@agent-native/core 0.49.17 → 0.49.19

package/dist/cli/recap.js

@@ -2256,21 +2256,30 @@ function recoverRecapFailureEnv(env = process.env) {
     return recovered;
 }
 /**
- * Files that, if a PR touches them, would let that PR rewrite the workflow,
- * skill, or agent config the trusted recap job loads. The workflow runs the
- * recap CLI from trusted base-branch source (or an installed package), so normal
- * package code such as `packages/core/**` can be recapped without executing
- * PR-modified CLI code.
+ * Files that, if a PR touches them, would let that PR rewrite repo-pinned skill
+ * instructions or agent config the trusted recap job loads. The workflow runs
+ * the recap CLI from trusted base-branch source (or an installed package), so
+ * normal package code such as `packages/core/**` and recap workflow YAML can be
+ * recapped without executing PR-modified CLI code.
  */
-export function isRecapSensitivePath(p) {
-    if (p === ".github/workflows/pr-visual-recap.yml" ||
-        /(^|\/)skills\/visual-(recap|plan|plans)\//.test(p) ||
-        /(^|\/)\.claude\//.test(p) ||
+function normalizeRecapSkillSourceMode(value) {
+    return (value || "auto").toLowerCase();
+}
+function isRepoPinnedRecapSkillSource(value) {
+    return normalizeRecapSkillSourceMode(value) === "repo";
+}
+export function isRecapSensitivePath(p, options = {}) {
+    const skillSource = options.skillSource;
+    if (/(^|\/)\.claude\//.test(p) ||
         /(^|\/)CLAUDE\.md$/.test(p) ||
         /(^|\/)AGENTS\.md$/.test(p) ||
         /(^|\/)\.mcp\.json$/.test(p)) {
         return true;
     }
+    if (isRepoPinnedRecapSkillSource(skillSource) &&
+        /(^|\/)skills\/visual-(recap|plan|plans)\//.test(p)) {
+        return true;
+    }
     return false;
 }
 /**
@@ -2330,12 +2339,19 @@ export function evaluateRecapGate(input) {
     if (model && !/^[a-zA-Z0-9._-]{1,80}$/.test(model)) {
         reasons.push("invalid VISUAL_RECAP_MODEL value (must match [a-zA-Z0-9._-]{1,80})");
     }
-    // Self-modifying guard: if this PR changes the workflow, the
-    // visual-recap/visual-plan skill, or any agent config the runner would load
-    // (.claude/**, CLAUDE.md, .mcp.json), skip the ENTIRE job — not just the
-    // agent — so a PR can never rewrite what runs (skill, hooks, settings) and
-    // exfiltrate the publish/API secrets.
-    const hits = input.changedFiles.filter((p) => isRecapSensitivePath(p));
+    const skillSource = normalizeRecapSkillSourceMode(input.skillSource);
+    if (skillSource && !["auto", "latest", "repo"].includes(skillSource)) {
+        reasons.push('invalid VISUAL_RECAP_SKILL_SOURCE value (expected "auto", "latest", or "repo")');
+    }
+    // Self-modifying guard: if this PR changes the visual-recap/visual-plan skill
+    // when CI is explicitly pinned to repo-local skill instructions, or any agent
+    // config the runner would load (.claude/**, CLAUDE.md, AGENTS.md, .mcp.json),
+    // skip the ENTIRE job — not just the agent — so a PR can never rewrite what
+    // the agent loads (skill, hooks, settings) and exfiltrate the publish/API
+    // secrets. In the default auto/latest modes the recap prompt comes from the
+    // trusted bundled skill, so visual skill and recap workflow files are ordinary
+    // reviewed content and may be recapped.
+    const hits = input.changedFiles.filter((p) => isRecapSensitivePath(p, { skillSource }));
     if (hits.length) {
         reasons.push(`PR modifies recap-control files (${hits.slice(0, 3).join(", ")}${hits.length > 3 ? ", …" : ""}) — skipping so untrusted PR code never runs with secrets`);
     }
@@ -2428,6 +2444,7 @@ async function runGate() {
         hasOpenai: process.env.HAS_OPENAI === "true",
         agentRaw: process.env.AGENT,
         model: process.env.VISUAL_RECAP_MODEL,
+        skillSource: process.env.VISUAL_RECAP_SKILL_SOURCE,
         changedFiles,
     });
     // If listing PR files failed, append the same fail-closed reason the inline
@@ -3022,7 +3039,7 @@ Usage:
     VISUAL_RECAP_MODEL), the repo from $GITHUB_REPOSITORY, and the PR's changed
     files from the GitHub REST API (paged, with GH_TOKEN/GITHUB_TOKEN). Skips
     drafts, forks, bot authors, the missing-secret case, an invalid agent/model,
-    and any PR that touches recap-control files (the workflow, the skill,
+    and any PR that touches recap-control files (repo-pinned skill instructions,
     .claude/**, CLAUDE.md, AGENTS.md, .mcp.json) — failing CLOSED on any
     file-list error. Writes run=<true|false> and agent=<claude|codex> to
     $GITHUB_OUTPUT.