codegate-ai 0.2.3 → 0.3.1

package/dist/cli.d.ts

@@ -8,6 +8,7 @@ import { type ScanDiscoveryCandidate, type ScanDiscoveryContext } from "./scan.j
 import { type ResolvedScanTarget } from "./scan-target.js";
 import type { CodeGateReport } from "./types/report.js";
 import { type RemediationRunnerInput, type RemediationRunnerResult } from "./layer4-remediation/remediation-runner.js";
+import { type SkillsWrapperLaunchResult } from "./commands/skills-wrapper.js";
 import { type DeepAgentOption, type MetaAgentCommandConsentContext, type MetaAgentCommandRunResult, type RemediationConsentContext, type ScanRunnerInput } from "./commands/scan-command.js";
 export interface RunWarningConsentContext {
     target: string;
@@ -55,6 +56,11 @@ export interface CliDeps {
     requestRunWarningConsent?: (context: RunWarningConsentContext) => Promise<boolean> | boolean;
     requestSkillSelection?: (options: string[]) => Promise<string | null> | string | null;
     executeDeepResource?: (resource: DeepScanResource) => Promise<ResourceFetchResult>;
+    launchSkills?: (args: string[], cwd: string) => SkillsWrapperLaunchResult;
+    runSkillsWrapper?: (input: {
+        version: string;
+        skillsArgs: string[];
+    }) => Promise<void>;
     runWrapper?: (input: {
         target: string;
         cwd: string;

package/dist/cli.js

@@ -20,6 +20,7 @@ import { executeWrapperRun } from "./wrapper.js";
 import { runRemediation as runRemediationWorkflow, } from "./layer4-remediation/remediation-runner.js";
 import { undoLatestSession } from "./commands/undo.js";
 import { executeScanCommand } from "./commands/scan-command.js";
+import { executeSkillsWrapper, launchSkillsPassthrough, } from "./commands/skills-wrapper.js";
 import { promptDeepAgentSelection, promptDeepScanConsent, promptMetaAgentCommandConsent, promptRemediationConsent, promptSkillSelection, } from "./cli-prompts.js";
 import { resetScanState } from "./layer2-static/state/scan-state.js";
 const require = createRequire(import.meta.url);
@@ -155,6 +156,7 @@ const defaultCliDeps = {
         }
         return fetchResourceMetadata(resource.request);
     },
+    launchSkills: (args, cwd) => launchSkillsPassthrough(args, cwd),
 };
 function addScanCommand(program, version, deps) {
     program
@@ -365,6 +367,48 @@ function addRunCommand(program, version, deps) {
         }
     });
 }
+function addSkillsCommand(program, version, deps) {
+    program
+        .command("skills [skillsArgs...]")
+        .description("Wrap npx skills with CodeGate preflight scanning for installs")
+        .allowUnknownOption(true)
+        .allowExcessArguments(true)
+        .addHelpText("after", renderExampleHelp([
+        "codegate skills add vercel-labs/skills --skill find-skills",
+        "codegate skills add https://github.com/owner/repo --skill security-review",
+        "codegate skills find security",
+        "codegate skills add owner/repo --skill demo --cg-force",
+    ]))
+        .action(async (skillsArgs) => {
+        try {
+            const runSkillsWrapper = deps.runSkillsWrapper ??
+                ((input) => executeSkillsWrapper(input, {
+                    cwd: deps.cwd,
+                    isTTY: deps.isTTY,
+                    pathExists: deps.pathExists,
+                    resolveConfig: deps.resolveConfig,
+                    runScan: deps.runScan,
+                    resolveScanTarget: deps.resolveScanTarget,
+                    requestSkillSelection: deps.requestSkillSelection,
+                    requestWarningProceed: deps.requestRunWarningConsent,
+                    launchSkills: deps.launchSkills ?? ((args, cwd) => launchSkillsPassthrough(args, cwd)),
+                    stdout: deps.stdout,
+                    stderr: deps.stderr,
+                    setExitCode: deps.setExitCode,
+                    renderTui: deps.renderTui,
+                }));
+            await runSkillsWrapper({
+                version,
+                skillsArgs: skillsArgs ?? [],
+            });
+        }
+        catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            deps.stderr(`Skills wrapper failed: ${message}`);
+            deps.setExitCode(3);
+        }
+    });
+}
 function addUndoCommand(program, deps) {
     program
         .command("undo [dir]")
@@ -468,9 +512,11 @@ export function createCli(version = packageJson.version ?? "0.0.0-dev", deps = d
         "codegate scan .",
         "codegate scan https://github.com/owner/repo",
         "codegate scan https://github.com/owner/repo/blob/main/skills/security-review/SKILL.md",
+        "codegate skills add owner/repo --skill security-review",
         "codegate run claude",
     ]));
     addScanCommand(program, version, deps);
+    addSkillsCommand(program, version, deps);
     addRunCommand(program, version, deps);
     addUndoCommand(program, deps);
     addInitCommand(program, deps);

package/dist/commands/skills-wrapper.d.ts

@@ -0,0 +1,63 @@
+import { type CodeGateConfig, type OutputFormat, type ResolveConfigOptions } from "../config.js";
+import { type ResolvedScanTarget } from "../scan-target.js";
+import type { ScanRunnerInput } from "./scan-command.js";
+import type { CodeGateReport } from "../types/report.js";
+export interface SkillsWrapperRuntimeOptions {
+    force: boolean;
+    noTui: boolean;
+    includeUserScope: boolean;
+    format?: OutputFormat;
+    configPath?: string;
+}
+export interface ParsedSkillsInvocation {
+    passthroughArgs: string[];
+    wrapper: SkillsWrapperRuntimeOptions;
+    subcommand: string | null;
+    sourceTarget: string | null;
+    preferredSkill: string | null;
+}
+export interface SkillsWrapperLaunchResult {
+    status: number | null;
+    error?: Error;
+}
+export interface ExecuteSkillsWrapperInput {
+    version: string;
+    skillsArgs: string[];
+}
+export interface SkillsWarningConsentContext {
+    target: string;
+    report: CodeGateReport;
+}
+export interface SkillsWrapperDeps {
+    cwd: () => string;
+    isTTY: () => boolean;
+    pathExists?: (path: string) => boolean;
+    resolveConfig: (options: ResolveConfigOptions) => CodeGateConfig;
+    runScan: (input: ScanRunnerInput) => Promise<CodeGateReport>;
+    resolveScanTarget?: (input: {
+        rawTarget: string;
+        cwd: string;
+        preferredSkill?: string;
+        interactive?: boolean;
+        requestSkillSelection?: (options: string[]) => Promise<string | null> | string | null;
+    }) => Promise<ResolvedScanTarget> | ResolvedScanTarget;
+    requestSkillSelection?: (options: string[]) => Promise<string | null> | string | null;
+    requestWarningProceed?: (context: SkillsWarningConsentContext) => Promise<boolean> | boolean;
+    launchSkills: (args: string[], cwd: string) => SkillsWrapperLaunchResult;
+    stdout: (message: string) => void;
+    stderr: (message: string) => void;
+    setExitCode: (code: number) => void;
+    renderTui?: (props: {
+        view: "dashboard" | "summary";
+        report: CodeGateReport;
+        notices?: string[];
+    }) => void;
+}
+interface SourceDetectionContext {
+    cwd: string;
+    pathExists: (path: string) => boolean;
+}
+export declare function parseSkillsInvocation(rawArgs: string[], context?: SourceDetectionContext): ParsedSkillsInvocation;
+export declare function launchSkillsPassthrough(args: string[], cwd: string): SkillsWrapperLaunchResult;
+export declare function executeSkillsWrapper(input: ExecuteSkillsWrapperInput, deps: SkillsWrapperDeps): Promise<void>;
+export {};

package/dist/commands/skills-wrapper.js

@@ -0,0 +1,392 @@
+import { spawnSync } from "node:child_process";
+import { existsSync } from "node:fs";
+import { createInterface } from "node:readline/promises";
+import { resolve } from "node:path";
+import { applyConfigPolicy, OUTPUT_FORMATS, } from "../config.js";
+import { renderByFormat, summarizeRequestedTargetFindings } from "./scan-command/helpers.js";
+import { resolveScanTarget } from "../scan-target.js";
+function parseWrapperOptionValue(args, index, flag) {
+    const current = args[index] ?? "";
+    const withEquals = `${flag}=`;
+    if (current.startsWith(withEquals)) {
+        const value = current.slice(withEquals.length).trim();
+        if (value.length === 0) {
+            throw new Error(`${flag} requires a value`);
+        }
+        return [value, index];
+    }
+    const nextValue = args[index + 1];
+    if (!nextValue || nextValue.trim().length === 0) {
+        throw new Error(`${flag} requires a value`);
+    }
+    return [nextValue, index + 1];
+}
+function parseOutputFormat(value) {
+    const normalized = value.trim().toLowerCase();
+    const matched = OUTPUT_FORMATS.find((format) => format === normalized);
+    if (!matched) {
+        throw new Error(`Unsupported --cg-format value "${value}". Valid values: ${OUTPUT_FORMATS.join(", ")}.`);
+    }
+    return matched;
+}
+function isLikelyGitSshSource(value) {
+    return /^git@[^:]+:.+/iu.test(value) || /^ssh:\/\//iu.test(value);
+}
+function looksLikeSourceToken(value, context) {
+    if (value.trim().length === 0 || value.startsWith("-")) {
+        return false;
+    }
+    if (isLikelyHttpUrl(value) || isLikelyGitSshSource(value) || isLikelyGitHubShorthand(value)) {
+        return true;
+    }
+    if (value.startsWith("./") ||
+        value.startsWith("../") ||
+        value.startsWith("/") ||
+        value.startsWith("~/") ||
+        value.endsWith(".git")) {
+        return true;
+    }
+    if (context) {
+        const localCandidate = resolve(context.cwd, value);
+        if (context.pathExists(localCandidate)) {
+            return true;
+        }
+    }
+    return false;
+}
+function firstLikelySourceAfterAdd(args, addIndex, context) {
+    for (let index = addIndex + 1; index < args.length; index += 1) {
+        const token = args[index] ?? "";
+        if (token === "--skill") {
+            index += 1;
+            continue;
+        }
+        if (token.startsWith("--skill=")) {
+            continue;
+        }
+        if (token === "--") {
+            for (let tailIndex = index + 1; tailIndex < args.length; tailIndex += 1) {
+                const candidate = args[tailIndex] ?? "";
+                if (looksLikeSourceToken(candidate, context)) {
+                    return candidate;
+                }
+            }
+            return null;
+        }
+        if (looksLikeSourceToken(token, context)) {
+            return token;
+        }
+    }
+    return null;
+}
+function preferredSkillArg(args, addIndex) {
+    for (let index = addIndex + 1; index < args.length; index += 1) {
+        const token = args[index] ?? "";
+        if (token === "--skill") {
+            const value = args[index + 1];
+            if (value && value.trim().length > 0) {
+                return value.trim();
+            }
+            return null;
+        }
+        if (token.startsWith("--skill=")) {
+            const value = token.slice("--skill=".length).trim();
+            return value.length > 0 ? value : null;
+        }
+    }
+    return null;
+}
+function isLikelyHttpUrl(value) {
+    return /^https?:\/\//iu.test(value);
+}
+function isLikelyGitHubShorthand(value) {
+    return /^[a-z0-9._-]+\/[a-z0-9._-]+(?:\.git)?$/iu.test(value);
+}
+function normalizeSkillsSourceTarget(rawTarget, cwd, pathExists) {
+    if (isLikelyHttpUrl(rawTarget)) {
+        return rawTarget;
+    }
+    if (!isLikelyGitHubShorthand(rawTarget)) {
+        return rawTarget;
+    }
+    const localCandidate = resolve(cwd, rawTarget);
+    if (pathExists(localCandidate)) {
+        return rawTarget;
+    }
+    return `https://github.com/${rawTarget}`;
+}
+function toSubcommand(args) {
+    const index = args.findIndex((value) => !value.startsWith("-"));
+    if (index < 0) {
+        return [null, -1];
+    }
+    return [args[index]?.toLowerCase() ?? null, index];
+}
+function isLikelyLeadingGlobalOptionSequence(args, endExclusive) {
+    for (let index = 0; index < endExclusive; index += 1) {
+        const token = args[index] ?? "";
+        if (token.startsWith("-")) {
+            continue;
+        }
+        const previous = index > 0 ? (args[index - 1] ?? "") : "";
+        if (previous.startsWith("-")) {
+            continue;
+        }
+        return false;
+    }
+    return true;
+}
+function findAddSubcommandIndex(args, context) {
+    const [subcommand, subcommandIndex] = toSubcommand(args);
+    if (subcommand === "add") {
+        return subcommandIndex;
+    }
+    // Only attempt fallback when the first positional token is likely an option value.
+    // This avoids misclassifying non-add commands like `skills find add`.
+    if (subcommandIndex < 1 ||
+        typeof args[subcommandIndex - 1] !== "string" ||
+        !String(args[subcommandIndex - 1]).startsWith("-")) {
+        return -1;
+    }
+    // Fallback for inputs where global-option values appear before `add`.
+    for (let index = 0; index < args.length; index += 1) {
+        const token = args[index]?.toLowerCase();
+        if (token !== "add") {
+            continue;
+        }
+        if (isLikelyLeadingGlobalOptionSequence(args, index) &&
+            firstLikelySourceAfterAdd(args, index, context)) {
+            return index;
+        }
+    }
+    return -1;
+}
+export function parseSkillsInvocation(rawArgs, context) {
+    const wrapper = {
+        force: false,
+        noTui: false,
+        includeUserScope: false,
+        format: undefined,
+        configPath: undefined,
+    };
+    const passthroughArgs = [];
+    for (let index = 0; index < rawArgs.length; index += 1) {
+        const token = rawArgs[index] ?? "";
+        if (token === "--") {
+            passthroughArgs.push("--");
+            for (let tailIndex = index + 1; tailIndex < rawArgs.length; tailIndex += 1) {
+                passthroughArgs.push(rawArgs[tailIndex] ?? "");
+            }
+            break;
+        }
+        if (token === "--cg-force") {
+            wrapper.force = true;
+            continue;
+        }
+        if (token === "--cg-no-tui") {
+            wrapper.noTui = true;
+            continue;
+        }
+        if (token === "--cg-include-user-scope") {
+            wrapper.includeUserScope = true;
+            continue;
+        }
+        if (token === "--cg-format" || token.startsWith("--cg-format=")) {
+            const [value, consumedIndex] = parseWrapperOptionValue(rawArgs, index, "--cg-format");
+            wrapper.format = parseOutputFormat(value);
+            index = consumedIndex;
+            continue;
+        }
+        if (token === "--cg-config" || token.startsWith("--cg-config=")) {
+            const [value, consumedIndex] = parseWrapperOptionValue(rawArgs, index, "--cg-config");
+            wrapper.configPath = value;
+            index = consumedIndex;
+            continue;
+        }
+        if (token.startsWith("--cg-")) {
+            throw new Error(`Unknown CodeGate wrapper option: ${token}`);
+        }
+        passthroughArgs.push(token);
+    }
+    const addSubcommandIndex = findAddSubcommandIndex(passthroughArgs, context);
+    const subcommand = addSubcommandIndex >= 0 ? "add" : toSubcommand(passthroughArgs)[0];
+    const sourceTarget = addSubcommandIndex >= 0
+        ? firstLikelySourceAfterAdd(passthroughArgs, addSubcommandIndex, context)
+        : null;
+    const preferredSkill = addSubcommandIndex >= 0 ? preferredSkillArg(passthroughArgs, addSubcommandIndex) : null;
+    return {
+        passthroughArgs,
+        wrapper,
+        subcommand,
+        sourceTarget,
+        preferredSkill,
+    };
+}
+async function promptWarningProceed(context) {
+    const rl = createInterface({
+        input: process.stdin,
+        output: process.stdout,
+    });
+    const prompt = [
+        `Warning findings detected for ${context.target}.`,
+        `Findings: ${context.report.summary.total}`,
+        "Proceed with skills install? [y/N]: ",
+    ].join("\n");
+    try {
+        const answer = await rl.question(prompt);
+        return /^y(es)?$/iu.test(answer.trim());
+    }
+    finally {
+        rl.close();
+    }
+}
+function finalizeLaunch(result, deps) {
+    if (result.error) {
+        deps.stderr(`Failed to run npx skills: ${result.error.message}`);
+        deps.setExitCode(3);
+        return;
+    }
+    deps.setExitCode(result.status ?? 1);
+}
+function shouldPromptForWarning(report, config, force) {
+    return (report.summary.exit_code === 1 &&
+        report.findings.length > 0 &&
+        force !== true &&
+        config.auto_proceed_below_threshold !== true);
+}
+export function launchSkillsPassthrough(args, cwd) {
+    const result = spawnSync("npx", ["skills", ...args], {
+        cwd,
+        stdio: "inherit",
+    });
+    return {
+        status: result.status,
+        error: result.error ?? undefined,
+    };
+}
+export async function executeSkillsWrapper(input, deps) {
+    const cwd = deps.cwd();
+    const isTTY = deps.isTTY();
+    const pathExists = deps.pathExists ?? ((path) => existsSync(path));
+    const sourceDetectionContext = { cwd, pathExists };
+    const parsed = parseSkillsInvocation(input.skillsArgs, sourceDetectionContext);
+    if (parsed.subcommand !== "add") {
+        finalizeLaunch(deps.launchSkills(parsed.passthroughArgs, cwd), deps);
+        return;
+    }
+    const resolvedSourceTarget = parsed.sourceTarget;
+    const preferredSkill = parsed.preferredSkill ?? undefined;
+    if (!resolvedSourceTarget) {
+        deps.stderr("Could not determine the source target for `skills add`. Provide a source URL/path after `add`.");
+        deps.setExitCode(3);
+        return;
+    }
+    let resolvedTarget;
+    const interactivePromptsEnabled = isTTY && parsed.wrapper.noTui !== true;
+    try {
+        const sourceTarget = normalizeSkillsSourceTarget(resolvedSourceTarget, cwd, pathExists);
+        const resolveTarget = deps.resolveScanTarget ??
+            ((resolverInput) => resolveScanTarget(resolverInput));
+        resolvedTarget = await resolveTarget({
+            rawTarget: sourceTarget,
+            cwd,
+            preferredSkill,
+            interactive: interactivePromptsEnabled,
+            requestSkillSelection: interactivePromptsEnabled ? deps.requestSkillSelection : undefined,
+        });
+        const noTui = parsed.wrapper.noTui === true || !isTTY;
+        const cliConfig = {
+            format: parsed.wrapper.format,
+            configPath: parsed.wrapper.configPath,
+            noTui,
+        };
+        const baseConfig = deps.resolveConfig({
+            scanTarget: resolvedTarget.scanTarget,
+            cli: cliConfig,
+        });
+        const config = parsed.wrapper.includeUserScope
+            ? { ...baseConfig, scan_user_scope: true }
+            : baseConfig;
+        let report = await deps.runScan({
+            version: input.version,
+            scanTarget: resolvedTarget.scanTarget,
+            config,
+            flags: {
+                noTui,
+                format: parsed.wrapper.format,
+                force: parsed.wrapper.force,
+                includeUserScope: parsed.wrapper.includeUserScope,
+                skill: preferredSkill,
+            },
+            discoveryContext: undefined,
+        });
+        if (resolvedTarget.displayTarget && resolvedTarget.displayTarget !== report.scan_target) {
+            report = {
+                ...report,
+                scan_target: resolvedTarget.displayTarget,
+            };
+        }
+        report = applyConfigPolicy(report, config);
+        const shouldUseTui = config.tui.enabled && isTTY && deps.renderTui !== undefined && noTui !== true;
+        const targetSummaryNote = config.output_format === "terminal"
+            ? summarizeRequestedTargetFindings(report, resolvedTarget.displayTarget)
+            : null;
+        if (shouldUseTui) {
+            deps.renderTui?.({
+                view: "dashboard",
+                report,
+                notices: targetSummaryNote ? [targetSummaryNote] : undefined,
+            });
+            deps.renderTui?.({ view: "summary", report });
+        }
+        else {
+            if (targetSummaryNote) {
+                deps.stdout(targetSummaryNote);
+            }
+            deps.stdout(renderByFormat(config.output_format, report));
+        }
+        if (report.summary.exit_code === 2 && parsed.wrapper.force !== true) {
+            deps.stderr("Dangerous findings detected. Aborting `skills add` (fail-closed).");
+            deps.setExitCode(2);
+            return;
+        }
+        if (shouldPromptForWarning(report, config, parsed.wrapper.force)) {
+            if (!interactivePromptsEnabled) {
+                deps.stderr("Warning findings detected. Aborting `skills add` in non-interactive mode (fail-closed). Use --cg-force to override.");
+                deps.setExitCode(1);
+                return;
+            }
+            const requestProceed = deps.requestWarningProceed ?? promptWarningProceed;
+            const approved = await requestProceed({
+                target: resolvedSourceTarget,
+                report,
+            });
+            if (!approved) {
+                deps.stderr("Install cancelled by user.");
+                deps.setExitCode(1);
+                return;
+            }
+        }
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        if (parsed.wrapper.force !== true) {
+            deps.stderr(`Preflight scan failed (fail-closed): ${message}`);
+            deps.setExitCode(3);
+            return;
+        }
+        deps.stderr(`Preflight scan failed, continuing due to --cg-force: ${message}`);
+    }
+    finally {
+        if (resolvedTarget?.cleanup) {
+            try {
+                await resolvedTarget.cleanup();
+            }
+            catch (error) {
+                const message = error instanceof Error ? error.message : String(error);
+                deps.stderr(`Scan target cleanup failed: ${message}`);
+            }
+        }
+    }
+    finalizeLaunch(deps.launchSkills(parsed.passthroughArgs, cwd), deps);
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codegate-ai",
-  "version": "0.2.3",
+  "version": "0.3.1",
   "description": "Pre-flight security scanner for AI coding tool configurations.",
   "license": "MIT",
   "type": "module",