npm - @js-eyes/protocol - Versions diffs - 2.6.2 → 2.8.1 - Mend

@js-eyes/protocol 2.6.2 → 2.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/index.js CHANGED Viewed

@@ -24,13 +24,12 @@ const FORWARDABLE_ACTIONS = [
 ];
 const SENSITIVE_TOOL_NAMES = Object.freeze([
-  'js_eyes_execute_script',
-  'js_eyes_get_cookies',
-  'js_eyes_get_cookies_by_domain',
-  'js_eyes_inject_css',
-  'js_eyes_upload_file',
-  'js_eyes_upload_file_to_tab',
-  'js_eyes_install_skill',
+  'browser/execute-script',
+  'browser/get-cookies',
+  'browser/get-cookies-by-domain',
+  'browser/inject-css',
+  'browser/upload-file',
+  'skills/plan-install',
 ]);
 const LOOPBACK_HOSTS = Object.freeze(['localhost', '127.0.0.1', '::1', '::ffff:127.0.0.1', '0:0:0:0:0:0:0:1']);
@@ -79,13 +78,12 @@ const DEFAULT_SECURITY_CONFIG = Object.freeze({
   taint: { ...DEFAULT_TAINT_CONFIG },
   profile: { ...DEFAULT_PROFILE_CONFIG },
   toolPolicies: {
-    js_eyes_execute_script: 'confirm',
-    js_eyes_get_cookies: 'confirm',
-    js_eyes_get_cookies_by_domain: 'confirm',
-    js_eyes_inject_css: 'confirm',
-    js_eyes_upload_file: 'confirm',
-    js_eyes_upload_file_to_tab: 'confirm',
-    js_eyes_install_skill: 'confirm',
+    'browser/execute-script': 'confirm',
+    'browser/get-cookies': 'confirm',
+    'browser/get-cookies-by-domain': 'confirm',
+    'browser/inject-css': 'confirm',
+    'browser/upload-file': 'confirm',
+    'skills/plan-install': 'confirm',
   },
   sensitiveCookieDomains: [
     'bank',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@js-eyes/protocol",
-  "version": "2.6.2",
+  "version": "2.8.1",
   "description": "Shared protocol constants for JS Eyes runtime packages",
   "main": "index.js",
   "files": [

package/safe-npm.js CHANGED Viewed

@@ -11,9 +11,9 @@
 //     process.env (tokens, OAuth state, etc.) never leak into the npm run;
 //   * postinstall scripts are disabled unless the caller explicitly opts in.
 //
-// The single allowed binary name is `npm`. No wildcards, no PATHEXT, no shell
-// meta-characters: Node's child_process with shell=false treats the argv as a
-// literal argument vector.
+// The only allowed binary is npm (or the fixed cmd.exe/npm.cmd wrapper Windows
+// requires for command shims). No wildcards or user-controlled argv: every npm
+// argument still comes from immutable constants below.
 const fs = require('fs');
 const path = require('path');
@@ -26,6 +26,7 @@ const ALLOWED_SUBCOMMANDS = Object.freeze({
 const SAFE_ENV_KEYS = Object.freeze([
   'PATH',
+  'Path',
   'HOME',
   'USERPROFILE',
   'APPDATA',
@@ -82,7 +83,12 @@ function runNpm(subcommand, targetDir, options = {}) {
     npm_config_ignore_scripts: allowPostinstall ? 'false' : 'true',
   });
-  const result = spawnSync('npm', baseArgs, {
+  const bin = process.platform === 'win32' ? 'cmd.exe' : 'npm';
+  const args = process.platform === 'win32'
+    ? ['/d', '/s', '/c', 'npm.cmd', ...baseArgs]
+    : baseArgs;
+  const result = spawnSync(bin, args, {
     cwd: targetDir,
     stdio: options.stdio || 'pipe',
     shell: false,
@@ -97,7 +103,8 @@ function safeNpmCi(targetDir, options = {}) {
   const { result, args } = runNpm('ci', targetDir, options);
   if (result.status !== 0) {
     const stderr = result.stderr ? String(result.stderr) : '';
-    throw new Error(`npm ${args.join(' ')} 失败 (status=${result.status}): ${stderr.slice(0, 500)}`);
+    const reason = result.error ? result.error.message : stderr;
+    throw new Error(`npm ${args.join(' ')} 失败 (status=${result.status}): ${String(reason || '').slice(0, 500)}`);
   }
   return { ran: true, manager: 'npm', args };
 }
@@ -106,7 +113,8 @@ function safeNpmInstall(targetDir, options = {}) {
   const { result, args } = runNpm('install', targetDir, options);
   if (result.status !== 0) {
     const stderr = result.stderr ? String(result.stderr) : '';
-    throw new Error(`npm ${args.join(' ')} 失败 (status=${result.status}): ${stderr.slice(0, 500)}`);
+    const reason = result.error ? result.error.message : stderr;
+    throw new Error(`npm ${args.join(' ')} 失败 (status=${result.status}): ${String(reason || '').slice(0, 500)}`);
   }
   return { ran: true, manager: 'npm', args };
 }

package/skill-registry.js CHANGED Viewed

@@ -3,7 +3,12 @@
 /**
  * SkillRegistry — js-eyes 技能运行时注册表
  *
- * 通过「工具级 dispatcher 间接层」实现零重启热加载：
+ * 通过两种绑定模式实现零重启热加载：
+ *   - routerMode=true（OpenClaw 单工具模式）：只维护 actionBindings，由 `js-eyes`
+ *     总线工具按 `skill/<skillId>/<action>` 委派执行，不向宿主注册子技能工具；
+ *   - routerMode=false（兼容/测试模式）：保留工具级 dispatcher 间接层。
+ *
+ * 兼容 dispatcher 模式：
  *   - 插件启动时 api.registerTool(name, dispatcher) 仅对每个 tool name 注册一次稳定闭包；
  *   - 每个 dispatcher 在调用时从 toolBindings.get(name) 查当前实现并委派；
  *   - 热加载只改 toolBindings 映射，不触碰宿主注册表。
@@ -15,6 +20,8 @@
  * 让 OpenClaw / LLM 看到正确的入参约束（required / properties 等）。热加载时若 contract
  * 改了 schema，会按**引用** mutate 已注册的 dispatcher 对象；若某些 OpenClaw 宿主对 tool
  * 对象做了深拷贝/快照，则 mutate 不会生效，但首次注册的 schema 仍然是正确的。
+ * routerMode 下 OpenClaw 只看到 `js-eyes` 的总线 schema，子技能 schema 作为内部 definition
+ * 保留给后续 introspection / 文档输出使用。
  */
 const fs = require('fs');
@@ -30,6 +37,7 @@ function isSkillEnabled(...args) { return skillsApi.isSkillEnabled(...args); }
 function loadSkillContract(...args) { return skillsApi.loadSkillContract(...args); }
 function readSkillIntegrity(...args) { return skillsApi.readSkillIntegrity(...args); }
 function resolveSkillSources(...args) { return skillsApi.resolveSkillSources(...args); }
+function skillToolActionName(...args) { return skillsApi.skillToolActionName(...args); }
 function verifySkillIntegrity(...args) { return skillsApi.verifySkillIntegrity(...args); }
 const { verifyExtraDir: verifyExtraSkillDir } = require('./extra-integrity');
@@ -51,6 +59,17 @@ function makeLogger(candidate) {
   };
 }
+function isBundledPrimarySkill(skill) {
+  if (!skill || skill.source !== 'primary') return false;
+  const sourcePath = skill.sourcePath || '';
+  if (!sourcePath || path.basename(sourcePath) !== 'skills') return false;
+  const bundleRoot = path.dirname(sourcePath);
+  return (
+    fs.existsSync(path.join(bundleRoot, 'openclaw-plugin'))
+    && fs.existsSync(path.join(bundleRoot, 'skills'))
+  );
+}
 /**
  * 计算 skillDir 内"驱动热更"的关键文件的指纹（mtime 组合）。
  * 任一文件缺失按 0 处理；出错时退化为空字符串（此时 reload 语义保守：会认为"没变"）。
@@ -118,6 +137,7 @@ function createSkillRegistry(options = {}) {
     pluginConfig = {},
     wrapSensitiveTool = null,
     builtinToolNames = [],
+    routerMode = false,
     // When true (default when a watcher is active), we set suppressNextReload
     // after our own setConfigValue writes so the chokidar echo doesn't cause a
     // duplicate reload. Leave this false in test harnesses that drive reload()
@@ -125,11 +145,11 @@ function createSkillRegistry(options = {}) {
     suppressSelfWrites = true,
   } = options;
-  if (!api || typeof api.registerTool !== 'function') {
+  if (!routerMode && (!api || typeof api.registerTool !== 'function')) {
     throw new Error('createSkillRegistry: api.registerTool is required');
   }
-  const logger = makeLogger(options.logger || api.logger);
+  const logger = makeLogger(options.logger || (api && api.logger));
   const configLoader = typeof options.configLoader === 'function'
     ? options.configLoader
     : () => ({});
@@ -148,6 +168,8 @@ function createSkillRegistry(options = {}) {
   const skills = new Map();
   // toolName -> { skillId, definition, optional }
   const toolBindings = new Map();
+  // action -> { skillId, toolName, definition, optional }
+  const actionBindings = new Map();
   // toolName -> dispatcher object (registered once per name; kept by reference so we can
   // mutate `description`/`parameters`/`label` on hot-reload to keep OpenClaw-visible schema in sync)
   const dispatchers = new Map();
@@ -255,6 +277,11 @@ function createSkillRegistry(options = {}) {
         removed.push(name);
       }
     }
+    for (const [action, binding] of actionBindings) {
+      if (binding.skillId === skillId) {
+        actionBindings.delete(action);
+      }
+    }
     return removed;
   }
@@ -336,6 +363,7 @@ function createSkillRegistry(options = {}) {
       contract,
       adapter,
       toolNames: toolDefs.map((t) => t.toolName),
+      actionNames: toolDefs.map((t) => skillToolActionName(skill.id, t.toolName)),
       // runtime.dispose is used by hot-unload to drain WS, clear intervals, etc.
       dispose: async () => {
         const runtime = adapter && adapter.runtime;
@@ -354,17 +382,35 @@ function createSkillRegistry(options = {}) {
   function applyBindings(state) {
     const failedDispatchers = [];
+    const localActions = new Set();
     for (const entry of state.toolDefs) {
-      const dispatched = ensureDispatcher(entry.toolName, entry.optional, entry.definition);
-      if (!dispatched.ok) {
+      if (!routerMode) {
+        const dispatched = ensureDispatcher(entry.toolName, entry.optional, entry.definition);
+        if (!dispatched.ok) {
+          failedDispatchers.push(entry.toolName);
+          continue;
+        }
+      }
+      const actionName = skillToolActionName(state.id, entry.toolName);
+      if (localActions.has(actionName)) {
+        logger.warn(
+          `[js-eyes] Skill "${state.id}" skipped tool "${entry.toolName}" because action "${actionName}" duplicates another tool after slug normalization`,
+        );
         failedDispatchers.push(entry.toolName);
         continue;
       }
+      localActions.add(actionName);
       toolBindings.set(entry.toolName, {
         skillId: state.id,
         definition: entry.definition,
         optional: entry.optional,
       });
+      actionBindings.set(actionName, {
+        skillId: state.id,
+        toolName: entry.toolName,
+        definition: entry.definition,
+        optional: entry.optional,
+      });
     }
     return { failedDispatchers };
   }
@@ -475,9 +521,15 @@ function createSkillRegistry(options = {}) {
       return { ok: false };
     }
     if (!integrity.hasIntegrity) {
-      logger.warn(
-        `[js-eyes] Skill "${skill.id}" has no .integrity.json (legacy install); load allowed but consider reinstalling`,
-      );
+      if (isBundledPrimarySkill(skill)) {
+        logger.info(
+          `[js-eyes] Skill "${skill.id}" has no .integrity.json because it is loaded from the bundled/source primary skills directory (${skill.sourcePath}); load allowed. Registry-installed primary skills should carry .integrity.json for tamper checks.`,
+        );
+      } else {
+        logger.warn(
+          `[js-eyes] Skill "${skill.id}" has no .integrity.json (legacy primary install); load allowed, but reinstall via \`js-eyes skills install ${skill.id}\` to restore tamper-check metadata`,
+        );
+      }
     }
     return { ok: true };
   }
@@ -646,12 +698,27 @@ function createSkillRegistry(options = {}) {
         sourcePath: s.sourcePath,
         skillDir: s.skillDir,
         tools: s.toolNames.slice(),
+        actions: s.actionNames.slice(),
       })),
       toolBindings: Array.from(toolBindings.keys()),
+      actionBindings: Array.from(actionBindings.keys()),
       dispatchersRegistered: Array.from(dispatchers.keys()),
     };
   }
+  async function executeAction(action, toolCallId, params) {
+    const binding = actionBindings.get(action);
+    if (!binding) {
+      return { content: [{ type: 'text', text: DEFAULT_UNAVAILABLE_MESSAGE(action) }] };
+    }
+    return binding.definition.execute(toolCallId, params);
+  }
+  function getActionDefinition(action) {
+    const binding = actionBindings.get(action);
+    return binding ? binding.definition : null;
+  }
   return {
     init,
     reload,
@@ -659,9 +726,12 @@ function createSkillRegistry(options = {}) {
     disposeAll,
     snapshot,
     getState,
+    executeAction,
+    getActionDefinition,
     // Testing / plugin integration helpers
     _internals: {
       toolBindings,
+      actionBindings,
       skills,
       dispatchers,
       setSuppressNextReload(v) { suppressNextReload = Boolean(v); },

package/skills.js CHANGED Viewed

@@ -13,6 +13,20 @@ const SKILL_CONTRACT_FILE = 'skill.contract.js';
 const INTEGRITY_FILE = '.integrity.json';
 const INSTALL_MANIFEST_FILE = 'skills-install.json';
+function toolNameToActionSegment(name) {
+  return String(name || '')
+    .trim()
+    .replace(/([a-z0-9])([A-Z])/g, '$1-$2')
+    .replace(/[^a-zA-Z0-9]+/g, '-')
+    .replace(/^-+|-+$/g, '')
+    .toLowerCase();
+}
+function skillToolActionName(skillId, toolName) {
+  const action = toolNameToActionSegment(toolName);
+  return `skill/${skillId}/${action || 'run'}`;
+}
 function loadSkillContract(skillDir) {
   const contractPath = path.resolve(skillDir, SKILL_CONTRACT_FILE);
   if (!fs.existsSync(contractPath)) return null;
@@ -142,8 +156,10 @@ function normalizeSkillMetadata(skillDir) {
     ? cli.commands.map((command) => command.name)
     : [];
+  const id = contract?.id || pkg.name || path.basename(skillDir);
   return {
-    id: contract?.id || pkg.name || path.basename(skillDir),
+    id,
     name: contract?.name || pkg.name || path.basename(skillDir),
     version: contract?.version || pkg.version || '1.0.0',
     description: contract?.description || pkg.description || '',
@@ -151,6 +167,7 @@ function normalizeSkillMetadata(skillDir) {
     cliEntry: cli.entry ? path.resolve(skillDir, cli.entry) : path.join(skillDir, 'index.js'),
     commands,
     tools,
+    actions: tools.map((tool) => skillToolActionName(id, tool)),
     runtime: contract?.runtime || {},
     contract,
   };
@@ -728,6 +745,8 @@ Object.assign(module.exports, {
   resolveSkillsDir,
   resolveOpenClawPluginEntry,
   runSkillCli,
+  skillToolActionName,
+  toolNameToActionSegment,
   verifySkillIntegrity,
   writeIntegrityManifest,
 });