@skillport/cli 0.1.0

package/dist/index.js

@@ -0,0 +1,2692 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// ../../packages/shared/dist/constants.js
+var SP_VERSION, SP_CONFIG_DIR, SP_KEYS_DIR, SP_AUDIT_DIR, SP_CONFIG_FILE, SP_REGISTRY_FILE, OPENCLAW_SKILLS_DIR, DEFAULT_MARKETPLACE_URL;
+var init_constants = __esm({
+  "../../packages/shared/dist/constants.js"() {
+    "use strict";
+    SP_VERSION = "1.0";
+    SP_CONFIG_DIR = ".skillport";
+    SP_KEYS_DIR = "keys";
+    SP_AUDIT_DIR = "audit";
+    SP_CONFIG_FILE = "config.json";
+    SP_REGISTRY_FILE = "installed/registry.json";
+    OPENCLAW_SKILLS_DIR = ".openclaw/skills";
+    DEFAULT_MARKETPLACE_URL = "https://api.skillport.market";
+  }
+});
+
+// ../../packages/shared/dist/index.js
+var init_dist = __esm({
+  "../../packages/shared/dist/index.js"() {
+    "use strict";
+    init_constants();
+  }
+});
+
+// src/utils/config.ts
+var config_exports = {};
+__export(config_exports, {
+  appendAuditLog: () => appendAuditLog,
+  auditLogPath: () => auditLogPath,
+  configPath: () => configPath,
+  ensureConfigDirs: () => ensureConfigDirs,
+  hasKeys: () => hasKeys,
+  keysDir: () => keysDir,
+  loadConfig: () => loadConfig,
+  loadPrivateKey: () => loadPrivateKey2,
+  loadPublicKey: () => loadPublicKey2,
+  loadRegistry: () => loadRegistry,
+  registryPath: () => registryPath,
+  saveConfig: () => saveConfig,
+  saveRegistry: () => saveRegistry
+});
+import { readFileSync, writeFileSync, mkdirSync, existsSync, appendFileSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+function configDir() {
+  return join(homedir(), SP_CONFIG_DIR);
+}
+function ensureConfigDirs() {
+  const base = configDir();
+  mkdirSync(join(base, SP_KEYS_DIR), { recursive: true });
+  mkdirSync(join(base, SP_AUDIT_DIR), { recursive: true });
+  mkdirSync(join(base, "installed"), { recursive: true });
+}
+function configPath() {
+  return join(configDir(), SP_CONFIG_FILE);
+}
+function keysDir() {
+  return join(configDir(), SP_KEYS_DIR);
+}
+function auditLogPath() {
+  return join(configDir(), SP_AUDIT_DIR, "audit.log");
+}
+function registryPath() {
+  return join(configDir(), SP_REGISTRY_FILE);
+}
+function loadConfig() {
+  const path = configPath();
+  if (!existsSync(path)) {
+    return { marketplace_url: DEFAULT_MARKETPLACE_URL };
+  }
+  return JSON.parse(readFileSync(path, "utf-8"));
+}
+function saveConfig(config) {
+  ensureConfigDirs();
+  writeFileSync(configPath(), JSON.stringify(config, null, 2));
+}
+function loadRegistry() {
+  const path = registryPath();
+  if (!existsSync(path)) {
+    return { skills: [] };
+  }
+  return JSON.parse(readFileSync(path, "utf-8"));
+}
+function saveRegistry(registry) {
+  ensureConfigDirs();
+  writeFileSync(registryPath(), JSON.stringify(registry, null, 2));
+}
+function appendAuditLog(entry) {
+  ensureConfigDirs();
+  const logEntry = {
+    ...entry,
+    timestamp: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  const path = auditLogPath();
+  const line = JSON.stringify(logEntry) + "\n";
+  appendFileSync(path, line);
+}
+function hasKeys() {
+  const dir = keysDir();
+  return existsSync(join(dir, "default.key")) && existsSync(join(dir, "default.pub"));
+}
+function loadPrivateKey2() {
+  return readFileSync(join(keysDir(), "default.key"), "utf-8");
+}
+function loadPublicKey2() {
+  return readFileSync(join(keysDir(), "default.pub"), "utf-8");
+}
+var init_config = __esm({
+  "src/utils/config.ts"() {
+    "use strict";
+    init_dist();
+  }
+});
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/init.ts
+import { writeFileSync as writeFileSync2 } from "node:fs";
+import { join as join2 } from "node:path";
+import chalk from "chalk";
+
+// ../../packages/core/dist/manifest/schema.js
+import { z } from "zod";
+var semverRegex = /^\d+\.\d+\.\d+$/;
+var semverRangeRegex = /^[\^~>=<\s\d.|]+$/;
+var EntrypointSchema = z.object({
+  name: z.string().min(1),
+  description: z.string().optional(),
+  file: z.string().min(1)
+});
+var NetworkPermissionSchema = z.discriminatedUnion("mode", [
+  z.object({ mode: z.literal("none") }),
+  z.object({ mode: z.literal("allowlist"), domains: z.array(z.string()) })
+]);
+var FilesystemPermissionSchema = z.object({
+  read_paths: z.array(z.string()),
+  write_paths: z.array(z.string())
+});
+var ExecPermissionSchema = z.object({
+  allowed_commands: z.array(z.string()),
+  shell: z.boolean()
+});
+var IntegrationLevel = z.enum(["none", "read", "write", "send"]);
+var IntegrationsPermissionSchema = z.object({
+  slack: IntegrationLevel.optional(),
+  gmail: IntegrationLevel.optional(),
+  notion: IntegrationLevel.optional(),
+  github: IntegrationLevel.optional()
+});
+var PermissionsSchema = z.object({
+  network: NetworkPermissionSchema,
+  filesystem: FilesystemPermissionSchema,
+  exec: ExecPermissionSchema,
+  integrations: IntegrationsPermissionSchema.optional()
+});
+var DangerFlagSchema = z.object({
+  code: z.string(),
+  severity: z.enum(["info", "low", "medium", "high", "critical"]),
+  message: z.string(),
+  file: z.string().optional(),
+  line: z.number().optional()
+});
+var DependencySchema = z.object({
+  name: z.string(),
+  type: z.enum(["cli", "npm", "pip", "brew", "apt", "other"]),
+  version: z.string().optional(),
+  optional: z.boolean().optional()
+});
+var RequiredInputSchema = z.object({
+  key: z.string(),
+  description: z.string(),
+  type: z.enum(["string", "secret", "number", "boolean"]),
+  required: z.boolean(),
+  default: z.union([z.string(), z.number(), z.boolean()]).optional()
+});
+var InstallSchema = z.object({
+  steps: z.array(z.string()),
+  required_inputs: z.array(RequiredInputSchema)
+});
+var AuthorSchema = z.object({
+  name: z.string().min(1),
+  email: z.string().email().optional(),
+  signing_key_id: z.string()
+});
+var ManifestSchema = z.object({
+  ssp_version: z.literal("1.0"),
+  id: z.string().regex(/^[a-z0-9_-]+\/[a-z0-9_-]+$/, "Must be 'author-slug/skill-slug'"),
+  name: z.string().min(1).max(100),
+  description: z.string().min(1).max(1e3),
+  version: z.string().regex(semverRegex, "Must be valid semver (x.y.z)"),
+  author: AuthorSchema,
+  openclaw_compat: z.string().regex(semverRangeRegex, "Must be a valid semver range"),
+  os_compat: z.array(z.enum(["macos", "linux", "windows"])).min(1),
+  entrypoints: z.array(EntrypointSchema).min(1),
+  permissions: PermissionsSchema,
+  dependencies: z.array(DependencySchema),
+  danger_flags: z.array(DangerFlagSchema),
+  install: InstallSchema,
+  hashes: z.record(z.string(), z.string()),
+  created_at: z.string().datetime()
+});
+
+// ../../packages/core/dist/crypto/keys.js
+import { generateKeyPairSync, createHash, createPublicKey, createPrivateKey } from "node:crypto";
+function generateKeyPair() {
+  const { publicKey, privateKey } = generateKeyPairSync("ed25519", {
+    publicKeyEncoding: { type: "spki", format: "pem" },
+    privateKeyEncoding: { type: "pkcs8", format: "pem" }
+  });
+  const keyId = computeKeyId(publicKey);
+  return { publicKey, privateKey, keyId };
+}
+function computeKeyId(publicKeyPem) {
+  const hash = createHash("sha256").update(publicKeyPem).digest("hex");
+  return hash.substring(0, 16);
+}
+function loadPublicKey(pem) {
+  return createPublicKey(pem);
+}
+function loadPrivateKey(pem) {
+  return createPrivateKey(pem);
+}
+
+// ../../packages/core/dist/crypto/sign.js
+import { sign as cryptoSign } from "node:crypto";
+function signManifest(manifestJson, privateKeyPem) {
+  const privateKey = loadPrivateKey(privateKeyPem);
+  const signature = cryptoSign(null, Buffer.from(manifestJson), privateKey);
+  return signature.toString("base64");
+}
+
+// ../../packages/core/dist/crypto/verify.js
+import { verify as cryptoVerify } from "node:crypto";
+function verifySignature(manifestJson, signatureBase64, publicKeyPem) {
+  const publicKey = loadPublicKey(publicKeyPem);
+  const signature = Buffer.from(signatureBase64, "base64");
+  return cryptoVerify(null, Buffer.from(manifestJson), publicKey, signature);
+}
+
+// ../../packages/core/dist/crypto/checksum.js
+import { createHash as createHash2 } from "node:crypto";
+function sha256(data) {
+  return createHash2("sha256").update(data).digest("hex");
+}
+function computeChecksums(files) {
+  const checksums = {};
+  for (const [path, content] of files) {
+    checksums[path] = sha256(content);
+  }
+  return checksums;
+}
+function verifyChecksums(files, expected) {
+  const mismatches = [];
+  for (const [path, expectedHash] of Object.entries(expected)) {
+    const content = files.get(path);
+    if (!content) {
+      mismatches.push(path);
+      continue;
+    }
+    const actual = sha256(content);
+    if (actual !== expectedHash) {
+      mismatches.push(path);
+    }
+  }
+  return { valid: mismatches.length === 0, mismatches };
+}
+
+// ../../packages/core/dist/archive/create.js
+import JSZip from "jszip";
+async function createSSP(options) {
+  const { manifest, files, privateKeyPem } = options;
+  ManifestSchema.parse(manifest);
+  const checksumFiles = /* @__PURE__ */ new Map();
+  for (const [path, content] of files) {
+    if (path === "SKILL.md") {
+      checksumFiles.set(path, content);
+    } else {
+      checksumFiles.set(`payload/${path}`, content);
+    }
+  }
+  const checksums = computeChecksums(checksumFiles);
+  const finalManifest = {
+    ...manifest,
+    hashes: checksums
+  };
+  const manifestJson = JSON.stringify(finalManifest, null, 2);
+  const manifestBuffer = Buffer.from(manifestJson);
+  const authorSignature = signManifest(manifestJson, privateKeyPem);
+  const zip = new JSZip();
+  zip.file("manifest.json", manifestBuffer);
+  zip.file("signatures/author.sig", authorSignature);
+  zip.file("checksums.json", JSON.stringify(checksums, null, 2));
+  const skillMd = files.get("SKILL.md");
+  if (skillMd) {
+    zip.file("SKILL.md", skillMd);
+  }
+  for (const [path, content] of files) {
+    if (path !== "SKILL.md") {
+      zip.file(`payload/${path}`, content);
+    }
+  }
+  const buffer = await zip.generateAsync({
+    type: "nodebuffer",
+    compression: "DEFLATE",
+    compressionOptions: { level: 9 }
+  });
+  return buffer;
+}
+
+// ../../packages/core/dist/archive/extract.js
+import JSZip2 from "jszip";
+async function extractSSP(data) {
+  const zip = await JSZip2.loadAsync(data);
+  const manifestFile = zip.file("manifest.json");
+  if (!manifestFile) {
+    throw new Error("Invalid SSP: missing manifest.json");
+  }
+  const manifestRaw = await manifestFile.async("string");
+  const manifestData = JSON.parse(manifestRaw);
+  const manifest = ManifestSchema.parse(manifestData);
+  const authorSigFile = zip.file("signatures/author.sig");
+  const authorSignature = authorSigFile ? await authorSigFile.async("string") : null;
+  const platformSigFile = zip.file("signatures/platform.sig");
+  const platformSignature = platformSigFile ? await platformSigFile.async("string") : null;
+  const checksumsFile = zip.file("checksums.json");
+  const checksums = checksumsFile ? JSON.parse(await checksumsFile.async("string")) : {};
+  const skillMdFile = zip.file("SKILL.md");
+  const skillMd = skillMdFile ? await skillMdFile.async("string") : null;
+  const files = /* @__PURE__ */ new Map();
+  const entries = Object.entries(zip.files);
+  for (const [path, entry] of entries) {
+    if (entry.dir)
+      continue;
+    if (path === "manifest.json" || path === "checksums.json" || path.startsWith("signatures/")) {
+      continue;
+    }
+    const content = await entry.async("nodebuffer");
+    files.set(path, content);
+  }
+  return {
+    manifest,
+    manifestRaw,
+    files,
+    authorSignature,
+    platformSignature,
+    checksums,
+    skillMd
+  };
+}
+
+// ../../packages/core/dist/permissions/validate.js
+function assessNetworkRisk(permissions) {
+  if (permissions.network.mode === "none")
+    return "safe";
+  if (permissions.network.mode === "allowlist") {
+    return permissions.network.domains.length <= 2 ? "low" : "medium";
+  }
+  return "safe";
+}
+function assessFilesystemRisk(permissions) {
+  const { read_paths, write_paths } = permissions.filesystem;
+  if (read_paths.length === 0 && write_paths.length === 0)
+    return "safe";
+  if (write_paths.length === 0)
+    return "low";
+  const hasSensitivePaths = write_paths.some((p) => p === "/" || p === "~" || p.startsWith("/etc") || p.startsWith("/usr"));
+  if (hasSensitivePaths)
+    return "critical";
+  return "medium";
+}
+function assessExecRisk(permissions) {
+  const { allowed_commands, shell } = permissions.exec;
+  if (allowed_commands.length === 0 && !shell)
+    return "safe";
+  if (shell)
+    return "high";
+  return allowed_commands.length <= 3 ? "medium" : "high";
+}
+function assessIntegrationsRisk(permissions) {
+  const integrations = permissions.integrations;
+  if (!integrations)
+    return "safe";
+  const levels = [
+    integrations.slack,
+    integrations.gmail,
+    integrations.notion,
+    integrations.github
+  ].filter((l) => l && l !== "none");
+  if (levels.length === 0)
+    return "safe";
+  if (levels.some((l) => l === "send" || l === "write"))
+    return "high";
+  if (levels.some((l) => l === "read"))
+    return "medium";
+  return "low";
+}
+var riskOrder = ["safe", "low", "medium", "high", "critical"];
+function maxRisk(...levels) {
+  let max = 0;
+  for (const level of levels) {
+    const idx = riskOrder.indexOf(level);
+    if (idx > max)
+      max = idx;
+  }
+  return riskOrder[max];
+}
+function assessPermissions(permissions) {
+  const network = assessNetworkRisk(permissions);
+  const filesystem = assessFilesystemRisk(permissions);
+  const exec = assessExecRisk(permissions);
+  const integrations = assessIntegrationsRisk(permissions);
+  const overall = maxRisk(network, filesystem, exec, integrations);
+  return { network, filesystem, exec, integrations, overall };
+}
+
+// ../../packages/core/dist/permissions/display.js
+function formatPermissions(permissions, summary) {
+  const lines = [];
+  if (permissions.network.mode === "none") {
+    lines.push({
+      category: "network",
+      icon: "\u{1F512}",
+      label: "Network",
+      detail: "No network access",
+      risk: summary.network
+    });
+  } else {
+    lines.push({
+      category: "network",
+      icon: "\u{1F310}",
+      label: "Network",
+      detail: `Allowed domains: ${permissions.network.domains.join(", ")}`,
+      risk: summary.network
+    });
+  }
+  const { read_paths, write_paths } = permissions.filesystem;
+  if (read_paths.length === 0 && write_paths.length === 0) {
+    lines.push({
+      category: "filesystem",
+      icon: "\u{1F512}",
+      label: "Filesystem",
+      detail: "No filesystem access",
+      risk: summary.filesystem
+    });
+  } else {
+    const parts = [];
+    if (read_paths.length > 0)
+      parts.push(`Read: ${read_paths.join(", ")}`);
+    if (write_paths.length > 0)
+      parts.push(`Write: ${write_paths.join(", ")}`);
+    lines.push({
+      category: "filesystem",
+      icon: "\u{1F4C1}",
+      label: "Filesystem",
+      detail: parts.join(" | "),
+      risk: summary.filesystem
+    });
+  }
+  const { allowed_commands, shell } = permissions.exec;
+  if (allowed_commands.length === 0 && !shell) {
+    lines.push({
+      category: "exec",
+      icon: "\u{1F512}",
+      label: "Execution",
+      detail: "No command execution",
+      risk: summary.exec
+    });
+  } else {
+    const parts = [];
+    if (allowed_commands.length > 0)
+      parts.push(`Commands: ${allowed_commands.join(", ")}`);
+    if (shell)
+      parts.push("Shell access: YES");
+    lines.push({
+      category: "exec",
+      icon: "\u2699\uFE0F",
+      label: "Execution",
+      detail: parts.join(" | "),
+      risk: summary.exec
+    });
+  }
+  const integrations = permissions.integrations;
+  if (integrations) {
+    const active = Object.entries(integrations).filter(([, v]) => v && v !== "none");
+    if (active.length > 0) {
+      lines.push({
+        category: "integrations",
+        icon: "\u{1F517}",
+        label: "Integrations",
+        detail: active.map(([k, v]) => `${k}: ${v}`).join(", "),
+        risk: summary.integrations
+      });
+    }
+  }
+  return lines;
+}
+function riskColor(risk) {
+  switch (risk) {
+    case "safe":
+      return "green";
+    case "low":
+      return "blue";
+    case "medium":
+      return "yellow";
+    case "high":
+      return "red";
+    case "critical":
+      return "magenta";
+  }
+}
+function severityColor(severity) {
+  switch (severity) {
+    case "info":
+      return "gray";
+    case "low":
+      return "blue";
+    case "medium":
+      return "yellow";
+    case "high":
+      return "red";
+    case "critical":
+      return "magenta";
+  }
+}
+
+// src/commands/init.ts
+init_config();
+async function initCommand() {
+  if (hasKeys()) {
+    console.log(chalk.yellow("Keys already exist."));
+    return;
+  }
+  ensureConfigDirs();
+  console.log("Generating Ed25519 key pair...");
+  const keyPair = generateKeyPair();
+  const dir = keysDir();
+  writeFileSync2(join2(dir, "default.pub"), keyPair.publicKey);
+  writeFileSync2(join2(dir, "default.key"), keyPair.privateKey, { mode: 384 });
+  const config = loadConfig();
+  config.default_key_id = keyPair.keyId;
+  saveConfig(config);
+  console.log(chalk.green("Key pair generated successfully!"));
+  console.log(`  Key ID: ${chalk.bold(keyPair.keyId)}`);
+  console.log(`  Public key: ${join2(dir, "default.pub")}`);
+  console.log(`  Private key: ${join2(dir, "default.key")}`);
+  console.log();
+  console.log(
+    chalk.dim("Register your public key with the marketplace using: skillport login")
+  );
+}
+
+// src/commands/scan.ts
+import { readFileSync as readFileSync2, readdirSync, statSync } from "node:fs";
+import { join as join3, relative } from "node:path";
+
+// ../../packages/scanner/dist/detectors/secrets.js
+function shannonEntropy(str) {
+  const freq = /* @__PURE__ */ new Map();
+  for (const ch of str) {
+    freq.set(ch, (freq.get(ch) || 0) + 1);
+  }
+  let entropy = 0;
+  const len = str.length;
+  for (const count of freq.values()) {
+    const p = count / len;
+    entropy -= p * Math.log2(p);
+  }
+  return entropy;
+}
+var patterns = [
+  {
+    id: "SEC001",
+    regex: /AKIA[0-9A-Z]{16}/,
+    category: "secret",
+    severity: "critical",
+    message: "AWS Access Key ID detected",
+    remediation: "Remove the key and rotate it in AWS IAM console"
+  },
+  {
+    id: "SEC002",
+    regex: /\b(ghp_|gho_|ghs_|ghr_)[A-Za-z0-9_]{36,}/,
+    category: "secret",
+    severity: "critical",
+    message: "GitHub token detected",
+    remediation: "Revoke the token and generate a new one"
+  },
+  {
+    id: "SEC003",
+    regex: /\b(sk_live_|pk_live_|rk_live_)[A-Za-z0-9]+/,
+    category: "secret",
+    severity: "critical",
+    message: "Stripe live key detected",
+    remediation: "Rotate the key in Stripe Dashboard"
+  },
+  {
+    id: "SEC004",
+    regex: /\b(sk-[A-Za-z0-9]{20,})/,
+    category: "secret",
+    severity: "critical",
+    message: "OpenAI API key detected",
+    remediation: "Rotate the key in OpenAI dashboard"
+  },
+  {
+    id: "SEC005",
+    regex: /xoxb-[0-9]{10,}-[A-Za-z0-9]+/,
+    category: "secret",
+    severity: "critical",
+    message: "Slack bot token detected",
+    remediation: "Revoke the token in Slack App settings"
+  },
+  {
+    id: "SEC006",
+    regex: /-----BEGIN\s+(RSA|DSA|EC|OPENSSH|PGP)\s+PRIVATE\s+KEY-----/,
+    category: "secret",
+    severity: "critical",
+    message: "Private key detected",
+    remediation: "Remove the private key from the package"
+  },
+  {
+    id: "SEC007",
+    regex: /\b(api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token|secret[_-]?key)\s*[:=]\s*['"`]([A-Za-z0-9+/=_-]{20,})['"`]/i,
+    category: "secret",
+    severity: "high",
+    message: "Potential API key or secret hardcoded",
+    remediation: "Use environment variables or required_inputs instead"
+  },
+  {
+    id: "SEC008",
+    regex: /password\s*[:=]\s*['"`]([^'"`]{4,})['"`]/i,
+    category: "secret",
+    severity: "high",
+    message: "Hardcoded password detected",
+    remediation: "Use environment variables or required_inputs instead"
+  },
+  {
+    id: "SEC009",
+    regex: /['"`]([A-Za-z0-9+/=_-]{40,})['"`]/,
+    category: "secret",
+    severity: "medium",
+    message: "High-entropy string detected (possible secret)",
+    filter: (_match, _line) => {
+      const str = _match[1];
+      if (!str)
+        return false;
+      return shannonEntropy(str) >= 4.5;
+    },
+    remediation: "Verify this string is not a secret; if it is, use required_inputs"
+  }
+];
+var secretsDetector = {
+  name: "secrets",
+  patterns
+};
+
+// ../../packages/scanner/dist/detectors/dangerous.js
+var patterns2 = [
+  {
+    id: "DNG001",
+    regex: /\beval\s*\(/,
+    category: "dangerous",
+    severity: "high",
+    message: "eval() call detected \u2014 arbitrary code execution risk",
+    remediation: "Avoid eval(); use safer alternatives"
+  },
+  {
+    id: "DNG002",
+    regex: /\bnew\s+Function\s*\(/,
+    category: "dangerous",
+    severity: "high",
+    message: "new Function() detected \u2014 dynamic code execution risk",
+    remediation: "Avoid dynamic code generation"
+  },
+  {
+    id: "DNG003",
+    regex: /\bchild_process\b/,
+    category: "dangerous",
+    severity: "high",
+    message: "child_process module usage detected",
+    remediation: "Declare required commands in permissions.exec"
+  },
+  {
+    id: "DNG004",
+    regex: /\b(exec|execSync|spawn|spawnSync|execFile|execFileSync|fork)\s*\(/,
+    category: "dangerous",
+    severity: "high",
+    message: "Process execution function detected",
+    remediation: "Declare required commands in permissions.exec"
+  },
+  {
+    id: "DNG005",
+    regex: /curl\s+.*\|\s*sh/,
+    category: "dangerous",
+    severity: "critical",
+    message: "curl | sh pipe execution detected \u2014 remote code execution risk",
+    remediation: "Download and verify scripts before executing"
+  },
+  {
+    id: "DNG006",
+    regex: /rm\s+-rf\s+[/~]/,
+    category: "dangerous",
+    severity: "critical",
+    message: "Destructive rm -rf command detected",
+    remediation: "Use targeted file removal instead"
+  },
+  {
+    id: "DNG007",
+    regex: /\bfs\.(writeFile|writeFileSync|appendFile|appendFileSync|rmSync|rmdirSync|unlinkSync)\s*\(/,
+    category: "dangerous",
+    severity: "high",
+    message: "Filesystem write/delete operation detected",
+    remediation: "Declare paths in permissions.filesystem"
+  },
+  {
+    id: "DNG008",
+    regex: /process\.env[\s\S]{0,50}(fetch|http|request|send|post|XMLHttpRequest)/,
+    category: "dangerous",
+    severity: "critical",
+    message: "Potential environment variable exfiltration detected",
+    remediation: "Do not send environment variables to external services"
+  },
+  {
+    id: "DNG009",
+    regex: /\bwget\s+/,
+    category: "dangerous",
+    severity: "medium",
+    message: "wget usage detected",
+    remediation: "Declare network access in permissions.network"
+  },
+  {
+    id: "DNG010",
+    regex: /\b(nc|ncat|netcat)\s+(-[a-z]*\s+)*\S+\s+\d+/,
+    category: "dangerous",
+    severity: "critical",
+    message: "Reverse shell pattern detected (netcat)",
+    remediation: "Remove reverse shell code"
+  },
+  {
+    id: "DNG011",
+    regex: /\/dev\/(tcp|udp)\/\S+\/\d+/,
+    category: "dangerous",
+    severity: "critical",
+    message: "Reverse shell pattern detected (/dev/tcp)",
+    remediation: "Remove reverse shell code"
+  },
+  {
+    id: "DNG012",
+    regex: /process\.env\.(HOME|USER|PATH|SHELL|LOGNAME)/,
+    category: "dangerous",
+    severity: "medium",
+    message: "Environment variable access detected",
+    remediation: "Ensure environment variables are used locally only"
+  }
+];
+var dangerousDetector = {
+  name: "dangerous",
+  patterns: patterns2
+};
+
+// ../../packages/scanner/dist/detectors/pii.js
+var EXAMPLE_EMAIL_DOMAINS = [
+  "example.com",
+  "example.org",
+  "example.net",
+  "test.com",
+  "localhost",
+  "placeholder.com"
+];
+function luhnCheck(num) {
+  const digits = num.replace(/\D/g, "");
+  if (digits.length < 13 || digits.length > 19)
+    return false;
+  let sum = 0;
+  let alternate = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let n = parseInt(digits[i], 10);
+    if (alternate) {
+      n *= 2;
+      if (n > 9)
+        n -= 9;
+    }
+    sum += n;
+    alternate = !alternate;
+  }
+  return sum % 10 === 0;
+}
+var patterns3 = [
+  {
+    id: "PII001",
+    regex: /(\/Users\/[a-zA-Z0-9._-]+|\/home\/[a-zA-Z0-9._-]+|C:\\Users\\[a-zA-Z0-9._-]+)/,
+    category: "pii",
+    severity: "medium",
+    message: "User home directory path detected",
+    remediation: "Replace with relative paths or use ~ placeholder"
+  },
+  {
+    id: "PII002",
+    regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/,
+    category: "pii",
+    severity: "low",
+    message: "Email address detected",
+    filter: (match) => {
+      const email = match[0];
+      return !EXAMPLE_EMAIL_DOMAINS.some((d) => email.endsWith(`@${d}`));
+    },
+    remediation: "Remove or anonymize the email address"
+  },
+  {
+    id: "PII003",
+    regex: /\b0[789]0-?\d{4}-?\d{4}\b/,
+    category: "pii",
+    severity: "medium",
+    message: "Japanese phone number detected",
+    remediation: "Remove the phone number"
+  },
+  {
+    id: "PII004",
+    regex: /\b(?:\+1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/,
+    category: "pii",
+    severity: "medium",
+    message: "Phone number detected",
+    remediation: "Remove the phone number"
+  },
+  {
+    id: "PII005",
+    regex: /\b(?:\d[ -]*?){13,19}\b/,
+    category: "pii",
+    severity: "critical",
+    message: "Credit card number detected (Luhn-verified)",
+    filter: (match) => luhnCheck(match[0]),
+    remediation: "Remove the credit card number immediately"
+  },
+  {
+    id: "PII006",
+    regex: /\b(?!10\.)(?!172\.(?:1[6-9]|2\d|3[01])\.)(?!192\.168\.)(?!127\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/,
+    category: "pii",
+    severity: "low",
+    message: "Public IP address detected",
+    remediation: "Remove or anonymize the IP address"
+  }
+];
+var piiDetector = {
+  name: "pii",
+  patterns: patterns3
+};
+
+// ../../packages/scanner/dist/detectors/obfuscation.js
+var patterns4 = [
+  {
+    id: "OBF001",
+    regex: /\batob\s*\(/,
+    category: "obfuscation",
+    severity: "medium",
+    message: "Base64 decoding (atob) detected",
+    remediation: "Use plain text instead of Base64-encoded strings"
+  },
+  {
+    id: "OBF002",
+    regex: /\bBuffer\.from\s*\([^,]+,\s*['"`]base64['"`]\s*\)/,
+    category: "obfuscation",
+    severity: "medium",
+    message: "Buffer.from base64 decoding detected",
+    remediation: "Use plain text instead of Base64-encoded data"
+  },
+  {
+    id: "OBF003",
+    regex: /(?:\\x[0-9a-fA-F]{2}){8,}/,
+    category: "obfuscation",
+    severity: "high",
+    message: "Hex-escaped string sequence detected",
+    remediation: "Use readable string literals instead of hex escapes"
+  },
+  {
+    id: "OBF004",
+    regex: /[A-Za-z0-9+/]{100,}={0,2}/,
+    category: "obfuscation",
+    severity: "medium",
+    message: "Long Base64-like string detected (100+ chars)",
+    remediation: "Ensure this is not obfuscated code or data"
+  },
+  {
+    id: "OBF005",
+    regex: /String\.fromCharCode\s*\(\s*(\d+\s*,\s*){5,}/,
+    category: "obfuscation",
+    severity: "high",
+    message: "String.fromCharCode with many arguments \u2014 possible obfuscation",
+    remediation: "Use readable string literals"
+  },
+  {
+    id: "OBF006",
+    regex: /\bunescape\s*\(\s*['"`]%/,
+    category: "obfuscation",
+    severity: "medium",
+    message: "URL-encoded string decoding detected",
+    remediation: "Use readable string literals"
+  }
+];
+var obfuscationDetector = {
+  name: "obfuscation",
+  patterns: patterns4
+};
+
+// ../../packages/scanner/dist/detectors/network.js
+var patterns5 = [
+  {
+    id: "NET001",
+    regex: /\bfetch\s*\(\s*['"`](https?:\/\/[^'"`\s]+)['"`]/,
+    category: "network",
+    severity: "medium",
+    message: "External HTTP request via fetch()",
+    filter: (match) => {
+      const url = match[1];
+      if (!url)
+        return true;
+      return !/^https?:\/\/(localhost|127\.0\.0\.1)/.test(url);
+    },
+    remediation: "Declare the domain in permissions.network.domains"
+  },
+  {
+    id: "NET002",
+    regex: /\brequire\s*\(\s*['"`](https?|node:https?)['"`]\s*\)/,
+    category: "network",
+    severity: "low",
+    message: "HTTP/HTTPS module import detected",
+    remediation: "Declare network usage in permissions.network"
+  },
+  {
+    id: "NET003",
+    regex: /\bhttps?\.request\s*\(/,
+    category: "network",
+    severity: "medium",
+    message: "Direct HTTP request detected",
+    remediation: "Declare the domain in permissions.network.domains"
+  },
+  {
+    id: "NET004",
+    regex: /new\s+WebSocket\s*\(\s*['"`](wss?:\/\/[^'"`\s]+)['"`]/,
+    category: "network",
+    severity: "medium",
+    message: "WebSocket connection detected",
+    remediation: "Declare the domain in permissions.network.domains"
+  },
+  {
+    id: "NET005",
+    regex: /\baxios\b|\bsuperagent\b|\bgot\b|\bnode-fetch\b|\bundici\b/,
+    category: "network",
+    severity: "low",
+    message: "HTTP client library usage detected",
+    remediation: "Declare network usage in permissions.network"
+  }
+];
+var networkDetector = {
+  name: "network",
+  patterns: patterns5
+};
+
+// ../../packages/scanner/dist/engine/scanner.js
+var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".md",
+  ".ts",
+  ".tsx",
+  ".js",
+  ".jsx",
+  ".py",
+  ".sh",
+  ".bash",
+  ".zsh",
+  ".json",
+  ".yaml",
+  ".yml",
+  ".txt",
+  ".toml",
+  ".cfg",
+  ".ini",
+  ".env",
+  ".conf"
+]);
+var MAX_FILE_SIZE = 1 * 1024 * 1024;
+var MAX_ZIP_SIZE = 10 * 1024 * 1024;
+function isScannable(fileName) {
+  const dotIndex = fileName.lastIndexOf(".");
+  if (dotIndex === -1)
+    return false;
+  const ext = fileName.substring(dotIndex).toLowerCase();
+  return SCANNABLE_EXTENSIONS.has(ext);
+}
+var allDetectors = [
+  secretsDetector,
+  dangerousDetector,
+  piiDetector,
+  obfuscationDetector,
+  networkDetector
+];
+function scanFileContent(content, fileName) {
+  const issues = [];
+  const lines = content.split("\n");
+  for (let lineIndex = 0; lineIndex < lines.length; lineIndex++) {
+    const line = lines[lineIndex];
+    const lineNumber = lineIndex + 1;
+    for (const detector of allDetectors) {
+      for (const pattern of detector.patterns) {
+        const match = line.match(pattern.regex);
+        if (!match)
+          continue;
+        if (pattern.filter && !pattern.filter(match, line))
+          continue;
+        const snippet = line.length > 200 ? line.substring(0, 200) + "..." : line;
+        issues.push({
+          id: pattern.id,
+          severity: pattern.severity,
+          category: pattern.category,
+          message: pattern.message,
+          file: fileName,
+          line: lineNumber,
+          snippet: snippet.trim(),
+          remediation: pattern.remediation
+        });
+      }
+    }
+  }
+  return issues;
+}
+function scanFiles(files) {
+  const issues = [];
+  const scannedFiles = [];
+  const skippedFiles = [];
+  for (const [path, content] of files) {
+    if (!isScannable(path)) {
+      skippedFiles.push(path);
+      continue;
+    }
+    const fileIssues = scanFileContent(content, path);
+    issues.push(...fileIssues);
+    scannedFiles.push(path);
+  }
+  return { issues, scannedFiles, skippedFiles };
+}
+
+// ../../packages/scanner/dist/report/report.js
+var SEVERITY_WEIGHTS = {
+  info: 0,
+  low: 2,
+  medium: 5,
+  high: 15,
+  critical: 30
+};
+var SCANNER_VERSION = "0.1.0";
+function generateReport(issues, scannedFiles, skippedFiles) {
+  const by_severity = {
+    info: 0,
+    low: 0,
+    medium: 0,
+    high: 0,
+    critical: 0
+  };
+  const by_category = {
+    secret: 0,
+    dangerous: 0,
+    pii: 0,
+    obfuscation: 0,
+    network: 0
+  };
+  let rawScore = 0;
+  for (const issue of issues) {
+    by_severity[issue.severity]++;
+    by_category[issue.category]++;
+    rawScore += SEVERITY_WEIGHTS[issue.severity];
+  }
+  const risk_score = Math.min(rawScore, 100);
+  const passed = by_severity.high === 0 && by_severity.critical === 0;
+  return {
+    passed,
+    risk_score,
+    summary: {
+      total: issues.length,
+      by_severity,
+      by_category
+    },
+    issues,
+    scanned_files: scannedFiles,
+    skipped_files: skippedFiles,
+    scanned_at: (/* @__PURE__ */ new Date()).toISOString(),
+    scanner_version: SCANNER_VERSION
+  };
+}
+
+// src/utils/display.ts
+import chalk2 from "chalk";
+function displayScanReport(report) {
+  console.log();
+  if (report.passed) {
+    console.log(chalk2.green.bold("SCAN PASSED"));
+  } else {
+    console.log(chalk2.red.bold("SCAN FAILED"));
+  }
+  console.log(
+    chalk2.dim(`Risk Score: ${report.risk_score}/100 | `) + chalk2.dim(`Scanned: ${report.scanned_files.length} files | `) + chalk2.dim(`Issues: ${report.summary.total}`)
+  );
+  console.log();
+  if (report.summary.total > 0) {
+    console.log(chalk2.bold("Issues by severity:"));
+    for (const [severity, count] of Object.entries(report.summary.by_severity)) {
+      if (count > 0) {
+        const color = severityColor(severity);
+        console.log(`  ${chalk2[color](`${severity}: ${count}`)}`);
+      }
+    }
+    console.log();
+    console.log(chalk2.bold("Details:"));
+    for (const issue of report.issues) {
+      const color = severityColor(issue.severity);
+      const prefix = chalk2[color](`[${issue.severity.toUpperCase()}]`);
+      console.log(`  ${prefix} ${issue.message}`);
+      console.log(
+        chalk2.dim(`    ${issue.file}:${issue.line} (${issue.id})`)
+      );
+      if (issue.remediation) {
+        console.log(chalk2.dim(`    Fix: ${issue.remediation}`));
+      }
+    }
+  }
+  console.log();
+}
+function displayPermissions(permissions) {
+  const summary = assessPermissions(permissions);
+  const lines = formatPermissions(permissions, summary);
+  console.log(chalk2.bold("Permissions:"));
+  for (const line of lines) {
+    const color = riskColor(line.risk);
+    console.log(
+      `  ${line.icon} ${chalk2[color](line.label)}: ${line.detail}`
+    );
+  }
+  console.log();
+}
+function displayDangerFlags(flags) {
+  if (flags.length === 0) return;
+  console.log(chalk2.bold("Danger Flags:"));
+  for (const flag of flags) {
+    const color = severityColor(flag.severity);
+    const prefix = chalk2[color](`[${flag.severity.toUpperCase()}]`);
+    console.log(`  ${prefix} ${flag.message} (${flag.code})`);
+    if (flag.file) {
+      console.log(chalk2.dim(`    ${flag.file}${flag.line ? `:${flag.line}` : ""}`));
+    }
+  }
+  console.log();
+}
+
+// src/commands/scan.ts
+function collectFiles(dir, basePath = dir) {
+  const files = /* @__PURE__ */ new Map();
+  const entries = readdirSync(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = join3(dir, entry.name);
+    if (entry.name.startsWith(".") || entry.name === "node_modules") continue;
+    if (entry.isDirectory()) {
+      const sub = collectFiles(fullPath, basePath);
+      for (const [k, v] of sub) files.set(k, v);
+    } else if (entry.isFile()) {
+      const relPath = relative(basePath, fullPath);
+      const stat = statSync(fullPath);
+      if (stat.size > MAX_FILE_SIZE) continue;
+      if (!isScannable(relPath)) continue;
+      files.set(relPath, readFileSync2(fullPath, "utf-8"));
+    }
+  }
+  return files;
+}
+async function scanCommand(target) {
+  let files;
+  if (target.endsWith(".ssp")) {
+    console.log(`Scanning SkillPort package: ${target}`);
+    const data = readFileSync2(target);
+    const ssp = await extractSSP(data);
+    files = /* @__PURE__ */ new Map();
+    for (const [path, content] of ssp.files) {
+      if (isScannable(path)) {
+        files.set(path, content.toString("utf-8"));
+      }
+    }
+    if (ssp.skillMd) {
+      files.set("SKILL.md", ssp.skillMd);
+    }
+  } else {
+    console.log(`Scanning directory: ${target}`);
+    files = collectFiles(target);
+  }
+  const result = scanFiles(files);
+  const report = generateReport(
+    result.issues,
+    result.scannedFiles,
+    result.skippedFiles
+  );
+  displayScanReport(report);
+  if (!report.passed) {
+    process.exitCode = 1;
+  } else if (report.summary.total > 0) {
+    process.exitCode = 2;
+  }
+}
+
+// src/commands/export.ts
+import { readFileSync as readFileSync3, readdirSync as readdirSync2, statSync as statSync2, writeFileSync as writeFileSync3 } from "node:fs";
+import { join as join4, relative as relative2, basename } from "node:path";
+import chalk3 from "chalk";
+import inquirer from "inquirer";
+init_dist();
+init_config();
+
+// src/utils/skill-parser.ts
+function parseSkillMd(content) {
+  let frontmatter = "";
+  let body = content;
+  if (body.startsWith("---")) {
+    const endIdx = body.indexOf("---", 3);
+    if (endIdx !== -1) {
+      frontmatter = body.slice(0, endIdx + 3);
+      body = body.slice(endIdx + 3);
+    }
+  }
+  const lines = body.split("\n");
+  let headerLines = [];
+  const sections = [];
+  let currentHeading = "";
+  let currentLines = [];
+  let inSection = false;
+  for (const line of lines) {
+    if (/^## /.test(line)) {
+      if (inSection) {
+        sections.push(buildSection(currentHeading, currentLines));
+      }
+      currentHeading = line.replace(/^## /, "").trim();
+      currentLines = [line];
+      inSection = true;
+    } else if (inSection) {
+      currentLines.push(line);
+    } else {
+      headerLines.push(line);
+    }
+  }
+  if (inSection) {
+    sections.push(buildSection(currentHeading, currentLines));
+  }
+  return {
+    frontmatter,
+    header: headerLines.join("\n"),
+    sections
+  };
+}
+function buildSection(heading, lines) {
+  const raw = lines.join("\n");
+  const referencedFiles = extractFileReferences(raw);
+  return { heading, raw, referencedFiles };
+}
+function extractFileReferences(text) {
+  const refs = /* @__PURE__ */ new Set();
+  const backtickPattern = /`([a-zA-Z0-9_./-]+\.[a-zA-Z0-9]+)`/g;
+  let match;
+  while ((match = backtickPattern.exec(text)) !== null) {
+    const path = match[1];
+    if (!path.startsWith("http") && !path.includes("@") && path.includes("/")) {
+      refs.add(path);
+    }
+  }
+  const pathPattern = /(?:scripts|payload|bins)\/[a-zA-Z0-9_.-]+/g;
+  while ((match = pathPattern.exec(text)) !== null) {
+    refs.add(match[0]);
+  }
+  return [...refs];
+}
+function reconstructSkillMd(parsed, selectedIndices) {
+  const parts = [];
+  if (parsed.frontmatter) {
+    parts.push(parsed.frontmatter);
+  }
+  parts.push(parsed.header);
+  for (const idx of selectedIndices) {
+    if (idx >= 0 && idx < parsed.sections.length) {
+      parts.push(parsed.sections[idx].raw);
+    }
+  }
+  return parts.join("\n").replace(/\n{3,}/g, "\n\n").trim() + "\n";
+}
+function sectionSummary(section, maxLen = 60) {
+  const lines = section.raw.split("\n").slice(1);
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (trimmed && !trimmed.startsWith("#") && !trimmed.startsWith("```")) {
+      return trimmed.length > maxLen ? trimmed.slice(0, maxLen - 3) + "..." : trimmed;
+    }
+  }
+  return "";
+}
+
+// src/utils/env-detect.ts
+import { execSync } from "node:child_process";
+import { platform as osPlatform } from "node:os";
+function detectOS() {
+  const p = osPlatform();
+  if (p === "darwin") return "macos";
+  if (p === "win32") return "windows";
+  return p;
+}
+function binaryExists(name) {
+  try {
+    execSync(`which ${name}`, { stdio: "pipe" });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function envVarExists(name) {
+  return !!process.env[name];
+}
+function checkEnvironment(manifest) {
+  const currentOS = detectOS();
+  const osCompatible = manifest.os_compat.includes(currentOS);
+  const binaries = manifest.dependencies.filter((d) => d.type === "cli" || d.type === "brew" || d.type === "apt").map((dep) => {
+    const found = binaryExists(dep.name);
+    return {
+      check: dep.name,
+      status: found ? "ok" : dep.optional ? "warn" : "missing",
+      detail: found ? `Found${dep.version ? ` (requires ${dep.version})` : ""}` : dep.optional ? "Not found (optional)" : "Not found (required)",
+      skippable: dep.optional ?? false
+    };
+  });
+  const envVars = manifest.install.required_inputs.filter((input) => input.key === input.key.toUpperCase()).map((input) => {
+    const found = envVarExists(input.key);
+    return {
+      check: input.key,
+      status: found ? "ok" : input.required ? "missing" : "warn",
+      detail: found ? "Set" : input.required ? `Not set \u2014 ${input.description}` : `Not set (optional) \u2014 ${input.description}`
+    };
+  });
+  const hasMissing = binaries.some((b) => b.status === "missing") || envVars.some((e) => e.status === "missing");
+  return {
+    os: { name: currentOS, compatible: osCompatible },
+    binaries,
+    envVars,
+    incompatibleSections: [],
+    // filled by caller with SKILL.md analysis
+    ready: osCompatible && !hasMissing
+  };
+}
+function findIncompatibleSections(sectionTexts, missingBins) {
+  if (missingBins.length === 0) return [];
+  const incompatible = [];
+  for (let i = 0; i < sectionTexts.length; i++) {
+    const lower = sectionTexts[i].toLowerCase();
+    for (const bin of missingBins) {
+      if (lower.includes(bin.toLowerCase())) {
+        incompatible.push(i);
+        break;
+      }
+    }
+  }
+  return incompatible;
+}
+
+// src/utils/quality-check.ts
+var KNOWN_CLI_TOOLS = /* @__PURE__ */ new Set([
+  "git",
+  "docker",
+  "docker-compose",
+  "npm",
+  "npx",
+  "yarn",
+  "pnpm",
+  "node",
+  "python",
+  "python3",
+  "pip",
+  "pip3",
+  "ruby",
+  "gem",
+  "cargo",
+  "rustc",
+  "go",
+  "curl",
+  "wget",
+  "jq",
+  "yq",
+  "sed",
+  "awk",
+  "grep",
+  "kubectl",
+  "helm",
+  "terraform",
+  "ansible",
+  "aws",
+  "gcloud",
+  "az",
+  "redis-cli",
+  "psql",
+  "mysql",
+  "sqlite3",
+  "mongosh",
+  "ffmpeg",
+  "imagemagick",
+  "convert",
+  "gh",
+  "hub",
+  "slack",
+  "slack_cli",
+  "make",
+  "cmake",
+  "gcc",
+  "g++",
+  "clang",
+  "java",
+  "javac",
+  "mvn",
+  "gradle",
+  "swift",
+  "xcodebuild",
+  "deno",
+  "bun"
+]);
+function detectCliDeps(content, source) {
+  const found = /* @__PURE__ */ new Map();
+  const backtickPattern = /`([a-zA-Z0-9_-]+)(?:\s[^`]*)?`/g;
+  let match;
+  while ((match = backtickPattern.exec(content)) !== null) {
+    const tool = match[1].toLowerCase();
+    if (KNOWN_CLI_TOOLS.has(tool) && !found.has(tool)) {
+      found.set(tool, {
+        name: tool,
+        source,
+        available: binaryExists(tool)
+      });
+    }
+  }
+  const shebangPattern = /^#!\/usr\/bin\/env\s+([a-zA-Z0-9_-]+)|^#!\/(?:usr\/(?:local\/)?)?bin\/([a-zA-Z0-9_-]+)/gm;
+  while ((match = shebangPattern.exec(content)) !== null) {
+    const tool = (match[1] || match[2]).toLowerCase();
+    if (!found.has(tool)) {
+      found.set(tool, {
+        name: tool,
+        source,
+        available: binaryExists(tool)
+      });
+    }
+  }
+  const cmdPattern = /^(?:\$\s+|>\s+)?([a-zA-Z0-9_-]+)\s/gm;
+  while ((match = cmdPattern.exec(content)) !== null) {
+    const tool = match[1].toLowerCase();
+    if (KNOWN_CLI_TOOLS.has(tool) && !found.has(tool)) {
+      found.set(tool, {
+        name: tool,
+        source,
+        available: binaryExists(tool)
+      });
+    }
+  }
+  return [...found.values()];
+}
+function checkFileReferences(skillMdContent, payloadFiles, sectionHeadings) {
+  const broken = [];
+  const fileSet = new Set(payloadFiles);
+  const backtickPattern = /`([a-zA-Z0-9_./-]+\.[a-zA-Z0-9]+)`/g;
+  let match;
+  while ((match = backtickPattern.exec(skillMdContent)) !== null) {
+    const ref = match[1];
+    if (ref.startsWith("http") || ref.includes("@")) continue;
+    if (!ref.includes("/")) continue;
+    const exists = fileSet.has(ref) || fileSet.has(`payload/${ref}`);
+    if (!exists) {
+      const before = skillMdContent.slice(0, match.index);
+      const lastHeading = before.match(/## ([^\n]+)/g);
+      const source = lastHeading ? `SKILL.md ## ${lastHeading[lastHeading.length - 1].replace("## ", "")}` : "SKILL.md";
+      broken.push({ ref, source });
+    }
+  }
+  const pathPattern = /(?:scripts|payload|bins)\/[a-zA-Z0-9_.-]+/g;
+  while ((match = pathPattern.exec(skillMdContent)) !== null) {
+    const ref = match[0];
+    const exists = fileSet.has(ref) || fileSet.has(`payload/${ref}`);
+    if (!exists && !broken.some((b) => b.ref === ref)) {
+      const before = skillMdContent.slice(0, match.index);
+      const lastHeading = before.match(/## ([^\n]+)/g);
+      const source = lastHeading ? `SKILL.md ## ${lastHeading[lastHeading.length - 1].replace("## ", "")}` : "SKILL.md";
+      broken.push({ ref, source });
+    }
+  }
+  return broken;
+}
+function checkStructure(skillMdContent, fileCount) {
+  const issues = [];
+  const lines = skillMdContent.split("\n");
+  const nonEmptyLines = lines.filter((l) => l.trim().length > 0);
+  if (!lines.some((l) => /^# /.test(l))) {
+    issues.push({ severity: "error", message: "SKILL.md is missing a # title heading" });
+  }
+  if (nonEmptyLines.length < 5) {
+    issues.push({ severity: "warn", message: "SKILL.md is very short \u2014 add more detailed instructions" });
+  }
+  const sectionCount = lines.filter((l) => /^## /.test(l)).length;
+  if (sectionCount === 0 && nonEmptyLines.length > 20) {
+    issues.push({ severity: "warn", message: "Consider splitting SKILL.md into ## sections for better organization" });
+  }
+  const titleIdx = lines.findIndex((l) => /^# /.test(l));
+  if (titleIdx >= 0) {
+    const afterTitle = lines.slice(titleIdx + 1, titleIdx + 5);
+    const hasIntro = afterTitle.some((l) => l.trim().length > 0 && !/^#/.test(l));
+    if (!hasIntro) {
+      issues.push({ severity: "warn", message: "Add a brief description after the # title" });
+    }
+  }
+  if (!skillMdContent.startsWith("---")) {
+    issues.push({ severity: "info", message: "No YAML frontmatter \u2014 consider adding name and description metadata" });
+  }
+  if (fileCount <= 1) {
+    issues.push({ severity: "info", message: "Package contains only SKILL.md \u2014 consider adding supporting scripts or configs" });
+  }
+  return issues;
+}
+function depsToManifest(deps) {
+  return deps.map((d) => ({
+    name: d.name,
+    type: "cli",
+    optional: false
+  }));
+}
+function runQualityCheck(skillMdContent, allFiles) {
+  const payloadFiles = [...allFiles.keys()].filter((f) => f !== "SKILL.md");
+  const depsFromSkillMd = detectCliDeps(skillMdContent, "SKILL.md");
+  const depsFromScripts = [];
+  for (const [path, content] of allFiles) {
+    if (path === "SKILL.md") continue;
+    const ext = path.split(".").pop()?.toLowerCase();
+    if (["sh", "bash", "zsh", "py", "rb", "js", "ts"].includes(ext ?? "")) {
+      const scriptDeps = detectCliDeps(content.toString("utf-8"), path);
+      for (const dep of scriptDeps) {
+        if (!depsFromSkillMd.some((d) => d.name === dep.name) && !depsFromScripts.some((d) => d.name === dep.name)) {
+          depsFromScripts.push(dep);
+        }
+      }
+    }
+  }
+  const allDeps = [...depsFromSkillMd, ...depsFromScripts];
+  const brokenRefs = checkFileReferences(skillMdContent, payloadFiles);
+  const structureIssues = checkStructure(skillMdContent, allFiles.size);
+  const issues = [...structureIssues];
+  const unavailableDeps = allDeps.filter((d) => !d.available);
+  if (unavailableDeps.length > 0) {
+    issues.push({
+      severity: "warn",
+      message: `${unavailableDeps.length} detected tool(s) not found on your system: ${unavailableDeps.map((d) => d.name).join(", ")}`
+    });
+  }
+  if (brokenRefs.length > 0) {
+    issues.push({
+      severity: "error",
+      message: `${brokenRefs.length} file reference(s) in SKILL.md point to missing files`
+    });
+  }
+  let score = 100;
+  for (const issue of issues) {
+    if (issue.severity === "error") score -= 20;
+    else if (issue.severity === "warn") score -= 10;
+    else score -= 2;
+  }
+  const lines = skillMdContent.split("\n");
+  const sectionCount = lines.filter((l) => /^## /.test(l)).length;
+  if (sectionCount >= 2) score = Math.min(100, score + 5);
+  if (skillMdContent.startsWith("---")) score = Math.min(100, score + 5);
+  score = Math.max(0, score);
+  return {
+    detectedDeps: allDeps,
+    brokenRefs,
+    issues,
+    score,
+    passed: !issues.some((i) => i.severity === "error")
+  };
+}
+
+// src/commands/export.ts
+function collectAllFiles(dir, basePath = dir) {
+  const files = /* @__PURE__ */ new Map();
+  const entries = readdirSync2(dir, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = join4(dir, entry.name);
+    if (entry.name.startsWith(".") || entry.name === "node_modules") continue;
+    if (entry.isDirectory()) {
+      const sub = collectAllFiles(fullPath, basePath);
+      for (const [k, v] of sub) files.set(k, v);
+    } else if (entry.isFile()) {
+      const relPath = relative2(basePath, fullPath);
+      const stat = statSync2(fullPath);
+      if (stat.size > MAX_FILE_SIZE) continue;
+      files.set(relPath, readFileSync3(fullPath));
+    }
+  }
+  return files;
+}
+async function selectContent(allFiles) {
+  const skillMdContent = allFiles.get("SKILL.md").toString("utf-8");
+  const parsed = parseSkillMd(skillMdContent);
+  if (parsed.sections.length === 0) {
+    return allFiles;
+  }
+  const payloadFiles = [...allFiles.keys()].filter((f) => f !== "SKILL.md");
+  console.log("");
+  console.log(chalk3.bold("Skill overview:"));
+  console.log(chalk3.dim(`  SKILL.md sections: ${parsed.sections.length}`));
+  console.log(chalk3.dim(`  Payload files:     ${payloadFiles.length}`));
+  console.log("");
+  const { customize } = await inquirer.prompt([
+    {
+      type: "confirm",
+      name: "customize",
+      message: "Select which sections and files to include?",
+      default: false
+    }
+  ]);
+  if (!customize) {
+    return allFiles;
+  }
+  console.log("");
+  console.log(chalk3.bold("SKILL.md sections:"));
+  const sectionChoices = parsed.sections.map((section, idx) => {
+    const summary = sectionSummary(section);
+    const label = summary ? `${section.heading} ${chalk3.dim(`\u2014 ${summary}`)}` : section.heading;
+    return { name: label, value: idx, checked: true };
+  });
+  const { selectedSections } = await inquirer.prompt([
+    {
+      type: "checkbox",
+      name: "selectedSections",
+      message: "Include these sections:",
+      choices: sectionChoices,
+      validate: (v) => v.length > 0 || "At least one section must be selected"
+    }
+  ]);
+  let selectedFiles = payloadFiles;
+  if (payloadFiles.length > 0) {
+    console.log("");
+    const excludedIndices = new Set(
+      parsed.sections.map((_, i) => i).filter((i) => !selectedSections.includes(i))
+    );
+    const excludedRefs = /* @__PURE__ */ new Set();
+    for (const idx of excludedIndices) {
+      for (const ref of parsed.sections[idx].referencedFiles) {
+        excludedRefs.add(ref);
+      }
+    }
+    const fileChoices = payloadFiles.map((filePath) => {
+      const size = allFiles.get(filePath).length;
+      const sizeStr = size < 1024 ? `${size} B` : `${(size / 1024).toFixed(1)} KB`;
+      const hint = excludedRefs.has(filePath) ? chalk3.yellow(" (referenced by excluded section)") : "";
+      return {
+        name: `${filePath} ${chalk3.dim(`(${sizeStr})`)}${hint}`,
+        value: filePath,
+        checked: !excludedRefs.has(filePath)
+      };
+    });
+    const { files } = await inquirer.prompt([
+      {
+        type: "checkbox",
+        name: "files",
+        message: "Include these files:",
+        choices: fileChoices
+      }
+    ]);
+    selectedFiles = files;
+  }
+  const newSkillMd = reconstructSkillMd(parsed, selectedSections);
+  const filtered = /* @__PURE__ */ new Map();
+  filtered.set("SKILL.md", Buffer.from(newSkillMd, "utf-8"));
+  for (const filePath of selectedFiles) {
+    filtered.set(filePath, allFiles.get(filePath));
+  }
+  const removedSections = parsed.sections.length - selectedSections.length;
+  const removedFiles = payloadFiles.length - selectedFiles.length;
+  if (removedSections > 0 || removedFiles > 0) {
+    console.log("");
+    console.log(
+      chalk3.cyan(
+        `Customized: ${removedSections} section(s) and ${removedFiles} file(s) excluded`
+      )
+    );
+  }
+  return filtered;
+}
+function displayQualityReport(report) {
+  console.log("");
+  console.log(chalk3.bold("Quality Report:"));
+  console.log(chalk3.dim("\u2500".repeat(50)));
+  if (report.detectedDeps.length > 0) {
+    console.log(chalk3.bold("  Detected dependencies:"));
+    for (const dep of report.detectedDeps) {
+      const icon = dep.available ? chalk3.green("\u2713") : chalk3.yellow("!");
+      const status = dep.available ? "installed" : "not found";
+      console.log(`    ${icon} ${dep.name} ${chalk3.dim(`(${status} \u2014 from ${dep.source})`)}`);
+    }
+  } else {
+    console.log(chalk3.dim("  No CLI dependencies detected."));
+  }
+  if (report.brokenRefs.length > 0) {
+    console.log("");
+    console.log(chalk3.bold("  Broken file references:"));
+    for (const ref of report.brokenRefs) {
+      console.log(`    ${chalk3.red("\u2717")} ${ref.ref} ${chalk3.dim(`(in ${ref.source})`)}`);
+    }
+  }
+  if (report.issues.length > 0) {
+    console.log("");
+    for (const issue of report.issues) {
+      const icon = issue.severity === "error" ? chalk3.red("\u2717") : issue.severity === "warn" ? chalk3.yellow("!") : chalk3.blue("i");
+      console.log(`  ${icon} ${issue.message}`);
+    }
+  }
+  console.log(chalk3.dim("\u2500".repeat(50)));
+  const scoreColor = report.score >= 80 ? chalk3.green : report.score >= 50 ? chalk3.yellow : chalk3.red;
+  console.log(`  Quality score: ${scoreColor(`${report.score}/100`)}${report.passed ? "" : chalk3.red(" \u2014 FAILED")}`);
+  console.log("");
+}
+async function exportCommand(path, options) {
+  if (!hasKeys()) {
+    console.log(
+      chalk3.red("No keys found. Run 'skillport init' first to generate keys.")
+    );
+    process.exitCode = 1;
+    return;
+  }
+  console.log(`Reading skill from: ${path}`);
+  const allFiles = collectAllFiles(path);
+  if (!allFiles.has("SKILL.md")) {
+    console.log(chalk3.red("SKILL.md not found in the skill directory."));
+    process.exitCode = 1;
+    return;
+  }
+  const selectedFiles = options.yes ? allFiles : await selectContent(allFiles);
+  console.log("\nRunning quality check...");
+  const skillMdForCheck = selectedFiles.get("SKILL.md").toString("utf-8");
+  const qualityReport = runQualityCheck(skillMdForCheck, selectedFiles);
+  displayQualityReport(qualityReport);
+  if (!qualityReport.passed) {
+    if (options.yes) {
+      console.log(chalk3.yellow("Quality issues found. Continuing (--yes)."));
+    } else {
+      const { continueExport } = await inquirer.prompt([
+        {
+          type: "confirm",
+          name: "continueExport",
+          message: chalk3.yellow("Quality issues found. Continue with export?"),
+          default: false
+        }
+      ]);
+      if (!continueExport) {
+        console.log("Export cancelled. Fix the issues above and try again.");
+        return;
+      }
+    }
+  }
+  console.log("\nRunning security scan...");
+  const textFiles = /* @__PURE__ */ new Map();
+  for (const [p, content] of selectedFiles) {
+    if (isScannable(p)) {
+      textFiles.set(p, content.toString("utf-8"));
+    }
+  }
+  const scanResult = scanFiles(textFiles);
+  const report = generateReport(
+    scanResult.issues,
+    scanResult.scannedFiles,
+    scanResult.skippedFiles
+  );
+  displayScanReport(report);
+  if (!report.passed) {
+    console.log(
+      chalk3.red(
+        "Export blocked: critical/high severity issues found. Fix them before exporting."
+      )
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const config = loadConfig();
+  const publicKey = loadPublicKey2();
+  const keyId = config.default_key_id || computeKeyId(publicKey);
+  let answers;
+  if (options.yes) {
+    const missing = [];
+    if (!options.id) missing.push("--id");
+    if (!options.name) missing.push("--name");
+    if (!options.description) missing.push("--description");
+    if (!options.author) missing.push("--author");
+    if (missing.length > 0) {
+      console.log(chalk3.red(`Missing required flags for --yes mode: ${missing.join(", ")}`));
+      process.exitCode = 1;
+      return;
+    }
+    answers = {
+      id: options.id,
+      name: options.name,
+      description: options.description,
+      version: options.skillVersion || "1.0.0",
+      authorName: options.author,
+      openclawCompat: options.openclawCompat || ">=1.0.0",
+      osCompat: options.os || ["macos", "linux"]
+    };
+  } else {
+    answers = await inquirer.prompt([
+      {
+        type: "input",
+        name: "id",
+        message: "Skill ID (author-slug/skill-slug):",
+        validate: (v) => /^[a-z0-9_-]+\/[a-z0-9_-]+$/.test(v) || "Format: author-slug/skill-slug"
+      },
+      { type: "input", name: "name", message: "Skill name:" },
+      { type: "input", name: "description", message: "Description:" },
+      {
+        type: "input",
+        name: "version",
+        message: "Version:",
+        default: "1.0.0",
+        validate: (v) => /^\d+\.\d+\.\d+$/.test(v) || "Must be semver (x.y.z)"
+      },
+      { type: "input", name: "authorName", message: "Author name:" },
+      {
+        type: "input",
+        name: "openclawCompat",
+        message: "OpenClaw compatibility range:",
+        default: ">=1.0.0"
+      },
+      {
+        type: "checkbox",
+        name: "osCompat",
+        message: "Compatible OS:",
+        choices: ["macos", "linux", "windows"],
+        default: ["macos", "linux"]
+      }
+    ]);
+  }
+  const entrypoints = [{ name: "main", file: "SKILL.md" }];
+  const dangerFlags = report.issues.map((issue) => ({
+    code: issue.id,
+    severity: issue.severity,
+    message: issue.message,
+    file: issue.file,
+    line: issue.line
+  }));
+  const detectedDeps = depsToManifest(qualityReport.detectedDeps);
+  const manifest = {
+    ssp_version: SP_VERSION,
+    id: answers.id,
+    name: answers.name,
+    description: answers.description,
+    version: answers.version,
+    author: {
+      name: answers.authorName,
+      signing_key_id: keyId
+    },
+    openclaw_compat: answers.openclawCompat,
+    os_compat: answers.osCompat,
+    entrypoints,
+    permissions: {
+      network: { mode: "none" },
+      filesystem: { read_paths: [], write_paths: [] },
+      exec: { allowed_commands: [], shell: false }
+    },
+    dependencies: detectedDeps,
+    danger_flags: dangerFlags,
+    install: { steps: [], required_inputs: [] },
+    hashes: {},
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  console.log("Creating SkillPort package...");
+  const privateKey = loadPrivateKey2();
+  const sspBuffer = await createSSP({
+    manifest,
+    files: selectedFiles,
+    privateKeyPem: privateKey
+  });
+  const outputPath = options.output || `${basename(path)}.ssp`;
+  writeFileSync3(outputPath, sspBuffer);
+  console.log(chalk3.green(`
+SkillPort package created: ${outputPath}`));
+  console.log(
+    chalk3.dim(`  Size: ${(sspBuffer.length / 1024).toFixed(1)} KB`)
+  );
+  console.log(
+    chalk3.dim(`  Files: ${selectedFiles.size} (including SKILL.md)`)
+  );
+  if (detectedDeps.length > 0) {
+    console.log(
+      chalk3.dim(`  Dependencies: ${detectedDeps.map((d) => d.name).join(", ")}`)
+    );
+  }
+  console.log(
+    chalk3.dim(`  Quality: ${qualityReport.score}/100`)
+  );
+}
+
+// src/commands/sign.ts
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "node:fs";
+import chalk4 from "chalk";
+init_config();
+async function signCommand(sspPath) {
+  if (!hasKeys()) {
+    console.log(chalk4.red("No keys found. Run 'skillport init' first."));
+    process.exitCode = 1;
+    return;
+  }
+  console.log(`Signing: ${sspPath}`);
+  const data = readFileSync4(sspPath);
+  const extracted = await extractSSP(data);
+  const privateKey = loadPrivateKey2();
+  const files = /* @__PURE__ */ new Map();
+  for (const [path, content] of extracted.files) {
+    const cleanPath = path.startsWith("payload/") ? path.substring(8) : path;
+    files.set(cleanPath, content);
+  }
+  if (extracted.skillMd) {
+    files.set("SKILL.md", Buffer.from(extracted.skillMd));
+  }
+  const sspBuffer = await createSSP({
+    manifest: extracted.manifest,
+    files,
+    privateKeyPem: privateKey
+  });
+  writeFileSync4(sspPath, sspBuffer);
+  console.log(chalk4.green(`Package re-signed successfully: ${sspPath}`));
+}
+
+// src/commands/verify.ts
+import { readFileSync as readFileSync5 } from "node:fs";
+import chalk5 from "chalk";
+async function verifyCommand(sspPath, options) {
+  console.log(`Verifying: ${sspPath}`);
+  const data = readFileSync5(sspPath);
+  const extracted = await extractSSP(data);
+  let allPassed = true;
+  if (extracted.authorSignature) {
+    let publicKeyPem = null;
+    if (options.publicKey) {
+      publicKeyPem = readFileSync5(options.publicKey, "utf-8");
+    }
+    if (publicKeyPem) {
+      const manifestJson = JSON.stringify(extracted.manifest, null, 2);
+      const sigValid = verifySignature(
+        manifestJson,
+        extracted.authorSignature,
+        publicKeyPem
+      );
+      if (sigValid) {
+        console.log(chalk5.green("  Author signature: VALID"));
+      } else {
+        console.log(chalk5.red("  Author signature: INVALID"));
+        allPassed = false;
+      }
+    } else {
+      console.log(chalk5.yellow("  Author signature: PRESENT (no public key to verify)"));
+    }
+  } else {
+    console.log(chalk5.red("  Author signature: MISSING"));
+    allPassed = false;
+  }
+  if (extracted.platformSignature) {
+    console.log(chalk5.green("  Platform signature: PRESENT"));
+  } else {
+    console.log(chalk5.dim("  Platform signature: ABSENT"));
+  }
+  const { valid, mismatches } = verifyChecksums(
+    extracted.files,
+    extracted.checksums
+  );
+  if (valid) {
+    console.log(chalk5.green("  Checksums: ALL VALID"));
+  } else {
+    console.log(chalk5.red(`  Checksums: ${mismatches.length} MISMATCHES`));
+    for (const path of mismatches) {
+      console.log(chalk5.red(`    - ${path}`));
+    }
+    allPassed = false;
+  }
+  console.log();
+  if (allPassed) {
+    console.log(chalk5.green.bold("Verification PASSED"));
+  } else {
+    console.log(chalk5.red.bold("Verification FAILED"));
+    process.exitCode = 1;
+  }
+}
+
+// src/commands/install.ts
+import { readFileSync as readFileSync6, mkdirSync as mkdirSync2, writeFileSync as writeFileSync5, existsSync as existsSync2 } from "node:fs";
+import { join as join5 } from "node:path";
+import { homedir as homedir2 } from "node:os";
+import chalk6 from "chalk";
+import inquirer2 from "inquirer";
+init_dist();
+init_config();
+function getSkillsBaseDir() {
+  return process.env.OPENCLAW_SKILLS_DIR || join5(homedir2(), OPENCLAW_SKILLS_DIR);
+}
+async function installCommand(target, options) {
+  let data;
+  if (existsSync2(target)) {
+    data = readFileSync6(target);
+  } else {
+    console.log(chalk6.dim(`Resolving from marketplace: ${target}`));
+    const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+    const config = loadConfig2();
+    if (!config.auth_token) {
+      console.log(chalk6.red("Not logged in. Run 'skillport login' first."));
+      process.exitCode = 1;
+      return;
+    }
+    let skillId = target;
+    let version;
+    const atIdx = target.lastIndexOf("@");
+    if (atIdx > 0) {
+      skillId = target.substring(0, atIdx);
+      version = target.substring(atIdx + 1);
+    }
+    try {
+      let resolvedId = skillId;
+      if (skillId.includes("/")) {
+        const searchRes = await fetch(
+          `${config.marketplace_url}/v1/skills?q=${encodeURIComponent(skillId)}&per_page=1`,
+          { headers: { Authorization: `Bearer ${config.auth_token}` } }
+        );
+        if (!searchRes.ok) {
+          console.log(chalk6.red(`Marketplace search failed: ${searchRes.statusText}`));
+          process.exitCode = 1;
+          return;
+        }
+        const searchData = await searchRes.json();
+        const match = searchData.data.find((s) => s.ssp_id === skillId);
+        if (!match) {
+          console.log(chalk6.red(`Skill not found: ${skillId}`));
+          process.exitCode = 1;
+          return;
+        }
+        resolvedId = match.id;
+      }
+      const dlUrl = version ? `${config.marketplace_url}/v1/skills/${resolvedId}/download?version=${version}` : `${config.marketplace_url}/v1/skills/${resolvedId}/download`;
+      const dlRes = await fetch(dlUrl, {
+        headers: { Authorization: `Bearer ${config.auth_token}` }
+      });
+      if (!dlRes.ok) {
+        const err = await dlRes.json();
+        console.log(chalk6.red(`Download failed: ${err.error || dlRes.statusText}`));
+        process.exitCode = 1;
+        return;
+      }
+      const { url } = await dlRes.json();
+      console.log(chalk6.dim("Downloading package..."));
+      const fileRes = await fetch(url);
+      if (!fileRes.ok) {
+        console.log(chalk6.red("Failed to download package file."));
+        process.exitCode = 1;
+        return;
+      }
+      data = Buffer.from(await fileRes.arrayBuffer());
+      console.log(chalk6.green(`  Downloaded ${(data.length / 1024).toFixed(1)} KB`));
+    } catch (err) {
+      console.log(chalk6.red(`Marketplace error: ${err.message}`));
+      process.exitCode = 1;
+      return;
+    }
+  }
+  console.log("Extracting SkillPort package...");
+  const extracted = await extractSSP(data);
+  const { manifest } = extracted;
+  console.log("Verifying checksums...");
+  const { valid, mismatches } = verifyChecksums(
+    extracted.files,
+    extracted.checksums
+  );
+  if (!valid) {
+    console.log(chalk6.red("Checksum verification FAILED. Aborting install."));
+    for (const path of mismatches) {
+      console.log(chalk6.red(`  Mismatch: ${path}`));
+    }
+    process.exitCode = 1;
+    return;
+  }
+  console.log(chalk6.green("  Checksums verified."));
+  if (extracted.authorSignature) {
+    console.log(chalk6.green("  Author signature present."));
+  } else {
+    console.log(chalk6.red("  No author signature. Aborting install."));
+    process.exitCode = 1;
+    return;
+  }
+  if (extracted.platformSignature) {
+    console.log(chalk6.green("  Platform signature present."));
+  }
+  console.log("");
+  console.log(chalk6.bold("\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"));
+  console.log(chalk6.bold(`\u2551  ${manifest.name}`));
+  console.log(chalk6.bold(`\u2551  v${manifest.version} by ${manifest.author.name}`));
+  console.log(chalk6.bold("\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D"));
+  console.log(chalk6.dim(`  ${manifest.description}`));
+  console.log(chalk6.dim(`  OS: ${manifest.os_compat.join(", ")} | ID: ${manifest.id}`));
+  console.log("");
+  console.log(chalk6.bold("Environment Check:"));
+  console.log(chalk6.dim("\u2500".repeat(50)));
+  const envReport = checkEnvironment(manifest);
+  const osIcon = envReport.os.compatible ? chalk6.green("\u2713") : chalk6.red("\u2717");
+  console.log(`  ${osIcon} OS: ${envReport.os.name} ${envReport.os.compatible ? "" : chalk6.red("(not compatible)")}`);
+  for (const bin of envReport.binaries) {
+    const icon = bin.status === "ok" ? chalk6.green("\u2713") : bin.status === "warn" ? chalk6.yellow("!") : chalk6.red("\u2717");
+    console.log(`  ${icon} ${bin.check}: ${chalk6.dim(bin.detail)}`);
+  }
+  for (const env of envReport.envVars) {
+    const icon = env.status === "ok" ? chalk6.green("\u2713") : env.status === "warn" ? chalk6.yellow("!") : chalk6.red("\u2717");
+    console.log(`  ${icon} ${env.check}: ${chalk6.dim(env.detail)}`);
+  }
+  if (envReport.binaries.length === 0 && envReport.envVars.length === 0) {
+    console.log(chalk6.dim("  No specific dependencies required."));
+  }
+  console.log(chalk6.dim("\u2500".repeat(50)));
+  if (!envReport.os.compatible) {
+    console.log(chalk6.red(`
+This skill is not compatible with your OS (${envReport.os.name}).`));
+    console.log(chalk6.red(`Supported: ${manifest.os_compat.join(", ")}`));
+    process.exitCode = 1;
+    return;
+  }
+  console.log("");
+  console.log("Running local security scan...");
+  const textFiles = /* @__PURE__ */ new Map();
+  for (const [path, content] of extracted.files) {
+    if (isScannable(path)) {
+      textFiles.set(path, content.toString("utf-8"));
+    }
+  }
+  const scanResult = scanFiles(textFiles);
+  const report = generateReport(
+    scanResult.issues,
+    scanResult.scannedFiles,
+    scanResult.skippedFiles
+  );
+  displayScanReport(report);
+  displayPermissions(manifest.permissions);
+  displayDangerFlags(manifest.danger_flags);
+  const permSummary = assessPermissions(manifest.permissions);
+  const requiresAcceptRisk = manifest.permissions.exec.shell || manifest.danger_flags.some((f) => f.severity === "critical");
+  if (requiresAcceptRisk && !options.acceptRisk) {
+    console.log(
+      chalk6.red(
+        "This skill requires shell access or has critical danger flags."
+      )
+    );
+    console.log(
+      chalk6.red("Use --accept-risk to acknowledge and proceed.")
+    );
+    process.exitCode = 1;
+    return;
+  }
+  let finalSkillMd;
+  let finalFiles = extracted.files;
+  if (extracted.skillMd && !options.yes) {
+    const parsed = parseSkillMd(extracted.skillMd);
+    if (parsed.sections.length > 1) {
+      const missingBins = envReport.binaries.filter((b) => b.status === "missing").map((b) => b.check);
+      const incompatibleIndices = findIncompatibleSections(
+        parsed.sections.map((s) => s.raw),
+        missingBins
+      );
+      console.log(chalk6.bold("Skill Sections:"));
+      for (let i = 0; i < parsed.sections.length; i++) {
+        const section = parsed.sections[i];
+        const summary = sectionSummary(section);
+        const isIncompat = incompatibleIndices.includes(i);
+        const icon = isIncompat ? chalk6.yellow("!") : chalk6.green("\u2713");
+        const hint = isIncompat ? chalk6.yellow(" (requires missing dependency)") : "";
+        console.log(`  ${icon} ${section.heading}${hint}`);
+        if (summary) {
+          console.log(chalk6.dim(`    ${summary}`));
+        }
+      }
+      console.log("");
+      const hasIncompat = incompatibleIndices.length > 0;
+      const customizeMessage = hasIncompat ? "Some sections require missing dependencies. Customize installation?" : "Customize which sections to install?";
+      const { customize } = await inquirer2.prompt([
+        {
+          type: "confirm",
+          name: "customize",
+          message: customizeMessage,
+          default: hasIncompat
+        }
+      ]);
+      if (customize) {
+        const sectionChoices = parsed.sections.map((section, idx) => {
+          const isIncompat = incompatibleIndices.includes(idx);
+          const summary = sectionSummary(section);
+          const label = isIncompat ? `${section.heading} ${chalk6.yellow("(missing deps)")}` : summary ? `${section.heading} ${chalk6.dim(`\u2014 ${summary}`)}` : section.heading;
+          return { name: label, value: idx, checked: !isIncompat };
+        });
+        const { selectedSections } = await inquirer2.prompt([
+          {
+            type: "checkbox",
+            name: "selectedSections",
+            message: "Select sections to install:",
+            choices: sectionChoices,
+            validate: (v) => v.length > 0 || "At least one section must be selected"
+          }
+        ]);
+        finalSkillMd = reconstructSkillMd(parsed, selectedSections);
+        const excludedIndices = new Set(
+          parsed.sections.map((_, i) => i).filter((i) => !selectedSections.includes(i))
+        );
+        if (excludedIndices.size > 0) {
+          const excludedRefs = /* @__PURE__ */ new Set();
+          for (const idx of excludedIndices) {
+            for (const ref of parsed.sections[idx].referencedFiles) {
+              excludedRefs.add(ref);
+            }
+          }
+          if (excludedRefs.size > 0) {
+            const includedRefs = /* @__PURE__ */ new Set();
+            for (const idx of selectedSections) {
+              for (const ref of parsed.sections[idx].referencedFiles) {
+                includedRefs.add(ref);
+              }
+            }
+            const toRemove = /* @__PURE__ */ new Set();
+            for (const ref of excludedRefs) {
+              if (!includedRefs.has(ref)) {
+                toRemove.add(ref);
+                toRemove.add(`payload/${ref}`);
+              }
+            }
+            if (toRemove.size > 0) {
+              finalFiles = new Map(
+                [...extracted.files].filter(([path]) => !toRemove.has(path))
+              );
+            }
+          }
+          const removedCount = parsed.sections.length - selectedSections.length;
+          console.log(chalk6.cyan(`
+Optimized: ${removedCount} section(s) excluded for your environment.`));
+        }
+      }
+    }
+  }
+  if (!options.yes) {
+    const { confirm } = await inquirer2.prompt([
+      {
+        type: "confirm",
+        name: "confirm",
+        message: `Install ${manifest.name} v${manifest.version}?`,
+        default: true
+      }
+    ]);
+    if (!confirm) {
+      console.log("Installation cancelled.");
+      return;
+    }
+  }
+  const [authorSlug, skillSlug] = manifest.id.split("/");
+  const installDir = join5(
+    getSkillsBaseDir(),
+    authorSlug,
+    skillSlug
+  );
+  mkdirSync2(installDir, { recursive: true });
+  writeFileSync5(
+    join5(installDir, "manifest.json"),
+    JSON.stringify(manifest, null, 2)
+  );
+  const skillMdToWrite = finalSkillMd ?? extracted.skillMd;
+  if (skillMdToWrite) {
+    writeFileSync5(join5(installDir, "SKILL.md"), skillMdToWrite);
+  }
+  for (const [path, content] of finalFiles) {
+    if (path === "SKILL.md") continue;
+    const cleanPath = path.startsWith("payload/") ? path.substring(8) : path;
+    const filePath = join5(installDir, cleanPath);
+    const dir = filePath.substring(0, filePath.lastIndexOf("/"));
+    mkdirSync2(dir, { recursive: true });
+    writeFileSync5(filePath, content);
+  }
+  if (manifest.install.required_inputs.length > 0) {
+    const relevantInputs = manifest.install.required_inputs.filter((input) => {
+      if (finalSkillMd) {
+        return finalSkillMd.toLowerCase().includes(input.key.toLowerCase());
+      }
+      return true;
+    });
+    if (relevantInputs.length > 0) {
+      let inputAnswers;
+      if (options.yes) {
+        inputAnswers = {};
+        for (const input of relevantInputs) {
+          inputAnswers[input.key] = input.default?.toString() || "";
+        }
+      } else {
+        console.log(chalk6.bold("\nRequired configuration:"));
+        inputAnswers = await inquirer2.prompt(
+          relevantInputs.map((input) => ({
+            type: input.type === "secret" ? "password" : "input",
+            name: input.key,
+            message: input.description,
+            default: input.default?.toString()
+          }))
+        );
+      }
+      const envContent = Object.entries(inputAnswers).map(([k, v]) => `${k}=${v}`).join("\n");
+      writeFileSync5(join5(installDir, ".env"), envContent, { mode: 384 });
+    }
+  }
+  const registry = loadRegistry();
+  registry.skills = registry.skills.filter((s) => s.id !== manifest.id);
+  registry.skills.push({
+    id: manifest.id,
+    version: manifest.version,
+    installed_at: (/* @__PURE__ */ new Date()).toISOString(),
+    install_path: installDir,
+    author_key_id: manifest.author.signing_key_id
+  });
+  saveRegistry(registry);
+  appendAuditLog({
+    action: "install",
+    skill_id: manifest.id,
+    version: manifest.version,
+    risk_score: report.risk_score,
+    install_path: installDir,
+    customized: finalSkillMd !== void 0
+  });
+  console.log(chalk6.green(`
+Installed: ${manifest.name} v${manifest.version}`));
+  console.log(chalk6.dim(`  Location: ${installDir}`));
+  if (finalSkillMd) {
+    console.log(chalk6.dim("  Optimized for your environment."));
+  }
+}
+
+// src/commands/dry-run.ts
+import { readFileSync as readFileSync7 } from "node:fs";
+import { platform } from "node:os";
+import chalk7 from "chalk";
+async function dryRunCommand(sspPath) {
+  console.log(`Dry-run diagnostics for: ${sspPath}`);
+  console.log();
+  const data = readFileSync7(sspPath);
+  const extracted = await extractSSP(data);
+  const { manifest } = extracted;
+  const diagnostics = [];
+  diagnostics.push({
+    check: "Author Signature",
+    status: extracted.authorSignature ? "pass" : "fail",
+    detail: extracted.authorSignature ? "Present" : "Missing"
+  });
+  diagnostics.push({
+    check: "Platform Signature",
+    status: extracted.platformSignature ? "pass" : "warn",
+    detail: extracted.platformSignature ? "Present" : "Absent (not required)"
+  });
+  const { valid, mismatches } = verifyChecksums(
+    extracted.files,
+    extracted.checksums
+  );
+  diagnostics.push({
+    check: "Checksums",
+    status: valid ? "pass" : "fail",
+    detail: valid ? `All ${Object.keys(extracted.checksums).length} files verified` : `${mismatches.length} mismatches`
+  });
+  const currentOS = platform() === "darwin" ? "macos" : platform();
+  const osCompat = manifest.os_compat.includes(currentOS);
+  diagnostics.push({
+    check: "OS Compatibility",
+    status: osCompat ? "pass" : "fail",
+    detail: osCompat ? `Current OS (${currentOS}) is supported` : `Current OS (${currentOS}) not in ${manifest.os_compat.join(", ")}`
+  });
+  for (const dep of manifest.dependencies) {
+    if (dep.type === "cli") {
+      const { execSync: execSync2 } = await import("node:child_process");
+      let found = false;
+      try {
+        execSync2(`which ${dep.name}`, { stdio: "pipe" });
+        found = true;
+      } catch {
+        found = false;
+      }
+      diagnostics.push({
+        check: `Dependency: ${dep.name}`,
+        status: found ? "pass" : dep.optional ? "warn" : "fail",
+        detail: found ? "Found" : dep.optional ? "Not found (optional)" : "Not found (required)"
+      });
+    }
+  }
+  const textFiles = /* @__PURE__ */ new Map();
+  for (const [path, content] of extracted.files) {
+    if (isScannable(path)) {
+      textFiles.set(path, content.toString("utf-8"));
+    }
+  }
+  const scanResult = scanFiles(textFiles);
+  const report = generateReport(
+    scanResult.issues,
+    scanResult.scannedFiles,
+    scanResult.skippedFiles
+  );
+  diagnostics.push({
+    check: "Security Scan",
+    status: report.passed ? report.summary.total > 0 ? "warn" : "pass" : "fail",
+    detail: `Risk: ${report.risk_score}/100, Issues: ${report.summary.total}`
+  });
+  console.log(chalk7.bold("Diagnostic Results:"));
+  console.log(chalk7.dim("\u2500".repeat(60)));
+  for (const d of diagnostics) {
+    let icon;
+    let color;
+    switch (d.status) {
+      case "pass":
+        icon = "\u2713";
+        color = chalk7.green;
+        break;
+      case "warn":
+        icon = "!";
+        color = chalk7.yellow;
+        break;
+      case "fail":
+        icon = "\u2717";
+        color = chalk7.red;
+        break;
+    }
+    console.log(
+      `  ${color(icon)} ${d.check.padEnd(25)} ${chalk7.dim(d.detail)}`
+    );
+  }
+  console.log(chalk7.dim("\u2500".repeat(60)));
+  const hasFail = diagnostics.some((d) => d.status === "fail");
+  if (hasFail) {
+    console.log(chalk7.red.bold("\nDry-run: ISSUES FOUND"));
+    process.exitCode = 1;
+  } else {
+    console.log(chalk7.green.bold("\nDry-run: ALL CHECKS PASSED"));
+  }
+}
+
+// src/commands/uninstall.ts
+init_config();
+import { rmSync, existsSync as existsSync4 } from "node:fs";
+import chalk8 from "chalk";
+import inquirer3 from "inquirer";
+async function uninstallCommand(skillId) {
+  const registry = loadRegistry();
+  const skill = registry.skills.find((s) => s.id === skillId);
+  if (!skill) {
+    console.log(chalk8.red(`Skill not found in registry: ${skillId}`));
+    console.log(chalk8.dim("Installed skills:"));
+    for (const s of registry.skills) {
+      console.log(chalk8.dim(`  ${s.id} v${s.version}`));
+    }
+    process.exitCode = 1;
+    return;
+  }
+  const { confirm } = await inquirer3.prompt([
+    {
+      type: "confirm",
+      name: "confirm",
+      message: `Uninstall ${skill.id} v${skill.version}?`,
+      default: false
+    }
+  ]);
+  if (!confirm) {
+    console.log("Uninstall cancelled.");
+    return;
+  }
+  if (existsSync4(skill.install_path)) {
+    rmSync(skill.install_path, { recursive: true });
+    console.log(chalk8.dim(`  Removed: ${skill.install_path}`));
+  }
+  registry.skills = registry.skills.filter((s) => s.id !== skillId);
+  saveRegistry(registry);
+  appendAuditLog({
+    action: "uninstall",
+    skill_id: skillId,
+    version: skill.version
+  });
+  console.log(chalk8.green(`Uninstalled: ${skillId}`));
+}
+
+// src/commands/login.ts
+init_config();
+import { createServer } from "node:http";
+import { randomBytes } from "node:crypto";
+import chalk9 from "chalk";
+import inquirer4 from "inquirer";
+async function loginCommand() {
+  const config = loadConfig();
+  console.log(chalk9.bold("SkillPort Market Login"));
+  console.log(chalk9.dim(`Marketplace: ${config.marketplace_url}`));
+  console.log();
+  const { method } = await inquirer4.prompt([
+    {
+      type: "list",
+      name: "method",
+      message: "Login method:",
+      choices: [
+        { name: "Browser (GitHub OAuth)", value: "browser" },
+        { name: "Paste API token", value: "token" }
+      ]
+    }
+  ]);
+  if (method === "token") {
+    const { token: token2 } = await inquirer4.prompt([
+      { type: "password", name: "token", message: "Enter your API token:" }
+    ]);
+    config.auth_token = token2;
+    saveConfig(config);
+    console.log(chalk9.green("Login successful! Token saved."));
+    return;
+  }
+  const state = randomBytes(16).toString("hex");
+  const port = 9876;
+  const authUrl = `${config.marketplace_url}/auth/cli?state=${state}&port=${port}`;
+  console.log(chalk9.dim(`Opening browser to: ${authUrl}`));
+  console.log(chalk9.dim("Waiting for authentication..."));
+  const { exec } = await import("node:child_process");
+  const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  exec(`${openCmd} "${authUrl}"`);
+  const token = await new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      server.close();
+      reject(new Error("Authentication timed out (60s)"));
+    }, 6e4);
+    const server = createServer(async (req, res) => {
+      const url = new URL(req.url || "", `http://localhost:${port}`);
+      if (url.pathname === "/callback") {
+        const callbackState = url.searchParams.get("state");
+        const accessToken = url.searchParams.get("token");
+        if (callbackState !== state) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end("<h1>State mismatch. Please try again.</h1>");
+          return;
+        }
+        if (!accessToken) {
+          res.writeHead(400, { "Content-Type": "text/html" });
+          res.end("<h1>No token received. Please try again.</h1>");
+          return;
+        }
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end("<h1>Logged in to SkillPort! You can close this window.</h1>");
+        clearTimeout(timeout);
+        server.close();
+        resolve(accessToken);
+      }
+    });
+    server.listen(port);
+  });
+  try {
+    const response = await fetch(`${config.marketplace_url}/v1/auth/cli-token`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${token}`
+      },
+      body: JSON.stringify({ label: "cli", scopes: ["read", "write", "publish"] })
+    });
+    if (response.ok) {
+      const data = await response.json();
+      config.auth_token = data.token;
+    } else {
+      config.auth_token = token;
+    }
+  } catch {
+    config.auth_token = token;
+  }
+  saveConfig(config);
+  if (hasKeys()) {
+    try {
+      const publicKey = loadPublicKey2();
+      await fetch(`${config.marketplace_url}/v1/keys`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${config.auth_token}`
+        },
+        body: JSON.stringify({ public_key_pem: publicKey, label: "default" })
+      });
+      console.log(chalk9.dim("  Public key registered with marketplace."));
+    } catch {
+    }
+  }
+  console.log(chalk9.green("Login successful! Token saved."));
+}
+
+// src/commands/publish.ts
+import { readFileSync as readFileSync8, existsSync as existsSync5 } from "node:fs";
+import { join as join6 } from "node:path";
+import { homedir as homedir3 } from "node:os";
+import chalk10 from "chalk";
+init_config();
+async function publishCommand(sspPath) {
+  const config = loadConfig();
+  if (!config.auth_token) {
+    console.log(chalk10.red("Not logged in. Run 'skillport login' first."));
+    process.exitCode = 1;
+    return;
+  }
+  console.log(`Validating: ${sspPath}`);
+  const data = readFileSync8(sspPath);
+  const extracted = await extractSSP(data);
+  const { valid } = verifyChecksums(extracted.files, extracted.checksums);
+  if (!valid) {
+    console.log(chalk10.red("Checksum verification failed. Cannot publish."));
+    process.exitCode = 1;
+    return;
+  }
+  if (!extracted.authorSignature) {
+    console.log(chalk10.red("No author signature. Sign the package first."));
+    process.exitCode = 1;
+    return;
+  }
+  const keyId = extracted.manifest.author.signing_key_id;
+  const pubKeyPath = join6(homedir3(), ".skillport", "keys", "default.pub");
+  if (existsSync5(pubKeyPath)) {
+    const pubKeyPem = readFileSync8(pubKeyPath, "utf-8");
+    const sigValid = verifySignature(
+      extracted.manifestRaw,
+      extracted.authorSignature,
+      pubKeyPem
+    );
+    if (!sigValid) {
+      console.log(chalk10.red("Signature verification failed. Package may have been tampered with after signing."));
+      console.log(chalk10.dim(`  Key ID: ${keyId}`));
+      process.exitCode = 1;
+      return;
+    }
+    console.log(chalk10.green("\u2713 Signature verified"));
+  } else {
+    console.log(chalk10.yellow("\u26A0 Local public key not found \u2014 skipping local signature check"));
+    console.log(chalk10.dim("  Server will verify signature against registered key."));
+  }
+  console.log("Uploading to marketplace...");
+  try {
+    const formData = new FormData();
+    formData.append("file", new Blob([data]), sspPath.split("/").pop());
+    const response = await fetch(`${config.marketplace_url}/v1/skills`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.auth_token}`
+      },
+      body: formData
+    });
+    if (!response.ok) {
+      const errorBody = await response.json();
+      console.log(chalk10.red(`Upload failed: ${errorBody.error || response.statusText}`));
+      process.exitCode = 1;
+      return;
+    }
+    const result = await response.json();
+    console.log(chalk10.green("Published successfully!"));
+    console.log();
+    console.log(`  ${chalk10.bold("Skill ID:")}    ${result.id}`);
+    console.log(`  ${chalk10.bold("SSP ID:")}      ${result.ssp_id}`);
+    console.log(`  ${chalk10.bold("Version:")}     ${result.version}`);
+    console.log(`  ${chalk10.bold("Scan:")}        ${result.scan_passed ? chalk10.green("PASSED") : chalk10.red("FAILED")}`);
+    console.log(`  ${chalk10.bold("Risk Score:")}  ${result.risk_score}/100`);
+    console.log();
+    console.log(chalk10.dim(`  URL: ${config.marketplace_url}/skills/${result.id}`));
+    console.log(chalk10.dim(`  Install: skillport install ${result.ssp_id}@${result.version}`));
+  } catch (error) {
+    console.log(chalk10.red(`Upload failed: ${error.message}`));
+    process.exitCode = 1;
+  }
+}
+
+// src/index.ts
+var program = new Command();
+program.name("skillport").description("SkillPort \u2014 secure skill distribution for OpenClaw").version("0.1.0");
+program.command("init").description("Generate Ed25519 key pair for signing").action(initCommand);
+program.command("scan <path>").description("Run security scan on a skill directory or .ssp file").action(scanCommand);
+program.command("export <path>").description("Export a skill directory as a SkillPort package (.ssp)").option("-o, --output <file>", "Output file path").option("-y, --yes", "Non-interactive mode (include all, skip prompts)").option("--id <id>", "Skill ID (author-slug/skill-slug)").option("--name <name>", "Skill name").option("--description <desc>", "Skill description").option("--skill-version <ver>", "Skill version (semver)").option("--author <name>", "Author name").option("--openclaw-compat <range>", "OpenClaw compatibility range").option("--os <os...>", "Compatible OS (macos, linux, windows)").action(exportCommand);
+program.command("sign <ssp>").description("Sign or re-sign a SkillPort package").action(signCommand);
+program.command("verify <ssp>").description("Verify SkillPort package signatures and checksums").option("--public-key <path>", "Path to author public key for verification").action(verifyCommand);
+program.command("install <target>").description("Install a SkillPort package").option("--accept-risk", "Accept high-risk permissions (shell, critical flags)").option("-y, --yes", "Non-interactive mode (auto-approve, use defaults)").action(installCommand);
+program.command("dry-run <ssp>").description("Run installation diagnostics without installing").action(dryRunCommand);
+program.command("uninstall <id>").description("Uninstall an installed skill").action(uninstallCommand);
+program.command("login").description("Authenticate with SkillPort Market").action(loginCommand);
+program.command("publish <ssp>").description("Publish a SkillPort package to the marketplace").action(publishCommand);
+program.parse();