@sporesec/arcana 2.4.0 → 3.0.1

package/dist/utils/errors.js

@@ -8,4 +8,3 @@ export class CliError extends Error {
         this.name = "CliError";
     }
 }
-//# sourceMappingURL=errors.js.map

package/dist/utils/frontmatter.d.ts

@@ -9,4 +9,3 @@ export declare function extractFrontmatter(content: string): {
 export declare function parseFrontmatter(raw: string): SkillFrontmatter | null;
 export declare function fixSkillFrontmatter(content: string): string;
 export declare function validateSkillDir(skillDir: string, skillName: string): ValidationResult;
-//# sourceMappingURL=frontmatter.d.ts.map

package/dist/utils/frontmatter.js

@@ -40,7 +40,13 @@ export function parseFrontmatter(raw) {
         if (descMatch?.[1] !== undefined) {
             let value = descMatch[1].trim();
             // Handle YAML multiline: |, >, or bare indented continuation
-            if (value === "|" || value === ">" || value === "|-" || value === "|+" || value === ">-" || value === ">+" || value === "") {
+            if (value === "|" ||
+                value === ">" ||
+                value === "|-" ||
+                value === "|+" ||
+                value === ">-" ||
+                value === ">+" ||
+                value === "") {
                 const multilineLines = [];
                 for (let j = i + 1; j < lines.length; j++) {
                     const next = lines[j];
@@ -93,12 +99,7 @@ export function fixSkillFrontmatter(content) {
     if (!parsed)
         return content;
     // Rebuild clean frontmatter with only name and description
-    const cleanFm = [
-        FM_DELIMITER,
-        `name: ${parsed.name}`,
-        `description: ${parsed.description}`,
-        FM_DELIMITER,
-    ].join("\n");
+    const cleanFm = [FM_DELIMITER, `name: ${parsed.name}`, `description: ${parsed.description}`, FM_DELIMITER].join("\n");
     return cleanFm + "\n" + extracted.body.replace(/^\n+/, "\n");
 }
 export function validateSkillDir(skillDir, skillName) {
@@ -137,20 +138,40 @@ export function validateSkillDir(skillDir, skillName) {
         return result;
     }
     if (!parsed.description) {
-        result.warnings.push("Missing description in frontmatter");
+        result.valid = false;
+        result.errors.push("Missing description in frontmatter");
     }
     else if (parsed.description.length < MIN_DESC_LENGTH) {
-        result.warnings.push(`Description too short (${parsed.description.length} chars, recommend ${MIN_DESC_LENGTH}+)`);
+        result.valid = false;
+        result.errors.push(`Description too short (${parsed.description.length} chars, minimum ${MIN_DESC_LENGTH})`);
     }
     else if (parsed.description.length > MAX_DESC_LENGTH) {
-        result.warnings.push(`Description too long (${parsed.description.length} chars, max ${MAX_DESC_LENGTH})`);
+        result.valid = false;
+        result.errors.push(`Description too long (${parsed.description.length} chars, max ${MAX_DESC_LENGTH})`);
     }
-    // Check for non-standard fields
+    // Check for non-standard fields (metadata is invalid per spec)
     const standardFields = ["name", "description"];
+    const VALID_FIELDS = [
+        "name",
+        "description",
+        "argument-hint",
+        "compatibility",
+        "disable-model-invocation",
+        "license",
+        "user-invokable",
+    ];
     for (const line of extracted.raw.split("\n")) {
         const keyMatch = line.match(/^(\w[\w-]*):/);
         if (keyMatch?.[1] && !standardFields.includes(keyMatch[1])) {
-            result.infos.push(`Non-standard field: ${keyMatch[1]}`);
+            if (keyMatch[1] === "metadata") {
+                result.warnings.push("Invalid field: metadata (not allowed in frontmatter)");
+            }
+            else if (!VALID_FIELDS.includes(keyMatch[1])) {
+                result.infos.push(`Non-standard field: ${keyMatch[1]}`);
+            }
+            else {
+                result.infos.push(`Optional field: ${keyMatch[1]}`);
+            }
         }
     }
     if (parsed.name !== skillName) {
@@ -163,10 +184,19 @@ export function validateSkillDir(skillDir, skillName) {
         result.warnings.push("SKILL.md body is very short (less than 50 chars)");
     }
     if (extracted.body.trim().length >= 50 && !extracted.body.includes("##")) {
-        result.infos.push("Body has no ## headings (recommended for structure)");
+        result.warnings.push("Body has no ## headings (required for structure)");
+    }
+    // Check for code blocks (quality signal)
+    if (extracted.body.trim().length >= 50 && !extracted.body.includes("```")) {
+        result.warnings.push("No code blocks found (skills must include code examples)");
+    }
+    // Check for BAD/GOOD pattern examples
+    const hasPattern = /(?:BAD|GOOD|WRONG|RIGHT|AVOID|PREFER|DO NOT|INSTEAD)/i.test(extracted.body) ||
+        /<!--\s*(?:bad|good)\s*-->/i.test(extracted.body);
+    if (extracted.body.trim().length >= 100 && !hasPattern) {
+        result.infos.push("No BAD/GOOD contrast patterns found (recommended for teaching)");
     }
     if (result.errors.length > 0)
         result.valid = false;
     return result;
 }
-//# sourceMappingURL=frontmatter.js.map

package/dist/utils/fs.d.ts

@@ -32,4 +32,3 @@ export declare function listFilesByAge(dir: string, ext: string, olderThanDays:
  */
 export declare function isOrphanedProject(projectDirName: string): boolean;
 export declare function listSymlinks(): SymlinkInfo[];
-//# sourceMappingURL=fs.d.ts.map

package/dist/utils/fs.js

@@ -1,4 +1,4 @@
-import { existsSync, mkdirSync, writeFileSync, readFileSync, readdirSync, rmSync, renameSync, lstatSync, readlinkSync } from "node:fs";
+import { existsSync, mkdirSync, writeFileSync, readFileSync, readdirSync, rmSync, renameSync, lstatSync, readlinkSync, } from "node:fs";
 import { join, dirname, resolve, sep } from "node:path";
 import { homedir } from "node:os";
 import { loadConfig } from "../utils/config.js";
@@ -26,10 +26,14 @@ export function getDirSize(dir) {
                     else
                         size += stat.size;
                 }
-                catch { /* skip unreadable entries */ }
+                catch {
+                    /* skip unreadable entries */
+                }
             }
         }
-        catch { /* skip unreadable dirs */ }
+        catch {
+            /* skip unreadable dirs */
+        }
     }
     return size;
 }
@@ -45,14 +49,18 @@ export function installSkill(skillName, files) {
     try {
         for (const file of files) {
             // Reject paths containing .. before resolving
-            if (file.path.includes("..") || file.path.includes("~") || file.path.startsWith("\\\\") || file.path.startsWith("//")) {
+            if (file.path.includes("..") ||
+                file.path.includes("~") ||
+                file.path.startsWith("\\\\") ||
+                file.path.startsWith("//")) {
                 throw new Error(`Path traversal blocked: ${file.path}`);
             }
             const filePath = resolve(tempDir, file.path);
             // Normalize to lowercase on Windows for case-insensitive comparison
             const normalizedFile = process.platform === "win32" ? filePath.toLowerCase() : filePath;
             const normalizedTemp = process.platform === "win32" ? (tempDir + sep).toLowerCase() : tempDir + sep;
-            if (!normalizedFile.startsWith(normalizedTemp) && normalizedFile !== (process.platform === "win32" ? tempDir.toLowerCase() : tempDir)) {
+            if (!normalizedFile.startsWith(normalizedTemp) &&
+                normalizedFile !== (process.platform === "win32" ? tempDir.toLowerCase() : tempDir)) {
                 throw new Error(`Path traversal blocked: ${file.path}`);
             }
             const dir = dirname(filePath);
@@ -72,7 +80,9 @@ export function installSkill(skillName, files) {
         try {
             rmSync(tempDir, { recursive: true, force: true });
         }
-        catch { /* best-effort */ }
+        catch {
+            /* best-effort */
+        }
         throw err;
     }
     return skillDir;
@@ -124,13 +134,21 @@ export function listFilesByAge(dir, ext, olderThanDays) {
                         continue;
                     const age = now - stat.mtimeMs;
                     if (age > cutoff) {
-                        results.push({ path: full, sizeMB: stat.size / (1024 * 1024), daysOld: Math.floor(age / (24 * 60 * 60 * 1000)) });
+                        results.push({
+                            path: full,
+                            sizeMB: stat.size / (1024 * 1024),
+                            daysOld: Math.floor(age / (24 * 60 * 60 * 1000)),
+                        });
                     }
                 }
-                catch { /* skip */ }
+                catch {
+                    /* skip */
+                }
             }
         }
-        catch { /* skip */ }
+        catch {
+            /* skip */
+        }
     }
     return results;
 }
@@ -189,8 +207,9 @@ export function listSymlinks() {
                 results.push({ name: entry, fullPath, target, broken: !existsSync(target) });
             }
         }
-        catch { /* skip unreadable */ }
+        catch {
+            /* skip unreadable */
+        }
     }
     return results;
 }
-//# sourceMappingURL=fs.js.map

package/dist/utils/help.d.ts

@@ -3,4 +3,3 @@ export declare function buildCustomHelp(version: string): string;
 export declare function isFirstRun(): boolean;
 export declare function markInitialized(): void;
 export declare function showWelcome(version: string): void;
-//# sourceMappingURL=help.d.ts.map

package/dist/utils/help.js

@@ -4,6 +4,7 @@ import { homedir } from "node:os";
 import * as p from "@clack/prompts";
 import chalk from "chalk";
 import { ui } from "./ui.js";
+import { getGroupedCommands } from "../command-registry.js";
 const noColor = !!(process.env.NO_COLOR || process.env.TERM === "dumb");
 function amberShade(hex, text) {
     if (noColor)
@@ -32,30 +33,12 @@ export function renderBanner() {
     }
     return BANNER_LINES.map((line, i) => `  ${amberShade(AMBER_HEXES[i], line)}`).join("\n");
 }
-const COMMAND_GROUPS = {
-    "GETTING STARTED": [
-        { cmd: "init", desc: "Initialize arcana in current project" },
-        { cmd: "doctor", desc: "Check environment and diagnose issues" },
-    ],
-    SKILLS: [
-        { cmd: "list", desc: "List available skills" },
-        { cmd: "search <query>", desc: "Search across providers" },
-        { cmd: "info <skill>", desc: "Show skill details" },
-        { cmd: "install [skills...]", desc: "Install one or more skills" },
-        { cmd: "update [skills...]", desc: "Update installed skills" },
-        { cmd: "uninstall [skills...]", desc: "Remove one or more skills" },
-    ],
-    DEVELOPMENT: [
-        { cmd: "create <name>", desc: "Create a new skill from template" },
-        { cmd: "validate [skill]", desc: "Validate skill structure" },
-        { cmd: "audit [skill]", desc: "Audit skill quality" },
-    ],
-    CONFIGURATION: [
-        { cmd: "config [key] [val]", desc: "View or modify configuration" },
-        { cmd: "providers", desc: "Manage skill providers" },
-        { cmd: "clean", desc: "Remove orphaned data" },
-        { cmd: "stats", desc: "Show session analytics" },
-    ],
+// Help groups: subset of registry for --help display (keeps output scannable)
+const HELP_GROUPS = {
+    "GETTING STARTED": ["init", "doctor"],
+    SKILLS: ["list", "search", "info", "install", "update", "uninstall", "recommend"],
+    DEVELOPMENT: ["create", "validate", "audit"],
+    CONFIGURATION: ["config", "providers", "clean", "stats"],
 };
 const EXAMPLES = [
     "$ arcana install code-reviewer typescript golang",
@@ -74,11 +57,16 @@ export function buildCustomHelp(version) {
     lines.push("");
     lines.push(`  ${ui.dim("USAGE")}`);
     lines.push("    arcana <command> [options]");
-    for (const [group, commands] of Object.entries(COMMAND_GROUPS)) {
+    const allCommands = getGroupedCommands();
+    const allFlat = Object.values(allCommands).flat();
+    for (const [group, names] of Object.entries(HELP_GROUPS)) {
         lines.push("");
         lines.push(`  ${ui.dim(group)}`);
-        for (const { cmd, desc } of commands) {
-            lines.push(`    ${ui.cyan(padRight(cmd, 22))}${ui.dim(desc)}`);
+        for (const name of names) {
+            const entry = allFlat.find((c) => c.name === name);
+            if (!entry)
+                continue;
+            lines.push(`    ${ui.cyan(padRight(entry.usage, 22))}${ui.dim(entry.description)}`);
         }
     }
     lines.push("");
@@ -114,4 +102,3 @@ export function showWelcome(version) {
     p.log.info("They install on-demand and only load when relevant, not all at once.");
     console.log();
 }
-//# sourceMappingURL=help.js.map

package/dist/utils/history.d.ts

@@ -7,4 +7,3 @@ export declare function readHistory(): HistoryEntry[];
 export declare function appendHistory(action: string, target?: string): void;
 export declare function clearHistory(): void;
 export declare function getRecentSkills(limit?: number): string[];
-//# sourceMappingURL=history.d.ts.map

package/dist/utils/history.js

@@ -55,4 +55,3 @@ export function getRecentSkills(limit = 5) {
     }
     return skills;
 }
-//# sourceMappingURL=history.js.map

package/dist/utils/http.d.ts

@@ -14,4 +14,3 @@ export declare class RateLimitError extends HttpError {
     constructor(url: string, resetAt: Date | null);
 }
 export declare function httpGet(url: string, timeout?: number): Promise<HttpResponse>;
-//# sourceMappingURL=http.d.ts.map

package/dist/utils/http.js

@@ -102,11 +102,15 @@ function doGet(url, timeout, redirectCount = 0) {
         if (token) {
             try {
                 const hostname = new URL(url).hostname;
-                if (hostname === "github.com" || hostname.endsWith(".github.com") || hostname.endsWith(".githubusercontent.com")) {
+                if (hostname === "github.com" ||
+                    hostname.endsWith(".github.com") ||
+                    hostname.endsWith(".githubusercontent.com")) {
                     headers["Authorization"] = `token ${token}`;
                 }
             }
-            catch { /* invalid URL, skip auth */ }
+            catch {
+                /* invalid URL, skip auth */
+            }
         }
         const req = https.get(url, { headers, timeout, agent }, (res) => {
             // Follow redirects (HTTPS only)
@@ -123,8 +127,14 @@ function doGet(url, timeout, redirectCount = 0) {
                 // After the existing https check, add:
                 try {
                     const redirectUrl = new URL(location);
-                    const allowedHosts = ["github.com", "raw.githubusercontent.com", "api.github.com", "objects.githubusercontent.com", "registry.npmjs.org"];
-                    if (!allowedHosts.some(h => redirectUrl.hostname === h || redirectUrl.hostname.endsWith("." + h))) {
+                    const allowedHosts = [
+                        "github.com",
+                        "raw.githubusercontent.com",
+                        "api.github.com",
+                        "objects.githubusercontent.com",
+                        "registry.npmjs.org",
+                    ];
+                    if (!allowedHosts.some((h) => redirectUrl.hostname === h || redirectUrl.hostname.endsWith("." + h))) {
                         reject(new Error(`Redirect to untrusted host blocked: ${redirectUrl.hostname}`));
                         return;
                     }
@@ -162,4 +172,3 @@ function doGet(url, timeout, redirectCount = 0) {
         });
     });
 }
-//# sourceMappingURL=http.js.map

package/dist/utils/install-core.d.ts

@@ -0,0 +1,48 @@
+import type { Provider } from "../providers/base.js";
+import type { SkillFile, SkillInfo } from "../types.js";
+export interface InstallOneResult {
+    success: boolean;
+    skillName: string;
+    files?: SkillFile[];
+    sizeKB?: number;
+    error?: string;
+    scanBlocked?: boolean;
+    conflictBlocked?: boolean;
+    conflictWarnings?: string[];
+    alreadyInstalled?: boolean;
+}
+export interface InstallBatchResult {
+    installed: string[];
+    skipped: string[];
+    failed: string[];
+    failedErrors: Record<string, string>;
+}
+/** Scan fetched files for security threats. Returns true if install should proceed. */
+export declare function preInstallScan(_skillName: string, files: SkillFile[], force?: boolean): {
+    proceed: boolean;
+    critical: string[];
+    high: string[];
+};
+/** Check for conflicts with existing project context. Returns warnings/blocks. */
+export declare function preInstallConflictCheck(skillName: string, remote: SkillInfo | null, files: SkillFile[], force?: boolean): {
+    proceed: boolean;
+    blocks: string[];
+    warnings: string[];
+};
+/**
+ * Core install logic for a single skill. Handles:
+ * fetch -> security scan -> conflict check -> write files -> write meta -> update lock
+ */
+export declare function installOneCore(skillName: string, provider: Provider, opts: {
+    force?: boolean;
+    noCheck?: boolean;
+}): Promise<InstallOneResult>;
+/** Compute size warning message if skill exceeds threshold. */
+export declare function sizeWarning(sizeKB: number): string | null;
+/** Check if a skill can be installed (not already present or force mode). */
+export declare function canInstall(skillName: string, force?: boolean): {
+    proceed: boolean;
+    reason?: string;
+};
+/** Read existing meta to detect provider change on reinstall. */
+export declare function detectProviderChange(skillName: string, newProvider: string): string | null;

package/dist/utils/install-core.js

@@ -0,0 +1,108 @@
+import * as p from "@clack/prompts";
+import { installSkill, isSkillInstalled, writeSkillMeta, readSkillMeta } from "./fs.js";
+import { scanSkillContent } from "./scanner.js";
+import { updateLockEntry } from "./integrity.js";
+import { checkConflicts } from "./conflict-check.js";
+import { detectProjectContext } from "./project-context.js";
+import { LARGE_SKILL_KB_THRESHOLD, TOKENS_PER_KB } from "../constants.js";
+/** Scan fetched files for security threats. Returns true if install should proceed. */
+export function preInstallScan(_skillName, files, force) {
+    const skillMd = files.find((f) => f.path.endsWith("SKILL.md"));
+    if (!skillMd)
+        return { proceed: true, critical: [], high: [] };
+    const issues = scanSkillContent(skillMd.content);
+    if (issues.length === 0)
+        return { proceed: true, critical: [], high: [] };
+    const critical = issues
+        .filter((i) => i.level === "critical")
+        .map((i) => `${i.category}: ${i.detail} (line ${i.line})`);
+    const high = issues.filter((i) => i.level === "high").map((i) => `${i.category}: ${i.detail} (line ${i.line})`);
+    if (critical.length > 0 && !force) {
+        return { proceed: false, critical, high };
+    }
+    // When force is true with critical findings, proceed but return the findings
+    // so the caller can prompt for confirmation
+    return { proceed: true, critical, high };
+}
+/** Check for conflicts with existing project context. Returns warnings/blocks. */
+export function preInstallConflictCheck(skillName, remote, files, force) {
+    const context = detectProjectContext(process.cwd());
+    const skillMd = files.find((f) => f.path.endsWith("SKILL.md"));
+    const warnings = checkConflicts(skillName, remote, skillMd?.content ?? null, context);
+    const blocks = warnings.filter((w) => w.severity === "block").map((w) => w.message);
+    const warns = warnings.filter((w) => w.severity === "warn").map((w) => w.message);
+    if (blocks.length > 0 && !force) {
+        return { proceed: false, blocks, warnings: warns };
+    }
+    return { proceed: true, blocks, warnings: warns };
+}
+/**
+ * Core install logic for a single skill. Handles:
+ * fetch -> security scan -> conflict check -> write files -> write meta -> update lock
+ */
+export async function installOneCore(skillName, provider, opts) {
+    const files = await provider.fetch(skillName);
+    // Security scan
+    const scan = preInstallScan(skillName, files, opts.force);
+    if (!scan.proceed) {
+        return { success: false, skillName, scanBlocked: true, error: "Blocked by security scan" };
+    }
+    // When --force bypasses critical findings, require interactive confirmation
+    if (opts.force && scan.critical.length > 0 && process.stdout.isTTY) {
+        const confirmed = await p.confirm({
+            message: `${skillName} has ${scan.critical.length} CRITICAL finding(s). Install anyway?`,
+            initialValue: false,
+        });
+        if (!confirmed || p.isCancel(confirmed)) {
+            return { success: false, skillName, scanBlocked: true, error: "User declined forced install" };
+        }
+    }
+    // Conflict detection
+    let conflictWarnings = [];
+    if (!opts.noCheck) {
+        const remote = await provider.info(skillName);
+        const conflict = preInstallConflictCheck(skillName, remote, files, opts.force);
+        conflictWarnings = conflict.warnings;
+        if (!conflict.proceed) {
+            return { success: false, skillName, conflictBlocked: true, error: "Blocked by conflict detection" };
+        }
+    }
+    // Install
+    installSkill(skillName, files);
+    const remote = await provider.info(skillName);
+    const version = remote?.version ?? "0.0.0";
+    const sizeBytes = files.reduce((s, f) => s + f.content.length, 0);
+    writeSkillMeta(skillName, {
+        version,
+        installedAt: new Date().toISOString(),
+        source: provider.name,
+        description: remote?.description,
+        fileCount: files.length,
+        sizeBytes,
+    });
+    updateLockEntry(skillName, version, provider.name, files);
+    const sizeKB = sizeBytes / 1024;
+    return { success: true, skillName, files, sizeKB, conflictWarnings };
+}
+/** Compute size warning message if skill exceeds threshold. */
+export function sizeWarning(sizeKB) {
+    if (sizeKB <= LARGE_SKILL_KB_THRESHOLD)
+        return null;
+    return `Large skill (${sizeKB.toFixed(0)} KB, ~${Math.round(sizeKB * TOKENS_PER_KB)} tokens). May use significant context.`;
+}
+/** Check if a skill can be installed (not already present or force mode). */
+export function canInstall(skillName, force) {
+    if (!isSkillInstalled(skillName))
+        return { proceed: true };
+    if (force)
+        return { proceed: true };
+    return { proceed: false, reason: `${skillName} is already installed. Use --force to reinstall.` };
+}
+/** Read existing meta to detect provider change on reinstall. */
+export function detectProviderChange(skillName, newProvider) {
+    const meta = readSkillMeta(skillName);
+    if (meta?.source && meta.source !== newProvider) {
+        return `Overwriting ${skillName} (was from ${meta.source}, now from ${newProvider})`;
+    }
+    return null;
+}

package/dist/utils/integrity.d.ts

@@ -0,0 +1,17 @@
+export interface LockEntry {
+    skill: string;
+    version: string;
+    hash: string;
+    source: string;
+    installedAt: string;
+}
+export declare function computeHash(content: string): string;
+export declare function getLockfilePath(): string;
+export declare function readLockfile(): LockEntry[];
+export declare function writeLockfile(entries: LockEntry[]): void;
+export declare function updateLockEntry(skill: string, version: string, source: string, files: Array<{
+    path: string;
+    content: string;
+}>): void;
+export declare function removeLockEntry(skill: string): void;
+export declare function verifySkillIntegrity(skillName: string, installDir: string): "ok" | "modified" | "missing";

package/dist/utils/integrity.js

@@ -0,0 +1,84 @@
+import { createHash } from "node:crypto";
+import { existsSync, readFileSync, mkdirSync, readdirSync, lstatSync } from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+import { atomicWriteSync } from "./atomic.js";
+export function computeHash(content) {
+    return createHash("sha256").update(content).digest("hex");
+}
+export function getLockfilePath() {
+    return join(homedir(), ".arcana", "arcana-lock.json");
+}
+export function readLockfile() {
+    try {
+        const raw = readFileSync(getLockfilePath(), "utf-8");
+        const parsed = JSON.parse(raw);
+        if (!Array.isArray(parsed))
+            return [];
+        return parsed;
+    }
+    catch {
+        return [];
+    }
+}
+export function writeLockfile(entries) {
+    const lockPath = getLockfilePath();
+    const dir = join(homedir(), ".arcana");
+    mkdirSync(dir, { recursive: true });
+    atomicWriteSync(lockPath, JSON.stringify(entries, null, 2) + "\n", 0o600);
+}
+export function updateLockEntry(skill, version, source, files) {
+    const sorted = [...files].sort((a, b) => a.path.localeCompare(b.path));
+    const concatenated = sorted.map((f) => f.content).join("");
+    const hash = computeHash(concatenated);
+    const entries = readLockfile();
+    const idx = entries.findIndex((e) => e.skill === skill);
+    const entry = {
+        skill,
+        version,
+        hash,
+        source,
+        installedAt: new Date().toISOString(),
+    };
+    if (idx >= 0) {
+        entries[idx] = entry;
+    }
+    else {
+        entries.push(entry);
+    }
+    writeLockfile(entries);
+}
+export function removeLockEntry(skill) {
+    const entries = readLockfile();
+    const filtered = entries.filter((e) => e.skill !== skill);
+    writeLockfile(filtered);
+}
+function readDirRecursive(dir) {
+    const results = [];
+    const items = readdirSync(dir);
+    for (const item of items) {
+        const fullPath = join(dir, item);
+        const stat = lstatSync(fullPath);
+        if (stat.isDirectory()) {
+            results.push(...readDirRecursive(fullPath));
+        }
+        else {
+            results.push(fullPath);
+        }
+    }
+    return results;
+}
+export function verifySkillIntegrity(skillName, installDir) {
+    const entries = readLockfile();
+    const entry = entries.find((e) => e.skill === skillName);
+    if (!entry)
+        return "missing";
+    const skillDir = join(installDir, skillName);
+    if (!existsSync(skillDir))
+        return "modified";
+    const filePaths = readDirRecursive(skillDir);
+    const relativePaths = filePaths.map((fp) => fp.slice(skillDir.length + 1)).sort();
+    const concatenated = relativePaths.map((rel) => readFileSync(join(skillDir, rel), "utf-8")).join("");
+    const hash = computeHash(concatenated);
+    return hash === entry.hash ? "ok" : "modified";
+}

package/dist/utils/parallel.d.ts

@@ -1,2 +1 @@
 export declare function parallelMap<T, R>(items: T[], fn: (item: T) => Promise<R>, concurrency: number): Promise<R[]>;
-//# sourceMappingURL=parallel.d.ts.map

package/dist/utils/parallel.js

@@ -14,4 +14,3 @@ export async function parallelMap(items, fn, concurrency) {
     await Promise.all(Array.from({ length: Math.min(concurrency, items.length) }, () => worker()));
     return results;
 }
-//# sourceMappingURL=parallel.js.map

package/dist/utils/project-context.d.ts

@@ -0,0 +1,19 @@
+export interface ProjectContext {
+    /** Project name from directory or package.json */
+    name: string;
+    /** Detected primary type */
+    type: string;
+    /** Primary language */
+    lang: string;
+    /** All detected tech tags */
+    tags: string[];
+    /** Extracted preferences from CLAUDE.md */
+    preferences: string[];
+    /** Names of existing .claude/rules/*.md files */
+    ruleFiles: string[];
+    /** Raw content of CLAUDE.md if it exists */
+    claudeMdContent: string | null;
+    /** Names of currently installed skills */
+    installedSkills: string[];
+}
+export declare function detectProjectContext(cwd: string): ProjectContext;