@xiashe/skill 0.1.5 → 0.1.8

package/README.md

@@ -9,12 +9,17 @@ This package is intentionally separate from the full `@xiashe/cli` product CLI a
 `xiashe-skill` helps creators prepare a Skill folder for third-party Skill hubs:
 
 - inspect a local Skill project
-- run one Agent-friendly registry setup command that prepares all supported hub handoffs
+- run one high-level Agent-friendly publish handoff command
+- run lower-level registry setup commands that prepare all supported hub handoffs
+- diagnose whether a local Skill has the expected registry disclosure and runtime callback wiring
+- send labeled local verification events so the Dashboard can confirm integration health
 - write an explicit `xiashe.skill.json` registry manifest
 - generate one unified `UPLOAD_HANDOFF.md` that the creator's Agent can use after the user pastes a third-party official upload prompt
 - generate optional runtime analytics snippets
 
-It does not create upload packages, copy source directories, install background services, run postinstall hooks, read secrets, or upload to third-party hubs. The creator's Agent is responsible for packaging and uploading according to the target Skill hub's official rules.
+It does not install background services, run postinstall hooks, read secrets, or override third-party hub upload rules. The creator's Agent is responsible for packaging and uploading according to the target Skill hub's official rules.
+
+The user-facing product flow should point creators at the official publish Markdown page and the `xiashe-publish` Skill. Direct CLI commands are implementation details for local Agents and developers.
 
 `setup --hub all` still writes platform-specific `upload-<hub>.md` checklists for source attribution, but those are internal Agent checklists. Users should not need to pick files manually. When a platform such as Red Skill provides its own upload prompt, paste that official prompt to the Agent and tell it to follow `.xiashe/UPLOAD_HANDOFF.md`.
 
@@ -23,8 +28,12 @@ It does not create upload packages, copy source directories, install background
 ```bash
 node packages/xiashe-skill-cli/bin/xiashe-skill.mjs --help
 node packages/xiashe-skill-cli/bin/xiashe-skill.mjs inspect .
+node packages/xiashe-skill-cli/bin/xiashe-skill.mjs doctor .
+node packages/xiashe-skill-cli/bin/xiashe-skill.mjs publish . --code XS-XXXX-XXXX --to xiashe,claude
 node packages/xiashe-skill-cli/bin/xiashe-skill.mjs setup . --code XS-XXXX-XXXX --hub all
 node packages/xiashe-skill-cli/bin/xiashe-skill.mjs setup . --code XS-XXXX-XXXX --hub red
+node packages/xiashe-skill-cli/bin/xiashe-skill.mjs verify . --hub red --dry-run --json
+node packages/xiashe-skill-cli/bin/xiashe-skill.mjs verify . --hub red
 node packages/xiashe-skill-cli/bin/xiashe-skill.mjs attach . --code XS-XXXX-XXXX
 node packages/xiashe-skill-cli/bin/xiashe-skill.mjs attach . --public-token pub_xxx --skill-id sk_xxx
 node packages/xiashe-skill-cli/bin/xiashe-skill.mjs prompt . --hub red --source-url https://example.com/my-skill-repo

package/bin/xiashe-skill.mjs

@@ -6,7 +6,7 @@ import { mkdir, readdir, readFile, stat, writeFile } from 'node:fs/promises';
 import os from 'node:os';
 import path from 'node:path';
 
-const VERSION = '0.1.5';
+const VERSION = '0.1.7';
 const COMMAND_NAME = process.env.XIASHE_SKILL_CLI_NAME || 'xiashe-skill';
 const PRODUCT_NAME = process.env.XIASHE_SKILL_PRODUCT_NAME || (COMMAND_NAME === 'agentpie-skill' ? 'AgentPie' : 'XiaShe');
 const REGISTRY_PROVIDER = process.env.XIASHE_SKILL_REGISTRY_PROVIDER || (COMMAND_NAME === 'agentpie-skill' ? 'agentpie' : 'xiashe');
@@ -23,8 +23,120 @@ const DEFAULT_CLAIM_URL = process.env.XIASHE_SKILL_CLAIM_URL || `${DEFAULT_BASE_
 const EVENT_SCHEMA_VERSION = process.env.XIASHE_SKILL_EVENT_SCHEMA_VERSION || (REGISTRY_PROVIDER === 'agentpie'
   ? 'agentpie.skill.event.v1'
   : 'xiashe.skill.event.v1');
-const SUPPORTED_HUBS = ['red', 'clawhub', 'skillhub', 'claude', 'dify', 'coze', 'generic'];
-const DEFAULT_SETUP_HUBS = ['red', 'clawhub', 'skillhub', 'claude', 'dify', 'coze', 'generic'];
+const SUPPORTED_HUBS = ['xiashe', 'red', 'clawhub', 'skillhub', 'claude', 'codex', 'cursor', 'workbuddy', 'dify', 'coze', 'generic'];
+const DEFAULT_SETUP_HUBS = ['xiashe', 'red', 'clawhub', 'skillhub', 'claude', 'codex', 'cursor', 'workbuddy', 'dify', 'coze', 'generic'];
+const PLATFORM_REVIEW_PROFILES = {
+  xiashe: {
+    label: 'XiaShe Store',
+    packageMode: 'full_skill_package',
+    manifestPolicy: 'upload_allowed',
+    disclosurePlacement: ['Skill public page', 'README', `${WORK_DIR}/REGISTRY_DISCLOSURE.md`],
+    runtimeDataPolicy: 'runtime_capable',
+    defaultDataSource: 'runtime',
+    allowedFilePolicy: 'Upload the complete reviewed Skill package, including the local registry manifest.',
+    forbiddenPublicFiles: ['.env', 'credentials', 'node_modules', 'dist', 'build', 'browser profiles', 'SSH keys']
+  },
+  red: {
+    label: 'Red Skill',
+    packageMode: 'markdown_or_text_only',
+    manifestPolicy: 'local_only',
+    disclosurePlacement: ['SKILL.md', 'README', 'platform description field'],
+    runtimeDataPolicy: 'attribution_only_by_default',
+    defaultDataSource: 'attribution',
+    allowedFilePolicy: 'Upload only Markdown/TXT or fields accepted by the official Red Skill flow.',
+    forbiddenPublicFiles: [WORK_DIR, `${WORK_DIR}/${MANIFEST_FILE}`, `${WORK_DIR}/runtime-events.js`, 'public tokens', 'signing secrets', 'internal handoff/checklists']
+  },
+  clawhub: {
+    label: 'ClawHub',
+    packageMode: 'markdown_or_text_only',
+    manifestPolicy: 'local_only',
+    disclosurePlacement: ['SKILL.md', 'README', 'platform description field'],
+    runtimeDataPolicy: 'attribution_only_by_default',
+    defaultDataSource: 'attribution',
+    allowedFilePolicy: 'Follow ClawHub official file rules. Treat XiaShe registry files as local-only unless ClawHub explicitly accepts them.',
+    forbiddenPublicFiles: [WORK_DIR, `${WORK_DIR}/${MANIFEST_FILE}`, `${WORK_DIR}/runtime-events.js`, 'public tokens', 'signing secrets']
+  },
+  skillhub: {
+    label: 'SkillHub',
+    packageMode: 'markdown_or_text_only',
+    manifestPolicy: 'local_only',
+    disclosurePlacement: ['SKILL.md', 'README', 'platform description field'],
+    runtimeDataPolicy: 'attribution_only_by_default',
+    defaultDataSource: 'attribution',
+    allowedFilePolicy: 'Upload only files accepted by SkillHub. For Markdown/TXT-only flows, copy disclosure text into an allowed field.',
+    forbiddenPublicFiles: [WORK_DIR, `${WORK_DIR}/${MANIFEST_FILE}`, `${WORK_DIR}/runtime-events.js`, 'public tokens', 'signing secrets']
+  },
+  claude: {
+    label: 'Claude Code',
+    packageMode: 'local_agent_install',
+    manifestPolicy: 'platform_dependent',
+    disclosurePlacement: ['SKILL.md', 'README', 'agent install note'],
+    runtimeDataPolicy: 'runtime_if_http_or_mcp',
+    defaultDataSource: 'runtime',
+    allowedFilePolicy: 'Install the Skill in Claude-compatible local Skill format. Add MCP/HTTP ack only when the runtime supports it.',
+    forbiddenPublicFiles: ['public tokens in public docs', 'signing secrets', 'hidden background processes']
+  },
+  codex: {
+    label: 'Codex',
+    packageMode: 'local_agent_install',
+    manifestPolicy: 'platform_dependent',
+    disclosurePlacement: ['SKILL.md', 'README', 'agent install note'],
+    runtimeDataPolicy: 'runtime_if_http_or_mcp',
+    defaultDataSource: 'runtime',
+    allowedFilePolicy: 'Install as a local Agent Skill and wire MCP/HTTP ack where supported.',
+    forbiddenPublicFiles: ['public tokens in public docs', 'signing secrets', 'hidden background processes']
+  },
+  cursor: {
+    label: 'Cursor',
+    packageMode: 'local_agent_install',
+    manifestPolicy: 'platform_dependent',
+    disclosurePlacement: ['rules/skill docs', 'README', 'agent install note'],
+    runtimeDataPolicy: 'runtime_if_http_or_mcp',
+    defaultDataSource: 'runtime',
+    allowedFilePolicy: 'Follow Cursor rule/agent capability conventions and keep callbacks explicit.',
+    forbiddenPublicFiles: ['public tokens in public docs', 'signing secrets', 'hidden background processes']
+  },
+  workbuddy: {
+    label: 'WorkBuddy',
+    packageMode: 'local_agent_install',
+    manifestPolicy: 'platform_dependent',
+    disclosurePlacement: ['SKILL.md', 'README', 'agent install note'],
+    runtimeDataPolicy: 'runtime_if_http_or_mcp',
+    defaultDataSource: 'runtime',
+    allowedFilePolicy: 'Follow WorkBuddy agent capability rules and wire ack only through approved runtime boundaries.',
+    forbiddenPublicFiles: ['public tokens in public docs', 'signing secrets', 'hidden background processes']
+  },
+  coze: {
+    label: 'Coze',
+    packageMode: 'static_prompt_or_api_tool',
+    manifestPolicy: 'local_only',
+    disclosurePlacement: ['workflow description', 'tool description', 'README'],
+    runtimeDataPolicy: 'runtime_if_http_or_mcp',
+    defaultDataSource: 'attribution',
+    allowedFilePolicy: 'Static prompt mode is attribution-only. Use an HTTP/API Tool step for real runtime analytics.',
+    forbiddenPublicFiles: [WORK_DIR, `${WORK_DIR}/${MANIFEST_FILE}`, 'public tokens in static prompts', 'signing secrets']
+  },
+  dify: {
+    label: 'Dify',
+    packageMode: 'static_prompt_or_api_tool',
+    manifestPolicy: 'local_only',
+    disclosurePlacement: ['workflow description', 'tool description', 'README'],
+    runtimeDataPolicy: 'runtime_if_http_or_mcp',
+    defaultDataSource: 'attribution',
+    allowedFilePolicy: 'Static prompt mode is attribution-only. Use an HTTP/API Tool node for real runtime analytics.',
+    forbiddenPublicFiles: [WORK_DIR, `${WORK_DIR}/${MANIFEST_FILE}`, 'public tokens in static prompts', 'signing secrets']
+  },
+  generic: {
+    label: 'Generic Skill Hub',
+    packageMode: 'external_platform_rules',
+    manifestPolicy: 'platform_dependent',
+    disclosurePlacement: ['README', 'SKILL.md', 'platform description field'],
+    runtimeDataPolicy: 'runtime_if_http_or_mcp',
+    defaultDataSource: 'attribution',
+    allowedFilePolicy: 'Follow the target platform official rules first; merge only safe XiaShe disclosure and callbacks.',
+    forbiddenPublicFiles: ['public tokens in public docs', 'signing secrets', 'hidden background processes']
+  }
+};
 const DEFAULT_IGNORE = new Set([
   '.git',
   '.xiashe',
@@ -47,11 +159,14 @@ function usage() {
 
 Usage:
   ${COMMAND_NAME} inspect [skill-dir] [--json]
-  ${COMMAND_NAME} setup [skill-dir] --code <dynamic-code> [--hub all|red|clawhub|skillhub|claude|dify|coze|generic]
-  ${COMMAND_NAME} setup [skill-dir] --public-token <token> --skill-id <id> [--hub all|red|clawhub|skillhub|claude|dify|coze|generic]
+  ${COMMAND_NAME} publish [skill-dir] --code <dynamic-code> [--to xiashe,red,claude,codex,cursor,workbuddy,dify,coze]
+  ${COMMAND_NAME} setup [skill-dir] --code <dynamic-code> [--hub all|xiashe|red|clawhub|skillhub|claude|codex|cursor|workbuddy|dify|coze|generic]
+  ${COMMAND_NAME} setup [skill-dir] --public-token <token> --skill-id <id> [--hub all|xiashe|red|clawhub|skillhub|claude|codex|cursor|workbuddy|dify|coze|generic]
+  ${COMMAND_NAME} doctor [skill-dir] [--json]
+  ${COMMAND_NAME} verify [skill-dir] [--hub <hub>] [--scenario <label>] [--dry-run]
   ${COMMAND_NAME} attach [skill-dir] --code <dynamic-code> [--name <name>]
   ${COMMAND_NAME} attach [skill-dir] --public-token <token> [--skill-id <id>] [--name <name>]
-  ${COMMAND_NAME} prompt [skill-dir] --hub <red|clawhub|skillhub|claude|dify|coze|generic> [--source-url <url>] [--out <file>]
+  ${COMMAND_NAME} prompt [skill-dir] --hub <xiashe|red|clawhub|skillhub|claude|codex|cursor|workbuddy|dify|coze|generic> [--source-url <url>] [--out <file>]
   ${COMMAND_NAME} snippet [skill-dir] [--target js|curl] [--out <file>]
   ${COMMAND_NAME} track [skill-dir] --event <event> [--hub <hub>] [--installation-id <id>] [--invocation-id <id>]
 
@@ -64,6 +179,7 @@ Options:
   --name <name>               Skill display name override.
   --description <text>        Skill description override.
   --hub <hub>                 Target Skill hub prompt style. setup defaults to all supported hubs.
+  --to <hub[,hub]>            High-level publish targets. Alias for --hub in publish mode.
   --event <event>             Runtime event to submit for testing.
   --installation-id <id>      Stable anonymous install id for runtime analytics.
   --invocation-id <id>        Unique invocation id for one skill call.
@@ -164,11 +280,23 @@ function normalizeHub(value) {
   if (hub === 'skill-hub') {
     return 'skillhub';
   }
+  if (hub === 'xiashechat' || hub === 'xia-she' || hub === 'xiashe-store') {
+    return 'xiashe';
+  }
+  if (hub === 'claudecode' || hub === 'claude-code') {
+    return 'claude';
+  }
+  if (hub === 'openaicodex' || hub === 'openai-codex') {
+    return 'codex';
+  }
+  if (hub === 'work-buddy') {
+    return 'workbuddy';
+  }
   return hub;
 }
 
 function setupHubsFromFlags(flags) {
-  const raw = normalizeText(flags.hub || 'all', 240).toLowerCase();
+  const raw = normalizeText(flags.hub || flags.to || 'all', 240).toLowerCase();
   if (!raw || raw === 'all' || raw === '*') {
     return [...DEFAULT_SETUP_HUBS];
   }
@@ -184,6 +312,103 @@ function setupHubsFromFlags(flags) {
   return unique.length > 0 ? unique : [...DEFAULT_SETUP_HUBS];
 }
 
+function reviewProfileForHub(hub) {
+  const normalized = normalizeHub(hub) || 'generic';
+  return {
+    hub: normalized,
+    ...(PLATFORM_REVIEW_PROFILES[normalized] || PLATFORM_REVIEW_PROFILES.generic)
+  };
+}
+
+function isPublicDocFile(filePath) {
+  return /(^|\/)(SKILL|README|LICENSE|CHANGELOG|CONTRIBUTING)(\.[a-z0-9]+)?$/i.test(filePath) ||
+    /\.(md|mdx|txt)$/i.test(filePath);
+}
+
+function isLikelyEntrypointFile(filePath) {
+  return /(^|\/)(package\.json|requirements\.txt|pyproject\.toml|deno\.json|mcp\.json|manifest\.json|skill\.json|index\.(js|mjs|cjs|ts|tsx|py)|main\.(js|mjs|cjs|ts|tsx|py)|server\.(js|mjs|cjs|ts|tsx|py))$/i.test(filePath);
+}
+
+function packagePlanForHub(inspected, hub) {
+  const profile = reviewProfileForHub(hub);
+  const localOnly = [];
+  const candidateUploadFiles = [];
+  const forbiddenPatterns = [
+    '.env*',
+    `${WORK_DIR}/`,
+    '.agentpie/',
+    'node_modules/',
+    'dist/',
+    'build/',
+    'coverage/',
+    '*.pem',
+    '*.key',
+    '*secret*',
+    '*token*'
+  ];
+  for (const file of inspected.package.files) {
+    if (file.path.startsWith(`${WORK_DIR}/`) || file.path.startsWith('.agentpie/')) {
+      localOnly.push(file.path);
+      continue;
+    }
+    if (profile.packageMode === 'full_skill_package') {
+      candidateUploadFiles.push(file.path);
+      continue;
+    }
+    if (profile.packageMode === 'markdown_or_text_only') {
+      if (isPublicDocFile(file.path)) {
+        candidateUploadFiles.push(file.path);
+      }
+      continue;
+    }
+    if (profile.packageMode === 'local_agent_install') {
+      if (isPublicDocFile(file.path) || isLikelyEntrypointFile(file.path)) {
+        candidateUploadFiles.push(file.path);
+      }
+      continue;
+    }
+    if (profile.packageMode === 'static_prompt_or_api_tool') {
+      if (isPublicDocFile(file.path) || /openapi|swagger|tool|workflow|plugin/i.test(file.path)) {
+        candidateUploadFiles.push(file.path);
+      }
+      continue;
+    }
+    if (isPublicDocFile(file.path) || isLikelyEntrypointFile(file.path)) {
+      candidateUploadFiles.push(file.path);
+    }
+  }
+  return {
+    hub: profile.hub,
+    label: profile.label,
+    reviewProfile: profile,
+    dataSourcePolicy: {
+      runtime: 'Only real Skill execution callbacks, MCP/HTTP/API Tool calls, webhooks, or external Agent ack.',
+      attribution: 'Publish/upload workflow, public disclosure, and tracking-link clicks.',
+      reported: 'Manual import or public platform numbers such as downloads, installs, favorites, or displayed usage.'
+    },
+    candidateUploadFiles: Array.from(new Set(candidateUploadFiles)).sort(),
+    localOnlyFiles: Array.from(new Set([
+      ...localOnly,
+      `${WORK_DIR}/${MANIFEST_FILE}`,
+      `${WORK_DIR}/UPLOAD_HANDOFF.md`,
+      `${WORK_DIR}/runtime-events.js`,
+      `${WORK_DIR}/platform-profiles.json`
+    ])).sort(),
+    disclosureTargets: profile.disclosurePlacement,
+    forbiddenPatterns,
+    requiresUserConfirmation: true,
+    notes: [
+      profile.allowedFilePolicy,
+      profile.manifestPolicy === 'local_only'
+        ? `Keep ${WORK_DIR}/${MANIFEST_FILE} local. Do not upload it unless the target platform explicitly accepts registry JSON and the user confirms.`
+        : 'Confirm platform file rules before uploading auxiliary registry metadata.',
+      profile.runtimeDataPolicy === 'attribution_only_by_default'
+        ? 'Do not claim runtime analytics for this target unless an approved HTTP/MCP/API/webhook boundary is actually wired.'
+        : 'Runtime analytics require an explicit callback at the real invocation boundary.'
+    ]
+  };
+}
+
 function canonicalSignaturePayload(payload) {
   return [
     payload.schemaVersion || EVENT_SCHEMA_VERSION,
@@ -388,20 +613,31 @@ async function writeManifest(root, flags) {
         ]
       }
     },
-    platforms: Object.fromEntries(SUPPORTED_HUBS.map((hub) => [
-      hub,
-      {
+    platforms: Object.fromEntries(SUPPORTED_HUBS.map((hub) => {
+      const reviewProfile = reviewProfileForHub(hub);
+      return [
         hub,
-        sourceSurface: hub,
-        uploadPromptFile: `${WORK_DIR}/upload-${safeSkillKey(hub)}.md`,
-        eventDefaults: {
-          schemaVersion: EVENT_SCHEMA_VERSION,
+        {
           hub,
           sourceSurface: hub,
-          skillKey: safeSkillKey(claim?.skillKey || inspected.skillKey)
+          uploadPromptFile: `${WORK_DIR}/upload-${safeSkillKey(hub)}.md`,
+          packagePlanFile: `${WORK_DIR}/package-${safeSkillKey(hub)}.json`,
+          reviewProfile,
+          dataSourcePolicy: {
+            default: reviewProfile.defaultDataSource,
+            runtime: 'Only real Skill execution callbacks, MCP/HTTP/API Tool calls, webhooks, or external Agent ack.',
+            attribution: 'Publish/upload workflow, public disclosure, and tracking-link clicks.',
+            reported: 'Manual import or public platform numbers such as downloads, installs, favorites, or displayed usage.'
+          },
+          eventDefaults: {
+            schemaVersion: EVENT_SCHEMA_VERSION,
+            hub,
+            sourceSurface: hub,
+            skillKey: safeSkillKey(claim?.skillKey || inspected.skillKey)
+          }
         }
-      }
-    ])),
+      ];
+    })),
     sourceFingerprint: {
       sha256: inspected.package.sha256,
       fileCount: inspected.package.fileCount,
@@ -420,6 +656,9 @@ async function writeManifest(root, flags) {
 }
 
 function hubInstruction(hub) {
+  if (hub === 'xiashe') {
+    return '虾舍商店发布是完整 Skill 包和 registry manifest 的主流程。请创建虾舍商店草稿，并保留公开披露、归因和 runtime analytics 回传能力。';
+  }
   if (hub === 'red') {
     return 'Red Skill 的官方上传 prompt / 页面流程是主流程。请先从小红书创作服务平台获取或使用用户提供的 Red Skill 上传 prompt，再把下面的虾舍 registry 要求作为附加说明合并进去。';
   }
@@ -432,6 +671,15 @@ function hubInstruction(hub) {
   if (hub === 'claude') {
     return 'Claude Skills 的官方上传/导入流程是主流程。请先确认 Claude 当前 Skill 格式和共享要求，再把下面的 registry 披露文本放入允许的说明文件。';
   }
+  if (hub === 'codex') {
+    return 'Codex 的本地 Skill 或 Agent 能力安装流程是主流程。请把 registry disclosure 放进公开说明，并优先通过 MCP/HTTP ack 回传真实调用。';
+  }
+  if (hub === 'cursor') {
+    return 'Cursor 的本地 Agent 能力、规则或工具安装流程是主流程。请把 registry disclosure 放进公开说明，并优先通过 HTTP/MCP callback 回传真实调用。';
+  }
+  if (hub === 'workbuddy') {
+    return 'WorkBuddy 的 Agent 能力安装和发布流程是主流程。请按 WorkBuddy 当前规则放置 SKILL.md/工具说明，并通过 HTTP/MCP callback 回传真实调用。';
+  }
   if (hub === 'dify') {
     return 'Dify Plugin/Tool 的官方打包和发布流程是主流程。请先按 Dify 插件规范处理 manifest 和工具定义，再把下面的 registry 披露文本放入允许的 README/说明字段。';
   }
@@ -442,6 +690,9 @@ function hubInstruction(hub) {
 }
 
 function platformPromptPlaceholder(hub) {
+  if (hub === 'xiashe') {
+    return '如果用户要发布到虾舍商店，请优先创建虾舍商店草稿；不要把第三方平台限制套用到虾舍完整 Skill 包。';
+  }
   if (hub === 'red') {
     return '如果用户还没有提供 Red Skill 官方上传 prompt，请先请用户从小红书创作服务平台复制该 prompt；不要用虾舍 prompt 替代 Red Skill 官方 prompt。';
   }
@@ -454,6 +705,15 @@ function platformPromptPlaceholder(hub) {
   if (hub === 'claude') {
     return '如果 Claude 提供官方 Skill 导入/上传说明，请优先使用官方说明；不要用虾舍 prompt 替代 Claude 官方流程。';
   }
+  if (hub === 'codex') {
+    return '如果 Codex 提供官方 Skill 或 Agent 能力安装说明，请优先使用官方说明；不要用虾舍 prompt 替代 Codex 官方流程。';
+  }
+  if (hub === 'cursor') {
+    return '如果 Cursor 提供官方规则、扩展或 Agent 能力安装说明，请优先使用官方说明；不要用虾舍 prompt 替代 Cursor 官方流程。';
+  }
+  if (hub === 'workbuddy') {
+    return '如果 WorkBuddy 提供官方上传 prompt、网页或 API 流程，请优先使用官方流程；不要用虾舍 prompt 替代 WorkBuddy 官方流程。';
+  }
   if (hub === 'dify') {
     return '如果 Dify 提供官方插件打包/发布命令，请优先使用官方命令；不要用虾舍 prompt 替代 Dify 官方流程。';
   }
@@ -465,19 +725,29 @@ function platformPromptPlaceholder(hub) {
 
 function uploadCompatibilityLines(hub, manifestFile) {
   const localManifest = `${WORK_DIR}/${manifestFile}`;
+  if (hub === 'xiashe') {
+    return [
+      '虾舍商店兼容性要求：',
+      `- 虾舍商店可以接收完整 Skill 包和 ${localManifest} registry manifest。`,
+      '- 保留公开披露文本、归因链接和 runtime event callback；不要删除 registry manifest。',
+      '- 提交草稿前仍需排除 .env、密钥、node_modules、dist/build 和无关本地文件。'
+    ];
+  }
   if (hub === 'red') {
     return [
       'Red Skill 兼容性要求：',
       '- Red Skill 如果只接受 Markdown/TXT，请不要把 JSON manifest 当作源码文件上传。',
       `- ${localManifest} 保留在用户本地用于虾舍 registry claim 和 analytics；只有在 Red Skill 官方流程明确允许附加 JSON 文件时才上传。`,
-      '- 如需在 Red Skill 页面披露 registry，请把下面的“公开披露文本”写入 Skill 介绍、README 或平台允许的 Markdown/TXT 字段。'
+      '- 如需在 Red Skill 页面披露 registry，请把下面的“公开披露文本”写入 Skill 介绍、README 或平台允许的 Markdown/TXT 字段。',
+      '- 不要把 public token、signing secret、runtime-events.js 或 .xiashe 内部 handoff/checklist 文件发布到 Markdown/TXT-only 平台。'
     ];
   }
   return [
     '第三方平台兼容性要求：',
     `- 如果目标平台不接受 ${localManifest} 这类 JSON manifest，请不要强行上传该文件。`,
     '- 保留本地 registry manifest，并把“公开披露文本”写入平台允许的说明字段、README、SKILL.md 或 Markdown/TXT 附件。',
-    '- 如果平台支持额外 manifest / metadata 文件，可以在提交前向用户确认是否一并上传。'
+    '- 如果平台支持额外 manifest / metadata 文件，可以在提交前向用户确认是否一并上传。',
+    '- 不要把 public token、signing secret、runtime-events.js 或内部 handoff/checklist 文件发布到不支持运行时回调的平台。'
   ];
 }
 
@@ -502,7 +772,8 @@ function publicDisclosure(inspected, registryUrl) {
 function skillMdRegistryBlock(inspected, hub) {
   const registry = inspected.registry || {};
   const registryUrl = registry.registryUrl || DEFAULT_REGISTRY_URL;
-  const publicToken = registry.publicToken || '<public token from registry manifest>';
+  const publicSkillId = registry.skillId || registry.publicSkillId || inspected.registry?.skillId || '<public registry skill id>';
+  const publicTokenHint = registry.publicToken ? `${String(registry.publicToken).slice(0, 4)}...${String(registry.publicToken).slice(-4)}` : '<stored in local registry manifest>';
   const marker = `${REGISTRY_PROVIDER}-registry`;
   return [
     `<!-- ${marker}:start -->`,
@@ -514,12 +785,14 @@ function skillMdRegistryBlock(inspected, hub) {
     `- Skill key: ${inspected.skillKey}`,
     `- Target hub: ${hub}`,
     `- Registry event endpoint: ${registryUrl}`,
-    `- Public write token: ${publicToken}`,
+    `- Public Skill ID: ${publicSkillId}`,
+    `- Public token location: local ${WORK_DIR}/${MANIFEST_FILE} only (${publicTokenHint})`,
     `- Event schema version: ${registry.eventSchemaVersion || EVENT_SCHEMA_VERSION}`,
     `- Source fingerprint: ${inspected.package.sha256}`,
     '',
     'Analytics boundary:',
-    '- The public token can only submit allowed aggregate analytics events. It cannot read creator data or administer the account.',
+    '- The local public token can only submit allowed aggregate analytics events. It cannot read creator data or administer the account.',
+    '- Do not publish the local public token in Markdown-only hubs. Keep it in the local manifest or runtime configuration.',
     '- Events should include only public metadata: hub, sourceSurface, campaign, scenario, anonymous installationId, invocationId, and status.',
     '- Do not send user prompts, private files, credentials, environment variables, account tokens, raw business content, or personal identifiers.',
     '- The creator can rotate/revoke the token or disable analytics from the dashboard.',
@@ -564,6 +837,8 @@ async function readPlatformPrompt(flags) {
 
 async function uploadPrompt(inspected, flags) {
   const hub = normalizeHub(flags.hub || 'generic') || 'generic';
+  const reviewProfile = reviewProfileForHub(hub);
+  const packagePlan = packagePlanForHub(inspected, hub);
   const sourceUrl = normalizeText(flags['source-url'] || flags['package-url'], 1000);
   const platformCommand = normalizeText(flags['platform-command'], 1000);
   const platformPrompt = await readPlatformPrompt(flags);
@@ -623,6 +898,31 @@ async function uploadPrompt(inspected, flags) {
     '- 最终上传文件、目录结构、压缩包、表单字段和上线版本，必须由你按照目标 Skill 平台的官方要求处理。',
     '- 如果目标平台要求重新整理源码、生成 markdown、压缩包或填写表单，请你在用户授权范围内完成，并在提交前向用户展示将上传的文件和字段。',
     '',
+    '平台审核 profile：',
+    '```json',
+    JSON.stringify(reviewProfile, null, 2),
+    '```',
+    '',
+    '平台包清单 plan：',
+    '```json',
+    JSON.stringify({
+      hub: packagePlan.hub,
+      packageMode: packagePlan.reviewProfile.packageMode,
+      candidateUploadFiles: packagePlan.candidateUploadFiles,
+      localOnlyFiles: packagePlan.localOnlyFiles,
+      disclosureTargets: packagePlan.disclosureTargets,
+      forbiddenPatterns: packagePlan.forbiddenPatterns,
+      dataSourcePolicy: packagePlan.dataSourcePolicy,
+      notes: packagePlan.notes
+    }, null, 2),
+    '```',
+    '',
+    '数据口径必须分开：',
+    '- runtime：只有真实 Skill 执行 callback、MCP/HTTP/API Tool、webhook 或外部 Agent ack 才能计入。',
+    '- attribution：发布、上传、归因链接点击、公开披露访问，只代表来源漏斗。',
+    '- reported：平台公开数字或手动导入，例如收藏、下载、安装、静态平台显示使用数。',
+    '- 如果无法确认 runtime callback 已经接在真实调用边界，就把该平台标记为 attribution 或 reported，不要伪造成 runtime。',
+    '',
     ...compatibilityLines,
     '',
     ...disclosureLines,
@@ -637,8 +937,10 @@ async function uploadPrompt(inspected, flags) {
     '- 不要新增 postinstall hook、后台常驻进程、隐藏脚本或混淆逻辑。',
     `- 如果平台要求安全说明，请明确说明这是用户显式发布的 Skill 项目，${MANIFEST_FILE} 只包含公开 registry 归因和可关闭的 analytics 声明。`,
     `- 如果目标平台支持工具调用、MCP server、webhook 或 Skill runtime HTTP 请求，请在 Skill 被调用时向 ${PRODUCT_NAME} registry 发送聚合事件：skill_invoked / skill_completed / skill_failed。`,
+    `- 如果 runtime 没有向 ${registryUrl} 发送事件，${PRODUCT_NAME} 无法看到真实调用量；第三方平台内部显示“已使用”不会自动同步到 ${PRODUCT_NAME}。`,
     '- 事件里只放公开元数据、聚合状态和简短场景标签，不要发送用户输入原文、私密业务内容、账号凭据或文件内容。',
     '- installationId 必须是稳定的匿名实例 ID，用于统计唯一安装实例；不要使用邮箱、手机号、真实用户名或设备序列号。',
+    '- 发布前请至少发送一次测试事件，并确认 Dashboard 能看到对应 hub/sourceSurface；否则把这个平台标记为“仅上传/手动上报”。',
     '',
     `发布成功后，请把公开链接和平台返回的信息回传给${PRODUCT_NAME} registry。只发送公开元数据和聚合事件，不发送用户内容、私密输入或账号凭据。`,
     '',
@@ -678,6 +980,9 @@ async function writeUnifiedHandoff(root, args) {
   const promptIndex = args.promptResults
     .map((item) => `- ${item.hub}: ${path.relative(root, item.promptPath)}`)
     .join('\n');
+  const profileIndex = args.packagePlans
+    .map((item) => `- ${item.hub}: ${path.relative(root, item.planPath)} (${item.plan.reviewProfile.packageMode}, ${item.plan.reviewProfile.defaultDataSource})`)
+    .join('\n');
   const registry = args.inspected.registry || {};
   const registryUrl = registry.registryUrl || DEFAULT_REGISTRY_URL;
   const content = [
@@ -706,6 +1011,14 @@ async function writeUnifiedHandoff(root, args) {
     '',
     promptIndex,
     '',
+    '## Platform review profiles',
+    '',
+    `Structured profile index: ${relativeOutDir}/platform-profiles.json`,
+    '',
+    profileIndex,
+    '',
+    'Use each package-<hub>.json as the upload allowlist/review checklist. Files listed as localOnlyFiles must not be uploaded to restrictive platforms unless the platform explicitly accepts them and the user confirms.',
+    '',
     '## Official prompt merge rule',
     '',
     'If the user gives a Red Skill / ClawHub / SkillHub / Claude / Dify / Coze official prompt, do not replace it. Append these registry requirements as constraints, and follow the official prompt for packaging, file format, and upload steps.',
@@ -719,6 +1032,8 @@ async function writeUnifiedHandoff(root, args) {
     '',
     'Only add runtime event callbacks when the target platform or runtime explicitly supports HTTP/API/MCP/webhook calls. Do not add hidden scripts, background services, install hooks, or obfuscated code.',
     '',
+    `No runtime callback means no live ${PRODUCT_NAME} analytics. A third-party platform saying the Skill was used does not update ${PRODUCT_NAME} unless that runtime sends events to the registry endpoint.`,
+    '',
     'Best-effort callback placement:',
     '',
     '- Send `runtime_install_seen` once when a stable anonymous installation/session is first observed.',
@@ -744,6 +1059,14 @@ async function writeUnifiedHandoff(root, args) {
     '```bash',
     `${COMMAND_NAME} track . --event hub_upload_succeeded --hub <hub> --platform-skill-url <published-url>`,
     '```',
+    '',
+    'Before submitting to a hub that supports runtime HTTP/API calls, verify analytics with:',
+    '',
+    '```bash',
+    `${COMMAND_NAME} track . --event skill_invoked --hub <hub> --installation-id <anonymous-install-id> --invocation-id <test-call-id> --scenario test`,
+    '```',
+    '',
+    'If the hub cannot run callbacks, keep upload attribution and use campaign links or manual imports. Do not fake runtime events.',
     ''
   ].join('\n');
   const handoffPath = path.join(args.outDir, HANDOFF_FILE);
@@ -891,6 +1214,209 @@ async function submitTrackEvent(root, flags) {
   return { ok: true, registryUrl, payload, result };
 }
 
+async function readSmallTextFile(filePath) {
+  const info = await stat(filePath).catch(() => null);
+  if (!info?.isFile() || info.size > MAX_FILE_BYTES) return '';
+  try {
+    return await readFile(filePath, 'utf8');
+  } catch {
+    return '';
+  }
+}
+
+async function findReadmePath(root) {
+  const entries = await readdir(root, { withFileTypes: true }).catch(() => []);
+  const readme = entries
+    .filter((entry) => entry.isFile() && /^readme(\.|$)/i.test(entry.name))
+    .map((entry) => path.join(root, entry.name))
+    .sort((a, b) => a.localeCompare(b))[0];
+  return readme || path.join(root, 'README.md');
+}
+
+function registryBlockPresent(text) {
+  return /<!--\s*(?:xiashe|agentpie)-registry:start\s*-->[\s\S]*?<!--\s*(?:xiashe|agentpie)-registry:end\s*-->/i.test(text || '');
+}
+
+function hasEntryInstructions(text, packageJson) {
+  if (packageJson?.main || packageJson?.bin || packageJson?.scripts) return true;
+  return /(入口|使用|安装|运行|调用|命令|Usage|Install|Quick start|Getting started|CLI|MCP|API|Entrypoint|Run)/i.test(text || '');
+}
+
+function hasRuntimeCallbackText(text) {
+  return /(\/registry\/skill-events|trackSkillEvent|runtime_install_seen|skill_invoked|skill_completed|skill_failed|XIASHE_SKILL_REGISTRY_URL|AGENTPIE_SKILL_REGISTRY_URL)/i.test(text || '');
+}
+
+function doctorCheck(id, label, status, message, fix = '') {
+  return { id, label, status, message, fix };
+}
+
+async function runDoctor(root, flags) {
+  const inspected = await inspectSkill(root, flags);
+  const skillMdPath = path.join(inspected.root, 'SKILL.md');
+  const readmePath = await findReadmePath(inspected.root);
+  const manifestPath = path.join(inspected.root, MANIFEST_FILE);
+  const localManifestPath = path.join(inspected.root, WORK_DIR, MANIFEST_FILE);
+  const disclosurePath = path.join(inspected.root, WORK_DIR, 'REGISTRY_DISCLOSURE.md');
+  const handoffPath = path.join(inspected.root, WORK_DIR, HANDOFF_FILE);
+  const snippetPath = path.join(inspected.root, WORK_DIR, 'runtime-events.js');
+  const packageJson = await readJsonFile(path.join(inspected.root, 'package.json')).catch(() => null);
+  const skillMd = await readSmallTextFile(skillMdPath);
+  const readme = await readSmallTextFile(readmePath);
+  const snippet = await readSmallTextFile(snippetPath);
+  const scannedCallbackFiles = [];
+  let scannedCallbackText = '';
+  for (const file of inspected.package.files.slice(0, 160)) {
+    if (!/\.(md|mdx|txt|json|ya?ml|toml|js|mjs|cjs|ts|tsx|jsx|py|go|rs|java|rb|php|sh)$/i.test(file.path)) continue;
+    const absolute = path.join(inspected.root, file.path);
+    const text = await readSmallTextFile(absolute);
+    if (hasRuntimeCallbackText(text)) {
+      scannedCallbackFiles.push(file.path);
+      scannedCallbackText += `\n${text}`;
+    }
+  }
+  const manifest = inspected.registry
+    ? await readJsonFile(manifestPath).catch(() => null) || await readJsonFile(localManifestPath).catch(() => null)
+    : null;
+  const textBundle = `${skillMd}\n${readme}`;
+  const hasManifest = Boolean(manifest);
+  const registry = manifest?.registry || inspected.registry || {};
+  const runtimeCallbackPresent = hasRuntimeCallbackText(snippet) || hasRuntimeCallbackText(textBundle) || hasRuntimeCallbackText(scannedCallbackText);
+  const riskyRootEntries = ['.env', '.env.local', '.env.production', 'node_modules', 'dist', 'build']
+    .filter((name) => existsSync(path.join(inspected.root, name)));
+  const checks = [
+    existsSync(skillMdPath)
+      ? doctorCheck('skill_md', 'SKILL.md', 'pass', 'Found SKILL.md.')
+      : doctorCheck('skill_md', 'SKILL.md', 'fail', 'SKILL.md is missing.', 'Create SKILL.md with the Skill purpose, usage, and safety notes.'),
+    existsSync(readmePath)
+      ? doctorCheck('readme', 'README', 'pass', `Found ${path.basename(readmePath)}.`)
+      : doctorCheck('readme', 'README', 'warn', 'README is missing.', 'Add README.md if the target hub expects public documentation.'),
+    hasEntryInstructions(textBundle, packageJson)
+      ? doctorCheck('entry_instructions', 'Entry instructions', 'pass', 'Usage or entry instructions are present.')
+      : doctorCheck('entry_instructions', 'Entry instructions', 'warn', 'No clear usage/entry instructions detected.', 'Add usage, install, MCP/API, or command instructions to SKILL.md or README.'),
+    hasManifest && registry.publicToken && registry.registryUrl
+      ? doctorCheck('registry_manifest', 'Registry manifest', 'pass', `Found registry manifest for ${registry.provider || REGISTRY_PROVIDER}.`)
+      : doctorCheck('registry_manifest', 'Registry manifest', 'fail', `Missing usable registry manifest (${MANIFEST_FILE} or ${WORK_DIR}/${MANIFEST_FILE}).`, `Run ${COMMAND_NAME} setup . --code <dashboard-code> or ${COMMAND_NAME} attach . --public-token <token> --skill-id <id>.`),
+    registryBlockPresent(skillMd)
+      ? doctorCheck('registry_block', 'Registry block', 'pass', 'SKILL.md contains the explicit registry disclosure block.')
+      : doctorCheck('registry_block', 'Registry block', 'warn', 'SKILL.md does not contain a registry block.', `Run ${COMMAND_NAME} setup . --code <code> --embed-skill-md, especially for restrictive hubs such as Red Skill.`),
+    runtimeCallbackPresent
+      ? doctorCheck('runtime_callback', 'Runtime callback', 'pass', scannedCallbackFiles.length > 0 ? `Runtime callback references found in ${scannedCallbackFiles.slice(0, 5).join(', ')}.` : 'Runtime callback snippet/reference detected.')
+      : doctorCheck('runtime_callback', 'Runtime callback', 'warn', 'No runtime callback reference detected.', `Use ${COMMAND_NAME} snippet . --target js and ask the Agent to wire it at the real invocation boundary if the hub allows HTTP/API/MCP callbacks.`),
+    existsSync(disclosurePath)
+      ? doctorCheck('disclosure', 'Read-only disclosure', 'pass', `Found ${path.relative(inspected.root, disclosurePath)}.`)
+      : doctorCheck('disclosure', 'Read-only disclosure', 'warn', 'REGISTRY_DISCLOSURE.md is missing.', `Run ${COMMAND_NAME} setup . --code <code> to generate platform review disclosure.`),
+    existsSync(handoffPath)
+      ? doctorCheck('handoff', 'Agent handoff', 'pass', `Found ${path.relative(inspected.root, handoffPath)}.`)
+      : doctorCheck('handoff', 'Agent handoff', 'warn', 'Unified upload handoff is missing.', `Run ${COMMAND_NAME} setup . --code <code> --hub all.`),
+    riskyRootEntries.length === 0
+      ? doctorCheck('risky_files', 'Risky local files', 'pass', 'No common risky root files/directories detected.')
+      : doctorCheck('risky_files', 'Risky local files', 'warn', `Found ${riskyRootEntries.join(', ')} in the Skill root.`, 'Do not upload secrets, node_modules, dist/build output, or unrelated local files unless the target hub explicitly requires them.')
+  ];
+  const failed = checks.filter((check) => check.status === 'fail').length;
+  const warned = checks.filter((check) => check.status === 'warn').length;
+  const passed = checks.filter((check) => check.status === 'pass').length;
+  const score = Math.max(0, Math.round((passed / checks.length) * 100) - failed * 15 - warned * 4);
+  return {
+    ok: failed === 0,
+    score,
+    root: inspected.root,
+    skillKey: inspected.skillKey,
+    name: inspected.name,
+    package: inspected.package,
+    checks,
+    next: checks
+      .filter((check) => check.status !== 'pass' && check.fix)
+      .map((check) => check.fix)
+      .slice(0, 6)
+  };
+}
+
+function formatDoctor(result) {
+  const statusIcon = { pass: 'PASS', warn: 'WARN', fail: 'FAIL' };
+  const lines = [
+    `${COMMAND_NAME} doctor`,
+    `Skill: ${result.name} (${result.skillKey})`,
+    `Score: ${result.score}/100`,
+    ''
+  ];
+  for (const check of result.checks) {
+    lines.push(`${statusIcon[check.status] || check.status} ${check.label}: ${check.message}`);
+    if (check.status !== 'pass' && check.fix) lines.push(`  Fix: ${check.fix}`);
+  }
+  if (result.next.length > 0) {
+    lines.push('', 'Next:');
+    for (const item of result.next) lines.push(`- ${item}`);
+  }
+  return lines.join('\n');
+}
+
+async function verifyRegistry(root, flags) {
+  const inspected = await inspectSkill(root, flags);
+  const hub = normalizeHub(flags.hub || 'generic') || 'generic';
+  const scenario = normalizeText(flags.scenario || `${REGISTRY_PROVIDER}-skill-verify`, 120);
+  const timestamp = Date.now();
+  const installationId = normalizeText(flags['installation-id'] || `verify-${REGISTRY_PROVIDER}-${timestamp}`, 220);
+  const invocationId = normalizeText(flags['invocation-id'] || `verify-call-${timestamp}`, 160);
+  const events = normalizeText(flags.events || '', 400)
+    ? normalizeText(flags.events, 400).split(',').map((item) => normalizeText(item, 80)).filter(Boolean)
+    : ['runtime_install_seen', 'skill_invoked', 'skill_completed'];
+  const results = [];
+  for (const eventType of events) {
+    const eventResult = await submitTrackEvent(root, {
+      ...flags,
+      event: eventType,
+      hub,
+      'event-source': 'runtime',
+      'runtime-kind': 'cli-verify',
+      'source-surface': hub,
+      scenario,
+      'installation-id': installationId,
+      'invocation-id': invocationId,
+      'idempotency-key': `verify:${inspected.skillKey}:${hub}:${invocationId}:${eventType}`
+    });
+    results.push({ eventType, ...eventResult });
+  }
+  return {
+    ok: results.every((result) => result.ok),
+    dryRun: Boolean(flags.dryRun),
+    skillKey: inspected.skillKey,
+    hub,
+    scenario,
+    installationId,
+    invocationId,
+    registryUrl: results[0]?.registryUrl || inspected.registry?.registryUrl || DEFAULT_REGISTRY_URL,
+    events: results,
+    next: [
+      'Open the creator dashboard and check 接入健康度 / Integration health.',
+      'Verified should become active after these cli-verify events are indexed.',
+      'If runtime remains inactive later, the third-party platform is not calling /registry/skill-events from real Skill execution.'
+    ]
+  };
+}
+
+function formatVerify(result) {
+  const lines = [
+    `${COMMAND_NAME} verify`,
+    `Skill key: ${result.skillKey}`,
+    `Hub: ${result.hub}`,
+    `Scenario: ${result.scenario}`,
+    `Installation: ${result.installationId}`,
+    `Invocation: ${result.invocationId}`,
+    `Endpoint: ${result.registryUrl}`,
+    ''
+  ];
+  for (const item of result.events) {
+    if (item.dryRun) {
+      lines.push(`DRY ${item.eventType}: ${JSON.stringify(item.payload)}`);
+    } else {
+      lines.push(`OK ${item.eventType}: ${item.result?.eventId || item.result?.status || 'accepted'}`);
+    }
+  }
+  lines.push('', 'Next:');
+  for (const item of result.next) lines.push(`- ${item}`);
+  return lines.join('\n');
+}
+
 async function setupAgentWorkflow(root, flags) {
   const hubs = setupHubsFromFlags(flags);
   const absoluteRoot = path.resolve(root || '.');
@@ -903,15 +1429,27 @@ async function setupAgentWorkflow(root, flags) {
   });
 
   const promptResults = [];
+  const packagePlans = [];
   for (const hub of hubs) {
     const promptPath = path.join(outDir, `upload-${safeSkillKey(hub)}.md`);
     const promptResult = await writePrompt(absoluteRoot, { ...flags, hub, out: promptPath });
+    const inspectedForPlan = await inspectSkill(absoluteRoot, flags);
+    const plan = packagePlanForHub(inspectedForPlan, hub);
+    const planPath = path.join(outDir, `package-${safeSkillKey(hub)}.json`);
+    await writeFile(planPath, `${JSON.stringify(plan, null, 2)}\n`, { mode: 0o600 });
     promptResults.push({
       hub,
       promptPath: typeof promptResult === 'string' ? promptPath : promptResult.outPath
     });
+    packagePlans.push({ hub, planPath, plan });
   }
   const inspectedAfterManifest = await inspectSkill(absoluteRoot, flags);
+  const profilesPath = path.join(outDir, 'platform-profiles.json');
+  await writeFile(
+    profilesPath,
+    `${JSON.stringify(Object.fromEntries(hubs.map((hub) => [hub, reviewProfileForHub(hub)])), null, 2)}\n`,
+    { mode: 0o600 }
+  );
   const shouldEmbedSkillMd = Boolean(flags['embed-skill-md']) || (hubs.includes('red') && !flags['no-skill-md']);
   const skillMdPath = shouldEmbedSkillMd
     ? await writeSkillMdRegistryBlock(absoluteRoot, inspectedAfterManifest, hubs.join(','))
@@ -937,7 +1475,8 @@ async function setupAgentWorkflow(root, flags) {
     outDir,
     hubs,
     inspected: inspectedAfterManifest,
-    promptResults
+    promptResults,
+    packagePlans
   });
 
   const warnings = [];
@@ -967,6 +1506,8 @@ async function setupAgentWorkflow(root, flags) {
     manifestPath: manifestResult.manifestPath,
     handoffPath,
     promptPaths: promptResults,
+    packagePlanPaths: packagePlans.map((item) => ({ hub: item.hub, planPath: item.planPath })),
+    profilesPath,
     skillMdPath,
     disclosurePath,
     snippetPath: snippetResult ? snippetResult.outPath : null,
@@ -974,6 +1515,7 @@ async function setupAgentWorkflow(root, flags) {
     warnings,
     next: [
       `Use ${path.relative(absoluteRoot, handoffPath)} as the single Agent handoff. The Agent should not ask the user to manually pick registry files.`,
+      `Use ${path.relative(absoluteRoot, profilesPath)} and package-<hub>.json as the platform review profiles and upload allowlists.`,
       'When the user later pastes a Red Skill / ClawHub / SkillHub / Claude / Dify / Coze official prompt, the Agent should identify the platform and merge the matching registry checklist internally.',
       'Each prepared upload-<hub>.md pins the correct hub/sourceSurface value so platform analytics stay separated, but those files are internal checklists for the Agent.',
       skillMdPath
@@ -1010,6 +1552,47 @@ async function main() {
       print(result, flags.json);
       return;
     }
+    if (command === 'doctor') {
+      const result = await runDoctor(root, flags);
+      print(flags.json ? result : formatDoctor(result), flags.json);
+      if (!result.ok) {
+        process.exitCode = 1;
+      }
+      return;
+    }
+    if (command === 'verify') {
+      const result = await verifyRegistry(root, flags);
+      print(flags.json ? result : formatVerify(result), flags.json);
+      return;
+    }
+    if (command === 'publish') {
+      const result = await setupAgentWorkflow(root, flags);
+      if (flags.json) {
+        print({ ok: true, mode: 'xiashe-publish', ...result }, true);
+      } else {
+        const lines = [
+          `${PRODUCT_NAME} publish handoff prepared.`,
+          `Targets: ${result.hubs.join(', ')}`,
+          `Manifest: ${result.manifestPath}`,
+          `Agent handoff: ${result.handoffPath}`,
+          `Platform profiles: ${result.profilesPath}`,
+          ...result.packagePlanPaths.map((item) => `Package plan (${item.hub}): ${item.planPath}`),
+          result.skillMdPath ? `Updated: ${result.skillMdPath}` : null,
+          `Disclosure: ${result.disclosurePath}`,
+          result.snippetPath ? `Runtime snippet: ${result.snippetPath}` : null,
+          ...result.warnings.map((warning) => `Warning: ${warning}`),
+          '',
+          'Next:',
+          '- Treat the target platform official upload flow as authoritative.',
+          '- Use the handoff file as the only XiaShe registry checklist.',
+          '- For XiaShe Store, create or update the store draft after the manifest is written.',
+          '- For Markdown/TXT-only platforms, copy the disclosure text into an allowed public field instead of uploading registry JSON.',
+          '- Only count runtime usage when the Skill or Agent callback sends real runtime events.'
+        ].filter(Boolean);
+        print(lines.join('\n'), false);
+      }
+      return;
+    }
     if (command === 'setup' || command === 'handoff') {
       const result = await setupAgentWorkflow(root, flags);
       if (flags.json) {
@@ -1019,6 +1602,8 @@ async function main() {
           `Wrote ${result.manifestPath}`,
           `Wrote ${result.handoffPath}`,
           ...result.promptPaths.map((item) => `Wrote ${item.promptPath}`),
+          `Wrote ${result.profilesPath}`,
+          ...result.packagePlanPaths.map((item) => `Wrote ${item.planPath}`),
           `Wrote ${result.disclosurePath}`,
           result.snippetPath ? `Wrote ${result.snippetPath}` : null,
           ...result.warnings.map((warning) => `Warning: ${warning}`),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xiashe/skill",
-  "version": "0.1.5",
+  "version": "0.1.8",
   "type": "module",
   "bin": {
     "xiashe-skill": "bin/xiashe-skill.mjs"