@dgxo/mashadevcli 1.1.0

package/bundle/builtin/skill-creator/scripts/package_skill.cjs

@@ -0,0 +1,131 @@
+#!/usr/bin/env node
+
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * Skill Packager - Creates a distributable .skill file of a skill folder
+ *
+ * Usage:
+ *     node package_skill.js <path/to/skill-folder> [output-directory]
+ */
+
+const path = require('node:path');
+const { spawnSync } = require('node:child_process');
+const { validateSkill } = require('./validate_skill.cjs');
+
+async function main() {
+  const args = process.argv.slice(2);
+  if (args.length < 1) {
+    console.log(
+      'Usage: node package_skill.js <path/to/skill-folder> [output-directory]',
+    );
+    process.exit(1);
+  }
+
+  const skillPathArg = args[0];
+  const outputDirArg = args[1];
+
+  if (
+    skillPathArg.includes('..') ||
+    (outputDirArg && outputDirArg.includes('..'))
+  ) {
+    console.error('❌ Error: Path traversal detected in arguments.');
+    process.exit(1);
+  }
+
+  const skillPath = path.resolve(skillPathArg);
+  const outputDir = outputDirArg ? path.resolve(outputDirArg) : process.cwd();
+  const skillName = path.basename(skillPath);
+
+  // 1. Validate first
+  console.log('🔍 Validating skill...');
+  const result = validateSkill(skillPath);
+  if (!result.valid) {
+    console.error(`❌ Validation failed: ${result.message}`);
+    process.exit(1);
+  }
+
+  if (result.warning) {
+    console.warn(`⚠️  ${result.warning}`);
+    console.log('Please resolve all TODOs before packaging.');
+    process.exit(1);
+  }
+  console.log('✅ Skill is valid!');
+
+  // 2. Package
+  const outputFilename = path.join(outputDir, `${skillName}.skill`);
+
+  try {
+    // Zip everything except junk, keeping the folder structure
+    // We'll use the native 'zip' command for simplicity in a CLI environment
+    // or we could use a JS library, but zip is ubiquitous on darwin/linux.
+
+    // Command to zip:
+    // -r: recursive
+    // -x: exclude patterns
+    // Run the zip command from within the directory to avoid parent folder nesting
+    let zipProcess = spawnSync('zip', ['-r', outputFilename, '.'], {
+      cwd: skillPath,
+      stdio: 'inherit',
+    });
+
+    if (zipProcess.error || zipProcess.status !== 0) {
+      if (process.platform === 'win32') {
+        // Fallback to PowerShell Compress-Archive on Windows
+        // Note: Compress-Archive only supports .zip extension, so we zip to .zip and rename
+        console.log('zip command not found, falling back to PowerShell...');
+        const tempZip = outputFilename + '.zip';
+        // Escape single quotes for PowerShell (replace ' with '') and use single quotes for the path
+        const safeTempZip = tempZip.replace(/'/g, "''");
+        zipProcess = spawnSync(
+          'powershell.exe',
+          [
+            '-NoProfile',
+            '-Command',
+            `Compress-Archive -Path .\\* -DestinationPath '${safeTempZip}' -Force`,
+          ],
+          {
+            cwd: skillPath,
+            stdio: 'inherit',
+          },
+        );
+
+        if (zipProcess.status === 0 && require('node:fs').existsSync(tempZip)) {
+          require('node:fs').renameSync(tempZip, outputFilename);
+        }
+      } else {
+        // Fallback to tar on Unix-like systems
+        console.log('zip command not found, falling back to tar...');
+        zipProcess = spawnSync(
+          'tar',
+          ['-a', '-c', '--format=zip', '-f', outputFilename, '.'],
+          {
+            cwd: skillPath,
+            stdio: 'inherit',
+          },
+        );
+      }
+    }
+
+    if (zipProcess.error) {
+      throw zipProcess.error;
+    }
+
+    if (zipProcess.status !== 0) {
+      throw new Error(
+        `Packaging command failed with exit code ${zipProcess.status}`,
+      );
+    }
+
+    console.log(`✅ Successfully packaged skill to: ${outputFilename}`);
+  } catch (err) {
+    console.error(`❌ Error packaging: ${err.message}`);
+    process.exit(1);
+  }
+}
+
+main();

package/bundle/builtin/skill-creator/scripts/validate_skill.cjs

@@ -0,0 +1,131 @@
+/**
+ * @license
+ * Copyright 2026 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * Quick validation logic for skills.
+ * Leveraging existing dependencies when possible or providing a zero-dep fallback.
+ */
+
+const fs = require('node:fs');
+const path = require('node:path');
+
+function validateSkill(skillPath) {
+  if (!fs.existsSync(skillPath) || !fs.statSync(skillPath).isDirectory()) {
+    return { valid: false, message: `Path is not a directory: ${skillPath}` };
+  }
+
+  const skillMdPath = path.join(skillPath, 'SKILL.md');
+  if (!fs.existsSync(skillMdPath)) {
+    return { valid: false, message: 'SKILL.md not found' };
+  }
+
+  const content = fs.readFileSync(skillMdPath, 'utf8');
+  if (!content.startsWith('---')) {
+    return { valid: false, message: 'No YAML frontmatter found' };
+  }
+
+  const parts = content.split('---');
+  if (parts.length < 3) {
+    return { valid: false, message: 'Invalid frontmatter format' };
+  }
+
+  const frontmatterText = parts[1];
+
+  const nameMatch = frontmatterText.match(/^name:\s*(.+)$/m);
+  // Match description: "text" or description: 'text' or description: text
+  const descMatch = frontmatterText.match(
+    /^description:\s*(?:'([^']*)'|"([^"]*)"|(.+))$/m,
+  );
+
+  if (!nameMatch)
+    return { valid: false, message: 'Missing "name" in frontmatter' };
+  if (!descMatch)
+    return {
+      valid: false,
+      message: 'Description must be a single-line string: description: ...',
+    };
+
+  const name = nameMatch[1].trim();
+  const description = (
+    descMatch[1] !== undefined
+      ? descMatch[1]
+      : descMatch[2] !== undefined
+        ? descMatch[2]
+        : descMatch[3] || ''
+  ).trim();
+
+  if (description.includes('\n')) {
+    return {
+      valid: false,
+      message: 'Description must be a single line (no newlines)',
+    };
+  }
+
+  if (!/^[a-z0-9-]+$/.test(name)) {
+    return { valid: false, message: `Name "${name}" should be hyphen-case` };
+  }
+
+  if (description.length > 1024) {
+    return { valid: false, message: 'Description is too long (max 1024)' };
+  }
+
+  // Check for TODOs
+  const files = getAllFiles(skillPath);
+  for (const file of files) {
+    const fileContent = fs.readFileSync(file, 'utf8');
+    if (fileContent.includes('TODO:')) {
+      return {
+        valid: true,
+        message: 'Skill has unresolved TODOs',
+        warning: `Found unresolved TODO in ${path.relative(skillPath, file)}`,
+      };
+    }
+  }
+
+  return { valid: true, message: 'Skill is valid!' };
+}
+
+function getAllFiles(dir, fileList = []) {
+  const files = fs.readdirSync(dir);
+  files.forEach((file) => {
+    const name = path.join(dir, file);
+    if (fs.statSync(name).isDirectory()) {
+      if (!['node_modules', '.git', '__pycache__'].includes(file)) {
+        getAllFiles(name, fileList);
+      }
+    } else {
+      fileList.push(name);
+    }
+  });
+  return fileList;
+}
+
+if (require.main === module) {
+  const args = process.argv.slice(2);
+  if (args.length !== 1) {
+    console.log('Usage: node validate_skill.js <skill_directory>');
+    process.exit(1);
+  }
+
+  const skillDirArg = args[0];
+  if (skillDirArg.includes('..')) {
+    console.error('❌ Error: Path traversal detected in skill directory path.');
+    process.exit(1);
+  }
+
+  const result = validateSkill(path.resolve(skillDirArg));
+  if (result.warning) {
+    console.warn(`⚠️  ${result.warning}`);
+  }
+  if (result.valid) {
+    console.log(`✅ ${result.message}`);
+  } else {
+    console.error(`❌ ${result.message}`);
+    process.exit(1);
+  }
+}
+
+module.exports = { validateSkill };

package/bundle/docs/CONTRIBUTING.md

@@ -0,0 +1 @@
+../CONTRIBUTING.md

package/bundle/docs/admin/enterprise-controls.md

@@ -0,0 +1,115 @@
+# Enterprise Admin Controls
+
+Gemini CLI empowers enterprise administrators to manage and enforce security
+policies and configuration settings across their entire organization. Secure
+defaults are enabled automatically for all enterprise users, but can be
+customized via the [Management Console](https://goo.gle/manage-gemini-cli).
+
+**Enterprise Admin Controls are enforced globally and cannot be overridden by
+users locally**, ensuring a consistent security posture.
+
+## Admin Controls vs. System Settings
+
+While [System-wide settings](../cli/settings.md) act as convenient configuration
+overrides, they can still be modified by users with sufficient privileges. In
+contrast, admin controls are immutable at the local level, making them the
+preferred method for enforcing policy.
+
+## Available Controls
+
+### Strict Mode
+
+**Enabled/Disabled** | Default: enabled
+
+If enabled, users will not be able to enter yolo mode.
+
+### Extensions
+
+**Enabled/Disabled** | Default: disabled
+
+If disabled, users will not be able to use or install extensions. See
+[Extensions](../extensions/index.md) for more details.
+
+### MCP
+
+#### Enabled/Disabled
+
+**Enabled/Disabled** | Default: disabled
+
+If disabled, users will not be able to use MCP servers. See
+[MCP Server Integration](../tools/mcp-server.md) for more details.
+
+#### MCP Servers (preview)
+
+**Default**: empty
+
+Allows administrators to define an explicit allowlist of MCP servers. This
+guarantees that users can only connect to trusted MCP servers defined by the
+organization.
+
+**Allowlist Format:**
+
+```json
+{
+  "mcpServers": {
+    "external-provider": {
+      "url": "https://api.mcp-provider.com",
+      "type": "sse",
+      "trust": true,
+      "includeTools": ["toolA", "toolB"],
+      "excludeTools": []
+    },
+    "internal-corp-tool": {
+      "url": "https://mcp.internal-tool.corp",
+      "type": "http",
+      "includeTools": [],
+      "excludeTools": ["adminTool"]
+    }
+  }
+}
+```
+
+**Supported Fields:**
+
+- `url`: (Required) The full URL of the MCP server endpoint.
+- `type`: (Required) The connection type (e.g., `sse` or `http`).
+- `trust`: (Optional) If set to `true`, the server is trusted and tool execution
+  will not require user approval.
+- `includeTools`: (Optional) An explicit list of tool names to allow. If
+  specified, only these tools will be available.
+- `excludeTools`: (Optional) A list of tool names to hide. These tools will be
+  blocked.
+
+**Client Enforcement Logic:**
+
+- **Empty Allowlist**: If the admin allowlist is empty, the client uses the
+  user’s local configuration as is (unless the MCP toggle above is disabled).
+- **Active Allowlist**: If the allowlist contains one or more servers, **all
+  locally configured servers not present in the allowlist are ignored**.
+- **Configuration Merging**: For a server to be active, it must exist in
+  **both** the admin allowlist and the user’s local configuration (matched by
+  name). The client merges these definitions as follows:
+  - **Override Fields**: The `url`, `type`, & `trust` are always taken from the
+    admin allowlist, overriding any local values.
+  - **Tools Filtering**: If `includeTools` or `excludeTools` are defined in the
+    allowlist, the admin’s rules are used exclusively. If both are undefined in
+    the admin allowlist, the client falls back to the user’s local tool
+    settings.
+  - **Cleared Fields**: To ensure security and consistency, the client
+    automatically clears local execution fields (`command`, `args`, `env`,
+    `cwd`, `httpUrl`, `tcp`). This prevents users from overriding the connection
+    method.
+  - **Other Fields**: All other MCP fields are pulled from the user’s local
+    configuration.
+- **Missing Allowlisted Servers**: If a server appears in the admin allowlist
+  but is missing from the local configuration, it will not be initialized. This
+  ensures users maintain final control over which permitted servers are actually
+  active in their environment.
+
+### Unmanaged Capabilities
+
+**Enabled/Disabled** | Default: disabled
+
+If disabled, users will not be able to use certain features. Currently, this
+control disables Agent Skills. See [Agent Skills](../cli/skills.md) for more
+details.