@tankpkg/cli 0.14.4 → 0.15.1

package/dist/bin/tank.js

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-DR0pKCTH.js";
+import { a as VERSION, i as USER_AGENT, l as setConfig, n as flushLogs, o as getConfig, s as getConfigDir, t as authFlowLog } from "../debug-logger-CxX7rakF.js";
 import { t as logger } from "../logger-BhULz3Uz.js";
 import { createRequire } from "node:module";
 import { Command } from "commander";
@@ -13,9 +13,9 @@ import ora from "ora";
 import { confirm, input } from "@inquirer/prompts";
 import { execSync, spawn } from "node:child_process";
 import crypto$1 from "node:crypto";
+import { mkdir, mkdtemp, rm, stat } from "node:fs/promises";
 import { create, extract } from "tar";
 import { createInterface } from "node:readline";
-import { mkdir, mkdtemp, rm, stat } from "node:fs/promises";
 import { Readable } from "node:stream";
 import { pipeline } from "node:stream/promises";
 import open from "open";
@@ -301,6 +301,35 @@ const packageIRSchema = z.object({
 	visibility: z.enum(["public", "private"]).optional(),
 	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional()
 }).strict();
+const commandSchema$1 = z.string().min(1, "command must not be empty");
+const argSchema$1 = z.array(z.string()).default([]);
+const envSchema$1 = z.record(z.string(), z.string()).optional();
+const remoteUrlSchema$1 = z.string().url("remote must be a valid URL");
+const localMcpServerSchema = z.object({
+	command: commandSchema$1,
+	args: argSchema$1,
+	env: envSchema$1,
+	requires_auth: z.literal(false).optional()
+}).strict();
+const remoteMcpServerSchema = z.object({
+	remote: remoteUrlSchema$1,
+	requires_auth: z.boolean().default(false),
+	env: envSchema$1
+}).strict();
+const mcpServerSchema$1 = z.union([localMcpServerSchema, remoteMcpServerSchema]);
+function isRemoteMcpServer(server) {
+	return "remote" in server;
+}
+const perToolOverrideSchema$1 = z.object({
+	scan: z.boolean().optional(),
+	blockOnMatch: z.boolean().optional()
+}).strict();
+z.object({
+	perfBudgetMs: z.number().positive().optional(),
+	blockOnMatch: z.boolean().optional(),
+	resetPinsOnMismatch: z.boolean().optional(),
+	perTool: z.record(z.string(), perToolOverrideSchema$1).optional()
+}).strict();
 const baseManifestFields$1 = {
 	name: z.string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
 	version: z.string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
@@ -309,7 +338,8 @@ const baseManifestFields$1 = {
 	permissions: permissionsSchema$1.optional(),
 	repository: z.string().url("Repository must be a valid URL").optional(),
 	visibility: z.enum(["public", "private"]).optional(),
-	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional()
+	audit: z.object({ min_score: z.number().min(0).max(10) }).strict().optional(),
+	mcp_server: mcpServerSchema$1.optional()
 };
 /** Legacy skills.json schema — strict, no atoms. Used for backward-compatible consumers. */
 const skillsJsonSchema = z.object(baseManifestFields$1).strict();
@@ -467,7 +497,7 @@ function scoreColor$3(score) {
 	if (score >= 4) return chalk.yellow;
 	return chalk.red;
 }
-function formatScore(result) {
+function formatScore$1(result) {
 	if (result.error) return chalk.dim("error");
 	if (result.score == null || result.status !== "completed") return chalk.dim("pending");
 	return scoreColor$3(result.score)(result.score.toFixed(1));
@@ -510,7 +540,7 @@ function displayDetailedAudit(result) {
 	console.log(chalk.bold(result.name));
 	console.log("");
 	console.log(`${chalk.dim("Version:".padEnd(14))}${result.version}`);
-	console.log(`${chalk.dim("Audit Score:".padEnd(14))}${formatScore(result)}`);
+	console.log(`${chalk.dim("Audit Score:".padEnd(14))}${formatScore$1(result)}`);
 	console.log(`${chalk.dim("Status:".padEnd(14))}${result.status}`);
 	const perms = result.permissions;
 	if (perms) {
@@ -534,7 +564,7 @@ function displayTable(results) {
 	for (const result of results) {
 		const name = chalk.bold(padRight$1(result.name, 30));
 		const version = padRight$1(result.version, 12);
-		const score = padRight$1(formatScore(result), 10);
+		const score = padRight$1(formatScore$1(result), 10);
 		const status = formatStatus(result);
 		console.log(`${name}${version}${score}${status}`);
 	}
@@ -2705,6 +2735,8 @@ async function initCommand(options = {}) {
 }
 //#endregion
 //#region ../internals-helpers/dist/index.js
+const ALPHANUMERIC$1 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+`${ALPHANUMERIC$1}`, `${ALPHANUMERIC$1}`, `${ALPHANUMERIC$1}`, `${ALPHANUMERIC$1}`;
 function resolve$1(range, versions) {
 	try {
 		if (!range || !semver.validRange(range)) return null;
@@ -2716,6 +2748,196 @@ function resolve$1(range, versions) {
 	}
 }
 //#endregion
+//#region src/lib/adapter-rewriter.ts
+const DEFAULT_TANK_BINARY = "tank";
+const AUTH_ENV_VAR_PREFIX = "TANK_MCP_AUTH_";
+const AUTH_PLACEHOLDER_VALUE = "<agent-config-resolves-this>";
+function deriveAuthEnvVarName(skillName) {
+	const lastSlash = skillName.lastIndexOf("/");
+	return `${AUTH_ENV_VAR_PREFIX}${(lastSlash === -1 ? skillName : skillName.slice(lastSlash + 1)).replace(/[^A-Za-z0-9]+/g, "_").replace(/^_+|_+$/g, "").toUpperCase()}`;
+}
+function passthroughEntry(server) {
+	if (isRemoteMcpServer(server)) throw new Error("adapter-rewriter: remote MCP servers cannot opt out (proxy transport is mandatory for remote)");
+	const entry = {
+		command: server.command,
+		args: [...server.args]
+	};
+	if (server.env) entry.env = { ...server.env };
+	return entry;
+}
+function wrapLocal(server, binary) {
+	const entry = {
+		command: binary,
+		args: [
+			"proxy",
+			"--",
+			server.command,
+			...server.args
+		]
+	};
+	if (server.env) entry.env = { ...server.env };
+	return entry;
+}
+function wrapRemote(skillName, server, binary) {
+	const entry = {
+		command: binary,
+		args: [
+			"proxy",
+			"--remote",
+			server.remote
+		]
+	};
+	const mergedEnv = { ...server.env ?? {} };
+	if (server.requires_auth) mergedEnv[deriveAuthEnvVarName(skillName)] = AUTH_PLACEHOLDER_VALUE;
+	if (Object.keys(mergedEnv).length > 0) entry.env = mergedEnv;
+	return entry;
+}
+function rewriteMcpServerEntry(options) {
+	const binary = options.tankBinaryPath ?? DEFAULT_TANK_BINARY;
+	if (options.dangerouslyNoTankProxy) return passthroughEntry(options.mcpServer);
+	if (isRemoteMcpServer(options.mcpServer)) return wrapRemote(options.skillName, options.mcpServer, binary);
+	return wrapLocal(options.mcpServer, binary);
+}
+//#endregion
+//#region src/lib/mcp-config-writer.ts
+const AGENT_CONFIG_PATHS = {
+	claude: [".claude", "settings.json"],
+	cursor: [".cursor", "mcp.json"],
+	opencode: [
+		".config",
+		"opencode",
+		"mcp.json"
+	],
+	codex: [".codex", "config.json"],
+	openclaw: [".openclaw", "mcp.json"],
+	universal: [
+		".config",
+		"mcp",
+		"servers.json"
+	]
+};
+function getAgentConfigPath(agentId, homedir) {
+	const segments = AGENT_CONFIG_PATHS[agentId];
+	if (!segments) return null;
+	const base = homedir ?? os.homedir();
+	return path.join(base, ...segments);
+}
+function readConfigOrEmpty(configPath) {
+	if (!fs.existsSync(configPath)) return {};
+	try {
+		const raw = fs.readFileSync(configPath, "utf-8");
+		const parsed = JSON.parse(raw);
+		if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return {};
+		return parsed;
+	} catch {
+		return {};
+	}
+}
+function persistConfig(configPath, config) {
+	fs.mkdirSync(path.dirname(configPath), { recursive: true });
+	fs.writeFileSync(configPath, `${JSON.stringify(config, null, 2)}\n`);
+}
+function writeMcpServerEntry(options) {
+	const configPath = getAgentConfigPath(options.agentId, options.homedir);
+	if (!configPath) throw new Error(`unknown agent: ${options.agentId}`);
+	const existing = readConfigOrEmpty(configPath);
+	const mcpServers = { ...existing.mcpServers ?? {} };
+	if (options.remove) {
+		if (!(options.skillName in mcpServers)) {
+			if (!fs.existsSync(configPath)) return;
+		}
+		delete mcpServers[options.skillName];
+	} else {
+		if (!options.entry) throw new Error("writeMcpServerEntry: entry is required when remove=false");
+		mcpServers[options.skillName] = options.entry;
+	}
+	persistConfig(configPath, {
+		...existing,
+		mcpServers
+	});
+}
+//#endregion
+//#region src/lib/apply-proxy-wrapping.ts
+function readManifest(skillDir) {
+	const manifestPath = path.join(skillDir, "tank.json");
+	if (!fs.existsSync(manifestPath)) return "missing";
+	try {
+		const raw = fs.readFileSync(manifestPath, "utf-8");
+		const parsed = JSON.parse(raw);
+		if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) return "invalid";
+		return parsed;
+	} catch {
+		return "invalid";
+	}
+}
+function warnOptOut(skillName) {
+	console.warn(`Proxy disabled for ${skillName} — MCP traffic will not be scanned`);
+}
+function isKnownAgent(agentId) {
+	return agentId in AGENT_CONFIG_PATHS;
+}
+function applyRemoval(options) {
+	const wrapped = [];
+	for (const agentId of options.agentIds) {
+		if (!isKnownAgent(agentId)) continue;
+		writeMcpServerEntry({
+			agentId,
+			skillName: options.skillName,
+			remove: true,
+			homedir: options.homedir
+		});
+		wrapped.push(agentId);
+	}
+	return {
+		wrapped,
+		skipped: []
+	};
+}
+function applyProxyWrapping(options) {
+	if (options.remove) return applyRemoval(options);
+	const manifest = readManifest(options.skillDir);
+	if (manifest === "missing") return {
+		wrapped: [],
+		skipped: ["no-manifest"]
+	};
+	if (manifest === "invalid") return {
+		wrapped: [],
+		skipped: ["invalid-manifest"]
+	};
+	const rawMcpServer = manifest.mcp_server;
+	if (rawMcpServer === void 0) return {
+		wrapped: [],
+		skipped: ["no-mcp-server"]
+	};
+	const parseResult = mcpServerSchema$1.safeParse(rawMcpServer);
+	if (!parseResult.success) return {
+		wrapped: [],
+		skipped: ["invalid-mcp-server"]
+	};
+	const entry = rewriteMcpServerEntry({
+		skillName: options.skillName,
+		mcpServer: parseResult.data,
+		...options.tankBinaryPath !== void 0 ? { tankBinaryPath: options.tankBinaryPath } : {},
+		...options.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
+	});
+	if (options.dangerouslyNoTankProxy) warnOptOut(options.skillName);
+	const wrapped = [];
+	for (const agentId of options.agentIds) {
+		if (!isKnownAgent(agentId)) continue;
+		writeMcpServerEntry({
+			agentId,
+			skillName: options.skillName,
+			entry,
+			homedir: options.homedir
+		});
+		wrapped.push(agentId);
+	}
+	return {
+		wrapped,
+		skipped: []
+	};
+}
+//#endregion
 //#region ../sdk/dist/index.mjs
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -6913,6 +7135,30 @@ object({
 	visibility: _enum(["public", "private"]).optional(),
 	audit: object({ min_score: number().min(0).max(10) }).strict().optional()
 }).strict();
+const commandSchema = string().min(1, "command must not be empty");
+const argSchema = array(string()).default([]);
+const envSchema = record(string(), string()).optional();
+const remoteUrlSchema = string().url("remote must be a valid URL");
+const mcpServerSchema = union([object({
+	command: commandSchema,
+	args: argSchema,
+	env: envSchema,
+	requires_auth: literal(false).optional()
+}).strict(), object({
+	remote: remoteUrlSchema,
+	requires_auth: boolean().default(false),
+	env: envSchema
+}).strict()]);
+const perToolOverrideSchema = object({
+	scan: boolean().optional(),
+	blockOnMatch: boolean().optional()
+}).strict();
+object({
+	perfBudgetMs: number().positive().optional(),
+	blockOnMatch: boolean().optional(),
+	resetPinsOnMismatch: boolean().optional(),
+	perTool: record(string(), perToolOverrideSchema).optional()
+}).strict();
 const baseManifestFields = {
 	name: string().min(1, "Name must not be empty").max(214, `Name must be 214 characters or fewer`).regex(/^@[a-z0-9-]+\/[a-z0-9][a-z0-9-]*$/, "Name must be scoped (@org/name), lowercase alphanumeric and hyphens"),
 	version: string().regex(/^\d+\.\d+\.\d+(-[a-zA-Z0-9.-]+)?(\+[a-zA-Z0-9.-]+)?$/, "Version must be valid semver"),
@@ -6921,7 +7167,8 @@ const baseManifestFields = {
 	permissions: permissionsSchema.optional(),
 	repository: string().url("Repository must be a valid URL").optional(),
 	visibility: _enum(["public", "private"]).optional(),
-	audit: object({ min_score: number().min(0).max(10) }).strict().optional()
+	audit: object({ min_score: number().min(0).max(10) }).strict().optional(),
+	mcp_server: mcpServerSchema.optional()
 };
 object(baseManifestFields).strict();
 object({
@@ -7019,47 +7266,6 @@ var TankIntegrityError = class extends TankError {
 	}
 };
 createRequire(import.meta.url);
-function checkPermissionBudget(budget, skillPerms, skillName) {
-	if (!skillPerms) return;
-	if (skillPerms.subprocess === true && budget.subprocess !== true) throw new TankPermissionError(`${skillName} requires subprocess access, but project budget does not allow it`);
-	if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
-		const budgetDomains = budget.network?.outbound ?? [];
-		for (const domain of skillPerms.network.outbound) if (!isDomainAllowed$1(domain, budgetDomains)) throw new TankPermissionError(`${skillName} requests network access to "${domain}", which is not in the project's permission budget`);
-	}
-	if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
-		const budgetPaths = budget.filesystem?.read ?? [];
-		for (const p of skillPerms.filesystem.read) if (!isPathAllowed$1(p, budgetPaths)) throw new TankPermissionError(`${skillName} requests filesystem read access to "${p}", which is not in the project's permission budget`);
-	}
-	if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
-		const budgetPaths = budget.filesystem?.write ?? [];
-		for (const p of skillPerms.filesystem.write) if (!isPathAllowed$1(p, budgetPaths)) throw new TankPermissionError(`${skillName} requests filesystem write access to "${p}", which is not in the project's permission budget`);
-	}
-}
-function isDomainAllowed$1(domain, allowedDomains) {
-	for (const allowed of allowedDomains) {
-		if (allowed === domain) return true;
-		if (allowed.startsWith("*.")) {
-			const suffix = allowed.slice(1);
-			if (domain.endsWith(suffix) || domain === allowed.slice(2)) return true;
-			if (domain === allowed) return true;
-		}
-	}
-	return false;
-}
-function isPathAllowed$1(requestedPath, allowedPaths) {
-	const norm = (p) => p.replaceAll("\\", "/");
-	const req = norm(requestedPath);
-	if (req.includes("..")) return false;
-	for (const allowed of allowedPaths) {
-		const a = norm(allowed);
-		if (a === req) return true;
-		if (a.endsWith("/**")) {
-			const prefix = a.slice(0, -3);
-			if (req === prefix || req.startsWith(`${prefix}/`)) return true;
-		}
-	}
-	return false;
-}
 var require_constants = /* @__PURE__ */ __commonJSMin(((exports, module) => {
 	const SEMVER_SPEC_VERSION = "2.0.0";
 	const MAX_LENGTH = 256;
@@ -8307,6 +8513,8 @@ var import_semver = /* @__PURE__ */ __toESM((/* @__PURE__ */ __commonJSMin(((exp
 		rcompareIdentifiers: identifiers.rcompareIdentifiers
 	};
 })))(), 1);
+const ALPHANUMERIC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+`${ALPHANUMERIC}`, `${ALPHANUMERIC}`, `${ALPHANUMERIC}`, `${ALPHANUMERIC}`;
 function resolve(range, versions) {
 	try {
 		if (!range || !import_semver.default.validRange(range)) return null;
@@ -8317,6 +8525,68 @@ function resolve(range, versions) {
 		return null;
 	}
 }
+function isDomainAllowed$1(domain, allowedDomains) {
+	for (const allowed of allowedDomains) {
+		if (allowed === domain) return true;
+		if (allowed.startsWith("*.")) {
+			const suffix = allowed.slice(1);
+			if (domain.endsWith(suffix) || domain === allowed.slice(2)) return true;
+			if (domain === allowed) return true;
+		}
+	}
+	return false;
+}
+function isPathAllowed$1(requestedPath, allowedPaths) {
+	const norm = (p) => p.replaceAll("\\", "/");
+	const req = norm(requestedPath);
+	if (req.includes("..")) return false;
+	for (const allowed of allowedPaths) {
+		const a = norm(allowed);
+		if (a === req) return true;
+		if (a.endsWith("/**")) {
+			const prefix = a.slice(0, -3);
+			if (req === prefix || req.startsWith(`${prefix}/`)) return true;
+		}
+	}
+	return false;
+}
+/**
+* Thrown by checkPermissionBudget when a skill's declared permissions exceed the project budget.
+*
+* internals-helpers cannot import from @tankpkg/sdk (would invert dep graph).
+* sdk shim catches this and re-throws as TankPermissionError to preserve
+* the public sdk error API. See D7 / INTENT C25b.
+*/
+var PermissionBudgetError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "PermissionBudgetError";
+	}
+};
+function checkPermissionBudget$1(budget, skillPerms, skillName) {
+	if (!skillPerms) return;
+	if (skillPerms.subprocess === true && budget.subprocess !== true) throw new PermissionBudgetError(`${skillName} requires subprocess access, but project budget does not allow it`);
+	if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
+		const budgetDomains = budget.network?.outbound ?? [];
+		for (const domain of skillPerms.network.outbound) if (!isDomainAllowed$1(domain, budgetDomains)) throw new PermissionBudgetError(`${skillName} requests network access to "${domain}", which is not in the project's permission budget`);
+	}
+	if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
+		const budgetPaths = budget.filesystem?.read ?? [];
+		for (const p of skillPerms.filesystem.read) if (!isPathAllowed$1(p, budgetPaths)) throw new PermissionBudgetError(`${skillName} requests filesystem read access to "${p}", which is not in the project's permission budget`);
+	}
+	if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
+		const budgetPaths = budget.filesystem?.write ?? [];
+		for (const p of skillPerms.filesystem.write) if (!isPathAllowed$1(p, budgetPaths)) throw new PermissionBudgetError(`${skillName} requests filesystem write access to "${p}", which is not in the project's permission budget`);
+	}
+}
+function checkPermissionBudget(budget, skillPerms, skillName) {
+	try {
+		checkPermissionBudget$1(budget, skillPerms, skillName);
+	} catch (e) {
+		if (e instanceof PermissionBudgetError) throw new TankPermissionError(e.message);
+		throw e;
+	}
+}
 function buildSkillKey(name, version) {
 	return `${name}@${version}`;
 }
@@ -8937,12 +9207,13 @@ const HOST_MAP = [
 	[/registry\.npmjs\.org/i, "npm"]
 ];
 function detectSourceType(url) {
+	if (url.startsWith("file://")) return "file";
 	for (const [pattern, sourceType] of HOST_MAP) if (pattern.test(url)) return sourceType;
 	return "unknown";
 }
 /** Returns true if the input looks like a URL rather than a package name. */
 function isUrl(input) {
-	if (input.startsWith("http://") || input.startsWith("https://")) return true;
+	if (input.startsWith("http://") || input.startsWith("https://") || input.startsWith("file://")) return true;
 	for (const [pattern] of HOST_MAP) if (pattern.test(input)) return true;
 	return false;
 }
@@ -9226,6 +9497,24 @@ async function fetchFromGenericUrl(url, tempDir) {
 		cleanup: () => cleanupDir(tempDir)
 	};
 }
+async function fetchFromFileUrl(url, tempDir) {
+	const sourcePath = new URL(url).pathname;
+	const destDir = join(tempDir, "skill");
+	const { cp } = await import("node:fs/promises");
+	await mkdir(destDir, { recursive: true });
+	await cp(sourcePath, destDir, {
+		recursive: true,
+		errorOnExist: false
+	});
+	return {
+		localPath: destDir,
+		sourceType: "file",
+		sourceUrl: url,
+		commitSha: null,
+		inferredName: sourcePath.replace(/\/$/, "").split("/").pop() ?? null,
+		cleanup: () => cleanupDir(tempDir)
+	};
+}
 /** Fetch a skill from a URL to a local temp directory. */
 async function fetchFromUrl(url) {
 	const sourceType = detectSourceType(url);
@@ -9243,6 +9532,9 @@ async function fetchFromUrl(url) {
 			case "skills_sh":
 				result = await fetchFromSkillsSh(url, tempDir);
 				break;
+			case "file":
+				result = await fetchFromFileUrl(url, tempDir);
+				break;
 			default:
 				result = await fetchFromGenericUrl(url, tempDir);
 				break;
@@ -9397,8 +9689,28 @@ function installToolDependencies(extractDir, skillName) {
 		logger.warn(`Dependency install skipped for ${skillName} (non-fatal)`);
 	}
 }
+function wrapMcpServerForSkill(options) {
+	try {
+		const agents = detectInstalledAgents(options.homedir);
+		if (agents.length === 0) return;
+		const result = applyProxyWrapping({
+			skillName: options.skillName,
+			skillDir: options.extractDir,
+			agentIds: agents.map((a) => a.id),
+			...options.homedir !== void 0 ? { homedir: options.homedir } : {},
+			...options.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
+		});
+		if (result.wrapped.length > 0) {
+			const mode = options.dangerouslyNoTankProxy ? "registered (proxy disabled)" : "proxy-wrapped";
+			logger.info(`${options.skillName}: ${mode} in ${result.wrapped.length} agent config(s)`);
+		}
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		logger.warn(`MCP proxy wrapping skipped for ${options.skillName}: ${msg}`);
+	}
+}
 async function linkInstalledRoots(options) {
-	const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, global, resolvedHome, homedir } = options;
+	const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, global, resolvedHome, homedir, dangerouslyNoTankProxy } = options;
 	const agentSkillsBaseDir = global ? getGlobalAgentSkillsDir(resolvedHome) : path.join(directory, ".tank", "agent-skills");
 	const linksDir = global ? path.join(resolvedHome, ".tank") : path.join(directory, ".tank");
 	for (const skillName of rootSkillNames) try {
@@ -9418,6 +9730,12 @@ async function linkInstalledRoots(options) {
 		});
 		if (linkResult.linked.length > 0) logger.info(`Linked to ${linkResult.linked.length} agent(s)`);
 		if (linkResult.failed.length > 0) for (const failedLink of linkResult.failed) logger.warn(`Failed to link to ${failedLink.agentId}: ${failedLink.error}`);
+		wrapMcpServerForSkill({
+			skillName,
+			extractDir: extractDirForSkill(skillName),
+			homedir,
+			dangerouslyNoTankProxy
+		});
 	} catch {
 		if (rootSkillNames.length === 1) logger.warn("Agent linking skipped (non-fatal)");
 		else logger.warn(`Agent linking skipped for ${skillName} (non-fatal)`);
@@ -9490,12 +9808,13 @@ async function executeInstallPipeline(options) {
 		directory,
 		global,
 		resolvedHome,
-		homedir
+		homedir,
+		...options.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
 	});
 	return updatedLock;
 }
 async function installCommand(options) {
-	const { name, versionRange = "*", directory = process.cwd(), configDir, global = false, homedir, isTransitive = false } = options;
+	const { name, versionRange = "*", directory = process.cwd(), configDir, global = false, homedir, isTransitive = false, dangerouslyNoTankProxy } = options;
 	const config = getConfig(configDir);
 	const resolvedHome = homedir ?? os.homedir();
 	const requestHeaders = { "User-Agent": USER_AGENT };
@@ -9551,7 +9870,8 @@ async function installCommand(options) {
 			rootSkillNames: [name],
 			projectPermissions,
 			auditMinScore,
-			spinner
+			spinner,
+			...dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
 		});
 		if (!global && !isTransitive) {
 			const skills = skillsJson.skills ?? {};
@@ -9566,7 +9886,7 @@ async function installCommand(options) {
 	}
 }
 async function installFromLockfile(options) {
-	const { directory = process.cwd(), configDir, global = false, homedir } = options;
+	const { directory = process.cwd(), configDir, global = false, homedir, dangerouslyNoTankProxy } = options;
 	const resolvedHome = homedir ?? os.homedir();
 	const config = getConfig(configDir);
 	const requestHeaders = { "User-Agent": USER_AGENT };
@@ -9593,42 +9913,46 @@ async function installFromLockfile(options) {
 			const skillName = parseLockKey$2(key);
 			const version = parseVersionFromLockKey(key);
 			spinner.text = `Installing ${key}...`;
-			const encodedName = encodeURIComponent(skillName);
-			const metaUrl = `${config.registry}/api/v1/skills/${encodedName}/${version}`;
-			let metaRes;
-			try {
-				metaRes = await fetch(metaUrl, { headers: requestHeaders });
-			} catch (err) {
-				throw new Error(`Network error fetching ${key}: ${err instanceof Error ? err.message : String(err)}`);
-			}
-			if (!metaRes.ok) {
-				if (metaRes.status === 404) throw new Error(`Skill or version not found: ${key}`);
-				const body = await metaRes.json().catch(() => null);
-				throw new Error(`Failed to fetch ${key}: ${body?.error ?? metaRes.statusText}`);
-			}
-			const downloadUrl = (await metaRes.json()).downloadUrl;
-			const downloadRes = await fetch(downloadUrl);
-			if (!downloadRes.ok) throw new Error(`Failed to download ${key}: ${downloadRes.status} ${downloadRes.statusText}`);
-			const tarballBuffer = Buffer.from(await downloadRes.arrayBuffer());
-			const computedIntegrity = buildIntegrity(tarballBuffer);
-			if (computedIntegrity !== entry.integrity) throw new Error(`Integrity mismatch for ${key}. Expected: ${entry.integrity}, Got: ${computedIntegrity}`);
 			const extractDir = global ? getGlobalExtractDir(resolvedHome, skillName) : getExtractDir$1(directory, skillName);
-			if (fs.existsSync(extractDir)) fs.rmSync(extractDir, {
-				recursive: true,
-				force: true
-			});
-			fs.mkdirSync(extractDir, { recursive: true });
-			await extractSafely(tarballBuffer, extractDir);
-			if (global) try {
+			if (!fs.existsSync(path.join(extractDir, "tank.json"))) {
+				const encodedName = encodeURIComponent(skillName);
+				const metaUrl = `${config.registry}/api/v1/skills/${encodedName}/${version}`;
+				let metaRes;
+				try {
+					metaRes = await fetch(metaUrl, { headers: requestHeaders });
+				} catch (err) {
+					throw new Error(`Network error fetching ${key}: ${err instanceof Error ? err.message : String(err)}`);
+				}
+				if (!metaRes.ok) {
+					if (metaRes.status === 404) throw new Error(`Skill or version not found: ${key}`);
+					const body = await metaRes.json().catch(() => null);
+					throw new Error(`Failed to fetch ${key}: ${body?.error ?? metaRes.statusText}`);
+				}
+				const downloadUrl = (await metaRes.json()).downloadUrl;
+				const downloadRes = await fetch(downloadUrl);
+				if (!downloadRes.ok) throw new Error(`Failed to download ${key}: ${downloadRes.status} ${downloadRes.statusText}`);
+				const tarballBuffer = Buffer.from(await downloadRes.arrayBuffer());
+				const computedIntegrity = buildIntegrity(tarballBuffer);
+				if (computedIntegrity !== entry.integrity) throw new Error(`Integrity mismatch for ${key}. Expected: ${entry.integrity}, Got: ${computedIntegrity}`);
+				if (fs.existsSync(extractDir)) fs.rmSync(extractDir, {
+					recursive: true,
+					force: true
+				});
+				fs.mkdirSync(extractDir, { recursive: true });
+				await extractSafely(tarballBuffer, extractDir);
+			}
+			try {
+				const agentSkillsBaseDir = global ? getGlobalAgentSkillsDir(resolvedHome) : path.join(directory, ".tank", "agent-skills");
+				const linksDir = global ? path.join(resolvedHome, ".tank") : path.join(directory, ".tank");
 				const linkResult = linkSkillToAgents({
 					skillName,
 					sourceDir: prepareAgentSkillDir({
 						skillName,
 						extractDir,
-						agentSkillsBaseDir: getGlobalAgentSkillsDir(resolvedHome)
+						agentSkillsBaseDir
 					}),
-					linksDir: path.join(resolvedHome, ".tank"),
-					source: "global",
+					linksDir,
+					source: global ? "global" : "local",
 					homedir
 				});
 				if (detectInstalledAgents(homedir).length === 0) logger.warn("No agents detected for linking");
@@ -9637,6 +9961,12 @@ async function installFromLockfile(options) {
 			} catch {
 				logger.warn("Agent linking skipped (non-fatal)");
 			}
+			wrapMcpServerForSkill({
+				skillName,
+				extractDir,
+				...homedir !== void 0 ? { homedir } : {},
+				...dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
+			});
 		}
 		spinner.succeed(`Installed ${entries.length} skill${entries.length === 1 ? "" : "s"} from lockfile`);
 	} catch (err) {
@@ -9649,7 +9979,7 @@ async function installFromLockfile(options) {
 	}
 }
 async function installAll(options) {
-	const { directory = process.cwd(), configDir, global = false, homedir } = options;
+	const { directory = process.cwd(), configDir, global = false, homedir, dangerouslyNoTankProxy } = options;
 	const resolvedHome = homedir ?? os.homedir();
 	const config = getConfig(configDir);
 	const requestHeaders = { "User-Agent": USER_AGENT };
@@ -9662,7 +9992,8 @@ async function installAll(options) {
 		directory,
 		configDir,
 		global,
-		homedir
+		homedir,
+		...dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
 	});
 	if (global) {
 		logger.info(`No ${LOCKFILE_FILENAME} found — nothing to install`);
@@ -9704,7 +10035,8 @@ async function installAll(options) {
 			rootSkillNames: skillEntries.map(([skillName]) => skillName),
 			projectPermissions,
 			auditMinScore,
-			spinner
+			spinner,
+			...dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
 		});
 		spinner.succeed(`Installed ${skillEntries.length} root skill${skillEntries.length === 1 ? "" : "s"}`);
 	} catch (err) {
@@ -9757,7 +10089,7 @@ function readManifestFromDir(dir) {
 	return null;
 }
 async function installFromUrl(url, options) {
-	const { global = false, yes = false } = options;
+	const { global = false, yes = false, dangerouslyNoTankProxy } = options;
 	const resolvedHome = os.homedir();
 	const directory = process.cwd();
 	const spinner = ora(`Fetching from URL...`).start();
@@ -9778,13 +10110,16 @@ async function installFromUrl(url, options) {
 		process.exit(1);
 	}
 	try {
-		const scanResult = await scanUrl(url);
-		displayScanResults(scanResult);
-		const enforcement = await enforceVerdict(scanResult, { yes });
-		if (!enforcement.allowed) {
-			spinner.fail(enforcement.reason ?? "Install blocked by security scan");
-			await fetchResult.cleanup();
-			process.exit(1);
+		let scanResult = null;
+		if (!url.startsWith("file://")) {
+			scanResult = await scanUrl(url);
+			displayScanResults(scanResult);
+			const enforcement = await enforceVerdict(scanResult, { yes });
+			if (!enforcement.allowed) {
+				spinner.fail(enforcement.reason ?? "Install blocked by security scan");
+				await fetchResult.cleanup();
+				process.exit(1);
+			}
 		}
 		const skillMdPath = path.join(fetchResult.localPath, "SKILL.md");
 		if (!fs.existsSync(skillMdPath)) throw new Error("No SKILL.md found. This doesn't appear to be a valid skill.");
@@ -9816,12 +10151,12 @@ async function installFromUrl(url, options) {
 		const lockKey = `${skillName}@${skillVersion}`;
 		const skillPermissions = existingManifest?.permissions ?? {};
 		lock.skills[lockKey] = {
-			resolved: url.startsWith("http") ? url : `https://${url}`,
+			resolved: url.startsWith("http") ? url : url.startsWith("file://") ? url : `https://${url}`,
 			integrity,
 			permissions: skillPermissions,
-			audit_score: scanResult.auditScore ?? null,
+			audit_score: scanResult?.auditScore ?? null,
 			source: mapSourceType(fetchResult.sourceType),
-			scan_verdict: scanResult.verdict,
+			scan_verdict: scanResult?.verdict ?? "pass",
 			scanned_at: (/* @__PURE__ */ new Date()).toISOString()
 		};
 		lock.lockfileVersion = 2;
@@ -9848,6 +10183,11 @@ async function installFromUrl(url, options) {
 			logger.warn("Agent linking skipped (non-fatal)");
 		}
 		if (detectInstalledAgents().length === 0) logger.warn("No agents detected for linking");
+		wrapMcpServerForSkill({
+			skillName,
+			extractDir: installDir,
+			...dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
+		});
 		await fetchResult.cleanup();
 		spinner.succeed(`Installed ${skillName} from ${fetchResult.sourceType}`);
 		if (linkedAgents.length > 0) logger.info(`Linked to ${linkedAgents.join(", ")}`);
@@ -10211,6 +10551,30 @@ async function permissionsCommand(options) {
 	}
 }
 //#endregion
+//#region src/commands/proxy.ts
+const PROXY_MODULE = "@tankpkg/proxy";
+async function proxyCommand(options) {
+	if (!options.command || options.command.length === 0) throw new Error("tank proxy: missing child command (usage: tank proxy -- <command> [args...])");
+	const { startProxy } = await import(PROXY_MODULE);
+	if (options.verbose) console.error(chalk.dim(`[tank proxy] spawning: ${options.command} ${options.args.join(" ")}`));
+	const startOptions = {
+		command: options.command,
+		args: options.args
+	};
+	if (options.auditPath !== void 0) startOptions.auditPath = options.auditPath;
+	if (options.enableMl === true) startOptions.enableMl = true;
+	const handle = await startProxy(startOptions);
+	const forwardSignal = (signal) => {
+		try {
+			handle.kill(signal);
+		} catch {}
+	};
+	process.on("SIGINT", () => forwardSignal("SIGINT"));
+	process.on("SIGTERM", () => forwardSignal("SIGTERM"));
+	const code = await handle.exitCode;
+	process.exit(code);
+}
+//#endregion
 //#region src/lib/packer.ts
 const MAX_PACKAGE_SIZE = 50 * 1024 * 1024;
 const MAX_FILE_COUNT = 1e3;
@@ -10892,6 +11256,11 @@ function scoreColor(score) {
 	if (score >= 4) return chalk.yellow;
 	return chalk.red;
 }
+function formatScore(score) {
+	if (score == null || !Number.isFinite(score)) return chalk.dim(padRight("N/A", 8));
+	const scoreStr = Number.isInteger(score) ? score.toFixed(1) : String(score);
+	return scoreColor(score)(padRight(scoreStr, 8));
+}
 function truncate(text, maxLen) {
 	if (text.length <= maxLen) return text;
 	return `${text.slice(0, maxLen - 3)}...`;
@@ -10924,9 +11293,8 @@ async function searchCommand(options) {
 	console.log(`${padRight("NAME", 30) + padRight("VERSION", 10) + padRight("SCORE", 8)}DESCRIPTION`);
 	for (const result of data.results) {
 		const name = chalk.bold(padRight(result.name, 30));
-		const version = padRight(result.latestVersion, 10);
-		const scoreStr = Number.isInteger(result.auditScore) ? result.auditScore.toFixed(1) : String(result.auditScore);
-		const score = scoreColor(result.auditScore)(padRight(scoreStr, 8));
+		const version = padRight(result.latestVersion ?? "-", 10);
+		const score = formatScore(result.auditScore);
 		const desc = truncate(result.description ?? "", MAX_DESC_LENGTH);
 		console.log(`${name}${version}${score}${desc}`);
 	}
@@ -11509,18 +11877,23 @@ program.command("publish").alias("pub").description("Pack and publish a skill to
 		process.exit(1);
 	}
 });
-program.command("install").alias("i").description("Install a skill from the Tank registry, a URL, or all skills from lockfile").argument("[name]", "Skill name or URL (e.g., @org/skill-name or https://github.com/owner/repo). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept flagged scan verdicts").action(async (name, versionRange, opts) => {
+program.command("install").alias("i").description("Install a skill from the Tank registry, a URL, or all skills from lockfile").argument("[name]", "Skill name or URL (e.g., @org/skill-name or https://github.com/owner/repo). Omit to install from lockfile.").argument("[version-range]", "Semver range (default: *)", "*").option("-g, --global", "Install skill globally (available to all projects)").option("-y, --yes", "Auto-accept flagged scan verdicts").option("--dangerously-no-tank-proxy", "Skip wrapping MCP servers with the tank proxy (no scanning, no enforcement)").action(async (name, versionRange, opts) => {
 	try {
 		if (name && isUrl(name)) await installFromUrl(name, {
 			global: opts.global,
-			yes: opts.yes
+			yes: opts.yes,
+			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
 		});
 		else if (name) await installCommand({
 			name,
 			versionRange,
-			global: opts.global
+			global: opts.global,
+			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
+		});
+		else await installAll({
+			global: opts.global,
+			...opts.dangerouslyNoTankProxy ? { dangerouslyNoTankProxy: true } : {}
 		});
-		else await installAll({ global: opts.global });
 	} catch (err) {
 		const msg = err instanceof Error ? err.message : String(err);
 		console.error(`Install failed: ${msg}`);
@@ -11610,6 +11983,42 @@ program.command("run").description("Launch an agent with credential protection (
 		process.exit(1);
 	}
 });
+program.command("proxy").description("Transparent MCP proxy — wraps an MCP server with runtime enforcement").argument("[command]", "Child MCP server command to wrap (omit when using --reset-pins, --remote, or download-ml-model)").allowUnknownOption(true).allowExcessArguments(true).option("--audit-path <path>", "JSONL audit log path (default: ~/.tank/proxy/audit.jsonl)").option("--reset-pins", "Delete all rug-pull schema pins under ~/.tank/proxy/pins/ and continue").option("--remote <url>", "Connect to a remote MCP server over SSE/HTTP instead of spawning a child").option("--requires-auth", "Require TANK_MCP_AUTH_<SLUG> env var before connecting to the remote").option("--enable-ml", "Enable the opt-in ML-based prompt-injection classifier (requires ~500MB model; run `tank proxy download-ml-model` first)").option("--verbose", "Print proxy diagnostic details to stderr").action(async (command, opts, cmd) => {
+	try {
+		if (command === "download-ml-model") {
+			const { proxyDownloadMlCommand } = await import("../proxy-download-ml-DUk7ehNs.js");
+			const downloadOpts = {};
+			if (process.argv.includes("--yes") || process.argv.includes("-y")) downloadOpts.yes = true;
+			await proxyDownloadMlCommand(downloadOpts);
+			return;
+		}
+		if (opts.resetPins) {
+			const { proxyResetPinsCommand } = await import("../proxy-reset-pins-CfEbaL-F.js");
+			proxyResetPinsCommand();
+		}
+		if (opts.remote) {
+			const { proxyRemoteCommand } = await import("../proxy-remote-CCemokkz.js");
+			await proxyRemoteCommand({
+				url: opts.remote,
+				requiresAuth: opts.requiresAuth === true
+			});
+			return;
+		}
+		if (!command) return;
+		const proxyOpts = {
+			command,
+			args: cmd.args.slice(1)
+		};
+		if (opts.auditPath !== void 0) proxyOpts.auditPath = opts.auditPath;
+		if (opts.verbose !== void 0) proxyOpts.verbose = opts.verbose;
+		if (opts.enableMl === true) proxyOpts.enableMl = true;
+		await proxyCommand(proxyOpts);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		console.error(`Proxy failed: ${msg}`);
+		process.exit(1);
+	}
+});
 program.command("scan").description("Scan a local skill for security issues without publishing").option("-d, --directory <path>", "Directory to scan (default: current directory)").action(async (opts) => {
 	try {
 		await scanCommand({ directory: opts.directory });