@omnidev-ai/core 0.11.0 → 0.12.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@omnidev-ai/core",
-  "version": "0.11.0",
+  "version": "0.12.0",
   "type": "module",
   "license": "MIT",
   "repository": {

package/src/capability/loader.ts

@@ -71,17 +71,35 @@ export async function loadCapabilityConfig(capabilityPath: string): Promise<Capa
 }
 
 /**
- * Dynamically imports capability exports from index.ts.
- * Returns an empty object if index.ts doesn't exist.
+ * Dynamically imports capability exports.
+ * Checks for built output (dist/index.js) first, then falls back to index.js or index.ts.
+ * Returns an empty object if no entry point exists.
  *
  * @param capabilityPath - Path to the capability directory
  * @returns Exported module or empty object
  * @throws Error if import fails
  */
 async function importCapabilityExports(capabilityPath: string): Promise<Record<string, unknown>> {
-	const indexPath = join(capabilityPath, "index.ts");
+	// Check for entry points in order of preference:
+	// 1. Built output (dist/index.js) - compiled TypeScript
+	// 2. Plain JavaScript (index.js)
+	// 3. TypeScript source (index.ts) - only works with TypeScript-aware runtimes
+	const builtIndexPath = join(capabilityPath, "dist", "index.js");
+	const jsIndexPath = join(capabilityPath, "index.js");
+	const tsIndexPath = join(capabilityPath, "index.ts");
+
+	let indexPath: string | null = null;
+
+	if (existsSync(builtIndexPath)) {
+		indexPath = builtIndexPath;
+	} else if (existsSync(jsIndexPath)) {
+		indexPath = jsIndexPath;
+	} else if (existsSync(tsIndexPath)) {
+		// TypeScript file exists but no built output - this will likely fail with Node.js
+		indexPath = tsIndexPath;
+	}
 
-	if (!existsSync(indexPath)) {
+	if (!indexPath) {
 		return {};
 	}
 
@@ -95,6 +113,16 @@ async function importCapabilityExports(capabilityPath: string): Promise<Record<s
 		if (errorMessage.includes("Cannot find module")) {
 			const match = errorMessage.match(/Cannot find module '([^']+)'/);
 			const missingModule = match ? match[1] : "unknown";
+
+			// Check if this is a TypeScript resolution issue
+			if (indexPath === tsIndexPath && missingModule?.endsWith(".js")) {
+				throw new Error(
+					`Capability at ${capabilityPath} has TypeScript files but no built output.\n` +
+						`Add a "build" script to package.json (e.g., "build": "tsc") and run it to compile TypeScript.\n` +
+						`The build output should be in dist/index.js.`,
+				);
+			}
+
 			throw new Error(
 				`Missing dependency '${missingModule}' for capability at ${capabilityPath}.\n` +
 					`If this is a project-specific capability, install dependencies or remove it from .omni/capabilities/`,

package/src/capability/sources.ts

@@ -20,8 +20,10 @@ import type {
 	FileCapabilitySourceConfig,
 	GitCapabilitySourceConfig,
 	OmniConfig,
+	VersionSource,
 } from "../types/index.js";
 import { isFileSourceConfig } from "../types/index.js";
+import { createHash } from "node:crypto";
 
 // Local path for .omni directory
 const OMNI_LOCAL = ".omni";
@@ -42,8 +44,12 @@ export interface FetchResult {
 	id: string;
 	path: string;
 	version: string;
+	/** Source where version was detected from */
+	versionSource: VersionSource;
 	/** Git commit hash */
 	commit?: string;
+	/** Content hash for file sources (SHA-256) */
+	contentHash?: string;
 	updated: boolean;
 	wrapped: boolean;
 }
@@ -243,12 +249,18 @@ function stringifyLockFile(lockFile: CapabilitiesLockFile): string {
 		lines.push(`[capabilities.${id}]`);
 		lines.push(`source = "${entry.source}"`);
 		lines.push(`version = "${entry.version}"`);
+		if (entry.version_source) {
+			lines.push(`version_source = "${entry.version_source}"`);
+		}
 		if (entry.commit) {
 			lines.push(`commit = "${entry.commit}"`);
 		}
 		if (entry.ref) {
 			lines.push(`ref = "${entry.ref}"`);
 		}
+		if (entry.content_hash) {
+			lines.push(`content_hash = "${entry.content_hash}"`);
+		}
 		lines.push(`updated_at = "${entry.updated_at}"`);
 		lines.push("");
 	}
@@ -294,6 +306,150 @@ function shortCommit(commit: string): string {
 	return commit.substring(0, 7);
 }
 
+/**
+ * Get short content hash (12 chars)
+ */
+function shortContentHash(hash: string): string {
+	return hash.substring(0, 12);
+}
+
+/**
+ * Default patterns to exclude from content hashing
+ */
+const CONTENT_HASH_EXCLUDES = [
+	".git",
+	"node_modules",
+	".omni",
+	"__pycache__",
+	".pytest_cache",
+	".mypy_cache",
+	"dist",
+	"build",
+	".DS_Store",
+	"Thumbs.db",
+];
+
+/**
+ * Compute a stable SHA-256 content hash for a directory.
+ * Files are processed in sorted order to ensure deterministic output.
+ * Excludes common non-semantic artifacts (.git, node_modules, etc.)
+ */
+export async function computeContentHash(
+	dirPath: string,
+	excludePatterns: string[] = CONTENT_HASH_EXCLUDES,
+): Promise<string> {
+	const hash = createHash("sha256");
+	const files: Array<{ relativePath: string; content: Buffer }> = [];
+
+	async function collectFiles(currentPath: string, relativeTo: string): Promise<void> {
+		const entries = await readdir(currentPath, { withFileTypes: true });
+		// Sort entries for deterministic ordering
+		entries.sort((a, b) => a.name.localeCompare(b.name));
+
+		for (const entry of entries) {
+			const fullPath = join(currentPath, entry.name);
+			const relativePath = fullPath.slice(relativeTo.length + 1);
+
+			// Skip excluded patterns
+			if (
+				excludePatterns.some(
+					(pattern) => entry.name === pattern || relativePath.startsWith(`${pattern}/`),
+				)
+			) {
+				continue;
+			}
+
+			if (entry.isDirectory()) {
+				await collectFiles(fullPath, relativeTo);
+			} else if (entry.isFile()) {
+				const content = await readFile(fullPath);
+				files.push({ relativePath, content });
+			}
+			// Skip symlinks for security
+		}
+	}
+
+	await collectFiles(dirPath, dirPath);
+
+	// Sort files by path and hash them
+	files.sort((a, b) => a.relativePath.localeCompare(b.relativePath));
+	for (const file of files) {
+		// Include both path and content in hash for integrity
+		hash.update(file.relativePath);
+		hash.update(file.content);
+	}
+
+	return hash.digest("hex");
+}
+
+/**
+ * Result of version detection
+ */
+export interface VersionDetectionResult {
+	version: string;
+	source: VersionSource;
+}
+
+/**
+ * Detect the display version for a capability directory.
+ * Checks in order: capability.toml > plugin.json > package.json > fallback
+ *
+ * @param dirPath - Path to the capability directory
+ * @param fallback - Fallback version if no source is found (e.g., commit hash or content hash)
+ * @param fallbackSource - Source type for the fallback
+ */
+export async function detectDisplayVersion(
+	dirPath: string,
+	fallback: string,
+	fallbackSource: VersionSource,
+): Promise<VersionDetectionResult> {
+	// 1. Check capability.toml
+	const capTomlPath = join(dirPath, "capability.toml");
+	if (existsSync(capTomlPath)) {
+		try {
+			const content = await readFile(capTomlPath, "utf-8");
+			const parsed = parseToml(content) as Record<string, unknown>;
+			const capability = parsed["capability"] as Record<string, unknown> | undefined;
+			if (capability?.["version"] && typeof capability["version"] === "string") {
+				return { version: capability["version"], source: "capability.toml" };
+			}
+		} catch {
+			// Continue to next source
+		}
+	}
+
+	// 2. Check .claude-plugin/plugin.json
+	const pluginJsonPath = join(dirPath, ".claude-plugin", "plugin.json");
+	if (existsSync(pluginJsonPath)) {
+		try {
+			const content = await readFile(pluginJsonPath, "utf-8");
+			const parsed = JSON.parse(content);
+			if (parsed.version && typeof parsed.version === "string") {
+				return { version: parsed.version, source: "plugin.json" };
+			}
+		} catch {
+			// Continue to next source
+		}
+	}
+
+	// 3. Check package.json
+	const pkgJsonPath = join(dirPath, "package.json");
+	if (existsSync(pkgJsonPath)) {
+		try {
+			const content = await readFile(pkgJsonPath, "utf-8");
+			const parsed = JSON.parse(content);
+			if (parsed.version && typeof parsed.version === "string") {
+				return { version: parsed.version, source: "package.json" };
+			}
+		} catch {
+			// Continue to fallback
+		}
+	}
+
+	// 4. Fallback to commit hash (git) or content hash (file)
+	return { version: fallback, source: fallbackSource };
+}
+
 /**
  * Clone a git repository
  */
@@ -728,15 +884,9 @@ async function fetchGitCapabilitySource(
 
 		// Check if already cloned to temp
 		if (existsSync(join(tempPath, ".git"))) {
-			if (!options?.silent) {
-				console.log(`  Checking ${id}...`);
-			}
 			updated = await fetchRepo(tempPath, config.ref);
 			commit = await getRepoCommit(tempPath);
 		} else {
-			if (!options?.silent) {
-				console.log(`  Cloning ${id} from ${config.source}...`);
-			}
 			await mkdir(join(tempPath, ".."), { recursive: true });
 			await cloneRepo(gitUrl, tempPath, config.ref);
 			commit = await getRepoCommit(tempPath);
@@ -756,6 +906,9 @@ async function fetchGitCapabilitySource(
 		await mkdir(join(targetPath, ".."), { recursive: true });
 		await cp(sourcePath, targetPath, { recursive: true });
 
+		// Clean up temp directory after successful copy
+		await rm(tempPath, { recursive: true });
+
 		repoPath = targetPath;
 	} else {
 		// Clone directly to target (no subdirectory)
@@ -802,24 +955,15 @@ async function fetchGitCapabilitySource(
 		}
 	}
 
-	// Get version from capability.toml or package.json
-	let version = shortCommit(commit);
-	const pkgJsonPath = join(repoPath, "package.json");
-	if (existsSync(pkgJsonPath)) {
-		try {
-			const pkgJson = JSON.parse(await readFile(pkgJsonPath, "utf-8"));
-			if (pkgJson.version) {
-				version = pkgJson.version;
-			}
-		} catch {
-			// Ignore parse errors
-		}
-	}
+	// Detect version using unified version detection
+	// Fallback to short commit hash for git sources
+	const versionResult = await detectDisplayVersion(repoPath, shortCommit(commit), "commit");
 
 	return {
 		id,
 		path: targetPath,
-		version,
+		version: versionResult.version,
+		versionSource: versionResult.source,
 		commit,
 		updated,
 		wrapped: needsWrap,
@@ -828,6 +972,7 @@ async function fetchGitCapabilitySource(
 
 /**
  * Fetch a file-sourced capability (copy from local path)
+ * Supports wrapping directories without capability.toml if they have skills/agents/etc.
  */
 async function fetchFileCapabilitySource(
 	id: string,
@@ -848,9 +993,20 @@ async function fetchFileCapabilitySource(
 		throw new Error(`File source must be a directory: ${sourcePath}`);
 	}
 
-	// Check if capability.toml exists in source
-	if (!existsSync(join(sourcePath, "capability.toml"))) {
-		throw new Error(`No capability.toml found in: ${sourcePath}`);
+	// Compute content hash for the source (before copy, for reproducibility)
+	const contentHash = await computeContentHash(sourcePath);
+
+	// Check if we need to wrap (no capability.toml but has content)
+	const hasCapToml = existsSync(join(sourcePath, "capability.toml"));
+	let needsWrap = false;
+
+	if (!hasCapToml) {
+		needsWrap = await shouldWrapDirectory(sourcePath);
+		if (!needsWrap) {
+			throw new Error(
+				`No capability.toml found in: ${sourcePath} (and no wrappable content detected)`,
+			);
+		}
 	}
 
 	if (!options?.silent) {
@@ -868,31 +1024,124 @@ async function fetchFileCapabilitySource(
 	// Copy directory contents
 	await cp(sourcePath, targetPath, { recursive: true });
 
-	// Read version from capability.toml
-	let version = "local";
-	const capTomlPath = join(targetPath, "capability.toml");
-	if (existsSync(capTomlPath)) {
-		try {
-			const content = await readFile(capTomlPath, "utf-8");
-			const parsed = parseToml(content) as Record<string, unknown>;
-			const capability = parsed["capability"] as Record<string, unknown> | undefined;
-			if (capability?.["version"] && typeof capability["version"] === "string") {
-				version = capability["version"];
+	// If needs wrapping, generate capability.toml in target (not source)
+	if (needsWrap) {
+		// Normalize folder names (singular -> plural)
+		await normalizeFolderNames(targetPath);
+
+		// Discover content and generate capability.toml
+		const content = await discoverContent(targetPath);
+		await generateFileSourceCapabilityToml(
+			id,
+			config.source,
+			shortContentHash(contentHash),
+			content,
+			targetPath,
+		);
+
+		if (!options?.silent) {
+			const parts: string[] = [];
+			if (content.skills.length > 0) parts.push(`${content.skills.length} skills`);
+			if (content.agents.length > 0) parts.push(`${content.agents.length} agents`);
+			if (content.commands.length > 0) parts.push(`${content.commands.length} commands`);
+			if (parts.length > 0) {
+				console.log(`    Wrapped: ${parts.join(", ")}`);
 			}
-		} catch {
-			// Ignore parse errors
 		}
 	}
 
+	// Detect version using unified version detection
+	// Fallback to short content hash for file sources
+	const versionResult = await detectDisplayVersion(
+		targetPath,
+		shortContentHash(contentHash),
+		"content_hash",
+	);
+
 	return {
 		id,
 		path: targetPath,
-		version,
+		version: versionResult.version,
+		versionSource: versionResult.source,
+		contentHash,
 		updated: true,
-		wrapped: false,
+		wrapped: needsWrap,
 	};
 }
 
+/**
+ * Generate a capability.toml for a wrapped file source
+ */
+async function generateFileSourceCapabilityToml(
+	id: string,
+	source: string,
+	hashVersion: string,
+	content: DiscoveredContent,
+	targetPath: string,
+): Promise<void> {
+	// Try to get metadata from plugin.json
+	const pluginMeta = await parsePluginJson(targetPath);
+
+	// Try to get description from README
+	const readmeDesc = await readReadmeDescription(targetPath);
+
+	// Build description based on available sources
+	let description: string;
+	if (pluginMeta?.description) {
+		description = pluginMeta.description;
+	} else if (readmeDesc) {
+		description = readmeDesc;
+	} else {
+		// Fallback: build from discovered content
+		const parts: string[] = [];
+		if (content.skills.length > 0) {
+			parts.push(`${content.skills.length} skill${content.skills.length > 1 ? "s" : ""}`);
+		}
+		if (content.agents.length > 0) {
+			parts.push(`${content.agents.length} agent${content.agents.length > 1 ? "s" : ""}`);
+		}
+		if (content.commands.length > 0) {
+			parts.push(`${content.commands.length} command${content.commands.length > 1 ? "s" : ""}`);
+		}
+		description = parts.length > 0 ? `${parts.join(", ")}` : `Wrapped from ${source}`;
+	}
+
+	// Use plugin metadata for name and version if available
+	const name = pluginMeta?.name || `${id} (wrapped)`;
+	const version = pluginMeta?.version || hashVersion;
+
+	// Build TOML content
+	let tomlContent = `# Auto-generated by OmniDev - DO NOT EDIT
+# This capability was wrapped from a local directory
+
+[capability]
+id = "${id}"
+name = "${name}"
+version = "${version}"
+description = "${description}"
+`;
+
+	// Add author if available from plugin.json
+	if (pluginMeta?.author?.name || pluginMeta?.author?.email) {
+		tomlContent += "\n[capability.author]\n";
+		if (pluginMeta.author.name) {
+			tomlContent += `name = "${pluginMeta.author.name}"\n`;
+		}
+		if (pluginMeta.author.email) {
+			tomlContent += `email = "${pluginMeta.author.email}"\n`;
+		}
+	}
+
+	// Add metadata section
+	tomlContent += `
+[capability.metadata]
+wrapped = true
+source = "${source}"
+`;
+
+	await writeFile(join(targetPath, "capability.toml"), tomlContent, "utf-8");
+}
+
 /**
  * Fetch a single capability source (git or file)
  */
@@ -1074,15 +1323,17 @@ export async function fetchAllCapabilitySources(
 	// Generate MCP capabilities FIRST
 	await generateMcpCapabilities(config);
 
+	// Clean up any stale temp directories from previous syncs
+	const tempDir = join(OMNI_LOCAL, "_temp");
+	if (existsSync(tempDir)) {
+		await rm(tempDir, { recursive: true });
+	}
+
 	const sources = config.capabilities?.sources;
 	if (!sources || Object.keys(sources).length === 0) {
 		return [];
 	}
 
-	if (!options?.silent) {
-		console.log("Fetching capability sources...");
-	}
-
 	const results: FetchResult[] = [];
 	const lockFile = await loadLockFile();
 	let lockUpdated = false;
@@ -1096,6 +1347,7 @@ export async function fetchAllCapabilitySources(
 			const lockEntry: CapabilityLockEntry = {
 				source: typeof source === "string" ? source : source.source,
 				version: result.version,
+				version_source: result.versionSource,
 				updated_at: new Date().toISOString(),
 			};
 
@@ -1103,6 +1355,10 @@ export async function fetchAllCapabilitySources(
 			if (result.commit) {
 				lockEntry.commit = result.commit;
 			}
+			// File source: use content hash
+			if (result.contentHash) {
+				lockEntry.content_hash = result.contentHash;
+			}
 			// Only access ref if it's a git source
 			if (!isFileSourceConfig(source)) {
 				const gitConfig = parseSourceConfig(source) as GitCapabilitySourceConfig;
@@ -1112,17 +1368,17 @@ export async function fetchAllCapabilitySources(
 			}
 
 			// Check if lock entry changed
+			// For git sources: compare commit hash
+			// For file sources: compare content hash
 			const existing = lockFile.capabilities[id];
-			const hasChanged = !existing || existing.commit !== result.commit;
+			const hasChanged =
+				!existing ||
+				(result.commit && existing.commit !== result.commit) ||
+				(result.contentHash && existing.content_hash !== result.contentHash);
 
 			if (hasChanged) {
 				lockFile.capabilities[id] = lockEntry;
 				lockUpdated = true;
-
-				if (!options?.silent && result.updated) {
-					const oldVersion = existing?.version || "new";
-					console.log(`  ${result.wrapped ? "+" : "~"} ${id}: ${oldVersion} -> ${result.version}`);
-				}
 			}
 		} catch (error) {
 			console.error(`  Failed to fetch ${id}: ${error}`);
@@ -1134,15 +1390,6 @@ export async function fetchAllCapabilitySources(
 		await saveLockFile(lockFile);
 	}
 
-	if (!options?.silent && results.length > 0) {
-		const updated = results.filter((r) => r.updated).length;
-		if (updated > 0) {
-			console.log(`  Updated ${updated} capability source(s)`);
-		} else {
-			console.log(`  All ${results.length} source(s) up to date`);
-		}
-	}
-
 	return results;
 }
 

package/src/index.ts

@@ -30,6 +30,9 @@ export * from "./state";
 // Export sync functionality
 export * from "./sync";
 
+// Export security scanning
+export * from "./security";
+
 // Export templates
 export * from "./templates/agents";
 export * from "./templates/capability";

package/src/mcp-json/manager.ts

@@ -132,7 +132,6 @@ function buildMcpServerConfig(mcp: McpConfig): McpServerConfig {
 export async function syncMcpJson(
 	capabilities: LoadedCapability[],
 	previousManifest: ResourceManifest,
-	options: { silent?: boolean } = {},
 ): Promise<void> {
 	const mcpJson = await readMcpJson();
 
@@ -150,17 +149,11 @@ export async function syncMcpJson(
 	}
 
 	// Add MCPs from all enabled capabilities
-	let addedCount = 0;
 	for (const cap of capabilities) {
 		if (cap.config.mcp) {
 			mcpJson.mcpServers[cap.id] = buildMcpServerConfig(cap.config.mcp);
-			addedCount++;
 		}
 	}
 
 	await writeMcpJson(mcpJson);
-
-	if (!options.silent) {
-		console.log(`  - .mcp.json (${addedCount} MCP server(s))`);
-	}
 }

package/src/security/index.ts

@@ -0,0 +1,11 @@
+/**
+ * Security scanning module for capability supply-chain safety
+ *
+ * Provides opt-in scanning for:
+ * - Suspicious Unicode characters (bidi overrides, zero-width, control chars)
+ * - Symlinks that escape capability directories
+ * - Suspicious script patterns in hooks
+ */
+
+export * from "./scanner.js";
+export * from "./types.js";