@wingman-ai/gateway 0.3.2 → 0.4.0

package/dist/cli/services/skillSecurityScanner.js

@@ -0,0 +1,121 @@
+import { spawn } from "node:child_process";
+import { ensureUvAvailableForFeature } from "../../utils/uv.js";
+const DEFAULT_SCANNER_COMMAND = "uvx";
+const DEFAULT_SCANNER_ARGS = [
+    "--from",
+    "mcp-scan>=0.4,<0.5",
+    "mcp-scan",
+    "--json",
+    "--skills"
+];
+const DEFAULT_BLOCKED_CODES = [
+    "MCP501",
+    "MCP506",
+    "MCP507",
+    "MCP508",
+    "MCP509",
+    "MCP510",
+    "MCP511"
+];
+function getScannerCommand(security) {
+    return security?.scannerCommand?.trim() || DEFAULT_SCANNER_COMMAND;
+}
+function getScannerArgs(security) {
+    if (Array.isArray(security?.scannerArgs) && security.scannerArgs.length > 0) return security.scannerArgs;
+    return DEFAULT_SCANNER_ARGS;
+}
+function getBlockedIssueCodes(security) {
+    const configured = security?.blockIssueCodes || DEFAULT_BLOCKED_CODES;
+    return new Set(configured.map((code)=>code.trim().toUpperCase()).filter(Boolean));
+}
+function parseScanResult(stdout) {
+    try {
+        return JSON.parse(stdout);
+    } catch  {
+        const firstBrace = stdout.indexOf("{");
+        const lastBrace = stdout.lastIndexOf("}");
+        if (-1 === firstBrace || -1 === lastBrace || lastBrace < firstBrace) throw new Error("Scanner output did not include JSON");
+        const jsonPayload = stdout.slice(firstBrace, lastBrace + 1);
+        return JSON.parse(jsonPayload);
+    }
+}
+async function runCommand(command, args) {
+    return await new Promise((resolve, reject)=>{
+        const child = spawn(command, args, {
+            stdio: [
+                "ignore",
+                "pipe",
+                "pipe"
+            ]
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (chunk)=>{
+            stdout += chunk.toString();
+        });
+        child.stderr.on("data", (chunk)=>{
+            stderr += chunk.toString();
+        });
+        child.on("error", reject);
+        child.on("close", (exitCode)=>{
+            resolve({
+                exitCode,
+                stdout,
+                stderr
+            });
+        });
+    });
+}
+async function scanSkillDirectory(skillPath, logger, security) {
+    const scanOnInstall = security?.scanOnInstall ?? true;
+    if (!scanOnInstall) return;
+    const command = getScannerCommand(security);
+    ensureUvAvailableForFeature(command, "skills.security.scanOnInstall");
+    const args = [
+        ...getScannerArgs(security),
+        skillPath
+    ];
+    logger.info(`Running skill security scan: ${command} ${args.join(" ")}`);
+    const result = await runCommand(command, args);
+    if (0 !== result.exitCode) {
+        const details = result.stderr.trim() || result.stdout.trim();
+        throw new Error(`Skill security scan failed with exit code ${result.exitCode ?? "unknown"}${details ? `: ${details}` : ""}`);
+    }
+    const parsed = parseScanResult(result.stdout);
+    const failedPaths = Object.entries(parsed).filter(([, value])=>Boolean(value.error && false !== value.error.is_failure));
+    if (failedPaths.length > 0) {
+        const formatted = failedPaths.map(([path, value])=>{
+            const category = value.error?.category ? ` (${value.error.category})` : "";
+            return `${path}: ${value.error?.message || "unknown scan error"}${category}`;
+        }).join("; ");
+        throw new Error(`Skill security scan reported errors: ${formatted}`);
+    }
+    const blockedCodes = getBlockedIssueCodes(security);
+    const blockingIssues = [];
+    const nonBlockingIssues = [];
+    for (const value of Object.values(parsed))for (const issue of value.issues || []){
+        const code = (issue.code || "").trim().toUpperCase();
+        if (!code) continue;
+        const issueDetails = {
+            code,
+            message: issue.message || ""
+        };
+        if (blockedCodes.has(code)) blockingIssues.push(issueDetails);
+        else nonBlockingIssues.push(issueDetails);
+    }
+    if (nonBlockingIssues.length > 0) {
+        const codes = Array.from(new Set(nonBlockingIssues.map((issue)=>issue.code)));
+        logger.warn(`Skill security scan returned non-blocking issues: ${codes.join(", ")}`);
+    }
+    if (blockingIssues.length > 0) {
+        const codes = Array.from(new Set(blockingIssues.map((issue)=>issue.code)));
+        throw new Error(`Skill security scan blocked installation due to issue codes: ${codes.join(", ")}`);
+    }
+}
+const __skillSecurityScanner = {
+    parseScanResult,
+    getScannerArgs,
+    getScannerCommand,
+    getBlockedIssueCodes
+};
+export { __skillSecurityScanner, scanSkillDirectory };

package/dist/cli/services/skillService.cjs

@@ -27,9 +27,11 @@ __webpack_require__.d(__webpack_exports__, {
     SkillService: ()=>SkillService
 });
 const promises_namespaceObject = require("node:fs/promises");
+const external_node_os_namespaceObject = require("node:os");
 const external_node_path_namespaceObject = require("node:path");
 const external_node_readline_promises_namespaceObject = require("node:readline/promises");
 const external_logger_cjs_namespaceObject = require("../../logger.cjs");
+const external_skillSecurityScanner_cjs_namespaceObject = require("./skillSecurityScanner.cjs");
 function _define_property(obj, key, value) {
     if (key in obj) Object.defineProperty(obj, key, {
         value: value,
@@ -85,6 +87,8 @@ class SkillService {
         }
     }
     async installSkill(skillName) {
+        let stagingRoot = null;
+        let shouldReplaceExisting = false;
         try {
             const nameRegex = /^[a-z0-9]+(-[a-z0-9]+)*$/;
             if (!nameRegex.test(skillName)) throw new Error(`Invalid skill name '${skillName}': must be lowercase alphanumeric with hyphens only`);
@@ -94,11 +98,7 @@ class SkillService {
             if (exists) if ("interactive" === this.outputManager.getMode()) {
                 const shouldOverwrite = await this.promptForOverwrite(skillName);
                 if (!shouldOverwrite) return void console.log("\nInstallation cancelled.");
-                this.logger.info("Removing existing skill...");
-                await promises_namespaceObject.rm(skillPath, {
-                    recursive: true,
-                    force: true
-                });
+                shouldReplaceExisting = true;
             } else throw new Error(`Skill '${skillName}' is already installed.`);
             this.logger.info("Fetching skill metadata...");
             const metadata = await this.repository.getSkillMetadata(skillName);
@@ -113,22 +113,39 @@ class SkillService {
             });
             this.logger.info("Downloading skill files...");
             const files = await this.repository.downloadSkill(skillName);
-            await promises_namespaceObject.mkdir(this.getSkillsPath(), {
-                recursive: true
-            });
-            await promises_namespaceObject.mkdir(skillPath, {
+            stagingRoot = await promises_namespaceObject.mkdtemp(external_node_path_namespaceObject.join((0, external_node_os_namespaceObject.tmpdir)(), "wingman-skill-"));
+            const stagedSkillPath = external_node_path_namespaceObject.join(stagingRoot, skillName);
+            await promises_namespaceObject.mkdir(stagedSkillPath, {
                 recursive: true
             });
-            this.logger.info(`Writing ${files.size} files...`);
+            this.logger.info(`Writing ${files.size} files to staging...`);
             for (const [relativePath, content] of files){
-                const filePath = external_node_path_namespaceObject.join(skillPath, relativePath);
+                const filePath = this.resolveSafeInstallPath(stagedSkillPath, relativePath);
                 const fileDir = external_node_path_namespaceObject.dirname(filePath);
                 await promises_namespaceObject.mkdir(fileDir, {
                     recursive: true
                 });
                 await promises_namespaceObject.writeFile(filePath, content);
             }
-            await this.validateSkillMd(skillPath);
+            await this.validateSkillMd(stagedSkillPath);
+            await (0, external_skillSecurityScanner_cjs_namespaceObject.scanSkillDirectory)(stagedSkillPath, this.logger, this.security);
+            await promises_namespaceObject.mkdir(this.getSkillsPath(), {
+                recursive: true
+            });
+            if (shouldReplaceExisting) {
+                this.logger.info("Replacing existing skill...");
+                await promises_namespaceObject.rm(skillPath, {
+                    recursive: true,
+                    force: true
+                });
+            }
+            await promises_namespaceObject.mkdir(skillPath, {
+                recursive: true
+            });
+            await promises_namespaceObject.cp(stagedSkillPath, skillPath, {
+                recursive: true,
+                force: true
+            });
             if ("interactive" === this.outputManager.getMode()) console.log(`\n✓ Successfully installed skill ${skillName} to ${skillPath}`);
             else this.outputManager.emitEvent({
                 type: "skill-install-complete",
@@ -150,6 +167,11 @@ class SkillService {
                 timestamp: new Date().toISOString()
             });
             throw error;
+        } finally{
+            if (stagingRoot) await promises_namespaceObject.rm(stagingRoot, {
+                recursive: true,
+                force: true
+            });
         }
     }
     async listInstalledSkills() {
@@ -291,6 +313,14 @@ class SkillService {
             throw new Error(`Invalid SKILL.md: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
+    resolveSafeInstallPath(root, relativePath) {
+        const normalized = external_node_path_namespaceObject.posix.normalize(relativePath.replace(/\\/g, "/")).replace(/^\/+/, "");
+        if (!normalized || "." === normalized || normalized.startsWith("../")) throw new Error(`Unsafe skill file path '${relativePath}' rejected during installation`);
+        const rootResolved = external_node_path_namespaceObject.resolve(root);
+        const filePath = external_node_path_namespaceObject.resolve(rootResolved, normalized);
+        if (filePath !== rootResolved && !filePath.startsWith(rootResolved + external_node_path_namespaceObject.sep)) throw new Error(`Unsafe skill file path '${relativePath}' rejected during installation`);
+        return filePath;
+    }
     parseSkillMetadata(content) {
         const frontmatterRegex = /^---\s*\n([\s\S]*?)\n---/;
         const match = content.match(frontmatterRegex);
@@ -320,11 +350,13 @@ class SkillService {
         _define_property(this, "repository", void 0);
         _define_property(this, "outputManager", void 0);
         _define_property(this, "logger", void 0);
+        _define_property(this, "security", void 0);
         this.repository = repository;
         this.outputManager = outputManager;
         this.logger = logger;
         this.workspace = options.workspace;
         this.skillsDirectory = options.skillsDirectory || "skills";
+        this.security = options.security || {};
     }
 }
 exports.SkillService = __webpack_exports__.SkillService;

package/dist/cli/services/skillService.d.ts

@@ -8,6 +8,7 @@ export declare class SkillService {
     private readonly repository;
     private readonly outputManager;
     private readonly logger;
+    private readonly security;
     constructor(repository: SkillRepository, outputManager: OutputManager, logger: Logger, options: SkillServiceOptions);
     /**
      * Get the absolute path to the skills directory
@@ -41,6 +42,7 @@ export declare class SkillService {
      * Validate SKILL.md file
      */
     private validateSkillMd;
+    private resolveSafeInstallPath;
     /**
      * Parse SKILL.md metadata (same logic as repository)
      */

package/dist/cli/services/skillService.js

@@ -1,7 +1,9 @@
-import { access, mkdir, readFile, readdir, rm, writeFile } from "node:fs/promises";
-import { dirname, join } from "node:path";
+import { access, cp, mkdir, mkdtemp, readFile, readdir, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { dirname, join, posix, resolve, sep } from "node:path";
 import { createInterface } from "node:readline/promises";
 import { getLogFilePath } from "../../logger.js";
+import { scanSkillDirectory } from "./skillSecurityScanner.js";
 function _define_property(obj, key, value) {
     if (key in obj) Object.defineProperty(obj, key, {
         value: value,
@@ -57,6 +59,8 @@ class SkillService {
         }
     }
     async installSkill(skillName) {
+        let stagingRoot = null;
+        let shouldReplaceExisting = false;
         try {
             const nameRegex = /^[a-z0-9]+(-[a-z0-9]+)*$/;
             if (!nameRegex.test(skillName)) throw new Error(`Invalid skill name '${skillName}': must be lowercase alphanumeric with hyphens only`);
@@ -66,11 +70,7 @@ class SkillService {
             if (exists) if ("interactive" === this.outputManager.getMode()) {
                 const shouldOverwrite = await this.promptForOverwrite(skillName);
                 if (!shouldOverwrite) return void console.log("\nInstallation cancelled.");
-                this.logger.info("Removing existing skill...");
-                await rm(skillPath, {
-                    recursive: true,
-                    force: true
-                });
+                shouldReplaceExisting = true;
             } else throw new Error(`Skill '${skillName}' is already installed.`);
             this.logger.info("Fetching skill metadata...");
             const metadata = await this.repository.getSkillMetadata(skillName);
@@ -85,22 +85,39 @@ class SkillService {
             });
             this.logger.info("Downloading skill files...");
             const files = await this.repository.downloadSkill(skillName);
-            await mkdir(this.getSkillsPath(), {
-                recursive: true
-            });
-            await mkdir(skillPath, {
+            stagingRoot = await mkdtemp(join(tmpdir(), "wingman-skill-"));
+            const stagedSkillPath = join(stagingRoot, skillName);
+            await mkdir(stagedSkillPath, {
                 recursive: true
             });
-            this.logger.info(`Writing ${files.size} files...`);
+            this.logger.info(`Writing ${files.size} files to staging...`);
             for (const [relativePath, content] of files){
-                const filePath = join(skillPath, relativePath);
+                const filePath = this.resolveSafeInstallPath(stagedSkillPath, relativePath);
                 const fileDir = dirname(filePath);
                 await mkdir(fileDir, {
                     recursive: true
                 });
                 await writeFile(filePath, content);
             }
-            await this.validateSkillMd(skillPath);
+            await this.validateSkillMd(stagedSkillPath);
+            await scanSkillDirectory(stagedSkillPath, this.logger, this.security);
+            await mkdir(this.getSkillsPath(), {
+                recursive: true
+            });
+            if (shouldReplaceExisting) {
+                this.logger.info("Replacing existing skill...");
+                await rm(skillPath, {
+                    recursive: true,
+                    force: true
+                });
+            }
+            await mkdir(skillPath, {
+                recursive: true
+            });
+            await cp(stagedSkillPath, skillPath, {
+                recursive: true,
+                force: true
+            });
             if ("interactive" === this.outputManager.getMode()) console.log(`\n✓ Successfully installed skill ${skillName} to ${skillPath}`);
             else this.outputManager.emitEvent({
                 type: "skill-install-complete",
@@ -122,6 +139,11 @@ class SkillService {
                 timestamp: new Date().toISOString()
             });
             throw error;
+        } finally{
+            if (stagingRoot) await rm(stagingRoot, {
+                recursive: true,
+                force: true
+            });
         }
     }
     async listInstalledSkills() {
@@ -263,6 +285,14 @@ class SkillService {
             throw new Error(`Invalid SKILL.md: ${error instanceof Error ? error.message : String(error)}`);
         }
     }
+    resolveSafeInstallPath(root, relativePath) {
+        const normalized = posix.normalize(relativePath.replace(/\\/g, "/")).replace(/^\/+/, "");
+        if (!normalized || "." === normalized || normalized.startsWith("../")) throw new Error(`Unsafe skill file path '${relativePath}' rejected during installation`);
+        const rootResolved = resolve(root);
+        const filePath = resolve(rootResolved, normalized);
+        if (filePath !== rootResolved && !filePath.startsWith(rootResolved + sep)) throw new Error(`Unsafe skill file path '${relativePath}' rejected during installation`);
+        return filePath;
+    }
     parseSkillMetadata(content) {
         const frontmatterRegex = /^---\s*\n([\s\S]*?)\n---/;
         const match = content.match(frontmatterRegex);
@@ -292,11 +322,13 @@ class SkillService {
         _define_property(this, "repository", void 0);
         _define_property(this, "outputManager", void 0);
         _define_property(this, "logger", void 0);
+        _define_property(this, "security", void 0);
         this.repository = repository;
         this.outputManager = outputManager;
         this.logger = logger;
         this.workspace = options.workspace;
         this.skillsDirectory = options.skillsDirectory || "skills";
+        this.security = options.security || {};
     }
 }
 export { SkillService };

package/dist/cli/types/skill.d.ts

@@ -57,9 +57,17 @@ export interface SkillCommandArgs {
  * Options for skill repository operations
  */
 export interface SkillRepositoryOptions {
+    provider?: "github" | "clawhub";
     repositoryOwner?: string;
     repositoryName?: string;
     githubToken?: string;
+    clawhubBaseUrl?: string;
+}
+export interface SkillSecurityOptions {
+    scanOnInstall?: boolean;
+    scannerCommand?: string;
+    scannerArgs?: string[];
+    blockIssueCodes?: string[];
 }
 /**
  * Options for skill service operations
@@ -68,4 +76,5 @@ export interface SkillServiceOptions {
     workspace: string;
     skillsDirectory?: string;
     outputMode: OutputMode;
+    security?: SkillSecurityOptions;
 }

package/dist/gateway/server.cjs

@@ -41,6 +41,7 @@ const agentInvoker_cjs_namespaceObject = require("../cli/core/agentInvoker.cjs")
 const outputManager_cjs_namespaceObject = require("../cli/core/outputManager.cjs");
 const sessionManager_cjs_namespaceObject = require("../cli/core/sessionManager.cjs");
 const external_logger_cjs_namespaceObject = require("../logger.cjs");
+const uv_cjs_namespaceObject = require("../utils/uv.cjs");
 const discord_cjs_namespaceObject = require("./adapters/discord.cjs");
 const external_auth_cjs_namespaceObject = require("./auth.cjs");
 const external_browserRelayServer_cjs_namespaceObject = require("./browserRelayServer.cjs");
@@ -99,6 +100,8 @@ function resolveExecutionConfigDirOverride(payload) {
 class GatewayServer {
     async start() {
         if (void 0 === globalThis.Bun) throw new Error("Gateway server requires Bun runtime. Start with `bun ./bin/wingman gateway start`.");
+        const proxyConfig = this.wingmanConfig.gateway?.mcpProxy;
+        if (proxyConfig?.enabled) (0, uv_cjs_namespaceObject.ensureUvAvailableForFeature)(proxyConfig.command || "uvx", "gateway.mcpProxy.enabled");
         this.startedAt = Date.now();
         this.internalHooks = new registry_cjs_namespaceObject.InternalHookRegistry(this.getHttpContext(), this.wingmanConfig.hooks);
         await this.internalHooks.load();
@@ -546,7 +549,8 @@ class GatewayServer {
             sessionManager,
             terminalSessionManager: this.terminalSessionManager,
             workdir,
-            defaultOutputDir
+            defaultOutputDir,
+            mcpProxyConfig: this.wingmanConfig.gateway?.mcpProxy
         });
         const abortController = new AbortController();
         this.activeAgentRequests.set(msg.id, {

package/dist/gateway/server.js

@@ -8,6 +8,7 @@ import { AgentInvoker } from "../cli/core/agentInvoker.js";
 import { OutputManager } from "../cli/core/outputManager.js";
 import { SessionManager } from "../cli/core/sessionManager.js";
 import { createLogger } from "../logger.js";
+import { ensureUvAvailableForFeature } from "../utils/uv.js";
 import { DiscordGatewayAdapter } from "./adapters/discord.js";
 import { GatewayAuth } from "./auth.js";
 import { BrowserRelayServer } from "./browserRelayServer.js";
@@ -66,6 +67,8 @@ function resolveExecutionConfigDirOverride(payload) {
 class GatewayServer {
     async start() {
         if (void 0 === globalThis.Bun) throw new Error("Gateway server requires Bun runtime. Start with `bun ./bin/wingman gateway start`.");
+        const proxyConfig = this.wingmanConfig.gateway?.mcpProxy;
+        if (proxyConfig?.enabled) ensureUvAvailableForFeature(proxyConfig.command || "uvx", "gateway.mcpProxy.enabled");
         this.startedAt = Date.now();
         this.internalHooks = new InternalHookRegistry(this.getHttpContext(), this.wingmanConfig.hooks);
         await this.internalHooks.load();
@@ -513,7 +516,8 @@ class GatewayServer {
             sessionManager,
             terminalSessionManager: this.terminalSessionManager,
             workdir,
-            defaultOutputDir
+            defaultOutputDir,
+            mcpProxyConfig: this.wingmanConfig.gateway?.mcpProxy
         });
         const abortController = new AbortController();
         this.activeAgentRequests.set(msg.id, {

package/dist/gateway/types.d.ts

@@ -143,6 +143,15 @@ export interface GatewayConfig {
         method: "mdns" | "tailscale";
         name: string;
     };
+    mcpProxy?: {
+        enabled: boolean;
+        command?: string;
+        baseArgs?: string[];
+        projectName?: string;
+        pushExplorer?: boolean;
+        apiKey?: string;
+        apiUrl?: string;
+    };
 }
 export interface GatewayAuthConfig {
     mode: "token" | "password" | "none";

package/dist/tests/cli-config-loader.test.cjs

@@ -75,9 +75,31 @@ const external_os_namespaceObject = require("os");
                     outputMode: "auto"
                 },
                 skills: {
+                    provider: "github",
                     repositoryOwner: "anthropics",
                     repositoryName: "skills",
-                    skillsDirectory: "skills"
+                    clawhubBaseUrl: "https://clawhub.ai",
+                    skillsDirectory: "skills",
+                    security: {
+                        scanOnInstall: true,
+                        scannerCommand: "uvx",
+                        scannerArgs: [
+                            "--from",
+                            "mcp-scan>=0.4,<0.5",
+                            "mcp-scan",
+                            "--json",
+                            "--skills"
+                        ],
+                        blockIssueCodes: [
+                            "MCP501",
+                            "MCP506",
+                            "MCP507",
+                            "MCP508",
+                            "MCP509",
+                            "MCP510",
+                            "MCP511"
+                        ]
+                    }
                 },
                 browser: {
                     profilesDir: ".wingman/browser-profiles",
@@ -109,6 +131,16 @@ const external_os_namespaceObject = require("os");
                         allowInsecureAuth: false
                     },
                     dynamicUiEnabled: true,
+                    mcpProxy: {
+                        enabled: false,
+                        command: "uvx",
+                        baseArgs: [
+                            "invariant-gateway@latest",
+                            "mcp"
+                        ],
+                        projectName: "wingman-gateway",
+                        pushExplorer: false
+                    },
                     adapters: {}
                 },
                 agents: {

package/dist/tests/cli-config-loader.test.js

@@ -73,9 +73,31 @@ describe("CLI Config Loader", ()=>{
                     outputMode: "auto"
                 },
                 skills: {
+                    provider: "github",
                     repositoryOwner: "anthropics",
                     repositoryName: "skills",
-                    skillsDirectory: "skills"
+                    clawhubBaseUrl: "https://clawhub.ai",
+                    skillsDirectory: "skills",
+                    security: {
+                        scanOnInstall: true,
+                        scannerCommand: "uvx",
+                        scannerArgs: [
+                            "--from",
+                            "mcp-scan>=0.4,<0.5",
+                            "mcp-scan",
+                            "--json",
+                            "--skills"
+                        ],
+                        blockIssueCodes: [
+                            "MCP501",
+                            "MCP506",
+                            "MCP507",
+                            "MCP508",
+                            "MCP509",
+                            "MCP510",
+                            "MCP511"
+                        ]
+                    }
                 },
                 browser: {
                     profilesDir: ".wingman/browser-profiles",
@@ -107,6 +129,16 @@ describe("CLI Config Loader", ()=>{
                         allowInsecureAuth: false
                     },
                     dynamicUiEnabled: true,
+                    mcpProxy: {
+                        enabled: false,
+                        command: "uvx",
+                        baseArgs: [
+                            "invariant-gateway@latest",
+                            "mcp"
+                        ],
+                        projectName: "wingman-gateway",
+                        pushExplorer: false
+                    },
                     adapters: {}
                 },
                 agents: {

package/dist/tests/config-json-schema.test.cjs

@@ -0,0 +1,25 @@
+"use strict";
+var __webpack_exports__ = {};
+const external_vitest_namespaceObject = require("vitest");
+const jsonSchema_cjs_namespaceObject = require("../cli/config/jsonSchema.cjs");
+(0, external_vitest_namespaceObject.describe)("wingman config json schema", ()=>{
+    (0, external_vitest_namespaceObject.it)("includes metadata and top-level sections", ()=>{
+        const schema = (0, jsonSchema_cjs_namespaceObject.buildWingmanConfigJsonSchema)();
+        (0, external_vitest_namespaceObject.expect)(schema.$schema).toBe("https://json-schema.org/draft/2020-12/schema");
+        (0, external_vitest_namespaceObject.expect)(schema.$id).toBe(jsonSchema_cjs_namespaceObject.WINGMAN_CONFIG_JSON_SCHEMA_ID);
+        (0, external_vitest_namespaceObject.expect)(schema.title).toBe("Wingman Config");
+        (0, external_vitest_namespaceObject.expect)(schema.type).toBe("object");
+        (0, external_vitest_namespaceObject.expect)(schema.properties).toBeDefined();
+        (0, external_vitest_namespaceObject.expect)(schema.properties.gateway).toBeDefined();
+        (0, external_vitest_namespaceObject.expect)(schema.properties.skills).toBeDefined();
+    });
+    (0, external_vitest_namespaceObject.it)("exposes resilient default scanner args", ()=>{
+        const schema = (0, jsonSchema_cjs_namespaceObject.buildWingmanConfigJsonSchema)();
+        const scannerArgsDefault = schema.properties.skills.properties.security.properties.scannerArgs.default;
+        (0, external_vitest_namespaceObject.expect)(scannerArgsDefault).toContain("mcp-scan>=0.4,<0.5");
+    });
+});
+for(var __rspack_i in __webpack_exports__)exports[__rspack_i] = __webpack_exports__[__rspack_i];
+Object.defineProperty(exports, '__esModule', {
+    value: true
+});

package/dist/tests/config-json-schema.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/tests/config-json-schema.test.js

@@ -0,0 +1,19 @@
+import { describe, expect, it } from "vitest";
+import { WINGMAN_CONFIG_JSON_SCHEMA_ID, buildWingmanConfigJsonSchema } from "../cli/config/jsonSchema.js";
+describe("wingman config json schema", ()=>{
+    it("includes metadata and top-level sections", ()=>{
+        const schema = buildWingmanConfigJsonSchema();
+        expect(schema.$schema).toBe("https://json-schema.org/draft/2020-12/schema");
+        expect(schema.$id).toBe(WINGMAN_CONFIG_JSON_SCHEMA_ID);
+        expect(schema.title).toBe("Wingman Config");
+        expect(schema.type).toBe("object");
+        expect(schema.properties).toBeDefined();
+        expect(schema.properties.gateway).toBeDefined();
+        expect(schema.properties.skills).toBeDefined();
+    });
+    it("exposes resilient default scanner args", ()=>{
+        const schema = buildWingmanConfigJsonSchema();
+        const scannerArgsDefault = schema.properties.skills.properties.security.properties.scannerArgs.default;
+        expect(scannerArgsDefault).toContain("mcp-scan>=0.4,<0.5");
+    });
+});