@mkterswingman/5mghost-wonder 0.0.2 → 0.0.3

package/dist/commands/check.js

@@ -5,7 +5,9 @@
 //   - auth: mkterswingman auth JWT/PAT
 //   - wecom-cookie: WeCom cookies.json presence + live validity probe
 //   - pandoc: CLI on PATH (used by use-skill for docx/pptx text)
-//   - soffice: CLI on PATH + real executable (broken symlinks are rejected)
+//   - soffice: CLI on PATH + real executable (optional — only the visual-
+//     layout xlsx render and docx/pptx PDF conversion need it; the default
+//     JSON read path does not shell out to soffice)
 //   - docx-skill: docx SKILL.md present in plugin cache or user skills dir
 //   - pptx-skill: pptx SKILL.md present in plugin cache or user skills dir
 //   - cache: local export cache directory state (informational)
@@ -41,12 +43,13 @@ function findOnPath(binName) {
     }
     return null;
 }
-function checkExecutable(binName, installHints) {
+function checkExecutable(binName, installHints, optional = false) {
     const found = findOnPath(binName);
     if (!found) {
         return {
             label: binName,
             ok: false,
+            optional,
             hint: installHints[process.platform] ?? installHints["default"] ?? `install ${binName}`,
         };
     }
@@ -60,6 +63,7 @@ function checkExecutable(binName, installHints) {
         return {
             label: binName,
             ok: false,
+            optional,
             hint: `${binName} is a broken symlink at ${found}. Reinstall: ${installHints[process.platform] ?? installHints["default"]}`,
             detail: found,
         };
@@ -73,6 +77,7 @@ function checkExecutable(binName, installHints) {
         return {
             label: binName,
             ok: false,
+            optional,
             hint: `${binName} is on PATH (${found}) but failed to execute. Reinstall: ${installHints[process.platform] ?? installHints["default"]}`,
             detail: `realpath=${realTarget}`,
         };
@@ -151,13 +156,18 @@ export async function runCheckCommand(_argv, context) {
         win32: "winget install pandoc",
         default: "https://pandoc.org/installing.html",
     }));
-    // ── LibreOffice soffice ─────────────────────────────────────────────────
+    // ── LibreOffice soffice (optional) ──────────────────────────────────────
+    // The default JSON read path (`wonder read <url>` / `--tab`) never touches
+    // soffice. It is only needed for (a) the optional xlsx visual-layout render
+    // step and (b) docx/pptx → PDF conversion inside the AI-side use skill.
+    // Mark as optional so a missing install does not make `wonder check` exit 1.
     items.push(checkExecutable("soffice", {
         darwin: "brew install --cask libreoffice",
         linux: "sudo apt install -y libreoffice  (or: sudo dnf install -y libreoffice)",
         win32: "winget install LibreOffice.LibreOffice",
         default: "https://www.libreoffice.org/download",
-    }));
+    }, 
+    /* optional */ true));
     // ── docx / pptx skill files ─────────────────────────────────────────────
     // Phase 5: intentionally NOT checked here.
     //

package/dist/commands/uninstall.js

@@ -1,14 +1,87 @@
 // src/commands/uninstall.ts
-// Runs `npm uninstall -g @mkterswingman/5mghost-wonder`.
-// NpmExecutor is injectable for unit testing.
+// Uninstall flow:
+//   1. Remove installed wonder skills from every detected AI client via the
+//      same manifest used at install time. Receipt gating in `removeSkills`
+//      only deletes directories this package owns.
+//   2. Run `npm uninstall -g @mkterswingman/5mghost-wonder`.
+//   3. Print the location of the local data dir (cookies + export cache)
+//      and the exact command to remove it. We do NOT delete data
+//      automatically — cookies are still reusable if the user reinstalls.
+import { resolveWonderPaths } from "../platform/paths.js";
 import { defaultNpmExecutor } from "../platform/npm.js";
+import { fileURLToPath } from "node:url";
+import { dirname, resolve } from "node:path";
 export async function runUninstallCommand(_argv, context, executor = defaultNpmExecutor) {
     context.io.stdout("Uninstalling 5mghost-wonder...");
+    // Step 1 — best-effort skill removal. Failures here do not block npm.
+    await removeInstalledSkills(context);
+    // Step 2 — npm uninstall.
     const result = executor(["uninstall", "-g", "@mkterswingman/5mghost-wonder"]);
     if (result.exitCode !== 0) {
         context.io.stderr(`Uninstall failed:\n${result.stderr}`);
         return { exitCode: 1 };
     }
+    // Step 3 — tell the user about residual data.
+    const paths = resolveWonderPaths({ homeDir: context.homeDir });
     context.io.stdout("Uninstalled successfully.");
+    context.io.stdout("");
+    context.io.stdout(`Local data kept at: ${paths.wonderDir}\n` +
+        `  (cookies + export cache; reused if you reinstall)\n` +
+        `  To remove manually:  rm -rf ${paths.wonderDir}`);
     return { exitCode: 0 };
 }
+async function removeInstalledSkills(context) {
+    let removeSkills;
+    let listDetectedAgents;
+    try {
+        ({ removeSkills, listDetectedAgents } = await import("@mkterswingman/5mghost-agent-skills"));
+    }
+    catch {
+        context.io.stdout("  (agent-skills SDK unavailable — skipping skill removal)");
+        return;
+    }
+    const manifestPath = findManifestPath();
+    if (!manifestPath) {
+        context.io.stdout("  (skills.manifest.json not found — skipping skill removal)");
+        return;
+    }
+    let agents;
+    try {
+        agents = listDetectedAgents();
+    }
+    catch {
+        context.io.stdout("  (could not detect AI clients — skipping skill removal)");
+        return;
+    }
+    if (!agents || agents.length === 0) {
+        context.io.stdout("  (no AI clients detected — skipping skill removal)");
+        return;
+    }
+    try {
+        const summary = removeSkills({ manifestPath, detectedAgents: agents });
+        const removed = summary.results.filter((r) => r.status === "removed");
+        if (removed.length > 0) {
+            const names = removed.map((r) => `${r.skill}@${r.agent}`).join(", ");
+            context.io.stdout(`  removed skills: ${names}`);
+        }
+        else {
+            context.io.stdout("  no wonder-owned skills found in detected AI clients");
+        }
+    }
+    catch (err) {
+        context.io.stdout(`  (skill removal failed: ${String(err)})`);
+    }
+}
+/**
+ * Resolve the package's `skills.manifest.json` from the compiled CLI.
+ * `dist/commands/uninstall.js` lives two levels below the package root.
+ */
+function findManifestPath() {
+    try {
+        const here = dirname(fileURLToPath(import.meta.url));
+        return resolve(here, "..", "..", "skills.manifest.json");
+    }
+    catch {
+        return null;
+    }
+}

package/dist/wecom/export.js

@@ -7,7 +7,7 @@
 //
 // All three document types (sheet/doc/slide) share this same flow.
 // URL parsing is in ./url.ts; cookie management is in ./cookies.ts (P1-03).
-import { writeFileSync, mkdirSync } from "fs";
+import { writeFileSync, mkdirSync, existsSync } from "fs";
 import { join } from "path";
 /** Error thrown by exportWecomDoc() */
 export class ExportError extends Error {
@@ -202,7 +202,8 @@ async function downloadExportedFile(fileUrl, fileName, saveDir) {
     catch (err) {
         throw new ExportError("write_error", `Failed to create save directory "${saveDir}": ${String(err)}`, err);
     }
-    const filePath = join(saveDir, fileName);
+    const safeName = sanitizeFilename(fileName);
+    const filePath = pickNonClobberingPath(saveDir, safeName);
     try {
         writeFileSync(filePath, Buffer.from(buffer));
     }
@@ -211,6 +212,43 @@ async function downloadExportedFile(fileUrl, fileName, saveDir) {
     }
     return { filePath, fileSizeBytes: buffer.byteLength };
 }
+/**
+ * Strip any directory components and disallow control characters. The upstream
+ * `fileName` is untrusted: a `../../etc/passwd` or `foo/bar.xlsx` value would
+ * otherwise escape `saveDir` via `path.join`. We keep it minimal — basename
+ * only, and drop control characters — rather than a full allow-list that
+ * would mangle Chinese titles.
+ */
+function sanitizeFilename(fileName) {
+    // Strip leading path segments; handles both POSIX and win32 separators.
+    let name = fileName.split(/[\\/]/).pop() ?? "";
+    // Drop control chars (0x00-0x1F, 0x7F).
+    // eslint-disable-next-line no-control-regex
+    name = name.replace(/[\x00-\x1f\x7f]/g, "");
+    name = name.trim();
+    if (name === "" || name === "." || name === "..") {
+        return "wecom-download";
+    }
+    return name;
+}
+/**
+ * Return `join(saveDir, name)` unless that exists, in which case append
+ * ` (2)`, ` (3)`, … before the extension. Never overwrites existing files.
+ */
+function pickNonClobberingPath(saveDir, name) {
+    const base = join(saveDir, name);
+    if (!existsSync(base))
+        return base;
+    const dotIdx = name.lastIndexOf(".");
+    const stem = dotIdx > 0 ? name.slice(0, dotIdx) : name;
+    const ext = dotIdx > 0 ? name.slice(dotIdx) : "";
+    for (let i = 2; i < 1000; i++) {
+        const candidate = join(saveDir, `${stem} (${i})${ext}`);
+        if (!existsSync(candidate))
+            return candidate;
+    }
+    return join(saveDir, `${stem} (${Date.now()})${ext}`);
+}
 // ---------------------------------------------------------------------------
 // Public API
 // ---------------------------------------------------------------------------

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mkterswingman/5mghost-wonder",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "description": "企微文档读取 CLI — WeCom document reader",
   "type": "module",
   "engines": {
@@ -25,7 +25,7 @@
   "scripts": {
     "build": "rm -rf dist && tsc && chmod +x dist/cli.js",
     "typecheck": "tsc --noEmit",
-    "test": "node dist/wecom/url.test.js",
+    "test": "node dist/wecom/url.test.js && node --test tests/sheet-parity.test.mjs && node --test tests/export-sanitize.test.mjs",
     "smoke": "npm run build && node dist/cli.js help > /dev/null",
     "postinstall": "node scripts/postinstall.mjs"
   },

package/skills/use-5mghost-wonder/SKILL.md

@@ -106,6 +106,28 @@ Read("/Users/<you>/Downloads/5mghost-wonder/media/image3.png")
 
 **Note:** Images are full-resolution originals (up to several MB each). Only load images the user specifically asks about.
 
+### Viewing visual layout (optional)
+
+Use when the cell JSON alone can't answer the question because the sheet's meaning comes from **visual structure** — not from the cell values themselves. Typical signals:
+
+- Gantt chart (date columns × task rows, coloured blocks across cell ranges)
+- Calendar (week grid with merged day cells or coloured categories)
+- Status board / roadmap (colour-coded cells indicating stage, owner, priority)
+- Large merge-to-cell ratio in the JSON (`merges.length` is a non-trivial fraction of `cells.length`)
+- User explicitly asks about "how it looks", "颜色", "排版", "这个图表", "这张表的结构"
+
+Do **not** run render for plain data tables, lookup sheets, or when the user just wants a value. The render costs ~30 s and ~10+ MB of PDF per file.
+
+Render the whole xlsx (one PDF page per tab, preserves layout, merges, fills, borders):
+
+```bash
+soffice --headless \
+  --convert-to 'pdf:calc_pdf_Export:{"SinglePageSheets":{"type":"boolean","value":"true"}}' \
+  --outdir /tmp/ <path-to-downloaded-xlsx>
+```
+
+Then use the Read tool on the generated PDF. Page N corresponds to the Nth tab in workbook order (same as `tabs[]` in the metadata output).
+
 ---
 
 ## docx Workflow (`doc/w3_`, `doc/e2_`)
@@ -221,6 +243,7 @@ for slide in prs.slides:
 | pptx slice crash | `prs.slides[:N]` → `AttributeError: 'list' object has no attribute 'rId'` | Use `for slide in prs.slides` |
 | Cookie expiry | Cookie valid for 7–30 days | Run `wonder wecom cookie` to refresh |
 | xlsx images are full-size | Original images can be up to 6 MB each | Only read images when user specifically needs them |
+| xlsx visual layout needs soffice | Gantt/calendar/coloured boards lose meaning in JSON alone | Run the optional soffice render step in the xlsx section; CLI does not auto-render |
 | smartpage unsupported | Export API returns 0% progress forever | Manual browser export |
 
 ---