@omnidev-ai/core 0.11.0 → 0.12.0

package/src/state/security-allows.ts

@@ -0,0 +1,178 @@
+/**
+ * Security allows state management
+ *
+ * Stores allowed (ignored) security warnings in .omni/security.json
+ * This allows users to suppress specific findings they've reviewed and accepted.
+ */
+
+import { existsSync, mkdirSync } from "node:fs";
+import { readFile, writeFile } from "node:fs/promises";
+import type { FindingType } from "../security/types.js";
+
+const OMNI_DIR = ".omni";
+const SECURITY_PATH = `${OMNI_DIR}/security.json`;
+
+/**
+ * Security allows state structure
+ */
+export interface SecurityAllowsState {
+	/** Schema version */
+	version: 1;
+	/** Timestamp of last modification */
+	modifiedAt: string;
+	/** Map of capability ID -> array of allowed finding types */
+	allows: Record<string, FindingType[]>;
+}
+
+/**
+ * An individual security allow entry
+ */
+export interface SecurityAllow {
+	capabilityId: string;
+	findingType: FindingType;
+}
+
+const DEFAULT_STATE: SecurityAllowsState = {
+	version: 1,
+	modifiedAt: new Date().toISOString(),
+	allows: {},
+};
+
+/**
+ * Read the security allows from local state.
+ * Returns empty state if no file exists.
+ */
+export async function readSecurityAllows(): Promise<SecurityAllowsState> {
+	if (!existsSync(SECURITY_PATH)) {
+		return { ...DEFAULT_STATE };
+	}
+
+	try {
+		const content = await readFile(SECURITY_PATH, "utf-8");
+		const state = JSON.parse(content) as SecurityAllowsState;
+		return state;
+	} catch {
+		return { ...DEFAULT_STATE };
+	}
+}
+
+/**
+ * Write security allows to local state.
+ */
+export async function writeSecurityAllows(state: SecurityAllowsState): Promise<void> {
+	mkdirSync(OMNI_DIR, { recursive: true });
+	state.modifiedAt = new Date().toISOString();
+	await writeFile(SECURITY_PATH, `${JSON.stringify(state, null, 2)}\n`, "utf-8");
+}
+
+/**
+ * Add an allow for a specific capability and finding type.
+ */
+export async function addSecurityAllow(
+	capabilityId: string,
+	findingType: FindingType,
+): Promise<boolean> {
+	const state = await readSecurityAllows();
+
+	if (!state.allows[capabilityId]) {
+		state.allows[capabilityId] = [];
+	}
+
+	// Check if already allowed
+	if (state.allows[capabilityId].includes(findingType)) {
+		return false; // Already exists
+	}
+
+	state.allows[capabilityId].push(findingType);
+	await writeSecurityAllows(state);
+	return true;
+}
+
+/**
+ * Remove an allow for a specific capability and finding type.
+ */
+export async function removeSecurityAllow(
+	capabilityId: string,
+	findingType: FindingType,
+): Promise<boolean> {
+	const state = await readSecurityAllows();
+
+	if (!state.allows[capabilityId]) {
+		return false; // Doesn't exist
+	}
+
+	const index = state.allows[capabilityId].indexOf(findingType);
+	if (index === -1) {
+		return false; // Doesn't exist
+	}
+
+	state.allows[capabilityId].splice(index, 1);
+
+	// Clean up empty arrays
+	if (state.allows[capabilityId].length === 0) {
+		delete state.allows[capabilityId];
+	}
+
+	await writeSecurityAllows(state);
+	return true;
+}
+
+/**
+ * Check if a finding type is allowed for a capability.
+ */
+export async function isSecurityAllowed(
+	capabilityId: string,
+	findingType: FindingType,
+): Promise<boolean> {
+	const state = await readSecurityAllows();
+	const allows = state.allows[capabilityId];
+	if (!allows) return false;
+	return allows.includes(findingType);
+}
+
+/**
+ * Get all allows for a capability.
+ */
+export async function getCapabilityAllows(capabilityId: string): Promise<FindingType[]> {
+	const state = await readSecurityAllows();
+	return state.allows[capabilityId] ?? [];
+}
+
+/**
+ * Get all security allows as a flat list.
+ */
+export async function getAllSecurityAllows(): Promise<SecurityAllow[]> {
+	const state = await readSecurityAllows();
+	const result: SecurityAllow[] = [];
+
+	for (const [capabilityId, findingTypes] of Object.entries(state.allows)) {
+		for (const findingType of findingTypes) {
+			result.push({ capabilityId, findingType });
+		}
+	}
+
+	return result;
+}
+
+/**
+ * Clear all allows for a capability.
+ */
+export async function clearCapabilityAllows(capabilityId: string): Promise<boolean> {
+	const state = await readSecurityAllows();
+
+	if (!state.allows[capabilityId]) {
+		return false;
+	}
+
+	delete state.allows[capabilityId];
+	await writeSecurityAllows(state);
+	return true;
+}
+
+/**
+ * Clear all security allows.
+ */
+export async function clearAllSecurityAllows(): Promise<void> {
+	const state = { ...DEFAULT_STATE };
+	await writeSecurityAllows(state);
+}

package/src/sync.ts

@@ -27,11 +27,11 @@ export interface SyncOptions {
 }
 
 /**
- * Install dependencies for capabilities in .omni/capabilities/
- * Only installs for capabilities that have a package.json
+ * Install dependencies and build TypeScript capabilities in .omni/capabilities/
+ * Only processes capabilities that have a package.json
  */
 export async function installCapabilityDependencies(silent: boolean): Promise<void> {
-	const { existsSync, readdirSync } = await import("node:fs");
+	const { existsSync, readdirSync, readFileSync } = await import("node:fs");
 	const { join } = await import("node:path");
 
 	const capabilitiesDir = ".omni/capabilities";
@@ -73,11 +73,7 @@ export async function installCapabilityDependencies(silent: boolean): Promise<vo
 			continue;
 		}
 
-		if (!silent) {
-			console.log(`Installing dependencies for ${capabilityPath}...`);
-		}
-
-		// Prefer Bun if available, otherwise fallback to npm.
+		// Install dependencies silently (only show errors)
 		await new Promise<void>((resolve, reject) => {
 			const useNpmCi = hasNpm && existsSync(join(capabilityPath, "package-lock.json"));
 			const cmd = hasBun ? "bun" : "npm";
@@ -85,14 +81,19 @@ export async function installCapabilityDependencies(silent: boolean): Promise<vo
 
 			const proc = spawn(cmd, args, {
 				cwd: capabilityPath,
-				stdio: silent ? "ignore" : "inherit",
+				stdio: "pipe",
+			});
+
+			let stderr = "";
+			proc.stderr?.on("data", (data) => {
+				stderr += data.toString();
 			});
 
 			proc.on("close", (code) => {
 				if (code === 0) {
 					resolve();
 				} else {
-					reject(new Error(`Failed to install dependencies for ${capabilityPath}`));
+					reject(new Error(`Failed to install dependencies for ${capabilityPath}:\n${stderr}`));
 				}
 			});
 
@@ -100,6 +101,57 @@ export async function installCapabilityDependencies(silent: boolean): Promise<vo
 				reject(error);
 			});
 		});
+
+		// Check if capability needs building (has index.ts but no dist/index.js)
+		const hasIndexTs = existsSync(join(capabilityPath, "index.ts"));
+		const hasBuiltIndex = existsSync(join(capabilityPath, "dist", "index.js"));
+
+		if (hasIndexTs && !hasBuiltIndex) {
+			// Check if package.json has a build script
+			let hasBuildScript = false;
+			try {
+				const pkgJson = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+				hasBuildScript = Boolean(pkgJson.scripts?.build);
+			} catch {
+				// Ignore parse errors
+			}
+
+			if (hasBuildScript) {
+				// Build silently (only show errors)
+				await new Promise<void>((resolve, reject) => {
+					const cmd = hasBun ? "bun" : "npm";
+					const args = ["run", "build"];
+
+					const proc = spawn(cmd, args, {
+						cwd: capabilityPath,
+						stdio: "pipe",
+					});
+
+					let stderr = "";
+					proc.stderr?.on("data", (data) => {
+						stderr += data.toString();
+					});
+
+					proc.on("close", (code) => {
+						if (code === 0) {
+							resolve();
+						} else {
+							reject(new Error(`Failed to build capability ${capabilityPath}:\n${stderr}`));
+						}
+					});
+
+					proc.on("error", (error) => {
+						reject(error);
+					});
+				});
+			} else if (!silent) {
+				// Warn user that capability has TypeScript but no build setup
+				console.warn(
+					`Warning: Capability at ${capabilityPath} has index.ts but no build script.\n` +
+						`  Add a "build" script to package.json (e.g., "build": "tsc") to compile TypeScript.`,
+				);
+			}
+		}
 	}
 }
 
@@ -162,10 +214,6 @@ export async function syncAgentConfiguration(options?: SyncOptions): Promise<Syn
 	const silent = options?.silent ?? false;
 	const adapters = options?.adapters ?? [];
 
-	if (!silent) {
-		console.log("Syncing agent configuration...");
-	}
-
 	const { bundle } = await buildSyncBundle({ silent });
 	const capabilities = bundle.capabilities;
 
@@ -173,24 +221,7 @@ export async function syncAgentConfiguration(options?: SyncOptions): Promise<Syn
 	const previousManifest = await loadManifest();
 	const currentCapabilityIds = new Set(capabilities.map((c) => c.id));
 
-	const cleanupResult = await cleanupStaleResources(previousManifest, currentCapabilityIds);
-
-	if (
-		!silent &&
-		(cleanupResult.deletedSkills.length > 0 || cleanupResult.deletedRules.length > 0)
-	) {
-		console.log("Cleaned up stale resources:");
-		if (cleanupResult.deletedSkills.length > 0) {
-			console.log(
-				`  - Removed ${cleanupResult.deletedSkills.length} skill(s): ${cleanupResult.deletedSkills.join(", ")}`,
-			);
-		}
-		if (cleanupResult.deletedRules.length > 0) {
-			console.log(
-				`  - Removed ${cleanupResult.deletedRules.length} rule(s): ${cleanupResult.deletedRules.join(", ")}`,
-			);
-		}
-	}
+	await cleanupStaleResources(previousManifest, currentCapabilityIds);
 
 	// Call sync hooks for capabilities that have them
 	for (const capability of capabilities) {
@@ -223,7 +254,7 @@ export async function syncAgentConfiguration(options?: SyncOptions): Promise<Syn
 	mkdirSync(".omni", { recursive: true });
 
 	// Sync .mcp.json with capability MCP servers (before saving manifest)
-	await syncMcpJson(capabilities, previousManifest, { silent });
+	await syncMcpJson(capabilities, previousManifest);
 
 	// Save updated manifest for future cleanup
 	const newManifest = buildManifestFromCapabilities(capabilities);
@@ -239,24 +270,13 @@ export async function syncAgentConfiguration(options?: SyncOptions): Promise<Syn
 
 		for (const adapter of adapters) {
 			try {
-				const result = await adapter.sync(bundle, ctx);
-				if (!silent && result.filesWritten.length > 0) {
-					console.log(`  - ${adapter.displayName}: ${result.filesWritten.length} files`);
-				}
+				await adapter.sync(bundle, ctx);
 			} catch (error) {
 				console.error(`Error running ${adapter.displayName} adapter:`, error);
 			}
 		}
 	}
 
-	if (!silent) {
-		console.log("✓ Synced:");
-		console.log(`  - ${bundle.docs.length} docs, ${bundle.rules.length} rules`);
-		if (adapters.length > 0) {
-			console.log(`  - Provider adapters: ${adapters.map((a) => a.displayName).join(", ")}`);
-		}
-	}
-
 	return {
 		capabilities: capabilities.map((c) => c.id),
 		skillCount: bundle.skills.length,

package/src/types/index.ts

@@ -222,16 +222,31 @@ export function isFileSourceConfig(
 	return config.source.startsWith("file://");
 }
 
+/**
+ * Source where the version was detected from.
+ * Used for debugging and auditing to understand version provenance.
+ */
+export type VersionSource =
+	| "capability.toml"
+	| "plugin.json"
+	| "package.json"
+	| "commit"
+	| "content_hash";
+
 /** Lock file entry for a capability (version tracking) */
 export interface CapabilityLockEntry {
 	/** Original source reference */
 	source: string;
-	/** Version from capability.toml or package.json */
+	/** Version from capability.toml, plugin.json, package.json, or fallback */
 	version: string;
+	/** Where the version was detected from (for auditing/debugging) */
+	version_source?: VersionSource;
 	/** For git sources: exact commit hash */
 	commit?: string;
 	/** Pinned ref if specified */
 	ref?: string;
+	/** For file sources: SHA-256 hash of content for reproducibility */
+	content_hash?: string;
 	/** Last update timestamp (ISO 8601) */
 	updated_at: string;
 }
@@ -260,6 +275,40 @@ export interface ProfileConfig {
 	capabilities?: string[];
 }
 
+/**
+ * Security scan mode
+ * - off: No scanning (default)
+ * - warn: Report findings but continue
+ * - error: Report findings and fail sync
+ */
+export type SecurityMode = "off" | "warn" | "error";
+
+/**
+ * Individual scan toggles for security scanning
+ */
+export interface ScanSettings {
+	/** Detect suspicious Unicode characters (bidi overrides, zero-width, control chars) */
+	unicode?: boolean;
+	/** Detect symlinks inside capability directories */
+	symlinks?: boolean;
+	/** Detect suspicious patterns in scripts/hooks */
+	scripts?: boolean;
+	/** Detect binary files in content folders */
+	binaries?: boolean;
+}
+
+/**
+ * Security configuration section in omni.toml
+ */
+export interface SecurityConfig {
+	/** Scan mode: off, warn, or error (default: off) */
+	mode?: SecurityMode;
+	/** Trusted source patterns (host/org/repo) that skip scanning */
+	trusted_sources?: string[];
+	/** Individual scan settings */
+	scan?: ScanSettings;
+}
+
 export interface OmniConfig {
 	profiles?: Record<string, ProfileConfig>;
 	providers?: {
@@ -269,6 +318,8 @@ export interface OmniConfig {
 	capabilities?: CapabilitiesConfig;
 	/** MCP server definitions that auto-generate capabilities */
 	mcps?: Record<string, McpConfig>;
+	/** Security scanning configuration */
+	security?: SecurityConfig;
 }
 
 // Provider Types