dt-asset-mcp 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,83 @@
+# dt-asset-mcp
+
+在 Cursor 等支持 MCP 的 IDE 中连接资产管理平台（OAuth2 设备码登录）。
+
+## 功能
+
+- `mcp_auth`：`methods` / `start` / `poll` / `status` / `logout`（OAuth2 设备码）
+- `auth_me`：当前用户
+- `assets_search`：查询资产列表
+- `assets_detail`：按 ID 查单条详情（须指定类型；能否查看由后端判定）
+- `assets_download`：按 ID 将资产写入当前项目的 `.cursor/...` 目录（鉴权规则同 `assets_detail`）
+- `assets_update`：更新资产；可传 `sourceDir` 由 MCP 自动把本地目录转换后提交更新
+- `assets_create`：创建资产（权限由后端拦截）
+
+## 使用
+
+```bash
+npx -y dt-asset-mcp@latest
+```
+
+在 Cursor 的 MCP 配置里将启动命令设为上述命令，并配置下方环境变量。
+
+## 环境变量
+
+```bash
+export ASSET_MCP_BASE_URL="http://localhost:8080"
+```
+
+## 登录（设备码）
+
+推荐按下面的“用户可理解流程”执行：
+
+1. 调用 `mcp_auth`，`{ "action": "start" }`
+2. 把返回的 `verificationUriComplete` 原样发给用户，让用户点击并在浏览器完成授权
+3. 用户回复“已授权”后，调用 `mcp_auth`，`{ "action": "poll" }`
+4. 调用 `auth_me` 确认已登录
+
+可直接发给用户的话术：
+
+> 请点击此链接完成授权：`verificationUriComplete`。完成后回复“已授权”，我将继续登录。
+
+可先调用 `{ "action": "methods" }` 查看说明。请在浏览器中登录，**不要**在对话里向 MCP 发送密码。
+
+## `assets_search`
+
+- `assetType`：`rule` | `skill` | `mcp` | `all`（默认 `all`）
+- `keyword`：关键词，透传后端，与平台搜索一致；固定第 1 页，每类最多 10 条；`all` 时每类各最多 10 条
+- `status`：仅 **`assetType` 为 rule/skill/mcp** 时参与请求；**`all` 时不传**（传入也会被忽略，避免「全资产」还套状态）
+
+## `assets_detail`
+
+- `assetType`：`rule` | `skill` | `mcp`（必填）
+- `id`：资产 ID（必填，正整数）
+
+无查看权限或资源不存在时，接口会失败；与 Web 端一致，由后端统一鉴权。
+
+## `assets_download`
+
+- `assetType`、`id`：同 `assets_detail`（无权限则无法拉取内容）
+- `relativeDir`：可选，表示 **`.cursor` 下面的子路径**（不要带 `.cursor` 前缀）；默认空，即直接 `{工作区}/.cursor/rules|skills|mcps/{资产名}/`
+- **覆盖策略**：下载前会先删除本地目标目录及同名 `.zip`（若存在），不做版本比对，始终按本次拉取结果整包覆盖。
+- **rule / skill**：无 ASSET_BUNDLE 时为单个 `.md`；有 bundle 时仅展开为多文件目录（不生成 `.zip`）
+- **mcp**：写入 `config.json`、`tools.json`、`meta.md`
+
+## `assets_create`
+
+- `assetType`：`rule` | `skill` | `mcp`（必填）
+- 可选：`name`、`description`、`version`、`tags`
+- `sourceDir`：可选，本地目录（绝对路径或相对工程根；工程根固定为当前进程 `cwd`）；传入后由 MCP 自动转换：
+  - **rule / skill**：目录文件转 `ASSET_BUNDLE_V1` 内容并写入 `content`
+  - **mcp**：读取 `config.json`、`tools.json`、`meta.md` 分别写入 `configJson`、`toolsJson`、`remark`
+- 不传 `sourceDir` 时，可直接传 `content`（rule/skill）或 `type/configJson/toolsJson/remark`（mcp）
+
+## `assets_update`
+
+- **已发布**资产：后端只更新**草稿**；你作为作者/管理员在详情、或列表带 **`mine=true`** 时会**优先看到草稿**，所以体感像「一保存就变了」；**访客/公共列表**仍读**已发布版本**，真正对外替换要走平台「申请发布 → 审核」。
+- 必填：`assetType`、`id`、`version`、`changeLog`
+- 可选：`name`、`description`、`tags`
+- `sourceDir`：可选，本地目录（绝对路径或相对工程根；工程根固定为当前进程 `cwd`）；传入后由 MCP 自动转换：
+  - **rule / skill**：目录文件转 `ASSET_BUNDLE_V1` 内容并写入 `content`
+  - **mcp**：读取 `config.json`、`tools.json`、`meta.md` 分别写入 `configJson`、`toolsJson`、`remark`
+- 不传 `sourceDir` 时，可直接传 `content`（rule/skill）或 `configJson/toolsJson/remark`（mcp）
+- **mcp + sourceDir 覆盖语义**：以本地目录为唯一数据源，缺失文件会提交默认空值（`{}` / `[]` / 空串），不会回填远端旧内容。

package/bin/asset-mcp.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import '../src/server.js'

package/package.json

@@ -0,0 +1,34 @@
+{
+  "name": "dt-asset-mcp",
+  "version": "1.0.0",
+  "license": "MIT",
+  "description": "MCP server for asset operations in Cursor",
+  "type": "module",
+  "main": "src/server.js",
+  "bin": {
+    "dt-asset-mcp": "bin/asset-mcp.js"
+  },
+  "files": [
+    "bin",
+    "src",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "start": "node src/server.js",
+    "check": "node --check src/server.js && node --check src/config.js && node --check src/backend.js && node --check src/download-asset.js && node --check src/asset-bundle.js",
+    "prepublishOnly": "npm run check"
+  },
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/"
+  },
+  "dependencies": {},
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "mcp",
+    "cursor",
+    "asset"
+  ]
+}

package/src/asset-bundle.js

@@ -0,0 +1,72 @@
+/**
+ * 与前端 assetBundle.ts 对齐：解析正文中的 ASSET_BUNDLE_V1 块。
+ */
+
+const MARKER_REGEX = /<!--\s*ASSET_BUNDLE_V1:([A-Za-z0-9+/=]+)\s*-->/
+const MARKER_PREFIX = '<!-- ASSET_BUNDLE_V1:'
+
+export function parseAssetBundle(raw, defaultEntryPath = 'ENTRY') {
+  const source = raw ?? ''
+  const match = source.match(MARKER_REGEX)
+  if (!match) {
+    return {
+      entryContent: source,
+      files: [],
+      folders: [],
+      entryPath: defaultEntryPath,
+      bundled: false,
+    }
+  }
+
+  const marker = match[0]
+  const entryContent = source.replace(marker, '').trimEnd()
+  try {
+    const decoded = Buffer.from(match[1], 'base64').toString('utf8')
+    const payload = JSON.parse(decoded)
+    const files = Array.isArray(payload.files)
+      ? payload.files
+          .filter(f => f && typeof f.path === 'string')
+          .map(f => ({ path: f.path, content: String(f.content ?? '') }))
+      : []
+    const folders = Array.isArray(payload.folders)
+      ? payload.folders.filter(f => typeof f === 'string').map(f => f.trim()).filter(Boolean)
+      : []
+    if (!files.length) {
+      return { entryContent, files: [], folders, entryPath: defaultEntryPath, bundled: false }
+    }
+    return {
+      entryContent,
+      files,
+      folders,
+      entryPath: payload.entryPath || files[0].path || defaultEntryPath,
+      bundled: true,
+    }
+  } catch {
+    return {
+      entryContent,
+      files: [],
+      folders: [],
+      entryPath: defaultEntryPath,
+      bundled: false,
+    }
+  }
+}
+
+export function buildAssetBundle(entryPath, files = [], folders = []) {
+  const safeFiles = files
+    .filter(f => f && typeof f.path === 'string' && f.path.trim())
+    .map(f => ({ path: f.path.trim(), content: String(f.content ?? '') }))
+  const safeFolders = folders
+    .filter(f => typeof f === 'string')
+    .map(f => f.trim())
+    .filter(Boolean)
+  const entry = safeFiles.find(f => f.path === entryPath) ?? safeFiles[0] ?? { path: entryPath, content: '' }
+  const payload = {
+    entryPath: entry.path,
+    files: safeFiles.length ? safeFiles : [{ path: entry.path, content: entry.content }],
+    folders: safeFolders,
+  }
+  const encoded = Buffer.from(JSON.stringify(payload), 'utf8').toString('base64')
+  const body = entry.content.trimEnd()
+  return `${body}\n\n${MARKER_PREFIX}${encoded} -->`
+}

package/src/backend.js

@@ -0,0 +1,246 @@
+import { apiUrl, config } from './config.js'
+import { getValidAccessToken, refreshAccessToken } from './oauth.js'
+
+async function parseJsonSafe(res) {
+  return res.json().catch(() => ({}))
+}
+
+async function requestWithToken(path, init = {}, retry = true) {
+  const token = await getValidAccessToken()
+  if (!token) {
+    throw new Error('未授权，请先调用 mcp_auth 完成登录')
+  }
+
+  const headers = {
+    'content-type': 'application/json',
+    authorization: `Bearer ${token}`,
+    ...(init.headers || {}),
+  }
+
+  const res = await fetch(apiUrl(path), { ...init, headers })
+  if (res.status === 401 && retry) {
+    await refreshAccessToken()
+    return requestWithToken(path, init, false)
+  }
+
+  const body = await parseJsonSafe(res)
+  if (!res.ok) {
+    throw new Error(body.message || `后端请求失败(${res.status})`)
+  }
+  if (body && body.code !== undefined && body.code !== 0) {
+    throw new Error(body.message || '业务请求失败')
+  }
+  return body.data
+}
+
+function toQueryString(params = {}) {
+  const parts = []
+  for (const [key, val] of Object.entries(params)) {
+    if (val === undefined || val === null || val === '') continue
+    if (Array.isArray(val)) {
+      for (const item of val) {
+        if (item === undefined || item === null || item === '') continue
+        parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(item))}`)
+      }
+      continue
+    }
+    parts.push(`${encodeURIComponent(key)}=${encodeURIComponent(String(val))}`)
+  }
+  return parts.join('&')
+}
+
+/** 列表固定第一页、每页条数（MCP 不提供分页参数） */
+const LIST_PAGE = 1
+const LIST_PAGE_SIZE = 10
+
+/** 与后端 AssetQueryRequest 对齐的可选筛选（分页固定为第 1 页共 10 条） */
+function buildAssetListQuery(args = {}) {
+  const q = {
+    keyword: args.keyword,
+    page: LIST_PAGE,
+    pageSize: LIST_PAGE_SIZE,
+  }
+  if (args.mine === true) q.mine = true
+  if (args.status != null && args.status !== '') q.status = Number(args.status)
+  if (args.categoryId != null && args.categoryId !== '') q.categoryId = Number(args.categoryId)
+  if (Array.isArray(args.categoryIds) && args.categoryIds.length > 0) {
+    q.categoryIds = args.categoryIds.map(Number).filter(n => !Number.isNaN(n))
+  }
+  if (args.type) q.type = args.type
+  return q
+}
+
+async function getWithQuery(path, query = {}) {
+  const qs = toQueryString(query)
+  const target = qs ? `${path}?${qs}` : path
+  return requestWithToken(target, { method: 'GET' })
+}
+
+function clampPageResult(pageData, max = 10) {
+  if (!pageData || !Array.isArray(pageData.records)) return pageData
+  return {
+    ...pageData,
+    records: pageData.records.slice(0, max),
+  }
+}
+
+export async function whoAmI() {
+  return requestWithToken(config.api.mePath, { method: 'GET' })
+}
+
+function parsePositiveId(raw) {
+  const n = typeof raw === 'string' ? parseInt(raw, 10) : Number(raw)
+  if (!Number.isFinite(n) || n < 1 || !Number.isInteger(n)) {
+    throw new Error('id 须为正整数')
+  }
+  return n
+}
+
+/**
+ * 单条详情：走平台 GET /api/v1/assets/{type}/{id}，可见性与角色由后端 SQL + 业务校验，无权限时 404/业务错误。
+ */
+export async function getAssetDetail(args = {}) {
+  const assetType = args.assetType
+  if (!['rule', 'skill', 'mcp'].includes(assetType)) {
+    throw new Error('assetType 须为 rule、skill 或 mcp')
+  }
+  const id = parsePositiveId(args.id)
+  const path = config.api.assetDetailPath(assetType, id)
+  return requestWithToken(path, { method: 'GET' })
+}
+
+export async function searchAssets(args = {}) {
+  const assetType = args.assetType || 'all'
+  /** 全部类型并行查询时，不按 status 筛（各类型状态语义一致化成本高，且与「看全部」习惯一致） */
+  const queryArgs = assetType === 'all' ? { ...args, status: undefined } : args
+  const query = buildAssetListQuery(queryArgs)
+
+  if (assetType === 'rule') {
+    const pageData = await getWithQuery(config.api.assetsPath('rule'), query)
+    return {
+      assetType: 'rule',
+      page: clampPageResult(pageData, LIST_PAGE_SIZE),
+    }
+  }
+
+  if (assetType === 'skill') {
+    const pageData = await getWithQuery(config.api.assetsPath('skill'), query)
+    return {
+      assetType: 'skill',
+      page: clampPageResult(pageData, LIST_PAGE_SIZE),
+    }
+  }
+
+  if (assetType === 'mcp') {
+    const pageData = await getWithQuery(config.api.assetsPath('mcp'), query)
+    return {
+      assetType: 'mcp',
+      page: clampPageResult(pageData, LIST_PAGE_SIZE),
+    }
+  }
+
+  if (assetType === 'all') {
+    const [rules, skills, mcps] = await Promise.all([
+      getWithQuery(config.api.assetsPath('rule'), query),
+      getWithQuery(config.api.assetsPath('skill'), query),
+      getWithQuery(config.api.assetsPath('mcp'), query),
+    ])
+
+    return {
+      assetType: 'all',
+      rules: clampPageResult(rules, LIST_PAGE_SIZE),
+      skills: clampPageResult(skills, LIST_PAGE_SIZE),
+      mcps: clampPageResult(mcps, LIST_PAGE_SIZE),
+    }
+  }
+
+  throw new Error(`不支持的 assetType: ${assetType}`)
+}
+
+export async function createAsset(args) {
+  const common = {
+    description: args.description,
+    version: args.version || 'v1.0',
+    tags: Array.isArray(args.tags) ? args.tags : [],
+  }
+
+  if (args.assetType === 'rule') {
+    const payload = {
+      name: args.name,
+      ...common,
+      content: args.content || '',
+    }
+    return requestWithToken(config.api.assetsPath('rule'), {
+      method: 'POST',
+      body: JSON.stringify(payload),
+    })
+  }
+
+  if (args.assetType === 'skill') {
+    const payload = {
+      name: args.name,
+      ...common,
+      content: args.content || '',
+    }
+    return requestWithToken(config.api.assetsPath('skill'), {
+      method: 'POST',
+      body: JSON.stringify(payload),
+    })
+  }
+
+  if (args.assetType === 'mcp') {
+    const payload = {
+      name: args.name,
+      type: args.mcpType || args.type || 'local',
+      ...common,
+      configJson: args.configJson || '{}',
+      toolsJson: args.toolsJson || '[]',
+      remark: args.remark || '',
+    }
+    return requestWithToken(config.api.assetsPath('mcp'), {
+      method: 'POST',
+      body: JSON.stringify(payload),
+    })
+  }
+
+  throw new Error(`不支持的 assetType: ${args.assetType}`)
+}
+
+export async function updateAsset(args = {}) {
+  const assetType = args.assetType
+  if (!['rule', 'skill', 'mcp'].includes(assetType)) {
+    throw new Error('assetType 须为 rule、skill 或 mcp')
+  }
+  const id = parsePositiveId(args.id)
+  if (!args.version || !String(args.version).trim()) {
+    throw new Error('version 不能为空')
+  }
+  if (!args.changeLog || !String(args.changeLog).trim()) {
+    throw new Error('changeLog 不能为空')
+  }
+  if (!args.name || !String(args.name).trim()) {
+    throw new Error('name 不能为空')
+  }
+
+  const payload = {
+    name: String(args.name).trim(),
+    description: args.description ?? '',
+    version: String(args.version).trim(),
+    changeLog: String(args.changeLog).trim(),
+    tags: Array.isArray(args.tags) ? args.tags : [],
+  }
+
+  if (assetType === 'rule' || assetType === 'skill') {
+    payload.content = args.content ?? ''
+  } else {
+    payload.type = args.type || 'local'
+    payload.configJson = args.configJson ?? '{}'
+    payload.toolsJson = args.toolsJson ?? '[]'
+    payload.remark = args.remark ?? ''
+  }
+
+  return requestWithToken(config.api.assetUpdatePath(assetType, id), {
+    method: 'PUT',
+    body: JSON.stringify(payload),
+  })
+}

package/src/config.js

@@ -0,0 +1,55 @@
+import path from 'node:path'
+
+const DEFAULT_BASE_URL = 'http://localhost:8080'
+
+function readEnv(name, fallback = '') {
+  const v = process.env[name]
+  if (!v) return fallback
+  return v.trim()
+}
+
+function joinUrl(base, path) {
+  const b = base.endsWith('/') ? base.slice(0, -1) : base
+  const p = path.startsWith('/') ? path : `/${path}`
+  return `${b}${p}`
+}
+
+export const config = {
+  baseUrl: readEnv('ASSET_MCP_BASE_URL', DEFAULT_BASE_URL),
+  clientId: readEnv('ASSET_MCP_CLIENT_ID', 'asset-mcp'),
+  scopes: readEnv('ASSET_MCP_SCOPES', 'assets.read assets.write'),
+  oauth: {
+    deviceCodePath: readEnv('ASSET_MCP_DEVICE_CODE_PATH', '/api/oauth/device/code'),
+    tokenPath: readEnv('ASSET_MCP_TOKEN_PATH', '/api/oauth/token'),
+    revokePath: readEnv('ASSET_MCP_REVOKE_PATH', '/api/oauth/revoke'),
+  },
+  api: {
+    authRefreshPath: '/api/v1/auth/refresh',
+    authLogoutPath: '/api/v1/auth/logout',
+    /** 统一资产：GET 列表 / POST 创建，路径变量为 rule | skill | mcp */
+    assetsPath: (assetType) => `/api/v1/assets/${assetType}`,
+    /** 单条详情：GET，权限由后端校验 */
+    assetDetailPath: (assetType, id) => `/api/v1/assets/${assetType}/${id}`,
+    /** 单条更新：PUT */
+    assetUpdatePath: (assetType, id) => `/api/v1/assets/${assetType}/${id}`,
+    /** 跨类型列表（query 可带 assetType / keyword / mine 等） */
+    assetsMarketPath: '/api/v1/assets',
+    mePath: '/api/v1/auth/me',
+  },
+}
+
+export function oauthUrl(path) {
+  return joinUrl(config.baseUrl, path)
+}
+
+export function apiUrl(path) {
+  return joinUrl(config.baseUrl, path)
+}
+
+/**
+ * 下载写入、sourceDir 解析的根目录。
+ * 固定使用 process.cwd()（通常即当前项目根目录）。
+ */
+export function getWorkspaceRoot() {
+  return path.resolve(process.cwd())
+}

package/src/download-asset.js

@@ -0,0 +1,156 @@
+import fs from 'node:fs/promises'
+import path from 'node:path'
+import { parseAssetBundle } from './asset-bundle.js'
+
+function sanitizeFilename(name, fallback) {
+  const normalized = String(name ?? '').trim().replace(/[\\/:*?"<>|]+/g, '-')
+  return normalized || fallback
+}
+
+function normalizeExportPath(filePath, entryPath) {
+  if (filePath !== entryPath) return filePath
+  const slashIdx = filePath.lastIndexOf('/')
+  const dotIdx = filePath.lastIndexOf('.')
+  const hasExt = dotIdx > slashIdx
+  return hasExt ? filePath : `${filePath}.md`
+}
+
+function assertUnderRoot(rootDir, absPath) {
+  const root = path.resolve(rootDir)
+  const abs = path.resolve(absPath)
+  const rel = path.relative(root, abs)
+  if (rel.startsWith('..') || path.isAbsolute(rel)) {
+    throw new Error('路径超出工程根目录，拒绝写入')
+  }
+}
+
+/** 将相对路径拆成安全段，禁止 .. */
+function splitSafeRel(rel) {
+  return String(rel ?? '')
+    .split(/[/\\]+/)
+    .map(s => s.trim())
+    .filter(Boolean)
+    .map(seg => {
+      if (seg === '..' || seg === '.') throw new Error('非法相对路径')
+      if (seg.includes('/') || seg.includes('\\')) throw new Error('非法路径段')
+      return seg
+    })
+}
+
+function resolveUnderRoot(rootDir, ...segments) {
+  let cur = path.resolve(rootDir)
+  for (const seg of segments) {
+    if (!seg) continue
+    cur = path.join(cur, seg)
+    assertUnderRoot(rootDir, cur)
+  }
+  return cur
+}
+
+function buildMcpMeta(asset) {
+  const lines = [
+    `# ${asset.name ?? 'MCP'}`,
+    '',
+    asset.description ? `## 简介\n\n${asset.description}\n` : '',
+    asset.remark ? `## 备注\n\n${asset.remark}\n` : '',
+    `版本: ${asset.version ?? '-'}`,
+    `类型: ${asset.type ?? '-'}`,
+  ]
+  return lines.filter(Boolean).join('\n')
+}
+
+function safeFileRel(rel) {
+  return String(rel)
+    .split(/[/\\]+/)
+    .map(s => s.trim())
+    .filter(Boolean)
+    .map(seg => {
+      if (seg === '..' || seg === '.') throw new Error('非法文件路径')
+      return seg
+    })
+}
+
+/** 与工程习惯一致：规则 → rules，技能 → skills，MCP → mcps */
+function typeFolder(assetType) {
+  if (assetType === 'rule') return 'rules'
+  if (assetType === 'skill') return 'skills'
+  if (assetType === 'mcp') return 'mcps'
+  throw new Error(`不支持的 assetType: ${assetType}`)
+}
+
+/**
+ * 将资产详情写入工作区目录（与前端导出语义接近）。
+ * 每次写入前会删除目标目录及同名的 `.zip`（若有），不做本地/远端版本比对，按本次拉取内容整包覆盖。
+ * rule/skill 的 bundle 仅展开为目录，不生成 zip。
+ * @returns {{ paths: string[], rootDir: string, format: string }}
+ */
+export async function exportAssetToWorkspace(asset, workspaceRoot, relativeDir) {
+  const root = path.resolve(workspaceRoot.trim())
+  assertUnderRoot(root, root)
+
+  /** 固定落在工作区 `.cursor/` 下；relativeDir 为其下的可选子目录（多级用 /） */
+  let dirParts = splitSafeRel(relativeDir ?? '')
+
+  const assetType = asset.assetType
+  const baseName = sanitizeFilename(asset.name, `${assetType}-${asset.id}`)
+  const tf = typeFolder(assetType)
+  const destRoot = resolveUnderRoot(root, '.cursor', ...dirParts, tf, baseName)
+  const siblingZipPath = resolveUnderRoot(root, '.cursor', ...dirParts, tf, `${baseName}.zip`)
+
+  if (assetType === 'rule' || assetType === 'skill') {
+    const defaultEntry = assetType === 'rule' ? 'RULE' : 'SKILL'
+    const content = asset.content ?? ''
+    const parsed = parseAssetBundle(content, defaultEntry)
+
+    await fs.rm(destRoot, { recursive: true, force: true })
+    await fs.rm(siblingZipPath, { recursive: true, force: true })
+
+    await fs.mkdir(destRoot, { recursive: true })
+
+    if (!parsed.bundled) {
+      const filePath = resolveUnderRoot(root, '.cursor', ...dirParts, tf, baseName, `${baseName}.md`)
+      await fs.mkdir(path.dirname(filePath), { recursive: true })
+      await fs.writeFile(filePath, content, 'utf8')
+      return { paths: [filePath], rootDir: destRoot, format: 'single-markdown' }
+    }
+
+    for (const folder of parsed.folders) {
+      if (!folder.trim()) continue
+      const parts = safeFileRel(folder)
+      const dir = resolveUnderRoot(root, '.cursor', ...dirParts, tf, baseName, ...parts)
+      await fs.mkdir(dir, { recursive: true })
+    }
+
+    const written = []
+    for (const file of parsed.files) {
+      if (!file.path.trim()) continue
+      const rel = normalizeExportPath(file.path, parsed.entryPath)
+      const fparts = safeFileRel(rel)
+      const filePath = resolveUnderRoot(root, '.cursor', ...dirParts, tf, baseName, ...fparts)
+      await fs.mkdir(path.dirname(filePath), { recursive: true })
+      await fs.writeFile(filePath, file.content ?? '', 'utf8')
+      written.push(filePath)
+    }
+
+    return { paths: written, rootDir: destRoot, format: 'bundle' }
+  }
+
+  if (assetType === 'mcp') {
+    await fs.rm(destRoot, { recursive: true, force: true })
+    await fs.rm(siblingZipPath, { recursive: true, force: true })
+    await fs.mkdir(destRoot, { recursive: true })
+    const paths = []
+    const p1 = resolveUnderRoot(root, '.cursor', ...dirParts, tf, baseName, 'config.json')
+    const p2 = resolveUnderRoot(root, '.cursor', ...dirParts, tf, baseName, 'tools.json')
+    const p3 = resolveUnderRoot(root, '.cursor', ...dirParts, tf, baseName, 'meta.md')
+    await fs.writeFile(p1, asset.configJson ?? '{}', 'utf8')
+    paths.push(p1)
+    await fs.writeFile(p2, asset.toolsJson ?? '[]', 'utf8')
+    paths.push(p2)
+    await fs.writeFile(p3, buildMcpMeta(asset), 'utf8')
+    paths.push(p3)
+    return { paths, rootDir: destRoot, format: 'mcp-json' }
+  }
+
+  throw new Error(`不支持的 assetType: ${assetType}`)
+}