@aegis-scan/skills 0.1.1

package/ATTRIBUTION.md

@@ -0,0 +1,75 @@
+# Attribution
+
+`@aegis-scan/skills` is a multi-source skill library. Each source is
+credited individually below. Every fork preserves upstream provenance
+via a per-file `<!-- aegis-local: forked … from <upstream>@<sha>; attribution preserved -->`
+HTML comment at the top of each `SKILL.md`, independent of whichever
+attribution convention the upstream author used inside the file body.
+
+## Offensive skills — SnailSploit/Claude-Red
+
+All skills under `skills/offensive/snailsploit-fork/` are forked from
+[SnailSploit/Claude-Red](https://github.com/SnailSploit/Claude-Red)
+under MIT License.
+
+- **Upstream author:** Kai Aizen (SnailSploit) — https://snailsploit.com
+- **Upstream original source:** Sahar Shlichov — https://github.com/sahar042/offensive-checklist
+- **SPDX:** MIT (README-declared by upstream; no standalone LICENSE file upstream at fork time)
+- **Fork-SHA:** `c74d53e2938b59f111572e0819265a1e73029393`
+- **Fork date:** 2026-04-23
+- **Skill count at fork:** 37 (upstream README tabulates 38; the `patch-diffing` subdirectory listed in the README's "Infrastructure & Binary" table is absent on disk at the fork SHA, so we ship what exists rather than what is claimed)
+
+### Upstream-attribution format notes
+
+Upstream uses two attribution conventions across its 37 files:
+
+- Thirty-two files use an older `## Metadata > - Source: <url>` bullet format pointing at the upstream `sahar042/offensive-checklist` file that seeded the skill.
+- Five files (`fuzzing`, `jwt`, `osint`, `shellcode`, `sqli`) use a newer YAML-frontmatter convention (`--- name: description: ---`) without a separate Metadata section.
+
+Both conventions are semantically equivalent: they identify the skill
+and, where present, link to the upstream checklist source. AEGIS
+preserves whichever form the upstream file used. The reliable
+per-file provenance anchor across all 37 files is the AEGIS-added
+`<!-- aegis-local: forked … -->` HTML header.
+
+### Do-not-remove rule
+
+Every forked `SKILL.md` retains both its original upstream content
+byte-identically and the AEGIS-added header. When AEGIS runs a
+quarterly upstream-sync (via `scripts/sync-upstream.sh`) the same
+rule applies to any incoming updates — no stripping of upstream
+attribution, no removal of AEGIS-added headers, no paper-over of
+upstream format variance.
+
+## Defensive skills — AEGIS-native (skills-v0.2+)
+
+Planned: AEGIS-authored defensive methodology skills mirrored from
+the `@aegis-wizard/cli` pattern library under MIT License. Source is
+AEGIS itself; this section will expand when the skills ship.
+
+## MITRE-mapped skills — upstream cybersecurity framework-mapped source (skills-v0.2+)
+
+Planned: cherry-picked skills from
+[mukul975/Anthropic-Cybersecurity-Skills](https://github.com/mukul975/Anthropic-Cybersecurity-Skills)
+under Apache-2.0 with per-skill quality-audit plus MITRE ATT&CK /
+D3FEND / NIST CSF framework-mappings applied. Section populates when
+skills-v0.2 lands.
+
+## Operations skills — TBD (skills-v0.3+)
+
+Planned: incident-response, post-build-audit, verify-install-integrity
+modules. Source and attribution TBD.
+
+## License compatibility
+
+AEGIS itself ships under MIT. Offensive skills ship under MIT (via
+upstream). Future cybersecurity-framework-mapped cherry-picks ship
+under Apache-2.0 (via upstream). Both licenses are permissive,
+commercially-redistributable, and require attribution preservation —
+which this file codifies. No license incompatibility.
+
+## Changes to upstream
+
+See `CHANGELOG.md` for AEGIS-side version history. The only change
+to any forked `SKILL.md` at v0.1.0 is the prepended AEGIS-local HTML
+attribution header documented above.

package/CHANGELOG.md

@@ -0,0 +1,129 @@
+# Changelog
+
+All notable changes to `@aegis-scan/skills` are documented here. Format
+follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). The
+skills package uses SemVer; each minor-version may add new skill
+sources and categories. Release cadence is driven by upstream-sync
+and quality-audit completion, not by a fixed schedule.
+
+---
+
+## [0.1.1] — 2026-04-23 — "ship-gate-caught-recovery"
+
+First published release. v0.1.0 was tagged but NEVER published to npm —
+the publish-skills.yml tarball-scrub gate caught two internal planning-
+path references in placeholder category READMEs at the `Verify no
+internal-codename leaks in shipped tarball` step and refused to
+publish. This v0.1.1 is the clean first-publish.
+
+The fortress-discipline CI gate worked exactly as designed: the tag
+landed, the workflow ran, the scrub-gate fired, and nothing reached
+the npm registry. No force-push, no shortcut, no `--no-verify`. The
+full incident post-mortem is retained in the repository's internal
+planning tree; ask the maintainer for access if needed.
+
+### Fixed
+
+- **`skills/defensive/README.md`** and **`skills/mitre-mapped/README.md`**
+  placeholder documents referenced a gitignored operator-local
+  planning document by its exact filename; both files are generalized
+  to point to "the repository's internal planning tree" instead.
+- **`scripts/sync-upstream.sh`** reviewer-instruction paragraph
+  referenced the same operator-local planning document; generalized
+  to the same "internal planning tree" phrasing.
+
+### Added
+
+- **`__tests__/scrub.test.ts`** gains a new describe-block
+  (`scrub-clean — future-category placeholder READMEs`) covering the
+  three placeholder READMEs under `skills/defensive/`,
+  `skills/mitre-mapped/`, and `skills/ops/`. Without this block, the
+  v0.1.0 leak passed source-side tests (which iterated only the 37
+  forked SKILL.md files plus 4 package-root documents) while failing
+  at the CI tarball-scrub gate. Institutional spec-gap closed.
+
+### Meta
+
+- `v0.1.0` remains as a git-tag pointing at commit `8508aa6` for
+  audit-trail purposes but carries no corresponding npm release. If
+  you need to verify the v0.1.0 git state, check the tag; if you need
+  a running skills package, install `0.1.1` or later.
+
+---
+
+## [0.1.0] — 2026-04-23 — "initial — offensive-only" (WITHHELD — see 0.1.1 above)
+
+Initial ship. Multi-source package structure, offensive-only content
+at v0.1.0.
+
+### Added
+
+- **Package scaffold** under `packages/skills/` with `@aegis-scan/skills`
+  as the npm name, MIT license, and `npm-provenance` publish-config.
+  No install-time lifecycle scripts (enforced by
+  `.github/workflows/publish-skills.yml` gate).
+- **Multi-source directory layout** with four category-directories
+  under `skills/`:
+  - `offensive/` — populated at v0.1.0 with the 37-skill fork below.
+  - `defensive/` — placeholder README declaring skills-v0.2+ ambition
+    (AEGIS-native skills mirrored from the `@aegis-wizard/cli` pattern
+    library).
+  - `mitre-mapped/` — placeholder README declaring skills-v0.2+ ambition
+    (cherry-picks from an upstream framework-mapped source with MITRE
+    ATT&CK / D3FEND / NIST CSF mappings).
+  - `ops/` — placeholder README declaring skills-v0.3+ ambition
+    (incident-response, post-build-audit, verify-install-integrity).
+- **37 offensive skills** forked from
+  [SnailSploit/Claude-Red](https://github.com/SnailSploit/Claude-Red)
+  at SHA `c74d53e2938b59f111572e0819265a1e73029393` under the upstream
+  MIT license. Upstream `Skills/offensive-<name>/SKILL.md` lands here
+  as `skills/offensive/snailsploit-fork/<name>/SKILL.md` (redundant
+  `offensive-` prefix stripped from directory names). Every file is
+  byte-identical to upstream after a prepended AEGIS-local HTML
+  attribution header.
+- **`aegis-skills` CLI** with three subcommands: `list` (with
+  `--category` and `--source` filters), `info <skill-name>` (renders
+  frontmatter and upstream-source URL), and `install [--to <dir>]
+  [--force]` (defaults to `~/.claude/skills/user/aegis-skills/`).
+- **ATTRIBUTION.md** with per-source attribution for the SnailSploit
+  fork plus forward-declared sections for defensive, MITRE-mapped,
+  and ops categories.
+- **Test suite** — four vitest files covering manifest integrity,
+  frontmatter shape, attribution header preservation, and
+  internal-codename scrub-clean invariant across every shipped
+  skill. Total tests at v0.1.0 is 316 new cases; the full monorepo
+  test count rises from 2224 to 2540.
+
+### Known discrepancies tracked for upstream-courtesy-ping
+
+- Upstream README tabulates 38 skill rows but the `Skills/` directory
+  contains 37 subdirectories — the `patch-diffing` skill is listed in
+  the README "Infrastructure & Binary" table but the directory is
+  absent on disk at the fork SHA. This package ships what exists on
+  disk (37) rather than what is claimed in the README (38). Tracked
+  for an optional outreach to the upstream maintainer.
+- Upstream uses two attribution conventions across its files — some
+  use an older `## Metadata > Source:` bullet, others use a newer
+  YAML-only frontmatter. Both conventions are preserved byte-
+  identically. AEGIS's own per-file provenance anchor is the
+  uniform `<!-- aegis-local: -->` HTML header applied during fork.
+
+### Security posture
+
+- Pre-fork security-pass (six protocol greps plus two supplementary
+  checks) run against upstream before commit. All checks returned
+  clean with three documented caveats (cloud-IMDS IPs in SSRF
+  content, canonical pedagogical shellcode, pedagogical AMSI/IAT-
+  hook code in the windows-boundaries skill). Log retained for
+  advisor audit.
+- Markdown-only structural invariant enforced both locally and in
+  the `publish-skills.yml` CI gate: the `skills/` directory contains
+  only `.md` files.
+- `SECURITY.md` at the repo root gains a "Responsible-use posture for
+  @aegis-scan/skills" section covering the authorized-use-only scope
+  of the offensive content.
+
+### License
+
+MIT for AEGIS side. MIT for upstream SnailSploit fork. See
+`LICENSE` and `ATTRIBUTION.md`.

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 RideMatch1 (AEGIS) and upstream authors per ATTRIBUTION.md
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,123 @@
+# @aegis-scan/skills
+
+Opt-in skill library for Claude Code and compatible AI agents. Third
+sibling in the AEGIS full-repertoire institutional-grade security
+toolkit.
+
+## AEGIS is a three-layer toolkit
+
+- **`@aegis-wizard/cli`** — scaffold + agent-brief generator. Builds
+  a secure Next.js + Supabase + shadcn SaaS from day one with an
+  agent-consumable Markdown brief.
+- **`@aegis-scan/cli`** — defensive SAST scanner (five-package
+  family). Catches what the scanner knows to look for across your
+  built application.
+- **`@aegis-scan/skills`** — this package. Red-team methodology
+  library (v0.1.0) with defensive, MITRE-mapped, and ops extensions
+  landing in later releases. Primes your AI coding-agent with
+  attack-class decision-trees so you can stress-test what you built
+  before shipping.
+
+Build with the wizard. Scan what you built. Test it red-team-style.
+Full lifecycle, one toolchain, one attribution-compliant open-source
+license stack.
+
+## Quickstart
+
+```bash
+npm install -g @aegis-scan/skills
+
+# Install every skill into Claude Code's user-skill directory
+aegis-skills install
+
+# List what is available
+aegis-skills list
+
+# Inspect a specific skill
+aegis-skills info sqli
+```
+
+After `install` lands the skill files under `~/.claude/skills/user/aegis-skills/`,
+Claude Code auto-loads each `SKILL.md` based on its trigger-phrases
+whenever you invoke the agent with a relevant prompt.
+
+## What ships in v0.1.0
+
+Thirty-seven offensive-security SKILL.md files under
+`skills/offensive/snailsploit-fork/`, covering:
+
+- **Web application:** sqli · xss · ssrf · ssti · xxe · idor · file-upload
+  · rce · deserialization · race-condition · request-smuggling ·
+  open-redirect · parameter-pollution · graphql · waf-bypass (15)
+- **Auth and identity:** jwt · oauth (2)
+- **Infrastructure and binary:** shellcode · edr-evasion ·
+  exploit-development · exploit-dev-course · basic-exploitation ·
+  crash-analysis · mitigations · windows-mitigations ·
+  windows-boundaries · keylogger-arch · initial-access ·
+  advanced-redteam (12)
+- **Reconnaissance and OSINT:** osint · osint-methodology (2)
+- **Fuzzing and vulnerability research:** fuzzing · fuzzing-course ·
+  bug-identification · vuln-classes (4)
+- **AI security:** ai-security (1)
+- **Utility:** fast-checking (1)
+
+All forked from
+[SnailSploit/Claude-Red](https://github.com/SnailSploit/Claude-Red)
+under MIT License with attribution preserved per-file. See
+[`ATTRIBUTION.md`](./ATTRIBUTION.md) for the full credit chain.
+
+## Multi-source architecture
+
+`@aegis-scan/skills` is designed to grow across sources without
+re-architecting the package. The `skills/` tree carries four
+category-directories from day one, three of which are placeholders
+for future content:
+
+```
+skills/
+├── offensive/                    — populated in v0.1.0
+│   └── snailsploit-fork/
+│       └── 37 SKILL.md files
+├── defensive/                    — placeholder for skills-v0.2+
+├── mitre-mapped/                 — placeholder for skills-v0.2+
+└── ops/                          — placeholder for skills-v0.3+
+```
+
+`aegis-skills list --category defensive` today returns an informative
+"coming in v0.2+" message rather than a missing-directory error. When
+future sources land, they slot into the existing tree and the manifest
+metadata expands without layout churn.
+
+## Structural invariant
+
+The `skills/` directory is markdown-only by construction. No
+executable content, no binaries, no install-time lifecycle scripts
+anywhere in the package. The `publish-skills.yml` CI gate enforces
+this structurally before every tag-push. A consumer running
+`npm install @aegis-scan/skills` executes zero scripts from the
+`@aegis-scan` namespace. See the top-level `SECURITY.md` for the
+full supply-chain integrity posture.
+
+## Responsible use
+
+This package ships offensive-security methodology for authorized use
+only:
+
+- Authorized security testing of systems you own or have explicit
+  written permission to test.
+- Bug-bounty engagements strictly within the defined scope.
+- CTF competitions and educational environments.
+- Defensive security research — understanding attack classes to
+  defend against them.
+
+Use against systems you do not own or have permission to test is
+unauthorized and likely illegal. AEGIS provides methodology;
+responsible use is the operator's obligation. See the top-level
+`SECURITY.md` for the full responsible-use disclosure and the
+`SECURITY-INCIDENT-RESPONSE.md` for the abuse-report channel.
+
+## License
+
+MIT (see [`LICENSE`](./LICENSE)). Upstream skills ship under their
+original licenses with attribution preserved per-file — see
+[`ATTRIBUTION.md`](./ATTRIBUTION.md) for the full chain.

package/dist/bin.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=bin.d.ts.map

package/dist/bin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.d.ts","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":""}

package/dist/bin.js

@@ -0,0 +1,122 @@
+#!/usr/bin/env node
+/**
+ * `aegis-skills` CLI entry point.
+ *
+ * Three subcommands: `list` (browse the catalog), `info <name>`
+ * (inspect a single skill), `install [--to <dir>] [--force]` (copy
+ * the catalog into a Claude-Code-compatible skill directory).
+ *
+ * No third-party CLI parser — the surface is small enough that a
+ * hand-rolled argv walk keeps the runtime dependency footprint at
+ * zero, which matches the markdown-only structural invariant of the
+ * whole package: consumers installing `@aegis-scan/skills` pull in
+ * zero runtime code that executes on their machine beyond this bin.
+ */
+import { readFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { runList } from './commands/list.js';
+import { runInfo } from './commands/info.js';
+import { runInstall } from './commands/install.js';
+const HELP_TEXT = `aegis-skills — opt-in skill library for Claude Code and compatible AI agents
+
+Usage:
+  aegis-skills list [--category <cat>] [--source <src>] [--json]
+  aegis-skills info <skill-name> [--json]
+  aegis-skills install [--to <dir>] [--force] [--dry-run]
+  aegis-skills --version
+  aegis-skills --help
+
+Commands:
+  list      Print the skill catalog grouped by category and source.
+  info      Render one skill's metadata and upstream source URL.
+  install   Copy every SKILL.md into a Claude-compatible skill directory.
+            Default target: ~/.claude/skills/user/aegis-skills/
+
+List options:
+  --category <cat>   Filter to offensive / defensive / mitre-mapped / ops / all
+  --source <src>     Filter to one source-namespace (e.g. snailsploit-fork)
+  --json             Machine-readable output
+
+Info options:
+  --json             Machine-readable output
+
+Install options:
+  --to <dir>         Target directory (overrides default)
+  --force            Overwrite existing files at the target
+  --dry-run          Print what would be copied without writing
+`;
+function readVersion() {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const pkgPath = join(here, '..', 'package.json');
+    const parsed = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+    return parsed.version;
+}
+function main(argv) {
+    if (argv.length === 0 || argv[0] === '--help' || argv[0] === '-h') {
+        console.log(HELP_TEXT);
+        return 0;
+    }
+    if (argv[0] === '--version' || argv[0] === '-v') {
+        console.log(readVersion());
+        return 0;
+    }
+    const [command, ...rest] = argv;
+    switch (command) {
+        case 'list':
+            return runList(parseListOptions(rest));
+        case 'info':
+            return runInfo(rest[0] ?? '', parseInfoOptions(rest.slice(1)));
+        case 'install':
+            return runInstall(parseInstallOptions(rest));
+        default:
+            console.error(`Error: unknown command "${command}"`);
+            console.error('Run `aegis-skills --help` for usage.');
+            return 1;
+    }
+}
+function parseListOptions(argv) {
+    const out = {};
+    for (let i = 0; i < argv.length; i += 1) {
+        const arg = argv[i];
+        if (arg === '--category' && i + 1 < argv.length) {
+            out.category = argv[i + 1];
+            i += 1;
+        }
+        else if (arg === '--source' && i + 1 < argv.length) {
+            out.source = argv[i + 1];
+            i += 1;
+        }
+        else if (arg === '--json') {
+            out.json = true;
+        }
+    }
+    return out;
+}
+function parseInfoOptions(argv) {
+    const out = {};
+    for (const arg of argv) {
+        if (arg === '--json')
+            out.json = true;
+    }
+    return out;
+}
+function parseInstallOptions(argv) {
+    const out = {};
+    for (let i = 0; i < argv.length; i += 1) {
+        const arg = argv[i];
+        if (arg === '--to' && i + 1 < argv.length) {
+            out.to = argv[i + 1];
+            i += 1;
+        }
+        else if (arg === '--force' || arg === '-f') {
+            out.force = true;
+        }
+        else if (arg === '--dry-run') {
+            out.dryRun = true;
+        }
+    }
+    return out;
+}
+process.exit(main(process.argv.slice(2)));
+//# sourceMappingURL=bin.js.map

package/dist/bin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bin.js","sourceRoot":"","sources":["../src/bin.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;GAYG;AACH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAoB,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,OAAO,EAAoB,MAAM,oBAAoB,CAAC;AAC/D,OAAO,EAAE,UAAU,EAAuB,MAAM,uBAAuB,CAAC;AAExE,MAAM,SAAS,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2BjB,CAAC;AAEF,SAAS,WAAW;IAClB,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAwB,CAAC;IACjF,OAAO,MAAM,CAAC,OAAO,CAAC;AACxB,CAAC;AAED,SAAS,IAAI,CAAC,IAAuB;IACnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QACvB,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,WAAW,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;QAC3B,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;IAChC,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;QACzC,KAAK,MAAM;YACT,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjE,KAAK,SAAS;YACZ,OAAO,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC/C;YACE,OAAO,CAAC,KAAK,CAAC,2BAA2B,OAAO,GAAG,CAAC,CAAC;YACrD,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAC;YACtD,OAAO,CAAC,CAAC;IACb,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAuB;IAC/C,MAAM,GAAG,GAAgB,EAAE,CAAC;IAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,GAAG,KAAK,YAAY,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;YAChD,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC3B,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,IAAI,GAAG,KAAK,UAAU,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;YACrD,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACzB,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,IAAI,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;QAClB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAuB;IAC/C,MAAM,GAAG,GAAgB,EAAE,CAAC;IAC5B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC;IACxC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAuB;IAClD,MAAM,GAAG,GAAmB,EAAE,CAAC;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QACpB,IAAI,GAAG,KAAK,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;YAC1C,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YACrB,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YAC7C,GAAG,CAAC,KAAK,GAAG,IAAI,CAAC;QACnB,CAAC;aAAM,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;YAC/B,GAAG,CAAC,MAAM,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC"}

package/dist/commands/info.d.ts

@@ -0,0 +1,5 @@
+export interface InfoOptions {
+    json?: boolean;
+}
+export declare function runInfo(query: string, options?: InfoOptions): number;
+//# sourceMappingURL=info.d.ts.map

package/dist/commands/info.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"info.d.ts","sourceRoot":"","sources":["../../src/commands/info.ts"],"names":[],"mappings":"AASA,MAAM,WAAW,WAAW;IAC1B,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,wBAAgB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,WAAgB,GAAG,MAAM,CAqDxE"}

package/dist/commands/info.js

@@ -0,0 +1,75 @@
+/**
+ * `aegis-skills info <skill-name>` — render one skill's metadata.
+ *
+ * The argument matches by leaf `name` (e.g. `sqli`) or full `id` (e.g.
+ * `offensive-snailsploit-fork-sqli`). Returns exit 0 on found, exit 1
+ * on not-found, exit 2 on loader error.
+ */
+import { loadAllSkills } from '../skills-loader.js';
+export function runInfo(query, options = {}) {
+    if (!query || query.trim().length === 0) {
+        console.error('Error: aegis-skills info requires a skill-name argument');
+        return 1;
+    }
+    let skills;
+    try {
+        skills = loadAllSkills();
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        return 2;
+    }
+    const needle = query.trim().toLowerCase();
+    const matches = skills.filter((s) => s.name.toLowerCase() === needle || s.id.toLowerCase() === needle);
+    if (matches.length === 0) {
+        console.error(`Error: no skill found matching "${query}"`);
+        console.error('Run `aegis-skills list` to see the available catalog.');
+        return 1;
+    }
+    if (matches.length > 1) {
+        console.error(`Error: "${query}" is ambiguous — matches:`);
+        for (const m of matches)
+            console.error(`  ${m.id}`);
+        console.error('Use the full id (e.g. offensive-snailsploit-fork-<name>) to disambiguate.');
+        return 1;
+    }
+    const skill = matches[0];
+    if (options.json) {
+        process.stdout.write(JSON.stringify(skill, null, 2) + '\n');
+        return 0;
+    }
+    console.log(`# ${skill.title}`);
+    console.log('');
+    console.log(`id:           ${skill.id}`);
+    console.log(`category:     ${skill.category}`);
+    console.log(`source:       ${skill.source || '(none)'}`);
+    console.log(`name:         ${skill.name}`);
+    console.log(`relativePath: ${skill.relativePath}`);
+    if (skill.upstreamSourceUrl) {
+        console.log(`upstream:     ${skill.upstreamSourceUrl}`);
+    }
+    console.log('');
+    console.log('Description:');
+    console.log(wrap(skill.description || '(no description extracted)', 78, '  '));
+    console.log('');
+    console.log(`File on disk: ${skill.absolutePath}`);
+    return 0;
+}
+function wrap(text, width, indent) {
+    const words = text.split(/\s+/).filter(Boolean);
+    const lines = [];
+    let line = indent;
+    for (const word of words) {
+        if ((line.length + word.length + 1) > width && line.trim().length > 0) {
+            lines.push(line);
+            line = indent + word;
+        }
+        else {
+            line = line.trim().length === 0 ? `${indent}${word}` : `${line} ${word}`;
+        }
+    }
+    if (line.trim().length > 0)
+        lines.push(line);
+    return lines.join('\n');
+}
+//# sourceMappingURL=info.js.map

package/dist/commands/info.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"info.js","sourceRoot":"","sources":["../../src/commands/info.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,OAAO,EAAE,aAAa,EAAoB,MAAM,qBAAqB,CAAC;AAMtE,MAAM,UAAU,OAAO,CAAC,KAAa,EAAE,UAAuB,EAAE;IAC9D,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,MAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,MAAM,GAAG,aAAa,EAAE,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,UAAW,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC1C,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAC3B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,CAAC,CAAC,EAAE,CAAC,WAAW,EAAE,KAAK,MAAM,CACxE,CAAC;IAEF,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,CAAC,KAAK,CAAC,mCAAmC,KAAK,GAAG,CAAC,CAAC;QAC3D,OAAO,CAAC,KAAK,CAAC,uDAAuD,CAAC,CAAC;QACvE,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,CAAC,KAAK,CAAC,WAAW,KAAK,2BAA2B,CAAC,CAAC;QAC3D,KAAK,MAAM,CAAC,IAAI,OAAO;YAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,KAAK,CAAC,2EAA2E,CAAC,CAAC;QAC3F,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACzB,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5D,OAAO,CAAC,CAAC;IACX,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC;IAChC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC;IACzC,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC,CAAC;IACzD,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;IACnD,IAAI,KAAK,CAAC,iBAAiB,EAAE,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,iBAAiB,EAAE,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAC5B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,IAAI,4BAA4B,EAAE,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAChB,OAAO,CAAC,GAAG,CAAC,iBAAiB,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC;IACnD,OAAO,CAAC,CAAC;AACX,CAAC;AAED,SAAS,IAAI,CAAC,IAAY,EAAE,KAAa,EAAE,MAAc;IACvD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,IAAI,GAAG,MAAM,CAAC;IAClB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,KAAK,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACjB,IAAI,GAAG,MAAM,GAAG,IAAI,CAAC;QACvB,CAAC;aAAM,CAAC;YACN,IAAI,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,IAAI,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;QAC3E,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7C,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}

package/dist/commands/install.d.ts

@@ -0,0 +1,7 @@
+export interface InstallOptions {
+    to?: string;
+    force?: boolean;
+    dryRun?: boolean;
+}
+export declare function runInstall(options?: InstallOptions): number;
+//# sourceMappingURL=install.d.ts.map

package/dist/commands/install.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../../src/commands/install.ts"],"names":[],"mappings":"AA0BA,MAAM,WAAW,cAAc;IAC7B,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AAED,wBAAgB,UAAU,CAAC,OAAO,GAAE,cAAmB,GAAG,MAAM,CA6D/D"}