assistme 0.8.2 → 0.8.3

package/dist/{chunk-IKYXC4RJ.js → chunk-UHGTMSLZ.js}

@@ -1,5 +1,4 @@
 import {
-  AppError,
   BrowseSkillRowSchema,
   CDP_COMMAND_TIMEOUT_MS,
   FRAME_CONTEXTS_MAX_SIZE,
@@ -14,15 +13,17 @@ import {
   SkillRowSchema,
   WS_CONNECT_TIMEOUT_MS,
   callMcpHandler,
-  errorMessage,
   log,
   readAuthStore,
   safeParse,
   writeAuthStore
-} from "./chunk-A2NR7LCQ.js";
+} from "./chunk-3UNXN3BX.js";
 import {
-  getConfig
-} from "./chunk-YYSJHZSO.js";
+  AppError,
+  errorMessage,
+  getConfig,
+  getDataDir
+} from "./chunk-HY3FFXSQ.js";
 
 // src/db/auth.ts
 async function loginWithToken(mcpToken) {
@@ -52,7 +53,7 @@ async function logout() {
 
 // src/db/session.ts
 async function createSession(sessionName, workspacePath, version) {
-  const { getConfig: getConfig2 } = await import("./config-3RWSAUAZ.js");
+  const { getConfig: getConfig2 } = await import("./config-2HH7PO34.js");
   const data = await callMcpHandler("session.create", {
     session_name: sessionName,
     workspace_path: workspacePath,
@@ -287,7 +288,7 @@ var BrowserController = class {
       throw new Error("Tab does not expose a WebSocket debugger URL.");
     }
     this.currentTabId = targetTab.id;
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       let settled = false;
       this.ws = new WebSocket(targetTab.webSocketDebuggerUrl);
       const connectTimeout = setTimeout(() => {
@@ -308,7 +309,7 @@ var BrowserController = class {
         });
         this.send("DOM.enable").catch(() => {
         });
-        resolve(`Connected to tab: "${targetTab.title}" (${targetTab.url})`);
+        resolve2(`Connected to tab: "${targetTab.title}" (${targetTab.url})`);
       });
       this.ws.on("message", (data) => {
         try {
@@ -356,7 +357,7 @@ var BrowserController = class {
     return await res.json();
   }
   send(method, params) {
-    return new Promise((resolve, reject) => {
+    return new Promise((resolve2, reject) => {
       if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
         reject(new Error("Not connected to browser. Call browser_connect first."));
         return;
@@ -371,7 +372,7 @@ var BrowserController = class {
         if (response.error) {
           reject(new Error(`CDP error: ${response.error.message}`));
         } else {
-          resolve(response.result || {});
+          resolve2(response.result || {});
         }
       });
       this.ws.send(JSON.stringify({ id, method, params }));
@@ -644,7 +645,7 @@ URL: ${info.url}`;
     };
     const parts = key.split("+");
     let modifiers = 0;
-    let actualKey = parts[parts.length - 1];
+    const actualKey = parts[parts.length - 1];
     for (let i = 0; i < parts.length - 1; i++) {
       const mod = modifierMap[parts[i]];
       if (mod) modifiers |= mod;
@@ -1922,8 +1923,7 @@ function getDefaultProfileDir(chromePath) {
   return join(home, ".config", "google-chrome");
 }
 function getDebugProfileDir(chromePath) {
-  const home = homedir();
-  const debugDir = join(home, ".assistme", "browser-profile");
+  const debugDir = join(getDataDir(), "browser-profile");
   if (!existsSync(debugDir)) {
     mkdirSync(debugDir, { recursive: true });
     log.debug(`Created debug profile directory: ${debugDir}`);
@@ -2079,7 +2079,9 @@ async function ensureBrowserAvailable(port = 9222) {
     success: false,
     action: "launch_failed",
     chromePath,
-    detail: "Could not start browser with remote debugging. Possible causes:\n  1) Another assistme debug browser is already using port " + port + "\n  2) The browser crashed on startup\nTry: rm -rf ~/.assistme/browser-profile && assistme"
+    detail: "Could not start browser with remote debugging. Possible causes:\n  1) Another assistme debug browser is already using port " + port + `
+  2) The browser crashed on startup
+Try: rm -rf ${join(getDataDir(), "browser-profile")} && assistme`
   };
 }
 var browserInstances = /* @__PURE__ */ new Map();
@@ -2107,7 +2109,7 @@ function getNextRunTime(cronExpr, timezone, fromDate) {
     if (err instanceof Error && err.message.includes("No future run time")) {
       throw err;
     }
-    throw new Error(`Invalid cron expression "${cronExpr}": ${errorMessage(err)}`);
+    throw new Error(`Invalid cron expression "${cronExpr}": ${errorMessage(err)}`, { cause: err });
   }
 }
 var Scheduler = class {
@@ -2393,8 +2395,47 @@ function computeWordOverlap(a, b) {
   return union === 0 ? 0 : intersection / union;
 }
 
-// src/agent/skills.ts
-import { execSync as execSync2 } from "child_process";
+// src/utils/lru-cache.ts
+var LRUCache = class {
+  constructor(maxSize) {
+    this.maxSize = maxSize;
+    if (maxSize < 1) throw new Error("LRUCache maxSize must be >= 1");
+  }
+  cache = /* @__PURE__ */ new Map();
+  get(key) {
+    const value = this.cache.get(key);
+    if (value === void 0) return void 0;
+    this.cache.delete(key);
+    this.cache.set(key, value);
+    return value;
+  }
+  set(key, value) {
+    if (this.cache.has(key)) {
+      this.cache.delete(key);
+    }
+    this.cache.set(key, value);
+    while (this.cache.size > this.maxSize) {
+      const oldest = this.cache.keys().next().value;
+      if (oldest !== void 0) {
+        this.cache.delete(oldest);
+      }
+    }
+  }
+  has(key) {
+    return this.cache.has(key);
+  }
+  delete(key) {
+    return this.cache.delete(key);
+  }
+  clear() {
+    this.cache.clear();
+  }
+  get size() {
+    return this.cache.size;
+  }
+};
+
+// src/agent/skill-search.ts
 var STOP_WORDS = /* @__PURE__ */ new Set([
   "the",
   "a",
@@ -2520,6 +2561,151 @@ function bigrams(tokens) {
   }
   return result;
 }
+function buildIdfMap(skills) {
+  const docFreq = /* @__PURE__ */ new Map();
+  let totalSkills = 0;
+  for (const skill of skills) {
+    totalSkills++;
+    const allText = `${skill.name} ${skill.description} ${skill.content} ${skill.keywords.join(" ")}`.toLowerCase();
+    const words = new Set(tokenize(allText));
+    for (const w of words) {
+      docFreq.set(w, (docFreq.get(w) || 0) + 1);
+    }
+  }
+  const total = totalSkills || 1;
+  const idfMap = /* @__PURE__ */ new Map();
+  for (const [word, df] of docFreq) {
+    idfMap.set(word, Math.log(total / df) + 1);
+  }
+  return idfMap;
+}
+function createSearchContext(prompt, idfMap) {
+  const lower = prompt.toLowerCase();
+  const tokens = tokenize(lower);
+  return {
+    lower,
+    tokens,
+    tokenSet: new Set(tokens),
+    bigramSet: bigrams(tokens),
+    idf: (word) => idfMap.get(word) || 1
+  };
+}
+function findSimilarSkill(name, skills) {
+  const normalizedName = name.toLowerCase().replace(/[^a-z0-9]/g, "");
+  const nameWords = new Set(name.split("-"));
+  for (const [existingName, skill] of skills) {
+    const normalizedExisting = existingName.toLowerCase().replace(/[^a-z0-9]/g, "");
+    if (normalizedName.includes(normalizedExisting) || normalizedExisting.includes(normalizedName)) {
+      return skill;
+    }
+    const existingWords = new Set(existingName.split("-"));
+    let overlap = 0;
+    for (const w of nameWords) {
+      if (existingWords.has(w)) overlap++;
+    }
+    if (overlap >= 2 || overlap >= 1 && nameWords.size <= 2) {
+      return skill;
+    }
+  }
+  return null;
+}
+var skillTokensCache = /* @__PURE__ */ new WeakMap();
+function getSkillTokens(skill) {
+  let cached = skillTokensCache.get(skill);
+  if (cached) return cached;
+  const descTokens = tokenize(skill.description.toLowerCase());
+  cached = {
+    descTokens,
+    descBigramSet: bigrams(descTokens),
+    contentTokens: tokenize(skill.content.toLowerCase()),
+    nameLower: skill.name.toLowerCase(),
+    keywordsLower: skill.keywords.map((kw) => kw.toLowerCase())
+  };
+  skillTokensCache.set(skill, cached);
+  return cached;
+}
+function scoreSkillRelevance(skill, ctx) {
+  if (skill.disableModelInvocation) return -1;
+  const st = getSkillTokens(skill);
+  let score = 0;
+  if (ctx.lower.includes(st.nameLower)) score += 10;
+  for (const kw of st.keywordsLower) {
+    if (ctx.lower.includes(kw)) score += 8;
+  }
+  for (const word of st.descTokens) {
+    if (ctx.tokenSet.has(word)) score += 3 * ctx.idf(word);
+  }
+  for (const word of st.contentTokens) {
+    if (ctx.tokenSet.has(word)) score += 0.5 * ctx.idf(word);
+  }
+  for (const bg of st.descBigramSet) {
+    if (ctx.bigramSet.has(bg)) score += 5;
+  }
+  return score;
+}
+
+// src/agent/skill-format.ts
+function formatSkillDescriptions(skills, relevantNames, budget) {
+  const active = skills.filter((s) => !s.disableModelInvocation);
+  if (active.length === 0) return "";
+  const alwaysSkills = active.filter((s) => s.metadata.always);
+  const rest = active.filter((s) => !s.metadata.always);
+  const sorted = rest.sort((a, b) => {
+    if (relevantNames) {
+      const aRelevant = relevantNames.has(a.name);
+      const bRelevant = relevantNames.has(b.name);
+      if (aRelevant && !bRelevant) return -1;
+      if (!aRelevant && bRelevant) return 1;
+    }
+    return (b.invocationCount || 0) - (a.invocationCount || 0);
+  });
+  const ordered = [...alwaysSkills, ...sorted];
+  let remaining = budget;
+  let prompt = "\n\n## Your Skills\n";
+  prompt += "These are your approved skills. Use skill_invoke to load full instructions when a task matches.\n";
+  prompt += "If no skill matches but the task is a reusable pattern, consider creating one with skill_create.\n\n";
+  let included = 0;
+  for (const skill of ordered) {
+    const emoji = skill.metadata.emoji || "";
+    const hint = skill.argumentHint ? ` (${skill.argumentHint})` : "";
+    const line = `- **${emoji ? emoji + " " : ""}${skill.name}**${hint}: ${skill.description}
+`;
+    if (remaining - line.length < 0) break;
+    remaining -= line.length;
+    prompt += line;
+    included++;
+  }
+  if (included < ordered.length) {
+    prompt += `
+_(${ordered.length - included} additional skills available \u2014 use skill_search to find more)_
+`;
+  }
+  return prompt;
+}
+function formatDiscoveredSkills(discovered) {
+  if (discovered.length === 0) return "";
+  let prompt = "\n\n## Suggested Skills from Marketplace\n";
+  prompt += "These public skills may be relevant. Use skill_invoke with the exact name to add and use one.\n";
+  prompt += "Only use them if they genuinely match the user's request.\n";
+  prompt += "**Note:** Marketplace skills require user confirmation before use \u2014 the system will prompt the user to approve or deny. Each skill requires separate confirmation. If the user denies, do NOT retry \u2014 try alternatives or complete the task without it.\n\n";
+  for (const d of discovered) {
+    const emoji = d.emoji ? `${d.emoji} ` : "";
+    const installs = d.install_count > 0 ? ` (${d.install_count} installs)` : "";
+    prompt += `- **${emoji}${d.name}**${installs}: ${d.description}
+`;
+  }
+  return prompt;
+}
+function formatSkillList(skills) {
+  if (skills.length === 0) return "No skills in your collection.";
+  return skills.map((s) => {
+    const emoji = s.metadata.emoji || "";
+    return `  ${emoji ? emoji + " " : ""}${s.name} (${s.version}) [${s.source}]
+    ${s.description}`;
+  }).join("\n\n");
+}
+
+// src/agent/skill-types.ts
 function parseDbMetadata(raw) {
   if (!raw || typeof raw !== "object") return {};
   const obj = raw;
@@ -2534,13 +2720,166 @@ function parseDbMetadata(raw) {
     credentials: openclaw.credentials
   };
 }
+
+// src/agent/skill-db.ts
+async function upsertAgentSkill(params) {
+  try {
+    const data = await callMcpHandler("skill.upsert", {
+      name: params.name,
+      description: params.description,
+      content: params.content,
+      version: params.version,
+      source: params.source || "manual",
+      emoji: params.emoji || null,
+      keywords: params.keywords || [],
+      change_summary: params.changeSummary || null,
+      source_skill_id: params.sourceSkillId || null
+    });
+    if (data && typeof data === "object" && "id" in data) {
+      log.debug(`Skill "${params.name}" synced to agent_skills`);
+      return data.id;
+    }
+    log.debug(`Skill "${params.name}" synced to agent_skills (no id returned)`);
+    return null;
+  } catch (err) {
+    log.debug(`DB skill sync error for "${params.name}": ${err}`);
+    return null;
+  }
+}
+async function logSkillInvocation(skillDbId, options) {
+  try {
+    await callMcpHandler("skill.log_invocation", {
+      skill_id: skillDbId,
+      message_id: options?.messageId || null,
+      session_id: options?.sessionId || null,
+      task_prompt: options?.taskPrompt?.slice(0, 500) || null,
+      arguments: options?.arguments || null,
+      success: options?.success ?? null
+    });
+  } catch (err) {
+    log.debug(`Invocation log error: ${err}`);
+  }
+}
+async function searchSkillsInDb(query, limit) {
+  try {
+    const data = await callMcpHandler("skill.search", {
+      query,
+      limit
+    });
+    if (data) {
+      return data.map((row) => ({
+        name: String(row.name),
+        description: String(row.description ?? ""),
+        emoji: String(row.emoji ?? ""),
+        source: String(row.source ?? "manual"),
+        invocationCount: typeof row.invocation_count === "number" ? row.invocation_count : 0
+      }));
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function discoverSkills(query, limit, excludeNames) {
+  try {
+    const data = await callMcpHandler("skill.discover", {
+      query,
+      limit,
+      exclude_names: excludeNames
+    });
+    return data || null;
+  } catch {
+    return null;
+  }
+}
+async function removeSkillFromDb(name) {
+  try {
+    await callMcpHandler("skill.remove", { name });
+  } catch (err) {
+    log.debug(`Failed to remove skill "${name}" from DB: ${err}`);
+  }
+}
+async function updateSourceSkill(sourceSkillId, content, description, version) {
+  try {
+    await callMcpHandler("skill.update_source", {
+      source_skill_id: sourceSkillId,
+      content,
+      description,
+      version
+    });
+  } catch (err) {
+    log.debug(`Failed to update source skill "${sourceSkillId}": ${err}`);
+  }
+}
+
+// src/agent/skill-marketplace.ts
+async function publishSkill(skill, options) {
+  if (skill.source === "external") {
+    log.debug(`Cannot publish external skill "${skill.name}"`);
+    return null;
+  }
+  try {
+    const data = await callMcpHandler("skill.publish", {
+      name: skill.name,
+      description: skill.description,
+      version: skill.version,
+      emoji: skill.metadata.emoji || null,
+      content: skill.content,
+      argument_hint: skill.argumentHint || null,
+      keywords: skill.keywords,
+      allowed_tools: skill.allowedTools,
+      author_name: options?.authorName || null,
+      metadata: skill.metadata,
+      homepage: skill.homepage || null,
+      category: options?.category || null,
+      source: skill.source
+    });
+    log.info(`Skill "${skill.name}" published to marketplace`);
+    return data;
+  } catch (err) {
+    log.debug(`Publish error: ${err}`);
+    return null;
+  }
+}
+async function browseSkills(options) {
+  try {
+    const data = await callMcpHandler("skill.browse", {
+      query: options?.query || null,
+      category: options?.category || null,
+      sort: options?.sort || "popular",
+      limit: options?.limit || 20,
+      offset: options?.offset || 0
+    });
+    return (data || []).map((r) => safeParse(BrowseSkillRowSchema, r)).filter(Boolean).map((r) => ({
+      id: r.id,
+      name: r.name,
+      description: r.description,
+      emoji: r.emoji,
+      version: r.version,
+      authorName: r.author_name,
+      category: r.category,
+      installCount: r.install_count,
+      avgRating: r.avg_rating ?? null,
+      ratingCount: r.rating_count
+    }));
+  } catch {
+    return [];
+  }
+}
+
+// src/agent/skills.ts
+var MAX_RELEVANCE_CACHE_ENTRIES = 100;
+var DISCOVER_TIMEOUT_MS = 3e3;
+var DISCOVER_RELEVANCE_THRESHOLD = 5;
+var DISCOVER_CACHE_TTL_MS = 6e4;
 var SkillManager = class {
   skills = /* @__PURE__ */ new Map();
   idfCache = /* @__PURE__ */ new Map();
   userId = null;
-  /** Cache for findRelevant() — keyed by prompt, invalidated on skill changes */
-  relevanceCache = /* @__PURE__ */ new Map();
-  DESCRIPTION_BUDGET_CHARS = SKILL_DESCRIPTION_BUDGET_CHARS;
+  /** Bounded cache for findRelevant() — keyed by normalized prompt, invalidated on skill changes. */
+  relevanceCache = new LRUCache(MAX_RELEVANCE_CACHE_ENTRIES);
+  /** Bounded, TTL-aware cache for marketplace discover results. */
+  discoverCache = new LRUCache(50);
   setUserId(userId) {
     this.userId = userId;
   }
@@ -2552,10 +2891,9 @@ var SkillManager = class {
       for (const raw of data || []) {
         const row = safeParse(SkillRowSchema, raw);
         if (!row) continue;
-        const skill = this.rowToSkill(row);
-        this.skills.set(skill.name, skill);
+        this.skills.set(row.name, this.rowToSkill(row));
       }
-      this.buildIdfCache();
+      this.rebuildIdfCache();
       if (this.skills.size > 0) {
         log.info(`Loaded ${this.skills.size} skill(s) from DB`);
       }
@@ -2565,44 +2903,33 @@ var SkillManager = class {
   }
   rowToSkill(row) {
     return {
-      name: String(row.name),
-      description: String(row.description ?? ""),
-      version: String(row.version ?? "1.0.0"),
-      userInvocable: row.user_invocable !== false,
-      disableModelInvocation: row.disable_model_invocation === true,
-      keywords: Array.isArray(row.keywords) ? row.keywords : [],
-      allowedTools: Array.isArray(row.allowed_tools) ? row.allowed_tools : [],
-      argumentHint: String(row.argument_hint ?? ""),
+      name: row.name,
+      description: row.description,
+      version: row.version,
+      userInvocable: row.user_invocable,
+      disableModelInvocation: row.disable_model_invocation,
+      keywords: row.keywords,
+      allowedTools: row.allowed_tools,
+      argumentHint: row.argument_hint,
       metadata: parseDbMetadata(row.metadata),
-      homepage: String(row.homepage ?? ""),
-      content: String(row.content ?? ""),
+      homepage: row.homepage,
+      content: row.content,
       filePath: "",
       source: row.source || "manual",
-      dbId: row.id != null ? String(row.id) : void 0,
-      sourceSkillId: row.source_skill_id != null ? String(row.source_skill_id) : void 0,
-      invocationCount: typeof row.invocation_count === "number" ? row.invocation_count : 0
+      dbId: row.id,
+      sourceSkillId: row.source_skill_id ?? void 0,
+      invocationCount: row.invocation_count
     };
   }
-  /** Invalidate caches when skills change (create, add, update, remove). */
   invalidateCaches() {
     this.relevanceCache.clear();
-    this.buildIdfCache();
-  }
-  buildIdfCache() {
-    this.idfCache.clear();
-    const docFreq = /* @__PURE__ */ new Map();
-    const totalSkills = this.skills.size || 1;
-    for (const skill of this.skills.values()) {
-      const allText = `${skill.name} ${skill.description} ${skill.content} ${skill.keywords.join(" ")}`.toLowerCase();
-      const words = new Set(tokenize(allText));
-      for (const w of words) {
-        docFreq.set(w, (docFreq.get(w) || 0) + 1);
-      }
-    }
-    for (const [word, df] of docFreq) {
-      this.idfCache.set(word, Math.log(totalSkills / df) + 1);
-    }
+    this.discoverCache.clear();
+    this.rebuildIdfCache();
+  }
+  rebuildIdfCache() {
+    this.idfCache = buildIdfMap(this.skills.values());
   }
+  // ── Read ────────────────────────────────────────────────────────
   getAll() {
     return Array.from(this.skills.values());
   }
@@ -2610,89 +2937,83 @@ var SkillManager = class {
     return this.skills.get(name);
   }
   findRelevant(prompt, maxResults = 3) {
+    return this.findRelevantWithScore(prompt, maxResults).results;
+  }
+  /**
+   * Find relevant skills and return both results and the top score.
+   * Avoids duplicate scoring when both relevance results and the max score are needed.
+   */
+  findRelevantWithScore(prompt, maxResults = 3) {
     const cacheKey = prompt.toLowerCase();
     const cached = this.relevanceCache.get(cacheKey);
     if (cached && cached.maxResults >= maxResults) {
-      return cached.results.slice(0, maxResults);
-    }
-    const lower = cacheKey;
-    const promptTokens = tokenize(lower);
-    const promptTokenSet = new Set(promptTokens);
-    const idf = (word) => this.idfCache.get(word) || 1;
-    const scored = [];
-    for (const skill of this.skills.values()) {
-      if (skill.disableModelInvocation) continue;
-      let score = 0;
-      if (lower.includes(skill.name.toLowerCase())) score += 10;
-      for (const kw of skill.keywords) {
-        if (lower.includes(kw.toLowerCase())) score += 8;
-      }
-      const descTokens = tokenize(skill.description.toLowerCase());
-      for (const word of descTokens) {
-        if (promptTokenSet.has(word)) score += 3 * idf(word);
-      }
-      const contentTokens = tokenize(skill.content.toLowerCase());
-      for (const word of contentTokens) {
-        if (promptTokenSet.has(word)) score += 0.5 * idf(word);
-      }
-      const promptBigrams = bigrams(promptTokens);
-      const descBigrams = bigrams(descTokens);
-      for (const bg of descBigrams) {
-        if (promptBigrams.has(bg)) score += 5;
-      }
-      if (score > 0) scored.push({ skill, score });
+      return {
+        results: cached.results.slice(0, maxResults),
+        topScore: cached.topScore
+      };
     }
-    const results = scored.sort((a, b) => b.score - a.score).slice(0, maxResults).map((s) => s.skill);
-    this.relevanceCache.set(cacheKey, { results, maxResults });
-    return results;
+    const ctx = createSearchContext(prompt, this.idfCache);
+    const scored = Array.from(this.skills.values()).map((skill) => ({ skill, score: scoreSkillRelevance(skill, ctx) })).filter(({ score }) => score > 0).sort((a, b) => b.score - a.score);
+    const topScore = scored.length > 0 ? scored[0].score : 0;
+    const results = scored.slice(0, maxResults).map(({ skill }) => skill);
+    this.relevanceCache.set(cacheKey, { results, maxResults, topScore });
+    return { results, topScore };
   }
-  /**
-   * Build lightweight skill descriptions for the system prompt.
-   * When a taskPrompt is provided, relevant skills are prioritized to the top;
-   * remaining skills are sorted by usage frequency (invocationCount).
-   */
-  buildSkillDescriptions(taskPrompt) {
-    const all = this.getAll().filter((s) => !s.disableModelInvocation);
-    if (all.length === 0) return "";
-    const alwaysSkills = all.filter((s) => s.metadata.always);
-    const rest = all.filter((s) => !s.metadata.always);
+  findSimilar(name) {
+    if (this.skills.has(name)) return this.skills.get(name);
+    return findSimilarSkill(name, this.skills);
+  }
+  async buildSkillDescriptions(taskPrompt) {
+    const all = this.getAll();
+    const hasActive = all.some((s) => !s.disableModelInvocation);
     let relevantNames = null;
+    let topScore = 0;
     if (taskPrompt) {
-      const relevant = this.findRelevant(taskPrompt, 10);
-      relevantNames = new Set(relevant.map((s) => s.name));
-    }
-    const sorted = rest.sort((a, b) => {
-      if (relevantNames) {
-        const aRelevant = relevantNames.has(a.name);
-        const bRelevant = relevantNames.has(b.name);
-        if (aRelevant && !bRelevant) return -1;
-        if (!aRelevant && bRelevant) return 1;
+      const { results, topScore: ts } = this.findRelevantWithScore(taskPrompt, 10);
+      relevantNames = new Set(results.map((s) => s.name));
+      topScore = ts;
+    }
+    let prompt = "";
+    if (hasActive) {
+      prompt += formatSkillDescriptions(all, relevantNames, SKILL_DESCRIPTION_BUDGET_CHARS);
+    }
+    if (taskPrompt && this.userId && topScore < DISCOVER_RELEVANCE_THRESHOLD) {
+      const discovered = await this.discoverWithTimeout(
+        taskPrompt,
+        5,
+        all.map((s) => s.name)
+      );
+      if (discovered && discovered.length > 0) {
+        prompt += formatDiscoveredSkills(discovered);
       }
-      return (b.invocationCount || 0) - (a.invocationCount || 0);
-    });
-    const skills = [...alwaysSkills, ...sorted];
-    let budget = this.DESCRIPTION_BUDGET_CHARS;
-    let prompt = "\n\n## Your Skills\n";
-    prompt += "These are your approved skills. Use skill_invoke to load full instructions when a task matches.\n";
-    prompt += "If no skill matches but the task is a reusable pattern, consider creating one with skill_create.\n\n";
-    let included = 0;
-    for (const skill of skills) {
-      const emoji = skill.metadata.emoji || "";
-      const hint = skill.argumentHint ? ` (${skill.argumentHint})` : "";
-      const line = `- **${emoji ? emoji + " " : ""}${skill.name}**${hint}: ${skill.description}
-`;
-      if (budget - line.length < 0) break;
-      budget -= line.length;
-      prompt += line;
-      included++;
-    }
-    if (included < skills.length) {
-      prompt += `
-_(${skills.length - included} additional skills available \u2014 use skill_search to find more)_
-`;
     }
     return prompt;
   }
+  /**
+   * Discover marketplace skills with timeout and short-term caching.
+   * Returns null on timeout or error (non-blocking).
+   */
+  async discoverWithTimeout(query, limit, excludeNames) {
+    const cacheKey = query.toLowerCase().slice(0, 200);
+    const cached = this.discoverCache.get(cacheKey);
+    if (cached && Date.now() - cached.ts < DISCOVER_CACHE_TTL_MS) {
+      return cached.results;
+    }
+    try {
+      const result = await Promise.race([
+        discoverSkills(query, limit, excludeNames),
+        new Promise((resolve2) => setTimeout(() => resolve2(null), DISCOVER_TIMEOUT_MS))
+      ]);
+      this.discoverCache.set(cacheKey, { results: result || [], ts: Date.now() });
+      return result;
+    } catch {
+      return null;
+    }
+  }
+  listFormatted() {
+    return formatSkillList(this.getAll());
+  }
+  // ── Create / Update / Remove ──────────────────────────────────
   async create(name, description, content, options) {
     if (!this.userId) return null;
     try {
@@ -2752,13 +3073,19 @@ _(${skills.length - included} additional skills available \u2014 use skill_searc
       );
       const row = result.skill;
       const agentSkillRow = result.agent_skill && typeof result.agent_skill === "object" ? result.agent_skill : row;
-      const skill = this.rowToSkill({
+      const merged = {
         ...agentSkillRow,
         name: row.name,
         description: row.description,
         content: row.content,
         source_skill_id: skillId
-      });
+      };
+      const parsed = safeParse(SkillRowSchema, merged);
+      if (!parsed) {
+        log.debug(`addSkill: failed to parse merged skill row for "${row.name}"`);
+        return null;
+      }
+      const skill = this.rowToSkill(parsed);
       this.skills.set(skill.name, skill);
       this.invalidateCaches();
       log.info(`Skill "${row.name}" added to user's collection`);
@@ -2773,39 +3100,11 @@ _(${skills.length - included} additional skills available \u2014 use skill_searc
     if (!skill) return false;
     this.skills.delete(name);
     this.invalidateCaches();
-    this.removeFromDb(name).catch(() => {
+    removeSkillFromDb(name).catch((err) => {
+      log.debug(`Failed to remove skill "${name}" from DB: ${err}`);
     });
     return true;
   }
-  listFormatted() {
-    const skills = this.getAll();
-    if (skills.length === 0) return "No skills in your collection.";
-    return skills.map((s) => {
-      const emoji = s.metadata.emoji || "";
-      return `  ${emoji ? emoji + " " : ""}${s.name} (${s.version}) [${s.source}]
-    ${s.description}`;
-    }).join("\n\n");
-  }
-  findSimilar(name) {
-    if (this.skills.has(name)) return this.skills.get(name);
-    const normalizedName = name.toLowerCase().replace(/[^a-z0-9]/g, "");
-    for (const [existingName, skill] of this.skills) {
-      const normalizedExisting = existingName.toLowerCase().replace(/[^a-z0-9]/g, "");
-      if (normalizedName.includes(normalizedExisting) || normalizedExisting.includes(normalizedName)) {
-        return skill;
-      }
-      const nameWords = new Set(name.split("-"));
-      const existingWords = new Set(existingName.split("-"));
-      let overlap = 0;
-      for (const w of nameWords) {
-        if (existingWords.has(w)) overlap++;
-      }
-      if (overlap >= 2 || overlap >= 1 && nameWords.size <= 2) {
-        return skill;
-      }
-    }
-    return null;
-  }
   update(name, newContent, description) {
     const skill = this.skills.get(name);
     if (!skill) return false;
@@ -2817,191 +3116,113 @@ _(${skills.length - included} additional skills available \u2014 use skill_searc
     skill.description = newDescription;
     skill.version = newVersion;
     this.invalidateCaches();
-    this.syncToAgentSkills(name, newDescription, newContent, newVersion, {
+    upsertAgentSkill({
+      name,
+      description: newDescription,
+      content: newContent,
+      version: newVersion,
       source: "auto_improved"
-    }).catch(() => {
+    }).catch((err) => {
+      log.debug(`Failed to sync skill "${name}" update to DB: ${err}`);
     });
     if (skill.sourceSkillId && this.userId) {
-      callMcpHandler("skill.update_source", {
-        source_skill_id: skill.sourceSkillId,
-        content: newContent,
-        description: newDescription,
-        version: newVersion
-      }).catch(() => {
-      });
+      updateSourceSkill(skill.sourceSkillId, newContent, newDescription, newVersion).catch(
+        (err) => {
+          log.debug(`Failed to update source skill for "${name}": ${err}`);
+        }
+      );
     }
     log.info(`Skill "${name}" updated to v${newVersion}`);
     return true;
   }
-  // ── DB Integration ─────────────────────────────────────────────────
+  // ── DB Coordination ───────────────────────────────────────────
   async syncToAgentSkills(name, description, content, version, options) {
     if (!this.userId) return;
-    try {
-      const data = await callMcpHandler("skill.upsert", {
-        name,
-        description,
-        content,
-        version,
-        source: options?.source || "manual",
-        emoji: options?.emoji || null,
-        keywords: options?.keywords || [],
-        change_summary: options?.changeSummary || null,
-        source_skill_id: options?.sourceSkillId || null
-      });
+    const id = await upsertAgentSkill({
+      name,
+      description,
+      content,
+      version,
+      source: options?.source,
+      emoji: options?.emoji,
+      keywords: options?.keywords,
+      changeSummary: options?.changeSummary,
+      sourceSkillId: options?.sourceSkillId
+    });
+    if (id) {
       const skill = this.skills.get(name);
-      if (skill && data && typeof data === "object" && "id" in data) {
-        skill.dbId = data.id;
-      }
-      log.debug(`Skill "${name}" synced to agent_skills`);
-    } catch (err) {
-      log.debug(`DB skill sync error for "${name}": ${err}`);
+      if (skill) skill.dbId = id;
     }
   }
   async logInvocation(skillName, options) {
     if (!this.userId) return;
     const skill = this.skills.get(skillName);
-    const skillDbId = skill?.dbId;
-    if (!skillDbId) {
+    if (!skill?.dbId) {
       log.debug(`Cannot log invocation: skill "${skillName}" has no DB ID`);
       return;
     }
-    try {
-      await callMcpHandler("skill.log_invocation", {
-        skill_id: skillDbId,
-        message_id: options?.messageId || null,
-        session_id: options?.sessionId || null,
-        task_prompt: options?.taskPrompt?.slice(0, 500) || null,
-        arguments: options?.arguments || null,
-        success: options?.success ?? null
-      });
-    } catch (err) {
-      log.debug(`Invocation log error: ${err}`);
-    }
+    await logSkillInvocation(skill.dbId, options);
   }
   async searchDb(query, limit = 10) {
+    let agentResults = null;
     if (this.userId) {
-      try {
-        const data = await callMcpHandler("skill.search", {
-          query,
-          limit
-        });
-        if (data) {
-          return data.map((row) => ({
-            name: String(row.name),
-            description: String(row.description ?? ""),
-            emoji: String(row.emoji ?? ""),
-            source: String(row.source ?? "manual"),
-            invocationCount: typeof row.invocation_count === "number" ? row.invocation_count : 0
-          }));
+      agentResults = await searchSkillsInDb(query, limit);
+    }
+    if (!agentResults) {
+      agentResults = this.findRelevant(query, limit).map((s) => ({
+        name: s.name,
+        description: s.description,
+        emoji: s.metadata.emoji || "",
+        source: s.source,
+        invocationCount: 0
+      }));
+    }
+    if (agentResults.length === 0 && this.userId) {
+      const discovered = await discoverSkills(query, limit, []);
+      if (discovered && discovered.length > 0) {
+        for (const d of discovered) {
+          agentResults.push({
+            name: d.name,
+            description: d.description || "",
+            emoji: d.emoji || "",
+            source: d.source || "external",
+            invocationCount: 0,
+            marketplaceId: d.id
+          });
         }
-      } catch {
       }
     }
-    const results = this.findRelevant(query, limit);
-    return results.map((s) => ({
-      name: s.name,
-      description: s.description,
-      emoji: s.metadata.emoji || "",
-      source: s.source,
-      invocationCount: 0
-    }));
+    return agentResults;
   }
-  async removeFromDb(name) {
-    if (!this.userId) return;
+  // ── Marketplace Discovery ────────────────────────────────────
+  /**
+   * Preview a marketplace skill by name without adding it.
+   * Returns the DiscoverResult if an exact match is found, so the caller
+   * can show details to the user for confirmation before adding.
+   */
+  async previewMarketplaceSkill(name) {
+    if (!this.userId) return null;
     try {
-      await callMcpHandler("skill.remove", { name });
-    } catch {
+      const discovered = await discoverSkills(name, 5, []);
+      if (!discovered || discovered.length === 0) return null;
+      const match = discovered.find((d) => d.name === name);
+      return match || null;
+    } catch (err) {
+      log.debug(`previewMarketplaceSkill error for "${name}": ${err}`);
+      return null;
     }
   }
-  // ── Marketplace ────────────────────────────────────────────────────
+  // ── Marketplace (delegated) ───────────────────────────────────
   async publish(name, options) {
     if (!this.userId) return null;
     const skill = this.skills.get(name);
     if (!skill) return null;
-    if (skill.source === "external") {
-      log.debug(`Cannot publish external skill "${name}"`);
-      return null;
-    }
-    try {
-      const data = await callMcpHandler("skill.publish", {
-        name: skill.name,
-        description: skill.description,
-        version: skill.version,
-        emoji: skill.metadata.emoji || null,
-        content: skill.content,
-        argument_hint: skill.argumentHint || null,
-        keywords: skill.keywords,
-        allowed_tools: skill.allowedTools,
-        author_name: options?.authorName || null,
-        metadata: skill.metadata,
-        homepage: skill.homepage || null,
-        category: options?.category || null,
-        source: skill.source
-      });
-      log.info(`Skill "${name}" published to marketplace`);
-      return data;
-    } catch (err) {
-      log.debug(`Publish error: ${err}`);
-      return null;
-    }
+    return publishSkill(skill, options);
   }
   async browse(options) {
-    try {
-      const data = await callMcpHandler("skill.browse", {
-        query: options?.query || null,
-        category: options?.category || null,
-        sort: options?.sort || "popular",
-        limit: options?.limit || 20,
-        offset: options?.offset || 0
-      });
-      return (data || []).map((r) => safeParse(BrowseSkillRowSchema, r)).filter(Boolean).map((r) => ({
-        id: r.id,
-        name: r.name,
-        description: r.description,
-        emoji: r.emoji,
-        version: r.version,
-        authorName: r.author_name,
-        category: r.category,
-        installCount: r.install_count,
-        avgRating: r.avg_rating ?? null,
-        ratingCount: r.rating_count
-      }));
-    } catch {
-      return [];
-    }
+    return browseSkills(options);
   }
 };
-function validateSkillName(name) {
-  if (!name || name.length === 0) return "name is empty";
-  if (name.length > 64) return `name too long (${name.length}/64 chars)`;
-  if (!/^[a-z0-9]+(-[a-z0-9]+)*$/.test(name)) {
-    return `name must be lowercase kebab-case (a-z, 0-9, hyphens), no leading/trailing/consecutive hyphens. Got: "${name}"`;
-  }
-  return null;
-}
-function normalizeSkillName(name) {
-  return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").replace(/-{2,}/g, "-").slice(0, 64);
-}
-function substituteArguments(content, args) {
-  const parts = args.split(/\s+/);
-  content = content.replace(/\$ARGUMENTS/g, args);
-  content = content.replace(/\$ARGUMENTS\[(\d+)\]/g, (_, i) => parts[parseInt(i)] || "");
-  content = content.replace(/\$(\d+)(?!\w)/g, (_, i) => parts[parseInt(i)] || "");
-  return content;
-}
-var SAFE_DYNAMIC_COMMANDS = /^(date|whoami|hostname|uname|pwd|echo|node\s+--version|npm\s+--version|git\s+(branch|rev-parse|log\s+--oneline)|cat\s+)/;
-function preprocessDynamicContext(content, cwd) {
-  return content.replace(/!`([^`]+)`/g, (_, cmd) => {
-    if (!SAFE_DYNAMIC_COMMANDS.test(cmd.trim())) {
-      return `[command blocked: ${cmd}]`;
-    }
-    try {
-      return execSync2(cmd, { timeout: 1e4, encoding: "utf-8", cwd }).trim();
-    } catch {
-      return `[command failed: ${cmd}]`;
-    }
-  });
-}
 
 // src/credentials/credential-store.ts
 import { randomUUID } from "crypto";
@@ -3011,7 +3232,7 @@ import { dirname } from "path";
 import { createCipheriv, createDecipheriv, randomBytes, scryptSync, createHash } from "crypto";
 import { existsSync as existsSync2, readFileSync, writeFileSync, mkdirSync as mkdirSync2 } from "fs";
 import { join as join2 } from "path";
-import { homedir as homedir2, hostname, userInfo } from "os";
+import { hostname, userInfo, homedir as homedir2 } from "os";
 var ALGORITHM = "aes-256-gcm";
 var KEY_LENGTH = 32;
 var IV_LENGTH = 12;
@@ -3035,10 +3256,7 @@ function deriveKey(basePath) {
 function encrypt(plaintext, key) {
   const iv = randomBytes(IV_LENGTH);
   const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
-  const encrypted = Buffer.concat([
-    cipher.update(plaintext, "utf-8"),
-    cipher.final()
-  ]);
+  const encrypted = Buffer.concat([cipher.update(plaintext, "utf-8"), cipher.final()]);
   return {
     iv: iv.toString("base64"),
     data: encrypted.toString("base64"),
@@ -3051,28 +3269,23 @@ function decrypt(payload, key) {
   const tag = Buffer.from(payload.tag, "base64");
   const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: AUTH_TAG_LENGTH });
   decipher.setAuthTag(tag);
-  return Buffer.concat([
-    decipher.update(data),
-    decipher.final()
-  ]).toString("utf-8");
+  return Buffer.concat([decipher.update(data), decipher.final()]).toString("utf-8");
 }
 
 // src/credentials/local-store.ts
 import Database from "better-sqlite3";
 import { existsSync as existsSync3, mkdirSync as mkdirSync3 } from "fs";
 import { join as join3 } from "path";
-import { homedir as homedir3 } from "os";
-var DEFAULT_DB_DIR = join3(homedir3(), ".config", "assistme");
 var DEFAULT_DB_NAME = "local.db";
 var LocalStore = class {
   db;
   dbPath;
   constructor(dbPath) {
-    const dir = dbPath ? dbPath : DEFAULT_DB_DIR;
+    const dir = dbPath ? dbPath : getDataDir();
     if (!existsSync3(dir)) {
       mkdirSync3(dir, { recursive: true, mode: 448 });
     }
-    this.dbPath = dbPath ? join3(dbPath, DEFAULT_DB_NAME) : join3(DEFAULT_DB_DIR, DEFAULT_DB_NAME);
+    this.dbPath = join3(dir, DEFAULT_DB_NAME);
     this.db = new Database(this.dbPath);
     this.db.pragma("journal_mode = WAL");
     this.db.pragma("foreign_keys = ON");
@@ -3273,8 +3486,72 @@ function getCredentialStore() {
   return _instance2;
 }
 
+// src/agent/sdk-stream.ts
+async function consumeSDKStream(stream, handlers) {
+  let response = "";
+  let sessionId;
+  let tokenUsage;
+  let costUsd;
+  let numTurns;
+  let structuredOutput;
+  const errors = [];
+  for await (const message of stream) {
+    const msg = message;
+    switch (msg.type) {
+      case "assistant": {
+        const assistantMsg = message;
+        for (const block of assistantMsg.message.content) {
+          if (block.type === "text") {
+            response += block.text;
+            if (handlers?.onText) await handlers.onText(block.text);
+          } else if (block.type === "thinking" && "thinking" in block) {
+            const thinkingText = block.thinking;
+            if (handlers?.onThinking) await handlers.onThinking(thinkingText);
+          }
+        }
+        break;
+      }
+      case "result": {
+        const resultMsg = message;
+        tokenUsage = {
+          input_tokens: resultMsg.usage.input_tokens,
+          output_tokens: resultMsg.usage.output_tokens
+        };
+        if (resultMsg.subtype === "success") {
+          const successMsg = resultMsg;
+          if (!response && successMsg.result) {
+            response = successMsg.result;
+          }
+          sessionId = successMsg.session_id;
+          costUsd = successMsg.total_cost_usd;
+          numTurns = successMsg.num_turns;
+          structuredOutput = successMsg.structured_output;
+        } else {
+          const errMsg = resultMsg;
+          for (const err of errMsg.errors) {
+            errors.push(err);
+            if (handlers?.onError) await handlers.onError(err);
+          }
+        }
+        break;
+      }
+      default: {
+        if (msg.type === "system" && "subtype" in msg) {
+          const sysMsg = msg;
+          if (sysMsg.subtype === "init" && sysMsg.session_id) {
+            sessionId = sysMsg.session_id;
+          }
+        }
+        break;
+      }
+    }
+  }
+  return { response, sessionId, tokenUsage, costUsd, numTurns, structuredOutput, errors };
+}
+
 // src/tools/shell.ts
 import { exec } from "child_process";
+import { resolve, relative, sep } from "path";
 var BLOCKED_PATTERNS = [
   /rm\s+(-\w*\s+)*-\w*r\w*\s+\/($|\s)/i,
   // rm -rf /, rm -fr /, etc.
@@ -3297,16 +3574,54 @@ var BLOCKED_PATTERNS = [
   /\bsystemctl\s+(start|stop|disable|mask)\b/i
   // dangerous systemctl ops
 ];
+var SHELL_WRAPPER_PATTERNS = [
+  /\b(?:bash|sh|zsh|dash|ksh|csh)\s+(?:-\w+\s+)*-c\s+/i,
+  // bash -c "...", sh -c "..."
+  /\beval\s+/i,
+  // eval "..."
+  /\bexec\s+/i,
+  // exec "..."
+  /\bsource\s+\/dev\/stdin/i
+  // source /dev/stdin <<< "..."
+];
+function extractInnerCommand(command) {
+  for (const pattern of SHELL_WRAPPER_PATTERNS) {
+    const match = command.match(pattern);
+    if (match) {
+      const rest = command.slice(match.index + match[0].length);
+      const trimmed = rest.trim();
+      if (trimmed.startsWith('"') && trimmed.endsWith('"') || trimmed.startsWith("'") && trimmed.endsWith("'")) {
+        return trimmed.slice(1, -1);
+      }
+      return trimmed;
+    }
+  }
+  return null;
+}
 function isBlocked(command) {
-  return BLOCKED_PATTERNS.some((pattern) => pattern.test(command));
+  if (BLOCKED_PATTERNS.some((pattern) => pattern.test(command))) {
+    return true;
+  }
+  const inner = extractInnerCommand(command);
+  if (inner && isBlocked(inner)) {
+    return true;
+  }
+  return false;
 }
 async function executeShell(command, cwd) {
   if (isBlocked(command)) {
     throw new AppError(`Command blocked for safety: "${command}"`, "COMMAND_BLOCKED");
   }
   const config = getConfig();
-  const workDir = cwd || config.workspacePath;
-  return new Promise((resolve) => {
+  const workDir = cwd ? resolve(cwd) : config.workspacePath;
+  const rel = relative(config.workspacePath, workDir);
+  if (rel.startsWith("..") || rel.startsWith(sep + sep)) {
+    throw new AppError(
+      `Access denied: cwd "${cwd}" is outside workspace "${config.workspacePath}"`,
+      "PATH_TRAVERSAL"
+    );
+  }
+  return new Promise((resolve2) => {
     exec(
       command,
       {
@@ -3334,7 +3649,7 @@ ${stderr}` : "";
 
 [Output truncated at ${SHELL_MAX_OUTPUT} bytes]`;
         }
-        resolve(output || "(no output)");
+        resolve2(output || "(no output)");
       }
     );
   });
@@ -3371,13 +3686,11 @@ export {
   listScheduledTasks,
   toggleScheduledTask,
   deleteScheduledTask,
+  consumeSDKStream,
   executeShell,
   MemoryManager,
+  LRUCache,
   SkillManager,
-  validateSkillName,
-  normalizeSkillName,
-  substituteArguments,
-  preprocessDynamicContext,
   getLocalStore,
   getCredentialStore
 };