@sporesec/arcana 2.4.0 → 3.0.1

package/dist/utils/project-context.js

@@ -0,0 +1,283 @@
+import { existsSync, readFileSync, readdirSync, statSync } from "node:fs";
+import { join, basename } from "node:path";
+import { getInstallDir } from "./fs.js";
+/** Map npm package names to tech tags */
+const PACKAGE_TAG_MAP = {
+    next: ["next", "react", "typescript"],
+    react: ["react"],
+    "react-dom": ["react"],
+    vue: ["vue"],
+    svelte: ["svelte"],
+    angular: ["angular"],
+    tailwindcss: ["tailwind"],
+    prisma: ["prisma", "database"],
+    "@prisma/client": ["prisma", "database"],
+    "drizzle-orm": ["drizzle", "database"],
+    express: ["express", "node"],
+    fastify: ["fastify", "node"],
+    hono: ["hono", "node"],
+    vitest: ["testing"],
+    jest: ["testing"],
+    mocha: ["testing"],
+    playwright: ["playwright", "testing"],
+    cypress: ["cypress", "testing"],
+    remotion: ["remotion", "react"],
+    three: ["threejs"],
+    docker: ["docker"],
+    electron: ["electron"],
+    "react-native": ["react-native", "react", "mobile"],
+    expo: ["expo", "react-native", "mobile"],
+    graphql: ["graphql"],
+    "@apollo/client": ["graphql", "apollo"],
+    trpc: ["trpc"],
+    "@trpc/server": ["trpc"],
+    mongoose: ["mongodb", "database"],
+    pg: ["postgresql", "database"],
+    redis: ["redis"],
+    ioredis: ["redis"],
+    "socket.io": ["websocket"],
+    ws: ["websocket"],
+    webpack: ["webpack"],
+    vite: ["vite"],
+    tsup: ["tsup"],
+    eslint: ["linting"],
+    prettier: ["formatting"],
+    storybook: ["storybook"],
+    "@storybook/react": ["storybook", "react"],
+};
+/** Map Go module paths to tags */
+const GO_MODULE_TAG_MAP = {
+    "github.com/gin-gonic/gin": ["gin", "web"],
+    "github.com/gofiber/fiber": ["fiber", "web"],
+    "github.com/labstack/echo": ["echo", "web"],
+    "github.com/gorilla/mux": ["gorilla", "web"],
+    "gorm.io/gorm": ["gorm", "database"],
+    "github.com/jmoiron/sqlx": ["sqlx", "database"],
+    "github.com/jackc/pgx": ["postgresql", "database"],
+    "github.com/go-redis/redis": ["redis"],
+    "github.com/rs/zerolog": ["zerolog", "logging"],
+    "go.uber.org/zap": ["zap", "logging"],
+    "github.com/stretchr/testify": ["testing"],
+    "google.golang.org/grpc": ["grpc"],
+    "google.golang.org/protobuf": ["protobuf"],
+};
+/** Map Python packages to tags */
+const PYTHON_PACKAGE_TAG_MAP = {
+    django: ["django", "web"],
+    flask: ["flask", "web"],
+    fastapi: ["fastapi", "web"],
+    pytorch: ["pytorch", "ml"],
+    torch: ["pytorch", "ml"],
+    tensorflow: ["tensorflow", "ml"],
+    numpy: ["numpy"],
+    pandas: ["pandas"],
+    sqlalchemy: ["sqlalchemy", "database"],
+    pytest: ["testing"],
+    celery: ["celery", "async"],
+    scrapy: ["scrapy", "scraping"],
+    playwright: ["playwright", "testing"],
+    requests: ["requests"],
+    httpx: ["httpx"],
+};
+function readJsonSafe(filePath) {
+    try {
+        return JSON.parse(readFileSync(filePath, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+function readTextSafe(filePath) {
+    try {
+        return readFileSync(filePath, "utf-8");
+    }
+    catch {
+        return null;
+    }
+}
+function detectTypeAndLang(cwd) {
+    const name = basename(cwd);
+    if (existsSync(join(cwd, "go.mod")))
+        return { name, type: "Go", lang: "go" };
+    if (existsSync(join(cwd, "Cargo.toml")))
+        return { name, type: "Rust", lang: "rust" };
+    if (existsSync(join(cwd, "requirements.txt")) || existsSync(join(cwd, "pyproject.toml")))
+        return { name, type: "Python", lang: "python" };
+    if (existsSync(join(cwd, "package.json"))) {
+        const pkg = readJsonSafe(join(cwd, "package.json"));
+        if (pkg?.dependencies?.next || pkg?.devDependencies?.next)
+            return { name, type: "Next.js", lang: "typescript" };
+        if (pkg?.dependencies?.react || pkg?.devDependencies?.react)
+            return { name, type: "React", lang: "typescript" };
+        return { name, type: "Node.js", lang: "typescript" };
+    }
+    return { name, type: "Unknown", lang: "general" };
+}
+function extractNpmTags(cwd) {
+    const pkgPath = join(cwd, "package.json");
+    const pkg = readJsonSafe(pkgPath);
+    if (!pkg)
+        return [];
+    const tags = new Set();
+    const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+    for (const dep of Object.keys(allDeps)) {
+        const mapped = PACKAGE_TAG_MAP[dep];
+        if (mapped)
+            mapped.forEach((t) => tags.add(t));
+    }
+    // Check for TypeScript
+    if (existsSync(join(cwd, "tsconfig.json")) || allDeps.typescript) {
+        tags.add("typescript");
+    }
+    return [...tags];
+}
+function extractGoTags(cwd) {
+    const goModPath = join(cwd, "go.mod");
+    const content = readTextSafe(goModPath);
+    if (!content)
+        return ["go"];
+    const tags = new Set(["go"]);
+    for (const [modulePath, moduleTags] of Object.entries(GO_MODULE_TAG_MAP)) {
+        if (content.includes(modulePath)) {
+            moduleTags.forEach((t) => tags.add(t));
+        }
+    }
+    return [...tags];
+}
+function extractPythonTags(cwd) {
+    const tags = new Set(["python"]);
+    // Read requirements.txt
+    const reqContent = readTextSafe(join(cwd, "requirements.txt"));
+    if (reqContent) {
+        for (const line of reqContent.split("\n")) {
+            const pkg = line
+                .trim()
+                .split(/[=<>!~[]/)[0]
+                ?.toLowerCase();
+            if (pkg) {
+                const mapped = PYTHON_PACKAGE_TAG_MAP[pkg];
+                if (mapped)
+                    mapped.forEach((t) => tags.add(t));
+            }
+        }
+    }
+    // Read pyproject.toml (simple scan, not full TOML parse)
+    const pyprojectContent = readTextSafe(join(cwd, "pyproject.toml"));
+    if (pyprojectContent) {
+        for (const [pkgName, pkgTags] of Object.entries(PYTHON_PACKAGE_TAG_MAP)) {
+            if (pyprojectContent.includes(`"${pkgName}"`) || pyprojectContent.includes(`'${pkgName}'`)) {
+                pkgTags.forEach((t) => tags.add(t));
+            }
+        }
+    }
+    return [...tags];
+}
+function extractInfraTags(cwd) {
+    const tags = [];
+    if (existsSync(join(cwd, "Dockerfile")) ||
+        existsSync(join(cwd, "docker-compose.yml")) ||
+        existsSync(join(cwd, "docker-compose.yaml"))) {
+        tags.push("docker");
+    }
+    if (existsSync(join(cwd, ".github", "workflows"))) {
+        tags.push("ci-cd", "github-actions");
+    }
+    if (existsSync(join(cwd, ".gitlab-ci.yml"))) {
+        tags.push("ci-cd", "gitlab-ci");
+    }
+    if (existsSync(join(cwd, "k8s")) || existsSync(join(cwd, "kubernetes"))) {
+        tags.push("kubernetes");
+    }
+    if (existsSync(join(cwd, "terraform")) || existsSync(join(cwd, "main.tf"))) {
+        tags.push("terraform");
+    }
+    return tags;
+}
+function extractPreferences(claudeMdContent) {
+    const prefs = [];
+    const lines = claudeMdContent.split("\n");
+    let inPrefsSection = false;
+    for (const line of lines) {
+        const lower = line.toLowerCase();
+        if (lower.includes("## coding") || lower.includes("## preferences") || lower.includes("## style")) {
+            inPrefsSection = true;
+            continue;
+        }
+        if (inPrefsSection && line.startsWith("## ")) {
+            inPrefsSection = false;
+            continue;
+        }
+        if (inPrefsSection && line.trim().startsWith("-")) {
+            prefs.push(line.trim().replace(/^-\s*/, ""));
+        }
+    }
+    return prefs;
+}
+function readRuleFiles(cwd) {
+    const rulesDir = join(cwd, ".claude", "rules");
+    if (!existsSync(rulesDir))
+        return [];
+    try {
+        return readdirSync(rulesDir)
+            .filter((f) => f.endsWith(".md"))
+            .sort();
+    }
+    catch {
+        return [];
+    }
+}
+function getInstalledSkillNames() {
+    const dir = getInstallDir();
+    if (!existsSync(dir))
+        return [];
+    try {
+        return readdirSync(dir)
+            .filter((d) => {
+            try {
+                return statSync(join(dir, d)).isDirectory();
+            }
+            catch {
+                return false;
+            }
+        })
+            .sort();
+    }
+    catch {
+        return [];
+    }
+}
+export function detectProjectContext(cwd) {
+    const { name, type, lang } = detectTypeAndLang(cwd);
+    // Collect tags based on language
+    const tagSet = new Set();
+    if (lang !== "general" && lang !== "unknown")
+        tagSet.add(lang);
+    if (lang === "typescript" || lang === "javascript") {
+        extractNpmTags(cwd).forEach((t) => tagSet.add(t));
+    }
+    if (lang === "go" || type === "Go") {
+        extractGoTags(cwd).forEach((t) => tagSet.add(t));
+    }
+    if (lang === "python" || type === "Python") {
+        extractPythonTags(cwd).forEach((t) => tagSet.add(t));
+    }
+    extractInfraTags(cwd).forEach((t) => tagSet.add(t));
+    // Read CLAUDE.md
+    const claudeMdPath = join(cwd, "CLAUDE.md");
+    const claudeMdContent = readTextSafe(claudeMdPath);
+    const preferences = claudeMdContent ? extractPreferences(claudeMdContent) : [];
+    // Read rule files
+    const ruleFiles = readRuleFiles(cwd);
+    // Get installed skills
+    const installedSkills = getInstalledSkillNames();
+    return {
+        name,
+        type,
+        lang,
+        tags: [...tagSet],
+        preferences,
+        ruleFiles,
+        claudeMdContent,
+        installedSkills,
+    };
+}

package/dist/utils/quality.d.ts

@@ -0,0 +1,27 @@
+import type { MarketplacePlugin } from "../types.js";
+export interface CrossValidationIssue {
+    level: "error" | "warning";
+    category: "marketplace-drift" | "orphan" | "companion" | "duplicate-desc";
+    skill: string;
+    detail: string;
+}
+/**
+ * Jaccard word-level similarity between two strings.
+ * Returns 0.0 (completely different) to 1.0 (identical).
+ */
+export declare function jaccardSimilarity(a: string, b: string): number;
+/**
+ * Validate companion references in marketplace plugins.
+ * Every companion must reference an existing plugin name.
+ */
+export declare function validateCompanions(plugins: MarketplacePlugin[]): CrossValidationIssue[];
+/**
+ * Check description sync between SKILL.md frontmatter and marketplace.json.
+ * Returns an issue if similarity is below 0.5.
+ */
+export declare function validateDescriptionSync(skillName: string, frontmatterDesc: string, marketplaceDesc: string): CrossValidationIssue | null;
+/**
+ * Cross-validate skill directories against marketplace.json.
+ * Checks: orphans, companions, description drift, near-duplicates.
+ */
+export declare function crossValidate(skillsDir: string, marketplacePath: string): CrossValidationIssue[];

package/dist/utils/quality.js

@@ -0,0 +1,174 @@
+import { existsSync, readdirSync, readFileSync, statSync } from "node:fs";
+import { join } from "node:path";
+import { extractFrontmatter, parseFrontmatter } from "./frontmatter.js";
+/**
+ * Jaccard word-level similarity between two strings.
+ * Returns 0.0 (completely different) to 1.0 (identical).
+ */
+export function jaccardSimilarity(a, b) {
+    const wordsA = new Set(a.toLowerCase().split(/\s+/).filter(Boolean));
+    const wordsB = new Set(b.toLowerCase().split(/\s+/).filter(Boolean));
+    if (wordsA.size === 0 && wordsB.size === 0)
+        return 1.0;
+    if (wordsA.size === 0 || wordsB.size === 0)
+        return 0.0;
+    let intersection = 0;
+    for (const w of wordsA) {
+        if (wordsB.has(w))
+            intersection++;
+    }
+    const union = wordsA.size + wordsB.size - intersection;
+    return union === 0 ? 0 : intersection / union;
+}
+/**
+ * Validate companion references in marketplace plugins.
+ * Every companion must reference an existing plugin name.
+ */
+export function validateCompanions(plugins) {
+    const issues = [];
+    const names = new Set(plugins.map((p) => p.name));
+    for (const plugin of plugins) {
+        if (!plugin.companions)
+            continue;
+        for (const companion of plugin.companions) {
+            if (!names.has(companion)) {
+                issues.push({
+                    level: "error",
+                    category: "companion",
+                    skill: plugin.name,
+                    detail: `Companion "${companion}" does not exist in marketplace`,
+                });
+            }
+        }
+    }
+    return issues;
+}
+/**
+ * Check description sync between SKILL.md frontmatter and marketplace.json.
+ * Returns an issue if similarity is below 0.5.
+ */
+export function validateDescriptionSync(skillName, frontmatterDesc, marketplaceDesc) {
+    if (!frontmatterDesc || !marketplaceDesc)
+        return null;
+    const similarity = jaccardSimilarity(frontmatterDesc, marketplaceDesc);
+    if (similarity < 0.5) {
+        return {
+            level: "warning",
+            category: "marketplace-drift",
+            skill: skillName,
+            detail: `Description drift (${Math.round(similarity * 100)}% similarity) between SKILL.md and marketplace.json`,
+        };
+    }
+    return null;
+}
+/**
+ * Cross-validate skill directories against marketplace.json.
+ * Checks: orphans, companions, description drift, near-duplicates.
+ */
+export function crossValidate(skillsDir, marketplacePath) {
+    const issues = [];
+    // Load marketplace
+    let marketplace;
+    try {
+        marketplace = JSON.parse(readFileSync(marketplacePath, "utf-8"));
+    }
+    catch {
+        issues.push({
+            level: "error",
+            category: "orphan",
+            skill: "marketplace.json",
+            detail: "Cannot read or parse marketplace.json",
+        });
+        return issues;
+    }
+    const pluginNames = new Set(marketplace.plugins.map((p) => p.name));
+    const pluginMap = new Map(marketplace.plugins.map((p) => [p.name, p]));
+    // Get skill directories
+    let skillDirs;
+    try {
+        skillDirs = readdirSync(skillsDir).filter((d) => {
+            try {
+                return statSync(join(skillsDir, d)).isDirectory();
+            }
+            catch {
+                return false;
+            }
+        });
+    }
+    catch {
+        issues.push({
+            level: "error",
+            category: "orphan",
+            skill: "skills/",
+            detail: "Cannot read skills directory",
+        });
+        return issues;
+    }
+    const dirNames = new Set(skillDirs);
+    // 1. Orphan directories (dir exists, no marketplace entry)
+    for (const dir of skillDirs) {
+        if (!pluginNames.has(dir)) {
+            issues.push({
+                level: "error",
+                category: "orphan",
+                skill: dir,
+                detail: "Skill directory exists but no marketplace.json entry",
+            });
+        }
+    }
+    // 2. Orphan entries (marketplace entry, no dir)
+    for (const name of pluginNames) {
+        if (!dirNames.has(name)) {
+            issues.push({
+                level: "error",
+                category: "orphan",
+                skill: name,
+                detail: "Marketplace entry exists but no skill directory",
+            });
+        }
+    }
+    // 3. Companion validation
+    issues.push(...validateCompanions(marketplace.plugins));
+    // 4. Description drift (SKILL.md frontmatter vs marketplace.json)
+    for (const dir of skillDirs) {
+        const plugin = pluginMap.get(dir);
+        if (!plugin)
+            continue;
+        const skillMd = join(skillsDir, dir, "SKILL.md");
+        if (!existsSync(skillMd))
+            continue;
+        try {
+            const content = readFileSync(skillMd, "utf-8");
+            const extracted = extractFrontmatter(content);
+            if (!extracted)
+                continue;
+            const parsed = parseFrontmatter(extracted.raw);
+            if (!parsed?.description)
+                continue;
+            const driftIssue = validateDescriptionSync(dir, parsed.description, plugin.description);
+            if (driftIssue)
+                issues.push(driftIssue);
+        }
+        catch {
+            /* skip unreadable */
+        }
+    }
+    // 5. Near-duplicate descriptions across skills
+    const descriptions = marketplace.plugins.map((p) => ({ name: p.name, desc: p.description }));
+    for (let i = 0; i < descriptions.length; i++) {
+        for (let j = i + 1; j < descriptions.length; j++) {
+            const a = descriptions[i];
+            const b = descriptions[j];
+            const sim = jaccardSimilarity(a.desc, b.desc);
+            if (sim > 0.85) {
+                issues.push({
+                    level: "warning",
+                    category: "duplicate-desc",
+                    skill: a.name,
+                    detail: `Near-duplicate description with ${b.name} (${Math.round(sim * 100)}% similarity)`,
+                });
+            }
+        }
+    }
+    return issues;
+}

package/dist/utils/scanner.d.ts

@@ -24,4 +24,3 @@ export declare function hasCriticalIssues(content: string): boolean;
  * Format scan results for display.
  */
 export declare function formatScanResults(skillName: string, issues: ScanIssue[]): string;
-//# sourceMappingURL=scanner.d.ts.map

package/dist/utils/scanner.js

@@ -89,7 +89,7 @@ const PATTERNS = [
         level: "high",
         category: "Prompt injection",
         detail: "System message impersonation",
-        regex: /\[system\]|\<system\>|SYSTEM:\s+/,
+        regex: /\[system\]|<system>|SYSTEM:\s+/,
     },
     // HIGH: Hardcoded secrets
     {
@@ -136,6 +136,138 @@ const PATTERNS = [
         detail: "Dynamic remote instruction loading",
         regex: /(?:curl|wget|fetch)\s+[^\n]*(?:instructions|config|setup)\.(?:md|txt|sh|yaml)/i,
     },
+    // =========================================================================
+    // v2.4.2 Extended patterns (Snyk ToxicSkills deep coverage)
+    // =========================================================================
+    // CRITICAL: Additional malicious code patterns
+    {
+        level: "critical",
+        category: "Malicious code",
+        detail: "Curl/wget piped to source",
+        regex: /(?:curl|wget)\s+[^\n|]*\|\s*source\b/i,
+    },
+    {
+        level: "critical",
+        category: "Malicious code",
+        detail: "Nested base64 decoding (obfuscation chain)",
+        regex: /base64\s+-d[^\n]*\|\s*base64\s+-d/i,
+    },
+    {
+        level: "critical",
+        category: "Malicious code",
+        detail: "Password-protected 7z or GPG-encrypted archive",
+        regex: /(?:7z\s+x\s+-p\S+|gpg\s+--decrypt\s|gpg\s+-d\s)/i,
+    },
+    {
+        level: "critical",
+        category: "Suspicious download",
+        detail: "GitHub release download from unverified source",
+        regex: /github\.com\/[^\s/]+\/[^\s/]+\/releases\/download\//i,
+    },
+    {
+        level: "critical",
+        category: "Malicious code",
+        detail: "PowerShell encoded command execution",
+        regex: /powershell[^\n]*-[Ee](?:nc|ncodedCommand)\s/i,
+    },
+    // HIGH: Extended credential and prompt injection patterns
+    {
+        level: "high",
+        category: "Credential theft",
+        detail: "Instructing to print/echo API keys or secrets",
+        regex: /(?:echo|print|cat|display|output|show)\s+.*(?:api[_-]?key|token|secret|password|credential)/i,
+    },
+    {
+        level: "high",
+        category: "Secret detected",
+        detail: "AWS access key ID pattern",
+        regex: /AKIA[0-9A-Z]{16}/,
+    },
+    {
+        level: "high",
+        category: "Secret detected",
+        detail: "Anthropic or OpenAI project key pattern",
+        regex: /(?:sk-ant-[a-zA-Z0-9-]{20,}|sk-proj-[a-zA-Z0-9-]{20,})/,
+    },
+    {
+        level: "high",
+        category: "Credential theft",
+        detail: "Authorization header in curl/wget command",
+        regex: /(?:curl|wget)\s+[^\n]*-H\s+["']?(?:Authorization|Bearer|Token)\b/i,
+    },
+    {
+        level: "high",
+        category: "Memory poisoning",
+        detail: "Writing to agent config files (SOUL.md, MEMORY.md, CLAUDE.md)",
+        regex: /(?:>>?|write|append|modify|edit|update)\s+[^\n]*(?:SOUL\.md|MEMORY\.md|CLAUDE\.md|\.cursorrules|\.windsurfrules)/i,
+    },
+    {
+        level: "high",
+        category: "Prompt injection",
+        detail: "Invisible Unicode smuggling (zero-width characters)",
+        regex: /\u200B|\u200C|\u200D|\uFEFF|\u2060/,
+    },
+    {
+        level: "high",
+        category: "Prompt injection",
+        detail: "Global behavior override pattern",
+        regex: /always\s+(?:respond|reply|output|return|answer)\s+.*(?:json|xml|yaml|markdown|plain)/i,
+    },
+    {
+        level: "high",
+        category: "Prompt injection",
+        detail: "Agent autonomy escalation (suppressing confirmations)",
+        regex: /(?:never|don't|do\s+not|disable)\s+(?:ask|confirm|check|verify|refuse|warn|prompt)/i,
+    },
+    {
+        level: "high",
+        category: "Data exfiltration",
+        detail: "Instructing agent to include sensitive data in output",
+        regex: /include\s+.*(?:contents?|data|credentials?|keys?|tokens?|secrets?)\s+.*(?:response|output|message|reply)/i,
+    },
+    // MEDIUM: Extended system and dependency patterns
+    {
+        level: "medium",
+        category: "Unverifiable dependency",
+        detail: "Global package installation from unknown source",
+        regex: /(?:npm\s+install\s+-g|pip\s+install|go\s+install)\s+\S+/i,
+    },
+    {
+        level: "medium",
+        category: "Suspicious activity",
+        detail: "Cryptocurrency or financial API access",
+        regex: /(?:binance|coinbase|metamask|etherscan|stripe|paypal)\.\w+/i,
+    },
+    {
+        level: "medium",
+        category: "Destructive command",
+        detail: "Recursive force delete on root or home directory",
+        regex: /rm\s+-rf\s+(?:\/\s|\/\*|~\/|~\s|\$HOME)/,
+    },
+    {
+        level: "medium",
+        category: "Privilege escalation",
+        detail: "Sudo usage in skill instructions",
+        regex: /\bsudo\s+\w/,
+    },
+    {
+        level: "medium",
+        category: "System modification",
+        detail: "Writing to system directories",
+        regex: />\s*\/(?:etc|usr|var|opt)\//,
+    },
+    {
+        level: "medium",
+        category: "Privilege escalation",
+        detail: "Docker privileged mode or capability addition",
+        regex: /docker\s+run\s+[^\n]*(?:--privileged|--cap-add)/i,
+    },
+    {
+        level: "medium",
+        category: "Suspicious activity",
+        detail: "Third-party HTTP request in instructions",
+        regex: /(?:fetch\(|axios\.|requests\.get|http\.get|urllib)/,
+    },
 ];
 // ---------------------------------------------------------------------------
 // Scanner
@@ -168,7 +300,7 @@ export function scanSkillContent(content) {
             const joined = line.slice(0, -1) + " " + (lines[i + 1] ?? "").trim();
             for (const pattern of PATTERNS) {
                 if (pattern.regex.test(joined)) {
-                    const alreadyFound = issues.some(iss => iss.line === i + 1 && iss.category === pattern.category);
+                    const alreadyFound = issues.some((iss) => iss.line === i + 1 && iss.category === pattern.category);
                     if (!alreadyFound) {
                         issues.push({
                             level: pattern.level,
@@ -191,7 +323,7 @@ export function scanSkillContent(content) {
  * Quick check: does this content have any critical issues?
  */
 export function hasCriticalIssues(content) {
-    return scanSkillContent(content).some(i => i.level === "critical");
+    return scanSkillContent(content).some((i) => i.level === "critical");
 }
 /**
  * Format scan results for display.
@@ -200,17 +332,13 @@ export function formatScanResults(skillName, issues) {
     if (issues.length === 0)
         return `  [OK] ${skillName}`;
     const lines = [];
-    const critical = issues.filter(i => i.level === "critical").length;
-    const high = issues.filter(i => i.level === "high").length;
-    const medium = issues.filter(i => i.level === "medium").length;
+    const critical = issues.filter((i) => i.level === "critical").length;
+    const high = issues.filter((i) => i.level === "high").length;
     const tag = critical > 0 ? "[!!]" : high > 0 ? "[!!]" : "[i]";
     lines.push(`  ${tag} ${skillName} (${issues.length} issue${issues.length !== 1 ? "s" : ""})`);
     for (const issue of issues) {
-        const icon = issue.level === "critical" ? "CRIT"
-            : issue.level === "high" ? "HIGH"
-                : "MED";
+        const icon = issue.level === "critical" ? "CRIT" : issue.level === "high" ? "HIGH" : "MED";
         lines.push(`    [${icon}] ${issue.category}: ${issue.detail} (line ${issue.line})`);
     }
     return lines.join("\n");
 }
-//# sourceMappingURL=scanner.js.map

package/dist/utils/scoring.d.ts

@@ -0,0 +1,10 @@
+import type { SkillInfo } from "../types.js";
+import type { ProjectContext } from "./project-context.js";
+export interface RecommendVerdict {
+    skill: string;
+    verdict: "recommended" | "optional" | "skip" | "conflict";
+    score: number;
+    reasons: string[];
+}
+export declare function scoreSkill(skill: SkillInfo, context: ProjectContext, installedSkills: string[], allSkills: SkillInfo[]): RecommendVerdict;
+export declare function rankSkills(skills: SkillInfo[], context: ProjectContext): RecommendVerdict[];