autosnippet 2.7.0 → 2.8.0

package/lib/external/mcp/handlers/skill.js

@@ -14,6 +14,7 @@ import fs from 'node:fs';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { getProjectSkillsPath } from '../../../infrastructure/config/Paths.js';
+import pathGuard from '../../../shared/PathGuard.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const SKILLS_DIR = path.resolve(__dirname, '../../../../skills');
@@ -282,6 +283,8 @@ export function createSkill(_ctx, args) {
 
   // ── 写入 SKILL.md ──
   try {
+    // 路径安全检查 — name 来自用户输入，可能含路径字符
+    pathGuard.assertProjectWriteSafe(skillDir);
     fs.mkdirSync(skillDir, { recursive: true });
 
     // 自动推断 title: 优先使用传入参数，否则从 content 的第一个 # heading 提取
@@ -385,6 +388,7 @@ function _regenerateEditorIndex() {
     ].join('\n');
 
     // 写入 .cursor/rules/
+    pathGuard.assertProjectWriteSafe(rulesDir);
     fs.mkdirSync(rulesDir, { recursive: true });
     const indexPath = path.join(rulesDir, 'autosnippet-skills.mdc');
     fs.writeFileSync(indexPath, mdcContent, 'utf8');
@@ -395,6 +399,204 @@ function _regenerateEditorIndex() {
   }
 }
 
+// ═══════════════════════════════════════════════════════════
+// Handler: deleteSkill
+// ═══════════════════════════════════════════════════════════
+
+/**
+ * 删除项目级 Skill — 移除 {projectRoot}/AutoSnippet/skills/<name>/ 整个目录
+ * 内置 Skill 不可删除。删除后自动 regenerate 编辑器索引。
+ *
+ * @param {object} _ctx  MCP context
+ * @param {object} args  { name: string }
+ * @returns {string} JSON envelope
+ */
+export function deleteSkill(_ctx, args) {
+  const { name } = args || {};
+
+  if (!name) {
+    return JSON.stringify({
+      success: false,
+      error: { code: 'MISSING_PARAM', message: 'name is required' },
+    });
+  }
+
+  // 不允许删除内置 Skill
+  const builtinSkillPath = path.join(SKILLS_DIR, name);
+  if (fs.existsSync(builtinSkillPath)) {
+    return JSON.stringify({
+      success: false,
+      error: {
+        code: 'BUILTIN_PROTECTED',
+        message: `"${name}" is a built-in Skill and cannot be deleted.`,
+      },
+    });
+  }
+
+  // 检查项目级 Skill 是否存在
+  const projectSkillsDir = _getProjectSkillsDir();
+  const skillDir = path.join(projectSkillsDir, name);
+  if (!fs.existsSync(skillDir)) {
+    return JSON.stringify({
+      success: false,
+      error: {
+        code: 'SKILL_NOT_FOUND',
+        message: `Project skill "${name}" not found.`,
+      },
+    });
+  }
+
+  // ── 路径安全检查 ──
+  try {
+    pathGuard.assertProjectWriteSafe(skillDir);
+  } catch (err) {
+    return JSON.stringify({
+      success: false,
+      error: { code: 'PATH_GUARD', message: err.message },
+    });
+  }
+
+  // ── 删除目录 ──
+  try {
+    fs.rmSync(skillDir, { recursive: true, force: true });
+  } catch (err) {
+    return JSON.stringify({
+      success: false,
+      error: { code: 'DELETE_ERROR', message: `Failed to delete skill: ${err.message}` },
+    });
+  }
+
+  // ── regenerate 编辑器索引 ──
+  const indexResult = _regenerateEditorIndex();
+
+  return JSON.stringify({
+    success: true,
+    data: {
+      skillName: name,
+      deleted: true,
+      editorIndex: indexResult,
+      hint: `Skill "${name}" deleted successfully.`,
+    },
+  });
+}
+
+// ═══════════════════════════════════════════════════════════
+// Handler: updateSkill
+// ═══════════════════════════════════════════════════════════
+
+/**
+ * 更新项目级 Skill — 修改 description 和/或 content
+ * 内置 Skill 不可更新。更新后自动 regenerate 编辑器索引。
+ *
+ * @param {object} _ctx  MCP context
+ * @param {object} args  { name, description?, content? }
+ * @returns {string} JSON envelope
+ */
+export function updateSkill(_ctx, args) {
+  const { name, description, content } = args || {};
+
+  if (!name) {
+    return JSON.stringify({
+      success: false,
+      error: { code: 'MISSING_PARAM', message: 'name is required' },
+    });
+  }
+
+  if (!description && !content) {
+    return JSON.stringify({
+      success: false,
+      error: { code: 'NOTHING_TO_UPDATE', message: 'At least one of description or content must be provided.' },
+    });
+  }
+
+  // 不允许更新内置 Skill
+  const builtinSkillPath = path.join(SKILLS_DIR, name, 'SKILL.md');
+  if (fs.existsSync(builtinSkillPath)) {
+    return JSON.stringify({
+      success: false,
+      error: {
+        code: 'BUILTIN_PROTECTED',
+        message: `"${name}" is a built-in Skill and cannot be updated. Fork it as a project skill instead.`,
+      },
+    });
+  }
+
+  // 检查项目级 Skill 是否存在
+  const projectSkillsDir = _getProjectSkillsDir();
+  const skillPath = path.join(projectSkillsDir, name, 'SKILL.md');
+  if (!fs.existsSync(skillPath)) {
+    return JSON.stringify({
+      success: false,
+      error: {
+        code: 'SKILL_NOT_FOUND',
+        message: `Project skill "${name}" not found. Use autosnippet_create_skill to create it first.`,
+      },
+    });
+  }
+
+  try {
+    // ── 读取现有文件 ──
+    const existing = fs.readFileSync(skillPath, 'utf8');
+
+    // 解析现有 frontmatter
+    const fmMatch = existing.match(/^---\n([\s\S]*?)\n---\n?([\s\S]*)$/);
+    let oldFm = '';
+    let oldBody = existing;
+    if (fmMatch) {
+      oldFm = fmMatch[1];
+      oldBody = fmMatch[2];
+    }
+
+    // 解析已有字段
+    const getField = (fm, key) => {
+      const m = fm.match(new RegExp(`^${key}:\\s*(.+?)$`, 'm'));
+      return m ? m[1].trim() : null;
+    };
+
+    const newDesc = description || getField(oldFm, 'description') || name;
+    const newBody = content !== undefined && content !== null ? content : oldBody;
+
+    // 保留原有字段
+    const createdBy = getField(oldFm, 'createdBy') || 'external-ai';
+    const createdAt = getField(oldFm, 'createdAt') || new Date().toISOString();
+    const title = getField(oldFm, 'title');
+
+    // 重建 frontmatter
+    const fmLines = ['---', `name: ${name}`];
+    if (title) fmLines.push(`title: ${title}`);
+    fmLines.push(
+      `description: ${newDesc}`,
+      `createdBy: ${createdBy}`,
+      `createdAt: ${createdAt}`,
+      `updatedAt: ${new Date().toISOString()}`,
+      '---',
+      '',
+    );
+
+    pathGuard.assertProjectWriteSafe(path.join(projectSkillsDir, name));
+    fs.writeFileSync(skillPath, fmLines.join('\n') + newBody, 'utf8');
+  } catch (err) {
+    return JSON.stringify({
+      success: false,
+      error: { code: 'UPDATE_ERROR', message: `Failed to update skill: ${err.message}` },
+    });
+  }
+
+  // ── regenerate 编辑器索引 ──
+  const indexResult = _regenerateEditorIndex();
+
+  return JSON.stringify({
+    success: true,
+    data: {
+      skillName: name,
+      updated: true,
+      fieldsUpdated: [description ? 'description' : null, content ? 'content' : null].filter(Boolean),
+      editorIndex: indexResult,
+      hint: `Skill "${name}" updated. Use autosnippet_load_skill to verify content.`,
+    },
+  });
+}
+
 // ═══════════════════════════════════════════════════════════
 // Handler: suggestSkills
 // ═══════════════════════════════════════════════════════════

package/lib/external/mcp/tools.js

@@ -1,5 +1,5 @@
 /**
- * MCP 工具定义（34 个）+ Gateway 映射
+ * MCP 工具定义（38 个）+ Gateway 映射
  *
  * 只包含 JSON Schema 级别的声明，不含任何业务逻辑。
  */
@@ -18,6 +18,8 @@ export const TOOL_GATEWAY_MAP = {
   autosnippet_bootstrap_knowledge: { action: 'knowledge:bootstrap', resource: 'knowledge' },
   autosnippet_bootstrap_refine: { action: 'candidate:update', resource: 'candidates' },
   autosnippet_create_skill: { action: 'create:skills', resource: 'skills' },
+  autosnippet_delete_skill: { action: 'delete:skills', resource: 'skills' },
+  autosnippet_update_skill: { action: 'update:skills', resource: 'skills' },
 };
 
 export const TOOLS = [
@@ -684,6 +686,57 @@ export const TOOLS = [
       '  • 候选被大量驳回时',
     inputSchema: { type: 'object', properties: {}, required: [] },
   },
+  // 37. 删除项目级 Skill
+  {
+    name: 'autosnippet_delete_skill',
+    description:
+      '删除一个项目级 Skill 及其目录。\n' +
+      '⚠️ 内置 Skill 不可删除。删除后自动更新编辑器索引。\n' +
+      '\n' +
+      '使用场景：\n' +
+      '  • 清理不再需要的自定义 Skill\n' +
+      '  • 移除过时或错误的操作指南',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        name: {
+          type: 'string',
+          description: 'Skill 名称（如 my-auth-guide）',
+        },
+      },
+      required: ['name'],
+    },
+  },
+  // 38. 更新项目级 Skill
+  {
+    name: 'autosnippet_update_skill',
+    description:
+      '更新已存在的项目级 Skill 的描述或内容。\n' +
+      '⚠️ 内置 Skill 不可更新。更新后自动刷新编辑器索引。\n' +
+      '\n' +
+      '使用场景：\n' +
+      '  • 迭代改进已有 Skill 的操作指南\n' +
+      '  • 更新过时的最佳实践内容\n' +
+      '  • 修正 Skill 描述或补充新章节',
+    inputSchema: {
+      type: 'object',
+      properties: {
+        name: {
+          type: 'string',
+          description: 'Skill 名称（必须已存在于项目级 Skills 中）',
+        },
+        description: {
+          type: 'string',
+          description: '新的一句话描述（可选，不传则保持原值）',
+        },
+        content: {
+          type: 'string',
+          description: '新的正文内容（Markdown 格式，不含 frontmatter）。不传则保持原值',
+        },
+      },
+      required: ['name'],
+    },
+  },
   // 36. ② 内容润色：Bootstrap 候选 AI 精炼（Phase 6）
   {
     name: 'autosnippet_bootstrap_refine',

package/lib/http/routes/ai.js

@@ -1,9 +1,11 @@
 /**
  * AI API 路由
- * AI 提供商管理、摘要、翻译、对话
+ * AI 提供商管理、摘要、翻译、对话、.env LLM 配置
  */
 
 import express from 'express';
+import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
 import { asyncHandler } from '../middleware/errorHandler.js';
 import { getServiceContainer } from '../../injection/ServiceContainer.js';
 import { createProvider } from '../../external/ai/AiFactory.js';
@@ -244,4 +246,156 @@ router.post('/format-usage-guide', asyncHandler(async (req, res) => {
   res.json({ success: true, data: { formatted } });
 }));
 
+// ═══════════════════════════════════════════════════════
+//  .env LLM 配置读写
+// ═══════════════════════════════════════════════════════
+
+/** 获取用户项目目录下 .env 的路径 */
+function _getProjectEnvPath() {
+  const container = getServiceContainer();
+  const projectRoot = container.singletons?._projectRoot || process.env.ASD_PROJECT_DIR || process.cwd();
+  return join(projectRoot, '.env');
+}
+
+/** LLM 相关的 env 变量名 → 标签映射 */
+const LLM_ENV_KEYS = [
+  'ASD_AI_PROVIDER',
+  'ASD_AI_MODEL',
+  'ASD_GOOGLE_API_KEY',
+  'ASD_OPENAI_API_KEY',
+  'ASD_CLAUDE_API_KEY',
+  'ASD_DEEPSEEK_API_KEY',
+  'ASD_AI_PROXY',
+];
+
+/**
+ * 解析 .env 内容为 key-value（仅提取 LLM 相关变量）
+ * 返回 { vars, hasEnvFile, llmReady }
+ *   llmReady: provider + 至少一个对应 API Key 已配置
+ */
+function parseLlmEnv(envPath) {
+  if (!existsSync(envPath)) {
+    return { vars: {}, hasEnvFile: false, llmReady: false };
+  }
+
+  const raw = readFileSync(envPath, 'utf8');
+  const vars = {};
+
+  for (const line of raw.split('\n')) {
+    const trimmed = line.trim();
+    // 跳过注释和空行
+    if (!trimmed || trimmed.startsWith('#')) continue;
+    const eqIdx = trimmed.indexOf('=');
+    if (eqIdx === -1) continue;
+    const key = trimmed.slice(0, eqIdx).trim();
+    const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
+    if (LLM_ENV_KEYS.includes(key)) {
+      vars[key] = val;
+    }
+  }
+
+  // 判断 LLM 是否可用：有 provider + 对应的 API Key
+  const provider = vars.ASD_AI_PROVIDER || '';
+  const keyMap = {
+    google: 'ASD_GOOGLE_API_KEY',
+    openai: 'ASD_OPENAI_API_KEY',
+    claude: 'ASD_CLAUDE_API_KEY',
+    deepseek: 'ASD_DEEPSEEK_API_KEY',
+    ollama: '', // ollama 不需要 key
+    mock: '',   // mock 不需要 key
+  };
+  const neededKey = keyMap[provider] || '';
+  const llmReady = !!provider && (!neededKey || !!vars[neededKey]);
+
+  return { vars, hasEnvFile: true, llmReady };
+}
+
+/**
+ * GET /api/v1/ai/env-config
+ * 读取用户项目 .env 中的 LLM 配置
+ */
+router.get('/env-config', asyncHandler(async (req, res) => {
+  const envPath = _getProjectEnvPath();
+  const result = parseLlmEnv(envPath);
+  res.json({ success: true, data: result });
+}));
+
+/**
+ * POST /api/v1/ai/env-config
+ * 写入 / 更新用户项目 .env 中的 LLM 配置
+ *
+ * Body: { provider, model, apiKey, proxy? }
+ */
+router.post('/env-config', asyncHandler(async (req, res) => {
+  const { provider, model, apiKey, proxy } = req.body;
+  if (!provider || typeof provider !== 'string') {
+    throw new ValidationError('provider is required');
+  }
+
+  const envPath = _getProjectEnvPath();
+  let content = existsSync(envPath) ? readFileSync(envPath, 'utf8') : '';
+
+  // 构建 key-value 更新列表
+  const updates = {
+    ASD_AI_PROVIDER: provider,
+  };
+  if (model) updates.ASD_AI_MODEL = model;
+  if (proxy) updates.ASD_AI_PROXY = proxy;
+
+  // 根据 provider 决定写入哪个 API Key 变量
+  const providerKeyMap = {
+    google: 'ASD_GOOGLE_API_KEY',
+    openai: 'ASD_OPENAI_API_KEY',
+    claude: 'ASD_CLAUDE_API_KEY',
+    deepseek: 'ASD_DEEPSEEK_API_KEY',
+  };
+  const keyName = providerKeyMap[provider];
+  if (keyName && apiKey) {
+    updates[keyName] = apiKey;
+  }
+
+  // 逐条合并到 .env 内容
+  for (const [k, v] of Object.entries(updates)) {
+    // 匹配已有行（包括被注释的行）
+    const activeRe = new RegExp(`^${k}\\s*=.*$`, 'm');
+    const commentedRe = new RegExp(`^#\\s*${k}\\s*=.*$`, 'm');
+
+    if (activeRe.test(content)) {
+      // 替换已有活动行
+      content = content.replace(activeRe, `${k}=${v}`);
+    } else if (commentedRe.test(content)) {
+      // 取消注释并赋值
+      content = content.replace(commentedRe, `${k}=${v}`);
+    } else {
+      // 追加到末尾
+      if (!content.endsWith('\n')) content += '\n';
+      content += `${k}=${v}\n`;
+    }
+  }
+
+  writeFileSync(envPath, content);
+  logger.info('LLM env config updated', { provider, model });
+
+  // 同步到当前进程环境变量（热生效）
+  for (const [k, v] of Object.entries(updates)) {
+    process.env[k] = v;
+  }
+
+  // 尝试热切换 AI Provider
+  try {
+    const newProvider = createProvider({
+      provider: provider.toLowerCase(),
+      model: model || undefined,
+    });
+    const container = getServiceContainer();
+    container.singletons.aiProvider = newProvider;
+    logger.info('AI provider hot-swapped after env update', { provider, model: newProvider.model });
+  } catch (err) {
+    logger.debug('Hot-swap AI provider failed (will take effect on restart)', { error: err.message });
+  }
+
+  const result = parseLlmEnv(envPath);
+  res.json({ success: true, data: result });
+}));
+
 export default router;

package/lib/infrastructure/config/Paths.js

@@ -1,5 +1,6 @@
 import path from 'node:path';
 import fs from 'node:fs';
+import pathGuard from '../../shared/PathGuard.js';
 
 /**
  * Paths — 项目路径解析工具
@@ -14,6 +15,8 @@ const USER_HOME = process.env.HOME || process.env.USERPROFILE || '';
 /** 确保目录存在（静默处理异常） */
 function ensureDir(dirPath) {
   try {
+    // 双层路径安全检查 — 阻止在项目允许范围外创建文件夹
+    pathGuard.assertProjectWriteSafe(dirPath);
     if (!fs.existsSync(dirPath)) {
       fs.mkdirSync(dirPath, { recursive: true });
     }

package/lib/infrastructure/database/DatabaseConnection.js

@@ -2,6 +2,7 @@ import Database from 'better-sqlite3';
 import fs from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
+import pathGuard from '../../shared/PathGuard.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -20,9 +21,13 @@ export class DatabaseConnection {
    */
   async connect() {
     const dbPath = this.config.path;
+
+    // 路径安全检查 — 防止 DB 文件创建到项目允许范围外
+    const resolvedDbPath = path.resolve(dbPath);
+    pathGuard.assertProjectWriteSafe(resolvedDbPath);
     
     // 确保数据目录存在
-    const dbDir = path.dirname(dbPath);
+    const dbDir = path.dirname(resolvedDbPath);
     if (!fs.existsSync(dbDir)) {
       fs.mkdirSync(dbDir, { recursive: true });
     }

package/lib/infrastructure/vector/JsonVectorAdapter.js

@@ -7,6 +7,7 @@
 import { VectorStore } from './VectorStore.js';
 import { writeFileSync, readFileSync, mkdirSync, existsSync, statSync } from 'node:fs';
 import { join, dirname } from 'node:path';
+import pathGuard from '../../shared/PathGuard.js';
 
 export class JsonVectorAdapter extends VectorStore {
   #indexPath;
@@ -238,6 +239,7 @@ export class JsonVectorAdapter extends VectorStore {
     if (!this.#dirty) return;
     try {
       const dir = dirname(this.#indexPath);
+      pathGuard.assertProjectWriteSafe(dir);
       if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
       const items = [...this.#data.values()];
       writeFileSync(this.#indexPath, JSON.stringify(items, null, 2));

package/lib/service/automation/handlers/AlinkHandler.js

@@ -1,7 +1,12 @@
 /**
  * AlinkHandler — 处理 alink 指令
+ *
+ * 解析编辑器中的 alink 触发行，提取 completionKey，
+ * 通过数据库查找匹配的 Recipe，打开 Dashboard 详情页。
  */
 
+import { getServiceContainer } from '../../../injection/ServiceContainer.js';
+
 /**
  * @param {string} alinkLine
  */
@@ -19,11 +24,45 @@ export async function handleAlink(alinkLine) {
 
   if (completionKey != null) {
     try {
+      // 从 DI 容器获取数据库实例，查找匹配 trigger 的 Recipe
+      const container = getServiceContainer();
+      const db = container.get('database');
+
+      let recipeId = null;
+      if (db) {
+        try {
+          const row = db.prepare(
+            'SELECT id FROM recipes WHERE trigger = ? LIMIT 1',
+          ).get(completionKey);
+          if (row) recipeId = row.id;
+        } catch {
+          // DB 查询失败时回退到搜索
+        }
+
+        // 若精确匹配失败，尝试模糊搜索
+        if (!recipeId) {
+          try {
+            const escaped = completionKey.replace(/[%_\\]/g, ch => `\\${ch}`);
+            const row = db.prepare(
+              "SELECT id FROM recipes WHERE trigger LIKE ? ESCAPE '\\' OR title LIKE ? ESCAPE '\\' LIMIT 1",
+            ).get(`%${escaped}%`, `%${escaped}%`);
+            if (row) recipeId = row.id;
+          } catch { /* silent */ }
+        }
+      }
+
+      // 构建 Dashboard URL 并打开
+      const port = process.env.ASD_DASHBOARD_PORT || 3000;
+      const host = process.env.ASD_DASHBOARD_HOST || 'localhost';
+      const url = recipeId
+        ? `http://${host}:${port}/#/recipes/${recipeId}`
+        : `http://${host}:${port}/#/search?q=${encodeURIComponent(completionKey)}`;
+
       const open = (await import('open')).default;
-      // TODO: 从 V2 缓存系统获取 link
-      console.log(`[alink] completionKey=${completionKey} — V2 链接缓存待实现`);
-    } catch {
-      // 静默
+      await open(url);
+      console.log(`[alink] completionKey=${completionKey} → ${url}`);
+    } catch (err) {
+      console.warn(`[alink] Failed to open link: ${err.message}`);
     }
   }
 }

package/lib/service/candidate/CandidateFileWriter.js

@@ -19,6 +19,7 @@ import path from 'node:path';
 import { createHash } from 'node:crypto';
 import { CANDIDATES_DIR } from '../../infrastructure/config/Defaults.js';
 import Logger from '../../infrastructure/logging/Logger.js';
+import pathGuard from '../../shared/PathGuard.js';
 
 export { CANDIDATES_DIR };
 
@@ -175,6 +176,9 @@ export class CandidateFileWriter {
       const category = (candidate.category || 'general').toLowerCase();
       const categoryDir = path.join(this.candidatesDir, category);
 
+      // 路径安全检查 — 阻止 category 含 ../ 导致路径逃逸
+      pathGuard.assertProjectWriteSafe(categoryDir);
+
       if (!fs.existsSync(categoryDir)) {
         fs.mkdirSync(categoryDir, { recursive: true });
       }