akm-cli 0.0.22 → 0.1.0

package/dist/stash-clone.js

@@ -1,12 +1,13 @@
 import fs from "node:fs";
 import path from "node:path";
 import { TYPE_DIRS } from "./asset-spec";
+import { UsageError } from "./errors";
 import { isRemoteOrigin, resolveSourcesForOrigin } from "./origin-resolve";
 import { installRegistryRef } from "./registry-install";
+import { findSourceForPath, getPrimarySource, resolveStashSources } from "./search-source";
 import { makeAssetRef, parseAssetRef } from "./stash-ref";
 import { resolveAssetPath } from "./stash-resolve";
-import { findSourceForPath, getPrimarySource, resolveStashSources } from "./stash-source";
-export async function agentikitClone(options) {
+export async function akmClone(options) {
     const parsed = parseAssetRef(options.sourceRef);
     // When --dest is provided, the working stash is optional
     let allSources;
@@ -61,6 +62,31 @@ export async function agentikitClone(options) {
     const sourceSource = findSourceForPath(sourcePath, allSources);
     const destName = options.newName ?? parsed.name;
     const typeDir = TYPE_DIRS[parsed.type];
+    // Validate destName to prevent path traversal (parsed.name is already
+    // validated by parseAssetRef, but newName comes directly from user input).
+    // Run whenever newName is provided, including empty string.
+    if (options.newName !== undefined) {
+        if (destName === "") {
+            throw new UsageError("Clone name must not be empty.");
+        }
+        const normalized = path.posix.normalize(destName.replace(/\\/g, "/"));
+        if (path.isAbsolute(destName) ||
+            normalized === "." ||
+            normalized.startsWith("../") ||
+            normalized === ".." ||
+            destName.includes("\0")) {
+            throw new UsageError(`Unsafe clone name "${destName}": must not contain path traversal or absolute paths.`);
+        }
+        // Ensure the resolved destination is strictly inside the type directory,
+        // not equal to it (which can happen with crafted multi-segment names).
+        // path.relative() is used instead of startsWith() for cross-platform safety.
+        const destTypeDir = path.resolve(path.join(destRoot, typeDir));
+        const resolvedDest = path.resolve(path.join(destRoot, typeDir, destName));
+        const rel = path.relative(destTypeDir, resolvedDest);
+        if (rel === "" || rel.startsWith("..")) {
+            throw new UsageError(`Unsafe clone name "${destName}": resolves outside the target type directory.`);
+        }
+    }
     const destLabel = options.dest ? "at destination" : "in working stash";
     // Guard against self-clone
     if (parsed.type === "skill") {

package/dist/stash-provider-factory.js

@@ -19,33 +19,18 @@ export function resolveStashProviderFactory(type) {
 }
 /**
  * Resolve all non-filesystem stash providers from config.
- * Sources come from `stashes` (new) or `remoteStashSources` (legacy).
  * Filesystem entries are excluded — they are handled by resolveStashSources().
  */
 export function resolveStashProviders(config) {
     const providers = [];
-    // New config: stashes[]
-    if (config.stashes) {
-        for (const entry of config.stashes) {
-            if (entry.enabled === false)
-                continue;
-            if (entry.type === "filesystem")
-                continue;
-            const factory = registry.resolve(entry.type);
-            if (factory) {
-                providers.push(factory(entry));
-            }
-        }
-    }
-    // Legacy config: remoteStashSources[] → map to stash providers
-    if (!config.stashes && config.remoteStashSources) {
-        for (const entry of config.remoteStashSources) {
-            if (entry.enabled === false)
-                continue;
-            const factory = registry.resolve(entry.type ?? "openviking");
-            if (factory) {
-                providers.push(factory(entry));
-            }
+    for (const entry of config.stashes ?? []) {
+        if (entry.enabled === false)
+            continue;
+        if (entry.type === "filesystem")
+            continue;
+        const factory = registry.resolve(entry.type);
+        if (factory) {
+            providers.push(factory(entry));
         }
     }
     return providers;

package/dist/stash-providers/filesystem.js

@@ -1,9 +1,9 @@
 import { resolveStashDir } from "../common";
 import { loadConfig } from "../config";
 import { searchLocal } from "../local-search";
+import { resolveStashSources } from "../search-source";
 import { registerStashProvider } from "../stash-provider-factory";
 import { showLocal } from "../stash-show";
-import { resolveStashSources } from "../stash-source";
 class FilesystemStashProvider {
     type = "filesystem";
     name;

package/dist/stash-providers/openviking.js

@@ -16,7 +16,7 @@ const QUERY_CACHE_TTL_MS = 5 * 60 * 1000;
 /** Maximum age before query cache is considered stale but still usable (1 hour). */
 const QUERY_CACHE_STALE_MS = 60 * 60 * 1000;
 /**
- * Single source of truth for OpenViking type → agentikit asset type mapping.
+ * Single source of truth for OpenViking type → akm asset type mapping.
  * Used by both search hit mapping and show response mapping.
  */
 const OV_TYPE_MAP = {

package/dist/stash-search.js

@@ -5,9 +5,9 @@ import { resolveStashProviders } from "./stash-provider-factory";
 import "./stash-providers/index";
 import { UsageError } from "./errors";
 import { searchRegistry } from "./registry-search";
-import { resolveStashSources } from "./stash-source";
+import { resolveStashSources } from "./search-source";
 const DEFAULT_LIMIT = 20;
-export async function agentikitSearch(input) {
+export async function akmSearch(input) {
     const t0 = Date.now();
     const query = input.query.trim();
     const normalizedQuery = query.toLowerCase();
@@ -24,7 +24,7 @@ export async function agentikitSearch(input) {
             stashDir: "",
             source,
             hits: [],
-            warnings: ["No stash sources configured. Run `akm init` first."],
+            warnings: ["No stashes configured. Run `akm init` to create your working stash."],
             timing: { totalMs: Date.now() - t0 },
         };
     }

package/dist/stash-show.js

@@ -2,17 +2,17 @@ import { loadConfig } from "./config";
 import { NotFoundError, UsageError } from "./errors";
 import { buildFileContext, buildRenderContext, getRenderer, runMatchers } from "./file-context";
 import { resolveSourcesForOrigin } from "./origin-resolve";
+import { buildEditHint, findSourceForPath, isEditable, resolveStashSources } from "./search-source";
 import { resolveStashProviders } from "./stash-provider-factory";
 import { parseAssetRef } from "./stash-ref";
 import { resolveAssetPath } from "./stash-resolve";
-import { buildEditHint, findSourceForPath, isEditable, resolveStashSources } from "./stash-source";
 // Eagerly import stash providers to trigger self-registration
 import "./stash-providers/index";
 /**
  * Unified show: routes to the first stash provider that can handle the ref.
  * viking:// refs are handled by OpenViking provider; everything else by filesystem show.
  */
-export async function agentikitShowUnified(input) {
+export async function akmShowUnified(input) {
     const ref = input.ref.trim();
     // Try stash providers first (e.g. OpenViking for viking:// URIs)
     const config = loadConfig();
@@ -23,7 +23,7 @@ export async function agentikitShowUnified(input) {
     // Default: local filesystem show
     return showLocal(input);
 }
-/** @internal Use agentikitShowUnified() for all external callers. */
+/** @internal Use akmShowUnified() for all external callers. */
 export async function showLocal(input) {
     const parsed = parseAssetRef(input.ref);
     const displayType = parsed.type;
@@ -48,12 +48,15 @@ export async function showLocal(input) {
             `Kit "${parsed.origin}" is not installed. Run: ${installCmd}`);
     }
     if (!assetPath) {
-        throw lastError ?? new NotFoundError(`Stash asset not found for ref: ${displayType}:${parsed.name}`);
+        throw (lastError ??
+            new NotFoundError(`Stash asset not found for ref: ${displayType}:${parsed.name}. ` +
+                "Check the name with `akm search` or verify the asset exists in your stash."));
     }
     const source = findSourceForPath(assetPath, allSources);
     const sourceStashDir = source?.path ?? allStashDirs[0];
     if (!sourceStashDir) {
-        throw new UsageError(`Could not determine stash root for asset: ${displayType}:${parsed.name}`);
+        throw new UsageError(`Could not determine stash root for asset: ${displayType}:${parsed.name}. ` +
+            "Run `akm init` to create the stash directory, or check `akm stash list` for configured paths.");
     }
     const fileCtx = buildFileContext(sourceStashDir, assetPath);
     const match = await runMatchers(fileCtx);

package/dist/stash-source-manage.js

@@ -0,0 +1,82 @@
+import path from "node:path";
+import { loadConfig, saveConfig } from "./config";
+import { UsageError } from "./errors";
+import { resolveStashSources } from "./search-source";
+// ── Operations ──────────────────────────────────────────────────────────────
+/**
+ * Add a stash source (filesystem path or remote provider URL) to config.
+ *
+ * Filesystem paths are auto-detected when `target` does not start with
+ * `http://` or `https://`. URL sources require a `providerType` option
+ * (e.g. "openviking").
+ */
+export function addStash(opts) {
+    const { target, name, providerType, options: providerOptions } = opts;
+    const config = loadConfig();
+    const stashes = [...(config.stashes ?? [])];
+    const isUrl = target.startsWith("http://") || target.startsWith("https://");
+    let entry;
+    if (isUrl) {
+        if (!providerType) {
+            throw new UsageError("--provider is required for URL sources (e.g. --provider openviking)");
+        }
+        // Deduplicate by URL
+        if (stashes.some((s) => s.url === target)) {
+            return { stashes, added: false, message: "Source URL already configured" };
+        }
+        entry = { type: providerType, url: target };
+        if (name)
+            entry.name = name;
+        if (providerOptions)
+            entry.options = providerOptions;
+    }
+    else {
+        // Filesystem path
+        const resolvedPath = path.resolve(target);
+        if (stashes.some((s) => s.path && path.resolve(s.path) === resolvedPath)) {
+            return { stashes, added: false, message: "Source path already configured" };
+        }
+        entry = { type: "filesystem", path: resolvedPath };
+        if (name)
+            entry.name = name;
+    }
+    stashes.push(entry);
+    saveConfig({ ...config, stashes });
+    return { stashes, added: true, entry };
+}
+/**
+ * Remove a stash source by URL, path, or name.
+ * Match priority: URL > path > name (most specific first).
+ */
+export function removeStash(target) {
+    const config = loadConfig();
+    const stashes = [...(config.stashes ?? [])];
+    const isUrl = target.startsWith("http://") || target.startsWith("https://");
+    const resolvedPath = !isUrl ? path.resolve(target) : undefined;
+    // Try URL match first, then path, then name (most specific → least specific)
+    let idx = -1;
+    if (isUrl) {
+        idx = stashes.findIndex((s) => s.url === target);
+    }
+    if (idx === -1 && resolvedPath) {
+        idx = stashes.findIndex((s) => s.path && path.resolve(s.path) === resolvedPath);
+    }
+    if (idx === -1) {
+        idx = stashes.findIndex((s) => s.name === target);
+    }
+    if (idx === -1) {
+        return { stashes, removed: false, message: "No matching source found" };
+    }
+    const removed = stashes.splice(idx, 1)[0];
+    saveConfig({ ...config, stashes });
+    return { stashes, removed: true, entry: removed };
+}
+/**
+ * List all stash sources (local filesystem + configured stashes).
+ */
+export function listStashes() {
+    const config = loadConfig();
+    const localSources = resolveStashSources();
+    const stashes = config.stashes ?? [];
+    return { localSources, stashes };
+}

package/package.json

@@ -1,11 +1,11 @@
 {
   "name": "akm-cli",
-  "version": "0.0.22",
+  "version": "0.1.0",
   "type": "module",
   "description": "CLI tool to search, open, and run extension assets from an akm stash directory.",
   "keywords": [
     "akm",
-    "agent-i-kit",
+    "akm-kit",
     "ai-agent",
     "agent-framework",
     "developer-tools",