auriga-cli 1.15.1 → 1.16.0

package/dist/skills.d.ts

@@ -8,3 +8,32 @@ export declare function planSkillInstallCommands(selected: string[], lock: Skill
 }[];
 export declare function installSkills(packageRoot: string, opts: InstallOpts): Promise<void>;
 export declare function installRecommendedSkills(packageRoot: string, opts: InstallOpts): Promise<void>;
+/**
+ * Uninstall a single skill by name. Strategy:
+ *   1. Try `npx -y skills remove <name>` (the canonical path; future-proof
+ *      against upstream-internal cleanup we don't know about).
+ *   2. If the CLI doesn't support `remove`, fall back to manual cleanup:
+ *      - rm `<cwd>/.claude/skills/<name>` (Claude Code view)
+ *      - rm `<cwd>/.agents/skills/<name>` (Codex / other agents view)
+ *      - remove the entry from `<cwd>/skills-lock.json` if present
+ *
+ * Idempotent: missing files / unknown skill names are no-ops, NOT errors.
+ * A repeated uninstall must succeed silently so the SSE caller can replay
+ * the request without special-casing.
+ */
+export declare function uninstallSkill(name: string, opts: {
+    cwd: string;
+    scope?: "project" | "user";
+    onLog?: (line: string) => void;
+}): Promise<void>;
+/**
+ * Manual fallback used when `npx skills remove` is unavailable. Exported
+ * for test coverage (the exec-success path doesn't exercise it).
+ *
+ * Steps (each idempotent):
+ *   - rm-rf `<cwd>/.claude/skills/<name>` if present
+ *   - rm-rf `<cwd>/.agents/skills/<name>` if present
+ *   - update `<cwd>/skills-lock.json` (drop the `.skills[name]` key,
+ *     atomic write) if present and the key exists
+ */
+export declare function uninstallSkillManual(name: string, cwd: string, onLog?: (line: string) => void, scope?: "project" | "user"): Promise<void>;

package/dist/skills.js

@@ -1,7 +1,8 @@
 import fs from "node:fs";
+import os from "node:os";
 import path from "node:path";
 import { checkbox, select } from "@inquirer/prompts";
-import { exec, log, withEsc } from "./utils.js";
+import { atomicWriteFile, exec, execAsync, log, withEsc } from "./utils.js";
 // Curated default-on set: skills that the workflow in the root CLAUDE.md
 // directly references. Anything else in skills-lock.json is surfaced via
 // installRecommendedSkills as an opt-in utility.
@@ -105,7 +106,16 @@ async function installSelected(entries, defaultChecked, opts) {
     for (const batch of batches) {
         console.log(`\nInstalling ${batch.skills.join(", ")} from ${batch.source}...`);
         try {
-            exec(batch.command, { inherit: true });
+            if (opts.onLog) {
+                // Web UI / non-TTY path — stream stdout/stderr through the per-line
+                // callback so SSE subscribers see install progress in real time
+                // (spec §6.4).
+                opts.onLog(`▸ ${batch.command}`, "stdout");
+                await execAsync(batch.command, { onLine: opts.onLog });
+            }
+            else {
+                exec(batch.command, { inherit: true });
+            }
             for (const name of batch.skills)
                 log.ok(`${name}: installed`);
         }
@@ -141,3 +151,136 @@ export async function installRecommendedSkills(packageRoot, opts) {
     const entries = Object.entries(lock.skills).filter(([name]) => !WORKFLOW_SKILLS.includes(name));
     await installSelected(entries, false, opts);
 }
+// --- Uninstall ----------------------------------------------------------------
+/**
+ * Detect "unknown subcommand" style failures from the upstream
+ * `npx skills` CLI so we can fall back to the manual cleanup path.
+ *
+ * Substring match instead of a strict regex: the upstream tool's error
+ * wording varies across versions (`Unknown command remove`,
+ * `unrecognized command 'remove'`, `error: invalid argument 'remove'`).
+ * We keep the filter broad so a CLI rename doesn't lock the fallback
+ * shut on the next minor release; safer to fall back on a recognized
+ * not-supported signal than to mask a different failure mode.
+ *
+ * If the upstream CLI ever stops emitting the substring `remove` in its
+ * "unsupported subcommand" path, this check will incorrectly propagate
+ * the error instead of falling back — at that point the user gets a
+ * loud failure (good), and we tighten the matcher.
+ */
+function isSkillsRemoveUnsupported(err) {
+    const text = err instanceof Error
+        ? `${err.message}\n${err.stderr ?? ""}`
+        : String(err);
+    return /unknown command|unrecognized command|invalid argument|unknown option|unsupported/i.test(text)
+        && /remove/i.test(text);
+}
+const SKILL_NAME_RE_STRICT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
+/**
+ * Uninstall a single skill by name. Strategy:
+ *   1. Try `npx -y skills remove <name>` (the canonical path; future-proof
+ *      against upstream-internal cleanup we don't know about).
+ *   2. If the CLI doesn't support `remove`, fall back to manual cleanup:
+ *      - rm `<cwd>/.claude/skills/<name>` (Claude Code view)
+ *      - rm `<cwd>/.agents/skills/<name>` (Codex / other agents view)
+ *      - remove the entry from `<cwd>/skills-lock.json` if present
+ *
+ * Idempotent: missing files / unknown skill names are no-ops, NOT errors.
+ * A repeated uninstall must succeed silently so the SSE caller can replay
+ * the request without special-casing.
+ */
+export async function uninstallSkill(name, opts) {
+    // Defensive: the CLI parser pre-validates skill names against the
+    // catalog before dispatch, but the server route doesn't, and we
+    // interpolate `name` into a shell command + filesystem path. Reject
+    // anything that didn't pass the install-side regex so a malformed
+    // input can't escape via either vector.
+    if (!SKILL_NAME_RE_STRICT.test(name)) {
+        throw new Error(`uninstallSkill: invalid skill name ${JSON.stringify(name)}`);
+    }
+    const cwd = path.resolve(opts.cwd);
+    const scope = opts.scope ?? "project";
+    // Install side maps outer `user` → internal `-g` (global). Mirror that
+    // on remove so user-scope skills aren't silently no-op'd.
+    const globalFlag = scope === "user" ? " -g" : "";
+    const emit = (line) => {
+        opts.onLog?.(line);
+    };
+    try {
+        exec(`npx -y skills remove ${name}${globalFlag}`, { cwd });
+        log.ok(`${name}: removed via skills CLI`);
+        emit(`removed ${name} via skills CLI`);
+        return;
+    }
+    catch (err) {
+        if (!isSkillsRemoveUnsupported(err)) {
+            throw err;
+        }
+        log.warn(`skills CLI doesn't support 'remove'; falling back to manual cleanup`);
+        emit(`skills CLI doesn't support 'remove'; falling back to manual cleanup`);
+    }
+    await uninstallSkillManual(name, cwd, emit, scope);
+}
+/**
+ * Manual fallback used when `npx skills remove` is unavailable. Exported
+ * for test coverage (the exec-success path doesn't exercise it).
+ *
+ * Steps (each idempotent):
+ *   - rm-rf `<cwd>/.claude/skills/<name>` if present
+ *   - rm-rf `<cwd>/.agents/skills/<name>` if present
+ *   - update `<cwd>/skills-lock.json` (drop the `.skills[name]` key,
+ *     atomic write) if present and the key exists
+ */
+export async function uninstallSkillManual(name, cwd, onLog, scope = "project") {
+    if (!SKILL_NAME_RE_STRICT.test(name)) {
+        throw new Error(`uninstallSkillManual: invalid skill name ${JSON.stringify(name)}`);
+    }
+    const emit = (line) => { onLog?.(line); };
+    // User scope cleans `~/.claude/skills/<name>` + `~/.agents/skills/<name>`.
+    // Project scope cleans `<cwd>/.claude/...` + `<cwd>/.agents/...`.
+    // The lockfile is per-project; user-scope uninstall never mutates it.
+    const baseDir = scope === "user" ? os.homedir() : cwd;
+    const claudeDir = path.join(baseDir, ".claude", "skills", name);
+    const agentsDir = path.join(baseDir, ".agents", "skills", name);
+    for (const [label, dir] of [
+        [".claude/skills", claudeDir],
+        [".agents/skills", agentsDir],
+    ]) {
+        if (fs.existsSync(dir) || fs.lstatSync(dir, { throwIfNoEntry: false })) {
+            fs.rmSync(dir, { recursive: true, force: true });
+            log.ok(`${label}/${name} removed`);
+            emit(`removed ${label}/${name}`);
+        }
+        else {
+            log.skip(`${label}/${name} not present`);
+        }
+    }
+    if (scope === "user") {
+        // No `~/skills-lock.json` to mutate.
+        return;
+    }
+    const lockPath = path.join(cwd, "skills-lock.json");
+    if (!fs.existsSync(lockPath)) {
+        emit(`skills-lock.json not present`);
+        return;
+    }
+    // Read + validate so we don't silently corrupt a hand-edited lockfile.
+    // If the user damaged it before calling us, throw — the install side's
+    // contract is "lockfile is authoritative", and writing back a partial
+    // tree would amplify their damage.
+    const raw = JSON.parse(fs.readFileSync(lockPath, "utf-8"));
+    validateSkillsLock(raw);
+    if (!(name in raw.skills)) {
+        emit(`${name} not in skills-lock.json`);
+        return;
+    }
+    // Build a shallow copy so we don't mutate `raw` in case the caller
+    // holds a reference. Object spread preserves insertion order of
+    // remaining keys (deterministic test output).
+    const nextSkills = { ...raw.skills };
+    delete nextSkills[name];
+    const next = { ...raw, skills: nextSkills };
+    atomicWriteFile(lockPath, JSON.stringify(next, null, 2) + "\n");
+    log.ok(`${name} removed from skills-lock.json`);
+    emit(`removed ${name} from skills-lock.json`);
+}

package/dist/state.d.ts

@@ -0,0 +1,63 @@
+import type { PluginState, StateReport } from "./api-types.js";
+export interface Catalog {
+    workflowVersion: string;
+    skills: Record<string, {
+        description: string;
+        expectedHash: string;
+        isWorkflow: boolean;
+    }>;
+    recommendedSkills: Record<string, {
+        description: string;
+        expectedHash: string;
+    }>;
+    plugins: Record<string, {
+        description: string;
+        /** Agents this plugin can install into. Length 1 or 2. */
+        agents: ("claude" | "codex")[];
+        expectedVersion?: string;
+    }>;
+    hooks: Record<string, {
+        description: string;
+        expectedHash: string;
+    }>;
+}
+export interface ScanOptions {
+    execPluginList?: () => Promise<{
+        installed: any[];
+        available: any[];
+    }>;
+    readCodexConfig?: () => Promise<string | null>;
+    readCodexPluginsDir?: () => Promise<Map<string, string>>;
+}
+export declare function scanState(projectRoot: string, catalog: Catalog, opts?: ScanOptions): Promise<StateReport>;
+/**
+ * Dedupe plugins by `id`, merging dual-Agent records into a single
+ * multi-agent row. Aggregation rules:
+ *
+ *   agents:  union of all agent arrays for this id (claude before codex).
+ *   status:  installed     ⇔ every agent's record is installed
+ *            not-installed ⇔ every agent's record is not-installed
+ *            otherwise     → update-available (partial install or any agent
+ *                            with a pending update). One Apply covers all
+ *                            gaps because the handler iterates `agents`.
+ *
+ * Non-status fields (description, currentVersion, expectedVersion,
+ * versionSource) come from the first record we see. Today both sides report
+ * the same description (catalog-driven) and the same versions for any
+ * registry-pinned plugin, so this is safe; if a future divergence appears
+ * we'll need a deliberate merge policy.
+ */
+export declare function mergePluginsById(records: PluginState[]): PluginState[];
+/** Default: run `claude plugins list --json` and `claude plugins list
+ *  --available --json`. Returns null is NOT an option here — server.ts
+ *  decides whether to pass this function based on `which claude`. */
+export declare function defaultExecPluginList(): Promise<{
+    installed: any[];
+    available: any[];
+}>;
+export declare function defaultReadCodexConfig(): Promise<string | null>;
+/** Walk `~/.codex/plugins/cache/<marketplace>/<plugin>/<version>/`, returning
+ *  the highest-mtime version per `<plugin>@<marketplace>` id. The version
+ *  semantics are catalog-pinned, so we surface the directory name verbatim
+ *  rather than try to semver-sort. */
+export declare function defaultReadCodexPluginsDir(): Promise<Map<string, string>>;