@tankpkg/cli 0.5.0 → 0.6.1

package/dist/commands/install.js

@@ -1,9 +1,8 @@
+import crypto from 'node:crypto';
 import fs from 'node:fs';
 import path from 'node:path';
-import crypto from 'node:crypto';
 import os from 'node:os';
 import ora from 'ora';
-import { extract } from 'tar';
 import { resolve, LOCKFILE_VERSION } from '@tank/shared';
 import { getConfig } from '../lib/config.js';
 import { logger } from '../lib/logger.js';
@@ -11,241 +10,323 @@ import { prepareAgentSkillDir } from '../lib/frontmatter.js';
 import { linkSkillToAgents } from '../lib/linker.js';
 import { detectInstalledAgents, getGlobalSkillsDir, getGlobalAgentSkillsDir } from '../lib/agents.js';
 import { USER_AGENT } from '../version.js';
-const MAX_UNCOMPRESSED_SIZE = 100 * 1024 * 1024; // 100MB
-/**
- * Install a skill from the Tank registry.
- *
- * Flow:
- * 1. Read skills.json from directory (must exist)
- * 2. Fetch available versions
- * 3. Resolve best version using semver
- * 4. Check if already installed (skip if same version in lockfile)
- * 5. Fetch version metadata + download URL
- * 6. Check permission budget
- * 7. Download tarball
- * 8. Verify integrity (sha512)
- * 9. Extract tarball safely
- * 10. Update skills.json
- * 11. Update skills.lock
- */
-export async function installCommand(options) {
-    const { name, versionRange = '*', directory = process.cwd(), configDir, global = false, homedir, } = options;
-    const config = getConfig(configDir);
-    const resolvedHome = homedir ?? os.homedir();
-    const requestHeaders = { 'User-Agent': USER_AGENT };
-    if (config.token) {
-        requestHeaders.Authorization = `Bearer ${config.token}`;
-    }
-    // 1. Read or create skills.json
-    const skillsJsonPath = path.join(directory, 'skills.json');
-    let skillsJson = { skills: {} };
-    if (!global) {
-        if (!fs.existsSync(skillsJsonPath)) {
-            skillsJson = { skills: {} };
-            fs.writeFileSync(skillsJsonPath, JSON.stringify(skillsJson, null, 2) + '\n');
-            logger.info('Created skills.json');
-        }
-        else {
+import { resolveDependencyTree, buildSkillKey, } from '../lib/dependency-resolver.js';
+import { checkPermissionBudget } from '../lib/permission-checker.js';
+import { downloadAllParallel, extractSafely, getExtractDir, getGlobalExtractDir, getResolvedNodesInOrder, parseLockKey, parseVersionFromLockKey, readExtractedDependencies, verifyExtractedDependencies, writeLockfileWithResolvedGraph, } from '../lib/install-pipeline.js';
+function createRegistryFetcher(registry, headers) {
+    const versionsCache = new Map();
+    const metadataCache = new Map();
+    return {
+        async fetchVersions(name) {
+            const cached = versionsCache.get(name);
+            if (cached) {
+                return cached;
+            }
+            const encoded = encodeURIComponent(name);
+            let res;
             try {
-                const raw = fs.readFileSync(skillsJsonPath, 'utf-8');
-                skillsJson = JSON.parse(raw);
+                res = await fetch(`${registry}/api/v1/skills/${encoded}/versions`, { headers });
             }
-            catch {
-                throw new Error('Failed to read or parse skills.json');
+            catch (err) {
+                throw new Error(`Network error fetching versions: ${err instanceof Error ? err.message : String(err)}`);
             }
-        }
-    }
-    // Read existing lockfile if present
-    const lockPath = global
-        ? path.join(resolvedHome, '.tank', 'skills.lock')
-        : path.join(directory, 'skills.lock');
-    let lock = { lockfileVersion: LOCKFILE_VERSION, skills: {} };
-    if (fs.existsSync(lockPath)) {
-        try {
-            const raw = fs.readFileSync(lockPath, 'utf-8');
-            lock = JSON.parse(raw);
-        }
-        catch {
-            // If lockfile is corrupt, start fresh
-            lock = { lockfileVersion: LOCKFILE_VERSION, skills: {} };
-        }
-    }
-    const spinner = ora('Resolving versions...').start();
-    // 2. Fetch available versions
-    const encodedName = encodeURIComponent(name);
-    const versionsUrl = `${config.registry}/api/v1/skills/${encodedName}/versions`;
-    let versionsRes;
+            if (!res.ok) {
+                if (res.status === 403)
+                    throw new Error('Token lacks required scope: skills:read');
+                if (res.status === 404)
+                    throw new Error(`Skill not found or no access: ${name}`);
+                const body = await res.json().catch(() => ({}));
+                throw new Error(body.error ?? res.statusText);
+            }
+            const data = await res.json();
+            versionsCache.set(name, data.versions);
+            return data.versions;
+        },
+        async fetchMetadata(name, version) {
+            const cacheKey = buildSkillKey(name, version);
+            const cached = metadataCache.get(cacheKey);
+            if (cached) {
+                return cached;
+            }
+            const encoded = encodeURIComponent(name);
+            let res;
+            try {
+                res = await fetch(`${registry}/api/v1/skills/${encoded}/${version}`, { headers });
+            }
+            catch (err) {
+                throw new Error(`Network error fetching metadata: ${err instanceof Error ? err.message : String(err)}`);
+            }
+            if (!res.ok) {
+                if (res.status === 403)
+                    throw new Error('Token lacks required scope: skills:read');
+                if (res.status === 404)
+                    throw new Error(`Skill not found or no access: ${name}@${version}`);
+                const body = await res.json().catch(() => ({}));
+                throw new Error(body.error ?? res.statusText);
+            }
+            const data = await res.json();
+            const normalized = {
+                ...data,
+                dependencies: data.dependencies ?? {},
+            };
+            metadataCache.set(cacheKey, normalized);
+            return normalized;
+        },
+    };
+}
+function readSkillsJson(skillsJsonPath) {
     try {
-        versionsRes = await fetch(versionsUrl, {
-            headers: requestHeaders,
-        });
-    }
-    catch (err) {
-        spinner.fail('Failed to fetch versions');
-        throw new Error(`Network error fetching versions: ${err instanceof Error ? err.message : String(err)}`);
+        const raw = fs.readFileSync(skillsJsonPath, 'utf-8');
+        return JSON.parse(raw);
     }
-    if (!versionsRes.ok) {
-        spinner.fail('Failed to fetch versions');
-        if (versionsRes.status === 403) {
-            throw new Error('Token lacks required scope: skills:read');
-        }
-        if (versionsRes.status === 404) {
-            throw new Error(`Skill not found or no access: ${name}`);
-        }
-        const body = await versionsRes.json().catch(() => ({}));
-        throw new Error(body.error ?? versionsRes.statusText);
+    catch {
+        throw new Error('Failed to read or parse skills.json');
     }
-    const versionsData = await versionsRes.json();
-    const availableVersions = versionsData.versions.map((v) => v.version);
-    // 3. Resolve best version
-    const resolved = resolve(versionRange, availableVersions);
-    if (!resolved) {
-        spinner.fail('Version resolution failed');
-        throw new Error(`No version of ${name} satisfies range "${versionRange}". Available: ${availableVersions.join(', ')}`);
+}
+function readOrCreateSkillsJson(skillsJsonPath) {
+    if (!fs.existsSync(skillsJsonPath)) {
+        const skillsJson = { skills: {} };
+        fs.writeFileSync(skillsJsonPath, JSON.stringify(skillsJson, null, 2) + '\n');
+        logger.info('Created skills.json');
+        return skillsJson;
     }
-    // 4. Check if already installed
-    const lockKey = `${name}@${resolved}`;
-    if (lock.skills[lockKey]) {
-        spinner.stop();
-        logger.info(`${name}@${resolved} is already installed`);
-        return;
+    return readSkillsJson(skillsJsonPath);
+}
+function readLockOrFresh(lockPath) {
+    if (!fs.existsSync(lockPath)) {
+        return { lockfileVersion: LOCKFILE_VERSION, skills: {} };
     }
-    // 5. Fetch version metadata
-    spinner.text = `Fetching ${name}@${resolved}...`;
-    const metaUrl = `${config.registry}/api/v1/skills/${encodedName}/${resolved}`;
-    let metaRes;
     try {
-        metaRes = await fetch(metaUrl, {
-            headers: requestHeaders,
-        });
+        const raw = fs.readFileSync(lockPath, 'utf-8');
+        return JSON.parse(raw);
     }
-    catch (err) {
-        spinner.fail('Failed to fetch version metadata');
-        throw new Error(`Network error fetching metadata: ${err instanceof Error ? err.message : String(err)}`);
+    catch {
+        return { lockfileVersion: LOCKFILE_VERSION, skills: {} };
+    }
+}
+function buildLockedVersionByName(lock) {
+    const lockedVersionByName = new Map();
+    for (const key of Object.keys(lock.skills)) {
+        lockedVersionByName.set(parseLockKey(key), parseVersionFromLockKey(key));
+    }
+    return lockedVersionByName;
+}
+function createExtractDirResolver(directory, global, resolvedHome) {
+    return (skillName) => (global ? getGlobalExtractDir(resolvedHome, skillName) : getExtractDir(directory, skillName));
+}
+function validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore) {
+    if (!projectPermissions) {
+        logger.warn('No permission budget defined in skills.json. Install proceeding without permission checks.');
     }
-    if (!metaRes.ok) {
-        spinner.fail('Failed to fetch version metadata');
-        if (metaRes.status === 403) {
-            throw new Error('Token lacks required scope: skills:read');
+    for (const node of resolvedNodes) {
+        if (projectPermissions) {
+            checkPermissionBudget(projectPermissions, node.meta.permissions, node.name);
         }
-        if (metaRes.status === 404) {
-            throw new Error(`Skill not found or no access: ${name}@${resolved}`);
+        if (auditMinScore !== undefined) {
+            if (node.meta.auditScore === null || node.meta.auditScore === undefined) {
+                logger.warn(`Audit score not yet available for ${node.name}. Install proceeding without audit score check.`);
+            }
+            else if (node.meta.auditScore < auditMinScore) {
+                throw new Error(`Audit score ${node.meta.auditScore} for ${node.name} is below minimum threshold ${auditMinScore} defined in skills.json`);
+            }
         }
-        const body = await metaRes.json().catch(() => ({}));
-        throw new Error(body.error ?? metaRes.statusText);
     }
-    const metadata = await metaRes.json();
-    // 6. Check permission budget
-    const projectPermissions = global ? undefined : skillsJson.permissions;
-    const skillPermissions = metadata.permissions;
-    if (!global) {
-        if (!projectPermissions) {
-            logger.warn('No permission budget defined in skills.json. Install proceeding without permission checks.');
+}
+async function runLegacyFallback(options) {
+    const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, configDir, global, homedir } = options;
+    for (const skillName of rootSkillNames) {
+        const node = resolvedNodeByName.get(skillName);
+        if (!node || Object.keys(node.meta.dependencies).length > 0) {
+            continue;
         }
-        else {
-            checkPermissionBudget(projectPermissions, skillPermissions, name);
+        const extractedDeps = readExtractedDependencies(extractDirForSkill(skillName));
+        for (const [depName, depRange] of Object.entries(extractedDeps)) {
+            if (depName === skillName) {
+                continue;
+            }
+            await installCommand({
+                name: depName,
+                versionRange: depRange,
+                directory,
+                configDir,
+                global,
+                homedir,
+                isTransitive: true,
+            });
         }
     }
-    // 6.5. Check audit score threshold
-    const auditMinScore = global ? undefined : skillsJson.audit?.min_score;
-    if (!global && auditMinScore !== undefined) {
-        if (metadata.auditScore === null || metadata.auditScore === undefined) {
-            logger.warn(`Audit score not yet available for ${name}. Install proceeding without audit score check.`);
+}
+function linkInstalledRoots(options) {
+    const { rootSkillNames, resolvedNodeByName, extractDirForSkill, directory, global, resolvedHome, homedir } = options;
+    const agentSkillsBaseDir = global
+        ? getGlobalAgentSkillsDir(resolvedHome)
+        : path.join(directory, '.tank', 'agent-skills');
+    const linksDir = global ? path.join(resolvedHome, '.tank') : path.join(directory, '.tank');
+    for (const skillName of rootSkillNames) {
+        try {
+            const node = resolvedNodeByName.get(skillName);
+            if (!node) {
+                continue;
+            }
+            const agentSkillDir = prepareAgentSkillDir({
+                skillName,
+                extractDir: extractDirForSkill(skillName),
+                agentSkillsBaseDir,
+                description: node.meta.description,
+            });
+            const linkResult = linkSkillToAgents({
+                skillName,
+                sourceDir: agentSkillDir,
+                linksDir,
+                source: global ? 'global' : 'local',
+                homedir,
+            });
+            if (linkResult.linked.length > 0) {
+                logger.info(`Linked to ${linkResult.linked.length} agent(s)`);
+            }
+            if (linkResult.failed.length > 0) {
+                for (const failedLink of linkResult.failed) {
+                    logger.warn(`Failed to link to ${failedLink.agentId}: ${failedLink.error}`);
+                }
+            }
         }
-        else if (metadata.auditScore < auditMinScore) {
-            throw new Error(`Audit score ${metadata.auditScore} for ${name} is below minimum threshold ${auditMinScore} defined in skills.json`);
+        catch {
+            if (rootSkillNames.length === 1) {
+                logger.warn('Agent linking skipped (non-fatal)');
+            }
+            else {
+                logger.warn(`Agent linking skipped for ${skillName} (non-fatal)`);
+            }
         }
     }
-    // 7. Download tarball
-    spinner.text = `Downloading ${name}@${resolved}...`;
-    let downloadRes;
-    try {
-        downloadRes = await fetch(metadata.downloadUrl);
-    }
-    catch (err) {
-        spinner.fail('Download failed');
-        throw new Error(`Network error downloading tarball: ${err instanceof Error ? err.message : String(err)}`);
-    }
-    if (!downloadRes.ok) {
-        spinner.fail('Download failed');
-        throw new Error(`Failed to download tarball: ${downloadRes.status} ${downloadRes.statusText}`);
+    const detectedAgents = detectInstalledAgents(homedir);
+    if (detectedAgents.length === 0) {
+        logger.warn('No agents detected for linking');
     }
-    const tarballBuffer = Buffer.from(await downloadRes.arrayBuffer());
-    // 8. Verify integrity
-    spinner.text = 'Verifying integrity...';
-    const hash = crypto.createHash('sha512').update(tarballBuffer).digest('base64');
-    const computedIntegrity = `sha512-${hash}`;
-    if (computedIntegrity !== metadata.integrity) {
-        spinner.fail('Integrity check failed');
-        throw new Error(`Integrity mismatch for ${name}@${resolved}. Expected: ${metadata.integrity}, Got: ${computedIntegrity}`);
-    }
-    // 9. Extract tarball safely
-    spinner.text = `Extracting ${name}@${resolved}...`;
-    const extractDir = global
-        ? getGlobalExtractDir(resolvedHome, name)
-        : getExtractDir(directory, name);
-    // Create extraction directory
-    fs.mkdirSync(extractDir, { recursive: true });
-    // Extract with safety checks
-    await extractSafely(tarballBuffer, extractDir);
-    // 10. Update skills.json
+}
+async function executeInstallPipeline(options) {
+    const { directory, configDir, global, homedir, resolvedHome, lock, lockPath, resolvedNodes, nodesToInstall, rootSkillNames, projectPermissions, auditMinScore, spinner, } = options;
     if (!global) {
-        const skills = (skillsJson.skills ?? {});
-        // Use the provided range if explicit, otherwise use ^{resolved}
-        skills[name] = versionRange === '*' ? `^${resolved}` : versionRange;
-        skillsJson.skills = skills;
-        fs.writeFileSync(skillsJsonPath, JSON.stringify(skillsJson, null, 2) + '\n');
-    }
-    // 11. Update skills.lock
-    lock.skills[lockKey] = {
-        resolved: metadata.downloadUrl,
-        integrity: computedIntegrity,
-        permissions: skillPermissions ?? {},
-        audit_score: metadata.auditScore ?? null,
-    };
-    // Sort keys alphabetically
-    const sortedSkills = {};
-    for (const key of Object.keys(lock.skills).sort()) {
-        sortedSkills[key] = lock.skills[key];
-    }
-    lock.skills = sortedSkills;
+        validateResolvedNodes(resolvedNodes, projectPermissions, auditMinScore);
+    }
+    const extractDirForSkill = createExtractDirResolver(directory, global, resolvedHome);
+    const resolvedNodeByName = new Map(resolvedNodes.map((node) => [node.name, node]));
+    const downloaded = await downloadAllParallel(nodesToInstall, spinner);
+    for (const node of nodesToInstall) {
+        const payload = downloaded.get(node.name);
+        if (!payload) {
+            throw new Error(`Missing downloaded tarball for ${node.name}@${node.version}`);
+        }
+        spinner.text = `Extracting ${node.name}@${node.version}...`;
+        const extractDir = extractDirForSkill(node.name);
+        fs.mkdirSync(extractDir, { recursive: true });
+        await extractSafely(payload.buffer, extractDir);
+        verifyExtractedDependencies(extractDir, node);
+    }
+    lock.lockfileVersion = LOCKFILE_VERSION;
+    const updatedLock = writeLockfileWithResolvedGraph(lock, resolvedNodes, downloaded);
     fs.mkdirSync(path.dirname(lockPath), { recursive: true });
-    fs.writeFileSync(lockPath, JSON.stringify(lock, null, 2) + '\n');
-    // 12. Agent linking (always-on, failures are warnings)
+    fs.writeFileSync(lockPath, JSON.stringify(updatedLock, null, 2) + '\n');
+    await runLegacyFallback({
+        rootSkillNames,
+        resolvedNodeByName,
+        extractDirForSkill,
+        directory,
+        configDir,
+        global,
+        homedir,
+    });
+    linkInstalledRoots({
+        rootSkillNames,
+        resolvedNodeByName,
+        extractDirForSkill,
+        directory,
+        global,
+        resolvedHome,
+        homedir,
+    });
+    return updatedLock;
+}
+export async function installCommand(options) {
+    const { name, versionRange = '*', directory = process.cwd(), configDir, global = false, homedir, isTransitive = false, } = options;
+    const config = getConfig(configDir);
+    const resolvedHome = homedir ?? os.homedir();
+    const requestHeaders = { 'User-Agent': USER_AGENT };
+    if (config.token) {
+        requestHeaders.Authorization = `Bearer ${config.token}`;
+    }
+    const skillsJsonPath = path.join(directory, 'skills.json');
+    const skillsJson = global ? { skills: {} } : readOrCreateSkillsJson(skillsJsonPath);
+    const lockPath = global
+        ? path.join(resolvedHome, '.tank', 'skills.lock')
+        : path.join(directory, 'skills.lock');
+    const lock = readLockOrFresh(lockPath);
+    const spinner = ora('Resolving dependency graph...').start();
     try {
-        const agentSkillsBaseDir = global
-            ? getGlobalAgentSkillsDir(resolvedHome)
-            : path.join(directory, '.tank', 'agent-skills');
-        const agentSkillDir = prepareAgentSkillDir({
-            skillName: name,
-            extractDir,
-            agentSkillsBaseDir,
-            description: metadata.description,
-        });
-        const linkResult = linkSkillToAgents({
-            skillName: name,
-            sourceDir: agentSkillDir,
-            linksDir: global ? path.join(resolvedHome, '.tank') : path.join(directory, '.tank'),
-            source: global ? 'global' : 'local',
-            homedir: options.homedir,
-        });
-        const detectedAgents = detectInstalledAgents(options.homedir);
-        if (detectedAgents.length === 0) {
-            logger.warn('No agents detected for linking');
+        const fetcher = createRegistryFetcher(config.registry, requestHeaders);
+        const requestedVersions = await fetcher.fetchVersions(name);
+        const requestedAvailableVersions = requestedVersions.map((versionInfo) => versionInfo.version);
+        const requestedResolvedVersion = resolve(versionRange, requestedAvailableVersions);
+        if (!requestedResolvedVersion) {
+            throw new Error(`No version of ${name} satisfies range "${versionRange}". Available: ${requestedAvailableVersions.join(', ')}`);
         }
-        if (linkResult.linked.length > 0) {
-            logger.info(`Linked to ${linkResult.linked.length} agent(s)`);
+        const requestedLockKey = buildSkillKey(name, requestedResolvedVersion);
+        if (lock.skills[requestedLockKey]) {
+            logger.info(`${name}@${requestedResolvedVersion} is already installed`);
+            spinner.succeed(`${name}@${requestedResolvedVersion} is already installed`);
+            return;
         }
-        if (linkResult.failed.length > 0) {
-            for (const f of linkResult.failed) {
-                logger.warn(`Failed to link to ${f.agentId}: ${f.error}`);
+        const rootDependencies = {};
+        if (!global && !isTransitive) {
+            const existingSkills = (skillsJson.skills ?? {});
+            const lockedVersionByName = buildLockedVersionByName(lock);
+            for (const [skillName, range] of Object.entries(existingSkills)) {
+                if (typeof range !== 'string') {
+                    continue;
+                }
+                rootDependencies[skillName] = lockedVersionByName.get(skillName) ?? range;
             }
         }
+        rootDependencies[name] = versionRange;
+        const resolvedGraph = await resolveDependencyTree(rootDependencies, fetcher);
+        const resolvedNodes = getResolvedNodesInOrder(resolvedGraph.nodes, resolvedGraph.installOrder);
+        const rootNode = resolvedGraph.nodes.get(name);
+        if (!rootNode) {
+            throw new Error(`Failed to resolve requested skill: ${name}`);
+        }
+        const nodesToInstall = resolvedNodes.filter((node) => {
+            const lockKey = buildSkillKey(node.name, node.version);
+            return !lock.skills[lockKey];
+        });
+        const projectPermissions = global ? undefined : skillsJson.permissions;
+        const auditMinScore = global ? undefined : skillsJson.audit?.min_score;
+        await executeInstallPipeline({
+            directory,
+            configDir,
+            global,
+            homedir,
+            resolvedHome,
+            lock,
+            lockPath,
+            resolvedNodes,
+            nodesToInstall,
+            rootSkillNames: [name],
+            projectPermissions,
+            auditMinScore,
+            spinner,
+        });
+        if (!global && !isTransitive) {
+            const skills = (skillsJson.skills ?? {});
+            skills[name] = versionRange === '*' ? `^${rootNode.version}` : versionRange;
+            skillsJson.skills = skills;
+            fs.writeFileSync(skillsJsonPath, JSON.stringify(skillsJson, null, 2) + '\n');
+        }
+        spinner.succeed(`Installed ${name}@${rootNode.version}`);
     }
-    catch {
-        logger.warn('Agent linking skipped (non-fatal)');
+    catch (err) {
+        spinner.fail('Install failed');
+        throw err;
     }
-    spinner.succeed(`Installed ${name}@${resolved}`);
 }
 export async function installFromLockfile(options) {
     const { directory = process.cwd(), configDir, global = false, homedir } = options;
@@ -283,7 +364,6 @@ export async function installFromLockfile(options) {
             const skillName = parseLockKey(key);
             const version = parseVersionFromLockKey(key);
             spinner.text = `Installing ${key}...`;
-            // Fetch metadata from API to record download and get fresh signed URL
             const encodedName = encodeURIComponent(skillName);
             const metaUrl = `${config.registry}/api/v1/skills/${encodedName}/${version}`;
             let metaRes;
@@ -309,8 +389,7 @@ export async function installFromLockfile(options) {
                 throw new Error(`Failed to download ${key}: ${downloadRes.status} ${downloadRes.statusText}`);
             }
             const tarballBuffer = Buffer.from(await downloadRes.arrayBuffer());
-            const hash = crypto.createHash('sha512').update(tarballBuffer).digest('base64');
-            const computedIntegrity = `sha512-${hash}`;
+            const computedIntegrity = buildIntegrity(tarballBuffer);
             if (computedIntegrity !== entry.integrity) {
                 throw new Error(`Integrity mismatch for ${key}. Expected: ${entry.integrity}, Got: ${computedIntegrity}`);
             }
@@ -345,8 +424,8 @@ export async function installFromLockfile(options) {
                         logger.info(`Linked to ${linkResult.linked.length} agent(s)`);
                     }
                     if (linkResult.failed.length > 0) {
-                        for (const f of linkResult.failed) {
-                            logger.warn(`Failed to link to ${f.agentId}: ${f.error}`);
+                        for (const failedLink of linkResult.failed) {
+                            logger.warn(`Failed to link to ${failedLink.agentId}: ${failedLink.error}`);
                         }
                     }
                 }
@@ -368,6 +447,11 @@ export async function installFromLockfile(options) {
 export async function installAll(options) {
     const { directory = process.cwd(), configDir, global = false, homedir } = options;
     const resolvedHome = homedir ?? os.homedir();
+    const config = getConfig(configDir);
+    const requestHeaders = { 'User-Agent': USER_AGENT };
+    if (config.token) {
+        requestHeaders.Authorization = `Bearer ${config.token}`;
+    }
     const lockPath = global
         ? path.join(resolvedHome, '.tank', 'skills.lock')
         : path.join(directory, 'skills.lock');
@@ -383,168 +467,51 @@ export async function installAll(options) {
         logger.info('No skills.json found — nothing to install');
         return;
     }
-    let skillsJson;
-    try {
-        const raw = fs.readFileSync(skillsJsonPath, 'utf-8');
-        skillsJson = JSON.parse(raw);
-    }
-    catch {
-        throw new Error('Failed to read or parse skills.json');
-    }
+    const skillsJson = readSkillsJson(skillsJsonPath);
     const skills = (skillsJson.skills ?? {});
     const skillEntries = Object.entries(skills);
     if (skillEntries.length === 0) {
         logger.info('No skills defined in skills.json');
         return;
     }
-    for (const [name, versionRange] of skillEntries) {
-        await installCommand({ name, versionRange, directory, configDir, global, homedir });
-    }
-}
-function parseLockKey(key) {
-    const lastAt = key.lastIndexOf('@');
-    if (lastAt <= 0) {
-        throw new Error(`Invalid lockfile key: ${key}`);
-    }
-    return key.slice(0, lastAt);
-}
-function parseVersionFromLockKey(key) {
-    const lastAt = key.lastIndexOf('@');
-    if (lastAt <= 0 || lastAt === key.length - 1) {
-        throw new Error(`Invalid lockfile key: ${key}`);
-    }
-    return key.slice(lastAt + 1);
-}
-function getExtractDir(projectDir, skillName) {
-    if (skillName.startsWith('@')) {
-        const [scope, name] = skillName.split('/');
-        return path.join(projectDir, '.tank', 'skills', scope, name);
-    }
-    return path.join(projectDir, '.tank', 'skills', skillName);
-}
-function getGlobalExtractDir(homedir, skillName) {
-    const globalDir = path.join(homedir, '.tank', 'skills');
-    if (skillName.startsWith('@')) {
-        const [scope, name] = skillName.split('/');
-        return path.join(globalDir, scope, name);
-    }
-    return path.join(globalDir, skillName);
-}
-/**
- * Extract a tarball safely with security checks.
- * Rejects: absolute paths, path traversal (..), symlinks/hardlinks.
- * Enforces max uncompressed size.
- */
-async function extractSafely(tarball, destDir) {
-    // Write tarball to a temp file for extraction
-    const tmpTarball = path.join(destDir, '.tmp-tarball.tgz');
-    fs.writeFileSync(tmpTarball, tarball);
+    const spinner = ora('Resolving dependency graph...').start();
     try {
-        await extract({
-            file: tmpTarball,
-            cwd: destDir,
-            // Safety: reject entries that try to escape the extraction directory
-            filter: (entryPath) => {
-                // Reject absolute paths
-                if (path.isAbsolute(entryPath)) {
-                    throw new Error(`Absolute path in tarball: ${entryPath}`);
-                }
-                // Reject path traversal
-                if (entryPath.split('/').includes('..') || entryPath.split(path.sep).includes('..')) {
-                    throw new Error(`Path traversal in tarball: ${entryPath}`);
-                }
-                return true;
-            },
-            onReadEntry: (entry) => {
-                // Reject symlinks and hardlinks
-                if (entry.type === 'SymbolicLink' || entry.type === 'Link') {
-                    throw new Error(`Symlink/hardlink in tarball: ${entry.path}`);
-                }
-            },
-        });
-    }
-    finally {
-        // Clean up temp tarball
-        if (fs.existsSync(tmpTarball)) {
-            fs.unlinkSync(tmpTarball);
-        }
-    }
-}
-/**
- * Check if a skill's permissions fit within the project's permission budget.
- * Throws if any permission exceeds the budget.
- */
-function checkPermissionBudget(budget, skillPerms, skillName) {
-    if (!skillPerms)
-        return;
-    // Check subprocess
-    if (skillPerms.subprocess === true && budget.subprocess !== true) {
-        throw new Error(`Permission denied: ${skillName} requires subprocess access, but project budget does not allow it`);
-    }
-    // Check network outbound
-    if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
-        const budgetDomains = budget.network?.outbound ?? [];
-        for (const domain of skillPerms.network.outbound) {
-            if (!isDomainAllowed(domain, budgetDomains)) {
-                throw new Error(`Permission denied: ${skillName} requests network access to "${domain}", which is not in the project's permission budget`);
-            }
-        }
-    }
-    // Check filesystem read
-    if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
-        const budgetPaths = budget.filesystem?.read ?? [];
-        for (const p of skillPerms.filesystem.read) {
-            if (!isPathAllowed(p, budgetPaths)) {
-                throw new Error(`Permission denied: ${skillName} requests filesystem read access to "${p}", which is not in the project's permission budget`);
-            }
-        }
-    }
-    // Check filesystem write
-    if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
-        const budgetPaths = budget.filesystem?.write ?? [];
-        for (const p of skillPerms.filesystem.write) {
-            if (!isPathAllowed(p, budgetPaths)) {
-                throw new Error(`Permission denied: ${skillName} requests filesystem write access to "${p}", which is not in the project's permission budget`);
+        const rootDependencies = {};
+        for (const [skillName, range] of skillEntries) {
+            if (typeof range === 'string') {
+                rootDependencies[skillName] = range;
             }
         }
+        const fetcher = createRegistryFetcher(config.registry, requestHeaders);
+        const resolvedGraph = await resolveDependencyTree(rootDependencies, fetcher);
+        const resolvedNodes = getResolvedNodesInOrder(resolvedGraph.nodes, resolvedGraph.installOrder);
+        const lock = { lockfileVersion: LOCKFILE_VERSION, skills: {} };
+        const projectPermissions = skillsJson.permissions;
+        const auditMinScore = skillsJson.audit?.min_score;
+        await executeInstallPipeline({
+            directory,
+            configDir,
+            global,
+            homedir,
+            resolvedHome,
+            lock,
+            lockPath,
+            resolvedNodes,
+            nodesToInstall: resolvedNodes,
+            rootSkillNames: skillEntries.map(([skillName]) => skillName),
+            projectPermissions,
+            auditMinScore,
+            spinner,
+        });
+        spinner.succeed(`Installed ${skillEntries.length} root skill${skillEntries.length === 1 ? '' : 's'}`);
     }
-}
-/**
- * Check if a domain is allowed by the budget's domain list.
- * Supports wildcard matching: *.example.com matches sub.example.com
- */
-function isDomainAllowed(domain, allowedDomains) {
-    for (const allowed of allowedDomains) {
-        if (allowed === domain)
-            return true;
-        // Wildcard matching: *.example.com
-        if (allowed.startsWith('*.')) {
-            const suffix = allowed.slice(1); // .example.com
-            if (domain.endsWith(suffix) || domain === allowed.slice(2)) {
-                return true;
-            }
-            // Also match if the skill requests the same wildcard pattern
-            if (domain === allowed)
-                return true;
-        }
+    catch (err) {
+        spinner.fail('Install failed');
+        throw err;
     }
-    return false;
 }
-/**
- * Check if a path is allowed by the budget's path list.
- * Simple subset check: skill path must match one of the budget paths.
- */
-function isPathAllowed(requestedPath, allowedPaths) {
-    for (const allowed of allowedPaths) {
-        if (allowed === requestedPath)
-            return true;
-        // If budget allows ./src/** and skill requests ./src/foo, it's allowed
-        if (allowed.endsWith('/**')) {
-            const prefix = allowed.slice(0, -3); // ./src
-            if (requestedPath.startsWith(prefix))
-                return true;
-        }
-    }
-    return false;
+function buildIntegrity(buffer) {
+    const hash = crypto.createHash('sha512').update(buffer).digest('base64');
+    return `sha512-${hash}`;
 }
 //# sourceMappingURL=install.js.map