@pugi/cli 0.1.0-alpha.10

package/dist/runtime/commands/skills.js

@@ -0,0 +1,401 @@
+import { createInterface } from 'node:readline/promises';
+import { stdin as input, stdout as output } from 'node:process';
+import { assertValidSlug, globalSkillDir, installSkill, listSkills, parseSkillMarkdown, removeSkill, workspaceSkillDir, } from '../../core/skills/loader.js';
+import { cleanupTmp, fetchSource } from '../../core/skills/sources.js';
+import { hashSkillDir, recordTrust, revokeTrust, verifyTrust, } from '../../core/skills/trust.js';
+import { readdirSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+const USAGE = [
+    'Usage:',
+    '  pugi skills list [--global|--workspace]            Show installed skills.',
+    '  pugi skills install <source> [--global|--workspace] [--yes] [--as <name>]',
+    '                                                     Fetch + trust-prompt + activate a skill.',
+    '  pugi skills info <name>                            Show metadata + body preview.',
+    '  pugi skills remove <name> [--global|--workspace]   Delete an installed skill.',
+    '  pugi skills trust <name> [--global|--workspace]    Re-trust the on-disk payload.',
+    '',
+    'Source forms accepted by `install`:',
+    '  gh:owner/repo[/subdir][@ref]   GitHub tree fetch (default ref: main).',
+    '  https://github.com/...         GitHub tree/blob URL.',
+    '  anthropic:<slug>               Shortcut for gh:anthropics/skills/<slug>@main.',
+    '  npm:<package>[@version]        npm registry tarball.',
+    '  ./path | /abs/path             Local filesystem.',
+    '  <slug>                         Catalog lookup (catalog.pugi.dev).',
+].join('\n');
+export async function runSkillsCommand(args, ctx) {
+    const sub = args[0];
+    if (!sub || sub === '--help' || sub === '-h') {
+        ctx.writeOutput({ command: 'skills', usage: USAGE.split('\n') }, USAGE);
+        return;
+    }
+    switch (sub) {
+        case 'list':
+            return runSkillsList(args.slice(1), ctx);
+        case 'install':
+            return runSkillsInstall(args.slice(1), ctx);
+        case 'info':
+            return runSkillsInfo(args.slice(1), ctx);
+        case 'remove':
+            return runSkillsRemove(args.slice(1), ctx);
+        case 'trust':
+            return runSkillsTrust(args.slice(1), ctx);
+        default:
+            throw new Error(`Unknown sub-command "pugi skills ${sub}". Expected list, install, info, remove, or trust.`);
+    }
+}
+function parseFlags(args) {
+    let scope = 'both';
+    let yes = false;
+    let asName;
+    const positional = [];
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        if (arg === '--global')
+            scope = 'global';
+        else if (arg === '--workspace')
+            scope = 'workspace';
+        else if (arg === '--yes' || arg === '-y')
+            yes = true;
+        else if (arg === '--as') {
+            asName = args[++i];
+        }
+        else if (arg && !arg.startsWith('--')) {
+            positional.push(arg);
+        }
+        else if (arg) {
+            throw new Error(`Unknown flag: ${arg}`);
+        }
+    }
+    return { scope, yes, asName, positional };
+}
+async function runSkillsList(args, ctx) {
+    const flags = parseFlags(args);
+    const includeGlobal = flags.scope === 'global' || flags.scope === 'both';
+    const includeWorkspace = flags.scope === 'workspace' || flags.scope === 'both';
+    const global = includeGlobal ? listSkills('global', ctx.workspaceRoot) : [];
+    const workspace = includeWorkspace ? listSkills('workspace', ctx.workspaceRoot) : [];
+    const all = [...global, ...workspace];
+    const trustStatuses = await Promise.all(all.map(async (skill) => {
+        const actual = hashSkillDir(skill.dir);
+        const verdict = await verifyTrust('skill', skill.scope, skill.name, actual);
+        return { skill, trust: verdict };
+    }));
+    if (ctx.json) {
+        ctx.writeOutput({
+            command: 'skills.list',
+            skills: trustStatuses.map(({ skill, trust }) => ({
+                name: skill.name,
+                scope: skill.scope,
+                dir: skill.dir,
+                description: skill.frontmatter.description,
+                version: skill.frontmatter.metadata.version ?? null,
+                tools: skill.frontmatter.metadata.tools ?? [],
+                trust: trust.status,
+            })),
+        }, '');
+        return;
+    }
+    if (trustStatuses.length === 0) {
+        ctx.writeOutput({ command: 'skills.list', skills: [] }, 'No skills installed. Try `pugi skills install anthropic:python-coding-standards`.');
+        return;
+    }
+    const lines = ['Installed skills:'];
+    for (const { skill, trust } of trustStatuses) {
+        const version = skill.frontmatter.metadata.version ? ` v${String(skill.frontmatter.metadata.version)}` : '';
+        const trustMark = trust.status === 'trusted' ? '[trusted]' : trust.status === 'unsigned' ? '[unsigned]' : '[mismatch]';
+        lines.push(`  ${skill.name.padEnd(28)} ${skill.scope.padEnd(10)} ${trustMark.padEnd(11)}${version}`);
+        lines.push(`    ${truncate(skill.frontmatter.description, 80)}`);
+    }
+    ctx.writeOutput({ command: 'skills.list', skills: trustStatuses }, lines.join('\n'));
+}
+async function runSkillsInstall(args, ctx) {
+    const flags = parseFlags(args);
+    const source = flags.positional[0];
+    if (!source) {
+        throw new Error('pugi skills install requires a <source> argument. See `pugi skills --help`.');
+    }
+    const scope = flags.scope === 'workspace' ? 'workspace' : 'global';
+    // 1. Fetch payload to tmp dir.
+    let fetched;
+    try {
+        fetched = await fetchSource(source);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        ctx.writeOutput({ command: 'skills.install', status: 'fetch_failed', source, error: message }, `Skill fetch failed: ${message}`);
+        process.exitCode = 1;
+        return;
+    }
+    if (fetched.inferredKind !== 'skill') {
+        cleanupTmp(fetched.tmpDir);
+        const message = `Source ${source} looks like an agent (single .md), not a skill. Use \`pugi agents install\` instead.`;
+        ctx.writeOutput({ command: 'skills.install', status: 'wrong_kind', source }, message);
+        process.exitCode = 1;
+        return;
+    }
+    // 2. Parse SKILL.md to surface metadata in the trust prompt.
+    const skillMdPath = join(fetched.tmpDir, 'SKILL.md');
+    let parsed;
+    try {
+        parsed = parseSkillMarkdown(readFileSync(skillMdPath, 'utf8'));
+    }
+    catch (error) {
+        cleanupTmp(fetched.tmpDir);
+        const message = error instanceof Error ? error.message : String(error);
+        ctx.writeOutput({ command: 'skills.install', status: 'parse_failed', source, error: message }, `Skill parse failed: ${message}`);
+        process.exitCode = 1;
+        return;
+    }
+    const skillName = flags.asName ?? parsed.frontmatter.name;
+    // Fail-fast before any FS or trust-prompt work: a hostile `--as` flag
+    // or a hostile frontmatter `name` must never reach path.join.
+    try {
+        assertValidSlug(skillName, 'skill');
+    }
+    catch (error) {
+        cleanupTmp(fetched.tmpDir);
+        const message = error instanceof Error ? error.message : String(error);
+        ctx.writeOutput({ command: 'skills.install', status: 'invalid_name', source, name: skillName, error: message }, message);
+        process.exitCode = 1;
+        return;
+    }
+    const sha256 = hashSkillDir(fetched.tmpDir);
+    const targetDir = scope === 'global' ? globalSkillDir(skillName) : workspaceSkillDir(ctx.workspaceRoot, skillName);
+    const summary = {
+        name: skillName,
+        description: parsed.frontmatter.description,
+        version: parsed.frontmatter.metadata.version ?? null,
+        tools: parsed.frontmatter.metadata.tools ?? [],
+        files: countFiles(fetched.tmpDir),
+        source: fetched.sourceUrl,
+        targetDir,
+        sha256,
+    };
+    if (!flags.yes) {
+        const decision = await promptTrust('skill', summary, parsed.body);
+        if (decision === 'no') {
+            cleanupTmp(fetched.tmpDir);
+            ctx.writeOutput({ command: 'skills.install', status: 'declined', source, name: skillName }, 'Install declined. Nothing changed.');
+            return;
+        }
+    }
+    // 3. Install to disk.
+    const installedDir = installSkill({
+        payloadDir: fetched.tmpDir,
+        name: skillName,
+        scope,
+        workspaceRoot: ctx.workspaceRoot,
+    });
+    // 4. Record trust.
+    await recordTrust({
+        kind: 'skill',
+        scope,
+        name: skillName,
+        sha256,
+        source: fetched.sourceUrl,
+        signedBy: signerIdentity(),
+    });
+    cleanupTmp(fetched.tmpDir);
+    ctx.writeOutput({
+        command: 'skills.install',
+        status: 'installed',
+        name: skillName,
+        scope,
+        dir: installedDir,
+        sha256,
+        source: fetched.sourceUrl,
+    }, [
+        `Installed skill "${skillName}" (${scope}).`,
+        `  Path:    ${installedDir}`,
+        `  Source:  ${fetched.sourceUrl}`,
+        `  sha256:  ${sha256}`,
+    ].join('\n'));
+}
+async function runSkillsInfo(args, ctx) {
+    const flags = parseFlags(args);
+    const name = flags.positional[0];
+    if (!name) {
+        throw new Error('pugi skills info requires a <name> argument.');
+    }
+    const matches = findSkill(name, flags.scope, ctx.workspaceRoot);
+    if (matches.length === 0) {
+        ctx.writeOutput({ command: 'skills.info', status: 'not_found', name }, `No skill "${name}" installed. Try \`pugi skills list\`.`);
+        process.exitCode = 1;
+        return;
+    }
+    const skill = matches[0];
+    if (!skill) {
+        ctx.writeOutput({ command: 'skills.info', status: 'not_found', name }, `No skill "${name}" installed.`);
+        process.exitCode = 1;
+        return;
+    }
+    const actualSha = hashSkillDir(skill.dir);
+    const trust = await verifyTrust('skill', skill.scope, skill.name, actualSha);
+    const preview = skill.body.slice(0, 800);
+    const lines = [
+        `Skill: ${skill.name}`,
+        `  Scope:        ${skill.scope}`,
+        `  Path:         ${skill.dir}`,
+        `  Description:  ${skill.frontmatter.description}`,
+        `  Version:      ${String(skill.frontmatter.metadata.version ?? '(unset)')}`,
+        `  Tools:        ${(skill.frontmatter.metadata.tools ?? []).join(', ') || '(none)'}`,
+        `  Trust:        ${trust.status}`,
+        `  sha256:       ${actualSha}`,
+        '',
+        'Body preview:',
+        preview,
+        skill.body.length > 800 ? `... (${skill.body.length - 800} more chars)` : '',
+    ]
+        .filter((line) => line !== '')
+        .join('\n');
+    ctx.writeOutput({
+        command: 'skills.info',
+        name: skill.name,
+        scope: skill.scope,
+        dir: skill.dir,
+        frontmatter: skill.frontmatter,
+        sha256: actualSha,
+        trust,
+        bodyPreview: preview,
+        bodyLength: skill.body.length,
+    }, lines);
+}
+async function runSkillsRemove(args, ctx) {
+    const flags = parseFlags(args);
+    const name = flags.positional[0];
+    if (!name) {
+        throw new Error('pugi skills remove requires a <name> argument.');
+    }
+    const matches = findSkill(name, flags.scope, ctx.workspaceRoot);
+    if (matches.length === 0) {
+        ctx.writeOutput({ command: 'skills.remove', status: 'not_found', name }, `No skill "${name}" installed.`);
+        process.exitCode = 1;
+        return;
+    }
+    for (const skill of matches) {
+        removeSkill(skill.name, skill.scope, ctx.workspaceRoot);
+        await revokeTrust('skill', skill.scope, skill.name);
+    }
+    ctx.writeOutput({
+        command: 'skills.remove',
+        status: 'removed',
+        name,
+        removed: matches.map((m) => ({ name: m.name, scope: m.scope, dir: m.dir })),
+    }, `Removed ${matches.length} skill install(s) named "${name}".`);
+}
+async function runSkillsTrust(args, ctx) {
+    const flags = parseFlags(args);
+    const name = flags.positional[0];
+    if (!name) {
+        throw new Error('pugi skills trust requires a <name> argument.');
+    }
+    const matches = findSkill(name, flags.scope, ctx.workspaceRoot);
+    if (matches.length === 0) {
+        ctx.writeOutput({ command: 'skills.trust', status: 'not_found', name }, `No skill "${name}" installed.`);
+        process.exitCode = 1;
+        return;
+    }
+    const skill = matches[0];
+    if (!skill) {
+        process.exitCode = 1;
+        return;
+    }
+    const sha256 = hashSkillDir(skill.dir);
+    await recordTrust({
+        kind: 'skill',
+        scope: skill.scope,
+        name: skill.name,
+        sha256,
+        source: skill.dir,
+        signedBy: signerIdentity(),
+    });
+    ctx.writeOutput({ command: 'skills.trust', status: 'trusted', name: skill.name, scope: skill.scope, sha256 }, `Re-trusted skill "${skill.name}" (${skill.scope}). sha256 = ${sha256}.`);
+}
+/* ----------------------------- shared helpers ----------------------------- */
+function findSkill(name, scope, workspaceRoot) {
+    const scopes = scope === 'both' ? ['global', 'workspace'] : [scope];
+    const out = [];
+    for (const s of scopes) {
+        const all = listSkills(s, workspaceRoot);
+        for (const skill of all) {
+            if (skill.name === name)
+                out.push(skill);
+        }
+    }
+    return out;
+}
+function countFiles(dir) {
+    // Conservative — recurse and count regular files only. Used for the
+    // trust prompt summary so the operator sees payload bulk.
+    let total = 0;
+    const walk = (d) => {
+        for (const entry of readdirSync(d, { withFileTypes: true })) {
+            const full = join(d, entry.name);
+            if (entry.isDirectory())
+                walk(full);
+            else if (entry.isFile())
+                total++;
+        }
+    };
+    walk(dir);
+    return total;
+}
+function truncate(text, max) {
+    if (text.length <= max)
+        return text;
+    return `${text.slice(0, max - 1)}…`;
+}
+function signerIdentity() {
+    return (process.env.PUGI_TRUSTED_BY?.trim() ||
+        process.env.USER?.trim() ||
+        process.env.USERNAME?.trim() ||
+        'cli');
+}
+/**
+ * Interactive trust prompt. Reads from stdin; `info` shows the full
+ * body; `y` accepts; everything else declines.
+ *
+ * Bypassable only via the operator-passed `--yes` flag in the caller
+ * (never auto-injected from another code path).
+ */
+async function promptTrust(kind, summary, body) {
+    const banner = [
+        '',
+        `About to install ${kind} "${summary.name}"`,
+        `  Description:  ${summary.description}`,
+        `  Version:      ${summary.version ?? '(unset)'}`,
+        `  Tools:        ${summary.tools.join(', ') || '(none)'}`,
+        `  Files:        ${summary.files}`,
+        `  Source:       ${summary.source}`,
+        `  Target:       ${summary.targetDir}`,
+        `  sha256:       ${summary.sha256}`,
+        '',
+        'This payload becomes part of the system prompt and may influence agent decisions.',
+        'Trust this install? [y/N/info] ',
+    ].join('\n');
+    process.stdout.write(banner);
+    if (!input.isTTY) {
+        // Non-interactive caller without --yes: refuse rather than block.
+        process.stdout.write('\n(non-interactive stdin; declining install)\n');
+        return 'no';
+    }
+    const rl = createInterface({ input, output });
+    try {
+        while (true) {
+            const answer = (await rl.question('')).trim().toLowerCase();
+            if (answer === 'y' || answer === 'yes')
+                return 'yes';
+            if (answer === 'info') {
+                process.stdout.write('\n');
+                process.stdout.write(body);
+                process.stdout.write('\n\nTrust this install? [y/N] ');
+                continue;
+            }
+            return 'no';
+        }
+    }
+    finally {
+        rl.close();
+    }
+}
+//# sourceMappingURL=skills.js.map