title: "FAQ"
+description: "Frequently asked questions about Forge."
+order: 1
+---
+
+## What LLM providers does Forge support?
+
+Forge supports **OpenAI**, **Anthropic**, **Google Gemini**, **Ollama** (local models), and **custom** OpenAI-compatible endpoints. You can configure fallback chains for automatic failover between providers.
+
+## Can I use Forge without an API key?
+
+Yes. Use [Ollama](https://ollama.ai) with a locally-hosted model:
+
+```yaml
+model:
+  provider: ollama
+  name: llama3
+```
+
+No API key needed — Ollama runs models entirely on your machine.
+
+## How do I add a skill?
+
+```bash
+# Browse available skills
+forge skills list
+
+# Add a skill from the registry
+forge skills add tavily-research
+
+# Validate requirements
+forge skills validate
+```
+
+See [Embedded Skills](/docs/skills/embedded-skills) for the full catalog.
+
+## What's the difference between skills and tools?
+
+**Skills** are high-level capability descriptions defined in `SKILL.md` files. They describe what an agent *can do* and compile into container artifacts during `forge build`.
+
+**Tools** are individual functions the LLM can call at runtime — like `web_search`, `http_request`, or `cli_execute`. Skills can register their own tools (script-backed) or use existing builtin tools (binary-backed).
+
+## How does Forge secure my data?
+
+Forge provides multiple security layers:
+
+- **Egress controls** — Restrict which domains agents can access (allowlist, deny-all, or dev-open modes)
+- **Encrypted secrets** — AES-256-GCM encryption with Argon2id key derivation
+- **Execution sandboxing** — Binary allowlists, argument validation, environment isolation
+- **Content guardrails** — PII detection, jailbreak protection, secret scanning
+- **Build signing** — Ed25519 signatures for supply chain integrity
+- **Audit logging** — Structured NDJSON events for every security-relevant action
+
+See [Security Overview](/docs/security/overview) for the full architecture.
+
+## Can I run Forge in air-gapped environments?
+
+Yes. Use Ollama as the LLM provider and set egress mode to `deny-all`:
+
+```yaml
+model:
+  provider: ollama
+  name: llama3
+egress:
+  mode: deny-all
+```
+
+Pre-install all binary dependencies in the container image. No outbound network access is required.
+
+## How do I connect Slack or Telegram?
+
+```bash
+# Add a channel adapter
+forge channel add slack
+forge channel add telegram
+
+# Run with channels
+forge run --with slack,telegram
+```
+
+Both channels use **outbound-only connections** — no public URLs or webhooks required. See [Channels](/docs/core-concepts/channels) for setup instructions.
+
+## Does Forge support multi-turn conversations?
+
+Yes. Session persistence is enabled by default — conversations are saved to disk and recovered automatically. Sessions older than 30 minutes are discarded to prevent poisoned context.
+
+See [Memory System](/docs/core-concepts/memory-system) for details.
+
+## Can I schedule recurring tasks?
+
+Yes. Configure schedules in `forge.yaml` or create them dynamically at runtime:
+
+```yaml
+schedules:
+  - id: daily-report
+    cron: "@daily"
+    task: "Generate daily status report"
+    channel: telegram
+```
+
+See [Scheduling](/docs/core-concepts/scheduling) for details.
diff --git a/docs/getting-started/configuration.md b/docs/getting-started/configuration.md
new file mode 100644
index 0000000..1598db9
--- /dev/null
+++ b/docs/getting-started/configuration.md
@@ -0,0 +1,42 @@
+---
+title: "Configuration"
+description: "Configure your Forge agent with forge.yaml and environment variables."
+order: 4
+---
+
+All Forge agent configuration lives in `forge.yaml` at the project root.
+
+## Quick Start
+
+A minimal `forge.yaml`:
+
+```yaml
+agent_id: "my-agent"
+version: "1.0.0"
+
+model:
+  provider: "openai"
+  name: "gpt-4o"
+
+tools:
+  - name: "web_search"
+  - name: "cli_execute"
+    config:
+      allowed_binaries: ["git", "curl"]
+```
+
+## Key Sections
+
+| Section | Purpose |
+|---------|---------|
+| `model` | LLM provider, model name, fallback chain |
+| `tools` | Builtin and custom tool configuration |
+| `channels` | Messaging platform adapters (Slack, Telegram) |
+| `egress` | Outbound network access controls |
+| `memory` | Session persistence and long-term memory |
+| `secrets` | Encrypted secret storage providers |
+| `schedules` | Recurring cron-based tasks |
+
+For the complete schema, see [forge.yaml Schema](/docs/reference/forge-yaml-schema).
+
+For all environment variable overrides, see [Environment Variables](/docs/reference/environment-variables).
diff --git a/docs/contributing.md b/docs/getting-started/contributing.md
similarity index 97%
rename from docs/contributing.md
rename to docs/getting-started/contributing.md
index 245d333..288c9f0 100644
--- a/docs/contributing.md
+++ b/docs/getting-started/contributing.md
@@ -1,4 +1,8 @@
-# Contributing
+---
+title: "Contributing"
+description: "Set up the development environment and contribute to Forge."
+order: 5
+---
 
 ## Development Setup
 
diff --git a/docs/installation.md b/docs/getting-started/installation.md
similarity index 75%
rename from docs/installation.md
rename to docs/getting-started/installation.md
index be6ba05..9b55181 100644
--- a/docs/installation.md
+++ b/docs/getting-started/installation.md
@@ -1,6 +1,8 @@
-# Installation
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Installation"
+description: "Install Forge via Homebrew, script, or binary download."
+order: 1
+---
 
 Forge can be installed via Homebrew, pre-built binary, or manual download on Windows.
 
@@ -27,6 +29,3 @@ Download the latest `.zip` from [GitHub Releases](https://github.com/initializ/f
 ```bash
 forge --version
 ```
-
----
-← [Quick Start](quickstart.md) | [Back to README](../README.md) | [Architecture](architecture.md) →
diff --git a/docs/quickstart.md b/docs/getting-started/quick-start.md
similarity index 91%
rename from docs/quickstart.md
rename to docs/getting-started/quick-start.md
index aba64dd..0f76bf3 100644
--- a/docs/quickstart.md
+++ b/docs/getting-started/quick-start.md
@@ -1,6 +1,8 @@
-# Quick Start
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Quick Start"
+description: "Get a Forge agent running in under 60 seconds."
+order: 2
+---
 
 Get a Forge agent running in under 60 seconds.
 
@@ -47,6 +49,3 @@ forge run --with telegram
 The `forge init` wizard walks you through model provider, API key, fallback providers, tools, skills, and channel setup. Use `--non-interactive` with flags for scripted setups.
 
 See [Installation](installation.md) for all installation methods.
-
----
-[Back to README](../README.md) | [Installation](installation.md) →
diff --git a/docs/getting-started/your-first-skill.md b/docs/getting-started/your-first-skill.md
new file mode 100644
index 0000000..691b574
--- /dev/null
+++ b/docs/getting-started/your-first-skill.md
@@ -0,0 +1,70 @@
+---
+title: "Your First Skill"
+description: "Create your first agent skill with the SKILL.md format."
+order: 3
+---
+
+Skills bridge the gap between high-level capability descriptions and the tool-calling system. Each skill lives in its own subdirectory under `skills/` with a `SKILL.md` file that defines what the agent can do.
+
+## Create Your First Skill
+
+### 1. Initialize a project
+
+```bash
+forge init my-agent
+cd my-agent
+```
+
+### 2. Create a skill directory
+
+```bash
+mkdir -p skills/weather
+```
+
+### 3. Write the SKILL.md
+
+Create `skills/weather/SKILL.md`:
+
+```markdown
+---
+name: weather
+icon: 🌤️
+category: utilities
+tags:
+  - weather
+  - forecast
+description: Weather data skill
+---
+## Tool: weather_current
+
+Get current weather for a location.
+
+**Input:** location (string) - City name or coordinates
+**Output:** Current temperature, conditions, humidity, and wind speed
+```
+
+### 4. Build and run
+
+```bash
+forge build
+forge run
+```
+
+Your agent now has a `weather_current` tool it can invoke. The skill's instructions are injected into the LLM system prompt automatically.
+
+### 5. Add from the registry
+
+Instead of writing skills from scratch, you can add pre-built skills:
+
+```bash
+# Browse available skills
+forge skills list
+
+# Add a skill from the registry
+forge skills add tavily-research
+
+# Validate requirements
+forge skills validate
+```
+
+See [SKILL.md Format](/docs/core-concepts/skill-md-format) for the complete format reference and [Embedded Skills](/docs/skills/embedded-skills) for all built-in skills.
diff --git a/docs/reference/agent-skills-compatibility.md b/docs/reference/agent-skills-compatibility.md
new file mode 100644
index 0000000..ae7a60c
--- /dev/null
+++ b/docs/reference/agent-skills-compatibility.md
@@ -0,0 +1,41 @@
+---
+title: "Agent Skills Compatibility"
+description: "Compatibility matrix for skills across agent types and LLM providers."
+order: 4
+---
+
+## Compatibility Matrix
+
+All embedded skills work with any LLM provider that supports tool calling. Provider-specific requirements are limited to API keys for external services.
+
+### Provider Support
+
+| Feature | OpenAI | Anthropic | Gemini | Ollama |
+|---------|--------|-----------|--------|--------|
+| Tool calling | ✅ | ✅ | ✅ | ✅ (model-dependent) |
+| Script-backed skills | ✅ | ✅ | ✅ | ✅ |
+| Binary-backed skills | ✅ | ✅ | ✅ | ✅ |
+| Skill guardrails | ✅ | ✅ | ✅ | ✅ |
+| OAuth login | ✅ | — | — | — |
+
+### Skill Requirements
+
+| Skill | Required Binaries | Required Env Vars | Egress Domains |
+|-------|-------------------|-------------------|----------------|
+| `github` | `gh`, `git`, `jq` | `GH_TOKEN` (optional) | `api.github.com`, `github.com` |
+| `tavily-search` | `curl`, `jq` | `TAVILY_API_KEY` | `api.tavily.com` |
+| `tavily-research` | `curl`, `jq` | `TAVILY_API_KEY` | `api.tavily.com` |
+| `k8s-incident-triage` | `kubectl` | `KUBECONFIG` (optional) | — |
+| `k8s-pod-rightsizer` | `bash`, `kubectl`, `jq`, `curl` | `KUBECONFIG` (optional) | — |
+| `k8s-cost-visibility` | `kubectl`, `jq`, `awk`, `bc` | `KUBECONFIG` (optional) | — |
+| `code-review` | — | `OPENAI_API_KEY` or `ANTHROPIC_API_KEY` | Provider API domain |
+| `codegen-react` | `node`, `npx`, `jq` | — | `registry.npmjs.org`, `cdn.tailwindcss.com` |
+| `codegen-html` | `jq` | — | `cdn.tailwindcss.com`, `esm.sh` |
+| `code-agent` | `bash`, `jq` | — | Package registries |
+
+### Notes
+
+- **Binary dependencies** are checked at runtime. Missing binaries produce clear error messages with installation instructions.
+- **Environment variables** are resolved from the secret provider chain: agent-local encrypted file → global encrypted file → environment variables.
+- **Egress domains** declared by skills are automatically merged into `forge.yaml` when added via `forge skills add`.
+- **Ollama** requires models with tool-calling support (e.g., `llama3.1`, `mistral`). Older models without tool support will not work with script-backed skills.
diff --git a/docs/commands.md b/docs/reference/cli-reference.md
similarity index 98%
rename from docs/commands.md
rename to docs/reference/cli-reference.md
index 32f31da..eb53b2b 100644
--- a/docs/commands.md
+++ b/docs/reference/cli-reference.md
@@ -1,6 +1,8 @@
-# CLI Reference
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "CLI Reference"
+description: "Complete reference for all Forge CLI commands."
+order: 1
+---
 
 Complete reference for all Forge CLI commands.
 
@@ -504,6 +506,3 @@ forge ui --no-open
 ```
 
 See [Dashboard](dashboard.md) for full documentation.
-
----
-← [Hooks](hooks.md) | [Back to README](../README.md) | [Configuration](configuration.md) →
diff --git a/docs/command-integration.md b/docs/reference/command-integration.md
similarity index 97%
rename from docs/command-integration.md
rename to docs/reference/command-integration.md
index 809dbb4..306d7d2 100644
--- a/docs/command-integration.md
+++ b/docs/reference/command-integration.md
@@ -1,4 +1,8 @@
-# Command Platform Integration Guide
+---
+title: "Command Integration"
+description: "Integrate Forge agents with the Initializ Command platform."
+order: 7
+---
 
 ## Overview
 
@@ -192,6 +196,3 @@ The following are considered stable and will not change without a major version
 - Deprecated APIs will be marked with `// Deprecated:` comments
 - Deprecated APIs will continue to work for at least one minor version
 - Removal of deprecated APIs requires a major version bump
-
----
-← [Plugins](plugins.md) | [Back to README](../README.md) | [Contributing](contributing.md) →
diff --git a/docs/reference/environment-variables.md b/docs/reference/environment-variables.md
new file mode 100644
index 0000000..ed28c70
--- /dev/null
+++ b/docs/reference/environment-variables.md
@@ -0,0 +1,32 @@
+---
+title: "Environment Variables"
+description: "All environment variables supported by Forge."
+order: 3
+---
+
+## Environment Variables
+
+| Variable | Description |
+|----------|-------------|
+| `FORGE_MODEL_PROVIDER` | Override LLM provider |
+| `FORGE_MODEL_FALLBACKS` | Fallback chain (e.g., `"anthropic:claude-sonnet-4,gemini"`) |
+| `FORGE_MEMORY_PERSISTENCE` | Set `false` to disable session persistence |
+| `FORGE_MEMORY_LONG_TERM` | Set `true` to enable long-term memory |
+| `FORGE_EMBEDDING_PROVIDER` | Override embedding provider |
+| `OPENAI_API_KEY` | OpenAI API key |
+| `OPENAI_ORG_ID` | OpenAI Organization ID (enterprise); overrides `organization_id` in YAML |
+| `ANTHROPIC_API_KEY` | Anthropic API key |
+| `GEMINI_API_KEY` | Google Gemini API key |
+| `TAVILY_API_KEY` | Tavily web search API key |
+| `PERPLEXITY_API_KEY` | Perplexity web search API key |
+| `WEB_SEARCH_PROVIDER` | Force web search provider (`tavily` or `perplexity`) |
+| `OPENAI_BASE_URL` | Override OpenAI base URL |
+| `ANTHROPIC_BASE_URL` | Override Anthropic base URL |
+| `OLLAMA_BASE_URL` | Override Ollama base URL (default: `http://localhost:11434`) |
+| `FORGE_CORS_ORIGINS` | Comma-separated CORS allowed origins for A2A server |
+| `FORGE_AUTH_URL` | External auth provider URL for token validation |
+| `FORGE_AUTH_ORG_ID` | Organization ID sent to external auth provider |
+| `FORGE_GUARDRAILS_DB` | MongoDB URI for DB-backed guardrails config + audit |
+| `FORGE_AGENT_ID` | Agent identifier for DB guardrails (falls back to `agent_id` in YAML) |
+| `FORGE_ORG_ID` | Organization identifier for DB guardrails |
+| `FORGE_PASSPHRASE` | Passphrase for encrypted secrets file |
diff --git a/docs/configuration.md b/docs/reference/forge-yaml-schema.md
similarity index 66%
rename from docs/configuration.md
rename to docs/reference/forge-yaml-schema.md
index cdc5a60..0407ce1 100644
--- a/docs/configuration.md
+++ b/docs/reference/forge-yaml-schema.md
@@ -1,6 +1,8 @@
-# Configuration Reference
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "forge.yaml Schema"
+description: "Complete YAML schema reference for Forge agent configuration."
+order: 2
+---
 
 All Forge agent configuration lives in `forge.yaml` at the project root.
 
@@ -87,33 +89,3 @@ schedules:                          # Recurring scheduled tasks (optional)
     channel: "telegram"             # Optional channel for delivery
     channel_target: "-100123456"    # Destination chat/channel ID
 ```
-
-## Environment Variables
-
-| Variable | Description |
-|----------|-------------|
-| `FORGE_MODEL_PROVIDER` | Override LLM provider |
-| `FORGE_MODEL_FALLBACKS` | Fallback chain (e.g., `"anthropic:claude-sonnet-4,gemini"`) |
-| `FORGE_MEMORY_PERSISTENCE` | Set `false` to disable session persistence |
-| `FORGE_MEMORY_LONG_TERM` | Set `true` to enable long-term memory |
-| `FORGE_EMBEDDING_PROVIDER` | Override embedding provider |
-| `OPENAI_API_KEY` | OpenAI API key |
-| `OPENAI_ORG_ID` | OpenAI Organization ID (enterprise); overrides `organization_id` in YAML |
-| `ANTHROPIC_API_KEY` | Anthropic API key |
-| `GEMINI_API_KEY` | Google Gemini API key |
-| `TAVILY_API_KEY` | Tavily web search API key |
-| `PERPLEXITY_API_KEY` | Perplexity web search API key |
-| `WEB_SEARCH_PROVIDER` | Force web search provider (`tavily` or `perplexity`) |
-| `OPENAI_BASE_URL` | Override OpenAI base URL |
-| `ANTHROPIC_BASE_URL` | Override Anthropic base URL |
-| `OLLAMA_BASE_URL` | Override Ollama base URL (default: `http://localhost:11434`) |
-| `FORGE_CORS_ORIGINS` | Comma-separated CORS allowed origins for A2A server |
-| `FORGE_AUTH_URL` | External auth provider URL for token validation |
-| `FORGE_AUTH_ORG_ID` | Organization ID sent to external auth provider |
-| `FORGE_GUARDRAILS_DB` | MongoDB URI for DB-backed guardrails config + audit |
-| `FORGE_AGENT_ID` | Agent identifier for DB guardrails (falls back to `agent_id` in YAML) |
-| `FORGE_ORG_ID` | Organization identifier for DB guardrails |
-| `FORGE_PASSPHRASE` | Passphrase for encrypted secrets file |
-
----
-← [Commands](commands.md) | [Back to README](../README.md) | [Dashboard](dashboard.md) →
diff --git a/docs/plugins.md b/docs/reference/framework-plugins.md
similarity index 97%
rename from docs/plugins.md
rename to docs/reference/framework-plugins.md
index b4a7ee6..6ee2bac 100644
--- a/docs/plugins.md
+++ b/docs/reference/framework-plugins.md
@@ -1,4 +1,8 @@
-# Framework Plugins
+---
+title: "Framework Plugins"
+description: "Plugin system for CrewAI, LangChain, and custom frameworks."
+order: 6
+---
 
 ## Overview
 
@@ -139,6 +143,3 @@ type Plugin interface {
 ```
 
 Available hook points: `pre-build`, `post-build`, `pre-push`, `post-push`.
-
----
-← [Deployment](deployment.md) | [Back to README](../README.md) | [Command Integration](command-integration.md) →
diff --git a/docs/dashboard.md b/docs/reference/web-dashboard.md
similarity index 98%
rename from docs/dashboard.md
rename to docs/reference/web-dashboard.md
index 664558b..4af4f0c 100644
--- a/docs/dashboard.md
+++ b/docs/reference/web-dashboard.md
@@ -1,6 +1,8 @@
-# Web Dashboard
-
-> Part of [Forge Documentation](../README.md)
+---
+title: "Web Dashboard"
+description: "Local web dashboard for managing agents from the browser."
+order: 5
+---
 
 Forge includes a local web dashboard for managing agents from the browser — no CLI needed after launch.
 
@@ -185,6 +187,3 @@ Key design decisions:
 - **Daemon-based lifecycle** — the UI delegates to `forge serve start/stop` via `exec.Command`, so agents are independent OS processes that survive UI restarts.
 - **Scanner as source of truth** — `discovery.go` reads `.forge/serve.json` and does a TCP probe to detect running agents. No in-memory state tracking is needed.
 - **Version display** — the sidebar footer shows the Forge version (injected via `-ldflags` at build time) and links to [useforge.ai](https://useforge.ai).
-
----
-← [Configuration](configuration.md) | [Back to README](../README.md) | [Deployment](deployment.md) →
diff --git a/docs/security/audit-logging.md b/docs/security/audit-logging.md
new file mode 100644
index 0000000..a850f6d
--- /dev/null
+++ b/docs/security/audit-logging.md
@@ -0,0 +1,33 @@
+---
+title: "Audit Logging"
+description: "Structured NDJSON audit logging for runtime security events."
+order: 6
+---
+
+## Audit Logging
+
+All runtime security events are emitted as structured NDJSON to stderr with correlation IDs for end-to-end tracing.
+
+### Event Types
+
+| Event | Description |
+|-------|-------------|
+| `session_start` | New task session begins |
+| `session_end` | Task session completes (with final state) |
+| `tool_exec` | Tool execution start/end (with tool name) |
+| `egress_allowed` | Outbound request allowed (with domain, mode) |
+| `egress_blocked` | Outbound request blocked (with domain, mode) |
+| `llm_call` | LLM API call completed (with token count) |
+| `guardrail_check` | Guardrail evaluation result |
+
+### Example
+
+```json
+{"ts":"2026-02-28T10:00:00Z","event":"session_start","correlation_id":"a1b2c3d4","task_id":"task-1"}
+{"ts":"2026-02-28T10:00:01Z","event":"tool_exec","correlation_id":"a1b2c3d4","fields":{"tool":"tavily_research","phase":"start"}}
+{"ts":"2026-02-28T10:00:01Z","event":"egress_allowed","correlation_id":"a1b2c3d4","fields":{"domain":"api.tavily.com","mode":"allowlist","source":"proxy"}}
+{"ts":"2026-02-28T10:00:05Z","event":"tool_exec","correlation_id":"a1b2c3d4","fields":{"tool":"tavily_research","phase":"end"}}
+{"ts":"2026-02-28T10:00:06Z","event":"session_end","correlation_id":"a1b2c3d4","fields":{"state":"completed"}}
+```
+
+The `source` field distinguishes in-process enforcer events from subprocess proxy events.
diff --git a/docs/security/signing.md b/docs/security/build-signing.md
similarity index 88%
rename from docs/security/signing.md
rename to docs/security/build-signing.md
index 21d2ad7..8f6f9bf 100644
--- a/docs/security/signing.md
+++ b/docs/security/build-signing.md
@@ -1,6 +1,8 @@
-# Build Signing & Verification
-
-> Part of [Forge Documentation](../../README.md)
+---
+title: "Build Signing"
+description: "Ed25519 signing and verification of build artifacts."
+order: 5
+---
 
 Forge supports Ed25519 signing of build artifacts for supply chain integrity.
 
@@ -44,6 +46,3 @@ The build pipeline includes a `secret-safety` stage that:
 - Blocks production builds (`--prod`) that only use `encrypted-file` without `env` provider (containers can't use encrypted files at runtime)
 - Warns if `.dockerignore` is missing alongside a generated Dockerfile
 - Ensures secrets never leak into container images
-
----
-← [Secrets](secrets.md) | [Back to README](../../README.md) | [Guardrails](guardrails.md) →
diff --git a/docs/security/egress.md b/docs/security/egress-control.md
similarity index 99%
rename from docs/security/egress.md
rename to docs/security/egress-control.md
index 12cd742..afc58b5 100644
--- a/docs/security/egress.md
+++ b/docs/security/egress-control.md
@@ -1,4 +1,8 @@
-# Egress Security
+---
+title: "Egress Control"
+description: "Layered egress security controls for restricting outbound network access."
+order: 2
+---
 
 Forge provides layered egress security controls that restrict which external domains an agent can access — at both build time and runtime.
 
@@ -301,6 +305,3 @@ Events without `"source"` come from the in-process enforcer; events with `"sourc
 | `forge-cli/tools/exec.go` | `SkillCommandExecutor` — proxy env injection for skill scripts |
 | `forge-cli/tools/cli_execute.go` | `CLIExecuteTool` — proxy env injection for CLI binaries |
 | `forge-cli/runtime/runner.go` | Proxy lifecycle management in `Run()` |
-
----
-← [Security Overview](overview.md) | [Back to README](../../README.md) | [Secrets](secrets.md) →
diff --git a/docs/security/guardrails.md b/docs/security/guardrails.md
index 727a722..2ee8940 100644
--- a/docs/security/guardrails.md
+++ b/docs/security/guardrails.md
@@ -1,6 +1,8 @@
-# Content Guardrails
-
-> Part of [Forge Documentation](../../README.md)
+---
+title: "Content Guardrails"
+description: "Configurable content filtering, PII detection, and jailbreak protection."
+order: 7
+---
 
 The guardrail engine validates inbound and outbound messages against configurable policy rules using the `github.com/initializ/guardrails` library.
 
@@ -303,6 +305,3 @@ Guardrail evaluations are logged as structured audit events:
 In DB mode, the guardrails library writes audit records to MongoDB automatically when `EnableAudit` is set.
 
 See [Security Overview](overview.md) for the full security architecture.
-
----
-← [Build Signing](signing.md) | [Back to README](../../README.md) | [Scheduling](../scheduling.md) →
diff --git a/docs/security/overview.md b/docs/security/overview.md
index 6e6ac05..b8c1a15 100644
--- a/docs/security/overview.md
+++ b/docs/security/overview.md
@@ -1,4 +1,8 @@
-# Security
+---
+title: "Security Overview"
+description: "Forge's layered security architecture from network posture to guardrails."
+order: 1
+---
 
 Forge is designed with security as a foundational principle, not an afterthought. This document describes the complete security architecture — from network-level egress controls to encrypted secrets, build signing, execution sandboxing, and runtime guardrails.
 
@@ -271,6 +275,3 @@ Production builds enforce:
 | [Tools](../tools.md) | Tool system including `cli_execute` security layers |
 | [Skills](../skills.md) | Skill definitions and runtime execution |
 | [Commands](../commands.md) | CLI reference including security-related flags |
-
----
-← [Channels](../channels.md) | [Back to README](../../README.md) | [Egress Security](egress.md) →
diff --git a/docs/security/secrets.md b/docs/security/secret-management.md
similarity index 93%
rename from docs/security/secrets.md
rename to docs/security/secret-management.md
index 6f03b7f..96b5fcf 100644
--- a/docs/security/secrets.md
+++ b/docs/security/secret-management.md
@@ -1,6 +1,8 @@
-# Secrets Management
-
-> Part of [Forge Documentation](../../README.md)
+---
+title: "Secret Management"
+description: "AES-256-GCM encrypted secret storage with per-agent isolation."
+order: 4
+---
 
 Forge provides encrypted secret management with per-agent isolation and interactive passphrase prompting.
 
@@ -81,6 +83,3 @@ Secret files are automatically excluded from git (`.forge/` in `.gitignore`) and
 - `.forge/` directories are automatically added to `.gitignore`
 - `*.enc` files are excluded in `.dockerignore`
 - Secret files never appear in container images
-
----
-← [Egress Security](egress.md) | [Back to README](../../README.md) | [Build Signing](signing.md) →
diff --git a/docs/security/trust-model.md b/docs/security/trust-model.md
new file mode 100644
index 0000000..a8145fb
--- /dev/null
+++ b/docs/security/trust-model.md
@@ -0,0 +1,54 @@
+---
+title: "Trust Model"
+description: "How Forge evaluates trust for skills, tools, and external services."
+order: 3
+---
+
+## Trust Evaluation
+
+Forge evaluates trust at multiple levels — skills, build artifacts, and secrets — to ensure integrity from development through production.
+
+### Skill Trust Policy
+
+The default trust policy for skills:
+
+| Setting | Default | Description |
+|---------|---------|-------------|
+| `RequireChecksum` | `true` | Skills must have valid checksums |
+| `RequireSignature` | `false` | Signature verification is opt-in |
+
+Skills loaded without a signature emit a warning log at scan time. The skill scanner also validates symlinks — symlinks that resolve outside the project root directory are skipped with a warning.
+
+### Build Artifact Verification
+
+When a signing key exists, `forge build` automatically:
+
+1. Computes SHA-256 checksums of all generated artifacts
+2. Signs the checksums with Ed25519
+3. Writes `checksums.json` with checksums, signature, and key ID
+
+At runtime, `forge run` can verify artifacts against trusted keys in `~/.forge/trusted-keys/`.
+
+See [Build Signing](/docs/security/build-signing) for details on key management and verification.
+
+### Secret Reuse Detection
+
+At startup, the runtime detects when the same secret value is shared across different purpose categories. This prevents credential reuse mistakes that could escalate the impact of a single token compromise.
+
+| Category | Keys |
+|----------|------|
+| `llm` | OPENAI_API_KEY, ANTHROPIC_API_KEY, GEMINI_API_KEY |
+| `search` | TAVILY_API_KEY, PERPLEXITY_API_KEY |
+| `telegram` | TELEGRAM_BOT_TOKEN |
+| `slack` | SLACK_APP_TOKEN, SLACK_BOT_TOKEN |
+
+Same-category reuse (e.g., two LLM keys with the same value) is allowed. Cross-category reuse is blocked with an error.
+
+### Production Build Checks
+
+Production builds (`--prod`) enforce additional security requirements:
+
+- No `dev-open` egress mode
+- No dev-only tools (`local_shell`, `local_file_browser`)
+- Secret provider chain must include `env` (not just `encrypted-file`)
+- `.dockerignore` must exist if a Dockerfile is generated
diff --git a/docs/skills/contributing-a-skill.md b/docs/skills/contributing-a-skill.md
new file mode 100644
index 0000000..30dd883
--- /dev/null
+++ b/docs/skills/contributing-a-skill.md
@@ -0,0 +1,67 @@
+---
+title: "Contributing a Skill"
+description: "Contribute a skill to the Forge embedded skill registry."
+order: 4
+---
+
+## Contributing to the Skill Registry
+
+Forge ships with an embedded skill registry. You can contribute new skills by submitting a pull request to the [forge repository](https://github.com/initializ/forge).
+
+### Skill Structure
+
+Each skill lives in its own directory under `forge-skills/local/embedded/`:
+
+```
+forge-skills/local/embedded/
+  your-skill/
+    SKILL.md           # Required: skill definition
+    scripts/           # Optional: script-backed tools
+      your-tool.sh
+```
+
+### Requirements
+
+1. **Valid SKILL.md** — Must include all required frontmatter fields: `name`, `icon`, `category`, `tags`, `description`
+2. **Category and tags** — Must be lowercase kebab-case
+3. **Tool definitions** — Use `## Tool: tool_name` sections with Input/Output specifications
+4. **Binary dependencies** — Declare all required binaries in `metadata.forge.requires.bins`
+5. **Environment variables** — Declare required and optional env vars
+6. **Egress domains** — Declare all external domains the skill accesses
+
+### Validation
+
+Before submitting:
+
+```bash
+# Validate skill requirements
+forge skills validate
+
+# Run security audit
+forge skills audit --embedded
+
+# Test the skill
+forge run
+```
+
+### Signing
+
+Skills can be signed for integrity verification:
+
+```bash
+# Generate a signing key (if you don't have one)
+forge skills keygen
+
+# Sign the skill
+forge skills sign
+
+# Generate trust report
+forge skills trust-report
+```
+
+### Submission
+
+1. Fork the [forge repository](https://github.com/initializ/forge)
+2. Add your skill under `forge-skills/local/embedded/your-skill/`
+3. Run `forge skills validate` and `forge skills audit --embedded`
+4. Submit a pull request with a description of the skill's purpose and requirements
diff --git a/docs/skills.md b/docs/skills/embedded-skills.md
similarity index 52%
rename from docs/skills.md
rename to docs/skills/embedded-skills.md
index a39e26d..43772c1 100644
--- a/docs/skills.md
+++ b/docs/skills/embedded-skills.md
@@ -1,172 +1,8 @@
-# Skills
-
-> Part of [Forge Documentation](../README.md)
-
-Skills are a progressive disclosure mechanism for defining agent capabilities in a structured, human-readable format. They compile into container artifacts during `forge build`.
-
-## Overview
-
-Skills bridge the gap between high-level capability descriptions and the tool-calling system. Each skill lives in its own subdirectory under `skills/` with a `SKILL.md` file that defines what the agent can do. Forge compiles these into JSON artifacts and prompt text for the container.
-
-## SKILL.md Format
-
-Skills are defined in Markdown files inside `skills/<skill-name>/SKILL.md`. Each file supports optional YAML frontmatter and two body formats.
-
-```markdown
----
-name: weather
-icon: 🌤️
-category: utilities
-tags:
-  - weather
-  - forecast
-  - api
-description: Weather data skill
-metadata:
-  forge:
-    requires:
-      bins:
-        - curl
-      env:
-        required: []
-        one_of: []
-        optional: []
----
-## Tool: weather_current
-
-Get current weather for a location.
-
-**Input:** location (string) - City name or coordinates
-**Output:** Current temperature, conditions, humidity, and wind speed
-
-## Tool: weather_forecast
-
-Get weather forecast for a location.
-
-**Input:** location (string), days (integer: 1-7)
-**Output:** Daily forecast with high/low temperatures and conditions
-```
-
-Each `## Tool:` heading defines a tool the agent can call. The frontmatter declares binary dependencies and environment variable requirements. Skills compile into JSON artifacts and prompt text during `forge build`.
-
-### YAML Frontmatter
-
-Top-level fields:
-
-| Field | Required | Description |
-|-------|----------|-------------|
-| `name` | yes | Skill identifier (kebab-case) |
-| `icon` | yes | Emoji displayed in the TUI skill picker |
-| `category` | yes | Grouping for `forge skills list --category` (e.g., `sre`, `developer`, `research`, `utilities`) |
-| `tags` | yes | Discovery keywords for `forge skills list --tags` (kebab-case) |
-| `description` | yes | One-line summary |
-
-The `metadata.forge.requires` block declares runtime dependencies:
-
-- **`bins`** — Binary dependencies that must be in `$PATH` at runtime
-- **`env.required`** — Environment variables that must be set
-- **`env.one_of`** — At least one of these environment variables must be set
-- **`env.optional`** — Optional environment variables for extended functionality
-
-Frontmatter is parsed by `ParseWithMetadata()` in `forge-skills/parser/parser.go` and feeds into the compilation pipeline.
-
-### Legacy List Format
-
-```markdown
-# Agent Skills
-
-- translate
-- summarize
-- classify
-```
-
-Single-word list items (no spaces, max 64 characters) create name-only skill entries. This format is simpler but provides less metadata.
-
-## Skill Registry
-
-Forge ships with a built-in skill registry. Add skills to your project with a single command:
-
-```bash
-# Add a skill from the registry
-forge skills add tavily-research
-
-# Validate skill requirements
-forge skills validate
-
-# Audit skill security
-forge skills audit --embedded
-```
-
-`forge skills add` copies the skill's SKILL.md and any associated scripts into your project's `skills/` directory. It validates binary and environment requirements, checks for existing values in your environment, `.env` file, and encrypted secrets, and prompts only for truly missing values with a suggestion to use `forge secrets set` for sensitive keys. If the skill declares `egress_domains`, they are automatically merged into the `forge.yaml` `egress.allowed_domains` list (deduplicated and sorted).
-
-## Skills as First-Class Tools
-
-Script-backed skills are automatically registered as **first-class LLM tools** at runtime. When a skill has scripts in `skills/scripts/`, Forge:
-
-1. Parses the skill's SKILL.md for tool definitions, descriptions, and input schemas
-2. Creates a named tool for each `## Tool:` entry (e.g., `tavily_research` becomes a tool the LLM can call directly)
-3. Executes the skill's shell script with JSON input when the LLM invokes it
-
-This means the LLM sees skill tools alongside builtins like `web_search` and `http_request` — no generic `cli_execute` indirection needed.
-
-For skills **without** scripts (binary-backed skills like `k8s-incident-triage`), Forge injects the full skill instructions into the system prompt. The complete SKILL.md body — including triage steps, detection heuristics, output structure, and safety constraints — is included inline so the LLM follows the skill protocol without needing an extra tool call. Skills are invoked via `cli_execute` with the declared binary dependencies.
-
-```
-┌─────────────────────────────────────────────────┐
-│                LLM Tool Registry                │
-├─────────────────┬───────────────────────────────┤
-│  Builtins       │  web_search, http_request     │
-│  Skill Tools    │  tavily_research, codegen_*   │  ← auto-registered from scripts
-│  read_skill     │  load any SKILL.md on demand  │
-│  cli_execute    │  run approved binaries        │
-├─────────────────┴───────────────────────────────┤
-│  System Prompt: full skill instructions inline  │  ← binary-backed skills
-└─────────────────────────────────────────────────┘
-```
-
-## Skill Execution Security
-
-Skill scripts run in a restricted environment via `SkillCommandExecutor`:
-
-- **Isolated environment**: Only `PATH`, `HOME`, and explicitly declared env vars are passed through
-- **OAuth token resolution**: When `OPENAI_API_KEY` is set to `__oauth__`, the executor resolves OAuth credentials and injects the access token, `OPENAI_BASE_URL`, and the configured model as `REVIEW_MODEL`
-- **Configurable timeout**: Each skill declares a `timeout_hint` in its YAML frontmatter (e.g., 300s for research)
-- **No shell execution**: Scripts run via `bash <script> <json-input>`, not through a shell interpreter
-- **Egress proxy enforcement**: When egress mode is `allowlist` or `deny-all`, a local HTTP/HTTPS proxy is started and `HTTP_PROXY`/`HTTPS_PROXY` env vars are injected into subprocess environments, ensuring `curl`, `wget`, Python `requests`, and other HTTP clients route through the same domain allowlist used by in-process tools (see [Egress Security](security/egress.md))
-
-### Symlink Escape Detection
-
-The skill scanner validates symlinks when a filesystem root path is available. Symlinks that resolve outside the root directory are skipped with a warning log. This prevents malicious symlinks in skill directories from escaping the project boundary. The scanner exposes `ScanWithRoot(fsys, rootPath)` for callers that need symlink validation, while the original `Scan(fsys)` remains backward-compatible.
-
-### Trust Policy Defaults
-
-The default trust policy requires checksum verification (`RequireChecksum: true`). Skills loaded without a signature emit a warning log at scan time. Signature verification remains opt-in (`RequireSignature: false`).
-
-## Skill Categories & Tags
-
-All embedded skills must declare `category`, `tags`, and `icon` in their frontmatter. Categories and tags must be lowercase kebab-case.
-
-```markdown
 ---
-name: k8s-incident-triage
-icon: ☸️
-category: sre
-tags:
-  - kubernetes
-  - incident-response
-  - triage
+title: "Embedded Skills"
+description: "Built-in skills that ship with Forge: GitHub, Tavily, Kubernetes, codegen, and more."
+order: 1
 ---
-```
-
-Use categories and tags to filter skills:
-
-```bash
-# List skills by category
-forge skills list --category sre
-
-# Filter by tags (AND semantics — skill must have all listed tags)
-forge skills list --tags kubernetes,incident-response
-```
 
 ## Built-in Skills
 
@@ -425,102 +261,3 @@ This registers eight tools:
 The skill uses **denied tools** (`file_write`, `file_edit`, `file_patch`, `file_read`, `schedule_*`) to ensure the LLM uses the skill's own tool wrappers instead of raw builtins. All file operations are confined to the agent's working directory via `PathValidator`.
 
 Requires: `bash`, `jq`. Egress: `registry.npmjs.org`, `cdn.tailwindcss.com`, `pypi.org`, `files.pythonhosted.org`, `proxy.golang.org`, `sum.golang.org`, `storage.googleapis.com`, `repo.maven.apache.org`, `repo1.maven.org`.
-
-## Skill Guardrails
-
-Skills can declare domain-specific guardrails in their `SKILL.md` frontmatter to enforce security policies at runtime. These guardrails operate at four interception points in the agent loop, preventing unauthorized commands, data exfiltration, capability enumeration, and binary name disclosure.
-
-### Configuration
-
-Add a `guardrails` block under `metadata.forge` in `SKILL.md`:
-
-```yaml
-metadata:
-  forge:
-    guardrails:
-      deny_commands:
-        - pattern: '\bget\s+secrets?\b'
-          message: "Listing Kubernetes secrets is not permitted"
-      deny_output:
-        - pattern: 'kind:\s*Secret'
-          action: block
-        - pattern: 'token:\s*[A-Za-z0-9+/=]{40,}'
-          action: redact
-      deny_prompts:
-        - pattern: '\b(approved|allowed|available)\b.{0,40}\b(tools?|binaries)\b'
-          message: "I help with K8s cost analysis. Ask about cluster costs."
-      deny_responses:
-        - pattern: '\b(kubectl|jq|awk|bc|curl)\b.*\b(kubectl|jq|awk|bc|curl)\b.*\b(kubectl|jq|awk|bc|curl)\b'
-          message: "I can analyze cluster costs. What would you like to know?"
-```
-
-### Guardrail Types
-
-| Type | Direction | Purpose |
-|------|-----------|---------|
-| `deny_commands` | Input | Block `cli_execute` commands matching patterns (e.g., `kubectl get secrets`) |
-| `deny_output` | Output | Block or redact tool output matching patterns (e.g., Secret manifests, tokens) |
-| `deny_prompts` | Input | Block user messages probing agent capabilities (e.g., "what tools can you run") |
-| `deny_responses` | Output | Replace LLM responses that enumerate internal binary names |
-
-### Capability Enumeration Prevention
-
-The `deny_prompts` and `deny_responses` guardrails form a layered defense against capability enumeration attacks:
-
-1. **Input-side** (`deny_prompts`) — Intercepts user messages that probe for available tools, binaries, or commands and redirects to the skill's functional description
-2. **Output-side** (`deny_responses`) — Catches LLM responses that list 3+ binary names and replaces the entire response with a functional capability description
-
-Additionally, skill `Description()` methods and system prompt catalog entries use generic descriptions instead of listing binary names.
-
-For full details on guardrail types, pattern syntax, and runtime behavior, see [Content Guardrails — Skill Guardrails](security/guardrails.md#skill-guardrails).
-
-## Skill Instructions in System Prompt
-
-Forge injects the **full body** of each skill's SKILL.md into the LLM system prompt. This means all detailed operational instructions — triage steps, detection heuristics, output structure, safety constraints — are directly available in the LLM's context without requiring an extra `read_skill` tool call.
-
-For skills with extensive instructions (like `k8s-incident-triage` with ~150 lines of triage procedures), this ensures the LLM follows the complete skill protocol from the first interaction.
-
-## Compilation Pipeline
-
-The skill compilation pipeline has three stages:
-
-1. **Parse** — Reads `SKILL.md` and extracts `SkillEntry` values with name, description, input spec, and output spec. When YAML frontmatter is present, `ParseWithMetadata()` additionally extracts `SkillMetadata` and `SkillRequirements` (binary deps, env vars).
-
-2. **Compile** — Converts entries into `CompiledSkills` with:
-   - A JSON-serializable skill list
-   - A human-readable prompt catalog
-   - Version identifier (`agentskills-v1`)
-
-3. **Write Artifacts** — Outputs to the build directory:
-   - `compiled/skills/skills.json` — Machine-readable skill definitions
-   - `compiled/prompt.txt` — LLM-readable skill catalog
-
-## Build Stage Integration
-
-The `SkillsStage` runs as part of the build pipeline:
-
-1. Scans the `skills/` subdirectory for `SKILL.md` files in each subdirectory
-2. Parses, compiles, and writes artifacts
-3. Updates the `AgentSpec` with `skills_spec_version` and `forge_skills_ext_version`
-4. Records generated files in the build manifest
-
-## CLI Workflow
-
-```bash
-# Initialize a project with skills support
-forge init my-agent --from-skills
-
-# Build compiles skills automatically
-forge build
-```
-
-## Skill Builder (Web UI)
-
-The [Web Dashboard](dashboard.md#skill-builder) includes an AI-powered Skill Builder that generates valid SKILL.md files and helper scripts through a conversational interface. It uses the agent's own LLM provider and includes server-side validation before saving to the agent's `skills/` directory. On save, the builder automatically parses the skill's requirements and:
-
-- **Merges egress domains** into `forge.yaml` `egress.allowed_domains` (deduplicated)
-- **Writes user-provided env vars** to `.env` (skipping keys already present)
-- **Reports missing env vars** so the user can provide values and re-save
-
----
-← [Architecture](architecture.md) | [Back to README](../README.md) | [Tools](tools.md) →
diff --git a/docs/skills/skills-cli.md b/docs/skills/skills-cli.md
new file mode 100644
index 0000000..34c291d
--- /dev/null
+++ b/docs/skills/skills-cli.md
@@ -0,0 +1,23 @@
+---
+title: "Skills CLI"
+description: "CLI commands for managing, validating, and auditing skills."
+order: 3
+---
+
+## CLI Workflow
+
+```bash
+# Initialize a project with skills support
+forge init my-agent --from-skills
+
+# Build compiles skills automatically
+forge build
+```
+
+## Skill Builder (Web UI)
+
+The [Web Dashboard](dashboard.md#skill-builder) includes an AI-powered Skill Builder that generates valid SKILL.md files and helper scripts through a conversational interface. It uses the agent's own LLM provider and includes server-side validation before saving to the agent's `skills/` directory. On save, the builder automatically parses the skill's requirements and:
+
+- **Merges egress domains** into `forge.yaml` `egress.allowed_domains` (deduplicated)
+- **Writes user-provided env vars** to `.env` (skipping keys already present)
+- **Reports missing env vars** so the user can provide values and re-save
diff --git a/docs/skills/writing-custom-skills.md b/docs/skills/writing-custom-skills.md
new file mode 100644
index 0000000..337728c
--- /dev/null
+++ b/docs/skills/writing-custom-skills.md
@@ -0,0 +1,143 @@
+---
+title: "Writing Custom Skills"
+description: "Create script-backed skills with tools, guardrails, and the compilation pipeline."
+order: 2
+---
+
+## Skill Registry
+
+Forge ships with a built-in skill registry. Add skills to your project with a single command:
+
+```bash
+# Add a skill from the registry
+forge skills add tavily-research
+
+# Validate skill requirements
+forge skills validate
+
+# Audit skill security
+forge skills audit --embedded
+```
+
+`forge skills add` copies the skill's SKILL.md and any associated scripts into your project's `skills/` directory. It validates binary and environment requirements, checks for existing values in your environment, `.env` file, and encrypted secrets, and prompts only for truly missing values with a suggestion to use `forge secrets set` for sensitive keys. If the skill declares `egress_domains`, they are automatically merged into the `forge.yaml` `egress.allowed_domains` list (deduplicated and sorted).
+
+## Skills as First-Class Tools
+
+Script-backed skills are automatically registered as **first-class LLM tools** at runtime. When a skill has scripts in `skills/scripts/`, Forge:
+
+1. Parses the skill's SKILL.md for tool definitions, descriptions, and input schemas
+2. Creates a named tool for each `## Tool:` entry (e.g., `tavily_research` becomes a tool the LLM can call directly)
+3. Executes the skill's shell script with JSON input when the LLM invokes it
+
+This means the LLM sees skill tools alongside builtins like `web_search` and `http_request` — no generic `cli_execute` indirection needed.
+
+For skills **without** scripts (binary-backed skills like `k8s-incident-triage`), Forge injects the full skill instructions into the system prompt. The complete SKILL.md body — including triage steps, detection heuristics, output structure, and safety constraints — is included inline so the LLM follows the skill protocol without needing an extra tool call. Skills are invoked via `cli_execute` with the declared binary dependencies.
+
+```
+┌─────────────────────────────────────────────────┐
+│                LLM Tool Registry                │
+├─────────────────┬───────────────────────────────┤
+│  Builtins       │  web_search, http_request     │
+│  Skill Tools    │  tavily_research, codegen_*   │  ← auto-registered from scripts
+│  read_skill     │  load any SKILL.md on demand  │
+│  cli_execute    │  run approved binaries        │
+├─────────────────┴───────────────────────────────┤
+│  System Prompt: full skill instructions inline  │  ← binary-backed skills
+└─────────────────────────────────────────────────┘
+```
+
+## Skill Execution Security
+
+Skill scripts run in a restricted environment via `SkillCommandExecutor`:
+
+- **Isolated environment**: Only `PATH`, `HOME`, and explicitly declared env vars are passed through
+- **OAuth token resolution**: When `OPENAI_API_KEY` is set to `__oauth__`, the executor resolves OAuth credentials and injects the access token, `OPENAI_BASE_URL`, and the configured model as `REVIEW_MODEL`
+- **Configurable timeout**: Each skill declares a `timeout_hint` in its YAML frontmatter (e.g., 300s for research)
+- **No shell execution**: Scripts run via `bash <script> <json-input>`, not through a shell interpreter
+- **Egress proxy enforcement**: When egress mode is `allowlist` or `deny-all`, a local HTTP/HTTPS proxy is started and `HTTP_PROXY`/`HTTPS_PROXY` env vars are injected into subprocess environments, ensuring `curl`, `wget`, Python `requests`, and other HTTP clients route through the same domain allowlist used by in-process tools (see [Egress Security](security/egress.md))
+
+### Symlink Escape Detection
+
+The skill scanner validates symlinks when a filesystem root path is available. Symlinks that resolve outside the root directory are skipped with a warning log. This prevents malicious symlinks in skill directories from escaping the project boundary. The scanner exposes `ScanWithRoot(fsys, rootPath)` for callers that need symlink validation, while the original `Scan(fsys)` remains backward-compatible.
+
+### Trust Policy Defaults
+
+The default trust policy requires checksum verification (`RequireChecksum: true`). Skills loaded without a signature emit a warning log at scan time. Signature verification remains opt-in (`RequireSignature: false`).
+
+## Skill Guardrails
+
+Skills can declare domain-specific guardrails in their `SKILL.md` frontmatter to enforce security policies at runtime. These guardrails operate at four interception points in the agent loop, preventing unauthorized commands, data exfiltration, capability enumeration, and binary name disclosure.
+
+### Configuration
+
+Add a `guardrails` block under `metadata.forge` in `SKILL.md`:
+
+```yaml
+metadata:
+  forge:
+    guardrails:
+      deny_commands:
+        - pattern: '\bget\s+secrets?\b'
+          message: "Listing Kubernetes secrets is not permitted"
+      deny_output:
+        - pattern: 'kind:\s*Secret'
+          action: block
+        - pattern: 'token:\s*[A-Za-z0-9+/=]{40,}'
+          action: redact
+      deny_prompts:
+        - pattern: '\b(approved|allowed|available)\b.{0,40}\b(tools?|binaries)\b'
+          message: "I help with K8s cost analysis. Ask about cluster costs."
+      deny_responses:
+        - pattern: '\b(kubectl|jq|awk|bc|curl)\b.*\b(kubectl|jq|awk|bc|curl)\b.*\b(kubectl|jq|awk|bc|curl)\b'
+          message: "I can analyze cluster costs. What would you like to know?"
+```
+
+### Guardrail Types
+
+| Type | Direction | Purpose |
+|------|-----------|---------|
+| `deny_commands` | Input | Block `cli_execute` commands matching patterns (e.g., `kubectl get secrets`) |
+| `deny_output` | Output | Block or redact tool output matching patterns (e.g., Secret manifests, tokens) |
+| `deny_prompts` | Input | Block user messages probing agent capabilities (e.g., "what tools can you run") |
+| `deny_responses` | Output | Replace LLM responses that enumerate internal binary names |
+
+### Capability Enumeration Prevention
+
+The `deny_prompts` and `deny_responses` guardrails form a layered defense against capability enumeration attacks:
+
+1. **Input-side** (`deny_prompts`) — Intercepts user messages that probe for available tools, binaries, or commands and redirects to the skill's functional description
+2. **Output-side** (`deny_responses`) — Catches LLM responses that list 3+ binary names and replaces the entire response with a functional capability description
+
+Additionally, skill `Description()` methods and system prompt catalog entries use generic descriptions instead of listing binary names.
+
+For full details on guardrail types, pattern syntax, and runtime behavior, see [Content Guardrails — Skill Guardrails](security/guardrails.md#skill-guardrails).
+
+## Skill Instructions in System Prompt
+
+Forge injects the **full body** of each skill's SKILL.md into the LLM system prompt. This means all detailed operational instructions — triage steps, detection heuristics, output structure, safety constraints — are directly available in the LLM's context without requiring an extra `read_skill` tool call.
+
+For skills with extensive instructions (like `k8s-incident-triage` with ~150 lines of triage procedures), this ensures the LLM follows the complete skill protocol from the first interaction.
+
+## Compilation Pipeline
+
+The skill compilation pipeline has three stages:
+
+1. **Parse** — Reads `SKILL.md` and extracts `SkillEntry` values with name, description, input spec, and output spec. When YAML frontmatter is present, `ParseWithMetadata()` additionally extracts `SkillMetadata` and `SkillRequirements` (binary deps, env vars).
+
+2. **Compile** — Converts entries into `CompiledSkills` with:
+   - A JSON-serializable skill list
+   - A human-readable prompt catalog
+   - Version identifier (`agentskills-v1`)
+
+3. **Write Artifacts** — Outputs to the build directory:
+   - `compiled/skills/skills.json` — Machine-readable skill definitions
+   - `compiled/prompt.txt` — LLM-readable skill catalog
+
+## Build Stage Integration
+
+The `SkillsStage` runs as part of the build pipeline:
+
+1. Scans the `skills/` subdirectory for `SKILL.md` files in each subdirectory
+2. Parses, compiles, and writes artifacts
+3. Updates the `AgentSpec` with `skills_spec_version` and `forge_skills_ext_version`
+4. Records generated files in the build manifest