@rafter-security/cli 0.6.6 → 0.7.1

package/dist/commands/report.js

@@ -86,11 +86,11 @@ function generateHtmlReport(results, title) {
                     ? "Low"
                     : "None";
     const riskColor = {
-        Critical: "#dc2626",
-        High: "#ea580c",
-        Medium: "#2563eb",
-        Low: "#16a34a",
-        None: "#16a34a",
+        Critical: "hsl(0 40% 55%)",
+        High: "hsl(25 35% 55%)",
+        Medium: "hsl(0 0% 64%)",
+        Low: "hsl(0 0% 50%)",
+        None: "hsl(0 0% 50%)",
     }[riskLevel];
     const topPatterns = Object.entries(patternCounts)
         .sort((a, b) => b[1] - a[1])
@@ -113,38 +113,39 @@ function generateHtmlReport(results, title) {
 <title>${escapeHtml(title)}</title>
 <style>
   *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-  body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; line-height: 1.6; color: #1e293b; background: #f8fafc; }
+  body { font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace; line-height: 1.6; color: hsl(0 0% 98%); background: hsl(0 0% 3.9%); }
   .container { max-width: 1100px; margin: 0 auto; padding: 2rem 1.5rem; }
-  header { background: linear-gradient(135deg, #0f172a 0%, #1e293b 100%); color: white; padding: 2rem 0; margin-bottom: 2rem; }
+  header { background: hsl(0 0% 7%); color: hsl(0 0% 98%); padding: 2rem 0; margin-bottom: 2rem; border-bottom: 1px solid hsl(0 0% 14.9%); }
   header .container { display: flex; justify-content: space-between; align-items: center; flex-wrap: wrap; gap: 1rem; }
   header h1 { font-size: 1.5rem; font-weight: 700; }
-  header .meta { font-size: 0.85rem; opacity: 0.8; text-align: right; }
-  .card { background: white; border-radius: 8px; box-shadow: 0 1px 3px rgba(0,0,0,0.08); padding: 1.5rem; margin-bottom: 1.5rem; }
-  .card h2 { font-size: 1.1rem; font-weight: 600; margin-bottom: 1rem; color: #334155; }
+  header .meta { font-size: 0.85rem; opacity: 0.6; text-align: right; }
+  .card { background: hsl(0 0% 7%); border-radius: 8px; border: 1px solid hsl(0 0% 14.9%); padding: 1.5rem; margin-bottom: 1.5rem; }
+  .card h2 { font-size: 1.1rem; font-weight: 600; margin-bottom: 1rem; color: hsl(0 0% 98%); }
   .summary-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 1rem; }
-  .stat { text-align: center; padding: 1rem; border-radius: 6px; background: #f1f5f9; }
-  .stat .value { font-size: 2rem; font-weight: 700; }
-  .stat .label { font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; color: #64748b; margin-top: 0.25rem; }
-  .risk-badge { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 4px; color: white; font-weight: 600; font-size: 0.85rem; }
-  .sev-critical { background: #dc2626; }
-  .sev-high { background: #ea580c; }
-  .sev-medium { background: #2563eb; }
-  .sev-low { background: #16a34a; }
+  .stat { text-align: center; padding: 1rem; border-radius: 6px; background: hsl(0 0% 10%); border: 1px solid hsl(0 0% 14.9%); }
+  .stat .value { font-size: 2rem; font-weight: 700; color: hsl(0 0% 98%); }
+  .stat .label { font-size: 0.8rem; text-transform: uppercase; letter-spacing: 0.05em; color: hsl(0 0% 50%); margin-top: 0.25rem; }
+  .risk-badge { display: inline-block; padding: 0.25rem 0.75rem; border-radius: 4px; font-weight: 600; font-size: 0.85rem; }
+  .sev-critical { background: hsl(0 30% 20%); color: hsl(0 40% 75%); border: 1px solid hsl(0 30% 30%); }
+  .sev-high { background: hsl(25 25% 18%); color: hsl(25 35% 70%); border: 1px solid hsl(25 25% 28%); }
+  .sev-medium { background: hsl(0 0% 18%); color: hsl(0 0% 70%); border: 1px solid hsl(0 0% 25%); }
+  .sev-low { background: hsl(0 0% 14%); color: hsl(0 0% 55%); border: 1px solid hsl(0 0% 22%); }
   .bar-chart { margin-top: 0.5rem; }
   .bar-row { display: flex; align-items: center; margin-bottom: 0.4rem; }
-  .bar-label { width: 180px; font-size: 0.85rem; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; }
-  .bar-track { flex: 1; height: 20px; background: #e2e8f0; border-radius: 3px; overflow: hidden; }
-  .bar-fill { height: 100%; border-radius: 3px; min-width: 2px; }
-  .bar-count { width: 40px; text-align: right; font-size: 0.85rem; font-weight: 600; color: #475569; margin-left: 0.5rem; }
+  .bar-label { width: 180px; font-size: 0.85rem; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; color: hsl(0 0% 70%); }
+  .bar-track { flex: 1; height: 20px; background: hsl(0 0% 14.9%); border-radius: 3px; overflow: hidden; }
+  .bar-fill { height: 100%; border-radius: 3px; min-width: 2px; background: hsl(0 0% 98%); opacity: 0.6; }
+  .bar-count { width: 40px; text-align: right; font-size: 0.85rem; font-weight: 600; color: hsl(0 0% 64%); margin-left: 0.5rem; }
   table { width: 100%; border-collapse: collapse; font-size: 0.85rem; }
-  th { text-align: left; padding: 0.6rem 0.75rem; background: #f1f5f9; border-bottom: 2px solid #e2e8f0; font-weight: 600; color: #475569; white-space: nowrap; }
-  td { padding: 0.6rem 0.75rem; border-bottom: 1px solid #e2e8f0; vertical-align: top; }
-  tr:hover td { background: #f8fafc; }
-  .sev-pill { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 3px; color: white; font-weight: 600; font-size: 0.75rem; text-transform: uppercase; }
-  .file-path { font-family: "SFMono-Regular", Consolas, "Liberation Mono", Menlo, monospace; font-size: 0.8rem; word-break: break-all; }
-  .redacted { font-family: monospace; font-size: 0.8rem; color: #94a3b8; }
-  footer { text-align: center; padding: 2rem 0; font-size: 0.8rem; color: #94a3b8; }
-  .no-findings { text-align: center; padding: 3rem; color: #16a34a; }
+  th { text-align: left; padding: 0.6rem 0.75rem; background: hsl(0 0% 10%); border-bottom: 2px solid hsl(0 0% 14.9%); font-weight: 600; color: hsl(0 0% 64%); white-space: nowrap; text-transform: uppercase; letter-spacing: 0.05em; font-size: 0.75rem; }
+  td { padding: 0.6rem 0.75rem; border-bottom: 1px solid hsl(0 0% 14.9%); vertical-align: top; }
+  tr:hover td { background: hsl(0 0% 10%); }
+  .sev-pill { display: inline-block; padding: 0.15rem 0.5rem; border-radius: 3px; font-weight: 600; font-size: 0.75rem; text-transform: uppercase; }
+  .file-path { font-size: 0.8rem; word-break: break-all; }
+  .redacted { font-size: 0.8rem; color: hsl(0 0% 40%); }
+  .description { color: hsl(0 0% 50%); }
+  footer { text-align: center; padding: 2rem 0; font-size: 0.8rem; color: hsl(0 0% 35%); border-top: 1px solid hsl(0 0% 14.9%); }
+  .no-findings { text-align: center; padding: 3rem; color: hsl(0 0% 64%); }
   .no-findings .icon { font-size: 3rem; margin-bottom: 0.5rem; }
   @media (max-width: 768px) {
     .summary-grid { grid-template-columns: repeat(2, 1fr); }
@@ -152,9 +153,9 @@ function generateHtmlReport(results, title) {
     table { display: block; overflow-x: auto; }
   }
   @media print {
-    body { background: white; }
-    .card { box-shadow: none; border: 1px solid #e2e8f0; break-inside: avoid; }
-    header { background: #0f172a !important; -webkit-print-color-adjust: exact; print-color-adjust: exact; }
+    body { background: hsl(0 0% 3.9%); color: hsl(0 0% 98%); }
+    .card { break-inside: avoid; }
+    header { -webkit-print-color-adjust: exact; print-color-adjust: exact; }
   }
 </style>
 </head>
@@ -173,7 +174,7 @@ function generateHtmlReport(results, title) {
     <h2>Executive Summary</h2>
     <div class="summary-grid">
       <div class="stat">
-        <div class="value" style="color:${riskColor}">${totalFindings}</div>
+        <div class="value">${totalFindings}</div>
         <div class="label">Total Findings</div>
       </div>
       <div class="stat">
@@ -181,7 +182,7 @@ function generateHtmlReport(results, title) {
         <div class="label">Files Affected</div>
       </div>
       <div class="stat">
-        <div class="value"><span class="risk-badge" style="background:${riskColor}">${riskLevel}</span></div>
+        <div class="value"><span class="risk-badge" style="background:${riskColor};color:hsl(0 0% 98%)">${riskLevel}</span></div>
         <div class="label">Overall Risk</div>
       </div>
     </div>
@@ -190,10 +191,10 @@ function generateHtmlReport(results, title) {
   <div class="card">
     <h2>Severity Breakdown</h2>
     <div class="summary-grid">
-      <div class="stat"><div class="value" style="color:#dc2626">${severityCounts.critical}</div><div class="label">Critical</div></div>
-      <div class="stat"><div class="value" style="color:#ea580c">${severityCounts.high}</div><div class="label">High</div></div>
-      <div class="stat"><div class="value" style="color:#2563eb">${severityCounts.medium}</div><div class="label">Medium</div></div>
-      <div class="stat"><div class="value" style="color:#16a34a">${severityCounts.low}</div><div class="label">Low</div></div>
+      <div class="stat"><div class="value" style="color:hsl(0 40% 70%)">${severityCounts.critical}</div><div class="label">Critical</div></div>
+      <div class="stat"><div class="value" style="color:hsl(25 30% 65%)">${severityCounts.high}</div><div class="label">High</div></div>
+      <div class="stat"><div class="value">${severityCounts.medium}</div><div class="label">Medium</div></div>
+      <div class="stat"><div class="value" style="color:hsl(0 0% 50%)">${severityCounts.low}</div><div class="label">Low</div></div>
     </div>
   </div>
 
@@ -204,7 +205,7 @@ ${topPatterns.map(([name, count]) => {
         const pct = Math.round((count / totalFindings) * 100);
         return `      <div class="bar-row">
         <div class="bar-label" title="${escapeHtml(name)}">${escapeHtml(name)}</div>
-        <div class="bar-track"><div class="bar-fill sev-medium" style="width:${pct}%"></div></div>
+        <div class="bar-track"><div class="bar-fill" style="width:${pct}%"></div></div>
         <div class="bar-count">${count}</div>
       </div>`;
     }).join("\n")}
@@ -226,7 +227,7 @@ ${totalFindings > 0 ? `  <div class="card">
       <tbody>
 ${findingsRows.map((f) => `        <tr>
           <td><span class="sev-pill sev-${f.severity}">${f.severity}</span></td>
-          <td>${f.pattern}${f.description ? `<br><small style="color:#94a3b8">${f.description}</small>` : ""}</td>
+          <td>${f.pattern}${f.description ? `<br><small class="description">${f.description}</small>` : ""}</td>
           <td class="file-path">${f.file}</td>
           <td>${f.line}</td>
           <td class="redacted">${f.redacted}</td>

package/dist/commands/scan/index.js

@@ -1,8 +1,8 @@
 /**
  * rafter scan — top-level scan command group.
  *
- * Default (no subcommand): remote backend scan (same as `rafter run`)
- * rafter scan remote:       explicit alias for remote backend scan
+ * Default (no subcommand): remote scan (same as `rafter run`)
+ * rafter scan remote:       explicit alias for remote scan
  * rafter scan local [path]: local secret scanner (was `rafter agent scan`)
  */
 import { Command } from "commander";
@@ -21,25 +21,27 @@ export function createScanGroupCommand() {
         .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
         .option("-f, --format <format>", "json | md", "md")
         .option("-m, --mode <mode>", "scan mode: fast | plus", "fast")
+        .option("--github-token <token>", "GitHub PAT for private repos (or RAFTER_GITHUB_TOKEN env var)")
         .option("--skip-interactive", "do not wait for scan to complete")
         .option("--quiet", "suppress status messages")
         .action(async (opts) => {
         await runRemoteScan(opts);
     });
-    // Root scan group — default action is remote backend scan
+    // Root scan group — default action is remote scan
     const scanGroup = new Command("scan")
-        .description("Scan for security issues. Default: remote backend scan. Use 'scan local' for local secret scanning.")
+        .description("Scan for security issues. Default: remote scan. Use 'scan local' for local secret scanning.")
         .enablePositionalOptions()
         .option("-r, --repo <repo>", "org/repo (default: current)")
         .option("-b, --branch <branch>", "branch (default: current else main)")
         .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
         .option("-f, --format <format>", "json | md", "md")
         .option("-m, --mode <mode>", "scan mode: fast | plus", "fast")
+        .option("--github-token <token>", "GitHub PAT for private repos (or RAFTER_GITHUB_TOKEN env var)")
         .option("--skip-interactive", "do not wait for scan to complete")
         .option("--quiet", "suppress status messages");
     scanGroup.addCommand(localCmd);
     scanGroup.addCommand(remoteCmd);
-    // When invoked with no subcommand, run remote backend scan
+    // When invoked with no subcommand, run remote scan
     scanGroup.action(async (opts) => {
         await runRemoteScan(opts);
     });

package/dist/commands/skill/index.js

@@ -0,0 +1,14 @@
+import { Command } from "commander";
+import { createListCommand } from "./list.js";
+import { createInstallCommand } from "./install.js";
+import { createUninstallCommand } from "./uninstall.js";
+import { createReviewCommand } from "./review.js";
+export function createSkillCommand() {
+    const skill = new Command("skill")
+        .description("Manage rafter-authored skills (list / install / uninstall / review)");
+    skill.addCommand(createListCommand());
+    skill.addCommand(createInstallCommand());
+    skill.addCommand(createUninstallCommand());
+    skill.addCommand(createReviewCommand());
+    return skill;
+}

package/dist/commands/skill/install.js

@@ -0,0 +1,89 @@
+import { Command } from "commander";
+import fs from "fs";
+import { resolveSkill, listBundledSkills, skillDestPath, skillDetectDir, resolveExplicitDest, writeSkillTo, recordSkillState, SKILL_PLATFORMS, } from "./registry.js";
+import { fmt } from "../../utils/formatter.js";
+/**
+ * `rafter skill install <name>` — install a rafter-authored skill to one or
+ * more platforms (or an explicit --to path).
+ *
+ * Exit codes:
+ *   0 — installed successfully (or already installed — copy is idempotent)
+ *   1 — unknown skill, unknown platform, or install failure
+ *   2 — no detected platform found and --force was not passed
+ */
+export function createInstallCommand() {
+    return new Command("install")
+        .description("Install a rafter-authored skill to detected platform(s) or an explicit path")
+        .argument("<name>", "Skill name (e.g. rafter, rafter-secure-design)")
+        .option("--platform <platform...>", `Target platform(s). One or more of: ${SKILL_PLATFORMS.join(", ")}. Default: all detected.`)
+        .option("--to <path>", "Explicit destination. If it ends in .md/.mdc, used as-is; otherwise treated as a skills-base directory.")
+        .option("--force", "Install even if no target platform is detected")
+        .action((name, opts) => {
+        const skill = resolveSkill(name);
+        if (!skill) {
+            console.error(fmt.error(`Unknown skill: ${name}`));
+            console.error(fmt.info(`Available: ${listBundledSkills().map((s) => s.name).join(", ") || "(none)"}`));
+            process.exit(1);
+        }
+        // --to overrides platform-based resolution.
+        if (opts.to) {
+            const destPath = resolveExplicitDest(opts.to, skill.name);
+            try {
+                writeSkillTo(skill, destPath);
+                console.log(fmt.success(`Installed ${skill.name} v${skill.version} → ${destPath}`));
+                process.exit(0);
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install ${skill.name} to ${destPath}: ${e}`));
+                process.exit(1);
+            }
+        }
+        // Resolve target platforms: either explicit --platform list, or "all detected".
+        let targets;
+        if (Array.isArray(opts.platform) && opts.platform.length > 0) {
+            targets = [];
+            for (const raw of opts.platform) {
+                const p = raw.trim();
+                if (!SKILL_PLATFORMS.includes(p)) {
+                    console.error(fmt.error(`Unknown platform: ${raw}. Known: ${SKILL_PLATFORMS.join(", ")}`));
+                    process.exit(1);
+                }
+                targets.push(p);
+            }
+        }
+        else {
+            targets = SKILL_PLATFORMS.filter((p) => fs.existsSync(skillDetectDir(p)));
+            if (targets.length === 0) {
+                if (!opts.force) {
+                    console.error(fmt.warning(`No supported platform detected. Re-run with --platform <name> or --force to install to all known platforms.`));
+                    process.exit(2);
+                }
+                targets = [...SKILL_PLATFORMS];
+            }
+        }
+        let exitCode = 0;
+        for (const platform of targets) {
+            const detected = fs.existsSync(skillDetectDir(platform));
+            if (!detected && !opts.force && !(Array.isArray(opts.platform) && opts.platform.length > 0)) {
+                // Shouldn't hit this — we pre-filtered to detected — but defensive.
+                continue;
+            }
+            if (!detected && !opts.force && Array.isArray(opts.platform) && opts.platform.length > 0) {
+                console.error(fmt.warning(`${platform}: not detected (${skillDetectDir(platform)}). Re-run with --force to install anyway.`));
+                exitCode = exitCode || 2;
+                continue;
+            }
+            const destPath = skillDestPath(platform, skill.name);
+            try {
+                writeSkillTo(skill, destPath);
+                recordSkillState(platform, skill.name, true, skill.version);
+                console.log(fmt.success(`Installed ${skill.name} v${skill.version} → ${destPath} (${platform})`));
+            }
+            catch (e) {
+                console.error(fmt.error(`Failed to install ${skill.name} for ${platform}: ${e}`));
+                exitCode = 1;
+            }
+        }
+        process.exit(exitCode);
+    });
+}

package/dist/commands/skill/list.js

@@ -0,0 +1,79 @@
+import { Command } from "commander";
+import { listBundledSkills, snapshotSkills, SKILL_PLATFORMS, } from "./registry.js";
+import { fmt } from "../../utils/formatter.js";
+/**
+ * `rafter skill list` — show rafter-authored skills available in this CLI and
+ * whether each is installed for each supported platform (claude-code, codex,
+ * openclaw, cursor).
+ *
+ * Exit code: 0 on success.
+ */
+export function createListCommand() {
+    return new Command("list")
+        .description("List rafter-authored skills and their install state per platform")
+        .option("--json", "Output machine-readable JSON")
+        .option("--installed", "Only show (skill, platform) pairs where the skill is installed")
+        .option("--platform <platform>", "Limit to one platform")
+        .action((opts) => {
+        const bundled = listBundledSkills();
+        let rows = snapshotSkills();
+        const platformFilter = opts.platform;
+        if (platformFilter) {
+            if (!SKILL_PLATFORMS.includes(platformFilter)) {
+                console.error(fmt.error(`Unknown platform: ${platformFilter}. Known: ${SKILL_PLATFORMS.join(", ")}`));
+                process.exit(1);
+            }
+            rows = rows.filter((r) => r.platform === platformFilter);
+        }
+        if (opts.installed)
+            rows = rows.filter((r) => r.installed);
+        if (opts.json) {
+            const payload = {
+                skills: bundled.map((s) => ({
+                    name: s.name,
+                    version: s.version,
+                    description: s.description,
+                })),
+                installations: rows.map((r) => ({
+                    name: r.name,
+                    platform: r.platform,
+                    path: r.path,
+                    detected: r.detected,
+                    installed: r.installed,
+                    version: r.version,
+                })),
+            };
+            console.log(JSON.stringify(payload, null, 2));
+            return;
+        }
+        console.log(fmt.header("Rafter-authored skills"));
+        for (const s of bundled) {
+            console.log(`  ${s.name.padEnd(24)} v${s.version}`);
+        }
+        console.log();
+        console.log(fmt.header("Installations by platform"));
+        const byPlatform = new Map();
+        for (const r of rows) {
+            const arr = byPlatform.get(r.platform) ?? [];
+            arr.push(r);
+            byPlatform.set(r.platform, arr);
+        }
+        for (const [platform, list] of byPlatform) {
+            const detected = list[0]?.detected ?? false;
+            const suffix = detected ? "" : " (not detected)";
+            console.log(`\n${platform}${suffix}`);
+            for (const r of list) {
+                const label = r.name.padEnd(24);
+                if (r.installed) {
+                    const ver = r.version ? ` v${r.version}` : "";
+                    console.log(`  ${label} ● installed${ver}  (${r.path})`);
+                }
+                else {
+                    console.log(`  ${label} ○ not installed`);
+                }
+            }
+        }
+        console.log();
+        console.log(fmt.info("Use `rafter skill install <name>` / `rafter skill uninstall <name>` to toggle skills."));
+    });
+}

package/dist/commands/skill/registry.js

@@ -0,0 +1,273 @@
+import fs from "fs";
+import path from "path";
+import os from "os";
+import { fileURLToPath } from "url";
+import { ConfigManager } from "../../core/config-manager.js";
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+/**
+ * Rafter-authored skills that ship inside this package. Lifecycle commands
+ * (`rafter skill list/install/uninstall`) only operate on names in this list —
+ * the intent is to manage first-party skills, not arbitrary third-party files.
+ */
+export const KNOWN_SKILL_NAMES = [
+    "rafter",
+    "rafter-agent-security",
+    "rafter-secure-design",
+    "rafter-code-review",
+    "rafter-skill-review",
+];
+export const SKILL_PLATFORMS = [
+    "claude-code",
+    "codex",
+    "openclaw",
+    "cursor",
+];
+function skillsResourcesRoot() {
+    return path.join(__dirname, "..", "..", "..", "resources", "skills");
+}
+function parseFrontmatter(content) {
+    const match = content.match(/^---\n([\s\S]*?)\n---/);
+    if (!match)
+        return {};
+    const out = {};
+    for (const line of match[1].split("\n")) {
+        const m = line.match(/^([A-Za-z0-9_-]+):\s*(.*)$/);
+        if (!m)
+            continue;
+        let val = m[2].trim();
+        if (val.startsWith('"') && val.endsWith('"'))
+            val = val.slice(1, -1);
+        else if (val.startsWith("'") && val.endsWith("'"))
+            val = val.slice(1, -1);
+        out[m[1]] = val;
+    }
+    return out;
+}
+/** Read frontmatter from a SKILL.md file on disk. Returns {} on any failure. */
+export function readSkillFrontmatter(filePath) {
+    try {
+        const content = fs.readFileSync(filePath, "utf-8");
+        return parseFrontmatter(content);
+    }
+    catch {
+        return {};
+    }
+}
+/** Enumerate bundled rafter-authored skills present in this installation. */
+export function listBundledSkills() {
+    const root = skillsResourcesRoot();
+    const skills = [];
+    for (const name of KNOWN_SKILL_NAMES) {
+        const sourcePath = path.join(root, name, "SKILL.md");
+        if (!fs.existsSync(sourcePath))
+            continue;
+        const fm = readSkillFrontmatter(sourcePath);
+        skills.push({
+            name,
+            version: fm.version ?? "unknown",
+            description: fm.description ?? "",
+            sourcePath,
+        });
+    }
+    return skills;
+}
+export function resolveSkill(name) {
+    const normalized = name.trim();
+    return listBundledSkills().find((s) => s.name === normalized);
+}
+export function skillDetectDir(platform) {
+    const home = os.homedir();
+    switch (platform) {
+        case "claude-code":
+            return path.join(home, ".claude");
+        case "codex":
+            return path.join(home, ".codex");
+        case "openclaw":
+            return path.join(home, ".openclaw");
+        case "cursor":
+            return path.join(home, ".cursor");
+    }
+}
+/**
+ * Base directory where a platform stores INSTALLED skill files. Used by
+ * `rafter skill review --installed` to walk every skill on this machine.
+ *
+ * Shape per platform (see `skillDestPath` for where we *write* skills):
+ *   claude-code → ~/.claude/skills/<name>/SKILL.md
+ *   codex       → ~/.agents/skills/<name>/SKILL.md
+ *   openclaw    → ~/.openclaw/skills/<name>.md
+ *   cursor      → ~/.cursor/rules/<name>.mdc
+ */
+export function skillBaseDir(platform) {
+    const home = os.homedir();
+    switch (platform) {
+        case "claude-code":
+            return path.join(home, ".claude", "skills");
+        case "codex":
+            return path.join(home, ".agents", "skills");
+        case "openclaw":
+            return path.join(home, ".openclaw", "skills");
+        case "cursor":
+            return path.join(home, ".cursor", "rules");
+    }
+}
+/**
+ * Walk every known platform's skill base directory and return one entry per
+ * installed skill file. Platform layout determines whether skills are per-dir
+ * (claude-code, codex) or flat files (openclaw, cursor). Missing base dirs are
+ * silently skipped. Unreadable entries are silently skipped (permission denied
+ * on a single subdir never aborts the whole walk).
+ */
+export function discoverInstalledSkills(platform) {
+    const targets = platform ? [platform] : SKILL_PLATFORMS;
+    const out = [];
+    for (const p of targets) {
+        const base = skillBaseDir(p);
+        let entries;
+        try {
+            entries = fs.readdirSync(base, { withFileTypes: true });
+        }
+        catch {
+            continue; // missing or unreadable → nothing to audit here
+        }
+        for (const entry of entries) {
+            const full = path.join(base, entry.name);
+            if (p === "claude-code" || p === "codex") {
+                if (!entry.isDirectory())
+                    continue;
+                const skillFile = path.join(full, "SKILL.md");
+                try {
+                    if (!fs.statSync(skillFile).isFile())
+                        continue;
+                }
+                catch {
+                    continue;
+                }
+                out.push({ platform: p, name: entry.name, path: skillFile });
+            }
+            else if (p === "openclaw") {
+                if (!entry.isFile() || !entry.name.toLowerCase().endsWith(".md"))
+                    continue;
+                out.push({
+                    platform: p,
+                    name: entry.name.replace(/\.md$/i, ""),
+                    path: full,
+                });
+            }
+            else if (p === "cursor") {
+                if (!entry.isFile() || !entry.name.toLowerCase().endsWith(".mdc"))
+                    continue;
+                out.push({
+                    platform: p,
+                    name: entry.name.replace(/\.mdc$/i, ""),
+                    path: full,
+                });
+            }
+        }
+    }
+    // Deterministic ordering — tests golden-file against this.
+    out.sort((a, b) => {
+        if (a.platform !== b.platform)
+            return a.platform.localeCompare(b.platform);
+        return a.name.localeCompare(b.name);
+    });
+    return out;
+}
+/** Destination file path for a skill on a given platform. */
+export function skillDestPath(platform, skillName) {
+    const home = os.homedir();
+    switch (platform) {
+        case "claude-code":
+            return path.join(home, ".claude", "skills", skillName, "SKILL.md");
+        case "codex":
+            return path.join(home, ".agents", "skills", skillName, "SKILL.md");
+        case "openclaw":
+            return path.join(home, ".openclaw", "skills", `${skillName}.md`);
+        case "cursor":
+            return path.join(home, ".cursor", "rules", `${skillName}.mdc`);
+    }
+}
+/** Resolve a --to argument to a concrete file path for a skill.
+ *
+ * Rules:
+ *  - If `dest` ends in `.md` / `.mdc`, it's taken as the literal file path.
+ *  - Otherwise `dest` is treated as a skills *base* directory, and the skill
+ *    is written to `<dest>/<skill>/SKILL.md` (matches claude-code / codex layout).
+ */
+export function resolveExplicitDest(dest, skillName) {
+    const lower = dest.toLowerCase();
+    if (lower.endsWith(".md") || lower.endsWith(".mdc"))
+        return dest;
+    return path.join(dest, skillName, "SKILL.md");
+}
+function ensureParent(filePath) {
+    const dir = path.dirname(filePath);
+    if (!fs.existsSync(dir))
+        fs.mkdirSync(dir, { recursive: true });
+}
+/** Write a skill's SKILL.md to `destPath`. Creates parent directories as needed. */
+export function writeSkillTo(skill, destPath) {
+    ensureParent(destPath);
+    fs.copyFileSync(skill.sourcePath, destPath);
+}
+/** Delete a skill file at `destPath`; prune the immediate parent dir if empty. */
+export function deleteSkillAt(destPath) {
+    if (!fs.existsSync(destPath))
+        return false;
+    fs.rmSync(destPath, { force: true });
+    const parent = path.dirname(destPath);
+    try {
+        if (fs.existsSync(parent) && fs.readdirSync(parent).length === 0) {
+            fs.rmdirSync(parent);
+        }
+    }
+    catch {
+        // non-empty or races — leave it
+    }
+    return true;
+}
+/** Snapshot of every (platform, skill) pair's install state on disk. */
+export function snapshotSkills() {
+    const bundled = listBundledSkills();
+    const rows = [];
+    for (const skill of bundled) {
+        for (const platform of SKILL_PLATFORMS) {
+            const destPath = skillDestPath(platform, skill.name);
+            const detected = fs.existsSync(skillDetectDir(platform));
+            const installed = fs.existsSync(destPath);
+            let version = null;
+            if (installed) {
+                const fm = readSkillFrontmatter(destPath);
+                version = fm.version ?? null;
+            }
+            rows.push({
+                name: skill.name,
+                platform,
+                detected,
+                installed,
+                path: destPath,
+                version,
+            });
+        }
+    }
+    return rows;
+}
+/**
+ * Record a skill's install/uninstall state in ~/.rafter/config.json under
+ * `skills.<platform>.<name>`. Writes the whole `skills` map in one shot to
+ * avoid splitting the skill name (which can contain hyphens but not dots) —
+ * unlike component IDs, there's no dot-key hazard here, but we keep one
+ * serialization path for consistency.
+ */
+export function recordSkillState(platform, name, enabled, version) {
+    const cm = new ConfigManager();
+    const existing = (cm.get("skillInstallations") ?? {});
+    existing[platform] ?? (existing[platform] = {});
+    existing[platform][name] = {
+        enabled,
+        version: version ?? undefined,
+        updatedAt: new Date().toISOString(),
+    };
+    cm.set("skillInstallations", existing);
+}