cue-ai 0.9.0 → 0.9.2

package/src/commands/dash.ts

@@ -0,0 +1,194 @@
+/**
+ * `cue dash` — a thin CLI over the running cue studio dashboard's REST API
+ * (`cue dashboard`, default http://127.0.0.1:7891/api/v1/*). Read subcommands
+ * query live profile/skill/MCP/gap data; mutating ones add an MCP to a profile,
+ * kill a session, or run a merge. The dashboard must be running.
+ *
+ * The MCP server (resources/mcps/cue-dashboard) wraps the same endpoints as
+ * tools; both are independent HTTP clients — dashboard-server.ts is the only
+ * source of truth.
+ */
+
+const DEFAULT_PORT = 7891;
+const DEFAULT_HOST = "127.0.0.1";
+
+export interface DashArgs {
+  sub: string;
+  rest: string[];
+  port: number;
+  host: string;
+  json: boolean;
+  sigkill: boolean;
+  as?: string;
+  help: boolean;
+}
+
+/** Parse `cue dash` argv: `<sub> [positional...] [--port N] [--host H] [--json] [--sigkill] [--as name]`. */
+export function parseDashArgs(argv: string[]): DashArgs {
+  const out: DashArgs = {
+    sub: "",
+    rest: [],
+    port: Number(process.env.CUE_DASH_PORT) || DEFAULT_PORT,
+    host: process.env.CUE_DASH_HOST || DEFAULT_HOST,
+    json: false,
+    sigkill: false,
+    help: false,
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i]!;
+    if (a === "--help" || a === "-h") out.help = true;
+    else if (a === "--json") out.json = true;
+    else if (a === "--sigkill") out.sigkill = true;
+    else if (a === "--port") { const v = Number(argv[++i]); if (Number.isFinite(v) && v > 0 && v < 65536) out.port = v; }
+    else if (a === "--host") { const v = argv[++i]; if (v) out.host = v; }
+    else if (a === "--as") { const v = argv[++i]; if (v) out.as = v; }
+    else if (!out.sub) out.sub = a;
+    else out.rest.push(a);
+  }
+  return out;
+}
+
+/** Build the absolute API URL for a path + optional query. Exported for tests. */
+export function dashUrl(host: string, port: number, path: string, query?: Record<string, string>): string {
+  const qs = query && Object.keys(query).length > 0 ? "?" + new URLSearchParams(query).toString() : "";
+  return `http://${host}:${port}/api/v1${path}${qs}`;
+}
+
+type Envelope<T> = { ok: true; data: T } | { ok: false; error: string };
+
+/**
+ * Fetch one API path and unwrap the `{ok, data|error}` envelope. Throws on a
+ * `{ok:false}` body (message = the server's `error`) and on a refused
+ * connection (the dashboard isn't running) with an actionable hint.
+ */
+export async function dashFetch<T = unknown>(
+  args: Pick<DashArgs, "host" | "port">,
+  path: string,
+  opts: { query?: Record<string, string>; method?: "GET" | "POST"; body?: unknown } = {},
+): Promise<T> {
+  const url = dashUrl(args.host, args.port, path, opts.query);
+  let res: Response;
+  try {
+    res = await fetch(url, {
+      method: opts.method ?? "GET",
+      headers: opts.body ? { "content-type": "application/json" } : undefined,
+      body: opts.body ? JSON.stringify(opts.body) : undefined,
+    });
+  } catch (err) {
+    throw new Error(
+      `cannot reach the dashboard at ${args.host}:${args.port} (${(err as Error).message}). ` +
+        `Start it with \`cue dashboard\`.`,
+    );
+  }
+  let env: Envelope<T>;
+  try { env = (await res.json()) as Envelope<T>; }
+  catch { throw new Error(`dashboard returned non-JSON (HTTP ${res.status}) for ${path}`); }
+  if (!env.ok) throw new Error(env.error);
+  return env.data;
+}
+
+/** Subcommand → how to call the API. Pure data so the help text and the MCP can mirror it. */
+interface Route {
+  summary: string;
+  build: (a: DashArgs) => { path: string; query?: Record<string, string>; method?: "POST"; body?: unknown };
+  mutating?: boolean;
+}
+
+export const ROUTES: Record<string, Route> = {
+  status: { summary: "dashboard + runtime status", build: () => ({ path: "/status" }) },
+  profiles: { summary: "all profiles with counts", build: () => ({ path: "/profiles" }) },
+  profile: {
+    summary: "one profile's resolved skills/mcps/plugins/commands (arg: <name>)",
+    build: (a) => ({ path: "/profile-detail", query: { profile: a.rest[0] ?? "" } }),
+  },
+  "trigger-gaps": {
+    summary: "skills that matched a prompt but never fired (arg: [profile])",
+    build: (a) => ({ path: "/trigger-gaps", query: a.rest[0] ? { profile: a.rest[0] } : undefined }),
+  },
+  "skill-report": { summary: "per-skill usage report", build: () => ({ path: "/skill-report" }) },
+  pairs: { summary: "profile pair-affinity suggestions", build: () => ({ path: "/pairs" }) },
+  sessions: { summary: "active cue sessions", build: () => ({ path: "/active-sessions" }) },
+  mcps: { summary: "the MCP catalog cue knows about", build: () => ({ path: "/mcps/catalog" }) },
+  plugins: { summary: "plugins discovered on the machine", build: () => ({ path: "/plugins/discovered" }) },
+  timeline: { summary: "telemetry timeline", build: () => ({ path: "/telemetry/timeline" }) },
+  "add-mcp": {
+    summary: "add an MCP to a profile (args: <profile> <mcp>)",
+    mutating: true,
+    build: (a) => ({ path: "/mcps/add", method: "POST", body: { profile: a.rest[0], id: a.rest[1] } }),
+  },
+  kill: {
+    summary: "kill a cue session by pid (arg: <pid>, --sigkill for SIGKILL)",
+    mutating: true,
+    build: (a) => ({ path: "/sessions/kill", method: "POST", body: { pid: Number(a.rest[0]), signal: a.sigkill ? "SIGKILL" : "SIGTERM" } }),
+  },
+  "merge-preview": {
+    summary: "preview merging 2+ profiles (args: <name> <name> ...)",
+    mutating: false,
+    build: (a) => ({ path: "/merge/preview", method: "POST", body: { names: a.rest } }),
+  },
+  "merge-save": {
+    summary: "save a merge of 2+ profiles (args: <name> <name> ... [--as <name>])",
+    mutating: true,
+    build: (a) => ({ path: "/merge/save", method: "POST", body: { names: a.rest, name: a.as } }),
+  },
+};
+
+function helpText(): string {
+  const rows = Object.entries(ROUTES)
+    .map(([k, r]) => `  ${k.padEnd(15)} ${r.summary}${r.mutating ? "  [mutates]" : ""}`)
+    .join("\n");
+  return [
+    "cue dash — query and drive the running cue studio dashboard",
+    "",
+    "Usage: cue dash <subcommand> [args] [--port N] [--host H] [--json]",
+    "",
+    "Subcommands:",
+    rows,
+    "",
+    "Defaults: --host 127.0.0.1 --port 7891 (override with CUE_DASH_HOST/CUE_DASH_PORT).",
+    "Requires `cue dashboard` to be running.",
+    "",
+  ].join("\n");
+}
+
+/**
+ * Write to stdout and wait until it has flushed to the OS. `cue` exits via
+ * `process.exit()` (src/index.ts), which does NOT drain a pending stdout
+ * buffer — so a large payload piped to another process (`cue dash profile X |
+ * jq`) would be truncated. Awaiting the write callback blocks until the reader
+ * has drained the pipe, so the full output always lands.
+ */
+function writeOut(s: string): Promise<void> {
+  return new Promise<void>((resolve) => {
+    process.stdout.write(s, () => resolve());
+  });
+}
+
+export async function run(argv: string[]): Promise<number> {
+  const a = parseDashArgs(argv);
+  if (a.help || !a.sub) {
+    process.stdout.write(helpText());
+    return a.sub ? 0 : a.help ? 0 : 1;
+  }
+  const route = ROUTES[a.sub];
+  if (!route) {
+    process.stderr.write(`unknown subcommand: ${a.sub}\n\n${helpText()}`);
+    return 1;
+  }
+  // Guard required positionals so we fail fast with a clear message, not a
+  // server-side "missing-profile" / NaN-pid.
+  if (a.sub === "profile" && !a.rest[0]) { process.stderr.write("profile: needs a profile name\n"); return 1; }
+  if (a.sub === "add-mcp" && (!a.rest[0] || !a.rest[1])) { process.stderr.write("add-mcp: needs <profile> <mcp>\n"); return 1; }
+  if (a.sub === "kill" && !Number.isFinite(Number(a.rest[0]))) { process.stderr.write("kill: needs a numeric <pid>\n"); return 1; }
+
+  const spec = route.build(a);
+  try {
+    const data = await dashFetch(a, spec.path, { query: spec.query, method: spec.method, body: spec.body });
+    if (route.mutating && !a.json) await writeOut(`✓ ${a.sub}: done\n`);
+    await writeOut(JSON.stringify(data, null, a.json ? 0 : 2) + "\n");
+    return 0;
+  } catch (err) {
+    process.stderr.write(`✗ ${a.sub}: ${(err as Error).message}\n`);
+    return 1;
+  }
+}

package/src/commands/dashboard.ts

@@ -48,6 +48,32 @@ async function toWebRequest(req: IncomingMessage, origin: string): Promise<Reque
 async function writeWebResponse(res: Response, out: ServerResponse): Promise<void> {
   const headers: Record<string, string> = {};
   res.headers.forEach((v, k) => { headers[k] = v; });
+
+  // Streaming bodies (Server-Sent Events) must be piped chunk-by-chunk, not
+  // buffered — `await res.arrayBuffer()` on a never-ending stream would hang
+  // forever and the client would never see an event.
+  const isStream = (headers["content-type"] ?? "").includes("text/event-stream");
+  if (isStream && res.body) {
+    out.writeHead(res.status, headers);
+    out.flushHeaders();
+    const reader = res.body.getReader();
+    // Client disconnect → cancel the reader so the stream's interval timers stop.
+    const onClose = () => { void reader.cancel().catch(() => { /* already gone */ }); };
+    out.on("close", onClose);
+    try {
+      for (;;) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        out.write(Buffer.from(value));
+      }
+    } catch { /* client went away mid-write */ }
+    finally {
+      out.off("close", onClose);
+      out.end();
+    }
+    return;
+  }
+
   out.writeHead(res.status, headers);
   const buf = Buffer.from(await res.arrayBuffer());
   out.end(buf);

package/src/commands/diff.ts

@@ -3,7 +3,7 @@
  * `cue diff --live <target>` — show impact of switching from current to target.
  */
 
-import { existsSync, readFileSync } from "node:fs";
+import { readFileSync } from "node:fs";
 import { join, resolve, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 

package/src/commands/discover.test.ts

@@ -5,7 +5,7 @@
 
 import { describe, expect, test, beforeEach, afterEach } from "bun:test";
 import { mkdirSync, writeFileSync, rmSync, existsSync, readFileSync, readdirSync } from "node:fs";
-import { tmpdir, homedir } from "node:os";
+import { tmpdir, } from "node:os";
 import { join } from "node:path";
 
 import { run as discoverRun } from "./discover";

package/src/commands/discover.ts

@@ -16,10 +16,11 @@ import { resolve, dirname, join } from "node:path";
 import { fileURLToPath } from "node:url";
 import { homedir } from "node:os";
 
-import { loadProfile, listProfiles } from "../lib/profile-loader";
+import { listProfiles } from "../lib/profile-loader";
 import { clusterByKeywords, clusterByEmbeddings, unclustered, type Cluster, type ClusterItem } from "../lib/cluster-skills";
 import { findRealClaudeBin } from "../lib/claude-binary";
 import { fetchCompanionFiles, detectSkillPath } from "../lib/companion-fetch";
+import { gateFreshSkill } from "./security";
 
 const REPO_ROOT = process.env.CUE_REPO_ROOT ?? process.env.SOUL_REPO_ROOT ?? resolve(dirname(fileURLToPath(import.meta.url)), "..", "..");
 // Cache path resolved lazily so tests can redirect via XDG_CONFIG_HOME without
@@ -521,11 +522,11 @@ export function applyFilters(gems: GemRepo[], f: GemFilter): GemRepo[] {
 // Profile suggestion (keyword matching)
 // ---------------------------------------------------------------------------
 
-const PROFILE_KEYWORDS: Record<string, string[]> = {
+export const PROFILE_KEYWORDS: Record<string, string[]> = {
   backend: ["api", "server", "express", "fastapi", "django", "flask", "webhook", "database", "sql", "graphql", "deploy", "docker", "kubernetes", "microservice", "redis", "postgres", "mongo", "supabase", "prisma"],
   frontend: ["react", "vue", "svelte", "nextjs", "css", "tailwind", "component", "browser", "dom", "ui", "ux", "responsive", "animation", "spa"],
   nextjs: ["nextjs", "next.js", "vercel", "app-router", "server-component", "next-auth"],
-  "python-api": ["python", "fastapi", "django", "flask", "sqlalchemy", "pytest", "pip", "uvicorn", "pydantic", "celery"],
+  "python": ["python", "fastapi", "django", "flask", "sqlalchemy", "pytest", "pip", "uvicorn", "pydantic", "celery"],
   rust: ["rust", "cargo", "tokio", "crate", "wasm", "async-std"],
   "go-api": ["golang", "gin", "echo", "chi", "gorm", "goroutine"],
   cybersecurity: ["security", "pentest", "vulnerability", "exploit", "forensic", "dfir", "red-team", "blue-team", "malware", "audit", "cve", "owasp", "threat", "osint", "recon", "dork", "credential", "phishing"],
@@ -535,7 +536,7 @@ const PROFILE_KEYWORDS: Record<string, string[]> = {
   threejs: ["three.js", "threejs", "webgl", "shader", "3d", "scene", "geometry"],
   video: ["video", "ffmpeg", "transcription", "frame", "subtitle", "stream", "recording", "youtube"],
   marketing: ["seo", "marketing", "copywriting", "growth", "conversion", "analytics", "campaign", "funnel", "landing-page"],
-  medusa: ["medusa", "ecommerce", "storefront", "shop", "cart", "checkout", "product-catalog", "amazon", "seller"],
+  "medusa-dev": ["medusa", "ecommerce", "storefront", "shop", "cart", "checkout", "product-catalog", "amazon", "seller"],
   "fleet-control": ["multi-agent", "orchestrat", "coordinator", "dispatch", "parallel", "swarm", "colony"],
 };
 
@@ -554,8 +555,8 @@ const NICHE_SUBJECT_HINTS: RegExp[] = [
   /\b(bilibili|spotify|reddit|bbc|wechat|notion|jira|servicenow|obsidian|home\s?assistant|farming\s?simulator|gospel|grant)\b/i,
 ];
 
-const STACK_PROFILES: ReadonlySet<string> = new Set([
-  "frontend", "backend", "nextjs", "python-api", "rust", "go-api", "threejs",
+export const STACK_PROFILES: ReadonlySet<string> = new Set([
+  "frontend", "backend", "nextjs", "python", "rust", "go-api", "threejs",
 ]);
 
 export function suggestProfiles(repo: GemRepo): string[] {
@@ -588,7 +589,7 @@ export function suggestProfiles(repo: GemRepo): string[] {
     }
 
     // Language-based boost
-    if (profile === "python-api" && lang === "python") hits += 2;
+    if (profile === "python" && lang === "python") hits += 2;
     if (profile === "rust" && lang === "rust") hits += 2;
     if (profile === "go-api" && lang === "go") hits += 2;
     if (profile === "frontend" && (lang === "typescript" || lang === "javascript")) hits += 1;
@@ -656,7 +657,7 @@ export function buildProfileQueries(profile: string): { q: string; label: string
     backend: ["api server deploy", "webhook microservice", "database migration", "docker kubernetes skill", "ci cd pipeline"],
     frontend: ["react component skill", "ui design system", "tailwind css", "browser testing", "responsive web"],
     nextjs: ["nextjs skill", "next.js vercel", "app router server component", "next-auth"],
-    "python-api": ["python fastapi skill", "django api", "flask sqlalchemy", "pytest automation"],
+    "python": ["python fastapi skill", "django api", "flask sqlalchemy", "pytest automation"],
     rust: ["rust cargo skill", "rust cli tool", "tokio async", "rust wasm"],
     "go-api": ["golang api skill", "go gin echo", "golang microservice"],
     cybersecurity: ["security audit skill", "pentest tool", "vulnerability scanner", "red team blue team", "threat detection"],
@@ -666,7 +667,7 @@ export function buildProfileQueries(profile: string): { q: string; label: string
     threejs: ["three.js skill", "webgl shader", "3d scene interactive"],
     video: ["video processing skill", "ffmpeg automation", "transcription subtitle", "youtube tool"],
     marketing: ["seo optimization skill", "marketing automation", "copywriting ai", "conversion funnel", "growth hacking"],
-    medusa: ["medusa ecommerce", "storefront skill", "shopping cart", "product catalog", "amazon seller"],
+    "medusa-dev": ["medusa ecommerce", "storefront skill", "shopping cart", "product catalog", "amazon seller"],
     "fleet-control": ["multi-agent orchestration", "agent coordinator", "parallel agent", "task dispatch"],
     coolify: ["coolify deploy", "self-hosted paas", "server management"],
     hostinger: ["hosting dns", "vps management", "domain config"],
@@ -1010,7 +1011,7 @@ tags: [claude-code, ${profile}, skills, mcp, ai-agents]
 
 `;
   md += `# Claude Code Skills for \`${profile}\`\n\n`;
-  md += `> ${gems.length} community-built skills curated by [cue](https://github.com/opencue/claude-code-skills) for the **${profile}** profile.\n`;
+  md += `> ${gems.length} community-built skills curated by [cue](https://github.com/opencue/cuecards) for the **${profile}** profile.\n`;
   md += `> Each one was discovered via GitHub Code Search, scored on signal quality, and mapped to this profile by keyword overlap.\n\n`;
   md += `**[← back to all discovered skills](./index.md)**\n\n---\n\n`;
 
@@ -1032,7 +1033,7 @@ tags: [claude-code, ${profile}, skills, mcp, ai-agents]
     }
     md += `\`\`\`bash\ncue skills add ${gem.full_name} --profile ${profile}\n\`\`\`\n\n---\n\n`;
   }
-  md += `## About this list\n\nGenerated by [cue](https://github.com/opencue/claude-code-skills) — an open-source agent profile manager. cue runs nightly GitHub Code Search for \`filename:SKILL.md\` and scores each repo by recency, skill format, MCP integration, and engagement signals.\n\n**Authors:** if you'd rather not be listed, add \`<!-- cue: ignore -->\` to your README — we respect it permanently. Want to opt in explicitly? Add \`<!-- cue: ok -->\`.\n\n`;
+  md += `## About this list\n\nGenerated by [cue](https://github.com/opencue/cuecards) — an open-source agent profile manager. cue runs nightly GitHub Code Search for \`filename:SKILL.md\` and scores each repo by recency, skill format, MCP integration, and engagement signals.\n\n**Authors:** if you'd rather not be listed, add \`<!-- cue: ignore -->\` to your README — we respect it permanently. Want to opt in explicitly? Add \`<!-- cue: ok -->\`.\n\n`;
   return md;
 }
 
@@ -1048,7 +1049,7 @@ tags: [claude-code, skills, mcp, ai-agents, marketplace]
 
 # 🎯 Discovered Claude Code Skills
 
-> **${totalGems} hidden-gem skills** discovered by [cue](https://github.com/opencue/claude-code-skills) across **${byProfile.size} profiles**.
+> **${totalGems} hidden-gem skills** discovered by [cue](https://github.com/opencue/cuecards) across **${byProfile.size} profiles**.
 > Last updated: ${updated.split("T")[0]} · refreshed nightly via GitHub Code Search.
 
 ## Browse by profile
@@ -1062,7 +1063,7 @@ tags: [claude-code, skills, mcp, ai-agents, marketplace]
     md += `| [**${profile}**](./${profile}.md) | ${gems.length} | ${samples} |\n`;
   }
   md += `\n## How scoring works\n\n| Tier | Score | Meaning |\n|---|---|---|\n| 💎 exceptional | 8+ | Active repo, proper skill format, low star count (true hidden gem) |\n| ✨ strong | 5–7 | Good signal mix — proven format or active maintainer |\n| 🔹 potential | 3–4 | Some signal — worth a look |\n\n`;
-  md += `## Use cue to install any of these\n\n\`\`\`bash\nnpx cue@latest\ncue skills add owner/repo --profile <profile>\n\`\`\`\n\n## About cue\n\ncue is an agent profile manager for Claude Code and Codex CLI. [github.com/opencue/claude-code-skills](https://github.com/opencue/claude-code-skills)\n`;
+  md += `## Use cue to install any of these\n\n\`\`\`bash\nnpx cue@latest\ncue skills add owner/repo --profile <profile>\n\`\`\`\n\n## About cue\n\ncue is an agent profile manager for Claude Code and Codex CLI. [github.com/opencue/cuecards](https://github.com/opencue/cuecards)\n`;
   return md;
 }
 
@@ -1113,21 +1114,21 @@ function buildIndexHtml(byProfile: Map<string, GemRepo[]>, totalGems: number, up
 <meta property="og:title" content="Discovered Claude Code Skills · cue">
 <meta property="og:description" content="${totalGems} community Claude Code skills curated by cue.">
 <meta property="og:type" content="website">
-<link rel="canonical" href="https://opencue.github.io/cue/discovered/">
+<link rel="canonical" href="https://opencue.github.io/cuecards/discovered/">
 <style>body{font:16px/1.6 -apple-system,sans-serif;max-width:760px;margin:2em auto;padding:0 1em;color:#222}table{border-collapse:collapse;width:100%}th,td{padding:.5em .75em;border-bottom:1px solid #eee;text-align:left}code{background:#f4f4f4;padding:1px 5px;border-radius:3px;font-size:.9em}a{color:#0a58ca;text-decoration:none}a:hover{text-decoration:underline}</style>
 <script type="application/ld+json">
 ${jsonLd}
 </script>
 </head><body>
 <h1>🎯 Discovered Claude Code Skills</h1>
-<p><strong>${totalGems} hidden-gem skills</strong> discovered by <a href="https://github.com/opencue/claude-code-skills">cue</a> across <strong>${byProfile.size} profiles</strong>.</p>
+<p><strong>${totalGems} hidden-gem skills</strong> discovered by <a href="https://github.com/opencue/cuecards">cue</a> across <strong>${byProfile.size} profiles</strong>.</p>
 <p><small>Last updated: ${updated.split("T")[0]} · refreshed nightly via GitHub Code Search.</small></p>
 <h2>Browse by profile</h2>
 <table><thead><tr><th>Profile</th><th>Skills</th><th>Sample</th></tr></thead>
 <tbody>
 ${rows}
 </tbody></table>
-<p><a href="https://github.com/opencue/claude-code-skills">github.com/opencue/claude-code-skills</a></p>
+<p><a href="https://github.com/opencue/cuecards">github.com/opencue/cuecards</a></p>
 </body></html>
 `;
 }
@@ -1156,7 +1157,7 @@ function buildProfileHtml(profile: string, gems: GemRepo[], updated: string): st
 <meta name="description" content="${gems.length} community Claude Code skills for ${profile}, curated by cue. Discovered via GitHub Code Search, scored on signal quality.">
 <meta property="og:title" content="Claude Code Skills for ${profile} · cue">
 <meta property="og:description" content="${gems.length} skills for ${profile}, curated by cue.">
-<link rel="canonical" href="https://opencue.github.io/cue/discovered/${profile}.html">
+<link rel="canonical" href="https://opencue.github.io/cuecards/discovered/${profile}.html">
 <style>body{font:16px/1.6 -apple-system,sans-serif;max-width:760px;margin:2em auto;padding:0 1em;color:#222}article{border-bottom:1px solid #eee;padding:1em 0}pre{background:#f4f4f4;padding:.6em;border-radius:4px;overflow-x:auto}a{color:#0a58ca;text-decoration:none}a:hover{text-decoration:underline}</style>
 <script type="application/ld+json">
 ${jsonLd}
@@ -1164,7 +1165,7 @@ ${jsonLd}
 </head><body>
 <p><a href="./index.html">← back to all profiles</a></p>
 <h1>Claude Code Skills for <code>${profile}</code></h1>
-<p>${gems.length} skills discovered by <a href="https://github.com/opencue/claude-code-skills">cue</a>. Last updated ${updated.split("T")[0]}.</p>
+<p>${gems.length} skills discovered by <a href="https://github.com/opencue/cuecards">cue</a>. Last updated ${updated.split("T")[0]}.</p>
 ${cards}
 </body></html>
 `;
@@ -1220,7 +1221,7 @@ cue skills add ${gem.full_name}${gem.suggested_profiles[0] ? ` --profile ${gem.s
 
 ## About
 
-This page was auto-generated by [cue](https://github.com/opencue/claude-code-skills) — an open-source agent profile manager for Claude Code, Codex, Cursor, Cline, Gemini, Copilot, and 4 other AI coding agents. cue scopes skills + MCPs + plugins per-directory so each project only loads what it needs.
+This page was auto-generated by [cue](https://github.com/opencue/cuecards) — an open-source agent profile manager for Claude Code, Codex, Cursor, Cline, Gemini, Copilot, and 4 other AI coding agents. cue scopes skills + MCPs + plugins per-directory so each project only loads what it needs.
 
 **Repo author:** if you'd rather we don't list this skill, add \`<!-- cue: ignore -->\` to your README and we'll skip it permanently.
 
@@ -1259,7 +1260,7 @@ function buildRepoHtml(gem: GemRepo, updated: string): string {
 <meta name="description" content="${desc.replace(/"/g, "&quot;")}">
 <meta property="og:title" content="${gem.full_name} — Claude Code skill">
 <meta property="og:description" content="${desc.replace(/"/g, "&quot;")}">
-<link rel="canonical" href="https://opencue.github.io/cue/discovered/skills/${gem.full_name.replace("/", "-").toLowerCase()}.html">
+<link rel="canonical" href="https://opencue.github.io/cuecards/discovered/skills/${gem.full_name.replace("/", "-").toLowerCase()}.html">
 <style>body{font:16px/1.6 -apple-system,sans-serif;max-width:760px;margin:2em auto;padding:0 1em;color:#222}code{background:#f4f4f4;padding:1px 5px;border-radius:3px;font-size:.9em}pre{background:#f4f4f4;padding:.6em;border-radius:4px;overflow-x:auto}a{color:#0a58ca;text-decoration:none}a:hover{text-decoration:underline}</style>
 <script type="application/ld+json">
 ${JSON.stringify(jsonLd, null, 2)}
@@ -1276,7 +1277,7 @@ ${JSON.stringify(jsonLd, null, 2)}
 cue skills add ${gem.full_name}${gem.suggested_profiles[0] ? ` --profile ${gem.suggested_profiles[0]}` : ""}</code></pre>
 <p><a href="${gem.url}">View repo on GitHub →</a></p>
 <hr>
-<p><small>This page was auto-generated by <a href="https://github.com/opencue/claude-code-skills">cue</a>. Repo authors can opt out by adding <code>&lt;!-- cue: ignore --&gt;</code> to their README.</small></p>
+<p><small>This page was auto-generated by <a href="https://github.com/opencue/cuecards">cue</a>. Repo authors can opt out by adding <code>&lt;!-- cue: ignore --&gt;</code> to their README.</small></p>
 </body></html>
 `;
 }
@@ -1286,7 +1287,7 @@ cue skills add ${gem.full_name}${gem.suggested_profiles[0] ? ` --profile ${gem.s
 // ---------------------------------------------------------------------------
 
 function buildSitemap(byProfile: Map<string, GemRepo[]>, gems: GemRepo[], updated: string): string {
-  const base = "https://opencue.github.io/cue/discovered";
+  const base = "https://opencue.github.io/cuecards/discovered";
   const date = updated.split("T")[0];
   const urls: string[] = [];
   urls.push(`<url><loc>${base}/index.html</loc><lastmod>${date}</lastmod><changefreq>daily</changefreq><priority>1.0</priority></url>`);
@@ -1415,7 +1416,7 @@ Want out? Add \`<!-- cue: ignore -->\` to your README.
 ---
 
 <p align="center">
-  <a href="https://github.com/opencue/claude-code-skills">
+  <a href="https://github.com/opencue/cuecards">
     <img src="https://img.shields.io/badge/powered_by-cue-6366f1?style=flat-square&labelColor=1e1b4b" alt="powered by cue">
   </a>
 </p>
@@ -1568,7 +1569,7 @@ const NOTIFY_LOG = join(
 
 interface NotifyLog {
   notified: Record<string, { date: string; issueUrl: string }>;
-  // Daily digest discussion posts in opencue/claude-code-skills, keyed by YYYY-MM-DD.
+  // Daily digest discussion posts in opencue/cuecards, keyed by YYYY-MM-DD.
   digests?: Record<string, { discussionUrl: string; gems: string[] }>;
 }
 
@@ -1587,10 +1588,10 @@ function saveNotifyLog(log: NotifyLog): void {
 }
 
 // ---------------------------------------------------------------------------
-// Daily digest discussion (in opencue/claude-code-skills) — lower-pressure analog to --notify
+// Daily digest discussion (in opencue/cuecards) — lower-pressure analog to --notify
 // ---------------------------------------------------------------------------
 
-const DIGEST_REPO = process.env.CUE_DIGEST_REPO ?? "opencue/claude-code-skills";
+const DIGEST_REPO = process.env.CUE_DIGEST_REPO ?? "opencue/cuecards";
 const DIGEST_CATEGORY_PREF = ["Discoveries", "Show and tell", "Announcements", "General"];
 
 interface DiscussionTarget { repoId: string; categoryId: string; categoryName: string }
@@ -1644,7 +1645,7 @@ function buildDigestBody(gems: GemRepo[], date: string): string {
     sections.push(`### \`${profile}\` (${list.length})\n\n${lines}`);
   }
 
-  return `> Daily digest from [\`cue discover\`](https://github.com/opencue/claude-code-skills) — repos newly indexed on **${date}**, grouped by profile.
+  return `> Daily digest from [\`cue discover\`](https://github.com/opencue/cuecards) — repos newly indexed on **${date}**, grouped by profile.
 
 cue scans GitHub for high-quality skill repos (\`SKILL.md\`, \`.claude/\`, MCP servers) and routes them into per-profile bundles for users of Claude Code, Codex, and other agents. Today we indexed **${gems.length}** gem(s) across **${byProfile.size}** profile(s).
 
@@ -1814,7 +1815,7 @@ ${cards.map((c, i) => {
   </g>`;
 }).join("\n")}
   <text class="footer" x="${padX}" y="${H - 14}">cue discovery engine · scored ${updated}</text>
-  <text class="footer" x="${W - padX}" y="${H - 14}" text-anchor="end">github.com/opencue/claude-code-skills</text>
+  <text class="footer" x="${W - padX}" y="${H - 14}" text-anchor="end">github.com/opencue/cuecards</text>
 </svg>`;
 }
 
@@ -1867,7 +1868,7 @@ ${heroBadges}
 
 <h2 align="center">💎 Your repo was added to cue's <code>${profile}</code> profile</h2>
 
-[**cue**](https://github.com/opencue/claude-code-skills) scans GitHub for high-quality skill repos and routes them to per-profile bundles for Claude Code & Codex users. \`${gem.full_name}\` cleared the discovery threshold (score **${gem.gem_score}**, tier **${t.tier}**) and is now auto-loaded for everyone on the **\`${profile}\`** profile.
+[**cue**](https://github.com/opencue/cuecards) scans GitHub for high-quality skill repos and routes them to per-profile bundles for Claude Code & Codex users. \`${gem.full_name}\` cleared the discovery threshold (score **${gem.gem_score}**, tier **${t.tier}**) and is now auto-loaded for everyone on the **\`${profile}\`** profile.
 
 ## Install (one line)
 
@@ -1887,7 +1888,7 @@ ${evidenceList}
 ${breakdownRows}
 | **${gem.gem_score}** | **Total** |
 
-[Full scoring rubric →](https://github.com/opencue/claude-code-skills/blob/main/src/commands/discover.ts)
+[Full scoring rubric →](https://github.com/opencue/cuecards/blob/main/src/commands/discover.ts)
 
 </details>
 
@@ -1897,22 +1898,22 @@ ${breakdownRows}
 |---|---|
 | \`cue discover\` results | ✅ Listed |
 | \`cue optimizer\` dashboard | ✅ Shown to all users on \`${profile}\` |
-| [\`docs/discovered.md\`](https://github.com/opencue/claude-code-skills/blob/main/docs/discovered.md) | ✅ Indexed |
+| [\`docs/discovered.md\`](https://github.com/opencue/cuecards/blob/main/docs/discovered.md) | ✅ Indexed |
 | GitHub backlink traffic | ✅ Active |
 
 ## Optional: README badge
 
 <p align="center">
-  <a href="https://github.com/opencue/claude-code-skills"><img src="${readmeBadge}" alt="cue hidden gem"></a>
+  <a href="https://github.com/opencue/cuecards"><img src="${readmeBadge}" alt="cue hidden gem"></a>
 </p>
 
 \`\`\`markdown
-[![cue hidden gem](${readmeBadge})](https://github.com/opencue/claude-code-skills)
+[![cue hidden gem](${readmeBadge})](https://github.com/opencue/cuecards)
 \`\`\`
 
 ---
 
-<sub>Opened by <a href="https://github.com/opencue/claude-code-skills"><code>cue discover install --notify</code></a>. One issue per repo, ever. To opt out, close this issue or <a href="https://github.com/opencue/claude-code-skills/issues/new">file an issue against cue</a>.</sub>`;
+<sub>Opened by <a href="https://github.com/opencue/cuecards"><code>cue discover install --notify</code></a>. One issue per repo, ever. To opt out, close this issue or <a href="https://github.com/opencue/cuecards/issues/new">file an issue against cue</a>.</sub>`;
 
   if (opts.dryRun) {
     process.stdout.write(`\n${wrap(ANSI.bold, "─── DRY RUN ───────────────────────────────────────────────────────────")}\n`);
@@ -1973,7 +1974,19 @@ async function cmdNotify(repo: string | undefined, opts: { profile?: string; dry
 // Auto-install CLI dependencies from skill's SKILL.md
 // ---------------------------------------------------------------------------
 
-export function autoInstallClis(skillName: string): void {
+/**
+ * Surface (and optionally install) the CLI prerequisites a skill declares in
+ * its `## Prerequisites` block.
+ *
+ * SECURITY: the prerequisite lines come from a SKILL.md that was just fetched
+ * from an arbitrary GitHub repo, so the commands are untrusted input. We never
+ * run a package installer parsed out of them unless the caller explicitly opts
+ * in with `{ yes: true }` (wired to the `--yes` flag). Without it we only print
+ * the prerequisites as warnings and let the user install them deliberately —
+ * otherwise a typosquatted skill repo with one crafted `## Prerequisites` line
+ * could trigger arbitrary global package installs (npm/brew/cargo/pipx).
+ */
+export function autoInstallClis(skillName: string, opts: { yes?: boolean } = {}): void {
   const skillsDir = join(homedir(), ".claude", "skills");
   const skillMdPath = join(skillsDir, skillName, "SKILL.md");
   if (!existsSync(skillMdPath)) return;
@@ -2017,6 +2030,19 @@ export function autoInstallClis(skillName: string): void {
 
   if (installCmds.length === 0) return;
 
+  // Consent gate: never auto-run installers parsed from an untrusted SKILL.md.
+  // Default is warn-only; the caller must pass `{ yes: true }` (via `--yes`) to
+  // actually install. Keeps `cue discover install` and the interactive wizard
+  // from silently mutating the global toolchain.
+  if (!opts.yes) {
+    process.stdout.write(`     ⚠️  ${skillName} declares CLI prerequisites (not auto-installed):\n`);
+    for (const { label } of installCmds) {
+      process.stdout.write(`          ${label}\n`);
+    }
+    process.stdout.write(`     Review them, then install manually or re-run with --yes to auto-install.\n`);
+    return;
+  }
+
   for (const { cmd, args, label } of installCmds) {
     // Check if the package manager exists
     if (spawnSync("which", [cmd], { encoding: "utf8" }).status !== 0) {
@@ -2037,7 +2063,7 @@ export function autoInstallClis(skillName: string): void {
 // Install gems into profiles
 // ---------------------------------------------------------------------------
 
-async function cmdInstall(opts: { profile?: string; minScore: number; minQuality: number; dryRun: boolean; all: boolean; notify: boolean; digest: boolean }): Promise<number> {
+async function cmdInstall(opts: { profile?: string; minScore: number; minQuality: number; dryRun: boolean; all: boolean; notify: boolean; digest: boolean; yes: boolean; allowUnsafe: boolean }): Promise<number> {
   if (!existsSync(cacheFile())) {
     process.stderr.write("No cached gems. Run `cue discover search` first.\n");
     return 1;
@@ -2117,8 +2143,27 @@ async function cmdInstall(opts: { profile?: string; minScore: number; minQuality
       }
     }
 
-    // Auto-install CLI dependencies from the skill's SKILL.md Prerequisites
-    autoInstallClis(gem.name);
+    // Security gate: the skill files are now on disk but not yet registered to
+    // a profile. Scan the just-fetched (untrusted) skill and block on critical
+    // findings (secret/data exfiltration, prompt injection) unless --allow-unsafe.
+    const gate = gateFreshSkill(gem.name, { allowUnsafe: opts.allowUnsafe });
+    if (!gate.ok) {
+      process.stdout.write(`     🔴 BLOCKED: ${gem.full_name} has ${gate.critical.length} critical security finding(s):\n`);
+      for (const c of gate.critical) {
+        process.stdout.write(`        [${c.code}] ${c.message}${c.line ? ` (line ${c.line})` : ""}\n`);
+      }
+      process.stdout.write(`        Left on disk at ~/.claude/skills/${gem.name} but NOT registered to a profile.\n`);
+      process.stdout.write(`        Review it, then re-run with --allow-unsafe to register anyway.\n`);
+      skipped++;
+      continue;
+    }
+    if (!gate.scanned) {
+      process.stdout.write(`     ⚠️  ${gem.full_name}: no SKILL.md found at ~/.claude/skills/${gem.name} to scan — review manually.\n`);
+    }
+
+    // Surface CLI dependencies from the skill's SKILL.md Prerequisites.
+    // Only auto-installs when the user passed --yes (see autoInstallClis).
+    autoInstallClis(gem.name, { yes: opts.yes });
 
     // Add to profile.yaml
     const profileYaml = join(REPO_ROOT, "profiles", targetProfile, "profile.yaml");
@@ -2181,7 +2226,7 @@ async function cmdInstall(opts: { profile?: string; minScore: number; minQuality
   process.stdout.write(`\n  Done: ${installed} installed, ${skipped} skipped\n`);
   if (opts.dryRun) process.stdout.write(`  (dry-run — no changes made. Remove --dry-run to apply)\n`);
 
-  // Daily digest discussion in opencue/claude-code-skills — covers everything we just touched,
+  // Daily digest discussion in opencue/cuecards — covers everything we just touched,
   // so owners who don't get a --notify issue can still find the post.
   if (opts.digest) {
     const log = loadNotifyLog();
@@ -2704,6 +2749,9 @@ Filters (any combination, no extra GitHub calls — read from cache):
 
 Install options:
   --dry-run                 Preview installs without making changes
+  --yes, -y                 Auto-install CLI prerequisites from a skill's SKILL.md
+  --allow-unsafe            Register a skill even if the security scan finds a
+                            critical issue (default: block + leave it unregistered)
   --notify                  Open a one-time GitHub issue on each indexed repo
   --digest                  Post a daily GitHub Discussion summarizing new gems
 
@@ -2776,8 +2824,10 @@ Examples:
     const all = args.includes("--all");
     const notify = args.includes("--notify");
     const digest = args.includes("--digest");
+    const yes = args.includes("--yes") || args.includes("-y");
+    const allowUnsafe = args.includes("--allow-unsafe");
     const minQuality = intFlag(args, "--min-quality", 7)!;
-    return cmdInstall({ profile, minScore, minQuality, dryRun, all, notify, digest });
+    return cmdInstall({ profile, minScore, minQuality, dryRun, all, notify, digest, yes, allowUnsafe });
   }
 
   if (rest[0] === "notify") {