openclacky 0.9.34 → 0.9.35

data/lib/clacky/server/http_server.rb

@@ -7,7 +7,6 @@ require "thread"
 require "fileutils"
 require "tmpdir"
 require "uri"
-require "open3"
 require "securerandom"
 require "timeout"
 require_relative "session_registry"
@@ -169,7 +168,8 @@ module Clacky
         @version_mutex   = Mutex.new
         @scheduler       = Scheduler.new(
           session_registry: @registry,
-          session_builder:  method(:build_session)
+          session_builder:  method(:build_session),
+          task_runner:      method(:run_agent_task)
         )
         @channel_manager = Clacky::Channel::ChannelManager.new(
           session_registry:  @registry,
@@ -180,6 +180,18 @@ module Clacky
         )
         @browser_manager = Clacky::BrowserManager.instance
         @skill_loader    = Clacky::SkillLoader.new(working_dir: nil, brand_config: Clacky::BrandConfig.load)
+        # Access key authentication:
+        # - localhost (127.0.0.1 / ::1) is always trusted; auth is skipped entirely.
+        # - Any other bind address requires CLACKY_ACCESS_KEY env var.
+        @localhost_only      = local_host?(@host)
+        @access_key          = @localhost_only ? nil : resolve_access_key
+        @auth_failures       = {}
+        @auth_failures_mutex = Mutex.new
+        if @localhost_only
+          Clacky::Logger.info("[HttpServer] Localhost mode — authentication disabled")
+        else
+          Clacky::Logger.info("[HttpServer] Public mode — access key authentication ENABLED")
+        end
       end
 
       def start
@@ -318,7 +330,8 @@ module Clacky
         path   = req.path
         method = req.request_method
 
-
+        # Access key guard (skip for WebSocket upgrades)
+        return unless check_access_key(req, res)
 
         # WebSocket upgrade — no timeout applied (long-lived connection)
         if websocket_upgrade?(req)
@@ -382,6 +395,7 @@ module Clacky
         when ["GET",    "/api/channels"]          then api_list_channels(res)
         when ["POST",   "/api/tool/browser"]      then api_tool_browser(req, res)
         when ["POST",   "/api/upload"]            then api_upload_file(req, res)
+        when ["POST",   "/api/open-file"]         then api_open_file(req, res)
         when ["GET",    "/api/version"]           then api_get_version(res)
         when ["POST",   "/api/version/upgrade"]   then api_upgrade_version(req, res)
         when ["POST",   "/api/restart"]           then api_restart(req, res)
@@ -400,6 +414,9 @@ module Clacky
           elsif method == "GET" && path.match?(%r{^/api/sessions/[^/]+/skills$})
             session_id = path.sub("/api/sessions/", "").sub("/skills", "")
             api_session_skills(session_id, res)
+          elsif method == "GET" && path.match?(%r{^/api/sessions/[^/]+/export$})
+            session_id = path.sub("/api/sessions/", "").sub("/export", "")
+            api_export_session(session_id, res)
           elsif method == "GET" && path.match?(%r{^/api/sessions/[^/]+/messages$})
             session_id = path.sub("/api/sessions/", "").sub("/messages", "")
             api_session_messages(session_id, req, res)
@@ -758,9 +775,12 @@ module Clacky
             }
           end
           json_response(res, 200, {
-            ok:      true,
-            skills:  local_skills,
-            warning: "Could not reach the license server. Showing locally installed skills only."
+            ok:           true,
+            skills:       local_skills,
+            # warning_code lets the frontend render a localized message.
+            # `warning` is kept for back-compat and as an English fallback.
+            warning_code: "remote_unavailable",
+            warning:      "Could not reach the license server. Showing locally installed skills only."
           })
         end
       end
@@ -855,17 +875,112 @@ module Clacky
         end
       end
 
+      # Returns true when the bind host is loopback-only.
+      private def local_host?(host)
+        ["127.0.0.1", "::1", "localhost"].include?(host.to_s.strip)
+      end
+
+      # Resolve access key from CLACKY_ACCESS_KEY env var only.
+      private def resolve_access_key
+        key = ENV.fetch("CLACKY_ACCESS_KEY", "").strip
+        key.empty? ? nil : key
+      end
+
+      # Extract bearer token / query param / cookie from a WEBrick request.
+      # Priority: Authorization: Bearer > ?access_key= > Cookie clacky_access_key
+      private def extract_key(req)
+        auth = req["Authorization"].to_s.strip
+        if auth.start_with?("Bearer ")
+          token = auth.sub(/\ABearer\s+/i, "").strip
+          return token unless token.empty?
+        end
+
+        query = URI.decode_www_form(req.query_string.to_s).to_h
+        token = query["access_key"].to_s.strip
+        return token unless token.empty?
+
+        req.cookies.each do |c|
+          return c.value if c.name == "clacky_access_key" && !c.value.to_s.empty?
+        end
+
+        nil
+      end
+
+      # Constant-time string comparison to prevent timing attacks.
+      private def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
+
+        result = 0
+        a.unpack("C*").zip(b.unpack("C*")) { |x, y| result |= x ^ y }
+        result.zero?
+      end
+
+      # Returns true if the request is authenticated or auth is disabled.
+      # Writes 401/429 to res and returns false on failure.
+      private def check_access_key(req, res)
+        # Localhost binding — always trusted, no auth needed.
+        return true if @localhost_only
+        return true unless @access_key   # public but no key configured (cli already blocked this)
+
+        ip        = req.peeraddr.last rescue "unknown"
+        candidate = extract_key(req)
+
+        # Lazily evict expired lockout entries to prevent unbounded memory growth.
+        @auth_failures_mutex.synchronize do
+          @auth_failures.delete_if { |_, e| Time.now >= e[:reset_at] }
+        end
+
+        # No key provided — reject immediately without counting as a failure.
+        if candidate.nil? || candidate.empty?
+          json_response(res, 401, {
+            error: "Unauthorized: access key required",
+            hint:  "Pass key via 'Authorization: Bearer <key>' header or '?access_key=<key>'"
+          })
+          return false
+        end
+
+        # Check if IP is currently locked out.
+        blocked, wait_secs = @auth_failures_mutex.synchronize do
+          entry = @auth_failures[ip]
+          if entry && entry[:count] >= 10 && Time.now < entry[:reset_at]
+            [true, (entry[:reset_at] - Time.now).ceil]
+          else
+            [false, 0]
+          end
+        end
+
+        if blocked
+          json_response(res, 429, { error: "Too many failed attempts", retry_after: wait_secs })
+          return false
+        end
+
+        if secure_compare(@access_key, candidate)
+          @auth_failures_mutex.synchronize { @auth_failures.delete(ip) }
+          return true
+        end
+
+        @auth_failures_mutex.synchronize do
+          entry = @auth_failures[ip] ||= { count: 0, reset_at: Time.now + 300 }
+          entry[:count] += 1
+          Clacky::Logger.warn("[Auth] Failed attempt #{entry[:count]}/10 from #{ip}")
+        end
+
+        json_response(res, 401, {
+          error: "Unauthorized: invalid access key",
+          hint:  "Pass key via 'Authorization: Bearer <key>' header or '?access_key=<key>'"
+        })
+        false
+      end
+
       # Returns true when the configured gem source is the official RubyGems.org.
       # Raises on error — caller's rescue will handle it.
       private def official_gem_source?
-        shell  = Clacky::Tools::Shell.new
-        result = shell.execute(command: "gem sources -l", soft_timeout: 10, hard_timeout: 15)
-        raise "gem sources -l failed (exit #{result[:exit_code]}): #{result[:stderr]}" unless result[:exit_code] == 0
+        output, exit_code = run_shell("gem sources -l")
+        raise "gem sources -l failed (exit #{exit_code}): #{output}" unless exit_code&.zero?
 
-        sources = result[:stdout].to_s
-        Clacky::Logger.info("[Upgrade] gem sources: #{sources.strip}")
-        sources.include?("https://rubygems.org") &&
-          !sources.match?(%r{mirrors\.|aliyun|tuna|ustc|ruby-china})
+        Clacky::Logger.info("[Upgrade] gem sources: #{output.strip}")
+        output.include?("https://rubygems.org") &&
+          !output.match?(%r{mirrors\.|aliyun|tuna|ustc|ruby-china})
       end
 
       # Upgrade via `gem update openclacky --no-document` (official RubyGems source).
@@ -874,15 +989,12 @@ module Clacky
         Clacky::Logger.info("[Upgrade] Official source — running: #{cmd}")
         broadcast_all(type: "upgrade_log", line: "Starting upgrade: #{cmd}\n")
 
-        shell  = Clacky::Tools::Shell.new
-        result = shell.execute(command: cmd, soft_timeout: 30, hard_timeout: 300)
+        output, exit_code = run_shell(cmd, timeout: 600)
 
-        Clacky::Logger.info("[Upgrade] exit_code=#{result[:exit_code]}")
-        Clacky::Logger.info("[Upgrade] stdout=#{result[:stdout].to_s.slice(0, 500)}")
-        Clacky::Logger.info("[Upgrade] stderr=#{result[:stderr].to_s.slice(0, 500)}")
+        Clacky::Logger.info("[Upgrade] exit_code=#{exit_code}")
+        Clacky::Logger.info("[Upgrade] output=#{output.slice(0, 1000)}")
 
-        output  = [result[:stdout], result[:stderr]].join
-        success = result[:exit_code] == 0
+        success = exit_code&.zero? || false
 
         broadcast_all(type: "upgrade_log", line: output)
         finish_upgrade(success, fallback_hint: "gem update openclacky")
@@ -922,11 +1034,10 @@ module Clacky
         broadcast_all(type: "upgrade_log", line: "Downloading openclacky-#{latest_version}.gem from OSS...\n")
         Clacky::Logger.info("[Upgrade] Downloading #{gem_url}")
 
-        shell = Clacky::Tools::Shell.new
-        dl    = shell.execute(command: "curl -fsSL '#{gem_url}' -o '#{gem_file}'",
-                              soft_timeout: 60, hard_timeout: 120)
-        unless dl[:exit_code] == 0
-          broadcast_all(type: "upgrade_log", line: "✗ Download failed: #{dl[:stderr]}\n")
+        shell_cmd = "curl -fsSL '#{gem_url}' -o '#{gem_file}'"
+        dl_out, dl_exit = run_shell(shell_cmd, timeout: 300)
+        unless dl_exit&.zero?
+          broadcast_all(type: "upgrade_log", line: "✗ Download failed: #{dl_out}\n")
           broadcast_all(type: "upgrade_complete", success: false)
           return
         end
@@ -936,9 +1047,8 @@ module Clacky
         broadcast_all(type: "upgrade_log", line: "Installing...\n")
         Clacky::Logger.info("[Upgrade] Running: #{cmd}")
 
-        result  = shell.execute(command: cmd, soft_timeout: 30, hard_timeout: 300)
-        output  = [result[:stdout], result[:stderr]].join
-        success = result[:exit_code] == 0
+        output, exit_code = run_shell(cmd, timeout: 600)
+        success = exit_code&.zero? || false
 
         broadcast_all(type: "upgrade_log", line: output)
         finish_upgrade(success, fallback_hint: "gem install #{gem_url}")
@@ -1017,7 +1127,7 @@ module Clacky
       end
 
       # Fetch the latest gem version using `gem list -r`, with a 1-hour in-memory cache.
-      # Uses Clacky::Tools::Shell (login shell) so rbenv/mise shims and gem mirrors work correctly.
+      # Uses Terminal (PTY + login shell) so rbenv/mise shims and gem mirrors work correctly.
       private def fetch_latest_version_cached
         @version_mutex.synchronize do
           now = Time.now
@@ -1039,6 +1149,7 @@ module Clacky
       # Query the latest openclacky version.
       # Strategy: try RubyGems official REST API first (most accurate, not affected by mirror lag),
       # then fall back to `gem list -r` (respects user's configured gem source).
+      # Uses Terminal (PTY + login shell) so rbenv/mise shims and gem mirrors work correctly.
       private def fetch_latest_version_from_gem
         fetch_latest_version_from_rubygems_api || fetch_latest_version_from_gem_command
       end
@@ -1068,11 +1179,9 @@ module Clacky
       # Respects the user's configured gem source (rbenv/mise mirrors, etc.).
       # Output format: "openclacky (0.9.0)"
       private def fetch_latest_version_from_gem_command
-        shell  = Clacky::Tools::Shell.new
-        result = shell.execute(command: "gem list -r openclacky", soft_timeout: 15, hard_timeout: 30)
-        return nil unless result[:exit_code] == 0
+        out, exit_code = run_shell("gem list -r openclacky", timeout: 30)
+        return nil unless exit_code&.zero?
 
-        out   = result[:stdout].to_s
         match = out.match(/^openclacky\s+\(([^)]+)\)/)
         match ? match[1].strip : nil
       rescue StandardError
@@ -1086,6 +1195,23 @@ module Clacky
         false
       end
 
+      # Run a shell command via the unified Terminal tool and return
+      # [output, exit_code] — drop-in replacement for Open3.capture2e.
+      #
+      # Uses Terminal#execute so the command inherits the user's real
+      # login shell (rbenv/mise shims, configured gem mirrors, etc.).
+      # On timeout / still-running, returns [output_so_far, nil].
+      #
+      # The command is routed through the Security layer like any other
+      # Terminal call; server-side commands (`gem ...`, `curl -fsSL ... -o ...`)
+      # pass through unchanged.
+      private def run_shell(command, timeout: 120)
+        result = Clacky::Tools::Terminal.new.execute(command: command, timeout: timeout)
+        output    = result[:output].to_s
+        exit_code = result[:exit_code] # nil when the session is still running
+        [output, exit_code]
+      end
+
       # ── Channel API ───────────────────────────────────────────────────────────
 
       # GET /api/channels
@@ -1151,6 +1277,27 @@ module Clacky
         json_response(res, 500, { ok: false, error: e.message })
       end
 
+      # POST /api/open-file
+      # Opens a local file or directory using the OS default handler.
+      # Used by the Web UI to handle file:// links — browsers block direct
+      # file:// navigation from http:// pages for security reasons.
+      def api_open_file(req, res)
+        path = parse_json_body(req)["path"]
+        return json_response(res, 400, { error: "path is required" }) unless path && !path.empty?
+
+        # On WSL the file may be specified as a Windows path (e.g. "C:/Users/…").
+        # Convert it to the Linux-side path so File.exist? works.
+        linux_path = Utils::EnvironmentDetector.win_to_linux_path(path)
+
+        return json_response(res, 404, { error: "file not found" }) unless File.exist?(linux_path)
+
+        result = Utils::EnvironmentDetector.open_file(linux_path)
+        return json_response(res, 501, { error: "unsupported OS" }) if result.nil?
+        json_response(res, 200, { ok: true })
+      rescue => e
+        json_response(res, 500, { ok: false, error: e.message })
+      end
+
       # POST /api/channels/:platform
       # Body: { fields... }  (platform-specific credential fields)
       # Saves credentials and optionally (re)starts the adapter.
@@ -1689,6 +1836,8 @@ module Clacky
             type:             m["type"]
           }
         end
+        # Filter out auto-injected models (like lite) from UI display
+        models.reject! { |m| @agent_config.models[m[:index]]["auto_injected"] }
         json_response(res, 200, { models: models, current_index: @agent_config.current_model_index })
       end
 
@@ -1831,15 +1980,13 @@ module Clacky
           agent.rename(new_name)
         end
         
-        # Save session data
-        session_data = agent.to_session_data
-        
-        # Update pinned field if provided (not stored in agent, only in session file)
+        # Update pinned status if provided
         if !pinned.nil?
-          session_data[:pinned] = pinned
+          agent.pinned = pinned
         end
         
-        @session_manager.save(session_data)
+        # Save session data
+        @session_manager.save(agent.to_session_data)
         
         # Broadcast update event
         update_data = { type: "session_updated", session_id: session_id }
@@ -1936,6 +2083,47 @@ module Clacky
         end
       end
 
+      # Export a session bundle as a .zip download containing:
+      #   - session.json          (always)
+      #   - chunk-*.md            (0..N archived conversation chunks)
+      # Useful for debugging — user clicks "download" in the WebUI status bar
+      # and we can ask them to attach the zip to a bug report.
+      def api_export_session(session_id, res)
+        bundle = @session_manager.files_for(session_id)
+        unless bundle
+          return json_response(res, 404, { error: "Session not found" })
+        end
+
+        require "zip"
+
+        short_id = bundle[:session][:session_id].to_s[0..7]
+        # Build the zip entirely in memory — session files are small (< few MB).
+        buffer = Zip::OutputStream.write_buffer do |zos|
+          zos.put_next_entry("session.json")
+          zos.write(File.binread(bundle[:json_path]))
+
+          bundle[:chunks].each do |chunk_path|
+            # Preserve original chunk filename so the ordering (chunk-1.md, chunk-2.md, ...) is clear.
+            zos.put_next_entry(File.basename(chunk_path))
+            zos.write(File.binread(chunk_path))
+          end
+        end
+        buffer.rewind
+        data = buffer.read
+
+        filename = "clacky-session-#{short_id}.zip"
+        res.status = 200
+        res.content_type = "application/zip"
+        res["Content-Disposition"] = %(attachment; filename="#{filename}")
+        res["Access-Control-Allow-Origin"] = "*"
+        # Force a fresh copy each time — debugging sessions get new chunks over time.
+        res["Cache-Control"] = "no-store"
+        res.body = data
+      rescue => e
+        Clacky::Logger.error("Session export failed: #{e.message}") if defined?(Clacky::Logger)
+        json_response(res, 500, { error: "Export failed: #{e.message}" })
+      end
+
       # ── WebSocket ─────────────────────────────────────────────────────────────
 
       def websocket_upgrade?(req)
@@ -2088,7 +2276,14 @@ module Clacky
         return unless @registry.exist?(session_id)
 
         session = @registry.get(session_id)
-        return if session[:status] == :running
+        
+        # If session is running, interrupt it first (mimics CLI behavior)
+        if session[:status] == :running
+          interrupt_session(session_id)
+          # Wait briefly for the thread to catch the interrupt and update status
+          # This ensures the agent loop exits cleanly before starting the new task
+          sleep 0.1
+        end
 
         agent = nil
         @registry.with_session(session_id) { |s| agent = s[:agent] }

data/lib/clacky/server/scheduler.rb

@@ -23,9 +23,13 @@ module Clacky
       SCHEDULES_FILE = File.expand_path("~/.clacky/schedules.yml")
       TASKS_DIR      = File.expand_path("~/.clacky/tasks")
 
-      def initialize(session_registry:, session_builder:)
+      def initialize(session_registry:, session_builder:, task_runner:)
         @registry        = session_registry
         @session_builder = session_builder  # callable: (name:, working_dir:) -> session_id
+        # Callable that runs a task on an agent with unified status/save/broadcast
+        # handling — signature: (session_id, agent, &block). Same contract as
+        # the one ChannelManager receives.
+        @task_runner     = task_runner
         @thread          = nil
         @running         = false
         @mutex           = Mutex.new
@@ -227,22 +231,19 @@ module Clacky
 
         Clacky::Logger.info("scheduler_task_fired", task: task_name, session: session_id)
 
-        # Run the agent in a background thread so the scheduler tick is non-blocking.
-        Thread.new do
-          session = @registry.get(session_id)
-          agent   = nil
-          @registry.with_session(session_id) { |s| agent = s[:agent] }
-          next unless agent
-
-          @registry.update(session_id, status: :running)
-          agent.run(prompt)
-          @registry.update(session_id, status: :idle)
-          Clacky::Logger.info("scheduler_task_completed", task: task_name, session: session_id)
-        rescue => e
-          @registry.update(session_id, status: :error, error: e.message)
-          Clacky::Logger.error("scheduler_task_failed", task: task_name, session: session_id, error: e)
-        end
+        agent = nil
+        @registry.with_session(session_id) { |s| agent = s[:agent] }
+        return unless agent
+
+        # Delegate to the unified task runner (same code path as manual runs and
+        # channel-triggered runs). It handles:
+        #   * status transitions (:running → :idle/:error)
+        #   * broadcasting session_update
+        #   * persisting the session JSON on success/interrupted/error   ← the bit we were missing
+        #   * idle-compression timer lifecycle
+        @task_runner.call(session_id, agent) { agent.run(prompt) }
 
+        Clacky::Logger.info("scheduler_task_dispatched", task: task_name, session: session_id)
       rescue => e
         Clacky::Logger.error("scheduler_fire_error", task: schedule["task"], error: e)
       end

data/lib/clacky/server/session_registry.rb

@@ -265,10 +265,6 @@ module Clacky
 
         model_info = agent.current_model_info
         
-        # Load pinned status from disk session file
-        disk_session = @session_manager.load(session_id)
-        pinned = disk_session ? (disk_session[:pinned] || false) : false
-        
         {
           id:              session[:id],
           name:            agent.name,
@@ -283,7 +279,7 @@ module Clacky
           permission_mode: agent.permission_mode,
           source:          agent.source.to_s,
           agent_profile:   agent.agent_profile.name,
-          pinned:          pinned,
+          pinned:          agent.pinned || false,
         }
       end
     end

data/lib/clacky/server/web_ui_controller.rb

@@ -87,7 +87,7 @@ module Clacky
       def show_assistant_message(content, files:)
         return if (content.nil? || content.to_s.strip.empty?) && files.empty?
 
-        emit("assistant_message", content: content, files: files)
+        emit("assistant_message", content: content.to_s, files: files)
         forward_to_subscribers { |sub| sub.show_assistant_message(content, files: files) }
       end
 
@@ -300,13 +300,14 @@ module Clacky
 
       # === State updates ===
 
-      def update_sessionbar(tasks: nil, cost: nil, status: nil)
+      def update_sessionbar(tasks: nil, cost: nil, cost_source: nil, status: nil)
         data = {}
-        data[:tasks]  = tasks  if tasks
-        data[:cost]   = cost   if cost
-        data[:status] = status if status
+        data[:tasks]       = tasks       if tasks
+        data[:cost]        = cost        if cost
+        data[:cost_source] = cost_source if cost_source
+        data[:status]      = status      if status
         emit("session_update", **data) unless data.empty?
-        forward_to_subscribers { |sub| sub.update_sessionbar(tasks: tasks, cost: cost, status: status) }
+        forward_to_subscribers { |sub| sub.update_sessionbar(tasks: tasks, cost: cost, cost_source: cost_source, status: status) }
       end
 
       def update_todos(todos)

data/lib/clacky/session_manager.rb

@@ -62,6 +62,28 @@ module Clacky
       true
     end
 
+    # Return the on-disk files associated with a session: the main JSON file
+    # and any "{base}-chunk-*.md" archive files. Used by the export / download
+    # endpoint so the UI can bundle everything a user may need for debugging.
+    # Returns nil if the session is not found, or a Hash:
+    #   {
+    #     session:   Hash,        # the loaded session metadata
+    #     json_path: String,      # absolute path to session.json
+    #     chunks:    [String]     # sorted absolute paths to chunk *.md files
+    #   }
+    def files_for(session_id)
+      session = all_sessions.find { |s| s[:session_id].to_s.start_with?(session_id.to_s) }
+      return nil unless session
+
+      json_path = File.join(@sessions_dir, generate_filename(session[:session_id], session[:created_at]))
+      return nil unless File.exist?(json_path)
+
+      base   = File.basename(json_path, ".json")
+      chunks = Dir.glob(File.join(@sessions_dir, "#{base}-chunk-*.md")).sort
+
+      { session: session, json_path: json_path, chunks: chunks }
+    end
+
     # All sessions from disk, newest-first (sorted by created_at).
     # Optional filters:
     #   current_dir: (String) if given, sessions matching working_dir come first

data/lib/clacky/skill.rb

@@ -169,11 +169,27 @@ module Clacky
       "/#{identifier}"
     end
 
-    # Get the description for context loading
-    # Returns the description from frontmatter, or first paragraph of content
+    # Maximum length for a skill's description when injected into the system
+    # prompt. Descriptions longer than this are truncated to protect the token
+    # budget — a good description is a trigger hint, not a tutorial. Authors
+    # still see their full description via `skill.description`; only the
+    # system-prompt rendering is truncated.
+    #
+    # Anthropic's hard limit is 1024, but empirically ~300 chars is enough for
+    # reliable triggering (including trigger-phrase lists); longer content
+    # belongs in the SKILL.md body.
+    DESCRIPTION_MAX_CHARS = 300
+
+    # Get the description for context loading.
+    # Returns the description from frontmatter (or first paragraph of content),
+    # hard-capped at {DESCRIPTION_MAX_CHARS} so a single overlong skill can't
+    # blow up the system prompt. Truncation is marked with an ellipsis.
     # @return [String]
     def context_description
-      @description || extract_first_paragraph
+      raw = @description || extract_first_paragraph
+      return raw if raw.nil? || raw.length <= DESCRIPTION_MAX_CHARS
+
+      raw[0, DESCRIPTION_MAX_CHARS - 1] + "…"
     end
 
     # Get all supporting files in the skill directory (excluding SKILL.md)