@myclaude-cli/cli 0.3.0-alpha

package/dist/core/browser-auth.d.ts

@@ -0,0 +1,24 @@
+export interface BrowserAuthResult {
+    idToken: string;
+    refreshToken: string;
+    uid: string;
+    email: string;
+    username: string;
+    displayName: string;
+}
+/**
+ * Browser-based authentication flow (localhost callback).
+ *
+ * 1. Start HTTP server on 127.0.0.1:random-port
+ * 2. Open browser to myclaude.sh/cli/auth?port=PORT&state=STATE
+ * 3. User authenticates in browser (existing Firebase Auth)
+ * 4. Browser POSTs tokens to localhost:PORT/callback
+ * 5. Return tokens to caller
+ *
+ * Security:
+ * - Server binds to 127.0.0.1 only (no remote access)
+ * - Random state param prevents CSRF
+ * - Server shuts down after first successful callback
+ * - 5 minute timeout
+ */
+export declare function browserAuth(): Promise<BrowserAuthResult>;

package/dist/core/browser-auth.js

@@ -0,0 +1,155 @@
+import { createServer } from 'node:http';
+import { randomBytes } from 'node:crypto';
+import { exec } from 'node:child_process';
+import { platform } from 'node:os';
+import { getBaseUrl } from './api.js';
+const TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+/**
+ * Browser-based authentication flow (localhost callback).
+ *
+ * 1. Start HTTP server on 127.0.0.1:random-port
+ * 2. Open browser to myclaude.sh/cli/auth?port=PORT&state=STATE
+ * 3. User authenticates in browser (existing Firebase Auth)
+ * 4. Browser POSTs tokens to localhost:PORT/callback
+ * 5. Return tokens to caller
+ *
+ * Security:
+ * - Server binds to 127.0.0.1 only (no remote access)
+ * - Random state param prevents CSRF
+ * - Server shuts down after first successful callback
+ * - 5 minute timeout
+ */
+export async function browserAuth() {
+    const state = randomBytes(32).toString('hex');
+    return new Promise((resolve, reject) => {
+        let resolved = false;
+        const server = createServer((req, res) => {
+            // CORS preflight for browser POST
+            if (req.method === 'OPTIONS') {
+                res.setHeader('Access-Control-Allow-Origin', '*');
+                res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS');
+                res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
+                res.setHeader('Access-Control-Max-Age', '86400');
+                res.writeHead(204);
+                res.end();
+                return;
+            }
+            if (req.method === 'POST' && (req.url === '/callback' || req.url?.startsWith('/callback'))) {
+                let body = '';
+                req.on('data', (chunk) => { body += chunk.toString(); });
+                req.on('end', () => {
+                    try {
+                        // Support both JSON and form-urlencoded (form submit bypasses CORS)
+                        const contentType = req.headers['content-type'] || '';
+                        let data;
+                        if (contentType.includes('application/json')) {
+                            data = JSON.parse(body);
+                        }
+                        else {
+                            // Parse URL-encoded form data
+                            data = Object.fromEntries(new URLSearchParams(body));
+                        }
+                        // Verify state to prevent CSRF
+                        if (data.state !== state) {
+                            res.setHeader('Access-Control-Allow-Origin', '*');
+                            res.writeHead(403, { 'Content-Type': 'application/json' });
+                            res.end(JSON.stringify({ error: 'Invalid state parameter' }));
+                            return;
+                        }
+                        if (!data.idToken || !data.refreshToken || !data.uid) {
+                            res.setHeader('Access-Control-Allow-Origin', '*');
+                            res.writeHead(400, { 'Content-Type': 'application/json' });
+                            res.end(JSON.stringify({ error: 'Missing required token fields' }));
+                            return;
+                        }
+                        // Send success page
+                        res.setHeader('Access-Control-Allow-Origin', '*');
+                        res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8' });
+                        res.end(successPage());
+                        resolved = true;
+                        server.close();
+                        resolve({
+                            displayName: data.displayName || '',
+                            email: data.email || '',
+                            idToken: data.idToken,
+                            refreshToken: data.refreshToken,
+                            uid: data.uid,
+                            username: data.username || '',
+                        });
+                    }
+                    catch {
+                        res.setHeader('Access-Control-Allow-Origin', '*');
+                        res.writeHead(400, { 'Content-Type': 'application/json' });
+                        res.end(JSON.stringify({ error: 'Invalid request body' }));
+                    }
+                });
+                return;
+            }
+            res.writeHead(404);
+            res.end('Not found');
+        });
+        // Bind to localhost (use 'localhost' not '127.0.0.1' for browser CORS compat on Windows)
+        server.listen(0, 'localhost', () => {
+            const { port } = server.address();
+            const authUrl = `${getBaseUrl()}/cli/auth?port=${port}&state=${state}`;
+            openBrowser(authUrl);
+        });
+        // Timeout
+        const timer = setTimeout(() => {
+            if (!resolved) {
+                resolved = true;
+                server.close();
+                reject(new Error('Authentication timed out after 5 minutes. Run: myclaude login'));
+            }
+        }, TIMEOUT_MS);
+        server.on('close', () => clearTimeout(timer));
+        server.on('error', (err) => {
+            if (!resolved) {
+                resolved = true;
+                clearTimeout(timer);
+                reject(new Error(`Failed to start auth server: ${err.message}`));
+            }
+        });
+    });
+}
+function openBrowser(url) {
+    const os = platform();
+    let cmd;
+    if (os === 'win32') {
+        cmd = `start "" "${url}"`;
+    }
+    else if (os === 'darwin') {
+        cmd = `open "${url}"`;
+    }
+    else {
+        cmd = `xdg-open "${url}"`;
+    }
+    exec(cmd, (err) => {
+        if (err) {
+            // If browser can't open, show URL for manual copy
+            process.stderr.write(`\n  Open this URL in your browser:\n  ${url}\n\n`);
+        }
+    });
+}
+function successPage() {
+    return `<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <title>MyClaude CLI — Authenticated</title>
+  <style>
+    body { font-family: -apple-system, system-ui, sans-serif; display: flex; align-items: center; justify-content: center; min-height: 100vh; margin: 0; background: #0a0a0a; color: #e5e5e5; }
+    .card { text-align: center; padding: 3rem; border: 1px solid #333; border-radius: 12px; max-width: 400px; }
+    h1 { font-size: 1.5rem; margin-bottom: 0.5rem; color: #c4704b; }
+    p { color: #999; font-size: 0.9rem; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>Authenticated</h1>
+    <p>You can close this tab and return to your terminal.</p>
+  </div>
+</body>
+</html>`;
+}
+//# sourceMappingURL=browser-auth.js.map

package/dist/core/browser-auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"browser-auth.js","sourceRoot":"","sources":["../../src/core/browser-auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,YAAY,EAA4C,MAAM,WAAW,CAAA;AACjF,OAAO,EAAC,WAAW,EAAC,MAAM,aAAa,CAAA;AACvC,OAAO,EAAC,IAAI,EAAC,MAAM,oBAAoB,CAAA;AACvC,OAAO,EAAC,QAAQ,EAAC,MAAM,SAAS,CAAA;AAGhC,OAAO,EAAC,UAAU,EAAC,MAAM,UAAU,CAAA;AAWnC,MAAM,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAA,CAAC,YAAY;AAE7C;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW;IAC/B,MAAM,KAAK,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAE7C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,IAAI,QAAQ,GAAG,KAAK,CAAA;QAEpB,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,GAAoB,EAAE,GAAmB,EAAE,EAAE;YACxE,kCAAkC;YAClC,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC7B,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;gBACjD,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,eAAe,CAAC,CAAA;gBAC9D,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,cAAc,CAAC,CAAA;gBAC7D,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAA;gBAChD,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;gBAClB,GAAG,CAAC,GAAG,EAAE,CAAA;gBACT,OAAM;YACR,CAAC;YAED,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,WAAW,IAAI,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,WAAW,CAAC,CAAC,EAAE,CAAC;gBAC3F,IAAI,IAAI,GAAG,EAAE,CAAA;gBACb,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE,GAAG,IAAI,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAA,CAAC,CAAC,CAAC,CAAA;gBAC/D,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;oBACjB,IAAI,CAAC;wBACH,oEAAoE;wBACpE,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;wBACrD,IAAI,IAA4B,CAAA;wBAChC,IAAI,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;4BAC7C,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;wBACzB,CAAC;6BAAM,CAAC;4BACN,8BAA8B;4BAC9B,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC,CAAA;wBACtD,CAAC;wBAED,+BAA+B;wBAC/B,IAAI,IAAI,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;4BACzB,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;4BACjD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,kBAAkB,EAAC,CAAC,CAAA;4BACxD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAC,KAAK,EAAE,yBAAyB,EAAC,CAAC,CAAC,CAAA;4BAC3D,OAAM;wBACR,CAAC;wBAED,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;4BACrD,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;4BACjD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,kBAAkB,EAAC,CAAC,CAAA;4BACxD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAC,KAAK,EAAE,+BAA+B,EAAC,CAAC,CAAC,CAAA;4BACjE,OAAM;wBACR,CAAC;wBAED,oBAAoB;wBACpB,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;wBACjD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,0BAA0B,EAAC,CAAC,CAAA;wBAChE,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAA;wBAEtB,QAAQ,GAAG,IAAI,CAAA;wBACf,MAAM,CAAC,KAAK,EAAE,CAAA;wBACd,OAAO,CAAC;4BACN,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;4BACnC,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,EAAE;4BACvB,OAAO,EAAE,IAAI,CAAC,OAAO;4BACrB,YAAY,EAAE,IAAI,CAAC,YAAY;4BAC/B,GAAG,EAAE,IAAI,CAAC,GAAG;4BACb,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,EAAE;yBAC9B,CAAC,CAAA;oBACJ,CAAC;oBAAC,MAAM,CAAC;wBACP,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,GAAG,CAAC,CAAA;wBACjD,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAC,cAAc,EAAE,kBAAkB,EAAC,CAAC,CAAA;wBACxD,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAC,KAAK,EAAE,sBAAsB,EAAC,CAAC,CAAC,CAAA;oBAC1D,CAAC;gBACH,CAAC,CAAC,CAAA;gBACF,OAAM;YACR,CAAC;YAED,GAAG,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;YAClB,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAA;QACtB,CAAC,CAAC,CAAA;QAEF,yFAAyF;QACzF,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE;YACjC,MAAM,EAAC,IAAI,EAAC,GAAG,MAAM,CAAC,OAAO,EAAiB,CAAA;YAC9C,MAAM,OAAO,GAAG,GAAG,UAAU,EAAE,kBAAkB,IAAI,UAAU,KAAK,EAAE,CAAA;YAEtE,WAAW,CAAC,OAAO,CAAC,CAAA;QACtB,CAAC,CAAC,CAAA;QAEF,UAAU;QACV,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,IAAI,CAAA;gBACf,MAAM,CAAC,KAAK,EAAE,CAAA;gBACd,MAAM,CAAC,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC,CAAA;YACpF,CAAC;QACH,CAAC,EAAE,UAAU,CAAC,CAAA;QAEd,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAA;QAC7C,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,QAAQ,GAAG,IAAI,CAAA;gBACf,YAAY,CAAC,KAAK,CAAC,CAAA;gBACnB,MAAM,CAAC,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC,CAAA;YAClE,CAAC;QACH,CAAC,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,MAAM,EAAE,GAAG,QAAQ,EAAE,CAAA;IACrB,IAAI,GAAW,CAAA;IACf,IAAI,EAAE,KAAK,OAAO,EAAE,CAAC;QACnB,GAAG,GAAG,aAAa,GAAG,GAAG,CAAA;IAC3B,CAAC;SAAM,IAAI,EAAE,KAAK,QAAQ,EAAE,CAAC;QAC3B,GAAG,GAAG,SAAS,GAAG,GAAG,CAAA;IACvB,CAAC;SAAM,CAAC;QACN,GAAG,GAAG,aAAa,GAAG,GAAG,CAAA;IAC3B,CAAC;IAED,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE;QAChB,IAAI,GAAG,EAAE,CAAC;YACR,kDAAkD;YAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,GAAG,MAAM,CAAC,CAAA;QAC1E,CAAC;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,WAAW;IAClB,OAAO;;;;;;;;;;;;;;;;;;QAkBD,CAAA;AACR,CAAC"}

package/dist/core/install.d.ts

@@ -0,0 +1,24 @@
+export interface InstallResult {
+    slug: string;
+    version: string;
+    type: string;
+    location: string;
+    checksum: string;
+}
+export declare function validateSlug(slug: string): void;
+/**
+ * Download and install a product from the MyClaude marketplace.
+ *
+ * Security defenses:
+ * - Slug validated with regex (no path traversal)
+ * - fileName from server validated (no path separators)
+ * - Download URL must be HTTPS
+ * - Download size capped at 50 MB
+ * - Product type validated against known set
+ * - Zip paths validated + resolved path must stay within target
+ * - Rollback: temp dir cleaned on failure
+ */
+export declare function installProduct(productId: string, slug: string, type: string, price: number, options?: {
+    force?: boolean;
+    global?: boolean;
+}): Promise<InstallResult>;

package/dist/core/install.js

@@ -0,0 +1,191 @@
+import { createHash } from 'node:crypto';
+import { existsSync, mkdirSync, rmSync, writeFileSync } from 'node:fs';
+import { dirname, join, posix, resolve, sep } from 'node:path';
+import { apiPost } from './api.js';
+import { addEntry } from './lockfile.js';
+import { getInstallPath } from './paths.js';
+// Validate slug: lowercase alphanumeric + hyphens only
+const SLUG_RE = /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]$/;
+// Validate fileName from server: no path separators, no traversal
+const SAFE_FILENAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9._-]*$/;
+// Allowed download URL prefixes (R2 + Firebase Storage)
+const ALLOWED_DOWNLOAD_PREFIXES = [
+    'https://', // All HTTPS origins are accepted for signed URLs
+];
+// Maximum download size: 50 MB
+const MAX_DOWNLOAD_BYTES = 50 * 1024 * 1024;
+// Valid product types from the marketplace
+const VALID_TYPES = new Set([
+    'skills', 'squads', 'agents', 'workflows', 'design-systems',
+    'claude-md', 'prompts', 'applications', 'systems',
+]);
+export function validateSlug(slug) {
+    if (!slug || slug.length > 128) {
+        throw new Error(`Invalid product slug: too ${slug ? 'long' : 'short'}`);
+    }
+    if (!SLUG_RE.test(slug)) {
+        throw new Error(`Invalid product slug "${slug}". Slugs must be lowercase alphanumeric with hyphens.`);
+    }
+    if (slug.includes('--') || slug.includes('..')) {
+        throw new Error(`Invalid product slug "${slug}". Contains invalid sequence.`);
+    }
+}
+function validateFileName(name) {
+    if (!name || !SAFE_FILENAME_RE.test(name) || name.includes('..') || name.length > 255) {
+        throw new Error(`Invalid file name from server: "${name}"`);
+    }
+}
+function validateDownloadUrl(url) {
+    if (!url || !url.startsWith('https://')) {
+        throw new Error(`Security: download URL must be HTTPS. Got: ${url?.slice(0, 50)}`);
+    }
+}
+function validateType(type) {
+    if (!VALID_TYPES.has(type)) {
+        throw new Error(`Unknown product type: "${type}"`);
+    }
+}
+/**
+ * Download and install a product from the MyClaude marketplace.
+ *
+ * Security defenses:
+ * - Slug validated with regex (no path traversal)
+ * - fileName from server validated (no path separators)
+ * - Download URL must be HTTPS
+ * - Download size capped at 50 MB
+ * - Product type validated against known set
+ * - Zip paths validated + resolved path must stay within target
+ * - Rollback: temp dir cleaned on failure
+ */
+export async function installProduct(productId, slug, type, price, options = {}) {
+    validateSlug(slug);
+    validateType(type);
+    // Get signed download URL
+    const downloadRes = await apiPost('/api/products/download', { productId }, { auth: true });
+    if (!downloadRes.ok) {
+        const err = await downloadRes.json().catch(() => ({}));
+        if (downloadRes.status === 403) {
+            throw new Error('Purchase required. Paid product install available in Beta.');
+        }
+        throw new Error(err.error || `Download failed: ${downloadRes.status}`);
+    }
+    const { url, fileName } = await downloadRes.json();
+    validateDownloadUrl(url);
+    validateFileName(fileName);
+    // Download the file
+    const fileRes = await fetch(url);
+    if (!fileRes.ok || !fileRes.body) {
+        throw new Error(`File download failed: ${fileRes.status}`);
+    }
+    // Check Content-Length before downloading
+    const contentLength = Number(fileRes.headers.get('content-length') || 0);
+    if (contentLength > MAX_DOWNLOAD_BYTES) {
+        throw new Error(`File too large: ${(contentLength / 1024 / 1024).toFixed(1)} MB (max 50 MB)`);
+    }
+    // Determine install location
+    const location = getInstallPath(slug, type, options.global || false);
+    const isZip = fileName.endsWith('.zip');
+    const isClaude = type === 'claude-md';
+    // Download to buffer, compute checksum (with size guard)
+    const chunks = [];
+    let totalBytes = 0;
+    const reader = fileRes.body.getReader();
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        totalBytes += value.byteLength;
+        if (totalBytes > MAX_DOWNLOAD_BYTES) {
+            throw new Error(`File too large: exceeded 50 MB limit during download`);
+        }
+        chunks.push(Buffer.from(value));
+    }
+    const fileBuffer = Buffer.concat(chunks);
+    const checksum = 'sha256:' + createHash('sha256').update(fileBuffer).digest('hex');
+    // Create target directory (clean first if --force)
+    try {
+        if (isClaude) {
+            mkdirSync(dirname(location), { recursive: true });
+        }
+        else {
+            if (options.force && existsSync(location)) {
+                rmSync(location, { force: true, recursive: true });
+            }
+            mkdirSync(location, { recursive: true });
+        }
+        if (isZip) {
+            const extractTarget = isClaude ? dirname(location) : location;
+            await extractZip(fileBuffer, extractTarget);
+        }
+        else if (isClaude) {
+            writeFileSync(location, fileBuffer);
+        }
+        else {
+            writeFileSync(join(location, fileName), fileBuffer);
+        }
+    }
+    catch (error) {
+        // Rollback: clean up partially created directory on failure
+        if (!isClaude && existsSync(location)) {
+            try {
+                rmSync(location, { force: true, recursive: true });
+            }
+            catch { /* best effort */ }
+        }
+        throw error;
+    }
+    const version = '1.0.0'; // Alpha placeholder — version from product metadata in Beta
+    addEntry(slug, {
+        checksum,
+        installedAt: new Date().toISOString(),
+        location,
+        paid: price > 0,
+        productId,
+        type,
+        version,
+    });
+    return { checksum, location, slug, type, version };
+}
+/**
+ * Extract zip contents with security validation (DC23).
+ * Defense in depth:
+ * 1. Reject paths with "..", absolute paths, >255 chars
+ * 2. Resolve final path and verify it stays within targetDir
+ * 3. Reject UNC paths (Windows \\server\share)
+ */
+async function extractZip(buffer, targetDir) {
+    const { default: JSZip } = await import('jszip');
+    const zip = await JSZip.loadAsync(buffer);
+    const resolvedTarget = resolve(targetDir);
+    for (const [entryPath, entry] of Object.entries(zip.files)) {
+        validateZipPath(entryPath);
+        // Canonical zip-slip defense: resolve and verify containment
+        const fullPath = resolve(join(targetDir, entryPath));
+        if (!fullPath.startsWith(resolvedTarget + sep) && fullPath !== resolvedTarget) {
+            throw new Error(`Security: resolved path escapes target directory: ${entryPath}`);
+        }
+        if (entry.dir) {
+            mkdirSync(fullPath, { recursive: true });
+            continue;
+        }
+        mkdirSync(dirname(fullPath), { recursive: true });
+        const content = await entry.async('nodebuffer');
+        writeFileSync(fullPath, content);
+    }
+}
+function validateZipPath(entryPath) {
+    if (!entryPath || entryPath.trim() === '') {
+        throw new Error('Invalid zip: empty file path');
+    }
+    if (entryPath.includes('..')) {
+        throw new Error(`Security: zip contains path traversal: ${entryPath}`);
+    }
+    // Reject absolute paths: Unix, Windows drive, UNC
+    if (posix.isAbsolute(entryPath) || /^[A-Za-z]:/.test(entryPath) || entryPath.startsWith('\\\\')) {
+        throw new Error(`Security: zip contains absolute path: ${entryPath}`);
+    }
+    if (entryPath.length > 255) {
+        throw new Error(`Security: zip path exceeds 255 characters: ${entryPath.slice(0, 50)}...`);
+    }
+}
+//# sourceMappingURL=install.js.map

package/dist/core/install.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/core/install.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,UAAU,EAAC,MAAM,aAAa,CAAA;AACtC,OAAO,EAAC,UAAU,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAC,MAAM,SAAS,CAAA;AACpE,OAAO,EAAC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAC,MAAM,WAAW,CAAA;AAE5D,OAAO,EAAC,OAAO,EAAC,MAAM,UAAU,CAAA;AAChC,OAAO,EAAC,QAAQ,EAAC,MAAM,eAAe,CAAA;AACtC,OAAO,EAAC,cAAc,EAAC,MAAM,YAAY,CAAA;AAUzC,uDAAuD;AACvD,MAAM,OAAO,GAAG,yCAAyC,CAAA;AAEzD,kEAAkE;AAClE,MAAM,gBAAgB,GAAG,8BAA8B,CAAA;AAEvD,wDAAwD;AACxD,MAAM,yBAAyB,GAAG;IAChC,UAAU,EAAG,iDAAiD;CAC/D,CAAA;AAED,+BAA+B;AAC/B,MAAM,kBAAkB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAA;AAE3C,2CAA2C;AAC3C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,gBAAgB;IAC3D,WAAW,EAAE,SAAS,EAAE,cAAc,EAAE,SAAS;CAClD,CAAC,CAAA;AAEF,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAA;IACzE,CAAC;IAED,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,yBAAyB,IAAI,uDAAuD,CACrF,CAAA;IACH,CAAC;IAED,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,+BAA+B,CAAC,CAAA;IAC/E,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,IAAI,CAAC,IAAI,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACtF,MAAM,IAAI,KAAK,CAAC,mCAAmC,IAAI,GAAG,CAAC,CAAA;IAC7D,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW;IACtC,IAAI,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,8CAA8C,GAAG,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAA;IACpF,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,IAAY;IAChC,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,0BAA0B,IAAI,GAAG,CAAC,CAAA;IACpD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,SAAiB,EACjB,IAAY,EACZ,IAAY,EACZ,KAAa,EACb,UAA+C,EAAE;IAEjD,YAAY,CAAC,IAAI,CAAC,CAAA;IAClB,YAAY,CAAC,IAAI,CAAC,CAAA;IAElB,0BAA0B;IAC1B,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,wBAAwB,EAAE,EAAC,SAAS,EAAC,EAAE,EAAC,IAAI,EAAE,IAAI,EAAC,CAAC,CAAA;IAEtF,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAA2B,CAAA;QAChF,IAAI,WAAW,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;QAC/E,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,KAAK,IAAI,oBAAoB,WAAW,CAAC,MAAM,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,MAAM,EAAC,GAAG,EAAE,QAAQ,EAAC,GAAG,MAAM,WAAW,CAAC,IAAI,EAAqC,CAAA;IACnF,mBAAmB,CAAC,GAAG,CAAC,CAAA;IACxB,gBAAgB,CAAC,QAAQ,CAAC,CAAA;IAE1B,oBAAoB;IACpB,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAA;IAChC,IAAI,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,yBAAyB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAA;IAC5D,CAAC;IAED,0CAA0C;IAC1C,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAA;IACxE,IAAI,aAAa,GAAG,kBAAkB,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,aAAa,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAA;IAC/F,CAAC;IAED,6BAA6B;IAC7B,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAA;IACpE,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;IACvC,MAAM,QAAQ,GAAG,IAAI,KAAK,WAAW,CAAA;IAErC,yDAAyD;IACzD,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,IAAI,UAAU,GAAG,CAAC,CAAA;IAClB,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,CAAA;IACvC,OAAO,IAAI,EAAE,CAAC;QACZ,MAAM,EAAC,IAAI,EAAE,KAAK,EAAC,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAA;QACzC,IAAI,IAAI;YAAE,MAAK;QACf,UAAU,IAAI,KAAK,CAAC,UAAU,CAAA;QAC9B,IAAI,UAAU,GAAG,kBAAkB,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAA;QACzE,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAA;IACjC,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;IACxC,MAAM,QAAQ,GAAG,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IAElF,mDAAmD;IACnD,IAAI,CAAC;QACH,IAAI,QAAQ,EAAE,CAAC;YACb,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAC,SAAS,EAAE,IAAI,EAAC,CAAC,CAAA;QACjD,CAAC;aAAM,CAAC;YACN,IAAI,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC1C,MAAM,CAAC,QAAQ,EAAE,EAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAC,CAAC,CAAA;YAClD,CAAC;YAED,SAAS,CAAC,QAAQ,EAAE,EAAC,SAAS,EAAE,IAAI,EAAC,CAAC,CAAA;QACxC,CAAC;QAED,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,aAAa,GAAG,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAA;YAC7D,MAAM,UAAU,CAAC,UAAU,EAAE,aAAa,CAAC,CAAA;QAC7C,CAAC;aAAM,IAAI,QAAQ,EAAE,CAAC;YACpB,aAAa,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;QACrC,CAAC;aAAM,CAAC;YACN,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,QAAQ,CAAC,EAAE,UAAU,CAAC,CAAA;QACrD,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,4DAA4D;QAC5D,IAAI,CAAC,QAAQ,IAAI,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YACtC,IAAI,CAAC;gBAAC,MAAM,CAAC,QAAQ,EAAE,EAAC,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAC,CAAC,CAAA;YAAC,CAAC;YAAC,MAAM,CAAC,CAAC,iBAAiB,CAAC,CAAC;QACtF,CAAC;QAED,MAAM,KAAK,CAAA;IACb,CAAC;IAED,MAAM,OAAO,GAAG,OAAO,CAAA,CAAC,4DAA4D;IACpF,QAAQ,CAAC,IAAI,EAAE;QACb,QAAQ;QACR,WAAW,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACrC,QAAQ;QACR,IAAI,EAAE,KAAK,GAAG,CAAC;QACf,SAAS;QACT,IAAI;QACJ,OAAO;KACR,CAAC,CAAA;IAEF,OAAO,EAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAC,CAAA;AAClD,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,UAAU,CAAC,MAAc,EAAE,SAAiB;IACzD,MAAM,EAAC,OAAO,EAAE,KAAK,EAAC,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,CAAA;IAC9C,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IACzC,MAAM,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC,CAAA;IAEzC,KAAK,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3D,eAAe,CAAC,SAAS,CAAC,CAAA;QAE1B,6DAA6D;QAC7D,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAA;QACpD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,cAAc,GAAG,GAAG,CAAC,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;YAC9E,MAAM,IAAI,KAAK,CAAC,qDAAqD,SAAS,EAAE,CAAC,CAAA;QACnF,CAAC;QAED,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YACd,SAAS,CAAC,QAAQ,EAAE,EAAC,SAAS,EAAE,IAAI,EAAC,CAAC,CAAA;YACtC,SAAQ;QACV,CAAC;QAED,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAC,SAAS,EAAE,IAAI,EAAC,CAAC,CAAA;QAC/C,MAAM,OAAO,GAAG,MAAM,KAAK,CAAC,KAAK,CAAC,YAAY,CAAC,CAAA;QAC/C,aAAa,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IAClC,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,SAAiB;IACxC,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAA;IACjD,CAAC;IAED,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,0CAA0C,SAAS,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,kDAAkD;IAClD,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,SAAS,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAChG,MAAM,IAAI,KAAK,CAAC,yCAAyC,SAAS,EAAE,CAAC,CAAA;IACvE,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,8CAA8C,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAA;IAC5F,CAAC;AACH,CAAC"}

package/dist/core/lockfile.d.ts

@@ -0,0 +1,18 @@
+export interface LockfileEntry {
+    version: string;
+    type: string;
+    productId: string;
+    location: string;
+    checksum: string;
+    installedAt: string;
+    paid: boolean;
+}
+export interface Lockfile {
+    lockfileVersion: number;
+    installed: Record<string, LockfileEntry>;
+}
+export declare function readLockfile(): Lockfile;
+export declare function writeLockfile(lockfile: Lockfile): void;
+export declare function isInstalled(slug: string): LockfileEntry | null;
+export declare function addEntry(slug: string, entry: LockfileEntry): void;
+export declare function removeEntry(slug: string): boolean;

package/dist/core/lockfile.js

@@ -0,0 +1,41 @@
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+const LOCKFILE_NAME = 'myclaude-lock.json';
+function getLockfilePath() {
+    return join(process.cwd(), LOCKFILE_NAME);
+}
+export function readLockfile() {
+    const path = getLockfilePath();
+    try {
+        if (!existsSync(path)) {
+            return { installed: {}, lockfileVersion: 1 };
+        }
+        const raw = readFileSync(path, 'utf-8');
+        return JSON.parse(raw);
+    }
+    catch {
+        return { installed: {}, lockfileVersion: 1 };
+    }
+}
+export function writeLockfile(lockfile) {
+    const path = getLockfilePath();
+    writeFileSync(path, JSON.stringify(lockfile, null, 2) + '\n');
+}
+export function isInstalled(slug) {
+    const lockfile = readLockfile();
+    return lockfile.installed[slug] || null;
+}
+export function addEntry(slug, entry) {
+    const lockfile = readLockfile();
+    lockfile.installed[slug] = entry;
+    writeLockfile(lockfile);
+}
+export function removeEntry(slug) {
+    const lockfile = readLockfile();
+    if (!lockfile.installed[slug])
+        return false;
+    delete lockfile.installed[slug];
+    writeLockfile(lockfile);
+    return true;
+}
+//# sourceMappingURL=lockfile.js.map

package/dist/core/lockfile.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lockfile.js","sourceRoot":"","sources":["../../src/core/lockfile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,UAAU,EAAE,YAAY,EAAE,aAAa,EAAC,MAAM,SAAS,CAAA;AAC/D,OAAO,EAAC,IAAI,EAAC,MAAM,WAAW,CAAA;AAiB9B,MAAM,aAAa,GAAG,oBAAoB,CAAA;AAE1C,SAAS,eAAe;IACtB,OAAO,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC,CAAA;AAC3C,CAAC;AAED,MAAM,UAAU,YAAY;IAC1B,MAAM,IAAI,GAAG,eAAe,EAAE,CAAA;IAC9B,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,EAAC,SAAS,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,EAAC,CAAA;QAC5C,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QACvC,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAA;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAC,SAAS,EAAE,EAAE,EAAE,eAAe,EAAE,CAAC,EAAC,CAAA;IAC5C,CAAC;AACH,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,QAAkB;IAC9C,MAAM,IAAI,GAAG,eAAe,EAAE,CAAA;IAC9B,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;AAC/D,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,QAAQ,GAAG,YAAY,EAAE,CAAA;IAC/B,OAAO,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,IAAI,CAAA;AACzC,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,IAAY,EAAE,KAAoB;IACzD,MAAM,QAAQ,GAAG,YAAY,EAAE,CAAA;IAC/B,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,KAAK,CAAA;IAChC,aAAa,CAAC,QAAQ,CAAC,CAAA;AACzB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,MAAM,QAAQ,GAAG,YAAY,EAAE,CAAA;IAC/B,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAA;IAC3C,OAAO,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;IAC/B,aAAa,CAAC,QAAQ,CAAC,CAAA;IACvB,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/core/manifest.d.ts

@@ -0,0 +1,41 @@
+/**
+ * vault.yaml manifest parser and validator.
+ * Source of truth for CLI publishing (DC11).
+ */
+declare const VALID_TYPES: readonly ["skill", "agent", "squad", "workflow", "design-system", "claude-md", "prompt", "application", "system"];
+type ProductType = typeof VALID_TYPES[number];
+export interface Manifest {
+    name: string;
+    version: string;
+    type: ProductType;
+    description: string;
+    price: number;
+    license: string;
+    tags: string[];
+    entry: string;
+    readme: string;
+    category: string;
+    displayName: string;
+    mcsLevel: number;
+    language: string;
+    longDescription: string;
+    installTarget: string;
+    compatibility: {
+        claudeCode: string;
+    };
+    dependencies: {
+        myclaude: string[];
+    };
+}
+export interface ValidationIssue {
+    field: string;
+    message: string;
+    blocker: boolean;
+}
+export declare function readManifest(dir?: string): {
+    manifest: Manifest | null;
+    issues: ValidationIssue[];
+};
+/** Read README.md contents for marketplace listing */
+export declare function readReadmeContents(dir?: string, readmePath?: string): string;
+export {};