@sporesec/arcana 2.3.1 → 3.0.0

package/dist/utils/http.js

@@ -102,11 +102,15 @@ function doGet(url, timeout, redirectCount = 0) {
         if (token) {
             try {
                 const hostname = new URL(url).hostname;
-                if (hostname === "github.com" || hostname.endsWith(".github.com") || hostname.endsWith(".githubusercontent.com")) {
+                if (hostname === "github.com" ||
+                    hostname.endsWith(".github.com") ||
+                    hostname.endsWith(".githubusercontent.com")) {
                     headers["Authorization"] = `token ${token}`;
                 }
             }
-            catch { /* invalid URL, skip auth */ }
+            catch {
+                /* invalid URL, skip auth */
+            }
         }
         const req = https.get(url, { headers, timeout, agent }, (res) => {
             // Follow redirects (HTTPS only)
@@ -123,8 +127,14 @@ function doGet(url, timeout, redirectCount = 0) {
                 // After the existing https check, add:
                 try {
                     const redirectUrl = new URL(location);
-                    const allowedHosts = ["github.com", "raw.githubusercontent.com", "api.github.com", "objects.githubusercontent.com", "registry.npmjs.org"];
-                    if (!allowedHosts.some(h => redirectUrl.hostname === h || redirectUrl.hostname.endsWith("." + h))) {
+                    const allowedHosts = [
+                        "github.com",
+                        "raw.githubusercontent.com",
+                        "api.github.com",
+                        "objects.githubusercontent.com",
+                        "registry.npmjs.org",
+                    ];
+                    if (!allowedHosts.some((h) => redirectUrl.hostname === h || redirectUrl.hostname.endsWith("." + h))) {
                         reject(new Error(`Redirect to untrusted host blocked: ${redirectUrl.hostname}`));
                         return;
                     }
@@ -162,4 +172,3 @@ function doGet(url, timeout, redirectCount = 0) {
         });
     });
 }
-//# sourceMappingURL=http.js.map

package/dist/utils/install-core.d.ts

@@ -0,0 +1,48 @@
+import type { Provider } from "../providers/base.js";
+import type { SkillFile, SkillInfo } from "../types.js";
+export interface InstallOneResult {
+    success: boolean;
+    skillName: string;
+    files?: SkillFile[];
+    sizeKB?: number;
+    error?: string;
+    scanBlocked?: boolean;
+    conflictBlocked?: boolean;
+    conflictWarnings?: string[];
+    alreadyInstalled?: boolean;
+}
+export interface InstallBatchResult {
+    installed: string[];
+    skipped: string[];
+    failed: string[];
+    failedErrors: Record<string, string>;
+}
+/** Scan fetched files for security threats. Returns true if install should proceed. */
+export declare function preInstallScan(_skillName: string, files: SkillFile[], force?: boolean): {
+    proceed: boolean;
+    critical: string[];
+    high: string[];
+};
+/** Check for conflicts with existing project context. Returns warnings/blocks. */
+export declare function preInstallConflictCheck(skillName: string, remote: SkillInfo | null, files: SkillFile[], force?: boolean): {
+    proceed: boolean;
+    blocks: string[];
+    warnings: string[];
+};
+/**
+ * Core install logic for a single skill. Handles:
+ * fetch -> security scan -> conflict check -> write files -> write meta -> update lock
+ */
+export declare function installOneCore(skillName: string, provider: Provider, opts: {
+    force?: boolean;
+    noCheck?: boolean;
+}): Promise<InstallOneResult>;
+/** Compute size warning message if skill exceeds threshold. */
+export declare function sizeWarning(sizeKB: number): string | null;
+/** Check if a skill can be installed (not already present or force mode). */
+export declare function canInstall(skillName: string, force?: boolean): {
+    proceed: boolean;
+    reason?: string;
+};
+/** Read existing meta to detect provider change on reinstall. */
+export declare function detectProviderChange(skillName: string, newProvider: string): string | null;

package/dist/utils/install-core.js

@@ -0,0 +1,108 @@
+import * as p from "@clack/prompts";
+import { installSkill, isSkillInstalled, writeSkillMeta, readSkillMeta } from "./fs.js";
+import { scanSkillContent } from "./scanner.js";
+import { updateLockEntry } from "./integrity.js";
+import { checkConflicts } from "./conflict-check.js";
+import { detectProjectContext } from "./project-context.js";
+import { LARGE_SKILL_KB_THRESHOLD, TOKENS_PER_KB } from "../constants.js";
+/** Scan fetched files for security threats. Returns true if install should proceed. */
+export function preInstallScan(_skillName, files, force) {
+    const skillMd = files.find((f) => f.path.endsWith("SKILL.md"));
+    if (!skillMd)
+        return { proceed: true, critical: [], high: [] };
+    const issues = scanSkillContent(skillMd.content);
+    if (issues.length === 0)
+        return { proceed: true, critical: [], high: [] };
+    const critical = issues
+        .filter((i) => i.level === "critical")
+        .map((i) => `${i.category}: ${i.detail} (line ${i.line})`);
+    const high = issues.filter((i) => i.level === "high").map((i) => `${i.category}: ${i.detail} (line ${i.line})`);
+    if (critical.length > 0 && !force) {
+        return { proceed: false, critical, high };
+    }
+    // When force is true with critical findings, proceed but return the findings
+    // so the caller can prompt for confirmation
+    return { proceed: true, critical, high };
+}
+/** Check for conflicts with existing project context. Returns warnings/blocks. */
+export function preInstallConflictCheck(skillName, remote, files, force) {
+    const context = detectProjectContext(process.cwd());
+    const skillMd = files.find((f) => f.path.endsWith("SKILL.md"));
+    const warnings = checkConflicts(skillName, remote, skillMd?.content ?? null, context);
+    const blocks = warnings.filter((w) => w.severity === "block").map((w) => w.message);
+    const warns = warnings.filter((w) => w.severity === "warn").map((w) => w.message);
+    if (blocks.length > 0 && !force) {
+        return { proceed: false, blocks, warnings: warns };
+    }
+    return { proceed: true, blocks, warnings: warns };
+}
+/**
+ * Core install logic for a single skill. Handles:
+ * fetch -> security scan -> conflict check -> write files -> write meta -> update lock
+ */
+export async function installOneCore(skillName, provider, opts) {
+    const files = await provider.fetch(skillName);
+    // Security scan
+    const scan = preInstallScan(skillName, files, opts.force);
+    if (!scan.proceed) {
+        return { success: false, skillName, scanBlocked: true, error: "Blocked by security scan" };
+    }
+    // When --force bypasses critical findings, require interactive confirmation
+    if (opts.force && scan.critical.length > 0 && process.stdout.isTTY) {
+        const confirmed = await p.confirm({
+            message: `${skillName} has ${scan.critical.length} CRITICAL finding(s). Install anyway?`,
+            initialValue: false,
+        });
+        if (!confirmed || p.isCancel(confirmed)) {
+            return { success: false, skillName, scanBlocked: true, error: "User declined forced install" };
+        }
+    }
+    // Conflict detection
+    let conflictWarnings = [];
+    if (!opts.noCheck) {
+        const remote = await provider.info(skillName);
+        const conflict = preInstallConflictCheck(skillName, remote, files, opts.force);
+        conflictWarnings = conflict.warnings;
+        if (!conflict.proceed) {
+            return { success: false, skillName, conflictBlocked: true, error: "Blocked by conflict detection" };
+        }
+    }
+    // Install
+    installSkill(skillName, files);
+    const remote = await provider.info(skillName);
+    const version = remote?.version ?? "0.0.0";
+    const sizeBytes = files.reduce((s, f) => s + f.content.length, 0);
+    writeSkillMeta(skillName, {
+        version,
+        installedAt: new Date().toISOString(),
+        source: provider.name,
+        description: remote?.description,
+        fileCount: files.length,
+        sizeBytes,
+    });
+    updateLockEntry(skillName, version, provider.name, files);
+    const sizeKB = sizeBytes / 1024;
+    return { success: true, skillName, files, sizeKB, conflictWarnings };
+}
+/** Compute size warning message if skill exceeds threshold. */
+export function sizeWarning(sizeKB) {
+    if (sizeKB <= LARGE_SKILL_KB_THRESHOLD)
+        return null;
+    return `Large skill (${sizeKB.toFixed(0)} KB, ~${Math.round(sizeKB * TOKENS_PER_KB)} tokens). May use significant context.`;
+}
+/** Check if a skill can be installed (not already present or force mode). */
+export function canInstall(skillName, force) {
+    if (!isSkillInstalled(skillName))
+        return { proceed: true };
+    if (force)
+        return { proceed: true };
+    return { proceed: false, reason: `${skillName} is already installed. Use --force to reinstall.` };
+}
+/** Read existing meta to detect provider change on reinstall. */
+export function detectProviderChange(skillName, newProvider) {
+    const meta = readSkillMeta(skillName);
+    if (meta?.source && meta.source !== newProvider) {
+        return `Overwriting ${skillName} (was from ${meta.source}, now from ${newProvider})`;
+    }
+    return null;
+}

package/dist/utils/integrity.d.ts

@@ -0,0 +1,17 @@
+export interface LockEntry {
+    skill: string;
+    version: string;
+    hash: string;
+    source: string;
+    installedAt: string;
+}
+export declare function computeHash(content: string): string;
+export declare function getLockfilePath(): string;
+export declare function readLockfile(): LockEntry[];
+export declare function writeLockfile(entries: LockEntry[]): void;
+export declare function updateLockEntry(skill: string, version: string, source: string, files: Array<{
+    path: string;
+    content: string;
+}>): void;
+export declare function removeLockEntry(skill: string): void;
+export declare function verifySkillIntegrity(skillName: string, installDir: string): "ok" | "modified" | "missing";

package/dist/utils/integrity.js

@@ -0,0 +1,84 @@
+import { createHash } from "node:crypto";
+import { existsSync, readFileSync, mkdirSync, readdirSync, lstatSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { atomicWriteSync } from "./atomic.js";
+export function computeHash(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+export function getLockfilePath() {
+    return join(homedir(), ".arcana", "arcana-lock.json");
+}
+export function readLockfile() {
+    try {
+        const raw = readFileSync(getLockfilePath(), "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!Array.isArray(parsed))
+            return [];
+        return parsed;
+    }
+    catch {
+        return [];
+    }
+}
+export function writeLockfile(entries) {
+    const lockPath = getLockfilePath();
+    const dir = join(homedir(), ".arcana");
+    mkdirSync(dir, { recursive: true });
+    atomicWriteSync(lockPath, JSON.stringify(entries, null, 2) + "\n", 0o600);
+}
+export function updateLockEntry(skill, version, source, files) {
+    const sorted = [...files].sort((a, b) => a.path.localeCompare(b.path));
+    const concatenated = sorted.map((f) => f.content).join("");
+    const hash = computeHash(concatenated);
+    const entries = readLockfile();
+    const idx = entries.findIndex((e) => e.skill === skill);
+    const entry = {
+        skill,
+        version,
+        hash,
+        source,
+        installedAt: new Date().toISOString(),
+    };
+    if (idx >= 0) {
+        entries[idx] = entry;
+    }
+    else {
+        entries.push(entry);
+    }
+    writeLockfile(entries);
+}
+export function removeLockEntry(skill) {
+    const entries = readLockfile();
+    const filtered = entries.filter((e) => e.skill !== skill);
+    writeLockfile(filtered);
+}
+function readDirRecursive(dir) {
+    const results = [];
+    const items = readdirSync(dir);
+    for (const item of items) {
+        const fullPath = join(dir, item);
+        const stat = lstatSync(fullPath);
+        if (stat.isDirectory()) {
+            results.push(...readDirRecursive(fullPath));
+        }
+        else {
+            results.push(fullPath);
+        }
+    }
+    return results;
+}
+export function verifySkillIntegrity(skillName, installDir) {
+    const entries = readLockfile();
+    const entry = entries.find((e) => e.skill === skillName);
+    if (!entry)
+        return "missing";
+    const skillDir = join(installDir, skillName);
+    if (!existsSync(skillDir))
+        return "modified";
+    const filePaths = readDirRecursive(skillDir);
+    const relativePaths = filePaths.map((fp) => fp.slice(skillDir.length + 1)).sort();
+    const concatenated = relativePaths.map((rel) => readFileSync(join(skillDir, rel), "utf-8")).join("");
+    const hash = computeHash(concatenated);
+    return hash === entry.hash ? "ok" : "modified";
+}

package/dist/utils/parallel.d.ts

@@ -1,2 +1 @@
 export declare function parallelMap<T, R>(items: T[], fn: (item: T) => Promise<R>, concurrency: number): Promise<R[]>;
-//# sourceMappingURL=parallel.d.ts.map

package/dist/utils/parallel.js

@@ -14,4 +14,3 @@ export async function parallelMap(items, fn, concurrency) {
     await Promise.all(Array.from({ length: Math.min(concurrency, items.length) }, () => worker()));
     return results;
 }
-//# sourceMappingURL=parallel.js.map

package/dist/utils/project-context.d.ts

@@ -0,0 +1,19 @@
+export interface ProjectContext {
+    /** Project name from directory or package.json */
+    name: string;
+    /** Detected primary type */
+    type: string;
+    /** Primary language */
+    lang: string;
+    /** All detected tech tags */
+    tags: string[];
+    /** Extracted preferences from CLAUDE.md */
+    preferences: string[];
+    /** Names of existing .claude/rules/*.md files */
+    ruleFiles: string[];
+    /** Raw content of CLAUDE.md if it exists */
+    claudeMdContent: string | null;
+    /** Names of currently installed skills */
+    installedSkills: string[];
+}
+export declare function detectProjectContext(cwd: string): ProjectContext;

package/dist/utils/project-context.js

@@ -0,0 +1,283 @@
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { join, basename } from "node:path";
+import { getInstallDir } from "./fs.js";
+/** Map npm package names to tech tags */
+const PACKAGE_TAG_MAP = {
+    next: ["next", "react", "typescript"],
+    react: ["react"],
+    "react-dom": ["react"],
+    vue: ["vue"],
+    svelte: ["svelte"],
+    angular: ["angular"],
+    tailwindcss: ["tailwind"],
+    prisma: ["prisma", "database"],
+    "@prisma/client": ["prisma", "database"],
+    "drizzle-orm": ["drizzle", "database"],
+    express: ["express", "node"],
+    fastify: ["fastify", "node"],
+    hono: ["hono", "node"],
+    vitest: ["testing"],
+    jest: ["testing"],
+    mocha: ["testing"],
+    playwright: ["playwright", "testing"],
+    cypress: ["cypress", "testing"],
+    remotion: ["remotion", "react"],
+    three: ["threejs"],
+    docker: ["docker"],
+    electron: ["electron"],
+    "react-native": ["react-native", "react", "mobile"],
+    expo: ["expo", "react-native", "mobile"],
+    graphql: ["graphql"],
+    "@apollo/client": ["graphql", "apollo"],
+    trpc: ["trpc"],
+    "@trpc/server": ["trpc"],
+    mongoose: ["mongodb", "database"],
+    pg: ["postgresql", "database"],
+    redis: ["redis"],
+    ioredis: ["redis"],
+    "socket.io": ["websocket"],
+    ws: ["websocket"],
+    webpack: ["webpack"],
+    vite: ["vite"],
+    tsup: ["tsup"],
+    eslint: ["linting"],
+    prettier: ["formatting"],
+    storybook: ["storybook"],
+    "@storybook/react": ["storybook", "react"],
+};
+/** Map Go module paths to tags */
+const GO_MODULE_TAG_MAP = {
+    "github.com/gin-gonic/gin": ["gin", "web"],
+    "github.com/gofiber/fiber": ["fiber", "web"],
+    "github.com/labstack/echo": ["echo", "web"],
+    "github.com/gorilla/mux": ["gorilla", "web"],
+    "gorm.io/gorm": ["gorm", "database"],
+    "github.com/jmoiron/sqlx": ["sqlx", "database"],
+    "github.com/jackc/pgx": ["postgresql", "database"],
+    "github.com/go-redis/redis": ["redis"],
+    "github.com/rs/zerolog": ["zerolog", "logging"],
+    "go.uber.org/zap": ["zap", "logging"],
+    "github.com/stretchr/testify": ["testing"],
+    "google.golang.org/grpc": ["grpc"],
+    "google.golang.org/protobuf": ["protobuf"],
+};
+/** Map Python packages to tags */
+const PYTHON_PACKAGE_TAG_MAP = {
+    django: ["django", "web"],
+    flask: ["flask", "web"],
+    fastapi: ["fastapi", "web"],
+    pytorch: ["pytorch", "ml"],
+    torch: ["pytorch", "ml"],
+    tensorflow: ["tensorflow", "ml"],
+    numpy: ["numpy"],
+    pandas: ["pandas"],
+    sqlalchemy: ["sqlalchemy", "database"],
+    pytest: ["testing"],
+    celery: ["celery", "async"],
+    scrapy: ["scrapy", "scraping"],
+    playwright: ["playwright", "testing"],
+    requests: ["requests"],
+    httpx: ["httpx"],
+};
+function readJsonSafe(filePath) {
+    try {
+        return JSON.parse(readFileSync(filePath, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+function readTextSafe(filePath) {
+    try {
+        return readFileSync(filePath, "utf-8");
+    }
+    catch {
+        return null;
+    }
+}
+function detectTypeAndLang(cwd) {
+    const name = basename(cwd);
+    if (existsSync(join(cwd, "go.mod")))
+        return { name, type: "Go", lang: "go" };
+    if (existsSync(join(cwd, "Cargo.toml")))
+        return { name, type: "Rust", lang: "rust" };
+    if (existsSync(join(cwd, "requirements.txt")) || existsSync(join(cwd, "pyproject.toml")))
+        return { name, type: "Python", lang: "python" };
+    if (existsSync(join(cwd, "package.json"))) {
+        const pkg = readJsonSafe(join(cwd, "package.json"));
+        if (pkg?.dependencies?.next || pkg?.devDependencies?.next)
+            return { name, type: "Next.js", lang: "typescript" };
+        if (pkg?.dependencies?.react || pkg?.devDependencies?.react)
+            return { name, type: "React", lang: "typescript" };
+        return { name, type: "Node.js", lang: "typescript" };
+    }
+    return { name, type: "Unknown", lang: "general" };
+}
+function extractNpmTags(cwd) {
+    const pkgPath = join(cwd, "package.json");
+    const pkg = readJsonSafe(pkgPath);
+    if (!pkg)
+        return [];
+    const tags = new Set();
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+    for (const dep of Object.keys(allDeps)) {
+        const mapped = PACKAGE_TAG_MAP[dep];
+        if (mapped)
+            mapped.forEach((t) => tags.add(t));
+    }
+    // Check for TypeScript
+    if (existsSync(join(cwd, "tsconfig.json")) || allDeps.typescript) {
+        tags.add("typescript");
+    }
+    return [...tags];
+}
+function extractGoTags(cwd) {
+    const goModPath = join(cwd, "go.mod");
+    const content = readTextSafe(goModPath);
+    if (!content)
+        return ["go"];
+    const tags = new Set(["go"]);
+    for (const [modulePath, moduleTags] of Object.entries(GO_MODULE_TAG_MAP)) {
+        if (content.includes(modulePath)) {
+            moduleTags.forEach((t) => tags.add(t));
+        }
+    }
+    return [...tags];
+}
+function extractPythonTags(cwd) {
+    const tags = new Set(["python"]);
+    // Read requirements.txt
+    const reqContent = readTextSafe(join(cwd, "requirements.txt"));
+    if (reqContent) {
+        for (const line of reqContent.split("\n")) {
+            const pkg = line
+                .trim()
+                .split(/[=<>!~[]/)[0]
+                ?.toLowerCase();
+            if (pkg) {
+                const mapped = PYTHON_PACKAGE_TAG_MAP[pkg];
+                if (mapped)
+                    mapped.forEach((t) => tags.add(t));
+            }
+        }
+    }
+    // Read pyproject.toml (simple scan, not full TOML parse)
+    const pyprojectContent = readTextSafe(join(cwd, "pyproject.toml"));
+    if (pyprojectContent) {
+        for (const [pkgName, pkgTags] of Object.entries(PYTHON_PACKAGE_TAG_MAP)) {
+            if (pyprojectContent.includes(`"${pkgName}"`) || pyprojectContent.includes(`'${pkgName}'`)) {
+                pkgTags.forEach((t) => tags.add(t));
+            }
+        }
+    }
+    return [...tags];
+}
+function extractInfraTags(cwd) {
+    const tags = [];
+    if (existsSync(join(cwd, "Dockerfile")) ||
+        existsSync(join(cwd, "docker-compose.yml")) ||
+        existsSync(join(cwd, "docker-compose.yaml"))) {
+        tags.push("docker");
+    }
+    if (existsSync(join(cwd, ".github", "workflows"))) {
+        tags.push("ci-cd", "github-actions");
+    }
+    if (existsSync(join(cwd, ".gitlab-ci.yml"))) {
+        tags.push("ci-cd", "gitlab-ci");
+    }
+    if (existsSync(join(cwd, "k8s")) || existsSync(join(cwd, "kubernetes"))) {
+        tags.push("kubernetes");
+    }
+    if (existsSync(join(cwd, "terraform")) || existsSync(join(cwd, "main.tf"))) {
+        tags.push("terraform");
+    }
+    return tags;
+}
+function extractPreferences(claudeMdContent) {
+    const prefs = [];
+    const lines = claudeMdContent.split("\n");
+    let inPrefsSection = false;
+    for (const line of lines) {
+        const lower = line.toLowerCase();
+        if (lower.includes("## coding") || lower.includes("## preferences") || lower.includes("## style")) {
+            inPrefsSection = true;
+            continue;
+        }
+        if (inPrefsSection && line.startsWith("## ")) {
+            inPrefsSection = false;
+            continue;
+        }
+        if (inPrefsSection && line.trim().startsWith("-")) {
+            prefs.push(line.trim().replace(/^-\s*/, ""));
+        }
+    }
+    return prefs;
+}
+function readRuleFiles(cwd) {
+    const rulesDir = join(cwd, ".claude", "rules");
+    if (!existsSync(rulesDir))
+        return [];
+    try {
+        return readdirSync(rulesDir)
+            .filter((f) => f.endsWith(".md"))
+            .sort();
+    }
+    catch {
+        return [];
+    }
+}
+function getInstalledSkillNames() {
+    const dir = getInstallDir();
+    if (!existsSync(dir))
+        return [];
+    try {
+        return readdirSync(dir)
+            .filter((d) => {
+            try {
+                return statSync(join(dir, d)).isDirectory();
+            }
+            catch {
+                return false;
+            }
+        })
+            .sort();
+    }
+    catch {
+        return [];
+    }
+}
+export function detectProjectContext(cwd) {
+    const { name, type, lang } = detectTypeAndLang(cwd);
+    // Collect tags based on language
+    const tagSet = new Set();
+    if (lang !== "general" && lang !== "unknown")
+        tagSet.add(lang);
+    if (lang === "typescript" || lang === "javascript") {
+        extractNpmTags(cwd).forEach((t) => tagSet.add(t));
+    }
+    if (lang === "go" || type === "Go") {
+        extractGoTags(cwd).forEach((t) => tagSet.add(t));
+    }
+    if (lang === "python" || type === "Python") {
+        extractPythonTags(cwd).forEach((t) => tagSet.add(t));
+    }
+    extractInfraTags(cwd).forEach((t) => tagSet.add(t));
+    // Read CLAUDE.md
+    const claudeMdPath = join(cwd, "CLAUDE.md");
+    const claudeMdContent = readTextSafe(claudeMdPath);
+    const preferences = claudeMdContent ? extractPreferences(claudeMdContent) : [];
+    // Read rule files
+    const ruleFiles = readRuleFiles(cwd);
+    // Get installed skills
+    const installedSkills = getInstalledSkillNames();
+    return {
+        name,
+        type,
+        lang,
+        tags: [...tagSet],
+        preferences,
+        ruleFiles,
+        claudeMdContent,
+        installedSkills,
+    };
+}

package/dist/utils/scanner.d.ts

@@ -24,4 +24,3 @@ export declare function hasCriticalIssues(content: string): boolean;
  * Format scan results for display.
  */
 export declare function formatScanResults(skillName: string, issues: ScanIssue[]): string;
-//# sourceMappingURL=scanner.d.ts.map