@spardutti/claude-skills 2.2.0 → 2.3.0

package/lib/github.mjs

@@ -67,17 +67,57 @@ async function fetchListing({ apiUrl, label, entryFilter, buildRawUrl, mapEntry,
   return results.filter(Boolean);
 }
 
-export function fetchSkills() {
-  return fetchListing({
-    apiUrl: CONTENTS_API,
-    label: "skills",
-    entryFilter: (e) => e.type === "dir",
-    buildRawUrl: (dir) => `${RAW_BASE}/${dir.name}/SKILL.md`,
-    mapEntry: (dir, content) => {
-      const { name, description, category } = parseFrontmatter(content, dir.name);
-      return { dirName: dir.name, name, description, category, content };
-    },
-  });
+export async function fetchSkills() {
+  const headers = getAuthHeaders();
+  const res = await fetch(CONTENTS_API, { headers });
+
+  if (!res.ok) {
+    if (res.status === 403 || res.status === 429) {
+      throw new Error("GitHub API rate limit exceeded. Try again later or install gh CLI (https://cli.github.com).");
+    }
+    throw new Error(`Failed to list skills: ${res.status} ${res.statusText}`);
+  }
+
+  const dirs = (await res.json()).filter((e) => e.type === "dir");
+
+  const skills = await Promise.all(
+    dirs.map(async (dir) => {
+      try {
+        const listRes = await fetch(`${CONTENTS_API}/${dir.name}`, { headers });
+        if (!listRes.ok) {
+          console.warn(`  Warning: Failed to list skill ${dir.name}, skipping`);
+          return null;
+        }
+        const files = (await listRes.json()).filter((e) => e.type === "file");
+
+        const fetched = await Promise.all(
+          files.map(async (f) => {
+            const r = await fetch(`${RAW_BASE}/${dir.name}/${f.name}`, { headers });
+            if (!r.ok) {
+              console.warn(`  Warning: Failed to fetch ${dir.name}/${f.name}, skipping`);
+              return null;
+            }
+            return { name: f.name, content: await r.text(), executable: f.name.endsWith(".sh") };
+          })
+        );
+
+        const valid = fetched.filter(Boolean);
+        const skillMd = valid.find((f) => f.name === "SKILL.md");
+        if (!skillMd) {
+          console.warn(`  Warning: ${dir.name}/SKILL.md missing, skipping`);
+          return null;
+        }
+        const peerFiles = valid.filter((f) => f.name !== "SKILL.md");
+        const { name, description, category } = parseFrontmatter(skillMd.content, dir.name);
+        return { dirName: dir.name, name, description, category, content: skillMd.content, peerFiles };
+      } catch {
+        console.warn(`  Warning: Failed to fetch ${dir.name}, skipping`);
+        return null;
+      }
+    })
+  );
+
+  return skills.filter(Boolean);
 }
 
 export function fetchCommands() {

package/lib/install.mjs

@@ -1,4 +1,4 @@
-import { mkdir, writeFile } from "node:fs/promises";
+import { mkdir, writeFile, chmod } from "node:fs/promises";
 import { join } from "node:path";
 import chalk from "chalk";
 
@@ -24,6 +24,13 @@ export async function installSkills(skills, targetDir = process.cwd()) {
     const skillDir = join(baseDir, skill.dirName);
     await mkdir(skillDir, { recursive: true });
     await writeFile(join(skillDir, "SKILL.md"), skill.content);
+
+    for (const peer of skill.peerFiles ?? []) {
+      const peerPath = join(skillDir, peer.name);
+      await writeFile(peerPath, peer.content);
+      if (peer.executable) await chmod(peerPath, 0o755);
+    }
+
     console.log(`  ${chalk.green("✔")} ${chalk.bold(humanName(skill))} ${chalk.dim(`→ .claude/skills/${skill.dirName}/`)}`);
   }
 }

package/lib/setup-hook.mjs

@@ -54,8 +54,78 @@ touch "/tmp/claude-skill-gate-$SESSION_ID"
 exit 0
 `;
 
+// PreToolUse audit runner: runs each installed skill's audit.sh against the
+// write target. Denies the write if any audit exits 2. Defers (exits 0) when
+// the skill-gate marker isn't set yet — the gate handles that case.
+//
+// Honors .claude/skill-audit-ignore (one skill name per line, # comments OK).
+const AUDIT_RUNNER_SCRIPT = `#!/bin/bash
+# PreToolUse skill-audit runner.
+
+INPUT=$(cat)
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+PROJECT_DIR="$(dirname "$(dirname "$SCRIPT_DIR")")"
+
+SESSION_ID=$(printf '%s' "$INPUT" | grep -o '"session_id":"[^"]*"' | head -1 | sed 's/"session_id":"//; s/"$//')
+if [ -z "$SESSION_ID" ]; then
+  exit 0
+fi
+
+# Defer until the skill-gate has been satisfied in this session.
+if [ ! -f "/tmp/claude-skill-gate-$SESSION_ID" ]; then
+  exit 0
+fi
+
+FILE_PATH=$(printf '%s' "$INPUT" | grep -o '"file_path":"[^"]*"' | head -1 | sed 's/"file_path":"//; s/"$//')
+if [ -z "$FILE_PATH" ]; then
+  exit 0
+fi
+
+SKILLS_DIR="$PROJECT_DIR/.claude/skills"
+[ ! -d "$SKILLS_DIR" ] && exit 0
+
+IGNORE_FILE="$PROJECT_DIR/.claude/skill-audit-ignore"
+is_ignored() {
+  [ ! -f "$IGNORE_FILE" ] && return 1
+  grep -qE "^[[:space:]]*\${1}[[:space:]]*(#.*)?$" "$IGNORE_FILE"
+}
+
+# Portable JSON string escape for the deny reason.
+json_escape() {
+  local s="$1"
+  s="\${s//\\\\/\\\\\\\\}"
+  s="\${s//\\"/\\\\\\"}"
+  s="\${s//$'\\n'/\\\\n}"
+  s="\${s//$'\\r'/\\\\r}"
+  s="\${s//$'\\t'/\\\\t}"
+  printf '"%s"' "$s"
+}
+
+for audit in "$SKILLS_DIR"/*/audit.sh; do
+  [ ! -f "$audit" ] && continue
+  [ ! -x "$audit" ] && continue
+  skill_name=$(basename "$(dirname "$audit")")
+  if is_ignored "$skill_name"; then
+    continue
+  fi
+
+  output=$("$audit" "$FILE_PATH" 2>&1 >/dev/null)
+  rc=$?
+
+  if [ $rc -eq 2 ]; then
+    reason=$(json_escape "$output")
+    printf '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"deny","permissionDecisionReason":%s}}\\n' "$reason"
+    exit 0
+  fi
+done
+
+exit 0
+`;
+
 const GATE_FILENAME = "skill-gate.sh";
 const AUTO_MARK_FILENAME = "skill-gate-automark.sh";
+const AUDIT_RUNNER_FILENAME = "skill-audit-runner.sh";
 const LEGACY_EVAL_FILENAME = "skill-forced-eval-hook.sh";
 
 export async function setupHook(targetDir = process.cwd()) {
@@ -63,6 +133,7 @@ export async function setupHook(targetDir = process.cwd()) {
   const hooksDir = join(resolved, ".claude", "hooks");
   const gatePath = join(hooksDir, GATE_FILENAME);
   const autoMarkPath = join(hooksDir, AUTO_MARK_FILENAME);
+  const auditRunnerPath = join(hooksDir, AUDIT_RUNNER_FILENAME);
   const settingsPath = join(resolved, ".claude", "settings.json");
 
   await mkdir(hooksDir, { recursive: true });
@@ -70,6 +141,8 @@ export async function setupHook(targetDir = process.cwd()) {
   await chmod(gatePath, 0o755);
   await writeFile(autoMarkPath, AUTO_MARK_SCRIPT, { mode: 0o755 });
   await chmod(autoMarkPath, 0o755);
+  await writeFile(auditRunnerPath, AUDIT_RUNNER_SCRIPT, { mode: 0o755 });
+  await chmod(auditRunnerPath, 0o755);
 
   let settings = {};
   try {
@@ -105,6 +178,17 @@ export async function setupHook(targetDir = process.cwd()) {
     settings.hooks.PreToolUse = [gateEntry];
   }
 
+  // Register PreToolUse audit runner (after the gate).
+  const auditCommand = `$CLAUDE_PROJECT_DIR/.claude/hooks/${AUDIT_RUNNER_FILENAME}`;
+  const auditEntry = {
+    matcher: "Write|Edit|MultiEdit",
+    hooks: [{ type: "command", command: auditCommand }],
+  };
+  const auditAlreadyRegistered = settings.hooks.PreToolUse.some((entry) =>
+    entry.hooks?.some((h) => h.command?.endsWith(AUDIT_RUNNER_FILENAME))
+  );
+  if (!auditAlreadyRegistered) settings.hooks.PreToolUse.push(auditEntry);
+
   // Register PostToolUse auto-mark on Skill.
   const autoMarkCommand = `$CLAUDE_PROJECT_DIR/.claude/hooks/${AUTO_MARK_FILENAME}`;
   const autoMarkEntry = {
@@ -125,5 +209,6 @@ export async function setupHook(targetDir = process.cwd()) {
 
   console.log(`  Hook installed: .claude/hooks/${GATE_FILENAME}`);
   console.log(`  Hook installed: .claude/hooks/${AUTO_MARK_FILENAME}`);
+  console.log(`  Hook installed: .claude/hooks/${AUDIT_RUNNER_FILENAME}`);
   console.log(`  Settings updated: .claude/settings.json`);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@spardutti/claude-skills",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "CLI to install Claude Code skills from the claude-skills collection",
   "type": "module",
   "bin": {