@trendai-crem/claude-skills 0.9.0 → 0.10.1

package/cli.js

@@ -13,6 +13,8 @@ const EXTERNAL_SOURCES = [
   { repo: 'obra/superpowers', flags: ['--all'], label: 'superpowers' },
 ];
 
+const MANIFEST_PATH = join(homedir(), '.claude', 'claude-skills-manifest.json');
+
 const run = (args, label) => {
   try {
     execFileSync('npx', args, { stdio: 'inherit' });
@@ -25,19 +27,36 @@ const run = (args, label) => {
 
 console.log('Installing team skills...\n');
 
-// 1. External skills — failures are non-fatal
-const externalResults = EXTERNAL_SOURCES.map(({ repo, flags, label }) =>
-  ({ label, ok: run(['skills', 'add', repo, ...flags, '-g', '-y'], label) })
-);
-
 // 2. Team skills — required, overrides same-named externals
 const teamSkills = readdirSync(join(__dir, 'skills'), { withFileTypes: true })
   .filter(e => e.isDirectory())
   .map(e => e.name)
   .sort();
 
+// Compute desired skills for reconcile (query external sources before installing)
+const externalSkillNames = EXTERNAL_SOURCES.flatMap(({ repo, flags }) =>
+  listExternalSkillNames(repo, flags) ?? []
+);
+const desiredSkills = new Set([...teamSkills, ...externalSkillNames]);
+
+// Reconcile stale skills via manifest (before installing, so removals show first)
+const skillManifest = readJsonObject(MANIFEST_PATH, {}, 'claude-skills-manifest.json') ?? {};
+const previousSkills = new Set(Array.isArray(skillManifest.skills) ? skillManifest.skills : []);
+const staleSkillResults = reconcileSkills(desiredSkills, previousSkills);
+
+// 1. External skills — failures are non-fatal
+const externalResults = EXTERNAL_SOURCES.map(({ repo, flags, label }) =>
+  ({ label, ok: run(['skills', 'add', repo, ...flags, '-g', '-y'], label) })
+);
+
 const teamOk = run(['skills', 'add', __dir, '--all', '-g', '-y'], 'team skills');
 
+// Write skills portion of manifest (merge to preserve plugins field written later)
+const tmpSkillManifest = join(tmpdir(), `claude-skills-manifest-${process.pid}-skills.json`);
+const mergedSkillManifest = { ...skillManifest, skills: [...desiredSkills] };
+writeFileSync(tmpSkillManifest, JSON.stringify(mergedSkillManifest, null, 2) + '\n');
+renameSync(tmpSkillManifest, MANIFEST_PATH);
+
 // 3. Marketplace plugins — failures are non-fatal
 let marketplaceResults = [];
 try {
@@ -48,6 +67,7 @@ try {
 
 // Summary
 console.log('\nResults:');
+staleSkillResults.forEach(({ skill, action, ok }) => console.log(`  ${ok ? '✓' : '✗'} ${skill} (${action})`));
 externalResults.forEach(({ label, ok }) => console.log(`  ${ok ? '✓' : '✗'} ${label}`));
 if (teamOk) {
   teamSkills.forEach(name => console.log(`  ✓ ${name}`));
@@ -90,21 +110,63 @@ function readJsonObject(filePath, fallback, label) {
   return fallback;
 }
 
-// Extracts the registered source URL for a marketplace from known_marketplaces.json.
-// Handles both string entries and object entries with a `source` field.
+// Lists skill names available in an external repo without installing (uses --list flag).
+// Returns null if the query fails — caller should skip reconcile for that source.
+function listExternalSkillNames(repo, flags) {
+  try {
+    const output = execFileSync('npx', ['skills', 'add', repo, ...flags, '-l'], {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return output.split('\n')
+      .filter(l => /^│    [a-z]/.test(l))
+      .map(l => l.replace(/^│\s+/, '').trim());
+  } catch {
+    return null; // can't determine list — reconcile skipped for this source
+  }
+}
+
+// Removes skills that claude-skills previously managed but are no longer in any source.
+// Only touches skills in our manifest — leaves user-created skills alone.
+function reconcileSkills(desiredSkills, previousSkills) {
+  const staleSkills = [...previousSkills].filter(s => !desiredSkills.has(s));
+  if (staleSkills.length === 0) return [];
+
+  console.log('\nRemoving stale skills (removed from config)...\n');
+  try {
+    execFileSync('npx', ['skills', 'remove', ...staleSkills, '-g', '-y'], { stdio: 'inherit' });
+    return staleSkills.map(skill => ({ skill, action: 'uninstall', ok: true }));
+  } catch (error) {
+    const exitInfo = error.status != null ? `exit ${error.status}` : error.code ?? error.message;
+    console.error(`\nFailed to remove stale skills (${exitInfo})`);
+    return staleSkills.map(skill => ({ skill, action: 'uninstall', ok: false }));
+  }
+}
+
+// Extracts the registered source for a marketplace from known_marketplaces.json.
+// Handles: plain string, object with string .source, and GitHub registry format
+// { source: { source: "github", repo: "org/repo" } }.
 function getRegisteredMarketplaceSource(known, marketplaceName) {
   const entry = known[marketplaceName];
   if (typeof entry === 'string') return entry;
   if (entry && typeof entry === 'object' && !Array.isArray(entry)) {
-    return typeof entry.source === 'string' ? entry.source : null;
+    if (typeof entry.source === 'string') return entry.source;
+    // GitHub registry format: { source: { source: "github", repo: "org/repo" }, ... }
+    if (entry.source?.source === 'github' && typeof entry.source?.repo === 'string') {
+      return entry.source.repo;
+    }
   }
   return null;
 }
 
-// Normalizes a marketplace source URL to a canonical host/path form for comparison.
-// Treats SSH and HTTPS URLs pointing to the same repo as equivalent.
-// Returns null if the URL cannot be parsed.
+// Normalizes a marketplace source to a canonical host/path form for comparison.
+// Accepts SSH URLs, HTTPS URLs, and GitHub shorthand (org/repo).
+// Returns null if the source cannot be parsed.
 function normalizeMarketplaceSource(rawSource) {
+  // GitHub shorthand: org/repo (no slashes in org, no protocol)
+  if (/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/.test(rawSource)) {
+    return rawSource.toLowerCase();
+  }
   const sshMatch = /^git@([^:]+):(.+?)(?:\.git)?$/.exec(rawSource);
   if (sshMatch) {
     return `${sshMatch[1].toLowerCase()}/${sshMatch[2].replace(/^\/+/, '').replace(/\.git$/, '')}`;
@@ -117,58 +179,42 @@ function normalizeMarketplaceSource(rawSource) {
   }
 }
 
-function installMarketplacePlugins() {
-  const configPath = join(__dir, 'marketplace.json');
-  if (!existsSync(configPath)) return [];
-
-  // Parse and validate marketplace.json — all failures are non-fatal (SCD-7)
-  const config = readJsonObject(configPath, null, 'marketplace.json');
-  const { marketplace, plugins } = config ?? {};
-
+// Installs or updates all plugins for a single marketplace entry.
+// Returns an array of { plugin, action, ok } results.
+function installFromMarketplace(entry, known, installed) {
   // Input validation + allowlisting (SCD-1, OWASP-A04)
   // Leading `-` is rejected to prevent argv injection: `claude plugin install -s` parses as flag.
   const SAFE_NAME = /^(?!-)[A-Za-z0-9_][A-Za-z0-9_-]*$/;
   const SAFE_SOURCE = /^(git@[\w.-]+:[\w.\-/]+\.git|https:\/\/[\w.-]+\/[\w.\-/]+\.git)$/;
+  const SAFE_GITHUB = /^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+$/;
+
+  const { name: marketplaceName, source, plugins } = entry ?? {};
 
-  if (
-    typeof marketplace?.name !== 'string' ||
-    typeof marketplace?.source !== 'string' ||
-    !Array.isArray(plugins)
-  ) {
-    console.error('\nInvalid marketplace.json: missing required fields (marketplace.name, marketplace.source, plugins[])');
+  if (typeof marketplaceName !== 'string' || typeof source !== 'string' || !Array.isArray(plugins)) {
+    console.error('\nInvalid marketplace entry: missing required fields (name, source, plugins[])');
     return [];
   }
-  if (!SAFE_NAME.test(marketplace.name) || !SAFE_SOURCE.test(marketplace.source)) {
-    console.error('\nInvalid marketplace name or source URL in marketplace.json');
+  if (!SAFE_NAME.test(marketplaceName) || (!SAFE_SOURCE.test(source) && !SAFE_GITHUB.test(source))) {
+    console.error(`\nInvalid marketplace name or source: ${marketplaceName}`);
     return [];
   }
-  // Reject the entire config on any invalid plugin name (fail-closed, not silent filter).
+  // Reject the entire entry on any invalid plugin name (fail-closed, not silent filter).
   const invalidPlugins = plugins.filter(p => typeof p !== 'string' || !SAFE_NAME.test(p));
   if (invalidPlugins.length > 0) {
-    console.error(`\nInvalid plugin names in marketplace.json: ${invalidPlugins.map(p => JSON.stringify(p)).join(', ')}`);
+    console.error(`\nInvalid plugin names for ${marketplaceName}: ${invalidPlugins.map(p => JSON.stringify(p)).join(', ')}`);
     return [];
   }
-  const validPlugins = plugins;
 
-  const { name: marketplaceName, source } = marketplace;
   console.log(`\nInstalling marketplace plugins (${marketplaceName})...\n`);
 
   // Register marketplace if not already known — verify source matches to prevent supply-chain mismatch (OWASP-A08)
-  const knownPath = join(homedir(), '.claude', 'plugins', 'known_marketplaces.json');
-  // Distinguish "file missing" (first-run, safe) from "file corrupted" (fail-closed).
-  const knownExists = existsSync(knownPath);
-  const known = readJsonObject(knownPath, knownExists ? null : {}, 'known_marketplaces.json');
-  if (knownExists && known === null) {
-    console.error('\nInvalid known_marketplaces.json: refusing to register marketplace automatically');
-    return validPlugins.map(plugin => ({ plugin, action: 'skipped (invalid marketplace registry)', ok: false }));
-  }
   const registeredSource = getRegisteredMarketplaceSource(known, marketplaceName);
   const normalizedSource = normalizeMarketplaceSource(source);
   const normalizedRegistered = registeredSource ? normalizeMarketplaceSource(registeredSource) : null;
 
   if (registeredSource && (!normalizedRegistered || normalizedRegistered !== normalizedSource)) {
     console.error(`\nMarketplace source mismatch for ${marketplaceName}: registered as ${registeredSource}, but marketplace.json specifies ${source}`);
-    return validPlugins.map(plugin => ({ plugin, action: 'skipped (source mismatch)', ok: false }));
+    return plugins.map(plugin => ({ plugin, action: 'skipped (source mismatch)', ok: false }));
   }
 
   if (!registeredSource) {
@@ -179,7 +225,7 @@ function installMarketplacePlugins() {
     } catch (error) {
       const exitInfo = error.status != null ? `exit ${error.status}` : error.code ?? error.message;
       console.error(`\nFailed to register marketplace: ${marketplaceName} (${exitInfo})`);
-      return validPlugins.map(plugin => ({ plugin, action: 'skipped (no marketplace)', ok: false }));
+      return plugins.map(plugin => ({ plugin, action: 'skipped (no marketplace)', ok: false }));
     }
   }
 
@@ -191,16 +237,7 @@ function installMarketplacePlugins() {
     console.warn(`\nWARN: Failed to update marketplace ${marketplaceName} (${exitInfo}) — using cached version`);
   }
 
-  // Load installed plugin registry (SCD-7)
-  const installedPath = join(homedir(), '.claude', 'plugins', 'installed_plugins.json');
-  const installedData = readJsonObject(installedPath, {}, 'installed_plugins.json');
-  // installed_plugins.json v2 nests under "plugins", v1 is flat
-  const rawInstalled = installedData.plugins ?? installedData;
-  const installed = (typeof rawInstalled === 'object' && rawInstalled !== null && !Array.isArray(rawInstalled))
-    ? rawInstalled
-    : {};
-
-  return validPlugins.map(plugin => {
+  return plugins.map(plugin => {
     const key = `${plugin}@${marketplaceName}`;
     const isInstalled = Object.hasOwn(installed, key); // Object.hasOwn avoids prototype chain traversal (SCD-7)
     const action = isInstalled ? 'update' : 'install';
@@ -218,6 +255,81 @@ function installMarketplacePlugins() {
   });
 }
 
+function installMarketplacePlugins() {
+  const configPath = join(__dir, 'marketplace.json');
+  if (!existsSync(configPath)) return [];
+
+  // Parse marketplace.json — all failures are non-fatal (SCD-7)
+  const config = readJsonObject(configPath, null, 'marketplace.json');
+  const marketplaces = config?.marketplaces;
+  if (!Array.isArray(marketplaces) || marketplaces.length === 0) {
+    console.warn('\nWARN: marketplace.json has no valid "marketplaces" array, skipping');
+    return [];
+  }
+
+  // Load shared state once: known registry (for source verification) and installed plugins
+  const knownPath = join(homedir(), '.claude', 'plugins', 'known_marketplaces.json');
+  const knownExists = existsSync(knownPath);
+  const known = readJsonObject(knownPath, knownExists ? null : {}, 'known_marketplaces.json');
+  if (knownExists && known === null) {
+    console.error('\nInvalid known_marketplaces.json: refusing to register any marketplace automatically');
+    return marketplaces.flatMap(e =>
+      (e?.plugins ?? []).map(plugin => ({ plugin, action: 'skipped (invalid marketplace registry)', ok: false }))
+    );
+  }
+
+  const installedPath = join(homedir(), '.claude', 'plugins', 'installed_plugins.json');
+  const installedData = readJsonObject(installedPath, {}, 'installed_plugins.json');
+  // installed_plugins.json v2 nests under "plugins", v1 is flat
+  const rawInstalled = installedData.plugins ?? installedData;
+  const installed = (typeof rawInstalled === 'object' && rawInstalled !== null && !Array.isArray(rawInstalled))
+    ? rawInstalled
+    : {};
+
+  const desiredKeys = new Set(
+    marketplaces.flatMap(e => (e?.plugins ?? []).map(p => `${p}@${e.name}`))
+  );
+
+  // Reconcile: uninstall plugins WE previously managed that are no longer in marketplace.json.
+  // Uses a manifest so we only remove what claude-skills installed — not user-installed plugins.
+  const manifest = readJsonObject(MANIFEST_PATH, {}, 'claude-skills-manifest.json');
+  const previousKeys = new Set(Array.isArray(manifest.plugins) ? manifest.plugins : []);
+  const uninstallResults = reconcileMarketplacePlugins(desiredKeys, previousKeys, installed);
+
+  // Update manifest — merge to preserve other fields (e.g. skills written by reconcileSkills)
+  const tmpManifest = join(tmpdir(), `claude-skills-manifest-${process.pid}.json`);
+  const updatedManifest = { ...(readJsonObject(MANIFEST_PATH, {}) ?? {}), plugins: [...desiredKeys] };
+  writeFileSync(tmpManifest, JSON.stringify(updatedManifest, null, 2) + '\n');
+  renameSync(tmpManifest, MANIFEST_PATH);
+
+  const installResults = marketplaces.flatMap(entry => installFromMarketplace(entry, known, installed));
+  return [...uninstallResults, ...installResults];
+}
+
+// Uninstalls plugins that claude-skills previously managed but are no longer in marketplace.json.
+// Only touches plugins in our manifest — leaves user-installed plugins alone.
+function reconcileMarketplacePlugins(desiredKeys, previousKeys, installed) {
+  const staleKeys = [...previousKeys].filter(key =>
+    !desiredKeys.has(key) && Object.hasOwn(installed, key)
+  );
+
+  if (staleKeys.length === 0) return [];
+
+  console.log('\nRemoving stale marketplace plugins (removed from marketplace.json)...\n');
+  return staleKeys.map(key => {
+    const atIdx = key.lastIndexOf('@');
+    const plugin = atIdx !== -1 ? key.slice(0, atIdx) : key;
+    try {
+      execFileSync('claude', ['plugin', 'uninstall', key], { stdio: 'inherit' });
+      return { plugin, action: 'uninstall', ok: true };
+    } catch (error) {
+      const exitInfo = error.status != null ? `exit ${error.status}` : error.code ?? error.message;
+      console.error(`\nFailed to uninstall ${key} (${exitInfo})`);
+      return { plugin, action: 'uninstall', ok: false };
+    }
+  });
+}
+
 function setupAutoUpdate() {
   const { version: installedVersion } = JSON.parse(
     readFileSync(join(__dir, 'package.json'), 'utf8')

package/marketplace.json

@@ -1,14 +1,22 @@
 {
-  "marketplace": {
-    "name": "ai-skill-marketplace",
-    "source": "git@github.com:trend-ai-taskforce/ai-skill-marketplace.git"
-  },
-  "plugins": [
-    "wiki-tools",
-    "atlassian-tools",
-    "google-style-guides",
-    "l2-automation",
-    "service-doc-generator",
-    "claude-on-teams"
+  "marketplaces": [
+    {
+      "name": "ai-skill-marketplace",
+      "source": "git@github.com:trend-ai-taskforce/ai-skill-marketplace.git",
+      "plugins": [
+        "wiki-tools",
+        "atlassian-tools",
+        "google-style-guides",
+        "l2-automation",
+        "service-doc-generator"
+      ]
+    },
+    {
+      "name": "claude-plugins-official",
+      "source": "anthropics/claude-plugins-official",
+      "plugins": [
+        "ralph-loop"
+      ]
+    }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@trendai-crem/claude-skills",
-  "version": "0.9.0",
+  "version": "0.10.1",
   "description": "Claude Code skills installer for the trendai-crem team",
   "license": "UNLICENSED",
   "repository": {