npm - @portel/photon - Versions diffs - 1.18.0 → 1.20.0 - Mend

@portel/photon 1.18.0 → 1.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (238) hide show

package/dist/auto-ui/beam/routes/api-browse.d.ts.map +1 -1
package/dist/auto-ui/beam/routes/api-browse.js +16 -4
package/dist/auto-ui/beam/routes/api-browse.js.map +1 -1
package/dist/auto-ui/beam/routes/api-config.js +4 -4
package/dist/auto-ui/beam/routes/api-config.js.map +1 -1
package/dist/auto-ui/beam/routes/api-marketplace.d.ts.map +1 -1
package/dist/auto-ui/beam/routes/api-marketplace.js +14 -1
package/dist/auto-ui/beam/routes/api-marketplace.js.map +1 -1
package/dist/auto-ui/beam.d.ts.map +1 -1
package/dist/auto-ui/beam.js +196 -77
package/dist/auto-ui/beam.js.map +1 -1
package/dist/auto-ui/bridge/index.d.ts.map +1 -1
package/dist/auto-ui/bridge/index.js +17 -0
package/dist/auto-ui/bridge/index.js.map +1 -1
package/dist/auto-ui/streamable-http-transport.d.ts +1 -0
package/dist/auto-ui/streamable-http-transport.d.ts.map +1 -1
package/dist/auto-ui/streamable-http-transport.js +64 -16
package/dist/auto-ui/streamable-http-transport.js.map +1 -1
package/dist/auto-ui/types.d.ts +12 -0
package/dist/auto-ui/types.d.ts.map +1 -1
package/dist/auto-ui/types.js.map +1 -1
package/dist/beam-form.bundle.js +49 -6
package/dist/beam-form.bundle.js.map +2 -2
package/dist/beam.bundle.js +2090 -512
package/dist/beam.bundle.js.map +4 -4
package/dist/capability-negotiator.d.ts +67 -0
package/dist/capability-negotiator.d.ts.map +1 -0
package/dist/capability-negotiator.js +104 -0
package/dist/capability-negotiator.js.map +1 -0
package/dist/channel-manager.d.ts +122 -0
package/dist/channel-manager.d.ts.map +1 -0
package/dist/channel-manager.js +266 -0
package/dist/channel-manager.js.map +1 -0
package/dist/claude-code-plugin.js +1 -1
package/dist/cli/commands/beam.d.ts.map +1 -1
package/dist/cli/commands/beam.js +8 -2
package/dist/cli/commands/beam.js.map +1 -1
package/dist/cli/commands/changelog.d.ts +9 -0
package/dist/cli/commands/changelog.d.ts.map +1 -0
package/dist/cli/commands/changelog.js +133 -0
package/dist/cli/commands/changelog.js.map +1 -0
package/dist/cli/commands/maker.d.ts.map +1 -1
package/dist/cli/commands/maker.js +23 -2
package/dist/cli/commands/maker.js.map +1 -1
package/dist/cli/commands/mcp.d.ts.map +1 -1
package/dist/cli/commands/mcp.js +53 -0
package/dist/cli/commands/mcp.js.map +1 -1
package/dist/cli/commands/package.d.ts.map +1 -1
package/dist/cli/commands/package.js +43 -9
package/dist/cli/commands/package.js.map +1 -1
package/dist/cli/commands/run.d.ts.map +1 -1
package/dist/cli/commands/run.js +1 -0
package/dist/cli/commands/run.js.map +1 -1
package/dist/cli/commands/update.d.ts +3 -2
package/dist/cli/commands/update.d.ts.map +1 -1
package/dist/cli/commands/update.js +50 -43
package/dist/cli/commands/update.js.map +1 -1
package/dist/cli/index.d.ts.map +1 -1
package/dist/cli/index.js +16 -2
package/dist/cli/index.js.map +1 -1
package/dist/cli-alias.js +1 -1
package/dist/cli-alias.js.map +1 -1
package/dist/context-store.d.ts +23 -33
package/dist/context-store.d.ts.map +1 -1
package/dist/context-store.js +147 -97
package/dist/context-store.js.map +1 -1
package/dist/context.d.ts +15 -10
package/dist/context.d.ts.map +1 -1
package/dist/context.js +37 -13
package/dist/context.js.map +1 -1
package/dist/daemon/client.d.ts.map +1 -1
package/dist/daemon/client.js +12 -0
package/dist/daemon/client.js.map +1 -1
package/dist/daemon/server.js +34 -51
package/dist/daemon/server.js.map +1 -1
package/dist/daemon/worker-manager.d.ts.map +1 -1
package/dist/daemon/worker-manager.js +21 -7
package/dist/daemon/worker-manager.js.map +1 -1
package/dist/data-migration.d.ts +27 -0
package/dist/data-migration.d.ts.map +1 -0
package/dist/data-migration.js +307 -0
package/dist/data-migration.js.map +1 -0
package/dist/editor-support/docblock-tag-catalog.d.ts.map +1 -1
package/dist/editor-support/docblock-tag-catalog.js +6 -0
package/dist/editor-support/docblock-tag-catalog.js.map +1 -1
package/dist/loader.d.ts +13 -0
package/dist/loader.d.ts.map +1 -1
package/dist/loader.js +169 -22
package/dist/loader.js.map +1 -1
package/dist/marketplace-manager.d.ts +6 -0
package/dist/marketplace-manager.d.ts.map +1 -1
package/dist/marketplace-manager.js +185 -62
package/dist/marketplace-manager.js.map +1 -1
package/dist/namespace-migration.d.ts +1 -0
package/dist/namespace-migration.d.ts.map +1 -1
package/dist/namespace-migration.js +86 -0
package/dist/namespace-migration.js.map +1 -1
package/dist/photon-cli-runner.d.ts.map +1 -1
package/dist/photon-cli-runner.js +47 -21
package/dist/photon-cli-runner.js.map +1 -1
package/dist/photon-doc-extractor.d.ts +1 -0
package/dist/photon-doc-extractor.d.ts.map +1 -1
package/dist/photon-doc-extractor.js +6 -0
package/dist/photon-doc-extractor.js.map +1 -1
package/dist/readme-syncer.d.ts.map +1 -1
package/dist/readme-syncer.js +6 -1
package/dist/readme-syncer.js.map +1 -1
package/dist/resource-server.d.ts +105 -0
package/dist/resource-server.d.ts.map +1 -0
package/dist/resource-server.js +723 -0
package/dist/resource-server.js.map +1 -0
package/dist/serv/auth/jwt.d.ts +2 -0
package/dist/serv/auth/jwt.d.ts.map +1 -1
package/dist/serv/auth/jwt.js +11 -5
package/dist/serv/auth/jwt.js.map +1 -1
package/dist/serv/vault/token-vault.d.ts +2 -0
package/dist/serv/vault/token-vault.d.ts.map +1 -1
package/dist/serv/vault/token-vault.js +6 -0
package/dist/serv/vault/token-vault.js.map +1 -1
package/dist/server.d.ts +30 -119
package/dist/server.d.ts.map +1 -1
package/dist/server.js +252 -1122
package/dist/server.js.map +1 -1
package/dist/shared/audit.d.ts.map +1 -1
package/dist/shared/audit.js +11 -4
package/dist/shared/audit.js.map +1 -1
package/dist/shared/security.d.ts +10 -0
package/dist/shared/security.d.ts.map +1 -1
package/dist/shared/security.js +27 -0
package/dist/shared/security.js.map +1 -1
package/dist/task-executor.d.ts +69 -0
package/dist/task-executor.d.ts.map +1 -0
package/dist/task-executor.js +182 -0
package/dist/task-executor.js.map +1 -0
package/dist/tasks/store.d.ts.map +1 -1
package/dist/tasks/store.js +6 -2
package/dist/tasks/store.js.map +1 -1
package/dist/types/photon-instance.d.ts +50 -0
package/dist/types/photon-instance.d.ts.map +1 -0
package/dist/types/photon-instance.js +9 -0
package/dist/types/photon-instance.js.map +1 -0
package/dist/types/server-types.d.ts +61 -0
package/dist/types/server-types.d.ts.map +1 -0
package/dist/types/server-types.js +8 -0
package/dist/types/server-types.js.map +1 -0
package/dist/version-notify.d.ts +27 -0
package/dist/version-notify.d.ts.map +1 -0
package/dist/version-notify.js +142 -0
package/dist/version-notify.js.map +1 -0
package/package.json +3 -3
package/dist/auto-ui/bridge/openai-shim.d.ts +0 -20
package/dist/auto-ui/bridge/openai-shim.d.ts.map +0 -1
package/dist/auto-ui/bridge/openai-shim.js +0 -231
package/dist/auto-ui/bridge/openai-shim.js.map +0 -1
package/dist/auto-ui/bridge/photon-app.d.ts +0 -162
package/dist/auto-ui/bridge/photon-app.d.ts.map +0 -1
package/dist/auto-ui/bridge/photon-app.js +0 -460
package/dist/auto-ui/bridge/photon-app.js.map +0 -1
package/dist/auto-ui/daemon-tools.d.ts +0 -45
package/dist/auto-ui/daemon-tools.d.ts.map +0 -1
package/dist/auto-ui/daemon-tools.js +0 -581
package/dist/auto-ui/daemon-tools.js.map +0 -1
package/dist/auto-ui/design-system/index.d.ts +0 -21
package/dist/auto-ui/design-system/index.d.ts.map +0 -1
package/dist/auto-ui/design-system/index.js +0 -27
package/dist/auto-ui/design-system/index.js.map +0 -1
package/dist/auto-ui/design-system/transaction-ui.d.ts +0 -70
package/dist/auto-ui/design-system/transaction-ui.d.ts.map +0 -1
package/dist/auto-ui/design-system/transaction-ui.js +0 -982
package/dist/auto-ui/design-system/transaction-ui.js.map +0 -1
package/dist/auto-ui/playground-server.d.ts +0 -7
package/dist/auto-ui/playground-server.d.ts.map +0 -1
package/dist/auto-ui/playground-server.js +0 -840
package/dist/auto-ui/playground-server.js.map +0 -1
package/dist/auto-ui/rendering/components.d.ts +0 -29
package/dist/auto-ui/rendering/components.d.ts.map +0 -1
package/dist/auto-ui/rendering/components.js +0 -1341
package/dist/auto-ui/rendering/components.js.map +0 -1
package/dist/auto-ui/rendering/field-analyzer.d.ts +0 -104
package/dist/auto-ui/rendering/field-analyzer.d.ts.map +0 -1
package/dist/auto-ui/rendering/field-analyzer.js +0 -447
package/dist/auto-ui/rendering/field-analyzer.js.map +0 -1
package/dist/auto-ui/rendering/field-renderers.d.ts +0 -64
package/dist/auto-ui/rendering/field-renderers.d.ts.map +0 -1
package/dist/auto-ui/rendering/field-renderers.js +0 -317
package/dist/auto-ui/rendering/field-renderers.js.map +0 -1
package/dist/auto-ui/rendering/index.d.ts +0 -28
package/dist/auto-ui/rendering/index.d.ts.map +0 -1
package/dist/auto-ui/rendering/index.js +0 -60
package/dist/auto-ui/rendering/index.js.map +0 -1
package/dist/auto-ui/rendering/layout-selector.d.ts +0 -60
package/dist/auto-ui/rendering/layout-selector.d.ts.map +0 -1
package/dist/auto-ui/rendering/layout-selector.js +0 -476
package/dist/auto-ui/rendering/layout-selector.js.map +0 -1
package/dist/markdown-utils.d.ts +0 -8
package/dist/markdown-utils.d.ts.map +0 -1
package/dist/markdown-utils.js +0 -64
package/dist/markdown-utils.js.map +0 -1
package/dist/mcp-client.d.ts +0 -9
package/dist/mcp-client.d.ts.map +0 -1
package/dist/mcp-client.js +0 -11
package/dist/mcp-client.js.map +0 -1
package/dist/mcp-elicitation.d.ts +0 -32
package/dist/mcp-elicitation.d.ts.map +0 -1
package/dist/mcp-elicitation.js +0 -26
package/dist/mcp-elicitation.js.map +0 -1
package/dist/photons/builder-compass.photon.d.ts +0 -167
package/dist/photons/builder-compass.photon.d.ts.map +0 -1
package/dist/photons/builder-compass.photon.js +0 -816
package/dist/photons/builder-compass.photon.js.map +0 -1
package/dist/photons/builder-compass.photon.ts +0 -1129
package/dist/photons/docs/ui/docs.html +0 -441
package/dist/photons/docs.photon.d.ts +0 -237
package/dist/photons/docs.photon.d.ts.map +0 -1
package/dist/photons/docs.photon.js +0 -483
package/dist/photons/docs.photon.js.map +0 -1
package/dist/photons/docs.photon.ts +0 -536
package/dist/photons/slides.photon.d.ts +0 -212
package/dist/photons/slides.photon.d.ts.map +0 -1
package/dist/photons/slides.photon.js +0 -355
package/dist/photons/slides.photon.js.map +0 -1
package/dist/photons/slides.photon.ts +0 -370
package/dist/photons/spreadsheet/ui/spreadsheet.html +0 -779
package/dist/photons/spreadsheet.photon.d.ts +0 -554
package/dist/photons/spreadsheet.photon.d.ts.map +0 -1
package/dist/photons/spreadsheet.photon.js +0 -1050
package/dist/photons/spreadsheet.photon.js.map +0 -1
package/dist/photons/spreadsheet.photon.ts +0 -1239
package/dist/photons/ui/builder-compass.html +0 -1199
package/dist/photons/ui/builder-compass.photon.html +0 -380
package/dist/security-scanner.d.ts +0 -52
package/dist/security-scanner.d.ts.map +0 -1
package/dist/security-scanner.js +0 -181
package/dist/security-scanner.js.map +0 -1
package/dist/shared/performance.d.ts +0 -65
package/dist/shared/performance.d.ts.map +0 -1
package/dist/shared/performance.js +0 -136
package/dist/shared/performance.js.map +0 -1

package/dist/marketplace-manager.js CHANGED Viewed

@@ -11,6 +11,7 @@ import { createLogger } from './shared/logger.js';
 import { getErrorMessage } from './shared/error-handler.js';
 import { verifyContentHash, validateAssetPath, isPathWithin } from './shared/security.js';
 import { getDefaultContext } from './context.js';
+import { getMetadataPath, resolvePath } from '@portel/photon-core';
 import { SchemaExtractor } from '@portel/photon-core';
 // Timeout for marketplace fetch requests
 const FETCH_TIMEOUT_MS = 10 * 1000;
@@ -32,8 +33,12 @@ function getGitHubToken() {
     _ghToken = process.env.GITHUB_TOKEN || null;
     if (!_ghToken) {
         try {
-            const { execSync } = require('child_process');
-            _ghToken = execSync('gh auth token 2>/dev/null', { encoding: 'utf-8' }).trim() || null;
+            const { execFileSync } = require('child_process');
+            _ghToken =
+                execFileSync('gh', ['auth', 'token'], {
+                    encoding: 'utf-8',
+                    stdio: ['pipe', 'pipe', 'ignore'],
+                }).trim() || null;
         }
         catch {
             _ghToken = null;
@@ -56,7 +61,7 @@ function ghFetch(url, options = {}) {
     return fetch(url, { ...options, headers });
 }
 const CONFIG_DIR = getDefaultContext().baseDir;
-const METADATA_FILE = path.join(CONFIG_DIR, '.metadata.json');
+const METADATA_FILE = getMetadataPath();
 // Cache is considered stale after 24 hours
 const CACHE_TTL_MS = 24 * 60 * 60 * 1000;
 // Built-in marketplaces that ship with the runtime
@@ -126,6 +131,11 @@ export async function readLocalMetadata() {
     }
     return { photons: {} };
 }
+function validateSafeName(name, label) {
+    if (/[;&|$`(){}\\\<>!#~\n\r]/.test(name)) {
+        throw new Error(`Invalid ${label}: contains unsafe characters`);
+    }
+}
 export class MarketplaceManager {
     config = { marketplaces: [] };
     logger;
@@ -138,8 +148,8 @@ export class MarketplaceManager {
         const dir = baseDir || CONFIG_DIR;
         this.configDir = dir;
         this.configFile = path.join(dir, 'marketplaces.json');
-        this.cacheDir = path.join(dir, '.cache', 'marketplaces');
-        this.metadataFile = path.join(dir, '.metadata.json');
+        this.cacheDir = path.join(getDefaultContext().cacheDir, 'marketplaces');
+        this.metadataFile = getMetadataPath(dir);
     }
     async initialize() {
         await fs.mkdir(this.configDir, { recursive: true });
@@ -731,7 +741,7 @@ export class MarketplaceManager {
      * Safe to call on every startup — only fetches when assets are actually missing.
      */
     async repairMissingAssets(workingDir) {
-        const localMetadata = await readLocalMetadata();
+        const localMetadata = await this.readMetadata();
         let repaired = 0;
         for (const [fileName, installInfo] of Object.entries(localMetadata.photons)) {
             const photonName = fileName.replace(/\.photon\.ts$/, '');
@@ -965,6 +975,11 @@ export class MarketplaceManager {
                 }
             }
         }
+        // Install @photon transitive dependencies from the same marketplace
+        const transitiveDeps = await this.installTransitiveDeps(content, result.marketplace, workingDir);
+        if (transitiveDeps.length > 0) {
+            assetsInstalled.push(...transitiveDeps.map((d) => `@photon ${d}`));
+        }
         return { photonPath, assetsInstalled };
     }
     /**
@@ -1004,10 +1019,21 @@ export class MarketplaceManager {
         const deps = extractor.extractPhotonDependencies(content);
         const installed = [];
         for (const dep of deps) {
+            // Resolve dependency name from source
+            let depName;
             if (dep.sourceType === 'local' &&
                 (dep.source.startsWith('./') || dep.source.startsWith('../'))) {
-                const depFileName = path.basename(dep.source);
-                const depName = depFileName.replace(/\.photon\.(ts|js)$/, '');
+                // Relative path: ./chat.photon.ts → chat
+                depName = path.basename(dep.source).replace(/\.photon\.(ts|js)$/, '');
+            }
+            else if (dep.sourceType === 'marketplace' || !dep.source.startsWith('/')) {
+                // Marketplace name: whatsapp, agent-router, courier
+                depName = dep.source;
+            }
+            else {
+                continue; // Absolute paths — skip
+            }
+            {
                 if (visited.has(depName))
                     continue;
                 visited.add(depName);
@@ -1016,6 +1042,9 @@ export class MarketplaceManager {
                 const installDir = namespace ? path.join(workingDir, namespace) : workingDir;
                 if (existsSync(path.join(installDir, `${depName}.photon.ts`)))
                     continue;
+                // Also check flat in workingDir
+                if (existsSync(path.join(workingDir, `${depName}.photon.ts`)))
+                    continue;
                 // Fetch from the same marketplace
                 this.logger.info(`Fetching @photon dependency: ${depName}`);
                 const depResult = await this.fetchMCPFromMarketplace(depName, marketplace);
@@ -1123,7 +1152,7 @@ export class MarketplaceManager {
         return { photons: {} };
     }
     async writeMetadata(metadata) {
-        await fs.mkdir(this.configDir, { recursive: true });
+        await fs.mkdir(path.dirname(this.metadataFile), { recursive: true });
         await writeJSON(this.metadataFile, metadata);
     }
     /**
@@ -1307,30 +1336,82 @@ export class MarketplaceManager {
      * Shared logic used by both CLI and Beam.
      */
     async forkPhoton(name, workingDir, options) {
-        const fileName = `${name}.photon.ts`;
-        const filePath = path.join(workingDir, fileName);
-        // Check file exists
-        if (!existsSync(filePath)) {
+        validateSafeName(name, 'photon name');
+        if (options?.targetRepo)
+            validateSafeName(options.targetRepo, 'target repo');
+        if (options?.createRepo)
+            validateSafeName(options.createRepo, 'repo name');
+        if (options?.newName)
+            validateSafeName(options.newName, 'new photon name');
+        const sourcePath = await resolvePath(name, workingDir);
+        if (!sourcePath) {
             return { success: false, message: `Photon not found: ${name}` };
         }
-        // Read install metadata
-        const localMetadata = await readLocalMetadata();
-        const installMeta = localMetadata.photons[fileName];
-        if (!installMeta) {
+        const sourceName = path.basename(sourcePath).replace(/\.photon\.(ts|js)$/, '');
+        const normalizedSourceKey = this.toMetadataKey(sourcePath, workingDir);
+        const requestedNewName = options?.newName?.trim();
+        const localMetadata = await this.readMetadata();
+        const installMeta = localMetadata.photons[normalizedSourceKey];
+        const isLocalSource = !installMeta;
+        const targetName = requestedNewName || sourceName;
+        const suggestedName = `${sourceName}-copy`;
+        if (isLocalSource && !requestedNewName) {
             return {
-                success: true,
-                message: `${name} is already a local photon (no marketplace tracking)`,
+                success: false,
+                message: `${sourceName} is already local. Choose a new local name to fork it.`,
+                requiresName: true,
+                suggestedName,
             };
         }
+        if (isLocalSource && requestedNewName === sourceName) {
+            return {
+                success: false,
+                message: 'Forking a local photon requires a different new name.',
+                requiresName: true,
+                suggestedName,
+            };
+        }
+        const targetPath = path.join(workingDir, `${targetName}.photon.ts`);
+        const sourceRealPath = await fs.realpath(sourcePath).catch(() => sourcePath);
+        const targetExists = existsSync(targetPath);
+        const targetRealPath = targetExists
+            ? await fs.realpath(targetPath).catch(() => targetPath)
+            : null;
+        if (targetExists && targetRealPath !== sourceRealPath) {
+            return {
+                success: false,
+                message: `A local photon named ${targetName} already exists. Choose a different local name.`,
+                requiresName: true,
+                suggestedName,
+            };
+        }
+        const fileName = `${targetName}.photon.ts`;
+        const filePath = targetPath;
         // Check @forkedFrom tag
-        const content = await readText(filePath);
+        const content = await readText(sourcePath);
         const hasForkedFrom = content.includes('@forkedFrom');
+        const sourceAssetDir = path.join(path.dirname(sourcePath), sourceName);
+        const targetAssetDir = path.join(workingDir, targetName);
+        if (targetRealPath !== sourceRealPath && !isLocalSource) {
+            await fs.mkdir(workingDir, { recursive: true });
+            await fs.rename(sourcePath, targetPath);
+            await this.movePhotonAssetDir(sourceAssetDir, targetAssetDir);
+        }
+        else if (targetRealPath !== sourceRealPath) {
+            await fs.copyFile(sourcePath, targetPath);
+            await this.copyPhotonAssetDir(sourceAssetDir, targetAssetDir);
+        }
+        else if (path.dirname(sourcePath) !== workingDir || targetName !== sourceName) {
+            await fs.mkdir(workingDir, { recursive: true });
+            await fs.rename(sourcePath, targetPath);
+            await this.movePhotonAssetDir(sourceAssetDir, targetAssetDir);
+        }
         // Handle target repo push if specified
         if (options?.targetRepo || options?.createRepo) {
-            const { execSync } = await import('child_process');
+            const { execFileSync } = await import('child_process');
             // Check gh CLI
             try {
-                execSync('gh --version', { stdio: 'pipe' });
+                execFileSync('gh', ['--version'], { stdio: 'pipe' });
             }
             catch {
                 return {
@@ -1341,7 +1422,9 @@ export class MarketplaceManager {
             if (options.createRepo) {
                 // Create new repo and push
                 try {
-                    execSync(`gh repo create ${options.createRepo} --public --confirm`, { stdio: 'pipe' });
+                    execFileSync('gh', ['repo', 'create', options.createRepo, '--public', '--confirm'], {
+                        stdio: 'pipe',
+                    });
                 }
                 catch {
                     // Repo may already exist
@@ -1349,23 +1432,17 @@ export class MarketplaceManager {
                 const targetRepo = options.createRepo;
                 const tmpDir = path.join(os.tmpdir(), `photon-fork-${Date.now()}`);
                 try {
-                    execSync(`gh repo clone ${targetRepo} "${tmpDir}" -- --depth=1`, {
+                    execFileSync('gh', ['repo', 'clone', targetRepo, tmpDir, '--', '--depth=1'], {
                         stdio: 'pipe',
                     });
                     await fs.copyFile(filePath, path.join(tmpDir, fileName));
-                    // Copy assets
-                    const photonMeta = await this.getPhotonMetadata(name);
-                    if (photonMeta?.metadata.assets) {
-                        for (const asset of photonMeta.metadata.assets) {
-                            const srcAsset = path.join(workingDir, asset);
-                            if (existsSync(srcAsset)) {
-                                const dstAsset = path.join(tmpDir, asset);
-                                await fs.mkdir(path.dirname(dstAsset), { recursive: true });
-                                await fs.copyFile(srcAsset, dstAsset);
-                            }
-                        }
-                    }
-                    execSync(`cd "${tmpDir}" && git add -A && git commit -m "fork: ${name} photon" && git push origin`, { stdio: 'pipe' });
+                    await this.copyPhotonAssetDir(targetAssetDir, path.join(tmpDir, targetName));
+                    execFileSync('git', ['add', '-A'], { cwd: tmpDir, stdio: 'pipe' });
+                    execFileSync('git', ['commit', '-m', `fork: ${name} photon`], {
+                        cwd: tmpDir,
+                        stdio: 'pipe',
+                    });
+                    execFileSync('git', ['push', 'origin'], { cwd: tmpDir, stdio: 'pipe' });
                     await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => { });
                 }
                 catch (e) {
@@ -1380,23 +1457,17 @@ export class MarketplaceManager {
                 // Push to existing repo
                 const tmpDir = path.join(os.tmpdir(), `photon-fork-${Date.now()}`);
                 try {
-                    execSync(`gh repo clone ${options.targetRepo} "${tmpDir}" -- --depth=1`, {
+                    execFileSync('gh', ['repo', 'clone', options.targetRepo, tmpDir, '--', '--depth=1'], {
                         stdio: 'pipe',
                     });
                     await fs.copyFile(filePath, path.join(tmpDir, fileName));
-                    // Copy assets
-                    const photonMeta = await this.getPhotonMetadata(name);
-                    if (photonMeta?.metadata.assets) {
-                        for (const asset of photonMeta.metadata.assets) {
-                            const srcAsset = path.join(workingDir, asset);
-                            if (existsSync(srcAsset)) {
-                                const dstAsset = path.join(tmpDir, asset);
-                                await fs.mkdir(path.dirname(dstAsset), { recursive: true });
-                                await fs.copyFile(srcAsset, dstAsset);
-                            }
-                        }
-                    }
-                    execSync(`cd "${tmpDir}" && git add -A && git commit -m "fork: ${name} photon" && git push origin`, { stdio: 'pipe' });
+                    await this.copyPhotonAssetDir(targetAssetDir, path.join(tmpDir, targetName));
+                    execFileSync('git', ['add', '-A'], { cwd: tmpDir, stdio: 'pipe' });
+                    execFileSync('git', ['commit', '-m', `fork: ${name} photon`], {
+                        cwd: tmpDir,
+                        stdio: 'pipe',
+                    });
+                    execFileSync('git', ['push', 'origin'], { cwd: tmpDir, stdio: 'pipe' });
                     await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => { });
                 }
                 catch (e) {
@@ -1409,22 +1480,59 @@ export class MarketplaceManager {
             }
         }
         // Remove marketplace tracking
-        delete localMetadata.photons[fileName];
+        if (installMeta) {
+            delete localMetadata.photons[normalizedSourceKey];
+        }
         await this.writeMetadata(localMetadata);
         const parts = [];
-        parts.push(`${name} is now your own`);
+        if (targetName !== sourceName) {
+            parts.push(`Created local fork ${targetName} from ${sourceName}`);
+        }
+        else {
+            parts.push(`${sourceName} is now your own`);
+        }
         if (hasForkedFrom) {
             parts.push('Origin preserved as @forkedFrom tag');
         }
-        parts.push('Marketplace update tracking removed');
+        if (installMeta) {
+            parts.push('Marketplace update tracking removed');
+        }
         return { success: true, message: parts.join('. ') };
     }
+    toMetadataKey(filePath, workingDir) {
+        return path.relative(workingDir, filePath).split(path.sep).join('/');
+    }
+    async copyPhotonAssetDir(sourceDir, targetDir) {
+        const stat = await fs.lstat(sourceDir).catch(() => null);
+        if (!stat)
+            return;
+        if (stat.isSymbolicLink()) {
+            const linkTarget = await fs.readlink(sourceDir);
+            await fs.symlink(linkTarget, targetDir).catch(() => { });
+            return;
+        }
+        if (!stat.isDirectory())
+            return;
+        await fs.cp(sourceDir, targetDir, { recursive: true, force: true });
+    }
+    async movePhotonAssetDir(sourceDir, targetDir) {
+        const stat = await fs.lstat(sourceDir).catch(() => null);
+        if (!stat)
+            return;
+        if (existsSync(targetDir))
+            return;
+        await fs.mkdir(path.dirname(targetDir), { recursive: true });
+        await fs.rename(sourceDir, targetDir);
+    }
     /**
      * Contribute a photon back upstream via PR.
      * Shared logic used by both CLI and Beam.
      */
     async contributePhoton(name, workingDir, options) {
-        const { execSync } = await import('child_process');
+        validateSafeName(name, 'photon name');
+        if (options?.branch)
+            validateSafeName(options.branch, 'branch name');
+        const { execFileSync } = await import('child_process');
         const fileName = `${name}.photon.ts`;
         const filePath = path.join(workingDir, fileName);
         // Check file exists
@@ -1433,7 +1541,7 @@ export class MarketplaceManager {
         }
         // Check gh CLI
         try {
-            execSync('gh --version', { stdio: 'pipe' });
+            execFileSync('gh', ['--version'], { stdio: 'pipe' });
         }
         catch {
             return {
@@ -1443,7 +1551,7 @@ export class MarketplaceManager {
         }
         // Check gh auth
         try {
-            execSync('gh auth status', { stdio: 'pipe' });
+            execFileSync('gh', ['auth', 'status'], { stdio: 'pipe' });
         }
         catch {
             return {
@@ -1492,20 +1600,20 @@ export class MarketplaceManager {
         }
         // Fork the repo
         try {
-            execSync(`gh repo fork ${repo} --clone=false`, { stdio: 'pipe' });
+            execFileSync('gh', ['repo', 'fork', repo, '--clone=false'], { stdio: 'pipe' });
         }
         catch {
             // Fork may already exist
         }
         // Get fork name
-        const forkJson = execSync('gh api user', { encoding: 'utf-8' });
+        const forkJson = execFileSync('gh', ['api', 'user'], { encoding: 'utf-8' });
         const ghUser = JSON.parse(forkJson).login;
         const repoName = repo.split('/')[1];
         const forkRepo = `${ghUser}/${repoName}`;
         // Clone to temp dir
         const tmpDir = path.join(os.tmpdir(), `photon-contribute-${Date.now()}`);
         try {
-            execSync(`gh repo clone ${forkRepo} "${tmpDir}" -- --depth=1`, {
+            execFileSync('gh', ['repo', 'clone', forkRepo, tmpDir, '--', '--depth=1'], {
                 stdio: 'pipe',
             });
             // Copy modified photon file
@@ -1523,9 +1631,24 @@ export class MarketplaceManager {
                 }
             }
             // Create branch, commit, push
-            execSync(`cd "${tmpDir}" && git checkout -b "${branchName}" && git add -A && git commit -m "improve: update ${name} photon" && git push origin "${branchName}"`, { stdio: 'pipe' });
+            execFileSync('git', ['checkout', '-b', branchName], { cwd: tmpDir, stdio: 'pipe' });
+            execFileSync('git', ['add', '-A'], { cwd: tmpDir, stdio: 'pipe' });
+            execFileSync('git', ['commit', '-m', `improve: update ${name} photon`], {
+                cwd: tmpDir,
+                stdio: 'pipe',
+            });
+            execFileSync('git', ['push', 'origin', branchName], { cwd: tmpDir, stdio: 'pipe' });
             // Create PR
-            const prOutput = execSync(`cd "${tmpDir}" && gh pr create --repo "${repo}" --title "Improve ${name} photon" --body "Contributed improvements to ${name} photon via Photon marketplace."`, { encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
+            const prOutput = execFileSync('gh', [
+                'pr',
+                'create',
+                '--repo',
+                repo,
+                '--title',
+                `Improve ${name} photon`,
+                '--body',
+                `Contributed improvements to ${name} photon via Photon marketplace.`,
+            ], { cwd: tmpDir, encoding: 'utf-8', stdio: ['pipe', 'pipe', 'pipe'] });
             // Cleanup temp dir
             await fs.rm(tmpDir, { recursive: true, force: true }).catch(() => { });
             const prUrl = prOutput.trim();