@dreamlogic-ai/cli 2.0.0 → 2.0.2

package/dist/commands/install.js

@@ -3,9 +3,11 @@
  * Supports: interactive multi-select, single skill by name, --from-file
  */
 import * as clack from "@clack/prompts";
+import { join } from "path";
 import { ApiClient } from "../lib/api-client.js";
 import { getServer, getInstallDir, loadInstalled } from "../lib/config.js";
 import { installSkill } from "../lib/installer.js";
+import { detectAgents, registerSkillWithAgents } from "../lib/agents.js";
 import { ui } from "../lib/ui.js";
 import { requireAuth } from "./helpers.js";
 import chalk from "chalk";
@@ -134,6 +136,56 @@ export async function installCommand(skillIds, opts) {
     else {
         ui.warning(`${successCount}/${selectedIds.length} installed. Check errors above.`);
     }
+    // ── Agent Registration Step ──
+    if (successCount > 0 && !opts.yes) {
+        console.log();
+        const { universal, detected } = detectAgents();
+        const totalAgents = universal.length + detected.length;
+        if (totalAgents > 0) {
+            // Build options grouped by category
+            const agentOptions = [];
+            // Universal agents header
+            for (const agent of universal) {
+                agentOptions.push({
+                    label: agent.name,
+                    value: `u:${agent.name}`,
+                    hint: "universal (.agents/skills)",
+                });
+            }
+            // Detected additional agents
+            for (const agent of detected) {
+                agentOptions.push({
+                    label: agent.name,
+                    value: `a:${agent.name}`,
+                    hint: `detected (${agent.skillsDir})`,
+                });
+            }
+            const agentChoice = await clack.multiselect({
+                message: `Register skills with AI agents? (${totalAgents} agents available)`,
+                options: agentOptions,
+                required: false,
+            });
+            if (!clack.isCancel(agentChoice) && agentChoice.length > 0) {
+                const chosenNames = agentChoice.map(v => v.replace(/^[ua]:/, ""));
+                const allAgents = [...universal, ...detected];
+                const chosenAgents = allAgents.filter(a => chosenNames.includes(a.name));
+                // Register each installed skill with chosen agents
+                const installDir = getInstallDir();
+                for (const id of selectedIds) {
+                    const skillPath = join(installDir, id);
+                    const results = registerSkillWithAgents(id, skillPath, chosenAgents);
+                    const created = results.filter(r => r.status === "created").length;
+                    const errors = results.filter(r => r.status === "error");
+                    if (created > 0) {
+                        ui.ok(`${id}: registered with ${created} agent location(s)`);
+                    }
+                    for (const e of errors) {
+                        ui.warning(`${e.agent}: ${e.error}`);
+                    }
+                }
+            }
+        }
+    }
     // Suggest MCP setup
     if (successCount > 0) {
         console.log();

package/dist/commands/setup-mcp.js

@@ -40,7 +40,8 @@ function getAgents(server, key) {
             generate: () => ({
                 mcpServers: {
                     "dreamlogic-skills": {
-                        url: `${server}/sse?api_key=${key}`,
+                        url: `${server}/sse`,
+                        headers: { "Authorization": `Bearer ${key}` },
                     },
                 },
             }),
@@ -87,7 +88,7 @@ function getAgents(server, key) {
             },
             generate: () => ({
                 // R1-02: Store args as array, not interpolated string
-                args: ["mcp", "add", "dreamlogic-skills", "--url", `${server}/sse?api_key=${key}`],
+                args: ["mcp", "add", "dreamlogic-skills", "--url", `${server}/sse`, "--header", `Authorization: Bearer ${key}`],
             }),
             apply: (config) => {
                 // R1-02: execFileSync with arg array — no shell injection possible
@@ -101,7 +102,8 @@ function getAgents(server, key) {
             generate: () => ({
                 mcpServers: {
                     "dreamlogic-skills": {
-                        url: `${server}/sse?api_key=${key}`,
+                        url: `${server}/sse`,
+                        headers: { "Authorization": `Bearer ${key}` },
                     },
                 },
             }),
@@ -170,7 +172,7 @@ export async function setupMcpCommand(opts) {
         const config = agent.generate(server, apiKey);
         // D-11: Show what will be written (R1-01: mask key in display)
         if (agent.name === "Claude CLI") {
-            const maskedCmd = `claude mcp add dreamlogic-skills --url "${server}/sse?api_key=${maskKey(apiKey)}"`;
+            const maskedCmd = `claude mcp add dreamlogic-skills --url "${server}/sse" --header "Authorization: Bearer ${maskKey(apiKey)}"`;
             ui.line(`  Command: ${chalk.cyan(maskedCmd)}`);
         }
         else {

package/dist/lib/agents.d.ts

@@ -0,0 +1,40 @@
+export interface AgentConfig {
+    name: string;
+    skillsDir: string;
+    envOverride?: string;
+    group: "universal" | "additional";
+    detect?: string;
+}
+/**
+ * Detect which agents are installed on this system
+ */
+export declare function detectAgents(): {
+    universal: AgentConfig[];
+    detected: AgentConfig[];
+};
+/**
+ * Get all available agents (universal + detected)
+ */
+export declare function getAllAgents(): AgentConfig[];
+/**
+ * Register a skill with specific agents by creating symlinks
+ * Returns array of { agent, path, status } results
+ */
+export declare function registerSkillWithAgents(skillId: string, skillPath: string, agents: AgentConfig[]): Array<{
+    agent: string;
+    path: string;
+    status: "created" | "updated" | "exists" | "error";
+    error?: string;
+}>;
+/**
+ * Unregister a skill from all agents (remove symlinks only)
+ */
+export declare function unregisterSkillFromAgents(skillId: string): number;
+/**
+ * List which agents have a specific skill registered
+ */
+export declare function getSkillAgentStatus(skillId: string): Array<{
+    agent: string;
+    registered: boolean;
+    path: string;
+}>;

package/dist/lib/agents.js

@@ -0,0 +1,178 @@
+/**
+ * Agent Registry — detect installed AI agents and register skills
+ * Inspired by skills.sh (vercel-labs/skills) agent directory mapping
+ *
+ * Pattern: Each agent has a known skills directory. We create symlinks
+ * from the agent's skills dir to the actual skill install location.
+ */
+import { existsSync, mkdirSync, symlinkSync, lstatSync, readlinkSync, unlinkSync } from "fs";
+import { join, resolve } from "path";
+import { homedir, platform } from "os";
+// ===== Agent Directory Map =====
+// Universal agents: always shown (use .agents/skills as shared dir)
+// Additional agents: shown only if detected on the system
+const AGENT_CONFIGS = [
+    // ── Universal (.agents/skills) ──
+    { name: "Amp", skillsDir: ".agents/skills", group: "universal" },
+    { name: "Cline", skillsDir: ".agents/skills", group: "universal" },
+    { name: "Codex", skillsDir: ".agents/skills", group: "universal", envOverride: "CODEX_HOME" },
+    { name: "Cursor", skillsDir: ".agents/skills", group: "universal" },
+    { name: "Deep Agents", skillsDir: ".agents/skills", group: "universal" },
+    { name: "Firebender", skillsDir: ".agents/skills", group: "universal" },
+    { name: "Gemini CLI", skillsDir: ".agents/skills", group: "universal" },
+    { name: "GitHub Copilot", skillsDir: ".agents/skills", group: "universal" },
+    { name: "Kimi Code CLI", skillsDir: ".agents/skills", group: "universal" },
+    { name: "OpenCode", skillsDir: ".agents/skills", group: "universal" },
+    { name: "Warp", skillsDir: ".agents/skills", group: "universal" },
+    // ── Additional agents ──
+    { name: "Augment", skillsDir: ".augment/skills", group: "additional", detect: ".augment" },
+    { name: "Claude Code", skillsDir: ".claude/skills", group: "additional", detect: ".claude", envOverride: "CLAUDE_CONFIG_DIR" },
+    { name: "OpenClaw", skillsDir: "skills", group: "additional", detect: "skills" },
+    { name: "CodeBuddy", skillsDir: ".codebuddy/skills", group: "additional", detect: ".codebuddy" },
+    { name: "Continue", skillsDir: ".continue/skills", group: "additional", detect: ".continue" },
+    { name: "Windsurf", skillsDir: ".codeium/windsurf/skills", group: "additional", detect: ".codeium" },
+    { name: "Goose", skillsDir: ".config/goose/skills", group: "additional", detect: ".config/goose" },
+    { name: "Roo Code", skillsDir: ".roo/skills", group: "additional", detect: ".roo" },
+    { name: "Trae", skillsDir: ".trae/skills", group: "additional", detect: ".trae" },
+    { name: "Void", skillsDir: ".void/skills", group: "additional", detect: ".void" },
+    { name: "Zed", skillsDir: ".config/zed/skills", group: "additional", detect: ".config/zed" },
+    { name: "Aider", skillsDir: ".aider/skills", group: "additional", detect: ".aider" },
+    { name: "Plandex", skillsDir: ".plandex/skills", group: "additional", detect: ".plandex" },
+];
+/**
+ * Resolve the skills directory for an agent (handles env overrides + home expansion)
+ */
+function resolveAgentDir(agent) {
+    const home = homedir();
+    if (agent.envOverride && process.env[agent.envOverride]) {
+        return join(process.env[agent.envOverride], "skills");
+    }
+    return join(home, agent.skillsDir);
+}
+/**
+ * Detect which agents are installed on this system
+ */
+export function detectAgents() {
+    const home = homedir();
+    const universal = AGENT_CONFIGS.filter(a => a.group === "universal");
+    const additional = AGENT_CONFIGS.filter(a => a.group === "additional");
+    const detected = additional.filter(agent => {
+        if (!agent.detect)
+            return false;
+        const checkPath = join(home, agent.detect);
+        return existsSync(checkPath);
+    });
+    return { universal, detected };
+}
+/**
+ * Get all available agents (universal + detected)
+ */
+export function getAllAgents() {
+    const { universal, detected } = detectAgents();
+    return [...universal, ...detected];
+}
+/**
+ * Register a skill with specific agents by creating symlinks
+ * Returns array of { agent, path, status } results
+ */
+export function registerSkillWithAgents(skillId, skillPath, agents) {
+    const results = [];
+    // R3-08: Validate skill ID to prevent path traversal via symlink target
+    const SAFE_SKILL_ID = /^[a-zA-Z0-9][a-zA-Z0-9._-]{0,127}$/;
+    if (!SAFE_SKILL_ID.test(skillId)) {
+        return [{ agent: "all", path: "", status: "error", error: "Invalid skill ID" }];
+    }
+    const resolvedSkillPath = resolve(skillPath);
+    // Deduplicate by resolved dir (universal agents share .agents/skills)
+    const seenDirs = new Set();
+    for (const agent of agents) {
+        const agentDir = resolveAgentDir(agent);
+        // Skip duplicates (multiple universal agents → same .agents/skills dir)
+        if (seenDirs.has(agentDir)) {
+            results.push({ agent: agent.name, path: agentDir, status: "exists" });
+            continue;
+        }
+        seenDirs.add(agentDir);
+        const targetLink = join(agentDir, skillId);
+        try {
+            // Ensure parent dir exists
+            mkdirSync(agentDir, { recursive: true });
+            // Check if link already exists
+            if (existsSync(targetLink)) {
+                try {
+                    const stat = lstatSync(targetLink);
+                    if (stat.isSymbolicLink()) {
+                        const existing = readlinkSync(targetLink);
+                        if (resolve(existing) === resolvedSkillPath) {
+                            results.push({ agent: agent.name, path: targetLink, status: "exists" });
+                            continue;
+                        }
+                        // Different target — update
+                        unlinkSync(targetLink);
+                    }
+                    else {
+                        // Not a symlink (real directory) — skip to avoid data loss
+                        results.push({ agent: agent.name, path: targetLink, status: "exists" });
+                        continue;
+                    }
+                }
+                catch {
+                    // Stat failed — try to proceed
+                }
+            }
+            // Create symlink
+            // On Windows, use junction for directories (no admin required)
+            const linkType = platform() === "win32" ? "junction" : "dir";
+            symlinkSync(resolvedSkillPath, targetLink, linkType);
+            results.push({ agent: agent.name, path: targetLink, status: "created" });
+        }
+        catch (err) {
+            results.push({
+                agent: agent.name,
+                path: targetLink,
+                status: "error",
+                error: err.message,
+            });
+        }
+    }
+    return results;
+}
+/**
+ * Unregister a skill from all agents (remove symlinks only)
+ */
+export function unregisterSkillFromAgents(skillId) {
+    const home = homedir();
+    let removed = 0;
+    // Check all known agent dirs
+    const allDirs = new Set(AGENT_CONFIGS.map(a => resolveAgentDir(a)));
+    for (const dir of allDirs) {
+        const targetLink = join(dir, skillId);
+        try {
+            if (existsSync(targetLink) && lstatSync(targetLink).isSymbolicLink()) {
+                unlinkSync(targetLink);
+                removed++;
+            }
+        }
+        catch {
+            // Skip errors
+        }
+    }
+    return removed;
+}
+/**
+ * List which agents have a specific skill registered
+ */
+export function getSkillAgentStatus(skillId) {
+    const results = [];
+    const seenDirs = new Set();
+    for (const agent of AGENT_CONFIGS) {
+        const agentDir = resolveAgentDir(agent);
+        if (seenDirs.has(agentDir))
+            continue;
+        seenDirs.add(agentDir);
+        const targetLink = join(agentDir, skillId);
+        const registered = existsSync(targetLink);
+        results.push({ agent: agent.name, registered, path: targetLink });
+    }
+    return results;
+}

package/dist/lib/config.js

@@ -6,6 +6,21 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync, chmodSync, statSync
 import { join } from "path";
 import { homedir } from "os";
 import { CONFIG_DIR_NAME, DEFAULT_SERVER, DEFAULT_INSTALL_DIR_NAME, } from "../types.js";
+/** CFG-01 FIX: Recursively strip prototype pollution keys from parsed JSON */
+function sanitize(obj) {
+    if (typeof obj !== "object" || obj === null)
+        return obj;
+    const BANNED = new Set(["__proto__", "constructor", "prototype"]);
+    for (const key of Object.keys(obj)) {
+        if (BANNED.has(key)) {
+            delete obj[key];
+        }
+        else {
+            obj[key] = sanitize(obj[key]);
+        }
+    }
+    return obj;
+}
 // R1-06: Key format validation applied everywhere
 const KEY_RE = /^sk-(admin|user)-[a-f0-9]{16,}$/;
 function getConfigDir() {
@@ -31,7 +46,7 @@ export function loadConfig() {
     if (!existsSync(path))
         return null;
     try {
-        const data = JSON.parse(readFileSync(path, "utf-8"));
+        const data = sanitize(JSON.parse(readFileSync(path, "utf-8")));
         // R2-13: Basic shape validation
         if (typeof data !== "object" || data === null)
             return null;
@@ -81,7 +96,7 @@ export function loadInstalled() {
     if (!existsSync(path))
         return {};
     try {
-        const data = JSON.parse(readFileSync(path, "utf-8"));
+        const data = sanitize(JSON.parse(readFileSync(path, "utf-8")));
         // R2-13: Basic shape validation
         if (typeof data !== "object" || data === null || Array.isArray(data))
             return {};

package/dist/lib/installer.js

@@ -8,7 +8,7 @@
  */
 import { createWriteStream, existsSync, mkdirSync, readdirSync, renameSync, rmSync, statSync } from "fs";
 import { join, normalize, resolve as pathResolve, sep } from "path";
-import { pipeline } from "stream/promises";
+import { Transform as TransformStream } from "stream";
 import yauzl from "yauzl";
 import { loadInstalled, saveInstalled, getInstallDir } from "./config.js";
 import { ui } from "./ui.js";
@@ -155,6 +155,10 @@ export async function installSkill(client, skillId, packageFile, expectedSha256,
  * Rollback a skill to its backup (D-13)
  */
 export function rollbackSkill(skillId) {
+    // INS-03/RBK-01 FIX: Validate skill ID to prevent path traversal
+    if (!SAFE_SKILL_ID.test(skillId)) {
+        return false;
+    }
     const installDir = getInstallDir();
     const skillDir = join(installDir, skillId);
     let entries;
@@ -235,15 +239,22 @@ function extractZip(buffer, targetDir) {
                     reject(new Error(`Unsafe path in ZIP: ${entry.fileName}`));
                     return;
                 }
-                // Reject oversized single files
+                // INS-02 FIX: Reject symlink entries (external attributes bit 0xA000)
+                const externalAttrs = (entry.externalFileAttributes >>> 16) & 0xFFFF;
+                const S_IFLNK = 0xA000;
+                if ((externalAttrs & 0xF000) === S_IFLNK) {
+                    zipfile.close();
+                    reject(new Error(`Symlink entry rejected in ZIP: ${entry.fileName}`));
+                    return;
+                }
+                // R1-03: Pre-check declared size (actual bytes tracked in counting stream below)
                 if (entry.uncompressedSize > MAX_SINGLE_FILE_SIZE) {
                     zipfile.close(); // R2-08
                     reject(new Error(`File too large in ZIP: ${entry.fileName} (${entry.uncompressedSize} bytes)`));
                     return;
                 }
-                // R1-03: Cumulative size limit
-                totalExtracted += entry.uncompressedSize;
-                if (totalExtracted > MAX_TOTAL_EXTRACT_SIZE) {
+                // R1-03: Pre-check cumulative declared size (actual bytes tracked in stream)
+                if (totalExtracted + entry.uncompressedSize > MAX_TOTAL_EXTRACT_SIZE) {
                     zipfile.close(); // R2-08
                     reject(new Error(`Total extracted size exceeds ${MAX_TOTAL_EXTRACT_SIZE / 1024 / 1024}MB — possible zip bomb`));
                     return;
@@ -272,11 +283,31 @@ function extractZip(buffer, targetDir) {
                             reject(err || new Error("Failed to read ZIP entry"));
                             return;
                         }
-                        const writeStream = createWriteStream(fullPath);
-                        pipeline(readStream, writeStream).then(() => zipfile.readEntry()).catch((e) => {
-                            zipfile.close(); // R2-08
-                            reject(e);
+                        // INS-01 FIX: Track actual bytes written (not declared uncompressedSize)
+                        let fileBytes = 0;
+                        const countingStream = new TransformStream({
+                            transform(chunk, _encoding, callback) {
+                                fileBytes += chunk.length;
+                                totalExtracted += chunk.length;
+                                if (fileBytes > MAX_SINGLE_FILE_SIZE) {
+                                    zipfile.close();
+                                    callback(new Error(`Actual file size exceeds limit: ${entry.fileName}`));
+                                    return;
+                                }
+                                if (totalExtracted > MAX_TOTAL_EXTRACT_SIZE) {
+                                    zipfile.close();
+                                    callback(new Error(`Total extracted size exceeds ${MAX_TOTAL_EXTRACT_SIZE / 1024 / 1024}MB — possible zip bomb`));
+                                    return;
+                                }
+                                callback(null, chunk);
+                            },
                         });
+                        const writeStream = createWriteStream(fullPath);
+                        readStream.pipe(countingStream).pipe(writeStream);
+                        writeStream.on("finish", () => zipfile.readEntry());
+                        writeStream.on("error", (e) => { zipfile.close(); reject(e); });
+                        countingStream.on("error", (e) => { zipfile.close(); reject(e); });
+                        readStream.on("error", (e) => { zipfile.close(); reject(e); });
                     });
                 }
             });

package/dist/lib/ui.d.ts

@@ -7,7 +7,7 @@ export declare const ui: {
     error: import("chalk").ChalkInstance;
     dim: import("chalk").ChalkInstance;
     muted: import("chalk").ChalkInstance;
-    /** Animated gradient logo banner */
+    /** Animated gradient logo banner — block-art style */
     banner(): void;
     /** Section header with gradient bar */
     header(text: string): void;

package/dist/lib/ui.js

@@ -29,16 +29,17 @@ export const ui = {
     error,
     dim,
     muted,
-    /** Animated gradient logo banner */
+    /** Animated gradient logo banner — block-art style */
     banner() {
-        const logo = figlet.textSync("DreamLogic", { font: "Small" });
+        const dream = figlet.textSync("DREAM", { font: "ANSI Shadow" });
+        const logic = figlet.textSync("LOGIC", { font: "ANSI Shadow" });
+        const fullLogo = dream + logic;
         console.log();
-        console.log(hasTruecolor ? brandGradient.multiline(logo) : chalk.bold.magenta(logo));
-        console.log(muted("  ") +
+        console.log(hasTruecolor ? brandGradient.multiline(fullLogo) : chalk.bold.magenta(fullLogo));
+        console.log(muted("        ") +
             (hasTruecolor ? brandGradient(`${CLI_NAME} v${CLI_VERSION}`) : chalk.bold(`${CLI_NAME} v${CLI_VERSION}`)) +
             muted("  |  ") +
             muted(CLI_AUTHOR));
-        console.log(muted("  " + "─".repeat(48)));
         console.log();
     },
     /** Section header with gradient bar */

package/dist/types.d.ts

@@ -33,6 +33,6 @@ export interface InstalledRegistry {
 export declare const DEFAULT_SERVER = "https://skill.dreamlogic-claw.com";
 export declare const DEFAULT_INSTALL_DIR_NAME = "dreamlogic-skills";
 export declare const CONFIG_DIR_NAME = ".dreamlogic";
-export declare const CLI_VERSION = "2.0.0";
+export declare const CLI_VERSION = "2.0.2";
 export declare const CLI_NAME = "Dreamlogic CLI";
 export declare const CLI_AUTHOR = "Dreamlogic-ai by MAJORNINE";

package/dist/types.js

@@ -2,6 +2,6 @@
 export const DEFAULT_SERVER = "https://skill.dreamlogic-claw.com";
 export const DEFAULT_INSTALL_DIR_NAME = "dreamlogic-skills";
 export const CONFIG_DIR_NAME = ".dreamlogic";
-export const CLI_VERSION = "2.0.0";
+export const CLI_VERSION = "2.0.2";
 export const CLI_NAME = "Dreamlogic CLI";
 export const CLI_AUTHOR = "Dreamlogic-ai by MAJORNINE";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dreamlogic-ai/cli",
-  "version": "2.0.0",
+  "version": "2.0.2",
   "description": "Dreamlogic AI Skill Manager — Install, update and manage AI agent skills",
   "type": "module",
   "bin": {