npm - @trendai-crem/claude-skills - Versions diffs - 0.9.0 → 0.10.0 - Mend

@trendai-crem/claude-skills 0.9.0 → 0.10.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli.js CHANGED Viewed

@@ -90,21 +90,30 @@ function readJsonObject(filePath, fallback, label) {
   return fallback;
 }
-// Extracts the registered source URL for a marketplace from known_marketplaces.json.
-// Handles both string entries and object entries with a `source` field.
+// Extracts the registered source for a marketplace from known_marketplaces.json.
+// Handles: plain string, object with string .source, and GitHub registry format
+// { source: { source: "github", repo: "org/repo" } }.
 function getRegisteredMarketplaceSource(known, marketplaceName) {
   const entry = known[marketplaceName];
   if (typeof entry === 'string') return entry;
   if (entry && typeof entry === 'object' && !Array.isArray(entry)) {
-    return typeof entry.source === 'string' ? entry.source : null;
+    if (typeof entry.source === 'string') return entry.source;
+    // GitHub registry format: { source: { source: "github", repo: "org/repo" }, ... }
+    if (entry.source?.source === 'github' && typeof entry.source?.repo === 'string') {
+      return entry.source.repo;
+    }
   }
   return null;
 }
-// Normalizes a marketplace source URL to a canonical host/path form for comparison.
-// Treats SSH and HTTPS URLs pointing to the same repo as equivalent.
-// Returns null if the URL cannot be parsed.
+// Normalizes a marketplace source to a canonical host/path form for comparison.
+// Accepts SSH URLs, HTTPS URLs, and GitHub shorthand (org/repo).
+// Returns null if the source cannot be parsed.
 function normalizeMarketplaceSource(rawSource) {
+  // GitHub shorthand: org/repo (no slashes in org, no protocol)
+  if (/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(rawSource)) {
+    return rawSource.toLowerCase();
+  }
   const sshMatch = /^git@([^:]+):(.+?)(?:\.git)?$/.exec(rawSource);
   if (sshMatch) {
     return `${sshMatch[1].toLowerCase()}/${sshMatch[2].replace(/^\/+/, '').replace(/\.git$/, '')}`;
@@ -117,58 +126,42 @@ function normalizeMarketplaceSource(rawSource) {
   }
 }
-function installMarketplacePlugins() {
-  const configPath = join(__dir, 'marketplace.json');
-  if (!existsSync(configPath)) return [];
-  // Parse and validate marketplace.json — all failures are non-fatal (SCD-7)
-  const config = readJsonObject(configPath, null, 'marketplace.json');
-  const { marketplace, plugins } = config ?? {};
+// Installs or updates all plugins for a single marketplace entry.
+// Returns an array of { plugin, action, ok } results.
+function installFromMarketplace(entry, known, installed) {
   // Input validation + allowlisting (SCD-1, OWASP-A04)
   // Leading `-` is rejected to prevent argv injection: `claude plugin install -s` parses as flag.
   const SAFE_NAME = /^(?!-)[A-Za-z0-9_][A-Za-z0-9_-]*$/;
   const SAFE_SOURCE = /^(git@[\w.-]+:[\w.\-/]+\.git|https:\/\/[\w.-]+\/[\w.\-/]+\.git)$/;
+  const SAFE_GITHUB = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;
+  const { name: marketplaceName, source, plugins } = entry ?? {};
-  if (
-    typeof marketplace?.name !== 'string' ||
-    typeof marketplace?.source !== 'string' ||
-    !Array.isArray(plugins)
-  ) {
-    console.error('\nInvalid marketplace.json: missing required fields (marketplace.name, marketplace.source, plugins[])');
+  if (typeof marketplaceName !== 'string' || typeof source !== 'string' || !Array.isArray(plugins)) {
+    console.error('\nInvalid marketplace entry: missing required fields (name, source, plugins[])');
     return [];
   }
-  if (!SAFE_NAME.test(marketplace.name) || !SAFE_SOURCE.test(marketplace.source)) {
-    console.error('\nInvalid marketplace name or source URL in marketplace.json');
+  if (!SAFE_NAME.test(marketplaceName) || (!SAFE_SOURCE.test(source) && !SAFE_GITHUB.test(source))) {
+    console.error(`\nInvalid marketplace name or source: ${marketplaceName}`);
     return [];
   }
-  // Reject the entire config on any invalid plugin name (fail-closed, not silent filter).
+  // Reject the entire entry on any invalid plugin name (fail-closed, not silent filter).
   const invalidPlugins = plugins.filter(p => typeof p !== 'string' || !SAFE_NAME.test(p));
   if (invalidPlugins.length > 0) {
-    console.error(`\nInvalid plugin names in marketplace.json: ${invalidPlugins.map(p => JSON.stringify(p)).join(', ')}`);
+    console.error(`\nInvalid plugin names for ${marketplaceName}: ${invalidPlugins.map(p => JSON.stringify(p)).join(', ')}`);
     return [];
   }
-  const validPlugins = plugins;
-  const { name: marketplaceName, source } = marketplace;
   console.log(`\nInstalling marketplace plugins (${marketplaceName})...\n`);
   // Register marketplace if not already known — verify source matches to prevent supply-chain mismatch (OWASP-A08)
-  const knownPath = join(homedir(), '.claude', 'plugins', 'known_marketplaces.json');
-  // Distinguish "file missing" (first-run, safe) from "file corrupted" (fail-closed).
-  const knownExists = existsSync(knownPath);
-  const known = readJsonObject(knownPath, knownExists ? null : {}, 'known_marketplaces.json');
-  if (knownExists && known === null) {
-    console.error('\nInvalid known_marketplaces.json: refusing to register marketplace automatically');
-    return validPlugins.map(plugin => ({ plugin, action: 'skipped (invalid marketplace registry)', ok: false }));
-  }
   const registeredSource = getRegisteredMarketplaceSource(known, marketplaceName);
   const normalizedSource = normalizeMarketplaceSource(source);
   const normalizedRegistered = registeredSource ? normalizeMarketplaceSource(registeredSource) : null;
   if (registeredSource && (!normalizedRegistered || normalizedRegistered !== normalizedSource)) {
     console.error(`\nMarketplace source mismatch for ${marketplaceName}: registered as ${registeredSource}, but marketplace.json specifies ${source}`);
-    return validPlugins.map(plugin => ({ plugin, action: 'skipped (source mismatch)', ok: false }));
+    return plugins.map(plugin => ({ plugin, action: 'skipped (source mismatch)', ok: false }));
   }
   if (!registeredSource) {
@@ -179,7 +172,7 @@ function installMarketplacePlugins() {
     } catch (error) {
       const exitInfo = error.status != null ? `exit ${error.status}` : error.code ?? error.message;
       console.error(`\nFailed to register marketplace: ${marketplaceName} (${exitInfo})`);
-      return validPlugins.map(plugin => ({ plugin, action: 'skipped (no marketplace)', ok: false }));
+      return plugins.map(plugin => ({ plugin, action: 'skipped (no marketplace)', ok: false }));
     }
   }
@@ -191,16 +184,7 @@ function installMarketplacePlugins() {
     console.warn(`\nWARN: Failed to update marketplace ${marketplaceName} (${exitInfo}) — using cached version`);
   }
-  // Load installed plugin registry (SCD-7)
-  const installedPath = join(homedir(), '.claude', 'plugins', 'installed_plugins.json');
-  const installedData = readJsonObject(installedPath, {}, 'installed_plugins.json');
-  // installed_plugins.json v2 nests under "plugins", v1 is flat
-  const rawInstalled = installedData.plugins ?? installedData;
-  const installed = (typeof rawInstalled === 'object' && rawInstalled !== null && !Array.isArray(rawInstalled))
-    ? rawInstalled
-    : {};
-  return validPlugins.map(plugin => {
+  return plugins.map(plugin => {
     const key = `${plugin}@${marketplaceName}`;
     const isInstalled = Object.hasOwn(installed, key); // Object.hasOwn avoids prototype chain traversal (SCD-7)
     const action = isInstalled ? 'update' : 'install';
@@ -218,6 +202,40 @@ function installMarketplacePlugins() {
   });
 }
+function installMarketplacePlugins() {
+  const configPath = join(__dir, 'marketplace.json');
+  if (!existsSync(configPath)) return [];
+  // Parse marketplace.json — all failures are non-fatal (SCD-7)
+  const config = readJsonObject(configPath, null, 'marketplace.json');
+  const marketplaces = config?.marketplaces;
+  if (!Array.isArray(marketplaces) || marketplaces.length === 0) {
+    console.warn('\nWARN: marketplace.json has no valid "marketplaces" array, skipping');
+    return [];
+  }
+  // Load shared state once: known registry (for source verification) and installed plugins
+  const knownPath = join(homedir(), '.claude', 'plugins', 'known_marketplaces.json');
+  const knownExists = existsSync(knownPath);
+  const known = readJsonObject(knownPath, knownExists ? null : {}, 'known_marketplaces.json');
+  if (knownExists && known === null) {
+    console.error('\nInvalid known_marketplaces.json: refusing to register any marketplace automatically');
+    return marketplaces.flatMap(e =>
+      (e?.plugins ?? []).map(plugin => ({ plugin, action: 'skipped (invalid marketplace registry)', ok: false }))
+    );
+  }
+  const installedPath = join(homedir(), '.claude', 'plugins', 'installed_plugins.json');
+  const installedData = readJsonObject(installedPath, {}, 'installed_plugins.json');
+  // installed_plugins.json v2 nests under "plugins", v1 is flat
+  const rawInstalled = installedData.plugins ?? installedData;
+  const installed = (typeof rawInstalled === 'object' && rawInstalled !== null && !Array.isArray(rawInstalled))
+    ? rawInstalled
+    : {};
+  return marketplaces.flatMap(entry => installFromMarketplace(entry, known, installed));
+}
 function setupAutoUpdate() {
   const { version: installedVersion } = JSON.parse(
     readFileSync(join(__dir, 'package.json'), 'utf8')

package/marketplace.json CHANGED Viewed

@@ -1,14 +1,23 @@
 {
-  "marketplace": {
-    "name": "ai-skill-marketplace",
-    "source": "git@github.com:trend-ai-taskforce/ai-skill-marketplace.git"
-  },
-  "plugins": [
-    "wiki-tools",
-    "atlassian-tools",
-    "google-style-guides",
-    "l2-automation",
-    "service-doc-generator",
-    "claude-on-teams"
+  "marketplaces": [
+    {
+      "name": "ai-skill-marketplace",
+      "source": "git@github.com:trend-ai-taskforce/ai-skill-marketplace.git",
+      "plugins": [
+        "wiki-tools",
+        "atlassian-tools",
+        "google-style-guides",
+        "l2-automation",
+        "service-doc-generator",
+        "claude-on-teams"
+      ]
+    },
+    {
+      "name": "claude-plugins-official",
+      "source": "anthropics/claude-plugins-official",
+      "plugins": [
+        "ralph-loop"
+      ]
+    }
   ]
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@trendai-crem/claude-skills",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "description": "Claude Code skills installer for the trendai-crem team",
   "license": "UNLICENSED",
   "repository": {