circle-ir-ai 1.1.0

package/dist/skills/bundle-loader.js

@@ -0,0 +1,284 @@
+/**
+ * Skill Bundle Loader
+ *
+ * Loads AI skill bundles from filesystem into SkillBundle structure.
+ */
+import * as fs from 'fs/promises';
+import * as path from 'path';
+/**
+ * Load a skill bundle from filesystem
+ *
+ * Expected structure:
+ * skill-directory/
+ * ├── SKILL.md                 # Instructions (required)
+ * ├── package.json             # Metadata (optional)
+ * ├── mcp-config.json          # MCP configuration (optional)
+ * ├── src/                     # Source code (optional)
+ * │   ├── index.ts
+ * │   └── ...
+ * └── plugin/                  # Plugin files (optional)
+ *     └── ...
+ */
+export async function loadSkillBundle(skillPath) {
+    // Resolve absolute path
+    const absPath = path.resolve(skillPath);
+    // Check if path exists
+    const stats = await fs.stat(absPath);
+    if (!stats.isDirectory()) {
+        throw new Error(`Skill path must be a directory: ${skillPath}`);
+    }
+    // Load SKILL.md (required)
+    const skillMd = await loadSkillMd(absPath);
+    // Load package.json for metadata (optional)
+    const metadata = await loadPackageJson(absPath);
+    // Load MCP config (optional)
+    const mcpConfig = await loadMCPConfig(absPath);
+    // Discover and load code files
+    const codeFiles = await loadCodeFiles(absPath);
+    // Discover and load plugin files (optional)
+    const pluginFiles = await loadPluginFiles(absPath);
+    return {
+        skillId: metadata.skillId || path.basename(absPath),
+        name: metadata.name || path.basename(absPath),
+        version: metadata.version || '0.0.0',
+        skillMd,
+        codeFiles,
+        mcpConfig,
+        pluginFiles,
+        rootPath: absPath,
+    };
+}
+/**
+ * Load SKILL.md file (required)
+ */
+async function loadSkillMd(skillPath) {
+    // Try different possible names
+    const possibleNames = ['SKILL.md', 'skill.md', 'INSTRUCTIONS.md', 'instructions.md', 'README.md'];
+    for (const name of possibleNames) {
+        const filePath = path.join(skillPath, name);
+        try {
+            const content = await fs.readFile(filePath, 'utf-8');
+            return content;
+        }
+        catch (error) {
+            // Try next name
+            continue;
+        }
+    }
+    throw new Error(`SKILL.md not found in ${skillPath}. Tried: ${possibleNames.join(', ')}`);
+}
+/**
+ * Load package.json for metadata (optional)
+ */
+async function loadPackageJson(skillPath) {
+    const pkgPath = path.join(skillPath, 'package.json');
+    try {
+        const content = await fs.readFile(pkgPath, 'utf-8');
+        const pkg = JSON.parse(content);
+        return {
+            skillId: pkg.skillId || pkg.name,
+            name: pkg.name,
+            version: pkg.version,
+        };
+    }
+    catch (error) {
+        // package.json is optional
+        return {};
+    }
+}
+/**
+ * Load MCP server configuration (optional)
+ */
+async function loadMCPConfig(skillPath) {
+    const possibleNames = ['mcp-config.json', 'mcp.json', '.mcp.json'];
+    for (const name of possibleNames) {
+        const filePath = path.join(skillPath, name);
+        try {
+            const content = await fs.readFile(filePath, 'utf-8');
+            const config = JSON.parse(content);
+            return config;
+        }
+        catch (error) {
+            // Try next name
+            continue;
+        }
+    }
+    // MCP config is optional
+    return undefined;
+}
+/**
+ * Discover and load code files recursively
+ */
+async function loadCodeFiles(skillPath) {
+    const codeFiles = [];
+    // Directories to scan for code
+    const codeDirs = ['src', 'lib', '.']; // Also check root directory
+    // Extensions to consider as code
+    const codeExtensions = ['.ts', '.js', '.tsx', '.jsx', '.py', '.java', '.rs'];
+    for (const dir of codeDirs) {
+        const dirPath = path.join(skillPath, dir);
+        try {
+            const files = await findFilesRecursive(dirPath, codeExtensions);
+            for (const file of files) {
+                const content = await fs.readFile(file, 'utf-8');
+                const relativePath = path.relative(skillPath, file);
+                const language = detectLanguageFromExtension(path.extname(file));
+                if (language) {
+                    codeFiles.push({
+                        path: relativePath,
+                        content,
+                        language,
+                    });
+                }
+            }
+        }
+        catch (error) {
+            // Directory might not exist, that's OK
+            continue;
+        }
+    }
+    return codeFiles;
+}
+/**
+ * Discover and load plugin files (optional)
+ */
+async function loadPluginFiles(skillPath) {
+    const pluginPath = path.join(skillPath, 'plugin');
+    try {
+        const stats = await fs.stat(pluginPath);
+        if (!stats.isDirectory()) {
+            return [];
+        }
+        // Load all files in plugin directory
+        return await loadCodeFiles(pluginPath);
+    }
+    catch (error) {
+        // Plugin directory is optional
+        return [];
+    }
+}
+/**
+ * Check if a file or directory is a test file/directory
+ */
+function isTestFileOrDirectory(name, isDirectory) {
+    // Test directory patterns
+    const testDirPatterns = ['__tests__', 'tests', 'test', '.test', '__test__', 'spec', '__specs__'];
+    // Test file patterns
+    const testFilePatterns = [
+        '.test.ts',
+        '.test.js',
+        '.test.tsx',
+        '.test.jsx',
+        '.spec.ts',
+        '.spec.js',
+        '.spec.tsx',
+        '.spec.jsx',
+        '.test.py',
+        '_test.py',
+        '.test.java',
+        '.test.rs',
+        'test.config.ts',
+        'test.config.js',
+        'vitest.config.ts',
+        'vitest.config.js',
+        'jest.config.ts',
+        'jest.config.js',
+    ];
+    if (isDirectory) {
+        // Check if directory name matches test patterns
+        return testDirPatterns.includes(name);
+    }
+    else {
+        // Check if file name matches test patterns
+        return testFilePatterns.some((pattern) => name.endsWith(pattern));
+    }
+}
+/**
+ * Find files recursively with specific extensions
+ */
+async function findFilesRecursive(dir, extensions) {
+    const files = [];
+    try {
+        const entries = await fs.readdir(dir, { withFileTypes: true });
+        for (const entry of entries) {
+            const fullPath = path.join(dir, entry.name);
+            if (entry.isDirectory()) {
+                // Skip node_modules, .git, hidden directories, and test directories
+                if (entry.name.startsWith('.') ||
+                    entry.name === 'node_modules' ||
+                    isTestFileOrDirectory(entry.name, true)) {
+                    continue;
+                }
+                // Recurse into subdirectory
+                const subFiles = await findFilesRecursive(fullPath, extensions);
+                files.push(...subFiles);
+            }
+            else if (entry.isFile()) {
+                // Skip test files
+                if (isTestFileOrDirectory(entry.name, false)) {
+                    continue;
+                }
+                const ext = path.extname(entry.name);
+                if (extensions.includes(ext)) {
+                    files.push(fullPath);
+                }
+            }
+        }
+    }
+    catch (error) {
+        // Directory might not exist or not accessible
+    }
+    return files;
+}
+/**
+ * Detect language from file extension
+ */
+function detectLanguageFromExtension(ext) {
+    switch (ext.toLowerCase()) {
+        case '.java':
+            return 'java';
+        case '.js':
+        case '.jsx':
+        case '.mjs':
+        case '.cjs':
+            return 'javascript';
+        case '.ts':
+        case '.tsx':
+        case '.mts':
+        case '.cts':
+            return 'typescript';
+        case '.py':
+            return 'python';
+        case '.rs':
+            return 'rust';
+        default:
+            return undefined;
+    }
+}
+/**
+ * Validate skill bundle structure
+ */
+export async function validateSkillBundle(bundle) {
+    const errors = [];
+    // Check required fields
+    if (!bundle.skillMd || bundle.skillMd.trim().length === 0) {
+        errors.push('SKILL.md is empty or missing');
+    }
+    if (!bundle.skillId) {
+        errors.push('Skill ID is missing');
+    }
+    if (!bundle.name) {
+        errors.push('Skill name is missing');
+    }
+    // Validate MCP config structure (if present)
+    if (bundle.mcpConfig) {
+        if (!bundle.mcpConfig.name) {
+            errors.push('MCP config missing name field');
+        }
+        if (!bundle.mcpConfig.version) {
+            errors.push('MCP config missing version field');
+        }
+    }
+    return errors;
+}
+//# sourceMappingURL=bundle-loader.js.map

package/dist/skills/bundle-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundle-loader.js","sourceRoot":"","sources":["../../src/skills/bundle-loader.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AAG7B;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,SAAiB;IACrD,wBAAwB;IACxB,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAExC,uBAAuB;IACvB,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,mCAAmC,SAAS,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,2BAA2B;IAC3B,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,OAAO,CAAC,CAAC;IAE3C,4CAA4C;IAC5C,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAEhD,6BAA6B;IAC7B,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;IAE/C,+BAA+B;IAC/B,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,OAAO,CAAC,CAAC;IAE/C,4CAA4C;IAC5C,MAAM,WAAW,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,CAAC;IAEnD,OAAO;QACL,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;QACnD,IAAI,EAAE,QAAQ,CAAC,IAAI,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC7C,OAAO,EAAE,QAAQ,CAAC,OAAO,IAAI,OAAO;QACpC,OAAO;QACP,SAAS;QACT,SAAS;QACT,WAAW;QACX,QAAQ,EAAE,OAAO;KAClB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,WAAW,CAAC,SAAiB;IAC1C,+BAA+B;IAC/B,MAAM,aAAa,GAAG,CAAC,UAAU,EAAE,UAAU,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,WAAW,CAAC,CAAC;IAElG,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACrD,OAAO,OAAO,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAgB;YAChB,SAAS;QACX,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,yBAAyB,SAAS,YAAY,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AAC5F,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAC5B,SAAiB;IAEjB,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IAErD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChC,OAAO;YACL,OAAO,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI;YAChC,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,2BAA2B;QAC3B,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,SAAiB;IAC5C,MAAM,aAAa,GAAG,CAAC,iBAAiB,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;IAEnE,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACrD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAoB,CAAC;YACtD,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gBAAgB;YAChB,SAAS;QACX,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,SAAiB;IAC5C,MAAM,SAAS,GAAoB,EAAE,CAAC;IAEtC,+BAA+B;IAC/B,MAAM,QAAQ,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,GAAG,CAAC,CAAC,CAAC,4BAA4B;IAElE,iCAAiC;IACjC,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAE7E,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAE1C,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,kBAAkB,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;YAEhE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;gBACjD,MAAM,YAAY,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;gBACpD,MAAM,QAAQ,GAAG,2BAA2B,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;gBAEjE,IAAI,QAAQ,EAAE,CAAC;oBACb,SAAS,CAAC,IAAI,CAAC;wBACb,IAAI,EAAE,YAAY;wBAClB,OAAO;wBACP,QAAQ;qBACT,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,uCAAuC;YACvC,SAAS;QACX,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,eAAe,CAAC,SAAiB;IAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAElD,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACzB,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,qCAAqC;QACrC,OAAO,MAAM,aAAa,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,+BAA+B;QAC/B,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,IAAY,EAAE,WAAoB;IAC/D,0BAA0B;IAC1B,MAAM,eAAe,GAAG,CAAC,WAAW,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;IAEjG,qBAAqB;IACrB,MAAM,gBAAgB,GAAG;QACvB,UAAU;QACV,UAAU;QACV,WAAW;QACX,WAAW;QACX,UAAU;QACV,UAAU;QACV,WAAW;QACX,WAAW;QACX,UAAU;QACV,UAAU;QACV,YAAY;QACZ,UAAU;QACV,gBAAgB;QAChB,gBAAgB;QAChB,kBAAkB;QAClB,kBAAkB;QAClB,gBAAgB;QAChB,gBAAgB;KACjB,CAAC;IAEF,IAAI,WAAW,EAAE,CAAC;QAChB,gDAAgD;QAChD,OAAO,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACxC,CAAC;SAAM,CAAC;QACN,2CAA2C;QAC3C,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;IACpE,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAAC,GAAW,EAAE,UAAoB;IACjE,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;QAE/D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;YAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YAE5C,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,oEAAoE;gBACpE,IACE,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;oBAC1B,KAAK,CAAC,IAAI,KAAK,cAAc;oBAC7B,qBAAqB,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,CAAC,EACvC,CAAC;oBACD,SAAS;gBACX,CAAC;gBAED,4BAA4B;gBAC5B,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;gBAChE,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,CAAC;YAC1B,CAAC;iBAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;gBAC1B,kBAAkB;gBAClB,IAAI,qBAAqB,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,EAAE,CAAC;oBAC7C,SAAS;gBACX,CAAC;gBAED,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;gBACrC,IAAI,UAAU,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACvB,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,8CAA8C;IAChD,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,2BAA2B,CAClC,GAAW;IAEX,QAAQ,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;QAC1B,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,KAAK,CAAC;QACX,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM;YACT,OAAO,YAAY,CAAC;QACtB,KAAK,KAAK,CAAC;QACX,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM;YACT,OAAO,YAAY,CAAC;QACtB,KAAK,KAAK;YACR,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,MAAM,CAAC;QAChB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,MAAmB;IAC3D,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,wBAAwB;IACxB,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IAC9C,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACjB,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;IACvC,CAAC;IAED,6CAA6C;IAC7C,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;QAC/C,CAAC;QACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/skills/capability-mismatch.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Capability Mismatch Detection
+ *
+ * Detects mismatches between what SKILL.md declares and what code actually does.
+ *
+ * Examples:
+ * - SKILL.md says "reads user files" but code writes to network
+ * - SKILL.md says "queries database" but code executes shell commands
+ * - Code accesses sensitive data not mentioned in SKILL.md
+ */
+import type { CircleIR } from 'circle-ir';
+import type { SkillFinding, ExtractedArtifact } from './types.js';
+/**
+ * Detect capability mismatches between SKILL.md and code
+ *
+ * @param skillMdIR - CircleIR extracted from SKILL.md
+ * @param codeArtifacts - CircleIR extracted from code files
+ * @returns List of capability mismatch findings
+ */
+export declare function detectCapabilityMismatches(skillMdIR: CircleIR, codeArtifacts: ExtractedArtifact[]): Promise<SkillFinding[]>;
+//# sourceMappingURL=capability-mismatch.d.ts.map

package/dist/skills/capability-mismatch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-mismatch.d.ts","sourceRoot":"","sources":["../../src/skills/capability-mismatch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAA0B,MAAM,WAAW,CAAC;AAClE,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAGlE;;;;;;GAMG;AACH,wBAAsB,0BAA0B,CAC9C,SAAS,EAAE,QAAQ,EACnB,aAAa,EAAE,iBAAiB,EAAE,GACjC,OAAO,CAAC,YAAY,EAAE,CAAC,CA0CzB"}

package/dist/skills/capability-mismatch.js

@@ -0,0 +1,188 @@
+/**
+ * Capability Mismatch Detection
+ *
+ * Detects mismatches between what SKILL.md declares and what code actually does.
+ *
+ * Examples:
+ * - SKILL.md says "reads user files" but code writes to network
+ * - SKILL.md says "queries database" but code executes shell commands
+ * - Code accesses sensitive data not mentioned in SKILL.md
+ */
+import { getAxLLMClient } from '../llm/ax-client.js';
+/**
+ * Detect capability mismatches between SKILL.md and code
+ *
+ * @param skillMdIR - CircleIR extracted from SKILL.md
+ * @param codeArtifacts - CircleIR extracted from code files
+ * @returns List of capability mismatch findings
+ */
+export async function detectCapabilityMismatches(skillMdIR, codeArtifacts) {
+    const findings = [];
+    // Extract declared capabilities from SKILL.md
+    const declaredSources = skillMdIR.taint.sources || [];
+    const declaredSinks = skillMdIR.taint.sinks || [];
+    // Extract actual capabilities from code
+    const actualSources = [];
+    const actualSinks = [];
+    for (const artifact of codeArtifacts) {
+        for (const source of artifact.ir.taint.sources || []) {
+            actualSources.push({ ...source, artifact: artifact.artifact });
+        }
+        for (const sink of artifact.ir.taint.sinks || []) {
+            actualSinks.push({ ...sink, artifact: artifact.artifact });
+        }
+    }
+    // Use LLM to detect semantic mismatches
+    const mismatches = await detectMismatchesWithLLM(declaredSources, declaredSinks, actualSources, actualSinks);
+    // Convert to findings
+    for (const mismatch of mismatches) {
+        findings.push({
+            type: 'capability_mismatch',
+            severity: mismatch.severity,
+            artifact: mismatch.artifact,
+            title: mismatch.title,
+            description: mismatch.description,
+            evidence: mismatch.evidence,
+            confidence: mismatch.confidence,
+        });
+    }
+    return findings;
+}
+/**
+ * Use LLM to detect semantic capability mismatches
+ */
+async function detectMismatchesWithLLM(declaredSources, declaredSinks, actualSources, actualSinks) {
+    const llm = getAxLLMClient();
+    const systemPrompt = `You are a security analyst detecting capability mismatches in AI skills.
+
+A capability mismatch occurs when:
+1. The SKILL.md claims to do X, but the code does Y instead
+2. The code performs operation Y, but SKILL.md doesn't mention it
+3. The declared data access doesn't match actual data accessed in code
+
+Your job: Find semantic mismatches between declared and actual capabilities.
+
+Be strict:
+- Only flag CLEAR mismatches with evidence
+- Ignore trivial differences (e.g., "read file" vs "load file" are the same)
+- Focus on SECURITY-RELEVANT mismatches (data access, dangerous operations)
+- Assign high confidence only when mismatch is obvious
+
+IMPORTANT - What is NOT a mismatch:
+- Validation/sanitization code (e.g., validatePath, encodeURIComponent) - this is GOOD security practice
+- SKILL.md says "secure HTTP request" and code uses encodeURIComponent - this is IMPLEMENTING security, not a mismatch
+- SKILL.md says "sandboxed file access" and code validates paths - this is correct implementation
+- Semantic equivalence: "accesses api.example.com" vs "makes HTTP request" are the same thing
+
+Examples of TRUE mismatches:
+1. SKILL.md: "No network access" | Code: https.get() or https.request() → MISMATCH (undisclosed_capability, CRITICAL)
+2. SKILL.md: "Runs offline" | Code: fetch() or HTTP sinks → MISMATCH (undisclosed_capability, CRITICAL)
+3. SKILL.md: "Reads from database" | Code: no database calls found → MISMATCH (false_advertising)
+4. SKILL.md: "Accesses api.weather.com only" | Code: accesses api.analytics.com → MISMATCH (data_mismatch)
+5. SKILL.md: Says nothing about network | Code: makes HTTP requests to ANY domain → MISMATCH (undisclosed_capability)
+
+CRITICAL - Network access is ALWAYS a mismatch if:
+- SKILL.md says "no network", "offline", "no external access" BUT code has SSRF sinks (https.request, fetch, etc.)
+- SKILL.md doesn't mention network access BUT code has SSRF sinks to ANY domain
+- Network access is a SECURITY-CRITICAL capability that MUST be disclosed
+
+Examples of FALSE matches (DO NOT FLAG):
+1. SKILL.md: "Validates input" | Code: uses regex validation → NOT a mismatch (implementing stated security)
+2. SKILL.md: "Reads files in workspace" | Code: calls validatePath() → NOT a mismatch (secure implementation)
+3. SKILL.md: "Makes HTTP request" | Code: uses encodeURIComponent on URL → NOT a mismatch (secure implementation)
+4. SKILL.md: "Accesses API" | Code: https.request() to that API → NOT a mismatch (documented network access)`;
+    const userPrompt = `Analyze this AI skill for capability mismatches:
+
+**Declared Capabilities (from SKILL.md):**
+
+Declared Sources (data inputs):
+${formatSources(declaredSources)}
+
+Declared Sinks (dangerous operations):
+${formatSinks(declaredSinks)}
+
+**Actual Capabilities (from code analysis):**
+
+Actual Sources (data inputs):
+${formatActualSources(actualSources)}
+
+Actual Sinks (dangerous operations):
+${formatActualSinks(actualSinks)}
+
+**Task:** Find mismatches where:
+1. Code performs operations not declared in SKILL.md (undisclosed capabilities)
+2. SKILL.md declares operations not found in code (false advertising)
+3. Data access patterns differ significantly
+
+Return JSON array of mismatches:
+[
+  {
+    "type": "undisclosed_capability" | "false_advertising" | "data_mismatch",
+    "title": "Brief title (< 10 words)",
+    "description": "Detailed explanation with evidence",
+    "severity": "critical" | "high" | "medium" | "low",
+    "artifact": "which code file contains the issue",
+    "evidence": {
+      "declared": "what SKILL.md says",
+      "actual": "what code does",
+      "location": "specific code location"
+    },
+    "confidence": 0.0-1.0
+  }
+]
+
+If no mismatches, return: []`;
+    try {
+        const result = await llm.chatJSON(systemPrompt, userPrompt, 'verification');
+        return result || [];
+    }
+    catch (error) {
+        console.error('LLM mismatch detection failed:', error);
+        return [];
+    }
+}
+/**
+ * Format sources for LLM prompt
+ */
+function formatSources(sources) {
+    if (sources.length === 0) {
+        return '  (none declared)';
+    }
+    return sources
+        .map((s, i) => `  ${i + 1}. ${s.type} at ${s.location}\n     Severity: ${s.severity}\n     Confidence: ${(s.confidence || 0.8) * 100}%`)
+        .join('\n');
+}
+/**
+ * Format sinks for LLM prompt
+ */
+function formatSinks(sinks) {
+    if (sinks.length === 0) {
+        return '  (none declared)';
+    }
+    return sinks
+        .map((s, i) => `  ${i + 1}. ${s.type} (${s.cwe}) at ${s.location}\n     Confidence: ${(s.confidence || 0.8) * 100}%`)
+        .join('\n');
+}
+/**
+ * Format actual sources with artifact info
+ */
+function formatActualSources(sources) {
+    if (sources.length === 0) {
+        return '  (no sources found in code)';
+    }
+    return sources
+        .map((s, i) => `  ${i + 1}. ${s.type} in ${s.artifact}:${s.line}\n     Location: ${s.location}\n     Confidence: ${(s.confidence || 0.8) * 100}%`)
+        .join('\n');
+}
+/**
+ * Format actual sinks with artifact info
+ */
+function formatActualSinks(sinks) {
+    if (sinks.length === 0) {
+        return '  (no dangerous operations found in code)';
+    }
+    return sinks
+        .map((s, i) => `  ${i + 1}. ${s.type} (${s.cwe}) in ${s.artifact}:${s.line}\n     Location: ${s.location}\n     Confidence: ${(s.confidence || 0.8) * 100}%`)
+        .join('\n');
+}
+//# sourceMappingURL=capability-mismatch.js.map

package/dist/skills/capability-mismatch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"capability-mismatch.js","sourceRoot":"","sources":["../../src/skills/capability-mismatch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAErD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,SAAmB,EACnB,aAAkC;IAElC,MAAM,QAAQ,GAAmB,EAAE,CAAC;IAEpC,8CAA8C;IAC9C,MAAM,eAAe,GAAG,SAAS,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,CAAC;IACtD,MAAM,aAAa,GAAG,SAAS,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;IAElD,wCAAwC;IACxC,MAAM,aAAa,GAA8C,EAAE,CAAC;IACpE,MAAM,WAAW,GAA4C,EAAE,CAAC;IAEhE,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;QACrC,KAAK,MAAM,MAAM,IAAI,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YACrD,aAAa,CAAC,IAAI,CAAC,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;QACjE,CAAC;QACD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,EAAE,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,EAAE,CAAC;YACjD,WAAW,CAAC,IAAI,CAAC,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAC9C,eAAe,EACf,aAAa,EACb,aAAa,EACb,WAAW,CACZ,CAAC;IAEF,sBAAsB;IACtB,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,qBAAqB;YAC3B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,WAAW,EAAE,QAAQ,CAAC,WAAW;YACjC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;YAC3B,UAAU,EAAE,QAAQ,CAAC,UAAU;SAChC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,uBAAuB,CACpC,eAA8B,EAC9B,aAA0B,EAC1B,aAAwD,EACxD,WAAoD;IAWpD,MAAM,GAAG,GAAG,cAAc,EAAE,CAAC;IAE7B,MAAM,YAAY,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;6GAqCsF,CAAC;IAE5G,MAAM,UAAU,GAAG;;;;;EAKnB,aAAa,CAAC,eAAe,CAAC;;;EAG9B,WAAW,CAAC,aAAa,CAAC;;;;;EAK1B,mBAAmB,CAAC,aAAa,CAAC;;;EAGlC,iBAAiB,CAAC,WAAW,CAAC;;;;;;;;;;;;;;;;;;;;;;;;6BAwBH,CAAC;IAE5B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,GAAG,CAAC,QAAQ,CAU/B,YAAY,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;QAE5C,OAAO,MAAM,IAAI,EAAE,CAAC;IACtB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,KAAK,CAAC,CAAC;QACvD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,OAAsB;IAC3C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IAED,OAAO,OAAO;SACX,GAAG,CACF,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,QAAQ,oBAAoB,CAAC,CAAC,QAAQ,sBAAsB,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG,CAC3H;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,KAAkB;IACrC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,mBAAmB,CAAC;IAC7B,CAAC;IAED,OAAO,KAAK;SACT,GAAG,CACF,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,QAAQ,sBAAsB,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG,CACxG;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,mBAAmB,CAAC,OAAkD;IAC7E,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,8BAA8B,CAAC;IACxC,CAAC;IAED,OAAO,OAAO;SACX,GAAG,CACF,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,oBAAoB,CAAC,CAAC,QAAQ,sBAAsB,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG,CACrI;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,KAA8C;IACvE,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,2CAA2C,CAAC;IACrD,CAAC;IAED,OAAO,KAAK;SACT,GAAG,CACF,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,GAAG,QAAQ,CAAC,CAAC,QAAQ,IAAI,CAAC,CAAC,IAAI,oBAAoB,CAAC,CAAC,QAAQ,sBAAsB,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,GAAG,GAAG,GAAG,CAChJ;SACA,IAAI,CAAC,IAAI,CAAC,CAAC;AAChB,CAAC"}

package/dist/skills/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Skills Analysis Module
+ *
+ * Analyze AI skill bundles (code + SKILL.md + MCP config) for security issues.
+ */
+export type { SkillBundle, SkillCodeFile, MCPServerConfig, MCPPermission, MCPTool, MCPResource, SkillAnalysisResult, SkillFinding, SkillFindingType, SkillAnalysisOptions, AnalysisProgress, ExtractedArtifact, } from './types.js';
+export { loadSkillBundle, validateSkillBundle } from './bundle-loader.js';
+export { analyzeSkillBundle } from './skill-analyzer.js';
+export { detectCapabilityMismatches } from './capability-mismatch.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/skills/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/skills/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,YAAY,EACV,WAAW,EACX,aAAa,EACb,eAAe,EACf,aAAa,EACb,OAAO,EACP,WAAW,EACX,mBAAmB,EACnB,YAAY,EACZ,gBAAgB,EAChB,oBAAoB,EACpB,gBAAgB,EAChB,iBAAiB,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/skills/index.js

@@ -0,0 +1,9 @@
+/**
+ * Skills Analysis Module
+ *
+ * Analyze AI skill bundles (code + SKILL.md + MCP config) for security issues.
+ */
+export { loadSkillBundle, validateSkillBundle } from './bundle-loader.js';
+export { analyzeSkillBundle } from './skill-analyzer.js';
+export { detectCapabilityMismatches } from './capability-mismatch.js';
+//# sourceMappingURL=index.js.map

package/dist/skills/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/skills/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAiBH,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAC1E,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,0BAA0B,EAAE,MAAM,0BAA0B,CAAC"}

package/dist/skills/skill-analyzer.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Skill Analyzer
+ *
+ * Main orchestrator for analyzing AI skill bundles.
+ * Coordinates extraction, taint analysis, and cross-artifact reasoning.
+ */
+import { type SkillAnalysisResult, type SkillAnalysisOptions } from './types.js';
+/**
+ * Analyze a skill bundle
+ *
+ * @param skillPath - Path to skill directory
+ * @param options - Analysis options
+ * @returns Analysis result with findings and trust score
+ */
+export declare function analyzeSkillBundle(skillPath: string, options?: SkillAnalysisOptions): Promise<SkillAnalysisResult>;
+//# sourceMappingURL=skill-analyzer.d.ts.map

package/dist/skills/skill-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"skill-analyzer.d.ts","sourceRoot":"","sources":["../../src/skills/skill-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAEL,KAAK,mBAAmB,EAExB,KAAK,oBAAoB,EAE1B,MAAM,YAAY,CAAC;AAKpB;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,oBAAyB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAyG9B"}