@claude-collective/cli 0.26.1 → 0.29.4

package/dist/{chunk-CQ7657GA.js → chunk-SSHG7MEE.js}

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import {
+  SKILL_ID_PATTERN,
   agentFrontmatterValidationSchema,
   agentYamlConfigSchema,
   categoryPathSchema,
@@ -7,11 +8,14 @@ import {
   directoryExists,
   ensureDir,
   fileExists,
+  formatZodErrors,
+  getErrorMessage,
   glob,
   hooksRecordSchema,
   listDirectories,
   localRawMetadataSchema,
   localSkillMetadataSchema,
+  log,
   marketplaceSchema,
   pluginAuthorSchema,
   pluginManifestSchema,
@@ -19,6 +23,7 @@ import {
   projectSourceConfigSchema,
   readFile,
   readFileOptional,
+  readFileSafe,
   remove,
   skillDisplayNameSchema,
   skillFrontmatterLoaderSchema,
@@ -27,31 +32,43 @@ import {
   skillMetadataLoaderSchema,
   skillsMatrixConfigSchema,
   stacksConfigSchema,
+  validateNestingDepth,
   verbose,
   warn,
+  warnUnknownFields,
   writeFile
-} from "./chunk-324DM2L6.js";
-import {
-  typedEntries,
-  typedKeys
-} from "./chunk-HWD32NP7.js";
+} from "./chunk-5WIHSJRO.js";
 import {
   ARCHIVED_SKILLS_DIR_NAME,
   CACHE_DIR,
+  CACHE_HASH_LENGTH,
+  CACHE_READABLE_PREFIX_LENGTH,
   CLAUDE_DIR,
   CLAUDE_SRC_DIR,
   DEFAULT_DISPLAY_VERSION,
+  DEFAULT_PLUGIN_NAME,
   DEFAULT_VERSION,
   DIRS,
-  KEY_SUBCATEGORIES,
+  GITHUB_SOURCE,
+  HASH_PREFIX_LENGTH,
   LOCAL_SKILLS_PATH,
+  MAX_CONFIG_FILE_SIZE,
+  MAX_JSON_NESTING_DEPTH,
+  MAX_MARKETPLACE_FILE_SIZE,
+  MAX_MARKETPLACE_PLUGINS,
+  MAX_PLUGIN_FILE_SIZE,
   PLUGINS_SUBDIR,
   PLUGIN_MANIFEST_DIR,
   PLUGIN_MANIFEST_FILE,
   PROJECT_ROOT,
+  SCHEMA_PATHS,
   SKILLS_DIR_PATH,
-  SKILLS_MATRIX_PATH
-} from "./chunk-O6ZTD7ZI.js";
+  SKILLS_MATRIX_PATH,
+  STANDARD_DIRS,
+  STANDARD_FILES,
+  YAML_FORMATTING,
+  yamlSchemaComment
+} from "./chunk-IFODQTCX.js";
 import {
   init_esm_shims
 } from "./chunk-AWKZ5BDL.js";
@@ -62,16 +79,37 @@ init_esm_shims();
 // src/cli/lib/configuration/config.ts
 init_esm_shims();
 import path from "path";
-import { parse as parseYaml, stringify as stringifyYaml } from "yaml";
-var DEFAULT_SOURCE = "github:claude-collective/skills";
+import { stringify as stringifyYaml } from "yaml";
+
+// src/cli/utils/yaml.ts
+init_esm_shims();
+import { parse as parseYaml } from "yaml";
+async function safeLoadYamlFile(filePath, schema, maxSizeBytes = MAX_CONFIG_FILE_SIZE) {
+  try {
+    const content = await readFileSafe(filePath, maxSizeBytes);
+    const parsed = parseYaml(content);
+    const result = schema.safeParse(parsed);
+    if (!result.success) {
+      warn(`Invalid YAML at '${filePath}': ${result.error.message}`);
+      return null;
+    }
+    return result.data;
+  } catch (error) {
+    warn(`Failed to parse YAML at '${filePath}': ${error}`);
+    return null;
+  }
+}
+
+// src/cli/lib/configuration/config.ts
+var DEFAULT_SOURCE = `${GITHUB_SOURCE.GITHUB_PREFIX}claude-collective/skills`;
 var SOURCE_ENV_VAR = "CC_SOURCE";
-var PROJECT_CONFIG_FILE = "config.yaml";
+var PROJECT_CONFIG_FILE = STANDARD_FILES.CONFIG_YAML;
 function getProjectConfigPath(projectDir) {
   return path.join(projectDir, CLAUDE_SRC_DIR, PROJECT_CONFIG_FILE);
 }
 async function loadProjectSourceConfig(projectDir) {
   const srcConfigPath = getProjectConfigPath(projectDir);
-  const legacyConfigPath = path.join(projectDir, CLAUDE_DIR, "config.yaml");
+  const legacyConfigPath = path.join(projectDir, CLAUDE_DIR, STANDARD_FILES.CONFIG_YAML);
   let configPath = srcConfigPath;
   if (!await fileExists(srcConfigPath)) {
     if (await fileExists(legacyConfigPath)) {
@@ -82,26 +120,18 @@ async function loadProjectSourceConfig(projectDir) {
       return null;
     }
   }
-  try {
-    const content = await readFile(configPath);
-    const parsed = parseYaml(content);
-    const result = projectSourceConfigSchema.safeParse(parsed);
-    if (!result.success) {
-      warn(`Invalid project config at ${configPath}: ${result.error.message}`);
-      return null;
-    }
-    verbose(`Loaded project config from ${configPath}`);
-    return result.data;
-  } catch (error) {
-    warn(`Failed to parse project config at ${configPath}: ${error}`);
-    return null;
-  }
+  const data = await safeLoadYamlFile(configPath, projectSourceConfigSchema);
+  if (!data) return null;
+  verbose(`Loaded project config from ${configPath}`);
+  return data;
 }
 async function saveProjectConfig(projectDir, config) {
   const configPath = getProjectConfigPath(projectDir);
   await ensureDir(path.join(projectDir, CLAUDE_SRC_DIR));
-  const content = stringifyYaml(config, { lineWidth: 0 });
-  await writeFile(configPath, content);
+  const schemaComment = `${yamlSchemaComment(SCHEMA_PATHS.projectSourceConfig)}
+`;
+  const content = stringifyYaml(config, { lineWidth: YAML_FORMATTING.LINE_WIDTH_NONE });
+  await writeFile(configPath, `${schemaComment}${content}`);
   verbose(`Saved project config to ${configPath}`);
 }
 async function resolveSource(flagValue, projectDir) {
@@ -109,15 +139,32 @@ async function resolveSource(flagValue, projectDir) {
   const marketplace = projectConfig?.marketplace;
   if (flagValue !== void 0) {
     if (flagValue === "" || flagValue.trim() === "") {
-      throw new Error("--source flag cannot be empty");
+      throw new Error(
+        "--source flag cannot be empty. Provide a valid source: a local directory path or a git repository URL (e.g., './my-skills' or 'https://github.com/user/repo')"
+      );
     }
+    validateSourceFormat(flagValue.trim(), "--source");
     verbose(`Source from --source flag: ${flagValue}`);
     return { source: flagValue, sourceOrigin: "flag", marketplace };
   }
   const envValue = process.env[SOURCE_ENV_VAR];
   if (envValue) {
-    verbose(`Source from ${SOURCE_ENV_VAR} env var: ${envValue}`);
-    return { source: envValue, sourceOrigin: "env", marketplace };
+    const trimmed = envValue.trim();
+    if (trimmed === "") {
+      warn(`${SOURCE_ENV_VAR} is set but empty \u2014 ignoring and falling back to next source.`);
+    } else {
+      try {
+        validateSourceFormat(trimmed, SOURCE_ENV_VAR);
+        verbose(`Source from ${SOURCE_ENV_VAR} env var: ${trimmed}`);
+        return { source: trimmed, sourceOrigin: "env", marketplace };
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        warn(
+          `${SOURCE_ENV_VAR} has an invalid value \u2014 ignoring and falling back to next source.
+${message}`
+        );
+      }
+    }
   }
   if (projectConfig?.source) {
     verbose(`Source from project config: ${projectConfig.source}`);
@@ -133,8 +180,11 @@ async function resolveSource(flagValue, projectDir) {
 async function resolveAgentsSource(flagValue, projectDir) {
   if (flagValue !== void 0) {
     if (flagValue === "" || flagValue.trim() === "") {
-      throw new Error("--agent-source flag cannot be empty");
+      throw new Error(
+        "--agent-source flag cannot be empty. Provide a valid source: a local directory path or a git repository URL (e.g., './my-agents' or 'https://github.com/user/repo')"
+      );
     }
+    validateSourceFormat(flagValue.trim(), "--agent-source");
     verbose(`Agents source from --agent-source flag: ${flagValue}`);
     return { agentsSource: flagValue, agentsSourceOrigin: "flag" };
   }
@@ -160,6 +210,8 @@ function formatOrigin(type, origin) {
         return `${SOURCE_ENV_VAR} environment variable`;
       case "default":
         return "default";
+      default:
+        break;
     }
   }
   switch (origin) {
@@ -167,6 +219,8 @@ function formatOrigin(type, origin) {
       return "--agent-source flag";
     case "default":
       return "default (local CLI)";
+    default:
+      break;
   }
   return origin;
 }
@@ -194,23 +248,155 @@ async function resolveAllSources(projectDir) {
   }
   return { primary, extras };
 }
+var REMOTE_PROTOCOLS = [
+  GITHUB_SOURCE.GITHUB_PREFIX,
+  // "github:"
+  GITHUB_SOURCE.GH_PREFIX,
+  // "gh:"
+  "gitlab:",
+  "bitbucket:",
+  "sourcehut:",
+  "https://",
+  "http://"
+];
+var MIN_REMOTE_PATH_LENGTH = 3;
+var MAX_SOURCE_LENGTH = 512;
+var NULL_BYTE_PATTERN = /\0/;
+var PATH_TRAVERSAL_PATTERN = /\.\./;
+var UNC_PATH_PATTERN = /^(?:\/\/|\\\\)/;
+var PRIVATE_IPV4_PATTERN = /^(?:127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|172\.(?:1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.\d+\.\d+|0\.0\.0\.0|169\.254\.\d+\.\d+)$/;
+var PRIVATE_IPV6_PATTERN = /^\[(?:::1|::ffff:(?:127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+)|fd[0-9a-f]{2}:.*|fe80:.*)\]$/i;
+function validateSourceFormat(source, flagName) {
+  if (NULL_BYTE_PATTERN.test(source)) {
+    throw new Error(
+      `${flagName} contains invalid characters.
+
+Source values must not contain null bytes.
+Examples:
+  ${flagName} ./my-skills
+  ${flagName} github:user/repo`
+    );
+  }
+  if (source.length > MAX_SOURCE_LENGTH) {
+    throw new Error(
+      `${flagName} value is too long (${source.length} characters, max ${MAX_SOURCE_LENGTH}).
+
+Provide a shorter source path or URL.
+Examples:
+  ${flagName} ./my-skills
+  ${flagName} github:user/repo`
+    );
+  }
+  const matchedProtocol = REMOTE_PROTOCOLS.find((prefix) => source.startsWith(prefix));
+  if (matchedProtocol) {
+    validateRemoteSource(source, matchedProtocol, flagName);
+  } else {
+    validateLocalPath(source, flagName);
+  }
+}
+function validateRemoteSource(source, protocol, flagName) {
+  const pathAfterProtocol = source.slice(protocol.length).trim();
+  if (pathAfterProtocol.length < MIN_REMOTE_PATH_LENGTH) {
+    throw new Error(
+      `${flagName} has an incomplete URL: "${source}"
+
+A repository path is required after the protocol prefix.
+Examples:
+  ${flagName} github:user/repo
+  ${flagName} https://github.com/user/repo`
+    );
+  }
+  if (PATH_TRAVERSAL_PATTERN.test(pathAfterProtocol)) {
+    throw new Error(
+      `${flagName} contains path traversal in URL: "${source}"
+
+Remote source URLs must not contain '..' sequences.
+Examples:
+  ${flagName} github:user/repo
+  ${flagName} https://github.com/user/repo`
+    );
+  }
+  if (protocol === "https://" || protocol === "http://") {
+    validateHttpUrl(source, flagName);
+  }
+  if (protocol !== "https://" && protocol !== "http://") {
+    validateGitShorthand(source, pathAfterProtocol, flagName);
+  }
+}
+function validateHttpUrl(source, flagName) {
+  const afterProtocol = source.replace(/^https?:\/\//, "");
+  const hostnameWithPort = afterProtocol.split("/")[0] ?? "";
+  const hostname = hostnameWithPort.split(":")[0] ?? "";
+  const isBracketedIPv6 = hostnameWithPort.startsWith("[") && hostnameWithPort.includes("]");
+  if (!hostname || !hostname.includes(".") && hostname !== "localhost" && !isBracketedIPv6) {
+    throw new Error(
+      `${flagName} has an invalid URL: "${source}"
+
+The URL must include a valid hostname.
+Examples:
+  ${flagName} https://github.com/user/repo
+  ${flagName} https://gitlab.company.com/team/skills`
+    );
+  }
+  if (PRIVATE_IPV4_PATTERN.test(hostname) || PRIVATE_IPV6_PATTERN.test(hostnameWithPort)) {
+    throw new Error(
+      `${flagName} points to a private or reserved IP address: "${source}"
+
+Source URLs must not target private network addresses.
+Use a public hostname instead.
+Examples:
+  ${flagName} https://github.com/user/repo
+  ${flagName} https://gitlab.company.com/team/skills`
+    );
+  }
+}
+function validateGitShorthand(source, repoPath, flagName) {
+  if (!repoPath.includes("/")) {
+    throw new Error(
+      `${flagName} has an invalid repository reference: "${source}"
+
+Git shorthand sources require an owner/repo format.
+Examples:
+  ${flagName} github:user/repo
+  ${flagName} gh:organization/skills`
+    );
+  }
+}
+function validateLocalPath(source, flagName) {
+  const CONTROL_CHAR_PATTERN2 = /[\x00-\x08\x0E-\x1F\x7F]/u;
+  if (CONTROL_CHAR_PATTERN2.test(source)) {
+    throw new Error(
+      `${flagName} contains invalid characters: "${source}"
+
+Source paths must not contain control characters.
+Examples:
+  ${flagName} ./my-skills
+  ${flagName} /home/user/skills`
+    );
+  }
+  if (UNC_PATH_PATTERN.test(source)) {
+    throw new Error(
+      `${flagName} contains a UNC network path: "${source}"
+
+Network paths (\\\\server\\share or //server/share) are not allowed for security reasons.
+Use a local directory path or a remote URL instead.
+Examples:
+  ${flagName} ./my-skills
+  ${flagName} /home/user/skills
+  ${flagName} https://github.com/user/repo`
+    );
+  }
+}
 function isLocalSource(source) {
   if (source.startsWith("/") || source.startsWith(".")) {
     return true;
   }
-  const remoteProtocols = [
-    "github:",
-    "gh:",
-    "gitlab:",
-    "bitbucket:",
-    "sourcehut:",
-    "https://",
-    "http://"
-  ];
-  const hasRemoteProtocol = remoteProtocols.some((prefix) => source.startsWith(prefix));
+  const hasRemoteProtocol = REMOTE_PROTOCOLS.some((prefix) => source.startsWith(prefix));
   if (!hasRemoteProtocol) {
     if (source.includes("..") || source.includes("~")) {
-      throw new Error(`Invalid source path: ${source}. Path traversal patterns are not allowed.`);
+      throw new Error(
+        `Invalid source path: ${source}. Path traversal patterns like '..' and '~' are not allowed for security reasons. Use absolute paths or remote URLs instead (e.g., '/home/user/skills' or 'https://github.com/user/repo').`
+      );
     }
   }
   return !hasRemoteProtocol;
@@ -218,8 +404,9 @@ function isLocalSource(source) {
 
 // src/cli/lib/loading/source-fetcher.ts
 init_esm_shims();
-import path25 from "path";
+import { createHash as createHash2 } from "crypto";
 import { downloadTemplate } from "giget";
+import path24 from "path";
 
 // src/cli/lib/configuration/index.ts
 init_esm_shims();
@@ -227,45 +414,73 @@ init_esm_shims();
 // src/cli/lib/configuration/config-generator.ts
 init_esm_shims();
 
+// src/cli/utils/typed-object.ts
+init_esm_shims();
+function typedEntries(obj) {
+  return Object.entries(obj);
+}
+function typedKeys(obj) {
+  return Object.keys(obj);
+}
+
 // src/cli/lib/skills/index.ts
 init_esm_shims();
 
 // src/cli/lib/skills/skill-metadata.ts
 init_esm_shims();
 import path3 from "path";
-import { parse as parseYaml3, stringify as stringifyYaml3 } from "yaml";
 import { sortBy } from "remeda";
+import { parse as parseYaml2, stringify as stringifyYaml2 } from "yaml";
 
 // src/cli/lib/versioning.ts
 init_esm_shims();
 import { createHash } from "crypto";
 import path2 from "path";
-import { stringify as stringifyYaml2, parse as parseYaml2 } from "yaml";
-var HASH_PREFIX_LENGTH = 7;
-var HASHABLE_FILES = ["SKILL.md", "reference.md"];
-var HASHABLE_DIRS = ["examples", "scripts"];
+
+// src/cli/lib/metadata-keys.ts
+init_esm_shims();
+var METADATA_KEYS = {
+  CLI_NAME: "cli_name",
+  CLI_DESCRIPTION: "cli_description",
+  CATEGORY: "category",
+  FORKED_FROM: "forked_from",
+  CONTENT_HASH: "content_hash",
+  USAGE_GUIDANCE: "usage_guidance"
+};
+var IMPORT_DEFAULTS = {
+  CATEGORY: "imported",
+  AUTHOR: "@imported"
+};
+var LOCAL_DEFAULTS = {
+  CATEGORY: "local",
+  AUTHOR: "@local"
+};
+var SKILL_CONTENT_FILES = [STANDARD_FILES.SKILL_MD, STANDARD_FILES.REFERENCE_MD];
+var SKILL_CONTENT_DIRS = [STANDARD_DIRS.EXAMPLES, STANDARD_DIRS.SCRIPTS];
+
+// src/cli/lib/versioning.ts
 function getCurrentDate() {
   return (/* @__PURE__ */ new Date()).toISOString().split("T")[0];
 }
-function hashString(content) {
+function computeStringHash(content) {
   const hash = createHash("sha256");
   hash.update(content);
   return hash.digest("hex").slice(0, HASH_PREFIX_LENGTH);
 }
-async function hashFile(filePath) {
+async function computeFileHash(filePath) {
   const content = await readFile(filePath);
-  return hashString(content);
+  return computeStringHash(content);
 }
-async function hashSkillFolder(skillPath) {
+async function computeSkillFolderHash(skillPath) {
   const contents = [];
-  for (const fileName of HASHABLE_FILES) {
+  for (const fileName of SKILL_CONTENT_FILES) {
     const filePath = path2.join(skillPath, fileName);
     if (await fileExists(filePath)) {
       const content = await readFile(filePath);
       contents.push(`${fileName}:${content}`);
     }
   }
-  for (const dirName of HASHABLE_DIRS) {
+  for (const dirName of SKILL_CONTENT_DIRS) {
     const dirPath = path2.join(skillPath, dirName);
     if (await fileExists(dirPath)) {
       const files = await glob("**/*", dirPath);
@@ -277,7 +492,7 @@ async function hashSkillFolder(skillPath) {
     }
   }
   const combined = contents.join("\n---\n");
-  return hashString(combined);
+  return computeStringHash(combined);
 }
 var CONTENT_HASH_FILE = ".content-hash";
 function parseMajorVersion(version) {
@@ -294,9 +509,9 @@ async function readExistingPluginManifest(pluginDir, getManifestPath) {
     return null;
   }
   try {
-    const content = await readFile(manifestPath);
+    const content = await readFileSafe(manifestPath, MAX_PLUGIN_FILE_SIZE);
     const manifest = pluginManifestSchema.parse(JSON.parse(content));
-    const hashFilePath = manifestPath.replace("plugin.json", CONTENT_HASH_FILE);
+    const hashFilePath = manifestPath.replace(STANDARD_FILES.PLUGIN_JSON, CONTENT_HASH_FILE);
     let contentHash;
     if (await fileExists(hashFilePath)) {
       contentHash = (await readFile(hashFilePath)).trim();
@@ -305,7 +520,8 @@ async function readExistingPluginManifest(pluginDir, getManifestPath) {
       version: manifest.version ?? DEFAULT_VERSION,
       contentHash
     };
-  } catch {
+  } catch (error) {
+    warn(`Failed to read plugin manifest at '${manifestPath}': ${getErrorMessage(error)}`);
     return null;
   }
 }
@@ -329,22 +545,23 @@ async function determinePluginVersion(newHash, pluginDir, getManifestPath) {
   };
 }
 async function writeContentHash(pluginDir, contentHash, getManifestPath) {
-  const hashFilePath = getManifestPath(pluginDir).replace("plugin.json", CONTENT_HASH_FILE);
+  const hashFilePath = getManifestPath(pluginDir).replace(
+    STANDARD_FILES.PLUGIN_JSON,
+    CONTENT_HASH_FILE
+  );
   await writeFile(hashFilePath, contentHash);
 }
 
 // src/cli/lib/skills/skill-metadata.ts
 async function readForkedFromMetadata(skillDir) {
-  const metadataPath = path3.join(skillDir, "metadata.yaml");
+  const metadataPath = path3.join(skillDir, STANDARD_FILES.METADATA_YAML);
   if (!await fileExists(metadataPath)) {
     return null;
   }
   const content = await readFile(metadataPath);
-  const result = localSkillMetadataSchema.safeParse(parseYaml3(content));
+  const result = localSkillMetadataSchema.safeParse(parseYaml2(content));
   if (!result.success) {
-    warn(
-      `Invalid metadata.yaml at ${metadataPath}: ${result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
-    );
+    warn(`Invalid metadata.yaml at ${metadataPath}: ${formatZodErrors(result.error.issues)}`);
     return null;
   }
   return result.data.forked_from ?? null;
@@ -365,13 +582,13 @@ async function getLocalSkillsWithMetadata(projectDir) {
   return result;
 }
 async function computeSourceHash(sourcePath, skillPath) {
-  const skillMdPath = path3.join(sourcePath, "src", skillPath, "SKILL.md");
+  const skillMdPath = path3.join(sourcePath, "src", skillPath, STANDARD_FILES.SKILL_MD);
   if (!await fileExists(skillMdPath)) {
     return null;
   }
-  return hashFile(skillMdPath);
+  return computeFileHash(skillMdPath);
 }
-async function compareSkills(projectDir, sourcePath, sourceSkills) {
+async function compareLocalSkillsWithSource(projectDir, sourcePath, sourceSkills) {
   const results = [];
   const localSkills = await getLocalSkillsWithMetadata(projectDir);
   for (const [skillId, { dirName, forkedFrom }] of localSkills) {
@@ -421,16 +638,16 @@ async function compareSkills(projectDir, sourcePath, sourceSkills) {
   return sortBy(results, (r) => r.id);
 }
 async function injectForkedFromMetadata(destPath, skillId, contentHash) {
-  const metadataPath = path3.join(destPath, "metadata.yaml");
+  const metadataPath = path3.join(destPath, STANDARD_FILES.METADATA_YAML);
   const rawContent = await readFile(metadataPath);
   const lines = rawContent.split("\n");
   let yamlContent = rawContent;
   if (lines[0]?.startsWith("# yaml-language-server:")) {
     yamlContent = lines.slice(1).join("\n");
   }
-  const parseResult = localSkillMetadataSchema.safeParse(parseYaml3(yamlContent));
+  const parseResult = localSkillMetadataSchema.safeParse(parseYaml2(yamlContent));
   if (!parseResult.success) {
-    warn(`Malformed metadata.yaml at ${metadataPath} \u2014 existing fields may be lost`);
+    warn(`Malformed metadata.yaml at '${metadataPath}' \u2014 existing fields may be lost`);
   }
   const metadata = parseResult.success ? parseResult.data : { forked_from: void 0 };
   metadata.forked_from = {
@@ -438,23 +655,45 @@ async function injectForkedFromMetadata(destPath, skillId, contentHash) {
     content_hash: contentHash,
     date: getCurrentDate()
   };
-  const newYamlContent = stringifyYaml3(metadata, { lineWidth: 0 });
-  await writeFile(metadataPath, newYamlContent);
+  const schemaComment = `${yamlSchemaComment(SCHEMA_PATHS.metadata)}
+`;
+  const newYamlContent = stringifyYaml2(metadata, { lineWidth: YAML_FORMATTING.LINE_WIDTH_NONE });
+  await writeFile(metadataPath, `${schemaComment}${newYamlContent}`);
 }
 
 // src/cli/lib/skills/skill-copier.ts
 init_esm_shims();
 import path4 from "path";
+var NULL_BYTE_PATTERN2 = /\0/;
+function validateSkillPath(resolvedPath, expectedParent, skillPath) {
+  if (NULL_BYTE_PATTERN2.test(skillPath)) {
+    throw new Error(`Invalid skill path: '${skillPath}' contains null bytes`);
+  }
+  const normalizedResolved = path4.resolve(resolvedPath);
+  const normalizedParent = path4.resolve(expectedParent);
+  if (!normalizedResolved.startsWith(normalizedParent + path4.sep) && normalizedResolved !== normalizedParent) {
+    throw new Error(
+      `Invalid skill path: '${skillPath}' escapes expected directory '${normalizedParent}'`
+    );
+  }
+}
+function resolveSkillPath(basePath, skillPath) {
+  const resolved = path4.join(basePath, skillPath);
+  validateSkillPath(resolved, basePath, skillPath);
+  return resolved;
+}
 function getSkillDestPath(skill, stackDir) {
   const skillRelativePath = skill.path.replace(/^skills\//, "");
-  return path4.join(stackDir, "skills", skillRelativePath);
+  const skillsDir = path4.join(stackDir, "skills");
+  return resolveSkillPath(skillsDir, skillRelativePath);
 }
 async function generateSkillHash(skillSourcePath) {
-  const skillMdPath = path4.join(skillSourcePath, "SKILL.md");
-  return hashFile(skillMdPath);
+  const skillMdPath = path4.join(skillSourcePath, STANDARD_FILES.SKILL_MD);
+  return computeFileHash(skillMdPath);
 }
 function getSkillSourcePathFromSource(skill, sourceResult) {
-  return path4.join(sourceResult.sourcePath, "src", skill.path);
+  const srcDir = path4.join(sourceResult.sourcePath, "src");
+  return resolveSkillPath(srcDir, skill.path);
 }
 async function copySkillFromSource(skill, stackDir, sourceResult) {
   const sourcePath = getSkillSourcePathFromSource(skill, sourceResult);
@@ -470,35 +709,43 @@ async function copySkillFromSource(skill, stackDir, sourceResult) {
     destPath
   };
 }
-async function copySkillsToPluginFromSource(selectedSkillIds, pluginDir, matrix, sourceResult, sourceSelections) {
-  const copiedSkills = [];
-  for (const skillId of selectedSkillIds) {
-    const skill = matrix.skills[skillId];
-    if (!skill) {
-      console.warn(`Warning: Skill not found in matrix: ${skillId}`);
-      continue;
-    }
-    const selectedSource = sourceSelections?.[skillId];
-    const userSelectedRemote = selectedSource && selectedSource !== "local";
-    if (skill.local && skill.localPath && !userSelectedRemote) {
-      const localSkillPath = path4.join(process.cwd(), skill.localPath);
-      const contentHash = await generateSkillHash(localSkillPath);
-      copiedSkills.push({
-        skillId: skill.id,
-        sourcePath: skill.localPath,
-        destPath: skill.localPath,
-        contentHash,
-        local: true
-      });
-      continue;
-    }
-    const copied = await copySkillFromSource(skill, pluginDir, sourceResult);
-    copiedSkills.push(copied);
-  }
-  return copiedSkills;
+async function copySkillsToPluginFromSource(selectedSkillIds, pluginDir, matrix, sourceResult, sourceSelections, onProgress) {
+  const total = selectedSkillIds.length;
+  let completed = 0;
+  const results = await Promise.all(
+    selectedSkillIds.map(async (skillId) => {
+      const skill = matrix.skills[skillId];
+      if (!skill) {
+        warn(`Skill not found in matrix: '${skillId}'`);
+        completed++;
+        onProgress?.(completed, total);
+        return null;
+      }
+      const selectedSource = sourceSelections?.[skillId];
+      const userSelectedRemote = selectedSource && selectedSource !== "local";
+      let result;
+      if (skill.local && skill.localPath && !userSelectedRemote) {
+        const localSkillPath = path4.join(process.cwd(), skill.localPath);
+        const contentHash = await generateSkillHash(localSkillPath);
+        result = {
+          skillId: skill.id,
+          sourcePath: skill.localPath,
+          destPath: skill.localPath,
+          contentHash,
+          local: true
+        };
+      } else {
+        result = await copySkillFromSource(skill, pluginDir, sourceResult);
+      }
+      completed++;
+      onProgress?.(completed, total);
+      return result;
+    })
+  );
+  return results.filter((r) => r !== null);
 }
 function getFlattenedSkillDestPath(skill, localSkillsDir) {
-  return path4.join(localSkillsDir, skill.id);
+  return resolveSkillPath(localSkillsDir, skill.id);
 }
 async function copySkillToLocalFlattened(skill, localSkillsDir, sourceResult) {
   const sourcePath = getSkillSourcePathFromSource(skill, sourceResult);
@@ -515,31 +762,30 @@ async function copySkillToLocalFlattened(skill, localSkillsDir, sourceResult) {
   };
 }
 async function copySkillsToLocalFlattened(selectedSkillIds, localSkillsDir, matrix, sourceResult, sourceSelections) {
-  const copiedSkills = [];
-  for (const skillId of selectedSkillIds) {
-    const skill = matrix.skills[skillId];
-    if (!skill) {
-      console.warn(`Warning: Skill not found in matrix: ${skillId}`);
-      continue;
-    }
-    const selectedSource = sourceSelections?.[skillId];
-    const userSelectedRemote = selectedSource && selectedSource !== "local";
-    if (skill.local && skill.localPath && !userSelectedRemote) {
-      const localSkillPath = path4.join(process.cwd(), skill.localPath);
-      const contentHash = await generateSkillHash(localSkillPath);
-      copiedSkills.push({
-        skillId: skill.id,
-        sourcePath: skill.localPath,
-        destPath: skill.localPath,
-        contentHash,
-        local: true
-      });
-      continue;
-    }
-    const copied = await copySkillToLocalFlattened(skill, localSkillsDir, sourceResult);
-    copiedSkills.push(copied);
-  }
-  return copiedSkills;
+  const results = await Promise.all(
+    selectedSkillIds.map(async (skillId) => {
+      const skill = matrix.skills[skillId];
+      if (!skill) {
+        warn(`Skill not found in matrix: '${skillId}'`);
+        return null;
+      }
+      const selectedSource = sourceSelections?.[skillId];
+      const userSelectedRemote = selectedSource && selectedSource !== "local";
+      if (skill.local && skill.localPath && !userSelectedRemote) {
+        const localSkillPath = path4.join(process.cwd(), skill.localPath);
+        const contentHash = await generateSkillHash(localSkillPath);
+        return {
+          skillId: skill.id,
+          sourcePath: skill.localPath,
+          destPath: skill.localPath,
+          contentHash,
+          local: true
+        };
+      }
+      return copySkillToLocalFlattened(skill, localSkillsDir, sourceResult);
+    })
+  );
+  return results.filter((r) => r !== null);
 }
 
 // src/cli/lib/skills/skill-agent-mappings.ts
@@ -550,7 +796,7 @@ init_esm_shims();
 
 // src/cli/lib/loading/loader.ts
 init_esm_shims();
-import { parse as parseYaml4 } from "yaml";
+import { parse as parseYaml3 } from "yaml";
 import path5 from "path";
 import { unique } from "remeda";
 var FRONTMATTER_REGEX = /^---\n([\s\S]*?)\n---/;
@@ -558,12 +804,10 @@ function parseFrontmatter(content, filePath) {
   const match = content.match(FRONTMATTER_REGEX);
   if (!match) return null;
   const yamlContent = match[1];
-  const parsed = skillFrontmatterLoaderSchema.safeParse(parseYaml4(yamlContent));
+  const parsed = skillFrontmatterLoaderSchema.safeParse(parseYaml3(yamlContent));
   if (!parsed.success) {
     const location = filePath ?? "unknown file";
-    warn(
-      `Invalid SKILL.md frontmatter in ${location}: ${parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
-    );
+    warn(`Invalid SKILL.md frontmatter in '${location}': ${formatZodErrors(parsed.error.issues)}`);
     return null;
   }
   return parsed.data;
@@ -576,7 +820,7 @@ async function loadAllAgents(projectRoot) {
     const fullPath = path5.join(agentSourcesDir, file);
     try {
       const content = await readFile(fullPath);
-      const config = agentYamlConfigSchema.parse(parseYaml4(content));
+      const config = agentYamlConfigSchema.parse(parseYaml3(content));
       const agentPath = path5.dirname(file);
       agents[config.id] = {
         title: config.title,
@@ -588,9 +832,7 @@ async function loadAllAgents(projectRoot) {
       };
       verbose(`Loaded agent: ${config.id} from ${file}`);
     } catch (error) {
-      warn(
-        `Skipping invalid agent.yaml at ${fullPath}: ${error instanceof Error ? error.message : String(error)}`
-      );
+      warn(`Skipping invalid agent.yaml at '${fullPath}': ${getErrorMessage(error)}`);
     }
   }
   return agents;
@@ -607,7 +849,7 @@ async function loadProjectAgents(projectRoot) {
     const fullPath = path5.join(projectAgentsDir, file);
     try {
       const content = await readFile(fullPath);
-      const config = agentYamlConfigSchema.parse(parseYaml4(content));
+      const config = agentYamlConfigSchema.parse(parseYaml3(content));
       const agentPath = path5.dirname(file);
       agents[config.id] = {
         title: config.title,
@@ -621,9 +863,7 @@ async function loadProjectAgents(projectRoot) {
       };
       verbose(`Loaded project agent: ${config.id} from ${file}`);
     } catch (error) {
-      warn(
-        `Skipping invalid agent.yaml at ${fullPath}: ${error instanceof Error ? error.message : String(error)}`
-      );
+      warn(`Skipping invalid agent.yaml at '${fullPath}': ${getErrorMessage(error)}`);
     }
   }
   return agents;
@@ -655,13 +895,13 @@ async function loadSkillsByIds(skillIds, projectRoot) {
     } else {
       const childSkills = allSkillIds.filter((id) => {
         const dirPath = idToDirectoryPath[id];
-        return dirPath.startsWith(skillId + "/");
+        return dirPath.startsWith(`${skillId}/`);
       });
       if (childSkills.length > 0) {
         expandedSkillIds.push(...childSkills);
         verbose(`Expanded directory '${skillId}' to ${childSkills.length} skills`);
       } else {
-        console.warn(`  Warning: Unknown skill reference '${skillId}'`);
+        warn(`Unknown skill reference '${skillId}'`);
       }
     }
   }
@@ -669,16 +909,16 @@ async function loadSkillsByIds(skillIds, projectRoot) {
   for (const skillId of uniqueSkillIds) {
     const directoryPath = idToDirectoryPath[skillId];
     if (!directoryPath) {
-      console.warn(`  Warning: Could not find skill ${skillId}: No matching skill found`);
+      warn(`Could not find skill '${skillId}': no matching skill found`);
       continue;
     }
     const skillPath = path5.join(skillsDir, directoryPath);
-    const skillMdPath = path5.join(skillPath, "SKILL.md");
+    const skillMdPath = path5.join(skillPath, STANDARD_FILES.SKILL_MD);
     try {
       const content = await readFile(skillMdPath);
       const frontmatter = parseFrontmatter(content, skillMdPath);
       if (!frontmatter) {
-        warn(`Skipping ${skillId}: Missing or invalid frontmatter`);
+        warn(`Skipping '${skillId}': missing or invalid frontmatter`);
         continue;
       }
       const canonicalId = frontmatter.name;
@@ -693,7 +933,7 @@ async function loadSkillsByIds(skillIds, projectRoot) {
       }
       verbose(`Loaded skill: ${canonicalId} (from ${directoryPath})`);
     } catch (error) {
-      console.warn(`  Warning: Could not load skill ${skillId}: ${error}`);
+      warn(`Could not load skill '${skillId}': ${error}`);
     }
   }
   return skills;
@@ -710,7 +950,7 @@ async function loadPluginSkills(pluginDir) {
     const content = await readFile(fullPath);
     const frontmatter = parseFrontmatter(content, fullPath);
     if (!frontmatter) {
-      warn(`Skipping ${file}: Missing or invalid frontmatter`);
+      warn(`Skipping '${file}': missing or invalid frontmatter`);
       continue;
     }
     const folderPath = file.replace("/SKILL.md", "");
@@ -735,7 +975,7 @@ init_esm_shims();
 
 // src/cli/lib/matrix/matrix-loader.ts
 init_esm_shims();
-import { parse as parseYaml5 } from "yaml";
+import { parse as parseYaml4 } from "yaml";
 import path6 from "path";
 import { z } from "zod";
 var rawMetadataSchema = z.object({
@@ -756,11 +996,11 @@ var rawMetadataSchema = z.object({
 });
 async function loadSkillsMatrix(configPath) {
   const content = await readFile(configPath);
-  const raw = parseYaml5(content);
+  const raw = parseYaml4(content);
   const result = skillsMatrixConfigSchema.safeParse(raw);
   if (!result.success) {
     throw new Error(
-      `Invalid skills matrix at ${configPath}: ${result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
+      `Invalid skills matrix at '${configPath}': ${formatZodErrors(result.error.issues)}`
     );
   }
   verbose(`Loaded skills matrix: ${configPath}`);
@@ -768,21 +1008,21 @@ async function loadSkillsMatrix(configPath) {
 }
 async function extractAllSkills(skillsDir) {
   const skills = [];
-  const metadataFiles = await glob("**/metadata.yaml", skillsDir);
+  const metadataFiles = await glob(`**/${STANDARD_FILES.METADATA_YAML}`, skillsDir);
   for (const metadataFile of metadataFiles) {
     const skillDir = path6.dirname(metadataFile);
-    const skillMdPath = path6.join(skillsDir, skillDir, "SKILL.md");
+    const skillMdPath = path6.join(skillsDir, skillDir, STANDARD_FILES.SKILL_MD);
     const metadataPath = path6.join(skillsDir, metadataFile);
     if (!await fileExists(skillMdPath)) {
-      verbose(`Skipping ${metadataFile}: No SKILL.md found`);
+      verbose(`Skipping ${metadataFile}: No ${STANDARD_FILES.SKILL_MD} found`);
       continue;
     }
     const metadataContent = await readFile(metadataPath);
-    const rawMetadata = parseYaml5(metadataContent);
+    const rawMetadata = parseYaml4(metadataContent);
     const metadataResult = rawMetadataSchema.safeParse(rawMetadata);
     if (!metadataResult.success) {
       warn(
-        `Skipping ${metadataFile}: Invalid metadata.yaml \u2014 ${metadataResult.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
+        `Skipping '${metadataFile}': invalid metadata.yaml \u2014 ${formatZodErrors(metadataResult.error.issues)}`
       );
       continue;
     }
@@ -795,7 +1035,7 @@ async function extractAllSkills(skillsDir) {
     }
     if (!metadata.cli_name) {
       throw new Error(
-        `Skill at ${metadataFile} is missing required 'cli_name' field in metadata.yaml`
+        `Skill at ${metadataFile} is missing required '${METADATA_KEYS.CLI_NAME}' field in metadata.yaml`
       );
     }
     const skillId = frontmatter.name;
@@ -849,10 +1089,13 @@ function buildAliasTargetToSkillIdMap(displayNameToId, skills) {
   }
   const aliasTargets = new Set(Object.values(displayNameToId));
   for (const skill of skills) {
-    for (const aliasTarget of aliasTargets) {
-      if (aliasTarget !== skill.id && (skill.id.endsWith(`/${aliasTarget}`) || skill.id === aliasTarget)) {
-        map[aliasTarget] = skill.id;
+    let slashIdx = skill.id.indexOf("/");
+    while (slashIdx !== -1) {
+      const suffix = skill.id.slice(slashIdx + 1);
+      if (suffix && aliasTargets.has(suffix) && suffix !== skill.id) {
+        map[suffix] = skill.id;
       }
+      slashIdx = skill.id.indexOf("/", slashIdx + 1);
     }
   }
   return map;
@@ -911,110 +1154,99 @@ async function mergeMatrixWithSkills(matrix, skills) {
   };
   return merged;
 }
-function buildResolvedSkill(skill, matrix, displayNameToId, displayNames, directoryPathToId, aliasTargetToSkillId) {
-  const conflictsWith = [];
-  const recommends = [];
-  const requires = [];
-  const alternatives = [];
-  const discourages = [];
-  const resolve = (id, relationContext) => resolveToCanonicalId(
-    id,
-    displayNameToId,
-    directoryPathToId,
-    aliasTargetToSkillId,
-    relationContext ? `${skill.id} ${relationContext}` : void 0
-  );
-  for (const conflictRef of skill.conflictsWith) {
-    const canonicalId = resolve(conflictRef, "conflictsWith");
-    conflictsWith.push({
-      skillId: canonicalId,
+function resolveConflicts(skillId, metadataConflicts, conflictRules, resolve) {
+  const conflicts = [];
+  for (const conflictRef of metadataConflicts) {
+    conflicts.push({
+      skillId: resolve(conflictRef, "conflictsWith"),
       reason: "Defined in skill metadata"
     });
   }
-  for (const conflictRule of matrix.relationships.conflicts) {
-    const resolvedSkills = conflictRule.skills.map((id) => resolve(id, "conflicts"));
-    if (resolvedSkills.includes(skill.id)) {
-      for (const otherSkill of resolvedSkills) {
-        if (otherSkill !== skill.id) {
-          if (!conflictsWith.some((c) => c.skillId === otherSkill)) {
-            conflictsWith.push({
-              skillId: otherSkill,
-              reason: conflictRule.reason
-            });
-          }
-        }
+  for (const rule of conflictRules) {
+    const resolved = rule.skills.map((id) => resolve(id, "conflicts"));
+    if (!resolved.includes(skillId)) continue;
+    for (const other of resolved) {
+      if (other !== skillId && !conflicts.some((c) => c.skillId === other)) {
+        conflicts.push({ skillId: other, reason: rule.reason });
       }
     }
   }
-  for (const compatRef of skill.compatibleWith) {
-    const canonicalId = resolve(compatRef, "compatibleWith");
+  return conflicts;
+}
+function resolveRecommends(skillId, compatibleWith, recommendRules, resolve) {
+  const recommends = [];
+  for (const compatRef of compatibleWith) {
     recommends.push({
-      skillId: canonicalId,
+      skillId: resolve(compatRef, "compatibleWith"),
       reason: "Compatible with this skill"
     });
   }
-  for (const recommendRule of matrix.relationships.recommends) {
-    const whenCanonicalId = resolve(recommendRule.when, "recommends.when");
-    if (whenCanonicalId === skill.id) {
-      for (const suggested of recommendRule.suggest) {
-        const canonicalId = resolve(suggested, "recommends.suggest");
-        if (!recommends.some((r) => r.skillId === canonicalId)) {
-          recommends.push({
-            skillId: canonicalId,
-            reason: recommendRule.reason
-          });
-        }
+  for (const rule of recommendRules) {
+    if (resolve(rule.when, "recommends.when") !== skillId) continue;
+    for (const suggested of rule.suggest) {
+      const canonicalId = resolve(suggested, "recommends.suggest");
+      if (!recommends.some((r) => r.skillId === canonicalId)) {
+        recommends.push({ skillId: canonicalId, reason: rule.reason });
       }
     }
   }
-  if (skill.requires.length > 0) {
+  return recommends;
+}
+function resolveRequirements(skillId, metadataRequires, requireRules, resolve) {
+  const requires = [];
+  if (metadataRequires.length > 0) {
     requires.push({
-      skillIds: skill.requires.map((id) => resolve(id, "requires")),
+      skillIds: metadataRequires.map((id) => resolve(id, "requires")),
       needsAny: false,
       reason: "Defined in skill metadata"
     });
   }
-  for (const requireRule of matrix.relationships.requires) {
-    const skillCanonicalId = resolve(requireRule.skill, "requires.skill");
-    if (skillCanonicalId === skill.id) {
-      requires.push({
-        skillIds: requireRule.needs.map((id) => resolve(id, "requires.needs")),
-        needsAny: requireRule.needs_any ?? false,
-        reason: requireRule.reason
-      });
-    }
+  for (const rule of requireRules) {
+    if (resolve(rule.skill, "requires.skill") !== skillId) continue;
+    requires.push({
+      skillIds: rule.needs.map((id) => resolve(id, "requires.needs")),
+      needsAny: rule.needs_any ?? false,
+      reason: rule.reason
+    });
   }
-  for (const altGroup of matrix.relationships.alternatives) {
-    const resolvedAlts = altGroup.skills.map((id) => resolve(id, "alternatives"));
-    if (resolvedAlts.includes(skill.id)) {
-      for (const altSkill of resolvedAlts) {
-        if (altSkill !== skill.id) {
-          alternatives.push({
-            skillId: altSkill,
-            purpose: altGroup.purpose
-          });
-        }
+  return requires;
+}
+function resolveAlternatives(skillId, alternativeGroups, resolve) {
+  const alternatives = [];
+  for (const group of alternativeGroups) {
+    const resolved = group.skills.map((id) => resolve(id, "alternatives"));
+    if (!resolved.includes(skillId)) continue;
+    for (const alt of resolved) {
+      if (alt !== skillId) {
+        alternatives.push({ skillId: alt, purpose: group.purpose });
       }
     }
   }
-  if (matrix.relationships.discourages) {
-    for (const discourageRule of matrix.relationships.discourages) {
-      const resolvedSkills = discourageRule.skills.map((id) => resolve(id, "discourages"));
-      if (resolvedSkills.includes(skill.id)) {
-        for (const otherSkill of resolvedSkills) {
-          if (otherSkill !== skill.id) {
-            if (!discourages.some((d) => d.skillId === otherSkill)) {
-              discourages.push({
-                skillId: otherSkill,
-                reason: discourageRule.reason
-              });
-            }
-          }
-        }
+  return alternatives;
+}
+function resolveDiscourages(skillId, discourageRules, resolve) {
+  if (!discourageRules) return [];
+  const discourages = [];
+  for (const rule of discourageRules) {
+    const resolved = rule.skills.map((id) => resolve(id, "discourages"));
+    if (!resolved.includes(skillId)) continue;
+    for (const other of resolved) {
+      if (other !== skillId && !discourages.some((d) => d.skillId === other)) {
+        discourages.push({ skillId: other, reason: rule.reason });
       }
     }
   }
-  const compatibleWith = skill.compatibleWith.map((id) => resolve(id, "compatibleWith"));
+  return discourages;
+}
+function buildResolvedSkill(skill, matrix, displayNameToId, displayNames, directoryPathToId, aliasTargetToSkillId) {
+  const resolve = (id, context) => resolveToCanonicalId(
+    id,
+    displayNameToId,
+    directoryPathToId,
+    aliasTargetToSkillId,
+    context ? `${skill.id} ${context}` : void 0
+  );
+  const { relationships } = matrix;
   return {
     id: skill.id,
     displayName: displayNames[skill.id],
@@ -1024,12 +1256,22 @@ function buildResolvedSkill(skill, matrix, displayNameToId, displayNames, direct
     categoryExclusive: skill.categoryExclusive,
     tags: skill.tags,
     author: skill.author,
-    conflictsWith,
-    recommends,
-    requires,
-    alternatives,
-    discourages,
-    compatibleWith,
+    conflictsWith: resolveConflicts(
+      skill.id,
+      skill.conflictsWith,
+      relationships.conflicts,
+      resolve
+    ),
+    recommends: resolveRecommends(
+      skill.id,
+      skill.compatibleWith,
+      relationships.recommends,
+      resolve
+    ),
+    requires: resolveRequirements(skill.id, skill.requires, relationships.requires, resolve),
+    alternatives: resolveAlternatives(skill.id, relationships.alternatives, resolve),
+    discourages: resolveDiscourages(skill.id, relationships.discourages, resolve),
+    compatibleWith: skill.compatibleWith.map((id) => resolve(id, "compatibleWith")),
     requiresSetup: skill.requiresSetup.map((id) => resolve(id, "requiresSetup")),
     providesSetupFor: skill.providesSetupFor.map((id) => resolve(id, "providesSetupFor")),
     path: skill.path
@@ -1048,6 +1290,11 @@ function getLabel(skill, fallback) {
 function resolveAlias(aliasOrId, matrix) {
   return matrix.displayNameToId[aliasOrId] || aliasOrId;
 }
+function initializeSelectionContext(currentSelections, matrix) {
+  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const selectedSet = new Set(resolvedSelections);
+  return { resolvedSelections, selectedSet };
+}
 function isDisabled(skillId, currentSelections, matrix, options) {
   if (options?.expertMode) {
     return false;
@@ -1063,19 +1310,19 @@ function isDisabled(skillId, currentSelections, matrix, options) {
       return true;
     }
     const selectedSkill = matrix.skills[selectedFullId];
-    if (selectedSkill && selectedSkill.conflictsWith.some((c) => c.skillId === fullId)) {
+    if (selectedSkill?.conflictsWith.some((c) => c.skillId === fullId)) {
       return true;
     }
   }
-  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const { selectedSet } = initializeSelectionContext(currentSelections, matrix);
   for (const requirement of skill.requires) {
     if (requirement.needsAny) {
-      const hasAny = requirement.skillIds.some((reqId) => resolvedSelections.includes(reqId));
+      const hasAny = requirement.skillIds.some((reqId) => selectedSet.has(reqId));
       if (!hasAny) {
         return true;
       }
     } else {
-      const hasAll = requirement.skillIds.every((reqId) => resolvedSelections.includes(reqId));
+      const hasAll = requirement.skillIds.every((reqId) => selectedSet.has(reqId));
       if (!hasAll) {
         return true;
       }
@@ -1089,7 +1336,7 @@ function getDisableReason(skillId, currentSelections, matrix) {
   if (!skill) {
     return void 0;
   }
-  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const { resolvedSelections, selectedSet } = initializeSelectionContext(currentSelections, matrix);
   for (const selectedId of resolvedSelections) {
     const conflict = skill.conflictsWith.find((c) => c.skillId === selectedId);
     if (conflict) {
@@ -1106,15 +1353,13 @@ function getDisableReason(skillId, currentSelections, matrix) {
   }
   for (const requirement of skill.requires) {
     if (requirement.needsAny) {
-      const hasAny = requirement.skillIds.some((reqId) => resolvedSelections.includes(reqId));
+      const hasAny = requirement.skillIds.some((reqId) => selectedSet.has(reqId));
       if (!hasAny) {
         const requiredNames = requirement.skillIds.map((id) => getLabel(matrix.skills[id], id)).join(" or ");
         return `${requirement.reason} (requires ${requiredNames})`;
       }
     } else {
-      const missingIds = requirement.skillIds.filter(
-        (reqId) => !resolvedSelections.includes(reqId)
-      );
+      const missingIds = requirement.skillIds.filter((reqId) => !selectedSet.has(reqId));
       if (missingIds.length > 0) {
         const missingNames = missingIds.map((id) => getLabel(matrix.skills[id], id)).join(", ");
         return `${requirement.reason} (requires ${missingNames})`;
@@ -1129,10 +1374,10 @@ function isDiscouraged(skillId, currentSelections, matrix) {
   if (!skill) {
     return false;
   }
-  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const { resolvedSelections } = initializeSelectionContext(currentSelections, matrix);
   for (const selectedId of resolvedSelections) {
     const selectedSkill = matrix.skills[selectedId];
-    if (selectedSkill && selectedSkill.discourages.some((d) => d.skillId === fullId)) {
+    if (selectedSkill?.discourages.some((d) => d.skillId === fullId)) {
       return true;
     }
     if (skill.discourages.some((d) => d.skillId === selectedId)) {
@@ -1147,7 +1392,7 @@ function getDiscourageReason(skillId, currentSelections, matrix) {
   if (!skill) {
     return void 0;
   }
-  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const { resolvedSelections } = initializeSelectionContext(currentSelections, matrix);
   for (const selectedId of resolvedSelections) {
     const selectedSkill = matrix.skills[selectedId];
     if (selectedSkill) {
@@ -1169,10 +1414,10 @@ function isRecommended(skillId, currentSelections, matrix) {
   if (!skill) {
     return false;
   }
-  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const { resolvedSelections } = initializeSelectionContext(currentSelections, matrix);
   for (const selectedId of resolvedSelections) {
     const selectedSkill = matrix.skills[selectedId];
-    if (selectedSkill && selectedSkill.recommends.some((r) => r.skillId === fullId)) {
+    if (selectedSkill?.recommends.some((r) => r.skillId === fullId)) {
       return true;
     }
   }
@@ -1184,7 +1429,7 @@ function getRecommendReason(skillId, currentSelections, matrix) {
   if (!skill) {
     return void 0;
   }
-  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const { resolvedSelections } = initializeSelectionContext(currentSelections, matrix);
   for (const selectedId of resolvedSelections) {
     const selectedSkill = matrix.skills[selectedId];
     if (selectedSkill) {
@@ -1196,10 +1441,8 @@ function getRecommendReason(skillId, currentSelections, matrix) {
   }
   return void 0;
 }
-function validateSelection(selections, matrix) {
+function validateConflicts(resolvedSelections, matrix) {
   const errors = [];
-  const warnings = [];
-  const resolvedSelections = selections.map((s) => resolveAlias(s, matrix));
   for (let i = 0; i < resolvedSelections.length; i++) {
     const skillA = matrix.skills[resolvedSelections[i]];
     if (!skillA) continue;
@@ -1215,12 +1458,16 @@ function validateSelection(selections, matrix) {
       }
     }
   }
+  return { errors, warnings: [] };
+}
+function validateRequirements(resolvedSelections, selectedSet, matrix) {
+  const errors = [];
   for (const skillId of resolvedSelections) {
     const skill = matrix.skills[skillId];
     if (!skill) continue;
     for (const requirement of skill.requires) {
       if (requirement.needsAny) {
-        const hasAny = requirement.skillIds.some((reqId) => resolvedSelections.includes(reqId));
+        const hasAny = requirement.skillIds.some((reqId) => selectedSet.has(reqId));
         if (!hasAny) {
           errors.push({
             type: "missing_requirement",
@@ -1229,9 +1476,7 @@ function validateSelection(selections, matrix) {
           });
         }
       } else {
-        const missingIds = requirement.skillIds.filter(
-          (reqId) => !resolvedSelections.includes(reqId)
-        );
+        const missingIds = requirement.skillIds.filter((reqId) => !selectedSet.has(reqId));
         if (missingIds.length > 0) {
           errors.push({
             type: "missing_requirement",
@@ -1242,6 +1487,10 @@ function validateSelection(selections, matrix) {
       }
     }
   }
+  return { errors, warnings: [] };
+}
+function validateExclusivity(resolvedSelections, matrix) {
+  const errors = [];
   const validSkills = resolvedSelections.map((skillId) => ({ skillId, skill: matrix.skills[skillId] })).filter((entry) => entry.skill != null);
   const categorySelections = groupBy(validSkills, (entry) => entry.skill.category);
   for (const [categoryId, entries] of typedEntries(categorySelections)) {
@@ -1257,15 +1506,19 @@ function validateSelection(selections, matrix) {
       }
     }
   }
+  return { errors, warnings: [] };
+}
+function validateRecommendations(resolvedSelections, selectedSet, matrix) {
+  const warnings = [];
   for (const skillId of resolvedSelections) {
     const skill = matrix.skills[skillId];
     if (!skill) continue;
     for (const recommendation of skill.recommends) {
-      if (!resolvedSelections.includes(recommendation.skillId)) {
+      if (!selectedSet.has(recommendation.skillId)) {
         const recommendedSkill = matrix.skills[recommendation.skillId];
         if (recommendedSkill) {
           const hasConflict = recommendedSkill.conflictsWith.some(
-            (c) => resolvedSelections.includes(c.skillId)
+            (c) => selectedSet.has(c.skillId)
           );
           if (!hasConflict) {
             warnings.push({
@@ -1278,12 +1531,14 @@ function validateSelection(selections, matrix) {
       }
     }
   }
+  return { errors: [], warnings };
+}
+function validateSetupUsage(resolvedSelections, selectedSet, matrix) {
+  const warnings = [];
   for (const skillId of resolvedSelections) {
     const skill = matrix.skills[skillId];
     if (!skill || skill.providesSetupFor.length === 0) continue;
-    const hasUsageSkill = skill.providesSetupFor.some(
-      (usageId) => resolvedSelections.includes(usageId)
-    );
+    const hasUsageSkill = skill.providesSetupFor.some((usageId) => selectedSet.has(usageId));
     if (!hasUsageSkill) {
       warnings.push({
         type: "unused_setup",
@@ -1292,6 +1547,23 @@ function validateSelection(selections, matrix) {
       });
     }
   }
+  return { errors: [], warnings };
+}
+function mergeValidationResults(results) {
+  return {
+    errors: results.flatMap((r) => r.errors),
+    warnings: results.flatMap((r) => r.warnings)
+  };
+}
+function validateSelection(selections, matrix) {
+  const { resolvedSelections, selectedSet } = initializeSelectionContext(selections, matrix);
+  const { errors, warnings } = mergeValidationResults([
+    validateConflicts(resolvedSelections, matrix),
+    validateRequirements(resolvedSelections, selectedSet, matrix),
+    validateExclusivity(resolvedSelections, matrix),
+    validateRecommendations(resolvedSelections, selectedSet, matrix),
+    validateSetupUsage(resolvedSelections, selectedSet, matrix)
+  ]);
   return {
     valid: errors.length === 0,
     errors,
@@ -1300,7 +1572,7 @@ function validateSelection(selections, matrix) {
 }
 function getAvailableSkills(categoryId, currentSelections, matrix, options) {
   const skillOptions = [];
-  const resolvedSelections = currentSelections.map((s) => resolveAlias(s, matrix));
+  const { selectedSet } = initializeSelectionContext(currentSelections, matrix);
   for (const skill of Object.values(matrix.skills)) {
     if (!skill) continue;
     if (skill.category !== categoryId) {
@@ -1319,7 +1591,7 @@ function getAvailableSkills(categoryId, currentSelections, matrix, options) {
       discouragedReason: discouraged ? getDiscourageReason(skill.id, currentSelections, matrix) : void 0,
       recommended,
       recommendedReason: recommended ? getRecommendReason(skill.id, currentSelections, matrix) : void 0,
-      selected: resolvedSelections.includes(skill.id),
+      selected: selectedSet.has(skill.id),
       alternatives: skill.alternatives.map((a) => a.skillId)
     });
   }
@@ -1473,8 +1745,8 @@ init_esm_shims();
 // src/cli/lib/plugins/plugin-manifest.ts
 init_esm_shims();
 import path7 from "path";
-var PLUGIN_DIR_NAME = ".claude-plugin";
-var PLUGIN_MANIFEST_FILE2 = "plugin.json";
+var PLUGIN_DIR_NAME = PLUGIN_MANIFEST_DIR;
+var PLUGIN_MANIFEST_FILE2 = STANDARD_FILES.PLUGIN_JSON;
 var SKILL_PLUGIN_PREFIX = "";
 var AGENT_PLUGIN_PREFIX = "agent-";
 function buildAuthor(name, email) {
@@ -1567,9 +1839,11 @@ async function findPluginManifest(startDir) {
 // src/cli/lib/plugins/plugin-finder.ts
 init_esm_shims();
 import path9 from "path";
+import { last, zip } from "remeda";
+var MAX_SKILL_NAME_LENGTH = 100;
 function getCollectivePluginDir(projectDir) {
   const dir = projectDir ?? process.cwd();
-  return path9.join(dir, CLAUDE_DIR, PLUGINS_SUBDIR, "claude-collective");
+  return path9.join(dir, CLAUDE_DIR, PLUGINS_SUBDIR, DEFAULT_PLUGIN_NAME);
 }
 function getProjectPluginsDir(projectDir) {
   const dir = projectDir ?? process.cwd();
@@ -1591,7 +1865,7 @@ async function readPluginManifest(pluginDir) {
     return null;
   }
   try {
-    const content = await readFile(manifestPath);
+    const content = await readFileSafe(manifestPath, MAX_PLUGIN_FILE_SIZE);
     const manifest = pluginManifestSchema.parse(JSON.parse(content));
     if (!manifest.name || typeof manifest.name !== "string") {
       verbose(`  Invalid manifest at ${manifestPath}: missing name`);
@@ -1607,29 +1881,40 @@ async function getPluginSkillIds(pluginSkillsDir, matrix) {
   const skillFiles = await glob("**/SKILL.md", pluginSkillsDir);
   const skillIds = [];
   const aliasToId = /* @__PURE__ */ new Map();
-  for (const [id, skill] of Object.entries(matrix.skills)) {
+  for (const [id, skill] of typedEntries(matrix.skills)) {
     if (!skill) continue;
     if (skill.displayName) {
       aliasToId.set(skill.displayName.toLowerCase(), id);
     }
   }
   const dirToId = /* @__PURE__ */ new Map();
-  for (const [id] of Object.entries(matrix.skills)) {
+  for (const [id] of typedEntries(matrix.skills)) {
     const idParts = id.split("/");
-    const lastPart = idParts[idParts.length - 1];
+    const lastPart = last(idParts);
     if (lastPart) {
       dirToId.set(lastPart.toLowerCase(), id);
     }
   }
-  for (const skillFile of skillFiles) {
-    const fullPath = path9.join(pluginSkillsDir, skillFile);
-    const content = await readFile(fullPath);
+  const fileContents = await Promise.all(
+    skillFiles.map((skillFile) => readFile(path9.join(pluginSkillsDir, skillFile)))
+  );
+  for (const [skillFile, content] of zip(skillFiles, fileContents)) {
     const frontmatterMatch = content.match(/^---\n([\s\S]*?)\n---/);
     if (frontmatterMatch) {
       const frontmatter = frontmatterMatch[1];
       const nameMatch = frontmatter.match(/^name:\s*["']?(.+?)["']?\s*$/m);
       if (nameMatch) {
         const skillName = nameMatch[1].trim();
+        if (skillName.length === 0) {
+          warn(`Skipping plugin skill '${skillFile}': empty name in frontmatter`);
+          continue;
+        }
+        if (skillName.length > MAX_SKILL_NAME_LENGTH) {
+          warn(
+            `Skipping plugin skill '${skillFile}': name exceeds ${MAX_SKILL_NAME_LENGTH} characters`
+          );
+          continue;
+        }
         if (matrix.skills[skillName]) {
           skillIds.push(skillName);
           continue;
@@ -1663,8 +1948,8 @@ init_esm_shims();
 init_esm_shims();
 import path10 from "path";
 async function detectInstallation(projectDir = process.cwd()) {
-  const srcConfigPath = path10.join(projectDir, CLAUDE_SRC_DIR, "config.yaml");
-  const legacyConfigPath = path10.join(projectDir, CLAUDE_DIR, "config.yaml");
+  const srcConfigPath = path10.join(projectDir, CLAUDE_SRC_DIR, STANDARD_FILES.CONFIG_YAML);
+  const legacyConfigPath = path10.join(projectDir, CLAUDE_DIR, STANDARD_FILES.CONFIG_YAML);
   const localConfigPath = await fileExists(srcConfigPath) ? srcConfigPath : await fileExists(legacyConfigPath) ? legacyConfigPath : null;
   if (localConfigPath) {
     const loaded = await loadProjectConfig(projectDir);
@@ -1680,7 +1965,7 @@ async function detectInstallation(projectDir = process.cwd()) {
     }
   }
   const pluginDir = getCollectivePluginDir(projectDir);
-  const pluginConfigPath = path10.join(pluginDir, "config.yaml");
+  const pluginConfigPath = path10.join(pluginDir, STANDARD_FILES.CONFIG_YAML);
   if (await directoryExists(pluginDir)) {
     return {
       mode: "plugin",
@@ -1696,41 +1981,59 @@ async function detectInstallation(projectDir = process.cwd()) {
 // src/cli/lib/installation/local-installer.ts
 init_esm_shims();
 import path15 from "path";
-import { stringify as stringifyYaml4 } from "yaml";
+import { stringify as stringifyYaml3 } from "yaml";
 
 // src/cli/lib/stacks/index.ts
 init_esm_shims();
 
 // src/cli/lib/stacks/stacks-loader.ts
 init_esm_shims();
-import { parse as parseYaml6 } from "yaml";
+import { parse as parseYaml5 } from "yaml";
 import path11 from "path";
-import { mapValues } from "remeda";
+import { mapValues, pipe, flatMap, unique as unique2 } from "remeda";
 var STACKS_FILE = "config/stacks.yaml";
 var stacksCache = /* @__PURE__ */ new Map();
-async function loadStacks(configDir) {
-  const cacheKey = configDir;
+function normalizeAgentConfig(agentConfig) {
+  return mapValues(agentConfig, (value) => {
+    const items = Array.isArray(value) ? value : [value];
+    return items.map(
+      (item) => typeof item === "string" ? { id: item, preloaded: false } : item
+    );
+  });
+}
+function normalizeStackRecord(rawStack) {
+  return mapValues(rawStack, (agentConfig) => normalizeAgentConfig(agentConfig));
+}
+async function loadStacks(configDir, stacksFile) {
+  const resolvedStacksFile = stacksFile ?? STACKS_FILE;
+  const cacheKey = `${configDir}:${resolvedStacksFile}`;
   const cached = stacksCache.get(cacheKey);
   if (cached) return cached;
-  const stacksPath = path11.join(configDir, STACKS_FILE);
+  const stacksPath = path11.join(configDir, resolvedStacksFile);
   if (!await fileExists(stacksPath)) {
     verbose(`No stacks file found at ${stacksPath}`);
     return [];
   }
   try {
     const content = await readFile(stacksPath);
-    const result = stacksConfigSchema.safeParse(parseYaml6(content));
+    const result = stacksConfigSchema.safeParse(parseYaml5(content));
     if (!result.success) {
       throw new Error(
-        `Invalid stacks.yaml at ${stacksPath}: ${result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
+        `Invalid stacks.yaml at '${stacksPath}': ${formatZodErrors(result.error.issues)}`
       );
     }
-    const config = result.data;
-    stacksCache.set(cacheKey, config.stacks);
-    verbose(`Loaded ${config.stacks.length} stacks from ${stacksPath}`);
-    return config.stacks;
+    const stacks = result.data.stacks.map((stack) => ({
+      ...stack,
+      agents: mapValues(
+        stack.agents,
+        (agentConfig) => normalizeAgentConfig(agentConfig)
+      )
+    }));
+    stacksCache.set(cacheKey, stacks);
+    verbose(`Loaded ${stacks.length} stacks from ${stacksPath}`);
+    return stacks;
   } catch (error) {
-    const errorMessage = error instanceof Error ? error.message : String(error);
+    const errorMessage = getErrorMessage(error);
     throw new Error(`Failed to load stacks from '${stacksPath}': ${errorMessage}`);
   }
 }
@@ -1744,25 +2047,36 @@ async function loadStackById(stackId, configDir) {
   verbose(`Found stack: ${stack.name} (${stackId})`);
   return stack;
 }
-function resolveAgentConfigToSkills(agentConfig, displayNameToId) {
+function resolveAgentConfigToSkills(agentConfig) {
   const skillRefs = [];
-  for (const [subcategory, technologyDisplayName] of Object.entries(agentConfig)) {
-    const fullSkillId = displayNameToId[technologyDisplayName];
-    if (!fullSkillId) {
-      warn(
-        `No skill found for display name '${technologyDisplayName}' (subcategory: ${subcategory}) in stack config. Skipping.`
-      );
-      continue;
+  for (const [subcategory, assignments] of typedEntries(
+    agentConfig
+  )) {
+    if (!assignments) continue;
+    for (const assignment of assignments) {
+      if (!SKILL_ID_PATTERN.test(assignment.id)) {
+        warn(
+          `Invalid skill ID '${assignment.id}' for subcategory '${subcategory}' in stack config. Skipping.`
+        );
+        continue;
+      }
+      skillRefs.push({
+        id: assignment.id,
+        usage: `when working with ${subcategory}`,
+        preloaded: assignment.preloaded ?? false
+      });
     }
-    const isKeySkill = KEY_SUBCATEGORIES.has(subcategory);
-    skillRefs.push({
-      id: fullSkillId,
-      usage: `when working with ${subcategory}`,
-      preloaded: isKeySkill
-    });
   }
   return skillRefs;
 }
+function getStackSkillIds(stack) {
+  return pipe(
+    Object.values(stack),
+    flatMap(resolveAgentConfigToSkills),
+    (refs) => refs.map((r) => r.id),
+    unique2()
+  );
+}
 
 // src/cli/lib/stacks/stack-installer.ts
 init_esm_shims();
@@ -1777,7 +2091,7 @@ import path13 from "path";
 init_esm_shims();
 import { Liquid } from "liquidjs";
 import path12 from "path";
-import { pipe, flatMap, filter, uniqueBy } from "remeda";
+import { pipe as pipe2, flatMap as flatMap2, filter, uniqueBy } from "remeda";
 
 // src/cli/lib/resolver.ts
 init_esm_shims();
@@ -1797,17 +2111,9 @@ function resolveSkillReferences(skillRefs, skills) {
   return skillRefs.map((ref) => resolveSkillReference(ref, skills)).filter((skill) => skill !== null);
 }
 function buildSkillRefsFromConfig(agentStack) {
-  const skillRefs = [];
-  for (const [subcategory, skillId] of typedEntries(agentStack)) {
-    skillRefs.push({
-      id: skillId,
-      usage: `when working with ${subcategory}`,
-      preloaded: KEY_SUBCATEGORIES.has(subcategory)
-    });
-  }
-  return skillRefs;
+  return resolveAgentConfigToSkills(agentStack);
 }
-function resolveAgentSkillsFromStack(agentName, stack, displayNameToId) {
+function resolveAgentSkillsFromStack(agentName, stack) {
   const agentConfig = stack.agents[agentName];
   if (!agentConfig) {
     verbose(`Agent '${agentName}' not found in stack '${stack.id}'`);
@@ -1817,33 +2123,16 @@ function resolveAgentSkillsFromStack(agentName, stack, displayNameToId) {
     verbose(`Agent '${agentName}' has no technology config in stack '${stack.id}'`);
     return [];
   }
-  const skillRefs = [];
-  for (const [subcategory, technologyDisplayName] of typedEntries(
-    agentConfig
-  )) {
-    const fullSkillId = displayNameToId[technologyDisplayName];
-    if (!fullSkillId) {
-      verbose(
-        `Warning: No skill found for display name '${technologyDisplayName}' (agent: ${agentName}, subcategory: ${subcategory}). Skipping.`
-      );
-      continue;
-    }
-    const isKeySkill = KEY_SUBCATEGORIES.has(subcategory);
-    skillRefs.push({
-      id: fullSkillId,
-      usage: `when working with ${subcategory}`,
-      preloaded: isKeySkill
-    });
-  }
+  const skillRefs = resolveAgentConfigToSkills(agentConfig);
   verbose(`Resolved ${skillRefs.length} skills for agent '${agentName}' from stack '${stack.id}'`);
   return skillRefs;
 }
-async function getAgentSkills(agentName, agentConfig, stack, displayNameToId) {
+async function resolveAgentSkillRefs(agentName, agentConfig, stack) {
   if (agentConfig.skills && agentConfig.skills.length > 0) {
     return agentConfig.skills;
   }
-  if (stack && displayNameToId) {
-    const stackSkills = resolveAgentSkillsFromStack(agentName, stack, displayNameToId);
+  if (stack) {
+    const stackSkills = resolveAgentSkillsFromStack(agentName, stack);
     if (stackSkills.length > 0) {
       verbose(`Resolved ${stackSkills.length} skills from stack for ${agentName}`);
       return stackSkills;
@@ -1851,7 +2140,7 @@ async function getAgentSkills(agentName, agentConfig, stack, displayNameToId) {
   }
   return [];
 }
-async function resolveAgents(agents, skills, compileConfig, _projectRoot, stack, displayNameToId) {
+async function resolveAgents(agents, skills, compileConfig, _projectRoot, stack) {
   const resolved = {};
   const agentNames = typedKeys(compileConfig.agents);
   for (const agentName of agentNames) {
@@ -1864,7 +2153,7 @@ async function resolveAgents(agents, skills, compileConfig, _projectRoot, stack,
       );
     }
     const agentConfig = compileConfig.agents[agentName];
-    const skillRefs = await getAgentSkills(agentName, agentConfig, stack, displayNameToId);
+    const skillRefs = await resolveAgentSkillRefs(agentName, agentConfig, stack);
     const resolvedSkills = resolveSkillReferences(skillRefs, skills);
     resolved[agentName] = {
       name: agentName,
@@ -1880,7 +2169,7 @@ async function resolveAgents(agents, skills, compileConfig, _projectRoot, stack,
   }
   return resolved;
 }
-function stackToCompileConfig(stackId, stack) {
+function convertStackToCompileConfig(stackId, stack) {
   const agents = {};
   for (const agentId of stack.agents) {
     agents[agentId] = {};
@@ -1895,7 +2184,7 @@ function stackToCompileConfig(stackId, stack) {
 
 // src/cli/utils/frontmatter.ts
 init_esm_shims();
-import { parse as parseYaml7 } from "yaml";
+import { parse as parseYaml6 } from "yaml";
 function extractFrontmatter(content) {
   const frontmatterRegex = /^---\r?\n([\s\S]*?)\r?\n---/;
   const match = content.match(frontmatterRegex);
@@ -1903,13 +2192,75 @@ function extractFrontmatter(content) {
     return null;
   }
   try {
-    return parseYaml7(match[1]);
+    return parseYaml6(match[1]);
   } catch {
     return null;
   }
 }
 
 // src/cli/lib/compiler.ts
+var LIQUID_SYNTAX_PATTERN = /\{\{|\}\}|\{%|%\}/g;
+function sanitizeLiquidSyntax(value, fieldName) {
+  if (!LIQUID_SYNTAX_PATTERN.test(value)) return value;
+  LIQUID_SYNTAX_PATTERN.lastIndex = 0;
+  const sanitized = value.replace(LIQUID_SYNTAX_PATTERN, "");
+  warn(`Stripped Liquid template syntax from '${fieldName}' \u2014 possible template injection attempt`);
+  return sanitized;
+}
+function sanitizeString(value, fieldName) {
+  if (value === void 0) return void 0;
+  return sanitizeLiquidSyntax(value, fieldName);
+}
+function sanitizeStringArray(values, fieldName) {
+  if (!values) return values;
+  return values.map((v) => sanitizeLiquidSyntax(v, fieldName));
+}
+function sanitizeSkills(skills) {
+  return skills.map((s) => ({
+    ...s,
+    id: sanitizeLiquidSyntax(s.id, "skill.id"),
+    description: sanitizeLiquidSyntax(s.description, "skill.description"),
+    usage: sanitizeLiquidSyntax(s.usage, "skill.usage"),
+    pluginRef: sanitizeString(s.pluginRef, "skill.pluginRef")
+  }));
+}
+function sanitizeCompiledAgentData(data) {
+  const sanitizedAgent = {
+    ...data.agent,
+    name: sanitizeLiquidSyntax(data.agent.name, "agent.name"),
+    title: sanitizeLiquidSyntax(data.agent.title, "agent.title"),
+    description: sanitizeLiquidSyntax(data.agent.description, "agent.description"),
+    tools: sanitizeStringArray(data.agent.tools, "agent.tools") ?? data.agent.tools,
+    disallowed_tools: sanitizeStringArray(data.agent.disallowed_tools, "agent.disallowed_tools"),
+    model: sanitizeString(data.agent.model, "agent.model"),
+    permission_mode: sanitizeString(
+      data.agent.permission_mode,
+      "agent.permission_mode"
+    )
+  };
+  const sanitizedSkills = sanitizeSkills(data.skills);
+  const sanitizedPreloaded = sanitizeSkills(data.preloadedSkills);
+  const sanitizedDynamic = sanitizeSkills(data.dynamicSkills);
+  const sanitizedPreloadedIds = data.preloadedSkillIds.map(
+    (id) => sanitizeLiquidSyntax(String(id), "preloadedSkillId")
+  );
+  return {
+    agent: sanitizedAgent,
+    intro: sanitizeLiquidSyntax(data.intro, "intro"),
+    workflow: sanitizeLiquidSyntax(data.workflow, "workflow"),
+    examples: sanitizeLiquidSyntax(data.examples, "examples"),
+    criticalRequirementsTop: sanitizeLiquidSyntax(
+      data.criticalRequirementsTop,
+      "criticalRequirementsTop"
+    ),
+    criticalReminders: sanitizeLiquidSyntax(data.criticalReminders, "criticalReminders"),
+    outputFormat: sanitizeLiquidSyntax(data.outputFormat, "outputFormat"),
+    skills: sanitizedSkills,
+    preloadedSkills: sanitizedPreloaded,
+    dynamicSkills: sanitizedDynamic,
+    preloadedSkillIds: sanitizedPreloadedIds
+  };
+}
 async function createLiquidEngine(projectDir) {
   const roots = [];
   if (projectDir) {
@@ -1934,42 +2285,48 @@ async function createLiquidEngine(projectDir) {
 }
 
 // src/cli/lib/stacks/stack-plugin-compiler.ts
-import { unique as unique2 } from "remeda";
+import { unique as unique3 } from "remeda";
 function hashStackConfig(stack) {
-  const stackSkillIds = stack.stack ? [...new Set(Object.values(stack.stack).flatMap((a) => Object.values(a)))].sort() : [];
+  const stackSkillIds = stack.stack ? getStackSkillIds(stack.stack).sort() : [];
   const parts = [
     `name:${stack.name}`,
     `description:${stack.description ?? ""}`,
     `skills:${stackSkillIds.join(",")}`,
     `agents:${(stack.agents || []).sort().join(",")}`
   ];
-  return hashString(parts.join("\n"));
+  return computeStringHash(parts.join("\n"));
 }
 async function compileAgentForPlugin(name, agent, fallbackRoot, engine, installMode) {
   verbose(`Compiling agent: ${name}`);
   const agentSourceRoot = agent.sourceRoot || fallbackRoot;
   const agentBaseDir = agent.agentBaseDir || DIRS.agents;
   const agentDir = path13.join(agentSourceRoot, agentBaseDir, agent.path || name);
-  const intro = await readFile(path13.join(agentDir, "intro.md"));
-  const workflow = await readFile(path13.join(agentDir, "workflow.md"));
+  const intro = await readFile(path13.join(agentDir, STANDARD_FILES.INTRO_MD));
+  const workflow = await readFile(path13.join(agentDir, STANDARD_FILES.WORKFLOW_MD));
   const examples = await readFileOptional(
-    path13.join(agentDir, "examples.md"),
+    path13.join(agentDir, STANDARD_FILES.EXAMPLES_MD),
     "## Examples\n\n_No examples defined._"
   );
   const criticalRequirementsTop = await readFileOptional(
-    path13.join(agentDir, "critical-requirements.md"),
+    path13.join(agentDir, STANDARD_FILES.CRITICAL_REQUIREMENTS_MD),
     ""
   );
   const criticalReminders = await readFileOptional(
-    path13.join(agentDir, "critical-reminders.md"),
+    path13.join(agentDir, STANDARD_FILES.CRITICAL_REMINDERS_MD),
     ""
   );
   const agentPath = agent.path || name;
   const category = agentPath.split("/")[0];
   const categoryDir = path13.join(agentSourceRoot, agentBaseDir, category);
-  let outputFormat = await readFileOptional(path13.join(agentDir, "output-format.md"), "");
+  let outputFormat = await readFileOptional(
+    path13.join(agentDir, STANDARD_FILES.OUTPUT_FORMAT_MD),
+    ""
+  );
   if (!outputFormat) {
-    outputFormat = await readFileOptional(path13.join(categoryDir, "output-format.md"), "");
+    outputFormat = await readFileOptional(
+      path13.join(categoryDir, STANDARD_FILES.OUTPUT_FORMAT_MD),
+      ""
+    );
   }
   const skills = installMode === "plugin" ? agent.skills.map((s) => ({ ...s, pluginRef: `${s.id}:${s.id}` })) : agent.skills;
   const preloadedSkills = skills.filter((s) => s.preloaded);
@@ -1991,7 +2348,7 @@ async function compileAgentForPlugin(name, agent, fallbackRoot, engine, installM
     dynamicSkills,
     preloadedSkillIds
   };
-  return engine.renderFile("agent", data);
+  return engine.renderFile("agent", sanitizeCompiledAgentData(data));
 }
 function generateStackReadme(stackId, stack, agents, skillPlugins) {
   const lines = [];
@@ -2004,9 +2361,9 @@ function generateStackReadme(stackId, stack, agents, skillPlugins) {
   lines.push("Add this plugin to your Claude Code configuration:");
   lines.push("");
   lines.push("```json");
-  lines.push(`{`);
+  lines.push("{");
   lines.push(`  "plugins": ["${stackId}"]`);
-  lines.push(`}`);
+  lines.push("}");
   lines.push("```");
   lines.push("");
   lines.push("## Agents");
@@ -2022,7 +2379,7 @@ function generateStackReadme(stackId, stack, agents, skillPlugins) {
     lines.push("");
     lines.push("This stack includes the following skills:");
     lines.push("");
-    const uniqueSkills = unique2(skillPlugins).sort();
+    const uniqueSkills = unique3(skillPlugins).sort();
     for (const skill of uniqueSkills) {
       lines.push(`- \`${skill}\``);
     }
@@ -2049,19 +2406,8 @@ async function compileStackPlugin(options) {
   );
   let newStack = options.stack || await loadStackById(stackId, projectRoot);
   if (!newStack) {
-    newStack = await loadStackById(stackId, PROJECT_ROOT);
-  }
-  const sourceMatrixPath = path13.join(projectRoot, SKILLS_MATRIX_PATH);
-  const cliMatrixPath = path13.join(PROJECT_ROOT, SKILLS_MATRIX_PATH);
-  let matrix;
-  try {
-    matrix = await loadSkillsMatrix(
-      await fileExists(sourceMatrixPath) ? sourceMatrixPath : cliMatrixPath
-    );
-  } catch {
-    matrix = await loadSkillsMatrix(cliMatrixPath);
+    newStack = await loadStackById(stackId, PROJECT_ROOT);
   }
-  const skillAliases = matrix.skill_aliases || {};
   let stack;
   if (newStack) {
     verbose(`  Found stack: ${newStack.name}`);
@@ -2069,7 +2415,7 @@ async function compileStackPlugin(options) {
     for (const agentName of typedKeys(newStack.agents)) {
       const agentConfig = newStack.agents[agentName];
       if (!agentConfig) continue;
-      const skillRefs = resolveAgentConfigToSkills(agentConfig, skillAliases);
+      const skillRefs = resolveAgentConfigToSkills(agentConfig);
       for (const ref of skillRefs) {
         agentSkillIds.add(ref.id);
       }
@@ -2079,25 +2425,18 @@ async function compileStackPlugin(options) {
       description: newStack.description,
       agents: typedKeys(newStack.agents),
       skills: [...agentSkillIds],
-      stack: buildStackProperty(newStack, skillAliases)
+      stack: buildStackProperty(newStack)
     };
   } else {
     throw new Error(`Stack '${stackId}' not found in config/stacks.yaml`);
   }
-  const stackSkillIds = stack.stack ? [...new Set(Object.values(stack.stack).flatMap((a) => Object.values(a)))] : [];
+  const stackSkillIds = stack.stack ? getStackSkillIds(stack.stack) : [];
   const skills = await loadSkillsByIds(
     stackSkillIds.map((id) => ({ id })),
     projectRoot
   );
-  const compileConfig = stackToCompileConfig(stackId, stack);
-  const resolvedAgents = await resolveAgents(
-    agents,
-    skills,
-    compileConfig,
-    projectRoot,
-    newStack,
-    skillAliases
-  );
+  const compileConfig = convertStackToCompileConfig(stackId, stack);
+  const resolvedAgents = await resolveAgents(agents, skills, compileConfig, projectRoot, newStack);
   const pluginDir = path13.join(outputDir, stackId);
   const agentsDir = path13.join(pluginDir, "agents");
   await ensureDir(pluginDir);
@@ -2132,11 +2471,11 @@ async function compileStackPlugin(options) {
     verbose(`  Compiled agent: ${name}`);
   }
   const stackDir = path13.join(projectRoot, DIRS.stacks, stackId);
-  const claudeMdPath = path13.join(stackDir, "CLAUDE.md");
+  const claudeMdPath = path13.join(stackDir, STANDARD_FILES.CLAUDE_MD);
   if (await fileExists(claudeMdPath)) {
     const claudeContent = await readFile(claudeMdPath);
-    await writeFile(path13.join(pluginDir, "CLAUDE.md"), claudeContent);
-    verbose(`  Copied CLAUDE.md`);
+    await writeFile(path13.join(pluginDir, STANDARD_FILES.CLAUDE_MD), claudeContent);
+    verbose(`  Copied ${STANDARD_FILES.CLAUDE_MD}`);
   }
   const newHash = hashStackConfig(stack);
   const { version, contentHash } = await determinePluginVersion(
@@ -2144,7 +2483,7 @@ async function compileStackPlugin(options) {
     pluginDir,
     getPluginManifestPath
   );
-  const uniqueSkillPlugins = unique2(allSkillPlugins);
+  const uniqueSkillPlugins = unique3(allSkillPlugins);
   const manifest = generateStackPluginManifest({
     stackName: stackId,
     description: stack.description,
@@ -2160,7 +2499,7 @@ async function compileStackPlugin(options) {
   verbose(`  Wrote plugin.json (v${version})`);
   const readme = generateStackReadme(stackId, stack, compiledAgentNames, uniqueSkillPlugins);
   await writeFile(path13.join(pluginDir, "README.md"), readme);
-  verbose(`  Generated README.md`);
+  verbose("  Generated README.md");
   return {
     pluginPath: pluginDir,
     manifest,
@@ -2171,27 +2510,111 @@ async function compileStackPlugin(options) {
   };
 }
 function printStackCompilationSummary(result) {
-  console.log(`
+  log(`
 Stack plugin compiled: ${result.stackName}`);
-  console.log(`  Path: ${result.pluginPath}`);
-  console.log(`  Agents: ${result.agents.length}`);
+  log(`  Path: ${result.pluginPath}`);
+  log(`  Agents: ${result.agents.length}`);
   for (const agent of result.agents) {
-    console.log(`    - ${agent}`);
+    log(`    - ${agent}`);
   }
   if (result.skillPlugins.length > 0) {
-    console.log(`  Skills included: ${result.skillPlugins.length}`);
+    log(`  Skills included: ${result.skillPlugins.length}`);
     for (const skill of result.skillPlugins) {
-      console.log(`    - ${skill}`);
+      log(`    - ${skill}`);
     }
   }
   if (result.hasHooks) {
-    console.log(`  Hooks: enabled`);
+    log("  Hooks: enabled");
   }
 }
 
 // src/cli/utils/exec.ts
 init_esm_shims();
 import { spawn } from "child_process";
+var MAX_PLUGIN_PATH_LENGTH = 1024;
+var MAX_GITHUB_REPO_LENGTH = 256;
+var MAX_MARKETPLACE_NAME_LENGTH = 128;
+var MAX_PLUGIN_NAME_LENGTH = 256;
+var GITHUB_REPO_PATTERN = /^[a-zA-Z0-9._-]+\/[a-zA-Z0-9._-]+$/;
+var SAFE_NAME_PATTERN = /^[a-zA-Z0-9._@/-]+$/;
+var SAFE_PLUGIN_PATH_PATTERN = /^[a-zA-Z0-9._@/:~-]+$/;
+var CONTROL_CHAR_PATTERN = /[\x00-\x08\x0E-\x1F\x7F]/u;
+function validatePluginPath(pluginPath) {
+  if (!pluginPath || pluginPath.trim().length === 0) {
+    throw new Error("Plugin path must not be empty.");
+  }
+  if (pluginPath.length > MAX_PLUGIN_PATH_LENGTH) {
+    throw new Error(
+      `Plugin path is too long (${pluginPath.length} characters, max ${MAX_PLUGIN_PATH_LENGTH}).`
+    );
+  }
+  if (CONTROL_CHAR_PATTERN.test(pluginPath)) {
+    throw new Error("Plugin path contains invalid control characters.");
+  }
+  if (!SAFE_PLUGIN_PATH_PATTERN.test(pluginPath)) {
+    throw new Error(
+      `Plugin path contains invalid characters: "${pluginPath}"
+Plugin paths may only contain alphanumeric characters, dashes, underscores, dots, slashes, @, and colons.`
+    );
+  }
+}
+function validateGithubRepo(githubRepo) {
+  if (!githubRepo || githubRepo.trim().length === 0) {
+    throw new Error("GitHub repository must not be empty.");
+  }
+  if (githubRepo.length > MAX_GITHUB_REPO_LENGTH) {
+    throw new Error(
+      `GitHub repository is too long (${githubRepo.length} characters, max ${MAX_GITHUB_REPO_LENGTH}).`
+    );
+  }
+  if (CONTROL_CHAR_PATTERN.test(githubRepo)) {
+    throw new Error("GitHub repository contains invalid control characters.");
+  }
+  if (!GITHUB_REPO_PATTERN.test(githubRepo)) {
+    throw new Error(
+      `Invalid GitHub repository format: "${githubRepo}"
+Expected format: owner/repo (e.g., 'my-org/my-skills').`
+    );
+  }
+}
+function validateMarketplaceName(name) {
+  if (!name || name.trim().length === 0) {
+    throw new Error("Marketplace name must not be empty.");
+  }
+  if (name.length > MAX_MARKETPLACE_NAME_LENGTH) {
+    throw new Error(
+      `Marketplace name is too long (${name.length} characters, max ${MAX_MARKETPLACE_NAME_LENGTH}).`
+    );
+  }
+  if (CONTROL_CHAR_PATTERN.test(name)) {
+    throw new Error("Marketplace name contains invalid control characters.");
+  }
+  if (!SAFE_NAME_PATTERN.test(name)) {
+    throw new Error(
+      `Marketplace name contains invalid characters: "${name}"
+Names may only contain alphanumeric characters, dashes, underscores, dots, @, and slashes.`
+    );
+  }
+}
+function validatePluginName(pluginName) {
+  if (!pluginName || pluginName.trim().length === 0) {
+    throw new Error("Plugin name must not be empty.");
+  }
+  if (pluginName.length > MAX_PLUGIN_NAME_LENGTH) {
+    throw new Error(
+      `Plugin name is too long (${pluginName.length} characters, max ${MAX_PLUGIN_NAME_LENGTH}).`
+    );
+  }
+  if (CONTROL_CHAR_PATTERN.test(pluginName)) {
+    throw new Error("Plugin name contains invalid control characters.");
+  }
+  if (!SAFE_NAME_PATTERN.test(pluginName)) {
+    throw new Error(
+      `Plugin name contains invalid characters: "${pluginName}"
+Names may only contain alphanumeric characters, dashes, underscores, dots, @, and slashes.`
+    );
+  }
+}
 async function execCommand(command, args, options) {
   return new Promise((resolve, reject) => {
     const proc = spawn(command, args, {
@@ -2220,6 +2643,7 @@ async function execCommand(command, args, options) {
   });
 }
 async function claudePluginInstall(pluginPath, scope, projectDir) {
+  validatePluginPath(pluginPath);
   const args = ["plugin", "install", pluginPath, "--scope", scope];
   const result = await execCommand("claude", args, { cwd: projectDir });
   if (result.exitCode !== 0) {
@@ -2262,14 +2686,14 @@ async function claudePluginMarketplaceExists(name) {
   return marketplaces.some((m) => m.name === name);
 }
 async function claudePluginMarketplaceAdd(githubRepo, name) {
+  validateGithubRepo(githubRepo);
+  validateMarketplaceName(name);
   const args = ["plugin", "marketplace", "add", githubRepo, "--name", name];
   let result;
   try {
     result = await execCommand("claude", args, {});
   } catch (err) {
-    throw new Error(
-      `Failed to add marketplace: ${err instanceof Error ? err.message : "Unknown error"}`
-    );
+    throw new Error(`Failed to add marketplace: ${getErrorMessage(err)}`);
   }
   if (result.exitCode !== 0) {
     const errorMessage = result.stderr || result.stdout || "Unknown error";
@@ -2280,6 +2704,7 @@ async function claudePluginMarketplaceAdd(githubRepo, name) {
   }
 }
 async function claudePluginUninstall(pluginName, scope, projectDir) {
+  validatePluginName(pluginName);
   const args = ["plugin", "uninstall", pluginName, "--scope", scope];
   const result = await execCommand("claude", args, { cwd: projectDir });
   if (result.exitCode !== 0) {
@@ -2351,9 +2776,33 @@ async function installStackAsPlugin(options) {
 }
 
 // src/cli/lib/installation/local-installer.ts
-var PLUGIN_NAME = "claude-collective";
-var YAML_INDENT = 2;
-var YAML_LINE_WIDTH = 120;
+function resolveInstallPaths(projectDir) {
+  return {
+    skillsDir: path15.join(projectDir, LOCAL_SKILLS_PATH),
+    agentsDir: path15.join(projectDir, CLAUDE_DIR, "agents"),
+    configPath: path15.join(projectDir, CLAUDE_SRC_DIR, STANDARD_FILES.CONFIG_YAML)
+  };
+}
+async function prepareDirectories(paths) {
+  await ensureDir(paths.skillsDir);
+  await ensureDir(paths.agentsDir);
+  await ensureDir(path15.dirname(paths.configPath));
+}
+async function archiveAndCopySkills(wizardResult, sourceResult, projectDir, skillsDir) {
+  for (const skillId of wizardResult.selectedSkills) {
+    const selectedSource = wizardResult.sourceSelections?.[skillId];
+    if (selectedSource && selectedSource !== "public") {
+      verbose(`Using alternate source '${selectedSource}' for ${skillId}`);
+      await archiveLocalSkill(projectDir, skillId);
+    }
+  }
+  return copySkillsToLocalFlattened(
+    wizardResult.selectedSkills,
+    skillsDir,
+    sourceResult.matrix,
+    sourceResult
+  );
+}
 function buildLocalSkillsMap(copiedSkills, matrix) {
   const localSkillsForResolution = {};
   for (const copiedSkill of copiedSkills) {
@@ -2370,6 +2819,11 @@ function buildLocalSkillsMap(copiedSkills, matrix) {
   }
   return localSkillsForResolution;
 }
+async function loadMergedAgents(sourcePath) {
+  const cliAgents = await loadAllAgents(PROJECT_ROOT);
+  const sourceAgents = await loadAllAgents(sourcePath);
+  return { ...cliAgents, ...sourceAgents };
+}
 async function buildLocalConfig(wizardResult, sourceResult) {
   let loadedStack = null;
   if (wizardResult.selectedStackId) {
@@ -2382,7 +2836,7 @@ async function buildLocalConfig(wizardResult, sourceResult) {
   if (wizardResult.selectedStackId) {
     if (loadedStack) {
       localConfig = generateProjectConfigFromSkills(
-        PLUGIN_NAME,
+        DEFAULT_PLUGIN_NAME,
         wizardResult.selectedSkills,
         sourceResult.matrix
       );
@@ -2401,7 +2855,7 @@ async function buildLocalConfig(wizardResult, sourceResult) {
     }
   } else {
     localConfig = generateProjectConfigFromSkills(
-      PLUGIN_NAME,
+      DEFAULT_PLUGIN_NAME,
       wizardResult.selectedSkills,
       sourceResult.matrix
     );
@@ -2419,6 +2873,21 @@ function setConfigMetadata(config, wizardResult, sourceResult, sourceFlag) {
     config.marketplace = sourceResult.marketplace;
   }
 }
+async function buildAndMergeConfig(wizardResult, sourceResult, projectDir, sourceFlag) {
+  const { config } = await buildLocalConfig(wizardResult, sourceResult);
+  setConfigMetadata(config, wizardResult, sourceResult, sourceFlag);
+  return mergeWithExistingConfig(config, { projectDir });
+}
+async function writeConfigFile(config, configPath) {
+  const schemaComment = `${yamlSchemaComment(SCHEMA_PATHS.projectConfig)}
+`;
+  const serializable = config.stack ? { ...config, stack: compactStackForYaml(config.stack) } : config;
+  const configYaml = stringifyYaml3(serializable, {
+    indent: YAML_FORMATTING.INDENT,
+    lineWidth: YAML_FORMATTING.LINE_WIDTH
+  });
+  await writeFile(configPath, `${schemaComment}${configYaml}`);
+}
 function buildCompileAgents(config, agents) {
   const compileAgents = {};
   for (const agentId of config.agents) {
@@ -2453,42 +2922,22 @@ async function compileAndWriteAgents(compileConfig, agents, localSkills, sourceR
 }
 async function installLocal(options) {
   const { wizardResult, sourceResult, projectDir, sourceFlag } = options;
-  const matrix = sourceResult.matrix;
-  const localSkillsDir = path15.join(projectDir, LOCAL_SKILLS_PATH);
-  const localAgentsDir = path15.join(projectDir, CLAUDE_DIR, "agents");
-  const localConfigPath = path15.join(projectDir, CLAUDE_SRC_DIR, "config.yaml");
-  await ensureDir(localSkillsDir);
-  await ensureDir(localAgentsDir);
-  await ensureDir(path15.dirname(localConfigPath));
-  for (const skillId of wizardResult.selectedSkills) {
-    const selectedSource = wizardResult.sourceSelections?.[skillId];
-    if (selectedSource && selectedSource !== "public") {
-      verbose(`Using alternate source '${selectedSource}' for ${skillId}`);
-      await archiveLocalSkill(projectDir, skillId);
-    }
-  }
-  const copiedSkills = await copySkillsToLocalFlattened(
-    wizardResult.selectedSkills,
-    localSkillsDir,
-    matrix,
-    sourceResult
+  const paths = resolveInstallPaths(projectDir);
+  await prepareDirectories(paths);
+  const copiedSkills = await archiveAndCopySkills(
+    wizardResult,
+    sourceResult,
+    projectDir,
+    paths.skillsDir
   );
-  const localSkillsForResolution = buildLocalSkillsMap(copiedSkills, matrix);
-  const cliAgents = await loadAllAgents(PROJECT_ROOT);
-  const localAgents = await loadAllAgents(sourceResult.sourcePath);
-  const agents = { ...cliAgents, ...localAgents };
-  const { config: builtConfig } = await buildLocalConfig(wizardResult, sourceResult);
-  setConfigMetadata(builtConfig, wizardResult, sourceResult, sourceFlag);
-  const mergeResult = await mergeWithExistingConfig(builtConfig, { projectDir });
+  const localSkillsForResolution = buildLocalSkillsMap(copiedSkills, sourceResult.matrix);
+  const agents = await loadMergedAgents(sourceResult.sourcePath);
+  const mergeResult = await buildAndMergeConfig(wizardResult, sourceResult, projectDir, sourceFlag);
   const finalConfig = mergeResult.config;
-  const configYaml = stringifyYaml4(finalConfig, {
-    indent: YAML_INDENT,
-    lineWidth: YAML_LINE_WIDTH
-  });
-  await writeFile(localConfigPath, configYaml);
+  await writeConfigFile(finalConfig, paths.configPath);
   const compileAgentsConfig = buildCompileAgents(finalConfig, agents);
   const compileConfig = {
-    name: PLUGIN_NAME,
+    name: DEFAULT_PLUGIN_NAME,
     description: finalConfig.description || `Local setup with ${wizardResult.selectedSkills.length} skills`,
     agents: compileAgentsConfig
   };
@@ -2498,23 +2947,22 @@ async function installLocal(options) {
     localSkillsForResolution,
     sourceResult,
     projectDir,
-    localAgentsDir,
+    paths.agentsDir,
     wizardResult.installMode
   );
   return {
     copiedSkills,
     config: finalConfig,
-    configPath: localConfigPath,
+    configPath: paths.configPath,
     compiledAgents: compiledAgentNames,
     wasMerged: mergeResult.merged,
     mergedConfigPath: mergeResult.existingConfigPath,
-    skillsDir: localSkillsDir,
-    agentsDir: localAgentsDir
+    skillsDir: paths.skillsDir,
+    agentsDir: paths.agentsDir
   };
 }
 
 // src/cli/lib/plugins/plugin-info.ts
-var DEFAULT_NAME = "claude-collective";
 async function getInstallationInfo() {
   const installation = await detectInstallation();
   if (!installation) {
@@ -2522,7 +2970,7 @@ async function getInstallationInfo() {
   }
   let skillCount = 0;
   let agentCount = 0;
-  let name = DEFAULT_NAME;
+  let name = DEFAULT_PLUGIN_NAME;
   let version = DEFAULT_DISPLAY_VERSION;
   if (await directoryExists(installation.skillsDir)) {
     try {
@@ -2545,14 +2993,14 @@ async function getInstallationInfo() {
   if (installation.mode === "local") {
     const loaded = await loadProjectConfig(installation.projectDir);
     if (loaded?.config) {
-      name = loaded.config.name || DEFAULT_NAME;
+      name = loaded.config.name || DEFAULT_PLUGIN_NAME;
       version = "local";
     }
   } else {
     const pluginDir = getCollectivePluginDir(installation.projectDir);
     const manifest = await readPluginManifest(pluginDir);
     if (manifest) {
-      name = manifest.name || DEFAULT_NAME;
+      name = manifest.name || DEFAULT_PLUGIN_NAME;
       version = manifest.version || DEFAULT_DISPLAY_VERSION;
     }
   }
@@ -2587,7 +3035,7 @@ function parseVersion(version) {
 }
 async function bumpPluginVersion(pluginDir, type) {
   const manifestPath = path16.join(pluginDir, PLUGIN_MANIFEST_DIR, PLUGIN_MANIFEST_FILE);
-  const content = await readFile(manifestPath);
+  const content = await readFileSafe(manifestPath, MAX_PLUGIN_FILE_SIZE);
   const manifest = pluginManifestSchema.parse(JSON.parse(content));
   const [major, minor, patch] = parseVersion(manifest.version || DEFAULT_VERSION);
   let newVersion;
@@ -2601,6 +3049,10 @@ async function bumpPluginVersion(pluginDir, type) {
     case "patch":
       newVersion = `${major}.${minor}.${patch + 1}`;
       break;
+    default: {
+      const exhaustiveCheck = type;
+      throw new Error(`Unknown version bump type: ${exhaustiveCheck}`);
+    }
   }
   manifest.version = newVersion;
   await writeFile(manifestPath, JSON.stringify(manifest, null, 2));
@@ -2608,7 +3060,7 @@ async function bumpPluginVersion(pluginDir, type) {
 }
 async function getPluginVersion(pluginDir) {
   const manifestPath = path16.join(pluginDir, PLUGIN_MANIFEST_DIR, PLUGIN_MANIFEST_FILE);
-  const content = await readFile(manifestPath);
+  const content = await readFileSafe(manifestPath, MAX_PLUGIN_FILE_SIZE);
   const manifest = pluginManifestSchema.parse(JSON.parse(content));
   return manifest.version || DEFAULT_VERSION;
 }
@@ -2619,8 +3071,8 @@ import { z as z2 } from "zod";
 import path17 from "path";
 import fg from "fast-glob";
 import { countBy as countBy2 } from "remeda";
-var PLUGIN_DIR = ".claude-plugin";
-var PLUGIN_MANIFEST = "plugin.json";
+var PLUGIN_DIR = PLUGIN_MANIFEST_DIR;
+var PLUGIN_MANIFEST = STANDARD_FILES.PLUGIN_JSON;
 var KEBAB_CASE_REGEX = /^[a-z][a-z0-9]*(-[a-z0-9]+)*$/;
 var SEMVER_REGEX = /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;
 var pluginManifestValidationSchema = z2.object({
@@ -2634,13 +3086,13 @@ var pluginManifestValidationSchema = z2.object({
   skills: z2.union([z2.string(), z2.array(z2.string())]).optional(),
   hooks: z2.union([z2.string(), hooksRecordSchema]).optional()
 }).strict();
-function formatZodErrors(error) {
+function formatZodErrors2(error) {
   return error.issues.map((issue) => {
-    const path26 = issue.path.join(".");
+    const path25 = issue.path.join(".");
     if (issue.code === "unrecognized_keys") {
       return `Unrecognized key: "${issue.keys.join('", "')}"`;
     }
-    return path26 ? `${path26}: ${issue.message}` : issue.message;
+    return path25 ? `${path25}: ${issue.message}` : issue.message;
   });
 }
 function isKebabCase(str) {
@@ -2689,19 +3141,18 @@ async function validatePluginManifest(manifestPath) {
   }
   let manifest;
   try {
-    const content = await readFile(manifestPath);
+    const content = await readFileSafe(manifestPath, MAX_PLUGIN_FILE_SIZE);
     manifest = JSON.parse(content);
   } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
     return {
       valid: false,
-      errors: [`Invalid JSON in ${PLUGIN_MANIFEST}: ${message}`],
+      errors: [`Invalid JSON in ${PLUGIN_MANIFEST}: ${getErrorMessage(err)}`],
       warnings: []
     };
   }
   const result = pluginManifestValidationSchema.safeParse(manifest);
   if (!result.success) {
-    errors.push(...formatZodErrors(result.error));
+    errors.push(...formatZodErrors2(result.error));
   }
   if (manifest.name && typeof manifest.name === "string") {
     if (!isKebabCase(manifest.name)) {
@@ -2758,7 +3209,7 @@ async function validateSkillFrontmatter(skillPath) {
   }
   const result = skillFrontmatterValidationSchema.safeParse(frontmatter);
   if (!result.success) {
-    errors.push(...formatZodErrors(result.error));
+    errors.push(...formatZodErrors2(result.error));
   }
   return {
     valid: errors.length === 0,
@@ -2787,7 +3238,7 @@ async function validateAgentFrontmatter(agentPath) {
   }
   const result = agentFrontmatterValidationSchema.safeParse(frontmatter);
   if (!result.success) {
-    errors.push(...formatZodErrors(result.error));
+    errors.push(...formatZodErrors2(result.error));
   }
   const fm = frontmatter;
   if (fm.name && typeof fm.name === "string") {
@@ -2801,74 +3252,72 @@ async function validateAgentFrontmatter(agentPath) {
     warnings
   };
 }
-async function validatePlugin(pluginPath) {
-  const errors = [];
-  const warnings = [];
-  const structureResult = await validatePluginStructure(pluginPath);
-  errors.push(...structureResult.errors);
-  warnings.push(...structureResult.warnings);
-  if (!structureResult.valid) {
-    return { valid: false, errors, warnings };
+function mergeResults(results) {
+  const errors = results.flatMap((r) => r.errors);
+  const warnings = results.flatMap((r) => r.warnings);
+  return { valid: errors.length === 0, errors, warnings };
+}
+var EMPTY_RESULT = { valid: true, errors: [], warnings: [] };
+function prefixResult(result, prefix) {
+  return {
+    valid: result.valid,
+    errors: result.valid ? [] : result.errors.map((e) => `${prefix}: ${e}`),
+    warnings: result.warnings.map((w) => `${prefix}: ${w}`)
+  };
+}
+async function validatePluginSkillFiles(pluginPath, skillsRelPath) {
+  const skillsDir = path17.join(pluginPath, skillsRelPath);
+  if (!await directoryExists(skillsDir)) return EMPTY_RESULT;
+  const files = await fg("**/SKILL.md", { cwd: skillsDir, absolute: true });
+  if (files.length === 0) {
+    return {
+      valid: true,
+      errors: [],
+      warnings: [`Skills directory exists but contains no SKILL.md files: ${skillsRelPath}`]
+    };
   }
-  const manifestPath = path17.join(pluginPath, PLUGIN_DIR, PLUGIN_MANIFEST);
-  const manifestResult = await validatePluginManifest(manifestPath);
-  errors.push(...manifestResult.errors);
-  warnings.push(...manifestResult.warnings);
-  let manifest = null;
+  const results = await Promise.all(
+    files.map(
+      async (f) => prefixResult(await validateSkillFrontmatter(f), path17.relative(pluginPath, f))
+    )
+  );
+  return mergeResults(results);
+}
+async function validatePluginAgentFiles(pluginPath, agentsRelPath) {
+  const agentsDir = path17.join(pluginPath, agentsRelPath);
+  if (!await directoryExists(agentsDir)) return EMPTY_RESULT;
+  const files = await fg("*.md", { cwd: agentsDir, absolute: true });
+  if (files.length === 0) {
+    return {
+      valid: true,
+      errors: [],
+      warnings: [`Agents directory exists but contains no .md files: ${agentsRelPath}`]
+    };
+  }
+  const results = await Promise.all(
+    files.map(
+      async (f) => prefixResult(await validateAgentFrontmatter(f), path17.relative(pluginPath, f))
+    )
+  );
+  return mergeResults(results);
+}
+async function loadManifestForValidation(manifestPath) {
   try {
-    const content = await readFile(manifestPath);
-    manifest = JSON.parse(content);
+    const content = await readFileSafe(manifestPath, MAX_PLUGIN_FILE_SIZE);
+    return JSON.parse(content);
   } catch {
+    return null;
   }
-  if (manifest) {
-    if (manifest.skills && typeof manifest.skills === "string") {
-      const skillsDir = path17.join(pluginPath, manifest.skills);
-      if (await directoryExists(skillsDir)) {
-        const skillFiles = await fg("**/SKILL.md", {
-          cwd: skillsDir,
-          absolute: true
-        });
-        if (skillFiles.length === 0) {
-          warnings.push(
-            `Skills directory exists but contains no SKILL.md files: ${manifest.skills}`
-          );
-        }
-        for (const skillFile of skillFiles) {
-          const relativePath = path17.relative(pluginPath, skillFile);
-          const skillResult = await validateSkillFrontmatter(skillFile);
-          if (!skillResult.valid) {
-            errors.push(...skillResult.errors.map((e) => `${relativePath}: ${e}`));
-          }
-          warnings.push(...skillResult.warnings.map((w) => `${relativePath}: ${w}`));
-        }
-      }
-    }
-    if (manifest.agents && typeof manifest.agents === "string") {
-      const agentsDir = path17.join(pluginPath, manifest.agents);
-      if (await directoryExists(agentsDir)) {
-        const agentFiles = await fg("*.md", {
-          cwd: agentsDir,
-          absolute: true
-        });
-        if (agentFiles.length === 0) {
-          warnings.push(`Agents directory exists but contains no .md files: ${manifest.agents}`);
-        }
-        for (const agentFile of agentFiles) {
-          const relativePath = path17.relative(pluginPath, agentFile);
-          const agentResult = await validateAgentFrontmatter(agentFile);
-          if (!agentResult.valid) {
-            errors.push(...agentResult.errors.map((e) => `${relativePath}: ${e}`));
-          }
-          warnings.push(...agentResult.warnings.map((w) => `${relativePath}: ${w}`));
-        }
-      }
-    }
-  }
-  return {
-    valid: errors.length === 0,
-    errors,
-    warnings
-  };
+}
+async function validatePlugin(pluginPath) {
+  const structureResult = await validatePluginStructure(pluginPath);
+  if (!structureResult.valid) return structureResult;
+  const manifestPath = path17.join(pluginPath, PLUGIN_DIR, PLUGIN_MANIFEST);
+  const manifestResult = await validatePluginManifest(manifestPath);
+  const manifest = await loadManifestForValidation(manifestPath);
+  const skillsResult = manifest?.skills && typeof manifest.skills === "string" ? await validatePluginSkillFiles(pluginPath, manifest.skills) : EMPTY_RESULT;
+  const agentsResult = manifest?.agents && typeof manifest.agents === "string" ? await validatePluginAgentFiles(pluginPath, manifest.agents) : EMPTY_RESULT;
+  return mergeResults([structureResult, manifestResult, skillsResult, agentsResult]);
 }
 async function validateAllPlugins(pluginsDir) {
   const results = [];
@@ -2936,21 +3385,21 @@ function printPluginValidationResult(name, result, verbose2 = false) {
   if (result.valid && result.warnings.length === 0 && !verbose2) {
     return;
   }
-  console.log(`
+  log(`
   ${status} ${name}`);
   if (result.errors.length > 0) {
-    console.log("    Errors:");
-    result.errors.forEach((e) => console.log(`      - ${e}`));
+    log("    Errors:");
+    result.errors.forEach((e) => log(`      - ${e}`));
   }
   if (result.warnings.length > 0) {
-    console.log("    Warnings:");
-    result.warnings.forEach((w) => console.log(`      - ${w}`));
+    log("    Warnings:");
+    result.warnings.forEach((w) => log(`      - ${w}`));
   }
 }
 
 // src/cli/lib/loading/multi-source-loader.ts
 var PUBLIC_SOURCE_NAME = "public";
-async function loadSkillsFromAllSources(primaryMatrix, sourceConfig, projectDir) {
+async function loadSkillsFromAllSources(primaryMatrix, _sourceConfig, projectDir) {
   tagPrimarySourceSkills(primaryMatrix);
   tagLocalSkills(primaryMatrix);
   await tagPluginSkills(primaryMatrix, projectDir);
@@ -2958,9 +3407,7 @@ async function loadSkillsFromAllSources(primaryMatrix, sourceConfig, projectDir)
   setActiveSources(primaryMatrix);
 }
 function tagPrimarySourceSkills(matrix) {
-  for (const [, skill] of typedEntries(
-    matrix.skills
-  )) {
+  for (const [, skill] of typedEntries(matrix.skills)) {
     if (!skill) continue;
     const source = {
       name: PUBLIC_SOURCE_NAME,
@@ -2974,9 +3421,7 @@ function tagPrimarySourceSkills(matrix) {
 }
 function tagLocalSkills(matrix) {
   let count = 0;
-  for (const [, skill] of typedEntries(
-    matrix.skills
-  )) {
+  for (const [, skill] of typedEntries(matrix.skills)) {
     if (!skill) continue;
     if (!skill.local) continue;
     const source = {
@@ -3063,14 +3508,12 @@ async function tagExtraSources(matrix, projectDir) {
         `Extra source '${extraSource.name}': ${skills.length} skills found, ${matchCount} matching`
       );
     } catch (error) {
-      warn(`Failed to load extra source '${extraSource.name}' (${extraSource.url}): ${error}`);
+      warn(`Failed to load extra source '${extraSource.name}' ('${extraSource.url}'): ${error}`);
     }
   }
 }
 function setActiveSources(matrix) {
-  for (const [, skill] of typedEntries(
-    matrix.skills
-  )) {
+  for (const [, skill] of typedEntries(matrix.skills)) {
     if (!skill) continue;
     if (!skill.availableSources || skill.availableSources.length === 0) continue;
     const installedSource = skill.availableSources.find((s) => s.installed);
@@ -3102,7 +3545,7 @@ async function searchExtraSources(alias, configuredSources) {
         }
       }
     } catch (error) {
-      warn(`Failed to search extra source '${source.name}' (${source.url}): ${error}`);
+      warn(`Failed to search extra source '${source.name}' ('${source.url}'): ${error}`);
     }
   }
   return candidates;
@@ -3141,30 +3584,7 @@ async function loadFromLocal(source, sourceConfig) {
     skillsPath = PROJECT_ROOT;
   }
   verbose(`Loading skills from local path: ${skillsPath}`);
-  const sourceMatrixPath = path19.join(skillsPath, SKILLS_MATRIX_PATH);
-  const cliMatrixPath = path19.join(PROJECT_ROOT, SKILLS_MATRIX_PATH);
-  let matrixPath;
-  if (await fileExists(sourceMatrixPath)) {
-    matrixPath = sourceMatrixPath;
-    verbose(`Matrix from source: ${matrixPath}`);
-  } else {
-    matrixPath = cliMatrixPath;
-    verbose(`Matrix from CLI (source has no matrix): ${matrixPath}`);
-  }
-  const skillsDir = path19.join(skillsPath, SKILLS_DIR_PATH);
-  verbose(`Skills from source: ${skillsDir}`);
-  const matrix = await loadSkillsMatrix(matrixPath);
-  const skills = await extractAllSkills(skillsDir);
-  const mergedMatrix = await mergeMatrixWithSkills(matrix, skills);
-  const sourceStacks = await loadStacks(skillsPath);
-  const stacks = sourceStacks.length > 0 ? sourceStacks : await loadStacks(PROJECT_ROOT);
-  if (stacks.length > 0) {
-    mergedMatrix.suggestedStacks = stacks.map(
-      (stack) => stackToResolvedStack(stack, mergedMatrix.displayNameToId)
-    );
-    const stackSource = sourceStacks.length > 0 ? "source" : "CLI";
-    verbose(`Loaded ${stacks.length} stacks from ${stackSource}`);
-  }
+  const mergedMatrix = await loadAndMergeFromBasePath(skillsPath);
   return {
     matrix: mergedMatrix,
     sourceConfig,
@@ -3177,7 +3597,21 @@ async function loadFromRemote(source, sourceConfig, forceRefresh) {
   verbose(`Fetching skills from remote source: ${source}`);
   const fetchResult = await fetchFromSource(source, { forceRefresh });
   verbose(`Fetched to: ${fetchResult.path}`);
-  const sourceMatrixPath = path19.join(fetchResult.path, SKILLS_MATRIX_PATH);
+  const mergedMatrix = await loadAndMergeFromBasePath(fetchResult.path);
+  return {
+    matrix: mergedMatrix,
+    sourceConfig,
+    sourcePath: fetchResult.path,
+    isLocal: false,
+    marketplace: sourceConfig.marketplace
+  };
+}
+async function loadAndMergeFromBasePath(basePath) {
+  const sourceProjectConfig = await loadProjectSourceConfig(basePath);
+  const matrixRelPath = sourceProjectConfig?.matrix_file ?? SKILLS_MATRIX_PATH;
+  const skillsDirRelPath = sourceProjectConfig?.skills_dir ?? SKILLS_DIR_PATH;
+  const stacksRelFile = sourceProjectConfig?.stacks_file;
+  const sourceMatrixPath = path19.join(basePath, matrixRelPath);
   const cliMatrixPath = path19.join(PROJECT_ROOT, SKILLS_MATRIX_PATH);
   let matrixPath;
   if (await fileExists(sourceMatrixPath)) {
@@ -3187,35 +3621,27 @@ async function loadFromRemote(source, sourceConfig, forceRefresh) {
     matrixPath = cliMatrixPath;
     verbose(`Matrix from CLI (source has no matrix): ${matrixPath}`);
   }
-  const skillsDir = path19.join(fetchResult.path, SKILLS_DIR_PATH);
+  const skillsDir = path19.join(basePath, skillsDirRelPath);
   verbose(`Skills from source: ${skillsDir}`);
   const matrix = await loadSkillsMatrix(matrixPath);
   const skills = await extractAllSkills(skillsDir);
   const mergedMatrix = await mergeMatrixWithSkills(matrix, skills);
-  const sourceStacks = await loadStacks(fetchResult.path);
+  const sourceStacks = await loadStacks(basePath, stacksRelFile);
   const stacks = sourceStacks.length > 0 ? sourceStacks : await loadStacks(PROJECT_ROOT);
   if (stacks.length > 0) {
-    mergedMatrix.suggestedStacks = stacks.map(
-      (stack) => stackToResolvedStack(stack, mergedMatrix.displayNameToId)
-    );
+    mergedMatrix.suggestedStacks = stacks.map((stack) => convertStackToResolvedStack(stack));
     const stackSource = sourceStacks.length > 0 ? "source" : "CLI";
     verbose(`Loaded ${stacks.length} stacks from ${stackSource}`);
   }
-  return {
-    matrix: mergedMatrix,
-    sourceConfig,
-    sourcePath: fetchResult.path,
-    isLocal: false,
-    marketplace: sourceConfig.marketplace
-  };
+  return mergedMatrix;
 }
-function stackToResolvedStack(stack, displayNameToId) {
+function convertStackToResolvedStack(stack) {
   const allSkillIds = [];
   const seenSkillIds = /* @__PURE__ */ new Set();
   for (const agentId of typedKeys(stack.agents)) {
     const agentConfig = stack.agents[agentId];
     if (!agentConfig) continue;
-    const skillRefs = resolveAgentConfigToSkills(agentConfig, displayNameToId);
+    const skillRefs = resolveAgentConfigToSkills(agentConfig);
     for (const ref of skillRefs) {
       if (!seenSkillIds.has(ref.id)) {
         seenSkillIds.add(ref.id);
@@ -3237,6 +3663,26 @@ function stackToResolvedStack(stack, displayNameToId) {
     philosophy: stack.philosophy || ""
   };
 }
+function extractSourceName(source) {
+  const withoutProtocol = source.replace(/^(?:github|gh|gitlab|bitbucket|sourcehut):/, "");
+  const withoutUrl = withoutProtocol.replace(/^https?:\/\/[^/]+\//, "");
+  const firstSegment = withoutUrl.split("/")[0];
+  return firstSegment || source;
+}
+function getMarketplaceLabel(sourceResult) {
+  if (sourceResult.isLocal) return void 0;
+  const { marketplace } = sourceResult;
+  if (!marketplace) {
+    const name = extractSourceName(sourceResult.sourceConfig.source);
+    return `${name} (public)`;
+  }
+  const PUBLIC_MARKETPLACE_COUNT = 1;
+  const isDefaultSource = sourceResult.sourceConfig.source === DEFAULT_SOURCE;
+  if (!isDefaultSource) {
+    return `${marketplace} + ${PUBLIC_MARKETPLACE_COUNT} public`;
+  }
+  return marketplace;
+}
 function mergeLocalSkillsIntoMatrix(matrix, localResult) {
   for (const metadata of localResult.skills) {
     const existingSkill = matrix.skills[metadata.id];
@@ -3250,7 +3696,7 @@ function mergeLocalSkillsIntoMatrix(matrix, localResult) {
       category,
       categoryExclusive: metadata.categoryExclusive,
       tags: metadata.tags ?? [],
-      author: "@local",
+      author: LOCAL_DEFAULTS.AUTHOR,
       conflictsWith: existingSkill?.conflictsWith ?? [],
       recommends: existingSkill?.recommends ?? [],
       requires: existingSkill?.requires ?? [],
@@ -3271,7 +3717,6 @@ function mergeLocalSkillsIntoMatrix(matrix, localResult) {
 
 // src/cli/lib/loading/defaults-loader.ts
 init_esm_shims();
-import { parse as parseYaml8 } from "yaml";
 var cachedDefaults = null;
 function getCachedDefaults() {
   return cachedDefaults;
@@ -3389,7 +3834,7 @@ function getEffectiveSkillToAgents() {
   }
   return SKILL_TO_AGENTS;
 }
-function getAgentsForSkill(skillPath, category, projectConfig) {
+function getAgentsForSkill(skillPath, category, _projectConfig) {
   const normalizedPath = skillPath.replace(/^skills\//, "").replace(/\/$/, "");
   const skillToAgents = getEffectiveSkillToAgents();
   if (skillToAgents[category]) {
@@ -3414,14 +3859,12 @@ function getAgentsForSkill(skillPath, category, projectConfig) {
 // src/cli/lib/skills/skill-plugin-compiler.ts
 init_esm_shims();
 import path20 from "path";
-import { parse as parseYaml9 } from "yaml";
-var SKILL_FILES = ["SKILL.md", "reference.md"];
-var SKILL_DIRS = ["examples", "scripts"];
+import { parse as parseYaml7 } from "yaml";
 function sanitizeSkillName(name) {
   return name.replace(/\+/g, "-");
 }
 async function readSkillMetadata(skillPath) {
-  const metadataPath = path20.join(skillPath, "metadata.yaml");
+  const metadataPath = path20.join(skillPath, STANDARD_FILES.METADATA_YAML);
   if (!await fileExists(metadataPath)) {
     return null;
   }
@@ -3429,16 +3872,14 @@ async function readSkillMetadata(skillPath) {
     const content = await readFile(metadataPath);
     const lines = content.split("\n");
     const yamlContent = lines[0]?.startsWith("# yaml-language-server:") ? lines.slice(1).join("\n") : content;
-    const result = skillMetadataLoaderSchema.safeParse(parseYaml9(yamlContent));
+    const result = skillMetadataLoaderSchema.safeParse(parseYaml7(yamlContent));
     if (!result.success) {
-      warn(
-        `Invalid metadata.yaml at ${skillPath}: ${result.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
-      );
+      warn(`Invalid metadata.yaml at '${skillPath}': ${formatZodErrors(result.error.issues)}`);
       return null;
     }
     return result.data;
   } catch (error) {
-    warn(`Failed to read metadata.yaml at ${skillPath}: ${error}`);
+    warn(`Failed to read metadata.yaml at '${skillPath}': ${error}`);
     return null;
   }
 }
@@ -3459,17 +3900,17 @@ function generateReadme(skillName, frontmatter, metadata) {
   lines.push("Add this plugin to your Claude Code configuration:");
   lines.push("");
   lines.push("```json");
-  lines.push(`{`);
+  lines.push("{");
   lines.push(`  "plugins": ["${skillName}"]`);
-  lines.push(`}`);
+  lines.push("}");
   lines.push("```");
   lines.push("");
   lines.push("## Usage");
   lines.push("");
-  lines.push(`This skill is automatically available when installed.`);
+  lines.push("This skill is automatically available when installed.");
   if (metadata?.requires && metadata.requires.length > 0) {
     lines.push("");
-    lines.push("**Requires:** " + metadata.requires.join(", "));
+    lines.push(`**Requires:** ${metadata.requires.join(", ")}`);
   }
   lines.push("");
   lines.push("---");
@@ -3481,17 +3922,17 @@ function generateReadme(skillName, frontmatter, metadata) {
 async function compileSkillPlugin(options) {
   const { skillPath, outputDir, skillName: overrideName } = options;
   const dirBasename = path20.basename(skillPath);
-  const skillMdPath = path20.join(skillPath, "SKILL.md");
+  const skillMdPath = path20.join(skillPath, STANDARD_FILES.SKILL_MD);
   if (!await fileExists(skillMdPath)) {
     throw new Error(
-      `Skill '${dirBasename}' is missing required SKILL.md file. Expected at: ${skillMdPath}`
+      `Skill '${dirBasename}' is missing required ${STANDARD_FILES.SKILL_MD} file. Expected at: ${skillMdPath}`
     );
   }
   const skillMdContent = await readFile(skillMdPath);
   const frontmatter = parseFrontmatter(skillMdContent, skillMdPath);
   if (!frontmatter) {
     throw new Error(
-      `Skill '${dirBasename}' has invalid or missing YAML frontmatter in SKILL.md. Required fields: 'name' and 'description'. File: ${skillMdPath}`
+      `Skill '${dirBasename}' has invalid or missing YAML frontmatter in ${STANDARD_FILES.SKILL_MD}. Required fields: 'name' and 'description'. File: ${skillMdPath}`
     );
   }
   const skillName = overrideName ?? sanitizeSkillName(frontmatter.name);
@@ -3501,7 +3942,7 @@ async function compileSkillPlugin(options) {
   const skillsDir = path20.join(pluginDir, "skills", skillName);
   await ensureDir(pluginDir);
   await ensureDir(skillsDir);
-  const newHash = await hashSkillFolder(skillPath);
+  const newHash = await computeSkillFolderHash(skillPath);
   const { version, contentHash } = await determinePluginVersion(
     newHash,
     pluginDir,
@@ -3517,10 +3958,10 @@ async function compileSkillPlugin(options) {
   await writePluginManifest(pluginDir, manifest);
   await writeContentHash(pluginDir, contentHash, getPluginManifestPath);
   verbose(`  Wrote plugin.json for ${skillName} (v${version})`);
-  await writeFile(path20.join(skillsDir, "SKILL.md"), skillMdContent);
-  verbose(`  Copied SKILL.md`);
-  for (const fileName of SKILL_FILES) {
-    if (fileName === "SKILL.md") continue;
+  await writeFile(path20.join(skillsDir, STANDARD_FILES.SKILL_MD), skillMdContent);
+  verbose(`  Copied ${STANDARD_FILES.SKILL_MD}`);
+  for (const fileName of SKILL_CONTENT_FILES) {
+    if (fileName === STANDARD_FILES.SKILL_MD) continue;
     const sourcePath = path20.join(skillPath, fileName);
     if (await fileExists(sourcePath)) {
       const content = await readFile(sourcePath);
@@ -3528,7 +3969,7 @@ async function compileSkillPlugin(options) {
       verbose(`  Copied ${fileName}`);
     }
   }
-  for (const dirName of SKILL_DIRS) {
+  for (const dirName of SKILL_CONTENT_DIRS) {
     const sourceDir = path20.join(skillPath, dirName);
     if (await fileExists(sourceDir)) {
       await copy(sourceDir, path20.join(skillsDir, dirName));
@@ -3537,7 +3978,7 @@ async function compileSkillPlugin(options) {
   }
   const readme = generateReadme(skillName, frontmatter, metadata);
   await writeFile(path20.join(pluginDir, "README.md"), readme);
-  verbose(`  Generated README.md`);
+  verbose("  Generated README.md");
   return {
     pluginPath: pluginDir,
     manifest,
@@ -3546,7 +3987,7 @@ async function compileSkillPlugin(options) {
 }
 async function compileAllSkillPlugins(skillsDir, outputDir) {
   const results = [];
-  const skillMdFiles = await glob("**/SKILL.md", skillsDir);
+  const skillMdFiles = await glob(`**/${STANDARD_FILES.SKILL_MD}`, skillsDir);
   for (const skillMdFile of skillMdFiles) {
     const skillPath = path20.join(skillsDir, path20.dirname(skillMdFile));
     try {
@@ -3555,29 +3996,27 @@ async function compileAllSkillPlugins(skillsDir, outputDir) {
         outputDir
       });
       results.push(result);
-      console.log(`  [OK] ${result.skillName}`);
+      log(`  [OK] ${result.skillName}`);
     } catch (error) {
-      const errorMessage = error instanceof Error ? error.message : String(error);
+      const errorMessage = getErrorMessage(error);
       const dirBasename = path20.basename(skillPath);
-      console.warn(`  [WARN] Failed to compile skill from ${dirBasename}: ${errorMessage}`);
+      warn(`Failed to compile skill from '${dirBasename}': ${errorMessage}`);
     }
   }
   return results;
 }
 function printCompilationSummary(results) {
-  console.log(`
+  log(`
 Compiled ${results.length} skill plugins:`);
   for (const result of results) {
-    console.log(`  - ${result.skillName} (v${result.manifest.version})`);
+    log(`  - ${result.skillName} (v${result.manifest.version})`);
   }
 }
 
 // src/cli/lib/skills/local-skill-loader.ts
 init_esm_shims();
-import { parse as parseYaml10 } from "yaml";
+import { parse as parseYaml8 } from "yaml";
 import path21 from "path";
-var LOCAL_CATEGORY = "local";
-var LOCAL_AUTHOR = "@local";
 async function discoverLocalSkills(projectDir) {
   const localSkillsPath = path21.join(projectDir, LOCAL_SKILLS_PATH);
   if (!await directoryExists(localSkillsPath)) {
@@ -3600,8 +4039,8 @@ async function discoverLocalSkills(projectDir) {
 }
 async function extractLocalSkill(localSkillsPath, skillDirName) {
   const skillDir = path21.join(localSkillsPath, skillDirName);
-  const metadataPath = path21.join(skillDir, "metadata.yaml");
-  const skillMdPath = path21.join(skillDir, "SKILL.md");
+  const metadataPath = path21.join(skillDir, STANDARD_FILES.METADATA_YAML);
+  const skillMdPath = path21.join(skillDir, STANDARD_FILES.SKILL_MD);
   if (!await fileExists(metadataPath)) {
     verbose(`Skipping local skill '${skillDirName}': No metadata.yaml found`);
     return null;
@@ -3611,30 +4050,32 @@ async function extractLocalSkill(localSkillsPath, skillDirName) {
     return null;
   }
   const metadataContent = await readFile(metadataPath);
-  const parsed = localRawMetadataSchema.safeParse(parseYaml10(metadataContent));
+  const parsed = localRawMetadataSchema.safeParse(parseYaml8(metadataContent));
   if (!parsed.success) {
     warn(
-      `Skipping local skill '${skillDirName}': Invalid metadata.yaml \u2014 ${parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
+      `Skipping local skill '${skillDirName}': invalid metadata.yaml \u2014 ${formatZodErrors(parsed.error.issues)}`
     );
     return null;
   }
   const metadata = parsed.data;
   if (!metadata.cli_name) {
-    warn(`Skipping local skill '${skillDirName}': Missing required 'cli_name' in metadata.yaml`);
+    warn(
+      `Skipping local skill '${skillDirName}': missing required '${METADATA_KEYS.CLI_NAME}' in metadata.yaml`
+    );
     return null;
   }
   const skillMdContent = await readFile(skillMdPath);
   const frontmatter = parseFrontmatter(skillMdContent, skillMdPath);
   if (!frontmatter) {
-    warn(`Skipping local skill '${skillDirName}': Invalid SKILL.md frontmatter`);
+    warn(`Skipping local skill '${skillDirName}': invalid SKILL.md frontmatter`);
     return null;
   }
   const relativePath = `${LOCAL_SKILLS_PATH}/${skillDirName}/`;
   const skillId = frontmatter.name;
-  const category = metadata.category || LOCAL_CATEGORY;
+  const category = metadata.category || LOCAL_DEFAULTS.CATEGORY;
   if (!metadata.category) {
     warn(
-      `Local skill '${skillDirName}' has no category in metadata.yaml \u2014 defaulting to '${LOCAL_CATEGORY}' (will not appear in wizard domain views)`
+      `Local skill '${skillDirName}' has no category in metadata.yaml \u2014 defaulting to '${LOCAL_DEFAULTS.CATEGORY}' (will not appear in wizard domain views)`
     );
   }
   const extracted = {
@@ -3644,7 +4085,7 @@ async function extractLocalSkill(localSkillsPath, skillDirName) {
     usageGuidance: metadata.usage_guidance,
     category,
     categoryExclusive: metadata.category_exclusive ?? false,
-    author: LOCAL_AUTHOR,
+    author: LOCAL_DEFAULTS.AUTHOR,
     tags: metadata.tags ?? [],
     compatibleWith: metadata.compatible_with ?? [],
     conflictsWith: metadata.conflicts_with ?? [],
@@ -3662,38 +4103,65 @@ async function extractLocalSkill(localSkillsPath, skillDirName) {
 // src/cli/lib/skills/source-switcher.ts
 init_esm_shims();
 import path22 from "path";
+function validateSkillId(skillId) {
+  if (!SKILL_ID_PATTERN.test(skillId)) {
+    return false;
+  }
+  return !(skillId.includes("\0") || skillId.includes("..") || skillId.includes("/") || skillId.includes("\\"));
+}
+function validatePathBoundary(resolvedPath, expectedParent) {
+  const normalizedPath = path22.resolve(resolvedPath);
+  const normalizedParent = path22.resolve(expectedParent);
+  return normalizedPath.startsWith(normalizedParent + path22.sep);
+}
 async function archiveLocalSkill(projectDir, skillId) {
-  const skillPath = path22.join(projectDir, LOCAL_SKILLS_PATH, skillId);
-  const archivedDir = path22.join(projectDir, LOCAL_SKILLS_PATH, ARCHIVED_SKILLS_DIR_NAME);
-  const archivedSkillPath = path22.join(archivedDir, skillId);
-  if (!await directoryExists(skillPath)) {
-    warn(`Skill directory not found for archiving: ${skillPath}`);
+  if (!validateSkillId(skillId)) {
+    warn(`Invalid skill ID for archiving: '${skillId}'`);
+    return;
+  }
+  const skillsDir = path22.resolve(path22.join(projectDir, LOCAL_SKILLS_PATH));
+  const skillPath = path22.resolve(path22.join(skillsDir, skillId));
+  const archivedDir = path22.resolve(path22.join(skillsDir, ARCHIVED_SKILLS_DIR_NAME));
+  const archivedSkillPath = path22.resolve(path22.join(archivedDir, skillId));
+  if (!validatePathBoundary(skillPath, skillsDir) || !validatePathBoundary(archivedSkillPath, archivedDir)) {
+    warn(`Skill ID '${skillId}' resolves outside the skills directory.`);
+    return;
+  }
+  try {
+    await ensureDir(archivedDir);
+    await copy(skillPath, archivedSkillPath);
+    await remove(skillPath);
+  } catch (error) {
+    warn(`Failed to archive skill '${skillId}': ${getErrorMessage(error)}`);
     return;
   }
-  await ensureDir(archivedDir);
-  await copy(skillPath, archivedSkillPath);
-  await remove(skillPath);
   verbose(`Archived local skill '${skillId}' to ${ARCHIVED_SKILLS_DIR_NAME}/`);
 }
 async function restoreArchivedSkill(projectDir, skillId) {
-  const skillPath = path22.join(projectDir, LOCAL_SKILLS_PATH, skillId);
-  const archivedSkillPath = path22.join(
-    projectDir,
-    LOCAL_SKILLS_PATH,
-    ARCHIVED_SKILLS_DIR_NAME,
-    skillId
-  );
-  if (!await directoryExists(archivedSkillPath)) {
+  if (!validateSkillId(skillId)) {
+    warn(`Invalid skill ID for restoring: '${skillId}'`);
+    return false;
+  }
+  const skillsDir = path22.resolve(path22.join(projectDir, LOCAL_SKILLS_PATH));
+  const skillPath = path22.resolve(path22.join(skillsDir, skillId));
+  const archivedDir = path22.resolve(path22.join(skillsDir, ARCHIVED_SKILLS_DIR_NAME));
+  const archivedSkillPath = path22.resolve(path22.join(archivedDir, skillId));
+  if (!validatePathBoundary(skillPath, skillsDir) || !validatePathBoundary(archivedSkillPath, archivedDir)) {
+    warn(`Skill ID '${skillId}' resolves outside the skills directory.`);
+    return false;
+  }
+  try {
+    await copy(archivedSkillPath, skillPath);
+    await remove(archivedSkillPath);
+  } catch {
     return false;
   }
-  await copy(archivedSkillPath, skillPath);
-  await remove(archivedSkillPath);
   verbose(`Restored archived skill '${skillId}' from ${ARCHIVED_SKILLS_DIR_NAME}/`);
   return true;
 }
 
 // src/cli/lib/configuration/config-generator.ts
-function extractSubcategory(categoryPath) {
+function extractSubcategoryFromPath(categoryPath) {
   if (categoryPath === "local") return void 0;
   const parts = categoryPath.split("/");
   return parts.length >= 2 ? parts[1] : parts[0];
@@ -3709,14 +4177,14 @@ function generateProjectConfigFromSkills(name, selectedSkillIds, matrix, options
     const skillPath = skill.path;
     const category = skill.category;
     const agents = getAgentsForSkill(skillPath, category);
-    const subcategory = extractSubcategory(category);
+    const subcategory = extractSubcategoryFromPath(category);
     for (const agentId of agents) {
       neededAgents.add(agentId);
       if (subcategory) {
         if (!stackProperty[agentId]) {
           stackProperty[agentId] = {};
         }
-        stackProperty[agentId][subcategory] = skillId;
+        stackProperty[agentId][subcategory] = [{ id: skillId, preloaded: false }];
       }
     }
   }
@@ -3736,23 +4204,18 @@ function generateProjectConfigFromSkills(name, selectedSkillIds, matrix, options
   }
   return config;
 }
-function buildStackProperty(stack, displayNameToId) {
+function buildStackProperty(stack) {
   const result = {};
   for (const [agentId, agentConfig] of typedEntries(stack.agents)) {
     if (!agentConfig || Object.keys(agentConfig).length === 0) {
       continue;
     }
     const resolvedMappings = {};
-    for (const [subcategoryId, displayName] of typedEntries(
+    for (const [subcategoryId, assignments] of typedEntries(
       agentConfig
     )) {
-      if (!displayName) continue;
-      const skillId = displayNameToId[displayName];
-      if (skillId) {
-        resolvedMappings[subcategoryId] = skillId;
-      } else {
-        resolvedMappings[subcategoryId] = displayName;
-      }
+      if (!assignments || assignments.length === 0) continue;
+      resolvedMappings[subcategoryId] = assignments;
     }
     if (Object.keys(resolvedMappings).length > 0) {
       result[agentId] = resolvedMappings;
@@ -3760,6 +4223,33 @@ function buildStackProperty(stack, displayNameToId) {
   }
   return result;
 }
+function compactStackForYaml(stack) {
+  const result = {};
+  for (const [agentId, agentConfig] of Object.entries(stack)) {
+    const compacted = {};
+    for (const [subcategory, assignments] of typedEntries(
+      agentConfig
+    )) {
+      if (!assignments || assignments.length === 0) continue;
+      if (assignments.length === 1) {
+        const assignment = assignments[0];
+        if (!assignment.preloaded) {
+          compacted[subcategory] = assignment.id;
+        } else {
+          compacted[subcategory] = { id: assignment.id, preloaded: true };
+        }
+      } else {
+        compacted[subcategory] = assignments.map(
+          (a) => !a.preloaded ? a.id : { id: a.id, preloaded: true }
+        );
+      }
+    }
+    if (Object.keys(compacted).length > 0) {
+      result[agentId] = compacted;
+    }
+  }
+  return result;
+}
 
 // src/cli/lib/configuration/config-merger.ts
 init_esm_shims();
@@ -3768,7 +4258,6 @@ import { difference } from "remeda";
 // src/cli/lib/configuration/project-config.ts
 init_esm_shims();
 import path23 from "path";
-import { parse as parseYaml11 } from "yaml";
 var CONFIG_PATH = `${CLAUDE_SRC_DIR}/config.yaml`;
 var LEGACY_CONFIG_PATH = `${CLAUDE_DIR}/config.yaml`;
 async function loadProjectConfig(projectDir) {
@@ -3784,38 +4273,29 @@ async function loadProjectConfig(projectDir) {
       return null;
     }
   }
-  try {
-    const content = await readFile(configPath);
-    const parsed = parseYaml11(content);
-    if (!parsed || typeof parsed !== "object") {
-      warn(`Invalid project config structure at ${configPath}`);
-      return null;
-    }
-    const result = projectConfigLoaderSchema.safeParse(parsed);
-    if (!result.success) {
-      warn(`Invalid project config at ${configPath}: ${result.error.message}`);
-      return null;
-    }
-    const config = result.data;
-    if (!config.name) {
-      warn(
-        `Project config at ${configPath} is missing required 'name' field \u2014 defaulting to directory name`
-      );
-      config.name = path23.basename(projectDir);
-    }
-    if (!config.skills) {
-      warn(`Project config at ${configPath} is missing 'skills' array \u2014 defaulting to empty`);
-      config.skills = [];
-    }
-    verbose(`Loaded project config from ${configPath}`);
-    return {
-      config,
-      configPath
-    };
-  } catch (error) {
-    warn(`Failed to parse project config at ${configPath}: ${error}`);
-    return null;
+  const data = await safeLoadYamlFile(configPath, projectConfigLoaderSchema);
+  if (!data) return null;
+  const config = data;
+  if (config.stack) {
+    config.stack = normalizeStackRecord(
+      config.stack
+    );
+  }
+  if (!config.name) {
+    warn(
+      `Project config at '${configPath}' is missing required 'name' field \u2014 defaulting to directory name`
+    );
+    config.name = path23.basename(projectDir);
   }
+  if (!config.skills) {
+    warn(`Project config at '${configPath}' is missing 'skills' array \u2014 defaulting to empty`);
+    config.skills = [];
+  }
+  verbose(`Loaded project config from ${configPath}`);
+  return {
+    config,
+    configPath
+  };
 }
 function validateProjectConfig(config) {
   const errors = [];
@@ -3899,42 +4379,22 @@ async function mergeWithExistingConfig(newConfig, context) {
 
 // src/cli/lib/configuration/config-saver.ts
 init_esm_shims();
-import path24 from "path";
-import { parse as parseYaml12, stringify as stringifyYaml5 } from "yaml";
-var YAML_INDENT2 = 2;
 async function saveSourceToProjectConfig(projectDir, source) {
-  const configPath = path24.join(projectDir, CLAUDE_SRC_DIR, "config.yaml");
-  let config = {};
-  if (await fileExists(configPath)) {
-    const content = await readFile(configPath);
-    try {
-      const parsed = parseYaml12(content);
-      const result = projectSourceConfigSchema.safeParse(parsed);
-      config = result.success ? result.data : {};
-      if (!result.success) {
-        warn(
-          `Invalid config at ${configPath}: ${result.error.issues.map((i) => i.message).join(", ")}. Starting with empty config.`
-        );
-      }
-    } catch (error) {
-      warn(
-        `Failed to parse existing config at ${configPath}: ${error instanceof Error ? error.message : String(error)}. Starting with empty config.`
-      );
-    }
-  }
-  config.source = source;
-  await ensureDir(path24.join(projectDir, CLAUDE_SRC_DIR));
-  const configYaml = stringifyYaml5(config, { indent: YAML_INDENT2 });
-  await writeFile(configPath, configYaml);
+  const existing = await loadProjectSourceConfig(projectDir) ?? {};
+  await saveProjectConfig(projectDir, { ...existing, source });
 }
 
 // src/cli/lib/loading/source-fetcher.ts
+var SAFE_NAME_PATTERN2 = /^[a-zA-Z0-9@._/ -]+$/;
+var MAX_NAME_LENGTH = 200;
 function sanitizeSourceForCache(source) {
-  return source.replace(/:/g, "-").replace(/[\/]/g, "-").replace(/--+/g, "-").replace(/^-|-$/g, "");
+  const hash = createHash2("sha256").update(source).digest("hex").slice(0, CACHE_HASH_LENGTH);
+  const readable = source.replace(/[^a-zA-Z0-9]/g, "-").replace(/--+/g, "-").replace(/^-|-$/g, "").slice(0, CACHE_READABLE_PREFIX_LENGTH);
+  return readable ? `${readable}-${hash}` : hash;
 }
 function getCacheDir(source) {
-  const sanitized = sanitizeSourceForCache(source);
-  return path25.join(CACHE_DIR, "sources", sanitized);
+  const sanitized = sanitizeSourceForCache(source) || "unknown";
+  return path24.join(CACHE_DIR, "sources", sanitized);
 }
 async function fetchFromSource(source, options = {}) {
   const { forceRefresh = false, subdir } = options;
@@ -3944,10 +4404,10 @@ async function fetchFromSource(source, options = {}) {
   return fetchFromRemoteSource(source, { forceRefresh, subdir });
 }
 async function fetchFromLocalSource(source, subdir) {
-  const fullPath = subdir ? path25.join(source, subdir) : source;
-  const absolutePath = path25.isAbsolute(fullPath) ? fullPath : path25.resolve(process.cwd(), fullPath);
+  const fullPath = subdir ? path24.join(source, subdir) : source;
+  const absolutePath = path24.isAbsolute(fullPath) ? fullPath : path24.resolve(process.cwd(), fullPath);
   if (!await directoryExists(absolutePath)) {
-    throw new Error(`Local source not found: ${absolutePath}`);
+    throw new Error(`Local source not found: '${absolutePath}'`);
   }
   verbose(`Using local source: ${absolutePath}`);
   return {
@@ -3970,7 +4430,7 @@ async function fetchFromRemoteSource(source, options) {
       source: fullSource
     };
   }
-  await ensureDir(path25.dirname(cacheDir));
+  await ensureDir(path24.dirname(cacheDir));
   try {
     const result = await downloadTemplate(fullSource, {
       dir: cacheDir,
@@ -3985,11 +4445,11 @@ async function fetchFromRemoteSource(source, options) {
       source: fullSource
     };
   } catch (error) {
-    throw wrapGigetError(error, source);
+    throw createDetailedFetchError(error, source);
   }
 }
-function wrapGigetError(error, source) {
-  const message = error instanceof Error ? error.message : String(error);
+function createDetailedFetchError(error, source) {
+  const message = getErrorMessage(error);
   if (message.includes("404") || message.includes("Not Found")) {
     return new Error(
       `Repository not found: ${source}
@@ -4040,25 +4500,71 @@ async function fetchMarketplace(source, options = {}) {
     subdir: ""
     // Root of repo
   });
-  const marketplacePath = path25.join(result.path, ".claude-plugin", "marketplace.json");
-  if (!await directoryExists(path25.dirname(marketplacePath))) {
+  const marketplacePath = path24.join(result.path, ".claude-plugin", "marketplace.json");
+  if (!await directoryExists(path24.dirname(marketplacePath))) {
     throw new Error(
-      `Marketplace not found at: ${marketplacePath}
+      `Marketplace not found for source: ${source}
+
+The .claude-plugin/marketplace.json file is missing from this repository.
 
-Expected .claude-plugin/marketplace.json in the source repository.`
+Possible causes:
+  - The source URL may be incorrect
+  - The repository may not have a marketplace configured
+
+To create a marketplace, add a .claude-plugin/marketplace.json file to your source repository.`
     );
   }
-  const content = await readFile(marketplacePath);
+  const content = await readFileSafe(marketplacePath, MAX_MARKETPLACE_FILE_SIZE);
   const parsed = JSON.parse(content);
+  if (!validateNestingDepth(parsed, MAX_JSON_NESTING_DEPTH)) {
+    throw new Error(
+      `Invalid marketplace.json at: ${marketplacePath}
+
+JSON structure exceeds maximum nesting depth of ${MAX_JSON_NESTING_DEPTH}.`
+    );
+  }
   const validation = marketplaceSchema.safeParse(parsed);
   if (!validation.success) {
     throw new Error(
       `Invalid marketplace.json at: ${marketplacePath}
 
-Validation errors: ${validation.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`).join("; ")}`
+Validation errors: ${formatZodErrors(validation.error.issues)}`
     );
   }
   const marketplace = validation.data;
+  const EXPECTED_MARKETPLACE_KEYS = [
+    "$schema",
+    "name",
+    "version",
+    "description",
+    "owner",
+    "metadata",
+    "plugins"
+  ];
+  if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+    warnUnknownFields(
+      parsed,
+      EXPECTED_MARKETPLACE_KEYS,
+      "marketplace.json"
+    );
+  }
+  if (marketplace.plugins.length > MAX_MARKETPLACE_PLUGINS) {
+    throw new Error(
+      `Invalid marketplace.json at: ${marketplacePath}
+
+Too many plugins: ${marketplace.plugins.length} (limit: ${MAX_MARKETPLACE_PLUGINS}).`
+    );
+  }
+  for (const plugin of marketplace.plugins) {
+    if (plugin.name.length > MAX_NAME_LENGTH) {
+      warn(
+        `Marketplace plugin name too long (${plugin.name.length} chars): '${plugin.name.slice(0, 50)}...'`
+      );
+    }
+    if (!SAFE_NAME_PATTERN2.test(plugin.name)) {
+      warn(`Marketplace plugin name contains unsafe characters: '${plugin.name.slice(0, 50)}'`);
+    }
+  }
   verbose(`Loaded marketplace: ${marketplace.name} v${marketplace.version}`);
   return {
     marketplace,
@@ -4140,6 +4646,8 @@ export {
   generateAgentPluginManifest,
   writePluginManifest,
   findPluginManifest,
+  typedEntries,
+  typedKeys,
   getCollectivePluginDir,
   getProjectPluginsDir,
   getPluginSkillsDir,
@@ -4156,13 +4664,15 @@ export {
   formatOrigin,
   resolveAuthor,
   resolveAllSources,
+  IMPORT_DEFAULTS,
+  LOCAL_DEFAULTS,
   getCurrentDate,
-  hashString,
-  hashFile,
+  computeStringHash,
+  computeFileHash,
   determinePluginVersion,
   writeContentHash,
   readForkedFromMetadata,
-  compareSkills,
+  compareLocalSkillsWithSource,
   injectForkedFromMetadata,
   copySkillsToPluginFromSource,
   copySkillsToLocalFlattened,
@@ -4175,7 +4685,9 @@ export {
   getAvailableSkills,
   fetchFromSource,
   searchExtraSources,
+  normalizeStackRecord,
   loadStacks,
+  getStackSkillIds,
   buildSkillRefsFromConfig,
   resolveAgents,
   extractFrontmatter,
@@ -4190,6 +4702,7 @@ export {
   claudePluginUninstall,
   installStackAsPlugin,
   loadSkillsMatrixFromSource,
+  getMarketplaceLabel,
   compileSkillPlugin,
   compileAllSkillPlugins,
   printCompilationSummary,
@@ -4212,4 +4725,4 @@ export {
   validateAllPlugins,
   printPluginValidationResult
 };
-//# sourceMappingURL=chunk-CQ7657GA.js.map
+//# sourceMappingURL=chunk-SSHG7MEE.js.map