@tankpkg/cli 0.7.0 → 0.9.0

package/dist/lib/lockfile.d.ts

@@ -1,24 +0,0 @@
-import type { SkillsLock, Permissions } from '@tank/shared';
-/**
- * Read and parse the lockfile from the given directory.
- * Returns null if the file doesn't exist or is corrupt.
- */
-export declare function readLockfile(directory?: string): SkillsLock | null;
-/**
- * Write a lockfile deterministically: sorted keys, consistent formatting, trailing newline.
- */
-export declare function writeLockfile(lock: SkillsLock, directory?: string): void;
-/**
- * Compute the union of all skill permissions from a lockfile.
- * Merges network outbound, filesystem read/write (deduped), and subprocess (OR).
- */
-export declare function computeResolvedPermissions(lock: SkillsLock): Permissions;
-/**
- * Check if resolved permissions fit within the project's permission budget.
- *
- * Returns:
- * - 'pass' if all resolved permissions are within budget
- * - 'fail' if any resolved permission exceeds budget
- * - 'no_budget' if no project permissions are defined
- */
-export declare function computeBudgetCheck(resolvedPermissions: Permissions, projectPermissions: Permissions | undefined): 'pass' | 'fail' | 'no_budget';

package/dist/lib/lockfile.js

@@ -1,135 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-/**
- * Read and parse the lockfile from the given directory.
- * Returns null if the file doesn't exist or is corrupt.
- */
-export function readLockfile(directory) {
-    const dir = directory ?? process.cwd();
-    const lockPath = path.join(dir, 'skills.lock');
-    if (!fs.existsSync(lockPath)) {
-        return null;
-    }
-    try {
-        const raw = fs.readFileSync(lockPath, 'utf-8');
-        return JSON.parse(raw);
-    }
-    catch {
-        return null;
-    }
-}
-/**
- * Write a lockfile deterministically: sorted keys, consistent formatting, trailing newline.
- */
-export function writeLockfile(lock, directory) {
-    const dir = directory ?? process.cwd();
-    const lockPath = path.join(dir, 'skills.lock');
-    // Sort skill keys alphabetically for determinism
-    const sortedSkills = {};
-    for (const key of Object.keys(lock.skills).sort()) {
-        sortedSkills[key] = lock.skills[key];
-    }
-    const output = {
-        lockfileVersion: lock.lockfileVersion,
-        skills: sortedSkills,
-    };
-    fs.writeFileSync(lockPath, JSON.stringify(output, null, 2) + '\n');
-}
-/**
- * Compute the union of all skill permissions from a lockfile.
- * Merges network outbound, filesystem read/write (deduped), and subprocess (OR).
- */
-export function computeResolvedPermissions(lock) {
-    const entries = Object.values(lock.skills);
-    if (entries.length === 0) {
-        return {};
-    }
-    const outbound = new Set();
-    const fsRead = new Set();
-    const fsWrite = new Set();
-    let subprocess = false;
-    for (const entry of entries) {
-        const perms = entry.permissions;
-        if (perms.network?.outbound) {
-            for (const domain of perms.network.outbound) {
-                outbound.add(domain);
-            }
-        }
-        if (perms.filesystem?.read) {
-            for (const pattern of perms.filesystem.read) {
-                fsRead.add(pattern);
-            }
-        }
-        if (perms.filesystem?.write) {
-            for (const pattern of perms.filesystem.write) {
-                fsWrite.add(pattern);
-            }
-        }
-        if (perms.subprocess === true) {
-            subprocess = true;
-        }
-    }
-    const result = {};
-    if (outbound.size > 0) {
-        result.network = { outbound: [...outbound].sort() };
-    }
-    if (fsRead.size > 0 || fsWrite.size > 0) {
-        result.filesystem = {};
-        if (fsRead.size > 0) {
-            result.filesystem.read = [...fsRead].sort();
-        }
-        if (fsWrite.size > 0) {
-            result.filesystem.write = [...fsWrite].sort();
-        }
-    }
-    if (subprocess) {
-        result.subprocess = true;
-    }
-    return result;
-}
-/**
- * Check if resolved permissions fit within the project's permission budget.
- *
- * Returns:
- * - 'pass' if all resolved permissions are within budget
- * - 'fail' if any resolved permission exceeds budget
- * - 'no_budget' if no project permissions are defined
- */
-export function computeBudgetCheck(resolvedPermissions, projectPermissions) {
-    if (projectPermissions === undefined) {
-        return 'no_budget';
-    }
-    // Check subprocess
-    if (resolvedPermissions.subprocess === true && projectPermissions.subprocess === false) {
-        return 'fail';
-    }
-    // Check network outbound
-    if (resolvedPermissions.network?.outbound) {
-        const budgetOutbound = new Set(projectPermissions.network?.outbound ?? []);
-        for (const domain of resolvedPermissions.network.outbound) {
-            if (!budgetOutbound.has(domain)) {
-                return 'fail';
-            }
-        }
-    }
-    // Check filesystem read
-    if (resolvedPermissions.filesystem?.read) {
-        const budgetRead = new Set(projectPermissions.filesystem?.read ?? []);
-        for (const pattern of resolvedPermissions.filesystem.read) {
-            if (!budgetRead.has(pattern)) {
-                return 'fail';
-            }
-        }
-    }
-    // Check filesystem write
-    if (resolvedPermissions.filesystem?.write) {
-        const budgetWrite = new Set(projectPermissions.filesystem?.write ?? []);
-        for (const pattern of resolvedPermissions.filesystem.write) {
-            if (!budgetWrite.has(pattern)) {
-                return 'fail';
-            }
-        }
-    }
-    return 'pass';
-}
-//# sourceMappingURL=lockfile.js.map

package/dist/lib/lockfile.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"lockfile.js","sourceRoot":"","sources":["../../src/lib/lockfile.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,SAAkB;IAC7C,MAAM,GAAG,GAAG,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAE/C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/C,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAe,CAAC;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,IAAgB,EAAE,SAAkB;IAChE,MAAM,GAAG,GAAG,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IAE/C,iDAAiD;IACjD,MAAM,YAAY,GAAiD,EAAE,CAAC;IACtE,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAClD,YAAY,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,MAAM,GAAe;QACzB,eAAe,EAAE,IAAI,CAAC,eAAe;QACrC,MAAM,EAAE,YAAY;KACrB,CAAC;IAEF,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;AACrE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CAAC,IAAgB;IACzD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;IAClC,IAAI,UAAU,GAAG,KAAK,CAAC;IAEvB,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,CAAC;QAEhC,IAAI,KAAK,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC;YAC5B,KAAK,MAAM,MAAM,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBAC5C,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;YAC3B,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;gBAC5C,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACtB,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,CAAC;YAC5B,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;gBAC7C,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QAED,IAAI,KAAK,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;YAC9B,UAAU,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAgB,EAAE,CAAC;IAE/B,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,CAAC,OAAO,GAAG,EAAE,QAAQ,EAAE,CAAC,GAAG,QAAQ,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;IACtD,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACxC,MAAM,CAAC,UAAU,GAAG,EAAE,CAAC;QACvB,IAAI,MAAM,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACpB,MAAM,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;QAC9C,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,UAAU,CAAC,KAAK,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QAChD,CAAC;IACH,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;IAC3B,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAChC,mBAAgC,EAChC,kBAA2C;IAE3C,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;QACrC,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,mBAAmB;IACnB,IAAI,mBAAmB,CAAC,UAAU,KAAK,IAAI,IAAI,kBAAkB,CAAC,UAAU,KAAK,KAAK,EAAE,CAAC;QACvF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,yBAAyB;IACzB,IAAI,mBAAmB,CAAC,OAAO,EAAE,QAAQ,EAAE,CAAC;QAC1C,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,CAAC,CAAC;QAC3E,KAAK,MAAM,MAAM,IAAI,mBAAmB,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YAC1D,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAChC,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,mBAAmB,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC;QACzC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;QACtE,KAAK,MAAM,OAAO,IAAI,mBAAmB,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;YAC1D,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC7B,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,CAAC;QAC1C,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,kBAAkB,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QACxE,KAAK,MAAM,OAAO,IAAI,mBAAmB,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YAC3D,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9B,OAAO,MAAM,CAAC;YAChB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/lib/logger.d.ts

@@ -1,6 +0,0 @@
-export declare const logger: {
-    info: (msg: string) => void;
-    success: (msg: string) => void;
-    warn: (msg: string) => void;
-    error: (msg: string) => void;
-};

package/dist/lib/logger.js

@@ -1,8 +0,0 @@
-import chalk from 'chalk';
-export const logger = {
-    info: (msg) => console.log(chalk.blue('ℹ'), msg),
-    success: (msg) => console.log(chalk.green('✓'), msg),
-    warn: (msg) => console.log(chalk.yellow('⚠'), msg),
-    error: (msg) => console.error(chalk.red('✗'), msg),
-};
-//# sourceMappingURL=logger.js.map

package/dist/lib/logger.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"logger.js","sourceRoot":"","sources":["../../src/lib/logger.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,MAAM,CAAC,MAAM,MAAM,GAAG;IACpB,IAAI,EAAE,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC;IACxD,OAAO,EAAE,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC;IAC5D,IAAI,EAAE,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC;IAC1D,KAAK,EAAE,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,GAAG,CAAC;CAC3D,CAAC"}

package/dist/lib/packer.d.ts

@@ -1,41 +0,0 @@
-export interface PackResult {
-    tarball: Buffer;
-    integrity: string;
-    fileCount: number;
-    totalSize: number;
-    readme: string;
-    files: string[];
-}
-/**
- * Pack a skill directory into a .tgz tarball with integrity hashing.
- *
- * Validates:
- * - skills.json exists and is valid
- * - SKILL.md exists
- * - No symlinks or hardlinks
- * - No path traversal (.. components)
- * - No absolute paths
- * - File count <= 1000
- * - Tarball size <= 50MB
- */
-export declare function pack(directory: string): Promise<PackResult>;
-/**
- * Pack a directory into a .tgz tarball for security scanning.
- *
- * Unlike pack(), this function does NOT require skills.json or SKILL.md.
- * It applies the same security checks (no symlinks, no path traversal, etc.)
- * and returns the same PackResult interface.
- *
- * Validates:
- * - Directory exists
- * - No symlinks or hardlinks
- * - No path traversal (.. components)
- * - No absolute paths
- * - File count <= 1000
- * - Tarball size <= 50MB
- *
- * Does NOT validate:
- * - skills.json existence or validity
- * - SKILL.md existence (but reads it if present)
- */
-export declare function packForScan(directory: string): Promise<PackResult>;

package/dist/lib/packer.js

@@ -1,284 +0,0 @@
-import fs from 'node:fs';
-import path from 'node:path';
-import crypto from 'node:crypto';
-import { create } from 'tar';
-import ignore from 'ignore';
-import { skillsJsonSchema } from '@tank/shared';
-// Limits
-const MAX_PACKAGE_SIZE = 50 * 1024 * 1024; // 50MB
-const MAX_FILE_COUNT = 1000;
-// Default ignore patterns (used when no .tankignore or .gitignore exists)
-const DEFAULT_IGNORES = [
-    'node_modules',
-    '.git',
-    '.env*',
-    '*.log',
-    '.tank',
-    '.DS_Store',
-];
-// Always ignored regardless of ignore file contents
-const ALWAYS_IGNORED = [
-    'node_modules',
-    '.git',
-];
-// Ignore file names (not packed into tarball)
-const IGNORE_FILES = ['.tankignore', '.gitignore'];
-/**
- * Pack a skill directory into a .tgz tarball with integrity hashing.
- *
- * Validates:
- * - skills.json exists and is valid
- * - SKILL.md exists
- * - No symlinks or hardlinks
- * - No path traversal (.. components)
- * - No absolute paths
- * - File count <= 1000
- * - Tarball size <= 50MB
- */
-export async function pack(directory) {
-    const absDir = path.resolve(directory);
-    // 1. Verify directory exists
-    if (!fs.existsSync(absDir)) {
-        throw new Error(`Directory does not exist: ${absDir}`);
-    }
-    const stat = fs.statSync(absDir);
-    if (!stat.isDirectory()) {
-        throw new Error(`Not a directory: ${absDir}`);
-    }
-    // 2. Verify skills.json exists and is valid
-    const skillsJsonPath = path.join(absDir, 'skills.json');
-    if (!fs.existsSync(skillsJsonPath)) {
-        throw new Error('Missing required file: skills.json');
-    }
-    let skillsJsonContent;
-    try {
-        skillsJsonContent = fs.readFileSync(skillsJsonPath, 'utf-8');
-    }
-    catch {
-        throw new Error('Failed to read skills.json');
-    }
-    let parsed;
-    try {
-        parsed = JSON.parse(skillsJsonContent);
-    }
-    catch {
-        throw new Error('Invalid skills.json: not valid JSON');
-    }
-    const validation = skillsJsonSchema.safeParse(parsed);
-    if (!validation.success) {
-        const issues = validation.error.issues
-            .map((i) => `  - ${i.path.join('.')}: ${i.message}`)
-            .join('\n');
-        throw new Error(`Invalid skills.json:\n${issues}`);
-    }
-    // 3. Verify SKILL.md exists and read its content
-    const skillMdPath = path.join(absDir, 'SKILL.md');
-    if (!fs.existsSync(skillMdPath)) {
-        throw new Error('Missing required file: SKILL.md');
-    }
-    let readmeContent;
-    try {
-        readmeContent = fs.readFileSync(skillMdPath, 'utf-8');
-    }
-    catch {
-        throw new Error('Failed to read SKILL.md');
-    }
-    // 4. Build ignore filter
-    const ig = buildIgnoreFilter(absDir);
-    // 5. Collect files with validation
-    const files = collectFiles(absDir, absDir, ig);
-    // 6. Enforce file count limit
-    if (files.length > MAX_FILE_COUNT) {
-        throw new Error(`Too many files: ${files.length} exceeds maximum of ${MAX_FILE_COUNT}`);
-    }
-    // 7. Calculate total size of source files
-    let totalSize = 0;
-    for (const file of files) {
-        const filePath = path.join(absDir, file);
-        const fileStat = fs.statSync(filePath);
-        totalSize += fileStat.size;
-    }
-    // 8. Create tarball
-    const tarball = await createTarball(absDir, files);
-    // 9. Enforce tarball size limit
-    if (tarball.length > MAX_PACKAGE_SIZE) {
-        throw new Error(`Tarball too large: ${tarball.length} bytes exceeds maximum of ${MAX_PACKAGE_SIZE} bytes (50MB)`);
-    }
-    // 10. Compute integrity hash
-    const hash = crypto.createHash('sha512').update(tarball).digest('base64');
-    const integrity = `sha512-${hash}`;
-    return {
-        tarball,
-        integrity,
-        fileCount: files.length,
-        totalSize,
-        readme: readmeContent,
-        files,
-    };
-}
-/**
- * Pack a directory into a .tgz tarball for security scanning.
- *
- * Unlike pack(), this function does NOT require skills.json or SKILL.md.
- * It applies the same security checks (no symlinks, no path traversal, etc.)
- * and returns the same PackResult interface.
- *
- * Validates:
- * - Directory exists
- * - No symlinks or hardlinks
- * - No path traversal (.. components)
- * - No absolute paths
- * - File count <= 1000
- * - Tarball size <= 50MB
- *
- * Does NOT validate:
- * - skills.json existence or validity
- * - SKILL.md existence (but reads it if present)
- */
-export async function packForScan(directory) {
-    const absDir = path.resolve(directory);
-    // 1. Verify directory exists
-    if (!fs.existsSync(absDir)) {
-        throw new Error(`Directory does not exist: ${absDir}`);
-    }
-    const stat = fs.statSync(absDir);
-    if (!stat.isDirectory()) {
-        throw new Error(`Not a directory: ${absDir}`);
-    }
-    // 2. Try to read SKILL.md if it exists (optional for scan)
-    let readmeContent = '';
-    const skillMdPath = path.join(absDir, 'SKILL.md');
-    if (fs.existsSync(skillMdPath)) {
-        try {
-            readmeContent = fs.readFileSync(skillMdPath, 'utf-8');
-        }
-        catch {
-            // If we can't read it, just use empty string
-            readmeContent = '';
-        }
-    }
-    // 3. Build ignore filter
-    const ig = buildIgnoreFilter(absDir);
-    // 4. Collect files with validation
-    const files = collectFiles(absDir, absDir, ig);
-    // 5. Enforce file count limit
-    if (files.length > MAX_FILE_COUNT) {
-        throw new Error(`Too many files: ${files.length} exceeds maximum of ${MAX_FILE_COUNT}`);
-    }
-    // 6. Calculate total size of source files
-    let totalSize = 0;
-    for (const file of files) {
-        const filePath = path.join(absDir, file);
-        const fileStat = fs.statSync(filePath);
-        totalSize += fileStat.size;
-    }
-    // 7. Create tarball
-    const tarball = await createTarball(absDir, files);
-    // 8. Enforce tarball size limit
-    if (tarball.length > MAX_PACKAGE_SIZE) {
-        throw new Error(`Tarball too large: ${tarball.length} bytes exceeds maximum of ${MAX_PACKAGE_SIZE} bytes (50MB)`);
-    }
-    // 9. Compute integrity hash
-    const hash = crypto.createHash('sha512').update(tarball).digest('base64');
-    const integrity = `sha512-${hash}`;
-    return {
-        tarball,
-        integrity,
-        fileCount: files.length,
-        totalSize,
-        readme: readmeContent,
-        files,
-    };
-}
-/**
- * Build an ignore filter from .tankignore, .gitignore, or defaults.
- */
-function buildIgnoreFilter(dir) {
-    const ig = ignore();
-    // Always add the forced ignores
-    ig.add(ALWAYS_IGNORED);
-    // Check for .tankignore first, then .gitignore, then defaults
-    const tankIgnorePath = path.join(dir, '.tankignore');
-    const gitIgnorePath = path.join(dir, '.gitignore');
-    if (fs.existsSync(tankIgnorePath)) {
-        const content = fs.readFileSync(tankIgnorePath, 'utf-8');
-        ig.add(content);
-        // Also ignore the ignore files themselves
-        ig.add(IGNORE_FILES);
-    }
-    else if (fs.existsSync(gitIgnorePath)) {
-        const content = fs.readFileSync(gitIgnorePath, 'utf-8');
-        ig.add(content);
-        ig.add(IGNORE_FILES);
-    }
-    else {
-        ig.add(DEFAULT_IGNORES);
-    }
-    return ig;
-}
-/**
- * Recursively collect files from a directory, applying ignore rules and security checks.
- */
-function collectFiles(baseDir, currentDir, ig) {
-    const files = [];
-    const entries = fs.readdirSync(currentDir, { withFileTypes: true });
-    for (const entry of entries) {
-        const fullPath = path.join(currentDir, entry.name);
-        const relativePath = path.relative(baseDir, fullPath);
-        // Security: check for path traversal
-        if (relativePath.split(path.sep).includes('..')) {
-            throw new Error(`Path traversal detected: "${relativePath}" contains ".." component`);
-        }
-        // Security: check for absolute paths
-        if (path.isAbsolute(relativePath)) {
-            throw new Error(`Absolute path detected: "${relativePath}"`);
-        }
-        // Security: check for symlinks using lstat (not stat which follows symlinks)
-        const lstatResult = fs.lstatSync(fullPath);
-        if (lstatResult.isSymbolicLink()) {
-            throw new Error(`Symlink detected: "${relativePath}" — symlinks are not allowed in skill packages`);
-        }
-        // Check if this path should be ignored
-        // For directories, append '/' so ignore patterns like 'dir/' work correctly
-        const pathForIgnore = lstatResult.isDirectory()
-            ? relativePath + '/'
-            : relativePath;
-        if (ig.ignores(pathForIgnore)) {
-            continue;
-        }
-        if (lstatResult.isDirectory()) {
-            // Recurse into subdirectory
-            const subFiles = collectFiles(baseDir, fullPath, ig);
-            files.push(...subFiles);
-        }
-        else if (lstatResult.isFile()) {
-            files.push(relativePath);
-        }
-        // Skip other types (block devices, character devices, FIFOs, sockets)
-    }
-    return files;
-}
-/**
- * Create a gzipped tarball from the given files in the directory.
- */
-async function createTarball(cwd, files) {
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        // tar.create without `file` returns a readable stream
-        const stream = create({
-            gzip: true,
-            cwd,
-            portable: true, // Omit system-specific metadata
-        }, files);
-        stream.on('data', (chunk) => {
-            chunks.push(chunk);
-        });
-        stream.on('end', () => {
-            resolve(Buffer.concat(chunks));
-        });
-        stream.on('error', (err) => {
-            reject(err);
-        });
-    });
-}
-//# sourceMappingURL=packer.js.map

package/dist/lib/packer.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"packer.js","sourceRoot":"","sources":["../../src/lib/packer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,OAAO,EAAE,MAAM,EAAE,MAAM,KAAK,CAAC;AAC7B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD,SAAS;AACT,MAAM,gBAAgB,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AAClD,MAAM,cAAc,GAAG,IAAI,CAAC;AAE5B,0EAA0E;AAC1E,MAAM,eAAe,GAAG;IACtB,cAAc;IACd,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,WAAW;CACZ,CAAC;AAEF,oDAAoD;AACpD,MAAM,cAAc,GAAG;IACrB,cAAc;IACd,MAAM;CACP,CAAC;AAEF,8CAA8C;AAC9C,MAAM,YAAY,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;AAWnD;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,SAAiB;IAC1C,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,4CAA4C;IAC5C,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACxD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,IAAI,iBAAyB,CAAC;IAC9B,IAAI,CAAC;QACH,iBAAiB,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;IAC/D,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM;aACnC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC;aACnD,IAAI,CAAC,IAAI,CAAC,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,yBAAyB,MAAM,EAAE,CAAC,CAAC;IACrD,CAAC;IAED,iDAAiD;IACjD,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAClD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,IAAI,aAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,aAAa,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAED,yBAAyB;IACzB,MAAM,EAAE,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAErC,mCAAmC;IACnC,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IAE/C,8BAA8B;IAC9B,IAAI,KAAK,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,mBAAmB,KAAK,CAAC,MAAM,uBAAuB,cAAc,EAAE,CACvE,CAAC;IACJ,CAAC;IAED,0CAA0C;IAC1C,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACvC,SAAS,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC7B,CAAC;IAED,oBAAoB;IACpB,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAEnD,gCAAgC;IAChC,IAAI,OAAO,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,sBAAsB,OAAO,CAAC,MAAM,6BAA6B,gBAAgB,eAAe,CACjG,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,UAAU,IAAI,EAAE,CAAC;IAEnC,OAAO;QACL,OAAO;QACP,SAAS;QACT,SAAS,EAAE,KAAK,CAAC,MAAM;QACvB,SAAS;QACT,MAAM,EAAE,aAAa;QACrB,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,SAAiB;IACjD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAEvC,6BAA6B;IAC7B,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,6BAA6B,MAAM,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,oBAAoB,MAAM,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,2DAA2D;IAC3D,IAAI,aAAa,GAAG,EAAE,CAAC;IACvB,MAAM,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;IAClD,IAAI,EAAE,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,aAAa,GAAG,EAAE,CAAC,YAAY,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACxD,CAAC;QAAC,MAAM,CAAC;YACP,6CAA6C;YAC7C,aAAa,GAAG,EAAE,CAAC;QACrB,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,EAAE,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;IAErC,mCAAmC;IACnC,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,CAAC,CAAC;IAE/C,8BAA8B;IAC9B,IAAI,KAAK,CAAC,MAAM,GAAG,cAAc,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,mBAAmB,KAAK,CAAC,MAAM,uBAAuB,cAAc,EAAE,CACvE,CAAC;IACJ,CAAC;IAED,0CAA0C;IAC1C,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACzC,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACvC,SAAS,IAAI,QAAQ,CAAC,IAAI,CAAC;IAC7B,CAAC;IAED,oBAAoB;IACpB,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAEnD,gCAAgC;IAChC,IAAI,OAAO,CAAC,MAAM,GAAG,gBAAgB,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CACb,sBAAsB,OAAO,CAAC,MAAM,6BAA6B,gBAAgB,eAAe,CACjG,CAAC;IACJ,CAAC;IAED,4BAA4B;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC1E,MAAM,SAAS,GAAG,UAAU,IAAI,EAAE,CAAC;IAEnC,OAAO;QACL,OAAO;QACP,SAAS;QACT,SAAS,EAAE,KAAK,CAAC,MAAM;QACvB,SAAS;QACT,MAAM,EAAE,aAAa;QACrB,KAAK;KACN,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,GAAW;IACpC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC;IAEpB,gCAAgC;IAChC,EAAE,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAEvB,8DAA8D;IAC9D,MAAM,cAAc,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,aAAa,CAAC,CAAC;IACrD,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAEnD,IAAI,EAAE,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QACzD,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChB,0CAA0C;QAC1C,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACvB,CAAC;SAAM,IAAI,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QACxC,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACxD,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAChB,EAAE,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACvB,CAAC;SAAM,CAAC;QACN,EAAE,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC1B,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CACnB,OAAe,EACf,UAAkB,EAClB,EAA6B;IAE7B,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAEpE,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAEtD,qCAAqC;QACrC,IAAI,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAChD,MAAM,IAAI,KAAK,CACb,6BAA6B,YAAY,2BAA2B,CACrE,CAAC;QACJ,CAAC;QAED,qCAAqC;QACrC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,GAAG,CAAC,CAAC;QAC/D,CAAC;QAED,6EAA6E;QAC7E,MAAM,WAAW,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC3C,IAAI,WAAW,CAAC,cAAc,EAAE,EAAE,CAAC;YACjC,MAAM,IAAI,KAAK,CACb,sBAAsB,YAAY,gDAAgD,CACnF,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,4EAA4E;QAC5E,MAAM,aAAa,GAAG,WAAW,CAAC,WAAW,EAAE;YAC7C,CAAC,CAAC,YAAY,GAAG,GAAG;YACpB,CAAC,CAAC,YAAY,CAAC;QAEjB,IAAI,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAC9B,SAAS;QACX,CAAC;QAED,IAAI,WAAW,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9B,4BAA4B;YAC5B,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;YACrD,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;QAC1B,CAAC;aAAM,IAAI,WAAW,CAAC,MAAM,EAAE,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC3B,CAAC;QACD,sEAAsE;IACxE,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC1B,GAAW,EACX,KAAe;IAEf,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,sDAAsD;QACtD,MAAM,MAAM,GAAG,MAAM,CACnB;YACE,IAAI,EAAE,IAAI;YACV,GAAG;YACH,QAAQ,EAAE,IAAI,EAAE,gCAAgC;SACjD,EACD,KAAK,CACiB,CAAC;QAEzB,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAClC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACpB,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;QACjC,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAChC,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/lib/permission-checker.d.ts

@@ -1,16 +0,0 @@
-import type { Permissions } from '@tank/shared';
-/**
- * Check if a skill's permissions fit within the project's permission budget.
- * Throws if any permission exceeds the budget.
- */
-export declare function checkPermissionBudget(budget: Permissions, skillPerms: Permissions | undefined, skillName: string): void;
-/**
- * Check if a domain is allowed by the budget's domain list.
- * Supports wildcard matching: *.example.com matches sub.example.com
- */
-export declare function isDomainAllowed(domain: string, allowedDomains: string[]): boolean;
-/**
- * Check if a path is allowed by the budget's path list.
- * Simple subset check: skill path must match one of the budget paths.
- */
-export declare function isPathAllowed(requestedPath: string, allowedPaths: string[]): boolean;

package/dist/lib/permission-checker.js

@@ -1,78 +0,0 @@
-/**
- * Check if a skill's permissions fit within the project's permission budget.
- * Throws if any permission exceeds the budget.
- */
-export function checkPermissionBudget(budget, skillPerms, skillName) {
-    if (!skillPerms)
-        return;
-    // Check subprocess
-    if (skillPerms.subprocess === true && budget.subprocess !== true) {
-        throw new Error(`Permission denied: ${skillName} requires subprocess access, but project budget does not allow it`);
-    }
-    // Check network outbound
-    if (skillPerms.network?.outbound && skillPerms.network.outbound.length > 0) {
-        const budgetDomains = budget.network?.outbound ?? [];
-        for (const domain of skillPerms.network.outbound) {
-            if (!isDomainAllowed(domain, budgetDomains)) {
-                throw new Error(`Permission denied: ${skillName} requests network access to "${domain}", which is not in the project's permission budget`);
-            }
-        }
-    }
-    // Check filesystem read
-    if (skillPerms.filesystem?.read && skillPerms.filesystem.read.length > 0) {
-        const budgetPaths = budget.filesystem?.read ?? [];
-        for (const p of skillPerms.filesystem.read) {
-            if (!isPathAllowed(p, budgetPaths)) {
-                throw new Error(`Permission denied: ${skillName} requests filesystem read access to "${p}", which is not in the project's permission budget`);
-            }
-        }
-    }
-    // Check filesystem write
-    if (skillPerms.filesystem?.write && skillPerms.filesystem.write.length > 0) {
-        const budgetPaths = budget.filesystem?.write ?? [];
-        for (const p of skillPerms.filesystem.write) {
-            if (!isPathAllowed(p, budgetPaths)) {
-                throw new Error(`Permission denied: ${skillName} requests filesystem write access to "${p}", which is not in the project's permission budget`);
-            }
-        }
-    }
-}
-/**
- * Check if a domain is allowed by the budget's domain list.
- * Supports wildcard matching: *.example.com matches sub.example.com
- */
-export function isDomainAllowed(domain, allowedDomains) {
-    for (const allowed of allowedDomains) {
-        if (allowed === domain)
-            return true;
-        // Wildcard matching: *.example.com
-        if (allowed.startsWith('*.')) {
-            const suffix = allowed.slice(1); // .example.com
-            if (domain.endsWith(suffix) || domain === allowed.slice(2)) {
-                return true;
-            }
-            // Also match if the skill requests the same wildcard pattern
-            if (domain === allowed)
-                return true;
-        }
-    }
-    return false;
-}
-/**
- * Check if a path is allowed by the budget's path list.
- * Simple subset check: skill path must match one of the budget paths.
- */
-export function isPathAllowed(requestedPath, allowedPaths) {
-    for (const allowed of allowedPaths) {
-        if (allowed === requestedPath)
-            return true;
-        // If budget allows ./src/** and skill requests ./src/foo, it's allowed
-        if (allowed.endsWith('/**')) {
-            const prefix = allowed.slice(0, -3); // ./src
-            if (requestedPath.startsWith(prefix))
-                return true;
-        }
-    }
-    return false;
-}
-//# sourceMappingURL=permission-checker.js.map

package/dist/lib/permission-checker.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"permission-checker.js","sourceRoot":"","sources":["../../src/lib/permission-checker.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,MAAmB,EACnB,UAAmC,EACnC,SAAiB;IAEjB,IAAI,CAAC,UAAU;QAAE,OAAO;IAExB,mBAAmB;IACnB,IAAI,UAAU,CAAC,UAAU,KAAK,IAAI,IAAI,MAAM,CAAC,UAAU,KAAK,IAAI,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CACb,sBAAsB,SAAS,mEAAmE,CACnG,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,UAAU,CAAC,OAAO,EAAE,QAAQ,IAAI,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3E,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,EAAE,QAAQ,IAAI,EAAE,CAAC;QACrD,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACjD,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,CAAC;gBAC5C,MAAM,IAAI,KAAK,CACb,sBAAsB,SAAS,gCAAgC,MAAM,oDAAoD,CAC1H,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,UAAU,CAAC,UAAU,EAAE,IAAI,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzE,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC;QAClD,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;YAC3C,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,WAAW,CAAC,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CACb,sBAAsB,SAAS,wCAAwC,CAAC,oDAAoD,CAC7H,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,UAAU,CAAC,UAAU,EAAE,KAAK,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3E,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,EAAE,KAAK,IAAI,EAAE,CAAC;QACnD,KAAK,MAAM,CAAC,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;YAC5C,IAAI,CAAC,aAAa,CAAC,CAAC,EAAE,WAAW,CAAC,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CACb,sBAAsB,SAAS,yCAAyC,CAAC,oDAAoD,CAC9H,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,MAAc,EAAE,cAAwB;IACtE,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;QACrC,IAAI,OAAO,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACpC,mCAAmC;QACnC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,eAAe;YAChD,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC3D,OAAO,IAAI,CAAC;YACd,CAAC;YACD,6DAA6D;YAC7D,IAAI,MAAM,KAAK,OAAO;gBAAE,OAAO,IAAI,CAAC;QACtC,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,aAAqB,EAAE,YAAsB;IACzE,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;QACnC,IAAI,OAAO,KAAK,aAAa;YAAE,OAAO,IAAI,CAAC;QAC3C,uEAAuE;QACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ;YAC7C,IAAI,aAAa,CAAC,UAAU,CAAC,MAAM,CAAC;gBAAE,OAAO,IAAI,CAAC;QACpD,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/lib/upgrade-check.d.ts

@@ -1 +0,0 @@
-export declare function checkForUpgrade(configDir?: string): Promise<void>;