---
name: missive
description: 'Use for API testing/exercising tasks — Postman-style collections as *.api.md Markdown (Request/Checks/Mock/Notebook) + a local secret vault + a deterministic auth-runner. Triggers: "Missive", "api collection", "fire this endpoint", "*.api.md" files present, "postman alternative", OAuth2/HMAC/SigV4/mTLS request signing.'
---

# Missive — router

**This skill is a router, not the rules.** The canonical instruction is **`MISSIVE.md`** in the
project root — read it and follow it exactly. It is the single source of truth. Do not embed the
contract in this skill, and do not improvise the discipline from training data.

1. **Read `MISSIVE.md`** in the project and follow it. Author new collections by copying
   `MISSIVE-TEMPLATE.md`; pull shape × auth recipes from `MISSIVE-PATTERNS.md`.
2. **If `MISSIVE.md` is missing**, fetch the canon, then continue:
   ```sh
   curl -fsSL https://missive.daystra.com/install.sh | sh
   ```
   (Docs only: `curl -fsSL https://missive.daystra.com/MISSIVE.md -o MISSIVE.md`)

## Tripwire (enforce even if `MISSIVE.md` is unavailable)
- **The vault law:** the Markdown holds `{{vault:NAME}}` references, NEVER secret values. Fire via
  `scripts/vault.sh exec NAME -- <cmd>` (inject-and-fire) or `scripts/missive-run.sh`. Never run a
  bare `vault.sh get` whose output lands in a transcript; never suggest storing a secret through a
  command line that is recorded (agent `!` prefixes, chat) — the user's own terminal only.
- Advanced auth (OAuth2 `**Capture**`, `**Sign**` HMAC/SigV4, mTLS `tls:`) is **runner-only**:
  `scripts/missive-run.sh <file> "<endpoint>" --env <env>` — never hand-compute signatures.
- References never appear in `Checks`/`Mock`/`Notebook`. Checks assert literals.
- The `**Notebook**` is append-only: `- <emoji> <bucket> <ISO-8601 UTC> — <text>`; never edit or
  delete prior entries; never back-date.
