cue-ai 0.3.0 → 0.4.0

package/src/commands/list.ts

@@ -2,7 +2,9 @@
  * `cue list` — show all available profiles with their icon, name, and description.
  */
 
+import { resolve } from "node:path";
 import { listProfiles, loadProfile } from "../lib/profile-loader";
+import { detectKittyTerminal, transmitKittyImage, kittyPlaceholderLabel } from "../lib/kitty-image";
 
 export async function run(_args: string[]): Promise<number> {
   const names = await listProfiles();
@@ -11,19 +13,27 @@ export async function run(_args: string[]): Promise<number> {
     return 1;
   }
 
-  // Compute padding so the names line up regardless of icon presence.
+  const kitty = await detectKittyTerminal();
+  const profilesRoot = resolve(new URL(import.meta.url).pathname, "..", "..", "..", "profiles");
+
   const maxNameLen = Math.max(...names.map((n) => n.length));
+  let nextImageId = 1;
 
   for (const name of names) {
     let icon = "  ";
     let description = "";
     try {
       const p = await loadProfile(name);
-      icon = p.icon ?? "  ";
+      if (kitty && p.iconImage && nextImageId <= 255) {
+        const imgPath = resolve(profilesRoot, name, p.iconImage);
+        const id = nextImageId++;
+        transmitKittyImage(imgPath, id, 2, 1);
+        icon = kittyPlaceholderLabel(id, 2, 1);
+      } else {
+        icon = p.icon ?? "  ";
+      }
       description = p.description;
-    } catch {
-      // Best-effort: still print the name even if profile fails to load.
-    }
+    } catch { /* best-effort */ }
     const namePadded = name.padEnd(maxNameLen);
     process.stdout.write(`${icon}  ${namePadded}  ${description}\n`);
   }

package/src/commands/materialize.ts

@@ -0,0 +1,135 @@
+/**
+ * `cue materialize <agent> [--dir <path>]` — write skills + MCPs for any agent.
+ *
+ * This is the universal materializer. It reads the active profile and writes
+ * the config files in whatever format the target agent expects.
+ *
+ * Examples:
+ *   cue materialize cursor           # writes .cursorrules + .cursor/mcp.json
+ *   cue materialize cline            # writes .clinerules + cline_mcp_settings.json
+ *   cue materialize gemini           # writes ~/.gemini/skills/*.md
+ *   cue materialize copilot          # writes .github/copilot-instructions.md
+ *   cue materialize --all            # materialize for ALL agents in profile
+ */
+
+import { readFileSync, existsSync } from "node:fs";
+import { resolve, dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+
+import { loadProfile } from "../lib/profile-loader";
+import { resolveProfileForCwd } from "../lib/cwd-resolver";
+import { getAdapter, AGENT_IDS, ADAPTERS } from "../lib/agent-adapters";
+
+const REPO_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..");
+const SKILLS_ROOT = join(REPO_ROOT, "resources", "skills", "skills");
+const MCP_CONFIGS_DIR = join(REPO_ROOT, "resources", "mcps", "configs");
+
+function loadSkillContent(id: string): { id: string; content: string } | null {
+  const path = join(SKILLS_ROOT, id, "SKILL.md");
+  if (!existsSync(path)) return null;
+  return { id, content: readFileSync(path, "utf8") };
+}
+
+function loadMcpRegistry(): Record<string, unknown> {
+  for (const file of ["claude_runtime.sanitized.json", "claude.sanitized.json"]) {
+    try {
+      const raw = JSON.parse(readFileSync(join(MCP_CONFIGS_DIR, file), "utf8"));
+      if (raw.servers) return raw.servers;
+    } catch {}
+  }
+  return {};
+}
+
+export async function run(args: string[]): Promise<number> {
+  if (args.includes("-h") || args.includes("--help")) {
+    process.stdout.write(`cue materialize — write skills + MCPs for any AI agent
+
+Usage: cue materialize <agent> [--dir <path>] [--profile <name>]
+
+Agents: ${AGENT_IDS.join(", ")}
+
+Flags:
+  --dir <path>       Target directory (default: cwd or agent's config dir)
+  --profile <name>   Use specific profile (default: resolved from .cue-profile)
+  --all              Materialize for all agents listed in the profile
+  --dry-run          Show what would be written without writing
+
+Examples:
+  cue materialize cursor              # .cursorrules + .cursor/mcp.json
+  cue materialize cline               # .clinerules + cline_mcp_settings.json
+  cue materialize gemini              # ~/.gemini/skills/*.md
+  cue materialize copilot             # .github/copilot-instructions.md
+  cue materialize --all               # all agents in profile
+`);
+    return 0;
+  }
+
+  const all = args.includes("--all");
+  const dryRun = args.includes("--dry-run");
+  const dirIdx = args.indexOf("--dir");
+  const profileIdx = args.indexOf("--profile");
+  const targetDir = dirIdx >= 0 ? args[dirIdx + 1]! : process.cwd();
+  const profileArg = profileIdx >= 0 ? args[profileIdx + 1]! : null;
+
+  // Find agent ID: first arg that's not a flag and not a flag value
+  const skipValues = new Set<number>();
+  if (dirIdx >= 0) skipValues.add(dirIdx + 1);
+  if (profileIdx >= 0) skipValues.add(profileIdx + 1);
+  const agentId = args.find((a, i) => !a.startsWith("-") && !skipValues.has(i));
+
+  if (!agentId && !all) {
+    process.stderr.write(`Usage: cue materialize <agent>\nAgents: ${AGENT_IDS.join(", ")}\n`);
+    return 1;
+  }
+
+  // Resolve profile
+  let profile;
+  try {
+    const name = profileArg ?? await resolveProfileForCwd(process.cwd());
+    profile = await loadProfile(name);
+  } catch {
+    process.stderr.write("No active profile. Pin one with `echo <name> > .cue-profile`\n");
+    return 1;
+  }
+
+  // Load skills content
+  const skills = profile.skills.local
+    .map(s => loadSkillContent(s.id))
+    .filter(Boolean) as { id: string; content: string }[];
+
+  // Load MCPs
+  const registry = loadMcpRegistry();
+  const mcps: Record<string, unknown> = {};
+  for (const m of profile.mcps) {
+    if (registry[m.id]) mcps[m.id] = registry[m.id];
+  }
+
+  // Determine which agents to materialize for
+  const agents = all
+    ? profile.agents.map(a => a === "claude-code" ? "claude-code" : a)
+    : [agentId!];
+
+  for (const id of agents) {
+    const adapter = getAdapter(id);
+    if (!adapter) {
+      process.stderr.write(`Unknown agent: "${id}". Available: ${AGENT_IDS.join(", ")}\n`);
+      return 1;
+    }
+
+    const dir = dirIdx >= 0 ? targetDir : (id === "gemini" ? adapter.configDir() : targetDir);
+
+    if (dryRun) {
+      process.stdout.write(`[dry-run] ${adapter.name}:\n`);
+      process.stdout.write(`  Skills: ${skills.length} → ${dir}\n`);
+      process.stdout.write(`  MCPs: ${Object.keys(mcps).length} → ${dir}\n`);
+      continue;
+    }
+
+    adapter.writeSkills(skills, dir);
+    adapter.writeMcps(mcps, dir);
+
+    process.stdout.write(`✅ ${adapter.name}: ${skills.length} skills + ${Object.keys(mcps).length} MCPs → ${dir}\n`);
+  }
+
+  return 0;
+}

package/src/commands/security.ts

@@ -101,7 +101,7 @@ const RULES: { code: string; severity: "critical" | "high" | "medium"; patterns:
     code: "SEC6",
     severity: "medium",
     patterns: [
-      /[A-Za-z0-9+/]{60,}={0,2}/,  // long base64 strings
+      /(?<![/~.])[A-Za-z0-9+/]{80,}={0,2}/,  // long base64 (exclude file paths)
       /\\x[0-9a-f]{2}(\\x[0-9a-f]{2}){10,}/i,  // hex-encoded strings
       /atob\s*\(/,
       /Buffer\.from\(.{0,20}base64/,
@@ -130,23 +130,41 @@ function scanSkill(id: string): SecurityIssue[] {
   const lines = content.split("\n");
   const issues: SecurityIssue[] = [];
 
-  // Context: security-focused skills talk ABOUT these patterns — don't flag them
+  // Context-aware skipping: many skills are documentation/examples, not instructions
   const isSecuritySkill = /security|review|audit|pentest|vuln/i.test(id);
-  // Context: skill-evolution talks about what NOT to do — don't flag it
-  const isMetaSkill = /skill-evolution|builtin-manager/i.test(id);
+  const isMetaSkill = /skill-evolution|builtin-manager|doctor|help|omx|plugin-creator|save-profile/i.test(id);
+  const isApiDocSkill = /hostinger|medusa|stripe|coolify|deployment|kiro/i.test(id);
+  const isDesignSkill = /design|remotion|higgsfield|imagegen/i.test(id);
+  const isOrchSkill = /colony|pipeline|fleet|orchestration|worker/i.test(id);
+  const isResearchSkill = /research|find-skills|openai-docs/i.test(id);
 
   for (const rule of RULES) {
-    // Skip SEC1/SEC4/SEC5 for security review skills (they discuss these topics)
+    // Skip rules for skill categories where these patterns are expected documentation
     if (isSecuritySkill && ["SEC1", "SEC4", "SEC5"].includes(rule.code)) continue;
-    // Skip SEC4/SEC5 for meta skills that document rules about what NOT to do
     if (isMetaSkill && ["SEC4", "SEC5"].includes(rule.code)) continue;
+    if (isApiDocSkill && ["SEC1", "SEC2", "SEC5"].includes(rule.code)) continue;
+    if (isDesignSkill && ["SEC2"].includes(rule.code)) continue;
+    if (isOrchSkill && ["SEC4", "SEC5"].includes(rule.code)) continue;
+    if (isResearchSkill && ["SEC1", "SEC2"].includes(rule.code)) continue;
 
     for (let i = 0; i < lines.length; i++) {
       const line = lines[i]!;
-      // Skip lines that are clearly "don't do this" instructions
+
+      // Skip lines that are clearly safe contexts
       if (/\b(MUST NOT|must not|do not|don't|never|avoid|reject)\b/i.test(line)) continue;
-      // Skip lines inside code comments or examples about what's bad
       if (/^#|^\/\/|^\s*\*|NEVER|prohibited/i.test(line.trim())) continue;
+      // Skip lines inside code blocks (``` fenced) — these are examples
+      if (/^```/.test(line.trim())) continue;
+      // Skip lines that are curl examples showing API usage (documentation)
+      if (/^\s*(curl|fetch|wget)\s/.test(line) && /example|api\.|developers\./i.test(line)) continue;
+      // Skip lines with placeholder variables ($VARIABLE_NAME) — these are templates
+      if (/\$\{?[A-Z_]+\}?/.test(line) && /(-H|header|Authorization|Bearer)/i.test(line)) continue;
+      // Skip lines documenting CLI flags (--force, --skip-verify in help text)
+      if (/^\s*(-|•|\*|`--)/.test(line) && /flag|option|argument/i.test(lines[Math.max(0, i-3)]! + lines[Math.max(0, i-2)]! + lines[Math.max(0, i-1)]!)) continue;
+      // Skip lines that describe what a response "includes" (not an instruction to expose)
+      if (/response|returns|includes|contains/i.test(line) && rule.code === "SEC1") continue;
+      // Skip fetch() in code examples (inside ``` blocks)
+      if (isInsideCodeBlock(lines, i)) continue;
 
       for (const pattern of rule.patterns) {
         if (pattern.test(line)) {
@@ -169,6 +187,15 @@ function scanSkill(id: string): SecurityIssue[] {
   return issues;
 }
 
+/** Check if a line index is inside a fenced code block */
+function isInsideCodeBlock(lines: string[], idx: number): boolean {
+  let inside = false;
+  for (let i = 0; i < idx; i++) {
+    if (/^```/.test(lines[i]!.trim())) inside = !inside;
+  }
+  return inside;
+}
+
 export async function run(args: string[]): Promise<number> {
   if (args.includes("-h") || args.includes("--help")) {
     process.stdout.write(`cue security — scan skills for prompt injection & secret exfiltration

package/src/commands/share.ts

@@ -0,0 +1,230 @@
+/**
+ * `cue share <profile>` — publish a profile to the cue marketplace.
+ * `cue browse` — browse shared profiles from the community.
+ *
+ * Profiles are published as GitHub Gists (no backend needed).
+ * The marketplace index is a JSON file in the cue repo's GitHub Pages.
+ */
+
+import { readFileSync, writeFileSync, existsSync, mkdirSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import { resolve, dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+import { homedir } from "node:os";
+
+import { loadProfile } from "../lib/profile-loader";
+
+const REPO_ROOT = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..");
+const PROFILES_DIR = process.env.CUE_PROFILES_DIR ?? join(REPO_ROOT, "profiles");
+const MARKETPLACE_URL = "https://raw.githubusercontent.com/recodeee/cue-marketplace/main/index.json";
+const SKILLS_ROOT = join(REPO_ROOT, "resources", "skills", "skills");
+
+export async function run(args: string[]): Promise<number> {
+  const sub = args[0];
+
+  if (args.includes("-h") || args.includes("--help") || !sub) {
+    process.stdout.write(`cue share — publish & browse community profiles
+
+Usage:
+  cue share <profile>        Publish a profile to the marketplace
+  cue share browse [query]   Browse shared profiles
+  cue share install <id>     Install a shared profile
+
+Examples:
+  cue share backend          # publish your backend profile
+  cue share browse           # see what others shared
+  cue share browse "medusa"  # search shared profiles
+  cue share install user/backend  # install someone's profile
+`);
+    return 0;
+  }
+
+  switch (sub) {
+    case "browse": return cmdBrowse(args.slice(1));
+    case "install": return cmdInstall(args[1] ?? "");
+    default: return cmdShare(sub);
+  }
+}
+
+async function cmdShare(profileName: string): Promise<number> {
+  // Check gh CLI
+  const ghCheck = spawnSync("gh", ["auth", "status"], { encoding: "utf8" });
+  if (ghCheck.status !== 0) {
+    process.stderr.write("Not authenticated with GitHub. Run `gh auth login` first.\n");
+    return 1;
+  }
+
+  // Get username
+  const whoami = spawnSync("gh", ["api", "user", "--jq", ".login"], { encoding: "utf8" });
+  const username = whoami.stdout.trim();
+
+  // Load profile
+  let profile;
+  try { profile = await loadProfile(profileName); } catch {
+    process.stderr.write(`Profile "${profileName}" not found.\n`);
+    return 1;
+  }
+
+  // Build shareable YAML
+  const yaml = require("yaml");
+  const shareData = {
+    name: profile.name,
+    description: profile.description,
+    icon: profile.icon,
+    author: username,
+    shared_at: new Date().toISOString(),
+    skills: { local: profile.skills.local.map(s => s.id) },
+    mcps: profile.mcps.map(m => m.id),
+    plugins: profile.plugins.map(p => p.id),
+    stats: {
+      skill_count: profile.skills.local.length,
+      mcp_count: profile.mcps.length,
+    },
+  };
+
+  const content = yaml.stringify(shareData);
+
+  // Create a GitHub Gist
+  process.stdout.write(`📤 Sharing profile "${profileName}" as ${username}/${profileName}...\n`);
+
+  const gistRes = spawnSync("gh", [
+    "gist", "create",
+    "--public",
+    "--desc", `cue profile: ${profileName} — ${profile.description}`,
+    "--filename", `${profileName}.cue-profile.yaml`,
+    "-"
+  ], {
+    input: content,
+    encoding: "utf8",
+    timeout: 15000,
+  });
+
+  if (gistRes.status !== 0) {
+    process.stderr.write(`Failed to create gist: ${gistRes.stderr}\n`);
+    return 1;
+  }
+
+  const gistUrl = gistRes.stdout.trim();
+
+  process.stdout.write(`\n✅ Profile shared!\n\n`);
+  process.stdout.write(`  🔗 ${gistUrl}\n`);
+  process.stdout.write(`  📋 Others install with: cue share install ${username}/${profileName}\n\n`);
+  process.stdout.write(`  Profile: ${profile.icon} ${profileName}\n`);
+  process.stdout.write(`  Skills:  ${profile.skills.local.length}\n`);
+  process.stdout.write(`  MCPs:    ${profile.mcps.length}\n`);
+  process.stdout.write(`  Author:  ${username}\n\n`);
+
+  // Save the share record locally
+  const sharesFile = join(homedir(), ".config", "cue", "shares.json");
+  mkdirSync(dirname(sharesFile), { recursive: true });
+  let shares: Record<string, unknown>[] = [];
+  try { shares = JSON.parse(readFileSync(sharesFile, "utf8")); } catch {}
+  shares.push({ id: `${username}/${profileName}`, url: gistUrl, ts: new Date().toISOString() });
+  writeFileSync(sharesFile, JSON.stringify(shares, null, 2));
+
+  return 0;
+}
+
+async function cmdBrowse(args: string[]): Promise<number> {
+  const query = args.filter(a => !a.startsWith("-")).join(" ");
+
+  // Search GitHub Gists with cue-profile tag
+  process.stdout.write(`🔍 Searching shared cue profiles${query ? ` for "${query}"` : ""}...\n\n`);
+
+  const searchQuery = `cue profile ${query}`.trim();
+  const res = spawnSync("gh", [
+    "search", "code",
+    "--json", "repository,path,textMatch",
+    "--limit", "10",
+    "filename:cue-profile.yaml", searchQuery,
+  ], { encoding: "utf8", timeout: 15000 });
+
+  if (res.status !== 0) {
+    // Fallback: search gists
+    const gistRes = spawnSync("gh", [
+      "gist", "list", "--public", "--limit", "10"
+    ], { encoding: "utf8", timeout: 10000 });
+
+    if (gistRes.stdout.trim()) {
+      process.stdout.write("  Recent public gists (filter by 'cue-profile'):\n\n");
+      process.stdout.write(gistRes.stdout);
+    } else {
+      process.stdout.write("  No shared profiles found yet.\n");
+      process.stdout.write("  Be the first! Run: cue share <profile>\n");
+    }
+    return 0;
+  }
+
+  try {
+    const results = JSON.parse(res.stdout);
+    if (!results.length) {
+      process.stdout.write("  No shared profiles found.\n");
+      process.stdout.write("  Be the first! Run: cue share <profile>\n");
+      return 0;
+    }
+    for (const r of results) {
+      const repo = r.repository?.fullName ?? "unknown";
+      process.stdout.write(`  📦 ${repo}\n`);
+      process.stdout.write(`     ${r.path}\n\n`);
+    }
+  } catch {
+    process.stdout.write("  Could not parse results. Try: cue share browse\n");
+  }
+
+  return 0;
+}
+
+async function cmdInstall(id: string): Promise<number> {
+  if (!id) {
+    process.stderr.write("Usage: cue share install <user/profile>\n");
+    return 1;
+  }
+
+  const [user, name] = id.includes("/") ? id.split("/") : [null, id];
+
+  if (!user) {
+    process.stderr.write("Specify user: cue share install <user>/<profile>\n");
+    return 1;
+  }
+
+  process.stdout.write(`📥 Installing profile "${id}"...\n`);
+
+  // Try to find the gist
+  const res = spawnSync("gh", [
+    "gist", "list", "--public", "--limit", "50"
+  ], { encoding: "utf8", timeout: 10000 });
+
+  // Alternative: try fetching from a known URL pattern
+  const gistUrl = `https://gist.githubusercontent.com/${user}/raw/${name}.cue-profile.yaml`;
+
+  try {
+    const fetchRes = await fetch(gistUrl, { signal: AbortSignal.timeout(10000) });
+    if (fetchRes.ok) {
+      const content = await fetchRes.text();
+      const yaml = require("yaml");
+      const parsed = yaml.parse(content);
+      const profileName = parsed.name ?? name;
+
+      const profileDir = join(PROFILES_DIR, profileName!);
+      mkdirSync(profileDir, { recursive: true });
+
+      // Convert shared format back to profile.yaml
+      const profileYaml: Record<string, unknown> = {
+        name: profileName,
+        description: parsed.description ?? `Shared by ${user}`,
+        icon: parsed.icon ?? "📦",
+      };
+      if (parsed.skills?.local?.length) profileYaml.skills = { local: parsed.skills.local };
+      if (parsed.mcps?.length) profileYaml.mcps = parsed.mcps;
+
+      writeFileSync(join(profileDir, "profile.yaml"), yaml.stringify(profileYaml));
+      process.stdout.write(`✅ Installed "${profileName}" from ${user}\n`);
+      process.stdout.write(`   Activate: echo ${profileName} > .cue-profile\n`);
+      return 0;
+    }
+  } catch { /* gist not found at that URL */ }
+
+  // Fallback: use cue import
+  process.stdout.write(`  Could not find gist. Try: cue import https://gist.github.com/${user}/<gist-id>/raw\n`);
+  return 1;
+}

package/src/commands/status.ts

@@ -35,20 +35,18 @@ function quickDiagnose(profileName: string, profile: any): Warning[] {
   // Check skills exist on disk
   for (const s of profile.skills.local) {
     const id = s.id ?? s;
-    // Try to find the skill in any category
+    if (typeof id === "string" && id.includes("*")) continue; // skip wildcards
+    // Try direct path first (category/slug format)
+    if (existsSync(join(SKILLS_ROOT, id, "SKILL.md"))) continue;
+    // Try to find the skill in any category (bare slug)
     let found = false;
     try {
       const cats = readdirSync(SKILLS_ROOT, { withFileTypes: true });
       for (const cat of cats) {
         if (!cat.isDirectory()) continue;
-        const skillDir = join(SKILLS_ROOT, cat.name, id);
-        if (existsSync(join(skillDir, "SKILL.md"))) { found = true; break; }
+        if (existsSync(join(SKILLS_ROOT, cat.name, id, "SKILL.md"))) { found = true; break; }
       }
     } catch { /* skip */ }
-    if (!found && typeof id === "string" && !id.includes("/")) {
-      // Could be a category/slug ref — check directly
-      if (existsSync(join(SKILLS_ROOT, id, "SKILL.md"))) found = true;
-    }
     if (!found) {
       warnings.push({ code: "D1", message: `skill "${id}" not found on disk` });
     }

package/src/commands/tree.ts

@@ -2,8 +2,10 @@
  * `cue tree [profile]` — visualize profile inheritance tree.
  */
 
+import { resolve } from "node:path";
 import { loadProfile } from "../lib/profile-loader";
 import { resolveProfileForCwd } from "../lib/cwd-resolver";
+import { detectKittyTerminal, transmitKittyImage, kittyPlaceholderLabel } from "../lib/kitty-image";
 
 export async function run(args: string[]): Promise<number> {
   const json = args.includes("--json");
@@ -18,6 +20,19 @@ export async function run(args: string[]): Promise<number> {
 
   const profile = await loadProfile(profileName!);
   const chain = profile.inheritanceChain;
+  const kitty = await detectKittyTerminal();
+  const profilesRoot = resolve(new URL(import.meta.url).pathname, "..", "..", "..", "profiles");
+  let nextImageId = 1;
+
+  function getIcon(p: any, name: string): string {
+    if (kitty && p.iconImage && nextImageId <= 255) {
+      const imgPath = resolve(profilesRoot, name, p.iconImage);
+      const id = nextImageId++;
+      transmitKittyImage(imgPath, id, 2, 1);
+      return kittyPlaceholderLabel(id, 2, 1);
+    }
+    return p.icon ?? "";
+  }
 
   if (json) {
     const tree = {
@@ -33,7 +48,7 @@ export async function run(args: string[]): Promise<number> {
   }
 
   // Build visual tree
-  const icon = profile.icon ?? "";
+  const icon = getIcon(profile, profileName!);
   process.stdout.write(`${icon} ${profileName}\n`);
 
   // Show inheritance chain (ancestors)
@@ -42,7 +57,7 @@ export async function run(args: string[]): Promise<number> {
       const ancestor = chain[i]!;
       try {
         const ancestorProfile = await loadProfile(ancestor);
-        const aIcon = ancestorProfile.icon ?? "";
+        const aIcon = getIcon(ancestorProfile, ancestor);
         const indent = "│   ".repeat(chain.length - 1 - i);
         process.stdout.write(`${indent}└── ${aIcon} ${ancestor}\n`);